Citrix Cloud Bridge



  1. Log in to My Account to allocate and download the license file for the above obtained host ID.
  2. Follow the steps outlined below to install the license on the Cloud Bridge physical appliance:
    1. Log into the web-based management console of the appliance.
    2. Navigate to the “Manage Licenses” page and click the “License Configuration” tab.
    3. Click “Add”.
    4. Click “Browse” to browse and select a license. Optionally, you can edit the license name.
    5. Click “Install” to complete the license installation.

To install licenses locally on Cloud Bridge VPX:

  1. Log onto the web-based management console of the Cloud Bridge VPX.
  2. Navigate to the “Manage Licenses” page and click the “License Server” tab.
  3. For “License Server Location”, select “Local”.
  4. Click the “Local Licenses” tab.
  5. Click “Add”.
  6. Browse and select the license file. Click “Install” to complete the license installation.

To configure Cloud Bridge VPX to consume licenses on a remote Citrix license server:

  1. Log into My Account and activate the license using the MAC address of the license server.
  2. Log onto the web-based management console of the Cloud Bridge VPX.
  3. Navigate to the “Manage Licenses” page and click the “License Server” tab.
  4. For “License Server Location”, select “Remote”.
  5. Enter the IP address of the remote Citrix license server and port (pre-populated with default).
  6. Select the license to consume (e.g. VPX-45).
  7. Click “Apply” to finish the configuration.
  • Citrix SD-WAN WANOP
  • NetScaler Gateway

Objective

This article contains information about deploying and configuring a Citrix CloudBridge appliance or VPX to accelerate Independent Computing Architecture (ICA) Proxy Mode in NetScaler Gateway.

Requirements

The following are the basic requirements to complete this task:
CloudBridge appliance/VPX installed with any of the following software releases:

  • Version 7.x (Citrix CloudBridge – Recommended).

  • Version 6.x (Citrix Repeater or Branch Repeater).

  • Version 5.7.x (Citrix Repeater or Branch Repeater).

  • Version 3.x (Citrix Branch Repeater with Windows Server).

Notes:

  • Citrix CloudBridge Plug-in is not recommended for ICA Proxy deployments. Refer to CTX128581 - Citrix Branch Repeater Appliance and Access Gateway Enterprise Edition Appliance Supported Deployment Scenarios for more information.

  • Citrix CloudBridge Crypto License to enable SSL traffic acceleration. This might be available through My Account on www.citrix.com.

Background

You can deploy and configure a CloudBridge to optimize ICA across all users in a branch location by using the Proxy Mode to access the published application.

Refer to Citrix Documentation - Providing Access to Published Applications and Virtual Desktops Through the Web Interface for more information about the ICA Proxy Modes.

You must deploy the CloudBridge as shown in the following diagram. The CloudBridge must be on the external facing side of the NetScaler Gateway in the data center.

The CloudBridge in the datacenter is configured with Secure Sockets Layer (SSL) traffic acceleration and the SSL server certificate of NetScaler Gateway. The CloudBridge establishes an SSL tunnel to secure the accelerated ICA traffic. End users log on to the NetScaler Gateway through a web browser (HTTPS) and access the published applications through the StoreFront or Web Interface (WI) site. Clicking an application icon starts the Online Plug-in, which establishes an SSL connection to the NetScaler Gateway. The ICA connection is tunneled through the SSL connection.

The CloudBridge decrypts the SSL connection from the user device, applies ICA optimization techniques, and re-encrypts the traffic for transit over the Internet. The datacenter-side CloudBridge decrypts the optimized ICA traffic and re-encrypts it into the original SSL connection destined for the NetScaler Gateway. The result is transparent acceleration of ICA traffic for the end-user device: the NetScaler Gateway is not aware of the CloudBridge ICA acceleration and requires no configuration change. If there are multiple users in the branch, they also benefit from the cross-user nature of the CloudBridge ICA optimization.

Note: The CloudBridge is not designed for deployment in a demilitarized zone (DMZ) and this is not recommended by Citrix. Deploying the CloudBridge on the external facing side of the NetScaler Gateway is suitable for private Multiprotocol Label Switching (MPLS) and other scenarios where CloudBridge security is not a concern.

Instructions

To accelerate ICA Proxy Mode on NetScaler Gateway with a CloudBridge, complete the following procedures:

Collecting Required Certificates

Required Peer Communication Certificates:

  1. It is recommended to use certificates issued by a trusted certificate authority.
    Note: This is not the certificate used by the NetScaler Gateway ICA Proxy virtual server.

  2. For testing purposes, you can generate and use a self-signed X509 certificate based on a private key (which is also generated by you). This certificate/key pair can be used for Peer Communication instead. For more information refer to Citrix Documentation.

  3. Set the certificates aside until you are ready to configure Peer Communication.

Required SSL Profile Certificates:

  1. From NetScaler Gateway, verify the Certificate (Server Certificate) referenced by the ICA Proxy virtual server. Navigate to NetScaler Gateway > Virtual Servers > Your ICA Proxy Virtual Server > Edit > Server Certificate. Make note of the certificate name.

  2. Go to Traffic Management > SSL > Certificates to find the actual certificate/key pair referenced by Server Certificate.

  3. Download the referenced certificate/key pair by navigating to Traffic Management > SSL > Manage Certificate / Keys / CSRs.

  4. You will also need the company’s root and intermediate certificates (if any). If there are intermediate certificates, they must be concatenated with the root certificate into a single certificate file.

  5. At this point, you are expected to have the following certificates:

    • Root + intermediate(s), all must be concatenated into a single file.

    • One certificate/key pair (taken from NetScaler Gateway virtual server).

  6. Set the certificates aside until you are ready to configure the SSL Profile.
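
Before uploading the gathered files, it is worth confirming that the concatenated CA file really validates the server certificate and that the private key belongs to it. The following is an added example, not part of the original article or of any Citrix tooling; it assumes the `openssl` command-line tool is available, the file names are hypothetical, and the root, intermediate and server certificates it generates are constructed samples so the checks run offline.

```shell
# Added example: pre-upload checks for the certificate files described above.
# All file names are assumptions, not names taken from the article.

# Concatenate intermediate(s) and root into the single CA file the article asks for.
build_ca_bundle() {            # usage: build_ca_bundle OUT INTERMEDIATE... ROOT
  local out=$1; shift
  cat "$@" > "$out"
}

# Succeeds only if CERT chains to a root in BUNDLE, is correctly signed and not expired.
chain_ok() {                   # usage: chain_ok BUNDLE CERT
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if KEY is the private key for CERT (identical public keys).
key_matches_cert() {           # usage: key_matches_cert CERT KEY
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed sample PKI (root -> intermediate -> server), valid for two days.
make_constructed_pki() {       # usage: make_constructed_pki DIR
  local d=$1 n
  printf '[ca]\nbasicConstraints=critical,CA:TRUE\n[leaf]\nbasicConstraints=CA:FALSE\n' \
    > "$d/ext.cnf"
  for n in root int server; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ext.cnf" -extensions ca -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ext.cnf" -extensions ca \
    -out "$d/int.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -extfile "$d/ext.cnf" -extensions leaf \
    -out "$d/server.pem" 2>/dev/null
}
```

With the root alone as the CA file, `chain_ok` fails for a certificate issued by an intermediate, which is the failure the concatenation step prevents. For a self-signed peer communication certificate, pass the same file as both arguments to `chain_ok`.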

Enabling SSL Traffic Acceleration

To enable SSL traffic acceleration on a CloudBridge, complete the following procedure on both client and server-side CloudBridge:

  1. Install the CloudBridge Crypto License.

  2. On the CloudBridge Graphical User Interface (GUI), select SSL Encryption from the Configuration > SSL settings section.

  3. For the Key Store parameter, click Create Password.

  4. Set the password as required.

  5. For the User Data Store parameter, click Enable Encryption.

  6. For the SSL Optimization parameter, click Enable.

Setting up the Peer Communication

To set up the peer communication on a CloudBridge, complete the following procedure:
Note: The following steps must be completed on both client and server-side CloudBridge, unless specified.

  1. On the CloudBridge GUI, select Secure Partners from the Configuration > SSL Settings section.

  2. Select the Enabled option for the Partner State parameter.

  3. Configure the following Partner Security settings:

    • From the Certificate/Key name list, select ADD NEW ENTRY, if you must install a certificate. If you have already installed the required certificate, then select the appropriate certificate/key from the list.

    • From the CA Certificate Store name list, select ADD NEW ENTRY, if you must install a certificate. If you have already installed the required certificate, then select the appropriate CA certificate from the list.
      Note: For self-signed certificates, the CA certificate is the same certificate as in the certificate/key pair.

    • Select the Signature/Expiration option for the Certificate Verification parameter.
      Note: This is required to maintain security between CloudBridge appliances.

  4. Ensure that the Enable Auto-Discovery option is selected.

  5. For server-side CloudBridge, populate the Listen On parameter with its IP address that is reachable from the client-side CloudBridge as shown in the following screen shot:

  6. For client-side CloudBridge, populate the Connect To parameter with the same IP address as that in the preceding step.
    Note: On the server-side CloudBridge, do not specify anything for this parameter.

  7. Click Save.

Configuring SSL Profiles on the Server-Side CloudBridge

To configure SSL profiles on a CloudBridge, complete the following procedure:
Note: This section should be completed only on the server-side CloudBridge.
  1. On the CloudBridge GUI, select SSL Acceleration from the Configuration > SSL Settings section.

  2. Click Add.

  3. In the Profile Name field, specify an SSL Profile name.

  4. Select the Profile Enabled option.

  5. For the Proxy Type parameter, ensure that the Split option is selected.

  6. From the Certificate/Private Key list, select ADD NEW ENTRY, if you must install a certificate. Install the gathered NetScaler Gateway virtual server certificate/key pair and the root certificate (which may include concatenated intermediate certificates). If you have already installed the required certificates, then select the appropriate certificate from the list.

  7. Ensure Build Certificate Chain is checked.

  8. Select Use all configured CA stores for Certificate Chain Store.

  9. Select the Signature/Expiration option for the Certificate Verification parameter.
    Note: This is required to maintain security between the CloudBridge appliance/VPX.

  10. Select Use all configured CA stores for Verification Store.

  11. Retain the default settings for the other fields, as shown in the following screen shot:

  12. Click Add.
    For more information refer to Citrix Documentation.

Configuring Service Class

To configure Service Class on both client and server-side CloudBridge, complete the following procedure:

  1. On the CloudBridge GUI, select Service Classes from the Configuration > Optimization Rules section.

  2. Move the ICA service class to the top of the list.

  3. For ICA service class, click Edit under Action.

  4. Ensure that the Enabled option is selected and Disk is selected from the Acceleration Policy.

  5. Add a new line under Filter Rules with the following field entries:
    Application: HTTPS
    Src IP: Any
    Dst IP: NetScaler Gateway VIP IP address
    VLAN: Any
    DiffServ DSCP Bits: Any
    SSL Profile: ICA Proxy profile that was created in the previous steps.

    Note: This only applies to server-side CloudBridge. For client-side CloudBridge, it must be set to Any.

[Screen shots: Server-Side CloudBridge; Client-Side CloudBridge]

Configuring an External Firewall

Configure the external firewall in the data center to allow the following inbound ports for the CloudBridge:

  • Signaling Address and Port (default 2312) for the CloudBridge peer communication.

  • NetScaler Gateway traffic port (default 443).

Confirming the ICA Acceleration

To confirm the ICA acceleration on a CloudBridge, complete the following procedure:

  1. On the CloudBridge GUI, select Secure Partners from the Monitoring > Partners & Plug-ins section.

  2. Ensure that a secure connection is established between the target client and server-side CloudBridge, as shown in the following screen shot:

[Screen shots: Server-Side CloudBridge; Client-Side CloudBridge]

Note: Depending on which CloudBridge you are viewing, Peer Name denotes the hostname of the partner CloudBridge on the other end.

  3. On the CloudBridge GUI, select Citrix (ICA/CGP) from the Monitoring > Optimization section.

  4. Ensure that the accelerated ICA connections in Green are listed in the ICA Status page, as shown in the following screen shot:

    Note: If the accelerated ICA connections are not listed, then review the CloudBridge configuration.

Additional Resources

Refer to the latest CloudBridge Documentation for additional details on SSL compression as it applies to ICA Proxy.