VDA failure to register behind NAT in Azure

[Terry Rebstein]

Hi, we are finding our VDA's in an isolated subnet do not register when they are behind a NAT in Azure. The NAT is required for security reasons. If we bypass the NAT registration works. We need it to work behind the NAT.

 

There is this article applying to XenDesktop but I want to know if there is something similar for the citrix cloud connector.

 

https://support.citrix.com/article/CTX215734

 

[Christopher Curatolo]

Hi, I am not sure I understand why this is needed. you pretty much keep the Cloud Connector and vda inside the same isolated network and configure the vnet to allow the connector to go outbound 443 with the list of url outlined in https://docs.citrix.com/en-us/citrix-cloud/overview/requirements/internet-connectivity-requirements.html 

 

And as the VMS are in azure, unless you are doing an express route to your local datacenter network where the users clients exists, you would need to use either a NS vpx in your azure vnet where the vda reside or take advantage of the optional netscaler gateway service add on available with the Citrix Cloud Desktops and Apps Service which provides remote ica proxy capabilities to your hosted azure resources. 

[Graham Caparulo]

Cloud connectors need layer 3 routing to your VDA's.  You might be able to do a 1:to:1 NAT for all VDA's, then open a ton of ports, but that would be a lot of work.

 

Out of curiosity, what is the security requirement to firewall off your VDA's from the controllers?

[Terry Rebstein]

This was done originally to isolate the VDA's into a workstation type subnet and the other servers into an infrastructure subnet. I've moved the connector now and all is well.

 

Thanks for the feedback.

[Chris Lakey1709158722]

For what its worth, this is still not enabled with the Cloud Connector VDA registration process.

 

We have a use case whereby we want to register VDAs in our DMZ to facilitate ICA proxy->RDP sessions to other DMZ workloads in multiple/separate non-routable DMZ Subscriptions/vNets.

- There is no chance that we will put Cloud Connectors in the DMZ & this even goes against Citrix's documented best practice.

                ref: https://docs.citrix.com/en-us/citrix-cloud/overview/secure-deployment-guide-for-the-citrix-cloud-platform.html

               "Additionally, the machines on which the Cloud Connector software is installed should be inside the customer’s private network and not in the DMZ. For network and system requirements and instructions for installing the Cloud Connector.."

 

This has been logged and escalated with Citrix.

- I've been told that this is not possible within the existing architecture so the feature request that the support team logged has been cancelled.

Citrix case ref: 78849907 

 

In azure SNAT is pretty much a requirement for HA firewalls/NVAs to ensure symmetry of return traffic.

 - I'm surprised that there is not more on this due to this azure architectural 'requirement'.

     -- I guess people have no DMZ VDA workloads or are ok putting in Cloud connectors in the DMZ or allow direct routing (not via NVA/Firewall) from DMZ to other vNet (Cloud Connector subnet).

 

Each unto their own, its obviously not a 1 size fits all platform but our requirements security/risk mandate that we must use a nextgen firewall appliance when routing traffic from the DMZ->internal.

 

And if anyone was wondering, this is supported with the existing "onPrem" Delivery Controllers (broker service) VDA registration:

https://support.citrix.com/article/CTX215734

 

Might save someone some time in future.

 

Cheers,