Product Documentation

Completing the Connection

Completing the connection is the fourth and last stage of the user connection process in a double-hop DMZ deployment.

During the connection completion stage, the following basic process occurs:

  • The user clicks a link to a published application in the Web Interface.
  • The web browser receives the ICA file generated by the Web Interface and starts Citrix Receiver. Note: The ICA file contains code that instructs the web browser to start Receiver.
  • Receiver initiates an ICA connection to Citrix Gateway in the first DMZ.
  • Citrix Gateway in the first DMZ communicates with the Secure Ticket Authority (STA) in the internal network to resolve the alias address in the session ticket to the real IP address of a computer running XenApp or StoreFront. This communication is proxied through the second DMZ by the Citrix Gateway proxy.
  • Citrix Gateway in the first DMZ completes the ICA connection to Receiver.
  • Receiver can now communicate through both Citrix Gateway appliances to the computer running XenApp on the internal network.

The detailed steps for completing the user connection process are as follows:

  1. Receiver sends the STA ticket for the published application to Citrix Gateway in the first DMZ.
  2. Citrix Gateway in the first DMZ contacts the STA in the internal network for ticket validation. To contact the STA, Citrix Gateway establishes a SOCKS or SOCKS with SSL connection to the Citrix Gateway proxy in the second DMZ.
  3. The Citrix Gateway proxy in the second DMZ passes the ticket validation request to the STA in the internal network. The STA validates the ticket and maps it to the computer running XenApp that hosts the published application.
  4. The STA sends a response to the Citrix Gateway proxy in the second DMZ, which is passed to Citrix Gateway in the first DMZ. This response completes the ticket validation and includes the IP address of the computer that hosts the published application.
  5. Citrix Gateway in the first DMZ incorporates the address of the XenApp server into the user connection packet and sends this packet to the Citrix Gateway proxy in the second DMZ.
  6. The Citrix Gateway proxy in the second DMZ makes a connection request to the server specified in the connection packet.
  7. The server responds to the Citrix Gateway proxy in the second DMZ. The Citrix Gateway proxy in the second DMZ passes this response to Citrix Gateway in the first DMZ to complete the connection between the server and Citrix Gateway in the first DMZ.
  8. Citrix Gateway in the first DMZ completes the SSL/TLS handshake with the user device by passing the final connection packet to the user device. The connection from the user device to the server is established.
  9. ICA traffic flows between the user device and the server through Citrix Gateway in the first DMZ and the Citrix Gateway proxy in the second DMZ.
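
In the steps above, every connection is opened one zone inward: user device to Citrix Gateway, Citrix Gateway to the Citrix Gateway proxy, and the proxy to the STA or the XenApp server. The following Python check is an added example, not Citrix code, that audits firewall session records against that path. The address plan, zone names and sample flows are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption, not from the Citrix documentation).
ZONES = {
    "dmz1": ipaddress.ip_network("192.0.2.0/25"),     # Citrix Gateway, first DMZ
    "dmz2": ipaddress.ip_network("192.0.2.128/25"),   # Citrix Gateway proxy, second DMZ
    "internal": ipaddress.ip_network("10.0.0.0/8"),   # STA and XenApp servers
}

# Hops the connection steps allow: each zone initiates only to the next one in.
ALLOWED = {("external", "dmz1"), ("dmz1", "dmz2"), ("dmz2", "internal")}


def zone_of(addr):
    """Map an IP address to its zone; anything unlisted is the user side."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def audit(flows):
    """Return (src, dst, src_zone, dst_zone) for sessions that skip a hop.

    flows: iterable of (initiator_ip, responder_ip), e.g. from firewall logs.
    """
    violations = []
    for src, dst in flows:
        pair = (zone_of(src), zone_of(dst))
        # Traffic inside one zone is out of scope for this check.
        if pair[0] != pair[1] and pair not in ALLOWED:
            violations.append((src, dst) + pair)
    return violations


# Constructed sample sessions (initiator, responder).
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10"),   # Receiver -> Citrix Gateway (step 1)
    ("192.0.2.10", "192.0.2.130"),    # Gateway -> Gateway proxy (steps 2, 5)
    ("192.0.2.130", "10.1.1.5"),      # proxy -> STA (step 3)
    ("192.0.2.130", "10.1.2.20"),     # proxy -> XenApp server (step 6)
    ("192.0.2.10", "10.1.1.5"),       # Gateway -> STA directly, skips second DMZ
    ("198.51.100.7", "10.1.2.20"),    # user device -> server directly
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("unexpected flow: %s -> %s (%s -> %s)" % v)
```

A session flagged here means a firewall rule permits traffic that bypasses one of the two Citrix Gateway appliances, or that a connection was opened outward from an inner zone.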
