Setting Up Citrix Access Gateway VPX 5.0.1 and SSL Certificate for use with Citrix Desktop Delivery Controller - Walkthrough

Credit: This is an edit of Lupa Mooncak's (another anagram of real name) document, published with permission. Thanks Lupa!

Part A: Download OVF template and import to your vSphere environments

1: Go to or Google “Get Citrix Access Gateway” and click on the first result

2: On the web page there is a 'Try it' button and from here follow the prompts to download cag_5.0.1.183500.ova or similar

3: Once the .ova file is downloaded, via the vSphere client click File → Deploy OVF Template...

Browse to the .ova file, and follow the wizard (mostly next, next, next ...) to import the CAG (Citrix Access Gateway) VPX to the virtual infrastructure.

The CAG requires 13GB free space on a datastore (12GB disk, 1GB memory)

Part B: Configure Citrix Access Gateway VPX 5.0.1

1: Before booting it up, choose the networks that the CAG will be connected to. The CAG comes with 4 virtual network adapters. This walkthrough will only use 3 of the virtual network adapters.

Network adapter 1: DMZ
Network adapter 2: Management Network
Network adapter 3: Server Network (with access to the Citrix Desktop Delivery Controller)

Feel free to set this up as preferred; it will work fine with just one network adapter configured for web access, management, and internal server communication. If this is a hosting environment, additional network adapters might be used to talk to different controllers.

2: Power on the CAG VPX

3: Once the CAG has completed boot up, log in to the console with the default credentials -

login: admin
password: admin

Access Gateway,, { date }

Main Menu
[0] Express Setup
[1] System
[2] Troubleshooting
[3] Help
[4] Log Out

Choose 0 for Express Setup

4: Express menu – run through the options inputting configuration as required

Express Menu
(After all the required configuration changes, please use '[6]Commit Changes' to save the changes.)
[0] Internal Management Interface
[1] Interface IP, Netmask
[2] Default Gateway
[3] DNS Server
[4] NTP Servers
[5] AG Deployment Mode
[6] Commit Changes
[7] Back to Main Menu

Only options 0,1, and 2 need to be completed here, the rest can be done via the Web UI

5: Once options 0,1, and 2 from the Express Setup Menu have been configured via the console, and the option 6 to commit changes has been applied; after reboot of the CAG connect to the Management Console on

https://AccessGatewayIPAddress/lp/adminlogonpoint  (Note after the IP Address it is 'ell' 'pee')

- and login with the default credentials – username = admin , password = admin

After login, the Access Gateway Management web page loads:

6: Further configuration via the Access Gateway Management (ACM) Web UI

The ACM Web UI contains a lot of menus and settings, which will be left for another time, another article, or the excellent Citrix documentation at . Here we will skip to Part C regarding getting the SSL certificate to work with the Citrix Desktop Delivery Controller.

A quick overview of things to be configured via the Management web page include:

Networking (set the 'Host Name' to be the same as what is to be on your external SSL certificate)
Name Service Providers (enter internal DNS server's IP, a DNS suffix, and can add any internal controllers into the 'HOSTS File' to be sure they resolve)
Password (change from default one ASAP)
Date and Time
Licensing (either point to the internal license server, upload an express license {the express license must match the host name of the CAG, and is case sensitive} … )
Authentication Profiles (configure an LDAP profile for Active Directory communication)
Logon Points (point the CAG to Web Interface of your XenApp/XenDesktop web interface)
XenApp or XenDesktop (type in your internal IP address ranges for both ICA and Session Reliability, which creates an access control list, also include the VDI IP Address range)
Secure Ticket Authority (type in the IP or hostname to the internal secure ticket authority)

Part C: Install SSL certificate on CAG for use with the Citrix Desktop Delivery Controller (CDDC)

1: Obtain an SSL certificate for the external DNS name (e.g

If this is a proof of concept then can use a free for 12 month SSL certificate from
The startssl cert will be of type .p12 (Personal Information Exchange/PFX) and will need to be converted to a .pem file with the password used when the cert was created. Can convert from .p12 to .pem at

2: Log on to the Access Gateway Management Web UI and go to 'Certificates'

Under 'Certificate Management'
Select the 'Import' drop down
Choose 'Server (.pem)' or 'Server (.pfx)'
Enter the password for the private key as required
Mark the imported SSL certificate as active (the CAG comes with an internal self-signed SSL cert which is initially marked as the active SSL certificate)

Note: At this point the certificate can be tested on the external web address to check all is okay

Steps 3 to 7 resolve proxy connection type errors if these are encountered:

3: On the Citrix Desktop Delivery Controller (CDDC) open a new mmc and add to it two snap-ins -
Certificates → My user account
Certificates → Computer account

4: Take screenshots of -
Certificates – Current User → Personal → Certificates
Certificates – Current User → Trusted Root Certification Authorites → Certificates
Certificates – Current User → Intermediate Certification Authorities → Certificates
(this step is required to identify new keys that get installed when the import is done in step 5)

5: Import the key -
Download the .p12 key to the CDDC
Right-click and choose 'Install PFX'
Follow the 'Certificate Import Wizard' entering password for the private key, leaving the tick on 'Include all extended properties', let it 'Automatically select the certificate store based on the type of certificate', finish

6: For convenience copy newly installed certificates from -
Certificates – Current User → Trusted Root Certification Authorites → Certificates
Certificates – Current User → Intermediate Certification Authorities → Certificates
- into -
Certificates – Current User → Personal → Certificates
- also taking note of the newly installed certificate in Personal

7: Copy all the new installed certificates from -
Certificates – Current User → Personal → Certificates
- into -
Certificates (Local Computer) → Trusted Root Certification Authorities → Certificates
Certificates (Local Computer) → Intermediate Certification Authorities → Certificates
Certificates (Local Computer) → Third-Party Root Certification Authorities → Certificates

And voila! The proxy connection type errors should be resolved.


  1. hi there
    great document. i have on question about cag and xendesktop5. i want to use a dyndns adress to connect to the xendesktop 5 environment.
    if i follow your instructions i always get a blank page when i want to access the cag. do you have any tips ?

  2. Thank you for the comment dk!
    Regarding dyndns, I can see no reason why it shouldn't work, possibly if the external reverse-DNS and internal reverse-DNS points to a different IP address, this could cause a problem.

  3. I was able to export my Certificate from the Citrix Web Interface as a PFX, and import it into the CAG as a PFX. No conversion to a PEM at all. Is this incorrect?

  4. One issue i have found with dydns, you cannot get a SSL Certificate. I tried to get one through StartSSL and typed in my registered DyDNS domain and it said it was on a blacklist and subdomains are not supported. I ended up having to purchase a proper domain to test this.

    1. i want to try with dyndns i m getting the same black scrrn , can u help me pls

  5. Thanks for this useful information really helpful
    and dont forget to visit Adapters for Access Control


Post a Comment