Securing Server Access with the Secure Gateway


The Secure Gateway for Presentation Server is a component of Citrix's Access Suite infrastructure and is used to secure access to server farms and access centers. Communication with the servers is both authenticated and encrypted, ensuring maximum security for the environment.

The Secure Gateway also eases firewall traversal by eliminating the need for users to establish connections to specific MetaFrame servers via port 1494. With the Secure Gateway, all communications take place through port 443 (SSL/TLS port), a commonly used port open on most firewalls. Figure 14.8 demonstrates a simple implementation of the Secure Gateway with the Web Interface, securing access to published resources in one or more server farms. The different communication paths are illustrated in this figure. Notice that the client device has only one point of entry into that environment: the Secure Gateway.

Figure 14.8. Typical Web Interface implementation with Secure Gateway.

Alert

The Secure Gateway can be used to secure either a MetaFrame server farm or an environment running the MetaFrame Secure Access Manager. This exam focuses only on securing a MetaFrame Server farm using the Secure Gateway.


The behavior of a Web Interface environment when Secure Gateway has been deployed differs from running the Web Interface on its own. The following steps illustrate how a user would access an application set and launch a published application when the Secure Gateway and Web Interface are deployed together to secure access to a server farm:

1. The user enters the address of the Secure Gateway in his or her web browser, not the address of the Web Interface. The Secure Gateway receives the request and then forwards it on to the Web Interface, which in turn presents the user with the logon page.

2. The user enters his or her credentials, and the information is routed through the Secure Gateway to the Web Interface.

3. The Web Interface contacts the Citrix XML Service on one of the servers in the farm and retrieves the application set for that user. The generated page is passed back through the Web Interface to the user.

4. After the user clicks an application link, the Web Interface retrieves a server IP address and port from the XML Service. It then passes this information to the Secure Ticket Authority (STA), requesting a session ticket.

5. The STA stores the server address information and issues an associated ticket to the Web Interface.

6. The Web Interface includes this ticket in the ICA file generated for the client. This file also contains the server name of the Secure Gateway. It does not contain the name of the MetaFrame Server associated with that ticket. In a Secure Gateway deployment, the specific server name is never revealed to the Presentation Server client.

7. The Presentation Server connection is initiated on the client using the generated ICA file. The client contacts the Secure Gateway and presents the session ticket.

8. The Secure Gateway then contacts the STA and presents the ticket for validation. If the ticket is valid, the corresponding server address is returned to the Secure Gateway. If it is invalid, an error message is returned to the client.

9. After receiving a valid server address, the Gateway establishes a connection with the Presentation Server and then brokers the flow of data between that server and the client.

The following components interact in this scenario:

  • Secure Gateway: This is the single point of user access to the server farm. Every client request for a MetaFrame server is brokered through the Secure Gateway. The Secure Gateway can run on the same server as the Web Interface, or it can be deployed on its own dedicated server. For maximum security, it should run on its own server. Secure communications require that the Secure Gateway has a server certificate installed.

  • Web Interface: The Web Interface is deployed in the DMZ along with the Secure Gateway. The Web Interface must be configured to function with the Secure Gateway as described earlier in this chapter.

  • Secure Ticket Authority (STA): Residing in the secure network, the STA is responsible for creating and issuing session tickets. Session tickets are created when a user requests access to a published resource. A ticket is passed through the Web Interface to the client, which in turn passes the ticket to the Secure Gateway. The Secure Gateway returns the ticket to the STA in exchange for the appropriate server and application information, which is then used to establish the actual connection with the published application. Tickets themselves contain no server or user authentication information. To ensure secured communications, the STA must have a server certificate installed.

  • Citrix XML Service: The Web Interface contacts the server farm via the Citrix XML Service running on a MetaFrame server. Communications to the Citrix XML Service are secured using SSL Relay.
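
The ticket exchange in steps 4 through 9, together with the STA role in the component list above, modeled as an added Python example (not Citrix code and not from the book). Class, function and field names are hypothetical, single-use redemption is an assumption of the model, and the 100-second timeout is the STA default this chapter gives.

```python
import secrets
import time


class TicketAuthority:
    """Toy model of the STA: maps opaque tickets to server addresses."""

    def __init__(self, timeout=100, max_tickets=1000, clock=time.monotonic):
        self.timeout = timeout          # seconds; 100 is the default the page gives
        self.max_tickets = max_tickets  # cap on outstanding tickets
        self.clock = clock              # injectable so expiry can be tested
        self._store = {}                # ticket -> (server_address, expiry)

    def _purge(self):
        """Drop every ticket whose lifetime has elapsed."""
        now = self.clock()
        self._store = {t: v for t, v in self._store.items() if v[1] > now}

    def issue(self, server_address):
        """Steps 4-5: store the address and hand back a random ticket."""
        self._purge()
        if len(self._store) >= self.max_tickets:
            raise RuntimeError("ticket limit reached")
        ticket = secrets.token_hex(16)  # random: carries no server or user data
        self._store[ticket] = (server_address, self.clock() + self.timeout)
        return ticket

    def redeem(self, ticket):
        """Step 8: return the address for a valid ticket, else None.
        Assumption: the ticket is removed on first redemption (single use)."""
        self._purge()
        entry = self._store.pop(ticket, None)
        return entry[0] if entry else None


def build_launch_file(gateway_fqdn, ticket):
    """Step 6: what the client receives. Field names are hypothetical, not
    real ICA file keys; no farm server address appears anywhere in it."""
    return {"gateway": gateway_fqdn, "ticket": ticket}


def gateway_connect(sta, launch_file):
    """Steps 7-9: the gateway redeems the ticket and selects the backend."""
    address = sta.redeem(launch_file["ticket"])
    if address is None:
        return "error: invalid or expired ticket"
    return f"brokering session to {address}"
```

Because the client only ever holds the gateway name and a random ticket, a captured launch file reveals nothing about the farm's internal addressing, and in this model it stops working once redeemed or expired.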

You can also deploy the Secure Gateway in a double-hop DMZ. Figure 14.9 shows a simplified diagram illustrating how this would appear. The illustration is almost identical to that shown in Figure 14.8, except that an additional firewall and the Secure Gateway Proxy machine have been added. The Secure Gateway Proxy is responsible for directing traffic to and from the Secure Gateway and the secured internal network. In this configuration, the Web Interface must be located in the second-stage DMZ. This allows it to communicate directly with the internal MetaFrame servers as required.

Figure 14.9. Secure Gateway deployed in a double-hop DMZ.

Installing the Secure Gateway

Before you begin the actual installation of the Secure Gateway components, note the following:

  • The Secure Gateway or Secure Gateway Proxy servers require the minimum Windows 2000 Server (latest service pack) or Windows Server 2003 (latest service pack) configuration in addition to having at least 512MB RAM. The Secure Gateway components do not require IIS to be installed on the server to be able to function properly.

  • The Secure Ticket Authority server should meet the minimum requirements for running Windows 2000 Server or Windows Server 2003. It should have a minimum of 256MB RAM. IIS must also be installed to be able to use the STA.

  • In addition to the certificate requirements discussed earlier for securing a Web Interface environment, the Secure Gateway, Secure Gateway Proxy (if used), and the STA all require digital certificates to allow for the use of SSL.

  • Citrix provides the Secure Gateway Pre-installation Checklist PDF with the other documents on the Presentation Server CD-ROM. It is highly recommended that this document be printed and completed prior to beginning the installation. It simply ensures that the necessary information is readily available prior to your starting the different component installations.

When you are installing the various components of the Secure Gateway, Citrix recommends the following sequence. It is important that you follow this sequence to ensure that everything is detected and validated properly. If a component cannot be validated, the Secure Gateway may fail to start.

1. Install components of the internal (secure) network first. This means that Presentation Server should be installed first, followed by the Secure Ticket Authority.

During the STA installation, the one piece of information required from the checklist is the location where the STA will be stored. It needs to go into the <InetPub>\Scripts folder, so if your website is located somewhere other than the default location, you may need to update this setting. You should also double-check to ensure that a server certificate is installed on the server running STA. This is required for authentication during communications.

2. The next set of components to install resides in the DMZ (or the second-stage DMZ in double-hop DMZ deployments). This would be the Web Interface and either the Secure Gateway or the Secure Gateway Proxy. The Web Interface is installed exactly as described earlier in this chapter. Make certain that the Web Interface has a root certificate installed that corresponds to the server certificate installed on the STA. This is required to ensure that the Web Interface can validate the STA's certificate when required.

3. The next component to install is the Secure Gateway Proxy, if you are implementing a double-hop DMZ, and finally the Secure Gateway component itself. The same installation package installs either product. You make the choice of proxy or service during the installation.

Installing the Secure Ticket Authority

The STA is installed from the Components CD that accompanies the Presentation Server software. If you are performing the installation through the Autorun feature, you can find the STA installation under the Secure Gateway option. You can also initiate the installation by directly launching the MSI file located in the Secure Gateway\Windows\ folder. This file is called CSG_STA.msi.

When the appropriate path to the Scripts folder has been provided, the STA components are copied to the server, and the Configuration Wizard starts immediately. Basic configuration options are allowed at this time. Namely, you can specify STA ID, ticket timeout (the default is 100 seconds), and the maximum number of tickets to generate.

You need to restart the web service for the STA service to start.

Installing the Secure Gateway

The Secure Gateway is also installed from the Components CD and is found in the same location as the Secure Ticket Authority. The Secure Gateway MSI file is called CSG_GWY.msi.

Note

Prior to beginning the Secure Gateway installation, you should have the required server certificate installed on the server.


When the installation begins, the first pair of choices is whether this is the Secure Gateway Service or the Secure Gateway Proxy, followed by the version of Presentation Server that is being secured. No Presentation Server 3.0 option is explicitly listed, so you must choose the MetaFrame XP Server Only option.

During the advanced installation of the Secure Gateway, which prompts for all parameter values, you are asked the following:

  • Server Certificate: All server certificates found on the server are listed, and you are asked to select the certificate that the Secure Gateway will use when requested for authentication.

  • Secure Protocol: You choose whether to support TLS only or SSL and TLS. Unless your organization specifically requires one or the other, selecting both protocols provides the widest available support for different clients.

  • Cipher Suite: This setting asks you to choose GOV, COM, or ALL. COM represents commercial-strength cipher suites, and GOV represents government-strength cipher suites. When ALL is selected, both suites are available, with preference given to the highest encryption strength.

  • Inbound Client Connections: This setting allows you to define the IP addresses and ports to monitor for client traffic. The default is all addresses and port 443.

  • Outbound Connections: This setting represents outbound connections from the Secure Gateway to servers within the DMZ or the secure network. There are three choices. No Outbound Traffic Restrictions allows the Secure Gateway to connect with any server in the DMZ or secure network. Use the Secure Gateway Proxy forces the Gateway to communicate through the Secure Gateway Proxy. You are required to provide the fully qualified domain name and port of the proxy. The Secured check box forces communications to be encrypted between the two servers. The final choice on the page is Use an Access Control List (ACL). An ACL limits the Secure Gateway to accessing only servers at the specified addresses, which increases security by restricting the destinations the gateway can reach.

  • STA Details: You must provide one or more STAs that the Secure Gateway can communicate with. For each STA you define, you specify the FQDN and whether to secure communications with HTTPS. After you have provided the required information and click OK, the Secure Gateway attempts to establish a connection with the STA and verify the ID. If successful, the STA is added to the list along with the valid identifier. After all STAs have been added, you can continue.

  • Connection Parameters: This setting allows you to specify the connection timeout settings as well as whether limits should exist on the maximum number of connections. Although the default is unlimited, Citrix highly recommends that you define a realistic limit on connections based on your environment. When a maximum number of connections has been defined, the connection resume value is automatically set to 90% of that. This setting dictates when the Secure Gateway should resume allowing connections after new connections have been temporarily disabled.

  • Logging Exclusions: You define any network devices that should be ignored when generating event logs. This setting is included to allow network load balancers or other monitoring software to "ping" the gateway without filling its logs with extraneous information.

  • Logging Parameters: Here, you choose the level of logging detail. All noninformational events are logged by default.

  • Web Interface Details: Here, you indicate where the Web Interface is running. If it is installed locally, this option is selected by default. If it is located on an alternate server, you need to provide the FQDN along with port address and whether to secure with HTTPS.

After you have provided the Web Interface information, the Secure Gateway validates that port 443 is available upon which to listen and then completes the installation. A reboot is required to complete the Secure Gateway installation.

Configuring and Managing the Secure Gateway

After completing the installation, you're ready to configure and manage your Secure Gateway environment. The three applications that have been installed along with the Secure Gateway are used to perform these tasks. We conclude this chapter with a brief review of each tool and what common tasks can be performed with each.

Secure Gateway Service Configuration

When executed, the Secure Gateway Service Configuration tool presents the same wizard that appeared when the Gateway was initially installed. You can modify any of the settings that you defined earlier, such as certificate to use, desired cipher suites, and so on.

Secure Gateway Diagnostics

Secure Gateway Diagnostics is a handy utility for quickly viewing configuration settings and validating other components of the Secure Gateway. Figure 14.10 shows a sample diagnostic report from a Secure Gateway running on the same server as the Web Interface. Issues with access to the Web Interface or the STAs are easily identified through this tool.

Figure 14.10. Secure Gateway Diagnostics quickly summarizes the state of the Secure Gateway environment.

Secure Gateway Management Console

The Secure Gateway Management Console is an MMC snap-in that provides some basic management capabilities for the Gateway. Within this console, you can perform the following tasks:

  • Launch Configuration and Diagnostics tools: You can access both tools directly from within the Management Console by selecting the Secure Gateway Management Console icon and choosing the desired utility from the All Tasks menu.

  • Manage the Secure Gateway Service: From the same All Tasks menu, you are able to start, stop, pause, resume, or restart the Secure Gateway Service.

  • View connection information: You can view both current ICA and HTTPS session information. Figure 14.11 shows an example of the current HTTPS session information displayed.

    Figure 14.11. Current ICA and HTTPS session information is available in the Management Console.

  • Use Windows Event view: You can quickly view the Windows Event logs from within the Console. Event log information is not filtered specifically for Secure Gateway events, although the Secure Gateway event log node is accessible.

  • Check Secure Gateway performance statistics: There is also direct access to the Windows Performance tool, although the tool is not prepopulated with Secure Gateway-specific performance counters. The desired counters must be added manually. From the available Secure Gateway performance object, you can add specific counters and quickly assess the load on the gateway.

After it is installed and configured properly, the Secure Gateway provides an effective method of properly securing client access to a Presentation Server farm.



Citrix CCA MetaFrame Presentation Server 3.0 and 4.0 Exam Cram (Exams 223 and 256)
Year: 2003
Pages: 199
