Gateway

Establishing the Secure Tunnel

January 8, 2024

Contributed by:

C S C

When users connect with the Citrix Gateway plug-in, Secure Hub, or Citrix Receiver, the client software establishes a secure tunnel over port 443 (or any configured port on Citrix Gateway) and sends authentication information. When the tunnel is established, Citrix Gateway sends configuration information to the Citrix Gateway plug-in, Secure Hub, or Receiver describing the networks to be secured and containing an IP address if you enable address pools.

Tunneling Private Network Traffic over Secure Connections

When the Citrix Gateway plug-in starts and the user is authenticated, all network traffic destined for specified private networks is captured and redirected over the secure tunnel to Citrix Gateway. Receiver must support the Citrix Gateway plug-in to establish the connection through the secure tunnel when users log on.

Secure Hub, Secure Mail, and WorxWeb use Micro VPN to establish the secure tunnel for iOS and Android mobile devices.

Citrix Gateway intercepts all network connections that the user device makes and multiplexes them over Secure Sockets Layer (SSL) to Citrix Gateway, where the traffic is demultiplexed and the connections are forwarded to the correct host and port combination.

The connections are subject to administrative security policies that apply to a single application, a subset of applications, or an entire intranet. You specify the resources (ranges of IP address/subnet pairs) that remote users can access through the VPN connection.

The Citrix Gateway plug-in intercepts and tunnels the following protocols for the defined intranet applications:

TCP (all ports)
UDP (all ports)
ICMP (types 8 and 0 - echo request/reply)

Connections from local applications on the user device are securely tunneled to Citrix Gateway, which reestablishes the connections to the target server. Target servers view connections as originating from the local Citrix Gateway on the private network, thus hiding the user device. This is also called reverse Network Address Translation (NAT). Hiding IP addresses adds security to source locations.

Locally, on the user device, all connection-related traffic, such as SYN-ACK, PUSH, ACK, and FIN packets, is recreated by the Citrix Gateway plug-in to appear from the private server.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Establishing the Secure Tunnel

January 8, 2024

Contributed by:

C S C

January 8, 2024

Contributed by:

C S C

Establishing the Secure Tunnel

Tunneling Private Network Traffic over Secure Connections

In this article