NetScaler Gateway

Establishing the Secure Tunnel

October 5, 2020

Contributed by:

When users connect with the NetScaler Gateway Plug-in, Worx Home, or Citrix Receiver, the client software establishes a secure tunnel over port 443 (or any configured port on NetScaler Gateway) and sends authentication information. When the tunnel is established, NetScaler Gateway sends configuration information to the NetScaler Gateway Plug-in, Worx Home, or Receiver describing the networks to be secured and containing an IP address if you enable address pools.

Tunneling Private Network Traffic over Secure Connections

When the NetScaler Gateway Plug-in starts and the user is authenticated, all network traffic destined for specified private networks is captured and redirected over the secure tunnel to NetScaler Gateway. Receiver must support the NetScaler Gateway Plug-in to establish the connection through the secure tunnel when users log on.

Worx Home, Worx Mail, and WorxWeb use Micro VPN to establish the secure tunnel for iOS and Android mobile devices.

NetScaler Gateway intercepts all network connections that the user device makes and multiplexes them over Secure Sockets Layer (SSL) to NetScaler Gateway, where the traffic is demultiplexed and the connections are forwarded to the correct host and port combination.

The connections are subject to administrative security policies that apply to a single application, a subset of applications, or an entire intranet. You specify the resources (ranges of IP address/subnet pairs) that remote users can access through the VPN connection.

The NetScaler Gateway Plug-in intercepts and tunnels the following protocols for the defined intranet applications:

TCP (all ports)
UDP (all ports)
ICMP (types 8 and 0 - echo request/reply)

Connections from local applications on the user device are securely tunneled to NetScaler Gateway, which reestablishes the connections to the target server. Target servers view connections as originating from the local NetScaler Gateway on the private network, thus hiding the user device. This is also called reverse Network Address Translation (NAT). Hiding IP addresses adds security to source locations.

Locally, on the user device, all connection-related traffic, such as SYN-ACK, PUSH, ACK, and FIN packets, is recreated by the NetScaler Gateway Plug-in to appear from the private server.

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Establishing the Secure Tunnel

October 5, 2020

Contributed by:

October 5, 2020

Contributed by:

Establishing the Secure Tunnel

Tunneling Private Network Traffic over Secure Connections

In this article