One of the features we added in Access Essentials 1.5 is the ability to instantly create temporary 30-day SSL certificates from within the Quick Start tool. If you’re not familiar with obtaining SSL certificates, this feature is a great way to get Access Essentials up and running without worrying about the cost and inconvenience of purchasing the wrong certificates. Even if you’re confident handling SSL certificates, temporary certificates can be used to double-check your setup, and to get up and running whilst you wait for a certificate from a Public Certificate Authority to be issued.
Here’s my quick guide on setting up Remote Access in Access Essentials:
- Make sure local access works first
- Get a static IP address
- Register a public DNS name
- Open (only) port 443 in your firewall
- Create a temporary certificate
- Run a test
- Get a certificate from a Public Certificate Authority
- Run a final test
I’ll cover these in more detail below, but one other bit of advice – if you’re used to configuring Secure Gateway in Presentation Server, try to resist the urge to configure Secure Gateway yourself. Most of the broken configurations I’ve seen or heard about result from trying to do things the ‘Presentation Server way’.
Make sure local access works first
Might sound obvious, but before you start, make sure you can successfully start applications hosted on Access Essentials from the LAN. A simple connection test is all that’s required, so make sure you’ve published an application and can start it from Web Interface.
Get a static IP address
Access Essentials should work with a dynamic IP address and a dynamic DNS provider, but my advice is to ask your ISP for a static IP address – it’ll save you time and effort in the long run. To double-check your IP address, use a service like http://www.whatismyip.com/.
Register a public DNS name
A common trap is to try to avoid registering a DNS name, and just use your public IP address. I’m afraid I have some bad news – it ain’t gonna work. The Citrix client software will refuse to play ball, so it’s best to save yourself the effort and register one up front. Once you’ve registered your DNS name, make sure you create an ‘A’ record for your Access Essentials server which resolves to your public IP address.
Open (only) port 443 in your firewall
There are a bunch of well-known ports related to Citrix, but the only one you should open in your firewall is port 443. In most firewalls you’ll want to add a rule for the HTTPS protocol. Don’t open any of the other Citrix ports in your firewall: you don’t need them, and opening too many ports is a security risk.
Create a temporary certificate
Within the Quick Start tool, click the ‘Manage external access’ link and follow the wizard through. On the ‘Specify Certificate Source’ page, choose the ‘Generate a temporary certificate’ option. You’ll be prompted to save the CA certificate to disk.
Run a test
To do a basic connectivity test, you can use this tool: http://tools.citrixsmb.co.uk/conncheck/index.php. The tool will connect back to your server and perform some basic checks. If problems are found, it provides more helpful guidance than the client software. (This tool is only for Access Essentials. If you point it at Presentation Server, you’ll see some errors flagged even if your setup is OK.)
If you find you’ve requested a certificate for the wrong name, you can easily generate a new temporary certificate from the Quick Start tool.
When you get a green light, the next step is to try a real connection from a device connected to the Internet. First, you need to install the CA certificate you were prompted to save on your client device:
- Copy the CA certificate to the client
- Double-click the certificate, and choose ‘Install Certificate…’
Then just connect to the server as normal.
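A scripted check for the two certificate problems most relevant at this step, a certificate issued for the wrong name and a 30-day temporary certificate nearing expiry, follows as an added example; it is not part of Quick Start or the connectivity tool. The host name `remote.example.com`, the sample certificate and all function names are constructed for illustration, and `fetch_cert` assumes the saved CA certificate is available in PEM format.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "remote.example.com"),),),
    "subjectAltName": (("DNS", "remote.example.com"),),
    "notAfter": "Jun 15 12:00:00 2030 GMT",
}

def cert_names(cert):
    """DNS names the certificate covers: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ())
                    for k, v in rdn if k == "commonName"]

def name_matches(hostname, pattern):
    """Exact match, or a '*.' wildcard standing in for one leftmost label."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pat.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pat[2:]
    return host == pat

def check_cert(cert, hostname, now=None, warn_days=7):
    """Return a list of problems; an empty list means name and expiry are OK."""
    now = now or datetime.now(timezone.utc)
    problems = []
    names = cert_names(cert)
    if not any(name_matches(hostname, n) for n in names):
        problems.append(f"name mismatch: certificate is for {names}, not {hostname}")
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        problems.append(f"expired {-days_left} day(s) ago")
    elif days_left < warn_days:
        problems.append(f"expires in {days_left} day(s)")
    return problems

def fetch_cert(hostname, ca_file, port=443, timeout=10):
    """Fetch the server certificate over 443, trusting only the CA in ca_file
    (assumed PEM-encoded)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # chain is still verified; check_cert checks the name
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    print(check_cert(SAMPLE_CERT, "remote.example.com"))
```

Against a live server, pass the result of `fetch_cert("your-dns-name", "saved-ca.pem")` to `check_cert` with the same DNS name; a chain that does not lead to the saved CA raises `ssl.SSLCertVerificationError` before any name or expiry check runs.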
Get a certificate from a Public Certificate Authority
Once you’re happy with your configuration, you need to decide on a Public Certificate Authority and generate a CSR (Certificate Signing Request). To generate the CSR, use the ‘Create new certificate request’ task in Quick Start. All of the necessary details will have been saved, so you should be able to click ‘Next’ through to the ‘Specify Certificate Source’ page. Choose the ‘Manually submit the certificate request to a Certificate Authority’ option.
You’ll need to provide the CSR to your Certificate Authority. Quick Start places the CSR on your clipboard by default, so you can just paste your clipboard into the CSR field on the Certificate Authority’s submission form.
When the Certificate Authority sends you your signed certificate, use the ‘Import requested certificate’ link in Quick Start. CAE will automatically switch to use the new certificate.
Run a final test
Everything should ‘just work’, but I like to re-run the connectivity tests to make sure everything’s OK.