Citrix Access Gateway Enterprise Edition Administrator's Guide

Uploaded by daniel-chia on 31-Oct-2015


DESCRIPTION

Citrix Access Gateway Enterprise Edition Administrator's Guide. This is the guide for the 9.1 version of the AGEE.

TRANSCRIPT

Citrix Access Gateway 9.1, Enterprise Edition

Citrix Access Gateway Enterprise Edition Administrator's Guide

Copyright and Trademark Notice

Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. A printable copy of the End User License Agreement is included with the installation media.

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.

© 2009 Citrix Systems, Inc. All rights reserved.

Citrix and ICA (Independent Computing Architecture) are registered trademarks and Citrix Access Gateway is a trademark of Citrix Systems, Inc. in the United States and other countries.

All other trademarks and registered trademarks are the property of their respective owners.

Document Code: September 3, 2009 (KKW)

CONTENTS

Chapter 1  Welcome
    How to Use this Guide  13
    Document Conventions  13
    Getting Service and Support  14
        Additional Maintenance Support  14
        Subscription Advantage  15
        Knowledge Center Alerts  15
        Education and Training  16
    Related Documentation  16

Chapter 2  Introducing Citrix Access Gateway Enterprise Edition
    New Features  18
    Access Gateway Architecture  19
    How the Access Gateway Works  21
    Hardware Platforms  22
        Access Gateway MPX 5500 Appliance  22
        Access Gateway Model 7000 Appliance  23
        Access Gateway Model 9000 Appliance with FIPS Option  23
        Access Gateway Model 9010 Appliance  23
        Access Gateway Model 10010 Appliance  23

Chapter 3  Planning Your Deployment
    Planning for Security with the Access Gateway  25
        Configuring Secure Certificate Management  25
        Configuring Authentication Support  26
    Deploying the Access Gateway  26
    Deploying the Access Gateway in the Network DMZ  27
        Installing the Access Gateway in the DMZ  27
        Access Gateway Connectivity in the DMZ  27
    Deploying the Access Gateway in a Secure Network  28
        Access Gateway Connectivity in a Secure Network  28
    Deploying the Access Gateway to Access Published Applications  29
        Deploying the Access Gateway in the DMZ with a Server Farm  29
    Deploying the Access Gateway in a Double-Hop DMZ  31

Chapter 4  Getting Started with Citrix Access Gateway
    Identifying Access Gateway Prerequisites  34
    Using the Configuration Utility  34
    Configuring the Access Gateway Using Wizards  36
        How the Setup Wizard Works  36
        How the Access Gateway Wizard Works  37
        How the Published Applications Wizard Works  37
    Installing the Access Gateway  38
        Getting Ready to Install the Access Gateway  38
        Installing the Access Gateway MPX 5500  39
        Installing the Access Gateway Model 7000  40
        Installing the Access Gateway Model 9010 or 10010  41
    Configuring Settings Using the Serial Console  44
    Configuring Settings Using the Configuration Utility  44
        Configuring TCP/IP Settings Using the Setup Wizard  45
        Configuring Settings Using the Access Gateway Wizard  46
        Configuring Auto Negotiation  46
    Configuring the Host Name  47
        Defining the Fully-Qualified Domain Name  47
    Installing Licenses on the Access Gateway  47
        What the Platform License Is  48
        What the Universal License Is  49
    Configuring Settings with the Access Gateway Policy Manager  51
    Creating Additional Virtual Servers  53
        Configuring IPv6 for Client Connections  54
    Configuring IP Addresses on the Access Gateway  55
        Changing the Mapped IP Address  55
        Configuring Subnet IP Addresses  56
        How the Access Gateway Uses IP Addresses  56
    Configuring Routing on the Access Gateway  56
        Configuring a Static Route  57
    Testing Your Access Gateway Configuration  58
    Configuring Name Service Providers  58

Chapter 5  Configuring High Availability
    How High Availability Works  62
        Gathering Information for High Availability  62
    Configuring the Access Gateway for High Availability  63
        Adding a High Availability Node  63
        Adding an RPC Node  64
        Configuring the Primary and Secondary Appliances for High Availability  65
        Disabling Access Gateway Network Interfaces  65
    Customizing Your High Availability Deployment  66
    Synchronizing Access Gateway Appliances  66
        Enabling and Disabling Synchronization  66
    Enabling High Availability Propagation  68
        Disabling Propagation  68
        Troubleshooting Command Propagation  69
    Forcing the Primary Access Gateway to Stay Primary  69
    Forcing the Secondary Appliance to Stay Secondary  70
    Forcing Failover between Access Gateway Appliances  71
        Forcing Failover on the Primary Access Gateway  72
        Forcing Failover on the Secondary Access Gateway  72
        Forcing Failover in Listen Mode  72
    Configuring the Virtual MAC Address  73
        Configuring the Virtual MAC Address  73
        Deleting a Virtual MAC Address  74
        Binding and Unbinding a Virtual MAC Address  74
    Configuring High Availability Pairs over Routed Networks  74
        How Independent Network Configuration Works  75
        Configuring an Independent Network Computing High Availability Pair  76
    Configuring Route Monitors  76
    Configuring Link Redundancy  77

Chapter 6  Installing and Managing Certificates
    Installing Certificates on the Access Gateway  80
        Creating a Private Key  81
        Creating a Certificate Signing Request  82
        Installing the Signed Certificate on the Access Gateway  83
        Unbinding Test Certificates from the Virtual Server  84
        Configuring Intermediate Certificates  84
        Importing an Existing Certificate to the Access Gateway  87

Chapter 7  Configuring Policies and Profiles on the Access Gateway
    How Policies Work  89
        Setting Priorities of Policies  90
        Configuring Conditional Policies  90
    Configuring System Expressions  91
        Configuring Client Security Expressions  91
        Creating Simple Expressions  92
        Creating Compound Expressions  92
        Adding Custom Expressions  93
    Creating Policies on the Access Gateway  93
    How Session Policies Work  93
        Creating a Session Profile  95
        Binding Session Policies  97
    How a Traffic Policy Works  98
        Creating a Traffic Policy  98
        Binding a Traffic Policy  99
        Removing Traffic Policies  100
    Allowing File Type Association  100
        Creating a Web Interface Site  101
        Configuring the Access Gateway for File Type Association  102
        Configuring Citrix XenApp for File Type Association  104
    How TCP Compression Policies Work  105
        Creating a TCP Compression Policy  106
        Monitoring TCP Compression on Client Connections  109

Chapter 8  Configuring Authentication and Authorization
    Configuring Authentication on the Access Gateway  112
        Authentication Types Supported on the Access Gateway  112
        Configuring Authentication without Authorization  113
    Configuring Local Users  114
    Configuring Groups  115
        Adding Users to Groups  116
        Configuring Session Policies with Groups  116
    How Authentication Policies Work  117
        Configuring Authentication Profiles  117
        Binding Authentication Policies  119
        Setting Priorities for Authentication Policies  120
    Configuring LDAP Authentication  120
        Determining Attributes in your LDAP Directory  124
    Configuring RADIUS Authentication  125
        Choosing RADIUS Authentication Protocols  126
        Configuring IP Address Extraction  126
    Configuring the Access Gateway to Use One-Time Passwords  127
        Configuring RSA SecurID Authentication  127
        Configuring Password Return with RADIUS  129
        Configuring SafeWord Authentication  130
        Configuring Gemalto Protiva Authentication  131
    Configuring NTLM Authentication  131
    Configuring TACACS+ Authentication  132
    Configuring Client Certificate Authentication  133
        Configuring a Client Certificate as a Secondary Method of Authentication  136
        Configuring a Smart Card  136
        Configuring a Common Access Card  137
    Configuring Multifactor Authentication  137
        Setting Priorities for Authentication Policies  137
        Configuring Double-Source Authentication  139
    Disabling Authentication  142
    Configuring the Number of User Sessions  142
        Configuring the Global User Limit  143
    Configuring Authentication for Specific Times  143
    Configuring Authorization  144
        Setting Default Global Authorization  144
        Configuring Authorization Policies  145
        Setting the Priority for Authorization Policies  147
    Configuring LDAP Group Extraction  147
        Group Memberships from Group Objects Working Evaluations  148
        Group Memberships from Group Objects Non-Working Evaluations  148
        LDAP Group Attribute Fields  149
        Configuring LDAP Nested Group Extraction  149
    Configuring RADIUS Group Extraction  150
    Configuring LDAP Group Extraction for Multiple Domains  152
        Creating Session Policies for Group Extraction  153
        Creating LDAP Authentication Policies  154
        Creating Groups and Binding Policies  156

Chapter 9  Access Gateway Client Connection Methods
    Choosing the Client Access Method  160
    Configuring Citrix XenApp Plug-in for Hosted Apps  160
        How Users Connect to a Server Farm  161
    Configuring the Access Gateway Plug-in for Windows  163
        Installing the Access Gateway Plug-in  163
        Deploying the Access Gateway Plug-in from Active Directory  164
        Monitoring and Ending User Sessions  167
        Configuring Access to Published Applications Using the Access Gateway Plug-in  168
    How the Access Gateway Plug-in for ActiveX Works  170
        Using the Access Gateway Plug-in for ActiveX  170
    Selecting the Plug-in Type  171
    Connecting Using the Access Gateway Plug-in for Java  172
    How Clientless Access Works  174
        Enabling Clientless Access  174
        How Clientless Access Policies Work  176
        Configuring Domain Access for Users  178
        Configuring Clientless Access for SharePoint 2003 and SharePoint 2007  179
    Configuring the Client Choices Page  181
        Showing the Client Choices Page at Logon  182
        Configuring Client Choices Options  184
    Configuring Access Scenario Fallback  186
    Using the Repeater Plug-in  189
    How SmartAccess Works  190

Chapter 10  Configuring Connections for the Access Gateway Plug-in
    How User Connections Work  194
        Establishing the Secure Tunnel  194
        Tunneling Private Network Traffic over Secure Connections  195
        Terminating the Secure Tunnel and Returning Packets to the Client  196
        Supporting the Access Gateway Plug-in  196
    Connecting to Internal Network Resources  197
    Enabling Proxy Support for Client Connections  198
    Configuring Time-Out Settings  199
    Configuring Single Sign-On  202
        Configuring Single Sign-On with Windows  202
        Configuring Single Sign-On to Web Applications  203
        Configuring Single Sign-On to a Domain  205
    Configuring Client Interception  206
        Configuring Intranet Applications for the Access Gateway Plug-in  206
        Configuring Intranet Applications for the Access Gateway Plug-in for Java  208
    Configuring IP Pooling  208
        Defining the IP Pooling Options  211
    Configuring Split Tunneling  214
        Configuring Split Tunneling and Authorization  215
    Configuring Name Service Resolution  215
    Supporting Voice over IP Phones  216
    Configuring Application Access for the Access Gateway Plug-in for Java  217
        Accessing Applications Using the HOSTS File Modification Method  217
        Accessing Applications Using the SourceIP and SourcePort Method  218

Chapter 11  Configuring the Access Interface
    Enabling the Access Interface or Customized Home Page  220
        Changing the Access Interface  221
        Creating and Applying Web and File Share Links  221

Chapter 12  Configuring Endpoint Policies
    How Endpoint Policies Work  223
        System Requirements for Endpoint Analysis  224
        Evaluating Client Logon Options  225
    Configuring Preauthentication Policies  226
        Configuring Preauthentication Profiles  226
        Configuring Endpoint Analysis Expressions  227
        Binding Policies  231
        Setting the Priority of Policies  232
        Unbinding and Removing Preauthentication Policies  232
    Configuring Post-Authentication Policies  233
        Configuring a Post-Authentication Policy  233
        Configuring the Frequency to Run a Post-Authentication Policy  234
        Configuring Quarantine and Authorization Groups  234
    Configuring Client Security Preauthentication Expressions  237
        Configuring Antivirus, Firewall, Internet Security or Antispam Expressions  238
        Configuring Service Policies for Security  239
        Configuring Process Policies for Security  240
        Configuring Operating System Policies  241
        Configuring File Policies  242
        Configuring Registry Policies  242
    Configuring Compound Client Security Expressions  245
        Configuring Policies with the AND (&&) Operator  245
        Configuring Policies with the OR ( || ) Operator  245
        Configuring Policies Using the NOT ( ! ) Operator  246

Chapter 13  Maintaining the Access Gateway
    Upgrading the Access Gateway  247
    Configuring Delegated Administrators  249
        Configuring Command Policies  249
    Viewing Access Gateway Configuration Settings  252
        Saving the Configuration to Your Computer  253
        Viewing the Saved Configuration  253
        Viewing the Current Running Configuration  254
        Comparing the Saved and Running Configuration  254
    Clearing the Access Gateway Configuration  254
    Managing User Sessions  255
    Configuring Auditing on the Access Gateway  257
        Configuring Logs on the Access Gateway  258

Appendix A  Configuring Security Settings
    Securing Connections with Digital Certificates  263
        Introduction to Security Protocols  263
        Introduction to Cryptography  264
        Digital Certificates and Certificate Authorities  266
        Getting Certificates  269
        Getting Server Certificates  270
        Using Windows Certificates  271
        Unencrypting the Private Key  272
        Requiring Certificates for Internal Connections  274
        Using Wildcard Certificates  275
    Configuring FIPS 140-2 on the Model 9000 FIPS Series  275
        How FIPS 140-2 Works  275
        Configuring the Hardware Security Module  276
        Creating Private Keys for FIPS  278
        Exporting FIPS 140-2 Keys  279
        Importing FIPS 140-2 Keys  280
        Importing External Keys  280
        Configuring High Availability with FIPS 140-2  282

Appendix B  Advanced Concepts
    Configuring DNS Virtual Servers  285
    Resolving DNS Name Servers Located in the Secure Network  286
    Using Operators and Operands in Policy Expressions  287
    Configuring Server-Initiated Connections  292
    Enabling Access Gateway Plug-in Logging  294

CHAPTER 1

Welcome

This chapter describes who should read the Citrix Access Gateway Enterprise Edition Administrator's Guide, how it is organized, and its document conventions.

How to Use this Guide

This guide is intended for system administrators responsible for installing and configuring the Access Gateway. This document assumes that the Access Gateway is connected to an existing network and that the administrator has experience configuring that network.

The configuration steps in this document assume that the Access Gateway is deployed as a standalone appliance and that users connect directly to the Access Gateway.

Document Conventions

Access Gateway documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface:

Convention      Meaning

Boldface        Commands, names of interface items such as text boxes, option buttons, and user input.

Italics         Placeholders for information or parameters that you provide. For example, filename in a procedure means you type the actual name of a file. Italics also are used for new terms and the titles of books.

%SystemRoot%    The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or other name you specify when you install Windows.

Monospace       Text displayed in a text file or command-line interface.

{ braces }      A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves.

[ brackets ]    Optional items in command statements. For example, [/ping] means that you can type /ping with the command. Do not type the brackets themselves.

Getting Service and Support

Citrix provides technical support primarily through the Citrix Solutions Network (CSN). Our CSN partners are trained and authorized to provide a high level of support to our customers. Contact your supplier for first-line support, or check for your nearest CSN partner at http://www.citrix.com/support/.

In addition to the CSN channel program, Citrix offers a variety of self-service, Web-based technical support tools from its Knowledge Center at http://support.citrix.com/. Knowledge Center features include:

A knowledge base containing thousands of technical solutions to support your Citrix environment

An online product documentation library

Interactive support forums for every Citrix product

Access to the latest hotfixes and service packs

Security bulletins

Online problem reporting and tracking (for organizations with valid support contracts)

Another source of support, Citrix Preferred Support Services, provides a range of options that allows you to customize the level and type of support for your organization's Citrix products.

Additional Maintenance Support

In addition to the support options provided by Citrix, all Access Gateway Enterprise Edition appliances are available with Silver and Gold maintenance options. If you purchased either of these options, documentation is provided with the appropriate Citrix Technical Support numbers if you need to call.

    | (vertical bar) A separator between items in braces or brackets in command statements. For example, { /hold | /release | /delete } means you type /hold or/release or /delete.

    (ellipsis) You can repeat the previous item or items in command statements. For example, /route:devicename[,] means you can type additional devicenames separated by commas.

    Convention Meaning


    Silver Maintenance Option

    The Silver maintenance option provides unlimited Access Gateway support for one year. This option provides basic coverage hours, one assigned support account manager for non-technical relations management, four named contacts, and advanced replacement for materials.

    Technical support is available at the following times:

    North America, Latin America, and the Caribbean: 8 a.m. to 9 p.m. US Eastern time, Monday through Friday

    Asia (excluding Japan): 8 a.m. to 6 p.m. Hong Kong time, Monday through Friday

    Australia and New Zealand: 8 a.m. to 6 p.m. Australian Eastern Standard Time (AEST), Monday through Friday

    Europe, Middle East, and Africa: 8 a.m. to 6 p.m. Coordinated Universal Time (Greenwich Mean Time), Monday through Friday

    Gold Maintenance Option

    The Gold maintenance option provides unlimited Access Gateway support for one year. Support is available 24 hours a day, 7 days a week. This option provides an assigned support account manager for non-technical relations management and six named contacts.

    Subscription Advantage

    Your product includes a one-year membership in the Citrix Subscription Advantage program. The Subscription Advantage program gives you an easy way to stay current with the latest software version and information for your Citrix products. Not only do you get automatic access to download the latest feature releases, software upgrades, and enhancements that become available during the term of your membership, you also get priority access to important Citrix technology information.

    You can find more information on the Citrix Web site at http://www.citrix.com/services/ (select Subscription Advantage). You can also contact your sales representative, Citrix Customer Care, or a member of the Citrix Solutions Network program for more information.

    Knowledge Center Alerts

    The Citrix Knowledge Center allows you to configure alerts, which notify you when the topic you are interested in is updated. You can set an alert on product categories. When there are updates to the product, you are notified of the update.


    To set up an alert, log on to the Citrix Support Web site at http://support.citrix.com. After you are logged on, under Products, select a product. Under Tools, click Add to your Hotfix Alerts. To remove an alert, go to the Knowledge Center product and click Remove from your Hotfix Alerts.

    Education and Training

    Citrix offers a variety of instructor-led training and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification.

    Web-based training courses are available through CALCs, resellers, and from the Citrix Web site.

    Information about programs and courseware for Citrix training and certification is available from http://www.citrix.com/edu/.

    Related Documentation

    For additional information about the Access Gateway, refer to the following guides:

    Getting Started with Citrix Access Gateway Enterprise Edition

    Citrix Access Gateway Enterprise Edition Pre-Installation Checklist

    Citrix Web Interface Administrator's Guide

    Secure Gateway to Access Gateway Migration Guide

    Citrix Access Gateway Enterprise Edition Readme

  • CHAPTER 2

    Introducing Citrix Access Gateway Enterprise Edition

    The Access Gateway is a network appliance that securely delivers any application with policy-based SmartAccess control anywhere. Users can obtain easy-to-use secure access to all of the enterprise applications and data they need to be productive. IT organizations can cost-effectively extend access to applications outside the data center while maintaining strict control through SmartAccess application-level policies. IT organizations are empowered to cost-effectively meet the demands of all workers, deliver flexible working options, and implement business continuity while ensuring the highest level of information security and reducing support calls.

    Access Gateway Enterprise Edition offers the following benefits:

    Remote access for the most demanding and complex environments that require increased scalability and/or performance

    High availability for uninterrupted access to critical applications and resources

    Tightest level of integration and control of remotely delivered Citrix XenApp applications and data through SmartAccess, and of published desktops with XenDesktop

    Natural replacement for existing Citrix XenApp customers who use the Secure Gateway

    Enterprise-class SSL VPN features including client-side cache clean-up, detailed auditing, and policy-based access control for Web and server applications

    Remote users can work with files on shared network drives, access email and intranet sites, and run applications just as if they are working inside of your organization's firewall

    Certified to meet government and commercial security standards such as Federal Information Processing Standard (FIPS) 140-2 and ICSA


    Supports the Access Gateway universal license (included in Citrix XenApp Platinum Edition, Citrix XenDesktop Platinum Edition and Citrix NetScaler Platinum Edition)

    New Features

    This release of the Access Gateway includes the following new features:

    Support for Nested LDAP Group Extraction. If users belong to more than one group on the LDAP server, the Access Gateway extracts user information from each LDAP group.

    Support for the MPX 5500 Appliance. Access Gateway 9.1 Classic is supported on the new MPX 5500 appliance.

    Support for Imprivata OneSign. The Access Gateway supports single sign-on using one-time passwords provided by Imprivata OneSign single sign-on. Users log on using the passcode provided by Imprivata, and then the Imprivata server returns the Windows password to the Access Gateway.

    Support for Session Identifiers. The log signature Context is replaced with a SessionID. This allows you to track logs per session rather than per user. Logs that are generated as part of a session have the same SessionID. If a user establishes two sessions from the same client device with the same IP address, each session has a unique SessionID.

    Support for Citrix Receiver. Access Gateway Enterprise Edition supports Citrix Receiver and Citrix Merchandising Server, which are components of the Citrix Delivery Center. Citrix Merchandising Server and Citrix Receiver streamline the installation and management of application delivery to user desktops. Citrix Receiver and Citrix Merchandising Server together provide two very important features. First, the Merchandising Server allows you to configure, deliver, and upgrade plug-ins on your client devices. Second, Citrix Receiver manages all the operations for Citrix plug-ins on client devices.

    The orchestrated system consists of the Citrix Receiver for Windows application that is installed on client devices, the Merchandising Server that is installed on a virtual machine in your data center, and the Citrix Update Service that is hosted on Citrix.com.

    The Merchandising Server Administrator Console is the interface on the Merchandising Server that you use to configure Citrix applications (and application plug-ins) and schedule their delivery to client devices. The Merchandising Server broadcasts the plug-ins and their installation instructions to your users on the scheduled date. Your users simply install Receiver for Windows on their client devices. Once installed, Receiver for Windows gets the delivery information from the Merchandising Server and installs the plug-ins. After installation is complete, Receiver for Windows starts its plug-ins in the correct order, ensuring that connectivity services are available for plug-ins that require it.

    For more information, see the Citrix Merchandising Server Administrator's Guide or the Citrix Receiver for Windows User's Guide.

    Terminology Changes

    Some of the terminology used to describe product components has changed. The following list contains updated terminology used in this document. There are several name changes you need to be aware of for client software and Citrix XenApp:

    From -> To

    navigation page or home page -> Access Interface

    Secure Access -> Access Gateway Plug-in

    Citrix Presentation Server -> Citrix XenApp

    Citrix Presentation Server Clients -> Citrix XenApp Plug-in for Hosted Apps

    Web Client -> Citrix XenApp Web Plug-in

    Program Neighborhood Agent -> Citrix XenApp Plug-in

    Endpoint Analysis Client -> Endpoint Analysis Plug-in

    WANScaler Client or Accelerator Plug-in -> Repeater Plug-in

    Access Gateway Architecture

    The core components of the Access Gateway are:

    Virtual servers. The Access Gateway virtual server is an internal entity that is a representative of all the configured services available to clients. The virtual server is also the access point through which clients access these services. Multiple virtual servers can be configured on a single appliance, allowing one Access Gateway appliance to serve multiple user communities with differing authentication and resource access requirements.

    Authentication, authorization, and accounting. Authentication, authorization, and accounting can be configured to allow users to log on to the Access Gateway with credentials that are recognized by either the Access Gateway or by authentication servers located in the secure network, such as LDAP or RADIUS. Authorization policies define user permissions, determining which resources a given user is authorized to access. For more information about authentication and authorization, see Configuring Authentication and Authorization on page 111. For more information about accounting, see Configuring Auditing on the Access Gateway on page 257.

    The Access Gateway uses policies to manage this information. Accounting servers maintain data about Access Gateway activity, including user logon events, resource access instances, and operational errors. This information is stored on the Access Gateway or on an external server.

    Client connections. Users can log on to the Access Gateway using the following access methods:

    The Access Gateway Plug-in is client software that is downloaded to the client device. Users log on by right-clicking an icon in the notification area on a Windows computer. Users can add an icon to the desktop that they can click to log on. If users are using a computer where the Access Gateway Plug-in is not installed, they can log on using a Web browser to download and install the plug-in.

    The Access Gateway Plug-in for ActiveX is a version of client software that users can use only through Internet Explorer. The Access Gateway Plug-in for ActiveX works only on Windows XP.

    The Access Gateway Plug-in for Java, which enables Mac OS X, Linux, and optionally, Windows users to log on using a Web browser.

    Citrix XenApp Plug-in for Hosted Apps allows connections to published applications in a server farm.

    Clientless access that provides users with the access they need without installing client software

    When configuring the Access Gateway, you can configure how users log on using policies. You can also restrict user logon with session and endpoint analysis policies.

    Network resources. These include all network services to be accessed using the Access Gateway, such as file servers, applications, and Web sites.


    How the Access Gateway Works

    A user connects to the Access Gateway by typing the Web address in the browser. The user is presented with the logon page where the user name and password are entered. If external authentication servers are configured, the Access Gateway contacts the server and the authentication servers verify the user's credentials. If local authentication is configured, user authentication is performed by the Access Gateway.

    When the user is successfully authenticated, the Access Gateway tunnel is initiated. The user is now prompted by the Access Gateway to permit the appropriate client software to be downloaded and installed. If you are using the Access Gateway Plug-in for Java, the client is also initialized with a list of preconfigured resource IP addresses and port numbers.

    When the user types the Access Gateway Web address, the Access Gateway checks to see if there are any client-based security policies in place. This is called a pre-authentication policy. If there are, it checks for the specified condition on the client device. These are generally security checks that verify that the client device has the necessary security-related operating system updates, antivirus protection, and perhaps a properly configured firewall. If the client device fails the security check, the Access Gateway blocks the user from logging on. A user unable to log on needs to download the necessary updates or packages and install them on the client device.

    After a user successfully logs on, the client device can be scanned for the required client security policies. This is called a post-authentication scan. If the client device fails the scan, either the policy is not applied or the user is placed in a quarantine group.

    Configuring pre-authentication and post-authentication policies is optional.

    When the session is established, users are directed to an Access Gateway home page where they can select resources to access. The home page that is included with the Access Gateway is called the Access Interface. If the users log on using the Access Gateway Plug-in for Windows, an icon in the notification area on Windows shows that it is connected and users receive a message that the connection is established.

    If the client's request passes both checks, the Access Gateway then contacts the requested resource and initiates a secure connection between the client and that resource.

    The client can close an active session by right-clicking the Access Gateway icon in the notification area and then clicking Logoff. The session can also time out due to inactivity. When the session is closed, the tunnel is shut down and the client no longer has access to internal resources.


    Hardware Platforms

    Access Gateway Enterprise Edition is available on the following hardware platforms:

    Access Gateway MPX 5500 appliance

    Access Gateway Model 7000 appliance

    Access Gateway Model 9000 series appliance

    Access Gateway Model 10010 appliance

    Access Gateway Enterprise Edition is available as an optional feature on all versions of Citrix NetScaler.

    The following table shows which Access Gateway software versions are supported on each appliance:

    Access Gateway Version    MPX 5500    7000    9000/9010    10010

    8.0                       No          Yes     Yes          Yes
    8.1                       Yes (1)     Yes     Yes          Yes
    9.0                       No (2)      Yes     Yes          Yes
    9.1 Classic               Yes         Yes     Yes          Yes
    9.1 nCore                 No (3)      No      No           No

    (1) The MPX 5500 is supported on Version 8.1, build 65 or later.

    (2) Warning: Installing Version 9.0, build 68 or earlier on the MPX 5500 results in a boot failure.

    (3) Support for Version 9.1 nCore on the MPX 5500 is expected at a later date.

    Access Gateway MPX 5500 Appliance

    The Access Gateway MPX 5500 supports up to 5,000 concurrent users per appliance.

    The appliance has the following ports:

    Four 10/100/1000 Base-T Ethernet network interfaces

    Two 10/100/1000 Base-T management interfaces

    One serial port

    Four 1 gigabyte (GB) network interfaces (copper)

    Two 1 GB management interfaces

    LCD display with keypad

    Access Gateway Model 7000 Appliance

    The Access Gateway Model 7000 supports 2,500 concurrent users per appliance.

    The appliance has the following ports:

    Six 10/100 Base-T Ethernet network interfaces

    Two 10/100/1000 Base-T Ethernet network interfaces

    One serial port

    Access Gateway Model 9000 Appliance with FIPS Option

    The Access Gateway Model 9000 supports 5,000 concurrent users per appliance. This version of the Access Gateway includes a Federal Information Processing Standard (FIPS) 140-2 Level 2 validated hardware security module.

    The appliance has the following ports:

    Four 1000-Base-SX or four 10/100/1000 Base-T copper Ethernet network interfaces

    One 10/100/1000 Base-T Ethernet network interface

    One serial port

    Access Gateway Model 9010 Appliance

    The Access Gateway Model 9010 supports 5,000 concurrent users per appliance. It has the same Ethernet network interfaces as the Model 9000 appliance.

    Access Gateway Model 10010 Appliance

    The Access Gateway Model 10010 supports 10,000 concurrent users per appliance. It has the same Ethernet network interfaces as the Model 9010 appliance.

    You can use the serial port on each appliance to connect a computer directly to the appliance using a serial cable to access the appliance command-line interface.


  • CHAPTER 3

    Planning Your Deployment

    This chapter discusses deployment scenarios for the Access Gateway.

    You can deploy the Access Gateway at the perimeter of your organization's internal network to provide a secure single point of access to the servers, applications, and other network resources residing in the internal network. All remote users must connect to the Access Gateway before they can access any resources on the internal network.

    In This Chapter

    Planning for Security with the Access Gateway

    Deploying the Access Gateway in the Network DMZ

    Deploying the Access Gateway in a Secure Network

    Deploying the Access Gateway to Access Published Applications

    Deploying the Access Gateway in a Double-Hop DMZ

    Planning for Security with the Access Gateway

    When planning your Access Gateway deployment, consider how you are going to secure user connections. Security considerations include the types of certificates you need and the authentication type for user logon.

    Configuring Secure Certificate Management

    Before you deploy the Access Gateway in a production environment, Citrix recommends that you request and receive a signed SSL server certificate from a known Certificate Authority (CA) and upload it to the Access Gateway.

    If you deploy the Access Gateway in any environment where the Access Gateway must operate as the client in an SSL handshake (initiate encrypted connections with another server), you must also install a trusted root certificate on the Access Gateway.


    For example, if you deploy the Access Gateway with Citrix XenApp and the Web Interface, you can encrypt connections from the Access Gateway to the Web Interface with SSL. In this configuration, you must install a trusted root certificate on the Access Gateway.

    For more information, see Installing Certificates on the Access Gateway on page 80 and Securing Connections with Digital Certificates on page 263.

    Configuring Authentication Support

    You can configure the Access Gateway to authenticate users and control the level of access (or authorization) that users have to the network resources on the internal network.

    Before deploying the Access Gateway, have your directories and authentication servers in place to support one of these authentication types:

    LDAP

    RADIUS

    RSA SecurID (using RADIUS)

    NTLM

    SafeWord products (using RADIUS)

    Smart card using client certificates for authentication

    TACACS+

    If your environment supports none of the authentication types listed above or you have a small population of remote users, you can create a list of local users on the Access Gateway and configure the Access Gateway to authenticate users against this local list. With this configuration, it is not necessary to maintain user accounts in a separate, external directory.

    For more information about authentication and authorization, see Configuring Authentication and Authorization on page 111.

    Deploying the Access Gateway

    This section discusses the following Access Gateway deployments:

    Deploying the Access Gateway in the network demilitarized zone (DMZ)

    Deploying the Access Gateway in a secure network that does not have a DMZ


    Deploying additional Access Gateway appliances to support load balancing and failover

    Deploying the Access Gateway in the Network DMZ

    Many organizations protect their internal network with a DMZ. A DMZ is a subnet that lies between an organization's secure internal network and the Internet (or any external network). When the Access Gateway is deployed in the DMZ, users access it using the Access Gateway Plug-in or Citrix XenApp Plug-in for Hosted Apps.

    Access Gateway deployed in the DMZ

    Installing the Access Gateway in the DMZ

    In this configuration, you install the Access Gateway in the DMZ and configure it to connect to both the Internet and the internal network. Follow the instructions in Installing the Access Gateway on page 38 to perform installation and configuration.

    Access Gateway Connectivity in the DMZ

    When you deploy the Access Gateway in the DMZ, client connections must traverse the first firewall to connect to the Access Gateway. By default, clients use Secure Sockets Layer (SSL) on port 443 to establish this connection. To support this connectivity, you must allow SSL on port 443 through the first firewall.


    The Access Gateway decrypts the SSL connections from the client and establishes a connection on behalf of the client to the network resources behind the second firewall. The ports that must be open through the second firewall are dependent on the network resources that you authorize external users to access.

    For example, if you authorize external users to access a Web server in the internal network and this server listens for HTTP connections on port 80, you must allow HTTP on port 80 through the second firewall.
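    The two-firewall rule logic described above, as an added example that is not part of the guide: a small model that checks that the first firewall admits SSL/443 to the gateway, that every resource port external users are authorized to reach is open from the gateway through the second firewall, and that the second firewall carries no rule the authorization list does not require. All host names are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One allow rule: traffic from src (a zone name or host) to dst:port."""
    src: str
    dst: str
    port: int


@dataclass
class Firewall:
    name: str
    allow: list = field(default_factory=list)  # Rule objects; anything not listed is denied

    def permits(self, src: str, dst: str, port: int) -> bool:
        return Rule(src, dst, port) in self.allow


@dataclass
class DmzDeployment:
    """Access Gateway in the DMZ between two firewalls, as in the guide."""
    gateway: str
    first_fw: Firewall    # Internet -> DMZ
    second_fw: Firewall   # DMZ -> internal network
    authorized: dict      # internal host -> set of ports external users may use

    def audit(self) -> list:
        findings = []
        # Clients must reach the gateway over SSL/443 through the first firewall.
        if not self.first_fw.permits("internet", self.gateway, 443):
            findings.append(f"{self.first_fw.name}: SSL/443 from internet to "
                            f"{self.gateway} is not allowed")
        # Every authorized resource port must be open from the gateway through the
        # second firewall, or the gateway cannot connect on the client's behalf.
        for host, ports in sorted(self.authorized.items()):
            for port in sorted(ports):
                if not self.second_fw.permits(self.gateway, host, port):
                    findings.append(f"{self.second_fw.name}: {host}:{port} is authorized "
                                    f"but not open from {self.gateway}")
        # The second firewall should carry nothing beyond what the authorization list
        # requires: no source other than the gateway, no port no resource needs.
        for rule in self.second_fw.allow:
            if rule.src != self.gateway:
                findings.append(f"{self.second_fw.name}: {rule.src} may reach "
                                f"{rule.dst}:{rule.port} without passing through {self.gateway}")
            elif rule.port not in self.authorized.get(rule.dst, set()):
                findings.append(f"{self.second_fw.name}: {rule.dst}:{rule.port} is open from "
                                f"{self.gateway} but no user is authorized to access it")
        return findings


def example_deployment() -> DmzDeployment:
    """Constructed sample: a Web server on port 80 is the only authorized resource."""
    gw = "agee.dmz.example"  # placeholder gateway host name
    fw1 = Firewall("first firewall", [Rule("internet", gw, 443)])
    fw2 = Firewall("second firewall", [
        Rule(gw, "intranet-web.corp.example", 80),          # needed for the authorized resource
        Rule(gw, "fileserver.corp.example", 445),           # nothing authorizes this port
        Rule("internet", "intranet-web.corp.example", 80),  # bypasses the gateway entirely
    ])
    return DmzDeployment(gw, fw1, fw2, {"intranet-web.corp.example": {80}})


def minimal_rules(deployment: DmzDeployment) -> Firewall:
    """Derive the second-firewall rule set that the authorization list actually needs."""
    rules = [Rule(deployment.gateway, host, port)
             for host, ports in sorted(deployment.authorized.items())
             for port in sorted(ports)]
    return Firewall(deployment.second_fw.name, rules)


if __name__ == "__main__":
    dep = example_deployment()
    for finding in dep.audit():
        print("finding:", finding)
    dep.second_fw = minimal_rules(dep)
    print("after tightening:", dep.audit() or "no findings")
```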

    Deploying the Access Gateway in a Secure Network

    You can install the Access Gateway in the secure network. In this scenario, there is typically one firewall between the Internet and the secure network. The Access Gateway resides inside the firewall to control access to network resources.

    Access Gateway deployed in a secure network

    Access Gateway Connectivity in a Secure Network

    When an Access Gateway is deployed in the secure network, the Access Gateway Plug-in connection must traverse the firewall to connect to the Access Gateway. By default, clients use the SSL protocol on port 443 to establish the connection. To support this connectivity, you must open port 443 on the firewall.


    Deploying the Access Gateway to Access Published Applications

    When you deploy the Access Gateway to provide secure remote access to a server farm, the Access Gateway works with the Web Interface and the Secure Ticket Authority (STA) to provide access to published applications and resources hosted within a server farm.

    This section covers the basic aspects of deploying the Access Gateway with a server farm. For a detailed discussion of this deployment, see Citrix Access Gateway Enterprise Edition Integration Guide for Citrix XenApp and Citrix XenDesktop.

    The configuration of your organization's network determines where you deploy the Access Gateway when it operates with a server farm. There are two options:

    If your organization protects the internal network with a single DMZ, deploy the Access Gateway in the DMZ.

    If your organization protects the internal network with two DMZs, deploy one Access Gateway in each of the two network segments in a double-hop DMZ configuration. For more information about deploying the Access Gateway in a double-hop DMZ, see Citrix Access Gateway Enterprise Edition Integration Guide for Citrix XenApp and Citrix XenDesktop.

    Note: You can also configure a double-hop DMZ with the second Access Gateway appliance in the secure network.

    Deploying the Access Gateway in the DMZ with a Server Farm

    Deploying the Access Gateway in the DMZ is the most common configuration when the Access Gateway operates with a server farm.

    In this configuration, the Access Gateway provides a secure single point-of-access for the Web browsers and Citrix XenApp Plug-in for Hosted Apps that access the published resources through the Web Interface.


    Access Gateway and Web Interface deployed in the DMZ. Computers in the secure network are running Citrix XenApp.

    When the Access Gateway is deployed in the DMZ to provide remote access to a server farm, you can implement one of the following three deployment possibilities:

    Deploy the Web Interface behind the Access Gateway in the DMZ. In this configuration, both the Access Gateway and the Web Interface are deployed in the DMZ. The initial client connection goes to the Access Gateway and is then redirected to the Web Interface.

    Deploy the Access Gateway parallel to the Web Interface in the DMZ. In this configuration, both the Access Gateway and the Web Interface are deployed in the DMZ, but the initial client connection goes to the Web Interface instead of the Access Gateway.

    The Web Interface interacts with the Secure Ticket Authority (STA) and generates an ICA file to ensure the XenApp plug-in traffic is routed through the Access Gateway to a computer running XenApp in the server farm.

    Deploy the Access Gateway in the DMZ and deploy the Web Interface in the internal network. In this configuration, user requests are authenticated by the Access Gateway before they are relayed to the Web Interface in the secure network. The Web Interface does not perform authentication, but interacts with the STA and generates an ICA file to ensure ICA traffic is routed through the Access Gateway to the server farm.

    For more information about deploying the Web Interface behind or parallel to the Access Gateway, see the Citrix Access Gateway Enterprise Edition Integration Guide for Citrix XenApp and Citrix XenDesktop.


    Deploying the Access Gateway in a Double-Hop DMZ

    Some organizations use three firewalls to protect their internal networks. The three firewalls divide the DMZ into two stages to provide an extra layer of security for the internal network. This network configuration is called a double-hop DMZ.

    You can deploy the Access Gateway in a double-hop DMZ configuration to provide a single point of access to a server farm residing in an internal network. With this configuration, you must deploy two Access Gateway appliances: one in the first stage of the DMZ and one in the second stage of the DMZ.

    Important: When the Access Gateway is deployed in a double-hop scenario, clients can access resources only in a server farm using Citrix XenApp Plug-in for Hosted Apps. Users cannot use the Access Gateway Plug-in to access internal network resources in a double-hop DMZ scenario. Only ICA traffic is supported.

    Two Access Gateway appliances deployed in a double-hop DMZ

    The figure above shows two Access Gateway appliances deployed in a double-hop DMZ to control access to a server farm.

    You can also deploy one Access Gateway in the DMZ and the second Access Gateway in the secure network. When you deploy a double-hop scenario in this manner, you can simplify your firewall rules.

    In this deployment, the clients, the Access Gateway appliances, and the Web Interface perform these operations:

    Users from the Internet use a Web browser and Citrix XenApp Plug-in for Hosted Apps to connect to the Access Gateway in the first DMZ.

    The Access Gateway in the first DMZ receives the client connections and redirects these connections to the Web Interface in the second DMZ. This Access Gateway also handles connections from the clients that connect to the server farm on the internal network.

    The Web Interface performs various interactions with the Web browser clients and components of the server, including the XML Service and the Secure Ticket Authority (STA). These interactions provide users with a list of published applications and enable the user to access a published application by clicking a link in this list.

    Important: The Web Interface must be installed parallel to the Access Gateway in the second DMZ.

    The Access Gateway in the second DMZ acts as a proxy that enables ICA traffic to traverse the second DMZ and connect to the server farm in the internal network. The Access Gateway in the second DMZ also enables the Access Gateway in the first DMZ to communicate with the STA in the internal network.

    Alternatively, you can deploy a double-hop scenario with one appliance in the DMZ and the second appliance in the secure network.

    For detailed information about these interactions and the configurations required to deploy two Access Gateway appliances in a double-hop DMZ configuration, see the Citrix Access Gateway Enterprise Edition Integration Guide for Citrix XenApp and Citrix XenDesktop.

CHAPTER 4

Getting Started with Citrix Access Gateway

    The Access Gateway installs in any network infrastructure without requiring changes to the existing hardware or internal network. It works with other networking products, such as server load balancers, firewalls, routers, and IEEE 802.11 wireless devices.

    Citrix recommends installing the Access Gateway in the demilitarized zone (DMZ). When installed in the DMZ, the Access Gateway participates on two networks: a private network and a public network with a publicly routable IP address. Typically, the private network is the internal enterprise network and the public one is the Internet. You can also use the Access Gateway to partition local area networks internally in the organization for access control and security.

    In This Chapter

    Identifying Access Gateway Prerequisites

    Using the Configuration Utility

    Configuring the Access Gateway Using Wizards

    Installing the Access Gateway

    Configuring Settings Using the Serial Console

    Configuring Settings Using the Configuration Utility

    Configuring the Host Name

    Installing Licenses on the Access Gateway

    Creating Additional Virtual Servers

    Configuring IP Addresses on the Access Gateway

    Configuring Routing on the Access Gateway

    Testing Your Access Gateway Configuration

    Configuring Name Service Providers


Identifying Access Gateway Prerequisites

Before you start to configure settings on the Access Gateway, review the prerequisites needed for a successful deployment.

    The Access Gateway is physically installed in your network and has access to the network. The Access Gateway is deployed in the demilitarized zone (DMZ) or internal network behind a firewall. You can also configure the Access Gateway in a double-hop DMZ and for connections to a server farm.

    The Access Gateway needs to be configured with a default gateway or static routes to the internal network so users can access resources in the network. The Access Gateway is configured to use static routes by default.

    The external servers used for authentication and authorization are configured and running. For more information, see Configuring Authentication and Authorization on page 111.

    The network has a DNS or WINS server for name resolution to provide correct Access Gateway user connection functionality.

    The licenses for user connections are downloaded from My Citrix and ready to be installed on the Access Gateway.

    The Access Gateway has a certificate that is signed by a trusted Certificate Authority (CA). For more information, see Installing and Managing Certificates on page 79.

Using the Configuration Utility

The Access Gateway can be configured using the configuration utility. The configuration utility consists of the following components:

    Navigation Pane. The navigation tree extends down the left side of the screen, and provides a collapsible menu that contains links to all nodes in the configuration utility. To navigate to a node, click the plus (+) sign to expand that category. The plus sign changes to a minus (-) sign and all nodes and categories within that node are displayed.

    At the bottom of the navigation pane are three links you can use to quickly navigate through the configuration utility. These include:

    Navigation Pane. This button takes you back to the navigation pane.

    Favorites. This button shows the nodes you have marked as favorites. You can use favorites to quickly go to the parts of the configuration utility you use the most.


    Quick Links. This is a list of commonly used wizards and policy managers on the appliance. You can use this button to quickly navigate to the task you want to complete.

Details Pane. The details pane, the right portion of the configuration utility, displays the tasks and entities of the node that is selected in the navigation pane.

Configuration Buttons. These are located at the bottom of the details pane. The buttons change depending on the path you opened in the navigation pane.

Other Links. The following are descriptions of some of the links:

    Settings. When you click this link, your settings are saved to your computer.

    Save. This saves the configuration on the Access Gateway.

Refresh All. Whenever you perform an operation in the configuration utility, the configuration utility checks whether its configuration is the same as the one on the kernel. This link synchronizes the configuration utility with the latest configuration changes.

Help. This link opens the online help for the configuration utility.

Refresh. This button reloads the details pane so that it reflects the latest data.

    Add to Favorites. This button allows you to save the current details pane to a favorites list on the Access Gateway. You can access your favorites by clicking Favorites at the bottom of the navigation pane.


    Configuration utility

Configuring the Access Gateway Using Wizards

The Access Gateway has three wizards to configure settings on the appliance. These include:

    The Setup Wizard

    The Access Gateway wizard

    The Published Applications wizard

How the Setup Wizard Works

The Setup Wizard is used to configure the initial settings on the appliance. The Setup Wizard configures the following settings:

    System IP address and subnet mask

    Mapped IP address and subnet mask


    Host name

    Default gateway

    Administrator password

    Licenses

    Note: Before running the Setup Wizard, download your licenses from the Citrix Web site. For more information, see Installing Licenses on the Access Gateway on page 47.

How the Access Gateway Wizard Works

The Access Gateway wizard helps you quickly configure additional settings on the appliance. These are settings that configure how users connect to the Access Gateway. The settings include:

    Virtual servers

    Certificates

    Name service providers

    Authentication

    Authorization

    Port redirection

    Clientless access

    Clientless access for SharePoint

How the Published Applications Wizard Works

The Published Applications Wizard helps you to configure the Access Gateway to connect to servers running Citrix XenApp or Citrix XenDesktop in the internal network. With the Published Applications Wizard, you can:

    Select a virtual server for connections to the server farm

    Configure the settings for client connections for the Web Interface, single sign-on, and Secure Ticket Authority

    Configure Web Interface failover

    Create or select session policies for SmartAccess


    Within the wizard, you can also create session policy expressions for client connections. For more information about configuring the Access Gateway to connect to a server farm, see the Citrix Access Gateway Enterprise Edition Integration Guide for Citrix XenApp and Citrix XenDesktop.

Installing the Access Gateway

This section describes how to install the Access Gateway in your network. To install the appliance successfully, use the following guidelines:

    Plan your deployment. Before you deploy the appliance, you need to determine if the appliance is going to provide access to resources on single or multiple networks, and then choose the installation type you want.

    Install your appliance. Install the appliance on your network.

Getting Ready to Install the Access Gateway

To install the Access Gateway, verify that the contents of the box match the packing list. If an item on the packing list is missing from the box, contact Citrix Customer Care.

    Before starting the installation, complete the Access Gateway Enterprise Edition Pre-Installation Checklist to verify the settings you need to configure. These settings include IP addresses, virtual servers, and authentication.

Materials and Information Needed for Installation

The box that contains the appliance should have the following items:

    An Access Gateway appliance

    The accessory kit that includes:

    One RJ-45-to-RJ-45 serial cable

    One RJ-45-to-DB-25 adapter

    Two RJ-45-to-DB-9 adapters

    One AC power cable for the Model 7000 appliance

    Two AC power cables for the Model 9000 or 10000 series appliances

    Getting Started with Citrix Access Gateway Enterprise Edition

    Citrix Access Gateway Enterprise Edition Pre-Installation Checklist

    When configuring the Access Gateway for the first time, identify the IP addresses you need to configure the appliance. These include:


    The system IP address that the Access Gateway administrator uses to configure the appliance

    The mapped IP address that routes network traffic to servers in the secure network (required)

    The subnet IP address that is an optional IP address to a different subnet in your network

    The default gateway IP address

    The IP addresses for virtual servers to which users connect

    The community name and IP address of the management station for SNMP access (optional)

    For additional information for the settings you need to configure, see the Access Gateway Enterprise Edition Pre-Installation Checklist.
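The checklist above is easy to fill in inconsistently. The following added example (not Citrix code or part of the guide) models the addresses the checklist asks for and flags the planning mistakes that otherwise surface only after the appliance is racked: a default gateway that is not on the system IP's subnet, a subnet IP that is not actually on a different subnet, duplicated addresses, mixed address families, and a system IP left at the factory default stated later in this chapter. All addresses in the sample call are constructed.

```python
"""Sanity-check an Access Gateway pre-installation IP plan (added example)."""
import ipaddress

# Factory default system IP and subnet mask as documented in this guide.
FACTORY_NSIP = ipaddress.ip_interface("192.168.100.1/255.255.0.0")


def check_ip_plan(system_ip, default_gateway, mapped_ip, vserver_ips,
                  subnet_ip=None):
    """Return a list of findings; an empty list means the plan is consistent.

    system_ip, mapped_ip, subnet_ip: 'address/mask' strings.
    default_gateway: bare address string.
    vserver_ips: bare address strings that users will connect to.
    """
    findings = []
    nsip = ipaddress.ip_interface(system_ip)
    mip = ipaddress.ip_interface(mapped_ip)
    gw = ipaddress.ip_address(default_gateway)

    # A management address left at the documented factory default is
    # guessable by anyone who has read the guide; it must be changed.
    if nsip.ip == FACTORY_NSIP.ip:
        findings.append("system IP is still the factory default 192.168.100.1")

    # The default gateway must be on-link for the system IP, otherwise the
    # appliance has no route to the internal network.
    if gw not in nsip.network:
        findings.append(f"default gateway {gw} is not in system subnet {nsip.network}")
    if gw == nsip.ip:
        findings.append("default gateway equals the system IP")

    # Collect every address the appliance will own; they must be unique.
    all_addrs = [("system IP", nsip.ip), ("mapped IP", mip.ip)]
    if subnet_ip is not None:
        snip = ipaddress.ip_interface(subnet_ip)
        all_addrs.append(("subnet IP", snip.ip))
        # The checklist defines the subnet IP as an address on a different
        # subnet; one on the system subnet is almost certainly a mistake.
        if snip.network == nsip.network:
            findings.append("subnet IP is on the same subnet as the system IP")
    for i, v in enumerate(vserver_ips):
        all_addrs.append((f"virtual server {i + 1}", ipaddress.ip_address(v)))

    seen = {}
    for label, addr in all_addrs:
        if addr in seen:
            findings.append(f"{label} {addr} duplicates {seen[addr]}")
        seen.setdefault(addr, label)

    # Mixing IPv4 and IPv6 in one plan usually means a copy/paste error.
    families = {a.version for _, a in all_addrs} | {gw.version}
    if len(families) > 1:
        findings.append("plan mixes IPv4 and IPv6 addresses")

    return findings


if __name__ == "__main__":
    # Constructed sample plan, not taken from any real deployment.
    sample = check_ip_plan(system_ip="192.168.100.1/16",
                           default_gateway="192.168.1.1",
                           mapped_ip="192.168.100.2/16",
                           vserver_ips=["192.168.100.1"])
    for finding in sample:
        print("finding:", finding)
```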

    Caution: The flash disk cannot be changed when the appliance is powered on. Remove the flash disk only when the appliance is turned off.

Installing the Access Gateway MPX 5500

The tasks for installing the MPX 5500 appliance are:

    Installing the Access Gateway in a rack

    Connecting Ethernet cables to the appliance and network

Installing the MPX 5500 in a Rack

The Access Gateway ships with rack rail hardware. This hardware consists of two rear inner rails that are secured to the chassis, one on each side just behind the preinstalled front inner rails. These two rails are left- and right-specific. Both chassis rails have a locking tab, which serves two functions. The first is to lock the system into place when installed in the rack. The second is to lock the system in place when fully extended from the rack, preventing the appliance from coming out of the rack when pulled out for servicing.

    Note: You might need to remove the rack mount ears before installing the rack rails.

    To install the rear inner rails

    1. The inner rails are secured to the front half of the chassis.


    2. Starting from the right side, align the two square holes on the rail against the hooks on the right side of the chassis.

    3. Attach the rail to the chassis with screws.

    4. Repeat Steps 2 and 3 to install the left rear inner rail.

    To install the rack rails

    1. Determine where you want to place the appliance in the rack.

    2. Position the chassis rail guides at the desired location in the rack, keeping the sliding rail guide facing inwards.

    3. Screw the assembly to the rack using the brackets provided.

    4. Repeat Steps 2 and 3 for attaching the assembly to the other side of the rack. Ensure that both the rack rails are at the same height and that the rail guides are facing inward.

    To install the appliance into the rack

    1. Line up the rear inner rails with the rack rails.

    2. Slide the chassis rails in the rack rails, keeping the pressure even on both sides. You may have to depress the locking tabs when inserting the chassis.

    3. When the system is pushed completely into the rack, you will hear the locking tabs click.

    4. Insert and tighten the thumbscrews to secure the front of the chassis to the rack.

Installing the Access Gateway MPX 5500

After installing the Access Gateway in the rack, connect the Access Gateway to your network.

    To install the Access Gateway MPX 5500

    1. Connect the Ethernet cables.

    2. Connect a computer to the serial console on the front of the appliance.

    The terminal emulation application must have a baud rate and character format configured to 9600 baud, 8 data bits, 1 stop bit, and no parity.

    3. Power on the Access Gateway.

Installing the Access Gateway Model 7000

The tasks for installing the Access Gateway Model 7000 are:


    Installing the Access Gateway in the rack

    Connecting Ethernet cables to the appliance and network

Installing the Access Gateway Model 7000 in a Rack

Before connecting the Access Gateway to your network, install the appliance in a rack.

    To install the Model 7000 in a rack

    1. Place the Access Gateway appliance in your server room rack, and secure it to the rack using the screws provided with the appliance.

    2. Position the appliance in the rack. Make sure that there is adequate ventilation.

    3. Verify that the screw holes are aligned with the corresponding holes on the rack.

    4. Insert two mounting screws on each side.

    5. Tighten the mounting screws.

Installing the Access Gateway Model 7000

After you install the Access Gateway appliance in the rack, connect the appliance to the network.

    To connect the Model 7000 to the network

    1. Connect the Ethernet cables.

    2. Connect a computer to the serial console on the front of the appliance.

    The terminal emulation application must have a baud rate and character format configured to 9600 baud, 8 data bits, 1 stop bit, and no parity.

    3. Power on the Access Gateway.

    Caution: Ensure that you do not create a network loop. This occurs if you connect any two cables to the same switch or virtual local area network (VLAN).

Installing the Access Gateway Model 9010 or 10010

The tasks for installing the Model 9010 or 10010 are:


    Installing the Access Gateway in a rack

    Installing Small Form-factor Pluggable (SFP) network ports

    Connecting Ethernet cables to the appliance and network

Rack Mounting the 9010 or 10010 Model

The Access Gateway ships with rack rail hardware. This hardware consists of two rear inner rails that are secured to the chassis, one on each side just behind the preinstalled front inner rails. These two rails are left- and right-specific. Both chassis rails have a locking tab, which serves two functions. The first is to lock the appliance into place when installed in the rack. The second is to lock the appliance in place when fully extended from the rack, preventing the appliance from coming out of the rack when pulled out for servicing.

    Note: You might need to remove the rack mount ears before installing the rack rails.

    To install the rear inner rails

    1. Starting from the right side, align the two square holes on the rail against the hooks on the right side of the chassis.

    2. Attach the rail to the chassis with screws.

    3. Repeat Steps 2 and 3 to install the left rear inner rail.

    To install the rack rails

    1. Determine where you want to place the system in the rack.

    2. Position the chassis rail guides at the desired location in the rack, keeping the sliding rail guide facing inward.

    3. Screw the assembly to the rack using the brackets provided.

    4. Repeat Steps 2 and 3 for attaching the assembly to the other side of the rack. Ensure that both the rack rails are at same height and that the rail guides are facing inward.

    To install the appliance in the rack

    1. Line up the rear inner rails with the rack rails.

    2. Slide the chassis rails into the rack rails keeping the pressure even on both sides. You may have to depress the locking tabs when inserting the chassis.

    3. When the system is pushed completely into the rack, you hear the locking tabs click.


    4. Insert and tighten the thumbscrews to secure the front of the chassis to the rack.

Installing Small Form-Factor Pluggable Network Ports

If you purchase the Model 9010 Small Form-factor Pluggable (SFP) appliance, there are four SFP network ports.

    The Model 10010 appliance supports four SFP ports and four 10/100/1000 Ethernet ports.

    Two types of SFP come with the Access Gateway. One is copper and one is fiber.

    Caution: Only those SFPs provided by Citrix are supported. If you try to install a third-party SFP port on the Access Gateway, the warranty becomes void.

    To install the copper SFP

    1. Carefully remove the copper SFP module from the box.

    2. Insert the copper SFP in the socket with the locking hinge in the DOWN position.

    3. Push the copper SFP until it is in the locking position.

    4. Move the locking hinge to the UP position and push it inward into the socket.

    Installing the fiber SFP

    1. Carefully remove the fiber SFP module from the box.

    2. Insert the fiber SFP in the socket with the locking hinge in the UP position.

    3. Push the fiber SFP until it is in the locking position.

    4. Move the locking hinge to the DOWN position.

    5. Remove the fiber dust protector.

    6. Move the locking hinge to the UP position and push it inward into the socket.

Installing the Access Gateway Model 9010 or 10010

After installing the Access Gateway in the rack and installing the SFP network ports, connect the Access Gateway to your network.

    To install the Access Gateway Model 9010 or 10010

    1. Connect the Ethernet cables.


    2. Connect a computer to the serial console on the front of the appliance.

    The terminal emulation application must have a baud rate and character format configured to 9600 baud, 8 data bits, 1 stop bit, and no parity.

    3. Power on the Access Gateway.

Important: The Access Gateway 9000 or 10000 series appliances have two power supplies. Citrix recommends that you use both power supplies. If only one power supply is used, the Access Gateway emits a high-pitched alert.

    Some models of the Access Gateway allow you to turn off the alert by pushing the small red button on the back of the appliance or under the face plate, near the LCD screen. If your appliance does not have this button, you cannot override the alert and you must use both power supplies.

Configuring Settings Using the Serial Console

When you first install the Access Gateway, you can configure the initial settings using the serial console. Connect a serial cable to the port on the Access Gateway and the other end to a computer. With the serial console, you can change the system IP address, create a mapped IP address, configure advanced network settings, and change the time zone.

    The terminal emulation application, such as Telnet or HyperTerminal, must have a baud rate of 9600, use eight data bits, one stop bit, and no parity.

    To configure initial settings using the serial console

    1. At a command prompt, log on using the default user name and password, nsroot.

2. At a command prompt, type: config ns

    3. Follow the instructions on the screen.

Configuring Settings Using the Configuration Utility

The configuration utility allows you to configure most of the Access Gateway settings. You log on to the configuration utility using a Web browser.


    To log on to the configuration utility

    1. In a Web browser, type the system IP address of the Access Gateway, such as http://192.168.100.1.

    Note: The Access Gateway is configured with a default IP address of 192.168.100.1 and subnet mask of 255.255.0.0.

    2. In User Name and Password, type nsroot.

    Note: Citrix recommends changing the administrator password using the Setup Wizard.

    3. In Start in, select Configuration and click Login.

    When you start the configuration utility, you are given the option of starting it one of two ways. The Applet Client is a Java-based client that allows you to start the configuration utility in a Web browser. The Web Start Client allows you to download Java components and start future connections to the configuration utility without typing the system IP address. Both clients require Java Runtime Environment (JRE) Version 1.4.x or later.

    The configuration utility has left and details panes that you can use to configure the Access Gateway. The left pane, called the navigation pane, contains the nodes that are used to configure settings on the Access Gateway. Depending on the node that you select in the navigation pane, the details pane displays the information for the node. After you log on, you can run the Setup Wizard to configure the initial settings on the Access Gateway.

Configuring TCP/IP Settings Using the Setup Wizard

When you first start the configuration utility, it opens on the System node in the navigation pane. From this node, you can run the Setup Wizard.

    If you did not configure the Access Gateway using the serial console, you can configure TCP/IP settings using the Setup Wizard and the Access Gateway wizard in the configuration utility.

    If you are configuring the Access Gateway using the Setup Wizard, connect the RJ-45 cables to the Access Gateway and then to the internal network.

    To run the Setup Wizard

    1. In the configuration utility, in the navigation pane, click System.


    2. In the details pane, click Setup Wizard.

    3. Click Next and follow the directions in the wizard.

Configuring Settings Using the Access Gateway Wizard

After running the Setup Wizard, run the Access Gateway wizard to configure additional settings on the Access Gateway. The Access Gateway wizard is run from the configuration utility.

    To configure the Access Gateway using the Access Gateway wizard

    1. In the configuration utility, in the navigation pane, click Access Gateway.

    2. In the details pane, under Getting Started, click Access Gateway wizard.

    3. Click Next and follow the instructions in the wizard.

    The Access Gateway comes with a test certificate. If you do not have a signed certificate from a Certificate Authority, you can use the test certificate when using the Access Gateway wizard. When you receive the signed certificate, you can remove the test certificate and install the signed certificate. Citrix recommends obtaining the signed certificate before making the Access Gateway publicly available for users.

    Important: You can create a Certificate Signing Request (CSR) from within the Access Gateway wizard. If you create the CSR using the Access Gateway wizard, you must exit from the wizard and then start it again when the signed certificate is received from the Certificate Authority (CA). For more information about certificates, see Installing and Managing Certificates on page 79.

You can configure client connections for Internet Protocol version 6 (IPv6) in the Access Gateway wizard when you configure a virtual server. For more information about using IPv6 for client connections, see Configuring IPv6 for Client Connections on page 54.

Configuring Auto Negotiation

By default, the appliance is configured to use auto negotiation, which sets the direction for transmitted data. This is either half-duplex or full-duplex. For a first time installation, configure the Access Gateway to use auto negotiation for those ports connected to the appliance. After initial logon and configuration, auto negotiation can be disabled. Auto negotiation cannot be configured globally. It must be enabled or disabled for each interface.


    To enable or disable auto negotiation

    1. In the configuration utility, in the navigation pane, expand Network and click Interfaces.

    2. In the details pane, select the interface and click Open.

    3. Do one of the following:

    To enable auto negotiation, click Yes and click OK. When this is enabled, the Access Gateway uses full duplex.

    To disable auto negotiation, click No and cli