
Verisign Certificate Necessary for CSG?


netadminTO

IS-IT--Management
Feb 21, 2003
46
US
I am trying to deploy a CSG in my environment - complete rookie at this but trying! Please disregard any silly questions, I really am out to lunch with this stuff! This was a project thrown at me with a VERY short timeline.

I have a Windows 2003 server running Secure Gateway and Web Interface on the same hardware in the DMZ. I also have a 2003 server running STA on the LAN with port 443 opened from the firewall. I have generated a certificate through Administrative Tools on the server, however, it is my understanding that this will only work if you purchase a valid SSL certificate from i.e. Verisign (even though I was told otherwise). I can hit this server no problem from the outside world, but cannot login and/or authenticate. The web server can ping/resolve the STA server and picks up the certificate, but does not seem to communicate. I get the "authority server specified cannot be contacted" message.

The Web server has an external IP address which can be hit, but I also have a 192.168.X.X NAT policy on our firewall set up to hit this server in the DMZ.

My questions are:
1. If I only want to publish applications on the Web using a Citrix MetaFrame XP server, what specifically needs to be installed on what server?
2. Is the Logon Agent Configuration necessary if you're not running a Secure Access Manager Enterprise environment? Is there another way of authenticating applications?
3. Lastly, any help would be greatly appreciated!


N.A.TO
 
First - get your SSL certs from InstantSSL. $49 and works fine for CSG (but make sure to add root certificates from InstantSSL to all your farm servers).

1. Web Interface and CSG on the server in the DMZ. SSL cert goes here. STA on one or more of your Farm servers. SSL cert optional here if you want SSL between the CSG and the STA.

2. No logon agent for farm access. Only if you use Secure access manager.

3. There is documentation on putting the Web Interface and CSG on the same server. Trick is to bind 2 IP addresses to that server - one for IIS and one for CSG. Then find the document that describes how to keep IIS and CSG listening only on their own respective IPs.

A thorough read of the CSG admin manual is essential.

R.Sobelman
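The advice above to add the issuing CA's root certificates to every farm server can be checked per machine. This is an added example, not part of the thread or of any Citrix documentation: it builds the certificate chain on the machine where it runs and reports `UntrustedRoot` when the issuer is not in that machine's trusted root store. The name `csg.example.test` and the in-memory self-signed certificate are constructed sample input; it assumes PowerShell 7, or Windows PowerShell 5.1 with .NET Framework 4.7.2 or later.

```powershell
# Added example: report whether THIS machine trusts a given certificate, and why not.
function Test-CertificateTrust {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Revocation lookups need network access; skip them so the check runs offline.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    try {
        $trusted = $chain.Build($Certificate)
        [pscustomobject]@{
            Subject  = $Certificate.Subject
            Issuer   = $Certificate.Issuer
            Trusted  = $trusted
            # Status flags such as UntrustedRoot or PartialChain explain a failure.
            Problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            # Subjects of every certificate the chain builder could locate.
            Chain    = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        }
    }
    finally {
        $chain.Dispose()
    }
}

# Constructed sample: a self-signed certificate for the made-up name
# csg.example.test, standing in for a certificate generated locally on a server.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=csg.example.test',
    $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$now = [DateTimeOffset]::UtcNow
$selfSigned = $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(30))

Test-CertificateTrust -Certificate $selfSigned | Format-List

# To check an exported server certificate instead (placeholder path):
# $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('C:\path\to\server.cer')
# Test-CertificateTrust -Certificate $cert | Format-List
```

Run it on each machine that has to trust the certificate, since the result depends on that machine's own root store.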
 
Microsoft Certificate Server certificates work too.

Arguably the best cat skinner around!

Cheers
Scott
 
If you are using CSG 2.0 then you do not need any "tricks" to install the secure gateway component and web interface on the same box. The easiest configuration has Secure gateway listening to the Internet on port 443 and redirecting HTTPS requests to your local Web Interface server and ICA traffic to your internal LAN. In this configuration Web Interface does not listen directly to the Internet.

Also, because you only use one IP address externally, you can get away with just one certificate, and one NAT/firewall rule.

The original Citrix Guru...
 