
Getting Started with Citrix Access Gateway

Standard Edition

Citrix Access Gateway™ 4.5.6


2000 Series

325-1631
Copyright and Trademark Notice
Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. A printable
copy of the End User License Agreement is included on your product CD-ROM.
Information in this document is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.
© 2005 - 2006 Citrix Systems, Inc. All rights reserved.
Citrix, ICA (Independent Computing Architecture), and Program Neighborhood are registered trademarks, and SpeedScreen
and Citrix Access Gateway are trademarks of Citrix Systems, Inc. in the United States and other countries.
RSA © 1996-1997 RSA Security Inc., All Rights Reserved.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org).
Win32 Client: Portions of this software are based on code owned and copyrighted by O'Reilly Media, Inc. 1998. (CJKV
Information Processing, by Ken Lunde. ISBN: 1565922247.) All rights reserved.
Licensing: Portions of this documentation that relate to Globetrotter, Macrovision, and FLEXlm are copyright © 2005
Macrovision Corporation. All rights reserved.
Trademark Acknowledgements
Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or
other countries.
Apple, LaserWriter, Mac, Macintosh, Mac OS, and Power Mac are registered trademarks or trademarks of Apple Computer Inc.
Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
Solaris is a registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc has not tested or approved this product.
Portions of this software are based in part on the work of the Independent JPEG Group.
Portions of this software contain imaging code owned and copyrighted by Pegasus Imaging Corporation, Tampa, FL. All rights
reserved.
Microsoft, MS-DOS, Windows, Windows Media, Windows Server, Windows NT, Win32, Outlook, ActiveX, Active Directory,
and DirectShow are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
UNIX is a registered trademark of The Open Group.
Licensing: Globetrotter, Macrovision, and FLEXlm are trademarks and/or registered trademarks of Macrovision Corporation.
All other trademarks and registered trademarks are the property of their respective owners.
Document Code: October 16, 2007 (KW)
Contents

Chapter 1 Introduction
How to Use this Guide
Getting Service and Support
Subscription Advantage
Knowledge Center Watches
Education and Training
Related Documentation

Chapter 2 Selecting an Access Gateway Deployment
Configuring Client Connections
Connecting using Secure Access Client
Connecting Using Citrix Presentation Server Clients
Connecting Using Kiosk Mode
Deploying the Access Gateway in the DMZ
Deploying the Access Gateway Behind a Load Balancer
Deploying the Access Gateway in a Double-Hop DMZ
Deploying the Access Gateway in the Secure Network
Deploying Access Gateway Advanced Edition

Chapter 3 Installing the Access Gateway for the First Time
Getting Ready to Install the Access Gateway
Materials and Information Needed for Installation
Setting Up the Access Gateway Hardware
Configuring TCP/IP Settings for the Access Gateway
Configuring TCP/IP Settings Using the Serial Console
Configuring TCP/IP Settings Using Network Cables
Installing Multiple Appliances in a Cluster

Chapter 4 Configuring Basic Settings
Configuring Settings Using the Administration Portal
Configuring Settings Using the Administration Tool
Installing Licenses
Obtaining Your License Files
Configuring Licenses for Multiple Appliances
Updating Existing Licenses
Testing Your License Installation
Configuring Firewalls
Third-Party Software

Chapter 5 Installing the Access Gateway in a Rack
Selecting a Location for the Access Gateway
Installing the Model 2000 in a Rack
Separating the Rail Sections for the Model 2000
Connecting the Chassis Rails to the Model 2000
Connecting the Rack Rails to the Rack
Installing the Model 2010 in a Rack
Identifying the Sections of the Rack Rails for the Model 2010
Installing the Model 2010 in a Four-Post Rack
Installing the Access Gateway in a Two-Post Rack
Chapter 1

Introduction

This chapter describes who should read Getting Started with Citrix Access
Gateway and related documentation.
Before installing the Access Gateway, review the Access Gateway Standard
Edition Pre-Installation Checklist. The checklist provides a single place to record
the necessary information for successfully setting up the Access Gateway.

How to Use this Guide


The instructions in this document are for deploying the Access Gateway as a
standalone network security appliance residing in the DMZ in your network. In
this deployment, users connect directly to the corporate network through Access
Gateway using the Secure Access Client. After the connection is established,
users can access resources on the secure network.
If your deployment includes Citrix Presentation Server, you can use the Access
Gateway as a replacement for the Secure Gateway. Users connect using Citrix
Presentation Server Clients to access published applications in a server farm. In
this scenario, the Secure Access Client is not used for user connections.
Deploying the Access Gateway with Presentation Server combines the benefits of
a hardened appliance-based network security solution with the functionality of
the Secure Gateway, increasing security and extending user access. For
information about replacing the Secure Gateway with the Access Gateway, see the
Access Gateway Standard Edition Administrator’s Guide.
This guide is intended for service technicians who install the Access Gateway and
for administrators who need to troubleshoot the Access Gateway hardware.

Getting Service and Support


Citrix provides technical support primarily through the Citrix Solutions Network
(CSN). Our CSN partners are trained and authorized to provide a high level of
support to our customers. Contact your supplier for first-line support or check for
your nearest CSN partner at http://www.citrix.com/support/.
In addition to the CSN channel program, Citrix offers a variety of self-service,
Web-based technical support tools from its Knowledge Center at
http://support.citrix.com/. Knowledge Center features include:
• A knowledge base containing thousands of technical solutions to support
your Citrix environment
• An online product documentation library
• Interactive support forums for every Citrix product
• Access to the latest hotfixes and service packs
• Security bulletins
• Online problem reporting and tracking (for users with valid support
contracts)
Another source of support, Citrix Preferred Support Services, provides a range of
options that allow you to customize the level and type of support for your
organization’s Citrix products.

Subscription Advantage
Your product includes a one-year membership in the Subscription Advantage
program. The Citrix Subscription Advantage program gives you an easy way to
stay current with the latest software version and information for your Citrix
products. Not only do you get automatic access to download the latest feature
releases, software upgrades, and enhancements that become available during the
term of your membership, you also get priority access to important Citrix
technology information.
You can find more information on the Citrix Web site at http://www.citrix.com/
services/ (select Subscription Advantage). You can also contact your sales
representative, Citrix Customer Care, or a member of the Citrix Solutions
Advisors program for more information.

Knowledge Center Watches


The Citrix Knowledge Center allows you to configure watches. A watch notifies
you if the topic you are interested in is updated. Watches allow you to stay
notified of updates to Knowledge Base or Forum content. You can set watches on
product categories, document types, individual documents, and on Forum product
categories and individual topics.
To set up a watch, log on to the Citrix Support Web site at
http://support.citrix.com. After you are logged on, in the upper right corner, click
My Watches and follow the instructions.

Education and Training


Citrix offers a variety of instructor-led training and Web-based training solutions.
Instructor-led courses are offered through Citrix Authorized Learning Centers
(CALCs). CALCs provide high-quality classroom learning using professional
courseware developed by Citrix. Many of these courses lead to certification.
Web-based training courses are available through CALCs, resellers, and from the
Citrix Web site.
Information about programs and courseware for Citrix training and certification is
available from http://www.citrix.com/edu/.

Related Documentation
For additional information about the Access Gateway, refer to these documents:
• Access Gateway Standard Edition Administrator’s Guide
• Access Gateway Standard Edition Pre-Installation Checklist
• Access Gateway Standard Edition, Version 4.5.5 Readme
For additional information about Access Gateway Advanced Edition, refer to
these documents:
• Access Gateway Advanced Edition Administrator’s Guide
• Access Gateway Advanced Edition Upgrade Guide
• Readme for Citrix Access Gateway Advanced Edition, Version 4.5
Chapter 2

Selecting an Access Gateway Deployment

Citrix Access Gateway is a universal SSL virtual private network (VPN) that
provides secure, always on, single-point-of-access to any information resource. It
combines the best features of IP Security (IPSec) and typical SSL VPNs —
without the costly and cumbersome implementation and management — to make
access easy for users, secure for the company, and low cost for IT administrators.
Key features include:
• Supports most applications and protocols, including Voice over IP
• Industry standard encryption that secures and protects information with
SSL/TLS encryption
• Desk-like access provides users with the same network and application
access as if they are physically connected to the network
• Integrated endpoint security provides a combination of logon time and
continuous real-time monitoring to ensure that the device is safe to remain
connected to the network
• Integration with Citrix Presentation Server providing secure gateway
functionality and support for applications that are published in a server
farm
• Integration with Access Gateway Advanced Edition using the Advanced
Access Control software providing secure, single-point access to any
enterprise resource, including email, applications, network file services,
Internet and intranet sites, and documents.

Note: For detailed information about Access Gateway configuration and
security considerations, including replacing the Secure Gateway with the Access
Gateway, see the Access Gateway Standard Edition Administrator’s Guide. If you
are using Access Gateway Advanced Edition, see the Access Gateway Advanced
Edition Administrator’s Guide.

The Access Gateway can be deployed in the following scenarios:


• As a standalone appliance in the DMZ
• Behind a server load balancer
• In a double-hop scenario where there are two DMZs with an appliance in
each DMZ
• In the corporate network behind a firewall
The Access Gateway can be seamlessly integrated into your existing network and
used with other Citrix products and components such as Advanced Access
Control in Access Gateway Advanced Edition, the Web Interface, and Citrix
Presentation Server. For detailed information about deployment options, see the
Access Gateway Standard Edition Administrator’s Guide.

Configuring Client Connections


The client software that users need to connect to corporate resources depends on
your Access Gateway deployment. The Secure Access Client is used for access to
resources such as file shares, email servers, and other network resources.
Citrix Presentation Server Clients are used for connections to published
applications in a server farm. For more information about client connections, see
the Access Gateway Standard Edition Administrator’s Guide.

Connecting using Secure Access Client


When a user connects to the default Web portal page of the Access Gateway and
logs on, net6helper.cab, an ActiveX control, is installed. This file provides three
main functions:
• It launches the client from the Web page, so users do not have to manually
download the executable and then launch the Secure Access Client.
• It performs preauthentication checks for the Web page.
• It provides single sign-on with Windows for the Secure Access Client.
When users log on to their computer, the Secure Access Client
automatically connects to the Access Gateway without entering their
credentials a second time.

Connecting Using Citrix Presentation Server Clients
Users can connect to the corporate network using Citrix Presentation Server
Clients to gain access to published applications in the server farm. Client
connections work the same way as in a Secure Gateway deployment. The only
difference is that the Secure Gateway is removed from the DMZ and is replaced
by the Access Gateway. For detailed information about replacing the Secure
Gateway, see the Access Gateway Standard Edition Administrator’s Guide.

Connecting Using Kiosk Mode


Users can connect to a corporate network using kiosk mode. When kiosk mode is
enabled, users log on by using a Web browser to connect to the Access Gateway.
When the connection is established, the kiosk window opens in the Web browser. Users are
able to use applications, such as Remote Desktop, instant messaging, and Telnet,
if the administrator has configured access to these applications. For more
information about kiosk mode, see the Access Gateway Standard Edition
Administrator’s Guide.

Deploying the Access Gateway in the DMZ


The Access Gateway is typically installed in the DMZ between the Internet and
private networks. Citrix recommends placing the Access Gateway in the DMZ for
increased security and protection of corporate resources.

Figure: Access Gateway located in the DMZ


When the Access Gateway is configured as a standalone appliance in the DMZ,
users connect using Secure Access Client or Citrix Presentation Server Clients to
access resources on the network.

Deploying the Access Gateway Behind a Load Balancer


Multiple Access Gateway appliances can be installed in the DMZ behind a load
balancer. When deploying multiple Access Gateway appliances behind a load
balancer, the certificate on each Access Gateway must have the same FQDN. The
load balancer must be able to persist SSL connections using source IP or SSL
session identifier (SSID). For more information about using certificates and load
balancers, see the Access Gateway Standard Edition Administrator’s Guide.

Load balancing provides a solution for balancing user connections to the Access
Gateway. The load balancer checks the Access Gateway appliances that are
installed behind the load balancer and then sends the connection to the appliance
that has the least load and best response time, providing more effective use of the
Access Gateway.

Figure: Access Gateway appliances deployed behind a server load balancer


Characteristics of this configuration include the following:
• Incoming Web traffic is intercepted by the server load balancer and load
balanced among multiple Access Gateways.
• Configure the settings to balance connections based on SSL session
identifiers (SSIDs). Load balancing based on source IP (Src IP) is also
supported.
• Configure the server load balancer with a virtual IP address so the external
fully qualified domain name (FQDN) is resolved using DNS.
Persistence is required when deploying the Access Gateway with a load balancer.
Since the Access Gateway must always terminate the SSL connection, all
subsequent network traffic after the initial connection from the client must go to
the same Access Gateway. This is achieved by using SSID or Src IP to maintain
the persistence of connections.

Deploying the Access Gateway in a Double-Hop DMZ


When the Access Gateway is deployed in a double-hop DMZ, clients connect
using Citrix Presentation Server Clients, which support both Windows and
non-Windows clients. When a double-hop DMZ is configured, the Secure Access
Client is not used. Only connections from Citrix Presentation Server Clients,
which use the ICA protocol, are supported. For details about configuring a
double-hop DMZ, see the Access Gateway Standard Edition Administrator’s
Guide.

Figure: Access Gateway deployed in a double-hop DMZ with the Web Interface

Deploying the Access Gateway in the Secure Network


When the Access Gateway is deployed in the secure network, connect one
interface on the Access Gateway to the Internet and the other interface to servers
running in the secure network. Putting the Access Gateway in the secure network
provides access for local and remote users; however, it is a less secure method for
users connecting from a remote location because there is only one firewall. While
the Access Gateway intercepts traffic from the Internet, this traffic is let into the
corporate network before authenticating users. When the Access Gateway is
deployed in a DMZ, users are authenticated before network traffic reaches the
secure network.

Figure: Access Gateway located inside the secure network

Deploying Access Gateway Advanced Edition


Citrix Access Gateway Advanced Edition is a product that consists of the
Access Gateway appliance and the Advanced Access Control software. If you
purchased the Access Gateway Advanced Edition, you can enable the Access
Gateway to communicate with the Advanced Access Control software and use
the Access Management Console to manage settings for the Access Gateway. Use
the Access Gateway Administration Tool to select Advanced Access Control to
manage settings for the gateway cluster(s). After you configure Advanced Access
Control, you can use the Administration Tool to manage appliance-specific
settings only.

Caution: When you select Advanced Access Control for managing Access
Gateway global settings, the corresponding settings in the Administration Tool
are deactivated. If you configured these settings with the Administration Tool
before selecting Advanced Access Control, you must configure these settings
again using the Access Management Console. For more information about
configuring these settings in the console, see the Access Gateway Advanced
Edition Administrator’s Guide.

If you disable administration using Advanced Access Control, settings in the
Access Management Console are deactivated and existing configuration values
are removed.

To enable Advanced Access Control

1. On the Access Gateway Cluster tab, open an Access Gateway window and
click the Advanced Options tab.
2. Do one of the following:
• If the Access Gateway is going to be configured using the
Administration Tool, select The Administration Tool and then click
Submit.
• If the Access Gateway is going to be configured using the Access
Management Console, select Advanced Access Control. Continue
with Steps 3 through 7.
3. In Server running Advanced Access Control, type the IP address or
FQDN of the server that is running Advanced Access Control.
4. To encrypt communication between the Access Gateway and the server
running Advanced Access Control, select Secure server communication.
5. Click Submit.
The server or servers that are configured to connect to the Access Gateway are
listed in Servers Running Advanced Access Control. To remove a server from
the list, select the server and then click Remove.

Note: When the Access Gateway is deployed with Access Gateway Advanced
Edition, the appliance is the only component that can be in the DMZ and
communicate with the access server farm. No version of the Secure Gateway
works with Access Gateway Advanced Edition.
Chapter 3

Installing the Access Gateway for the First Time

The Access Gateway installs in any network infrastructure without requiring
changes to the existing hardware or back-end software. It works with other
networking products such as server load balancers, cache engines, firewalls,
routers, and IEEE 802.11 wireless devices.
Citrix recommends installing the Access Gateway in the corporate demilitarized
zone (DMZ). When installed in the DMZ, the Access Gateway participates on
two networks: a private network and the Internet with a publicly routable IP
address. You can also use the Access Gateway to partition local area networks
internally in the organization for access control and security. You can create
partitions between wired or wireless networks and data and voice networks.
The following topics describe how to prepare for and perform the installation of
the Access Gateway:
• Getting Ready to Install the Access Gateway
• Setting Up the Access Gateway Hardware
• Configuring TCP/IP Settings for the Access Gateway

Getting Ready to Install the Access Gateway


To install the Access Gateway, verify that the contents of the box match the
packing list. If an item on the packing list is missing from the box, contact Citrix
Customer Care.
If you are installing the Access Gateway in a rack, see “Installing the Access
Gateway in a Rack” on page 31 for instructions.

Materials and Information Needed for Installation


Before installing the Access Gateway, collect materials for the initial
configuration and for the connection to your network.
For initial configuration, use one of the following setups:
• A cross-over cable and Windows computer
• Two network cables, a network switch, and a Windows computer
• A serial cable and a computer with terminal emulation software
For a connection to a local area network, use the following items:
• One network cable to connect the Access Gateway inside a firewall or to a
server load balancer
• Two network cables to connect the Access Gateway located in the
demilitarized zone (DMZ) to the Internet and secure network
Citrix recommends that you use the Access Gateway Standard Edition
Pre-Installation Checklist to collect the following network information for
appliances that are located in the secure network and in the DMZ:
• The Access Gateway internal IP address and subnet mask.
• The Access Gateway external IP address and subnet mask.
• The Access Gateway fully qualified domain name (FQDN) for network
address translation (NAT).
• The IP address of the default gateway device.
• The port to be used for connections. The default is 443.
Collect the following information if connecting the Access Gateway to a server
load balancer:
• The Access Gateway IP address and subnet mask.
• The settings of the server load balancer as the default gateway device (if
required). See the load balancer manufacturer’s documentation for more
information.
• The fully qualified domain name (FQDN) of the server load balancer to be
used as the external public address of the Access Gateway.
• The port to be used for connections. The default is 443.

Note: The Access Gateway requires the use of static IP addresses and does not
support Dynamic Host Configuration Protocol (DHCP).

Setting Up the Access Gateway Hardware


This section provides procedures for setting up the Access Gateway for the first
time. For more information about the materials and equipment needed to set up
the Access Gateway, see “Getting Ready to Install the Access Gateway” on page
17.

To physically connect the Access Gateway

1. Install the Access Gateway in a rack if it is rack-mounted.
For more information about installing the Access Gateway in a rack, see
“Installing the Access Gateway in a Rack” on page 31.
2. Connect the power cord to the AC power receptacle.
3. Connect either the serial cable to a Windows computer, a cross-over cable
to a Windows computer, or an RJ-45 network cable to a network switch and
the Access Gateway.
4. Configure the TCP/IP settings using the instructions in “Configuring
TCP/IP Settings for the Access Gateway” on page 19.

Configuring TCP/IP Settings for the Access Gateway


The preconfigured IP address of the Access Gateway is 10.20.30.40. You can
change the IP address using a serial cable and a terminal emulation program, or
by connecting the Access Gateway using network cables and the Administration
Tool.

Figure: Access Gateway connection options using a cross-over cable, a network
switch, or a serial cable and terminal emulation

Configuring TCP/IP Settings Using the Serial Console
You can use the serial console to set the IP address and subnet of the network
adapter that is called Interface 0, as well as the IP address of the default gateway
device. All other configuration must be done using the Administration Tool. You
can also use the serial console to test a connection with the ping command.
If you want to reach the Access Gateway through the serial console before
making any configuration settings, use a serial cable to connect the Access
Gateway to a computer that has terminal emulation software.

Note: Citrix recommends using both network adapters on the appliance. After
configuring the TCP/IP settings for Interface 0, use the Administration Tool to
configure TCP/IP settings for Interface 1.

The serial console provides the following options for configuring the Access
Gateway:
• [0] Express Setup configures the TCP/IP settings for Interface 0 on the
Access Gateway Cluster > General Networking tab
• [1] Ping is used to ping other network devices to check for connectivity
• [2] Link Modes is used to set the duplex mode and speed mode for
Interface 0 on the Access Gateway Cluster > General Networking tab
• [3] External Administration Port enables or disables connections to the
Administration Tool from a remote computer
• [4] Display Log displays the Access Gateway log
• [5] Reset Certificate resets the certificate to the default certificate that
comes with the Access Gateway
• [6] Change Administrative Password allows you to change the default
administrator password of rootadmin

Important: Citrix recommends changing the administrator password before
connecting the Access Gateway to your network. The new password can be six to
127 characters long and cannot begin or end with a space.

• [7] Help displays help information
• [8] Log Out logs off of the Access Gateway
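
A pre-flight check for the values collected on the pre-installation checklist and for the administrator password rule stated above, as an added example that is not part of the Citrix guide or tooling. The preconfigured address, default password, default port and password length limits are the ones this guide states; the dictionary keys, finding codes and sample plans are constructed for the example.

```python
import ipaddress
import re

# Values stated in the guide.
FACTORY_IP = ipaddress.IPv4Address("10.20.30.40")  # preconfigured appliance address
FACTORY_PASSWORD = "rootadmin"                     # default administrator password
DEFAULT_PORT = 443                                 # default port for connections
PASSWORD_MIN, PASSWORD_MAX = 6, 127                # allowed password length

# Hostname label syntax (letters, digits, inner hyphens); an assumption of this example.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_password(password):
    """Return finding codes for a proposed administrator password."""
    codes = []
    if password == FACTORY_PASSWORD:
        codes.append("DEFAULT_PASSWORD")
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        codes.append("PASSWORD_LENGTH")
    if password.startswith(" ") or password.endswith(" "):
        codes.append("PASSWORD_EDGE_SPACE")
    return codes


def check_fqdn(fqdn):
    """Return finding codes for the external FQDN (needs at least two valid labels)."""
    labels = fqdn.rstrip(".").split(".")
    valid = len(fqdn) <= 253 and len(labels) >= 2 and all(LABEL_RE.match(x) for x in labels)
    return [] if valid else ["FQDN_SYNTAX"]


def check_plan(plan):
    """Validate a checklist dict; return a sorted list of finding codes (empty = pass)."""
    codes, ifaces = [], []
    for name in ("internal", "external"):
        tag = name.upper()
        try:
            # Static address plus dotted subnet mask, e.g. 192.0.2.10/255.255.255.0.
            iface = ipaddress.IPv4Interface(f"{plan[name + '_ip']}/{plan[name + '_mask']}")
        except (KeyError, ValueError):
            codes.append(f"{tag}_ADDRESS_INVALID")
            continue
        net = iface.network
        if iface.ip == FACTORY_IP:
            codes.append(f"{tag}_STILL_FACTORY_IP")
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            codes.append(f"{tag}_NOT_A_HOST_ADDRESS")
        ifaces.append(iface)

    # Assumption of this example: the two adapters face different networks,
    # so their subnets should not overlap.
    if len(ifaces) == 2 and ifaces[0].network.overlaps(ifaces[1].network):
        codes.append("INTERFACES_SHARE_SUBNET")

    try:
        gateway = ipaddress.IPv4Address(plan["default_gateway"])
    except (KeyError, ValueError):
        codes.append("GATEWAY_INVALID")
    else:
        # The default gateway device must sit on a subnet an interface is attached to.
        if ifaces and not any(gateway in i.network for i in ifaces):
            codes.append("GATEWAY_OFF_SUBNET")

    port = plan.get("port", DEFAULT_PORT)
    if not (isinstance(port, int) and 1 <= port <= 65535):
        codes.append("PORT_INVALID")

    codes += check_fqdn(plan.get("external_fqdn", ""))
    codes += check_password(plan.get("admin_password", FACTORY_PASSWORD))
    return sorted(codes)


# Constructed sample plans (documentation address ranges and example.com).
DRAFT_PLAN = {
    "internal_ip": "10.20.30.40", "internal_mask": "255.255.255.0",
    "external_ip": "198.51.100.10", "external_mask": "255.255.255.0",
    "default_gateway": "203.0.113.1",
    "external_fqdn": "gateway",
    "admin_password": "rootadmin",
}
GOOD_PLAN = {
    "internal_ip": "192.0.2.10", "internal_mask": "255.255.255.0",
    "external_ip": "198.51.100.10", "external_mask": "255.255.255.0",
    "default_gateway": "198.51.100.1",
    "external_fqdn": "vpn.example.com",
    "port": 443,
    "admin_password": "N0t-the-default",
}

if __name__ == "__main__":
    for label, plan in (("draft", DRAFT_PLAN), ("good", GOOD_PLAN)):
        print(label, check_plan(plan) or "no findings")
```
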

To configure TCP/IP settings using the serial cable

1. Connect the serial cable to the 9-pin serial port on the Access Gateway and
connect the cable to a computer that is capable of running terminal
emulation software.
2. On the computer, start a terminal emulation application such as
HyperTerminal.

Note: HyperTerminal is not automatically installed on Windows 2000
Server or Windows Server 2003. To install HyperTerminal, use Add or
Remove Programs in Control Panel.

3. Set the serial connection to 9600 bits per second, 8 data bits, no parity, 1
stop bit. Hardware flow control is optional.
4. Turn on the Access Gateway. The serial console appears on the computer
terminal after about three minutes. If using HyperTerminal, press Enter.
5. On the serial console, enter the default administrator credentials. The user
name is root and the password is rootadmin.
6. To set the IP address and subnet mask and the default gateway device for
Interface 0, type 0 and press Enter to choose Express Setup. After you
respond to the prompts, the information you entered appears. To commit
your changes, type y; the Access Gateway restarts.
7. To verify that the Access Gateway can ping a connected network device,
type 1 and enter the IP address of the device.
8. Remove the serial cable and connect the Access Gateway using either a
cross-over cable to a Windows computer or a network cable to a network
switch and then turn on the Access Gateway.
Additional Access Gateway settings are configured using the Administration
Tool.

Configuring TCP/IP Settings Using Network Cables
The Access Gateway has two network adapters installed. One network adapter
communicates with the Internet and client computers that are not inside the
corporate network. The other network adapter communicates with the internal
network.

Citrix recommends that both network adapters be configured for maximum
security. If only one network adapter is used, it has to be routable for internal
resources using Network Address Translation (NAT). Also, if only one network
adapter is used, throughput is cut in half and a traffic bottleneck might occur.
You can install the Access Gateway and configure TCP/IP settings using network
cables, such as two RJ-45 network cables, or cross-over cables. The RJ-45 cables
are connected to a network switch and to the Access Gateway. The cross-over
cables are connected to a Windows computer and the Access Gateway.

To configure TCP/IP settings using network cables

1. Power on the Access Gateway.
After about three minutes, the Access Gateway is ready for its initial
configuration with your network.
2. Open a Web browser and type https://10.20.30.40:9001 to open the
Administration Portal. Use the default user name and password of root and
rootadmin.
3. On the Downloads tab, under Access Gateway Administration Tool, click
Install the Access Gateway Administration Tool.
Follow the prompts to install the Administration Tool.
4. Log on to the Administration Tool using the default user name and
password.
5. On the Access Gateway Cluster tab, open the window for the Access
Gateway.
6. On the General Networking tab, under Interface 0 and Interface 1, next
to IP Address, type the new IP addresses of the appliance.
Citrix recommends selecting Use both interfaces.
7. In Subnet mask, enter the subnet mask that is appropriate for the IP
address entered for the interface(s).
8. In External FQDN, type the fully qualified domain name.

Important: The FQDN must match what is on the digital certificate and
the license for the Access Gateway.

9. In Duplex Mode select the direction of the transmission data.
The default setting is auto. You can also select full duplex or half duplex.
10. In Speed Mode select the network speed of the adapter.
The default setting is auto. You can also select 10 Mbps, 100 Mbps, or
1000 Mbps.
11. In Maximum Transmission Unit (MTU), select the maximum
transmission unit that defines the maximum size of the transmitted packet.
The default setting is 1500.
12. In Port select the incoming port that is used for connections. The default is
443.
13. To configure a default gateway, in IP address type the IP address of the
gateway. In Interface, select the network adapter on the Access Gateway
with which the Default Gateway communicates.
The IP address is the default gateway device, such as the main router,
firewall, or server load balancers, depending on your network
configuration. This should be the same as the Default Gateway setting that
is on computers on the same subnet.
After you configure your network settings on the Access Gateway, restart the
appliance.

Note: You do not need to restart the Access Gateway until you complete all
configuration steps. These include configuring network access for the appliance
and installing certificates and licenses. For more information, see the Access
Gateway Standard Edition Administrator’s Guide.

To restart the Access Gateway

1. In the Administration Tool, click the Access Gateway Cluster tab.
2. On the Administration tab, next to Restart the appliance, click Restart.
-or-
Click the Action menu and click Restart appliance name, where appliance
name is the name of the Access Gateway.
You can also restart the Access Gateway from the Administration Portal.

To restart the Access Gateway from the Administration Portal

1. In the Administration Portal, click Maintenance.
2. Next to Restart the Server, click Restart.
When the appliance is restarted, the computer loses the connection to the Access
Gateway.

Installing Multiple Appliances in a Cluster


You can install multiple Access Gateway appliances into your network and
configure the appliances to operate together as a cluster. When the appliances
operate as a cluster, the settings that control user access to the internal network
resources are identical on each Access Gateway in the cluster. A user can connect
to any Access Gateway in the cluster and receive the same access privileges to the
internal network resources.
If you are installing additional Access Gateway appliances in your network, use
the procedures above to configure the initial TCP/IP settings for each appliance.
Each appliance in the cluster needs its own certificate with a unique FQDN.

To add additional appliances to the network

1. On the Access Gateway Cluster tab, under Add an Access Gateway to
the Cluster, next to FQDN, type the FQDN of the new appliance.
2. Click Add.
The newly added Access Gateway appears as a new dialog box in the pane. After
the appliance is added to the cluster, you can publish the settings from the main
appliance.
For more information about certificates, licensing, and adding appliances to the
cluster, see the Access Gateway Standard Edition Administrator’s Guide.
Chapter 4

Configuring Basic Settings

When you have the initial TCP/IP settings configured on the Access Gateway,
you then need to configure the appliance for your network environment. This
chapter discusses the administrative tools you can use to configure the Access
Gateway, installing licenses, and creating user connections. For information
about configuring other settings, see the Access Gateway Standard Edition
Administrator’s Guide.

Configuring Settings Using the Administration Portal


The Administration Portal allows you to make basic configuration changes. On
the Administration Portal, you can:
• Change the administrator password
• Upload licenses
• Download documentation
• Download logon page templates
• Download a sample email for end users
• View Access Gateway logs
• Upload certificates
• Upload a saved configuration or a software upgrade
• Save the Access Gateway configuration
• Restart and shut down the Access Gateway

To open the Administration Portal

1. From a Web browser, type https://AccessGatewayFQDN:9001, where
AccessGatewayFQDN is the host name of the appliance and 9001 is the
administration port.
2. If a digital certificate signed by a Certificate Authority is not installed on
the Access Gateway, a security alert dialog box appears. Click Yes.
If you see a Security Warning dialog box, click Yes to download the
required ActiveX Helper client.
3. When prompted, enter root for user name and rootadmin for password.
The Administration Portal appears.
For more information about using the Administration Portal, see the Access
Gateway Standard Edition Administrator’s Guide.

Configuring Settings Using the Administration Tool


Most of the settings for the Access Gateway can be configured using the
Administration Tool. The Administration Tool is installed on a Windows
computer in the secure network and makes it easy for you to configure network
settings, authentication, users, and group policies. When complete, settings can
be published to all the appliances in the cluster.
The Administration Tool is installed from the Administration Portal.

To install the Administration Tool

1. In the Administration Portal, click Downloads.
2. Under Access Gateway Administration Tool, click Install the Access
Gateway Administration Tool.
3. To open the Administration Tool, on the desktop, double-click the icon.

Note: If you are upgrading from a previous version of the Access Gateway,
uninstall the Administration Tool before installing a new version. To uninstall the
Administration Tool, use Add or Remove Programs in Control Panel.

Installing Licenses
This section discusses how to obtain and install the licenses for the Access
Gateway.

Obtaining Your License Files


After you install the Access Gateway, you are ready to obtain your license files
from Citrix. This process involves going to http://www.mycitrix.com/ to access
your available licenses and generating a license file. When the license file is
generated, download it to the computer where the Administration Tool is
installed. After the license file is on the computer, you can upload it to the Access
Gateway.
Before going to the Citrix Web site, you need the following information:
• The license code. You can find the code on the Access Gateway CD, in an
email you receive from Citrix, or from the Subscription Advantage
Management-Renewal-Information system (SAMRI).
• Your user ID and password for MyCitrix. You can register for this
password on MyCitrix.

Note: If you cannot locate either of these items, contact Citrix Customer Care.

• The FQDN of the Access Gateway. The entry field for this name on
MyCitrix is case-sensitive so ensure that you copy the FQDN exactly as it
appears on the Access Gateway Cluster > General Networking tab.
• How many licenses you want to include in the license file. You do not
have to download all of the licenses you are entitled to at once. For
example, if your company purchases 100 licenses, you can choose to
download 50. At a later date, you can allocate some or all of the rest in
another license file. Multiple licenses can be installed on the Access
Gateway.
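
The FQDN requirements above (the External FQDN must match the digital certificate and the license, and the MyCitrix entry field is case-sensitive) can be checked before anything is uploaded. The following Python check is an added example, not Citrix code; the host name vpn.example.com, the sample certificate, and all function names are assumptions made for illustration.

```python
import socket
import ssl

# Constructed sample certificate in the dict form returned by
# ssl.SSLSocket.getpeercert(); vpn.example.com is a hypothetical FQDN.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"),),
}


def cert_names(cert):
    """DNS names a certificate covers: SAN entries, else the commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, fqdn):
    """Case-insensitive DNS match; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = fqdn.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_fqdn(external_fqdn, cert, license_fqdn):
    """Compare the External FQDN with the certificate and the license entry.

    Returns a list of problems; an empty list means all three agree.
    The license comparison is exact because the MyCitrix field is
    case-sensitive, while certificate matching follows DNS rules.
    """
    problems = []
    names = cert_names(cert)
    if not any(name_matches(n, external_fqdn) for n in names):
        problems.append(
            f"certificate names {names} do not cover {external_fqdn}")
    if license_fqdn != external_fqdn:
        if license_fqdn.lower() == external_fqdn.lower():
            problems.append(
                "license FQDN differs from External FQDN only in letter case")
        else:
            problems.append(
                f"license FQDN {license_fqdn} does not match {external_fqdn}")
    return problems


def fetch_verified_cert(fqdn, port=443, timeout=5.0):
    """Fetch the certificate from a live appliance with full verification.

    Raises ssl.SSLError (SSLCertVerificationError when the chain is not
    signed by a trusted Certificate Authority or the name does not match),
    which is the condition behind the browser's security alert.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration using the constructed sample certificate.
    for lic in ("vpn.example.com", "VPN.example.com"):
        print(lic, "->", check_fqdn("vpn.example.com", SAMPLE_CERT, lic) or "OK")
```

In a cluster, run the check once per appliance, because each appliance needs its own certificate with a unique FQDN.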

To obtain your license file

1. From a Web browser, go to http://www.mycitrix.com/.
2. Enter your user name and password.
If this is the first time you are logging onto the site, you are asked for
additional background information.
3. Select Licensing > Citrix Activation System > Activate or Allocate
Licenses.
4. Follow the process to obtain your license file.
After you successfully download the license file to your computer, you can install
it on the Access Gateway.

To install a license on the Access Gateway

1. In the Administration Tool, click the Access Gateway Cluster tab and open
the window for the Access Gateway.
2. Click the Licensing tab.
3. Select Use this appliance as the license server.
4. Next to Install a license file, click Browse. Navigate to the license file and
then click Open.
5. Click Submit after the license file is uploaded to the Access Gateway.

Important: Citrix recommends that you retain a local copy of all license files
that you receive. When you save a backup copy of the configuration file, all
uploaded license files are included in the backup. If you need to reinstall the
Access Gateway server software and do not have a backup of the configuration,
you will need the original license files.

Configuring Licenses for Multiple Appliances


If you have installed multiple appliances, select one Access Gateway to be the
license server. Install the licenses on one Access Gateway, which then becomes
the license server. The other appliances obtain their licenses from this Access
Gateway. The other appliances on your network do not have to be a part of a
cluster to connect to the license server and obtain a license. License allocation
occurs for appliances regardless of individual status in the network.

To obtain licenses from the license server

1. On the Access Gateway Cluster tab, open a window for an appliance that
is not the license server.
2. Click the Licensing tab.
3. Select Use a different appliance as the license server.
4. In FQDN or IP address, type the FQDN or IP address of the license server.
5. In Manager port and Vendor port, change the port numbers or leave the
defaults as 27000 and 27001.
6. Click Submit.
7. Repeat this procedure for each appliance in the cluster.

The manager port makes the initial contact from the remote Access Gateway and
passes it to the license server. Then, it passes communication from the manager
port to the vendor port. The vendor port runs on the license server and grants the
license using port number 27001. The port number can be changed depending on
your firewall configuration. Port 27001 also tracks the licenses that are checked
out and which Access Gateway is using them.

Updating Existing Licenses


If you are a current Subscription Advantage member, you can exchange or
migrate your existing Access Gateway licenses to update your license files.
Migrating licenses involves the following steps:
• Migrate existing licenses through MyCitrix.com
• Download a new license file
• Copy the new license file to the license server

Testing Your License Installation


To test that licensing is configured correctly, create a test user and then log on
using the Secure Access Client and credentials that you set up for the user.

To test your configuration

1. Open the Administration Tool.
2. Click the Access Policy Manager tab.
3. Right-click the Local Users folder in the left pane and click New User.
4. In the New User dialog box, in User Name, type a user name. In Password
and Verify Password, type the same password in each field and click OK.

Note: Users who are configured on the Access Gateway are
automatically part of the Default user group.

5. In a Web browser, type the address of the Access Gateway using either the
IP address or fully qualified domain name (FQDN) to connect to either the
internal or external interface. The format should be either https://ipaddress
or https://FQDN.
6. Type the logon credentials. The Access Gateway Secure Access page
appears.
7. Click My own computer and then click Connect.
The Secure Access Client connection icon appears in the notification area,
indicating a successful connection.
After completing the initial configuration, you can configure network access so
users can connect to all of your network resources, such as email, Web servers,
and file shares as if users are in the office. For more information about
configuring network access, see the Access Gateway Standard Edition
Administrator’s Guide.

Configuring Firewalls
Configure your firewall so that the port is open for the external IP address of the
Access Gateway. The default port is 443.
For specific information about configuring your firewall, see the manufacturer’s
documentation.

Third-Party Software
Citrix does not support the installation of third-party software on the Access
Gateway appliance.
Chapter 5

Installing the Access Gateway in a Rack

The Access Gateway Rack Mounting Kit is used to install the Access Gateway in
a four-post or two-post rack. This chapter describes installing the Access
Gateway in a rack for the Model 2000 and Model 2010 versions of the appliance.
Read this chapter in its entirety before you begin the installation.

Selecting a Location for the Access Gateway


When selecting where to put the Access Gateway, consider the following:
• If you are installing the Model 2000, leave enough clearance in front of the
rack to enable you to open the front bezel completely
• Leave approximately 30 inches of clearance in the back of the rack to allow
for sufficient airflow and easy servicing
• Install the Access Gateway in a restricted area, such as a dedicated lab or
service closet
• Ground the rack to ensure that a reliable ground is maintained at all times

Installing the Model 2000 in a Rack


The rack-mounting kit for the Model 2000 includes two sets of rail assemblies,
two rail mounting brackets, and the mounting screws that you need to install the
system into the rack. Follow the steps in the order given to complete the
installation process in a minimum amount of time.
This section discusses how to install the Access Gateway Model 2000 in a rack. It
includes:
• Separating the Rail Sections for the Model 2000
• Connecting the Chassis Rails to the Model 2000
• Connecting the Rack Rails to the Rack

Separating the Rail Sections for the Model 2000


Each of the rail assemblies consists of two sections: an inner fixed chassis rail that
secures to the Access Gateway (A) and an outer fixed rack rail that secures
directly to the rack itself (B), as illustrated below. A sliding rail guide sandwiched
between the two should remain attached to the fixed rack rail.

Separating the rails and the mounting holes in the Access Gateway

To separate rails A and B

1. Pull the fixed chassis rail (A) out as far as possible — you will hear a click
as a locking tab emerges from inside the rail assembly and locks the inner
rail.
2. Depress the locking tab to pull the inner rail completely out. Do this for
both the left and right side rack rail assemblies.

Connecting the Chassis Rails to the Model 2000


Both chassis rails have a locking tab that serves two functions. The first function is
to lock the Access Gateway into place when installed and pushed fully into the
rack, which is its normal position. The second function is to lock the appliance in
place when the rail is fully extended from the rack. This prevents the appliance
from coming out of the rack when you pull it out for servicing.

To connect the chassis rails to the Access Gateway

1. Position the fixed chassis rail sections (A) that you just removed along the
side of the appliance, making sure the five screw holes align. Note that the
right and left rails are specific.
2. Screw the rail securely to the side of the chassis, as illustrated below.
3. Repeat this procedure for the other rail on the other side of the chassis.
4. If you are installing the appliance in a two-post rack, also attach the rail
brackets.

Connecting the rails to the Model 2000 Access Gateway

Connecting the Rack Rails to the Rack


Determine where you want to place the Access Gateway in the rack. Position the
fixed rack rail/sliding rail guide assemblies (B) at the desired location in the rack.
Screw the assembly securely to the rack using the brackets provided. Attach the
other assembly to the other side of the rack, making sure that both are at the same
height and the rail guides are facing inward.
You now have the rails attached to both the Access Gateway and the rack unit.
The next step is to install the Access Gateway in the rack.

To install the Model 2000 in a four-post rack

1. Line up the rear of the chassis rails with the front of the rack rails.
2. Slide the chassis rails into the rack rails, keeping pressure even on both
sides. You may have to depress the locking tabs while inserting the Access
Gateway. Refer to the illustration below.
When the Access Gateway is pushed completely into the rack, you will hear
the locking tabs click.
3. Finish by inserting and tightening the thumbscrews that hold the front of
the Access Gateway to the rack.

Inserting the Model 2000 Access Gateway in a four-post rack

Installing the Model 2010 in a Rack


This section discusses installing the Model 2010 in a rack. It includes:
• Identifying the Sections of the Rack Rails for the Model 2010
• Installing the Model 2010 in a Four-Post Rack

Identifying the Sections of the Rack Rails for the Model 2010

The Model 2010 is delivered with a set of inner rails in two sections: inner rails
and inner rail extensions. The inner rails are attached to the appliance and do not
interfere with normal use of the appliance if you choose not to install the Access
Gateway in a rack. Attach the inner rail extension to stabilize the appliance within
the rack.

Access Gateway Model 2010 rails



Installing the Model 2010 in a Four-Post Rack


The steps for installing the Model 2010 in a four-post rack are:
• Installing the inner rail extensions on the appliance
• Installing the outer rails to the rack
• Installing the Access Gateway in the rack

To install the inner rail extension

1. Place the inner rack extensions on the side of the appliance aligning the
hooks of the appliance with the rail extension holes. Make sure the
extension faces outward just like the preattached inner rail.
2. Slide the extension toward the front of the chassis.
3. Secure the chassis with the two screws.
4. Repeat the above steps to mount the rack on the other side of the appliance.

Attaching the rail rack sections to the right side of the Access Gateway

When the rails are attached to the Access Gateway, install the outer rails to the
rack.

To install the outer rails to the rack

1. Attach the short bracket to the outside of the long bracket. The pins must be
aligned with the slides. Both bracket ends must face the same direction.
2. Adjust both the short and long brackets to the correct distance so the rail fits
tightly into the rack.
3. Secure the long bracket to the front side of the outer rail with two M5
screws and the short bracket to the rear side of the outer rail with three M5
screws.
4. Repeat the above steps for the second rail.

Assembling the outer rails to the rack



Installing the outer rails to the server rack


When the rails are installed in the rack, install the Access Gateway.

To install the Access Gateway in the rack

1. Confirm that the Access Gateway appliance includes the inner rails (A) and
rail extensions (B). Confirm that the outer rails (C) are installed on the rack.
2. Line up the rails on the appliance (A and B) with the front of the rack rails
(C).
3. Slide the appliance rails into the rack rails, keeping the pressure even on
both sides. You might have to depress the locking tabs during insertion.
When the appliance is pushed completely into the rack, you should hear the
locking tabs click.
4. (Optional) Insert and tighten the thumbscrews that hold the front of the
appliance to the rack.

Installing the Access Gateway into the rack



Installing the Access Gateway in a Two-Post Rack


If you are installing the appliance in a two-post (Telco) rack, follow the directions
given on the previous pages for rack installation. The only difference in the
installation procedure is the positioning of the rack brackets to the rack. Space
them apart just enough to accommodate the width of the Telco rack, as illustrated
below.

Installing the Access Gateway in a two-post (Telco) rack

