Citrix Secure Gateway with Citrix XenDesktop 5

January 31, 2011



Ok I have been working on this for some time having learned and gained certification in XenDesktop 4 along came version 5 which was released last month.

Since then I have been working to deploy Xendesktop 5 in a small environment with only 2 virtual machines, first thing was to learn the new concepts in XD5 to understand their relationship to XD4. I then began to deploy the required components and got it up and running internally however my main issue to tackle was providing external access which proved  a hassle. The following is what I did to successfully implement external access .

Citrix Secure Gatway

Ok there are different ways of implementing external access notably for one of our clients we used NATing to achieve this, this is not the most ideal way as it required alot of configuration and generally is more time consuming, find out how to do this here 

NATing option basically maps the internal IP of the XD server to an external IP, the problem arises when launching a ICA session as it has to map to an internal virtual desktop which obviously does not carry a public IP.  This is overcome by using port forwarding to the internal IP of the desired desktop, port forwarding is done for all virtual machines and thus is not the best way to implement external access for a large environment. This is where CSG (Citrix Secure Gateay) comes into play.

Citrix have the Access Gateway appliance which is a hardware version of CSG this of course is the preferred way to implement external secure access however in my scenario I am running XD in a small environment and thus it would not be feasible to invest in this appliance.

Step 1 – Obtaining a third part SSL Certificate 

Ok from reading around I learnt that an SSL certificate was required to implement CSG initially i thought that these were paid for certificates however with some searching I came across Once registering with them one is able to generate a free SSL certificate which can be used in conjunction with the given domain name. Following are steps to generate a SSL cert

1) Set up the chosen domain name (
2) In startSSL control panel , validate domain name
3) Email is sent to postmaster of the domain and with activation code in email one can validate the domain
4) Generate certificate request in IIS manager on the given server
5) In startSSL control panel use the wizard to generate a certificate and in there paste the code outputted from the requet in step 4
6) startSSL will then output certificate code which is saved as a .pkt file.
7) Certificcate is now ready to be used for secure access  time for configuring SSL.

Step 2 – Trying to implement CSG on the Controller server along with Web Interface

This proved to be a big hassle mainly because I have to configure CSG to use port 443 as it will manage https:// traffic I could not get it to use port 443 as the configuration stage kept complaining it was in use by another process.

I investigated this further and ran the command netstat -am to show all the processes and what ports were being listened to on the server. In the end using the PID ID I managed to identify the the NT Kernal and System process was using port 443. I searched google frantically and even went on the forums to ask around but no one seemed to be able to help me many assumed that IIS (Internet Information Services) was using this port. I then attempted to use port 444 for CSG but it I could still not get it to direct to the login page and also I did not want users to enter :444 in the address.

Step 3 – Created a new server for Web Interface and CSG

Since port 443 was in use and since I did not know for the love of me what was using it I decided to simply copy my existing vm server and then sysprep the copied server to use as a dedicated webserver for xendesktop.  I read somewhere on citrix forums that a user unintilled the DDC and port 443 was free so I assumed that since DDC would not be on the server the port would be free and as i suspected the port was free.

I then configured CSG to use port 443 and in WI console reconfigured the xedesktop site secure access to use gateway direct on port 443. I also changed XML settings to point to the controller sever so that WI can initiate a ICA connection. Ill summarise things to remember in bullet points below

  • CSG act as DMZ and manages connections between virtual desktops and external world 
  • Secure Ticket Authority is the server that holds the controller 
  • IIS must not be configured to use port 443 use port 444 if binding with https 
  • You can use IIS default site and no need to create a new site in IIS 
  • PNAgent site is the site used by idevices (ipod, ipad) – make sure to configure using  gateway direct
  • SSL Cert must be installed on the controller server and WI/CSG server
  • CSG manges ica connections

Here is a Network Architecture Diagram of the environment

Useful Links:
Citrix Thread regarding configuring WI with CSG – The user Sam helped be greatly here and with his expertise I was abale to get this working.
How to Configure XenDesktop behind Network Address Translation

, , ,

About mohamedridha

Network Systems Engineer with focus on Wireless LAN Infrastructure and Security. Interests in Middle East

View all posts by mohamedridha


Subscribe to our RSS feed and social profiles to receive updates.

6 Comments on “Citrix Secure Gateway with Citrix XenDesktop 5”

  1. Kyle Woodbury Says:

    to free up port 443 on the DDC use the following command:
    C:\Program Files\Citrix\Broker\Service>BrokerService.exe -wisslport 1000


  2. Alternative Energy System Says:

    Just desire to say your article is as amazing. The clarity in your post
    is just nice and i could assume you’re an expert on this subject.
    Well with your permission let me to grab your feed to keep updated with forthcoming post.
    Thanks a million and please continue the gratifying work.


  3. small business Says:

    It’s an amazing article in support of all the web people; they will
    take benefit from it I am sure.


  4. music in movies Says:

    Hello just wanted to give you a quick heads up and let you know
    a few of the pictures aren’t loading correctly. I’m not sure why but I think its
    a linking issue. I’ve tried it in two different browsers and both show the same results.


  5. newest social media technology trends Says:

    As a result, iif a private employer fires aan employee because of thhe employee’s speech, there is noo First Amendment violation. There are quality training courses
    if you’re completely new to help you build up a good social media strategy to make things much easier.
    It is hard to believe that social media did not even exist 6 years ago, but this iss only goees tto prove thee rapid
    growth and evolution of social media as a business tool.



  1. Citrix XenApp 6.5 – Overview integration with XenDesktop 5 | mohamedridha - November 2, 2011

    […] implemented XenDesktop 5 in our small environment see here I then set out to complement the xendesktop environment with XenApp the main reasons are why this […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: