  • 0

3 different CVAD sites on 3 different continents, but only 1 login URL?


tylital520

Question

Posted

Hi,

 

let's say we have the setup described in the picture: a Citrix CVAD site is created at site A on continent A to provide access to private network A. Private network A is protected by a firewall, and only traffic to the Gateway vServer URL https://gateway.contoso.com is allowed (port 443).

 

If a user from Site B wants to connect to private network A on Site A (to access servers in private network A), she/he connects to that URL and uses Citrix applications or a desktop to connect to servers in private network A.

 

Site B and Site C also have private networks (B and C), but no CVAD site in place. What we would like to do is to implement CVAD sites in these locations too, to provide access to private network B and private network C. We would not, however, want to have 3 different URLs for these sites. We would like to have 1 URL, so that when a user logs in, she/he sees all the apps from each site (e.g. Google Chrome Site A, Google Chrome Site B, Google Chrome Site C). When a user launches an application from Site A, B or C, her/his traffic goes through the NetScaler on that site.

 

So basically this is not a disaster recovery setup where, if a site goes down, the user is directed to use applications from another site. Applications/desktops on each site provide access to servers on that site, and those applications/desktops cannot be used to connect to servers on other private networks.

 

Any ideas how we could achieve this?

 

[attached image: network diagram]

8 answers to this question

Recommended Posts

  • 0
Posted

StoreFront can aggregate icons from multiple sites/farms. One URL to StoreFront. If you have StoreFront in all three locations, then GSLB the URL.

 

HDX Optimal Routing can send ICA traffic through a different Gateway URL for each site/farm. 

 

Typically your Gateway certificate has the one FQDN for StoreFront, plus FQDNs for each of the sites so HDX Optimal Routing works.

 

I have some info at https://www.carlstalhood.com/storefront-cr-configuration-for-citrix-gateway/#multipledatacenters

  • 0
Posted
On 6/30/2020 at 2:38 PM, Carl Stalhood1709151912 said:

StoreFront can aggregate icons from multiple sites/farms. One URL to StoreFront. If you have StoreFront in all three locations, then GSLB the URL.

 

HDX Optimal Routing can send ICA traffic through a different Gateway URL for each site/farm. 

 

Typically your Gateway certificate has the one FQDN for StoreFront, plus FQDNs for each of the sites so HDX Optimal Routing works.

 

I have some info at https://www.carlstalhood.com/storefront-cr-configuration-for-citrix-gateway/#multipledatacenters

 

Hi Carl!

Thank you for the reply. I checked your instructions + the following links:
https://www.jgspiers.com/storefront-high-availability-optimal-routing/
https://www.citrix.com/content/dam/citrix/en_us/documents/white-paper/ns-optimal-gateway-routing-tech-wp.pdf

 

Based on what I read here's my plan:

  • Separate Citrix farm/site for each site (A, B, C)
  • Separate ADC for each site
  • On site A StoreFront Configure optimal HDX routing by selecting the Store -> Configure Store Settings -> Optimal HDX Routing -> Add Gateway -> Add the gateway from site B

                    -> Select Site A Gateway -> Manage Delivery Controllers -> Select Site A Delivery Controllers
                    -> Select Site B Gateway -> Manage Delivery Controllers -> Select Site B Delivery Controllers

 

After this, add the site C Gateway & Delivery Controllers on the Site A StoreFront. That should do it? Basically I don't see any reason to use GSLB because each site "has a unique FQDN that resolves to a specific Citrix Gateway VIP in a specific datacenter." There is no need to aggregate icons either because each datacenter/site has its unique apps/desktops that can only be used to connect to the private network on that site.

 

So basically the HTTP traffic can always go to site A, but when a user clicks an application/desktop from site B/C, the ICA traffic goes through the site B/C Citrix Gateway.

 

Or am I missing something? What about the Gateway certificate on Site A; do I need to create Subject Alternative Names for StoreFront + site B & C Gateway FQDNs?
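Carl's answer above says the Gateway certificate needs the StoreFront FQDN plus the FQDN of every gateway used for HDX Optimal Routing; a missing name means the ICA launch through that gateway fails the TLS check. As an added example (not code from this thread or from Citrix), the script below parses the dNSName entries of a DER-encoded SubjectAltName extension with only the standard library and reports which required FQDNs are absent. Only gateway.contoso.com comes from the thread; the other hostnames and the farm-to-gateway mapping are constructed.

```python
# Added example: verify that a Citrix Gateway certificate's SAN list covers the
# StoreFront FQDN plus every gateway FQDN referenced by HDX Optimal Routing.
# The SAN extension value is parsed from raw DER (no third-party libraries).

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (0x81/0x82 ...)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_san_dns_names(ext_value):
    """Return the dNSName entries of a DER-encoded SubjectAltName extension value."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("SAN extension value must be a SEQUENCE of GeneralName")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x82:                    # context tag [2] = dNSName (IP/email entries skipped)
            names.append(value.decode("ascii").lower())
    return names


def required_fqdns(storefront_fqdn, optimal_routing):
    """StoreFront FQDN plus every gateway FQDN that optimal routing can launch through."""
    return {storefront_fqdn.lower()} | {g.lower() for g in optimal_routing.values()}


def missing_sans(ext_value, storefront_fqdn, optimal_routing):
    """Sorted list of required FQDNs that the certificate's SAN does not contain."""
    return sorted(required_fqdns(storefront_fqdn, optimal_routing) - set(parse_san_dns_names(ext_value)))


def encode_san(dns_names):
    """Build a DER SubjectAltName value (short-form lengths only) for the constructed sample."""
    body = b"".join(b"\x82" + bytes([len(n)]) + n.encode() for n in dns_names)
    return b"\x30" + bytes([len(body)]) + body


# Constructed sample (hypothetical): each farm is mapped to its own gateway FQDN.
OPTIMAL_ROUTING = {"SiteA": "gateway.contoso.com",
                   "SiteB": "gw-b.contoso.com",
                   "SiteC": "gw-c.contoso.com"}
SAMPLE_SAN = encode_san(["gateway.contoso.com", "gw-b.contoso.com"])  # site C gateway missing

if __name__ == "__main__":
    print(missing_sans(SAMPLE_SAN, "gateway.contoso.com", OPTIMAL_ROUTING))  # ['gw-c.contoso.com']
```

On a live deployment the SAN bytes would come from the certificate bound to the Gateway vServer rather than from `encode_san`; the check logic is unchanged.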

  • 0
Posted

Hi Carl,

 

maybe a stupid question, but how about if I add our ADC and Delivery Controllers from Site A to Site B's StoreFront, and after this Site A's apps and desktops are available via Site B's StoreFront; can I still access the StoreFront from Site A directly and launch the apps and desktops from there?

  • 0
Posted
On 11/30/2020 at 3:06 PM, Carl Stalhood1709151912 said:

Yes. That's typically how you do it. If you have the same icons in both sites/farms, then you can configure Icon Aggregation in StoreFront and prioritize the sites/farms.

Thanks Carl,

 

I should have explained myself better. Let's imagine the following setup. User A accesses "Internal network" from the Internet via ns.contoso.com (ADC). He/she sees apps and desktops from Citrix site 1, and can access with those services in "Internal Network".

 

User B, who is already inside "Internal network", wants to access services in "Protected network". The user connects to ns.internal.com (not available directly from the Internet) and the traffic goes through a firewall and ADC. He/she sees the apps and desktops from Citrix site 2, and can access with those services in "Protected Network".

[attached image: network diagram]

Question:

Is there some way to get applications and desktops from Citrix site 2 to a Citrix site 1 StoreFront, and enable user A to access "Protected network" directly via ns.contoso.com? At the moment, if user A wants to connect to "Protected network" he/she needs to first open desktop from Citrix site 1, and then from inside that desktop access Citrix site 2 URL and launch app or desktop.

 

Perhaps we could add Delivery Controllers from Citrix site 2 to a Store in Citrix site 1? This would bring apps and desktops from Citrix site 2 to the ns.contoso.com StoreFront, right? And in that scenario we would need to allow traffic between the ns.contoso.com SNIP and Citrix site 2 VDAs, and between Citrix site 1 StoreFronts and Citrix site 2 Delivery Controllers?

 

In this setup traffic would completely bypass ns.internal.com ADC, am I right? If what I've said is correct, would the User B still be able to use ns.internal.com to access Citrix site 2?

 

And how about if we would like to use HDX Optimal routing so that when user A clicks an application or desktop on Citrix site 1 Store which is from Citrix site 2, the traffic would go through ns.internal.com ADC; I guess in this scenario ns.internal.com ADC would need to be reachable from the Internet?

 

 

 

 
