Configure Citrix Gateway for AWS

It’s great to have virtual servers in the AWS cloud, but how do your end users access them? In this blog I will be adding a Citrix Gateway to the VPC (Virtual Private Cloud) so I can configure access to resources in the VPC.

Prerequisites

  1. Add a Citrix ADC to your VPC environment in AWS – see Setup Citrix ADC in Amazon Web Services AWS
  2. Have resources in your VPC to access such as Citrix Virtual App Servers, Storefront Servers, Databases and other resources to connect to.
  3. Allocate Subnet IP and Virtual IP for the gateway. Add 2 additional network interfaces for separate subnets.
  4. Increase the user timeout so as not to get dropped in the middle of these processes.
  5. Click Continue then save for specific user. Click Done
  6. Note: this cannot be done to nsroot so create a new user and increase that timeout
  7. Configure modes: In Citrix ADC go to System, Settings, Configure Modes like this.
  8. Click OK
  9. Click Configure Basic Features
  10. Click OK

Create SSL Certificate for the gateway

  1. Open Traffic Management, SSL, SSL Files
  2. First we will create an RSA key – click RSA key
  3. Complete the fields and click Create
  4. Next we will create the CSR
  5. Click on CSR Tab and click on Create Certificate Signing Request (CSR)
  6. Once completing the fields click Create
  7. Now we want to create the certificate using a CA. In this example I have purchased a Comodo certificate through Namecheap.com
  8. Open another browser tab and log on to the ADC and browse to Traffic Management\SSL
  9. Under Tools click on Manage Certificates / Keys / CSR’s
  10. Browse and view the CSR file aws-test-2019
  11. Click View and view the file
  12. Now on namecheap.com, logged in after purchasing the certificate, click Manage.
  13. Copy and paste into certificate request
  14. Click Next
  15. Select Apache option, click Next
  16. Choose approver email, click Next
  17. Add Admin email, click Next
  18. Review the approver and receiver email address, click Submit
  19. Check the approver email address. You will get an email with a link to click to approve. Once you have approved, the receiver email address will receive the certificate in a few moments.
  20. Download the certificate file and unzip
  21. Upload into ADC using Manage Certificates / Keys / CSR’s tool.
  22. Click Upload and browse to the unzipped location.
  23. Upload both the certificate and the CA-Bundle files.

Creating a Certificate-Key Pair

To create a certificate-key pair, complete the following procedure:

  1. Log in to the NetScaler appliance by using the nsroot credentials.
  2. Expand Traffic Management – SSL
  3. Select Certificate, then Server Certificates
  4. On the Server Certificates page, click Install.
  5. In the Certificate-Key Pair Name field, specify the certificate-key pair name.
  6. Complete the form by browsing for Certificate and key files, click Install

Create the CA Intermediary Bundle

  1. Click Install
  2. Complete by giving the intermediary cert a name
  3. Browse the intermediary file. Notice that you don’t choose a key file
  4. Click Install

Link Certificate

  1. Now we need to link the certificate to the Intermediate Bundle
  2. In SSL \ Server Certificates view, check aws.test.com.2019
  3. Select Action drop down and select Link, then choose certificate to link
  4. Select PositiveSSL-2019 and click OK
  5. Save configuration
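
The certificate steps above (CSR, issued certificate, CA bundle, link) can be sanity-checked with the standard `openssl` command line. This script is an added example, not part of the original post; it builds constructed throwaway sample files with placeholder names (`gw.example.test`, `Demo CA`) and assumes the CA bundle contains the intermediates and the root.

```shell
#!/bin/sh
# Added example: pre-upload checks on the CSR, issued certificate and CA bundle.
# Only public files are read, so the RSA key never has to leave the ADC.

# SHA-256 fingerprint of the public key in a CSR ($1=req) or certificate ($1=x509).
pubkey_fp() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# True when the issued certificate ($1) carries the public key from the CSR ($2).
cert_matches_csr() {
    c=$(pubkey_fp x509 "$1") || return 1
    r=$(pubkey_fp req "$2") || return 1
    [ "$c" = "$r" ]
}

# True when the certificate ($1) verifies against the CA bundle ($2).
# Assumption: the bundle holds the intermediates and the root.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed sample data: a throwaway CA, two keys/CSRs, one issued
# certificate and an unrelated CA that stands in for a wrong bundle.
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca-bundle.crt" 2>/dev/null
    for n in gw other; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n.example.test" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/gw.csr" -CA "$d/ca-bundle.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/gw.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Other CA" \
        -keyout "$d/ca2.key" -out "$d/wrong-bundle.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d) && make_samples "$d"
    cert_matches_csr "$d/gw.crt" "$d/gw.csr"    && echo "cert/CSR key: match"
    cert_matches_csr "$d/gw.crt" "$d/other.csr" || echo "cert/other CSR: MISMATCH"
    chain_ok "$d/gw.crt" "$d/ca-bundle.crt"     && echo "chain: OK"
    rm -rf "$d"
}
demo
```

With real files, call `cert_matches_csr` and `chain_ok` on the downloaded certificate, the CSR and the CA bundle instead of running `demo`.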

Configure Citrix Gateway

  1. Enable Citrix Gateway
  2. Right click Citrix Gateway, click on Enable Feature
    1. Open Citrix Gateway and click on Virtual Servers
    2. Click Add to start configuring
    3. Add NSGW IP
    4. Give it a name and an IP address, click OK
    5. Click Continue
    6. Under Basic Authentication click the +
    7. We’re just going to choose LOCAL for the policy on here instead of LDAP as we don’t have an Active Directory Server in the environment. We will create local accounts for access later.
    8. Click Continue
    9. Name the local policy “local” and add the expression as ns_true, Bind
    10. Click Continue, click Done
  3. Add Profile and Policies
    1. Go to Session Policies to add the Policies and Profiles
    2. Click on Session, then to the right click on Session Profiles Tab
    3. Click Add to create a Windows Session Profile
    4. First click on Client Experience Tab
    5. Configure like this
    6. Click on Published Applications Tab
    7. Configure like this, using an IP address for the StoreFront server built.
    8. Scroll down to the bottom and click the + by Policies
    9. First create a session policy
    10. The policy itself is straightforward, but the order is difficult to document. In order to configure the policy, you have to attach a profile which we have not yet created. I added a blank profile and gave it the name Windows_Profile. We will configure it later.
    11. Click Bind
    12. Click Done
    13. Edit

Configure the Gateway with the policies and certificate

  1. Note that the State is down. This is because we have not connected the policies and the certificates yet. This is what we will do now.
  2. Check the box next to NSGW and click Edit
  3. First click on No Server Certificate
  4. Browse and select the certificate we created above.
  5. Click the blue Select button to link it
  6. Now click Bind
  7. Back at the Virtual Server we will now click + below Basic Authentication to add the local authentication policy we created.
  8. Choose LOCAL policy and Primary as type
  9. Click Continue
  10. Now we will click to select
  11. Select local and click the blue Select button
  12. Now click Bind
  13. Now scroll down to policies section. Click No Session Policy
  14. Click Add Binding
  15. Click Select then click Bind
  16. Notice that the Profile we created previously and bound to the policy is linked
  17. Click Close
  18. You will now see 1 Session Policy
  19. Click Done
  20. Notice that the State is now UP
  21. We’re close to testing, but first we need to configure DNS
  22. Save the configuration
  23. I’ll go to Network Solutions to create an A record to match the IP address and the name of the certificate.
  24. Since this could ta
