Standard Edition
325-1631
Copyright and Trademark Notice
Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. A printable
copy of the End User License Agreement is included on your product CD-ROM.
Information in this document is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.
© 2005 - 2006 Citrix Systems, Inc. All rights reserved.
Citrix, ICA (Independent Computing Architecture), and Program Neighborhood are registered trademarks, and SpeedScreen
and Citrix Access Gateway are trademarks of Citrix Systems, Inc. in the United States and other countries.
RSA © 1996-1997 RSA Security Inc., All Rights Reserved.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org).
Win32 Client: Portions of this software are based on code owned and copyrighted by O'Reilly Media, Inc. 1998. (CJKV
Information Processing, by Ken Lunde. ISBN: 1565922247.) All rights reserved.
Licensing: Portions of this documentation that relate to Globetrotter, Macrovision, and FLEXlm are copyright © 2005
Macrovision Corporation. All rights reserved.
Trademark Acknowledgements
Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or
other countries.
Apple, LaserWriter, Mac, Macintosh, Mac OS, and Power Mac are registered trademarks or trademarks of Apple Computer Inc.
Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
Solaris is a registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc has not tested or approved this product.
Portions of this software are based in part on the work of the Independent JPEG Group.
Portions of this software contain imaging code owned and copyrighted by Pegasus Imaging Corporation, Tampa, FL. All rights
reserved.
Microsoft, MS-DOS, Windows, Windows Media, Windows Server, Windows NT, Win32, Outlook, ActiveX, Active Directory,
and DirectShow are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
UNIX is a registered trademark of The Open Group.
Licensing: Globetrotter, Macrovision, and FLEXlm are trademarks and/or registered trademarks of Macrovision Corporation.
All other trademarks and registered trademarks are the property of their respective owners.
Document Code: October 16, 2007 (KW)
Contents
Chapter 1 Introduction
How to Use this Guide
Getting Service and Support
Subscription Advantage
Knowledge Center Watches
Education and Training
Related Documentation
Introduction
This chapter describes who should read Getting Started with Citrix Access
Gateway and related documentation.
Before installing the Access Gateway, review the Access Gateway Standard
Edition Pre-Installation Checklist. The checklist provides a single place to record
the necessary information for successfully setting up the Access Gateway.
Subscription Advantage
Your product includes a one-year membership in the Subscription Advantage
program. The Citrix Subscription Advantage program gives you an easy way to
stay current with the latest software version and information for your Citrix
products. Not only do you get automatic access to download the latest feature
releases, software upgrades, and enhancements that become available during the
term of your membership, you also get priority access to important Citrix
technology information.
You can find more information on the Citrix Web site at http://www.citrix.com/
services/ (select Subscription Advantage). You can also contact your sales
representative, Citrix Customer Care, or a member of the Citrix Solutions
Advisors program for more information.
Related Documentation
For additional information about the Access Gateway, refer to these documents:
• Access Gateway Standard Edition Administrator’s Guide
• Access Gateway Standard Edition Pre-Installation Checklist
• Access Gateway Standard Edition, Version 4.5.5 Readme
For additional information about Access Gateway Advanced Edition, refer to
these documents:
• Access Gateway Advanced Edition Administrator’s Guide
• Access Gateway Advanced Edition Upgrade Guide
• Readme for Citrix Access Gateway Advanced Edition, Version 4.5
8 Getting Started with Citrix Access Gateway Standard Edition
CHAPTER 2
Citrix Access Gateway is a universal SSL virtual private network (VPN) that
provides secure, always on, single-point-of-access to any information resource. It
combines the best features of IP Security (IPSec) and typical SSL VPNs —
without the costly and cumbersome implementation and management — to make
access easy for users, secure for the company, and low cost for IT administrators.
Key features include:
• Supports most applications and protocols, including Voice over IP
• Industry standard encryption that secures and protects information with
SSL/TLS encryption
• Desk-like access provides users with the same network and application
access as if they were physically connected to the network
• Integrated endpoint security provides a combination of logon time and
continuous real-time monitoring to ensure that the device is safe to remain
connected to the network
• Integration with Citrix Presentation Server providing secure gateway
functionality and support for applications that are published in a server
farm
• Integration with Access Gateway Advanced Edition using the Advanced
Access Control software providing secure, single-point access to any
enterprise resource, including email, applications, network file services,
Internet and intranet sites, and documents.
Load balancing distributes user connections across Access Gateway appliances.
The load balancer checks the Access Gateway appliances that are installed
behind it and then sends each connection to the appliance that has the least
load and best response time, which makes more effective use of the Access
Gateway.
Caution: When you select Advanced Access Control for managing Access
Gateway global settings, the corresponding settings in the Administration Tool
are deactivated. If you configured these settings with the Administration Tool
before selecting Advanced Access Control, you must configure these settings
again using the Access Management Console. For more information about
configuring these settings in the console, see the Access Gateway Advanced
Edition Administrator’s Guide.
1. On the Access Gateway Cluster tab, open an Access Gateway window and
click the Advanced Options tab.
2. Do one of the following:
• If the Access Gateway is going to be configured using the
Administration Tool, select The Administration Tool and then click
Submit.
• If the Access Gateway is going to be configured using the Access
Management Console, select Advanced Access Control. Continue
with Steps 3 through 7.
3. In Server running Advanced Access Control, type the IP address or
FQDN of the server that is running Advanced Access Control.
4. To encrypt communication between the Access Gateway and the server
running Advanced Access Control, select Secure server communication.
5. Click Submit.
The server or servers that are configured to connect to the Access Gateway are
listed in Servers Running Advanced Access Control. To remove a server from
the list, select the server and then click Remove.
Note: When the Access Gateway is deployed with Access Gateway Advanced
Edition, the appliance is the only component that can be in the DMZ and
communicating with the access server farm. No version of the Secure Gateway
works with Access Gateway Advanced Edition.
CHAPTER 3
Note: The Access Gateway requires the use of static IP addresses and does not
support Dynamic Host Configuration Protocol (DHCP).
Chapter 3 Installing the Access Gateway for the First Time 19
Access Gateway connection options using a cross-over cable, a network switch, or a serial
cable and terminal emulation
Note: Citrix recommends using both network adapters on the appliance. After
configuring the TCP/IP settings for Interface 0, use the Administration Tool to
configure TCP/IP settings for Interface 1.
The serial console provides the following options for configuring the Access
Gateway:
• [0] Express Setup configures the TCP/IP settings for Interface 0 on the
Access Gateway Cluster > General Networking tab
• [1] Ping is used to ping other network devices to check for connectivity
• [2] Link Modes is used to set the duplex mode and speed mode for
Interface 0 on the Access Gateway Cluster > General Networking tab
• [3] External Administration Port enables or disables connections to the
Administration Tool from a remote computer
• [4] Display Log displays the Access Gateway log
• [5] Reset Certificate resets the certificate to the default certificate that
comes with the Access Gateway
• [6] Change Administrative Password allows you to change the default
administrator password of rootadmin
1. Connect the serial cable to the 9-pin serial port on the Access Gateway and
connect the cable to a computer that is capable of running terminal
emulation software.
2. On the computer, start a terminal emulation application such as
HyperTerminal.
3. Set the serial connection to 9600 bits per second, 8 data bits, no parity, 1
stop bit. Hardware flow control is optional.
4. Turn on the Access Gateway. The serial console appears on the computer
terminal after about three minutes. If using HyperTerminal, press Enter.
5. On the serial console, enter the default administrator credentials. The user
name is root and the password is rootadmin.
6. To set the IP address and subnet mask and the default gateway device for
Interface 0, type 0 and press Enter to choose Express Setup. After you
respond to the prompts, the information you entered appears. To commit
your changes, type y; the Access Gateway restarts.
7. To verify that the Access Gateway can ping a connected network device,
type 1 and enter the IP address of the device.
8. Remove the serial cable and connect the Access Gateway using either a
cross-over cable to a Windows computer or a network cable to a network
switch and then turn on the Access Gateway.
Additional Access Gateway settings are configured using the Administration
Tool.
Important: The FQDN must match what is on the digital certificate and
the license for the Access Gateway.
The default setting is auto. You can also select 10 Mbps, 100 Mbps, or
1000 Mbps.
11. In Maximum Transmission Unit (MTU), select the maximum
transmission unit that defines the maximum size of the transmitted packet.
The default setting is 1500.
12. In Port, select the incoming port that is used for connections. The default is
443.
13. To configure a default gateway, in IP address type the IP address of the
gateway. In Interface, select the network adapter on the Access Gateway
with which the Default Gateway communicates.
The IP address is the default gateway device, such as the main router,
firewall, or server load balancers, depending on your network
configuration. This should be the same as the Default Gateway setting that
is on computers on the same subnet.
After you configure your network settings on the Access Gateway, restart the
appliance.
Note: You do not need to restart the Access Gateway until you complete all
configuration steps. These include configuring network access for the appliance
and installing certificates and licenses. For more information, see the Access
Gateway Standard Edition Administrator’s Guide.
After the initial TCP/IP settings are configured on the Access Gateway,
configure the appliance for your network environment. This chapter discusses
the administrative tools you can use to configure the Access Gateway, how to
install licenses, and how to create user connections. For information
about configuring other settings, see the Access Gateway Standard Edition
Administrator’s Guide.
Note: If you are upgrading from a previous version of the Access Gateway,
uninstall the Administration Tool before installing a new version. To uninstall the
Administration Tool, use Add or Remove Programs in Control Panel.
Installing Licenses
This section discusses how to obtain and install the licenses for the Access
Gateway.
Chapter 4 Configuring Basic Settings 27
Note: If you cannot locate either of these items, contact Citrix Customer Care.
• The FQDN of the Access Gateway. The entry field for this name on
MyCitrix is case-sensitive so ensure that you copy the FQDN exactly as it
appears on the Access Gateway Cluster > General Networking tab.
• How many licenses you want to include in the license file. You do not
have to download all of the licenses you are entitled to at once. For
example, if your company purchases 100 licenses, you can choose to
download 50. At a later date, you can allocate some or all of the rest in
another license file. Multiple licenses can be installed on the Access
Gateway.
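The guide requires the appliance FQDN to match both the digital certificate and the license, and notes that the license entry field is case-sensitive. The following added example (not Citrix code) checks the three values for agreement before a license file is requested; it assumes standard TLS host name matching for the certificate, and all host names are constructed sample values.

```python
"""Added example: one FQDN must agree across appliance, certificate, license.
All host names below are constructed sample values."""
from typing import List


def cert_name_matches(fqdn: str, pattern: str) -> bool:
    """Standard TLS host name matching (assumed, not appliance-specific):
    case-insensitive, and '*' stands for exactly one left-most label."""
    host = fqdn.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Require at least two fixed labels so '*.com' never matches.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def check_fqdn(configured: str, cert_names: List[str],
               license_fqdn: str) -> List[str]:
    """Return a list of problems; an empty list means all three agree."""
    problems = []
    if "." not in configured.strip("."):
        problems.append("configured name is not fully qualified")
    if not any(cert_name_matches(configured, n) for n in cert_names):
        problems.append("certificate does not cover " + configured)
    # The license entry field is case-sensitive, so compare exactly.
    if license_fqdn != configured:
        if license_fqdn.lower() == configured.lower():
            problems.append("license FQDN differs only in letter case")
        else:
            problems.append("license FQDN does not match " + configured)
    return problems


if __name__ == "__main__":
    # Constructed case: the wildcard certificate is fine, but the license
    # name was typed with different capitalisation.
    for problem in check_fqdn("vpn.example.com", ["*.example.com"],
                              "VPN.example.com"):
        print(problem)
```
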
1. In the Administration Tool, click the Access Gateway Cluster tab and open
the window for the Access Gateway.
2. Click the Licensing tab.
3. Select Use this appliance as the license server.
4. Next to Install a license file, click Browse. Navigate to the license file and
then click Open.
5. Click Submit after the license file is uploaded to the Access Gateway.
Important: Citrix recommends that you retain a local copy of all license files
that you receive. When you save a backup copy of the configuration file, all
uploaded license files are included in the backup. If you need to reinstall the
Access Gateway server software and do not have a backup of the configuration,
you will need the original license files.
1. On the Access Gateway Cluster tab, open a window for an appliance that
is not the license server.
2. Click the Licensing tab.
3. Select Use a different appliance as the license server.
4. In FQDN or IP address, type the FQDN or IP address of the license server.
5. In Manager port and Vendor port, change the port numbers or leave the
defaults as 27000 and 27001.
6. Click Submit.
7. Repeat this procedure for each appliance in the cluster.
The manager port makes the initial contact from the remote Access Gateway and
passes it to the license server. Then, it passes communication from the manager
port to the vendor port. The vendor port runs on the license server and grants the
license using port number 27001. The port number can be changed depending on
your firewall configuration. Port 27001 also tracks the licenses that are checked
out and which Access Gateway is using them.
5. In a Web browser, type the address of the Access Gateway using either the
IP address or fully qualified domain name (FQDN) to connect to either the
internal or external interface. The format should be either https://ipaddress
or https://FQDN.
6. Type the logon credentials. The Access Gateway Secure Access page
appears.
7. Click My own computer and then click Connect.
The Secure Access Client connection icon appears in the notification area,
indicating a successful connection.
After completing the initial configuration, you can configure network access so
users can connect to all of your network resources, such as email, Web servers,
and file shares, as if they were in the office. For more information about
configuring network access, see the Access Gateway Standard Edition
Administrator’s Guide.
Configuring Firewalls
Configure your firewall so that the port is open for the external IP address of the
Access Gateway. The default port is 443.
For specific information about configuring your firewall, see the manufacturer’s
documentation.
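The firewall requirement above and the manager and vendor license ports described earlier can be checked against a rule set before deployment. The following added example (not Citrix code) audits a first-match rule list for the flows the guide names; the rule format, the addresses, and the assumption that a firewall sits between clustered appliances are all constructed for illustration.

```python
"""Added example: audit a firewall rule list against the flows this guide
needs. Rule format, addresses and names are constructed for illustration."""
import ipaddress
from typing import NamedTuple

SAMPLE_CLIENT = "198.51.100.7"  # constructed Internet client address


class Rule(NamedTuple):
    action: str  # "allow" or "deny"
    src: str     # source CIDR
    dst: str     # destination CIDR
    port: int    # TCP destination port, 0 means any


def first_match(rules, src_ip, dst_ip, port):
    """First-match-wins evaluation with an implicit default deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.port in (0, port)):
            return r.action
    return "deny"


def required_flows(external_ip, license_server, other_appliances,
                   https_port=443, manager_port=27000, vendor_port=27001):
    """Flows from the guide: users reach the external address on the
    incoming port; every other appliance reaches the license server on
    both the manager port and the vendor port (defaults shown)."""
    flows = [(SAMPLE_CLIENT, external_ip, https_port, "user logon")]
    for appliance in other_appliances:
        flows.append((appliance, license_server, manager_port, "license manager"))
        flows.append((appliance, license_server, vendor_port, "license vendor"))
    return flows


def audit(rules, flows):
    """Return the required flows that the rule set would block."""
    return [f for f in flows if first_match(rules, f[0], f[1], f[2]) != "allow"]


# Constructed rule set: the vendor port was forgotten, so that flow falls
# through to the default deny even though the manager port is open.
RULES = [
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", 443),
    Rule("allow", "10.0.1.0/24", "10.0.1.5/32", 27000),
]

if __name__ == "__main__":
    for flow in audit(RULES, required_flows("203.0.113.10", "10.0.1.5",
                                            ["10.0.1.6"])):
        print("blocked:", flow)
```
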
Third-Party Software
Citrix does not support the installation of third-party software on the Access
Gateway appliance.
CHAPTER 5
The Access Gateway Rack Mounting Kit is used to install the Access Gateway in
a four-post or two-post rack. This chapter describes installing the Access
Gateway in a rack for the Model 2000 and Model 2010 versions of the appliance.
Read this chapter in its entirety before you begin the installation.
Separating the rails and the mounting holes in the Access Gateway
1. Pull the fixed chassis rail (A) out as far as possible — you will hear a click
as a locking tab emerges from inside the rail assembly and locks the inner
rail.
2. Depress the locking tab to pull the inner rail completely out. Do this for
both the left and right side rack rail assemblies.
1. Position the fixed chassis rail sections (A) that you just removed along the
side of the appliance, making sure the five screw holes align. Note that the
right and left rails are specific.
2. Screw the rail securely to the side of the chassis, as illustrated below.
3. Repeat this procedure for the other rail on the other side of the chassis.
4. If you are installing the appliance in a two-post rack, also attach the rail
brackets.
1. Line up the rear of the chassis rails with the front of the rack rails.
2. Slide the chassis rails into the rack rails, keeping pressure even on both
sides. You may have to depress the locking tabs while inserting the Access
Gateway. Refer to the illustration below.
When the Access Gateway is pushed completely into the rack, you will hear
the locking tabs click.
3. Finish by inserting and tightening the thumbscrews that hold the front of
the Access Gateway to the rack.
1. Place the inner rack extensions on the side of the appliance aligning the
hooks of the appliance with the rail extension holes. Make sure the
extension faces outward just like the preattached inner rail.
2. Slide the extension toward the front of the chassis.
3. Secure the chassis with the two screws.
4. Repeat the above steps to mount the rack on the other side of the appliance.
Attaching the rail rack sections to the right side of the Access Gateway
Chapter 5 Installing the Access Gateway in a Rack 37
When the rails are attached to the Access Gateway, install the outer rails to the
rack.
1. Attach the short bracket to the outside of the long bracket. The pins must be
aligned with the slides. Both bracket ends must face the same direction.
2. Adjust both the short and long brackets to the correct distance so the rail fits
tightly into the rack.
3. Secure the long bracket to the front side of the outer rail with two M5
screws and the short bracket to the rear side of the outer rail with three M5
screws.
4. Repeat the above steps for the second rail.
1. Confirm that the Access Gateway appliance includes the inner rails (A) and
rail extensions (B). Confirm that the outer rails (C) are installed on the rack.
2. Line up the rails on the appliance (A and B) with the front of the rack rails
(C).
3. Slide the appliance rails into the rack rails, keeping the pressure even on
both sides. You might have to depress the locking tabs during insertion.
When the appliance is pushed completely into the rack, you should hear the
locking tabs click.
4. (Optional) Insert and tighten the thumbscrews that hold the front of the
appliance to the rack.