Archive for November, 2011

Access Gateway 5.0 – a deeper look – Part 2

November 19, 2011 Leave a comment


Meanwhile Citrix released Access Gateway 5.0.3 you can find the download here. A mycitrix account is necessary.

So, in “Access Gateway 5.0 – a deeper look – Part 1” I gave you an overview and demonstrated how to install and configure the appliance, now let’s take a look at the basic configuration. This is a sample configuration, of course there are other ways, especially regarding the network configuration.

This is only about the basic logonpoint to grant access to your XenApp/XenDesktop farm via ICA/HDX. Smart access is coming next in part 3.

The first thing you have to think about is: How do I reach my Access Gateway via browser after setting an IP address in the DMZ. The CAG has two interfaces, you can use one or both. I always prefer both NIC’s, it’s more secure. The first NIC is for external communication only on port 443. The second NIC is used for management and internal communication (also VPN traffic). This doesn’t mean that this interface is connected to your LAN, don’t do that, because you will bypass the firewall. In our environments we often have a “private DMZ” , it’s a transfer net for traffic that has to be passed from the DMZ in the LAN. So the first NIC has a public internet IP address or you use NAT on your firewall and the second interface is in a private DMZ and communicates with the LAN. Of course both interfaces can also be in the same DMZ.
You can only define one standard gateway, this is used for the external interface, you have to define one or more static routes for your internal interface if you operate in two networks.

First you have to change the management NIC of the CAG in the console:


After changing the management interface to eth1 you can connect to this IP address with a client in the same subnet. You can’t connect with a client on the secure LAN because you have to static route configured yet and the default gateway is configured for the external interface! I use a Windows 2003 or XP VM on the same Hypervisor and connect an additional NIC to the DMZ network. This VM gets a static temporary IP address, just for the initial setup of the appliance.

Your CAG should look similar to this on your XenServer or ESX host. Alternatively you have both NIC’s connected in the same DMZ network.


After you configured a Windows VM you can use for administration, use your browser on this server and navigate to (use your IP instead, of course). Remember you need flash installed! Login with admin, admin and go to Networking.


Make sure you set the proper hostname, this is the fully qualified domain name, that your users enter in the browser to access the logon page, also keep in mind that the certificate for your Access Gateway must match with this hostname. The first NIC should be external and the second NIC is for internal traffic and management. The default gateway is used for the external NIC eth0.

Here is my network setup:

Internal IP address (management):
External IP address:
Default Gateway:
Static routes: via via via

  Next we configure one or more static routes for the internal communication. Navigate to “Static Routes” and show the CAG the way to you secure LAN’s.



The deployment mode is “Appliance only”, we don’t use an Access Controller

Make sure the date and time settings are correct, use a NTP server if possible (Port 123).

For the Access Gateway you need at least a platform license, you can use the appliance as the license server or your Windows server with Citrix License Server 11.9. If you want to use the windows server you have to open port 27000 and 7279 (Vendor Daemon Port) on your firewall. If you want to use SSL VPN (Smart Access LP) you also need an Access Gateway Universal License.


Next we need authentication profiles. Let’s start with a profile for MS Active Directory (LDAP).
Type your profile name, NETBIOS domain name for single sign on and select Active Directory. I recommend to secure the connection to your domain controllers (port 639) and open it on the firewall. The DC needs a certificate. Add at least one domain controller with fully qualified domain name (must match the certificate). The administrator DN must be For Base DN (location of users) you can take your entire domain (DC=domain,DC=com) or define a specific organization unit. Leave the rest as default.


Network resources, device profiles and smart groups are not necessary for a basic logonpoint.

Always make sure you configure an ICA access control list. You have to define all XenApp /XenDesktop servers the Access Gateway has to access. Define a list for ICA (port 1494) and or CGP (port 2598). Make sure to open these ports on your firewall.

Also define one or two Secure Ticket Authorities and use secure connections if possible. Open port 443 (80) on your firewall.

The last step is the configuration of the basic logonpoint. Select new, define the name and use basic as type. Type the URL of your web interface site that is configured for Gateway Direct connections. The primary authentication profile is LDAP. Select single sign on to web interface.


On your web interface server, make sure you create a web interface site and select Access Gateway for authentication. Type the authentication service URL of the Access Gateway ( The web interface server must have access to port 443 of the CAG and must be able to resolve the FQDN (entry in the hosts file, use the internal CAG IP). Open port 443 from LAN to DMZ.


Specify Gateway direct as access method and configure the CAG and STA.


The network configuration is finished, we only need a server certificate for the Access Gateway. Simply change to “Certificates” and make a signing request. Make sure the certificate matches the FQDN of the CAG. Install the issued certificate and make it active.

That’s it, you should be able to connect to your CAG now!

%d bloggers like this: