Citrix: How to Configure Access Gateway 5 Standalone for Use with XenDesktop 5

Share Button

I just found the following article which is helpful when configuring a CAG with XD5; http://support.citrix.com/article/CTX128869

Summary

This article describes how to record the configuration of a Citrix Access Gateway 5.0 (in standalone mode) for use in a standard DeskSide Lab test environment.

While this article only attempts to record a single Access Gateway Standard Edition configuration, it can provide a good starting point for anyone wishing to create more complex configurations.

Environment

The following diagram shows the network layout of a Deskside Lab test environment and its typical components.

Initial Setup

  1. Download the latest Access Gateway Standard Edition (version 5 and later) VPX from www.citrix.com
  2. Import the VPX appliance into your XenServer. This example is configured with a single network interface on an appropriate DMZ LAN.
  3. When importing completes, log on to the VPX appliance from a XenCenter console, using the credentials user name = admin and password = admin.
  4. Use the menu to set your initial network settings. If you are putting this VPX appliance in a standard Deskside Lab environment, you may use the following recommended settings:

 

    Internal Management Interface = eth0 (assuming that you only have a single network interface)
    IP address = 192.168.2.2
    netmask = 255.255.255.0
    gateway = 192.168.2.1
  1. Once this completes, save the settings and reboot the VPX appliance.

Configuring the Access Gateway

Administration console

All the remaining configuration is done from the administration console, which can be found at the following address:

https://192.168.2.2/lp/AdminLogonPoint

The logon credentials are admin and admin.

Networking

Open the System Administration > Networking tab and give the Access Gateway a Host name. This should be the Fully Qualified Domain Name (FQDN) of the host and should be the same as the name in the security certificate (see the details below).

Licensing

Initially, there are no licenses installed, so the next thing to do is install them.

Upload your license files using the Upload button on the Licensing page:

  1. Access Gateway – Concurrent users
  2. Access gateway – Platform License

Citrix Dev & Test licenses:-
CAG_PLATFORM_RETAIL_720GP_1SA_50CCU(Retail 4).lic
CAGU_Retail-5000CCU.lic

Licensing notes:

    a. In retail mode, only the platform license is required. With a platform license installed, you can create and use Basic logon points. The Access Gateway Universal licenses are optional and enable SmartAccess logon points. 

    b. In Express mode, an Express license is required and is the only type of license allowed. The Express license enables Basic and SmartAccess logon points but limits the gateway to a maximum of five concurrent sessions. The retail platform and Access Gateway Universal licenses cannot be used in Express mode.

    c. If you are in the Debug Log, you might not have a valid platform license if you see something like the following:

201011281302.44 319459559 ns | :A1-1 (014):MAIN (00) | BASE license checkout user [123456789:d42ae974-db43-f463-f296-3d74f960f00c -> gU9EWe4Aqu/kwvE2ORhnyqPar+dCDK6bIljLkOswszg=] FAIL: -18 License server system does not support this feature.
Feature: CAG_BASE_SERVER
License path: 27000@mycag.com:
FLEXnet Licensing error:-18,147. System Error: 2 “No such file or directory”
For further information, refer to the FLEXnet Licensing documentation,
available at “www.acresso.com”.
201011281302.44 319532049 ns | :A1-1 (014):DISPATCH (02) | received license response
201011281302.44 319543761 ns | :A1-1 (014):LOGIN (12) | license response received: status = -18, context = 124

Certificates

Within development and test environments, the most likely source of a security certificate for a web service is from a private Microsoft Windows Certificate Server. In this environment, there is one at 192.168.1.83 (mycertserver).

Below are the steps necessary to install a new certificate onto the Access Gateway .

Create a certificate request

  1. Create a Certificate Request and give it a Common Name (other than tokfw.eng.citrite.net).
    In a standard Deskside Lab environment, the Common Name would be the FQDN of the router that is forwarding client network traffic to the Access Gateway.
  2. Copy certificate request (to Notepad)

  1. Use Copy to extract the certificate request data (paste it into Notepad).

Use Microsoft Active Directory Certificate Services to create a certificate

  1. Use Microsoft Certificate Services to Request a Certificate.

  1. Click Advanced Certificate Request.

  1. Submit a certificate request by using a base-64-encoded file.

  1. Paste the certificate request data (previously saved to Notepad) into your Microsoft Certificate Request page.
  2. Set the Certificate Template to Web Server.

  1. Download the Base 64 certificate and save it.

Download a CA certificate

Restart the certificate request page and click Download a CA certificate… Download it in Base 64 format.

Note: You also need a CA certificate in DER format to install on your XenDesktop controller.

Import Certificates into Access Gateway

Import (server/pem) your new certificates, and make the Server Certificate active.

Note: The CA root certificate has been installed so that the traffic between the Access Gateway and the DDC can be secured. However, in subsequent steps of this document, this traffic was not secured.

Authentication

This document assumes that you want to authenticate your users at the Access Gateway, rather than at the Web Interface.

 

Authenticating at the Access Gateway and then passing the users credentials down to the Web Interface for single sign on is known to work on XenDesktop 4, and XenDesktop 5. However, there is an issue with XenDesktop 5, meaning that credentials are not correctly passed from Access Gateway Standard Edition to the XenDesktop Controller. Because of this, authentication should be done at the Web Interface rather than at the Access Gateway. 

OneBug – 25393

In this example, the users are being authenticated using Active Directory.

Authentication Example:

Administrator DN     CN=Administrator,CN=Users,DC=phony,DC=com
(or administrator@phony.com)
Base DN              CN=Users,DC=phony,DC=com

Logon Point

Although greater functionality can be achieved by using a SmartAccess Logon Point, this document describes the simplified Basic Logon Point.

Logon Point

Type = Basic
Web Interface = http://192.168.42.21/Citrix/XenAppCAG
Authentication profile = the one created above
Single sign-on to WebInterface = Yes

XenApp or XenDesktop – ICA Access Control List

Define a range of IP addresses to which the Access Gateway allows access. These are the IP addresses of your Virtual Desktop Agents (VDA).

In this example, all the VDAs have a Dynamic Host Configuration Protocol (DHCP) allocated address in this range.

In this example, ICA and Session reliability are allowed.

Secure Ticket Authority

Typically, your Secure Ticket Authority is located in your Desktop Delivery Controller (DDC).

Configure the XenDesktop DDC and Web Interface

  • Add a Certificate Authority (CA) certificate to the Trusted Root Certificate Authorities store of your Web Interface server.
  • [To secure traffic between the Access Gateway and the Web Interface, you may add a Web Server certificate to your Web Interface server, but this is strictly optional for the purposes of this document.]
  • Add the following line to the hosts file on your DDC.
    192.168.2.2     FQDN of your Access Gateway (also the Common Name in Access Gateway certificate)

Set up a Web interface site with Authentication at the Access Gateway

Secure Access

(Access) Gateway Settings.

Address (FQDN) = FQDN of the Access Gateway (also the Common Name of the Access Gateway’s certificate, and the name you have just put in your hosts file).

Secure Ticket Authority

  1. Type the URL of the Secure Ticket Authority in the following format:
    http://XXXXXX/scripts/ctxsta.dll
    The XXXXXX is typically the IP address or FQDN of your XenDesktop Controller (DDC).
  2. Make sure that this is the same as the one entered into the Access Gateway configuration. See the example configuration above.

Manage Server Farms

Identify which XenDesktop and XenApp farms you wish to access through this Web Interface.

Note: The names used in the image above are out of date.

Authentication method

The Authentication Service URL is https://YYYYYY/CitrixAuthService/AuthService.asmx (it must be https form).

The YYYYYY is the FQDN of your Access Gateway / router (also the Common Name in Access Gateway certificate).

 

Share Button
  1. Assad BaigAssad Baig05-25-2011

    nice post. this save me a lot of time when i switched from direct to gateway direct mode.

Leave a Reply