
Is it possible to set up an authentication URL in front of a Citrix Gateway on an ADC?


Samuel Snyder1709163153

Question

I'm working with a customer that wants to

1) use a MANDATORY user certificate installed on an iGEL device to allow access to an Access Gateway vServer logon screen (easy enough).

&

2) use a separate certificate on a smart card when the app/desktop is launched and the ICA/HDX session is starting.

 

I've been able to get the user certificate on the iGEL to present to the vServer and the logon page appears. I can log on and it enumerates the applications & desktops available (Item 1 success). The problem is that when I try to launch a desktop or app it is trying to use that same certificate. It is giving an SSL 47 Handshake error. I believe that the error is caused based on the "Type" of certificate on the iGEL. The iGEL administrator has the certificate added as an SSL certificate instead of a General (all-purpose) certificate to allow ICA/HDX sessions.

 

Is there a way to configure it so that the certificate used to allow access to the Gateway logon screen is not passed to the Citrix Workspace App for use in the ICA/HDX connection? I think if I could figure out that process, I could configure the Windows desktop VDAs & server VDAs to require the smart card at logon and both requirements would be met.

 

On a Windows machine with a copy of the cert that is installed on the iGEL device, the ICA/HDX session is connected (without the SSL 47 error). The machines with the VDAs aren't configured to require smart card login yet, so the session starts. The same works with the certificate on the smart card. The smart card also fails on the iGEL. If I configure the SSL policy on the Gateway vServer to be OPTIONAL, using the smart card on the iGEL device successfully launches a session.

 

I'd really appreciate any guidance the community has on this.

There have been no answers to this question yet

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...