Citrix Virtual Apps and Desktops

NAT Compatibility

To establish a direct connection between an external user device and the session host, HDX Direct leverages hole punching for NAT traversal and STUN to facilitate the exchange of the public IP address and port mappings for the client device and session host. This is similar to how VoIP, unified communications, and P2P solutions work.

As long as firewalls and other network components are configured to allow the UDP traffic for the STUN requests and the HDX sessions, HDX Direct for external users is expected to work. However, there are certain scenarios where the NAT types of the user and session host networks lead to an incompatible combination, thus causing HDX Direct to fail.

Validations

You can validate the NAT type on the client and the session host by using STUNTMAN’s STUN client utility:

  1. Download the appropriate package for the target platform from stunprotocol.org, and extract the contents.
  2. Open a terminal prompt and navigate to the directory where the contents were extracted.
  3. Run the following command: .\stunclient.exe stunserver2024.stunprotocol.org --mode behavior
  4. Take note of the output.

If the binding and behavior tests are successful, both binding test and behavior test report the success and a NAT behavior is specified:

NAT Success

If the tests fail, both binding test and behavior test report the failure.

NAT Failure

See the following table to determine if HDX Direct for external users is expected to work based on the test results of both the client and session host:

Client device Session host Expected to work?
Endpoint Independent Mapping Endpoint Independent Mapping Yes
Endpoint Independent Mapping Endpoint Dependent Mapping Yes
Endpoint Dependent Mapping Endpoint Independent Mapping Yes
Endpoint Dependent Mapping Endpoint Dependent Mapping No
Address and port dependent mapping Any NAT type No
Any NAT type Address and port dependent mapping No
fail Any NAT type No
Any NAT type fail No
fail fail No
NAT Compatibility