
CTX799332 - Running Citrix Secure Gateway and IIS

This article discusses running Citrix Secure Gateway 1.1 and NFuse Classic 1.7 on the same Windows 2000 server.

Although not recommended by Citrix for large production environments, it is possible to configure a single Windows 2000 server to run Internet Information Services (IIS) with NFuse Classic and the Citrix Secure Gateway (CSG) service concurrently. In such a setup, the server becomes a self-contained gateway to your MetaFrame server farm.

Issues to Overcome

The following issues surface when attempting to run IIS and Citrix Secure Gateway on the same machine:

• Both IIS and Secure Gateway, by default, attempt to obtain an exclusive handle on TCP port 443.

• If one or the other component is configured to use a port other than 443, traffic may not be permitted to traverse firewalls between the client and the server.

• If multiple TCP interfaces or IP addresses are available on the server, IIS binds to all interfaces by default, preventing the Citrix Secure Gateway service from starting. This is discussed in Microsoft Technet article Q238131.

Follow the steps below to overcome these obstacles and allow CSG to run on the same server with IIS:

1. Open the Network and Dial-up Connections control panel and view the properties of the Local Area Connection.

2. View the Internet Protocol (TCP/IP) properties and ensure that a static IP address (not DHCP) is being used. Click the Advanced button and add a second IP address to this interface. Alternatively, you can add a second network card to the server, each with its own static IP address.

3. At this point your server should have two IP addresses. For example, IP1 is 192.168.0.50 and IP2 is 192.168.0.51. Type ipconfig at a command prompt to confirm.

4. Stop the Citrix Secure Gateway service and the IIS Admin service, along with all its dependent services.

5. Run the CSG Secure Gateway Service Configuration tool. On the panel that says Select interface, remove the option to listen on all interfaces (0.0.0.0:443) and add only the first server IP address on port 443. For example, the panel will show only 192.168.0.50:443 as the listening interface. Continue through the configuration wizard and restart the Citrix Secure Gateway service.

6. As discussed in Q238131, run the following commands at the server command prompt:

cd \InetPub\AdminScripts
cscript adsutil.vbs set w3svc/disablesocketpooling true

The following output should be returned:

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
disablesocketpooling : (BOOLEAN) True

7. Open the Internet Services Manager snap-in, right-click the Default Web Site, and view its properties. On the Web Site tab beneath Web site Identification, change the IP address from All unassigned to the second IP address on your server; for example, 192.168.0.51. Click OK.

8. At a command prompt, type IISRESET.

Your server is now capable of accepting Citrix Secure Gateway requests on IP1 and IIS/NFuse requests on IP2.

9. To support HTTPS connections to IIS and SSL connections to Secure Gateway, each IP address on the server must have its own Fully-Qualified Domain Name (FQDN) and its own corresponding SSL server certificate with the appropriate FQDN listed as the subject of each certificate. For example:

csg.company.com resolves to 192.168.0.50

nfuse.company.com resolves to 192.168.0.51

10. Note that while it may be possible to configure this same machine to act as the Secure Ticket Authority (STA) as well, do this only for demonstration purposes. In a production deployment, do not expose the STA to the Internet. If server consolidation is a priority, consider hosting the STA on a combination MetaFrame/IIS server.
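One way to confirm the result of steps 5 through 8 is to save the output of netstat -an from the server and check that port 443 is held only by the two specific addresses, with no 0.0.0.0:443 listener left over from socket pooling or the default Secure Gateway setting. The script below is an added example, not part of the Citrix article; the netstat samples are constructed, the function names are hypothetical, and the addresses are the article's example values.

```python
import re

# Constructed samples of `netstat -an` output (not captured from a real server).
SAMPLE_OK = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.50:443       0.0.0.0:0              LISTENING
  TCP    192.168.0.51:80        0.0.0.0:0              LISTENING
  TCP    192.168.0.51:443       0.0.0.0:0              LISTENING
  TCP    192.168.0.50:443       10.1.1.7:1044          ESTABLISHED
"""
SAMPLE_POOLED = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
"""

# Matches only IPv4 TCP sockets in the LISTENING state.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+\S+\s+LISTENING\s*$")

# Article's example layout: IP1 for Secure Gateway, IP2 for IIS/NFuse.
EXPECTED = {"192.168.0.50": "Secure Gateway", "192.168.0.51": "IIS/NFuse"}


def listeners(netstat_text, port=443):
    """Return the set of local IPv4 addresses listening on `port`."""
    found = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) == port:
            found.add(m.group(1))
    return found


def check_bindings(netstat_text, expected, port=443):
    """Return a list of problems; an empty list means the layout matches."""
    found = listeners(netstat_text, port)
    problems = []
    if "0.0.0.0" in found:
        problems.append("wildcard listener 0.0.0.0:%d present: a service "
                        "is still bound to all interfaces" % port)
    for ip, role in sorted(expected.items()):
        if ip not in found:
            problems.append("%s (%s) is not listening on port %d" % (ip, role, port))
    for ip in sorted(found - set(expected) - {"0.0.0.0"}):
        problems.append("unexpected listener %s:%d" % (ip, port))
    return problems


if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("pooled", SAMPLE_POOLED)):
        print(name, check_bindings(text, EXPECTED) or "bindings match")
```

A wildcard finding means either step 5 or steps 6 through 8 did not take effect; netstat -an alone does not show which service owns the socket.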
