
@fdwl #BriForum @entisys

Citrix Internals: ICA Connectivity
Denis Gundarev, Senior Consultant, Entisys Solutions
May 21, 2014
About me
Name: ENTISYS\Denis
Groups:
Group1: Bay Area Citrix User Group
Group2: Citrix Technology Professional
Email: DenisG@entisys.com
Twitter: @fdwl
[Length: 112]
0000 30 45 4E 54 49 53 59 53 5C 44 65 6E 69 73 0D 0A 0ENTISYS\Denis..
0010 31 0D 0A 32 0D 0A 42 61 79 20 41 72 65 61 20 43 1..2..Bay Area C
0020 69 74 72 69 78 20 55 73 65 72 20 47 72 6F 75 70 itrix User Group
0030 0D 0A 32 43 69 74 72 69 78 20 54 65 63 68 6E 6F ..2Citrix Techno
0040 6C 6F 67 79 20 50 72 6F 66 65 73 73 69 6F 6E 61 logy Professiona
0050 6C 0D 0A 33 44 65 6E 69 73 47 40 65 6E 74 69 73 l..3DenisG@entis
0060 79 73 2E 63 6F 6D 0D 0A 34 40 66 64 77 6C 0D 0A ys.com..4@fdwl..
Agenda
Everything that you need to know about the ICA protocol
What does ICA stand for?
Independent Computing Architecture?
ICA = Intelligent Console Architecture!
ICA 1.0 - 1992
Originally for Serial connections
IPX and NetBIOS were added later
ICA 2.0 - 1992
First graphical version of ICA
Citrix WinCredible - add-on to Citrix MultiUser
Multiple operating systems: OS/2, DOS, Windows 3.1
TCP/IP stack for OS/2 from FTP Software
ICA 3.0 - 1995
Introduced in WinFrame For Networks
Thinwire 1, Printing, Client drive mapping, Audio, Clipboard
TCP/IP, IPX, SPX, NetBEUI, Serial, Modems
$5,995 for 15 concurrent users
PRD: Product Renaming Disorder
Before | After
Core virtual channels | HDX Broadcast
Thinwire | HDX SmartRendering
Virtual channel fallback | HDX Adaptive Orchestration
Flash and Windows Media redirection | HDX MediaStream
Server-side Flash rendering | HDX MediaStream Network Conditions
3D Pro and RemoteFX | HDX RichGraphics
Bidirectional audio and UDP Audio | HDX RealTime
Device mapping | HDX Plug-n-Play
Built-in compression and Branch Repeater | HDX WAN Optimization
NetScaler session policies | HDX SmartAccess
ICA Overview
The ICA protocol is optimized for Wide Area Networks (WANs) with high-latency links. It also supports Quality of Service (QoS) and other bandwidth optimization features.

Since ICA sits at OSI Layer 6, what does it do for optimization? An ICA packet contains the following headers: Frame Head, Reliable, Encryption, Compression, Command, Command Data, Frame Trail. The command is the only required part.

Within ICA, virtual channels for KVM, printing, audio, drive mapping, clipboard, seamless windows, etc. can be encapsulated. You can have a maximum of 32 virtual channels. RDP channels are different. Each channel has a counterpart on the server.

These channels sit on top of the ICA WinStation driver, which sits on top of the protocol driver, which sits on the transport driver.
ICA In Real Life
[Diagram: ICA stack with the layers TCP, SSL, CGP/WinSocks, ICA Protocol driver, Frame driver, Encryption, WinStation, Compression, and the virtual channels AUDIO, CLIPBOARD, DRIVE, PRINTING, VIDEO, SPEEDSCREEN, COM on top]
Virtual Channels
[Diagram: the same ICA stack (TCP, SSL, CGP/WinSocks, ICA Protocol driver, Frame driver, Encryption, WinStation, Compression) with the virtual channels AUDIO, CLIPBOARD, DRIVE, PRINTING, VIDEO, SPEEDSCREEN, COM highlighted]
Virtual Channels
Channel Name | Priority | Description | Virtual Driver
CTXCAM | 0 | Client Audio Mapping | vdcamN.dll
CTXCCM | 3 | Client COM Port Mapping | vdcom30N.dll
CTXCDM | 2 | Client Drive Mapping | vdcdm30n.dll
CTXCLIP | 2 | Client Clipboard Mapping | vdclipn.dll
CTXCM | 3 | Client Management (Auto-Update) | vdcmN.dll
CTXCOM1 | 3 | Legacy COM1 Port Mapping | vdcom30N.dll
CTXCOM2 | 3 | Legacy COM2 Port Mapping | vdcom30N.dll
CTXCPM | 3 | Printer Mapping for Spooling Clients | vdcpm30N.dll
CTXCTL | 1 | ICA Session Control | vdctln.dll
CTXD3D | 1 | Direct3D Virtual Channel Adapter | vd3dn.dll
CTXEUEM | 1 | End User Experience Monitoring | vdeuemn.dll
CTXFLSH | 2 | Multimedia - Flash | vdflash.dll
CTXGUSB | 2 | USB Redirection | vdgusbn.dll
CTXLIC | 1 | License Management | wfica32.exe
CTXLPT1 | 3 | Legacy LPT1 Port Mapping | vdcpm30N.dll
CTXLPT2 | 3 | Legacy LPT2 Port Mapping | vdcpm30N.dll
CTXMM | 2 | Multimedia - Streaming | vdmmn.dll
CTXPASS | 2 | Transparent Key Pass-Through | vdkbhook.dll
CTXPN | 1 | Process Notification | vdpnn.dll
CTXSBR | 1 | Citrix Browser Acceleration | vdtw30n.dll
CTXSCRD | 1 | Smartcard | vdscardn.dll
CTXTW | 1 | Remote Session Screen Update (THINWIRE) | vdtw30n.dll
CTXTWI | 1 | Seamless Windows Screen Update (THINWIRE) | vdtwin.dll
CTXTWN | 2 | Twain Redirection | vdtwn.dll
CTXZLC | 0 | SpeedScreen Latency Reduction - Screen | vdzlcn.dll
CTXZLFK | 0 | SpeedScreen Latency Reduction - Fonts | vdfon30n.dll
OEMOEM | 3 | |
OEMOEM2 | 3 | |
CTXVFM | 1 | |
CTXVFM?
Virtual Channels
At client load time, the list of channel drivers is populated from the registry/.ini file
During connection setup, the client passes information about the virtual channels it supports to the XenApp server
The XenApp server opens the virtual channel
Data is sent using one of the following two methods:
Polling mode
Immediate mode
The VC server can be on the client
You can remove unneeded channels
(http://www.dell.com/downloads/global/solutions/customization_of_the_citrix_ica_web_client.pdf)
Virtual Channels
You can create your own Virtual Channels
https://www.citrix.com/downloads/citrix-receiver/sdks/virtual-channel-sdk.html
http://www.citrix.com/community/receiver-ica-sdks.html
Three examples are included in the SDK
RDP2TCP is a nice example
http://rdp2tcp.sourceforge.net/
Citrix ICA Virtual Channels Backgrounder
http://support.citrix.com/article/CTX116890
Dynamic Virtual Channel
Up to 64 Static Virtual Channels (SVCs) for Win32
29 SVCs reserved by Citrix
Android client supports up to 32 SVCs
Dynamic Virtual Channels (or DVCs) are multiplexed over traditional SVCs
To write the DVC component over ICA, Microsoft's DVC API can be used.
http://msdn.microsoft.com/en-us/library/bb540860(v=vs.85).aspx
Virtual Channel Priority
XenApp 6.5 - Implementing ICA Multi-Stream or Multi-Port - Virtual Channel Groups and
Priorities
http://support.citrix.com/article/CTX131001
How to Change Virtual Channel Priority in XenDesktop 5
http://support.citrix.com/article/CTX128190
Multi-Stream ICA and Cisco QOS
http://www.citrixirc.com/?p=182
Check the VC utilization using Perfmon
http://support.citrix.com/proddocs/topic/xenapp65-admin/ps-ref-counters-ica-sess-count-v2.html
ICA Drivers
[Diagram: the ICA stack (TCP, SSL, CGP/Winsocks, ICA Protocol driver, Frame driver, Encryption, WinStation, Compression) with the driver layers highlighted; virtual channels shown: DRIVE, PRINTING, COM]
WinStation Driver
Establishes the ICA session
Encodes ICA command information into an ICA packet
ICA packet = Command + Command Data, < 2048 bytes
Compresses the ICA packet
Combines or separates compressed ICA packets into 1460-byte buffers
Determines the priority of each output buffer
Compression Driver
Enabled by default
VC-specific compression methods
Be careful with WAN optimization recommendations
Disabled compression + Bandwidth limit = Fail
http://support.citrix.com/article/CTX121353
Encryption Driver
Basic: encrypts the client connection using a non-RC5 algorithm
http://www.monkey.org/~dugsong/icadecrypt.c.txt
RC5, AKA SecureICA:
RC5 (128 bit) logon only: encrypts the logon data with RC5 128-bit encryption and the client connection using Basic encryption
RC5 (40 bit): encrypts the client connection with RC5 40-bit encryption
RC5 (56 bit): encrypts the client connection with RC5 56-bit encryption
RC5 (128 bit): encrypts the client connection with RC5 128-bit encryption
Framing Driver
Rearranges ICA packets according to priority
Citrix ICA Priority Packet Tagging
http://theether.net/download/Citrix/ICA_Priority_Packet_Tagging.pdf
Fit ICA packets into the frame
Send frames to protocol driver
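As an added illustration (not code from the deck or from Citrix), the following Python model walks through what the WinStation Driver and Framing Driver slides describe: packets of command plus command data under 2048 bytes, reordered by priority and combined into, or split across, 1460-byte output buffers. The packet layout, the one-byte command code and the sample channel priorities are assumptions made for the model, not the real ICA wire format.

```python
from dataclasses import dataclass, field

MAX_PACKET = 2048    # command + command data must stay below this (WinStation slide)
BUFFER_SIZE = 1460   # size of the output buffers the WinStation driver fills

@dataclass
class IcaPacket:
    priority: int    # 0 = very high ... 3 = low, as in the virtual channel table
    command: int     # one-byte command code (assumed encoding, not the real ICA format)
    data: bytes      # command data

    def encode(self) -> bytes:
        body = bytes([self.command]) + self.data
        if len(body) >= MAX_PACKET:
            raise ValueError(f"ICA packet of {len(body)} bytes is not < {MAX_PACKET}")
        return body

@dataclass
class OutputBuffer:
    priority: int
    payload: bytearray = field(default_factory=bytearray)

    def free(self) -> int:
        return BUFFER_SIZE - len(self.payload)

def build_buffers(packets):
    """Order packets by priority (stable, so one channel's packets keep their
    order), pack consecutive same-priority packets into one buffer while they
    fit, and split a packet that does not fit across buffers."""
    buffers = []
    for pkt in sorted(packets, key=lambda p: p.priority):
        rest = pkt.encode()
        while rest:
            last = buffers[-1] if buffers else None
            if last is None or last.priority != pkt.priority or last.free() == 0:
                last = OutputBuffer(pkt.priority)
                buffers.append(last)
            chunk, rest = rest[:last.free()], rest[last.free():]
            last.payload += chunk
    return buffers

def summarize(buffers):
    """(priority, bytes) per output buffer, in transmission order."""
    return [(b.priority, len(b.payload)) for b in buffers]

# Constructed sample: one packet per channel, sizes chosen to force both
# combining (thinwire + keyboard) and splitting (thinwire, clipboard).
SAMPLE_PACKETS = [
    IcaPacket(3, 0x10, b"P" * 1000),   # printing, low
    IcaPacket(1, 0x20, b"T" * 1500),   # thinwire screen update, high
    IcaPacket(0, 0x30, b"A" * 200),    # audio, very high
    IcaPacket(1, 0x21, b"K" * 100),    # keyboard, high
    IcaPacket(2, 0x40, b"C" * 1800),   # clipboard, medium
]
```

Running `summarize(build_buffers(SAMPLE_PACKETS))` shows the audio packet leaving first and the low-priority print job last, regardless of the order in which the channels produced them.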
Protocol Driver
Transfers the frame to the underlying protocol without modification
Result is ICA stream, ready for transmission
More Info About ICA
Citrix ICA Virtual Channels Backgrounder
http://support.citrix.com/article/CTX116890
Virtual channel names must not be more than seven characters in length
Configuring Citrix MetaFrame XP for Windows by Syngress et al.
http://amzn.com/1931836531
Citrix ICA Technology Brief
http://web.archive.org/web/20000408170851/http://www.bocaresearch.com/technologies/icatech.html
CGP
[Diagram: the ICA stack (TCP, SSL, CGP/WinSocks, ICA Protocol driver, Frame driver, Encryption, WinStation, Compression) with the CGP layer highlighted; virtual channels shown: AUDIO, CLIPBOARD, DRIVE, PRINTING, VIDEO, SPEEDSCREEN, COM]
What does CGP stand for?
Certified Guitar Player
Common Gateway Protocol
Formerly known as Citrix Gateway Protocol
Common Gateway Protocol
CGP = binary protocol designed for efficient tunneling of one or more TCP streams
Used by Session Reliability
Based on SOCKS proxy protocol
What is SOCKS?
SOCKS is a generic proxy protocol for TCP/IP-based networking applications.
SOCKS consists of two parts: a SOCKS server and a SOCKS client.
The SOCKS server can communicate directly with both the Internet and the internal computers.
The SOCKS client contacts the SOCKS server instead of sending requests directly to the Internet.
SOCKS Connection
[Sequence diagram with three parties: User, SOCKS Proxy, TCP Server]
User -> SOCKS Proxy: SOCKS Request
SOCKS Proxy -> TCP Server: TCP Connect SYN
TCP Server -> SOCKS Proxy: TCP Connect ACK
SOCKS Proxy -> User: SOCKS Reply
User <-> SOCKS Proxy <-> TCP Server: DATA (relayed in both directions)
Secure Gateway Proxy/NetScaler Gateway Next Hop
Unauthenticated SOCKS, tunnels any TCP traffic
When configured with a certificate, the Secure Gateway Proxy/NetScaler Gateway Next Hop expects traffic to be SOCKS+SSL on port 443
What is the difference between CGP and SOCKS?
CGP is a completely different protocol, but it shares the same idea
CGP supports ticket-based authentication and addressing
The CGP server sends keep-alive messages (60 sec by default)
CGP drops the TCP connection without a response if the ticket is invalid
CGP supports TCP multiplexing, but it is not really used
SOCKS is still in Citrix products
Ticket Types
Name | Issued by | Purpose
Logon Ticket | XenApp Data Collector / XenDesktop Controller | Authenticate user to ICA session; ticket replaces user credentials. Example: LogonTicket=34B79930FBFC20BEF54D597A6A1595, LogonTicketType=CTXS1
ACR Ticket | XenApp Server / XenDesktop VDA | Allow reconnection via Auto Client Reconnect without requiring the user to enter credentials; stored in memory of the client
Gateway Traversal Ticket (v1) | AppController | Allow ICA connection through SOCKS; ticket replaces destination server address
Common Gateway Protocol Token | Citrix XTE Service / ICA-CGP Listener | Allow reconnection via Auto Client Reconnect without requiring the user to enter credentials; stored in memory of the client
Gateway Traversal Ticket (v4) | XenApp ctxsta.dll or XenDesktop Broker Service | Allow ICA connection through Gateway with Session Reliability; ticket replaces server address. Example: Address=;40;STA403126471;54D2368FFFD32A448EA55350100553
Session Reliability
Explaining ICA Session Reliability, Common Gateway Protocol, on TCP Port 2598
http://support.citrix.com/article/CTX104147
Session Reliability, Frozen Screens and The Hourglass of Death, by Nick Rintalan
http://blogs.citrix.com/2013/01/23/session-reliability/



CGP Implementations: XTE Service
Extensible Transformation Engine (XTE) is an Apache-based proxy server that supports:
CGP
SOCKS
HTTP
All of the above over SSL
Can be seen on XenApp <= 6.5 and XenDesktop <=5.x as Citrix XTE Service providing:
Session Reliability
SSL Relay
Password Manager Service
Universal Print Server
CGP Implementations: RDS Listeners
CGP Implementations: CSG
Gateway between an SSL enabled ICA client and XenApp Servers
Tunnels ICA/CGP traffic inside SSL
Citrix Secure Gateway is a deprecated component that is still supported for XenApp 6.5
Similar to XTE Service, based on Apache
Basically XTE + 3 additional Apache modules + GUI
Supports STA Ticketing Authentication
STA Ticket Request
The following data are included in the ticket request sent by the Web server:
User name and domain name
Published application name
Least-busy Presentation Server address
<?xml version="1.0" encoding="UTF-8"?>
<!--DOCTYPE CtxConnInfoProtocol SYSTEM "CtxConnInfo.dtd"-->
<CtxConnInfo version="1.0">
  <ServerAddress>192.168.1.176:1494</ServerAddress>
  <UserName>fdwl</UserName>
  <UserDomain>corp</UserDomain>
  <ApplicationName>XA75 $S4-5</ApplicationName>
  <Protocol>ICA</Protocol>
</CtxConnInfo>
STA Ticket Response
The encoding format is a string of the form:
;STA_VERSION;STA_ID;TICKET
STA_VERSION: 40 for XenApp and XenDesktop, 10 for AppController.
STA_ID is a sequence of 0 to 16 characters, usually generated from the MAC address. Each STA ID must be unique. This allows the gateway to locate the STA that created the ticket and return to that STA for ticket validation.
TICKET is a randomly generated sequence of 32 uppercase alphabetic or numeric characters.
Example:
;40;STA403126471;FE0A7B2CE2E77DDC17C7FD3EE7959E79
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE CtxSTAProtocol SYSTEM "CtxSTA.dtd" >
<CtxSTAProtocol version="1">
  <ResponseTicket>
    <AuthorityID authorityType="STA-v1"> STA403126471 </AuthorityID>
    <Ticket ticketType="STA-v1">245489CECBC3CAA3B88446F12FF80B6A</Ticket>
    <TicketVersion>40</TicketVersion>
  </ResponseTicket>
</CtxSTAProtocol>
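As an added example (not the deck's or Citrix's code), the following Python parses and checks the ;STA_VERSION;STA_ID;TICKET encoding and the CtxSTAProtocol response shown above, rejecting malformed values before a gateway would hand them to an STA for validation. The alphanumeric alphabet for STA_ID is an assumption; the slide only states its length.

```python
import re
import xml.etree.ElementTree as ET
from typing import NamedTuple

KNOWN_VERSIONS = {"40", "10"}                  # 40 = XenApp/XenDesktop, 10 = AppController
STA_ID_RE = re.compile(r"[A-Za-z0-9]{0,16}")   # 0 to 16 chars (alphanumeric alphabet assumed)
TICKET_RE = re.compile(r"[A-Z0-9]{32}")        # 32 uppercase letters or digits (slide)

class StaTicket(NamedTuple):
    version: str
    sta_id: str
    ticket: str

    def encode(self) -> str:
        """Encode as the ';STA_VERSION;STA_ID;TICKET' string carried in Address=."""
        return f";{self.version};{self.sta_id};{self.ticket}"

def parse_sta_address(address: str) -> StaTicket:
    """Split and validate ';STA_VERSION;STA_ID;TICKET'; reject anything malformed."""
    parts = address.split(";")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("expected ';STA_VERSION;STA_ID;TICKET'")
    _, version, sta_id, ticket = (p.strip() for p in parts)
    if version not in KNOWN_VERSIONS:
        raise ValueError(f"unknown STA version {version!r}")
    if not STA_ID_RE.fullmatch(sta_id):
        raise ValueError("STA_ID must be 0 to 16 characters")
    if not TICKET_RE.fullmatch(ticket):
        raise ValueError("TICKET must be 32 uppercase letters or digits")
    return StaTicket(version, sta_id, ticket)

def is_valid_sta_address(address: str) -> bool:
    try:
        parse_sta_address(address)
        return True
    except ValueError:
        return False

def parse_sta_response(xml_text: str) -> StaTicket:
    """Pull the ticket out of a CtxSTAProtocol response (padding around the
    AuthorityID, as in the slide's example, is stripped) and re-check it."""
    rt = ET.fromstring(xml_text.encode("utf-8")).find("ResponseTicket")
    if rt is None:
        raise ValueError("no ResponseTicket element in STA response")
    tags = ("TicketVersion", "AuthorityID", "Ticket")
    return parse_sta_address(StaTicket(*(rt.findtext(t, "") for t in tags)).encode())

# Constructed sample mirroring the response on the slide above.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<CtxSTAProtocol version="1">
<ResponseTicket>
<AuthorityID authorityType="STA-v1"> STA403126471 </AuthorityID>
<Ticket ticketType="STA-v1">245489CECBC3CAA3B88446F12FF80B6A</Ticket>
<TicketVersion>40</TicketVersion>
</ResponseTicket>
</CtxSTAProtocol>"""
```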
CGP Implementations: NetScaler Gateway/Access Gateway
ICA Proxy Mode
The only supported gateway for XenDesktop 7.x
ICA Proxy Session Migration in 10.1
WebSockets
SOCKS over HTTP
HTTP Upgrade
TCP 8008 by default, but can be changed
<html5 enabled="Always" platforms="Force" launchURL="clients/HTML5Client/src/SessionWindow.html" preferences="wsPort:8080" singleTabLaunch="true" chromeAppOrigins="chrome-extension://haiffjcadagjlijoggckpgfnoeiflnem" />
XTE Service on XA 6.5
HRP3 is required for StoreFront 2.x
RDS Listener ICA-HTML5 on XD 7.x Server OS
ICA Service on XD 7.x Client OS
Direct connection
Component | Connecting to | Session Reliability | Protocol | TCP Port
ICA Client version 8.0 or later | XenApp Server/XenDesktop VDA | Enabled | ICA in Common Gateway Protocol | 2598
ICA Client version 8.0 or later | XenApp Server/XenDesktop VDA | Disabled | ICA | 1494
HTML5 Receiver | XenApp Server/XenDesktop VDA | N/A | ICA in WebSockets | 8008
One hop DMZ
Component | Connecting to | Session Reliability | Protocol | TCP Port
ICA Client version 9.0 or later | Secure Gateway/Access Gateway/NetScaler | Enabled | ICA in Common Gateway Protocol in SSL | 443
ICA Client version 9.0 or later | Secure Gateway/Access Gateway/NetScaler | Disabled | ICA in SSL | 443
HTML5 Receiver | Secure Gateway/Access Gateway/NetScaler | N/A | ICA in WebSockets in SSL | 443
Secure Gateway/Access Gateway/NetScaler | XenApp Server/XenDesktop VDA | Enabled | ICA in Common Gateway Protocol | 2598
Secure Gateway/Access Gateway/NetScaler | XenApp Server/XenDesktop VDA | Disabled | ICA | 1494
Dual hop DMZ
Component | Connecting to | Session Reliability | Protocol | TCP Port
Secure Gateway/Access Gateway/NetScaler in DMZ1 | Secure Gateway/Access Gateway/NetScaler in DMZ2 with SSL | N/A | SOCKS in SSL | 443
Secure Gateway/Access Gateway/NetScaler in DMZ1 | Secure Gateway/Access Gateway/NetScaler in DMZ2 without SSL | N/A | SOCKS | 1080
Multi-Stream ICA
[Diagram: Citrix Receiver for Windows connects through a Router to a XenDesktop Windows 7 VDA and an HTTP Server. Streams shown on both sides of the router: ICA Real Time, ICA Interactive, ICA Background, ICA Bulk, HTTP, and ICA UDP/RTP Audio * (ICA UDP Audio * on the client side)]
* UDP/RTP Audio initially only in VDI FlexCast model (XenDesktop)
Multi-Stream vs. Multi-Port ICA
Single-port, Multi-Stream ICA
4 random ports at client, 1 primary port on server
Multi-port, Multi-Stream ICA
4 random ports at client, 1 primary and up to 3 secondary ports on server
Single-port, Single-stream ICA
1 random port at client, 1 primary port on server
The default connection type
Multi-Stream with NetScaler
4 random ports at client, 1 primary port on NetScaler VIP
4 random ports at NetScaler SNIP/MIP, 1 primary and up to 3 secondary ports on server
Multi-Stream ICA
XenApp 6.5 - Implementing ICA Multi-Stream or Multi-Port - Virtual Channel Groups and Priorities
http://support.citrix.com/article/CTX131001
Very High (numeric 0): Real time channels, such as audio and webcam conferences
High (numeric 1): Interactive channels, such as graphics, keyboard, and mouse
Medium (numeric 2): Bulk channels, such as drive mapping, scanners, USB redirection, clipboard, Flash
Low (numeric 3): Background channels, such as printing, COM port mapping, LPT port mapping
Requirements:
XenDesktop 5.5+
XenApp 6.5+
Receiver 3.0+
UDP Audio
Speex codec
Real-time Transport Protocol (RTP)
Quality must be set to Medium
Not using ICA or CGP
Citrix Receiver creates a listener on the client device during session initialization
Not supported with NetScaler
SSL
[Diagram: the ICA stack (TCP, SSL, CGP/WinSocks, ICA Protocol driver, Frame driver, Encryption, WinStation, Compression) with the SSL layer highlighted; virtual channels shown: AUDIO, CLIPBOARD, DRIVE, PRINTING, VIDEO, SPEEDSCREEN, COM]
SSL
Citrix uses a custom SSLSDK library to wrap native OS SSL functions and form a secured socket
Recommended for every connection
SSL Relay is no longer available in XenDesktop 7.x; use IPsec to enforce encryption
Wildcard and SAN certificates are supported
SSL on NetScaler
SNI (Server Name Indication) is not supported by Receiver yet.
NetScaler VPX does not support TLS 1.1 and TLS 1.2
Always add the CA certificate chain to the vserver
Q&A
