Configure Citrix Gateway to support Enlightened Data Transport and HDX Insight

EDT traffic through Gateway now has end-to-end visibility. Availability of both real-time and historical visibility data enables Citrix ADM to support a wide variety of use cases.

The following scenarios are supported:

| Scenario | EDT support |
|---|---|
| Citrix Gateway | Yes |
| Citrix Gateway with High Availability (HA) | Yes |
| Citrix Gateway with High Availability (HA) optimization | Yes |
| Citrix ADC with Unified Gateway | Yes |
| Citrix Gateway with GSLB | Yes |
| Citrix Gateway with Cluster | Yes |
| Citrix Workspace app to Citrix Gateway DTLS encryption | Yes |
| Dual Secure Ticket Authority (STA) on Citrix Gateway | Yes |
| Citrix Gateway ICA session timeout | Yes |
| Citrix Gateway Multi-Stream ICA | Yes |
| Citrix Gateway session reliability (Port 2598) | Yes |
| Citrix Gateway Double-Hop | Yes |
| Citrix ADC to VDA DTLS encryption | Yes |
| HDX Insight | Yes |
| Citrix Gateway in IPv6 mode | No |
| Citrix Gateway SOCKS (Port 1494) | No |
| Citrix ADC pure LAN proxy | No |

Configure Citrix Gateway to support Enlightened Data Transport

If you use Enlightened Data Transport (EDT), Datagram Transport Layer Security (DTLS) must be enabled to encrypt the UDP connection used by EDT. The DTLS parameter must be enabled at the Gateway VPN virtual-server level, and Citrix Virtual Apps and Desktops components must be correctly upgraded and configured to achieve encrypted traffic between the Gateway VPN virtual server and the user device.

Note: The UDP port (for example, port 443) configured for the Citrix Gateway frontend virtual server must be opened in the DMZ for the virtual server to receive the DTLS connections. DTLS and CGP are prerequisites for EDT to work with Citrix Gateway.

To configure Citrix Gateway to support EDT using the GUI

  1. Deploy and configure Citrix Gateway to communicate with StoreFront and authenticate users for Citrix Virtual Apps and Desktops.

  2. On the Configuration tab in the Citrix ADC GUI, expand Citrix Gateway and select Virtual Servers.

  3. Click Edit to display Basic Settings for the VPN Virtual Server, and then verify the state of the DTLS setting.

  4. Click More to display additional configuration options.

  5. Select DTLS to provide communications security for datagram protocols. Click OK. The Basic Settings area for the VPN Virtual Server shows that the DTLS flag is set to True.

  6. Reopen the Server Certificate Binding screen and click the plus icon (+) to bind the certificate-key pair.

  7. Click Select next to the certificate-key pair that you bound.

  8. Save the changes to the server-certificate binding.

  9. When the certificate key pair appears, click Bind.

To configure Citrix Gateway for EDT support using the CLI, type the following command:

set vpn vserver vs1 -DTLS ON

Configure Citrix Gateway to support HDX Insight

HDX Insight provides end-to-end visibility for HDX traffic to virtual apps and desktops passing through Citrix ADC. It also enables administrators to view real-time client and network latency metrics, historical reports, end-to-end performance data, and troubleshoot performance issues.

To configure Citrix Gateway to support HDX Insight using the GUI, follow the steps below:

  1. On the Configuration tab, navigate to System > AppFlow > Collectors, and click Add.

  2. On the Create AppFlow Collector page, populate the following fields and click Create.

    Name – Name for the collector.

    IP address – IPv4 address of the collector.

    Port – Port on which the collector listens.

    Net Profile – Net profile to associate with the collector. The IP address defined in the profile is used as the source IP address for AppFlow traffic for this collector. If you do not set this parameter, the Citrix ADC IP (NSIP) address is used as the source IP address.

    Transport – Transport type of the collector.

  3. Navigate to System > AppFlow > Actions, and click Add.

  4. On the Create AppFlow Action page, populate the following fields and click Create.

    AppFlow Action Name – Name for the action.

    Comment – Any comment about the action.

    Collector – Names of the collectors to be associated with the AppFlow action.

    Transaction Log – Type of transactions to be logged.

  5. Navigate to System > AppFlow > Policies, and click Add.

  6. On the Create AppFlow Policy page, populate the following fields, and click Create.

    Name – Name for the policy.

    Action – Name of the action to be associated with the policy.

    UNDEF – Name of the AppFlow action to be associated with this policy when an undefined event occurs.

    Expression – Expression or other value against which the traffic is evaluated. Must be a Boolean expression.

    Comments – Any comments about this policy.

  7. Navigate to Citrix Gateway > Virtual Servers, select the virtual server, and click Edit.

  8. Scroll down the VPN Virtual Server page and, under the Policies section, click +.

  9. On the Choose Type screen, in the Choose Policy drop-down menu, select AppFlow. In the Choose Type drop-down menu, choose Request or ICA Request and click Continue.

  10. Click the highlighted arrow under Select Policy.

  11. Select the AppFlow policy and click Select.

  12. Finally, click Bind.

To configure Citrix Gateway for HDX Insight support using the CLI, type the following commands:

add appflow collector col3 -IPAddress <ip_mas>
add appflow action <action_name> -collectors col3
add appflow policy <policy_name> true <action_name>
bind vpn vserver <vserver_name> -pol <policy_name> -priority 101 END -type ICA_REQUEST
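
The following check is an added example, not Citrix code: it reads a list of commands in the form shown on this page and reports any broken link in the collector, action, policy and binding chain, or a virtual server that receives the binding without DTLS set to ON. It assumes the action names its collector with -collectors and the binding uses -type ICA_REQUEST; act1, pol1 and the collector address are constructed sample values.

```python
import shlex

# Constructed sample: the page's commands with names filled in (vs1 and col3
# appear on the page; act1, pol1 and the 192.0.2.10 address are made up).
SAMPLE = """\
set vpn vserver vs1 -DTLS ON
add appflow collector col3 -IPAddress 192.0.2.10
add appflow action act1 -collectors col3
add appflow policy pol1 true act1
bind vpn vserver vs1 -pol pol1 -priority 101 END -type ICA_REQUEST
"""

def opt(tokens, name):
    """Value after an option; accepts prefixes such as the page's -pol."""
    for i, tok in enumerate(tokens[:-1]):
        if len(tok) >= 4 and name.lower().startswith(tok.lower()):
            return tokens[i + 1]
    return None

def audit(config):
    """Return findings; an empty list means the whole chain resolves."""
    dtls, collectors, actions, policies, binds = {}, set(), {}, {}, []
    for line in config.splitlines():
        t = shlex.split(line)
        verb = " ".join(t[:3]).lower()
        if len(t) < 4:
            continue
        if verb == "set vpn vserver":
            dtls[t[3]] = (opt(t, "-DTLS") or "").upper() == "ON"
        elif verb == "add appflow collector":
            collectors.add(t[3])
        elif verb == "add appflow action":
            actions[t[3]] = opt(t, "-collectors")
        elif verb == "add appflow policy" and len(t) >= 6:
            policies[t[3]] = t[5]  # <name> <rule> <action>
        elif verb == "bind vpn vserver":
            binds.append((t[3], opt(t, "-policy"), opt(t, "-type")))
    # Only bindings of the type used in the page's CLI command are checked.
    ica = [b for b in binds if (b[2] or "").upper() == "ICA_REQUEST"]
    findings = [] if ica else ["no policy bound with -type ICA_REQUEST"]
    for vs, pol, _ in ica:
        if not dtls.get(vs):
            findings.append(f"{vs}: DTLS is not ON")
        act = policies.get(pol)
        if act is None:
            findings.append(f"{vs}: policy {pol} is not defined")
        elif act not in actions:
            findings.append(f"{pol}: action {act} is not defined")
        elif actions[act] not in collectors:
            findings.append(f"{act}: collector {actions[act]} is not defined")
    return findings
```

Running audit() over a change script before it is applied catches a policy bound to the virtual server whose action or collector was never created, which would otherwise leave HDX Insight silently without data.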

Disable HDX Insight for non-NSAP HDX session

In a Citrix ADC appliance, you can now disable HDX Insight for the non-NSAP HDX sessions.

At the command prompt, type:

set ica parameter DisableHDXInsightNonNSAP ( YES | NO )

By default, HDX Insight for non-NSAP sessions is enabled.