How user connections are handled
To start a XenApp or XenDesktop session, the user connects either via Citrix Receiver, which is installed on the user's device, or via Receiver for Web (RFW).
Within Receiver, the user selects the physical or virtual desktop or virtual application that is needed.
The user's credentials move through this pathway to access the Controller, which determines what resources are needed by communicating with a Broker Service. It is recommended for administrators to put a SSL certificate on StoreFront to encrypt the credentials coming from Receiver.
The Broker Service determines which desktops and applications the user is allowed to access.
Once the credentials are verified, the information about available apps or desktops is sent back to the user through the StoreFront-Receiver pathway. When the user selects applications or desktops from this list, that information goes back down the pathway to the Controller, which determines the proper VDA to host the specific applications or desktop.
The Controller sends a message to the VDA with the user's credentials and sends all the data about the user and the connection to the VDA. The VDA accepts the connection and sends the information back through the same pathways all the way to Receiver. Receiver bundles up all the information that has been generated in the session to create Independent Computing Architecture (ICA). file on the user's device if Receiver is installed locally or on RFW if accessed through the web. As long as the Site was properly set up, the credentials remain encrypted throughout this process.
The ICA file is copied to the user's device and establishes a direct connection between the device and the ICA stack running on the VDA. This connection bypasses the management infrastructure: Receiver, StoreFront, and Controller.
The connection between Receiver and the VDA uses the Citrix Gateway Protocol (CGP). If a connection is lost, the Session Reliability feature enables the user to reconnect to the VDA rather than having to relaunch through the management infrastructure. Session Reliability can be enabled or disabled in Studio.
Once the client connects to the VDA, the VDA notifies the Controller that the user is logged on, and the Controller sends this information to the Site database and starts logging data in the Monitoring database.