Citrix Gateway

Additional Configuration Guidelines

When you configure the Web Interface for single sign-on, use the following guidelines:

  • The Authentication Service URL must begin with https.
  • The server running the Web Interface must trust the Citrix Gateway certificate and be able to resolve the certificate fully qualified domain name (FQDN) to the virtual server IP address.
  • The Web Interface must be able to open a connection to the Citrix Gateway virtual server. Any Citrix Gateway virtual server can be used for this purpose; it does not have to be the virtual server to which users log on.
  • If there is a firewall between the Web Interface and Citrix Gateway, firewall rules can prevent user access, which disables single sign-on to the Web Interface. To work around this issue, either relax your firewall rules or create another virtual server on Citrix Gateway to which the Web Interface can connect. The virtual server must have an IP address that is in the internal network. When connecting to the Web Interface, use the secure port 443 as the destination port.
  • If you are using a certificate from a private Certificate Authority (CA) for the virtual server, in the Microsoft Management Console (MMC), use the certificates snap-in to install the CA root certificate in the local computer certificate store on the server running the Web Interface.
  • When users log on and receive an access denied error message, check the Web Interface event viewer for more information.
  • For successful user connections to published applications or desktops, the Secure Ticket Authority (STA) that you configured on Citrix Gateway must match the STA that you configured on the Web Interface.
Additional Configuration Guidelines