Jump to content


XenApp 6.5 Web Interface, Secure Gateway and firewall DMZ

Started by Mark Binnington , 06 October 2011 - 12:24 PM
6 replies to this topic

Mark Binnington Members

Mark Binnington
  • 14 posts

Posted 06 October 2011 - 12:24 PM

Can anyone give me any recommendations on Web Interface and Secure Gateway placement?

I have two XenApp 6.5 servers and a Web Interface 5.4 server on our LAN and a Secure Gateway server in the DMZ. The DMZ uses private IP addresses which are NAT'd through to the real world for external access to the gateway.

My problem is that I can't figure out what access method I should set under secure access on the web server. Direct access works fine if I open a browser and access the web interface from the Secure Gateway server itself. If I understand it correctly then I need to use 'Gateway translated' but I'll be bu**ered if I can figure what needs translating where.

Can anyone recommend an easier, but still secure, way of laying all this out or point me in the direction of something that explains it in words of one syllable or less?

Cheers in advance

Michael Love Members

Michael Love
  • 532 posts

Posted 06 October 2011 - 12:40 PM

I don't do a lot with CSG (or the other ICA Proxy stuff), so hopefully I get this correct.

With CSG in place you don't need to have translations for each XenApp server in place. The CSG acts as a proxy for remote connections in which all traffic to and from the outside travels through the CSG. So you need only permit HTTPS/443 (or HTTP/80 if you don't want SSL) access from the Internet to the DMZ interface of the CSG. You'll then want to permit 80 (or whatever port your XML Brokers are listening over...perhaps 8080), 1494, and maybe 2598 from the private interface of your DMZ to your XenApp servers.

The Web Interface configuration I believe should be set to Secure Gateway Direct in this scenario.

Mark Binnington Members

Mark Binnington
  • 14 posts

Posted 06 October 2011 - 01:01 PM

The direct access method works when I'm trying it from the CSG itself but it doesn't work from outside. I get 'There is no Citrix Xenapp server configured on the specified address.' If I download and open with notepad the ICA file for an app the server address is given as a XenApp server's LAN address rather than the CSG's address.
If I select one of the Gateway based access methods then the address is encrypted and I can't tell what's given to the client.

I always assumed that the CSG is sort of proxying access to the web interface so internet based clients don't need to know about the web interface server. And the web interface is kinda proxying access to the apps themselves so neither the CSG or internet based clients need to know anything about the XenApp servers.


Mark Binnington Members

Mark Binnington
  • 14 posts

Posted 12 October 2011 - 12:47 PM

Never mind, I've sorted it.

Ben Grimm Members

Ben Grimm
  • 1 posts

Posted 16 October 2011 - 09:41 PM

Could you please tell me what you did? I'm having the exact same issue and I'm dying to figure this out. Thank you!

Mark Binnington Members

Mark Binnington
  • 14 posts

Posted 19 October 2011 - 09:37 AM

I changed the web site's access method to Gateway Translated. On the address translation page I added the server's physical address as the 'Internal Address' and the address the real world sees it on as the 'External Address'. You need to put the ports in here too which is annoying seeing as they're the same inside and outside the firewall.

I also realised that I'd not set the port properly in the Secure Ticket Authority Settings page as I'd changed it from the default of 80 to 8080. Mine now has two URLs in there looking like this: 'http://myserver1.here.net:8080/scripts/ctxsta.dll'.

Hope this helps.


  • 5 posts

Posted 09 April 2014 - 03:47 AM

Mark Binington, 


"I changed the web site's access method to Gateway Translated."


this was the solution for me.