
Citrix CVAD remote access resource for external users


Emmanuel Mergirie

Question

Hi everyone,

I can't understand which issue I am facing in providing StoreFront to my external users.

Launching resources is the worst! In a big company context.

Our network team has in place a Fortinet ADC in front of the external firewall, which communicates over 443 with the internal StoreFront.

As you can see, the 1494 and 2598 ports are missing in my config set, but after discussing it, they can't open those through the DMZ to target the FortiADC, for understandable security reasons.

Which options I tried:

- Push the purchase of a Citrix ADC or Gateway VPX (the answer will be considered for next year's budget by management).

- Tried Azure proxy app (same issue: launch won't work).

Can I use two StoreFronts (one in the DMZ and one internal) to route 1494 and 2598 behind it?

Or? I don't have any other secure option.

Could you help me please?

Thanks for your assistance,

Emmanuel

 


4 answers to this question


If I understand your question, you want to try to provide external users access to your CVAD environment without a Gateway but also without a VPN solution as an alternative. (And it appears you think you only need access to StoreFront for this to work.) If I misunderstood, I apologize.

Basically for remote access you do need a Gateway to do HDX Proxy or equivalent tech or a vpn solution (whether Citrix ADC or other is also possible).

 

It is not advisable to support external access to StoreFront/CVAD in a direct mode (meaning without a Gateway/HDX Proxy config or other external access method like a VPN). If you just have direct access to StoreFront without the Gateway, then you must also expose every destination VDA publicly as well.

 

If you do not have a current Gateway deployment for HDX Proxy (which only requires the Citrix Receiver/Workspace App client side), you could provide external access via an existing VPN solution. The StoreFront/VDA access would then follow the same communication flow as for internal users, but the VPN would carry the client-to-StoreFront and client-to-VDA traffic over the VPN.

 

The whole purpose of a Gateway/HDX Proxy solution is that 1) you provide secure, remote external access to your Citrix CVAD resources, where 2) the user only requires a Citrix Receiver or Workspace App, the connection is limited to an HDX connection only, and 3) no external names or IPs are exposed beyond the Gateway. The client-to-Gateway connection is all SSL:443 or DTLS:443 only. The Gateway communicates with the internal components for authentication, StoreFront (SSL:443), the STAs (HTTP or SSL), and all destination VDAs (which would be either TCP:2598/1494 or EDT (UDP):2598/1494 depending on protocol).

 

For reference, an internal/StoreFront-only launch process involves:

Client to StoreFront (HTTPS); StoreFront then communicates with AD for authentication and with the CVAD Controllers.

When the user goes to launch a resource, the first part of the communication goes to StoreFront, which talks to the Controllers again to figure out where to send you. The VDA destination is returned to StoreFront, which creates the .ica file. The .ica file is returned to the client, and the client now connects to the VDA specified on 2598 or 1494 (TCP or EDT (UDP)). StoreFront is only involved in enumerating your list of resources and telling the client where to go. The client still talks directly to the VDA in the session connection phase (not via StoreFront).

So to do this publicly without a Gateway (HDX Proxy) or a VPN, you would have public access directly to your VDAs, which is very, very insecure and not recommended.


This is the Citrix ADC-WAF- forum, so you went to the wrong forum. No matter.

You need an ICA proxy. You may do this using F5. It is not a perfect solution, as F5 does not understand Citrix, but it exists; I already implemented it (and removed it, as my customer was unhappy with this solution and replaced all F5 boxes with Citrix ADC). You won't like it; the Citrix Gateway solution is way more handy.
