About Citrix Gateway
Citrix Gateway is easy to deploy and simple to administer. The most typical deployment configuration is to locate the Citrix Gateway appliance in the DMZ. You can install multiple Citrix Gateway appliances in the network for more complex deployments.
The first time you start Citrix Gateway, you can perform the initial configuration by using a serial console, the Setup Wizard in the configuration utility, or the Dynamic Host Configuration Protocol (DHCP). On the MPX appliance, you can use the LCD keypad on the front panel of the appliance to perform the initial configuration. You can configure basic settings that are specific to your internal network, such as the IP address, subnet mask, default gateway IP address, and Domain Name System (DNS) address. After you configure the basic network settings, you then configure the settings specific to the Citrix Gateway operation, such as the options for authentication, authorization, network resources, virtual servers, session policies, and endpoint policies.
Before you install and configure Citrix Gateway, review the topics in this section for information about planning your deployment. Deployment planning can include determining where to install the appliance, understanding how to install multiple appliances in the DMZ, and licensing requirements. You can install Citrix Gateway in any network infrastructure without requiring changes to the existing hardware or software running in the secure network. Citrix Gateway supports other networking products, such as server load balancers, cache engines, firewalls, routers, and IEEE 802.11 wireless devices.
You can write your settings in the Pre-Installation Checklist to have on hand before you configure Citrix Gateway.
Citrix Gateway Appliances | Provides information about Citrix Gateway appliances and the appliance installation instructions. |
Pre-Installation Checklist | Provides planning information to review and a list of tasks to complete before you install Citrix Gateway in your network. |
Common Deployments | Provides information about deploying the Citrix Gateway in the network DMZ, in a secure network without a DMZ, and with other appliances to support load balancing and failover. Also provides information about deploying Citrix Gateway with Citrix Virtual Apps and Desktops. |
Licensing | Provides information about installing licenses on the appliance. Also provides information about installing licenses on multiple Citrix Gateway appliances. |
Citrix Gateway architecture
The core components of Citrix Gateway are:
-
Virtual servers. The Citrix Gateway virtual server is an internal entity that is a representative of all the configured services available to users. The virtual server is also the access point through which users access these services. You can configure multiple virtual servers on a single appliance, allowing one Citrix Gateway appliance to serve multiple user communities with differing authentication and resource access requirements.
- Authentication, authorization, and auditing. You can configure authentication, authorization, and accounting to allow users to log on to Citrix Gateway with credentials that either Citrix Gateway or authentication servers located in the secure network, such as LDAP or RADIUS, recognize. Authorization policies define user permissions, determining which resources a given user is authorized to access. For more information about authentication and authorization, see Configuring Authentication and Authorization. Auditing servers maintain data about Citrix Gateway activity, including user logon events, resource access instances, and operational errors. This information is stored on Citrix Gateway or on an external server. For more information about auditing, see Configuring Auditing on Citrix Gateway
-
User connections. Users can log on to Citrix Gateway by using the following access methods:
-
The Citrix Secure Access agent for Windows is software that is installed on a Windows-based computer. Users log on by right-clicking an icon in the notification area on a Windows-based computer. If users are using a computer in which the Citrix Secure Access agent is not installed, they can log on by using a web browser to download and install the plug-in. If users have Citrix Workspace app installed, users log on with the Citrix Secure Access agent from Citrix Workspace app. When Citrix Workspace app and the Citrix Secure Access agent are installed on the user device, Citrix Workspace app adds the Citrix Secure Access agent automatically.
-
The Citrix Secure Access agent for macOS X that allows users running macOS X to log on. It has the same features and functions as the Citrix Secure Access agent for Windows. You can provide endpoint analysis support for this plug-in version by installing Citrix ADC Gateway 10.1, Build 120.1316.e.
-
Citrix Workspace app that allows user connections to published applications and virtual desktops in a server farm by using the Web Interface or Citrix StoreFront.
-
Citrix Workspace app, Secure Hub, WorxMail, and WorxWeb that allows users access to web and SaaS applications, iOS and Android mobile apps, and ShareFile data hosted in Citrix Endpoint Management.
-
Users can connect from an Android device that uses the Citrix Gateway web address. When users start an app, the connection uses Micro VPN to route network traffic to the internal network. If users connect from an Android device, you must configure DNS settings on Citrix Gateway. For more information, see Supporting DNS Queries by Using DNS Suffixes for Android Devices.
-
Users can connect from an iOS device that uses the Citrix Gateway web address. You configure Secure Browse either globally or in a session profile. When users start an app on their iOS device, a VPN connection starts and the connection routes through Citrix Gateway.
-
Clientless access that provides users with the access they need without installing software on the user device.
When configuring Citrix Gateway, you can create policies to configure how users log on. You can also restrict user logon by creating session and endpoint analysis policies.
-
-
Network resources. These include all network services that users access through Citrix Gateway, such as file servers, applications, and websites.
-
Virtual adapter. The Citrix Gateway virtual adapter supports applications that require IP spoofing. The virtual adapter is installed on the user device when the Citrix Secure Access agent is installed. When users connect to the internal network, the outbound connection between Citrix Gateway and internal servers uses the intranet IP address as the source IP address. The Citrix Secure Access agent receives this IP address from the server as part of the configuration.
If you enable split tunneling on Citrix Gateway, all intranet traffic is routed through the virtual adapter. When intercepting intranet bound traffic, the virtual adapter will intercept A and AAAA record type DNS queries while leaving all other DNS queries intact. Network traffic that is not bound for the internal network is routed through the network adapter installed on the user device. Internet and private LAN (LAN) connections remain open and connected. If you disable split tunneling, all connections are routed through the virtual adapter. Any existing connections are disconnected and the user must reestablish the session.
If you configure an intranet IP address, traffic to the internal network is spoofed with the intranet IP address through the virtual adapter.
How user connections work
Users can connect to their emails, file shares, and other network resources from a remote location. Users can connect to internal network resources with the following software:
- Citrix Secure Access agent
- Citrix Workspace app
- WorxMail and WorxWeb
- Android and iOS mobile devices
Connect with the Citrix Secure Access agent
The Citrix Secure Access agent allows user access to resources in the internal network through the following steps:
- A user connects to Citrix Gateway for the first time by typing the web address in a web browser. The logon page appears and the user is prompted to enter a user name and password. If external authentication servers are configured, Citrix Gateway contacts the server and the authentication servers verify the user’s credentials. If local authentication is configured, Citrix Gateway performs the user authentication.
- If you configure a preauthentication policy, when the user types the Citrix Gateway web address in a web browser on a Windows-based computer or a macOS X computer, Citrix Gateway checks to see if any client-based security policies are in place before the logon page appears. The security checks verify that the user device meets the security-related conditions, such as operating system updates, antivirus protection, and a properly configured firewall. If the user device fails the security check, Citrix Gateway blocks the user from logging on. A user who cannot log on must download the necessary updates or packages and install them on the user device. When the user device passes the preauthentication policy, the logon page appears and the user can enter the logon credentials. You can use Advanced Endpoint Analysis on a macOS X computer if you install Citrix Gateway 10.1, Build 120.1316.e.
- When Citrix Gateway successfully authenticates the user, Citrix Gateway initiates the VPN tunnel. Citrix Gateway prompts the user to download and install the Citrix Secure Access agent for Windows or the Citrix Secure Access agent for macOS X. If you are using the Network Gateway plug-in for Java, the user device is also initialized with a list of preconfigured resource IP addresses and port numbers.
- If you configure a post-authentication scan, after a user successfully logs on, Citrix Gateway scans the user device for the required client security policies. You can require the same security-related conditions as for a preauthentication policy. If the user device fails the scan, either the policy is not applied or the user is placed in a quarantine group and the user’s access to network resources is limited.
- When the session is established, the user is directed to a Citrix Gateway home page where the user can select resources to access. The home page that is included with Citrix Gateway is called the Access Interface. If the user logs on by using the Citrix Secure Access agent for Windows, an icon in the notification area on the Windows desktop shows that the user device is connected and the user receives a message that the connection is established. The user can also access resources in the network without using the Access Interface, such as opening Microsoft Outlook and retrieving email.
- If the user request passes both preauthentication and post-authentication security checks, Citrix Gateway then contacts the requested resource and initiates a secure connection between the user device and that resource.
- The user can close an active session by right-clicking the Citrix Gateway icon in the notification area on a Windows-based computer and then clicking Logoff. The session can also time out due to inactivity. When the session is closed, the tunnel is shut down and the user no longer has access to internal resources. The user can also type the Citrix Gateway web address in a browser. When the user presses Enter, the Access Interface appears from which users can log off.
Note: If you deploy Citrix Endpoint Management in your internal network, a user who connects from outside the internal network must connect to Citrix Gateway first. When the user establishes the connection, the user can access web and SaaS applications, Android and iOS mobile apps, and ShareFile data hosted on Citrix Endpoint Management. A user can connect with the Citrix Secure Access agent through clientless access, or by using Citrix Workspace app or Secure Hub.
Connect with Citrix Workspace app
Users can connect with Citrix Workspace app to access their Windows-based applications and virtual desktops. Users can also access applications from Endpoint Management. To connect from a remote location, users also install the Citrix Secure Access agent on their device. Citrix Workspace app automatically adds the Citrix Secure Access agent to its list of plug-ins. When users log on to Citrix Workspace app, they can also log on to the Citrix Secure Access agent. You can also configure Citrix Gateway to perform single sign-on to the Citrix Secure Access agent when users log on to Citrix Workspace app.
Connect with iOS and Android devices
Users can connect from an iOS or Android device by using Secure Hub. Users can access their email by using Secure Mail and connect to websites with WorxWeb.
When users connect from the mobile device, the connections route through Citrix Gateway to access internal resources. If users connect with iOS, you enable Secure Browse as part of the session profile. If users connect with Android, the connection uses the Micro VPN automatically. In addition, Secure Mail and WorxWeb use Micro VPN to establish connections through Citrix Gateway. You do not have to configure Micro VPN on Citrix Gateway.