Gateway

Configure Citrix Gateway to support Enlightened Data Transport and HDX Insight

EDT traffic through Gateway now has end-to-end visibility. Availability of both real-time and historical visibility data enables Citrix ADM to support a wide variety of use cases.

The following scenarios are supported:

Scenario EDT support
Citrix Gateway Yes
Citrix Gateway with High Availability (HA) Yes
Citrix Gateway with High Availability (HA) optimization Yes
Citrix ADC with Unified Gateway Yes
Citrix Gateway with GSLB Yes
Citrix Gateway with Cluster Yes
Citrix Workspace app to Citrix Gateway DTLS encryption Yes
Dual Secure Ticket Authority (STA) on Citrix Gateway Yes
Citrix Gateway ICA session timeout Yes
Citrix Gateway Multi-Stream ICA No
Citrix Gateway session reliability (Port 2598) Yes
Citrix Gateway Double-Hop Yes
Citrix ADC to VDA DTLS encryption Yes
HDX Insight Yes
Citrix Gateway in IPv6 mode No
Citrix Gateway SOCKS (Port 1494) No
Citrix ADC pure LAN proxy (see note) No

Note:

EDT is not supported if Citrix ADC LAN proxy is configured in the LAN User mode or Transparent mode. However, TCP is supported. For more information, see:

Configure Citrix Gateway to support Enlightened Data Transport

If you use Enlightened Data Transport (EDT), Datagram Transport Layer Security (DTLS) must be enabled to encrypt the UDP connection used by EDT. The DTLS parameter must be enabled at the Gateway VPN virtual-server level. Also, the Citrix Virtual Apps and Desktops components must be correctly upgraded and configured to achieve encrypted traffic between the Gateway VPN virtual server and the user device.

Note: UDP port (for example port 443) configured for the Citrix Gateway front end virtual server must be opened in the DMZ for the virtual server to receive the DTLS connections. DTLS and CGP are prerequisites for EDT to be compatible with Citrix Gateway.

To configure Citrix Gateway to support EDT using GUI

  1. Deploy and configure Citrix Gateway to communicate with StoreFront and authenticate users for Citrix Virtual Apps and Desktops.

  2. On the Configuration tab in the Citrix ADC GUI, expand Citrix Gateway and select Virtual Servers.

    Virtual servers page

  3. Click Edit to display Basic Settings for the VPN Virtual Server, and then verify the state of the DTLS setting.

    Edit DTLS setting

  4. Click More to display other configuration options.

    View other settings

  5. Select DTLS to provide communications security for datagram protocols. Click OK. The Basic Settings area for the VPN virtual server shows that the DTLS flag is set to True.

    Enable DTLS

To configure Citrix Gateway for EDT support using CLI

set vpn vserver vs1 -DTLS ON

Configure Citrix Gateway to support HDX Insight

HDX Insight provides end-to-end visibility for HDX traffic to virtual apps and desktops passing through Citrix ADC. It also enables administrators to view real-time client and network latency metrics, historical reports, end-to-end performance data, and troubleshoot performance issues.

To configure Citrix Gateway to support HDX Insight using GUI

  1. On the Configuration tab navigate to System> AppFlow>Collectors, and click Add.

    Add collector

  2. On the Create AppFlow Collector page, populate the following fields, and click Create. Name – Name for the collector

    IP address – IPv4 address of the collector

    Port – Port on which the collector listens

    Net Profile - Net profile to associate with the collector. The IP address defined in the profile is used as the source IP address for AppFlow traffic for this collector. If you do not set this parameter, the Citrix ADC IP (NSIP) address is used as the source IP address.

    Transport – Transport type of collector.

    AppFlow collector page

  3. Navigate to System> AppFlow>Actions, click Add.

    Add action

  4. On the Create AppFlow Action page, populate the following fields, and click Create. AppFlow Action Name – Name for the action

    Comment – Any comment about the action

    Collector – Select the names of collectors to be associated with the AppFlow action.

    Transaction Log – Transactions type to be logged.

    Create collector

  5. Navigate to System> AppFlow>Policies, click Add.

    Add policies

  6. On the Create AppFlow Policy page, populate the following fields, and click Create.

    Name – Name for the policy.

    Action – Name of the action to be associated with the policy.

    UNDEF - Name of the AppFlow action to be associated with this policy when an undefined event occurs.

    Expression - Expression or other value against which the traffic is evaluated. Must be a Boolean expression.

    Comments – Any comments about this policy.

    Policies page

  7. Navigate to Citrix Gateway>Virtual Servers, select the virtual server and click Edit.

    Virtual servers page

  8. Scroll down the VPN Virtual Server page and under Policies section, click +.

    Add a policy

  9. On the Choose Type screen, in the Choose Policy drop-down menu, select AppFlow. In the Choose Type drop-down menu, choose Request or ICA Request and click Continue.

    Select AppFlow policy page

  10. Click the highlighted arrow under Select Policy.

    Select AppFlow policy

  11. Select the AppFlow policy and click Select.

    Select AppFlow policy2

  12. Finally click Bind.

    Bind policy

To configure Citrix Gateway for HDX Insight support using the CLI, type the following command

add appflow collector col3 -IPAddress<ip_mas>
add appflow action act1 <action_name>
add appflow policy <policy_name> true <action_name>
bind vpn Vserver <vserver_name>  -pol <policy_name> - priority101 END -type <ICA_Request>

Disable HDX Insight for non-NSAP HDX session

In a Citrix ADC appliance, you can now disable HDX Insight for the non-NSAP HDX sessions.

At the command prompt, type:

set ica parameter HDXInsightNonNSAP (YES | NO )
<!--NeedCopy-->

By default, HDX Insight for non-NSAP session is enabled.

Configure Citrix Gateway to support Enlightened Data Transport and HDX Insight