Wilco van Bragt

Citrix Secure Gateway 3

With Web Interface (WI) you can easily present your applications to users via the Internet. But using WI alone is not completely secure. When the user clicks one of the application icons, normal ICA traffic (on port 1494) is started. You would be right to point out that the ICA traffic can be secured, but the 128-bit encryption method used by Citrix is not the strongest one. Therefore Citrix developed Citrix Secure Gateway (CSG), now at version 3. Citrix Secure Gateway encapsulates all ICA traffic in SSL. SSL is still the security standard and uses port 443, which is allowed as inbound traffic on almost every infrastructure. Many organizations will normally block port 1494.

Version 3 was released after Citrix Presentation Server 4. The expectation is that this will be the last version of Citrix Secure Gateway, because the functionality is also available within the Citrix Access Gateway appliance. If you are already using version 2, not many things have changed. The new version now supports Session Reliability, and the STA functionality is now implemented within the Citrix Presentation Server software itself.


Obviously CSG needs to be installed in the DMZ. It can easily be combined with WI on the same server. Just like WI, CSG can be installed on Windows or Solaris. CSG can also be deployed in a double-hop DMZ environment, using a second CSG server as a proxy server. CSG also needs a ticketing authority called the STA. With earlier versions this component was a separate item that had to be installed on an IIS web server. With Presentation Server 4 this component is integrated in the Presentation Server software, so every Citrix server can now be used as an STA server.

The installation itself is straightforward. During installation you need to select the function: Proxy is used in a double-hop DMZ, and Service provides the encapsulation functionality. After the installation, the installer offers to start the configuration wizard immediately.


If you are not using Presentation Server 4 yet but would like to use version 3 of the Citrix Secure Gateway, you can still use the STA component from CSG version 2.


As described, the configuration is done completely via a wizard. The most important prerequisites are a certificate for the SSL communication and a firewall configuration that allows traffic on the required ports. From the Internet to the CSG server(s) only port 443 is needed. From the DMZ to your local network, ports must be opened for ICA traffic (1494) and the XML Service (normally 80). If necessary you can also secure this traffic using an SSL connection between the CSG server and the Citrix servers.
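The port matrix above can be checked mechanically against a firewall rule export. The following is an added example, not part of the original review or of any Citrix tooling; the zone names, the one-line rule format and the sample rules are constructed for illustration.

```python
# Audit firewall allow-rules against the CSG port matrix described in the text.
# Assumption: rules are exported as "action src_zone dst_zone port" lines.
# Simplification: rule ordering (first match wins) is not modelled.

# (source zone, destination zone) -> TCP ports the text says are needed.
# Add further ports here if your deployment needs more than the text lists.
ALLOWED = {
    ("internet", "dmz"): {443},      # SSL to the CSG server(s)
    ("dmz", "lan"): {1494, 80},      # ICA and the XML Service
}

# Constructed sample rule set.
SAMPLE_RULES = [
    "allow internet dmz 443",
    "allow internet lan 1494",   # raw ICA from the Internet, bypassing CSG
    "allow dmz lan 1494",
    "allow dmz lan 3389",        # not part of the CSG matrix
    "deny internet lan any",
]

def audit(rules, allowed=ALLOWED):
    """Return (rule_number, kind, rule) findings; rule_number 0 = missing rule."""
    findings, seen = [], set()
    for n, line in enumerate(rules, 1):
        action, src, dst, port = line.lower().split()
        if action != "allow":
            continue
        permitted = allowed.get((src, dst), set())
        if port == "any":
            # Opens every port between the zones, including the needed ones.
            findings.append((n, "overbroad", line))
            seen.update((src, dst, p) for p in permitted)
        elif int(port) in permitted:
            seen.add((src, dst, int(port)))
        else:
            findings.append((n, "unexpected", line))
    # Report required flows that no allow-rule covers.
    for (src, dst), ports in allowed.items():
        for p in sorted(ports):
            if (src, dst, p) not in seen:
                findings.append((0, "missing", f"allow {src} {dst} {p}"))
    return findings

if __name__ == "__main__":
    for number, kind, rule in audit(SAMPLE_RULES):
        print(f"{kind:10} rule {number}: {rule}")
```
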

The certificate needs to be selected during the wizard, followed by the IP address on which to listen for incoming requests (this can be every IP address). Next the STA server needs to be specified (with PS4 this can be any Citrix server, so specify more than one for fault tolerance), along with the Web Interface server FQDN and port number. The last step is to configure the log level of the CSG.

Changes are only activated after a restart of the Secure Gateway service. Stopping this service interrupts the functionality, so active users will lose connectivity.



Citrix has done a nice job with the management possibilities within CSG. Besides an additional event log in the standard MS Event Viewer, two useful tools are added to CSG. The first tool, Secure Gateway Diagnostics, monitors all components used by CSG and displays the current status of each component using obvious icons. Clicking on a component displays its detailed configuration settings. The second tool, Secure Gateway Management Console, displays the current usage of CSG combined with the additional CSG event log and Performance Monitor, with some special CSG counters.



Version 3 of the Citrix Secure Gateway has not changed much in comparison with version 2. Session Reliability support is the only big feature update included in this version. Also, the STA functionality has moved from a web-based solution into the Presentation Server 4 software itself. But these two subjects were the only two minus points in my review of Secure Gateway 2.

Therefore Citrix Secure Gateway is still an excellent addition to Citrix Presentation Server, supporting SSL encapsulation for the ICA traffic. The management and monitoring tools are also very useful.

The expectation is that this will be the last Secure Gateway version released by Citrix and that the functionality will be taken over by the Citrix Access Gateway. From Citrix's point of view this is an obvious choice, but from a technical viewpoint it would be a pity if Citrix Secure Gateway went into retirement.

- No additional cost for the product
- Great Management tools
- STA functionality integrated into the PS software

- Unknown support from Citrix (is this the last version?)
- Troubleshooting is sometimes difficult