
Citrix Internals: ICA Connectivity
Denis Gundarev, Senior Consultant, Entisys Solutions
May 21, 2014

@fdwl #BriForum @entisys


About me

Name: ENTISYS\Denis
Groups:
Group1: Bay Area Citrix User Group
Group2: Citrix Technology Professional
Email: DenisG@entisys.com
Twitter: @fdwl
[Length: 112]
0000 30 45 4E 54 49 53 59 53 5C 44 65 6E 69 73 0D 0A 0ENTISYS\Denis..
0010 31 0D 0A 32 0D 0A 42 61 79 20 41 72 65 61 20 43 1..2..Bay Area C
0020 69 74 72 69 78 20 55 73 65 72 20 47 72 6F 75 70 itrix User Group
0030 0D 0A 32 43 69 74 72 69 78 20 54 65 63 68 6E 6F ..2Citrix Techno
0040 6C 6F 67 79 20 50 72 6F 66 65 73 73 69 6F 6E 61 logy Professional
0050 6C 0D 0A 33 44 65 6E 69 73 47 40 65 6E 74 69 73 l..3DenisG@entis
0060 79 73 2E 63 6F 6D 0D 0A 34 40 66 64 77 6C 0D 0A ys.com..4@fdwl..
Agenda

 Everything that you need to know about ICA protocol



What does ICA stand for?

Independent Computing Architecture?

ICA = Intelligent Console Architecture!



ICA 1.0 - 1992

 Originally for serial connections
 IPX and NetBIOS were added later



ICA 2.0 - 1992

 First graphical version of ICA
 Citrix WinCredible - add-on to Citrix MultiUser
 Multiple operating systems:
   OS/2
   DOS
   Windows 3.1
 TCP/IP stack for OS/2 from FTP Software



ICA 3.0 - 1995

 Introduced in WinFrame for Networks
 Thinwire 1, printing, client drive mapping, audio, clipboard
 TCP/IP, IPX, SPX, NetBEUI, serial, modems
 $5,995 for 15 concurrent users



PRD – Product Renaming Disorder

Before                                    -> After
Core virtual channels                     -> HDX Broadcast
Thinwire                                  -> HDX SmartRendering
Virtual channel fallback                  -> HDX Adaptive Orchestration
Flash and Windows Media redirection       -> HDX MediaStream
Server-side Flash rendering               -> HDX MediaStream Network Conditions
3D Pro and RemoteFX                       -> HDX RichGraphics
Bidirectional audio and UDP audio         -> HDX RealTime
Device mapping                            -> HDX Plug-n-Play
Built-in compression and Branch Repeater  -> HDX WAN Optimization
NetScaler session policies                -> HDX SmartAccess



ICA Overview

The ICA protocol is optimized for Wide Area Networks (WANs) with high-latency links. It also supports Quality of Service (QoS) and other bandwidth-optimization features.

ICA sits at OSI layer 6 (presentation), so what does it do for optimization? An ICA packet contains the following headers: Frame Head, Reliable, Encryption, Compression, Command, Command Data and Frame Trail. The Command is the only required field; every other header is optional and only present when the corresponding driver is in use.

Within ICA are virtual channels for KVM, printing, audio, drive mapping, clipboard, seamless windows, etc., which are multiplexed into the one stream. Classic ICA allows a maximum of 32 virtual channels (current Win32 clients raise this to 64 static virtual channels; see the Dynamic Virtual Channel slide). RDP channels are different. Each client-side channel has a counterpart on the server. These channels sit on top of the ICA WinStation driver, which sits on top of the protocol driver, which sits on the transport driver.



ICA In Real Life

[Diagram: ICA stack. Transport layers: TCP, SSL, CGP/WinSocks, ICA. ICA drivers: Protocol driver, Frame driver, Encryption, Compression, WinStation. Virtual channels on top: AUDIO, CLIPBOARD, DRIVE, PRINTING, COM, SPEEDSCREEN, VIDEO]


Virtual Channels

[Same stack diagram, with the virtual channels (AUDIO, CLIPBOARD, DRIVE, PRINTING, COM, SPEEDSCREEN, VIDEO) highlighted]


Virtual Channels

Channel  Priority  Description                                 Virtual Driver
(Priority: 0 = very high, 1 = high, 2 = medium, 3 = low)
CTXCAM   0         Client Audio Mapping                        vdcamN.dll
CTXCCM   3         Client COM Port Mapping                     vdcom30N.dll
CTXCDM   2         Client Drive Mapping                        vdcdm30n.dll
CTXCLIP  2         Client Clipboard Mapping                    vdclipn.dll
CTXCM    3         Client Management (Auto-Update)             vdcmN.dll
CTXCOM1  3         Legacy COM1 Port Mapping                    vdcom30N.dll
CTXCOM2  3         Legacy COM2 Port Mapping                    vdcom30N.dll
CTXCPM   3         Printer Mapping for Spooling Clients        vdcpm30N.dll
CTXCTL   1         ICA Session Control                         vdctln.dll
CTXD3D   1         Direct3D Virtual Channel Adapter            vd3dn.dll
CTXEUEM  1         End User Experience Monitoring              vdeuemn.dll
CTXFLSH  2         Multimedia - Flash                          vdflash.dll
CTXGUSB  2         USB Redirection                             vdgusbn.dll
CTXLIC   1         License Management                          wfica32.exe
CTXLPT1  3         Legacy LPT1 Port Mapping                    vdcpm30N.dll
CTXLPT2  3         Legacy LPT2 Port Mapping                    vdcpm30N.dll
CTXMM    2         Multimedia - Streaming                      vdmmn.dll
CTXPASS  2         Transparent Key Pass-Through                vdkbhook.dll
CTXPN    1         Process Notification                        vdpnn.dll
CTXSBR   1         Citrix Browser Acceleration                 vdtw30n.dll
CTXSCRD  1         Smartcard                                   vdscardn.dll
CTXTW    1         Remote Session Screen Update (THINWIRE)     vdtw30n.dll
CTXTWI   1         Seamless Windows Screen Update (THINWIRE)   vdtwin.dll
CTXTWN   2         Twain Redirection                           vdtwn.dll
CTXZLC   0         Speed Screen Latency Reduction - Screen     vdzlcn.dll
CTXZLFK  0         Speed Screen Latency Reduction - Fonts      vdfon30n.dll
CTXVFM   1         ?                                           ?
OEMOEM   3
OEMOEM2  3
Virtual Channels

 At client load time, the list of channel drivers is populated from the registry / .ini file
 During connection the client passes the list of virtual channels it supports to the XenApp server
 The XenApp server opens the virtual channel
 Data is sent using one of two methods:
   Polling mode
   Immediate mode
 The server side of a VC can also live on the client
 You can remove unneeded channels
   (http://www.dell.com/downloads/global/solutions/customization_of_the_citrix_ica_web_client.pdf)
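The last two bullets are the practical attack-surface control: whatever is not in the client's driver list never gets loaded, so drive, COM-port or clipboard mapping can be switched off before the server ever offers them. The script below is an added example, not Citrix code and not from the deck. The ini layout it assumes (an [ICA 3.0] section whose VirtualDriver key lists the channel drivers, each driver with its own [Name] section naming the DLL) is modelled on the client's module.ini but is an assumption; the sample file is constructed, and the section and driver names should be checked against the file shipped with your Receiver.

```python
import configparser
import io
from typing import List, Optional

# Constructed sample in the assumed module.ini layout; not a real Citrix file.
SAMPLE_MODULE_INI = """\
[ICA 3.0]
VirtualDriver=Thinwire3.0, ClientDrive, ClientPrinterQueue, Clipboard, ClientComm, ClientAudio

[Thinwire3.0]
DriverName=VDTW30N.DLL

[ClientDrive]
DriverName=VDCDM30N.DLL

[ClientPrinterQueue]
DriverName=VDCPM30N.DLL

[Clipboard]
DriverName=VDCLIPN.DLL

[ClientComm]
DriverName=VDCOM30N.DLL

[ClientAudio]
DriverName=VDCAMN.DLL
"""

ICA_SECTION = "ICA 3.0"     # assumed section name
VD_KEY = "VirtualDriver"    # assumed key holding the comma-separated driver list


def _load(ini_text: str) -> configparser.ConfigParser:
    # Keep key case and turn off %-interpolation: ini values are opaque strings.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # type: ignore[assignment]
    cp.read_string(ini_text)
    return cp


def list_virtual_drivers(ini_text: str) -> List[str]:
    """Channel driver names the client would load, in VirtualDriver= order."""
    raw = _load(ini_text).get(ICA_SECTION, VD_KEY, fallback="")
    return [name.strip() for name in raw.split(",") if name.strip()]


def driver_dll(ini_text: str, name: str) -> Optional[str]:
    """DLL behind a named driver section, or None if the section is gone."""
    return _load(ini_text).get(name, "DriverName", fallback=None)


def remove_virtual_drivers(ini_text: str, unwanted: List[str]) -> str:
    """Return new ini text with the unwanted channels dropped from the
    VirtualDriver= list and their [Name] sections removed, so the client
    never loads those DLLs (e.g. drive and COM-port mapping)."""
    cp = _load(ini_text)
    keep = [n for n in list_virtual_drivers(ini_text) if n not in unwanted]
    cp.set(ICA_SECTION, VD_KEY, ", ".join(keep))
    for name in unwanted:
        cp.remove_section(name)       # no-op (returns False) if absent
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    hardened = remove_virtual_drivers(SAMPLE_MODULE_INI, ["ClientDrive", "ClientComm"])
    print(list_virtual_drivers(hardened))
```

Removing the driver's own section as well as its name from the list matters: a name left in VirtualDriver= with no section behind it is a client-side load error, and a section left behind with no list entry is dormant configuration somebody will eventually re-enable.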



Virtual Channels

 You can create your own Virtual Channels


 https://www.citrix.com/downloads/citrix-receiver/sdks/virtual-channel-sdk.html
 http://www.citrix.com/community/receiver-ica-sdks.html
 3 examples included in SDK
 RDP2TCP – nice example 
 http://rdp2tcp.sourceforge.net/
 Citrix ICA Virtual Channels Backgrounder
 http://support.citrix.com/article/CTX116890



Dynamic Virtual Channel

 Up to 64 Static Virtual Channels (SVCs) for Win32
 29 SVCs reserved by Citrix
 Android client supports up to 32 SVCs
 Dynamic Virtual Channels (DVCs) are multiplexed over traditional SVCs
 To write a DVC component over ICA, Microsoft's DVC API can be used:
   http://msdn.microsoft.com/en-us/library/bb540860(v=vs.85).aspx



Virtual Channel Priority
 XenApp 6.5 - Implementing ICA Multi-Stream or Multi-Port - Virtual Channel Groups and
Priorities
 http://support.citrix.com/article/CTX131001
 How to Change Virtual Channel Priority in XenDesktop 5
 http://support.citrix.com/article/CTX128190
 Multi-Stream ICA and Cisco QOS
 http://www.citrixirc.com/?p=182
 Check the VC utilization using Perfmon
 http://support.citrix.com/proddocs/topic/xenapp65-admin/ps-ref-counters-ica-sess-count-v2.html



ICA Drivers

[Same stack diagram, with the ICA driver stack (Protocol driver, Frame driver, Encryption, Compression, WinStation) highlighted]

WinStation Driver
 Establishes the ICA session
 Encodes ICA command information into an ICA packet
 ICA packet = Command + Command Data, less than 2048 bytes
 Compresses the ICA packet
 Combines or splits compressed ICA packets into 1460-byte buffers
 Determines the priority of each output buffer



Compression Driver

 Enabled by default
 VC-specific compression methods
 Be careful with WAN optimization recommendations
 Disabled compression + Bandwidth limit = Fail
 http://support.citrix.com/article/CTX121353



Encryption Driver

 Basic. Encrypts the client connection using a non-RC5 algorithm; dugsong's icadecrypt.c shows how it is undone:
   http://www.monkey.org/~dugsong/icadecrypt.c.txt
 RC5, AKA SecureICA:
   RC5 (128 bit) logon only. Encrypts the logon data with RC5 128-bit encryption and the client connection using Basic encryption.
   RC5 (40 bit). Encrypts the client connection with RC5 40-bit encryption.
   RC5 (56 bit). Encrypts the client connection with RC5 56-bit encryption.
   RC5 (128 bit). Encrypts the client connection with RC5 128-bit encryption.
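To make the key-size levels concrete, here is RC5-32/12/b as specified in Rivest's 1994 paper, with the key length left as the parameter so the three SecureICA sizes (40, 56 and 128 bits, i.e. 5, 7 and 16 key bytes) can be exercised side by side. This is an added example, not Citrix code and not from the deck: SecureICA's key exchange, framing and mode of operation are not shown, and the assumption that a level's bit count is simply the raw RC5 key length is the example's own. The known-answer values used to check it are the RC5-32/12/16 test vectors from the paper (zero key and zero block encrypt to 21A5DBEE154B8F6D); the test word packing is little-endian, as in the paper's reference code.

```python
import struct
from typing import List, Tuple

W = 32                                  # RC5-32: 32-bit words, 64-bit blocks
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9       # key-schedule constants from the paper

# Key lengths for the SecureICA levels named on the slide (assumed: raw RC5 key bytes).
SECUREICA_KEY_BYTES = {"RC5 (40 bit)": 5, "RC5 (56 bit)": 7, "RC5 (128 bit)": 16}


def rotl(x: int, y: int) -> int:
    y &= W - 1
    return ((x << y) | (x >> (W - y))) & MASK


def rotr(x: int, y: int) -> int:
    y &= W - 1
    return ((x >> y) | (x << (W - y))) & MASK


def expand_key(key: bytes, rounds: int = 12) -> List[int]:
    """RC5 key schedule: b key bytes -> t = 2*(r+1) round subkeys."""
    b, u = len(key), W // 8
    c = max(1, (b + u - 1) // u)
    L = [0] * c
    for i in range(b - 1, -1, -1):          # load key bytes little-endian into words
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    t = 2 * (rounds + 1)
    S = [0] * t
    S[0] = P32
    for i in range(1, t):
        S[i] = (S[i - 1] + Q32) & MASK
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):          # mix the secret key into S
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def encrypt_words(S: List[int], A: int, B: int, rounds: int = 12) -> Tuple[int, int]:
    A = (A + S[0]) & MASK
    B = (B + S[1]) & MASK
    for r in range(1, rounds + 1):
        A = (rotl(A ^ B, B) + S[2 * r]) & MASK
        B = (rotl(B ^ A, A) + S[2 * r + 1]) & MASK
    return A, B


def decrypt_words(S: List[int], A: int, B: int, rounds: int = 12) -> Tuple[int, int]:
    for r in range(rounds, 0, -1):
        B = rotr((B - S[2 * r + 1]) & MASK, A) ^ A
        A = rotr((A - S[2 * r]) & MASK, B) ^ B
    return (A - S[0]) & MASK, (B - S[1]) & MASK


def rc5_encrypt(key: bytes, block: bytes, rounds: int = 12) -> bytes:
    """One 8-byte block; words are packed little-endian as in the paper's code."""
    A, B = struct.unpack("<II", block)
    return struct.pack("<II", *encrypt_words(expand_key(key, rounds), A, B, rounds))


def rc5_decrypt(key: bytes, block: bytes, rounds: int = 12) -> bytes:
    A, B = struct.unpack("<II", block)
    return struct.pack("<II", *decrypt_words(expand_key(key, rounds), A, B, rounds))


def secureica_encrypt(level: str, key: bytes, block: bytes) -> bytes:
    """Refuse a key whose length does not match the advertised level, so a
    '128 bit' setting cannot silently run with a 40-bit key."""
    expected = SECUREICA_KEY_BYTES[level]
    if len(key) != expected:
        raise ValueError(f"{level} needs a {expected}-byte key, got {len(key)}")
    return rc5_encrypt(key, block)


if __name__ == "__main__":
    print(rc5_encrypt(bytes(16), bytes(8)).hex())   # paper vector: 21a5dbee154b8f6d
```

The cipher is the same for all three levels; only the key schedule input changes. That is the whole point of the slide's caveat: RC5 (40 bit) has a 2^40 keyspace and a single known plaintext block suffices to confirm a guess, so it is a bandwidth-friendly obfuscation layer rather than protection against an attacker who captured the stream.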



Framing Driver

 Rearranges ICA packets according to priority
   Citrix ICA Priority Packet Tagging:
   http://theether.net/download/Citrix/ICA_Priority_Packet_Tagging.pdf
 Fits ICA packets into the frame
 Sends frames to the protocol driver



Protocol Driver

 Transfers the frame to the underlying protocol without modification
 Result is the ICA stream, ready for transmission



More Info About ICA

 Citrix ICA Virtual Channels Backgrounder
   http://support.citrix.com/article/CTX116890
   Virtual channel names must not be more than seven characters in length
 Configuring Citrix MetaFrame XP for Windows by Syngress et al.
   http://amzn.com/1931836531
 Citrix ICA Technology Brief
   http://web.archive.org/web/20000408170851/http://www.bocaresearch.com/technologies/icatech.html



CGP

[Same stack diagram, with the CGP/WinSocks transport layer highlighted]
What does CGP stand for?

 Certified Guitar Player
 Common Gateway Protocol
   Formerly known as Citrix Gateway Protocol



Common Gateway Protocol

 CGP = binary protocol designed for efficient tunneling of one or more TCP streams
 Used by Session Reliability
 Based on the SOCKS proxy protocol



What is SOCKS

 SOCKS is a generic proxy protocol for TCP/IP-based networking applications
 SOCKS consists of two parts: the SOCKS server and the SOCKS client
   The SOCKS server can communicate directly with both the Internet and the internal computers
   The SOCKS client contacts the SOCKS server instead of sending requests directly to the Internet



SOCKS Connection

User -> SOCKS Proxy: SOCKS Request        SOCKS Proxy -> TCP Server: TCP Connect (SYN)
SOCKS Proxy -> User: SOCKS Reply          TCP Server -> SOCKS Proxy: TCP Connect (ACK)
User <-> SOCKS Proxy: DATA                SOCKS Proxy <-> TCP Server: DATA



Secure Gateway Proxy/NetScaler
Gateway Next Hop

 Unauthenticated SOCKS, tunnels any TCP traffic
 When configured with a certificate, the Secure Gateway Proxy / NetScaler Gateway Next Hop expects traffic to be SOCKS+SSL on port 443



What is the difference between CGP and SOCKS?

 CGP is a completely different protocol, but shares the same idea 
 CGP supports ticket-based authentication and addressing
 The CGP server sends keep-alive messages (60 sec by default)
 CGP drops the TCP connection without a response if the ticket is invalid
 CGP supports TCP multiplexing, but it is not really used
 SOCKS is still used in Citrix products
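The three slides above (the SOCKS exchange, the unauthenticated next-hop proxy, and the CGP differences) describe one request/reply pattern with two very different trust models. The code below is an added example, not Citrix code and not from the deck: it builds and parses the SOCKS5 CONNECT exchange exactly as RFC 1928 defines it, with both sides' messages, and then contrasts an open proxy that connects to whatever the client names with a hypothetical ticket-addressed proxy modelled on the slide's description (the ticket, not the client, picks the destination, and an invalid ticket gets the connection dropped without a reply). Carrying the ticket in the SOCKS DST.ADDR field, the ticket table and the two proxy classes are the example's own illustrations; the real CGP wire format is not shown here.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

SOCKS5 = 0x05
NO_AUTH = 0x00                       # "no authentication required" method
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCESS, REP_NOT_ALLOWED = 0x00, 0x02


def build_greeting(methods=(NO_AUTH,)) -> bytes:
    """Client -> proxy: VER | NMETHODS | METHODS (RFC 1928 section 3)."""
    return bytes([SOCKS5, len(methods), *methods])


def parse_method_select(reply: bytes) -> int:
    """Proxy -> client: VER | METHOD (0xFF means no acceptable method)."""
    if len(reply) != 2 or reply[0] != SOCKS5:
        raise ValueError("bad method-select reply")
    return reply[1]


def build_connect(host: str, port: int) -> bytes:
    """Client -> proxy: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (section 4)."""
    try:
        addr, atyp = ipaddress.IPv4Address(host).packed, ATYP_IPV4
    except ValueError:                                   # not an IPv4 literal: domain form
        name = host.encode("ascii")
        addr, atyp = bytes([len(name)]) + name, ATYP_DOMAIN
    return bytes([SOCKS5, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack(">H", port)


def parse_connect(req: bytes) -> Tuple[str, int]:
    if len(req) < 7 or req[0] != SOCKS5 or req[1] != CMD_CONNECT or req[2] != 0:
        raise ValueError("not a SOCKS5 CONNECT")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        host, off = str(ipaddress.IPv4Address(req[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, off = req[5:5 + n].decode("ascii"), 5 + n
    else:
        raise ValueError("unsupported ATYP")
    if len(req) != off + 2:
        raise ValueError("bad request length")
    return host, struct.unpack(">H", req[off:off + 2])[0]


def build_reply(rep: int, bind: str = "0.0.0.0", port: int = 0) -> bytes:
    """Proxy -> client: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT (section 6)."""
    return (bytes([SOCKS5, rep, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(bind).packed + struct.pack(">H", port))


def parse_reply(reply: bytes) -> int:
    if len(reply) < 10 or reply[0] != SOCKS5:
        raise ValueError("bad reply")
    return reply[1]


class OpenSocksProxy:
    """Unauthenticated SOCKS as on the slide: connects to whatever the client names."""

    def handle_connect(self, req: bytes):
        host, port = parse_connect(req)
        return build_reply(REP_SUCCESS), (host, port)


class TicketAddressedProxy:
    """Hypothetical CGP-style handling: the ticket (sent in DST.ADDR) selects the
    destination from a table the gateway already holds; an unknown ticket gets
    the connection dropped with no reply at all, and each ticket is single-use."""

    def __init__(self, tickets: Dict[str, Tuple[str, int]]):
        self.tickets = dict(tickets)

    def handle_connect(self, req: bytes):
        ticket, _ = parse_connect(req)
        target = self.tickets.pop(ticket, None)
        if target is None:
            return None, None                # drop: no SOCKS reply is sent
        return build_reply(REP_SUCCESS), target


def exchange(proxy, host: str, port: int) -> Tuple[List[Tuple[str, Optional[bytes]]], Optional[Tuple[str, int]]]:
    """Run the client side against a proxy object; return the transcript and
    the destination the proxy actually connected to (None if dropped)."""
    log = [("C->P", build_greeting())]
    select = bytes([SOCKS5, NO_AUTH])        # proxy accepts 'no authentication'
    log.append(("P->C", select))
    if parse_method_select(select) != NO_AUTH:
        raise RuntimeError("proxy refused our auth methods")
    req = build_connect(host, port)
    log.append(("C->P", req))
    reply, target = proxy.handle_connect(req)
    log.append(("P->C", reply))
    return log, target
```

The open proxy is what the "tunnels any TCP traffic" bullet means in practice: a client that can reach the next hop can ask it for any internal host:port, which is why that listener must only be reachable from the outer gateway. The ticket variant shows the property CGP and the STA tickets add: the client never names the destination, and a guessed or replayed ticket yields silence rather than an error that would confirm the listener is alive.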



Ticket Types

Name                           | Issued by                                        | Purpose
Logon Ticket                   | XenApp Data Collector / XenDesktop Controller    | Authenticate user to ICA session; ticket replaces user credentials
                                 LogonTicket=34B79930FBFC20BEF54D597A6A1595
                                 LogonTicketType=CTXS1
ACR Ticket                     | XenApp Server / XenDesktop VDA                   | Allow reconnection via Auto Client Reconnect without requiring the user to enter credentials; stored in memory on the client
Gateway Traversal Ticket (v1)  | AppController                                    | Allow ICA connection through SOCKS; ticket replaces destination server address
Common Gateway Protocol Token  | Citrix XTE Service / ICA-CGP Listener            | Allow reconnection via Auto Client Reconnect without requiring the user to enter credentials; stored in memory on the client
Gateway Traversal Ticket (v4)  | XenApp ctxsta.dll or XenDesktop Broker Service   | Allow ICA connection through Gateway with Session Reliability; ticket replaces server address
                                 Address=;40;STA403126471;54D2368FFFD32A448EA55350100553



Session Reliability

 Explaining ICA Session Reliability, Common Gateway Protocol, on TCP Port 2598
   http://support.citrix.com/article/CTX104147
 Session Reliability, Frozen Screens and The Hourglass of Death, by Nick Rintalan
   http://blogs.citrix.com/2013/01/23/session-reliability/



CGP Implementations: XTE Service

 Extensible Transformation Engine (XTE) is an Apache-based proxy server that supports:
   CGP
   SOCKS
   HTTP
   All of the above over SSL
 Seen on XenApp <= 6.5 and XenDesktop <= 5.x as the Citrix XTE Service, providing:
   Session Reliability
   SSL Relay
   Password Manager Service
   Universal Print Server



CGP Implementations: RDS Listeners



CGP Implementations: CSG

 Gateway between an SSL-enabled ICA client and XenApp servers
 Tunnels ICA/CGP traffic inside SSL
 Citrix Secure Gateway is a deprecated component that is still supported for XenApp 6.5
 Similar to the XTE Service, based on Apache
 Basically XTE + 3 additional Apache modules + GUI
 Supports STA ticketing authentication



STA Ticket Request

<?xml version="1.0" encoding="UTF-8"?>
<!--DOCTYPE CtxConnInfoProtocol SYSTEM "CtxConnInfo.dtd"-->
<CtxConnInfo version="1.0">
<ServerAddress>192.168.1.176:1494</ServerAddress>
<UserName>fdwl</UserName>
<UserDomain>corp</UserDomain>
<ApplicationName>XA75 $S4-5</ApplicationName>
<Protocol>ICA</Protocol>
</CtxConnInfo>

 The following data are included in the ticket request sent by the Web server:
   User name and domain name
   Published application name
   Least-busy Presentation Server address



STA Ticket Response

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE CtxSTAProtocol SYSTEM "CtxSTA.dtd" >
<CtxSTAProtocol version="1">
<ResponseTicket>
<AuthorityID authorityType="STA-v1"> STA403126471 </AuthorityID>
<Ticket ticketType="STA-v1">245489CECBC3CAA3B88446F12FF80B6A</Ticket>
<TicketVersion>40</TicketVersion>
</ResponseTicket>
</CtxSTAProtocol>

 The encoding format is a string of the form:
   ;STA_VERSION;STA_ID;TICKET
 STA_VERSION: 40 for XenApp and XenDesktop, 10 for AppController
 STA_ID is a sequence of 0 - 16 characters, usually generated from the MAC address. Each STA ID must be unique; this allows the gateway to locate the STA that created the ticket and return to that STA for ticket validation.
 TICKET is a randomly generated sequence of 32 uppercase alphabetic or numeric characters
 Example:
   ;40;STA403126471;FE0A7B2CE2E77DDC17C7FD3EE7959E79



CGP Implementations: NetScaler
Gateway/Access Gateway

 ICA Proxy mode
 The only supported gateway for XenDesktop 7.x
 ICA Proxy session migration in 10.1



WebSockets

 "SOCKS over HTTP"
 HTTP Upgrade
 XTE Service on XA 6.5
   TCP 8008 by default, but can be changed
   HRP3 is required for StoreFront 2.x
 RDS Listener ICA-HTML5 on XD 7.x Server OS
 ICA Service on XD 7.x Client OS

<html5 enabled="Always" platforms="Force"
launchURL="clients/HTML5Client/src/SessionWindow.html" preferences="wsPort:8080"
singleTabLaunch="true"
chromeAppOrigins="chrome-extension://haiffjcadagjlijoggckpgfnoeiflnem" />



Direct connection

Component                        | Connecting to                  | Session Reliability | Protocol                        | TCP Port
ICA Client version 8.0 or later  | XenApp Server / XenDesktop VDA | Enabled             | ICA in Common Gateway Protocol  | 2598
ICA Client version 8.0 or later  | XenApp Server / XenDesktop VDA | Disabled            | ICA                             | 1494
HTML5 Receiver                   | XenApp Server / XenDesktop VDA | N/A                 | ICA in WebSockets               | 8008



One hop DMZ

Component                                 | Connecting to                             | Session Reliability | Protocol                               | TCP Port
ICA Client version 9.0 or later           | Secure Gateway / Access Gateway / NetScaler | Enabled           | ICA in Common Gateway Protocol in SSL  | 443
ICA Client version 9.0 or later           | Secure Gateway / Access Gateway / NetScaler | Disabled          | ICA in SSL                             | 443
HTML5 Receiver                            | Secure Gateway / Access Gateway / NetScaler | N/A               | ICA in WebSockets in SSL               | 443
Secure Gateway / Access Gateway / NetScaler | XenApp Server / XenDesktop VDA           | Enabled             | ICA in Common Gateway Protocol         | 2598
Secure Gateway / Access Gateway / NetScaler | XenApp Server / XenDesktop VDA           | Disabled            | ICA                                    | 1494


Dual hop DMZ

Component                                           | Connecting to                                                   | Session Reliability | Protocol     | TCP Port
Secure Gateway / Access Gateway / NetScaler in DMZ1 | Secure Gateway / Access Gateway / NetScaler in DMZ2 with SSL    | N/A                 | SOCKS in SSL | 443
Secure Gateway / Access Gateway / NetScaler in DMZ1 | Secure Gateway / Access Gateway / NetScaler in DMZ2 without SSL | N/A                 | SOCKS        | 1080



Multi-Stream ICA

[Diagram: Citrix Receiver for Windows <-> Router <-> XenDesktop (Windows 7). Four TCP streams carried end to end: ICA Real Time, ICA Interactive, ICA Bulk, ICA Background; a separate ICA UDP/RTP Audio stream *; and HTTP from the Receiver to an HTTP Server]

* UDP/RTP Audio initially only in the VDI FlexCast model (XenDesktop)
Multi-Stream vs. Multi-Port ICA

 Single-port, Multi-Stream ICA
   4 random ports at client, 1 primary port on server
 Multi-port, Multi-Stream ICA
   4 random ports at client, 1 primary and up to 3 secondary ports on server
 Single-port, Single-stream ICA
   1 random port at client, 1 primary port on server
   The default connection type
 Multi-Stream with NetScaler
   4 random ports at client, 1 primary port on NetScaler VIP
   4 random ports at NetScaler SNIP/MIP, 1 primary and up to 3 secondary ports on server




Multi-Stream ICA

 XenApp 6.5 - Implementing ICA Multi-Stream or Multi-Port - Virtual Channel Groups and Priorities
 http://support.citrix.com/article/CTX131001
 Very High (numeric 0): Real time channels, such as audio and webcam conferences
 High (numeric 1): Interactive channels, such as graphics, keyboard, and mouse
 Medium (numeric 2): Bulk channels, such as drive mapping, scanners, USB redirection, clipboard, Flash
 Low (numeric 3): Background channels, such as printing, COM port mapping, LPT port mapping

 Requirements:
 XenDesktop 5.5+
 XenApp 6.5+
 Receiver 3.0+



UDP Audio

 Speex codec
 Real-time Transport Protocol (RTP)
 Audio quality must be set to Medium
 Does not use ICA or CGP (a separate UDP stream next to the ICA connection)
 Citrix Receiver creates a UDP listener on the client device during session initialization
 Not supported through NetScaler



SSL

[Same stack diagram, with the SSL transport layer highlighted]
SSL

 Citrix uses a custom SSLSDK library that wraps the native OS SSL functions to form a secured socket
 Recommended for every connection
 SSL Relay is no longer available in XenDesktop 7.x; use IPsec to enforce encryption there
 Wildcard and SAN certificates are supported



SSL on NetScaler

 SNI (Server Name Indication) is not supported by Receiver yet
 NetScaler VPX does not support TLS 1.1 and TLS 1.2
 Always add the CA certificate chain to the vserver



Q&A
