Citrix: How to Configure Access Gateway 5 Standalone for Use with XenDesktop 5
I just found the following article, which is helpful when configuring a CAG with XD5: http://support.citrix.com/article/CTX128869
While this article only attempts to record a single Access Gateway Standard Edition configuration, it can provide a good starting point for anyone wishing to create more complex configurations.
The following diagram shows the network layout of a Deskside Lab test environment and its typical components.
- Download the latest Access Gateway Standard Edition (version 5 and later) VPX from www.citrix.com
- Import the VPX appliance into your XenServer. This example is configured with a single network interface on an appropriate DMZ LAN.
- When importing completes, log on to the VPX appliance from a XenCenter console, using the credentials user name = admin and password = admin.
- Use the menu to set your initial network settings. If you are putting this VPX appliance in a standard Deskside Lab environment, you may use the following recommended settings:
| Setting | Value |
|---|---|
| Internal Management Interface | eth0 (assuming that you only have a single network interface) |
| IP address | 192.168.2.2 |
- Once this completes, save the settings and reboot the VPX appliance.
All the remaining configuration is done from the administration console, which can be found at the following address:
The logon credentials are admin and admin.
Open the System Administration > Networking tab and give the Access Gateway a Host name. This should be the Fully Qualified Domain Name (FQDN) of the host and should be the same as the name in the security certificate (see the details below).
Initially, there are no licenses installed, so the next thing to do is install them.
Upload your license files using the Upload button on the Licensing page:
- Access Gateway – Concurrent Users
- Access Gateway – Platform License
Citrix Dev & Test licenses:
a. In retail mode, only the platform license is required. With a platform license installed, you can create and use Basic logon points. The Access Gateway Universal licenses are optional and enable SmartAccess logon points.
b. In Express mode, an Express license is required and is the only type of license allowed. The Express license enables Basic and SmartAccess logon points but limits the gateway to a maximum of five concurrent sessions. The retail platform and Access Gateway Universal licenses cannot be used in Express mode.
c. If you see something like the following in the Debug Log, you might not have a valid platform license:
```
201011281302.44 319459559 ns | :A1-1 (014):MAIN (00) | BASE license checkout user [123456789:d42ae974-db43-f463-f296-3d74f960f00c -> gU9EWe4Aqu/kwvE2ORhnyqPar+dCDK6bIljLkOswszg=] FAIL: -18 License server system does not support this feature.
License path: firstname.lastname@example.org:
FLEXnet Licensing error:-18,147. System Error: 2 “No such file or directory”
For further information, refer to the FLEXnet Licensing documentation,
available at “www.acresso.com”.
201011281302.44 319532049 ns | :A1-1 (014):DISPATCH (02) | received license response
201011281302.44 319543761 ns | :A1-1 (014):LOGIN (12) | license response received: status = -18, context = 124
```
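As an added example (my code, not the Citrix article's or this post's), here is a small Python parser for Debug Log lines in the format shown above. It splits each timestamped entry into its fields, folds the untimestamped FLEXnet detail lines into the entry they belong to, and flags entries whose license checkout failed or whose license response carries a non-zero status, so a missing platform license can be spotted without reading the log by eye. The sample log embeds the lines quoted above plus one constructed "status = 0" entry for contrast; the -18 meaning is the only FLEXnet code taken from the page, and any other code is reported as unknown.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the Debug Log excerpt quoted in the article (three
# timestamped entries plus the FLEXnet continuation lines of the first one),
# followed by one constructed healthy entry that is NOT from the article.
SAMPLE_LOG = """\
201011281302.44 319459559 ns | :A1-1 (014):MAIN (00) | BASE license checkout user [123456789:d42ae974-db43-f463-f296-3d74f960f00c -> gU9EWe4Aqu/kwvE2ORhnyqPar+dCDK6bIljLkOswszg=] FAIL: -18 License server system does not support this feature.
License path: firstname.lastname@example.org:
FLEXnet Licensing error:-18,147. System Error: 2 "No such file or directory"
For further information, refer to the FLEXnet Licensing documentation,
available at "www.acresso.com".
201011281302.44 319532049 ns | :A1-1 (014):DISPATCH (02) | received license response
201011281302.44 319543761 ns | :A1-1 (014):LOGIN (12) | license response received: status = -18, context = 124
201011281305.10 319600000 ns | :A1-2 (015):LOGIN (12) | license response received: status = 0, context = 125
"""

# "<timestamp> <ns> ns | :<session> (<seq>):<MODULE> (<level>) | <message>"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{12}\.\d{2})\s+(?P<ns>\d+)\s+ns\s+\|\s*"
    r":(?P<session>\S+)\s+\((?P<seq>\d+)\):(?P<module>[A-Z]+)\s+\((?P<level>\d+)\)\s+\|\s*"
    r"(?P<msg>.*)$"
)
CHECKOUT_FAIL_RE = re.compile(r"license checkout .*?FAIL:\s*(-\d+)")
STATUS_RE = re.compile(r"status\s*=\s*(-?\d+)")

# FLEXnet code shown in the article; anything else is reported as unknown.
FLEXNET_CODES = {-18: "License server system does not support this feature"}


@dataclass
class Entry:
    timestamp: str
    session: str
    module: str
    message: str


@dataclass
class LicenseFailure:
    timestamp: str
    module: str
    code: int
    reason: str


def parse_debug_log(text: str) -> List[Entry]:
    """Split the log into entries; untimestamped lines continue the previous entry."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw)
        if m:
            entries.append(Entry(m["ts"], m["session"], m["module"], m["msg"]))
        elif entries and raw.strip():
            # e.g. the "License path:" and "FLEXnet Licensing error:" lines
            entries[-1].message += "\n" + raw
    return entries


def find_license_failures(text: str) -> List[LicenseFailure]:
    """Return one finding per entry that reports a failed checkout or non-zero status."""
    failures: List[LicenseFailure] = []
    for e in parse_debug_log(text):
        code: Optional[int] = None
        m = CHECKOUT_FAIL_RE.search(e.message)
        if m:
            code = int(m.group(1))
        else:
            s = STATUS_RE.search(e.message)
            if s and int(s.group(1)) != 0:
                code = int(s.group(1))
        if code is not None:
            reason = FLEXNET_CODES.get(code, "unknown FLEXnet error code")
            failures.append(LicenseFailure(e.timestamp, e.module, code, reason))
    return failures


if __name__ == "__main__":
    for f in find_license_failures(SAMPLE_LOG):
        print(f"{f.timestamp} {f.module}: code {f.code} ({f.reason})")
```

Run it over a saved Debug Log by reading the file into `find_license_failures`; two findings with code -18 (one from MAIN, one from LOGIN) for a single logon attempt is the signature of the missing-platform-license case described above.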
Within development and test environments, the most likely source of a security certificate for a web service is from a private Microsoft Windows Certificate Server. In this environment, there is one at 192.168.1.83 (mycertserver).
Below are the steps necessary to install a new certificate onto the Access Gateway.
- Create a Certificate Request and give it a Common Name (other than tokfw.eng.citrite.net). In a standard Deskside Lab environment, the Common Name would be the FQDN of the router that is forwarding client network traffic to the Access Gateway.
- Use Copy to extract the certificate request data (paste it into Notepad).
- Use Microsoft Certificate Services to Request a Certificate.
- Click Advanced Certificate Request.
- Submit a certificate request by using a base-64-encoded file.
- Paste the certificate request data (previously saved to Notepad) into your Microsoft Certificate Request page.
- Set the Certificate Template to Web Server.
- Download the Base 64 certificate and save it.
- Restart the certificate request page and click Download a CA certificate… Download it in Base 64 format.
Note: You also need a CA certificate in DER format to install on your XenDesktop controller.
- Import (server/pem) your new certificates, and make the Server Certificate active.
Note: The CA root certificate has been installed so that the traffic between the Access Gateway and the DDC can be secured. However, in subsequent steps of this document, this traffic was not secured.
This document assumes that you want to authenticate your users at the Access Gateway, rather than at the Web Interface.
Authenticating at the Access Gateway and then passing the users' credentials down to the Web Interface for single sign-on is known to work on XenDesktop 4 and XenDesktop 5. However, there is an issue with XenDesktop 5, meaning that credentials are not correctly passed from Access Gateway Standard Edition to the XenDesktop Controller. Because of this, authentication should be done at the Web Interface rather than at the Access Gateway.
OneBug – 25393
In this example, the users are being authenticated using Active Directory.
Administrator DN CN=Administrator,CN=Users,DC=phony,DC=com
Base DN CN=Users,DC=phony,DC=com
Although greater functionality can be achieved by using a SmartAccess Logon Point, this document describes the simplified Basic Logon Point.
Type = Basic
Web Interface = http://192.168.42.21/Citrix/XenAppCAG
Authentication profile = the one created above
Single sign-on to WebInterface = Yes
XenApp or XenDesktop – ICA Access Control List
Define a range of IP addresses to which the Access Gateway allows access. These are the IP addresses of your Virtual Desktop Agents (VDA).
In this example, all the VDAs have a Dynamic Host Configuration Protocol (DHCP) allocated address in this range.
In this example, ICA and Session reliability are allowed.
Secure Ticket Authority
Typically, your Secure Ticket Authority is located in your Desktop Delivery Controller (DDC).
- Add a Certificate Authority (CA) certificate to the Trusted Root Certificate Authorities store of your Web Interface server.
- [To secure traffic between the Access Gateway and the Web Interface, you may add a Web Server certificate to your Web Interface server, but this is strictly optional for the purposes of this document.]
- Add the following line to the hosts file on your DDC.
192.168.2.2 FQDN of your Access Gateway (also the Common Name in Access Gateway certificate)
Address (FQDN) = FQDN of the Access Gateway (also the Common Name of the Access Gateway’s certificate, and the name you have just put in your hosts file).
- Type the URL of the Secure Ticket Authority in the following format:
The XXXXXX is typically the IP address or FQDN of your XenDesktop Controller (DDC).
- Make sure that this is the same as the one entered into the Access Gateway configuration. See the example configuration above.
Identify which XenDesktop and XenApp farms you wish to access through this Web Interface.
Note: The names used in the image above are out of date.
The Authentication Service URL is https://YYYYYY/CitrixAuthService/AuthService.asmx (it must use https).
The YYYYYY is the FQDN of your Access Gateway / router (also the Common Name in Access Gateway certificate).
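The Web Interface steps above, like the certificate steps earlier, depend on one name appearing identically in several places: the gateway FQDN as the certificate Common Name, the hosts-file entry on the DDC, the Access Gateway address in the Web Interface, the host in the https Authentication Service URL, and the same Secure Ticket Authority on both the gateway and the Web Interface. As an added example (my code, not the article's), the following Python checks those for agreement before you try a logon. The FQDN ag.phony.com, the DDC host ddc.phony.com, the hosts-file excerpt, the certificate subject string and the STA URL path are constructed placeholders; 192.168.2.2 and the AuthService path are the article's values.

```python
from ipaddress import ip_address
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed placeholders (not from the article) except for 192.168.2.2,
# which is the gateway address the article uses.
GATEWAY_FQDN = "ag.phony.com"
GATEWAY_IP = "192.168.2.2"
DDC_HOST = "ddc.phony.com"  # host running the Secure Ticket Authority

HOSTS_FILE = """\
# constructed hosts file excerpt from the DDC
127.0.0.1       localhost
192.168.2.2     ag.phony.com
"""

# Subject DN of the gateway's server certificate (constructed).
CERT_SUBJECT = "CN=ag.phony.com, O=Deskside Lab"

# Web Interface site settings. The STA path is my assumption; the
# AuthService path is the one the article gives.
WI_SETTINGS = {
    "access_gateway_address": "ag.phony.com",
    "sta_url": "http://ddc.phony.com/scripts/ctxsta.dll",
    "auth_service_url": "https://ag.phony.com/CitrixAuthService/AuthService.asmx",
}
AUTH_SERVICE_PATH = "/CitrixAuthService/AuthService.asmx"


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each host name in a hosts file to its address (names lower-cased)."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        ip_address(addr)  # raises ValueError on a malformed address
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def subject_cn(dn: str) -> str:
    """Return the CN attribute of an 'attr=value, attr=value' subject string."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    raise ValueError("subject has no CN")


def check_gateway_wi_config(gateway_fqdn: str, gateway_ip: str, hosts_text: str,
                            cert_subject: str, wi: Dict[str, str],
                            sta_host: str) -> List[str]:
    """Return the list of mismatches; an empty list means the names agree."""
    findings: List[str] = []
    fqdn = gateway_fqdn.lower()

    # 1. The DDC's hosts file must resolve the gateway FQDN to the gateway IP.
    if parse_hosts(hosts_text).get(fqdn) != gateway_ip:
        findings.append(f"hosts file does not map {fqdn} to {gateway_ip}")

    # 2. The server certificate's CN must be that same FQDN.
    cn = subject_cn(cert_subject).lower()
    if cn != fqdn:
        findings.append(f"certificate CN {cn!r} does not match gateway FQDN {fqdn!r}")

    # 3. The Web Interface must name the gateway by the same FQDN.
    if wi["access_gateway_address"].lower() != fqdn:
        findings.append("Web Interface Access Gateway address differs from gateway FQDN")

    # 4. The Authentication Service URL must be https and point at the gateway.
    auth = urlsplit(wi["auth_service_url"])
    if auth.scheme != "https":
        findings.append("Authentication Service URL must use https")
    if (auth.hostname or "") != fqdn:
        findings.append("Authentication Service URL host differs from gateway FQDN")
    if auth.path != AUTH_SERVICE_PATH:
        findings.append(f"Authentication Service URL path should be {AUTH_SERVICE_PATH}")

    # 5. The STA configured in Web Interface must be the one the gateway uses.
    sta = urlsplit(wi["sta_url"])
    if (sta.hostname or "") != sta_host.lower():
        findings.append("Secure Ticket Authority host differs from the gateway's STA")
    return findings


if __name__ == "__main__":
    result = check_gateway_wi_config(GATEWAY_FQDN, GATEWAY_IP, HOSTS_FILE,
                                     CERT_SUBJECT, WI_SETTINGS, DDC_HOST)
    for line in result or ["all names consistent"]:
        print(line)
```

Feed it the real hosts file, the certificate subject as reported by the Access Gateway certificate page, and the values typed into the Web Interface site; each finding names the one place that disagrees, which is usually quicker than working backwards from a failed logon.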