Product Documentation

Establishing the Secure Tunnel

When users connect with the NetScaler Gateway Plug-in, Worx Home, or Citrix Receiver, the client software establishes a secure tunnel over port 443 (or any configured port on NetScaler Gateway) and sends authentication information. When the tunnel is established, NetScaler Gateway sends configuration information to the NetScaler Gateway Plug-in, Worx Home, or Receiver describing the networks to be secured and containing an IP address if you enable address pools.

Tunneling Private Network Traffic over Secure Connections

When the NetScaler Gateway Plug-in starts and the user is authenticated, all network traffic destined for specified private networks is captured and redirected over the secure tunnel to NetScaler Gateway. Receiver must support the NetScaler Gateway Plug-in to establish the connection through the secure tunnel when users log on.

Worx Home, Worx Mail, and WorxWeb use Micro VPN to establish the secure tunnel for iOS and Android mobile devices.

NetScaler Gateway intercepts all network connections that the user device makes and multiplexes them over Secure Sockets Layer (SSL) to NetScaler Gateway, where the traffic is demultiplexed and the connections are forwarded to the correct host and port combination.

The connections are subject to administrative security policies that apply to a single application, a subset of applications, or an entire intranet. You specify the resources (ranges of IP address/subnet pairs) that remote users can access through the VPN connection.

The NetScaler Gateway Plug-in intercepts and tunnels the following protocols for the defined intranet applications:

  • TCP (all ports)
  • UDP (all ports)
  • ICMP (types 8 and 0 - echo request/reply)

Connections from local applications on the user device are securely tunneled to NetScaler Gateway, which reestablishes the connections to the target server. Target servers view connections as originating from the local NetScaler Gateway on the private network, thus hiding the user device. This is also called reverse Network Address Translation (NAT). Hiding IP addresses adds security to source locations.

Locally, on the user device, all connection-related traffic, such as SYN-ACK, PUSH, ACK, and FIN packets, is recreated by the NetScaler Gateway Plug-in to appear from the private server.

Establishing the Secure Tunnel