Citrix Gateway service for HDX Proxy

Citrix Gateway service for HDX Proxy provides users with secure remote access to CVAD without having to deploy Citrix Gateway in the on-premises DMZ or reconfigure firewalls. Citrix hosts the entire infrastructure overhead of managing remote access in the cloud.

On-Premises vs. Cloud


Citrix Virtual Apps and Desktops have served Enterprises well for decades, yet they have extra requirements to provide remote access such as:

  • Implementing and maintaining multiple sites for redundancy
  • Implementing and maintaining public IP addresses
  • Implementing and maintaining network devices
  • Implementing and maintaining firewall rules



With Citrix Cloud and Citrix Gateway service Enterprises now can provide remote access to Citrix Virtual Apps and Desktops without those additional requirements along with other benefits:

  • Multiple sites are implemented and maintained globally by Citrix
  • Public IP addresses are implemented and maintained by Citrix
  • Citrix Cloud advanced security with Citrix Analytics
  • Predictive DNS provides better user experience
  • No changes to the Virtual Apps and Desktops environment are required
  • Certificates are implemented and maintained by Citrix
  • Elastic scalability and High Availability is provided and managed by Citrix
  • Enterprises pay as they grow and reduce operating expenses
  • Faster onboarding for new customers


Citrix Cloud services

Citrix Workspace

The Citrix Workspace aggregates all user resources into a single, personalized interface using a locally installed Workspace app (desktop and mobile) or a local browser. The Citrix Workspace communicates with the Citrix Virtual Apps and Desktops controller over a Citrix Cloud Connector.

Citrix Cloud Connector

Citrix Cloud Connector runs on Windows Server instances hosted in Resource Locations and creates a reverse proxy to route traffic between the site/s and Citrix Cloud. It provides connectivity from Citrix Cloud to Resource Locations. It also includes access to Active Directory and delivery of control channel traffic between the Citrix Workspace and Citrix Virtual Apps and Desktops controllers. Cloud Connector also creates a connection from the Resource Location to the nearest Citrix POP to establish an initial data channel.

Citrix Gateway service

The Citrix Gateway service is a part of the Citrix Cloud Services to provide secure remote access. It has been developed upon for more than a decade, all the while being used by the largest companies in the world. It relies on the Citrix Intelligent Traffic Management (ITM) service to direct clients to the closest global Citrix Gateway service POP. From there, it coordinates secure connectivity between Citrix Workspace clients and virtualization resources to deliver sessions with the lowest latency and the best user experience possible.

Rendezvous protocol

Each Cloud Connector supports a limit of 1,000 concurrent sessions, and while adding more connectors grows capacity Citrix provides a more efficient solution to scale. Rendezvous protocol enables HDX sessions to be set up, through secure TLS transport, directly from the Virtual Delivery Agent (VDA) to the Citrix Gateway service without going through the Cloud Connector first. It is available in Citrix Virtual Apps and Desktops release 1912+ and can be enabled through a Citrix Policy setting. If the Rendezvous protocol is enabled and it cannot reach the Gateway service for any reason, it falls back to proxying traffic through the Cloud Connector.

Citrix Intelligent Traffic Management (ITM) service

The Citrix Gateway service uses the Citrix Intelligent Traffic Management (ITM) service to help provide fast and reliable sessions. Developed to use a broad set of monitoring sources and robust algorithms,Citrix ITM directs workspace users from anywhere in the world to their nearest Citrix POP to help deliver the most efficient and reliable sessions possible.

Citrix ITM provides resiliency and a better user experience by directing workspace endpoints and Virtual Delivery Agents (VDAs) to the closest Citrix POP. ITM acts as the authoritative DNS for Citrix Gateway service Fully Qualified Domain Names (FQDNs), yet instead of providing static IP addresses to Citrix POPs, and following simple load balancing methods like round robin, it provides dynamic responses based on near real-time traffic analysis from various sources including active users of the FQDN. Based on analysis of data sources, Citrix ITM responds to each DNS query with the nearest, fastest, most reliable POP available at the moment. Using proprietary collectors and analysis algorithms ITM can adapt to various factors that can affect user experience such as CDN caching issues, ISP congestion, International Internet backbone outages.

Citrix Intelligent Traffic Management (ITM)


Citrix Gateway service operates in multiple POPs around the world with ITM, which monitors the health of each site. If for any reason a POP goes down or connectivity is degraded past thresholds, Citrix ITM responds to subsequent DNS queries with the public IP address of the next closest POP. The Workspace app and the Citrix Virtual Apps and Desktops controller will initiate retries and timeouts based on session connection and timer settings.

  • Each POP is configured for High Availability
  • Four 9 s of reliability
  • 19 Global POPs

Citrix Global Points of Presence


Initial Setup

Transitioning access from your On-premises Gateway to Citrix Gateway service begins with creating your Citrix Cloud environment. Afterwards you log in to your environment from Windows Server instances, with network access to your Citrix Virtual Apps and Desktops controllers. Then you can install Citrix Cloud Connectors to provide connectivity to Citrix Cloud. Cloud Connector

Initial Configuration

Once the Citrix Cloud Connectors are installed and up at your Resource Location the Citrix Workspace can be configured in Citrix Cloud. After specifying whether Authentication occurs using Active Directory (AD) or Azure Active Directory (AAD), and implementing any desired customizations to the Workspace app, Gateway, and Citrix Virtual Apps and Desktops On-Premises Sites must be enabled under Service Integrations. Then the site can be added and configured. The site configuration includes: specifying whether the controller is pre or post version 6.5, specifying the FQDN of the controller hosted in your Resource Location, verifying the domain identified through the Citrix Cloud Connector install, and specifying that the Gateway service is used for connectivity. Workspace Configuration

Initial Deployment

After the Citrix Workspace is configured in Citrix Cloud the new FQDN can be added to the Workspace app. Users can log in with the same AD credentials they would use with the On-premises Citrix Gateway and have the same apps and desktops enumerated. Workspace app


Citrix Gateway service simplifies the requirements to access On-Premises Virtual Apps and Desktops and thus reduces the needed infrastructure and the operational overhead to maintain it. The need to maintain gateways with SSL Certificates and public IPs in multiple POPs are eliminated. Admins can then focus more on the management of their own IT business service priorities.

  • 24x7x365 monitoring and maintenance by Citrix Cloud experts
  • Deliver a unified Workspace faster with existing IT staff
  • Reduce the need for specialized IT skills

Citrix Cloud Operations

Session Connectivity

A user selects a virtual app or desktop, from their Workspace, and their endpoint receives a launch ticket. It is directed to connect to the Citrix Gateway service which, in turn, contacts the VDA. If configured to use the Rendezvous protocol the VDA establishes a TLS connection directly back to the requesting Citrix Gateway service POP, otherwise it uses Cloud Connector. Then the Citrix Gateway service establishes the session between the endpoint and the VDA.

  • Sessions are linked via Citrix Gateway service across cloud partner’s WANs
  • VDAs and Workspace endpoints rendezvous at the Citrix Gateway service POP closest to the user
  • High quality sessions

Citrix Gateway service and HDX Proxy: Traffic Flow

Citrix Gateway service for HDX Proxy