Application Delivery Management

Enable data collection for Citrix Gateway appliances deployed in double-hop mode

The Citrix Gateway double-hop mode provides extra protection to an organization’s internal network, because an attacker would need to penetrate multiple security zones or Demilitarized zones (DMZ) to reach the servers in the secure network. If you want to analyze the number of hops (Citrix Gateway appliances) through which the ICA connections pass, and also the details about the latency on each TCP connection and how it fairs against the total ICA latency perceived by the client, you must install Citrix ADM, so that the Citrix Gateway appliances report these vital statistics.

Figure 3. Citrix ADM deployed in double-hop mode

Double hop mode

The Citrix Gateway in the first DMZ handles user connections and performs the security functions of an SSL VPN. This Citrix Gateway encrypts user connections, determines how the users are authenticated, and controls access to the servers in the internal network.

The Citrix Gateway in the second DMZ serves as a Citrix Gateway proxy device. This Citrix Gateway enables the ICA traffic to traverse the second DMZ to complete user connections to the server farm.

The Citrix ADM can be deployed either in the subnet belonging to the Citrix Gateway appliance in the first DMZ or the subnet belonging to the Citrix Gateway appliance second DMZ. In the above image, the Citrix ADM and Citrix Gateway in the first DMZ are deployed in the same subnet.

In a double-hop mode, Citrix ADM collects TCP records from one appliance and ICA records from the other appliance. After you add the Citrix Gateway appliances to the Citrix ADM inventory and enable data collection, each appliance exports the reports by keeping track of the hop count and connection chain ID.

For Citrix ADM to identify which appliance is exporting records, each appliance is specified with a hop count and each connection is specified with a connection chain ID. Hop count represents the number of Citrix Gateway appliances through which the traffic flows from a client to the servers. The connection chain ID represents the end- to end connections between the client and server.

Citrix ADM uses the hop count and connection chain ID to co-relate the data from both the Citrix Gateway appliances and generates the reports.

To monitor Citrix Gateway appliances deployed in this mode, you must first add the Citrix Gateway to Citrix ADM inventory, enable AppFlow on Citrix ADM, and then view the reports on the Citrix ADM dashboard.

Enable data collection on Citrix ADM

If you enable Citrix ADM to start collecting the ICA details from both the appliances, the details collected are redundant. That is both the appliances report the same metrics. To overcome this situation, you must enable AppFlow for TCP on one of the first Citrix Gateway appliances, and then enable AppFlow for ICA on the second appliance. By doing so, one of the appliances exports ICA AppFlow records and the other appliance exports TCP AppFlow records. This also saves the processing time on parsing the ICA traffic.

To enable the AppFlow feature from Citrix ADM:

  1. Navigate to Infrastructure > Instances, and select the Citrix ADC instance you want to enable analytics.

  2. From the Action list, select Enable/Disable Insight.

  3. Select the VPN virtual servers, and click Enable AppFlow.

  4. In the Enable AppFlow field, type true, and select ICA/TCP for ICA traffic a TCP traffic respectively.

    Note

    If AppFlow logging is not enabled for the services or service groups on the Citrix ADC appliance, the Citrix ADM dashboard does not display the records, even if the Insight column shows Enabled.

  5. Click OK.

Configure Citrix Gateway appliances to export data

After you install the Citrix Gateway appliances, you must configure the following settings on the Citrix Gateway appliances to export the reports to Citrix ADM:

  • Configure virtual servers of the Citrix Gateway appliances in the first and second DMZ to communicate with each other.

  • Bind the Citrix Gateway virtual server in the second DMZ to the Citrix Gateway virtual server in the first DMZ.

  • Enable double hop on the Citrix Gateway in the second DMZ.

  • Disable authentication on the Citrix Gateway virtual server in the second DMZ.

  • Enable one of the Citrix Gateway appliances to export ICA records

  • Enable the other Citrix Gateway appliance to export TCP records:

  • Enable connection chaining on both the Citrix Gateway appliances.

Configure Citrix Gateway using the command line interface:

  1. Configure the Citrix Gateway virtual server in the first DMZ to communicate with the Citrix Gateway virtual server in the second DMZ.

    add vpn nextHopServer  [**-secure**(ON OFF)] [-imgGifToPng] …
    add vpn nextHopServer nh1 10.102.2.33 8443 –secure ON
    <!--NeedCopy-->
    
  2. Bind the Citrix Gateway virtual server in the second DMZ to the Citrix Gateway virtual server in the first DMZ. Run the following command on the Citrix Gateway in the first DMZ:

    bind vpn vserver <name> -nextHopServer <name>

    bind vpn vserver vs1 -nextHopServer nh1
    <!--NeedCopy-->
    
  3. Enable double hop and AppFlow on the Citrix Gateway in the second DMZ.

    set vpn vserver  [**- doubleHop** ( ENABLED DISABLED )] [- appflowLog ( ENABLED DISABLED )]
    set vpn vserver vpnhop2 –doubleHop ENABLED –appFlowLog ENABLED
    <!--NeedCopy-->
    
  4. Disable authentication on the Citrix Gateway virtual server in the second DMZ.

    set vpn vserver [**-authentication** (ON OFF)]
    set vpn vserver vs -authentication OFF
    <!--NeedCopy-->
    
  5. Enable one of the Citrix Gateway appliances to export TCP records.

    bind vpn vserver<name> [-policy<string> -priority<positive_integer>] [-type<type>]

    bind vpn vserver vpn1 -policy appflowpol1 -priority 101 –type OTHERTCP\_REQUEST
    <!--NeedCopy-->
    
  6. Enable the other Citrix Gateway appliance to export ICA records:

    bind vpn vserver<name> [-policy<string> -priority<positive_integer>] [-type<type>]

    bind vpn vserver vpn2 -policy appflowpol1 -priority 101 -type ICA\_REQUEST
    <!--NeedCopy-->
    
  7. Enable connection chaining on both the Citrix Gateway appliances:

    set appFlow param [-connectionChaining (ENABLED DISABLED)]
    set appflow param -connectionChaining ENABLED
    <!--NeedCopy-->
    

Configuring Citrix Gateway using configuration utility:

  1. Configure the Citrix Gateway in the first DMZ to communicate with the Citrix Gateway in the second DMZ and bind the Citrix Gateway in the second DMZ to the Citrix Gateway in the first DMZ.

    1. On the Configuration tab expand Citrix Gateway and click Virtual Servers.

    2. In the right pane, double-click the virtual server, and in the Advanced group, expand Published Applications.

    3. Click Next Hop Server and bind a next hop server to the second Citrix Gateway appliance.

  2. Enable double hop on the Citrix Gateway in the second DMZ.

    1. On the Configuration tab expand Citrix Gateway and click Virtual Servers.

    2. In the right pane, double-click the virtual server, and in the Basic Settings group, click the edit icon.

    3. Expand More , select Double Hop and click OK.

  3. Disable authentication on the virtual server on the Citrix Gateway in the second DMZ.

    1. On the Configuration tab expand Citrix Gateway and click Virtual Servers.

    2. In the right pane, double-click the virtual server, and in the Basic Settings group, click the edit icon.

    3. Expand More, and clear Enable Authentication.

  4. Enable one of the Citrix Gateway appliances to export TCP records.

    1. On the Configuration tab expand Citrix Gateway and click Virtual Servers.

    2. In the right pane, double-click the virtual server, and in the Advanced group, expand Policies.

    3. Click the + icon and from the Choose Policy list, select AppFlow, and from the Choose Type drop-down list, select Other TCP Request.

    4. Click Continue.

    5. Add a policy binding, and click Close.

  5. Enable the other Citrix Gateway appliance to export ICA records:

    1. On the Configuration tab expand Citrix Gateway and click Virtual Servers.

    2. In the right pane, double-click the virtual server, and in the Advanced group, expand Policies.

    3. Click the + icon and from the Choose Policy drop-down list, select AppFlow, and from theChoose Type drop-down list, select Other TCP Request.

    4. Click Continue.

    5. Add a policy binding, and click Close.

  6. Enable connection chaining on both the Citrix Gateway appliances.

    1. On the Configuration tab, navigate to System > Appflow.

    2. In the right Pane, in the Settings group, click Change Appflow Settings.

    3. Select Connection Chaining and Click OK.

Enable data collection for Citrix Gateway appliances deployed in double-hop mode