We’ve seen a lot of questions about how to get the Citrix client to work with DirectAccess. The following provides some information and procedures that may help get the Citrix client working over DirectAccess.
The Citrix client can use IPv6 to connect to one type of server only: the Citrix Secure Gateway (CSG). In order for the Citrix client to work over DA, you need to:
A key issue to be aware of is that Citrix clients do not support IPv6, with the exception of connecting to the Citrix Secure Gateway (CSG). Although the CSG can sit directly on the Internet, it’s preferred to put it on the LAN with an IPv6 address (either native or ISATAP). Here’s how it works:
When configuring the CSG, take note of the guidance at http://support.citrix.com/proddocs/index.jsp?lang=en&topic=/xenapp5fp-w2k8/sg-features-v2.html on using the IPv6 address to listen on.
Note: The client plug-in needs to be version 11 or above and must trust the CSG’s server certificate.
Finally, it appears that even though the Citrix client is able to connect over IPv6 to the CSG, it needs the CSG’s name to resolve to both the IPv4 address and the IPv6 address. For this to happen, we need to exempt the name of the CSG from the NRPT in the UAG DirectAccess configuration so that it uses an internal DNS server instead of the UAG DNS64. This is done by entering the IP address of the internal DNS server. If you don’t do this, resolution of the CSG’s name defaults to the UAG DirectAccess server’s DNS64 service, which never returns IPv4 addresses (it always returns a NAT64 address), and that causes issues for the Citrix client.
An example of how you can configure this is included in the figure below.
HTH,
Tom
Tom Shinder tomsh@microsoft.com Microsoft DAIP iX/SCD iX UAG Direct Access/Anywhere Access Group (AAG) The “Edge Man” blog (DA all the time): http://blogs.technet.com/tomshinder/default.aspx Follow me on Twitter: http://twitter.com/tshinder Facebook: http://www.facebook.com/tshinder
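One way to check, from a DirectAccess client, whether the CSG's name is being answered by the internal DNS server or by DNS64, as described in the post above. This is an added example, not part of the original post: the function names, the sample addresses and the NAT64 prefix are constructed, and it assumes a /96 NAT64 prefix (IPv4 address in the low 32 bits) that you supply for your own deployment.

```python
import ipaddress
import socket

def resolve(name):
    """Return the distinct addresses the local resolver gives for name."""
    infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_csg_resolution(addresses, nat64_prefix):
    """Classify what a DirectAccess client received for the CSG name.

    nat64_prefix is an assumption: the /96 prefix your DNS64/NAT64 uses.
    """
    prefix = ipaddress.ip_network(nat64_prefix)
    if prefix.version != 6 or prefix.prefixlen != 96:
        raise ValueError("expected an IPv6 /96 NAT64 prefix")
    v4, v6, nat64 = [], [], []
    for text in addresses:
        addr = ipaddress.ip_address(text.split("%")[0])  # drop any zone id
        if addr.version == 4:
            v4.append(str(addr))
        elif addr in prefix:
            # With a /96 prefix the low 32 bits carry the IPv4 address.
            embedded = ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
            nat64.append((str(addr), str(embedded)))
        else:
            v6.append(str(addr))  # native or ISATAP address
    if v4 and v6:
        verdict = "ok: both IPv4 and IPv6 returned (internal DNS answered)"
    elif nat64 and not v4:
        verdict = "dns64: only NAT64 addresses, name is not exempted"
    elif v6 and not v4:
        verdict = "no-ipv4: IPv6 only, no IPv4 address returned"
    elif v4:
        verdict = "no-ipv6: no IPv6 address returned for the CSG"
    else:
        verdict = "unresolved"
    return {"verdict": verdict, "ipv4": v4, "ipv6": v6, "nat64": nat64}

# Constructed sample answers (not real hosts).
SAMPLE_PREFIX = "2001:db8:64::/96"
EXEMPTED = ["10.0.0.25", "2001:db8:1::25"]   # name exempted in the NRPT
VIA_DNS64 = ["2001:db8:64::a00:19"]          # synthesized by DNS64

if __name__ == "__main__":
    for answers in (EXEMPTED, VIA_DNS64):
        print(check_csg_resolution(answers, SAMPLE_PREFIX))
```

On a live client, pass `resolve("<CSG FQDN>")` as the first argument instead of the sample lists.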
So you need Citrix Secure Gateway to accomplish this? Citrix EOLed that product over 2 years ago....
Hi Tom,
You entered the FQDN of the CSG server, but the radio button "DNS Suffix" is selected. Is this a typo?
regards Marc
From testing onsite with a customer, it would appear that if you are using ISATAP on the CSG server, this negates the need to add an NRPT entry.
We have a standard NRPT rule for the internal DNS suffix and the CSG hostname is also on the same DNS suffix (and also located internally). We can see client connections to the CSG server using the DA client Teredo address and Citrix applications are fully working.
Thoughts?
Cheers
JJ
Jason.
Could I ask what kind of config you have on your web interface site?
XML Port / http/https/SSLRelay?
Regards
Kristian
It was a pretty standard setup using XML on port 80 from memory. The web interface site was installed on the actual CSG server itself so that we could provide settings for DA clients independently...
Hello Sir
I tried this on Server 2012, but DNS fails when I put it in the NRPT rules.
Please advise.
Does anyone know if this works for the Access Gateway Enterprise platform or netscaler as well? Also the link to the CSG section above appears to be dead:
In configuring the CSG, note should be taken in support.citrix.com/.../index.jsp to use the IPv6 address to listen on.
I'm not sure what you mean by the IPv6 address that needs to be listened on... was hoping a traditional Access Gateway Enterprise/Web Interface implementation would work without too much reconfiguration.
Thanks