-
-
Migrate workloads between resource locations using Image Portability Service
-
-
-
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Rendezvous V1
When using the Citrix Gateway Service, the Rendezvous protocol allows VDAs to bypass the Citrix Cloud Connectors to connect directly and securely with the Citrix Cloud control plane.
Requirements
- Access to environment using Citrix Workspace and Citrix Gateway service.
- Control Plane: Citrix DaaS (Citrix Cloud).
- VDA: Version 1912 or later.
- Version 2012 is the minimum required for EDT Rendezvous.
- Version 2012 is the minimum required for non-transparent proxy support (no PAC file support).
- Version 2103 is the minimum required for proxy configuration with a PAC file.
- Enable the Rendezvous protocol in the Citrix policy. For more information, see Rendezvous protocol policy setting.
- The VDAs must have access to
https://*.nssvc.net
, including all subdomains. If you can’t add all subdomains to the allow list in that manner, usehttps://*.c.nssvc.net
andhttps://*.g.nssvc.net
instead. For more information, see the Internet Connectivity Requirements section of the Citrix Cloud documentation (under Citrix DaaS) and the Knowledge Center article CTX270584. - The VDAs must be able to connect to the addresses mentioned previously on TCP 443 and UDP 443 for TCP Rendezvous and EDT Rendezvous, respectively.
- Cloud Connectors must obtain the VDAs’ FQDNs when brokering a session. Accomplish this task in one of these two ways:
-
Enable DNS resolution for the site. Navigate to Settings and turn on the Enable DNS resolution setting. Alternatively, use the Citrix Virtual Apps and Desktops Remote PowerShell SDK and run the command
Set-BrokerSite -DnsResolutionEnabled $true
. For more information about the Citrix Virtual Apps and Desktops Remote PowerShell SDK, see SDKs and APIs. - DNS Reverse Lookup Zone with PTR records for the VDAs. If you choose this option, we recommend that you configure VDAs to always attempt to register PTR records. To do so, use the Group Policy Editor or Group Policy Object, navigate to Computer Configuration > Administrative Templates > Network > DNS Client, and set Register PTR Records to Enabled and Register. If the connection’s DNS suffix does not match the domain’s DNS suffix, you must also configure the Connection-specific DNS suffix setting for the machines to register PTR records successfully.
Note:
If using the DNS resolution option, the Cloud Connectors must be able to resolve the fully qualified domain names (FQDNs) of the VDA machines. In the case that internal users connect directly to the VDA machines, the client devices also must be able to resolve the VDA machines’ FQDNs.
If using a DNS reverse lookup zone, the FQDNs in the PTR records must match the FQDNs of the VDA machines. If the PTR record contains a different FQDN, the Rendezvous connection fails. For example, if the machine’s FQDN is
vda01.domain.net
, the PTR record must containvda01.domain.net
. A different FQDN such asvda01.sub.domain.net
does not work. -
Enable DNS resolution for the site. Navigate to Settings and turn on the Enable DNS resolution setting. Alternatively, use the Citrix Virtual Apps and Desktops Remote PowerShell SDK and run the command
Proxy configuration
The VDA supports establishing Rendezvous connections through a proxy.
Proxy considerations
Consider the following when using proxies with Rendezvous:
- Transparent proxies, non-transparent HTTP proxies, and SOCKS5 proxies are supported.
- Packet decryption and inspection are not supported. Configure an exception so that the ICA traffic between the VDA and the Gateway Service is not intercepted, decrypted, or inspected. Otherwise, the connection breaks.
-
HTTP proxies support machine-based authentication by using Negotiate and Kerberos or NT LAN Manager (NTLM) authentication protocols.
When you connect to the proxy server, the Negotiate authentication scheme automatically selects the Kerberos protocol. If Kerberos isn’t supported, Negotiate falls back to NTLM for authentication.
Note:
To use Kerberos, you must create the service principal name (SPN) for the proxy server and associate it with the proxy’s Active Directory account. The VDA generates the SPN in the format
HTTP/<proxyURL>
when establishing a session, where the proxy URL is retrieved from the Rendezvous proxy policy setting. If you don’t create an SPN, authentication falls back to NTLM. In both cases, the VDA machine’s identity is used for authentication. - Authentication with a SOCKS5 proxy is not currently supported. If using a SOCKS5 proxy, you must configure an exception so that traffic destined to Gateway Service addresses (specified in the requirements) can bypass authentication.
- Only SOCKS5 proxies support data transport through EDT. For an HTTP proxy, use TCP as the transport protocol for ICA.
Transparent proxy
If using a transparent proxy in your network, no additional configuration is required on the VDA.
Non-transparent proxy
If using a non-transparent proxy in your network, configure the Rendezvous proxy configuration setting. When the setting is enabled, specify the HTTP or SOCKS5 proxy address, or enter the path to the PAC file so the VDA knows which proxy to use. For example:
- Proxy address:
http://<URL or IP>:<port>
orsocks5://<URL or IP>:<port>
- PAC file:
http://<URL or IP>/<path>/<filename>.pac
If you use the PAC file to configure the proxy, define the proxy using the syntax required by the Windows HTTP service: PROXY [<scheme>=]<URL or IP>:<port>
. For example, PROXY socks5=<URL or IP>:<port>
.
Rendezvous validation
If you meet all requirements, follow these steps to validate if Rendezvous is in use:
- Launch PowerShell or a command prompt within the HDX session.
- Run
ctxsession.exe –v
. - The transport protocols in use indicate the type of connection:
- TCP Rendezvous: TCP > SSL > CGP > ICA
- EDT Rendezvous: UDP > DTLS > CGP > ICA
- Proxy through Cloud Connector: TCP > CGP > ICA
Other considerations
Windows cipher suite order
For a custom cipher suite order, make sure that you include the VDA-supported cipher suites from the following list:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
If the custom cipher suite order does not contain these cipher suites, the Rendezvous connection fails.
Zscaler Private Access
If using Zscaler Private Access (ZPA), it is recommended that you configure bypass settings for the Gateway Service to avoid increased latency and the associated performance impact. To do so, you must define application segments for the Gateway Service addresses – specified in the requirements – and set them to always bypass. For information on configuring application segments to bypass ZPA, see the Zscaler documentation.
Share
Share
In this article
This Preview product documentation is Citrix Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Citrix Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Citrix product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.