citrixinternals ica new 140521053339 phpapp01

Upload: pravinkumarjk

Post on 03-Jun-2018


TRANSCRIPT

  • 8/11/2019 Citrixinternals Ica New 140521053339 Phpapp01

    1/52

    @fdwl #BriForum @entisys

    Citrix Internals: ICA Connectivity

    Denis Gundarev, Senior Consultant, Entisys Solutions

    May 21, 2014


    About me

    Name: ENTISYS\Denis
    Groups:
    Group1: Bay Area Citrix User Group
    Group2: Citrix Technology Professional
    Email: [email protected]: @fdwl
    [Length: 112]

    0000 30 45 4E 54 49 53 59 53 5C 44 65 6E 69 73 0D 0A 0ENTISYS\Denis..
    0010 31 0D 0A 32 0D 0A 42 61 79 20 41 72 65 61 20 43 1..2..Bay Area C
    0020 69 74 72 69 78 20 55 73 65 72 20 47 72 6F 75 70 itrix User Group
    0030 0D 0A 32 43 69 74 72 69 78 20 54 65 63 68 6E 6F ..2Citrix Techno
    0040 6C 6F 67 79 20 50 72 6F 66 65 73 73 69 6F 6E 61 logy Professional
    0050 6C 0D 0A 33 44 65 6E 69 73 47 40 65 6E 74 69 73 l..3DenisG@entis
    0060 79 73 2E 63 6F 6D 0D 0A 34 40 66 64 77 6C 0D 0A ys.com..4@fdwl..


    Agenda

    Everything that you need to know about ICA protocol


    What does ICA stand for?

    Independent Computing Architecture?

    ICA = Intelligent Console Architecture!


    ICA 1.0 - 1992

    Originally for Serial connections

    IPX and NetBIOS were added later


    ICA 3.0 - 1995

    Introduced in WinFrame For Networks

    Thinwire 1, Printing, Client drive mapping, audio, Clipboard

    TCP/IP, IPX, SPX, NetBEUI, Serial, Modems

    $5,995 for 15 concurrent users


    PRD Product Renaming Disorder

    Before | After
    Core Virtual channels | HDX Broadcast
    Thinwire | HDX SmartRendering
    Virtual Channel fallback | HDX Adaptive Orchestration
    Flash and Windows media redirection | HDX MediaStream
    Server-side flash rendering | HDX MediaStream Network Con
    3D Pro and RemoteFX | HDX RichGraphics
    Bidirectional audio and UDP Audio | HDX RealTime
    Device mapping | HDX Plug-n-Play
    Built-In compression and Branch Repeater | HDX WAN Optimization
    NetScaler session policies | HDX SmartAccess


    ICA Overview

    The ICA protocol is optimized for Wide Area Networks (WANs) with high-latency links. It also supports Quality of Service (QoS) and other bandwidth optimization features.

    Since this is OSI Layer 6, what does ICA do for optimization? The ICA packet contains the following headers: Frame Head, Reliable, Encryption, Compression, Command, Command Data, Frame Trail. The command is the only required information.

    Within ICA are virtual channels for KVM, printing, audio, drive mapping, clipboard, seamless windows, etc. that can be encapsulated. You can have a maximum of 32 virtual channels. RDP channels are different. Each channel has a counterpart on the server. These channels sit on top of the ICA WinStation driver, which sits on top of the protocol driver, which sits on the transport driver.


    ICA In Real Life

    [Diagram: ICA connection stack: TCP, SSL, CGP/WinSocks, ICA (Protocol driver, Frame driver, Encryption, WinStation, Compression)]


    Virtual Channels

    [Diagram: ICA connection stack: TCP, SSL, CGP/WinSocks, ICA (Protocol driver, Frame driver, Encryption, WinStation, Compression)]

    Channel Name | Priority | Description
    CTXCAM | 0 | Client Audio Mapping
    CTXCCM | 3 | Client COM Port Mapping
    CTXCDM | 2 | Client Drive Mapping
    CTXCLIP | 2 | Client Clipboard Mapping
    CTXCM | 3 | Client Management (Auto-Update)
    CTXCOM1 | 3 | Legacy COM1 Port Mapping
    CTXCOM2 | 3 | Legacy COM2 Port Mapping
    CTXCPM | 3 | Printer Mapping for Spooling Clients
    CTXCTL | 1 | ICA Session Control
    CTXD3D | 1 | Direct3D Virtual Channel Adapter
    CTXEUEM | 1 | End User Experience Monitoring
    CTXFLSH | 2 | Multimedia - Flash
    CTXGUSB | 2 | USB Redirection
    CTXLIC | 1 | License Management
    CTXLPT1 | 3 | Legacy LPT1 Port Mapping
    CTXLPT2 | 3 | Legacy LPT2 Port Mapping
    CTXMM | 2 | Multimedia - Streaming
    CTXPASS | 2 | Transparent Key Pass-Through
    CTXPN | 1 | Process Notification
    CTXSBR | 1 | Citrix Browser Acceleration
    CTXSCRD | 1 | Smartcard
    CTXTW | 1 | Remote Session Screen Update (THINWIRE)
    CTXTWI | 1 | Seamless Windows Screen Update (THINWIRE)
    CTXTWN | 2 | Twain Redirection
    CTXZLC | 0 | Speed Screen Latency Reduction - Screen
    CTXZLFK | 0 | Speed Screen Latency Reduction - Fonts
    OEMOEM | 3 |
    OEMOEM2 | 3 |
    CTXVFM | 1 |

    CTXVFM?


    Virtual Channels

    At client load time, list of channel drivers populated from the registry/.ini file

    During the connection client passes information about the virtual channels it suppXenApp server.

    XenApp Server opens virtual channel.

    Data sent using the following two methods:

    Polling mode

    Immediate mode

    VC Server can be on the Client

    You can remove unneeded channels (http://www.dell.com/downloads/global/solutions/customization_of_the_citrix_ica_web_client.pdf)

    Virtual Channels

    You can create your own Virtual Channels

    https://www.citrix.com/downloads/citrix-receiver/sdks/virtual-channel-sdk.html

    http://www.citrix.com/community/receiver-ica-sdks.html

    3 examples included in SDK

    RDP2TCP: nice example

    http://rdp2tcp.sourceforge.net/

    Citrix ICA Virtual Channels Backgrounder

    http://support.citrix.com/article/CTX116890


    Dynamic Virtual Channel

    Up to 64 Static Virtual Channels (SVCs) for Win32

    29 SVCs reserved by Citrix

    Android client supports up to 32 SVCs

    Dynamic Virtual Channels (or DVCs) are multiplexed over traditional SVCs

    To write the DVC component over ICA, Microsoft's DVC API can be used.

    http://msdn.microsoft.com/en-us/library/bb540860(v=vs.85).aspx


    Virtual Channel Priority

    XenApp 6.5 - Implementing ICA Multi-Stream or Multi-Port - Virtual Channel GPriorities

    http://support.citrix.com/article/CTX131001

    How to Change Virtual Channel Priority in XenDesktop 5

    http://support.citrix.com/article/CTX128190

    Multi-Stream ICA and Cisco QOS

    http://www.citrixirc.com/?p=182

    Check the VC utilization using Perfmon

    http://support.citrix.com/proddocs/topic/xenapp65-admin/ps-ref-counters-ica-sess-count-v2.html

    ICA Drivers

    [Diagram: ICA connection stack: TCP, SSL, CGP/WinSocks, ICA (Protocol driver, Frame driver, Encryption, WinStation, Compression)]


    WinStation Driver

    Establishes the ICA session

    Encodes ICA command information into an ICA packet

    ICA packet = Command + Command Data < 2048 bytes

    Compresses the ICA packet

    Combines or separates compressed ICA packets into 1460-byte buffers

    Determines the priority of each output buffer


    Compression Driver

    Enabled by default

    VC-specific compression methods

    Be careful with WAN optimization recommendations

    Disabled compression + Bandwidth limit = Fail

    http://support.citrix.com/article/CTX121353


    Encryption Driver

    Basic. Encrypts the client connection using a non-RC5 algorithm.

    http://www.monkey.org/~dugsong/icadecrypt.c.txt

    RC5 AKA SecureICA

    RC5 (128 bit) logon only. Encrypts the logon data with RC5 128-bit encryption and the client connection using Basic encryption.

    RC5 (40 bit). Encrypts the client connection with RC5 40-bit encryption.

    RC5 (56 bit). Encrypts the client connection with RC5 56-bit encryption.

    RC5 (128 bit). Encrypts the client connection with RC5 128-bit encryption.


    Framing Driver

    Rearranges ICA packets according to priority

    Citrix ICA Priority Packet Tagging

    http://theether.net/download/Citrix/ICA_Priority_Packet_Tagging.pdf

    Fit ICA packets into the frame

    Send frames to protocol driver


    Protocol Driver

    Transfers frame to underlying protocol without modification

    Result is ICA stream, ready for transmission


    More Info About ICA

    Citrix ICA Virtual Channels Backgrounder

    http://support.citrix.com/article/CTX116890

    Virtual channel names must not be more than seven characters in length

    Configuring Citrix MetaFrame XP for Windows by Syngress et al.

    http://amzn.com/1931836531

    Citrix ICA Technology Brief

    http://web.archive.org/web/20000408170851/http://www.bocaresearch.com/technologies/icatech.html

    CGP

    [Diagram: ICA connection stack: TCP, SSL, CGP/WinSocks, ICA (Protocol driver, Frame driver, Encryption, WinStation, Compression)]


    What does CGP stand for?

    Certified Guitar Player

    Common Gateway Protocol

    Formerly known as Citrix Gateway Protocol


    Common Gateway Protocol

    CGP = binary protocol designed for efficient tunneling of one or more TCP streams

    Used by Session Reliability

    Based on SOCKS proxy protocol


    What is SOCKS

    SOCKS is a generic proxy protocol for TCP/IP-based networking applications.

    SOCKS consists of two parts: SOCKS server and SOCKS client.

    SOCKS server can communicate directly with both the Internet and the internal co

    SOCKS client contacts the SOCKS server instead of sending requests directly to the


    SOCKS Connection

    [Sequence diagram: User and SOCKS Proxy. The user sends a SOCKS Request; the proxy sends TCP Connect SYN and receives TCP Connect ACK; the proxy returns a SOCKS Reply; DATA then flows in both directions.]


    Secure Gateway Proxy/NetScaler Gateway Next Hop

    Unauthenticated SOCKS, tunnels any TCP traffic

    When configured with a certificate, the Secure Gateway Proxy/NetScaler Gateway Next Hop expects traffic to be SOCKS+SSL on port 443


    What is the difference between CGP and SOCKS?

    CGP is a completely different protocol, but shares the same idea

    CGP supports ticket-based authentication and addressing

    CGP server sends keep-alive messages (60 sec by default)

    CGP drops the TCP connection without a response if the ticket is invalid

    CGP supports TCP multiplexing, but it's not really used

    SOCKS is still in Citrix products


    Ticket Types

    Name: Logon Ticket
    Issued by: XenApp Data Collector / XenDesktop Controller
    Purpose: Authenticate user to ICA session; ticket r credentials
    Example: LogonTicket=34B79930FBFC20BEF54D597
             LogonTicketType=CTXS1

    Name: ACR Ticket
    Issued by: XenApp Server / XenDesktop VDA
    Purpose: Allow reconnection via Auto Client Reco requiring user to enter credentials, stored client

    Name: Gateway Traversal Ticket (v1)
    Issued by: AppController
    Purpose: Allow ICA connection through SOCKS; ti destination server address

    Name: Common Gateway Protocol Token
    Issued by: Citrix XTE Service / ICA-CGP Listener
    Purpose: Allow reconnection via Auto Client Reco requiring user to enter credentials, stored client

    Name: Gateway Traversal Ticket (v4)
    Issued by: XenApp ctxsta.dll or XenDesktop Broker Service
    Purpose: Allow ICA connection through Gateway ticket replaces server address
    Example: Address=;40;STA403126471;54D2368FFFD


    Session Reliability

    Explaining ICA Session ReliabCommon Gateway Protoco2598

    http://support.citrix.com/article/CTX104147

    Session Reliability, Frozen Scr

    Hourglass of Death By Nick R

    http://blogs.citrix.com/2013/01/23/session-reliability/

    CGP Implementations: XTE Service

    Extensible Transformation Engine (XTE) is an Apache-based proxy server that s

    CGP

    SOCKS

    HTTP

    All of the above over SSL

    Can be seen on XenApp


    CGP Implementations: RDS Listeners


    CGP Implementations: CSG

    Gateway between an SSL enabled ICA client and XenApp Servers

    Tunnels ICA/CGP traffic inside SSL

    Citrix Secure Gateway is a deprecated component that is still supported for X

    Similar to XTE Service, based on Apache

    Basically XTE + 3 additional Apache modules + GUI

    Supports STA Ticketing Authentication


    STA Ticket Request

    The following data are included as part of the ticket request sent by the Web server:

    User name and domain name

    Published application name

    Least-busy Presentation Server address


    STA Ticket Response

    The encoding format is a string of the form:

    ;STA_VERSION;STA_ID;TICKET

    STA_VERSION. 40 for XenApp and XenDesktop. 10 for AppController.

    STA_ID is a sequence of 0-16 characters, usually generated from the MAC address. Each STA ID must be unique. This allows the gateway to locate the STA that created the ticket and return to that STA for ticket validation.

    TICKET is a randomly generated sequence of 32 uppercase alphabetic or numeric characters.

    Example:

    ;40;STA403126471;FE0A7B2CE2E77DDC17C7FD3EE7959E79
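
An added example, not from the original slides or from Citrix: a Python check that validates `Address=` values against the ticket format described above (reading the STA_ID length as 0 to 16 characters) and redacts the ticket before it is logged. The ICA fragment, its section names, the redaction format and all function names are assumptions made for illustration.

```python
import re
from typing import List, NamedTuple, Tuple

# STA_VERSION values named on the slide.
STA_VERSIONS = {"40": "XenApp/XenDesktop", "10": "AppController"}
TICKET_RE = re.compile(r"[A-Z0-9]{32}")

# Constructed ICA-file fragment: section names and the second and third
# Address values are made up; the first is the slide's own example ticket.
SAMPLE_ICA = """\
[ExampleApp1]
Address=;40;STA403126471;FE0A7B2CE2E77DDC17C7FD3EE7959E79
[ExampleApp2]
Address=;40;STA403126471;fe0a7b2c
[ExampleApp3]
Address=192.0.2.10:1494
"""


class StaTicket(NamedTuple):
    version: str
    issuer: str
    sta_id: str
    ticket: str

    def redacted(self) -> str:
        """Log-safe form: keeps the routing fields, hides most of the ticket."""
        return f";{self.version};{self.sta_id};{self.ticket[:4]}{'*' * 28}"


def parse_sta_ticket(value: str) -> StaTicket:
    """Parse ';STA_VERSION;STA_ID;TICKET' and enforce the field rules."""
    parts = value.strip().split(";")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("expected ';STA_VERSION;STA_ID;TICKET'")
    _, version, sta_id, ticket = parts
    if version not in STA_VERSIONS:
        raise ValueError(f"unknown STA_VERSION {version!r}")
    if len(sta_id) > 16:
        raise ValueError("STA_ID longer than 16 characters")
    if not TICKET_RE.fullmatch(ticket):
        raise ValueError("TICKET must be 32 uppercase alphanumeric characters")
    return StaTicket(version, STA_VERSIONS[version], sta_id, ticket)


def audit_ica_addresses(ica_text: str) -> List[Tuple[str, str]]:
    """Classify each Address= value as a valid ticket, a malformed ticket,
    or a direct server address (no ticket in place of the address)."""
    findings = []
    for line in ica_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if key != "Address" or not sep:
            continue
        if not value.startswith(";"):
            findings.append(("direct", value))
            continue
        try:
            findings.append(("ticket", parse_sta_ticket(value).redacted()))
        except ValueError as exc:
            findings.append(("malformed", str(exc)))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_ica_addresses(SAMPLE_ICA):
        print(f"{kind:9} {detail}")
```
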


    CGP Implementations: NetScaler Gateway/Access Gateway

    ICA Proxy Mode

    The only supported gateway for XenDesktop 7.x

    ICA Proxy Session Migration in 10.1


    WebSockets

    SOCKS over HTTP

    HTTP Upgrade

    TCP 8008 by default, but can be changed


    Direct connection

    Component | Connecting to | Session Reliability | Protocol
    ICA Client version 8.0 or later | XenApp Server/XenDesktop VDA | Enabled | ICA in Common Gateway Protocol
    ICA Client version 8.0 or later | XenApp Server/XenDesktop VDA | Disabled | ICA
    HTML5 Receiver | XenApp Server/XenDesktop VDA | N/A | ICA in WebSockets


    One hop DMZ

    Component | Connecting to | Session Reliability | Protocol
    ICA Client version 9.0 or later | Secure Gateway/Access Gateway/NetScaler | Enabled | ICA in Common Gateway Protocol in SSL
    ICA Client version 9.0 or later | Secure Gateway/Access Gateway/NetScaler | Disabled | ICA in SSL
    HTML5 Receiver | Secure Gateway/Access Gateway/NetScaler | N/A | ICA in WebSockets SSL
    Secure Gateway/Access Gateway/NetScaler | XenApp Server/XenDesktop VDA | Enabled | ICA in Common Gateway Protocol
    Secure Gateway/Access Gateway/NetScaler | XenApp Server/XenDesktop VDA | Disabled | ICA


    Dual hop DMZ

    Component | Connecting to | Session Reliability | Protocol
    Secure Gateway/Access Gateway/NetScaler in DMZ1 | Secure Gateway/Access Gateway/NetScaler in DMZ2 with SSL | N/A | SOCKS in SSL
    Secure Gateway/Access Gateway/NetScaler in DMZ1 | Secure Gateway/Access Gateway/NetScaler in DMZ2 without SSL | N/A | SOCKS


    Multi-Stream ICA

    [Diagram: Citrix Receiver for Windows, a Router, and server-side endpoints (labels truncated: "XenDeWindo", "HTTServ"), linked by separate streams: HTTP, ICA Real Time, ICA Interactive, ICA Background, ICA Bulk, and ICA UDP/RTP Audio *]

    * UDP/RTP Audio initially only in VDI FlexC


    Multi-Stream ICA


    UDP Audio

    Speex codec

    Real-time Transport Protocol (RTP)

    Quality must be set to Medium

    Not using ICA or CGP

    Citrix Receiver creates a listener on a client device during session initialization

    Not supported with NetScaler


    SSL

    [Diagram: ICA connection stack: TCP, SSL, CGP/WinSocks, ICA (Protocol driver, Frame driver, Encryption, WinStation, Compression)]


    SSL

    Citrix uses custom SSLSDK library to wrap native OS SSL functions and form Se

    Recommended for every connection

    SSL Relay is no longer available in XenDesktop 7.x, Use IPSec to enforce encry

    Wildcard and SAN certificates are supported


    SSL on NetScaler

    SNI (Server Name Indication) is not supported by Receiver yet.

    NetScaler VPX does not support TLS 1.1 and TLS 1.2

    Always add CA certificates chain to vserver


    Q&A