The Ultimate Citrix Install Guide
 
PROJECT MANAGEMENT
1. Project Management Overview
2. Project Management Methodology
3. Tips for Making Meetings Effective

ANALYSIS PHASE
1. Analysis Phase Overview
2. Vision / Project Scope (Statement of Work)
3. Project Plan
4. Infrastructure Assessment
5. Proof of Concept
6. Analysis Phase Checkpoint

DESIGN PHASE
1. Design Phase Overview
2. Server Design
3. MetaFrame Access Suite Design
4. Infrastructure Design
5. Design Phase Checkpoint

IMPLEMENTATION PHASE
1. Implementation Phase Overview

2. Prepare the Network Environment

2. 1. Create Required Network Shares
2. 2. Firewall Modifications
2. 3. Throttling Port Speed and Duplex Settings
2. 4. Add Users to a Terminal Services Environment
2. 5. Create Required Citrix Specific User Groups

3. Install Operating System(s) for MetaFrame XP

3. 1. Installing Microsoft Windows 2000
3. 2. Installing Microsoft Windows Server 2003

4. MetaFrame IMA Data Store Installation & Configuration

4. 1. How to Install & Configure Microsoft SQL Server 2000
4. 2. How to Install and Configure Microsoft SQL Desktop Edition (MSDE)

5. Install MetaFrame XP Server w/ Feature Release 3

5. 1. How to Remap MetaFrame XP Server Driver Letters
5. 2. Installing MetaFrame Feature Release 3 on Windows 2000
5. 3. Installing MetaFrame Feature Release 3 on Windows Server 2003
5. 4. Installing MetaFrame XP HotFixes
5. 5. How to Add Licenses through the Management Console for MetaFrame XP

6. Install “Image” Applications


7. Rapid Server Deployment

7. 1. How to Clone a Citrix MetaFrame XP Server
7. 2. How to Create a Network Boot Disk

8. Configure MetaFrame XP Farm Wide Settings

8. 1. Recycling Operating Systems
8. 2. MetaFrame XP Delegated Administration
8. 3. How to Create a Zone & Move MetaFrame XP Servers to it
8. 4. How to Set a Server’s Preference for Data Collector Elections
8. 5. MetaFrame XP User Policies
8. 6. How to Implement Automatic ICA Client Updates
8. 7. Client Drive Mapping
8. 8. How to Implement Client to Server Content Redirection
8. 9. How to Implement Server to Client Content Redirection
8. 10. Configure ICA Keep-Alive
8. 11. Configure SpeedScreen Browser Acceleration

9. Install “Manual” Applications

9. 1. How to Install and Configure Microsoft Office 2000
9. 2. How to Install and Configure Microsoft Office XP
9. 3. How to Install and Configure Microsoft Office 2003

10. MetaFrame Conferencing Manager 2.0

10. 1. How to Install the Conference Organizer Service
10. 2. How to Install the Conference Room
10. 3. How to Install Conferencing Manager User Interface
10. 4. How to Specify the License Type through the CM Configuration Tool
10. 5. How to Add Users to the Conferencing Manager
10. 6. Microsoft Exchange Server Integration
10. 7. Troubleshooting

11. Publishing Resources through the Management Console

11. 1. How to Publish an Application
11. 2. How to Publish Content
11. 3. How to Publish Application from a Shortcut
11. 4. How to Publish the Printer Folder
11. 5. How to Publish Windows Explorer

12. How to Configure the Printing Environment

12. 1. Set the proper expectations
12. 2. Setup the Print Environment
12. 3. Create Printer Compatibility Driver Mappings
12. 4. Set Printer Bandwidth Limits for Client Auto-Created Printers
12. 5. How to use Project Compatibility automate Driver Mapping
12. 6. How to Manually Connect a Client Printer within an ICA Session

13. Install MetaFrame Secure Access Manager 2.0

13. 1. Install MetaFrame Secure Access Manager on Windows 2000 Server
13. 2. Install MetaFrame Secure Access Manager 2.0 on Windows Server 2003
13. 3. How to Install MetaFrame Secure Access Manager 2.0 Service Pack 1
13. 4. Install the Access Management Console on MetaFrame XP or a Workstation
13. 5. Create an Access Center
13. 6. Configure the Access Center
13. 7. Customizing MetaFrame Secure Access Manager
13. 8. How to Configure Internet Explorer for a Secure Access Center

14. Install Web Interface 2.1

14. 1. How to Install Web Interface 2.1 (Clean Install)
14. 2. How to Upgrade a NFuse Server to Web Interface 2.1
14. 3. Web Interface 2.1 Web Administration Tool
14. 4. How to Customize Web Interface 2.1
14. 5. How to Repair Web Interface 2.1

15. Install SSL Certificates and Secure IIS Server

15. 1. How to install and configure the IIS Lockdown Tool (version 2.1)
15. 2. How to Enable SSL on an IIS Web Server
15. 3. How to Force the use of SSL Encryption on a IIS Web Site

16. Install Secure Gateway 2.0 for MetaFrame

16. 1. Pre-installation Check List
16. 2. How to Install and Configure the STA Component
16. 3. Install the Secure Gateway Service
16. 4. Secure Gateway for MetaFrame Management Tools

17. MetaFrame XP Remote Administration Tools

17. 1. Management Console for MetaFrame XP
17. 2. Citrix Web Console (CWC)

18. ICA Clients

18. 1. How to Install the ICA Win32 Program Neighborhood Agent
18. 2. How to Install the ICA Win32 Web Client
18. 3. How to Configure the ICA Java Client
18. 4. How to Utilize the ICA Program Neighborhood Pass-Through Client
18. 5. Citrix ICA Client 6.20 for OS 9.X
18. 6. Citrix ICA Client 6.30 for OS 10.x

19. Microsoft Terminal Services Licensing

19. 1. Summary of Licensing Options in Windows 2000 Server
19. 2. Summary of the licensing options in Microsoft Windows Server 2003

20. Implement Windows System Policies

20. 1. MIAB Administrative Template Overview
20. 2. How to Create an Administrative Template to Hide Drives
20. 3. Implementing Windows 2000 Active Directory Group Policies
20. 4. Implementing Windows NT, Terminal Server 4.0 System Policies

21. How to Install and Configure MetaFrame Password Manager

21. 1. Prepare the Directory Service
21. 2. Install and Configure the MetaFrame Password Manager Console
21. 3. Deploy the MetaFrame Password Manager Agent
21. 4. On-Going Maintenance

22. Implementation Phase Checkpoint


READINESS PHASE
1. Readiness Phase Overview
2. Testing your New MetaFrame Access Suite Environment
3. Pilot Implementation
4. Rollout Any Remaining Servers
5. Implement Change Management Policies and Procedures
6. Readiness Phase Checkpoint

ROLLOUT PHASE
1. Rollout Phase Overview
2. End-User Training
3. Administrator Training
4. Go Live!
5. Rollout Phase Checkpoint

APPENDIX
1. Additional Resources
2. MIAB3.0.ZIP - Files Explained

16. 3.    Install the Secure Gateway Service

The Secure Gateway Service is a component that functions as an Internet gateway between ICA Clients and a MetaFrame XP Server farm. The Secure Gateway Service runs as a Windows 2000 service and must be installed on a machine running Windows 2000 Server.

The following details how to install the CSG service on a Windows 2000 server.

16. 3. 1 How to Install the Secure Gateway for MetaFrame XP and MSAM

If users will be required to connect to MetaFrame XP applications and/or MetaFrame Secure Access Manager Access Centers, follow the steps below.

Note: If you want your end-users to be able to use Web Interface 2.1 as well as MetaFrame Secure Access Manager, you must also install the Web Interface, as documented earlier in this document.

The following defines how to install and configure the Secure Gateway service to connect to MetaFrame Secure Access Manager 2.0 and MetaFrame XP through the Web Interface 2.1.

1.       Insert the MetaFrame XP Component CD-ROM, browse to the \CitrixSecureGateway\Windows\ folder and double-click CSG_GWY.msi to start the installation program.

2.       The first screen asks you for the installation mode for Secure Gateway. This is where you define whether you will be using the double-hop feature of Secure Gateway. For this example, select the Secure Gateway Service radio button. For more information on the double-hop feature, refer to the Secure Gateway for MetaFrame Administrator's Guide.

You must then select which MetaFrame products you will be securing. For this example we are going to secure both MetaFrame Secure Access Manager and MetaFrame XP, so select the MetaFrame Secure Access Manager and MetaFrame XP Server radio button and click Next to continue.


3.       Since you will be securing MetaFrame Secure Access Manager, you will be prompted to select the Logon Agent you would like to use. Citrix gives you the choice of a basic Logon Agent or a Logon Agent that takes advantage of the built-in RSA SecurID support.

Select the appropriate radio button and click Next to continue.

 

4.       The Secure Gateway for MetaFrame section of the install program is now launched. Click Next to continue.

 


5.       Click to select the I accept the license agreement radio button and click Next to continue.

 

6.       Click the Next button to continue.

 


7.       You are now prompted to select what components will be installed to the gateway box. With the release of 2.0, Citrix has given us the ability to deploy the logon agent and the gateway service on the same or different servers.

For this example we are going to install both components on the same server so verify both are selected and click Next to continue.

Note: If you would like to separate the Logon Agent server (IIS) from the gateway service component then you will only want to install the Secure Gateway Service. You will repeat the following steps to install the Logon Agent on a separate server.

 

8.       You are now prompted to select the level of configuration you would like. Select Advanced and click Next to continue.

 


9.       The next screen prompts you to configure the Logon Agent to contact the Authentication Service running on a MetaFrame Secure Access Manager server in the secure network. The Authentication Service is contacted for authentication and authorization of HTTP/S requests for access center resources. The Authentication Service authenticates and authorizes the user and issues access tokens that are returned to the client browser.

To configure the Logon Agent to contact the Authentication Service, enter the FQDN of the MetaFrame Secure Access Manager server running the Authentication Service (usually the first server in the MetaFrame Secure Access Manager farm) in the FQDN text box.

Enter the name of the Access Center you would like to connect to in the Path text box, between the / and the /Auth characters. In this example the name of my Access Center is mydabcc.

To secure communications between the Logon Agent server and the Authentication Service (AS) server with SSL, place a Web Server Certificate on the AS server and the associated root certificate on the web server running the Logon Agent, then check the Secured with HTTPS checkbox. If you need to use a TCP port other than the default 80 or 443, uncheck the Use default checkbox and enter the appropriate TCP port in the TCP port text box.

Click Next to continue.

 


10.   Select the Set servers default Web page to point to the Logon Agent check box to force the Logon Agent to load as the default Web page on this server. For example, when a user connects to https://www.dabcc.com/, the user is automatically redirected to the Logon Agent. Selecting this checkbox overwrites the current default Web page, default.asp. This action cannot be reverted, so verify that you do not already have a default.asp page in the root of the web site; if you do, uncheck this box and/or make a copy of the default.asp file in case a rollback is required.

At this point, configuration of the Logon Agent is complete; click Finish to save configuration settings and continue.

 

11.   You are now prompted to select the level of configuration you would like. Select Advanced and click Next to continue.


12.   Click to select the SSL Web Server certificate you want to use and click the View button. If you do not have a valid SSL certificate please refer to section 15. Install SSL Certificate and Secure IIS Servers found earlier in this document.

 

13.   Verify that the certificate's validity dates are current, and click on the Details tab to verify that the certificate is valid. Click OK to continue.

 


14.   Select the secure protocol and cipher suite to use to encrypt communications between the Secure Gateway service and client device(s).

In the Select secure protocol box, select the encryption protocol(s) that the Secure Gateway Service must use (Secure Gateway for MetaFrame supports the SSL 3.0 and TLS 1.0 protocols).

       Transport Layer Security (TLSv1) - Select this option to force the Secure Gateway to use TLS as the secure protocol. If you select this option, ensure all client devices and the Gateway Client are set to use TLS as well.

       Secure Sockets Layer (SSLv3) and TLSv1 - Select this option to enable the Secure Gateway Service to use both protocols. This is useful when the client requesting access to the enterprise network does not support one or the other protocol.

In the Select cipher suite box, select the cipher suite that the Secure Gateway Service must use.

       COM - Select this option to force the Secure Gateway to use commercial strength cipher suites. Commercial strength cipher suites are: RSA_WITH_RC4_128_MD5 or {0x00,0x04} and RSA_WITH_RC4_128_SHA or {0x00,0x05}

       GOV - Select this option to force the Secure Gateway to use government strength cipher suites. The Government strength cipher suite is: RSA_WITH_3DES_EDE_CBC_SHA or {0x00,0x0A}

       ALL - This option is the default setting and includes both the commercial and government strength cipher suites. Selecting this option prioritizes the cipher suites to give preference to the highest encryption strength.

Select the desired settings and click Next to continue. I recommend the defaults.

 


15.   The next screen asks you to list the IP addresses and ports on which the Secure Gateway server listens for incoming client connections.

Check the Monitor all IP addresses checkbox to force the Secure Gateway to listen for client connections on all available IP addresses on this server.

Enter a listener port number in the TCP port text box. The Secure Gateway listens for client connections on the port specified for all available IP addresses on the server. The default TCP port is 443.

To add an entry to the list, click Add. Select an entry in the list and click Modify to change an entry, or select an entry in the list and click Delete to remove the IP address from the list.

Click Next to continue.


16.   With the release of version 2.0 of Secure Gateway you can now apply outbound traffic restrictions to servers within the DMZ or the secure network using one of the following mechanisms:

       No outbound traffic restrictions - Select this option to enable the Secure Gateway Service to establish connections to any server within the DMZ or secure network.

       Use the Secure Gateway Proxy - Select this option to force the Secure Gateway to connect to a Secure Gateway Proxy server. If you select this option, specify the FQDN and TCP port number for the Secure Gateway Proxy server to connect to:

o        FQDN - Specify the fully qualified domain name of the server running the Secure Gateway Proxy software, for example, my_csg_proxy.company.com.

o        TCP port - Specify the port number on the Secure Gateway Proxy server on which the Secure Gateway Service contacts the proxy server. The default TCP port for unsecured communications between the Secure Gateway Service and the Secure Gateway Proxy is 1080; for secure communications use port 443.

o        Secured - Select this box to force the Secure Gateway Service to encrypt communications between itself and the Secure Gateway Proxy.

       Use an Access Control List (ACL) - Select this option to create an ACL for the Secure Gateway server. Using an ACL forces the Secure Gateway Service to establish connections only to server addresses specified in the ACL. Click Configure to manage entries in the ACL.

Select the desired configuration and click Next to continue.

 


17.   Configure the Secure Gateway server to communicate with a server running the Authentication Service in the secure network. The Secure Gateway contacts the Authentication Service for authentication and authorization of HTTP/S requests for resources aggregated through an access center. The Authentication Service authenticates and authorizes the user and issues access tokens that are returned to the client browser.

To enable the Secure Gateway server to contact the Authentication Service, specify the following values:

       FQDN - Enter the fully qualified domain name of the server running the Authentication Service, for example, myaccesscenter01.company.com

       Path - Specify the default path and file for the Authentication Service. This is typically /<AccessCenter>/AuthService/AuthService.asmx, where AccessCenter is replaced with the actual name of an access center.

       ID - The configuration wizard populates this field automatically when you click Next. The configuration wizard attempts to resolve the FQDN you specify and read the ID string from the server running the Authentication Service.

Communication protocol box:

       Secured with HTTPS - Check this box to encrypt communications between the Logon Agent and the Authentication Service using SSL or TLS.

       TCP port - Specify the network port on which to contact the Authentication Service.

       Use default - Check this box to use the default port assignment for the Authentication Service.

Click Next to continue.

 


18.   The next screen you are presented with asks you to list the STAs that the Secure Gateway Service will contact for tickets. You can configure multiple STAs for failover protection. If you specify multiple STAs, ensure this matches the list of STAs that the Web Interface for MetaFrame XP is configured to contact.

Click Add to add an entry to the list of STA servers.

 


19.   The next screen prompts you to specify the details of a server running the Secure Ticket Authority. In the FQDN text box, enter the fully qualified domain name of the STA. The Secure Gateway Service uses this information to contact the STA. In the Path text box, enter the location of the CtxSTA.dll file, typically located in the Inetpub/Scripts directory.

Check the Secured with HTTPS check box if you would like to encrypt communications to the STA using SSL or TLS. If you do, you will need a Web Server certificate on the STA server and the associated root certificate installed on the server running the Secure Gateway Service.

If you are required to change the default port assignment for the STA you need to uncheck the Use default checkbox and enter the network port number to use to contact the STA in the TCP port text box.

Click OK to continue.

 

20.   Select an entry in the list and click Modify to change an entry, or select an entry and click Delete to remove the server from the list.

21.   Repeat the previous step for any additional STA servers and click Next when finished.

 


22.   Connection parameters specify how the Secure Gateway handles client connections. Enter the following values:

       Connection timeout - The time allowed for the handshaking operations required to establish a connection. Enter the duration, in seconds, after which the connection attempt times out. The default value is 100 seconds.

       Cookie cache timeout - The time after which a cached access token issued by the Authentication Service expires. The default value is 10 seconds. When the timeout occurs, the Secure Gateway asks the Authentication Service to revalidate the access token. If revalidation is successful, the Secure Gateway refreshes the access token in its cache.

Connection Limits:

       Unlimited - Select this box to allow unlimited connections to this server. If you select this option, the Secure Gateway overrides values specified for Maximum Connections and Connection Resume.

Citrix recommends that you enable this setting only if the processor on this server is capable of processing the maximum number of connections possible based on the typical usage profile of your client base.

Ensure that enabling this setting does not run the CPU continuously at very high loads, and that your users experience good quality of service.

       Maximum connections - Specifies the maximum number of concurrent connections allowed. The server stops accepting new connection requests when the number of connections equals the value of Maximum Connections.

Set this value at a number suitable to your environment bearing in mind the processor type and processor speed of this server, and the typical usage profile of your user base.

Citrix recommends that you set the value of Maximum Connections so that the CPU does not run continuously at very high loads and your users experience good quality of service.

       Connection resume - This setting is related to the value you specify for Maximum Connections. If this server does reach the connection limit, it stops accepting connections until the total number of connections drops back to the number you specify for Connection Resume. The default value is set to 0.

Citrix recommends that you set the difference between values of Maximum Connections and Connection Resume at a minimum of 10%. For example, if Maximum Connections is 100, set Connection Resume at 90. The system default value is 90% of Maximum Connections.

Click Next to continue.
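As an added illustration, not code from Citrix or from this guide, the following Python models how the Connection parameters in step 22 behave as the text describes: the stop/resume hysteresis of Maximum Connections and Connection Resume, the 10% gap Citrix recommends, and the Cookie cache timeout with revalidation against the Authentication Service. The stand-in Authentication Service and the treatment of a Connection Resume of 0 as "use the 90% system default" are assumptions drawn from the wording above.

```python
"""Model of the Secure Gateway 'Connection parameters' screen (step 22).

Added illustration, not Citrix code: it lets you sanity-check a
Maximum Connections / Connection Resume pair and see how the cookie
cache timeout drives revalidation before the values go into the wizard.
"""
from typing import Callable, Dict, List

# Assumption: a Connection Resume of 0 means "use the system default",
# which the guide gives as 90% of Maximum Connections.
DEFAULT_RESUME_FRACTION = 0.90
MIN_RESUME_GAP_FRACTION = 0.10  # Citrix recommends at least a 10% gap


def effective_resume(max_connections: int, connection_resume: int) -> int:
    """Resolve the Connection Resume value that is actually applied."""
    if connection_resume == 0:
        return int(max_connections * DEFAULT_RESUME_FRACTION)
    return connection_resume


def check_connection_limits(max_connections: int, connection_resume: int) -> List[str]:
    """Return warnings for a Maximum Connections / Connection Resume pair."""
    warnings = []
    resume = effective_resume(max_connections, connection_resume)
    if resume >= max_connections:
        warnings.append("Connection Resume must be below Maximum Connections")
    elif max_connections - resume < max_connections * MIN_RESUME_GAP_FRACTION:
        warnings.append("gap between Maximum Connections and Connection Resume is under 10%")
    return warnings


class ConnectionLimiter:
    """Admission control with the stop/resume hysteresis the guide describes.

    When the active connection count reaches Maximum Connections the gateway
    stops accepting new connections, and does not accept again until the
    count has dropped back to Connection Resume.
    """

    def __init__(self, max_connections: int, connection_resume: int = 0,
                 unlimited: bool = False):
        self.unlimited = unlimited
        self.max_connections = max_connections
        self.resume = effective_resume(max_connections, connection_resume)
        self.active = 0
        self.paused = False

    def accept(self) -> bool:
        """Try to admit a new client connection; True if it was accepted."""
        if self.unlimited:            # Unlimited overrides both limit values
            self.active += 1
            return True
        if self.paused:
            return False
        self.active += 1
        if self.active >= self.max_connections:
            self.paused = True        # limit reached: refuse until count drops to resume
        return True

    def release(self) -> None:
        """Record that a client connection closed."""
        self.active = max(0, self.active - 1)
        if self.paused and self.active <= self.resume:
            self.paused = False


class AccessTokenCache:
    """Cookie cache with the timeout/revalidation cycle from step 22.

    A token is trusted from cache for `timeout` seconds; after that the
    gateway asks the Authentication Service to revalidate it and keeps it
    only if that succeeds. `revalidate` is an assumed hook standing in for
    the call to the Authentication Service, not a real Citrix API.
    """

    def __init__(self, timeout: float, revalidate: Callable[[str], bool]):
        self.timeout = timeout
        self.revalidate = revalidate
        self._cached: Dict[str, float] = {}  # token -> time it was last validated

    def validate(self, token: str, now: float) -> bool:
        cached_at = self._cached.get(token)
        if cached_at is not None and now - cached_at < self.timeout:
            return True                      # still fresh: no round trip to the AS
        if self.revalidate(token):
            self._cached[token] = now        # refresh the token in the cache
            return True
        self._cached.pop(token, None)        # AS rejected it: drop it from the cache
        return False


def demo_cookie_cache() -> Dict[str, object]:
    """Run the cache through fresh / expired / rejected cases with a stand-in AS."""
    calls: List[str] = []

    def stand_in_as(token: str) -> bool:     # constructed stand-in: accepts one token
        calls.append(token)
        return token == "token-A"

    cache = AccessTokenCache(timeout=10, revalidate=stand_in_as)
    results = [cache.validate("token-A", now=0.0),    # first use: AS is contacted
               cache.validate("token-A", now=5.0),    # within 10 s: served from cache
               cache.validate("token-A", now=12.0),   # expired: revalidated, refreshed
               cache.validate("token-B", now=12.0)]   # AS rejects it
    return {"results": results, "as_calls": len(calls)}
```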


23.   This screen lists the IP addresses of network devices, typically load balancers, that generate extraneous log information you may want to exclude from the Secure Gateway event log.

Third-party network devices deployed in a Secure Gateway environment may poll the Secure Gateway Service (or the Secure Gateway Proxy) repeatedly to ensure that the server is active. Each poll is recorded as a connection, resulting in the event log being filled up with unnecessary data.

To prevent such polling activity from being recorded in the system log, specify the IP addresses for devices that generate log information you want to exclude. The Secure Gateway Service (or Secure Gateway Proxy) then ignores polling activity from such devices and keeps the log free of this type of data.

Click Add to enter details of a server that you want to add to the exclusions list. Click Next to continue.

 


24.   Select a logging level for the Secure Gateway Service. This setting determines the type of errors and events the Secure Gateway Service logs in its application log. The following options are available:

       Fatal events only - Fatal error messages are logged because of operational failures that prevent the Secure Gateway from starting. Select this option to log only fatal events to the application log.

       Error and fatal events - Select this option to log fatal and service error messages to the Secure Gateway log. Service error messages occur because of partial failure of the Secure Gateway Service.

       Warning, error, and fatal events - Select this option to log warning, service and fatal errors to the application log. Warning error messages occur because of events caused by corrupted data requests or data packets received, ticket time-outs, and so on.

       All events including informational - Select this option to log all events and errors that occur on this server to the application log. Informational messages are logged because of client connection events. Selecting this option may result in the application log filling up rapidly.

Select an option from the list and click Next to continue.


25.   Enter information about the server running the Web Interface for MetaFrame XP.

In the Location box select an option to specify the location of the Logon Agent or Web Interface.

Installed on this computer - Select this option if either the Logon Agent or Web Interface is installed on the same server as the Secure Gateway Service.

Installed on a different computer - Select this option if the Logon Agent or Web Interface is installed on a server other than the server running the Secure Gateway Service.

In the Details box select the following settings to specify connectivity settings for a remote Web Interface server.

FQDN - Enter the fully qualified domain name of the server running the Logon Agent or Web Interface software. If you selected Installed on this computer as the Location, this field is automatically updated with the value "localhost."

TCP port - Specify the port number that the Secure Gateway Service uses to contact the Logon Agent or Web Interface.

Secured with HTTPS - Select this box to force the Secure Gateway Service to use HTTPS to communicate with the Logon Agent or Web Interface. If you selected Installed on this computer as the Location, this option is unavailable.

Click Next to continue.

 

Important: Running the Secure Gateway Service and the Web Interface on a single server is supported only in a single stage DMZ environment. See the Secure Gateway for MetaFrame Administrators Guide for more information.


26.   You have now successfully installed Secure Gateway for MetaFrame to secure MetaFrame Secure Access Manager 2.0 and Web Interface 2.1. Click Finish to exit and reboot.


16. 3. 2 How to Install the Secure Gateway Service for Secure Access Manager Only

If users will be required to connect only to MetaFrame Secure Access Manager Access Centers, follow the steps below.

The following defines how to install and configure the Secure Gateway service to connect to MetaFrame Secure Access Manager 2.0.

1.       Insert the MetaFrame XP Component CD-ROM, browse to the \CitrixSecureGateway\Windows\ folder and double-click CSG_GWY.msi to start the installation program.

2.       The first screen asks you for the installation mode for Secure Gateway. This is where you define whether you will be using the double-hop feature of Secure Gateway. For this example, select the Secure Gateway Service radio button. For more information on the double-hop feature, refer to the Secure Gateway for MetaFrame Administrator's Guide.

You must then select which MetaFrame products you will be securing. For this example we are going to secure MetaFrame Secure Access Manager only, so select the MetaFrame Secure Access Manager only radio button and click Next to continue.

 


3.       Since you will be securing MetaFrame Secure Access Manager, you will be prompted to select the Logon Agent you would like to use. Citrix gives you the choice of a basic Logon Agent or a Logon Agent that takes advantage of the built-in RSA SecurID support.

Select the appropriate radio button and click Next to continue.

 

4.       Click Next to continue.

 


5.       Click to select the I accept the license agreement radio button and click Next to continue.

 

6.       Click Next to continue.

 


7.       You are now prompted to select what components will be installed to the gateway box. With the release of 2.0, Citrix has given us the ability to deploy the logon agent and the gateway service on the same or different servers.

For this example we are going to install both components on the same server so verify both are selected and click Next to continue.

Note: If you would like to separate the Logon Agent server (IIS) from the gateway service component then you will only want to install the Secure Gateway Service. You will repeat the following steps to install the Logon Agent on a separate server.

 

8.       You are now prompted to select the level of configuration you would like. Select Advanced and click Next to continue.

 


9.       The next screen prompts you to configure the Logon Agent to contact the Authentication Service running on a MetaFrame Secure Access Manager server in the secure network. The Authentication Service is contacted for authentication and authorization of HTTP/S requests for access center resources. The Authentication Service authenticates and authorizes the user and issues access tokens that are returned to the client browser.

To configure the Logon Agent to contact the Authentication Service, enter the FQDN of the MetaFrame Secure Access Manager server running the Authentication Service (usually the first server in the MetaFrame Secure Access Manager farm) in the FQDN text box.

Enter the name of the Access Center you would like to connect to in the Path text box, between the / and the /Auth characters. In this example the name of my Access Center is mydabcc.

To secure communications between the Logon Agent server and the Authentication Service (AS) server with SSL, place a Web Server Certificate on the AS server and the associated root certificate on the web server running the Logon Agent, then check the Secured with HTTPS checkbox. If you need to use a TCP port other than the default 80 or 443, uncheck the Use default checkbox and enter the appropriate TCP port in the TCP port text box.

Click Next to continue.

 


10.   Select the Set servers default Web page to point to the Logon Agent check box to force the Logon Agent to load as the default Web page on this server. For example, when a user connects to https://www.dabcc.com/, the user is automatically redirected to the Logon Agent. Selecting this checkbox overwrites the current default Web page, default.asp. This action cannot be reverted, so verify that you do not already have a default.asp page in the root of the web site; if you do, uncheck this box and/or make a copy of the default.asp file in case a rollback is required.

At this point, configuration of the Logon Agent is complete; click Finish to save configuration settings and continue.

 

11.   You are now prompted to select the level of configuration you would like. Select Advanced and click Next to continue.


12.   Click to select the SSL Web Server certificate you want to use and click the View button. If you do not have a valid SSL certificate please refer to section 15. Install SSL Certificate and Secure IIS Servers found earlier in this document.

 

13.   Verify that the certificate's validity dates are current, and click on the Details tab to verify that the certificate is valid. Click OK to continue.


14.   Select the secure protocol and cipher suite to use to encrypt communications between the Secure Gateway service and client device(s).

In the Select secure protocol box, select the encryption protocol(s) that the Secure Gateway Service must use (Secure Gateway for MetaFrame supports the SSL 3.0 and TLS 1.0 protocols).

       Transport Layer Security (TLSv1) - Select this option to force the Secure Gateway to use TLS as the secure protocol. If you select this option, ensure all client devices and the Gateway Client are set to use TLS as well.

       Secure Sockets Layer (SSLv3) and TLSv1 - Select this option to enable the Secure Gateway Service to use both protocols. This is useful when the client requesting access to the enterprise network does not support one or the other protocol.

In the Select cipher suite box, select the cipher suite that the Secure Gateway Service must use.

       COM - Select this option to force the Secure Gateway to use commercial strength cipher suites. Commercial strength cipher suites are: RSA_WITH_RC4_128_MD5 or {0x00,0x04} and RSA_WITH_RC4_128_SHA or {0x00,0x05}

       GOV - Select this option to force the Secure Gateway to use government strength cipher suites. The Government strength cipher suite is: RSA_WITH_3DES_EDE_CBC_SHA or {0x00,0x0A}

       ALL - This option is the default setting and includes both the commercial and government strength cipher suites. Selecting this option prioritizes the cipher suites to give preference to the highest encryption strength.

Select the desired settings and click Next to continue. I recommend the defaults.

 


15.   The next screen asks you to list the IP addresses and ports on which the Secure Gateway server listens for incoming client connections.

Check the Monitor all IP addresses checkbox to force the Secure Gateway to listen for client connections on all available IP addresses on this server.

Enter a listener port number in the TCP port text box. The Secure Gateway listens for client connections on the port specified for all available IP addresses on the server. The default TCP port is 443.

To add an entry to the list, click Add. Select an entry in the list and click Modify to change an entry, or select an entry in the list and click Delete to remove the IP address from the list.

Click Next to continue.

 


16.   With the release of version 2.0 of Secure Gateway you can now apply outbound traffic restrictions to servers within the DMZ or the secure network using one of the following mechanisms:

       No outbound traffic restrictions - Select this option to enable the Secure Gateway Service to establish connections to any server within the DMZ or secure network.

       Use the Secure Gateway Proxy - Select this option to force the Secure Gateway to connect to a Secure Gateway Proxy server. If you select this option, specify the FQDN and TCP port number for the Secure Gateway Proxy server to connect to:

o        FQDN - Specify the fully qualified domain name of the server running the Secure Gateway Proxy software, for example, my_csg_proxy.company.com.

o        TCP port - Specify the port number on the Secure Gateway Proxy server on which the Secure Gateway Service contacts the proxy server. The default TCP port for unsecured communications between the Secure Gateway Service and the Secure Gateway Proxy is 1080; for secure communications use port 443.

o        Secured - Select this box to force the Secure Gateway Service to encrypt communications between itself and the Secure Gateway Proxy.

       Use an Access Control List (ACL) - Select this option to create an ACL for the Secure Gateway server. Using an ACL forces the Secure Gateway Service to establish connections only to server addresses specified in the ACL. Click Configure to manage entries in the ACL.

Select the desired configuration and click Next to continue.

 


17.   Configure the Secure Gateway server to communicate with a server running the Authentication Service in the secure network. The Secure Gateway contacts the Authentication Service for authentication and authorization of HTTP/S requests for resources aggregated through an access center. The Authentication Service authenticates and authorizes the user and issues access tokens that are returned to the client browser.

To enable the Secure Gateway server to contact the Authentication Service, specify the following values:

       FQDN - Enter the fully qualified domain name of the server running the Authentication Service, for example, myaccesscenter01.company.com

       Path - Specify the default path and file for the Authentication Service. This is typically /<AccessCenter>/AuthService/AuthService.asmx, where AccessCenter is replaced with the actual name of an access center.

       ID - The configuration wizard populates this field automatically when you click Next. The configuration wizard attempts to resolve the FQDN you specify and read the ID string from the server running the Authentication Service.

In the Communication protocol box:

       Secured with HTTPS - Check this box to encrypt communications between the Logon Agent and the Authentication Service using SSL or TLS.

       TCP port - Specify the network port on which to contact the Authentication Service.

       Use default - Check this box to use the default port assignment for the Authentication Service.

Click Next to continue.

 


18.   Connection parameters specify how the Secure Gateway handles client connections. Enter the following values:

       Connection timeout - The duration of time allowed for the handshaking operations required to establish a connection. Enter the duration, in seconds, after which the connection times out. The default value is 100 seconds.

       Cookie cache timeout - The duration of time after which an access token issued by the Authentication Service and cached by the Secure Gateway expires. The default value is 10 seconds. When the timeout occurs, the Secure Gateway asks the Authentication Service to revalidate the access token. If revalidation is successful, the Secure Gateway refreshes the access token in its cache.

Connection Limits:

       Unlimited - Select this box to allow unlimited connections to this server. If you select this option, the Secure Gateway overrides values specified for Maximum Connections and Connection Resume.

Citrix recommends that you enable this setting only if the processor on this server is capable of processing the maximum number of connections possible based on the typical usage profile of your client base.

Ensure that enabling this setting does not run the CPU continuously at very high loads, and that your users experience good quality of service.

       Maximum connections - Specifies the maximum number of concurrent connections allowed. The server stops accepting new connection requests when the number of connections equals the value of Maximum Connections.

Set this value at a number suitable to your environment bearing in mind the processor type and processor speed of this server, and the typical usage profile of your user base.

Citrix recommends that you set the value of maximum connection so that you don't run the CPU continuously at very high loads, and that your users experience good quality of service.

       Connection resume - This setting is related to the value you specify for Maximum Connections. If this server does reach the connection limit, it stops accepting connections until the total number of connections drops back to the number you specify for Connection Resume. The default value is set to 0.

Citrix recommends that you set the difference between values of Maximum Connections and Connection Resume at a minimum of 10%. For example, if Maximum Connections is 100, set Connection Resume at 90. The system default value is 90% of Maximum Connections.

 

19.   This screen lists the IP addresses of network devices, typically load balancers, that generate extraneous log information you may want to exclude from the Secure Gateway event log.

Third-party network devices deployed in a Secure Gateway environment may poll the Secure Gateway Service (or the Secure Gateway Proxy) repeatedly to ensure that the server is active. Each poll is recorded as a connection, resulting in the event log being filled up with unnecessary data.

To prevent such polling activity from being recorded in the system log, specify the IP addresses for devices that generate log information you want to exclude. The Secure Gateway Service (or Secure Gateway Proxy) then ignores polling activity from such devices and keeps the log free of this type of data.

Click Add to enter details of a server that you want to add to the exclusions list. Click Next to continue.


20.   Select a logging level for the Secure Gateway Service. This setting determines the type of errors and events the Secure Gateway Service logs in its application log. The following options are available:

       Fatal events only - Fatal error messages are logged because of operational failures that prevent the Secure Gateway from starting. Select this option to log only fatal events to the application log.

       Error and fatal events - Select this option to log fatal and service error messages to the Secure Gateway log. Service error messages occur because of partial failure of the Secure Gateway Service.

       Warning, error, and fatal events - Select this option to log warning, service and fatal errors to the application log. Warning error messages occur because of events caused by corrupted data requests or data packets received, ticket time-outs, and so on.

       All events including informational - Select this option to log all events and errors that occur on this server to the application log. Informational messages are logged because of client connection events. Selecting this option may result in the application log filling up rapidly.

Select an option from the list and click Next to continue.

 


21.   Enter information about the server running the Logon Agent or Web Interface for MetaFrame XP.

In the Location box select an option to specify the location of the Logon Agent or Web Interface.

Installed on this computer - Select this option if either the Logon Agent or Web Interface is installed on the same server as the Secure Gateway Service.

Installed on a different computer - Select this option if the Logon Agent or Web Interface is installed on a server other than the server running the Secure Gateway Service.

In the Details box enter the following settings to specify connectivity settings for a remote Web Interface server.

FQDN - Enter the fully qualified domain name of the server running the Logon Agent or Web Interface software. If you selected Installed on this computer as the Location, this field is automatically updated with the value "localhost."

TCP port - Specify the port number that the Secure Gateway Service uses to contact the Logon Agent or Web Interface.

Secured with HTTPS - Select this box to force the Secure Gateway Service to use HTTPS to communicate with the Logon Agent or Web Interface. If you selected Installed on this computer as the Location, this option is unavailable.

Click Next to continue.

 

Important: Running the Secure Gateway Service and the Logon Agent or Web Interface on a single server is supported only in a single stage DMZ environment. See the Secure Gateway for MetaFrame Administrators Guide for more information.
22.   You have now successfully installed Secure Gateway for MetaFrame to secure MetaFrame Secure Access Manager 2.0 and Web Interface 2.1. Click Finish to exit and reboot.

 

 

23.   Click Yes to reboot.

16. 3. 3 How to Install the Secure Gateway Service for MetaFrame XP Only

If users will be required to connect to MetaFrame XP via Web Interface only, follow the steps below.

The following defines how to install and configure the Secure Gateway Service to secure MetaFrame XP ICA traffic through Web Interface.

1.       Insert the MetaFrame XP Component CDROM, browse to \CitrixSecureGateway\Windows\ and double-click CSG_GWY.msi to start the installation program.

2.       The first screen you are presented with asks you for the Secure Gateway installation mode. This section allows you to define whether you will be utilizing the double-hop feature of SG. For this example click to select the Secure Gateway Service radio button. For more information on the double-hop feature please refer to the Secure Gateway for MetaFrame Administrators Guide.

You must then select which MetaFrame products you will be securing. For this example we are going to secure MetaFrame XP only, so click to select the MetaFrame XP Server only radio button and click Next to continue.

 

3.       Click Next to continue.

 


4.       Click to select the I accept the license agreement radio button and click Next to continue.

 

5.       Click Next to continue.

 


6.       Click Next to continue.

 

7.       Click to select the Advanced radio button and click Next to continue.

 


8.       Click to select the SSL Web Server certificate you want to use and click the View button. If you do not have a valid SSL certificate please refer to section 15. Install SSL Certificate and Secure IIS Servers found earlier in this document.

 

9.       Verify that the certificate's validity dates have not expired, then click the Details tab to confirm the certificate is valid. Click OK to continue.

10.   Select the secure protocol and cipher suite to use to encrypt communications between the Secure Gateway service and client device(s).

In the Select secure protocol box select the encryption protocol(s) that the Secure Gateway Service must use (Secure Gateway for MetaFrame supports the SSL 3.0 and TLS 1.0 protocols).

       Transport Layer Security (TLSv1) - Select this option to force the Secure Gateway to use TLS as the secure protocol. If you select this option, ensure all client devices and the Gateway Client are set to use TLS as well.

       Secure Sockets Layer (SSLv3) and TLSv1 - Select this option to enable the Secure Gateway Service to use both protocols. This is useful when the client requesting access to the enterprise network does not support one of the two protocols.

In the Select cipher suite box select the cipher suite that the Secure Gateway Service must use.

       COM - Select this option to force the Secure Gateway to use commercial strength cipher suites. The commercial strength cipher suites are RSA_WITH_RC4_128_MD5 ({0x00,0x04}) and RSA_WITH_RC4_128_SHA ({0x00,0x05}).

       GOV - Select this option to force the Secure Gateway to use government strength cipher suites. The government strength cipher suite is RSA_WITH_3DES_EDE_CBC_SHA ({0x00,0x0A}).

       ALL - This option is the default setting and includes both the commercial and government strength cipher suites. Selecting this option prioritizes the cipher suites to give preference to the highest encryption strength.

Select the desired settings and click Next to continue. I recommend the defaults.

 


11.   The next screen asks you to list the IP addresses and ports on which the Secure Gateway server listens for incoming client connections.

Check the Monitor all IP addresses checkbox to force the Secure Gateway to listen for client connections on all available IP addresses on this server.

Enter a listener port number in the TCP port text box. The Secure Gateway listens for client connections on the port specified for all available IP addresses on the server. The default TCP port is 443.

To add an entry to the list, click Add. Select an entry in the list and click Modify to change an entry, or select an entry in the list and click Delete to remove the IP address from the list.

Click Next to continue.

 


12.   With the release of version 2.0 of Secure Gateway you can now apply outbound traffic restrictions to servers within the DMZ or the secure network using one of the following mechanisms:

       No outbound traffic restrictions - Select this option to enable the Secure Gateway Service to establish connections to any server within the DMZ or secure network.

       Use the Secure Gateway Proxy - Select this option to force the Secure Gateway to connect to a Secure Gateway Proxy server. If you select this option, specify the FQDN and TCP port number for the Secure Gateway Proxy server to connect to:

o        FQDN - Specify the fully qualified domain name of the server running the Secure Gateway Proxy software, for example, my_csg_proxy.company.com.

o        TCP port - Specify the port number on the Secure Gateway Proxy server on which the Secure Gateway Service contacts the proxy server. The default TCP port for unsecured communications between the Secure Gateway Service and the Secure Gateway Proxy is 1080; for secure communications use port 443.

o        Secured - Select this box to force the Secure Gateway Service to encrypt communications between itself and the Secure Gateway Proxy.

       Use an Access Control List (ACL) - Select this option to create an ACL for the Secure Gateway server. Using an ACL forces the Secure Gateway Service to establish connections only to server addresses specified in the ACL. Click Configure to manage entries in the ACL.

Select the desired configuration and click Next to continue.

 


13.   The next screen you are presented with asks you to list the STAs that the Secure Gateway Service will contact for tickets. You can configure multiple STAs for failover protection. If you specify multiple STAs, ensure this matches the list of STAs that the Web Interface for MetaFrame XP is configured to contact.

Click Add to add an entry to the list of STA servers.

 

14.   The next screen prompts you to specify the details of a server running the Secure Ticket Authority. In the FQDN text box enter the fully qualified domain name of the STA. The Secure Gateway Service uses this information to contact the STA. In the Path text box enter the location of the CtxSTA.dll file, typically located in the Inetpub/Scripts directory.

Check the Secured with HTTPS check box if you would like to encrypt communications to the STA using SSL or TLS. If you do, you will require a Web Server certificate on the STA server and the associated root certificate installed on the server running the Secure Gateway Service.

If you need to change the default port assignment for the STA, uncheck the Use default checkbox and enter the network port number to use to contact the STA in the TCP port text box.

Click OK to continue.

 

15.   Select an entry in the list and click Modify to change an entry, or select an entry and click Delete to remove the server from the list.

16.   Repeat the previous step for any additional STA servers and click Next when finished.

 

17.   Connection parameters specify how the Secure Gateway handles client connections. Enter the following values:

       Connection timeout - The duration of time allowed for the handshaking operations required to establish a connection. Enter the duration, in seconds, after which the connection times out. The default value is 100 seconds.

       Cookie cache timeout - The duration of time after which an access token issued by the Authentication Service and cached by the Secure Gateway expires. The default value is 10 seconds. When the timeout occurs, the Secure Gateway asks the Authentication Service to revalidate the access token. If revalidation is successful, the Secure Gateway refreshes the access token in its cache.

Connection Limits:

       Unlimited - Select this box to allow unlimited connections to this server. If you select this option, the Secure Gateway overrides values specified for Maximum Connections and Connection Resume.

Citrix recommends that you enable this setting only if the processor on this server is capable of processing the maximum number of connections possible based on the typical usage profile of your client base.

Ensure that enabling this setting does not run the CPU continuously at very high loads, and that your users experience good quality of service.

       Maximum connections - Specifies the maximum number of concurrent connections allowed. The server stops accepting new connection requests when the number of connections equals the value of Maximum Connections.

Set this value at a number suitable to your environment bearing in mind the processor type and processor speed of this server, and the typical usage profile of your user base.

Citrix recommends that you set the value of maximum connection so that you don't run the CPU continuously at very high loads, and that your users experience good quality of service.

       Connection resume - This setting is related to the value you specify for Maximum Connections. If this server does reach the connection limit, it stops accepting connections until the total number of connections drops back to the number you specify for Connection Resume. The default value is set to 0.

Citrix recommends that you set the difference between values of Maximum Connections and Connection Resume at a minimum of 10%. For example, if Maximum Connections is 100, set Connection Resume at 90. The system default value is 90% of Maximum Connections.
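The Connection Limits settings (this step and the identical step 18 of the previous procedure) describe admission control with hysteresis: the server refuses new connections once the count reaches Maximum Connections and only resumes once it has fallen to Connection Resume. The following added example models that behaviour and checks the 10% gap guidance; it is illustration code written for this guide, not Citrix code, and the class and function names are my own.

```python
"""Connection Limits from the Secure Gateway configuration wizard, modelled
as admission control with hysteresis. Added illustration, not Citrix code:
the class and method names are my own."""


class ConnectionLimiter:
    """Models Unlimited, Maximum Connections and Connection Resume.

    maximum: Maximum Connections, or None when the Unlimited box is checked.
    resume:  Connection Resume; 0 selects the system default, which the
             wizard text gives as 90% of Maximum Connections.
    """

    def __init__(self, maximum=None, resume=0):
        self.maximum = maximum
        if maximum is not None and resume == 0:
            resume = int(maximum * 0.9)
        self.resume = resume
        self.active = 0
        self.paused = False   # True while new connections are being refused
        self.rejected = 0

    def try_connect(self):
        """Accept or refuse one incoming client connection."""
        if self.maximum is None:          # Unlimited overrides both values
            self.active += 1
            return True
        # The server stops accepting when the count equals Maximum Connections
        # and does not start again until it has fallen to Connection Resume.
        if self.paused or self.active >= self.maximum:
            self.paused = True
            self.rejected += 1
            return False
        self.active += 1
        return True

    def disconnect(self):
        """A client session ended; re-open admission once at the resume mark."""
        if self.active > 0:
            self.active -= 1
        if self.paused and self.active <= self.resume:
            self.paused = False


def resume_gap_ok(maximum, resume):
    """Citrix's guidance above: keep at least a 10% gap between the two values."""
    return 0 <= resume < maximum and maximum - resume >= 0.1 * maximum


def run_burst(limiter, arrivals):
    """Offer `arrivals` connections at once and report (accepted, refused)."""
    accepted = sum(1 for _ in range(arrivals) if limiter.try_connect())
    return accepted, arrivals - accepted


if __name__ == "__main__":
    lim = ConnectionLimiter(maximum=100)      # resume defaults to 90
    print(run_burst(lim, 120))                # (100, 20)
    for _ in range(10):
        lim.disconnect()                      # back down to 90: admission resumes
    print(lim.try_connect(), lim.active)      # True 91
```

The point of the gap is visible in the simulation: with resume set too close to the maximum the server flaps between refusing and accepting on every disconnect, which is the CPU load pattern the guidance warns against.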

 

18.   This screen lists the IP addresses of network devices, typically load balancers, that generate extraneous log information you may want to exclude from the Secure Gateway event log.

Third-party network devices deployed in a Secure Gateway environment may poll the Secure Gateway Service (or the Secure Gateway Proxy) repeatedly to ensure that the server is active. Each poll is recorded as a connection, resulting in the event log being filled up with unnecessary data.

To prevent such polling activity from being recorded in the system log, specify the IP addresses for devices that generate log information you want to exclude. The Secure Gateway Service (or Secure Gateway Proxy) then ignores polling activity from such devices and keeps the log free of this type of data.

Click Add to enter details of a server that you want to add to the exclusions list. Click Next to continue.


19.   Select a logging level for the Secure Gateway Service. This setting determines the type of errors and events the Secure Gateway Service logs in its application log. The following options are available:

       Fatal events only - Fatal error messages are logged because of operational failures that prevent the Secure Gateway from starting. Select this option to log only fatal events to the application log.

       Error and fatal events - Select this option to log fatal and service error messages to the Secure Gateway log. Service error messages occur because of partial failure of the Secure Gateway Service.

       Warning, error, and fatal events - Select this option to log warning, service and fatal errors to the application log. Warning error messages occur because of events caused by corrupted data requests or data packets received, ticket time-outs, and so on.

       All events including informational - Select this option to log all events and errors that occur on this server to the application log. Informational messages are logged because of client connection events. Selecting this option may result in the application log filling up rapidly.

Select an option from the list and click Next to continue.
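The exclusion list (step 18) and the logging level (step 19), and the identical steps 19 and 20 of the previous procedure, are the two controls that decide what reaches the Secure Gateway application log. The following added example applies both to a handful of constructed event records so you can see how much a polling load balancer contributes at each level; it is illustration code, not Citrix code, and the sample records and IP addresses are made up.

```python
"""Log hygiene for the Secure Gateway application log: the exclusion list for
polling devices and the logging level, applied to constructed event records.
Added illustration, not Citrix code."""

from ipaddress import ip_address

# The four wizard choices, in increasing verbosity. Each choice keeps every
# severity whose index is at or below the choice's threshold.
SEVERITIES = ("FATAL", "ERROR", "WARNING", "INFO")
LEVEL_CHOICES = {
    "Fatal events only": 0,
    "Error and fatal events": 1,
    "Warning, error, and fatal events": 2,
    "All events including informational": 3,
}

# Constructed sample records: (source IP, severity, message). 10.0.0.5 plays
# the role of a load balancer that polls the gateway to check it is alive.
SAMPLE_EVENTS = [
    ("10.0.0.5", "INFO", "client connection opened"),
    ("10.0.0.5", "INFO", "client connection closed"),
    ("203.0.113.7", "INFO", "client connection opened"),
    ("203.0.113.7", "WARNING", "ticket time-out"),
    ("203.0.113.9", "ERROR", "partial failure of the Secure Gateway Service"),
    ("10.0.0.5", "INFO", "client connection opened"),
    ("0.0.0.0", "FATAL", "service failed to start"),
]


def filter_events(events, level_choice, excluded_ips=()):
    """Return the records that would reach the application log.

    Polling activity shows up as informational connection events, so only
    INFO records from excluded devices are dropped; an error reported for
    one of those addresses is still logged (my reading of the wizard text,
    not a documented Citrix rule).
    """
    threshold = LEVEL_CHOICES[level_choice]
    excluded = {ip_address(ip) for ip in excluded_ips}
    kept = []
    for src, severity, message in events:
        if severity == "INFO" and ip_address(src) in excluded:
            continue
        if SEVERITIES.index(severity) <= threshold:
            kept.append((src, severity, message))
    return kept


def noise_ratio(events, level_choice, excluded_ips=()):
    """Fraction of records removed by the two controls together."""
    if not events:
        return 0.0
    kept = filter_events(events, level_choice, excluded_ips)
    return 1 - len(kept) / len(events)


if __name__ == "__main__":
    for choice in LEVEL_CHOICES:
        kept = filter_events(SAMPLE_EVENTS, choice, ["10.0.0.5"])
        print(f"{choice}: {len(kept)} of {len(SAMPLE_EVENTS)} records kept")
```

Note that the exclusion list removes the health-check noise without lowering the logging level, which keeps the warning and error records that an incident responder actually needs.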

 


20.   Enter information about the server running the Logon Agent or Web Interface for MetaFrame XP.

In the Location box select an option to specify the location of the Logon Agent or Web Interface.

Installed on this computer - Select this option if either the Logon Agent or Web Interface is installed on the same server as the Secure Gateway Service.

Installed on a different computer - Select this option if the Logon Agent or Web Interface is installed on a server other than the server running the Secure Gateway Service.

In the Details box select the following settings to specify connectivity settings for a remote Web Interface server.

FQDN - Enter the fully qualified domain name of the server running the Logon Agent or Web Interface software. If you selected Installed on this computer as the Location, this field is automatically updated with the value "localhost."

TCP port - Specify the port number that the Secure Gateway Service uses to contact the Logon Agent or Web Interface.

Secured with HTTPS - Select this box to force the Secure Gateway Service to use HTTPS to communicate with the Logon Agent or Web Interface. If you selected Installed on this computer as the Location, this option is unavailable.

Click Next to continue.

 

Important: Running the Secure Gateway Service and the Logon Agent or Web Interface on a single server is supported only in a single stage DMZ environment. See the Secure Gateway for MetaFrame Administrators Guide for more information.
21.   You have now successfully installed Secure Gateway for MetaFrame to secure MetaFrame XP ICA traffic through the Web Interface 2.1. Click Finish to exit and reboot.

 

22.   Click Yes to reboot.

16. 3. 4 How to Install Service Pack 1 for Secure Gateway 2.0 for MetaFrame

If you will be deploying MetaFrame Secure Access Manager 2.0 with Service Pack 1 (2.1) and Secure Gateway for MetaFrame, you will be required to upgrade the Secure Gateway Service to the SP1 version.

The following defines how to upgrade the Secure Gateway Service to the correct version to work with MetaFrame Secure Access Manager 2.1.

1.       During the installation of MetaFrame Secure Access Manager 2.0 you would have downloaded and installed Service Pack 1. This updates MetaFrame Secure Access Manager to version 2.1 and fixes a few issues with Secure Gateway. With this in mind it is crucial that we update the Secure Gateway Service.

2.       Copy the extracted SP1 files to the server running the Secure Gateway Service and double click on the autorun.exe executable. Click the Secure Gateway for MetaFrame button to upgrade the Secure Gateway Service.

 

3.       Click Next to continue.


4.       Click Next to continue.

 

 

5.       Click Finish.

 

 

You have now successfully upgraded the Secure Gateway Service. The installation program should have restarted the service, but it would be smart to verify it is running through the Services applet in Administrative Tools.

 


16. 3. 5 How to Configure the Login Agent

If users will be using Secure Gateway for MetaFrame to log on to a MetaFrame Secure Access Manager 2.0 Access Center, they will be logging in through the Logon Agent, not the Logon CDA. The Logon Agent is an ASP Web-based login service that displays a login page and processes logon requests. Clients should not be able to access the Logon Agent without going through the gateway. If they do, the Access Center will fail to load. This is true whether the Logon Agent is co-located on the same box as the gateway service or on a separate server.

The Logon Agent ships with two logon page templates: one using basic username, password and domain, and a second supporting integration with RSA SecurID.

Upon successful authentication, the AuthService returns:

       Session cookie

       Redirection URL

       Other cookies required by SAM

       List of allowed internal web servers

 

Performance

The Logon Agent can handle approximately 20 logons per second when run on a standalone 1GHz server. By default, the logon agent is installed on the gateway server. This is fine for small deployments (<1000 users). But for large deployments, the logon agent should be moved to separate machines. If necessary, multiple logon agents per gateway could be used.

 

 


The following defines how to configure the AuthService_conf.asp file.

 

1.       On the IIS web server running the Logon Agent, browse to the \wwwroot\LogonAgent directory and open the AuthService_conf.asp page. You are now ready to modify a few of the settings in this file.

2.       In order to specify a different log level than the default you will want to change the LP_LogLevel value to the appropriate value, as shown below.

3.       The LP_PageTitleStr value can be changed to specify a custom string to be shown in the title bar of the web browser displaying the Logon Agent.

4.       The LP_LogoTitleStr value should NOT be changed.

5.       The LP_CookieSecure value defines whether all cookie values are marked as secure. I don't recommend you change this value.

6.       Probably the most common modification to this file will be to force a default domain so the end-users are not required to enter the domain at logon time.

The LP_DomainMode value allows you to set the Logon Agent to force the domain. Enter the appropriate value, as shown below. I recommend forcing the domain if at all possible. In the following example I have configured the Logon Agent to force the DABCC domain.


7.       The LP_ForceLogonDomain value works in conjunction with the LP_DomainMode value to supply the name of the domain to be used at logon time. Enter the name of the appropriate domain between the quotes, as shown below.

 

8.       If you will be requiring access to multiple domains you have the ability to create a drop-down list of the desired domains. The LP_DomainCount value allows you to force the use of multiple domains. Set the value to 1 to force the use of the drop-down list or 0 to disable the use of this feature.

 

9.       The LP_Domains(X) value works in conjunction with the LP_DomainCount value as it allows you to specify the desired domains to be displayed in the drop-down list. Enter the desired domain in between the quotes and then for additional domains you will be required to add another line and increment the number of domains, as shown below. Repeat this until you have added all the desired domains.

10.    The remaining entries should not be edited.

 

You have now successfully configured the Logon Agent properties. You will want to perform an IISRESET from the command prompt to implement the changes.
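Before running the IISRESET it is worth checking that the edits above are consistent with each other: that cookies are still marked secure, that a forced domain actually names a domain, and that the drop-down list entries are numbered without gaps. The following added example does that check over a constructed sample; it is not Citrix code, and it assumes the settings appear in AuthService_conf.asp as VBScript-style assignments of the form LP_Name = value, which is my assumption about the file layout (the guide shows the values only in screenshots). Treating any non-zero LP_DomainMode as "force the domain" is likewise an assumption, since the guide does not list the mode values.

```python
"""Pre-flight check of the Logon Agent settings edited in section 16.3.5.
Added illustration, not Citrix code. Assumes VBScript-style assignments
(LP_Name = value) in AuthService_conf.asp; the sample below is constructed."""

import re

# Constructed sample of the relevant lines, forcing the DABCC domain as in the
# guide's example and listing two domains for the drop-down.
SAMPLE_CONF = '''
LP_LogLevel = 1
LP_PageTitleStr = "DABCC Access Center"
LP_CookieSecure = True
LP_DomainMode = 1
LP_ForceLogonDomain = "DABCC"
LP_DomainCount = 1
LP_Domains(0) = "DABCC"
LP_Domains(1) = "DABCC-TEST"
'''

ASSIGNMENT = re.compile(r'^\s*(LP_\w+(?:\(\d+\))?)\s*=\s*(.+?)\s*$')
DOMAIN_ENTRY = re.compile(r'LP_Domains\((\d+)\)')


def parse_conf(text):
    """Map each LP_ setting name (including LP_Domains(n)) to its raw value."""
    settings = {}
    for line in text.splitlines():
        match = ASSIGNMENT.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def unquote(value):
    return value.strip().strip('"')


def domain_indices(settings):
    """Sorted n for every LP_Domains(n) entry present."""
    found = []
    for key in settings:
        match = DOMAIN_ENTRY.fullmatch(key)
        if match:
            found.append(int(match.group(1)))
    return sorted(found)


def audit(settings):
    """Return a list of findings; an empty list means the edits look consistent."""
    findings = []

    # Step 5: logon cookies should keep the Secure attribute.
    if unquote(settings.get("LP_CookieSecure", "")).lower() != "true":
        findings.append("LP_CookieSecure is not True; logon cookies would be "
                        "sent without the Secure attribute")

    # Steps 6-7: a forced domain needs a domain name to force (assumption:
    # any non-zero LP_DomainMode means "force").
    if settings.get("LP_DomainMode", "0") != "0" and \
            not unquote(settings.get("LP_ForceLogonDomain", "")):
        findings.append("LP_DomainMode forces a domain but LP_ForceLogonDomain is empty")

    # Steps 8-9: the drop-down needs contiguous, non-empty LP_Domains(n) entries.
    indices = domain_indices(settings)
    if settings.get("LP_DomainCount") == "1":
        if not indices:
            findings.append("LP_DomainCount is 1 but no LP_Domains(n) entries exist")
        elif indices != list(range(indices[0], indices[0] + len(indices))):
            findings.append(f"LP_Domains(n) entries are not numbered contiguously: {indices}")
        for n in indices:
            if not unquote(settings[f"LP_Domains({n})"]):
                findings.append(f"LP_Domains({n}) is empty")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_CONF)) or ["no findings"]:
        print(finding)
```

Run it against a copy of the edited file before the IISRESET; a gap in the LP_Domains numbering or an emptied LP_ForceLogonDomain is exactly the kind of slip that only shows up as a failed logon afterwards.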

 

 


16. 3. 6 How to Disable the Gateway Client

By default if you will be using Secure Gateway to login to a MetaFrame Secure Access Manager 2.0 Access Center then the Logon Agent will automatically deploy the Gateway Client to the client device.

If for any reason you need to disable this client, follow the steps below. For example, if you will be required to log on to password-protected web sites from a local site you will want to remove the Gateway Client, as it does not support this feature as of yet.

 

One way to do this is to rename the .cab file on the internal MetaFrame Secure Access Manager Web server. The Gateway Client is located at the following path.

 

  • Inetpub\wwwroot\<Access_Center_Name>\CDS\CGC\en\CSGProxy.cab

 

As an example, rename the .cab file from CSGProxy.cab to _CSGProxy.cab to disable it.

 

A different approach would be to modify the default code using CDAPad in sbSessionInit as shown in the next example.

 

Original code:

 

If bCSGEnabled Then
%>
    function <%=Namespace("CGCTest")%>()
    {
        // Probe for the Gateway Client ActiveX control; a failed
        // instantiation is swallowed and reported as "not present".
        var oCGC = null;
        try {
            oCGC = new ActiveXObject("CSGProxy.CitrixSecureGatewayProxy.1");
        }
        catch(e) {
        }

        return (oCGC != null);
    }
<%
End If
%>

 

Disabled code:

 

If bCSGEnabled Then
%>
    function <%=Namespace("CGCTest")%>()
    {
        // Probe body commented out: the function now returns nothing
        // (undefined), so the Gateway Client is never detected or deployed.
        /*
        var oCGC = null;
        try {
            oCGC = new ActiveXObject("CSGProxy.CitrixSecureGatewayProxy.1");
        }
        catch(e) {
        }

        return (oCGC != null);
        */
    }
<%
End If
%>


16. 3. 7 How to Configure Web Interface to Utilize Secure Gateway Services

Now that we have configured the Secure Gateway components, we can turn our attention to Web Interface 2.1. Web Interface provides the Web front end that ICA Client users connect to, and supports the ticketing and authentication functions of Secure Gateway.

The following details how to configure Web Interface 2.1 to utilize Secure Gateway for MetaFrame.

1.      Open the Web Interface Web Administrator (http://<web interface server>/citrix/metaframexp/wiadmin)

2.      Click the Server-Side Firewall link

3.      You are now presented with the Server-side firewall settings page. Click the Secure Gateway for MetaFrame radio button in the Default address translation setting section to set SG as the default method for ICA session traffic.

4.      You can specify address translation settings per IP network. If you would like a specific IP network to use a different address translation than the default, enter the IP network number in the Client address prefix text box, select the address translation Option radio button and click Add.

5.      Click the Server-Side Firewall link and scroll down to the Secure Gateway for MetaFrame section of the page.

 

6.      Enter the FQDN address of the server running the SG component in the Address (FQDN) text box.

7.      Enter the port the SG component is listening on in the Port text box.

8.      If you have a firewall configured to perform network address translation between the SG box and the MetaFrame XP Server then you will need to check the Use alternate addresses of MetaFrame servers checkbox.

9.      In the Secure Ticket Authorities URL text box enter the NETBIOS name of the server running the STA component in place of <server> and click the Add button.

10. Repeat the previous step to add further STA servers for high availability. If you will be using multiple STAs then I recommend checking the Use the Secure Ticket Authority list for load balancing checkbox to enable round robin load balancing.


11. Click Save when finished. Click the Apply Changes link.

 

12. Click the Apply Changes button to apply the above changes.

 

You have now successfully implemented Secure Gateway in order to secure the ICA session traffic through the Web Interface for MetaFrame XP.

