The checklist consists of a list of tasks and planning information you should complete before you install Access Gateway 10.
Space is provided so that you can check off each task as you complete it and make notes. Citrix recommends that you make note of the configuration values that you need to enter during the installation process and while configuring Access Gateway.
For instructions about installing and configuring Access Gateway, see Installing the Access Gateway Appliance in the Access Gateway appliances node and Installing Access Gateway 10 in eDocs.
If you are replacing the Secure Gateway with Access Gateway in your network environment, see Replacing the Secure Gateway with Access Gateway.
User Devices
1 Ensure that user devices meet the installation prerequisites described in Configuring User Connections in Access Gateway 10.
Access Gateway Basic Network Connectivity
2 Identify and write down the Access Gateway host name. Note: This is not the fully qualified domain name (FQDN). The FQDN is contained in the signed server certificate that is bound to the virtual server.
3 Obtain universal licenses from My Citrix.
4 Generate a Certificate Signing Request (CSR) and send it to a Certificate Authority (CA) (date completed).
5 Write down the system IP address and subnet mask.
6 Write down the mapped IP address and subnet mask.
7 Write down the subnet IP address and subnet mask (optional).
8 Write down the administrator password. The default password that comes with Access Gateway is nsroot.
9 Write down the port number. This is the port on which Access Gateway listens for secure user connections. The default is TCP port 443. This port must be open on the firewall between the unsecured network and the DMZ.
10 Write down the default gateway IP address.
11 Write down the DNS server IP address.
12 Write down the first virtual server IP address and host name.
13 Write down the second virtual server IP address and host name (if applicable).
14 Write down the WINS server IP address (if applicable).
Internal Networks Accessible Through Access Gateway
15 Write down the internal networks that users can access through Access Gateway. Example: 10.10.0.0/24. Enter all internal networks and network segments that users need access to when they connect through Access Gateway by using the Access Gateway Plug-in.
High Availability
If you have two Access Gateway appliances, you can deploy them in a configuration in which one Access Gateway accepts and manages connections, while a second Access Gateway monitors the first appliance. If the first Access Gateway stops accepting connections for any reason, the second Access Gateway takes over and begins actively accepting connections.
16 Write down the Access Gateway software version number. The version number must be the same on both Access Gateway appliances.
17 Write down the administrator password (nsroot). The password must be the same on both appliances.
18 Write down the primary Access Gateway IP address and ID. The maximum ID number is 64.
19 Write down the secondary Access Gateway IP address and ID.
20 Obtain and install the Universal license on both appliances. You must install the same Universal license on both appliances.
21 Write down the RPC node password.
Authentication and Authorization
Access Gateway supports several different authentication and authorization types that can be used in a variety of combinations. For detailed information about authentication and authorization, see Configuring Authentication and Authorization.
LDAP Authentication
If your environment includes an LDAP server, you can use LDAP for authentication.
22 Write down the LDAP server IP address and port. If you allow unsecure connections to the LDAP server, the default is port 389. If you encrypt connections to the LDAP server with SSL, the default is port 636.
23 Write down the security type. You can configure security with or without encryption.
24 Write down the administrator bind DN. If your LDAP server requires authentication, enter the administrator DN that Access Gateway should use to authenticate when making queries to the LDAP directory. An example is “cn=administrator, cn=Users, dc=ace, dc=com.”
25 Write down the administrator password. This is the password associated with the administrator bind DN.
26 Write down the Base DN. This is the DN (or directory level) under which users are located; for example, “ou=users, dc=ace, dc=com.”
27 Write down the server logon name attribute. Enter the LDAP directory Person object attribute that specifies a user’s logon name. The default is “sAMAccountName.” If you are not using Active Directory, common values for this setting are “cn” or “uid.”
28 Write down the group attribute. Enter the LDAP directory Person object attribute that specifies the groups to which a user belongs. The default is “memberOf.” This attribute enables Access Gateway to identify the directory groups to which a user belongs.
29 Write down the subattribute name.
RADIUS Authentication and Authorization
If your environment includes a RADIUS server, you can use RADIUS for authentication.
RADIUS authentication includes RSA SecurID, SafeWord, and Gemalto Protiva products.
30 Write down the primary RADIUS server IP address and port. The default port is 1812.
31 Write down the primary RADIUS server secret (shared secret).
32 Write down the secondary RADIUS server IP address and port. The default port is 1812.
33 Write down the secondary RADIUS server secret (shared secret).
34 Write down the type of password encoding (PAP, CHAP, MS-CHAP v1, MS-CHAP v2).
Opening Ports Through the Firewalls (Single-Hop DMZ)
If your organization protects the internal network with a single DMZ and you deploy the Access Gateway in the DMZ, open the following ports through the firewalls. If you are installing two Access Gateway appliances in a double-hop DMZ deployment, see Double-Hop DMZ Deployment with Citrix XenApp.
On the Firewall Between the Unsecured Network and the DMZ
35 Open a TCP/SSL port (default 443) on the firewall between the Internet and Access Gateway. User devices connect to Access Gateway on this port.
On the Firewall Between the DMZ and the Secured Network
36 Open one or more appropriate ports on the firewall between the DMZ and the secured network. Access Gateway connects to one or more authentication servers or to computers running XenApp or Citrix XenDesktop in the secured network on these ports.
37 Write down the authentication ports. Open only the port appropriate for your Access Gateway configuration. For LDAP connections, the default is TCP port 389. For a RADIUS connection, the default is UDP port 1812.
Write down the XenApp or XenDesktop ports. If you are using Access Gateway with XenApp or XenDesktop, open TCP port 1494. If you enable session reliability, open TCP port 2598 instead of 1494. Citrix recommends keeping both of these ports open.
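The single-hop firewall items above amount to a small rule matrix that depends on which checklist options you chose (LDAP with or without SSL, RADIUS, XenApp with session reliability). The following is an added example, not part of the Citrix checklist: it derives that minimal rule set from the checklist values and audits a constructed firewall rule list against it, flagging both missing rules and rules left open that the checklist does not call for. The Rule record format and the sample rule set are assumptions made for the example; the port numbers are the page's defaults.

```python
# Added example (not from the Citrix checklist): derive the firewall rules the
# single-hop DMZ section calls for and audit a constructed rule set against them.
# Rule format and the sample CONFIGURED set are assumptions for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str    # "internet" or "dmz"
    dst: str    # "dmz" or "secure"
    proto: str  # "tcp" or "udp"
    port: int


def required_rules(ldap=False, ldap_ssl=False, radius=False,
                   xenapp=False, session_reliability=False):
    """Minimal rule set per checklist items 35-37 and the XenApp/XenDesktop ports."""
    rules = {Rule("internet", "dmz", "tcp", 443)}  # item 35: user SSL port
    if ldap:                                        # item 37: LDAP 389, or 636 with SSL
        rules.add(Rule("dmz", "secure", "tcp", 636 if ldap_ssl else 389))
    if radius:                                      # item 37: RADIUS UDP 1812
        rules.add(Rule("dmz", "secure", "udp", 1812))
    if xenapp:                                      # ICA on 1494
        rules.add(Rule("dmz", "secure", "tcp", 1494))
        if session_reliability:                     # 2598 added alongside 1494, as Citrix recommends
            rules.add(Rule("dmz", "secure", "tcp", 2598))
    return rules


def audit(configured, required):
    """Return (missing, excess): rules the checklist needs but the firewall lacks,
    and rules left open that the checklist does not call for (item 37: open only
    the port appropriate for your configuration)."""
    return required - configured, configured - required


# Constructed sample: LDAP over SSL, RADIUS, XenApp with session reliability.
REQUIRED = required_rules(ldap=True, ldap_ssl=True, radius=True,
                          xenapp=True, session_reliability=True)
CONFIGURED = {
    Rule("internet", "dmz", "tcp", 443),
    Rule("dmz", "secure", "tcp", 389),   # plaintext LDAP still open although SSL was chosen
    Rule("dmz", "secure", "udp", 1812),
    Rule("dmz", "secure", "tcp", 1494),
    Rule("dmz", "secure", "tcp", 2598),
}

if __name__ == "__main__":
    missing, excess = audit(CONFIGURED, REQUIRED)
    for r in sorted(missing, key=str):
        print("MISSING", r)
    for r in sorted(excess, key=str):
        print("EXCESS ", r)
```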
XenDesktop, XenApp, the Web Interface, or CloudGateway Express
Complete the following tasks if you are deploying Access Gateway to provide access to XenApp or XenDesktop through the Web Interface or StoreFront. The Access Gateway Plug-in is not required for this deployment. Users access published applications and desktops through Access Gateway by using only Web browsers and Citrix Receiver.
38 Write down the FQDN or IP address of the server running the Web Interface or StoreFront.
39 Write down the FQDN or IP address of the server running the Secure Ticket Authority (STA) (for Web Interface only).
CloudGateway Enterprise
Complete the following tasks if you deploy AppController in your internal network. If users connect to AppController from an external network, such as the Internet, users must connect to Access Gateway before accessing Web and SaaS apps.
40 Write down the FQDN or IP address of AppController.
41 Identify Web, SaaS, and mobile iOS applications users can access.
Double-Hop DMZ Deployment with XenApp
Complete the following tasks if you are deploying two Access Gateway appliances in a double-hop DMZ configuration to support access to servers running XenApp.
Access Gateway in the First DMZ
The first DMZ is the DMZ at the outermost edge of your internal network (closest to the Internet or unsecure network). Clients connect to Access Gateway in the first DMZ through the firewall separating the Internet from the DMZ. Collect this information before installing Access Gateway in the first DMZ.
42 Complete the items in the Access Gateway Basic Network Connectivity section of this checklist for this Access Gateway. When completing those items, note that Interface 0 connects this Access Gateway to the Internet and Interface 1 connects this Access Gateway to Access Gateway in the second DMZ.
43 Configure the second DMZ appliance information on the primary appliance. To configure Access Gateway as the first hop in the double-hop DMZ, you must specify the host name or IP address of Access Gateway in the second DMZ on the appliance in the first DMZ. After the Access Gateway proxy is configured on the appliance in the first hop, bind it to Access Gateway globally or to a virtual server.
44 Write down the connection protocol and port between appliances. To configure Access Gateway as the first hop in the double-hop DMZ, you must specify the connection protocol and port on which Access Gateway in the second DMZ listens for connections. The connection protocol and port is SOCKS with SSL (default port 443). The protocol and port must be open through the firewall that separates the first DMZ and the second DMZ.
Access Gateway in the Second DMZ
The second DMZ is the DMZ closest to your internal, secure network. Access Gateway deployed in the second DMZ serves as a proxy for ICA traffic, traversing the second DMZ between the external user devices and the servers on the internal network.
45 Complete the tasks in the Access Gateway Basic Network Connectivity section of this checklist for this Access Gateway. When completing those items, note that Interface 0 connects this Access Gateway to Access Gateway in the first DMZ. Interface 1 connects this Access Gateway to the secured network.