Connectivity
Denis Gundarev, Senior Consultant, Entisys Solutions
May 21, 2014
@fdwl #BriForum @entisys

About me
Name: ENTISYS\Denis
Groups: Group1: Bay Area Citrix User Group; Group2: Citrix Technology Professional
Email: DenisG@entisys.com
Twitter: @fdwl
[Length: 112]
0000 30 45 4E 54 49 53 59 53 5C 44 65 6E 69 73 0D 0A 0ENTISYS\Denis..
0010 31 0D 0A 32 0D 0A 42 61 79 20 41 72 65 61 20 43 1..2..Bay Area C
0020 69 74 72 69 78 20 55 73 65 72 20 47 72 6F 75 70 itrix User Group
0030 0D 0A 32 43 69 74 72 69 78 20 54 65 63 68 6E 6F ..2Citrix Techno
0040 6C 6F 67 79 20 50 72 6F 66 65 73 73 69 6F 6E 61 logy Professiona
0050 6C 0D 0A 33 44 65 6E 69 73 47 40 65 6E 74 69 73 l..3DenisG@entis
0060 79 73 2E 63 6F 6D 0D 0A 34 40 66 64 77 6C 0D 0A ys.com..4@fdwl..

Agenda
- Everything that you need to know about the ICA protocol

What does ICA stand for?
- Independent Computing Architecture?
- ICA = Intelligent Console Architecture!

ICA 1.0 - 1992
- Originally for serial connections
- IPX and NetBIOS were added later

ICA 2.0 - 1992
- First graphical version of ICA
- Citrix WinCredible - add-on to Citrix MultiUser
- Multiple operating systems: OS/2, DOS, Windows 3.1
- TCP/IP stack for OS/2 from FTP Software

ICA 3.0 - 1995
- Introduced in WinFrame For Networks
- Thinwire 1, printing, client drive mapping, audio, clipboard
- TCP/IP, IPX, SPX, NetBEUI, serial, modems
- $5,995 for 15 concurrent users

PRD: Product Renaming Disorder
Before                                      After
Core virtual channels                       HDX Broadcast
Thinwire                                    HDX SmartRendering
Virtual channel fallback                    HDX Adaptive Orchestration
Flash and Windows Media redirection         HDX MediaStream
Server-side Flash rendering                 HDX MediaStream Network Conditions
3D Pro and RemoteFX                         HDX RichGraphics
Bidirectional audio and UDP audio           HDX RealTime
Device mapping                              HDX Plug-n-Play
Built-in compression and Branch Repeater    HDX WAN Optimization
NetScaler session policies                  HDX SmartAccess

ICA Overview
The ICA protocol is optimized for Wide Area Networks (WANs) with high-latency links. It also supports Quality of Service (QoS) and other bandwidth optimization features. ICA operates at OSI layer 6, so what does it do for optimization?
The ICA packet contains the following headers: Frame Head, Reliable, Encryption, Compression, Command, Command Data, Frame Trail. The command is the only required part.
Within ICA, virtual channels for KVM, printing, audio, drive mapping, clipboard, seamless windows, etc. are encapsulated. You can have a maximum of 32 virtual channels. RDP channels are different. Each channel has a counterpart on the server. These channels sit on top of the ICA WinStation driver, which sits on top of the protocol driver, which sits on the transport driver.

ICA In Real Life
[Diagram: the ICA stack (TCP, SSL, CGP / WinSock, ICA Protocol driver, Frame driver, Encryption, WinStation, Compression) and the virtual channels AUDIO, CLIPBOARD, DRIVE, PRINTING, VIDEO, SPEEDSCREEN, COM]

Virtual Channels
[Diagram: the ICA stack (TCP, SSL, CGP / WinSock, ICA Protocol driver, Frame driver, Encryption, WinStation, Compression) and the virtual channels AUDIO, CLIPBOARD, DRIVE, PRINTING, VIDEO, SPEEDSCREEN, COM]

Virtual Channels
Channel  Priority  Description                                 Virtual driver
CTXCAM   0         Client Audio Mapping                        vdcamN.dll
CTXCCM   3         Client COM Port Mapping                     vdcom30N.dll
CTXCDM   2         Client Drive Mapping                        vdcdm30n.dll
CTXCLIP  2         Client Clipboard Mapping                    vdclipn.dll
CTXCM    3         Client Management (Auto-Update)             vdcmN.dll
CTXCOM1  3         Legacy COM1 Port Mapping                    vdcom30N.dll
CTXCOM2  3         Legacy COM2 Port Mapping                    vdcom30N.dll
CTXCPM   3         Printer Mapping for Spooling Clients        vdcpm30N.dll
CTXCTL   1         ICA Session Control                         vdctln.dll
CTXD3D   1         Direct3D Virtual Channel Adapter            vd3dn.dll
CTXEUEM  1         End User Experience Monitoring              vdeuemn.dll
CTXFLSH  2         Multimedia - Flash                          vdflash.dll
CTXGUSB  2         USB Redirection                             vdgusbn.dll
CTXLIC   1         License Management                          wfica32.exe
CTXLPT1  3         Legacy LPT1 Port Mapping                    vdcpm30N.dll
CTXLPT2  3         Legacy LPT2 Port Mapping                    vdcpm30N.dll
CTXMM    2         Multimedia - Streaming                      vdmmn.dll
CTXPASS  2         Transparent Key Pass-Through                vdkbhook.dll
CTXPN    1         Process Notification                        vdpnn.dll
CTXSBR   1         Citrix Browser Acceleration                 vdtw30n.dll
CTXSCRD  1         Smartcard                                   vdscardn.dll
CTXTW    1         Remote Session Screen Update (THINWIRE)     vdtw30n.dll
CTXTWI   1         Seamless Windows Screen Update (THINWIRE)   vdtwin.dll
CTXTWN   2         Twain Redirection                           vdtwn.dll
CTXZLC   0         Speed Screen Latency Reduction - Screen     vdzlcn.dll
CTXZLFK  0         Speed Screen Latency Reduction - Fonts      vdfon30n.dll
OEMOEM   3
OEMOEM2  3
CTXVFM   1         (unknown; shown as "CTXVFM?" on the slide)

Virtual Channels
- At client load time, the list of channel drivers is populated from the registry/.ini file
- During the connection, the client passes information about the virtual channels it supports to the XenApp server
- The XenApp server opens the virtual channel
- Data is sent using one of two methods: polling mode or immediate mode
- The VC server can be on the client
- You can remove unneeded channels: http://www.dell.com/downloads/global/solutions/customization_of_the_citrix_ica_web_client.pdf

Virtual Channels
- You can create your own virtual channels:
  https://www.citrix.com/downloads/citrix-receiver/sdks/virtual-channel-sdk.html
  http://www.citrix.com/community/receiver-ica-sdks.html
- 3 examples included in the SDK
- RDP2TCP is a nice example: http://rdp2tcp.sourceforge.net/
- Citrix ICA Virtual Channels Backgrounder: http://support.citrix.com/article/CTX116890

Dynamic Virtual Channel
- Up to 64 Static Virtual Channels (SVCs) for Win32
- 29 SVCs reserved by Citrix
- Android client supports up to 32 SVCs
- Dynamic Virtual Channels (DVCs) are multiplexed over traditional SVCs
- To write the DVC component over ICA, Microsoft's DVC API can be used: http://msdn.microsoft.com/en-us/library/bb540860(v=vs.85).aspx

Virtual Channel Priority
- XenApp 6.5 - Implementing ICA Multi-Stream or Multi-Port - Virtual Channel Groups and Priorities: http://support.citrix.com/article/CTX131001
- How to Change Virtual Channel Priority in XenDesktop 5: http://support.citrix.com/article/CTX128190
- Multi-Stream ICA and Cisco QoS: http://www.citrixirc.com/?p=182
- Check VC utilization using Perfmon: http://support.citrix.com/proddocs/topic/xenapp65-admin/ps-ref-counters-ica-sess-count-v2.html

ICA Drivers
[Diagram: the ICA stack (TCP, SSL, CGP / WinSock, ICA Protocol driver, Frame driver, Encryption, WinStation, Compression) and the virtual channels DRIVE, PRINTING, COM]

WinStation Driver
- Establishes the ICA session
- Encodes ICA command information into an ICA packet
- ICA packet = Command + Command Data, < 2048 bytes
- Compresses the ICA packet
- Combines or separates compressed ICA packets into 1460-byte buffers
- Determines the priority of each output buffer

Compression Driver
- Enabled by default
- VC-specific compression methods
- Be careful with WAN optimization recommendations
- Disabled compression + bandwidth limit = fail: http://support.citrix.com/article/CTX121353

Encryption Driver
- Basic: encrypts the client connection using a non-RC5 algorithm (see http://www.monkey.org/~dugsong/icadecrypt.c.txt)
- RC5, AKA SecureICA:
  - RC5 (128 bit) logon only: encrypts the logon data with RC5 128-bit encryption and the client connection using Basic encryption
  - RC5 (40 bit): encrypts the client connection with RC5 40-bit encryption
  - RC5 (56 bit): encrypts the client connection with RC5 56-bit encryption
  - RC5 (128 bit): encrypts the client connection with RC5 128-bit encryption

Framing Driver
- Rearranges ICA packets according to priority (Citrix ICA Priority Packet Tagging: http://theether.net/download/Citrix/ICA_Priority_Packet_Tagging.pdf)
- Fits ICA packets into the frame
- Sends frames to the protocol driver

Protocol Driver
- Transfers the frame to the underlying protocol without modification
- The result is the ICA stream, ready for transmission

More Info About ICA
- Citrix ICA Virtual Channels Backgrounder: http://support.citrix.com/article/CTX116890 (virtual channel names must not be more than seven characters in length)
- Configuring Citrix MetaFrame XP for Windows by Syngress et al.
  http://amzn.com/1931836531
- Citrix ICA Technology Brief: http://web.archive.org/web/20000408170851/http://www.bocaresearch.com/technologies/icatech.html

CGP
[Diagram: the ICA stack (TCP, SSL, CGP / WinSock, ICA Protocol driver, Frame driver, Encryption, WinStation, Compression) and the virtual channels AUDIO, CLIPBOARD, DRIVE, PRINTING, VIDEO, SPEEDSCREEN, COM]

What does CGP stand for?
- Certified Guitar Player
- Common Gateway Protocol
- Formerly known as Citrix Gateway Protocol

Common Gateway Protocol
- CGP = binary protocol designed for efficient tunneling of one or more TCP streams
- Used by Session Reliability
- Based on the SOCKS proxy protocol

What is SOCKS
- SOCKS is a generic proxy protocol for TCP/IP-based networking applications.
- SOCKS consists of two parts: a SOCKS server and a SOCKS client.
- The SOCKS server can communicate directly with both the Internet and the internal computers.
- The SOCKS client contacts the SOCKS server instead of sending requests directly to the Internet.

SOCKS Connection
[Diagram: sequence between User, SOCKS Proxy and TCP Server: the user sends a SOCKS Request to the proxy; the proxy performs the TCP Connect (SYN, ACK) with the server; the proxy returns a SOCKS Reply to the user; DATA is then relayed through the proxy]

Secure Gateway Proxy/NetScaler Gateway Next Hop
- Unauthenticated SOCKS, tunnels any TCP traffic
- When configured with a certificate, the Secure Gateway Proxy/NetScaler Gateway Next Hop expects traffic to be SOCKS+SSL on port 443

What is the difference between CGP and SOCKS?
- CGP is a completely different protocol, but shares the same idea
- CGP supports ticket-based authentication and addressing
- The CGP server sends keep-alive messages (60 sec by default)
- CGP drops the TCP connection without a response if the ticket is invalid
- CGP supports TCP multiplexing, but it is not really used
- SOCKS is still in Citrix products

Ticket Types
Logon Ticket
  Issued by: XenApp Data Collector / XenDesktop Controller
  Purpose: Authenticate user to ICA session; ticket replaces user credentials
  Example: LogonTicket=34B79930FBFC20BEF54D597A6A1595, LogonTicketType=CTXS1
ACR Ticket
  Issued by: XenApp Server / XenDesktop VDA
  Purpose: Allow reconnection via Auto Client Reconnect without requiring the user to enter credentials; stored in memory on the client
Gateway Traversal Ticket (v1)
  Issued by: AppController
  Purpose: Allow ICA connection through SOCKS; ticket replaces destination server address
Common Gateway Protocol Token
  Issued by: Citrix XTE Service / ICA-CGP Listener
  Purpose: Allow reconnection via Auto Client Reconnect without requiring the user to enter credentials; stored in memory on the client
Gateway Traversal Ticket (v4)
  Issued by: XenApp ctxsta.dll or XenDesktop Broker Service
  Purpose: Allow ICA connection through Gateway with Session Reliability; ticket replaces server address
  Example: Address=;40;STA403126471;54D2368FFFD32A448EA55350100553

Session Reliability
- Explaining ICA Session Reliability, Common Gateway Protocol, on TCP Port 2598: http://support.citrix.com/article/CTX104147
- Session Reliability, Frozen Screens and The Hourglass of Death, by Nick Rintalan: http://blogs.citrix.com/2013/01/23/session-reliability/
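Going back to the WinStation and Framing driver slides, here is an added Python model (not Citrix's code) of the priority tagging and 1460-byte buffering they describe; the channel priorities come from the virtual channel table on this page, and the byte layout is an assumption, not Citrix's wire format.

```python
# Added illustration, not Citrix code: a model of the scheduling the slides
# describe for the WinStation and Framing drivers. Packets are tagged with the
# priority of their virtual channel (subset of the channel table above), put in
# priority order and filled into 1460-byte output buffers, one priority per buffer.
from dataclasses import dataclass, field
from typing import List

MAX_PACKET = 2048   # ICA packet = command + command data, < 2048 bytes
FRAME_SIZE = 1460   # output buffer size used by the WinStation driver

# Priority per virtual channel, from the channel table on this page.
VC_PRIORITY = {
    "CTXCAM": 0, "CTXZLC": 0,    # 0 = real time
    "CTXTW": 1, "CTXCTL": 1,     # 1 = interactive
    "CTXCDM": 2, "CTXCLIP": 2,   # 2 = bulk
    "CTXCPM": 3, "CTXCCM": 3,    # 3 = background
}

@dataclass
class IcaPacket:
    channel: str
    data: bytes
    def __post_init__(self) -> None:
        if not 0 < len(self.channel) <= 7:
            raise ValueError("virtual channel names are 1 to 7 characters")
        if not 0 < len(self.data) < MAX_PACKET:
            raise ValueError("ICA packet must be 1 to 2047 bytes")

@dataclass
class Frame:
    priority: int
    chunks: List[bytes] = field(default_factory=list)
    def size(self) -> int:
        return sum(len(c) for c in self.chunks)

def tag_priority(pkt: IcaPacket) -> int:
    """Priority of the packet's channel; unknown channels fall to background (3)."""
    return VC_PRIORITY.get(pkt.channel, 3)

def frame_packets(packets: List[IcaPacket]) -> List[Frame]:
    """Reorder by priority (stable sort keeps same-priority order), then pack into
    1460-byte frames, splitting a packet across frames when it does not fit."""
    frames: List[Frame] = []
    for pkt in sorted(packets, key=tag_priority):
        prio, data = tag_priority(pkt), pkt.data
        while data:
            cur = frames[-1] if frames else None
            if cur is None or cur.priority != prio or cur.size() >= FRAME_SIZE:
                cur = Frame(prio)
                frames.append(cur)
            room = FRAME_SIZE - cur.size()
            cur.chunks.append(data[:room])
            data = data[room:]
    return frames
```

A 2000-byte printing packet therefore lands in two background frames behind the audio and Thinwire data, which is the reordering the Priority Packet Tagging paper describes.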
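The SOCKS Connection exchange above, written out as an added Python example (not Citrix code) for plain SOCKS version 4 with both the client and the proxy side modelled in-process; the slides do not say which SOCKS version the gateways speak, and the user id "fdwl" is the sample name from the slides.

```python
# Added example, not Citrix code: the exchange on the "SOCKS Connection"
# slide written out for plain SOCKS version 4. Which SOCKS version Citrix
# gateways speak is not stated on the slides; SOCKS4 is used here because
# its messages are short enough to show in full.
import ipaddress
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 90     # request granted
REPLY_REJECTED = 91    # request rejected or failed
HEADER = "!BBHI"       # VN, CD (or reply code), DSTPORT, DSTIP, big-endian

def build_connect_request(dst_ip: str, dst_port: int, user_id: str = "") -> bytes:
    """Client -> proxy: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL."""
    ip = int(ipaddress.IPv4Address(dst_ip))
    return (struct.pack(HEADER, SOCKS_VERSION, CMD_CONNECT, dst_port, ip)
            + user_id.encode("ascii") + b"\x00")

def parse_connect_request(msg: bytes) -> dict:
    """Proxy side: validate the request before opening the outbound TCP connection."""
    if len(msg) < 9 or msg[-1] != 0:
        raise ValueError("truncated SOCKS4 request")
    vn, cd, port, ip = struct.unpack(HEADER, msg[:8])
    if vn != SOCKS_VERSION or cd != CMD_CONNECT:
        raise ValueError("unsupported request VN=%d CD=%d" % (vn, cd))
    return {"dst_ip": str(ipaddress.IPv4Address(ip)), "dst_port": port,
            "user_id": msg[8:-1].decode("ascii")}

def build_reply(granted: bool, dst_ip: str, dst_port: int) -> bytes:
    """Proxy -> client, sent once the TCP SYN/ACK with the server is done:
    VN=0, reply code, DSTPORT, DSTIP."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack(HEADER, 0, code, dst_port, int(ipaddress.IPv4Address(dst_ip)))

def parse_reply(msg: bytes) -> bool:
    """Client side: True when the tunnel was granted and DATA may flow."""
    vn, code, _port, _ip = struct.unpack(HEADER, msg[:8])
    if vn != 0:
        raise ValueError("bad SOCKS4 reply version")
    return code == REPLY_GRANTED

def socks_exchange(dst_ip: str, dst_port: int, reachable: set) -> bool:
    """Whole exchange in one process. 'reachable' stands in for the proxy's
    outbound TCP connect succeeding; no real socket is opened here."""
    req = build_connect_request(dst_ip, dst_port, "fdwl")   # user id from the slides
    wanted = parse_connect_request(req)
    ok = (wanted["dst_ip"], wanted["dst_port"]) in reachable
    return parse_reply(build_reply(ok, wanted["dst_ip"], wanted["dst_port"]))
```

The dual-hop table later on the deck is this same exchange between two gateways, on port 1080 or wrapped in SSL on 443.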
CGP Implementations: XTE Service
- Extensible Transformation Engine (XTE) is an Apache-based proxy server that supports: CGP, SOCKS, HTTP, and all of the above over SSL
- Can be seen on XenApp <= 6.5 and XenDesktop <= 5.x as the Citrix XTE Service, providing: Session Reliability, SSL Relay, Password Manager Service, Universal Print Server

CGP Implementations: RDS Listeners

CGP Implementations: CSG
- Gateway between an SSL-enabled ICA client and XenApp servers
- Tunnels ICA/CGP traffic inside SSL
- Citrix Secure Gateway is a deprecated component that is still supported for XenApp 6.5
- Similar to the XTE Service, based on Apache
- Basically XTE + 3 additional Apache modules + GUI
- Supports STA ticketing authentication

STA Ticket Request
The following data are included in the ticket request sent by the Web server:
- User name and domain name
- Published application name
- Least-busy Presentation Server address

<?xml version="1.0" encoding="UTF-8"?>
<!--DOCTYPE CtxConnInfoProtocol SYSTEM "CtxConnInfo.dtd"-->
<CtxConnInfo version="1.0">
  <ServerAddress>192.168.1.176:1494</ServerAddress>
  <UserName>fdwl</UserName>
  <UserDomain>corp</UserDomain>
  <ApplicationName>XA75 $S4-5</ApplicationName>
  <Protocol>ICA</Protocol>
</CtxConnInfo>

STA Ticket Response
The encoding format is a string of the form: ;STA_VERSION;STA_ID;TICKET
- STA_VERSION: 40 for XenApp and XenDesktop, 10 for AppController.
- STA_ID is a sequence of 0 to 16 characters, usually generated from the MAC address. Each STA ID must be unique. This allows the gateway to locate the STA that created the ticket and return to that STA for ticket validation.
- TICKET is a randomly generated sequence of 32 uppercase alphabetic or numeric characters.
Example: ;40;STA403126471;FE0A7B2CE2E77DDC17C7FD3EE7959E79

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE CtxSTAProtocol SYSTEM "CtxSTA.dtd">
<CtxSTAProtocol version="1">
  <ResponseTicket>
    <AuthorityID authorityType="STA-v1">STA403126471</AuthorityID>
    <Ticket ticketType="STA-v1">245489CECBC3CAA3B88446F12FF80B6A</Ticket>
    <TicketVersion>40</TicketVersion>
  </ResponseTicket>
</CtxSTAProtocol>

CGP Implementations: NetScaler Gateway/Access Gateway
- ICA Proxy Mode
- The only supported gateway for XenDesktop 7.x
- ICA Proxy Session Migration in 10.1

WebSockets
- SOCKS over HTTP
- HTTP Upgrade
- TCP 8008 by default, but can be changed:
  <html5 enabled="Always" platforms="Force" launchURL="clients/HTML5Client/src/SessionWindow.html" preferences="wsPort:8080" singleTabLaunch="true" chromeAppOrigins="chrome-extension://haiffjcadagjlijoggckpgfnoeiflnem" />
- XTE Service on XA 6.5 HRP3 is required for StoreFront 2.x
- RDS Listener ICA-HTML5 on XD 7.x Server OS
- ICA Service on XD 7.x Client OS

Direct connection
Component                        Connecting to                  Session Reliability  Protocol                        TCP port
ICA Client version 8.0 or later  XenApp Server/XenDesktop VDA   Enabled              ICA in Common Gateway Protocol  2598
ICA Client version 8.0 or later  XenApp Server/XenDesktop VDA   Disabled             ICA                             1494
HTML5 Receiver                   XenApp Server/XenDesktop VDA   N/A                  ICA in WebSockets               8008

One hop DMZ
Component                                Connecting to                            Session Reliability  Protocol                               TCP port
ICA Client version 9.0 or later          Secure Gateway/Access Gateway/NetScaler  Enabled              ICA in Common Gateway Protocol in SSL  443
ICA Client version 9.0 or later          Secure Gateway/Access Gateway/NetScaler  Disabled             ICA in SSL                             443
HTML5 Receiver                           Secure Gateway/Access Gateway/NetScaler  N/A                  ICA in WebSockets in SSL               443
Secure Gateway/Access Gateway/NetScaler  XenApp Server/XenDesktop VDA             Enabled              ICA in Common Gateway Protocol         2598
Secure Gateway/Access Gateway/NetScaler  XenApp Server/XenDesktop VDA             Disabled             ICA                                    1494
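The STA ticket request and response above, and the Address= form used in the Ticket Types table, as an added Python example (not Citrix code); the element names are those on the slides, the STA ID character set is assumed to be alphanumeric, and the HTTP transport to the STA is not shown.

```python
# Added example, not Citrix code: builds the STA ticket request shown above,
# reads the STA response and forms the ";STA_VERSION;STA_ID;TICKET" string that
# ends up in the ICA file's Address= line. Element names are those on the
# slides; how the XML is transported to the STA is not modelled.
import re
import xml.etree.ElementTree as ET

# Format rules from the "STA Ticket Response" slide: version 40 or 10, STA ID of
# 0 to 16 characters (assumed alphanumeric), ticket of 32 uppercase letters/digits.
ADDRESS_RE = re.compile(r"^;(40|10);([A-Za-z0-9]{0,16});([A-Z0-9]{32})$")

# Constructed sample, copied from the response on the slide.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE CtxSTAProtocol SYSTEM "CtxSTA.dtd">
<CtxSTAProtocol version="1">
  <ResponseTicket>
    <AuthorityID authorityType="STA-v1">STA403126471</AuthorityID>
    <Ticket ticketType="STA-v1">245489CECBC3CAA3B88446F12FF80B6A</Ticket>
    <TicketVersion>40</TicketVersion>
  </ResponseTicket>
</CtxSTAProtocol>"""

def build_sta_request(server: str, user: str, domain: str, app: str) -> bytes:
    """CtxConnInfo request: least-busy server, user, domain, published app."""
    root = ET.Element("CtxConnInfo", version="1.0")
    for tag, text in (("ServerAddress", server), ("UserName", user),
                      ("UserDomain", domain), ("ApplicationName", app),
                      ("Protocol", "ICA")):
        ET.SubElement(root, tag).text = text
    return b'<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root)

def parse_sta_response(xml_bytes: bytes) -> str:
    """CtxSTAProtocol response -> ';VERSION;STA_ID;TICKET', format-checked."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "CtxSTAProtocol":
        raise ValueError("not an STA response")
    rt = root.find("ResponseTicket")
    if rt is None:
        raise ValueError("STA returned no ticket")
    address = ";%s;%s;%s" % tuple(
        (rt.findtext(tag) or "").strip()
        for tag in ("TicketVersion", "AuthorityID", "Ticket"))
    if not ADDRESS_RE.match(address):
        raise ValueError("malformed STA address: " + address)
    return address

def split_address(address: str) -> dict:
    """Split an ICA file Address= value so a gateway can find the issuing STA."""
    m = ADDRESS_RE.match(address)
    if not m:
        raise ValueError("malformed STA address: " + address)
    return {"sta_version": m.group(1), "sta_id": m.group(2), "ticket": m.group(3)}
```

The format check matters on the gateway side: the STA_ID is how the gateway finds the STA that issued the ticket, so a malformed address is rejected before any lookup.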
Dual hop DMZ
Component                                        Connecting to                                                Session Reliability  Protocol      TCP port
Secure Gateway/Access Gateway/NetScaler in DMZ1  Secure Gateway/Access Gateway/NetScaler in DMZ2 with SSL     N/A                  SOCKS in SSL  443
Secure Gateway/Access Gateway/NetScaler in DMZ1  Secure Gateway/Access Gateway/NetScaler in DMZ2 without SSL  N/A                  SOCKS         1080

Multi-Stream ICA

Multi-Stream ICA
[Diagram: Citrix Receiver for Windows connected through a router to a XenDesktop Windows 7 machine and an HTTP server; separate streams for ICA Real Time, ICA Interactive, ICA Background, ICA Bulk, HTTP and ICA UDP/RTP Audio *]
* UDP/RTP Audio initially only in the VDI FlexCast model (XenDesktop)

Multi-Stream vs. Multi-Port ICA
- Single-port, Multi-Stream ICA: 4 random ports at client, 1 primary port on server
- Multi-port, Multi-Stream ICA: 4 random ports at client, 1 primary and up to 3 secondary ports on server
- Single-port, Single-stream ICA: 1 random port at client, 1 primary port on server (the default connection type)
- Multi-Stream with NetScaler: 4 random ports at client, 1 primary port on NetScaler VIP; 4 random ports at NetScaler SNIP/MIP, 1 primary and up to 3 secondary ports on server

Multi-Stream ICA
- XenApp 6.5 - Implementing ICA Multi-Stream or Multi-Port - Virtual Channel Groups and Priorities: http://support.citrix.com/article/CTX131001
- Very High (numeric 0): real time channels, such as audio and webcam conferences
- High (numeric 1): interactive channels, such as graphics, keyboard, and mouse
- Medium (numeric 2): bulk channels, such as drive mapping, scanners, USB redirection, clipboard, Flash
- Low (numeric 3): background channels, such as printing, COM port mapping, LPT port mapping
- Requirements: XenDesktop 5.5+, XenApp 6.5+, Receiver 3.0+

UDP Audio
- Speex codec
- Real-time Transport Protocol (RTP)
- Quality must be set to Medium
- Not using ICA or CGP
- Citrix Receiver creates a listener on the client device during session initialization
- Not supported with NetScaler

SSL
[Diagram: the ICA stack (TCP, SSL, CGP / WinSock, ICA Protocol driver, Frame driver, Encryption, WinStation, Compression) and the virtual channels AUDIO, CLIPBOARD, DRIVE, PRINTING, VIDEO, SPEEDSCREEN, COM]

SSL
- Citrix uses a custom SSLSDK library to wrap native OS SSL functions and form a secured socket
- Recommended for every connection
- SSL Relay is no longer available in XenDesktop 7.x; use IPsec to enforce encryption
- Wildcard and SAN certificates are supported

SSL on NetScaler
- SNI (Server Name Indication) is not supported by Receiver yet
- NetScaler VPX does not support TLS 1.1 and TLS 1.2
- Always add the CA certificate chain to the vserver

Q&A