Overview

Citrix Gateway is the best secure remote access solution for Citrix Workspace. It provides a myriad of unique integrations that enhance security and user experience. Moreover, Citrix Gateway consolidates access to any app from any device through a single URL.

Citrix Gateway enables encrypted and contextual access (authentication and authorization) to Citrix Workspace. Its NetScaler ADC-powered load balancing distributes user traffic across the Citrix Virtual Apps and Desktops servers. Citrix Gateway also accelerates, optimizes, and provides visibility into the traffic flow, which is useful for ensuring optimal user performance in a Citrix Virtual Apps and Desktops deployment.

The following integrations add value to a Citrix Workspace deployment:

• Contextual Authentication – Validate the user and device with multifactor (nFactor) authentication
• Contextual Authorization - Limit app and desktop availability based on the user, location, and device properties
• Contextual Access - Limit access to HDX capabilities by modifying Citrix HDX connection behavior
• End-to-End Monitoring – Identify the source of delays and triage issues which impact user performance
• Adaptive Network Transport – Deliver a superior user experience by dynamically responding to changing network conditions
• Optimal Routing – Ensure a better user experience by always launching apps and desktops from the local gateway
• Custom Availability Monitors – Provide deep application health monitoring of back-end services running on the StoreFront and Delivery Controller servers

Conceptual architecture

Citrix Gateway is a hardened appliance (physical or virtual) that proxies and secures all Citrix Workspace traffic with standards-based SSL/TLS encryption. The most common deployment configuration is to place the Citrix Gateway appliance in the DMZ, which places it between an organization’s secure internal network and the Internet (or any external network).

Many organizations protect their internal network with a single DMZ (Figure 1). However, multiple Citrix Gateway appliances can be deployed for more complex deployments requiring a double-hop DMZ (Figure 2).

Some organizations use multiple firewalls to protect their internal networks. The three firewalls in Figure 2 divide the DMZ into two stages (double-hop) to provide an extra layer of security for the internal network.

Citrix administrators can deploy Citrix Gateway appliances in a double-hop DMZ to control access to servers running Citrix Virtual Apps and Desktops. The security functions are split across the two appliances in a double-hop deployment.

The Citrix Gateway in the first DMZ handles user connections and performs security functions such as encryption, authentication, and access to the internal network's servers.

The Citrix Gateway in the second DMZ serves as a Citrix Gateway proxy device. This Citrix Gateway enables the HDX traffic to traverse the second DMZ to complete user connections to the server farm. Communications between Citrix Gateway in the first DMZ and the Secure Ticket Authority (STA) in the internal network are also proxied through Citrix Gateway in the second DMZ.

In enterprises with multiple StoreFront and Delivery Controllers servers, Citrix recommends load balancing the services using the NetScaler ADC appliance. One virtual server load balances all StoreFront servers, and another load balances all Delivery Controller servers. Application intelligent health monitoring ensures that only fully functioning servers are marked available to take user requests.

NetScaler ADC appliances configured for global server load balancing (GSLB) can balance the Citrix Workspace load across data centers. GLSB directs user requests to the closest or best-performing data center or to surviving data centers if there is an outage. Using GSLB provides for disaster recovery across multiple data centers and ensures continuous application availability by protecting against points of failure.

In Figure 3, the ADCs use the Metric Exchange Protocol (MEP) and the DNS infrastructure to connect users to the data center that best meets the administrators' criteria. The criteria can designate the least loaded, closest, or quickest data center to respond to requests.

Contextual Authentication (nFactor and EPA)

Citrix Gateway consolidates remote access authentication infrastructure for all applications whether in a data center, in a cloud, or if the apps are delivered as SaaS apps. Moreover, Citrix Gateway provides:

• The single point of access to all applications
• Secure access management, granular and consistent access control across all apps
• A better user experience that improves productivity
• Multifactor authentication that improves security

Citrix Gateway authentication incorporates local and remote authentication for users and groups. Citrix Gateway includes support for the following authentication types.

• Local
• Lightweight Directory Access Protocol (LDAP)
• RADIUS
• SAML
• TACACS+
• Client certificate authentication (including smart card authentication)

Citrix Gateway also supports multifactor authentication solutions such RSA SecurID, Gemalto Protiva (Thales), Duo (Cisco), and SafeWord (Aladdin) using a RADIUS server configuration.

nFactor Authentication

Citrix Gateway extends two-factor authentication with true multifactor capabilities and gives flexibility to administrators for authentication, authorization, and auditing. For example, dynamic login forms and on-failure actions are possible by using nFactor authentication. Administrators can configure two types of multifactor authentication on Citrix Gateway:

• Two-factor authentication that requires users to log on by using two types of authentication
• Cascading authentication that sets the authentication priority level

If the Citrix Gateway deployment has multiple authentication servers, administrators can prioritize the authentication polices. The priority levels determine the order in which the authentication server validates users’ credentials. When administrators configure a cascade, the system traverses each authentication server to validate a user’s credentials.

nFactor authentication enables dynamic authentication flows based on the user profile. The flows can be simple or coupled with more complex security requirements using other authentication servers. The following are some use cases enabled by Citrix Gateway:

1. Dynamic user name and password selection: Traditionally, the Citrix clients (including browsers and the Workspace app) use the Active Directory (AD) password as the first password field. The second password is reserved for the One-Time-Password (OTP). However, to secure AD servers against brute force and lockout attacks, customers can require that the second factor such as OTP is to be validated first. nFactor can do this without requiring client modifications.
2. Multitenant authentication endpoint: Some organizations use different Citrix Gateway login points for certificate and non-certificate users. With users using their own devices to log in, their access levels can vary on the Citrix Gateway based on the device being used. Citrix Gateway can cater to different authentication needs on the same login point – reducing complexity and improving user experience.
3. Authentication based on group membership: Some organizations obtain user properties from AD servers to determine authentication requirements, which can vary for individual users. For example, group extraction can be used to determine whether a user is an employee or a vendor and present the appropriate second-factor authentication.

End Point Analysis Scans

Endpoint Analysis (EPA) scans check user device compliance to endpoint security requirements. They are policy-based pre-authentication and post-authentication scans configured on the Citrix Gateway appliance. EPA scans are a part of contextual authentication if the endpoint state is involved in the authentication policies.

When a user device tries to access Citrix Workspace through the Citrix Gateway appliance, the device is scanned for compliance before being granted access. For example, EPA can check parameters such as operating system, antivirus, web browser, specific processes, file system or registry key, and user or device certificates.

Administrators can configure two types of EPA scans: an OPSWAT EPA engine scan and a System scan using the Client Security engine. Using the OPSWAT EPA engine, administrators can configure product, vendor, and generic scans. These checks look for a particular product offered by a particular vendor, a vendor in a specific category, or a category across all vendors and products.

System scans validate system-level attributes such as MAC address or device certificates. Device certificates can be configured in nFactor as an EPA component, and administrators can selectively allow or block access to corporate intranet resources based on device certificate authentication.

Contextual Authorization (SmartAccess)

SmartAccess uses EPA post-authentication policies to limit user access to apps and desktops. For example, a sensitive Human Resources application can be enabled or disabled when a user connects from a managed or unmanaged device respectively.

Using SmartAccess policies, administrators can identify the resources available on a per-user and per-app basis. Factors such as the end user, source IP range, specific registry key, or file on the user endpoint are used to determine if compliance is met. Similarly, SmartAccess scans can identify specific peripherals attached to a computer and show applications that require that device.

SmartAccess is configured on both the Citrix Gateway and inside Citrix Studio. The results of an EPA scan match the corresponding access policies in Citrix Studio. In Figure 6, a user logs on to Citrix Workspace through Citrix Gateway with the managed device and passes the compliance scan. Since the scan passed, the associated Citrix Gateway virtual server and session policy trigger the Citrix Studio policy to enable access for the app.

In Figure 7, the same user logs on to Citrix Workspace through Citrix Gateway with a personal device and fails the compliance scan. Conversely, failing the EPA scan doesn’t trigger the enabling of the app for this user and device.

Contextual Access (SmartAccess and SmartControl)

Citrix administrators can also modify Citrix HDX connection behavior based on how users connect to Citrix Gateway. Some examples include disabling client drive mappings, disabling access to specific apps and desktops, and disabling access to printing.

In Figure 8, a user logs on to Citrix Workspace through Citrix Gateway with a personal device and fails the compliance scan. The results of the EPA scan performed by the Citrix Gateway are communicated with Citrix Workspace. Using SmartAccess, the Delivery Controller enforces the scan results and prohibits clipboard access and client drive mappings.

In Figure 9, the user connects to the same Citrix Gateway with a compliant device. The EPA results now allow clipboard access and client drive mappings.

SmartControl helps customers meet security requirements that stipulate that access conditions are evaluated at the edge of the network. Customer security policies can require the ability to block access to resources even before a user has gained access to the corporate network. SmartControl can block or allow certain components such as printer access, audio redirection, and client device drive redirection – at the Citrix Gateway.

SmartAccess and SmartControl are similar. However, SmartControl is configured exclusively on Citrix Gateway, while SmartAccess requires configuration on both Citrix Gateway and inside Citrix Studio. When administrators want to make access policy decisions for the entire farm, they can use SmartControl on Citrix Gateway that applies to the entire farm. One difference is that SmartAccess lets administrators control the visibility of published icons, while SmartControl does not. Figure 10 compares SmartAccess and SmartControl feature support.

SmartControl policies are designed not to enable access if prohibited at the individual Delivery Controller level. The options are to default to the policy setting at the Delivery Controller level or prohibit certain access even if it is allowed at the Delivery Controller. SmartAccess and SmartControl policies can be defined concurrently, and the most restrictive policy set is applied. Below is a list of SmartControl settings:

• Connect Client LPT Ports – Blocks LPT port redirection used for printers
• Client Audio Redirection – Redirect audio from VDA to client device
• Local Remote Data Sharing – Allows or disallows data sharing using Receiver HTML5
• Client Clipboard Redirection – Redirects client clipboard contents to VDA
• Client COM Port Redirection – Redirect COM (serial) ports from client to VDA
• Client Drive Redirection – Redirect client drives from client to VDA
• Client Printer Redirection – Redirects client printers from client to VDA
• Multistream – Allow or disable multistream
• Client USB Drive Redirection – Redirect USB drives from client to desktop VDA only

Adaptive Network Transport (EDT)

Citrix HDX is a set of technologies that ensure an unparalleled user experience when connecting to a remote Citrix resource. With the HDX engine in the Citrix Workspace app and the HDX protocol, Citrix HDX lets users interact seamlessly with resources even in challenging network conditions.

A recent optimization to HDX is the Citrix UDP-based reliable transport protocol called Enlightened Data Transport (EDT). EDT is faster, improves application interactivity, and is more interactive on challenging long-haul WAN and internet connections. EDT delivers a superior user experience by dynamically responding to changing network conditions while maintaining high server scalability and efficient bandwidth use.

EDT is built on UDP and improves data throughput for all ICA virtual channels, including Thinwire display remoting, file transfer (Client Drive Mapping), printing, and multimedia redirection. When EDT is unavailable, EDT intelligently switches to TCP ICA to deliver the best performance. Citrix Gateway supports EDT and Datagram Transport Layer Security (DTLS), which must be enabled to encrypt the UDP connection used by EDT.

End-to-End Monitoring (HDX Insight)

Citrix HDX Insight provides end-to-end visibility for HDX traffic to Virtual Apps and Desktops passing through Citrix Gateway. Using Citrix Application Delivery Management (ADM), administrators can view real-time client and network latency metrics, historical reports, end-to-end performance data, and troubleshoot performance issues.

By parsing HDX traffic, HDX Insight can identify the source of delays and triage issues that impact user performance. For example, users may experience delays while accessing Citrix Virtual Apps and Desktops. To identify the root cause of the issue, administrators can use HDX Insight to analyze WAN Latency, Data Center Latency, and Host Delay. Using HDX Insight helps determine the server, data center network, or client network side latency.

Figure 12 shows an example where a specific user has normal WAN latency but high Data Center latency. This information is crucial to helping administrators triage a performance issue.

An important capability of HDX Insight is the ability to capture and display latency at Layer 7 (L7). L7 latency calculation is done at the HDX layer and thus provides end-to-end latency detection regardless of the existence of TCP proxies. Looking at Figure 10, visibility into the application layers helps administrators diagnose latency by detecting that it is coming from apps and not the network, for example, in an overloaded server or back end.

The L7 latency thresholding actively detects end-to-end network latency issues at the application. This capability is contrasted to capturing Layer 4 network latency, which does not require HDX parsing but suffers from the major drawback of an incomplete view of latency end-to-end.

HDX Insight provides successful user logons, latency, and application-level details for virtual HDX applications and desktops. Gateway Insight provides endpoint analysis (EPA), authentication, single sign-on (SSO), and application launch failures for a user.

Gateway Insight also provides visibility into the reasons for application launch failure for virtual applications. Gateway Insight enhances an administrator’s ability to troubleshoot any logon or application launch failure issues and also view the:

• Number of applications launched
• Number of total and active sessions
• Number of total bytes and bandwidth consumed by the applications
• Details of the users, sessions, bandwidth, and launch errors for an application
• Number of gateways
• Number of active sessions
• Total bytes and bandwidth used by all gateways associated with a Citrix Gateway appliance at any given time
• Details of all users associated with a gateway and their logon activity

HDX Optimal Gateway Routing

Citrix delivers the best app and desktop user experience with Citrix Workspace. In a hybrid cloud deployment, customers simplify the user experience with Global Server Load Balancing (GSLB). GSLB makes it easy for users to access apps, desktops and data regardless of their location. But with multiple Citrix Gateways, customers ask: “how can we send users to a specific data center where users’ unique data or back end application dependencies reside?”

HDX Optimal Gateway Routing allows administrators to point Citrix Gateway connections to zones. This ensures that the Citrix Gateway picks the zone it typically has the best connection as defined by the administrator. Using GSLB also routes the user to the optimal Citrix Gateway based on their location, and that Gateway would be connected to a zone for complete optimal gateway routing.

HDX Optimal Gateway Routing ensures the user experience is simple and consistent by de-coupling the authentication gateway from the optimal launch gateway. This ensures that users always launch their apps and desktops from the local gateway, thus ensuring a better user experience when working from anywhere, on any device.

GSLB-powered zone preference is a feature that integrates with Workspace, StoreFront, and the ADC appliance to provide user access to the most optimized data center based on the user's location. With this feature, the client IP address is examined when an HTTP request arrives at the Citrix Gateway appliance, and the real client IP address is used to create the data center preference list forwarded to StoreFront.

If the ADC is configured to insert the zone preference header, StoreFront 3.5 or later can use the information provided by the appliance to reorder the list of delivery controllers and connect to an optimal delivery controller in the same zone as the client. StoreFront selects the optimal gateway VPN virtual server for the selected data center zone, adds this information to the ICA file with appropriate IP addresses, and sends it to the client. StoreFront then tries to launch applications hosted on the preferred data center’s delivery controllers before contacting equivalent controllers in other data centers.

Custom Availability Monitors

Citrix Gateway deployed with Citrix Workspace ensures the efficient delivery of applications. Using Citrix Gateway, incoming user requests from the Citrix Workspace app can be load-balanced between multiple StoreFront nodes in a server group. While some other solutions utilize simple ICMP-Ping or TCP port monitors, Citrix Gateway has deep application health monitoring of back-end services running on the StoreFront and Delivery Controller servers.

StoreFront services are monitored by probing a Windows service on the StoreFront server. The Citrix Service Monitor Windows service has no other service dependencies and can monitor and report the failure of the following critical services on which StoreFront relies for correct operation:

• W3SVC (IIS)
• WAS (Windows Process Activation Service)
• CitrixCredentialWallet
• CitrixDefaultDomainService

Citrix Gateway also has custom Delivery Controller monitors to ensure the Delivery Controllers are alive and responding before the Citrix Gateway load balances to the resource. The monitors' probe will validate a user’s credentials and confirm application enumeration to confirm whether the XML service works. This prevents black hole scenarios where requests might be sent to an unresponsive server.

Summary

Citrix Gateway has the most integration points with Citrix Workspace of any HDX proxy solution. Citrix Gateway provides secure remote access to Citrix Virtual Apps and Desktops and is augmented with visibility and optimization features that are useful to ensure optimal user performance. The NetScaler ADC provides intelligent global server load balancing, enhancing availability and user experience. The following features enhance security and user experience:

• Contextual Authentication – Multifactor (nFactor) authentication to validate the user and device
• Contextual Authorization - Limit app and desktop availability based on the user, location, and device properties
• Contextual Access - Limit access to HDX capabilities by modifying Citrix HDX connection behavior
• End-to-End Monitoring - Identify the source of delays and triage issues which impact user performance
• Adaptive Network Transport – Delivers a superior user experience by dynamically responding to changing network conditions
• Optimal Routing – Ensure a better user experience by always launching apps and desktops from the local gateway
• Custom Availability Monitors – Deep application health monitoring of back-end services running on the StoreFront and Delivery Controller servers