XenApp Secure Gateway in the cloud

I previously posted how to create a XenApp 5.0 server and a XenApp 6.0 server
in Amazon EC2. In order to secure communications with that server, you will need to install Secure Gateway. A secure gateway XenApp 6.0 AMI already exists for your use, in our Citrix C3 Blueprints section of the Citrix Community site.

The following are the instructions to install Secure Gateway on the XenApp server. The instructions are for the Amazon EC2 Cloud, although they could be adapted for use with any cloud provider. Secure Gateway doesn’t use the default certificate generated by IIS, so you will first create a Certificate Authority (CA) server to generate the certificates it needs: a CA certificate and a server certificate. Then you can install Secure Gateway on the XenApp server.

Certificate Authority

  • Create a Server running Windows Server 2008R2
  • Name the computer xa6
  • Install Certificate Services
  • Download the CA cert from http://localhost/Certsrv
  • Create a Certificate Request using IIS Manager. (The common name must be a FQDN, here xa6.com)
  • Submit request using http://localhost/Certsrv, Request -> Advanced -> Submit using base64 -> paste -> Submit
  • Issue request using Certification Authority Manager
  • Download Server Certificate from http://localhost/Certsrv -> View Request -> base64
  • Import Server Certificate into Certificates MMC snap-in -> Computer -> Local -> Personal
  • Export CA and Server certificates from MMC Certificates snap-in, as .pfx files, with exportable key
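The same Certificate Authority steps can be scripted with certreq and certutil, the command-line counterparts of the Certsrv web pages and the Certificates MMC snap-in on Windows Server 2008 R2. This is an added example, not part of the original post; the CA config string `xa6\<CA-NAME>`, the `WebServer` template, the `C:\certs` working directory and the export password are assumptions and placeholders to replace with your own values.

```powershell
# Added example (not from the original post): the CA section as a certreq/certutil script.
# Assumptions (not from the post): the CA config string, the WebServer template, C:\certs
# as scratch space and the .pfx password are placeholders.
$CaConfig = 'xa6\<CA-NAME>'      # placeholder; "certutil -dump" on the CA prints the real string
$WorkDir  = 'C:\certs'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Request parameters. MachineKeySet puts the key in the Computer store so IIS and Secure
# Gateway can use it; Exportable allows the .pfx export the post needs at the end.
@'
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=xa6.com"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[RequestAttributes]
CertificateTemplate = WebServer
'@ | Set-Content "$WorkDir\xa6.inf"

# 1. Create the request (IIS Manager -> Create Certificate Request)
certreq -new "$WorkDir\xa6.inf" "$WorkDir\xa6.req"

# 2. Submit it (Certsrv -> Request -> Advanced -> base64). A standalone CA leaves it pending:
#    note the RequestId printed, issue it (Certification Authority Manager -> Issue, or the
#    certutil line below) and retrieve the certificate.
certreq -submit -config $CaConfig "$WorkDir\xa6.req" "$WorkDir\xa6.cer"
#    certutil -config $CaConfig -resubmit <RequestId>
#    certreq  -retrieve -config $CaConfig <RequestId> "$WorkDir\xa6.cer"

# 3. Install the issued certificate into Computer -> Personal, joined to its private key
certreq -accept "$WorkDir\xa6.cer"

# 4. Fetch the CA certificate. Only this public part needs to travel to the XenApp server's
#    Trusted Root store; the CA's private key should stay on the CA.
certutil -config $CaConfig -ca.cert "$WorkDir\ca.cer"

# 5. Export server certificate plus key as .pfx for transfer to the XenApp server
certutil -p '<pfx-password>' -exportPFX My xa6.com "$WorkDir\xa6.pfx"

# 6. Check the chain builds before carrying anything across
certutil -verify "$WorkDir\xa6.cer"
```

Run it in an elevated prompt on the CA machine. The `-verify` step at the end catches the usual mistake (a server certificate whose issuer is not the CA you are about to trust) before you import anything on the XenApp server.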

XenApp Server

  • Launch the MMC Certificates snap-in:
    • Import (.pfx) CA cert into Certificates MMC snap-in -> Computer -> Local -> Trusted CAs
    • Import (.pfx) Server Cert into Certificates MMC snap-in -> Computer -> Local -> Personal
  • Create a Web Interface site in XenApp Web Interface Management
  • Set it as the default page for the IIS site
  • Reconfigure XenApp to use port 8081 for XML
    • Run command prompt as administrator
    • ctxxmlss /u
    • ctxxmlss /r8081
    • iisreset
  • Open IIS Management
    • Sites -> Bindings -> Add -> SSL port 444.
    • Use the xa6.com Server cert. (You may have to install IIS Management service)
    • iisreset from a command prompt
  • Make an entry in the local hosts file
    • <internal Amazon IP Address> xa6.com xa6
    • Save the file
    • Test the connection locally: https://xa6.com:444
  • In XenApp Web Interface Management, set the site’s access method to Gateway Direct
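The IIS binding and port checks in the XenApp Server section can be done and verified from an elevated PowerShell prompt instead of the IIS Manager dialogs. This is an added example, not from the original post; it assumes the server certificate was imported with subject `CN=xa6.com`, that the Web Interface site sits under `Default Web Site`, and that `ctxxmlss /r8081` has already been run. The `appid` GUID is a constructed value.

```powershell
# Added example (not from the original post): create the SSL binding on 444 from the command
# line and verify the 444 and 8081 listeners. Assumptions: cert subject CN=xa6.com, site name
# "Default Web Site", XML service already moved to 8081; the appid GUID is constructed.
$AppCmd = "$env:windir\system32\inetsrv\appcmd.exe"
$Site   = 'Default Web Site'

# Locate the server certificate in Computer -> Personal; stop early if the import was skipped
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq 'CN=xa6.com' }
if (-not $cert) { throw 'xa6.com certificate not found in LocalMachine\My; import the .pfx first' }
$thumb = $cert.Thumbprint

# IIS Manager -> Sites -> Bindings -> Add -> https, port 444
& $AppCmd set site /site.name:"$Site" "/+bindings.[protocol='https',bindingInformation='*:444:']"

# Attach the certificate to the port (what the binding dialog does when you pick the cert)
netsh http add sslcert ipport=0.0.0.0:444 certhash=$thumb appid='{4dc3e181-e14b-4a21-b022-59fc669b0914}'
iisreset

# 444 = Web Interface over SSL, 8081 = Citrix XML service after ctxxmlss /r8081
function Test-Listener([int]$Port) {
    $client = New-Object Net.Sockets.TcpClient
    try { $client.Connect('127.0.0.1', $Port); $true } catch { $false } finally { $client.Close() }
}
foreach ($p in 444, 8081) {
    if (Test-Listener $p) { "port $p is listening" } else { Write-Warning "nothing listening on port $p" }
}

# Confirm the binding really carries the xa6.com certificate (thumbprint must match $thumb)
netsh http show sslcert ipport=0.0.0.0:444
```

If `netsh http show sslcert` shows a different hash than `$thumb`, a previous binding on 444 is still in place; delete it with `netsh http delete sslcert ipport=0.0.0.0:444` and add it again.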

Install Secure Gateway

  • Download the XenApp .iso and mount using Virtual Clone Drive
  • Install Secure Gateway from the XenApp media
    • Use the xa6.com Server Certificate
    • Use Port 443
  • STA Details
    • localhost
    • Path -> /scripts/ctxsta.dll
    • ID -> (automatically determined)
    • Uncheck “Secure Traffic between STA and SG”
    • Don’t use default port, use port 8081
  • Access Options details
    • Indirect.
    • Uncheck “Installed on this computer”
    • FQDN -> xa6.com
    • TCP Port: 444.
    • Check “Secure traffic between the WI and SG”
  • Disable setaltaddress service (if installed)
  • Open the Windows Firewall for port 443
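The last two steps of the Secure Gateway install, plus a check that the STA path given to the wizard answers on the non-default port, from an elevated PowerShell prompt. This is an added example, not from the original post; it assumes the service is really named `setaltaddress` as the post states, and that XML/STA listen on 8081 after `ctxxmlss /r8081`. The firewall rule name is my own.

```powershell
# Added example (not from the original post): firewall rule for 443, disable setaltaddress,
# and verify the STA endpoint. Assumes the service name from the post and XML/STA on 8081.
# Only 443 (Secure Gateway) is opened inbound; 444 and 8081 stay reachable from localhost only.
netsh advfirewall firewall add rule name="Citrix Secure Gateway 443" dir=in action=allow protocol=TCP localport=443

# Disable setaltaddress if it is installed (service name taken from the post)
$svc = Get-Service -Name setaltaddress -ErrorAction SilentlyContinue
if ($svc) {
    Stop-Service -Name setaltaddress -Force
    Set-Service -Name setaltaddress -StartupType Disabled
    "setaltaddress stopped and disabled"
} else {
    "setaltaddress service not installed; nothing to do"
}

# The STA path and port entered in the wizard, over plain HTTP because "Secure Traffic
# between STA and SG" was left unchecked. Any HTTP status means the listener is up.
function Test-StaEndpoint([string]$Url = 'http://localhost:8081/scripts/ctxsta.dll') {
    $req = [Net.WebRequest]::Create($Url)
    $req.Method  = 'GET'
    $req.Timeout = 5000
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        $code
    } catch [Net.WebException] {
        if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { throw }
    }
}
"STA endpoint answered with HTTP $(Test-StaEndpoint)"

# Show the rule that was just added
netsh advfirewall firewall show rule name="Citrix Secure Gateway 443"
```

A connection refused or timeout from `Test-StaEndpoint` (rather than any HTTP status) means the XML service is not on 8081, which is the most common reason the Secure Gateway wizard cannot determine the STA ID automatically.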

Test from client machine

  • Make an entry in local client machine’s hosts file
  • Generally located in c:\Windows\System32\drivers\etc
  • <external Amazon ip address> xa6.com xa6
  • Save the hosts file
  • Open a browser, and enter https://xa6.com
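The hosts-file entry appears twice in this post (on the XenApp server with the internal EC2 address, on the client with the external one), and "open a browser" only tells you whether the page loads. The added example below, which is not from the original post, handles both hosts-file cases with one function and then completes a TLS handshake to https://xa6.com and reports whether the presented certificate chains to a CA the client trusts. The IP address is a placeholder.

```powershell
# Added example (not from the original post): idempotent hosts-file entry and a TLS check
# that reports the certificate and whether it validates. The IP is a placeholder; use the
# internal EC2 address on the XenApp server and the external one on the client.
function Add-HostsEntry([string]$Ip, [string[]]$Names) {
    $hosts = Join-Path $env:windir 'System32\drivers\etc\hosts'
    $line  = "$Ip`t$($Names -join ' ')"
    $existing = Get-Content $hosts -ErrorAction SilentlyContinue
    # Skip an identical line; never rewrite entries that are already there
    if ($existing -contains $line) { "already present: $line"; return }
    Add-Content -Path $hosts -Value $line -Encoding ASCII
    "added: $line"
}

function Test-GatewayTls([string]$Hostname = 'xa6.com', [int]$Port = 443) {
    $client = New-Object Net.Sockets.TcpClient($Hostname, $Port)
    $ssl    = New-Object Net.Security.SslStream($client.GetStream(), $false)
    try {
        # Default .NET validation: fails if the chain does not end in a trusted root
        # or the name does not match, exactly as a browser would
        $ssl.AuthenticateAsClient($Hostname)
        $remote = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        "OK: subject=$($remote.Subject) issuer=$($remote.Issuer) expires=$($remote.NotAfter)"
    } catch [Security.Authentication.AuthenticationException] {
        "FAILED: $($_.Exception.Message) (is the CA certificate in this machine's Trusted Root store?)"
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

Add-HostsEntry -Ip '<external-amazon-ip>' -Names 'xa6.com', 'xa6'
Test-GatewayTls
```

Expect `FAILED` on a fresh client: the post imports the CA certificate only on the XenApp server, so a browser on the client will show a certificate warning until the CA's public certificate (the .cer, not the .pfx) is imported into the client's Trusted Root Certification Authorities store as well.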

It’s powerful!