Remote Access to XenApp Express / Essentials

Now even if the XenApp Express “Essentials” hasn’t been released yet, there are some tiny bits of information available, and the piece I’m going to talk about is remote access. So let us picture the regular Citrix Cloud setup where we have our management plane in Citrix Cloud and we have our NetScaler (or NetSCaler Gateway on-premises)

So all communication between our end-users and our Desktop / Servers are being proxied via the NetScaler. Now if we look at the Citrix Cloud pricing we can notice that ICA Proxy VPX’s (Two Platform licenses per subscription so we can setup a HA pair) are included as part of the pricing https://www.citrix.com/products/citrix-cloud/buy.html

Now managing a NetScaler is a bit time consuming and requires some specialized knowledge to setup and maintain. It also requires a digital certificate and an public IP of sorts to endpoints can communicate with it externally.

Now there is also an other option called NetScaler Gateway Service (aka HDX Proxy)

hdxproxy.PNG

Which replaces the use for NetScaler for remote access purposes, and it also gives a more simplified setup.

hdxproxy2.png

NetScaler Gateway Service is in essence a Windows Server which runs on the Cloud Connector server and it communicates directly with Citrix Cloud to proxy ICA traffic between the endpoint and the backend VDA.

And this does not require any other firewall openings, public IP’s or certificates besides the ones already configured for the cloud connector

One thing to be aware of is this service was initally setup only in San Jose so all ICA traffic from Receiver was tunneled there and back again, but Citrix have now implemented Geo based load balancing and clients will therefore be routed to the closest AWS location where NetScaler Gateway in Citrix Cloud is running.

NOTE: The price listed about is 9$/month PER user

  • The serviceonly provides HDX traffic as part of the XenApp and XenDesktop Service. Other NetScaler Gateway functionality will not work like Smart Access and such
  • The Citrix Cloud Connector located within your Citrix Cloud resource locations communicates with Citrix-run cloud services over the Internet. Currently this communication channel does not support authentication at outbound proxies for access to the Internet.
  • All network traffic is protected by SSL, but to provide the NetScaler Gateway functionality, HDX traffic is present in memory in an unencrypted form on the CloudConnector VM
  • To use the NetScaler Gateway Service, you must use StoreFront hosted within Citrix Cloud.
  • No HDX insight capabilities

However, configuring the setup for NetScaler Gateway service is pretty simple, you can do it by going into Citrix Cloud –> Manage –> NetScaler and define NetScaler Gateway enabled and choose cloud hosted NetScaler Gateway Service

image

So when this is enabled you will notice a service spinning up on your cloudconnector VM which enables the remote access

hdxproxy3.PNG

Now with NetScaler HDX Proxy enabled you just have to configure you VDA servers / agents an no longer need NetScaler VPX instances. The only downside is that this in all cases will not provide the same low latency and does not scale as high as regular NetScaler does.

Leave a Reply

Scroll to Top