Tech Brief: Gateway service for HDX Proxy

Citrix Gateway service for HDX Proxy provides users with secure remote access to Citrix DaaS without having to deploy a NetScaler Gateway appliance in the on-premises DMZ or reconfigure firewalls. Citrix Cloud Services hosts a suite of services provided by Citrix DaaS, Citrix Gateway service, and so forth. All these services are delivered in a single pane using Workspace experience.

On-Premises vs. Cloud

On-Premises

Citrix Gateway is a hardened appliance (physical or virtual) that proxies and secures all Citrix DaaS traffic with standards-based SSL/TLS encryption. The most common deployment configuration is to place the Citrix Gateway appliance in the DMZ. That places the NetScaler Gateway between an organization’s secure internal network and the Internet (or any external network).

NetScaler Gateway appliance has served enterprises well for decades, yet they have extra requirements to provide remote access such as:

• Implementing and maintaining on-premises NetScaler Gateway appliances.
• Implementing and maintaining multiple sites for redundancy.
• Implementing and maintaining public IP addresses.
• Implementing and maintaining network devices.
• Implementing and maintaining firewall rules.

Cloud

Citrix Gateway service for HDX Proxy provides users with secure remote access to Citrix DaaS without having to deploy NetScaler Gateway appliance in the on-premises DMZ or reconfigure firewalls. Citrix hosts the entire infrastructure overhead of managing remote access in the cloud. With Citrix Cloud and Citrix Gateway service enterprises now can provide remote access to Citrix DaaS without those additional requirements along with other benefits:

• Multiple sites are implemented and maintained globally by Citrix.
• Public IP addresses are implemented and maintained by Citrix.
• Citrix Cloud advanced security with Citrix Analytics.
• Predictive DNS provides a better user experience.
• No changes to the Virtual Apps and Desktops environment are required.
• Certificates are implemented and maintained by Citrix.
• Elastic scalability and High Availability are provided and managed by Citrix.
• Enterprises pay as they grow and reduce operating expenses.
• Faster onboarding for new customers.

Citrix Cloud services

Citrix Workspace

Citrix Workspace aggregates and integrates Citrix Cloud services, enabling unified access to all the resources available to your end-users either through the browser with the Workspace URL, or through the Citrix Workspace app, which replaces Citrix Receiver. For more information on how users access their Citrix Workspace, visit Workspace access.

Citrix Cloud Connector

The Citrix Cloud Connector is a software package that deploys a set of services that run on Microsoft Windows servers. The machine hosting the Cloud Connector resides within the network where the resources that you use with Citrix Cloud reside. The Cloud Connector authenticates and encrypts all communication between Citrix Cloud and your resource locations. Once installed, the Cloud Connector initiates communication with Citrix Cloud through an outbound connection. All connections are established from the Cloud Connector to the cloud using the standard HTTPS port (443) and the TCP protocol. No incoming connections are accepted.

• For requirements for installing the Cloud Connector, see System requirements.
• For recommended configurations, see Scale and size considerations for Cloud Connectors.

Citrix Gateway service

The Citrix Gateway service is a part of the Citrix Cloud Services to provide secure remote access. Citrix Gateway service is a globally distributed multitenant service. End users use the nearest Point-of-Presence (PoP) where the particular function that they need is available, regardless of Citrix Cloud Control plane geo-selection or the location of the applications being accessed. Configuration, such as authorization meta-data is replicated to all PoPs.

The Citrix Gateway service provides the following capabilities:

• HDX Connectivity: The Virtual Delivery Agents (VDAs) hosting the apps and desktops remain under the customer’s control in the data center of their choice, either cloud or on-premises.
• DTLS 1.2 protocol support: Citrix Gateway service supports Datagram Transport Layer Security (DTLS) 1.2 for HDX sessions over EDT (UDP-based transport protocol):
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS protocol support: The Citrix Gateway service supports the following TLS cipher suites:
  • TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
  • TLS1.2-ECDHE-RSA-AES-256-SHA384
  • TLS1-ECDHE-RSA-AES128-SHA
  • TLS1.2-AES256-GCM-SHA384
  • TLS1-AES-256-CBC-SHA
• Endpoint Management integration: When integrated with Citrix Endpoint Management plus Citrix Workspace, the Citrix Gateway service provides secure remote device access to your internal network and resources. Onboarding the Citrix Gateway service with Endpoint Management is fast and simple. The Citrix Gateway service includes full support of Citrix SSO for apps such as Secure Mail and Secure Web.

Data flow

The Citrix Gateway service is a globally distributed multitenant service. End users use the nearest Point-of-Presence (PoP) where the particular function that they need is available, regardless of Citrix Cloud Control plane geo-selection or the location of the applications being accessed. Configuration, such as authorization meta-data is replicated to all PoPs.

• Logs used by Citrix for diagnostic, monitoring, business, and capacity planning are secured and stored in one central location.
• Customer configuration is stored in one central location and distributed globally to all PoPs.
• Data flowing between the cloud and customer premises uses secure TLS connections over port 443.
• Encryption keys used for user authentication and single sign-on are stored in hardware security modules.

Rendezvous protocol

When using the Citrix Gateway service, the Rendezvous protocol allows traffic to bypass the Citrix Cloud Connectors and connect directly and securely with the Citrix Cloud control plane. There are two types of traffic to consider:

1. Control traffic for VDA registration and session brokering.
2. HDX session traffic.

Rendezvous V1 - When using the Citrix Gateway Service, the Rendezvous protocol version V1 allows VDAs to bypass the Citrix Cloud Connectors to connect directly to gateway PoP for data-path traffic. Refer to the Rendezvous V1 for the requirements to implement Rendezvous V1 protocol.

Rendezvous V2 - The Rendezvous protocol version V2 supports bypassing the Citrix Cloud Connectors for both control traffic and HDX session traffic. Refer to the Rendezvous V2 for the requirements to implement Rendezvous protocol.

Rendezvous traffic flow

The following diagram illustrates the sequence of steps about Rendezvous traffic flow.

1. The VDA establishes a WebSocket connection with Citrix Cloud and registers.
2. The VDA registers with Citrix Gateway service and obtains a dedicated token.
3. The VDA establishes a persistent control connection with the Gateway Service.
4. The user navigates to Citrix Workspace.
5. Workspace evaluates authentication configuration and redirects users to the appropriate IdP for authentication.
6. The user enters their credentials.
7. After successfully validating the user credentials, the user is redirected to Workspace.
8. Workspace counts resources for the user and displays them.
9. The user selects a desktop or application from Workspace. Workspace sends the request to Citrix DaaS, which brokers the connection and instructs the VDA to prepare for the session.
10. The VDA responds with the Rendezvous capability and its identity.
11. Citrix DaaS generates a launch ticket and sends it to the user device through Workspace.
12. The user’s endpoint connects to the Citrix Gateway service and provides the launch ticket to authenticate and identify the resource to connect to.
13. The Gateway Service sends the connection information to the VDA.
14. The VDA establishes a direct connection for the session with the Gateway Service.
15. The Citrix Gateway service completes the connection between the endpoint and the VDA.
16. The VDA verifies licensing for the session.
17. Citrix DaaS sends applicable policies to the VDA.

Resiliency

The Citrix Gateway service is built to be highly available with multiple instances of the service, deployed on multiple Points of Presence (PoP) across various locations in the world. Also, the service is hosted on different cloud providers. For the list of Citrix Gateway service PoPs, see Citrix Gateway service – Points-of-Presence (PoPs). Within a Citrix Gateway service PoP, the micro services and tenants are deployed in a fully redundant active-active model. This functionality allows any component to switch over to the standby if there is a failure. Only in rare cases, if all the services of a component within a PoP fail, does the Gateway service mark itself as down. Citrix uses the Intelligent Traffic Manager to monitor PoP health and automatically uses DNS to switch traffic to an alternate PoP if necessary.

Citrix Gateway service support on the Google Cloud Platform (GCP)

With Citrix Gateway Service support on the Google Cloud Platform (GCP), customers running their workloads on Google Cloud can take advantage of Google Cloud’s high-performing global network using the Citrix Gateway optimal routing feature. The optimal gateway routing feature directs clients to the closest GCP Citrix Gateway Service PoP. Also, the Citrix Gateway Service on Google Cloud provides secure connectivity between Citrix Workspace clients and virtualization resources to deliver sessions with the lowest latency and the best user experience possible. For details, Citrix Gateway service on Google Cloud Platform

Deployment

Enable the Citrix Gateway service

Customers who are entitled for the Citrix DaaS get the Citrix Gateway service enabled by default. Customers do not have to request a separate Citrix Gateway service trial. For details, see Sign-up for the service.

Following are the steps to enable the Citrix Gateway service for Citrix Workspace users.

1. Sign into Citrix Cloud Services as an admin user.
2. Click the hamburger icon and choose Workspace Configuration.
3. In the Access tab under External Connectivity section, locate the ellipses next to My Resource Location presented under Citrix DaaS. Click the ellipses, click Configure Connectivity.

   

4. Choose Citrix Gateway service in the pop-up window and click Save.

   

Web/SSL Proxy

When SSL decryption is enabled on certain proxies, some services may have trouble connecting to Citrix Cloud. These connection difficulties may be observed as a reliable connection failure, an intermittent connection failure, or a timeout. Proxies can cause the following issues:

• Randomize the DNS source IP, which leads to users being directed to a sub-optimal PoP.
• Add latency to connections that are directed to the wrong PoP (100 ms+, with excessive jitter).
• TLS inspection breaks the Citrix Gateway service since it does not support TLS interception.

It is recommended to exclude Citrix Gateway service FQDNs from any DNS filtering and traffic inspection. Refer to the System and Connectivity Requirements for required contactable Internet addresses, and considerations for establishing connectivity between your resources and Citrix Cloud.

The allowlist.json file is located at https://fqdnallowlistsa.blob.core.windows.net/fqdnallowlist-commercial/allowlist.json and lists the FQDNs that the Cloud Connector accesses. This list is grouped by product and includes a change log for each group of FQDNs.

If using Zscaler Private Access (ZPA), it is recommended that you configure bypass settings for the Citrix Gateway service to avoid increased latency and the associated performance impact. To do so, you must define application segments for the Citrix Gateway service addresses – specified in the requirements – and set them to always bypass. For information on configuring application segments to bypass ZPA, see the Secure Private Access (ZPA) – Configuring Bypass Settings.

VPN

It is recommended for VPNs to implement local breakout for Citrix Gateway service domains - https://*.*.nssvc.net, https://*.g.nssvc.net, and https://*.c.nssvc.net

• Enable split tunnelling, so that the VPN Client sends only traffic destined for internal networks protected by the VPN tunnel.
• Traffic destined for the Citrix Gateway service would be sent directly via their local internet, rather than being backhauled over the VPN tunnel and internal network.

To implement it with Citrix Gateway VPN, make the following changes:

• Enable spit tunneling under the VPN session policy Client Experience tab by setting the “Split Tunnel” field to “ON”.
• Configure transparent Intranet Application entries with the Internal Network IP address ranges.
• Under the Client Experience tab, advanced setting, ensure that “Split DNS” is set to Local. Also configure the DNS Suffix List under Traffic Management > DNS > DNS Suffix. Matching queries are forwarded to the gateway, while others are forwarded to the local DNS.

For more information see Full VPN setup on NetScaler Gateway - Configure split tunneling

Manageability

Citrix Gateway service, as a cloud-based remote access solution, can simplify operational overhead by centralizing management, reducing infrastructure complexity, providing automated updates, and offering scalable and elastic solutions. Organizations can benefit from the convenience of cloud services, allowing IT teams to focus on strategic initiatives rather than day-to-day operational tasks.

• Centralized Management: With the Citrix Gateway service being part of Citrix Cloud, administrators can manage the Citrix Gateway service centrally through a unified console. Eliminates the need to individually manage multiple on-premises NetScaler Gateways, reducing the complexity of operations.
• Reduced Infrastructure Management: Citrix Gateway service eliminates the need for organizations to manage and maintain on-premises NetScaler Gateway appliances. Significantly reduce the operational burden associated with maintaining physical servers, networking equipment, and related components.
• Automatic Updates and Patching: Citrix Gateway service includes automated updates and patch management. Ensures that the service is running the latest security enhancements and feature updates without requiring manual intervention from administrators.
• Scalability and Elasticity: Citrix Gateway service allows organizations to easily scale their remote access infrastructure up or down as needed, without the complexities associated with traditional infrastructure scaling.
• Outsourced Maintenance and Support: By using a cloud-based service, organizations can use the expertise and support services provided by Citrix. Offloading some of the maintenance tasks and troubleshooting responsibilities from the organization's internal IT team.

Citrix’s service commitment is to maintain at least 99.9% monthly uptime on Services. For additional information, refer to the Citrix Cloud Service Level Agreement. The Citrix Cloud Health Dashboard provides status updates about significant incidents or scheduled maintenance of our Cloud services, per geographical region. For additional information, refer to Citrix Cloud Service Health documentation.