Gateway

Communication flow in a double-hop DMZ deployment

To understand the configuration issues involved in a double-hop DMZ deployment, you must have a basic understanding of how the various NetScaler Gateway and Citrix Virtual Apps components in a double-hop DMZ deployment communicate to support a user connection. The connection process for StoreFront and the Web Interface is the same.

Although the user connection process occurs in one continuous flow, the following high-level steps are involved in the process.

  • Authenticate users
  • Create a session ticket
  • Start the Citrix Workspace app
  • Complete the connection

The following figure shows the steps that occur in the user connection process to either StoreFront or the Web Interface. In the secure network, computers running Citrix Virtual Apps are also running the Secure Ticket Authority (STA), XML Service, and published applications.

Connection Process in a Double-Hop DMZ

Connection process

Authenticating users is the first step of the user connection process in a double-hop DMZ deployment.

The following figure shows the user connection process in this deployment.

User authentication process in a double-hop DMZ

During the user authentication stage, the following basic process occurs:

  1. A user types the address of NetScaler Gateway, such as https://www.ng.wxyco.com in a web browser to connect to NetScaler Gateway in the first DMZ. If you enabled logon page authentication on NetScaler Gateway, NetScaler Gateway authenticates the user.
  2. NetScaler Gateway in the first DMZ receives the request.
  3. NetScaler Gateway redirects the web browser connection to the Web Interface.
  4. The Web Interface sends the user credentials to the Citrix XML service running in the server farm in the internal network.
  5. The Citrix XML Service authenticates the user.
  6. The XML Service creates a list of the published applications that the user is authorized to access and sends this list to the Web Interface.

    Note:

    • If you enable authentication on NetScaler Gateway, the appliance sends the NetScaler Gateway logon page to the user. The user enters authentication credentials on the logon page and the appliance authenticates the user. NetScaler Gateway then returns the user credentials to the Web Interface.

    • If you do not enable authentication, NetScaler Gateway does not perform authentication. The appliance connects to the Web Interface, retrieves the Web Interface logon page, and sends the Web Interface logon page to the user. The user enters authentication credentials on the Web Interface logon page and NetScaler Gateway passes the user credentials back to the Web Interface.

    Creating the session ticket is the second stage of the user connection process in a double-hop DMZ deployment.

    During the session ticket creation stage, the following basic process occurs:

  7. The Web Interface communicates with both the XML Service and the Secure Ticket Authority (STA) in the internal network to produce session tickets for each of the published applications the user is authorized to access. The session ticket contains an alias address for the computer running Citrix Virtual Apps that hosts a published application.
  8. The STA saves the IP addresses of the servers that host the published applications. The STA then sends the requested session tickets to the Web Interface. Each session ticket includes an alias that represents the IP address of the server that hosts the published application, but not the actual IP address.
  9. The Web Interface generates an ICA file for each of the published applications. The ICA file contains the ticket issued by the STA. The Web Interface then creates and populates a webpage with a list of links to the published applications and sends this webpage to the web browser on the user device.

    Starting Citrix Workspace app is the third stage of the user connection process in a double-hop DMZ deployment. The basic process is as follows:

  10. The user clicks a link to a published application in the Web Interface. The Web Interface sends the ICA file for that published application to the browser for the user device.

    The ICA file contains data instructing the web browser to start Receiver.

    The ICA file also contains the fully qualified domain name (FQDN) or the Domain Name System (DNS) name of the NetScaler Gateway in the first DMZ.

  11. The web browser starts Receiver and the user connects to NetScaler Gateway in the first DMZ by using the NetScaler Gateway name in the ICA file. Initial SSL/TLS handshaking occurs to establish the identity of the server running NetScaler Gateway.

    Completing the connection is the fourth and last stage of the user connection process in a double-hop DMZ deployment.

    During the connection completion stage, the following basic process occurs:

    • The user clicks a link to a published application in the Web Interface.
    • The web browser receives the ICA file generated by the Web Interface and starts Citrix Workspace app. Note: The ICA file contains code that instructs the web browser to start Citrix Workspace app.
    • Citrix Workspace app initiates an ICA connection to NetScaler Gateway in the first DMZ.
    • NetScaler Gateway in the first DMZ communicates with the Secure Ticket Authority (STA) in the internal network to resolve the alias address in the session ticket to the real IP address of a computer running Citrix Virtual Apps or StoreFront. This communication is proxied through the second DMZ by the NetScaler Gateway proxy.
    • NetScaler Gateway in the first DMZ completes the ICA connection to Citrix Workspace app.
    • Citrix Workspace app can now communicate through both NetScaler Gateway appliances to the computer running Citrix Virtual Apps on the internal network.

    The detailed steps for completing the user connection process are as follows:

  12. Citrix Workspace app sends the STA ticket for the published application to NetScaler Gateway in the first DMZ.
  13. NetScaler Gateway in the first DMZ contacts the STA in the internal network for ticket validation. To contact the STA, NetScaler Gateway establishes a SOCKS or SOCKS with SSL connection to the NetScaler Gateway proxy in the second DMZ.
  14. The NetScaler Gateway proxy in the second DMZ passes the ticket validation request to the STA in the internal network. The STA validates the ticket and maps it to the computer running Citrix Virtual Apps that hosts the published application.
  15. The STA sends a response to the NetScaler Gateway proxy in the second DMZ, which is passed to NetScaler Gateway in the first DMZ. This response completes the ticket validation and includes the IP address of the computer that hosts the published application.
  16. NetScaler Gateway in the first DMZ incorporates the address of the Citrix Virtual Apps server into the user connection packet and sends this packet to the NetScaler Gateway proxy in the second DMZ.
  17. The NetScaler Gateway proxy in the second DMZ makes a connection request to the server specified in the connection packet.
  18. The server responds to the NetScaler Gateway proxy in the second DMZ. The NetScaler Gateway proxy in the second DMZ passes this response to NetScaler Gateway in the first DMZ to complete the connection between the server and NetScaler Gateway in the first DMZ.
  19. NetScaler Gateway in the first DMZ completes the SSL/TLS handshake with the user device by passing the final connection packet to the user device. The connection from the user device to the server is established.
  20. The ICA traffic flows between the user device and the server through NetScaler Gateway in the first DMZ and the NetScaler Gateway proxy in the second DMZ.
Communication flow in a double-hop DMZ deployment