This is probably the 2nd most FAQ after printing.
There are three ways to handle Internet access to the Web Interface to get access to published apps.
1. The not totally safe way. Access the Web Interface directly using ALTADDR on every XenApp server. The downside to that is you have to have a separate Public IP for every XenApp server. That, obviously, doesn't scale very well. You do not have to create a 2nd site to do this. Just add the proper DMZ setting in the Access Mgmt Console.
2. Better. Use the FREE Citrix Secure Gateway software. See the directions here:
http://msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part1.htmlhttp://msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part2.htmlWith this you only need one Public IP address. But you will also need an SSL Certificate. The FREE CSG is limited, by default, to 250 concurrent connections (and I wouldn't recommend going any higher).
3. Best. Use a hardware SSL appliance in front of your Web Interface server. This will also only require one Public IP address, will also require an SSL cert and, depending on the device, handle thousands of concurrent connections.
Most Citrix installs are best served by option #2. Citrix will push you to #3.
