Citrix Secure Gateway (CSG) 3.1 Deployment Issue

by Jeremy Saunders on December 19, 2008

Something I found after installing Citrix Secure Gateway (CSG) 3.1 on a server running Web Interface (WI) 5.0.1. It removed permissions from the “%ProgramFiles%\Citrix\Web Interface\5.0.1\Clients” folder and instructed it to inherit from its parent.

Therefore, only the Administrators local group had full control.

This was causing problems for client updates and downloads via the CSG server.

An error in the Application Event Log was…

Event Type: Error
Event Source: Citrix Web Interface
Event Category: None
Event ID: 0
Date: 19/12/2008
Time: 8:33:45 AM
User: N/A
Computer: NOT-TELLING-01
Site path: c:\inetpub\wwwroot\Citrix\XenApp.

Due to an error, the file watcher could not be created at the path C:\Program Files\Citrix\Web Interface\5.0.1\Clients. [Log ID: e22724f9]

This could be correlated to a Security Log event that was suggesting that the Network Service account could not traverse the filesystem.

So after comparing it to a standard Web Interface 5.0.1 deployment without CSG 3.1 installed, I found that this folder had been given explicit permissions for the local Administrators, Authenticated Users and NETWORK SERVICE security principals.

So I guess I just needed to add them back in with the appropriate access.

  • Administrators – Full Control
  • Authenticated Users – Read & Execute
  • NETWORK SERVICE – Read & Execute

Here is the XCACLS.vbs script I ran…

cscript.exe "%SystemRoot%\xcacls.vbs" "%ProgramFiles%\Citrix\Web Interface\5.0.1\Clients" /P ADMINISTRATORS:F "NETWORK SERVICE":X "Authenticated Users":X

I’m still not 100% sure what caused this in the first place, and haven’t had a chance to prove it, but I’m dubious about the CSG 3.1 deployment, so just thought I’d post this article for anyone else that may run into the same problem.
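
To confirm whether a server is in the broken state, or that the fix took effect, the folder's ACL can be compared against the three entries listed above. The following is an added example, not part of the original post: the function name and output shape are hypothetical, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: audit the Web Interface Clients folder ACL against the three
# entries listed in the post. Function name and output shape are assumptions.
function Test-ClientsFolderAcl {
    param(
        [string]$Path = (Join-Path $env:ProgramFiles 'Citrix\Web Interface\5.0.1\Clients')
    )

    # Well-known SIDs, so the check does not depend on localized account names.
    $expected = @{
        'S-1-5-32-544' = 'FullControl'      # BUILTIN\Administrators
        'S-1-5-11'     = 'ReadAndExecute'   # Authenticated Users
        'S-1-5-20'     = 'ReadAndExecute'   # NETWORK SERVICE
    }

    $acl   = Get-Acl -Path $Path -ErrorAction Stop
    $sidT  = [System.Security.Principal.SecurityIdentifier]
    $rules = $acl.GetAccessRules($true, $true, $sidT)   # explicit + inherited
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    $missing = @()
    foreach ($sid in $expected.Keys) {
        $want    = [int][System.Security.AccessControl.FileSystemRights]$expected[$sid]
        $granted = 0
        foreach ($r in $rules) {
            # Inherit-only ACEs apply to children, not to the folder itself.
            if (([int]$r.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            if ($r.IdentityReference.Value -eq $sid -and $r.AccessControlType -eq 'Allow') {
                $granted = $granted -bor [int]$r.FileSystemRights
            }
        }
        if (($granted -band $want) -ne $want) {
            $have = [System.Security.AccessControl.FileSystemRights]$granted
            $missing += "$sid needs $($expected[$sid]), has: $have"
        }
    }

    [pscustomobject]@{
        Path               = $Path
        InheritsFromParent = -not $acl.AreAccessRulesProtected
        Compliant          = ($missing.Count -eq 0)
        Missing            = $missing
    }
}

Test-ClientsFolderAcl | Format-List
```

On a server in the state described above, `Missing` would list the Authenticated Users and NETWORK SERVICE SIDs, since only the Administrators local group had access.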

FYI, I use the Network Service account as the CSG services account as per the following deployment script…

@Echo Off
Echo Citrix XenApp Deployment
Echo ------------------------
Echo  Revision History: 
Echo     v2.0 04/12/08
Echo                   Updated for Secure Gateway 3.1
Echo        ....Installing Secure Gateway 3.1.....

Set CSGVersion=3.1
Set WIVersion=5.0.1

Set loglocation=%systemDrive%\bldlogs
if not exist %loglocation% md %loglocation%

:: Installing CSG
Set SetupProperties=/qb
Set SetupProperties=%SetupProperties% CTX_INSTALL_TYPE=GATEWAY
Set SetupProperties=%SetupProperties% CTX_SERVICE_ACCOUNT="Network Service"
Set SetupProperties=%SetupProperties% /Lv* %loglocation%\CSG_GWY%CSGVersion%.log
Set SetupProperties=%SetupProperties% REBOOT=ReallySuppress

start "Installing" /wait msiexec /i "%~dp0%CSGVersion%\CSG_GWY.MSI" %SetupProperties%

:: Fixing up Web Interface Client Deployment Issues...
cscript.exe "%SystemRoot%\xcacls.vbs" "%ProgramFiles%\Citrix\Web Interface\%WIVersion%\Clients" /P ADMINISTRATORS:F "NETWORK SERVICE":X "Authenticated Users":X

Exit /b 0

Jeremy Saunders

Independent Consultant | Contractor | Microsoft & Citrix Specialist | Desktop Virtualization Specialist at J House Consulting
Jeremy is a highly respected, IT Professional, with over 30 years’ experience in the industry. He is an independent IT consultant providing expertise to enterprise, corporate, higher education and government clients. His skill set, high ethical standards, integrity, morals and attention to detail, coupled with his friendly nature and exceptional design and problem solving skills, makes him one of the most highly respected and sought after Microsoft and Citrix technical resources in Australia. His alignment with industry and vendor best practices puts him amongst the leaders of his field.