Hybrid Parallel deployment of Access Gateways
Today I helped a customer (who shall remain nameless) design an Access Gateway solution where they had the following requirements:
Sounds simple enough, right? But there's a problem: the ICA client cannot present a client certificate to the gateway when it makes an ICA-over-SSL connection, and Access Gateway cannot be set to "request" client certificates, only to "require" them. When you set AG to require client certificates, you break its ability to act as a Secure Gateway for ICA clients.

So the solution I proposed was to run a separate gateway just for ICA connections, and tunnel only the HTTPS traffic through Access Gateway #1 en route to AAC. The two gateways run in parallel, but gateway #2 does not accept user logons, only ticketed ICA traffic. To get through gateway #2 you must have a ticket from the Secure Ticket Authority (STA); to get a ticket from the STA you must authenticate to AAC and Web Interface; and to do that you must have the client certificate and a valid username/password. So the certificate check still gates every ICA session, even though gateway #2 never sees the certificate itself.

A few practical points. Each gateway needs its own certificate, its own unique FQDN and its own publicly routable IP address. You can use Secure Gateway software for gateway #2 if you want, or a second AG appliance. If you use an appliance for gateway #2, you'll need an AG user license for each concurrent ICA connection made through it. And be sure not to join the second gateway to the AAC farm, or it will inherit the "require client certificates" setting and break ICA all over again.

Jay
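To make the flow concrete, here is a small Python model of the two-gateway design. It is an added illustration, not part of the original post and not Citrix code: the class names, the ticket format, the 100-second ticket lifetime and the single-use rule are assumptions made for the example (they follow the usual STA behaviour, but check the product documentation for the real values). What it shows is the property the design relies on: gateway #2 has no logon of its own and will only proxy a connection that carries a ticket the STA issued to a session that got past gateway #1's certificate and password checks.

```python
"""Model of the hybrid parallel Access Gateway design (added example, not Citrix code).

Assumptions for this example: ticket lifetime 100 s, tickets are single-use,
and the ticket names the XenApp server and port it was issued for.
"""
import secrets
import time
from dataclasses import dataclass


class FakeClock:
    """Settable clock so ticket expiry can be exercised offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


@dataclass(frozen=True)
class Session:
    user: str
    cert_subject: str


class SecureTicketAuthority:
    """Issues short-lived, single-use tickets bound to a target server:port."""

    def __init__(self, ttl_seconds=100, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._tickets = {}  # ticket -> (server, port, expires_at)

    def request_ticket(self, session, server, port):
        # Only an authenticated AAC / Web Interface session may request a ticket.
        if not isinstance(session, Session):
            raise PermissionError("ticket request without an authenticated session")
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (server, port, self.clock() + self.ttl)
        return ticket

    def redeem(self, ticket):
        # pop(): a ticket is consumed on first presentation, valid or not.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        server, port, expires_at = entry
        if self.clock() > expires_at:
            return None
        return server, port


class AccessGateway1:
    """Gateway #1: in the AAC farm, requires a client certificate, HTTPS only."""

    def __init__(self, trusted_issuers, credentials):
        self.trusted_issuers = set(trusted_issuers)
        self.credentials = dict(credentials)

    def logon(self, client_cert, username, password):
        # "Require", not "request": no acceptable certificate, no TLS session.
        if client_cert is None or client_cert.get("issuer") not in self.trusted_issuers:
            return None
        if self.credentials.get(username) != password:
            return None
        return Session(user=username, cert_subject=client_cert["subject"])


class IcaGateway2:
    """Gateway #2: not in the AAC farm, no logon page, proxies ticketed ICA only."""

    def __init__(self, sta):
        self.sta = sta

    def logon(self, *args, **kwargs):
        return None  # there is nothing to log on to here

    def connect_ica(self, ticket):
        target = self.sta.redeem(ticket)
        if target is None:
            return None  # unticketed, reused or expired: refused
        server, port = target
        return "ica://%s:%d" % (server, port)


def launch(gw1, sta, gw2, client_cert, username, password, server, port):
    """End-to-end flow: certificate + password on gateway #1, ticket from the
    STA, then the ICA connection through gateway #2."""
    session = gw1.logon(client_cert, username, password)
    if session is None:
        return None
    ticket = sta.request_ticket(session, server, port)
    return gw2.connect_ica(ticket)


if __name__ == "__main__":
    clock = FakeClock()
    sta = SecureTicketAuthority(clock=clock)
    gw1 = AccessGateway1({"CN=Corp CA"}, {"alice": "pw"})  # constructed sample data
    gw2 = IcaGateway2(sta)
    cert = {"subject": "CN=alice", "issuer": "CN=Corp CA"}
    print(launch(gw1, sta, gw2, cert, "alice", "pw", "xa01", 1494))
    print(launch(gw1, sta, gw2, None, "alice", "pw", "xa01", 1494))
```

The thing to notice is that gateway #2 never evaluates a certificate or a password; it trusts the STA, and the STA only hands out tickets to sessions that gateway #1 has already vetted. That is why the second gateway must stay out of the AAC farm and must not expose a logon of its own.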