Citrix Gateway

Gateway pre-installation checklist

The checklist consists of a list of tasks and planning information you must complete before you install Citrix Gateway.

Space is provided so that you can check off each task as you complete it and make notes. Citrix recommends that you make note of the configuration values that you need to enter during the installation process and while configuring Citrix Gateway.

For steps to install and configure Citrix Gateway, see Installing Citrix Gateway.

User devices

  • Ensure that user devices meet the installation prerequisites described in Citrix Secure Access System Requirements.
  • Identify the mobile devices with which users connect. Note: If users connect with an iOS device, you must enable Secure Browse in a session profile.

Citrix Gateway basic network connectivity

Citrix recommends that you obtain licenses and signed server certificates before you start to configure the appliance.

  • Identify and write down the Citrix Gateway host name. Note: This is not the fully qualified domain name (FQDN). The FQDN is contained in the signed server certificate that is bound to the virtual server.
  • Obtain Universal licenses from the Citrix website.
  • Generate a Certificate Signing Request (CSR) and send it to a Certificate Authority (CA). Enter the date you send the CSR to the Certificate Authority.
  • Write down the system IP address and subnet mask.
  • Write down the subnet IP address and subnet mask.
  • Write down the administrator password. The default password that comes with Citrix Gateway is nsroot.
  • Write down the port number on which Citrix Gateway listens for secure user connections. The default is TCP port 443. This port must be open on the firewall between the unsecured network (Internet) and the DMZ.
  • Write down the default gateway IP address.
  • Write down the DNS server IP address and port number. The default port number is 53. In addition, if you are adding the DNS server directly, you must also configure ICMP (ping) on the appliance.
  • Write down the first virtual server IP address and host name.
  • Write down the second virtual server IP address and host name (if applicable).
  • Write down the WINS server IP address (if applicable).

Internal networks accessible through Citrix Gateway

  • Write down the internal networks that users can access through Citrix Gateway. Example: 10.10.0.0/24
  • Enter all internal networks and network segments that users need access to when they connect through Citrix Gateway by using the Citrix Secure Access agent.

High availability

If you have two Citrix Gateway appliances, you can deploy them in a high availability configuration in which one Citrix Gateway accepts and manages connections, while a second Citrix Gateway monitors the first appliance. If the first Citrix Gateway stops accepting connections for any reason, the second Citrix Gateway takes over and begins actively accepting connections.

  • Write down the Citrix Gateway software version number. The version number must be the same on both Citrix Gateway appliances.
  • Write down the administrator password (nsroot). The password must be the same on both appliances.
  • Write down the primary Citrix Gateway IP address and ID. The maximum ID number is 64.
  • Write down the secondary Citrix Gateway IP address and ID.
  • Obtain the Universal license and install the same license on both appliances.
  • Write down the RPC node password.

Authentication and Authorization

Citrix Gateway supports several different authentication and authorization types that can be used in various combinations. For detailed information about authentication and authorization, see Authentication and Authorization.

LDAP authentication

If your environment includes an LDAP server, you can use LDAP for authentication.

  • Write down the LDAP server IP address and port.

    If you allow unsecure connections to the LDAP server, the default port is 389. If you encrypt connections to the LDAP server with SSL, the default port is 636.

  • Write down the security type.

    You can configure security with or without encryption.

  • Write down the administrator bind DN.

    If your LDAP server requires authentication, enter the administrator DN that Citrix Gateway must use to authenticate when making queries to the LDAP directory. An example is cn=administrator,cn=Users,dc=ace,dc=com.

  • Write down the administrator password.

    The password is associated with the administrator bind DN.

  • Write down the Base DN.

    The DN (or directory level) under which users are located; for example, ou=users,dc=ace,dc=com.

  • Write down the server logon name attribute.

    Enter the LDAP directory person object attribute that specifies a user’s logon name. The default is sAMAccountName. If you are not using Active Directory, the common values for this setting are cn or uid. For more information about LDAP directory settings, see Configuring LDAP Authentication.

  • Write down the group attribute. Enter the LDAP directory person object attribute that specifies the groups to which a user belongs. The default is memberOf. This attribute enables Citrix Gateway to identify the directory groups to which a user belongs.
  • Write down the subattribute name.

RADIUS authentication and authorization

If your environment includes a RADIUS server, you can use RADIUS for authentication. RADIUS authentication includes RSA SecurID, SafeWord, and Gemalto Protiva products.

  • Write down the primary RADIUS server IP address and port. The default port is 1812.
  • Write down the primary RADIUS server secret (shared secret).
  • Write down the secondary RADIUS server IP address and port. The default port is 1812.
  • Write down the secondary RADIUS server secret (shared secret).
  • Write down the type of password encoding (PAP, CHAP, MS-CHAP v1, MS-CHAP v2).
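The sections above ask you to record a number of values before installation. The following Python script is an added example, not Citrix code, that runs a pre-flight check over those recorded values before you type them into the appliance: address and mask validity, CIDR syntax for the internal networks, the default nsroot password left in place, HA node IDs above the documented maximum of 64, a version mismatch between the two HA appliances, an LDAP bind configured without encryption, malformed bind or base DNs, and an empty RADIUS shared secret. The KEY=VALUE checklist format and every sample value in it are constructed for illustration.

```python
"""Pre-flight validator for the values a Citrix Gateway checklist asks you to record.

Added example, not Citrix code. The KEY=VALUE checklist format and the sample
values below are constructed for illustration.
"""
import ipaddress
import re

# Constructed sample checklist: the values this page asks you to write down.
SAMPLE_CHECKLIST = """
host_name=gw01
system_ip=192.0.2.10
system_mask=255.255.255.0
subnet_ip=192.0.2.11
subnet_mask=255.255.255.0
admin_password=nsroot
vserver_port=443
dns_ip=192.0.2.53
dns_port=53
internal_networks=10.10.0.0/24, 10.20.0.0/16
ha_primary_id=1
ha_secondary_id=70
ha_version_primary=EXAMPLE-VERSION-A
ha_version_secondary=EXAMPLE-VERSION-B
ldap_port=389
ldap_security=plaintext
ldap_bind_dn=cn=administrator,cn=Users,dc=ace,dc=com
ldap_base_dn=ou=users,dc=ace,dc=com
radius_port=1812
radius_secret=
"""

DEFAULT_ADMIN_PASSWORD = "nsroot"   # documented default; must be changed
HA_MAX_NODE_ID = 64                 # documented maximum HA node ID
DN_RE = re.compile(r"^([a-zA-Z]+=[^,=]+)(,[a-zA-Z]+=[^,=]+)*$")


def parse_checklist(text):
    """Parse KEY=VALUE lines; split on the first '=' so DN values keep their own '='."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def _check_port(values, key, findings):
    """Append a finding unless the value is an integer in the valid TCP/UDP port range."""
    try:
        port = int(values.get(key, ""))
    except ValueError:
        findings.append(f"{key}: not a number")
        return
    if not 1 <= port <= 65535:
        findings.append(f"{key}: {port} is outside 1-65535")


def validate(values):
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []

    # System IP and subnet IP must each be a valid address with a valid dotted mask.
    for ip_key, mask_key in (("system_ip", "system_mask"), ("subnet_ip", "subnet_mask")):
        try:
            ipaddress.ip_interface(f"{values[ip_key]}/{values[mask_key]}")
        except (KeyError, ValueError) as exc:
            findings.append(f"{ip_key}/{mask_key}: invalid ({exc})")

    # Internal networks reachable through the gateway must be proper network prefixes
    # (strict=True rejects a host address with a prefix length, e.g. 10.10.0.5/24).
    for net in filter(None, (n.strip() for n in values.get("internal_networks", "").split(","))):
        try:
            ipaddress.ip_network(net, strict=True)
        except ValueError:
            findings.append(f"internal_networks: {net!r} is not a valid network prefix")

    # The documented default credential must not survive into production.
    if values.get("admin_password", "") in ("", DEFAULT_ADMIN_PASSWORD):
        findings.append("admin_password: default or empty; set a unique password before deployment")

    for key in ("vserver_port", "dns_port", "ldap_port", "radius_port"):
        _check_port(values, key, findings)

    # High availability: node IDs at most 64, identical software version on both appliances.
    for key in ("ha_primary_id", "ha_secondary_id"):
        try:
            if int(values.get(key, "")) > HA_MAX_NODE_ID:
                findings.append(f"{key}: node ID exceeds maximum of {HA_MAX_NODE_ID}")
        except ValueError:
            findings.append(f"{key}: not a number")
    if values.get("ha_version_primary") != values.get("ha_version_secondary"):
        findings.append("ha_version: software versions differ between the two appliances")

    # LDAP: a plaintext bind sends the bind DN password across the DMZ unencrypted;
    # SSL on port 636 is the encrypted default.
    if values.get("ldap_security", "").lower() == "plaintext":
        findings.append("ldap_security: bind credentials cross the DMZ unencrypted; use SSL on port 636")
    elif values.get("ldap_port") == "389":
        findings.append("ldap_port: 389 is the plaintext default; SSL normally uses 636")
    for key in ("ldap_bind_dn", "ldap_base_dn"):
        if not DN_RE.match(values.get(key, "")):
            findings.append(f"{key}: not a well-formed DN")

    # RADIUS: each server entry needs a shared secret.
    if not values.get("radius_secret"):
        findings.append("radius_secret: shared secret is empty")

    return findings


if __name__ == "__main__":
    for finding in validate(parse_checklist(SAMPLE_CHECKLIST)):
        print("FINDING:", finding)
```

Run as-is, the script reports the five problems deliberately planted in the sample (default password, HA node ID 70, version mismatch, plaintext LDAP, empty RADIUS secret); correcting those values yields an empty findings list. The address checks use the standard library's ipaddress module, which accepts the dotted masks the checklist records, so no extra dependencies are needed.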

SAML Authentication

The Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization between Identity Providers (IdP) and Service Providers.

  • Obtain and install on Citrix Gateway a secure IdP certificate.
  • Write down the redirect URL.
  • Write down the user field.
  • Write down the signing certificate name.
  • Write down the SAML issuer name.
  • Write down the default authentication group.

Opening ports through the firewalls (single-hop DMZ)

If your organization protects the internal network with a single DMZ and you deploy the Citrix Gateway in the DMZ, open the following ports through the firewalls. If you are installing two Citrix Gateway appliances in a double-hop DMZ deployment, see Opening the Appropriate Ports on the Firewalls.

On the firewall between the unsecured network and the DMZ

  • Open a TCP/SSL port (default 443) on the firewall between the Internet and Citrix Gateway. User devices connect to Citrix Gateway on this port.

On the firewall between the DMZ and the secured network

  • Open one or more appropriate ports on the firewall between the DMZ and the secured network. Citrix Gateway connects to one or more authentication servers or to computers running Citrix Virtual Apps and Desktops in the secured network on these ports.
  • Write down the authentication ports.

    Open only the port appropriate for your Citrix Gateway configuration.

    • For LDAP connections, the default is TCP port 389.
    • For a RADIUS connection, the default is UDP port 1812.

  • Write down the Citrix Virtual Apps and Desktops ports.

    If you are using Citrix Gateway with Citrix Virtual Apps and Desktops, open TCP port 1494. If you enable session reliability, open TCP port 2598 instead of 1494. Citrix recommends keeping both of these ports open.

Citrix Virtual Desktops, Citrix Virtual Apps, the Web Interface, or StoreFront

Complete the following tasks if you are deploying Citrix Gateway to provide access to Citrix Virtual Apps and Desktops through the Web Interface or StoreFront. The Citrix Secure Access agent is not required for this deployment. Users access published applications and desktops through Citrix Gateway by using only web browsers and Citrix Receiver.

  • Write down the FQDN or IP address of the server running the Web Interface or StoreFront.
  • Write down the FQDN or IP address of the server running the Secure Ticket Authority (STA) (for Web Interface only).

Citrix Endpoint Management

Complete the following tasks if you deploy Citrix Endpoint Management in your internal network. If users connect to Endpoint Management from an external network, such as the Internet, users must connect to Citrix Gateway before accessing mobile, web, and SaaS apps.

  • Write down the FQDN or IP address of Endpoint Management.
  • Identify web, SaaS, and mobile iOS or Android applications users can access.

Double-Hop DMZ deployment with Citrix Virtual Apps

Complete the following tasks if you are deploying two Citrix Gateway appliances in a double-hop DMZ configuration to support access to servers running Citrix Virtual Apps.

Citrix Gateway in the first DMZ

The first DMZ is the DMZ at the outermost edge of your internal network (closest to the Internet or unsecure network). Clients connect to Citrix Gateway in the first DMZ through the firewall separating the Internet from the DMZ. Collect this information before installing Citrix Gateway in the first DMZ.

  • Complete the items in the Citrix Gateway Basic Network Connectivity section of this checklist for this Citrix Gateway.

    When completing those items, Interface 0 connects this Citrix Gateway to the Internet and Interface 1 connects this Citrix Gateway to Citrix Gateway in the second DMZ.

  • Configure the second DMZ appliance information on the primary appliance.

    To configure Citrix Gateway as the first hop in the double-hop DMZ, you must specify the host name or IP address of Citrix Gateway in the second DMZ on the appliance in the first DMZ. After the Citrix Gateway proxy is configured on the appliance in the first hop, bind it to Citrix Gateway globally or to a virtual server.

  • Write down the connection protocol and port between appliances.

    To configure Citrix Gateway as the first hop in the double-hop DMZ, you must specify the connection protocol and the port on which Citrix Gateway in the second DMZ listens for connections. The connection protocol and port are SOCKS with SSL (default port 443). The protocol and port must be open through the firewall that separates the first DMZ from the second DMZ.

Citrix Gateway in the second DMZ

The second DMZ is the DMZ closest to your internal, secure network. Citrix Gateway deployed in the second DMZ serves as a proxy for ICA traffic, carrying it across the second DMZ between the external user devices and the servers on the internal network.

  • Complete the tasks in the Citrix Gateway Basic Network Connectivity section of this checklist for this Citrix Gateway.

    When completing those items, Interface 0 connects this Citrix Gateway to Citrix Gateway in the first DMZ. Interface 1 connects this Citrix Gateway to the secured network.