Citrix Secure Gateway (CSG) 3.1 Deployment Issue

by Jeremy Saunders on December 19, 2008

Something I found after installing Citrix Secure Gateway (CSG) 3.1 on a server running Web Interface (WI) 5.0.1. It removed permissions from the “%ProgramFiles%\Citrix\Web Interface\5.0.1\Clients” folder and instructed it to inherit from its parent.

Therefore, only the Administrators local group had full control.

This was causing problems for client updates and downloads via the CSG server.

An error in the Application Event Log was…

Event Type: Error
Event Source: Citrix Web Interface
Event Category: None
Event ID: 0
Date: 19/12/2008
Time: 8:33:45 AM
User: N/A
Computer: NOT-TELLING-01
Description:
Site path: c:\inetpub\wwwroot\Citrix\XenApp.

Due to an error, the file watcher could not be created at the path C:\Program Files\Citrix\Web Interface\5.0.1\Clients. [Log ID: e22724f9]

This could be correlated to a Security Log event that was suggesting that the Network Service account could not traverse the filesystem.

So after comparing it to a standard Web Interface 5.0.1 deployment without CSG 3.1 installed, I found that this folder had been given explicit permissions for the local Administrators, Authenticated Users and NETWORK SERVICE security principals.

So I guess I just needed to add them back in with the appropriate access.

  • Administrators – Full Control
  • Authenticated Users – Read & Execute
  • NETWORK SERVICE – Read & Execute

Here is the XCACLS.vbs script I ran…

cscript.exe "%SystemRoot%\xcacls.vbs" "%ProgramFiles%\Citrix\Web Interface\5.0.1\Clients" /P ADMINISTRATORS:F "NETWORK SERVICE":X "Authenticated Users":X

I’m still not 100% sure what caused this in the first place, and haven’t had a chance to prove it, but I’m dubious about the CSG 3.1 deployment, so just thought I’d post this article for anyone else that may run into the same problem.

FYI, I use the Network Service account as the CSG services account as per the following deployment script…

@Echo Off
Echo Citrix XenApp Deployment
Echo ------------------------
Echo. 
Echo  Revision History: 
Echo.
Echo     v2.0 04/12/08 Jeremy@jhouseconsulting.com
Echo                   Updated for Secure Gateway 3.1
Echo.
Echo        ....Installing Secure Gateway 3.1.....
Echo.
Echo.

Set CSGVersion=3.1
Set WIVersion=5.0.1

Set loglocation=%systemDrive%\bldlogs
if not exist %loglocation% md %loglocation%

:: Installing CSG
Set SetupProperties=/qb
Set SetupProperties=%SetupProperties% CTX_INSTALL_TYPE=GATEWAY
Set SetupProperties=%SetupProperties% CTX_SERVICE_ACCOUNT="Network Service"
Set SetupProperties=%SetupProperties% /Lv* %loglocation%\CSG_GWY%CSGVersion%.log
Set SetupProperties=%SetupProperties% REBOOT=ReallySuppress

start "Installing" /wait msiexec /i "%~dp0%CSGVersion%\CSG_GWY.MSI" %SetupProperties%

:: Fixing up Web Interface Client Deployment Issues...
cscript.exe "%SystemRoot%\xcacls.vbs" "%ProgramFiles%\Citrix\Web Interface\%WIVersion%\Clients" /P ADMINISTRATORS:F "NETWORK SERVICE":X "Authenticated Users":X

Exit /b 0
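
A read-only check of the result, added here as an example and not part of the author's scripts: it reads the folder ACL and reports whether each of the three entries listed above is effective on the folder itself, and whether the folder inherits from its parent. The function name Test-ClientsFolderAcl is hypothetical, and matching principals by well-known SID (rather than by account name) is an assumption made to avoid localized names.

```powershell
# Added example (not from the original post): audit the Clients folder ACL.
function Test-ClientsFolderAcl {
    param([Parameter(Mandatory)][string]$Path)

    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Expected entries, taken from the list in the post; SIDs are the well-known ones.
    $expected = @(
        @{ Name = 'Administrators';      Sid = 'S-1-5-32-544'; Rights = $fsr::FullControl }
        @{ Name = 'Authenticated Users'; Sid = 'S-1-5-11';     Rights = $fsr::ReadAndExecute }
        @{ Name = 'NETWORK SERVICE';     Sid = 'S-1-5-20';     Rights = $fsr::ReadAndExecute }
    )
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    $acl   = Get-Acl -LiteralPath $Path
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($e in $expected) {
        $granted = 0
        foreach ($r in $rules) {
            $appliesHere = ([int]$r.PropagationFlags -band $inheritOnly) -eq 0
            if ($r.IdentityReference.Value -eq $e.Sid -and
                $r.AccessControlType -eq 'Allow' -and $appliesHere) {
                # Accumulate rights across multiple Allow entries for the same SID.
                $granted = $granted -bor [int]$r.FileSystemRights
            }
        }
        $want = [int]$e.Rights
        [pscustomobject]@{
            Principal          = $e.Name
            Expected           = $e.Rights
            Granted            = [System.Security.AccessControl.FileSystemRights]$granted
            Ok                 = ($granted -band $want) -eq $want
            # False means the folder inherits from its parent, as described in the post.
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
    }
}

# Path as given in the post; Deny entries are not evaluated by this check.
$clients = Join-Path $env:ProgramFiles 'Citrix\Web Interface\5.0.1\Clients'
Test-ClientsFolderAcl -Path $clients | Format-Table -AutoSize
```

Any row with Ok set to False identifies a principal whose access is missing; run it before and after the CSG install to see whether the installer changed the folder.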