Pearson VUE ATS
Posted May 6, 2019

Hello. We are setting up a StoreFront system, v3.15, sitting on Windows 2012 R2, which sits behind a NetScaler 11.1 configuration. The backend servers are XenApp 6.5, and it will also be hosting XenApp 7.15 from a separate store (still in configuration).

So, the question. There have been security concerns around how the Direct HDX Connection configured in Optimal HDX Routing in the store settings actually works. We see our NetScaler Gateway, yet if we bind the Delivery Controllers to the NetScaler Gateway, applications are unable to launch. If we configure the Direct HDX Connection to use the Delivery Controllers, applications launch, but it appears this would be a misconfiguration, not forcing connections through the NetScaler. The same question goes for selecting External Only, assuming that means traffic will be treated as external and routed through the NetScaler.

Security personnel have flagged this as a concern and can also see the individual XenApp server where the app launches if they do a netstat -n | find "2598" on the client's workstation, which in turn presents the server's actual IP and host name. Essentially, security seems to think the proxy is not working correctly. I'm not finding a lot around what these options are actually specifying or how the mechanisms for these options work. Is there any more in-depth documentation or explanation to validate the working configuration with the security people?

Thanks in advance.

Image #1 - works
Image #2 - Doesn't work
Mark Dear
Posted July 10, 2019

Optimal Gateway Routing is a complex topic and many StoreFront admins are faced with questions about it. I will try to summarise how it works as best I can and explain its use cases.

In a nutshell, Optimal Gateway Routing divorces the concept of logon from launch. Before its introduction, if a user logged on through a Citrix Gateway then all launches would also be proxied through that same gateway by StoreFront, even when this did not make sense. Since Optimal Gateway Routing was introduced, the following scenarios are possible if StoreFront is configured correctly.

1. Authenticate through one Citrix Gateway but proxy the HDX launch traffic through another, more suitable gateway. This is so HDX sessions to VDAs are proxied through the Citrix Gateway closest to the user/client. For example, in a GSLB configuration, the end user might log in through a UK gateway and launch a US-based resource. It makes more sense from a traffic routing perspective for StoreFront to pass back the US gateway in the ICA file at launch when the user/client is to be connected to a US-based VDA.

2. Authenticate through a Citrix Gateway but launch via a direct connection to StoreFront and the VDA. It is also possible to deliberately prevent all launch traffic from being passed through any Citrix Gateway. This is because some customers wish to authenticate using a 2-factor auth solution using Citrix Gateway, but they do not wish to force user sessions to the VDA through the gateway because they are on the corporate network and the client/user can connect to StoreFront and the VDA directly. They only use Citrix Gateway for authentication and are not concerned about passing all HDX traffic through it.

3. Authenticate through StoreFront but use a Citrix Gateway for all launches. Some customers allow their end users to connect directly to StoreFront and authenticate, but all launches are required to pass through a Gateway. Passing HDX traffic through the gateway may be a requirement so that data can be collected on app and desktop usage using the HDX Insight feature.

I hope this helps with your understanding of the feature and its uses.

Regards
Mark
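As an added example for this thread (not from the original posts and not Citrix code), the following Python script shows how a client-side check can tell the launch scenarios above apart. It parses the launch.ica file that StoreFront returns and reports whether the session will be proxied by a gateway (the Address key holds an STA ticket and SSLProxyHost names the gateway) or will go direct to the VDA (Address is the VDA host or IP), and it scans netstat -n output for established connections on ports 1494/2598, which is the check the original poster's security team ran. The ICA contents, host names, IP addresses and STA ticket values are constructed for illustration; only the ICA key names are the standard ones.

```python
"""Classify a StoreFront launch.ica as gateway-proxied or direct, and flag
direct VDA connections in netstat output. Illustration code for this
thread, not Citrix code; sample hosts, addresses and tickets are made up."""
import re
from typing import Dict, List

# In a gateway launch StoreFront replaces the VDA address with an STA ticket
# of the form ";40;<STA id>;<ticket>" and names the gateway in SSLProxyHost.
STA_TICKET = re.compile(r"^;\d+;STA[^;]+;\S+$")
HDX_PORTS = {"1494", "2598"}  # ICA and CGP (session reliability)

# Constructed sample: launch routed through a Citrix Gateway.
GATEWAY_ICA = """\
[WFClient]
Version=2
[ApplicationServers]
Notepad=
[Notepad]
Address=;40;STA1A2B3C4D;9E8F7A6B5C4D3E2F1A0B9C8D7E6F5A4B
SSLEnable=On
SSLProxyHost=gateway.example.com:443
CGPAddress=*:2598
InitialProgram=#Notepad
"""

# Constructed sample: direct launch, the client talks to the VDA itself.
DIRECT_ICA = """\
[WFClient]
Version=2
[ApplicationServers]
Notepad=
[Notepad]
Address=10.20.30.40:1494
SSLEnable=Off
CGPAddress=*:2598
InitialProgram=#Notepad
"""

# Constructed sample of "netstat -n" on the client during a direct launch.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.1.1.50:50123        10.20.30.40:2598       ESTABLISHED
  TCP    10.1.1.50:50124        203.0.113.10:443       ESTABLISHED
  TCP    10.1.1.50:50125        10.1.1.20:445          ESTABLISHED
"""


def parse_ica(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-style ICA file into {section: {key: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def classify_launch(ica_text: str) -> Dict[str, str]:
    """Report where the HDX session will actually connect."""
    sections = parse_ica(ica_text)
    # [ApplicationServers] names the app; the section of that name holds
    # the connection details.
    names = list(sections.get("ApplicationServers", {}))
    if not names:
        raise ValueError("ICA file has no [ApplicationServers] entry")
    app = sections[names[0]]
    address = app.get("Address", "")
    proxy = app.get("SSLProxyHost", "")
    ssl_on = app.get("SSLEnable", "Off").lower() == "on"
    if proxy and ssl_on and STA_TICKET.match(address):
        return {"mode": "gateway", "endpoint": proxy,
                "reason": "Address is an STA ticket; client connects only to SSLProxyHost"}
    if proxy or STA_TICKET.match(address):
        # Half-configured: a ticket without a gateway, or a gateway with a raw
        # VDA address. Flag it rather than guess.
        return {"mode": "inconsistent", "endpoint": proxy or address,
                "reason": "SSLProxyHost and Address disagree about gateway use"}
    return {"mode": "direct", "endpoint": address,
            "reason": "Address is the VDA itself; no gateway in the path"}


def direct_vda_connections(netstat_output: str) -> List[str]:
    """Return established remote endpoints on ICA/CGP ports: the
    'netstat -n | find "2598"' check from the original post, plus 1494."""
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        remote = fields[2]
        if remote.rsplit(":", 1)[-1] in HDX_PORTS:
            hits.append(remote)
    return hits


if __name__ == "__main__":
    for label, ica in (("gateway", GATEWAY_ICA), ("direct", DIRECT_ICA)):
        print(label, classify_launch(ica))
    print("direct VDA connections:", direct_vda_connections(NETSTAT_SAMPLE))
```

For a gateway launch, the client's netstat should show an established connection to the gateway on its listening port (443 in the sample) and nothing on 1494 or 2598 to a VDA address. If direct_vda_connections returns anything, the session is going around the gateway, which is exactly what the original poster's security team observed with the Direct HDX Connection setting pointing at the Delivery Controllers.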
Pearson VUE ATS (Author)
Posted July 10, 2019

Mark, thank you for the additional details; that helps clarify things a bit. Thank you.