
VDA failure to register behind NAT in Azure

Terry Rebstein


Hi, we are finding our VDAs in an isolated subnet do not register when they are behind a NAT in Azure. The NAT is required for security reasons. If we bypass the NAT, registration works. We need it to work behind the NAT.


There is this article applying to XenDesktop, but I want to know if there is something similar for the Citrix Cloud Connector.




Link to comment

4 answers to this question


Hi, I am not sure I understand why this is needed. You pretty much keep the Cloud Connector and VDA inside the same isolated network and configure the vNet to allow the connector to go outbound on 443 to the list of URLs outlined in https://docs.citrix.com/en-us/citrix-cloud/overview/requirements/internet-connectivity-requirements.html


And as the VMs are in Azure, unless you are doing an ExpressRoute to your local datacenter network where the users' clients exist, you would need to use either an NS VPX in your Azure vNet where the VDAs reside, or take advantage of the optional NetScaler Gateway Service add-on available with the Citrix Cloud Desktops and Apps Service, which provides remote ICA proxy capabilities to your hosted Azure resources.

Link to comment

For what it's worth, this is still not enabled with the Cloud Connector VDA registration process.


We have a use case whereby we want to register VDAs in our DMZ to facilitate ICA proxy->RDP sessions to other DMZ workloads in multiple/separate non-routable DMZ Subscriptions/vNets.

- There is no chance that we will put Cloud Connectors in the DMZ & this even goes against Citrix's documented best practice.

  ref: https://docs.citrix.com/en-us/citrix-cloud/overview/secure-deployment-guide-for-the-citrix-cloud-platform.html

  "Additionally, the machines on which the Cloud Connector software is installed should be inside the customer’s private network and not in the DMZ. For network and system requirements and instructions for installing the Cloud Connector.."


This has been logged and escalated with Citrix.

- I've been told that this is not possible within the existing architecture so the feature request that the support team logged has been cancelled.

Citrix case ref: 78849907 


In Azure, SNAT is pretty much a requirement for HA firewalls/NVAs to ensure symmetry of return traffic.

- I'm surprised that there is not more on this due to this Azure architectural 'requirement'.

  -- I guess people have no DMZ VDA workloads, or are OK putting Cloud Connectors in the DMZ, or allow direct routing (not via NVA/firewall) from the DMZ to another vNet (Cloud Connector subnet).


Each to their own, it's obviously not a one-size-fits-all platform, but our security/risk requirements mandate that we must use a next-gen firewall appliance when routing traffic from the DMZ->internal.


And if anyone was wondering, this is supported with the existing "onPrem" Delivery Controllers (broker service) VDA registration:



Might save someone some time in future.




Link to comment
