Completing the Connection

Completing the connection is the fourth and last stage of the user connection process in a double-hop DMZ deployment.

During the connection completion stage, the following basic process occurs:

  • The user clicks a link to a published application in the Web Interface.
  • The web browser receives the ICA file generated by the Web Interface and starts Citrix Receiver. Note: The ICA file contains code that instructs the web browser to start Receiver.
  • Receiver initiates an ICA connection to NetScaler Gateway in the first DMZ.
  • NetScaler Gateway in the first DMZ communicates with the Secure Ticket Authority (STA) in the internal network to resolve the alias address in the session ticket to the real IP address of a computer running XenApp or StoreFront. This communication is proxied through the second DMZ by the NetScaler Gateway proxy.
  • NetScaler Gateway in the first DMZ completes the ICA connection to Receiver.
  • Receiver can now communicate through both NetScaler Gateway appliances to the computer running XenApp on the internal network.

The detailed steps for completing the user connection process are as follows:

  1. Receiver sends the STA ticket for the published application to NetScaler Gateway in the first DMZ.
  2. NetScaler Gateway in the first DMZ contacts the STA in the internal network for ticket validation. To contact the STA, NetScaler Gateway establishes a SOCKS or SOCKS with SSL connection to the NetScaler Gateway proxy in the second DMZ.
  3. The NetScaler Gateway proxy in the second DMZ passes the ticket validation request to the STA in the internal network. The STA validates the ticket and maps it to the computer running XenApp that hosts the published application.
  4. The STA sends a response to the NetScaler Gateway proxy in the second DMZ, which is passed to NetScaler Gateway in the first DMZ. This response completes the ticket validation and includes the IP address of the computer that hosts the published application.
  5. NetScaler Gateway in the first DMZ incorporates the address of the XenApp server into the user connection packet and sends this packet to the NetScaler Gateway proxy in the second DMZ.
  6. The NetScaler Gateway proxy in the second DMZ makes a connection request to the server specified in the connection packet.
  7. The server responds to the NetScaler Gateway proxy in the second DMZ. The NetScaler Gateway proxy in the second DMZ passes this response to NetScaler Gateway in the first DMZ to complete the connection between the server and NetScaler Gateway in the first DMZ.
  8. NetScaler Gateway in the first DMZ completes the SSL/TLS handshake with the user device by passing the final connection packet to the user device. The connection from the user device to the server is established.
  9. ICA traffic flows between the user device and the server through NetScaler Gateway in the first DMZ and the NetScaler Gateway proxy in the second DMZ.
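
The steps above imply that connections are only ever initiated one hop inward: user device to the first DMZ, first DMZ to the second DMZ, and second DMZ to the internal network. The following is an added example, not part of the Citrix documentation, that audits flow records against that path; the subnets, addresses, and function names are constructed assumptions.

```python
import ipaddress

# Constructed zone layout (assumption; substitute your own subnets).
ZONES = {
    "external": ipaddress.ip_network("198.51.100.0/24"),  # user devices
    "dmz1": ipaddress.ip_network("10.1.0.0/24"),          # NetScaler Gateway
    "dmz2": ipaddress.ip_network("10.2.0.0/24"),          # NetScaler Gateway proxy
    "internal": ipaddress.ip_network("10.3.0.0/24"),      # STA, XenApp
}

# Initiator -> responder zone pairs implied by the detailed steps.
ALLOWED_HOPS = {
    ("external", "dmz1"),  # Receiver -> NetScaler Gateway (steps 1, 8)
    ("dmz1", "dmz2"),      # Gateway -> proxy over SOCKS (steps 2, 5)
    ("dmz2", "internal"),  # proxy -> STA or XenApp server (steps 3, 6)
}

def zone_of(addr):
    """Map an IP address string to its zone name, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def audit_flows(flows):
    """Return (src, dst, src_zone, dst_zone) for each flow that is not an allowed hop."""
    violations = []
    for src, dst in flows:
        hop = (zone_of(src), zone_of(dst))
        if hop not in ALLOWED_HOPS:
            violations.append((src, dst) + hop)
    return violations

# Constructed flow records as (initiator, responder) pairs.
SAMPLE_FLOWS = [
    ("198.51.100.25", "10.1.0.10"),  # Receiver -> gateway
    ("10.1.0.10", "10.2.0.10"),      # gateway -> proxy
    ("10.2.0.10", "10.3.0.5"),       # proxy -> STA
    ("10.2.0.10", "10.3.0.40"),      # proxy -> XenApp server
    ("10.1.0.10", "10.3.0.5"),       # gateway -> STA directly, skipping the proxy
    ("198.51.100.25", "10.2.0.10"),  # user device -> second DMZ
    ("10.3.0.40", "10.1.0.10"),      # internal host initiating toward first DMZ
]

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print("unexpected hop %s -> %s (%s -> %s)" % v)
```

Any flow it reports either skips a hop or is initiated in the wrong direction, which points at a firewall rule that is broader than the double-hop design requires.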
