Configuring DirectAccess to Support Citrix Connections

We’ve seen a lot of questions on how to get the Citrix client to work with DirectAccess. The following information and procedures may help you get the Citrix client working over DirectAccess.

The Citrix client can use IPv6 to connect to one type of server only: the Citrix Secure Gateway (CSG). In order for the Citrix client to work over DA, you need to:

  1. Install the CSG on the internal network
  2. Configure the Citrix Web Interface to use CSG
  3. Create an NRPT rule that uses the internal DNS server directly instead of going through the UAG DNS64

A key issue to be aware of is that Citrix clients do not support IPv6, with the exception of connecting to the Citrix Secure Gateway (CSG). Although the CSG can sit directly on the Internet, it’s preferred that it be put on the LAN, with an IPv6 address (either native or ISATAP). Here’s how it works:

  1. The client establishes a DA connection
  2. The user uses the browser to bring up the Citrix Web Interface and authenticates to it.
  3. The Web Interface compiles a list of allowed applications and presents them to the user.
  4. The user clicks an icon that represents an application and the Web Interface invokes the client side Citrix plug-in
  5. The Citrix plug-in initiates a session with the server through the CSG according to the connection information supplied by the Web Interface. In this case this includes information about the SSLProxy (CSG) and Secure ticket authority.

When configuring the CSG, take note of the guidance at https://support.citrix.com/proddocs/index.jsp?lang=en&topic=/xenapp5fp-w2k8/sg-features-v2.html and use the IPv6 address as the address to listen on.

Note:
The client plug-in needs to be version 11 and above and must trust the CSG’s server certificate.

Finally, it appears that even though the Citrix client is able to connect to the CSG over IPv6, it needs the CSG’s name to resolve to both the IPv4 address and the IPv6 address. For this to happen, we need to exempt the name of the CSG from the NRPT in the UAG DirectAccess configuration so that it uses an internal DNS server instead of the UAG DNS64. This is done by entering the IP address of the internal DNS server. If you don’t do this, the name is resolved by the UAG DirectAccess server’s DNS64 service, which never returns IPv4 addresses (it always returns a NAT64 address), and that causes issues for the Citrix client.

An example of how you can configure this is included in the figure below.

image
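
To confirm from a DirectAccess client that the exemption took effect, here is an added example (not part of the original post) that resolves the CSG name and reports whether it came back with both an IPv4 and a native IPv6 address, or with a DNS64-synthesized one. The host name, the NAT64 prefix and the sample addresses are constructed placeholders, and the check assumes a /96 NAT64 prefix; substitute the prefix your UAG server actually uses.

```python
import ipaddress
import socket
import sys

def resolve(name):
    """Return (ipv4, ipv6) address lists as the local resolver answers for name."""
    v4, v6 = set(), set()
    for family, *_, sockaddr in socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP):
        if family == socket.AF_INET:
            v4.add(sockaddr[0])
        elif family == socket.AF_INET6:
            v6.add(sockaddr[0].split("%")[0])  # drop any zone id
    return sorted(v4), sorted(v6)

def embedded_ipv4(addr, nat64_prefix):
    """Return the IPv4 address in the low 32 bits if addr is inside the /96 prefix."""
    net = ipaddress.IPv6Network(nat64_prefix)
    if net.prefixlen != 96:
        raise ValueError("this check assumes a /96 NAT64 prefix")
    ip = ipaddress.IPv6Address(addr)
    return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)) if ip in net else None

def check_csg_resolution(v4, v6, nat64_prefix):
    """Classify a resolution result against what the Citrix client needs."""
    synthesized = {a: embedded_ipv4(a, nat64_prefix) for a in v6}
    synthesized = {a: e for a, e in synthesized.items() if e}
    if synthesized:
        verdict = "dns64"      # answered by DNS64: the exemption is not in effect
    elif not v4:
        verdict = "no-ipv4"    # the Citrix client also needs an IPv4 address
    elif not v6:
        verdict = "no-ipv6"    # nothing to connect to over DirectAccess
    else:
        verdict = "ok"         # both an IPv4 and a native IPv6 address came back
    return {"verdict": verdict, "ipv4": v4, "ipv6": v6, "synthesized": synthesized}

if __name__ == "__main__":
    # Usage: python check_csg.py csg.corp.example 2001:db8:64::/96
    # Both arguments are constructed placeholders.
    name, prefix = sys.argv[1], sys.argv[2]
    print(check_csg_resolution(*resolve(name), prefix))
```

A "dns64" verdict means the name is still being answered by the UAG DNS64, so the NRPT entry for the CSG name is missing or not yet applied on the client.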

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Microsoft DAIP iX/SCD iX
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time):
https://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: https://twitter.com/tshinder
Facebook: https://www.facebook.com/tshinder

Comments

  • Anonymous
    August 25, 2010
    So you need Citrix Secure Gateway to accomplish this?  Citrix EOLed that product over 2 years ago....

  • Anonymous
    October 05, 2010
    Jason. Could I ask what kind of config you have on your web interface site? XML Port / http/https/SSLRelay? Regards Kristian

  • Anonymous
    March 18, 2013
    Does anyone know if this works for the Access Gateway Enterprise platform or netscaler as well?  Also the link to the CSG section above appears to be dead: In configuring the CSG, note should be taken in support.citrix.com/.../index.jsp to use the IPv6 address to listen on. I'm not sure what you mean by the IPv6 address that needs to be listened on... was hoping a traditional Access Gateway Enterprise/Web Interface implementation would work without too much reconfiguration. Thanks

  • Anonymous
    July 23, 2013
    Hi All, The latest NetScaler Gateway (10.1) release supports IPv6 on the outside address and can translate this to IPv4 XenApp / XenDesktop / WI / StoreFront servers on the inside. This might help some deployments. Kind regards, Matthijs

  • Anonymous
    August 02, 2013
    Hi guys, followed these instructions to get XA 6.5 up & running successfully. How about XD 7 and Direct Access? Will I need to buy NS just to get users launching any application? Any information, suggestions available? best, Frank

  • Anonymous
    November 13, 2014
    Hi everyone. I knew that StoreFront already supports IPv6, is that correct? I need to eliminate the CSG because this is causing problems now.

    Regards...
