Gateway

Configure NetScaler Gateway to support Enlightened Data Transport and HDX Insight

EDT traffic through Gateway now has end-to-end visibility. Availability of both real-time and historical visibility data enables NetScaler ADM to support a wide variety of use cases.

The following scenarios are supported:

| Scenario | EDT support |
|---|---|
| NetScaler Gateway | Yes |
| NetScaler Gateway with High Availability (HA) | Yes |
| NetScaler Gateway with High Availability (HA) optimization | Yes |
| NetScaler with Unified Gateway | Yes |
| NetScaler Gateway with GSLB | Yes |
| NetScaler Gateway with Cluster | Yes |
| Citrix Workspace app to NetScaler Gateway DTLS encryption | Yes |
| Dual Secure Ticket Authority (STA) on NetScaler Gateway | Yes |
| NetScaler Gateway ICA session timeout | Yes |
| NetScaler Gateway Multi-Stream ICA | No |
| NetScaler Gateway session reliability (Port 2598) | Yes |
| NetScaler Gateway Double-Hop | Yes |
| NetScaler to VDA DTLS encryption | Yes |
| HDX Insight | Yes |
| NetScaler Gateway in IPv6 mode | No |
| NetScaler Gateway SOCKS (Port 1494) | No |
| NetScaler pure LAN proxy (see note) | No |

Note:

EDT is not supported if NetScaler LAN proxy is configured in the LAN User mode or Transparent mode. However, TCP is supported. For more information, see:

Configure NetScaler Gateway to support Enlightened Data Transport

If you use Enlightened Data Transport (EDT), Datagram Transport Layer Security (DTLS) must be enabled to encrypt the UDP connection used by EDT. The DTLS parameter must be enabled at the Gateway VPN virtual-server level. Also, the Citrix Virtual Apps and Desktops components must be correctly upgraded and configured to achieve encrypted traffic between the Gateway VPN virtual server and the user device.

Note: The UDP port (for example, port 443) configured for the NetScaler Gateway front-end virtual server must be opened in the DMZ so that the virtual server can receive DTLS connections. DTLS and CGP are prerequisites for EDT to be compatible with NetScaler Gateway.

To configure NetScaler Gateway to support EDT using GUI

  1. Deploy and configure NetScaler Gateway to communicate with StoreFront and authenticate users for Citrix Virtual Apps and Desktops.

  2. On the Configuration tab in the NetScaler GUI, expand NetScaler Gateway and select Virtual Servers.

  3. Click Edit to display Basic Settings for the VPN Virtual Server, and then verify the state of the DTLS setting.

  4. Click More to display other configuration options.

  5. Select DTLS to provide communications security for datagram protocols. Click OK. The Basic Settings area for the VPN virtual server shows that the DTLS flag is set to True.

To configure NetScaler Gateway for EDT support using CLI

set vpn vserver vs1 -DTLS ON

Configure NetScaler Gateway to support HDX Insight

HDX Insight provides end-to-end visibility for HDX traffic to virtual apps and desktops passing through NetScaler. It also enables administrators to view real-time client and network latency metrics, historical reports, end-to-end performance data, and troubleshoot performance issues.

To configure NetScaler Gateway to support HDX Insight using GUI

  1. On the Configuration tab, navigate to System > AppFlow > Collectors, and click Add.

  2. On the Create AppFlow Collector page, populate the following fields, and click Create.

    Name – Name for the collector

    IP address – IPv4 address of the collector

    Port – Port on which the collector listens

    Net Profile – Net profile to associate with the collector. The IP address defined in the profile is used as the source IP address for AppFlow traffic for this collector. If you do not set this parameter, the NetScaler IP (NSIP) address is used as the source IP address.

    Transport – Transport type of collector.

  3. Navigate to System > AppFlow > Actions, and click Add.

  4. On the Create AppFlow Action page, populate the following fields, and click Create.

    AppFlow Action Name – Name for the action

    Comment – Any comment about the action

    Collector – Select the names of collectors to be associated with the AppFlow action.

    Transaction Log – Type of transactions to be logged.

  5. Navigate to System > AppFlow > Policies, and click Add.

  6. On the Create AppFlow Policy page, populate the following fields, and click Create.

    Name – Name for the policy.

    Action – Name of the action to be associated with the policy.

    UNDEF – Name of the AppFlow action to be associated with this policy when an undefined event occurs.

    Expression – Expression or other value against which the traffic is evaluated. Must be a Boolean expression.

    Comments – Any comments about this policy.

  7. Navigate to NetScaler Gateway > Virtual Servers, select the virtual server, and click Edit.

  8. Scroll down the VPN Virtual Server page and, under the Policies section, click +.

  9. On the Choose Type screen, in the Choose Policy drop-down menu, select AppFlow. In the Choose Type drop-down menu, choose Request or ICA Request and click Continue.

  10. Click the highlighted arrow under Select Policy.

  11. Select the AppFlow policy and click Select.

  12. Finally, click Bind.

To configure NetScaler Gateway for HDX Insight support using the CLI, type the following commands:

add appflow collector col3 -IPAddress <ip_mas>
add appflow action <action_name> -collectors col3
add appflow policy <policy_name> true <action_name>
bind vpn vserver <vserver_name> -policy <policy_name> -priority 101 END -type ICA_REQUEST
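
The following is an added example, not part of the original documentation: a Python check over saved configuration lines that reports which VPN virtual servers lack an explicit -DTLS ON (the EDT prerequisite described earlier) or have no AppFlow policy bound (the HDX Insight steps above). The sample lines are constructed and assume the saved configuration uses the same command forms shown on this page; UNSET means no explicit DTLS setting was found, so the effective value depends on the build default and needs a manual check.

```python
import shlex

# Constructed sample of saved configuration lines (not from a real appliance).
SAMPLE_CONFIG = """\
add vpn vserver vs1 SSL 192.0.2.10 443
add vpn vserver vs2 SSL 192.0.2.11 443 -DTLS OFF
add vpn vserver vs3 SSL 192.0.2.12 443
set vpn vserver vs1 -DTLS ON
add appflow policy pol1 true act1
bind vpn vserver vs1 -policy pol1 -priority 101 END -type ICA_REQUEST
bind vpn vserver vs3 -policy sess_pol1 -priority 100
"""

def option(tokens, *names):
    """Return the value following the first option listed in names, or None."""
    hits = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.lower() in names]
    return hits[0] if hits else None

def audit(config_text):
    """Map each VPN virtual server to its explicit DTLS state and AppFlow bindings."""
    servers, appflow_policies, bindings = {}, set(), []
    for line in config_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        verb, kind = tok[0].lower(), " ".join(tok[1:3]).lower()
        if kind == "vpn vserver" and verb in ("add", "set"):
            entry = servers.setdefault(tok[3], {"dtls": "UNSET", "appflow": []})
            # Exact option match; a later set line overrides the add line.
            entry["dtls"] = (option(tok, "-dtls") or entry["dtls"]).upper()
        elif kind == "appflow policy" and verb == "add":
            appflow_policies.add(tok[3])
        elif kind == "vpn vserver" and verb == "bind":
            bindings.append((tok[3], option(tok, "-policy", "-pol"), option(tok, "-type")))
    # Resolve bindings after parsing so the result does not depend on line order.
    for vserver, policy, bind_type in bindings:
        if vserver in servers and policy in appflow_policies:
            servers[vserver]["appflow"].append((policy, bind_type))
    return servers

def findings(servers):
    """List vservers without an explicit DTLS ON or without a bound AppFlow policy."""
    out = []
    for name, state in sorted(servers.items()):
        if state["dtls"] != "ON":
            out.append((name, "DTLS " + state["dtls"]))
        if not state["appflow"]:
            out.append((name, "no AppFlow policy bound"))
    return out
```

Calling findings(audit(SAMPLE_CONFIG)) returns one entry per gap; vs3 is flagged for AppFlow even though a policy is bound to it, because sess_pol1 is not a defined AppFlow policy.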

Disable HDX Insight for non-NSAP HDX session

In a NetScaler appliance, you can now disable HDX Insight for the non-NSAP HDX sessions.

At the command prompt, type:

set ica parameter -HDXInsightNonNSAP ( YES | NO )

By default, HDX Insight for non-NSAP session is enabled.

Configure loss tolerant mode for audio

Starting from release 14.1 build 34.x, NetScaler Gateway supports the loss-tolerant mode for audio of Citrix Virtual Apps and Desktops. This mode enhances the audio experience for users connecting to networks with high latency and packet loss. Users must use Citrix Virtual Apps and Desktops 7 2407 LTSR or later versions to use this functionality.

The loss-tolerant mode for audio policy is based on the EDT Lossy transport protocol. EDT Lossy is a loss-tolerant transport protocol that allows packet loss in transmission without resending multimedia content, resulting in a more real-time experience for users. It is also the preferred mode for audio that ensures superior audio quality compared to EDT during lossy network conditions.

By default, the loss tolerant mode for audio is disabled. When enabled, audio is sent over the loss tolerant mode.

To configure NetScaler Gateway to enable loss tolerant mode using GUI

  1. Navigate to System > Settings > Change ICA Parameters.

  2. Select EDT Lossy to enable the loss tolerant mode.


To configure NetScaler Gateway to enable loss tolerant mode using CLI

At the command prompt, enter the following command to enable loss tolerant mode:

set ica parameter -EDTLossy ENABLED