First Look: Citrix Secure Gateway 3.0

Note: This review is based on the tech preview version of Secure Gateway 3.0. You never know what Citrix might change to the final version.

Citrix Secure Gateway (CSG) is another great free component for Citrix customers that works in a MetaFrame Presentation Server (MPS) or MetaFrame Secure Access Manager (MSAM) environment. It allows thousands of users to access many MetaFrame servers from outside of the corporate network via a single IP address and single port while simultaneously handling the SSL or TLS encryption of the individual sessions. MetaFrame Access Suite 4.0, due out next year, will include a new version of CSG.

CSG is one of those great products that just “works.” Even when it plays a major role in a company, there’s not much to see once it’s up and running, which can make it hard to figure out whether anything is new. Let’s put it this way: Secure Gateway 1.1 to 2.0 brought big changes, but most of them were under the hood. CSG 3.0 was again rewritten from the ground up, and again most of the changes are under the hood.

Secure Gateway Under the Hood

So what big changes did Citrix make for CSG 3.0? First of all, they rebuilt it on Apache. Citrix already uses Apache technology for the XTE Service, which is responsible for the Session Reliability feature introduced in MPS 3. In the MPS 4 Technical Preview, the Secure Gateway service is also named “Citrix XTE Server” and still has the Apache icon. Most likely Citrix used an early version of the XTE development kit to build the new Secure Gateway. Doing so provides two advantages for Citrix: they can share one development team for XTE/CSG, and it will be easier to build support for Session Reliability through the Citrix Secure Gateway.

The Tech Preview shows many signs of CSG’s upcoming support for Session Reliability, but that part of the development is not yet finished, so Session Reliability through CSG is not available in this beta version. (Besides, Session Reliability through the Gateway also needs development work on the Web Interface and the ICA Client.)

Common Gateway Protocol

The next big change in CSG 3.0 is the way CSG handles client connections. Put simply, with CSG 2.0 the ICA traffic is wrapped in SOCKS as the carrier protocol, SOCKS is then wrapped in SSL, and the result is sent to the CSG, where the procedure is reversed. Secure Gateway 3.0 instead uses the Citrix Common Gateway Protocol (CGP) that was introduced with the Session Reliability feature of MPS 3, which eliminates SOCKS as the carrier protocol. Future ICA Clients (including the Advanced Gateway Client) will use CGP, although CSG 3.0 will continue to support SOCKS for backward compatibility with older clients. The advantages of CGP are its “built-in” Session Reliability capability and a lower bandwidth overhead compared to SOCKS.

Wildcard Certificate Support

Have you ever wanted to use wildcard certificates for your Secure Gateway? This is now supported with CSG 3.0. For example, a wildcard certificate issued for * would let you secure an unlimited number of first-level subdomains under that name. Two caveats apply to wildcard certificates in general: the wildcard stands for exactly one label (a host two levels below the wildcard is not covered), and every server that presents the certificate holds a copy of the same private key, so a compromise of any one of them affects all the others.
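The one-label rule above is where wildcard deployments usually go wrong, so here is the matching logic a client applies when it checks a server name against a wildcard certificate. This is an added example, not Citrix code and not part of the original article; “example.com” stands in for whatever domain the gateway is published under, which the text does not name.

```python
"""Name matching for wildcard certificates (RFC 2818 / RFC 6125 rules).

Added example, not Citrix code. "example.com" below is a placeholder for the
domain the gateway is published under.
"""


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate name covers hostname.

    - Comparison is case-insensitive and ignores a trailing dot.
    - A wildcard is honoured only as the complete left-most label
      ("*.example.com"; partial forms like "g*.example.com" are rejected).
    - The wildcard stands for exactly one label: it covers
      "gw.example.com" but neither "example.com" nor "gw.emea.example.com".
    - A wildcard directly under a top-level label ("*.com") is refused.
    """
    cert_name = cert_name.strip().lower().rstrip(".")
    hostname = hostname.strip().lower().rstrip(".")
    if not cert_name or not hostname:
        return False
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # wildcard must be the whole left-most label and appear nowhere else
    if cert_labels[0] != "*" or any("*" in label for label in cert_labels[1:]):
        return False
    if len(cert_labels) < 3:  # "*.com" style names are not acceptable
        return False
    # exactly one label is substituted, so label counts must be equal
    if len(host_labels) != len(cert_labels):
        return False
    return host_labels[1:] == cert_labels[1:]


def covered_by(cert_name, hostnames):
    """Split hostnames into those the certificate covers and those it does not."""
    covered = [h for h in hostnames if hostname_matches(cert_name, h)]
    not_covered = [h for h in hostnames if not hostname_matches(cert_name, h)]
    return covered, not_covered


if __name__ == "__main__":
    names = ["gw.example.com", "wi.example.com", "example.com", "gw.emea.example.com"]
    ok, missing = covered_by("*.example.com", names)
    print("covered:    ", ok)
    print("NOT covered:", missing)
```

Run it against the names you actually intend to publish before buying the certificate; the bare domain and any second-level host (a regional gateway, for instance) will show up in the “NOT covered” list.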

Relay Mode!

A lot of people asked how to enable “relay mode” in Secure Gateway 2.0. The answer is that it’s not officially supported in 2.0. (Citrix claimed it broke a basic rule of security because it forwarded unauthenticated traffic.) Fortunately, relay mode is back in CSG 3.0!

When enabled, this mode allows the gateway to accept connections without a ticket from the Secure Ticket Authority (STA). This also allows the full Program Neighborhood client to connect through the CSG without a Citrix Web Interface or STA. The trade-off is exactly the one Citrix objected to: without the ticket check, the gateway forwards traffic towards the internal MetaFrame servers before anyone has authenticated, so any client that can reach the gateway port can attempt a connection. Exposing a relay-mode gateway to the Internet is therefore not advisable, but it can be a reasonable solution for internal use.

Advanced Double-Hop DMZ Support

Secure Gateway 3.0 will support round-robin load balancing and failover across multiple Gateway servers. This is a great feature for highly available access solutions with MSAM or MetaFrame Presentation Server deployments. If one or more secure proxy servers fail, the Secure Gateway can still accept connections, since it routes the traffic to another running secure proxy server.

Advanced Logging

Since CSG 3.0 is based on Apache, logging comes built in (but has been extended for Secure Gateway). All four log files (Access, SocksAccess, CgpAccess, Error) are available and can be rotated automatically. The access log is simply a web server log of the HTTP/S access. In addition to errors, the error log records CSG notices (startup, shutdown) and warnings. The SocksAccess log records clients connecting to the CSG over SOCKS (old clients). The last one, CgpAccess, records connections to the Secure Gateway over the new Citrix Common Gateway Protocol (new clients).

These logs made it easy for Citrix developers to build a reporting facility for Secure Gateway access. Taking it a step further, Citrix could import the logs into the Citrix summary database and put reports in the Access Suite Console (ASC). (Actually, full CSG ASC integration would be great. Maybe we’ll see this in version 4.0...?)
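Because the access log is an ordinary web server log, the first thing a practitioner does with it is triage: which client addresses are producing errors, and what were they asking for. The script below is an added example, not Citrix code. It assumes the CSG 3.0 access log uses the standard Apache “combined” format (the article only says it is “simply a web server log”, so the exact format is an assumption), and the log lines embedded in it are constructed for the example: one legitimate Web Interface user and one host running old IIS worm probes through the gateway. The addresses come from the RFC 5737 documentation ranges.

```python
"""Triage of a Secure Gateway access log.

Added example, not Citrix code. Assumes the Apache "combined" log format;
the sample lines and the paths/addresses in them are constructed.
"""
import re
from collections import Counter, defaultdict

# Apache combined format: host ident user [time] "request" status size "referer" "agent"
# The referer/agent pair is optional so plain "common" format lines parse too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

# Constructed sample: one normal Web Interface logon and one scanner.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Nov/2004:09:12:01 +0100] "GET /Citrix/MetaFrame/default/login.aspx HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.10 - - [17/Nov/2004:09:12:05 +0100] "POST /Citrix/MetaFrame/default/login.aspx HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.10 - - [17/Nov/2004:09:12:06 +0100] "GET /Citrix/MetaFrame/default/apps.aspx HTTP/1.1" 200 8704 "-" "Mozilla/4.0"
198.51.100.7 - - [17/Nov/2004:09:13:00 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0 "-" "-"
198.51.100.7 - - [17/Nov/2004:09:13:00 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 0 "-" "-"
198.51.100.7 - - [17/Nov/2004:09:13:01 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-"
198.51.100.7 - - [17/Nov/2004:09:13:01 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-"
198.51.100.7 - - [17/Nov/2004:09:13:02 +0100] "GET /Citrix/MetaFrame/default/login.aspx HTTP/1.1" 200 5120 "-" "-"
this line is not in log format and must be counted as unparseable
"""


def parse_access_log(text):
    """Parse log text into dicts; return (entries, number_of_unparseable_lines)."""
    entries, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            bad += 1          # never silently drop lines: a parser gap hides activity
            continue
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        entries.append(entry)
    return entries, bad


def error_counts_by_client(entries):
    """Count 4xx/5xx responses per source address."""
    counts = Counter()
    for e in entries:
        if e["status"] >= 400:
            counts[e["ip"]] += 1
    return counts


def flag_probing_clients(entries, threshold=3):
    """Return [(ip, error_count, sorted_error_paths)] for clients at or above threshold."""
    errors = error_counts_by_client(entries)
    paths = defaultdict(set)
    for e in entries:
        if e["status"] >= 400:
            paths[e["ip"]].add(e["path"])
    return [(ip, n, sorted(paths[ip])) for ip, n in errors.most_common() if n >= threshold]


if __name__ == "__main__":
    entries, bad = parse_access_log(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed, {bad} unparseable")
    for ip, n, probe_paths in flag_probing_clients(entries):
        print(f"{ip}: {n} error responses")
        for p in probe_paths:
            print("   ", p)
```

The same loop applies unchanged to rotated files, and the unparseable count is worth watching: if it climbs after a CSG upgrade, the log format changed and the report is no longer looking at everything.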

Secure Gateway Components

The Secure Gateway Management Console now has direct links to all other components: configuration, diagnostics and the logon agent configuration. The Secure Gateway performance counters now include some additional entries, such as CGP, SOCKS and SSL handshake counters. (There are 22 more counters in the tech preview version.)

In the final version we’ll probably see links to or integration with the new advanced logging feature. This will make the Management Console the central point for Secure Gateway 3.0 and may be the first step towards full MetaFrame Access Suite Console integration.

The SG Configuration now has an important new option: the deployment mode.

Both CSG 2.0 and 3.0 can work as a reverse proxy, which allows the Web Interface and Secure Gateway to be installed on the same server using a single certificate. CSG 2.0 had some minor issues with this configuration, but these seem to have been solved in 3.0.

(The “Real IP” problem still exists in the tech preview and might also be in the final version. It is encountered when CSG and WI are installed on the same box with CSG working in reverse proxy mode: IIS / WI only ever sees the IP address of the server itself, since all incoming requests are funnelled through the CSG acting as the reverse proxy. Anything in the Web Interface that keys off the client address, such as logging or per-address settings, therefore works on the proxy’s address rather than the user’s. If this is a problem in your environment, Sam Jacobs from IPM has written a Web Interface 3.0 modification, which is available here from my website.)
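The “Real IP” problem is not specific to Citrix; every application behind a reverse proxy faces it, and the usual fix is for the proxy to pass the original address in an X-Forwarded-For header. Apache’s own proxy module does this by default; whether the CSG tech preview does is not stated in the article and is assumed here. The dangerous part is on the receiving side: the header is plain text any client can send, so it must only be believed when the request really arrived from the proxy. The function below is an added example showing that check (it is not Sam Jacobs’s Web Interface modification and not Citrix code); the trusted proxy addresses are an assumption based on CSG and WI sharing one box.

```python
"""Recovering the original client address behind a reverse proxy.

Added example, not Citrix code and not the Web Interface modification the
article links to. Assumption: the reverse proxy forwards the original client
address in X-Forwarded-For and runs on the same host as the web application,
so loopback is the only proxy we trust.
"""
import ipaddress

# Assumption: CSG reverse proxy and Web Interface share one server, so the
# proxy always connects from loopback. Extend this set for a separate proxy tier.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Return the address to log and to base any per-client decision on.

    - If the socket peer is not one of our proxies, the request reached us
      directly and any X-Forwarded-For it carries is attacker-controlled: ignore it.
    - Otherwise walk the header from the right (the entry appended by the
      nearest proxy), skip our own proxies, and take the first other entry.
      Entries further left were supplied by the client and are not trusted.
    - A malformed entry means we fall back to the socket address instead of
      writing arbitrary text into the log.
    """
    if remote_addr not in trusted_proxies:
        return remote_addr
    xff = _header(headers, "X-Forwarded-For")
    if not xff:
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not hop or hop in trusted_proxies:
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return remote_addr
    return remote_addr


if __name__ == "__main__":
    # via the proxy: header is honoured
    print(client_ip("127.0.0.1", {"X-Forwarded-For": "203.0.113.10"}))
    # direct hit on the backend with a forged header: header is ignored
    print(client_ip("203.0.113.10", {"X-Forwarded-For": "10.0.0.1"}))
    # client tried to prepend a fake hop: rightmost untrusted entry wins
    print(client_ip("127.0.0.1", {"X-Forwarded-For": "10.0.0.9, 203.0.113.10"}))
```

The firewall rule that matters alongside this code is the one that keeps the backend port reachable only from the proxy; if users can reach IIS directly, the first check is the only thing standing between them and a forged address.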

Secure Ticket Authority in the XML Service

Previous versions of the Secure Ticket Authority (STA) had to be installed on Internet Information Services (IIS), although the STA used only an absolute minimum of server resources, even when creating 200 tickets per second. Most people wanted to run the STA on a MetaFrame server, but there were issues with the STA and the Citrix XML Service sharing the same port. With MPS 4.0, the Citrix XML Service can act as the STA directly, so a separate server is no longer needed.


Citrix Secure Gateway is a core component of MetaFrame Secure Access Manager. The new version of MSAM therefore depends on CSG functionality to make new features possible (such as support for “smart clients”). Further development of the Secure Gateway is important for Citrix, since it will make MSAM more interesting for customers. I have to admit, I really have to dive into MSAM...

This message was originally posted by Berdt on November 17, 2004
Great review Thomas! This stuff is really cool.
This message was originally posted by Brian Madden on November 17, 2004
I think what you're asking is "Is CSG 3.0 a real SSL VPN?" :) (See Doc# 214 for more info.) So far the answer is "no," but I'll bet we'll see this at some point (either through Citrix expanding the functionality or via an acquisition).
This message was originally posted by an anonymous visitor on November 17, 2004
Great review and article! One question, CSG 1 & 2 have been geared solely at connecting to MF farms. Does CSG 3.0 and the new version of MSAM begin to creep out of this and enable customers to connect to other non-Citrix web services securely (Lotus, IBM Websphere, Oracle, etc...) or will you still have to have Metaframe Pres Server to use this product?
This message was originally posted by an anonymous visitor on November 17, 2004
The details mixed with screen shots, explaining what goes on "under the hood", is what I like to read about. Thomas & Brian, appreciate you taking the time to explain & post. Look forward to more!
This message was originally posted by Help4ctx on November 19, 2004
<i>Can be achieved by modifying one config file on the STA</i> - If you want to do it properly, you also need to modify the Logon Agent.
This message was originally posted by an anonymous visitor on November 19, 2004
Can be achieved by modifying one config file on the STA
This message was originally posted by Andy Smith on November 18, 2004
Very useful article.

When I explain CSG to network security types, I always call it an SSL VPN to simplify the conversation. It's basically what CSG does, just for a lot fewer protocols. It's not as full-featured as a Neoteris or Aventail, but then again CSG is not sold as a standalone product either. It wasn't until recently that Neoteris and Aventail supported ICA!!
This message was originally posted by Help4ctx on November 18, 2004
By the way, nice article Thomas :-)
This message was originally posted by Help4Ctx on November 18, 2004
The Alternate UI features of MSAM 2.2 (the STA and LA) allow you to secure access to an alternate interface such as WebSphere or Sharepoint, instead of the default Access Centre. As far as 'Is CSG 3.0 a real SSL VPN', well again with the STA and LA components of SAM 2.2 you can extend the functionality of CSG to secure other SOCKS compliant traffic. For example, you can deliver RDP via SG via SSL with a few config changes.
This message was originally posted by MAUREL Stephane on November 18, 2004
I've tried it and I like it. It is mandatory for everyone who has a network. THANKS
This message was originally posted by Kevin Ray on November 24, 2004
Where does CSG fit in now that Citrix are in the process of Acquiring Net6
This message was originally posted by Sam Jacobs on November 29, 2004
Very focused and informative...thanks, Thomas !
This message was originally posted by Bärbel Fischer on November 26, 2004
The comments are the reason why you should carry on.
Whenever you need my assistance, I'll participate.

CSG 3.0 is awesome!  As a FREE Citrix product, it really scales very well.

What is the future of CSG now that Citrix are pushing CAG? I have heard rumours that it won't be developed any further but AFAICT it has no end of life date. Also the CAG is licenced per concurrent users but the CSG is free - why would people not in need of the additional functionality of the CAG ditch the CSG?
Appreciate your view.
I just tried to download Citrix Secure Access Gateway 3.0 off of the Citrix Web Site and it said it was corrupt when I tried to open it.  Called Citrix who told me it is not available anymore.  She told me to download CAG 4.2 which as I understand it, is an appliance.  I want to build my own Citrix Secure Gateway in a lab.  Does anyone know where I can get a download of 3.0?  Also, can I run Web Interface and CSG on the same box?  Any info on how to do that would be great.
Charleston SC
btw.....the download location will be awarded 1 gozillion points the other question will only be awarded 1/2 gozillion points.
Is there a way to make this work with XPa 1.0?? or it only works with Presentation Server 3.0 and 4.0???
I just downloaded 3.0 Today and it works fine
Where can you download this from?.....I can't find it anywhere on Citrix's website, all I can find Citrix Access Gateway, which isn't free.