Establishing the Secure Tunnel

When users connect with the Citrix Gateway plug-in, Secure Hub, or Citrix Receiver, the client software establishes a secure tunnel over port 443 (or any configured port on Citrix Gateway) and sends authentication information. When the tunnel is established, Citrix Gateway sends configuration information to the Citrix Gateway plug-in, Secure Hub, or Receiver describing the networks to be secured and containing an IP address if you enable address pools.

Tunneling Private Network Traffic over Secure Connections

When the Citrix Gateway plug-in starts and the user is authenticated, all network traffic destined for specified private networks is captured and redirected over the secure tunnel to Citrix Gateway. Receiver must support the Citrix Gateway plug-in to establish the connection through the secure tunnel when users log on.

Secure Hub, Secure Mail, and WorxWeb use Micro VPN to establish the secure tunnel for iOS and Android mobile devices.

Citrix Gateway intercepts all network connections that the user device makes and multiplexes them over Secure Sockets Layer (SSL) to Citrix Gateway, where the traffic is demultiplexed and the connections are forwarded to the correct host and port combination.

The connections are subject to administrative security policies that apply to a single application, a subset of applications, or an entire intranet. You specify the resources (ranges of IP address/subnet pairs) that remote users can access through the VPN connection.

The Citrix Gateway plug-in intercepts and tunnels the following protocols for the defined intranet applications:

  • TCP (all ports)
  • UDP (all ports)
  • ICMP (types 8 and 0 - echo request/reply)

Connections from local applications on the user device are securely tunneled to Citrix Gateway, which reestablishes the connections to the target server. Target servers view connections as originating from the local Citrix Gateway on the private network, thus hiding the user device. This is also called reverse Network Address Translation (NAT). Hiding IP addresses adds security to source locations.

Locally, on the user device, all connection-related traffic, such as SYN-ACK, PUSH, ACK, and FIN packets, is recreated by the Citrix Gateway plug-in to appear from the private server.

Establishing the Secure Tunnel