Gateway

Planning for Security

When planning your Citrix Gateway deployment, you should understand basic security issues associated with certificates, and with authentication and authorization.

Configuring Secure Certificate Management

By default, Citrix Gateway includes a self-signed Secure Sockets Layer (SSL) server certificate that enables the appliance to complete SSL handshakes. Self-signed certificates are adequate for testing or for sample deployments, but Citrix does not recommend using them for production environments. Before you deploy Citrix Gateway in a production environment, Citrix recommends that you request and receive a signed SSL server certificate from a known Certificate Authority (CA) and upload it to Citrix Gateway.

If you deploy Citrix Gateway in any environment where Citrix Gateway must operate as the client in an SSL handshake (initiate encrypted connections with another server), you must also install a trusted root certificate on Citrix Gateway. For example, if you deploy Citrix Gateway with Citrix Virtual Apps and the Web Interface, you can encrypt connections from Citrix Gateway to the Web Interface with SSL. In this configuration, you must install a trusted root certificate on Citrix Gateway.

Authentication Support

You can configure Citrix Gateway to authenticate users and to control the level of access (or authorization) that users have to the network resources on the internal network.

Before deploying Citrix Gateway, your network environment should have the directories and authentication servers in place to support one of the following authentication types:

  • LDAP
  • RADIUS
  • TACACS+
  • Client certificate with auditing and smart card support
  • RSA with RADIUS configuration
  • SAML authentication

If your environment does not support any of the authentication types in the preceding list, or you have a small population of remote users, you can create a list of local users on Citrix Gateway. You can then configure Citrix Gateway to authenticate users against this local list. With this configuration, you do not need to maintain user accounts in a separate, external directory.

Planning for Security