The Private Cloud Man

Private Cloud Technologies, Architecture and more!

Configuring DirectAccess to Support Citrix Connections


We’ve seen a lot of questions on how to get the Citrix client to work with DirectAccess. The following information and procedures may help you get the Citrix client working over DirectAccess.

The Citrix client can use IPv6 to connect to one type of server only: the Citrix Secure Gateway (CSG). In order for the Citrix client to work over DA, you need to:

  1. Install the CSG on the internal network
  2. Configure the Citrix Web Interface to use CSG
  3. Create an NRPT rule that uses the internal DNS server directly instead of going through the UAG DNS64

A key issue to be aware of is that Citrix clients do not support IPv6, with the exception of connecting to the Citrix Secure Gateway (CSG). Although the CSG can sit directly on the Internet, it’s preferable to put it on the LAN with an IPv6 address (either native or ISATAP). Here’s how it works:


  1. The client establishes a DA connection
  2. The user uses the browser to bring up the Citrix Web Interface and authenticates to it.
  3. The Web Interface compiles a list of allowed applications and presents them to the user.
  4. The user clicks an icon that represents an application and the Web Interface invokes the client side Citrix plug-in
  5. The Citrix plug-in initiates a session with the server through the CSG according to the connection information supplied by the Web Interface. In this case this includes information about the SSLProxy (CSG) and Secure ticket authority.

When configuring the CSG, follow the guidance at http://support.citrix.com/proddocs/index.jsp?lang=en&topic=/xenapp5fp-w2k8/sg-features-v2.html and set the CSG to listen on its IPv6 address.

Note:
The client plug-in must be version 11 or above and must trust the CSG’s server certificate.

Finally, it appears that even though the Citrix client is able to connect over IPv6 to the CSG, it needs the CSG’s name to resolve to both the IPv4 address and the IPv6 address. For this to happen, we need to exempt the name of the CSG from the NRPT in the UAG DirectAccess configuration so that it uses an internal DNS server instead of the UAG DNS64. This is done by entering the IP address of the internal DNS server. If you don’t do this, name resolution defaults to the UAG DirectAccess server’s DNS64 service, which never returns IPv4 addresses (it always returns a NAT64 address), causing issues for the Citrix client.

An example of how you can configure this is included in the figure below.

[Figure: NRPT entry for the CSG name in the UAG DirectAccess configuration (image not available)]
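The rule selection described above, modelled as an added example (not code from the original post or from UAG): it picks the most specific NRPT entry for a name and flags a CSG name that would still be answered by DNS64. The host names, the addresses (documentation address space) and the function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NrptRule:
    namespace: str      # leading dot = DNS suffix rule, otherwise a single-FQDN rule
    dns_servers: tuple  # servers a DirectAccess client queries for this namespace

def match_rule(name, rules):
    """Pick the most specific rule: an exact FQDN beats a suffix, a longer suffix beats a shorter one."""
    name = name.lower().rstrip(".")
    best, best_key = None, (-1, -1)
    for rule in rules:
        ns = rule.namespace.lower().rstrip(".")
        if ns.startswith("."):
            hit, key = name.endswith(ns), (0, len(ns))
        else:
            hit, key = name == ns, (1, len(ns))
        if hit and key > best_key:
            best, best_key = rule, key
    return best

def audit_csg(csg_fqdn, rules, dns64_servers):
    """Return (status, servers): 'ok', 'dns64' (AAAA-only answers) or 'no-rule'."""
    rule = match_rule(csg_fqdn, rules)
    if rule is None:
        return "no-rule", ()
    if set(rule.dns_servers) & set(dns64_servers):
        return "dns64", rule.dns_servers
    return "ok", rule.dns_servers

# Constructed sample values (hypothetical names, documentation addresses).
DNS64 = ("2001:db8:da::64",)         # stands in for the UAG DirectAccess DNS64 address
INTERNAL_DNS = ("2001:db8:1::53",)   # stands in for the internal DNS server (A and AAAA)
CSG = "csg.corp.example.com"

BEFORE = [NrptRule(".corp.example.com", DNS64)]   # only the standard suffix rule
AFTER = BEFORE + [NrptRule(CSG, INTERNAL_DNS)]    # plus the CSG entry described above

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_csg(CSG, table, DNS64))
```
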

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Microsoft DAIP iX/SCD iX
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time):
http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter:
http://twitter.com/tshinder
Facebook:
http://www.facebook.com/tshinder

Comments
  • So you need Citrix Secure Gateway to accomplish this?  Citrix EOLed that product over 2 years ago....

  • Hi Tom,

    You entered the FQDN of the CSG server, but the radio button "DNS Suffix" is selected. Is this a typo?

    regards Marc

  • Hi Tom,

    From testing onsite with a customer, it would appear that if you are using ISATAP on the CSG server, this negates the need to add an NRPT entry.

    We have a standard NRPT rule for the internal DNS suffix and the CSG hostname is also on the same DNS suffix (and also located internally). We can see client connections to the CSG server using the DA client Teredo address and Citrix applications are fully working.

    Thoughts?

    Cheers

    JJ

  • Jason.

    Could I ask what kind of config you have on your web interface site?

    XML Port / http/https/SSLRelay?

    Regards

    Kristian

  • It was a pretty standard setup using XML on port 80 from memory. The web interface site was installed on the actual CSG server itself so that we could provide settings for DA clients independently...

    Cheers

    JJ

  • Hello Sir

    I tried this on Server 2012, but DNS fails when I put it in the NRPT rules.

    Please advise.

  • Does anyone know if this works for the Access Gateway Enterprise platform or netscaler as well?  Also the link to the CSG section above appears to be dead:

    In configuring the CSG, note should be taken in support.citrix.com/.../index.jsp to use the IPv6 address to listen on.

    I'm not sure what you mean by the IPv6 address that needs to be listened on... was hoping a traditional Access Gateway Enterprise/Web Interface implementation would work without too much reconfiguration.

    Thanks

  • Hi All,

    The latest NetScaler Gateway (10.1) release supports IPv6 on the outside address and can translate this to IPv4 XenApp / XenDesktop / WI / StoreFront servers on the inside. This might help some deployments.

    Kind regards,

    Matthijs

  • Hi guys,

    Followed these instructions to get XA 6.5 up & running successfully. How about XD 7 and DirectAccess? Will I need to buy NS just to get users launching any application?

    Any information or suggestions available?

    best,

    Frank

  • Matthijs wrote:

    "The latest NetScaler Gateway (10.1) release supports IPv6 on the outside address and can translate this to IPv4 XenApp / XenDesktop / WI / StoreFront servers on the inside. This might help some deployments"

    Yes, this was great news, especially for using StoreFront, because we could not find a way to tell StoreFront to go through AGEE when the connections come from internal networks (DA tunnel).

    Does anybody know what this configuration should look like?
