WHITE PAPER Citrix Secure Gateway Startup Guide www.citrix.com
Contents
Introduction
What you will need
Preparing the environment for Secure Gateway
Installing a CA using Windows Server 2008
Creating a Web Server certificate using Server 2008
Generating a Certificate Signing Request using IIS 7.0
A word on certificates
Signing the CSR with your CA
Attaching the Signed certificate with the Private key
Downloading the Root CA certificate
Installing the Root CA Certificate
Installing Citrix Secure Gateway
Installing Citrix Secure Gateway
Configuring Secure Gateway
Modify the Hosts file so the Secure Gateway server can accept connections on the FQDN
Making a connection through Secure Gateway
Creating a Web Server certificate with IIS 6.0
Sending the request to be signed
Completing the Certificate request
Introduction
Secure Gateway is the de facto standard for providing secure remote access for remote users to Citrix hosted applications. Citrix Secure Gateway is an application that runs as a service on a server deployed in the DMZ for maximum security. If cost or storage is an issue, Secure Gateway can also be installed on a XenApp server; the effect on performance will depend on the number of users connecting. The Citrix recommended maximum tested on a standalone server is 250 connections. It is assumed you already have a server running XenApp, with Web Interface configured to point to that server as its XML broker. This document guides you through installing a Certificate Authority (CA), generating a certificate for use with Secure Gateway, installing and configuring Secure Gateway, and launching an application through the gateway.

What you will need
A single Windows Server 2003/2008
XenApp installed with at least one application published
Web Interface installed with one web site created
A tested application launch using the direct (non-gateway) method

Preparing the environment for Secure Gateway
To configure and start Citrix Secure Gateway you will need two certificates: a server certificate and a root certificate. Follow the screen shots below for instructions on how to install your own certificate authority for testing purposes. In my example, the Certificate Authority (CA) is on the XenApp server. For security purposes, the CA would normally be on the domain controller or a dedicated server.

Installing a CA using Windows Server 2008
When it is necessary to sign your own server certificate, installing the Certification Authority role on a domain controller or member server is the cost-effective, low-hassle way to do it. Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage their validity.
For the purposes of this document, you will be creating an Enterprise Root CA, and the screen shots will guide you through the installation process. All steps in this guide should be done while logged on as a domain administrator to avoid any permission-related issues.
1. On your Windows 2008 server, begin by clicking Start > Server Manager.
2. Within the Server Manager console, highlight Roles on the left-hand side, then click Add Roles on the right-hand side.
3. Check the box next to Active Directory Certificate Services, then click Next.
4. Read the overview of the Role you are adding; specifically, the part that states that after adding the Role you will not be able to change the computer name or domain membership, or promote the server to be a domain controller. Then click Next.
5. Select the box next to each of the following Role Services, then click Next:
a. Certification Authority
b. Certification Authority Web Enrollment
c. Online Responder
6. For Setup type, we are creating an Enterprise CA that will be the Root; click Next.
7. Select Root CA and click Next.
8. Create a new private key for certificate signing and click Next.
9. We will use the default cryptographic service provider, RSA, and the default key length, 2048 bit. Note: 2048 is the default key length in Windows Server 2008, because the greater the key length, the more secure it is considered; when creating a CA on Windows Server 2003, however, the default key length is 1024 bit.
10. The CA Name, or Common Name as stated here, is placed on all certificates that the CA signs. As you can see, the domain and canonical name are placed in the server certificate. This is why, when you add this Role, you are not able to change the computer name or domain membership: doing so would compromise the common name that it signs certificates with.
11. This screen specifies how long the CA private key will remain valid; click Next.
12. Click Next.
13. Review the Roles and Role Services, then click Install.
14. Click Close. You now have a CA for certificate signing.
This is what you should see in Server Manager > Roles if you have installed the role successfully. When the Web Enrollment Role Service is added successfully, you should see the CertSrv virtual directory within IIS Manager. It is accessible by browsing to http://localhost/certsrv or http://ipaddressofca/certsrv; if prompted to authenticate, enter the credentials of the Domain or Local administrator, whichever one you installed the role as.
Creating a Web Server certificate using Server 2008
Generating a Certificate Signing Request using IIS 7.0
1. Navigate to Start > Administrative Tools > Internet Information Services Manager.
2. Highlight the IIS home page, as seen on the left-hand side above; then, on the right-hand side, scroll down and click Server Certificates.
3. There will be two certificates in the computer store already: 1) one created during the installation of IIS, and 2) one created during the installation of the CA role, used to identify the entity that signs certificates and known as the Root certificate.
4. Click Create Certificate Request.
5. Enter the common name of the certificate; it can be any string, as seen below. Click Next.
a. Remote.UpstartCompany.com
b. ABC.123.XYZ
c. Remote.myserver.xtrasecure.mil
A word on certificates
As stated above, the certificate can carry any name, as long as that name is resolvable by the client through DNS or the hosts file (located at c:\windows\system32\drivers\etc\hosts). Certificates are generally used by web servers to facilitate secure communication with a web browser. For more reading please see: HTTP Over TLS http://www.apps.ietf.org/rfc/rfc2818.html and The TLS Protocol Version 1.0 http://www.ietf.org/rfc/rfc2246.txt
6. Accept the default and click Next.
7. Save the CSR to a text file, preferably on the desktop, by clicking the button and then clicking Desktop.
8. Name the file certreq and click Open.
9. Be sure that the certificate request is saved in a place you have permission to write to and that is easy to access, like the desktop, then click Finish. You now have your certificate request. The next step is to send this request to a CA so that it may be signed.
Signing the CSR with your CA
1. After you have created the Certificate Signing Request, you must have it signed by a CA. To accomplish this, open a web browser on the CA and navigate to http://localhost/certsrv. If doing this from a machine other than the CA, enter the following URL into the web browser: http://ipaddressofca/certsrv
2. Under Select a task, click Request a certificate.
3. We are creating a Web Server certificate, so choose advanced certificate request.
4. Click the second option, Submit a certificate request by using a base-64-encoded CMC.
5. Go to the CertReq.txt file, open it, and copy the contents as seen above, copying everything from the first line to the last line of the request with no extra whitespace.
6. Paste the copied text into the Saved Request field and, in the Certificate Template dropdown box, choose Web Server.
7. With the radio button next to DER encoded selected, click Download certificate.
8. Save it to the Desktop as Certnew.cer.
Attaching the Signed certificate with the Private key
1. Back in the Server Certificates node within the IIS home page, click Complete Certificate Request.
2. Click the browse button and browse to the Certnew.cer file (or whatever you named the file that you downloaded from the CA).
3. Click the certificate received from the CA after submitting the CSR and click Open.
4. Give the certificate a Friendly Name. This is how the certificate will show up in the Microsoft certificate store; it serves only as a label, and the name is arbitrary.
5. Click OK.
You now have three certificates within the Server Certificates viewer, and are ready to download the Root Certificate from the CA.
Downloading the Root CA certificate
1. In a browser, go to the Certificate Services web enrollment tool.
2. Click Download a CA certificate, certificate chain, or CRL.
3. Click Download CA certificate, again with DER encoding selected.
4. Save As Rootcert.cer onto the desktop.
Installing the Root CA Certificate
1. Open the Rootcert.cer that you saved to the Desktop.
2. On the General tab, click Install Certificate.
3. Click Next.
4. Select Place all certificates in the following store.
5. Click Browse.
6. Check the box next to Show physical stores, then expand Trusted Root Certification Authorities > Local Computer and click OK.
7. Click Next.
8. Click Finish.
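Before moving on to the gateway install, it is worth checking from the command line that the two pieces above actually fit together: the signed server certificate must sit in the Local Computer personal store with its private key attached (the "You have the private key" condition the Configuring Secure Gateway section depends on), and it must chain to the root you just placed in Trusted Root Certification Authorities. The following PowerShell is an added example, not part of the Citrix guide; the common name remoteapps.mycsg.com is a placeholder taken from the hosts-file example later in this document, so substitute the common name you put in your CSR.

```powershell
# Added example, not from the Citrix guide: verify that the signed server
# certificate in the Local Computer personal store has its private key and
# chains to the root CA installed under Trusted Root Certification Authorities.
# The common name is a placeholder; use the one from your CSR.
param([string]$CommonName = 'remoteapps.mycsg.com')

function Test-GatewayCertificate {
    param([string]$CommonName)
    $pattern = 'CN=' + [regex]::Escape($CommonName) + '(,|$)'
    # Newest matching certificate wins, in case an older request is still present
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $pattern } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
    if (-not $cert) {
        return New-Object PSObject -Property @{ Found = $false; CommonName = $CommonName }
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A lab CA rarely publishes a reachable CRL; validate the chain, not revocation
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainBuilt = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # The root must be explicitly present in the machine's trusted root store
    $rootTrusted = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint }).Count -gt 0

    New-Object PSObject -Property @{
        Found              = $true
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        HasPrivateKey      = $cert.HasPrivateKey     # must be True for Secure Gateway
        ChainBuilt         = $chainBuilt
        RootSubject        = $root.Subject
        RootInTrustedStore = $rootTrusted
        ChainStatus        = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        NotAfter           = $cert.NotAfter
    }
}

$result = Test-GatewayCertificate -CommonName $CommonName
$result | Format-List
if (-not $result.Found) {
    Write-Warning "No certificate with CN=$CommonName in Cert:\LocalMachine\My; complete the certificate request in IIS first."
} elseif (-not $result.HasPrivateKey) {
    Write-Warning "Certificate found but no private key: complete the request on the machine that generated the CSR."
} elseif (-not $result.ChainBuilt -or -not $result.RootInTrustedStore) {
    Write-Warning "Chain does not validate to a trusted root: install Rootcert.cer into Trusted Root Certification Authorities (Local Computer)."
}
```

Run it in an elevated PowerShell prompt on the gateway server; the three warnings map to the three failure modes the guide's later troubleshooting notes describe.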
Installing Citrix Secure Gateway
Before we can begin the installation of Citrix Secure Gateway, we must ensure that port 443 is not in use. After you install a server certificate, IIS automatically binds to port 443 with the certificate, so we must remove the binding or change the port that it is using. As expected, there is a binding to 443 on the site, as can be seen below. For the purposes of this document, we will be removing the https binding.
1. Open IIS Manager and click Default Web Site.
2. On the right-hand side, click Bindings.
3. Scroll down, highlight HTTPS, and click Remove.
Note: If you want to secure traffic between IIS and Citrix Secure Gateway, edit the binding and change the port to 444 or some other non-well-known TCP port. For best performance, it is only recommended to secure this traffic when IIS and Citrix Secure Gateway are on different servers.
Notice that port 443 is no longer occupied, because there is no binding for it under the Default Web Site actions pane.
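The binding list only tells you what IIS thinks it owns; Secure Gateway will fail to start if any process has TCP 443 open. The script below, an added example that is not part of the Citrix guide, checks the port at the socket level and lists every IIS site that still carries an HTTPS binding. It assumes IIS 7.x with the WebAdministration PowerShell module (Windows Server 2008 R2 or later) for the binding part; the netstat part works on any Windows version.

```powershell
# Added example, not from the Citrix guide: confirm nothing is listening on
# TCP 443 before Secure Gateway starts, and list IIS sites that still have an
# HTTPS binding. Assumes IIS 7.x with the WebAdministration module.
param([int]$Port = 443)

function Get-PortListeners {
    # Parse "netstat -ano" rather than Get-NetTCPConnection so this also works
    # on Windows Server 2008, where the NetTCPIP cmdlets do not exist.
    param([int]$Port)
    netstat -ano -p tcp | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        # Columns: Proto, Local Address, Foreign Address, State, PID
        if ($f.Length -ge 5 -and $f[3] -eq 'LISTENING' -and $f[1] -match ":${Port}$") {
            $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '(unknown)' }
            New-Object PSObject -Property @{
                LocalAddress = $f[1]
                ProcessId    = [int]$f[4]
                ProcessName  = $name
            }
        }
    }
}

function Get-HttpsBindings {
    Import-Module WebAdministration -ErrorAction Stop
    Get-ChildItem IIS:\Sites | ForEach-Object {
        $site = $_.Name
        $_.Bindings.Collection |
            Where-Object { $_.protocol -eq 'https' } |
            ForEach-Object {
                New-Object PSObject -Property @{ Site = $site; Binding = $_.bindingInformation }
            }
    }
}

$listeners = @(Get-PortListeners -Port $Port)
if ($listeners.Count -eq 0) {
    Write-Host "Port $Port is free; Secure Gateway can bind to it."
} else {
    Write-Host "Port $Port is in use:"
    $listeners | Format-Table LocalAddress, ProcessId, ProcessName -AutoSize
}
Write-Host "IIS HTTPS bindings still present:"
Get-HttpsBindings | Format-Table Site, Binding -AutoSize

# Scripted equivalent of the guide's Remove step (run deliberately, not by default):
# Remove-WebBinding -Name 'Default Web Site' -Protocol https -Port $Port
# Or, to keep IIS on TLS for a separate gateway host, move the binding to 444:
# Set-WebBinding -Name 'Default Web Site' -BindingInformation "*:${Port}:" -PropertyName Port -Value 444
```

Note that the listener on 443 may be the HTTP.SYS kernel driver (PID 4, shown as "System") rather than a worker process, which is exactly what an IIS HTTPS binding looks like from the socket side.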
Installing Citrix Secure Gateway
1. Open and run the CSG_GWY executable file.
2. Follow the setup recommendations and click Next.
3. Click Next.
4. We are installing only Secure Gateway; click Next. Secure Gateway Proxy is for use in a dual-hop DMZ and acts as a relay host for communications from the second stage of the DMZ to the trusted network.
5. Click Next.
6. From the dropdown, change the installation account to LocalSystem. This ensures the service can run in the event of a Network Service permission lockdown, which is common in enterprise environments.
7. Click Next.
8. Click Finish, then OK in the next dialog box, to begin the initial configuration.
9. Click OK.
Configuring Secure Gateway
1. Click Advanced and Next.
2. Select the certificate that you created and click View.
Note: If you cannot get past this screen, then you did not complete the certificate request after downloading the .cer file from the certsrv URL; go to IIS and click Complete Certificate Request.
3. If you do not see the note You have the private key that corresponds to this certificate, go to IIS Manager > IIS home page > Server Certificates > Complete Certificate Request, then point to certnew.cer and give it a Friendly name.
4. If you do see the message, click OK and Next.
5. Accept defaults and click Next.
6. Accept defaults and click Next.
7. Accept defaults and click Next.
8. For the FQDN, enter the IP address or NetBIOS name of the XenApp server.
a. Leave the path as default.
b. If the XML service is sharing the port with IIS, click OK.
c. If the XML service is on a dedicated port, clear the Use Default box and enter the dedicated port that the XML service is on.
9. You should see an STA identifier after the Citrix Secure Gateway has communicated successfully with the XenApp server. If your XenApp server is a Windows Server 2008, make sure that all three Windows Firewall profiles are turned off and that the XML service is started.
10. Click Next.
11. Accept defaults and click Next.
12. Accept defaults and click Next.
13. Specify how users will access Web Interface:
a. Indirect means that to access Web Interface securely, users enter the fully qualified domain name on the certificate attached to Secure Gateway.
b. Direct means that users are able to access Web Interface by the IP address or fully qualified domain name of the Citrix Secure Gateway.
Choose the default settings, because Citrix Secure Gateway and Web Interface are on the same machine for this lab.
14. This page controls the level of logging written to the Windows event log. It is useful to look in the logs when troubleshooting service or network errors thought to be caused by the gateway.
15. Click Finish to start the Secure Gateway.
Note: If the service does not start, make sure that no other process is listening on the secure socket port, 443.
Modify the Hosts file so the Secure Gateway server can accept connections on the FQDN
Because Secure Gateway listens for incoming connections by the common name of the server certificate, and that certificate name may or may not be the same as the fully qualified domain name of the machine, we have to ensure that the local hosts file on the Citrix Secure Gateway server has a host entry for that name, so that we can ping the name on the server and it resolves to itself.
1. Click Start and navigate to the file above, c:\windows\system32\drivers\etc\hosts. Open it with Notepad.
2. Enter the following data in your hosts file, as seen above: the IP address of your server, a <tab>, then the SSL common name of the certificate. For example, the FQDN of my server, based on domain membership, is csg.mojicalab.com and the SSL common name of my certificate is remoteapps.mycsg.com. Normally, the SSL common name would not resolve to my IP address, but by entering this line into the hosts file, as seen above, it will. Save and close.
3. Open a command line and ping the name you entered in the hosts file. It should resolve to the local IP.
4. Open the Web Interface management console and highlight XenApp Web Sites > External or XenApp > Secure Access.
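Steps 2 and 3 above can be done, and verified, in one PowerShell script. This is an added example and not part of the Citrix guide: it writes the entry in the same "IP address, tab, common name" layout the guide uses, skips the write if the name is already present, flushes the resolver cache, and then checks that the common name resolves to the server's own address. The name remoteapps.mycsg.com comes from the guide's example; the IP address 192.0.2.10 is a constructed placeholder, so pass your server's real address.

```powershell
# Added example, not from the Citrix guide: add the hosts entry from step 2
# idempotently and confirm the certificate's common name resolves to the
# gateway's own IP, which is what the ping in step 3 checks.
# Placeholders: the common name is the guide's example; the IP is constructed.
param(
    [string]$CommonName = 'remoteapps.mycsg.com',
    [string]$IPAddress  = '192.0.2.10'
)
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Add-HostsEntry {
    param([string]$Path, [string]$IPAddress, [string]$Name)
    # Match "<address> <name>" on a non-comment line, so a stale entry is reported
    $namePattern = '^\s*\S+\s+' + [regex]::Escape($Name) + '(\s|$)'
    $existing = Get-Content $Path | Where-Object { $_ -match $namePattern -and $_ -notmatch '^\s*#' }
    if ($existing) {
        return "already present: $($existing -join '; ')"
    }
    # Start on a fresh line even if the file does not end with a newline
    $raw = [System.IO.File]::ReadAllText($Path)
    $prefix = if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) { "`r`n" } else { '' }
    # Same layout as the guide: IP address, a tab, the SSL common name
    Add-Content -Path $Path -Value ($prefix + ("{0}`t{1}" -f $IPAddress, $Name))
    return 'added'
}

function Test-NameResolvesTo {
    param([string]$Name, [string]$IPAddress)
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
    } catch {
        return $false
    }
    return ($addresses -contains $IPAddress)
}

# Editing the hosts file requires an elevated prompt
Write-Host (Add-HostsEntry -Path $HostsPath -IPAddress $IPAddress -Name $CommonName)
ipconfig /flushdns | Out-Null    # drop any cached negative answer for the name
if (Test-NameResolvesTo -Name $CommonName -IPAddress $IPAddress) {
    Write-Host "$CommonName resolves to $IPAddress on this server."
} else {
    Write-Warning "$CommonName does not resolve to $IPAddress; check the hosts file entry."
}
```

If the check fails while the entry is present, look for a second, earlier line for the same name: the resolver takes the first match in the file.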
5. Select the default access method, Gateway direct, and click Edit.
Note: This wizard will configure Web Interface to generate launch.ica files that route user connections through the gateway.
6. Enter the FQDN and uncheck the box for Enable session reliability.
7. Click Next.
8. Enter the same Secure Ticket Authority (STA) as listed on Secure Gateway. If you entered the IP address on Secure Gateway, then enter the address here as well for Web Interface. As you see above, the STA is listed as ip:port if XML is not sharing the port with IIS.
9. The Secure access tab should have a check next to Gateway Direct.
Making a connection through Secure Gateway
1. Open Internet Explorer and go to the FQDN of Secure Gateway. You will see that the Web Interface logon page is secured, under the name on the certificate.
2. Log on and launch your application.
3. After your application starts, go to the Connection Center: in the system tray, right-click the Citrix icon, then click Connection Center.
4. Highlight the farm name and click Properties on the right-hand side of the Connection Center.
5. See that the encryption level is 256 Bit SSL/TLS.
6. Go to Start > All Programs > Citrix > Management Consoles > Secure Gateway Management Console.
Creating a Web Server certificate with IIS 6.0
1. Open the Internet Information Services (IIS) 6.0 Manager.
2. Click Default Web Site.
3. Right-click and choose Properties.
4. Once in Properties, notice that there is no SSL port configured; then go to Directory Security.
5. Click Server Certificate.
6. Click Next.
7. Accept the defaults and click Next.
8. Give the certificate a friendly name and accept the default bit length.
9. Click Next.
10. Complete the required fields.
11. Click Next.
12. Enter the name of your certificate, known as the common name or FQDN.
13. Complete the required fields.
14. Click Next.
15. Accept the defaults.
16. Click Next.
17. Review the entries.
18. Click Next.
19. Click Finish.
Sending the request to be signed
1. Copy the text from the certreq.txt file in the root of the c:\ drive on the Windows 2003 CA server. Go to the http://localhost/certsrv URL.
2. Click Request a certificate.
3. Click advanced certificate request.
4. Click Submit a certificate request by using a base-64-encoded CMC.
5. Paste the certificate request into the Saved Request field.
6. For Certificate Template, choose Web Server.
7. Click Submit.
8. Choose DER Encoded, then click Download.
Completing the Certificate request
1. Go to the Properties of the Default Web Site again within IIS 6.0 Manager.
2. Click Server Certificate.
3. Click Next.
4. Choose the option to Process the pending request and install the certificate.
5. Click Browse.
6. Navigate to the location where the certnew.cer file was downloaded to; the default path is the root of the c:\ drive.
7. Change the SSL port to 444. This is required if Secure Gateway will listen on port 443.
8. Click Next.
9. Click Finish.
10. View the completed certificate by clicking View Certificate.
11. You should see You have the private key that corresponds to this certificate. This means that the signed certificate has been successfully bound to the paired private key, creating a complete web server certificate.