Citrix Gateway service has proved to be useful to customers looking for a cloud-based HDX proxy that provides secure remote access through a cloud-based gateway to front-end their Citrix Virtual Apps and Desktops environments.

If you’re familiar with the solution, you might know that when using the Citrix Gateway service, ICA sessions must be proxied through the Citrix Cloud Connector to reach the Gateway and, subsequently, the user. These Cloud Connectors can support up to 1,000 concurrent sessions. While this may be fine for small deployments, once the user base grows from hundreds to thousands, the Cloud Connectors can become a bottleneck.

For a time, the only way to address this has been to add more Cloud Connectors. But, depending on how many users we’re talking about, you can end up with a lot of Cloud Connectors. That is not ideal, because it can lead to increased cost and management overhead.

To get around this problem, we decided to literally go around it. That’s how the Rendezvous protocol came to be. This feature enables the ICA session to go directly from the VDA to the Gateway service without going through the Cloud Connector first. It’s that simple. And in case you are wondering, we use TLS to secure ICA traffic in transit.

This is an exciting feature for our Citrix Cloud customers. Below, I’ve outlined everything you need to know about Rendezvous’ requirements and configuration in a mini FAQ. All this information is also available in the documentation.

Are there specific requirements for using Rendezvous?
Yes. The requirements for using Rendezvous are as follows:

  • Control plane: You must have Citrix Virtual Apps and Desktops Service (Citrix Cloud)
  • VDA version: 1912+
  • DNS resolution must be enabled for the CVAD site, or a Reverse Lookup Zone must be configured in DNS with PTR records for the VDA machines (see the documentation for more details)
  • SSL Cipher Suite Order must be configured on the VDA machines via GPO or Local Policy as follows:
    Computer Configuration > Policies > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
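Because the requirement is an ordered list, a quick way to audit a VDA is to read back the policy value and compare it position by position. The script below is an added example, not Citrix code; it assumes the GPO or Local Policy "SSL Cipher Suite Order" setting is stored as the comma-separated Functions value under the Cryptography\Configuration\SSL\00010002 policy key, and it runs in PowerShell on the VDA.

```powershell
# Added example (not Citrix code): check that a VDA's SSL Cipher Suite Order policy
# starts with the suites listed in the Rendezvous requirements, in that order.
# Assumption: the GPO / Local Policy setting is stored as the comma-separated REG_SZ
# value "Functions" under this policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Required order, copied from the requirements above.
$RequiredSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256'
)

function Test-RendezvousCipherOrder {
    param([string[]]$Required = $RequiredSuites)

    $item = Get-ItemProperty -Path $PolicyKey -Name 'Functions' -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Compliant = $false; Reason = 'No SSL Cipher Suite Order policy is configured' }
    }

    # The policy stores one string; split it into the ordered list of suite names.
    $configured = @($item.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    for ($i = 0; $i -lt $Required.Count; $i++) {
        if ($i -ge $configured.Count -or $configured[$i] -ne $Required[$i]) {
            $found = if ($i -lt $configured.Count) { $configured[$i] } else { '<missing>' }
            return [pscustomobject]@{
                Compliant = $false
                Reason    = "Position $($i + 1): expected $($Required[$i]), found $found"
            }
        }
    }
    return [pscustomobject]@{ Compliant = $true; Reason = 'Configured order matches the required suites' }
}

Test-RendezvousCipherOrder | Format-List
```

Run it in an elevated PowerShell session after a gpupdate so the policy value reflects the current GPO; a non-compliant result names the first position that differs, which is usually enough to spot a suite that was typed out of order.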

How do you enable or disable Rendezvous?
It is disabled by default and it can be enabled via Citrix Policy using the Rendezvous Protocol setting.

What if I want or need to continue to proxy ICA sessions through a Cloud Connector? How do we get around the scalability issue?
We continue to work on that and will keep you posted.

Are proxies supported with Rendezvous?
Proxies are not supported at the moment. If you must use a proxy, you have to continue to proxy ICA traffic through the Cloud Connector.

What happens if Rendezvous is enabled and the ICA traffic cannot reach the Gateway service directly?
It will fall back to proxying traffic through the Cloud Connector.

What are the internet connectivity requirements?
You can find the requirements and considerations for establishing connectivity between the customer’s resources and Citrix Cloud in the documentation.

How can I tell if Rendezvous is working?
At the moment, the only way to validate whether a session is using Rendezvous is via PowerShell or Command Prompt on the VDA. A few ways to reach PowerShell or Command Prompt inside a Citrix session: publish a desktop and open either tool within it, publish PowerShell or Command Prompt directly, or open PowerShell or Command Prompt from within a published application.

In PowerShell or Command Prompt run the following command: “ctxsession.exe -v”.

If Rendezvous is being used, the “Local Address” listed will be “0.0.0.0” followed by a random five-digit port number (e.g. 0.0.0.0:50343).

For further validation, run “netstat -a -n -p TCP”. Under “Local address” you should see the VDA’s IP listed along with the same port shown in the previous step (e.g. 10.4.0.50:50343). Right next to it, under Foreign Address, you should see a public IP along with port 443 (e.g. 52.163.x.x:443), which would correspond to the Gateway service’s IP and the port for the connection.
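The two checks above can be chained into one script so the result is a single yes/no rather than two screens to read. This is an added example, not Citrix code. It assumes ctxsession.exe is on the PATH, that its -v output carries a "Local Address" line of the form 0.0.0.0:port as described above, and that Get-NetTCPConnection (NetTCPIP module) is available on the VDA as a stand-in for netstat.

```powershell
# Added example (not Citrix code): automate the two validation steps from inside
# a Citrix session on the VDA. Assumptions: ctxsession.exe is on the PATH, its -v
# output has a "Local Address" line containing 0.0.0.0:<port>, and
# Get-NetTCPConnection is available in place of "netstat -a -n -p TCP".
function Get-RendezvousStatus {
    $output = & ctxsession.exe -v 2>&1 | Out-String

    # Step 1: a Rendezvous session reports a local address of 0.0.0.0:<port>.
    $m = [regex]::Match($output, 'Local Address[^\r\n]*?0\.0\.0\.0:(\d{1,5})')
    if (-not $m.Success) {
        return [pscustomobject]@{
            Rendezvous = $false
            Detail     = 'Local Address is not 0.0.0.0:<port>; session is likely proxied via a Cloud Connector'
        }
    }
    $port = [int]$m.Groups[1].Value

    # Step 2: the same local port should hold an established TCP connection
    # to the Gateway service on port 443.
    $conn = Get-NetTCPConnection -LocalPort $port -State Established -ErrorAction SilentlyContinue |
            Where-Object { $_.RemotePort -eq 443 } | Select-Object -First 1
    if (-not $conn) {
        return [pscustomobject]@{
            Rendezvous = $false
            Detail     = "Local port $port has no established connection to TCP 443"
        }
    }

    # Heuristic: the Gateway service peer should be a public address, not RFC 1918 space
    # (a private peer on 443 would more likely be a Cloud Connector or an internal proxy).
    $isPrivate = $conn.RemoteAddress -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
    $detail = if ($isPrivate) {
        'Remote peer is a private address; check whether it is a Cloud Connector'
    } else {
        'Direct TLS connection to a public Gateway address on 443'
    }

    [pscustomobject]@{
        Rendezvous    = -not $isPrivate
        LocalAddress  = "$($conn.LocalAddress):$($conn.LocalPort)"
        RemoteAddress = "$($conn.RemoteAddress):$($conn.RemotePort)"
        Detail        = $detail
    }
}

Get-RendezvousStatus | Format-List
```

The private-address check is only a heuristic to catch the fallback case described earlier (ICA traffic that could not reach the Gateway directly and went back through the Cloud Connector); the authoritative signal remains the 0.0.0.0:port local address from ctxsession.exe, which the script checks first.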

In short, Cloud Connector scalability considerations — as it relates to Citrix Gateway service — are a thing of the past. No more having to add additional Cloud Connector capacity for proxying ICA sessions as you add more users to your environment.

Be sure you look out for future blogs on all the feature enhancements we’re rolling out for Citrix Cloud customers!