Why an outbound ICA proxy ?
Outbound ICA proxy function of Citrix Netscaler allow network administrator to :
- Bypass the LAN routing and use outbound proxy routing table in case of overlaping client subnets in a fusion acquisition scenario.
- Enforce SmartControl functionalities on the HDX flow when Citrix Receiver and Citrix Xendesktop farm are deployed in different organisations.
- Enforce SmartControl functionalities to a subset of the LAN population in the secure network (contractors, unsecure workstations, ...)
What can be blocked with SmartControl on the NetScaler?
- Connect Client LPT Ports – Blocks LPT port redirection used for printers. LPT ports are no more used these days.
- Client Audio Redirection – Redirect audio from VDA to client workstation device.
- Local Remote Data Sharing – Allows or disallows data sharing using Receiver HTML5.
- Client Clipboard Redirection – Redirects client workstation clipboard contents to VDA.
- Client COM Port Redirection – Redirect COM (serial) ports from client workstation to VDA.
- Client Drive Redirection – Redirect client drives from client to VDA.
- Client Printer Redirection – Redirects client printers from client workstation to VDA.
- Multistream – Allow or disable multistream.
- Client USB Drive Redirection – Redirect USB drives from client workstation to desktop VDA only.
Netscaler outbound ICA proxy architecture
HDX proxy cache redirection Virtual Server
HDX proxy is a SOCKS v5 proxy which can be configured as a "Cache Redirection Virtual Server" on Netscaler 12.0.
Despite no AppFlow policy can be bound to the virtual server, appflow data of HDX traffic flowing through the HDX Cache redirection Virtual Server can be pushed to Netscaler MAS using a globally bound AppFlow ICA policy (CA_REQ_OVERRIDE or ICA_REQ_DEFAULT ).
Follow the following steps to configure the HDX proxy :
- Create a Cache Redirection server on the NetScaler. Set the type as HDX and define the port, for example use port 8080.
- Create an Appflow collector/policy/action.
- Bind the Appflow policy globaly for ICA traffic
- Configure proxy settings on Citrix Receiver using group policies.
Storefront load-balancing VirtualServer
The Storefront load-balancing virtual server is an SSL virtual server used to proxy Storefront in the same way than the HDX traffic. Both web and HDX traffic flow symetrically through Netscaler. External routing table can be fully segmented from the workstations routing table.
Request and Response rewrite policies allow translation between internal and external Storefront FQDN.
Authentication and Authorization policies can be configured on Storefront load-balancing Virtual Server to only allow a subset of users to access the "external" Storefront. Authentication methods and SSO capabilities depend on Storefront configuration.