Configure server-initiated connections

For each user logged on to NetScaler Gateway with IP addresses enabled, the DNS suffix is appended to the user name and a DNS address record is added to the appliance’s DNS cache. This allows a logged-on user to be reached by DNS name rather than by the IP address assigned to the user.

When an IP address is assigned to a user’s session, it is possible to connect to the user’s device from the internal network. For example, users connecting with a Remote Desktop or virtual network computing (VNC) client can access the user device to diagnose a problematic application. It is also possible for two NetScaler Gateway users with internal network IP addresses who are remotely logged on to communicate with each other through NetScaler Gateway. Allowing discovery of the internal network IP addresses of the users logged on to the appliance aids in this communication.

A remote user can use the following ping command to discover the internal network IP address of a user who is logged on to NetScaler Gateway:

ping <username.domainname>

A server can initiate a connection to a user device in the following different ways:

  • TCP or UDP connections. The connections can originate from an external system in the internal network or from another computer logged on to NetScaler Gateway. The internal network IP address that is assigned to each user device logged on to NetScaler Gateway is used for these connections. NetScaler Gateway supports the following types of server-initiated connections:

      • The server has prior knowledge of the user device’s IP address and port and makes a connection to it. NetScaler Gateway intercepts this connection.

      • The user device makes an initial connection to the server, and the server then connects back to the user device on a port that is known or derived from the first configured port.

      • The user device makes an initial connection to the server and then exchanges ports and IP addresses with the server by using an application-specific protocol in which this information is embedded. This enables NetScaler Gateway to support applications such as active FTP connections.

  • Port command. This is used in active FTP and in certain Voice over IP protocols.

  • Connections between plug-ins. NetScaler Gateway supports connections between plug-ins by using the internal network IP addresses.

    With this type of connection, two NetScaler Gateway user devices that use the same NetScaler Gateway can initiate connections with each other. An example of this type is using instant messaging applications, such as Office Communicator or Yahoo! Messenger.

If a user logs off NetScaler Gateway but the logoff request does not reach the appliance, the user can log on again from any device and replace the previous session with a new session. This feature is beneficial in deployments where one IP address is assigned per user.

When a user logs on to NetScaler Gateway for the first time, a session is created and an IP address is assigned to the user. If the user logs off but the logoff request is lost or the user device fails to perform a clean logoff, the session is maintained on the system. If the user tries to log on again from the same device or another device, after successful authentication, a transfer logon dialog box appears. If the user chooses to transfer the logon, the previous session on NetScaler Gateway is closed and a new session is created. The transfer of logon is active for only two minutes after logoff, and if logon is attempted from multiple devices simultaneously, the last logon attempt replaces the original session.

Configure private port range for server-initiated connections

Starting from Citrix Secure Access client release 23.10.1.7, you can configure a private port ranging from 49152 to 64535 for server-initiated connections (SIC). Configuring private ports avoids conflicts that might arise when ports used to create sockets for the Citrix Secure Access client collide with ports used by third-party apps on the client machine. This is applicable only if the WFP driver is in use.

You can configure the private ports by using the SicBeginPort Windows VPN registry key. Alternatively, you can configure the private port range by using a VPN plug-in customization JSON file on NetScaler.

When a server initiates a connection, Citrix Secure Access client uses the 1000 ports starting from the value of the SicBeginPort Windows VPN registry key to create the sockets. If the registry key is configured on a client machine, the registry setting takes precedence over the NetScaler JSON setting.

The following is an example of the VPN plug-in JSON configuration on NetScaler:

root@ADC# cat /var/netscaler/gui/vpn/pluginCustomization.json
{"SicBeginPort" : 51000}

For details about the registry settings, see NetScaler Gateway Windows VPN client registry keys.

Note:

The default port range that is used to create sockets is 62500–63500.
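The following is an added example, not part of the Citrix documentation or the Secure Access client, that applies the rules above to compute the SIC port range a client will actually use: a registry value wins over the NetScaler JSON, 1000 ports are taken from SicBeginPort, the begin port must lie within 49152–64535, and the default 62500–63500 applies when neither is set. The end-of-range arithmetic (begin + 1000, matching the documented default) and the function names are assumptions of this example.

```python
import json
from typing import Optional, Tuple

# Constraints as stated in the documentation for the SIC private port range.
SIC_MIN_BEGIN_PORT = 49152   # lowest permitted SicBeginPort value
SIC_MAX_BEGIN_PORT = 64535   # highest permitted SicBeginPort value
SIC_RANGE_SIZE = 1000        # the client uses 1000 ports starting from SicBeginPort
DEFAULT_SIC_RANGE = (62500, 63500)  # used when neither registry nor JSON sets SicBeginPort


def parse_plugin_customization(json_text: str) -> Optional[int]:
    """Return SicBeginPort from pluginCustomization.json content, or None if absent."""
    doc = json.loads(json_text)
    value = doc.get("SicBeginPort")
    return int(value) if value is not None else None


def effective_sic_port_range(registry_value: Optional[int],
                             json_text: Optional[str]) -> Tuple[int, int]:
    """Compute the port range Citrix Secure Access client uses for SIC sockets.

    Precedence: a SicBeginPort registry value on the client machine wins over
    the NetScaler JSON setting; with neither, the documented default applies.
    Raises ValueError when the begin port is outside 49152-64535.
    The range end is assumed to be begin + 1000 (this reproduces the
    documented default range 62500-63500).
    """
    begin = registry_value
    if begin is None and json_text is not None:
        begin = parse_plugin_customization(json_text)
    if begin is None:
        return DEFAULT_SIC_RANGE
    if not SIC_MIN_BEGIN_PORT <= begin <= SIC_MAX_BEGIN_PORT:
        raise ValueError(
            f"SicBeginPort {begin} is outside the permitted "
            f"{SIC_MIN_BEGIN_PORT}-{SIC_MAX_BEGIN_PORT} window")
    return begin, begin + SIC_RANGE_SIZE


if __name__ == "__main__":
    # Constructed sample: the JSON shown in the documentation, no registry override.
    sample_json = '{"SicBeginPort" : 51000}'
    print("JSON only:        ", effective_sic_port_range(None, sample_json))
    print("Registry override:", effective_sic_port_range(60000, sample_json))
    print("Neither set:      ", effective_sic_port_range(None, None))
```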
