Citrix Gateway

Communication flow in a double-hop DMZ deployment

To understand the configuration issues involved in a double-hop DMZ deployment, you must have a basic understanding of how the various Citrix Gateway and Citrix Virtual Apps components in a double-hop DMZ deployment communicate to support a user connection. The connection process for StoreFront and the Web Interface is the same.

Although the user connection process occurs in one continuous flow, the steps are detailed in the four following topics:

The following figure shows the steps that occur in the user connection process to either StoreFront or the Web Interface. In the secure network, computers running Citrix Virtual Apps are also running the Secure Ticket Authority (STA), XML Service, and published applications.

Figure 1. Double-hop DMZ user connection process

Connection Process in a Double-Hop DMZ

Authenticate users

Authenticating users is the first step of the user connection process in a double-hop DMZ deployment. The following figure shows the user connection process in this deployment.

Figure 1. Communication flow for user authentication in a double-hop DMZ

User authentication process in a double-hop DMZ

During the user authentication stage, the following basic process occurs:

  1. A user types the address of Citrix Gateway, such as https://www.ng.wxyco.com in a web browser to connect to Citrix Gateway in the first DMZ. If you enabled logon page authentication on Citrix Gateway, Citrix Gateway authenticates the user.
  2. Citrix Gateway in the first DMZ receives the request.
  3. Citrix Gateway redirects the web browser connection to the Web Interface.
  4. The Web Interface sends the user credentials to the Citrix XML Service running in the server farm in the internal network.
  5. The Citrix XML Service authenticates the user.
  6. The XML Service creates a list of the published applications that the user is authorized to access and sends this list to the Web Interface.

If you enable authentication on Citrix Gateway, the appliance sends the Citrix Gateway logon page to the user. The user enters authentication credentials on the logon page and the appliance authenticates the user. Citrix Gateway then returns the user credentials to the Web Interface.

If you do not enable authentication, Citrix Gateway does not perform authentication. The appliance connects to the Web Interface, retrieves the Web Interface logon page, and sends the Web Interface logon page to the user. The user enters authentication credentials on the Web Interface logon page and Citrix Gateway passes the user credentials back to the Web Interface.

Create a session ticket

Creating the session ticket is the second stage of the user connection process in a double-hop DMZ deployment.

During the session ticket creation stage, the following basic process occurs:

  1. The Web Interface communicates with both the XML Service and the Secure Ticket Authority (STA) in the internal network to produce session tickets for each of the published applications the user is authorized to access. The session ticket contains an alias address for the computer running Citrix Virtual Apps that hosts a published application.
  2. The STA saves the IP addresses of the servers that host the published applications. The STA then sends the requested session tickets to the Web Interface. Each session ticket includes an alias that represents the IP address of the server that hosts the published application, but not the actual IP address.
  3. The Web Interface generates an ICA file for each of the published applications. The ICA file contains the ticket issued by the STA. The Web Interface then creates and populates a webpage with a list of links to the published applications and sends this webpage to the web browser on the user device.

Start the Citrix Workspace app

Starting Citrix Workspace app is the third stage of the user connection process in a double-hop DMZ deployment. The basic process is as follows:

  1. The user clicks a link to a published application in the Web Interface. The Web Interface sends the ICA file for that published application to the browser for the user device.

    The ICA file contains data instructing the web browser to start Receiver.

    The ICA file also contains the fully qualified domain name (FQDN) or the Domain Name System (DNS) name of the Citrix Gateway in the first DMZ.

  2. The web browser starts Receiver and the user connects to Citrix Gateway in the first DMZ by using the Citrix Gateway name in the ICA file. Initial SSL/TLS handshaking occurs to establish the identity of the server running Citrix Gateway.

Complete the connection

Completing the connection is the fourth and last stage of the user connection process in a double-hop DMZ deployment.

During the connection completion stage, the following basic process occurs:

  • The user clicks a link to a published application in the Web Interface.
  • The web browser receives the ICA file generated by the Web Interface and starts Citrix Workspace app. Note: The ICA file contains code that instructs the web browser to start Citrix Workspace app.
  • Citrix Workspace app initiates an ICA connection to Citrix Gateway in the first DMZ.
  • Citrix Gateway in the first DMZ communicates with the Secure Ticket Authority (STA) in the internal network to resolve the alias address in the session ticket to the real IP address of a computer running Citrix Virtual Apps or StoreFront. This communication is proxied through the second DMZ by the Citrix Gateway proxy.
  • Citrix Gateway in the first DMZ completes the ICA connection to Citrix Workspace app.
  • Citrix Workspace app can now communicate through both Citrix Gateway appliances to the computer running Citrix Virtual Apps on the internal network.

The detailed steps for completing the user connection process are as follows:

  1. Citrix Workspace app sends the STA ticket for the published application to Citrix Gateway in the first DMZ.
  2. Citrix Gateway in the first DMZ contacts the STA in the internal network for ticket validation. To contact the STA, Citrix Gateway establishes a SOCKS or SOCKS with SSL connection to the Citrix Gateway proxy in the second DMZ.
  3. The Citrix Gateway proxy in the second DMZ passes the ticket validation request to the STA in the internal network. The STA validates the ticket and maps it to the computer running Citrix Virtual Apps that hosts the published application.
  4. The STA sends a response to the Citrix Gateway proxy in the second DMZ, which is passed to Citrix Gateway in the first DMZ. This response completes the ticket validation and includes the IP address of the computer that hosts the published application.
  5. Citrix Gateway in the first DMZ incorporates the address of the Citrix Virtual Apps server into the user connection packet and sends this packet to the Citrix Gateway proxy in the second DMZ.
  6. The Citrix Gateway proxy in the second DMZ makes a connection request to the server specified in the connection packet.
  7. The server responds to the Citrix Gateway proxy in the second DMZ. The Citrix Gateway proxy in the second DMZ passes this response to Citrix Gateway in the first DMZ to complete the connection between the server and Citrix Gateway in the first DMZ.
  8. Citrix Gateway in the first DMZ completes the SSL/TLS handshake with the user device by passing the final connection packet to the user device. The connection from the user device to the server is established.
  9. ICA traffic flows between the user device and the server through Citrix Gateway in the first DMZ and the Citrix Gateway proxy in the second DMZ.
Communication flow in a double-hop DMZ deployment