Gateway

Before Getting Started

Before you install Citrix Gateway, you must evaluate your infrastructure and collect information to plan an access strategy that meets the specific needs of your organization. When you define your access strategy, you need to consider the security implications and complete a risk analysis. You also need to determine the networks to which users are allowed to connect and decide on policies that enable user connections.

In addition to planning for the resources available for users, you also need to plan your deployment scenario. Citrix Gateway is compatible the following Citrix products:

  • Citrix Endpoint Management
  • Citrix Virtual Apps
  • Citrix Virtual Desktops
  • StoreFront
  • Web Interface
  • Citrix SD-WAN

For more information about deploying Citrix Gateway, see Common Deployments and Integrating With Citrix Products

As you prepare your access strategy, take the following preliminary steps:

  • Identify resources. List the network resources for which you want to provide access, such as Web, SaaS, mobile or published applications, virtual desktops, services, and data that you defined in your risk analysis.
  • Develop access scenarios. Create access scenarios that describe how users access network resources. An access scenario is defined by the virtual server used to access the network, endpoint analysis scan results, authentication type, or a combination thereof. You can also define how users log on to the network.
  • Identify client software. You can provide full VPN access with the Citrix Gateway plug-in, requiring users to log on with Citrix Workspace app, Secure Hub, or by using clientless access. You can also restrict email access to Outlook Web App or WorxMail. These access scenarios also determine the actions users can perform when they gain access. For example, you can specify whether users can modify documents by using a published application or by connecting to a file share.
  • Associate policies with users, groups, or virtual servers. The policies you create on Citrix Gateway enforce when the individual or set of users meets specified conditions. You determine the conditions based on the access scenarios that you create. You then create policies that extend the security of your network by controlling the resources users can access and the actions users can perform on those resources. You associate the policies with appropriate users, groups, virtual servers, or globally.

This section includes the following topics to help you plan your access strategy:

  • Planning for Security includes information about authentication and certificates.
  • Prerequisites that define network hardware and software you might need.
  • The Pre-Installation Checklist that you can use to write down your settings before you configure Citrix Gateway.

Prerequisites for installing Citrix Gateway

Before you configure settings on Citrix Gateway, review the following prerequisites:

  • Citrix Gateway is physically installed in your network and has access to the network. Citrix Gateway is deployed in the DMZ or internal network behind a firewall. You can also configure Citrix Gateway in a double-hop DMZ and configure connections to a server farm. Citrix recommends deploying the appliance in the DMZ.
  • You configure Citrix Gateway with a default gateway or with static routes to the internal network so users can access resources in the network. Citrix Gateway is configured to use static routes by default.
  • The external servers used for authentication and authorization are configured and running. For more information, see Authentication and Authorization.
  • The network has a domain name server (DNS) or Windows Internet Naming Service (WINS) server for name resolution to provide correct Citrix Gateway user functionality.
  • You downloaded the Universal licenses for user connections with the Citrix Gateway plug-in from the Citrix website and the licenses are ready to be installed on Citrix Gateway.
  • Citrix Gateway has a certificate that is signed by a trusted Certificate Authority (CA). For more information, see Installing and Managing Certificates.

Before you install Citrix Gateway, use the Pre-Installation Checklist to write down your settings.

Planning for security

When planning your Citrix Gateway deployment, you must understand the basic security issues associated with certificates, and with authentication and authorization.

Configure secure certificate management

By default, Citrix Gateway includes a self-signed Secure Sockets Layer (SSL) server certificate that enables the appliance to complete SSL handshakes. Self-signed certificates are adequate for testing or for sample deployments, but Citrix does not recommend using them for production environments. Before you deploy Citrix Gateway in a production environment, Citrix recommends that you request and receive a signed SSL server certificate from a known Certificate Authority (CA) and upload it to Citrix Gateway.

If you deploy Citrix Gateway in any environment where Citrix Gateway must operate as the client in an SSL handshake (initiate encrypted connections with another server), you must also install a trusted root certificate on Citrix Gateway. For example, if you deploy Citrix Gateway with Citrix Virtual Apps and the Web Interface, you can encrypt connections from Citrix Gateway to the Web Interface with SSL. In this configuration, you must install a trusted root certificate on Citrix Gateway.

Authentication support

You can configure Citrix Gateway to authenticate users and to control the level of access (or authorization) that users have to the network resources on the internal network.

Before deploying Citrix Gateway, your network environment must have the directories and authentication servers in place to support one of the following authentication types:

  • LDAP
  • RADIUS
  • TACACS+
  • Client certificate with auditing and smart card support
  • RSA with RADIUS configuration
  • SAML authentication

If your environment does not support any of these authentication types, or you have a small population of remote users, you can create a list of local users on Citrix Gateway. You can then configure Citrix Gateway to authenticate users against this local list. With this configuration, you do not need to maintain user accounts in a separate, external directory.

Secure your Citrix Gateway deployment

Different deployments might require different security considerations. The Citrix ADC secure deployment guidelines provide general security guidance to help you decide on an appropriate secure deployment based on your specific security requirements.

For details, see Citrix ADC secure deployment guidelines.

Before Getting Started