citrix internals: ica connectivity

@fdwl #BriForum @entisys

Citrix Internals: ICA

Connectivity

Denis Gundarev, Senior Consultant, Entisys Solutions

May 21, 2014


Name: ENTISYS\DenisGroups:

Group1: Bay Area Citrix User GroupGroup2: Citrix Technology Professional

Email: [email protected]: @fdwl[Length: 112]

About me

0000 30 45 4E 54 49 53 59 53 5C 44 65 6E 69 73 0D 0A 0ENTISYS\Denis..0010 31 0D 0A 32 0D 0A 42 61 79 20 41 72 65 61 20 43 1..2..Bay Area C0020 69 74 72 69 78 20 55 73 65 72 20 47 72 6F 75 70 itrix User Group0030 0D 0A 32 43 69 74 72 69 78 20 54 65 63 68 6E 6F ..2Citrix Techno0040 6C 6F 67 79 20 50 72 6F 66 65 73 73 69 6F 6E 61 logy Professional0050 6C 0D 0A 33 44 65 6E 69 73 47 40 65 6E 74 69 73 l..3DenisG@entis0060 79 73 2E 63 6F 6D 0D 0A 34 40 66 64 77 6C 0D 0A ys.com..4@fdwl..


Agenda

Everything that you need to know about ICA protocol


What does ICA stand for?

Independent Computing Architecture?

ICA = Intelligent Console

Architecture!


ICA 1.0 - 1992

Originally for Serial connections

IPX and NetBIOS was added later


ICA 2.0 - 1992

First Graphical version of ICA

Citrix WinCredible - add-on to Citrix

MultiUser

Multiple Operating Systems

OS/2

DOS

Windows 3.1

TCP/IP stack for OS/2 from FTP Software


ICA 3.0 - 1995

Introduced in WinFrame For Networks

Thinwire 1, Printing, Client drive mapping,

audio, Clipboard

TCP/IP, IPX, SPX, NetBEUI, Serial, Modems

$5,995 for 15 concurrent users


PRD – Product Renaming Disorder

Before After

Core Virtual channels HDX Broadcast

Thinwire HDX SmartRendering

Virtual Channel fallback HDX Adaptive Orchestration

Flash and Windows media redirection HDX MediaStream

Server-side flash rendering HDX MediaStream Network Conditions

3D Pro and RemoteFX HDX RichGraphics

Bidirectional audio and UDP Audio HDX RealTime

Device mapping HDX Plug-n-Play

Built-In compression and Branch Repeater HDX WAN Optimization

NetScaler session policies HDX SmartAccess


ICA Overview

The ICA protocol is a protocol optimized for Wide Area Networks or WANs with high latency links. It also supports Quality-Of-Service (QoS) and other bandwidth optimization features.

Since this is OSI-Layer 6, what does ICA do for optimization. The ICA packet contains the following headers: Frame Head, Reliable, Encryption, Compression, Command, Command Data, Frame Trail. The command is the only required information.

Within ICA are virtual channels for KVM, printing, audio, Drive Mapping, Clipboard, Seamless windows, etc. that can be encapsulated. You can have a max of 32 virtual channels. RDP channels are different. Each channel has a counter-point on the server. These channels sit on top of the ICA Winstation Driver, on top of Protocol driver, on Transport Driver.


ICA In Real LifeTC

P

SSL

CG

P/W

inSo

cks

ICA

Pro

toc

ol d

riv

er

Fra

me

driv

er

En

cry

ptio

n

Win

Sta

tio

n

Co

mp

ress

ion

AUDIO

CLIPBOARD

DRIVE

PRINTING

VIDEO

SPEEDSCREEN

COM


Virtual ChannelsTC

P

SSL

CG

P/W

inSo

cks

ICA

Pro

toc

ol d

riv

er

Fra

me

driv

er

En

cry

ptio

n

Win

Sta

tio

n

Co

mp

ress

ion

AUDIO

CLIPBOARD

DRIVE

PRINTING

VIDEO

SPEEDSCREEN

COM


Virtual

Channels

Channel Name Priority Description Virtual Driver

CTXCAM 0 Client Audio Mapping vdcamN.dll

CTXCCM 3 Client COM Port Mapping vdcom30N.dll

CTXCDM 2 Client Drive Mapping vdcdm30n.dll

CTXCLIP 2 Client Clipboard Mapping vdclipn.dll

CTXCM 3 Client Management (Auto-Update) vdcmN.dll

CTXCOM1 3 Legacy COM1 Port Mapping vdcom30N.dll

CTXCOM2 3 Legacy COM2 Port Mapping vdcom30N.dll

CTXCPM 3 Printer Mapping for Spooling Clients vdcpm30N.dll

CTXCTL 1 ICA Session Control vdctln.dll

CTXD3D 1 Direct3D Virtual Channel Adapter vd3dn.dll

CTXEUEM 1 End User Experience Monitoring vdeuemn.dll

CTXFLSH 2 Multimedia - Flash vdflash.dll

CTXGUSB 2 USB Redirection vdgusbn.dll

CTXLIC 1 License Management wfica32.exe

CTXLPT1 3 Legacy LP1 Port Mapping vdcpm30N.dll

CTXLPT2 3 Legacy LPT2 Port Mapping vdcpm30N.dll

CTXMM 2 Multimedia - Streaming vdmmn.dll

CTXPASS 2 Transparent Key Pass-Through vdkbhook.dll

CTXPN 1 Process Notification vdpnn.dll

CTXSBR 1 Citrix Browser Acceleration vdtw30n.dll

CTXSCRD 1 Smartcard vdscardn.dll

CTXTW 1 Remote Session Screen Update (THINWIRE) vdtw30n.dll

CTXTWI 1 Seamless Windows Screen Update (THINWIRE) vdtwin.dll

CTXTWN 2 Twain Redirection vdtwn.dll

CTXZLC 0 Speed Screen Latency Reduction - Screen vdzlcn.dll

CTXZLFK 0 Speed Screen Latency Reduction - Fonts vdfon30n.dll

OEMOEM 3

OEMOEM2 3

CTXVFM 1

CTXVFM?


Virtual Channels

At client load time, list of channel drivers populated from the registry/.ini file

During the connection client passes information about the virtual channels it supports to the XenApp server.

XenApp Server opens virtual channel.

Data sent using the following two methods:

Polling mode

Immediate mode

VC Server can be on the Client

You can remove unneeded channels (http://www.dell.com/downloads/global/solutions/customization_of_the_citrix_ica_web_client.pdf)

http://www.dell.com/downloads/global/solutions/customization_of_the_citrix_ica_web_client.pdf


Virtual Channels

You can create your own Virtual Channels

https://www.citrix.com/downloads/citrix-receiver/sdks/virtual-channel-sdk.html

http://www.citrix.com/community/receiver-ica-sdks.html

3 examples included in SDK

RDP2TCP – nice example

http://rdp2tcp.sourceforge.net/

Citrix ICA Virtual Channels Backgrounder

http://support.citrix.com/article/CTX116890

https://www.citrix.com/downloads/citrix-receiver/sdks/virtual-channel-sdk.html

http://www.citrix.com/community/receiver-ica-sdks.html

http://rdp2tcp.sourceforge.net/



Dynamic Virtual Channel

Up to 64 Static Virtual Channels (SVCs) for Win32

29 SVCs reserved by Citrix

Android client supports up to 32 SVCs

Dynamic Virtual Channels (or DVCs) are multiplexed over traditional SVCs

To write the DVC component over ICA, Microsoft’s DVC API can be used.

http://msdn.microsoft.com/en-us/library/bb540860(v=vs.85).aspx

http://msdn.microsoft.com/en-us/library/bb540860(v=vs.85).aspx


Virtual Channel Priority

XenApp 6.5 - Implementing ICA Multi-Stream or Multi-Port - Virtual Channel Groups and

Priorities


How to Change Virtual Channel Priority in XenDesktop 5


Multi-Stream ICA and Cisco QOS

http://www.citrixirc.com/?p=182

Check the VC utilization using Perfmon

http://support.citrix.com/proddocs/topic/xenapp65-admin/ps-ref-counters-ica-sess-count-v2.html



http://www.citrixirc.com/?p=182

http://support.citrix.com/proddocs/topic/xenapp65-admin/ps-ref-counters-ica-sess-count-v2.html


ICA DriversTC

P

SSL

CG

P/W

inso

cks

ICA

Pro

toc

ol d

riv

er

Fra

me

driv

er

En

cry

ptio

n

Win

Sta

tio

n

Co

mp

ress

ion

DRIVE

PRINTING

COM


WinStation Driver

Establishes the ICA session

Encodes ICA command information into

ICA Packet

ICA packet = Command + Command

Data < 2048 bytes

Compresses the ICA packet

Combines or separates compressed ICA

packets to 1460 bytes buffers

Determines the priority of each output

buffer


Compression Driver

Enabled by default

VC-specific compression methods

Be careful with WAN optimization recommendations

Disabled compression + Bandwidth limit = Fail




Encryption Driver

Basic. Encrypts the client connection using a non-RC5 algorithm.

http://www.monkey.org/~dugsong/icadecrypt.c.txt

RC5 AKA SecureICA

RC5 (128 bit) logon only. Encrypts the logon data with RC5 128-bit encryption and the client connection using Basic encryption.

RC5 (40 bit). Encrypts the client connection with RC5 40-bit encryption.



http://www.monkey.org/~dugsong/icadecrypt.c.txt


Framing Driver

Rearranges ICA packets according to priority

Citrix ICA Priority Packet Tagging

http://theether.net/download/Citrix/ICA_Priority_Packet_Tagging.pdf

Fit ICA packets into the frame

Send frames to protocol driver

http://theether.net/download/Citrix/ICA_Priority_Packet_Tagging.pdf


Protocol Driver

Transfers frame to underlying protocol

without modification

Result is ICA stream, ready for transmission


More Info About ICA

Citrix ICA Virtual Channels Backgrounder


Virtual channel names must not be more than seven characters in length

Configuring Citrix MetaFrame XP for Windows by Syngress et al.

http://amzn.com/1931836531

Citrix ICA Technology Brief

http://web.archive.org/web/20000408170851/http://www.bocaresearch.com/technologies/icate

ch.html


http://amzn.com/1931836531

http://web.archive.org/web/20000408170851/http:/www.bocaresearch.com/technologies/icatech.html


CGPTC

P

SSL

CG

P/W

inSo

cks

ICA

Pro

toc

ol d

riv

er

Fra

me

driv

er

En

cry

ptio

n

Win

Sta

tio

n

Co

mp

ress

ion

AUDIO

CLIPBOARD

DRIVE

PRINTING

VIDEO

SPEEDSCREEN

COM


What does CGP stand for?

Certified Guitar Player

Common Gateway Protocol

Formerly known as Citrix Gateway

Protocol


Common Gateway Protocol

CGP = binary protocol designed for

efficient tunneling of one or more TCP

streams

Used by Session Reliability

Based on SOCKS proxy protocol


What is SOCKS

SOCKS is a generic, proxy protocol for TCP/IP based networking application.

SOCKS consists of two parts: SOCKS server and SOCKS client.

SOCKS server can communicate directly with both the Internet and the internal computers.

SOCKS client contacts the SOCKS server instead of sending requests directly to the Internet


SOCKS Connection

TCP ServerUser SOCKS Proxy

SOCKS Request TCP Connect SYN

TCP Connect ACKSOCKS Reply

DATA DATA

DATADATA


Secure Gateway Proxy/NetScaler

Gateway Next Hop

Unauthenticated SOCKS, tunnels any TCP

traffic

When configured with a certificate, the

Secure Gateway Proxy/NetScaler

Gateway Next Hop expects traffic to be

SOCKS+SSL on port 443


What is the difference between CGP and

SOCKS?

CGP is completely different protocol, but share the same idea

CGP support ticket-based authentication and addressing

CGP server sends keep-alive messages (60 sec by default)

CGP drop TCP connection without response if ticket is invalid

CGP support TCP Multiplexing, but it’s not really used

SOCKS is still in Citrix Products


Ticket Types

Name Issued by Purpose

Logon Ticket XenApp Data Collector/ XenDesktop

Controller

Authenticate user to ICA session; ticket replaces user

credentials

LogonTicket=34B79930FBFC20BEF54D597A6A1595

LogonTicketType=CTXS1

ACR Ticket XenApp Server/ XenDesktop VDA Allow reconnection via Auto Client Reconnect without

requiring user to enter credentials, stored in memory of the

client

Gateway Traversal

Ticket (v1)

AppController Allow ICA connection through SOCKS; ticket replaces

destination server address

Common Gateway

Protocol Token

Citrix XTE Service/ICA-CGP Listener Allow reconnection via Auto Client Reconnect without

requiring user to enter credentials, stored in memory of the

client

Gateway Traversal

Ticket (v4)

XenApp ctxsta.dll or XenDesktop Broker

Service

Allow ICA connection through Gateway with Session Reliability;

ticket replaces server address

Address=;40;STA403126471;54D2368FFFD32A448EA55350100553


Session Reliability

Explaining ICA Session Reliability,

Common Gateway Protocol, on TCP Port

2598


Session Reliability, Frozen Screens and The

Hourglass of Death By Nick Rintalan

http://blogs.citrix.com/2013/01/23/session-

reliability/


http://blogs.citrix.com/2013/01/23/session-reliability/


CGP Implementations: XTE Service

Extensible Transformation Engine (XTE) is an Apache-based proxy server that support:

CGP

SOCKS

HTTP

All of the above over SSL

Can be seen on XenApp <= 6.5 and XenDesktop <=5.x as Citrix XTE Service providing:

Session Reliability

SSL Relay

Password Manager Service

Universal Print Server


CGP Implementations: RDS Listeners


CGP Implementations: CSG

Gateway between an SSL enabled ICA client and XenApp Servers

Tunnels ICA/CGP traffic inside SSL

Citrix Secure Gateway is a deprecated component that is still supported for XenApp 6.5

Similar to XTE Service, based on Apache

Basically XTE + 3 additional Apache modules + GUI

Supports STA Ticketing Authentication

STA Ticket Request

The following data are included as part of

the ticket request sent by the Web server:

User name and domain name

Published application name

Least-busy Presentation Server address

<?xml version="1.0" encoding="UTF-8"?>

<!--DOCTYPE CtxConnInfoProtocol SYSTEM "CtxConnInfo.dtd"--

> <CtxConnInfo version="1.0">

<ServerAddress>192.168.1.176:1494</ServerAddress>

<UserName>fdwl</UserName>

<UserDomain>corp</UserDomain>

<ApplicationName>XA75 $S4-5</ApplicationName>

<Protocol>ICA</Protocol>

</CtxConnInfo>


STA Ticket Response

The encoding format is a string of the form:

;STA_VERSION;STA_ID;TICKET

STA_VERSION. 40 for XenApp and XenDesktop. 10 for AppController.

STA_ID is a sequence of 0 – 16 characters usually generated from the MAC address. Each STA ID must be unique. This allows the gateway to locate the STA that created the ticket and return to that STA for ticket validation.

TICKET is a randomly-generated sequence of 32 uppercase alphabetic or numeric characters.

Example:

;40; STA403126471;FE0A7B2CE2E77DDC17C7FD3EE7959E79

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE CtxSTAProtocol SYSTEM "CtxSTA.dtd" >

<CtxSTAProtocol version="1">

<ResponseTicket>

<AuthorityID authorityType="STA-v1"> STA403126471 </AuthorityID>

<Ticket ticketType="STA-v1">245489CECBC3CAA3B88446F12FF80B6A</Ticket>

<TicketVersion>40</TicketVersion>

</ResponseTicket>

</CtxSTAProtocol>


CGP Implementations: NetScaler

Gateway/Access Gateway

ICA Proxy Mode

The Only supported gateway for

XenDesktop 7.x

ICA Proxy Session Migration in 10.1


WebSockets

“SOCKS over HTTP”

HTTP Upgrade

TCP 8008 by default, but can be

changed

<html5 enabled="Always"

platforms="Force"

launchURL="clients/HTML5Client/src/Session

Window.html“ preferences="wsPort:8080"singleTabLaunch="true"

chromeAppOrigins="chrome-

extension://haiffjcadagjlijoggckpgfnoeiflne

m" />

XTE Service on XA 6.5

HRP3 is required for StoreFront 2.x

RDS Listener ICA-HTML5 on XD 7.x Server

OS

ICA Service on XD 7.x Client OS


Direct connection

Component Connecting to Session

Reliability

Protocol TCP

Port

ICA Client version

8.0 or later

XenApp

Server/XenDesktop VDA

Enabled ICA in Common

Gateway Protocol

2598

ICA Client version

8.0 or later

XenApp


Disabled ICA 1494

HTML5 Receiver XenApp


N/A ICA in WebSockets 8008


One hop DMZ


Reliability

Protocol TCP

Port

ICA Client version

9.0 or later

Secure Gateway/Access

Gateway/NetScaler


Gateway Protocol

in SSL

443

ICA Client version

9.0 or later


Gateway/NetScaler

Disabled ICA in SSL 443

HTML5 Receiver Secure Gateway/Access

Gateway/NetScaler

N/A ICA in WebSockets in

SSL

443

Secure

Gateway/Access

Gateway/NetScaler

XenApp



Gateway Protocol

2598

Secure

Gateway/Access

Gateway/NetScaler

XenApp


Disabled ICA 1494


Dual hop DMZ


Reliability

Protocol TCP

Port

Secure

Gateway/Access

Gateway/NetScaler

in DMZ1


Gateway/NetScaler in

DMZ2 with SSL

N/A SOCKS in SSL 443

Secure

Gateway/Access

Gateway/NetScaler

in DMZ1


Gateway/NetScaler in

DMZ2 without SSL

N/A SOCKS 1080


Multi-Stream ICA


Multi-Stream ICA

Citrix

Receiver

for

Windows

XenDesktop

Windows 7

HTTP

Server

Router

ICA Real Time

HTTP HTTP

ICA Interactive

ICA Background

ICA Bulk

ICA Real Time

ICA Interactive

ICA Background

ICA Bulk

ICA UDP/RTP Audio * ICA UDP Audio *

* UDP/RTP Audio initially only in VDI FlexCast model (XenDesktop)


Multi-Stream vs. Multi-Port ICA

Single-port, Multi-Stream ICA

4 random ports at client, 1 primary port on server

Multi-port, Multi-Stream ICA

4 random ports at client, 1 primary and up to 3 secondary ports on server

Single-port, Single-stream ICA

1 random port at client, 1 primary port on server

The default connection type

Multi-Stream with NetScaler

4 random ports at client, 1 primary port on NetScaler VIP

4 random ports at NetScaler SNIP/MIP, 1 primary and up to 3 secondary ports on server


Multi-Stream ICA


Multi-Stream ICA

XenApp 6.5 - Implementing ICA Multi-Stream or Multi-Port - Virtual Channel Groups and Priorities


Very High (numeric 0): Real time channels, such as audio and webcam conferences

High (numeric 1): Interactive channels, such as graphics, keyboard, and mouse

Medium (numeric 2): Bulk channels, such as drive mapping, scanners, USB redirection, clipboard, Flash

Low (numeric 3): Background channels, such as printing, COM port mapping, LPT port mapping

Requirements:

XenDesktop 5.5+

XenApp 6.5+

Receiver 3.0+



UDP Audio

Speex codec

Real-time Transport Protocol (RTP)

Quality must be set to Medium

Not using ICA or CGP

Citrix Receiver creates a listener on a

client device during session initialization

Not supported with NetScaler


SSLTC

P

SSL

CG

P/W

inSo

cks

ICA

Pro

toc

ol d

riv

er

Fra

me

driv

er

En

cry

ptio

n

Win

Sta

tio

n

Co

mp

ress

ion

AUDIO

CLIPBOARD

DRIVE

PRINTING

VIDEO

SPEEDSCREEN

COM


SSL

Citrix uses custom SSLSDK library to wrap native OS SSL functions and form Secured Socket

Recommended for every connection

SSL Relay is no longer available in XenDesktop 7.x, Use IPSec to enforce encryption

Wildcard and SAN certificates are supported


SSL on NetScaler

SNI (Server Name Indication) is not

supported by Receiver yet.

NetScaler VPX does not support TLS 1.1

and TLS 1.2

Always add CA certificates chain to

vserver


Q&A