Configuring Citrix Access Gateway (CAG) VPX 5.0.1 with XenDesktop 5


CAG with basic configuration – that is:
- IP Addressing for web, internal, and management interfaces (this could be the same interface)
- host name matching external web address and SSL certificate
- license (express edition or better)
SSL Certificate Installed on CAG
{If required} SSL Certificate Imported into CDDC
Connection to working Citrix Desktop Delivery Controller
Connection to working Windows Active Directory


Part 1: Configuration on the CAG

Log in to the CAG Web UI at

From 'Management' configure:

System Administration

1) Name Service Providers:
Enter the internal DNS server(s) IP Address
Enter a DNS suffix
Can manually add any internal controller(s) into the 'HOSTS File' to be sure of name resolution

2) Date and Time
Either set manually or point to an NTP server

Access Control

3) Logon Points
Create a new logon point

Fields to be completed:
Under 'General Properties'
Name: << choose a name for the Logon Point >>
Type: Basic
Tick 'Authenticate with Web Interface'

And set the logon point as default (so interfaces with the XenDesktop installation)

Applications and Desktops

4) XenApp or XenDesktop
Create a new ICA Access Control List for ICA protocol and
Create a new ICA Access Control List for Session reliability protocol
with beginning and ending IP address for range used by IP Addresses

Part 2: Configuration on the Citrix Desktop Delivery Controller

Open 'Citrix Desktop Studio' Management Console
Expand Access -> Citrix Web Interface -> XenApp Web Sites
Select the Internal Site ( http://CDDC.ADOMAIN.priv/Citrix/DesktopWeb )
Select the 'Secure Access' tab
Click 'Edit secure access settings'

Click 'Add' to Specify a new Access Method
Enter IP address and subnet mask of the CAGs internal interface
Select 'Gateway alternate' for an internal CAG behind a NAT firewall

Click OK
Click Next

Specify the Address (FQDN) of the Access Gateway
Port: 443
Enable session reliability (default)

Click Next

Add the Secure Ticket Authority URLs: << https://CDDC.ADOMAIN.priv/scripts/ctxsta.dll >>
Click Finish

All done and ready to test XenDesktop 5 via the external CAG interface!


1) LDAP authentication profile and working Secure Ticket Authority (STA) setup are not required on the CAG here since the CAG redirects straight through to the XenDesktop internal login page

2) Following through these four articles posted this month -
- will result in a fully working web accessible XenDesktop proof of concept (or Small Business setup) with £0 Citrix Licensing costs – thank you Citrix for making this possible (request to Citrix – this might be asking a little too much but please can the 12 month CAG VPX express up to 5 concurrent connections license be turned into perpetual? Cheers!)

CORRECTION: The CAG VPX express license does not work with the XenDesktop Express  past a short grace period. In order to use CAG VPX with XenDesktop, at a minimum will need the XenDesktop VDI license. 


  1. Excellent!
    Thank you for your help with these posts!
    And Thank to Citrix!

  2. Excellent...thanks for this website.

  3. Hi,

    I get message when using CAG ok internal

    An error occurred while making the requested connection. this is at the point of connecting to desktop

  4. Thanks very much for these posts - I was going nuts trying to configure the device as the documentation is very very poor indeed. This (and your other articles) have helped a lot.

  5. Hi Andrew, thank you for the comment. Cheers!

  6. Hi is it possible to use a public IP address instead of a FQDN under the gateway setting configuration?

    1. Hello Anonymous, I am pretty certain you need to use a FQDN for the gateway setting configuration. Please let me know if you manage to get it working with a public IP address. Cheers!


Post a Comment