Gateway

Outbound ICA Proxy support

Outbound ICA Proxy support for NetScaler Gateway lets network administrators use SmartControl functionality even when Receiver and NetScaler Gateway are deployed in different organizations.

The following scenario illustrates the use of the Outbound ICA Proxy solution:

A network administrator requires control over ICA session-related capabilities when Receiver and NetScaler Gateway are deployed in different organizations.

Understanding the Outbound ICA Proxy support

To bring SmartControl functionality to the enterprise organization, Company A, which has the Receiver, a NetScaler appliance that acts as a LAN Proxy must be added. The NetScaler LAN Proxy enforces SmartControl and proxies the traffic to the NetScaler Gateway of Company B. In this deployment scenario, the Receiver forwards the traffic to the NetScaler LAN Proxy, which allows the network administrator of Company A to enforce SmartControl. The deployment is depicted in the following figure.

Figure: Outbound ICA Proxy setup

In this scenario, the traffic between the LAN Proxy and the NetScaler Gateway is over SSL.

Note: Do not enable client certificate-based authentication on the NetScaler Gateway.

SSL support on NetScaler LAN proxy

From release 13.0 build xx.xx, traffic between Citrix Workspace app and the NetScaler LAN proxy is also supported over SSL. The Citrix Workspace app encrypts the traffic it sends to the LAN proxy over SSL. SSL support on the LAN proxy can coexist with the existing deployment.

To enable traffic encryption over SSL between Citrix Workspace app and the NetScaler LAN proxy, perform the following steps on the NetScaler LAN proxy:

  • Disable authentication and enable double-hop on the VPN virtual server.
  • Set the host on the Windows client to the IP address of the VPN virtual server.
  • Enable SNI and certificate validation.
  • Add appropriate CA certificates and enable them globally.
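
The following is an added example, not part of the original documentation or Citrix tooling: a Python check that reads saved-configuration lines and reports which of the appliance-side steps above are not in place. The option names (-authentication, -doubleHop, -backendServerSni, -backendCertValidation, bind vpn global -cacert), the virtual server name and the sample configuration are assumptions; confirm them against the command reference for your build. The client-side host setting is not covered.

```python
import re

# Constructed sample of saved-configuration lines for a LAN proxy (not from the page).
# ASSUMPTION: the option names below are how the page's steps appear in a saved
# configuration; confirm them against the command reference for your build.
SAMPLE_CONFIG = """\
add vpn vserver lan_proxy_vs SSL 192.0.2.10 443 -authentication OFF -doubleHop ENABLED
set vpn parameter -backendServerSni ENABLED -backendCertValidation DISABLED
add ssl certKey partner_ca -cert partner_ca.pem
"""

def _options(line):
    """Return {option: value} for each '-name value' pair that starts a token."""
    return {k.lower(): v.upper() for k, v in re.findall(r"(?<!\S)-(\w+)\s+(\S+)", line)}

def audit_lan_proxy(config, vserver):
    """Return the appliance-side steps from the list above that are not in place."""
    vs, params, ca_bound = {}, {}, False
    for line in config.splitlines():
        words = line.split()
        if words[:3] in (["add", "vpn", "vserver"], ["set", "vpn", "vserver"]):
            if words[3:4] == [vserver]:
                vs.update(_options(line))      # later 'set' lines override 'add'
        elif words[:3] == ["set", "vpn", "parameter"]:
            params.update(_options(line))
        elif words[:3] == ["bind", "vpn", "global"]:
            ca_bound = ca_bound or "cacert" in _options(line)
    checks = {
        "authentication disabled on VPN vserver": vs.get("authentication") == "OFF",
        "double-hop enabled on VPN vserver": vs.get("doublehop") == "ENABLED",
        "SNI enabled": params.get("backendserversni") == "ENABLED",
        "certificate validation enabled": params.get("backendcertvalidation") == "ENABLED",
        "CA certificate bound globally": ca_bound,
    }
    # Anything not explicitly set is reported, so a missing line counts as a failure.
    return [name for name, ok in checks.items() if not ok]

if __name__ == "__main__":
    for finding in audit_lan_proxy(SAMPLE_CONFIG, "lan_proxy_vs"):
        print("NOT MET:", finding)
```

Run against the constructed sample, the check reports that certificate validation is not enabled and that no CA certificate is bound globally.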