Jump to content

Concerns over HDX Routing rather than using Netscaler Gateway


Pearson VUE ATS

Recommended Posts

Posted

Hello.  We are setting up a Storefront system, v3.15 sitting on Windows 2012 R2, which sits behind a Netscaler, 11.1 configuration.  The backend servers are XenApp 6.5 - will also be hosting the XenApp 7.15 from a separate store (Still in configuration).  So, the question.  There have been security concerns around how the Direct HDX Connection configured in the Optimal HDX Routing in the StoreSettings configuration actually works?  We see our Netscaler Gateway, yet, if we bind the Delivery Controllers to the Netscaler Gateway, applications are unable to launch.  If we configure the Direct HDX Connection to use the Delivery Controllers, applications launch, but it appears this would be a mis-configuration not forcing connections through the Netscaler.  Same question goes when selecting External Only assuming that means traffic will be treated as external and routed through the Netscaler.  Security personnel have flagged this as a concern and can also see the individual XenApp server where the app launches if they do a netstat -n | find "2598" on the client's workstation which in turn presents the servers actual IP and host name.  Essentially security seems to think the proxy is not working correctly.

 

I'm not finding a lot around what these options are actually specifying how these mechanisms for these options work.  Is there any more in depth documentation or explanation to validate the working configuration with the security people?


Thanks in advance.

 

Image #1 - works

Citrix_Works.png

Image #2 - Doesn't work

StoreFront_DoesntWork.png

  • 2 months later...
Posted

Optimal Gateway Routing is a complex topic and many StoreFront admins are faced with questions about it.  I will try and summarise how it works as best I can and explain its use cases.  

In a nutshell, Optimal Gateway Routing divorces the concept of logon from launch.  Before its introduction if a user logged on through a Citrix Gateway then all launches would also be proxied through that same gateway by StoreFront.  Even when this didn’t make sense to do so.

Since Optimal Gateway Routing was introduced the following scenarios are possible if StoreFront is configured correctly. 

Authenticate through one Citrix Gateway but proxy the HDX launch traffic through another more suitable gateway. 

This is so HDX sessions to VDAs are proxied through the Citrix Gateway closest to the user/client.  For example, in a GSLB configuration, the end user might log in through a UK gateway and launch a US based resource.  It makes more sense from a traffic routing perspective for StoreFront to pass back the US gateway in the ICA file at launch when the user/client is to be connected to a US based VDA. 


Authenticate through a Citrix Gateway but launch via a direct connection to StoreFront and the VDA.

It is also possible to deliberately prevent all launch traffic from being passed through any Citrix Gateway.  This is because some customers wish to authenticate using a 2 factor auth solution using Citrix Gateway but they do not wish to force user sessions to the VDA through the gateway because they are on the corporate network and the client/user can connect to StoreFront and the VDA directly.  They only use Citrix Gateway for authentication and are not concerned about passing all HDX traffic through it.    
 

Authenticate through StoreFront but use a Citrix Gateway for all launches.

Some customers allow their end users to connect directly to StoreFront and authenticate but all launches are required to pass through a Gateway.  Passing HDX traffic through the gateway may be a requirement so that data can be collected on app and desktop usage using the HDX Insight feature.

I hope this helps with your understanding of the feature and its uses.
 

Regards Mark 

 

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...