Application Delivery Management

Enabling HDX Insight data collection

HDX Insight is part of Citrix Application Delivery Management (ADM) Analytics. It gives IT end-to-end visibility into the ICA traffic that passes through Citrix ADC instances or Citrix SD-WAN appliances, so that IT can deliver a consistent user experience. HDX Insight provides business intelligence and failure analysis for the network, virtual desktops, applications, and application fabric: it can triage user issues immediately, collects data about virtual desktop connections, generates AppFlow records, and presents them as visual reports.

The configuration to enable data collection in the Citrix ADC differs with the position of the appliance in the deployment topology.

Enabling data collection for monitoring Citrix ADCs deployed in LAN user mode

External users who access Citrix Virtual Apps and Desktops applications must authenticate on the Citrix Gateway. Internal users, however, might not need to be redirected to the Citrix Gateway. Also, in a transparent mode deployment, the administrator must manually apply the routing policies so that requests are redirected to the Citrix ADC appliance.

To overcome these challenges, and to let LAN users connect directly to Citrix Virtual Apps and Desktops applications, you can deploy the Citrix ADC appliance in LAN user mode by configuring a cache redirection virtual server that acts as a SOCKS proxy on the Citrix Gateway appliance.

Deploy ADC in LAN user mode

Note: Citrix ADM and the Citrix Gateway appliance reside in the same subnet.

To monitor Citrix ADC appliances deployed in this mode, first add the Citrix ADC appliance to the NetScaler Insight inventory, enable AppFlow, and then view the reports on the dashboard.

After you add the Citrix ADC appliance to the Citrix ADM inventory, you must enable AppFlow for data collection.

Note

  • On an ADC instance, navigate to System > AppFlow > Collectors to check whether the collector (that is, Citrix ADM) is up. The Citrix ADC instance sends AppFlow records to Citrix ADM from its NSIP, but it uses its SNIP to verify connectivity with Citrix ADM, so ensure that a SNIP is configured on the instance.
  • You cannot enable data collection on a Citrix ADC deployed in LAN user mode by using the Citrix ADM configuration utility.
  • For detailed information about the commands and their usage, see Command Reference.
  • For information on policy expressions, see Policies and Expressions.

To configure data collection on a Citrix ADC appliance by using the command line interface:

At the command prompt, do the following:

  1. Log on to an appliance.

  2. Add a forward proxy cache redirection virtual server with the proxy IP and port, and specify the service type as HDX.

    add cr vserver <name> <servicetype> [<ipaddress> <port>] [-cacheType <cachetype>] [-cltTimeout <secs>]

    Example:

    add cr vserver cr1 HDX 10.12.2.2 443 -cacheType FORWARD -cltTimeout 180


    Note: If you are accessing the LAN network by using a Citrix Gateway appliance, add an action to be applied by a policy that matches the VPN traffic.

    add vpn trafficAction <name> <qual> [-HDX ( ON or OFF )]

    add vpn trafficPolicy <name> <rule> <action>

    Example:

    add vpn trafficAction act1 tcp -HDX ON

    add vpn trafficPolicy pol1 "REQ.IP.DESTIP == 10.102.69.17" act1

  3. Add Citrix ADM as an AppFlow collector on the Citrix ADC appliance.

    add appflow collector <name> -IPAddress <ip_addr>

    Example:

    add appflow collector MyInsight -IPAddress 192.168.1.101

  4. Create an AppFlow action and associate the collector with the action.

    add appflow action <name> -collectors <string>

    Example:

    add appflow action act -collectors MyInsight

  5. Create an AppFlow policy to specify the rule for generating the traffic.

    add appflow policy <policyname> <rule> <action>

    Example:

    add appflow policy pol true act

  6. Bind the AppFlow policy to a global bind point.

    bind appflow global <policyname> <priority> -type <type>

    Example:

    bind appflow global pol 1 -type ICA_REQ_DEFAULT


    Note

    The value of type must be ICA_REQ_OVERRIDE or ICA_REQ_DEFAULT to apply to ICA traffic.

  7. Set the value of the flowRecordInterval parameter for AppFlow to 60 seconds.

    set appflow param -flowRecordInterval 60

    Example:

    set appflow param -flowRecordInterval 60

  8. Save the configuration. Type: save ns config

Enabling data collection for Citrix Gateway appliances deployed in single-hop mode

When you deploy Citrix Gateway in single-hop mode, it is at the edge of the network. The Gateway instance provides proxy ICA connections to the desktop delivery infrastructure. Single-hop is the simplest and most common deployment. Single-hop mode provides security if an external user tries to access the internal network in an organization. In single-hop mode, users access the Citrix ADC appliances through a virtual private network (VPN).

To start collecting the reports, you must add the Citrix Gateway appliance to the Citrix Application Delivery Management (ADM) inventory and enable AppFlow on ADM.

To enable the AppFlow feature from Citrix ADM:

  1. In a web browser, type the IP address of the Citrix ADM (for example, http://192.168.100.1).

  2. In User Name and Password, enter the administrator credentials.

  3. Navigate to Networks > Instances, and select the Citrix ADC instance you want to enable analytics.

  4. From the Select Action list, select Configure Analytics.

  5. Select the VPN virtual servers, and click Enable Analytics.

  6. Select HDX Insight and then select ICA.

  7. Click OK.

Note

When you enable AppFlow in single-hop mode, the following commands run in the background. They are listed here for troubleshooting purposes.

-  add appflow collector <name> -IPAddress <ip_addr>

-  add appflow action <name> -collectors <string>

-  set appflow param -flowRecordInterval <secs>

-  disable ns feature AppFlow

-  enable ns feature AppFlow

-  add appflow policy <name> <rule> <expression>

-  set appflow policy <name> -rule <expression>

-  bind vpn vserver <vsname> -policy <string> -type <type> -priority <positive_integer>

-  set vpn vserver <name> -appflowLog ENABLED

-  save ns config

EUEM virtual channel data is part of HDX Insight data that the Citrix ADM receives from Gateway instances. EUEM virtual channel provides the data about ICA RTT. If EUEM virtual channel is not enabled, the remaining HDX Insight data are still displayed on Citrix ADM.

Enabling data collection for Citrix Gateway appliances deployed in double-hop mode

The Citrix Gateway double-hop mode provides additional protection to an organization's internal network because an attacker would need to penetrate multiple security zones or demilitarized zones (DMZs) to reach the servers in the secure network. If you want to analyze the number of hops (Citrix Gateway appliances) through which the ICA connections pass, along with the latency on each TCP connection and how it fares against the total ICA latency perceived by the client, you must install Citrix ADM so that the Citrix Gateway appliances report these statistics.

Enable analytics

The Citrix Gateway in the first DMZ handles user connections and performs the security functions of an SSL VPN. This Citrix Gateway encrypts user connections, determines how the users are authenticated, and controls access to the servers in the internal network.

The Citrix Gateway in the second DMZ serves as a Citrix Gateway proxy device. This Citrix Gateway enables the ICA traffic to traverse the second DMZ to complete user connections to the server farm.

The Citrix ADM can be deployed either in the subnet of the Citrix Gateway appliance in the first DMZ or in the subnet of the Citrix Gateway appliance in the second DMZ. In the above image, the Citrix ADM and the Citrix Gateway in the first DMZ are deployed in the same subnet.

In a double-hop mode, Citrix ADM collects TCP records from one appliance and ICA records from the other appliance. After you add the Citrix Gateway appliances to the Citrix ADM inventory and enable data collection, each of the appliances exports the reports by keeping track of the hop count and connection chain ID.

For Citrix ADM to identify which appliance is exporting records, each appliance is assigned a hop count and each connection is assigned a connection chain ID. The hop count is the number of Citrix Gateway appliances through which the traffic flows from a client to the servers. The connection chain ID identifies the end-to-end connection between the client and the server.

Citrix ADM uses the hop count and connection chain ID to correlate the data from both Citrix Gateway appliances and generates the reports.

To monitor Citrix Gateway appliances deployed in this mode, you must first add the Citrix Gateway to Citrix ADM inventory, enable AppFlow on Citrix ADM, and then view the reports on the Citrix ADM dashboard.

Configure HDX Insight on virtual servers used for Optimal Gateway

Steps to configure HDX Insight on virtual servers used for Optimal Gateway:

  1. Navigate to Networks > Instances, and select the Citrix ADC instance you want to enable analytics.

  2. From the Select Action list, select Configure Analytics.

  3. Select the VPN virtual server configured for authentication, and click Enable Analytics.

  4. Select HDX Insight and then select ICA.

  5. Select other advanced options as required.

  6. Click OK.

  7. Repeat steps 3 through 6 on the other VPN virtual server.

Enable data collection on Citrix ADM

If you enable Citrix ADM to collect ICA details from both appliances, the collected details are redundant: both appliances report the same metrics. To avoid this, enable AppFlow for ICA on one of the Citrix Gateway appliances and AppFlow for TCP on the other. One appliance then exports ICA AppFlow records and the other exports TCP AppFlow records. This also saves the processing time spent parsing the ICA traffic.

To enable the AppFlow feature from Citrix ADM:

  1. In a web browser, type the IP address of the Citrix ADM (for example, http://192.168.100.1).

  2. In User Name and Password, enter the administrator credentials.

  3. Navigate to Networks > Instances, and select the Citrix ADC instance you want to enable analytics.

  4. From the Select Action list, select Configure Analytics.

  5. Select the VPN virtual servers, and click Enable Analytics.

  6. Select HDX Insight and then select ICA or TCP for ICA traffic or TCP traffic respectively.

    Note

    If AppFlow logging is not enabled for the respective services or service groups on the Citrix ADC appliance, the Citrix ADM dashboard does not display the records, even if the Insight column shows Enabled.

  7. Click OK.

Configuring Citrix Gateway appliances to export data

After you install the Citrix Gateway appliances, you must configure the following settings on the Citrix Gateway appliances to export the reports to Citrix ADM:

  • Configure virtual servers of the Citrix Gateway appliances in the first and second DMZ to communicate with each other.

  • Bind the Citrix Gateway virtual server in the second DMZ to the Citrix Gateway virtual server in the first DMZ.

  • Enable double hop on the Citrix Gateway in the second DMZ.

  • Disable authentication on the Citrix Gateway virtual server in the second DMZ.

  • Enable one of the Citrix Gateway appliances to export ICA records.

  • Enable the other Citrix Gateway appliance to export TCP records.

  • Enable connection chaining on both the Citrix Gateway appliances.

Configure Citrix Gateway Using the Command Line Interface:

  1. Configure the Citrix Gateway virtual server in the first DMZ to communicate with the Citrix Gateway virtual server in the second DMZ.

    add vpn nextHopServer <name> <nextHopIP> <nextHopPort> [-secure (ON or OFF)] [-imgGifToPng]

    add vpn nextHopServer nh1 10.102.2.33 8443 -secure ON

  2. Bind the Citrix Gateway virtual server in the second DMZ to the Citrix Gateway virtual server in the first DMZ. Run the following command on the Citrix Gateway in the first DMZ:

    bind vpn vserver <name> -nextHopServer <name>

    bind vpn vserver vs1 -nextHopServer nh1

  3. Enable double hop and AppFlow on the Citrix Gateway in the second DMZ.

    set vpn vserver <name> [-doubleHop ( ENABLED or DISABLED )] [-appflowLog ( ENABLED or DISABLED )]

    set vpn vserver vpnhop2 -doubleHop ENABLED -appflowLog ENABLED

  4. Disable authentication on the Citrix Gateway virtual server in the second DMZ.

    set vpn vserver <name> [-authentication (ON or OFF)]

    set vpn vserver vs -authentication OFF

  5. Enable one of the Citrix Gateway appliances to export TCP records.

    bind vpn vserver <name> [-policy <string> -priority <positive_integer>] [-type <type>]

    bind vpn vserver vpn1 -policy appflowpol1 -priority 101 -type OTHERTCP_REQUEST

  6. Enable the other Citrix Gateway appliance to export ICA records:

    bind vpn vserver <name> [-policy <string> -priority <positive_integer>] [-type <type>]

    bind vpn vserver vpn2 -policy appflowpol1 -priority 101 -type ICA_REQUEST

  7. Enable connection chaining on both the Citrix Gateway appliances:

    set appflow param [-connectionChaining (ENABLED or DISABLED)]

    set appflow param -connectionChaining ENABLED

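The seven CLI steps above must be split correctly across the two DMZs: the next hop server and its binding go on the first-DMZ Gateway, double hop and authentication OFF go on the second-DMZ Gateway, exactly one appliance exports ICA records and the other TCP records, and connection chaining is enabled on both. The following script is an added example, not Citrix code: it plans that split from a small description of the two hops, rejects a plan where both hops would export the same record type, and emits the per-appliance command list. Appliance labels, virtual server names and addresses are constructed placeholders.

```python
"""Plan the double-hop AppFlow configuration and check the role split
before anything is typed into the appliances.

Added example, not Citrix code: the appliance labels, vserver names and
IP addresses used here are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class GatewayHop:
    name: str                              # constructed label for the appliance
    vserver: str                           # VPN virtual server name on that appliance
    exports: str                           # "ICA" or "TCP": which AppFlow records it exports
    next_hop: Optional[Tuple[str, int]] = None  # (ip, port) of the second-DMZ Gateway, first hop only


# AppFlow policy bind types from the procedure above, keyed by record type.
EXPORT_TYPES = {"ICA": "ICA_REQUEST", "TCP": "OTHERTCP_REQUEST"}


def validate_double_hop(first: GatewayHop, second: GatewayHop) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if first.exports not in EXPORT_TYPES or second.exports not in EXPORT_TYPES:
        problems.append("exports must be ICA or TCP")
    elif first.exports == second.exports:
        # Both hops reporting the same record type gives ADM redundant data.
        problems.append("both hops export %s records; split ICA and TCP" % first.exports)
    if first.next_hop is None:
        problems.append("first-DMZ Gateway needs the second-DMZ next hop server")
    return problems


def double_hop_commands(first: GatewayHop, second: GatewayHop,
                        policy: str = "appflowpol1", priority: int = 101) -> Dict[str, List[str]]:
    """Emit the CLI for each appliance as {appliance label: [commands]}."""
    problems = validate_double_hop(first, second)
    if problems:
        raise ValueError("; ".join(problems))
    ip, port = first.next_hop
    first_cmds = [
        # First DMZ: point at the second-DMZ Gateway and bind the next hop.
        "add vpn nextHopServer nh1 %s %d -secure ON" % (ip, port),
        "bind vpn vserver %s -nextHopServer nh1" % first.vserver,
        "bind vpn vserver %s -policy %s -priority %d -type %s"
        % (first.vserver, policy, priority, EXPORT_TYPES[first.exports]),
        "set appflow param -connectionChaining ENABLED",
        "save ns config",
    ]
    second_cmds = [
        # Second DMZ: proxy hop, so double hop on and authentication off.
        "set vpn vserver %s -doubleHop ENABLED -appflowLog ENABLED" % second.vserver,
        "set vpn vserver %s -authentication OFF" % second.vserver,
        "bind vpn vserver %s -policy %s -priority %d -type %s"
        % (second.vserver, policy, priority, EXPORT_TYPES[second.exports]),
        "set appflow param -connectionChaining ENABLED",
        "save ns config",
    ]
    return {first.name: first_cmds, second.name: second_cmds}
```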

Configure Citrix Gateway using Configuration Utility:

  1. Configure the Citrix Gateway in the first DMZ to communicate with the Citrix Gateway in the second DMZ and bind the Citrix Gateway in the second DMZ to the Citrix Gateway in the first DMZ.

    1. On the Configuration tab expand Citrix Gateway and click Virtual Servers.

    2. In the right pane, double-click the virtual server, and in the Advanced group, expand Published Applications.

    3. Click Next Hop Server and bind a next hop server to the second Citrix Gateway appliance.

  2. Enable double hop on the Citrix Gateway in the second DMZ.

    1. On the Configuration tab expand Citrix Gateway and click Virtual Servers.

    2. In the right pane, double-click the virtual server, and in the Basic Settings group, click the edit icon.

    3. Expand More, select Double Hop, and click OK.

  3. Disable authentication on the virtual server on the Citrix Gateway in the second DMZ.

    1. On the Configuration tab expand Citrix Gateway and click Virtual Servers.

    2. In the right pane, double-click the virtual server, and in the Basic Settings group, click the edit icon.

    3. Expand More, and clear Enable Authentication.

  4. Enable one of the Citrix Gateway appliances to export TCP records.

    1. On the Configuration tab expand Citrix Gateway and click Virtual Servers.

    2. In the right pane, double-click the virtual server, and in the Advanced group, expand Policies.

    3. Click the + icon and from the Choose Policy list, select AppFlow, and from the Choose Type list, select Other TCP Request.

    4. Click Continue.

    5. Add a policy binding, and click Close.

  5. Enable the other Citrix Gateway appliance to export ICA records:

    1. On the Configuration tab expand Citrix Gateway and click Virtual Servers.

    2. In the right pane, double-click the virtual server, and in the Advanced group, expand Policies.

    3. Click the + icon and from the Choose Policy list, select AppFlow, and from the Choose Type list, select Other TCP Request.

    4. Click Continue.

    5. Add a policy binding, and click Close.

  6. Enable connection chaining on both the Citrix Gateway appliances.

    1. On the Configuration tab, navigate to System > Appflow.

    2. In the right Pane, in the Settings group, double-click Change Appflow Settings.

    3. Select Connection Chaining and Click OK.


Enable data collection for monitoring Citrix ADCs deployed in transparent mode

When a Citrix ADC is deployed in transparent mode, the clients access the servers directly, with no intervening virtual server. If a Citrix ADC appliance is deployed in transparent mode in a Citrix Virtual Apps and Desktops environment, the ICA traffic is not transmitted over a VPN.

After you add the Citrix ADC to the Citrix ADM inventory, you must enable AppFlow for data collection. How you enable data collection depends on the device and the mode. In transparent mode, you add Citrix ADM as an AppFlow collector on each Citrix ADC appliance and configure an AppFlow policy to collect all or specific ICA traffic that flows through the appliance.

Note

  • You cannot enable data collection on a Citrix ADC deployed in transparent mode by using the Citrix ADM configuration utility.
  • For detailed information about the commands and their usage, see Command Reference.
  • For information on policy expressions, see Policies and Expressions.

The following figure shows the network deployment of a Citrix ADM when a Citrix ADC is deployed in a transparent mode:

Transparent mode

To configure data collection on a Citrix ADC appliance by using the command line interface:

At the command prompt, do the following:

  1. Log on to an appliance.

  2. Specify the ICA ports at which the Citrix ADC appliance listens for traffic.

    set ns param -icaPorts <port>...


    Example:

    set ns param -icaPorts 2598 1494

    Note

    • You can specify up to 10 ports with this command.
    • The default port number is 2598. You can modify the port number as required.

  3. Add NetScaler Insight Center as an AppFlow collector on the Citrix ADC appliance.

    add appflow collector <name> -IPAddress <ip_addr>

    Example:

    add appflow collector MyInsight -IPAddress 192.168.1.101


    Note: To view the AppFlow collectors configured on the Citrix ADC appliance, use the show appflow collector command.

  4. Create an AppFlow action and associate the collector with the action.

    add appflow action <name> -collectors <string> ...

    Example:

    add appflow action act -collectors MyInsight

  5. Create an AppFlow policy to specify the rule for generating the traffic.

    add appflow policy <policyname> <rule> <action>

    Example:

    add appflow policy pol true act

  6. Bind the AppFlow policy to a global bind point.

    bind appflow global <policyname> <priority> -type <type>

    Example:

    bind appflow global pol 1 -type ICA_REQ_DEFAULT


    Note

    The value of type must be ICA_REQ_OVERRIDE or ICA_REQ_DEFAULT to apply to ICA traffic.

  7. Set the value of the flowRecordInterval parameter for AppFlow to 60 seconds.

    set appflow param -flowRecordInterval 60

    Example:

    set appflow param -flowRecordInterval 60

  8. Save the configuration. Type: save ns config
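The LAN user mode and transparent mode procedures apply the same collector, action, policy, global bind and flowRecordInterval steps, and each states a constraint that is easy to get wrong when the commands are typed by hand: at most 10 ICA ports for set ns param -icaPorts, and a global bind type of ICA_REQ_OVERRIDE or ICA_REQ_DEFAULT so that the policy applies to ICA traffic. The following script is an added example, not Citrix code: it builds the command batch for either mode in the order the procedures above apply it and rejects input that violates those constraints before anything reaches the appliance. The collector name, addresses and the cr1/act/pol object names are the page's sample values or constructed placeholders.

```python
"""Build the AppFlow collector batch for LAN user mode or transparent mode,
checking the constraints the procedures state before the commands are applied.

Added example, not Citrix code; the collector name, IP addresses and object
names are the page's sample values or constructed placeholders.
"""
import ipaddress
from typing import List, Optional, Sequence, Tuple

ICA_BIND_TYPES = {"ICA_REQ_OVERRIDE", "ICA_REQ_DEFAULT"}
MAX_ICA_PORTS = 10  # limit stated for set ns param -icaPorts


def ica_port_command(ports: Sequence[int]) -> str:
    """set ns param -icaPorts accepts up to 10 ports; reject bad input early."""
    if not ports or len(ports) > MAX_ICA_PORTS:
        raise ValueError("between 1 and %d ICA ports required" % MAX_ICA_PORTS)
    bad = [p for p in ports if not (isinstance(p, int) and 1 <= p <= 65535)]
    if bad:
        raise ValueError("invalid port(s): %r" % bad)
    return "set ns param -icaPorts " + " ".join(str(p) for p in ports)


def appflow_batch(collector: str, collector_ip: str,
                  bind_type: str = "ICA_REQ_DEFAULT",
                  ica_ports: Optional[Sequence[int]] = None,
                  lan_proxy: Optional[Tuple[str, int]] = None,
                  interval: int = 60) -> List[str]:
    """Return the ADC CLI lines in the order the procedures apply them.

    ica_ports -> transparent mode: step 2 sets the ports the ADC listens on.
    lan_proxy -> LAN user mode: (ip, port) of the HDX cache redirection vserver.
    """
    if bind_type not in ICA_BIND_TYPES:
        # Any other bind point would not apply the policy to ICA traffic.
        raise ValueError("type must be one of %s" % sorted(ICA_BIND_TYPES))
    ipaddress.ip_address(collector_ip)  # raises ValueError on a malformed address
    cmds: List[str] = []
    if ica_ports is not None:
        cmds.append(ica_port_command(ica_ports))
    if lan_proxy is not None:
        ip, port = lan_proxy
        ipaddress.ip_address(ip)
        cmds.append("add cr vserver cr1 HDX %s %d -cacheType FORWARD -cltTimeout 180" % (ip, port))
    cmds += [
        "add appflow collector %s -IPAddress %s" % (collector, collector_ip),
        "add appflow action act -collectors %s" % collector,
        "add appflow policy pol true act",
        "bind appflow global pol 1 -type %s" % bind_type,
        "set appflow param -flowRecordInterval %d" % interval,
        "save ns config",
    ]
    return cmds
```

The returned lines can be written to a file and applied with the appliance's batch facility, or pasted into the CLI one per line.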