Tuesday 20 September 2011

How to Configure Citrix Access Gateway Advanced Edition in a Double-Hop DMZ Configuration

Summary
This article describes how to configure Citrix Access Gateway 4.5 Advanced Edition in a double-hop DMZ configuration using Citrix Access Gateway 4.6.x appliances.

Requirements
Two Citrix Access Gateway 4.6.x appliances
One Citrix Advanced Access Control

Make sure to open the necessary ports across all firewalls to ensure successful communication between the Access Gateway appliances, Advanced Access Control and the XenApp farm. As a reference, use the following diagram:

Important:
  • For the Advanced Access Control Notification Port (9005), the firewall rule must be an outbound ACL from the Advanced Access Control server to the Access Gateway Proxy, not a bi-directional rule.
  • If securing the traffic across both Access Gateway appliances and Advanced Access Control, make sure to install the corresponding root / intermediate certificate(s) on each appliance so that the trust chain can be validated.
  • The Access Gateway Plugin (VPN) does not work in a double-hop configuration.
  • Remember to use HOST entries on the Access Gateway appliance if the name resolution port is blocked at any of the DMZ zones.
  • For this article, Citrix Access Gateway 4.6.3 and Citrix Advanced Access Control 4.5 Hotfix 5 were used.
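The firewall notes above are easy to get wrong when rules are written by hand, in particular the requirement that port 9005 be permitted outbound only from the Advanced Access Control server to the Access Gateway Proxy. The following Python script is an added example, not Citrix code, that models only the flows this article names (SOCKS 1080 or SOCKS over SSL 443 from the first hop to the proxy, and the 9005 notification flow from Advanced Access Control to the proxy) and audits a candidate rule set against them, flagging a bi-directional 9005 rule. The host addresses and the rule representation are constructed placeholders; flows to the XenApp farm and name resolution are not modelled because the article gives no port numbers for them.

```python
"""Firewall rule audit for the double-hop DMZ flows named in the article.

Added example (not Citrix code). It models only the flows the article states:
SOCKS (1080) or SOCKS over SSL (443) from the first-hop appliance to the
Access Gateway Proxy, and the Advanced Access Control notification flow on
TCP 9005, which must be allowed outbound from Advanced Access Control to the
proxy only. Host addresses below are constructed placeholders.
"""
from dataclasses import dataclass

AAC_NOTIFY_PORT = 9005
SOCKS_PORT = 1080
SOCKS_SSL_PORT = 443


@dataclass(frozen=True)
class Rule:
    """One permit rule: src -> dst on a TCP port. bidirectional means the
    firewall also lets dst initiate connections back to src on that port."""
    src: str
    dst: str
    port: int
    bidirectional: bool = False


def required_rules(first_hop, proxy, aac, socks_over_ssl=True):
    """Rules the article requires between the two hops and the AAC server."""
    hop_port = SOCKS_SSL_PORT if socks_over_ssl else SOCKS_PORT
    return [
        Rule(first_hop, proxy, hop_port),    # first hop -> second hop (proxy)
        Rule(aac, proxy, AAC_NOTIFY_PORT),   # AAC -> proxy, outbound only
    ]


def _permits(rules, src, dst, port):
    """True if some rule lets src initiate a connection to dst:port."""
    for r in rules:
        if r.port != port:
            continue
        if r.src == src and r.dst == dst:
            return True
        if r.bidirectional and r.src == dst and r.dst == src:
            return True
    return False


def audit(rules, first_hop, proxy, aac, socks_over_ssl=True):
    """Return a list of findings; an empty list means the rule set matches."""
    findings = []
    for need in required_rules(first_hop, proxy, aac, socks_over_ssl):
        if not _permits(rules, need.src, need.dst, need.port):
            findings.append(f"missing: {need.src} -> {need.dst}:{need.port}")
    # The 9005 rule must be outbound only: the proxy must never be able to
    # initiate a connection to the AAC server on that port.
    if _permits(rules, proxy, aac, AAC_NOTIFY_PORT):
        findings.append(f"9005 must be outbound-only from {aac} to {proxy}; "
                        "remove the reverse/bidirectional permit")
    return findings


if __name__ == "__main__":
    # Constructed sample addresses (the 10.12.37.x ones follow the article's trace).
    FIRST_HOP, PROXY, AAC = "192.0.2.10", "10.12.37.231", "10.12.37.173"
    bad = [Rule(FIRST_HOP, PROXY, 443), Rule(AAC, PROXY, 9005, bidirectional=True)]
    good = [Rule(FIRST_HOP, PROXY, 443), Rule(AAC, PROXY, 9005)]
    for name, rules in (("bad", bad), ("good", good)):
        print(name, audit(rules, FIRST_HOP, PROXY, AAC) or "OK")
```

Run it as-is to see the bi-directional 9005 rule reported as a finding while the corrected set passes; swap `socks_over_ssl=False` into the `audit` call if the hops use plain SOCKS on 1080.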
Procedure
From Citrix Access Gateway 4.6.x Proxy
  1. Open the Citrix Access Gateway Administration Tool > General Networking > DMZ Configuration and select Second hop in double DMZ.

  2. Click on Configure and select which protocol to use – SOCKS (port 1080) or SOCKS over SSL (port 443).
  3. Select Advanced Access Control.
  4. Enter the FQDN of the first appliance in the DMZ and click Submit, but do not reboot the appliance yet when prompted.

  5. Go to the Advanced Options tab and enter the Advanced Access Control server IP address or FQDN.

  6. Reboot the appliance.
From Citrix Access Gateway 4.6.x
  1. Open the Citrix Access Gateway Administration Tool > General Networking > DMZ Configuration and select First hop in double DMZ.

  2. Select Configure for Advanced Access Control, click on Add, and enter the IP address or FQDN of the appliance from the second hop as shown below. You can select either SOCKS (port 1080) or SOCKS over SSL (port 443) for Protocol. Click Submit, but do not reboot the appliance yet when prompted.

  3. Go to the Advanced Options tab and enter the Advanced Access Control server IP address or FQDN.

  4. Reboot the appliance.
From the Advanced Access Control server
  1. Open the Citrix Access Management Console.
  2. Expand the Advanced Access Control Farm and go to Gateway Appliances.
  3. Make sure all the information displayed is correct (example below):

  4. Any refresh changes applied to the Gateway Appliances properties (such as STA information) and/or Logon Point will be pushed to the Access Gateway Proxy (using the Advanced Access Control Notification port 9005) and then to the Access Gateway appliance in the first hop. Example of a header and network trace when Advanced Access Control pushes information to the Access Gateway Proxy:
Header Trace
Advanced Access Control sends information to Access Gateway Proxy:
PUT /refresh_configuration HTTP/1.0

Access Gateway Proxy response:
HTTP/1.0 200 OK
Connection: close
Accept-Ranges: none

Network Trace

In this example, 10.12.37.231 is the Access Gateway Proxy and 10.12.37.173 is the Advanced Access Control server.
