@fdwl #BriForum @entisys
Citrix Internals: ICA Connectivity
Denis Gundarev, Senior Consultant, Entisys Solutions
May 21, 2014
About me
Name: ENTISYSDenis
Groups:
Group1: Bay Area Citrix User Group
Group2: Citrix Technology Professional
Email: DenisG@entisys.com
Twitter: @fdwl
[Length: 112]
0000 30 45 4E 54 49 53 59 53 5C 44 65 6E 69 73 0D 0A 0ENTISYSDenis..
0010 31 0D 0A 32 0D 0A 42 61 79 20 41 72 65 61 20 43 1..2..Bay Area C
0020 69 74 72 69 78 20 55 73 65 72 20 47 72 6F 75 70 itrix User Group
0030 0D 0A 32 43 69 74 72 69 78 20 54 65 63 68 6E 6F ..2Citrix Techno
0040 6C 6F 67 79 20 50 72 6F 66 65 73 73 69 6F 6E 61 logy Professional
0050 6C 0D 0A 33 44 65 6E 69 73 47 40 65 6E 74 69 73 l..3DenisG@entis
0060 79 73 2E 63 6F 6D 0D 0A 34 40 66 64 77 6C 0D 0A ys.com..4@fdwl..
Agenda
 Everything that you need to know about ICA protocol
What does ICA stand for?
Independent Computing Architecture?
ICA = Intelligent Console Architecture!
ICA 1.0 - 1992
 Originally for Serial connections
 IPX and NetBIOS were added later
ICA 2.0 - 1992
 First Graphical version of ICA
 Citrix WinCredible - add-on to Citrix MultiUser
 Multiple Operating Systems
 OS/2
 DOS
 Windows 3.1
 TCP/IP stack for OS/2 from FTP Software
ICA 3.0 - 1995
 Introduced in WinFrame For Networks
 Thinwire 1, Printing, Client drive mapping, audio, Clipboard
 TCP/IP, IPX, SPX, NetBEUI, Serial, Modems
 $5,995 for 15 concurrent users
PRD – Product Renaming Disorder
Before | After
Core Virtual channels | HDX Broadcast
Thinwire | HDX SmartRendering
Virtual Channel fallback | HDX Adaptive Orchestration
Flash and Windows media redirection | HDX MediaStream
Server-side flash rendering | HDX MediaStream Network Conditions
3D Pro and RemoteFX | HDX RichGraphics
Bidirectional audio and UDP Audio | HDX RealTime
Device mapping | HDX Plug-n-Play
Built-In compression and Branch Repeater | HDX WAN Optimization
NetScaler session policies | HDX SmartAccess
ICA Overview
The ICA protocol is optimized for Wide Area Networks (WANs) with high-latency links. It also supports Quality of Service (QoS) and other bandwidth optimization features.
Since ICA sits at OSI layer 6, what does it do for optimization? An ICA packet contains the following headers: Frame Head, Reliable, Encryption, Compression, Command, Command Data, Frame Trail. The command is the only required part.
Within ICA, virtual channels for KVM, printing, audio, drive mapping, clipboard, seamless windows, etc. can be encapsulated. You can have a maximum of 32 virtual channels. RDP channels are different. Each client channel has a counterpart on the server.
These channels sit on top of the ICA WinStation driver, which sits on top of the protocol driver, which sits on the transport driver.
ICA In Real Life
[Diagram: the ICA stack. Transport layers: TCP, SSL, CGP/WinSocks. ICA driver layer: Protocol driver, Frame driver, Encryption, WinStation, Compression. Virtual channels above: AUDIO, CLIPBOARD, DRIVE, PRINTING, VIDEO, SPEEDSCREEN, COM.]
Virtual Channels
[Diagram: the same ICA stack (TCP, SSL, CGP/WinSocks; Protocol driver, Frame driver, Encryption, WinStation, Compression), repeated to introduce the virtual channel layer: AUDIO, CLIPBOARD, DRIVE, PRINTING, VIDEO, SPEEDSCREEN, COM.]
Virtual Channels
Channel Name | Priority | Description | Virtual Driver
CTXCAM | 0 | Client Audio Mapping | vdcamN.dll
CTXCCM | 3 | Client COM Port Mapping | vdcom30N.dll
CTXCDM | 2 | Client Drive Mapping | vdcdm30n.dll
CTXCLIP | 2 | Client Clipboard Mapping | vdclipn.dll
CTXCM | 3 | Client Management (Auto-Update) | vdcmN.dll
CTXCOM1 | 3 | Legacy COM1 Port Mapping | vdcom30N.dll
CTXCOM2 | 3 | Legacy COM2 Port Mapping | vdcom30N.dll
CTXCPM | 3 | Printer Mapping for Spooling Clients | vdcpm30N.dll
CTXCTL | 1 | ICA Session Control | vdctln.dll
CTXD3D | 1 | Direct3D Virtual Channel Adapter | vd3dn.dll
CTXEUEM | 1 | End User Experience Monitoring | vdeuemn.dll
CTXFLSH | 2 | Multimedia - Flash | vdflash.dll
CTXGUSB | 2 | USB Redirection | vdgusbn.dll
CTXLIC | 1 | License Management | wfica32.exe
CTXLPT1 | 3 | Legacy LPT1 Port Mapping | vdcpm30N.dll
CTXLPT2 | 3 | Legacy LPT2 Port Mapping | vdcpm30N.dll
CTXMM | 2 | Multimedia - Streaming | vdmmn.dll
CTXPASS | 2 | Transparent Key Pass-Through | vdkbhook.dll
CTXPN | 1 | Process Notification | vdpnn.dll
CTXSBR | 1 | Citrix Browser Acceleration | vdtw30n.dll
CTXSCRD | 1 | Smartcard | vdscardn.dll
CTXTW | 1 | Remote Session Screen Update (THINWIRE) | vdtw30n.dll
CTXTWI | 1 | Seamless Windows Screen Update (THINWIRE) | vdtwin.dll
CTXTWN | 2 | Twain Redirection | vdtwn.dll
CTXZLC | 0 | Speed Screen Latency Reduction - Screen | vdzlcn.dll
CTXZLFK | 0 | Speed Screen Latency Reduction - Fonts | vdfon30n.dll
OEMOEM | 3 | |
OEMOEM2 | 3 | |
CTXVFM | 1 | |
CTXVFM?
Virtual Channels
 At client load time, the list of channel drivers is populated from the registry/.ini file
 During the connection, the client passes information about the virtual channels it supports to the XenApp server.
 The XenApp server opens the virtual channel.
 Data is sent using one of the following two methods:
 Polling mode
 Immediate mode
 The VC server can be on the client
 You can remove unneeded channels
(http://www.dell.com/downloads/global/solutions/customization_of_the_citrix_ica_web_client.pdf)
Virtual Channels
 You can create your own Virtual Channels
 https://www.citrix.com/downloads/citrix-receiver/sdks/virtual-channel-sdk.html
 http://www.citrix.com/community/receiver-ica-sdks.html
 3 examples included in SDK
 RDP2TCP – nice example
 http://rdp2tcp.sourceforge.net/
 Citrix ICA Virtual Channels Backgrounder
 http://support.citrix.com/article/CTX116890
Dynamic Virtual Channel
 Up to 64 Static Virtual Channels (SVCs) for Win32
 29 SVCs reserved by Citrix
 Android client supports up to 32 SVCs
 Dynamic Virtual Channels (or DVCs) are multiplexed over traditional SVCs
 To write the DVC component over ICA, Microsoft’s DVC API can be used.
 http://msdn.microsoft.com/en-us/library/bb540860(v=vs.85).aspx
Virtual Channel Priority
 XenApp 6.5 - Implementing ICA Multi-Stream or Multi-Port - Virtual Channel Groups and Priorities
 http://support.citrix.com/article/CTX131001
 How to Change Virtual Channel Priority in XenDesktop 5
 http://support.citrix.com/article/CTX128190
 Multi-Stream ICA and Cisco QOS
 http://www.citrixirc.com/?p=182
 Check the VC utilization using Perfmon
 http://support.citrix.com/proddocs/topic/xenapp65-admin/ps-ref-counters-ica-sess-count-v2.html
ICA Drivers
[Diagram: the ICA stack (TCP, SSL, CGP/Winsocks; DRIVE, PRINTING and COM channels above), repeated to introduce the ICA driver layer: Protocol driver, Frame driver, Encryption, WinStation, Compression.]
WinStation Driver
 Establishes the ICA session
 Encodes ICA command information into an ICA packet
 ICA packet = Command + Command Data < 2048 bytes
 Compresses the ICA packet
 Combines or separates compressed ICA packets into 1460-byte buffers
 Determines the priority of each output buffer
Compression Driver
 Enabled by default
 VC-specific compression methods
 Be careful with WAN optimization recommendations
 Disabled compression + Bandwidth limit = Fail
 http://support.citrix.com/article/CTX121353
Encryption Driver
 Basic. Encrypts the client connection using a non-RC5 algorithm.
 http://www.monkey.org/~dugsong/icadecrypt.c.txt
 RC5 AKA SecureICA
 RC5 (128 bit) logon only. Encrypts the logon data with RC5 128-bit encryption and the client connection using Basic encryption.
 RC5 (40 bit). Encrypts the client connection with RC5 40-bit encryption.
 RC5 (56 bit). Encrypts the client connection with RC5 56-bit encryption.
 RC5 (128 bit). Encrypts the client connection with RC5 128-bit encryption.
Framing Driver
 Rearranges ICA packets according to priority
 Citrix ICA Priority Packet Tagging
 http://theether.net/download/Citrix/ICA_Priority_Packet_Tagging.pdf
 Fit ICA packets into the frame
 Send frames to protocol driver
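The WinStation and Framing driver slides above describe a pipeline: a command plus its data must stay under 2048 bytes, compressed packets are combined or split into 1460-byte output buffers, each buffer gets a priority, and the framing driver orders buffers by that priority. The following is an added example, not Citrix code or the real ICA wire encoding: it models that pipeline in Python using the priority groups (0 very high to 3 low) and a subset of the channel table from this deck. The packet serialization, the `demo` traffic mix and the rule that a buffer never mixes priorities are my own assumptions, chosen so that every buffer has one unambiguous priority tag.

```python
"""Model of ICA packetization as the deck describes it (added example, not Citrix code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Priority groups from the deck's Multi-Stream ICA slide: 0 = very high ... 3 = low.
# The channel subset and its priorities are copied from the deck's virtual channel table.
CHANNEL_PRIORITY: Dict[str, int] = {
    "CTXCAM": 0,   # Client Audio Mapping
    "CTXTW": 1,    # Remote Session Screen Update (Thinwire)
    "CTXCDM": 2,   # Client Drive Mapping
    "CTXCPM": 3,   # Printer Mapping for Spooling Clients
}

MAX_PACKET = 2048      # command + command data must stay below this (WinStation driver slide)
OUTPUT_BUFFER = 1460   # output buffer size the WinStation driver fills


def valid_channel_name(name: str) -> bool:
    """Virtual channel names must not exceed seven characters (More Info About ICA slide)."""
    return 0 < len(name) <= 7


@dataclass
class IcaPacket:
    seq: int        # arrival order, keeps ordering stable within one priority
    channel: str
    data: bytes

    @property
    def priority(self) -> int:
        return CHANNEL_PRIORITY[self.channel]

    def encode(self) -> bytes:
        # Constructed placeholder serialization, NOT the real ICA command encoding:
        # a 1-byte command id derived from the channel, a 2-byte length, then the data.
        cmd = list(CHANNEL_PRIORITY).index(self.channel)
        return bytes([cmd]) + len(self.data).to_bytes(2, "big") + self.data


def fits_in_packet(data: bytes) -> bool:
    """True when command id + length + data stays under the 2048-byte packet limit."""
    return 3 + len(data) < MAX_PACKET


def build_packet(seq: int, channel: str, data: bytes) -> IcaPacket:
    if not valid_channel_name(channel) or channel not in CHANNEL_PRIORITY:
        raise ValueError(f"unknown or invalid virtual channel {channel!r}")
    if not fits_in_packet(data):
        raise ValueError("ICA packet must be < 2048 bytes; split the command data first")
    return IcaPacket(seq, channel, data)


def frame_packets(packets: List[IcaPacket]) -> List[Tuple[int, bytes]]:
    """Order packets by priority (stable within a priority), concatenate each priority
    group and cut it into 1460-byte output buffers. A packet that does not fit in the
    remaining space is split across two buffers ("combines or separates"). Buffers never
    mix priorities, so each one carries a single priority tag for the framing driver."""
    buffers: List[Tuple[int, bytes]] = []
    for prio in sorted({p.priority for p in packets}):
        group = sorted((p for p in packets if p.priority == prio), key=lambda p: p.seq)
        stream = b"".join(p.encode() for p in group)
        for offset in range(0, len(stream), OUTPUT_BUFFER):
            buffers.append((prio, stream[offset:offset + OUTPUT_BUFFER]))
    return buffers


def demo() -> List[Tuple[int, bytes]]:
    """Constructed traffic mix: a large print job arrives first, then audio and screen updates."""
    packets = [
        build_packet(0, "CTXCPM", b"P" * 1500),   # print spool data, low priority
        build_packet(1, "CTXCAM", b"A" * 100),    # audio, very high priority
        build_packet(2, "CTXTW", b"S" * 200),     # screen update, high priority
        build_packet(3, "CTXTW", b"S" * 300),
        build_packet(4, "CTXCDM", b"D" * 10),     # drive mapping, medium priority
    ]
    return frame_packets(packets)


if __name__ == "__main__":
    for prio, buf in demo():
        print(f"priority {prio}: {len(buf)} bytes")
```

Running `demo()` shows the point of priority tagging: the 1500-byte print job that arrived first is pushed behind the audio and screen-update buffers and is itself split into a full 1460-byte buffer plus a 43-byte remainder, while the two small Thinwire packets are combined into one 506-byte buffer.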
Protocol Driver
 Transfers frame to underlying protocol without modification
 Result is ICA stream, ready for transmission
More Info About ICA
 Citrix ICA Virtual Channels Backgrounder
 http://support.citrix.com/article/CTX116890
 Virtual channel names must not be more than seven characters in length
 Configuring Citrix MetaFrame XP for Windows by Syngress et al.
 http://amzn.com/1931836531
 Citrix ICA Technology Brief
 http://web.archive.org/web/20000408170851/http://www.bocaresearch.com/technologies/icatech.html
CGP
[Diagram: the same ICA stack (ICA drivers and virtual channels over TCP and SSL), repeated to introduce the CGP/WinSocks layer.]
What does CGP stand for?
 Certified Guitar Player
 Common Gateway Protocol
 Formerly known as Citrix Gateway Protocol
Common Gateway Protocol
 CGP = binary protocol designed for efficient tunneling of one or more TCP streams
 Used by Session Reliability
 Based on SOCKS proxy protocol
What is SOCKS?
 SOCKS is a generic proxy protocol for TCP/IP-based networking applications.
 SOCKS consists of two parts: the SOCKS server and the SOCKS client.
 The SOCKS server can communicate directly with both the Internet and the internal computers.
 The SOCKS client contacts the SOCKS server instead of sending requests directly to the Internet.
SOCKS Connection
[Sequence diagram; participants: User, SOCKS Proxy, TCP Server]
User -> SOCKS Proxy: SOCKS Request
SOCKS Proxy -> TCP Server: TCP Connect (SYN)
TCP Server -> SOCKS Proxy: TCP Connect (ACK)
SOCKS Proxy -> User: SOCKS Reply
User <-> SOCKS Proxy <-> TCP Server: DATA (relayed in both directions)
Secure Gateway Proxy/NetScaler Gateway Next Hop
 Unauthenticated SOCKS, tunnels any TCP traffic
 When configured with a certificate, the Secure Gateway Proxy/NetScaler Gateway Next Hop expects traffic to be SOCKS+SSL on port 443
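The SOCKS Connection slide shows the exchange abstractly (request, connect, reply, data), and the Next Hop slide notes that the proxy accepts unauthenticated SOCKS. The following is an added example, not Citrix code and not CGP: it encodes and decodes the concrete SOCKS5 (RFC 1928) messages on both sides of that exchange, so a reader can see what an unauthenticated method negotiation looks like on the wire and how a proxy that requires authentication refuses it. The `192.168.1.176:1494` address is the VDA address from this deck's STA request sample; `vda.corp.example` and the bind address in the reply are constructed values.

```python
"""SOCKS5 CONNECT exchange, both sides (added example, not Citrix's SOCKS or CGP code)."""
import socket
import struct
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_CONNECTION_REFUSED = 0x00, 0x05


def client_greeting(methods: Iterable[int]) -> bytes:
    """Step 1 (User -> SOCKS Proxy): version and the auth methods the client offers."""
    methods = list(methods)
    return bytes([SOCKS_VERSION, len(methods), *methods])


def server_method_select(greeting: bytes, allowed: Set[int]) -> bytes:
    """Proxy picks the first offered method it allows, or 0xFF to refuse the client.
    A proxy whose policy allows METHOD_NO_AUTH is the 'unauthenticated SOCKS' case."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed SOCKS5 greeting")
    offered = greeting[2:]
    chosen = next((m for m in offered if m in allowed), METHOD_NONE_ACCEPTABLE)
    return bytes([SOCKS_VERSION, chosen])


@dataclass(frozen=True)
class ConnectRequest:
    atyp: int
    host: str
    port: int


def client_connect_request(host: str, port: int) -> bytes:
    """Step 2 (User -> SOCKS Proxy): CONNECT to host:port, address-typed per RFC 1928."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            addr = socket.inet_pton(family, host)
            return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)
        except OSError:
            continue
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("domain name too long for SOCKS5")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> ConnectRequest:
    """Proxy side: decode the request before opening the TCP connection (the SYN/ACK step)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT or data[2] != 0x00:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(rest) != 2:
        raise ValueError("bad port field")
    return ConnectRequest(atyp, host, struct.unpack("!H", rest)[0])


def server_reply(rep: int, bind_host: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Step 3 (SOCKS Proxy -> User): result of the connect attempt. After REP_SUCCEEDED
    the proxy relays DATA in both directions."""
    addr = socket.inet_pton(socket.AF_INET, bind_host)
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + addr + struct.pack("!H", bind_port)


def parse_reply(data: bytes) -> Tuple[int, str, int]:
    """Client side: (REP code, bound address, bound port) from the proxy's reply."""
    if len(data) != 10 or data[0] != SOCKS_VERSION or data[3] != ATYP_IPV4:
        raise ValueError("unexpected SOCKS5 reply")
    return data[1], socket.inet_ntop(socket.AF_INET, data[4:8]), struct.unpack("!H", data[8:10])[0]
```

The `allowed` set passed to `server_method_select` is the policy knob: `{METHOD_NO_AUTH}` reproduces the unauthenticated Next Hop behaviour from the slide, while `{METHOD_USERPASS}` makes the proxy answer `05 FF` to a client that only offers no-auth, which is the check to look for when reviewing a SOCKS listener that is reachable from outside the DMZ.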
What is the difference between CGP and SOCKS?
 CGP is a completely different protocol, but it shares the same idea 
 CGP supports ticket-based authentication and addressing
 CGP server sends keep-alive messages (60 sec by default)
 CGP drops the TCP connection without a response if the ticket is invalid
 CGP supports TCP multiplexing, but it is not really used
 SOCKS is still in Citrix products
Ticket Types
Name | Issued by | Purpose
Logon Ticket | XenApp Data Collector / XenDesktop Controller | Authenticate user to ICA session; ticket replaces user credentials. Example: LogonTicket=34B79930FBFC20BEF54D597A6A1595 LogonTicketType=CTXS1
ACR Ticket | XenApp Server / XenDesktop VDA | Allow reconnection via Auto Client Reconnect without requiring user to enter credentials; stored in memory of the client
Gateway Traversal Ticket (v1) | AppController | Allow ICA connection through SOCKS; ticket replaces destination server address
Common Gateway Protocol Token | Citrix XTE Service / ICA-CGP Listener | Allow reconnection via Auto Client Reconnect without requiring user to enter credentials; stored in memory of the client
Gateway Traversal Ticket (v4) | XenApp ctxsta.dll or XenDesktop Broker Service | Allow ICA connection through Gateway with Session Reliability; ticket replaces server address. Example: Address=;40;STA403126471;54D2368FFFD32A448EA55350100553
Session Reliability
 Explaining ICA Session Reliability, Common Gateway Protocol, on TCP Port 2598
 http://support.citrix.com/article/CTX104147
 Session Reliability, Frozen Screens and The Hourglass of Death By Nick Rintalan
 http://blogs.citrix.com/2013/01/23/session-reliability/
CGP Implementations: XTE Service
 Extensible Transformation Engine (XTE) is an Apache-based proxy server that supports:
 CGP
 SOCKS
 HTTP
 All of the above over SSL
 Can be seen on XenApp <= 6.5 and XenDesktop <=5.x as Citrix XTE Service providing:
 Session Reliability
 SSL Relay
 Password Manager Service
 Universal Print Server
CGP Implementations: RDS Listeners
CGP Implementations: CSG
 Gateway between an SSL enabled ICA client and XenApp Servers
 Tunnels ICA/CGP traffic inside SSL
 Citrix Secure Gateway is a deprecated component that is still supported for XenApp 6.5
 Similar to XTE Service, based on Apache
 Basically XTE + 3 additional Apache modules + GUI
 Supports STA Ticketing Authentication
STA Ticket Request
 The following data are included as part of the ticket request sent by the Web server:
 User name and domain name
 Published application name
 Least-busy Presentation Server address
<?xml version="1.0" encoding="UTF-8"?>
<!--DOCTYPE CtxConnInfoProtocol SYSTEM "CtxConnInfo.dtd"-->
<CtxConnInfo version="1.0">
  <ServerAddress>192.168.1.176:1494</ServerAddress>
  <UserName>fdwl</UserName>
  <UserDomain>corp</UserDomain>
  <ApplicationName>XA75 $S4-5</ApplicationName>
  <Protocol>ICA</Protocol>
</CtxConnInfo>
STA Ticket Response
 The encoding format is a string of the form:
 ;STA_VERSION;STA_ID;TICKET
 STA_VERSION. 40 for XenApp and XenDesktop. 10 for AppController.
 STA_ID is a sequence of 0 – 16 characters usually generated from the MAC address. Each STA ID must be unique. This allows the gateway to locate the STA that created the ticket and return to that STA for ticket validation.
 TICKET is a randomly-generated sequence of 32 uppercase alphabetic or numeric characters.
 Example:
 ;40;STA403126471;FE0A7B2CE2E77DDC17C7FD3EE7959E79
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE CtxSTAProtocol SYSTEM "CtxSTA.dtd" >
<CtxSTAProtocol version="1">
  <ResponseTicket>
    <AuthorityID authorityType="STA-v1"> STA403126471 </AuthorityID>
    <Ticket ticketType="STA-v1">245489CECBC3CAA3B88446F12FF80B6A</Ticket>
    <TicketVersion>40</TicketVersion>
  </ResponseTicket>
</CtxSTAProtocol>
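The STA response slide gives the ticket string format (`;STA_VERSION;STA_ID;TICKET`, the two version values, the 0-16 character STA_ID and the 32-character TICKET) and an XML response carrying the same fields. The following is an added example, not Citrix code: it parses the XML response into that string form, validates an `Address=` value against the stated rules, and models the gateway-side lookup that uses STA_ID to find the issuing STA. The sample XML is the deck's own response (the padding spaces inside `AuthorityID` are stripped); `locate_sta`, its registry shape and the STA URL in the test are my own assumptions.

```python
"""Parse and validate STA ticket strings and STA XML responses (added example, not Citrix code)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional

# Format rules from the deck: ;STA_VERSION;STA_ID;TICKET, STA_ID 0-16 characters,
# TICKET 32 uppercase letters or digits, version 40 (XenApp/XenDesktop) or 10 (AppController).
STA_VERSIONS = {"40": "XenApp/XenDesktop", "10": "AppController"}
STA_ID_RE = re.compile(r"^[A-Za-z0-9]{0,16}$")
TICKET_RE = re.compile(r"^[A-Z0-9]{32}$")


@dataclass(frozen=True)
class StaTicket:
    version: str
    sta_id: str
    ticket: str

    def address_string(self) -> str:
        """The form carried in the ICA file's Address= field."""
        return f";{self.version};{self.sta_id};{self.ticket}"


def make_ticket(version: str, sta_id: str, ticket: str) -> StaTicket:
    if version not in STA_VERSIONS:
        raise ValueError(f"unknown STA version {version!r}")
    if not STA_ID_RE.match(sta_id):
        raise ValueError(f"STA_ID must be 0-16 alphanumeric characters, got {sta_id!r}")
    if not TICKET_RE.match(ticket):
        raise ValueError("TICKET must be 32 uppercase alphanumeric characters")
    return StaTicket(version, sta_id, ticket)


def parse_address(value: str) -> StaTicket:
    """Parse ';40;STA403126471;FE0A...' (an optional 'Address=' prefix is accepted)."""
    value = value.strip()
    if value.startswith("Address="):
        value = value[len("Address="):]
    parts = value.split(";")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("expected ;STA_VERSION;STA_ID;TICKET")
    _, version, sta_id, ticket = parts
    return make_ticket(version, sta_id.strip(), ticket.strip())


def is_valid_address(value: str) -> bool:
    try:
        parse_address(value)
        return True
    except ValueError:
        return False


def from_sta_response(xml_text: str) -> StaTicket:
    """Extract the ticket from a CtxSTAProtocol response. Element text is stripped because
    the AuthorityID element in the deck's sample carries padding spaces."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "CtxSTAProtocol":
        raise ValueError("not an STA response")
    rt = root.find("ResponseTicket")
    if rt is None:
        raise ValueError("missing ResponseTicket")

    def text(tag: str) -> str:
        node = rt.find(tag)
        if node is None or node.text is None:
            raise ValueError(f"missing {tag}")
        return node.text.strip()

    return make_ticket(text("TicketVersion"), text("AuthorityID"), text("Ticket"))


def locate_sta(t: StaTicket, registry: Dict[str, str]) -> Optional[str]:
    """Gateway-side step: STA_ID identifies the STA that issued the ticket, so the gateway
    can return to that STA for validation. `registry` maps STA_ID to STA URL (assumed shape)."""
    return registry.get(t.sta_id)


# The deck's own sample STA response, embedded here as test input.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE CtxSTAProtocol SYSTEM "CtxSTA.dtd" >
<CtxSTAProtocol version="1">
<ResponseTicket>
<AuthorityID authorityType="STA-v1"> STA403126471 </AuthorityID>
<Ticket ticketType="STA-v1">245489CECBC3CAA3B88446F12FF80B6A</Ticket>
<TicketVersion>40</TicketVersion>
</ResponseTicket>
</CtxSTAProtocol>
"""

if __name__ == "__main__":
    print(from_sta_response(SAMPLE_RESPONSE).address_string())
```

Because `make_ticket` enforces the 32-character rule, a truncated or hand-edited ticket in an ICA file fails `is_valid_address` before any gateway round trip; the `locate_sta` lookup returning `None` is the case where a ticket names an STA the gateway was never configured with, which is the failure mode to check first when a gateway launch fails with a valid-looking ticket.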
CGP Implementations: NetScaler Gateway/Access Gateway
 ICA Proxy Mode
 The only supported gateway for XenDesktop 7.x
 ICA Proxy Session Migration in 10.1
WebSockets
 “SOCKS over HTTP”
 HTTP Upgrade
 TCP 8008 by default, but can be changed
 <html5 enabled="Always" platforms="Force" launchURL="clients/HTML5Client/src/SessionWindow.html" preferences="wsPort:8080" singleTabLaunch="true" chromeAppOrigins="chrome-extension://haiffjcadagjlijoggckpgfnoeiflnem" />
 XTE Service on XA 6.5
 HRP3 is required for StoreFront 2.x
 RDS Listener ICA-HTML5 on XD 7.x Server OS
 ICA Service on XD 7.x Client OS
Direct connection
Component | Connecting to | Session Reliability | Protocol | TCP Port
ICA Client version 8.0 or later | XenApp Server/XenDesktop VDA | Enabled | ICA in Common Gateway Protocol | 2598
ICA Client version 8.0 or later | XenApp Server/XenDesktop VDA | Disabled | ICA | 1494
HTML5 Receiver | XenApp Server/XenDesktop VDA | N/A | ICA in WebSockets | 8008
One hop DMZ
Component | Connecting to | Session Reliability | Protocol | TCP Port
ICA Client version 9.0 or later | Secure Gateway/Access Gateway/NetScaler | Enabled | ICA in Common Gateway Protocol in SSL | 443
ICA Client version 9.0 or later | Secure Gateway/Access Gateway/NetScaler | Disabled | ICA in SSL | 443
HTML5 Receiver | Secure Gateway/Access Gateway/NetScaler | N/A | ICA in WebSockets in SSL | 443
Secure Gateway/Access Gateway/NetScaler | XenApp Server/XenDesktop VDA | Enabled | ICA in Common Gateway Protocol | 2598
Secure Gateway/Access Gateway/NetScaler | XenApp Server/XenDesktop VDA | Disabled | ICA | 1494
Dual hop DMZ
Component | Connecting to | Session Reliability | Protocol | TCP Port
Secure Gateway/Access Gateway/NetScaler in DMZ1 | Secure Gateway/Access Gateway/NetScaler in DMZ2 with SSL | N/A | SOCKS in SSL | 443
Secure Gateway/Access Gateway/NetScaler in DMZ1 | Secure Gateway/Access Gateway/NetScaler in DMZ2 without SSL | N/A | SOCKS | 1080
Multi-Stream ICA
[Diagram: Citrix Receiver for Windows and a XenDesktop Windows 7 machine connected through a router, with an HTTP server alongside. Separate streams cross the router: ICA Real Time, ICA Interactive, ICA Background, ICA Bulk, ICA UDP/RTP Audio *, plus HTTP to the HTTP server.]
* UDP/RTP Audio initially only in VDI FlexCast model (XenDesktop)
Multi-Stream vs. Multi-Port ICA
 Single-port, Multi-Stream ICA
 4 random ports at client, 1 primary port on server
 Multi-port, Multi-Stream ICA
 4 random ports at client, 1 primary and up to 3 secondary ports on server
 Single-port, Single-stream ICA
 1 random port at client, 1 primary port on server
 The default connection type
 Multi-Stream with NetScaler
 4 random ports at client, 1 primary port on NetScaler VIP
 4 random ports at NetScaler SNIP/MIP, 1 primary and up to 3 secondary ports on server
Multi-Stream ICA
 XenApp 6.5 - Implementing ICA Multi-Stream or Multi-Port - Virtual Channel Groups and Priorities
 http://support.citrix.com/article/CTX131001
 Very High (numeric 0): Real time channels, such as audio and webcam conferences
 High (numeric 1): Interactive channels, such as graphics, keyboard, and mouse
 Medium (numeric 2): Bulk channels, such as drive mapping, scanners, USB redirection, clipboard, Flash
 Low (numeric 3): Background channels, such as printing, COM port mapping, LPT port mapping
 Requirements:
 XenDesktop 5.5+
 XenApp 6.5+
 Receiver 3.0+
UDP Audio
 Speex codec
 Real-time Transport Protocol (RTP)
 Quality must be set to Medium
 Not using ICA or CGP
 Citrix Receiver creates a listener on the client device during session initialization
 Not supported with NetScaler
SSL
[Diagram: the same ICA stack (CGP/WinSocks, ICA drivers and virtual channels over TCP), repeated to introduce the SSL layer.]
 Citrix uses a custom SSLSDK library that wraps the native OS SSL functions to form a secured socket
 Recommended for every connection
 SSL Relay is no longer available in XenDesktop 7.x; use IPsec to enforce encryption
 Wildcard and SAN certificates are supported
SSL on NetScaler
 SNI (Server Name Indication) is not supported by Receiver yet.
 NetScaler VPX does not support TLS 1.1 and TLS 1.2
 Always add the CA certificate chain to the vserver
Q&A

Citrix Internals: ICA Connectivity

  • 1.
    @fdwl #BriForum @entisys CitrixInternals: ICA Connectivity Denis Gundarev, Senior Consultant, Entisys Solutions May 21, 2014
  • 2.
    @fdwl #BriForum @entisys Name:ENTISYSDenis Groups: Group1: Bay Area Citrix User Group Group2: Citrix Technology Professional Email: DenisG@entisys.com Twitter: @fdwl [Length: 112] About me 0000 30 45 4E 54 49 53 59 53 5C 44 65 6E 69 73 0D 0A 0ENTISYSDenis.. 0010 31 0D 0A 32 0D 0A 42 61 79 20 41 72 65 61 20 43 1..2..Bay Area C 0020 69 74 72 69 78 20 55 73 65 72 20 47 72 6F 75 70 itrix User Group 0030 0D 0A 32 43 69 74 72 69 78 20 54 65 63 68 6E 6F ..2Citrix Techno 0040 6C 6F 67 79 20 50 72 6F 66 65 73 73 69 6F 6E 61 logy Professional 0050 6C 0D 0A 33 44 65 6E 69 73 47 40 65 6E 74 69 73 l..3DenisG@entis 0060 79 73 2E 63 6F 6D 0D 0A 34 40 66 64 77 6C 0D 0A ys.com..4@fdwl..
  • 3.
    @fdwl #BriForum @entisys Agenda Everything that you need to know about ICA protocol
  • 4.
    @fdwl #BriForum @entisys Whatdoes ICA stand for? Independent Computing Architecture? ICA = Intelligent Console Architecture!
  • 5.
    @fdwl #BriForum @entisys ICA1.0 - 1992  Originally for Serial connections  IPX and NetBIOS was added later
  • 6.
    @fdwl #BriForum @entisys ICA2.0 - 1992  First Graphical version of ICA  Citrix WinCredible - add-on to Citrix MultiUser  Multiple Operating Systems  OS/2  DOS  Windows 3.1  TCP/IP stack for OS/2 from FTP Software
  • 7.
    @fdwl #BriForum @entisys ICA3.0 - 1995  Introduced in WinFrame For Networks  Thinwire 1, Printing, Client drive mapping, audio, Clipboard  TCP/IP, IPX, SPX, NetBEUI, Serial, Modems  $5,995 for 15 concurrent users
  • 8.
    @fdwl #BriForum @entisys PRD– Product Renaming Disorder Before After Core Virtual channels HDX Broadcast Thinwire HDX SmartRendering Virtual Channel fallback HDX Adaptive Orchestration Flash and Windows media redirection HDX MediaStream Server-side flash rendering HDX MediaStream Network Conditions 3D Pro and RemoteFX HDX RichGraphics Bidirectional audio and UDP Audio HDX RealTime Device mapping HDX Plug-n-Play Built-In compression and Branch Repeater HDX WAN Optimization NetScaler session policies HDX SmartAccess
  • 9.
    @fdwl #BriForum @entisys ICAOverview The ICA protocol is a protocol optimized for Wide Area Networks or WANs with high latency links. It also supports Quality-Of-Service (QoS) and other bandwidth optimization features. Since this is OSI-Layer 6, what does ICA do for optimization. The ICA packet contains the following headers: Frame Head, Reliable, Encryption, Compression, Command, Command Data, Frame Trail. The command is the only required information. Within ICA are virtual channels for KVM, printing, audio, Drive Mapping, Clipboard, Seamless windows, etc. that can be encapsulated. You can have a max of 32 virtual channels. RDP channels are different. Each channel has a counter-point on the server. These channels sit on top of the ICA Winstation Driver, on top of Protocol driver, on Transport Driver.
  • 10.
    @fdwl #BriForum @entisys ICAIn Real Life TCP SSL CGP/WinSocks ICA Protocoldriver Framedriver Encryption WinStation Compression AUDIO CLIPBOARD DRIVE PRINTING VIDEO SPEEDSCREEN COM
  • 11.
    @fdwl #BriForum @entisys VirtualChannels TCP SSL CGP/WinSocks ICA Protocoldriver Framedriver Encryption WinStation Compression AUDIO CLIPBOARD DRIVE PRINTING VIDEO SPEEDSCREEN COM
  • 12.
    @fdwl #BriForum @entisys Virtual Channels ChannelName Priority Description Virtual Driver CTXCAM 0 Client Audio Mapping vdcamN.dll CTXCCM 3 Client COM Port Mapping vdcom30N.dll CTXCDM 2 Client Drive Mapping vdcdm30n.dll CTXCLIP 2 Client Clipboard Mapping vdclipn.dll CTXCM 3 Client Management (Auto-Update) vdcmN.dll CTXCOM1 3 Legacy COM1 Port Mapping vdcom30N.dll CTXCOM2 3 Legacy COM2 Port Mapping vdcom30N.dll CTXCPM 3 Printer Mapping for Spooling Clients vdcpm30N.dll CTXCTL 1 ICA Session Control vdctln.dll CTXD3D 1 Direct3D Virtual Channel Adapter vd3dn.dll CTXEUEM 1 End User Experience Monitoring vdeuemn.dll CTXFLSH 2 Multimedia - Flash vdflash.dll CTXGUSB 2 USB Redirection vdgusbn.dll CTXLIC 1 License Management wfica32.exe CTXLPT1 3 Legacy LP1 Port Mapping vdcpm30N.dll CTXLPT2 3 Legacy LPT2 Port Mapping vdcpm30N.dll CTXMM 2 Multimedia - Streaming vdmmn.dll CTXPASS 2 Transparent Key Pass-Through vdkbhook.dll CTXPN 1 Process Notification vdpnn.dll CTXSBR 1 Citrix Browser Acceleration vdtw30n.dll CTXSCRD 1 Smartcard vdscardn.dll CTXTW 1 Remote Session Screen Update (THINWIRE) vdtw30n.dll CTXTWI 1 Seamless Windows Screen Update (THINWIRE) vdtwin.dll CTXTWN 2 Twain Redirection vdtwn.dll CTXZLC 0 Speed Screen Latency Reduction - Screen vdzlcn.dll CTXZLFK 0 Speed Screen Latency Reduction - Fonts vdfon30n.dll OEMOEM 3 OEMOEM2 3 CTXVFM 1 CTXVFM?
  • 13.
    @fdwl #BriForum @entisys VirtualChannels  At client load time, list of channel drivers populated from the registry/.ini file  During the connection client passes information about the virtual channels it supports to the XenApp server.  XenApp Server opens virtual channel.  Data sent using the following two methods:  Polling mode  Immediate mode  VC Server can be on the Client  You can remove unneeded channels (http://www.dell.com/downloads/global/solutions/customization_of_the_citrix_ica_web_client. pdf)
  • 14.
    @fdwl #BriForum @entisys VirtualChannels  You can create your own Virtual Channels  https://www.citrix.com/downloads/citrix-receiver/sdks/virtual-channel-sdk.html  http://www.citrix.com/community/receiver-ica-sdks.html  3 examples included in SDK  RDP2TCP – nice example   http://rdp2tcp.sourceforge.net/  Citrix ICA Virtual Channels Backgrounder  http://support.citrix.com/article/CTX116890
  • 15.
    @fdwl #BriForum @entisys DynamicVirtual Channel  Up to 64 Static Virtual Channels (SVCs) for Win32  29 SVCs reserved by Citrix  Android client supports up to 32 SVCs  Dynamic Virtual Channels (or DVCs) are multiplexed over traditional SVCs  To write the DVC component over ICA, Microsoft’s DVC API can be used.  http://msdn.microsoft.com/en-us/library/bb540860(v=vs.85).aspx
  • 16.
    @fdwl #BriForum @entisys VirtualChannel Priority  XenApp 6.5 - Implementing ICA Multi-Stream or Multi-Port - Virtual Channel Groups and Priorities  http://support.citrix.com/article/CTX131001  How to Change Virtual Channel Priority in XenDesktop 5  http://support.citrix.com/article/CTX128190  Multi-Stream ICA and Cisco QOS  http://www.citrixirc.com/?p=182  Check the VC utilization using Perfmon  http://support.citrix.com/proddocs/topic/xenapp65-admin/ps-ref-counters-ica-sess-count-v2.html
  • 17.
    @fdwl #BriForum @entisys ICADrivers TCP SSL CGP/Winsocks ICA Protocoldriver Framedriver Encryption WinStation Compression DRIVE PRINTING COM
  • 18.
    @fdwl #BriForum @entisys WinStationDriver  Establishes the ICA session  Encodes ICA command information into ICA Packet  ICA packet = Command + Command Data < 2048 bytes  Compresses the ICA packet  Combines or separates compressed ICA packets to 1460 bytes buffers  Determines the priority of each output buffer
  • 19.
    @fdwl #BriForum @entisys CompressionDriver  Enabled by default  VC-specific compression methods  Be careful with WAN optimization recommendations  Disabled compression + Bandwidth limit = Fail  http://support.citrix.com/article/CTX121353
  • 20.
    @fdwl #BriForum @entisys EncryptionDriver  Basic. Encrypts the client connection using a non-RC5 algorithm.  http://www.monkey.org/~dugsong/icadecry pt.c.txt  RC5 AKA SecureICA  RC5 (128 bit) logon only. Encrypts the logon data with RC5 128-bit encryption and the client connection using Basic encryption.  RC5 (40 bit). Encrypts the client connection with RC5 40-bit encryption.  RC5 (56 bit). Encrypts the client connection with RC5 56-bit encryption.  RC5 (128 bit). Encrypts the client connection with RC5 128-bit encryption.
  • 21.
    @fdwl #BriForum @entisys FramingDriver  Rearranges ICA packets according to priority  Citrix ICA Priority Packet Tagging  http://theether.net/download/Citrix/ICA_Priority_Packet_Tagging.pdf  Fit ICA packets into the frame  Send frames to protocol driver
  • 22.
    @fdwl #BriForum @entisys ProtocolDriver  Transfers frame to underlying protocol without modification  Result is ICA stream, ready for transmission
  • 23.
    @fdwl #BriForum @entisys MoreInfo About ICA  Citrix ICA Virtual Channels Backgrounder  http://support.citrix.com/article/CTX116890  Virtual channel names must not be more than seven characters in length  Configuring Citrix MetaFrame XP for Windows by Syngress et al.  http://amzn.com/1931836531  Citrix ICA Technology Brief  http://web.archive.org/web/20000408170851/http://www.bocaresearch.com/technologies/icate ch.html
  • 24.
  • 25.
    @fdwl #BriForum @entisys Whatdoes CGP stand for?  Certified Guitar Player  Common Gateway Protocol  Formerly known as Citrix Gateway Protocol
  • 26.
    @fdwl #BriForum @entisys CommonGateway Protocol  CGP = binary protocol designed for efficient tunneling of one or more TCP streams  Used by Session Reliability  Based on SOCKS proxy protocol
  • 27.
    @fdwl #BriForum @entisys Whatis SOCKS  SOCKS is a generic, proxy protocol for TCP/IP based networking application.  SOCKS consists of two parts: SOCKS server and SOCKS client.  SOCKS server can communicate directly with both the Internet and the internal computers.  SOCKS client contacts the SOCKS server instead of sending requests directly to the Internet
  • 28.
    @fdwl #BriForum @entisys SOCKSConnection TCP ServerUser SOCKS Proxy SOCKS Request TCP Connect SYN TCP Connect ACKSOCKS Reply DATA DATA DATADATA
  • 29.
    @fdwl #BriForum @entisys SecureGateway Proxy/NetScaler Gateway Next Hop  Unauthenticated SOCKS, tunnels any TCP traffic  When configured with a certificate, the Secure Gateway Proxy/NetScaler Gateway Next Hop expects traffic to be SOCKS+SSL on port 443
  • 30.
    @fdwl #BriForum @entisys Whatis the difference between CGP and SOCKS?  CGP is completely different protocol, but share the same idea   CGP support ticket-based authentication and addressing  CGP server sends keep-alive messages (60 sec by default)  CGP drop TCP connection without response if ticket is invalid  CGP support TCP Multiplexing, but it’s not really used  SOCKS is still in Citrix Products
  • 31.
    @fdwl #BriForum @entisys TicketTypes Name Issued by Purpose Logon Ticket XenApp Data Collector/ XenDesktop Controller Authenticate user to ICA session; ticket replaces user credentials LogonTicket=34B79930FBFC20BEF54D597A6A1595 LogonTicketType=CTXS1 ACR Ticket XenApp Server/ XenDesktop VDA Allow reconnection via Auto Client Reconnect without requiring user to enter credentials, stored in memory of the client Gateway Traversal Ticket (v1) AppController Allow ICA connection through SOCKS; ticket replaces destination server address Common Gateway Protocol Token Citrix XTE Service/ICA-CGP Listener Allow reconnection via Auto Client Reconnect without requiring user to enter credentials, stored in memory of the client Gateway Traversal Ticket (v4) XenApp ctxsta.dll or XenDesktop Broker Service Allow ICA connection through Gateway with Session Reliability; ticket replaces server address Address=;40;STA403126471;54D2368FFFD32A448EA55350100553
  • 32.
    @fdwl #BriForum @entisys SessionReliability  Explaining ICA Session Reliability, Common Gateway Protocol, on TCP Port 2598  http://support.citrix.com/article/CTX104147  Session Reliability, Frozen Screens and The Hourglass of Death By Nick Rintalan  http://blogs.citrix.com/2013/01/23/session- reliability/ 
  • 33.
    @fdwl #BriForum @entisys CGPImplementations: XTE Service  Extensible Transformation Engine (XTE) is an Apache-based proxy server that support:  CGP  SOCKS  HTTP  All of the above over SSL  Can be seen on XenApp <= 6.5 and XenDesktop <=5.x as Citrix XTE Service providing:  Session Reliability  SSL Relay  Password Manager Service  Universal Print Server
  • 34.
    @fdwl #BriForum @entisys CGPImplementations: RDS Listeners
  • 35.
    @fdwl #BriForum @entisys CGPImplementations: CSG  Gateway between an SSL enabled ICA client and XenApp Servers  Tunnels ICA/CGP traffic inside SSL  Citrix Secure Gateway is a deprecated component that is still supported for XenApp 6.5  Similar to XTE Service, based on Apache  Basically XTE + 3 additional Apache modules + GUI  Supports STA Ticketing Authentication
  • 36.
    @fdwl #BriForum @entisys STATicket Request  The following data are included as part of the ticket request sent by the Web server:  User name and domain name  Published application name  Least-busy Presentation Server address <?xml version="1.0" encoding="UTF-8"?> <!--DOCTYPE CtxConnInfoProtocol SYSTEM "CtxConnInfo.dtd"-- > <CtxConnInfo version="1.0"> <ServerAddress>192.168.1.176:1494</ServerAddress> <UserName>fdwl</UserName> <UserDomain>corp</UserDomain> <ApplicationName>XA75 $S4-5</ApplicationName> <Protocol>ICA</Protocol> </CtxConnInfo>
  • 37.
    @fdwl #BriForum @entisys STATicket Response  The encoding format is a string of the form:  ;STA_VERSION;STA_ID;TICKET  STA_VERSION. 40 for XenApp and XenDesktop. 10 for AppController.  STA_ID is a sequence of 0 – 16 characters usually generated from the MAC address. Each STA ID must be unique. This allows the gateway to locate the STA that created the ticket and return to that STA for ticket validation.  TICKET is a randomly-generated sequence of 32 uppercase alphabetic or numeric characters.  Example:  ;40; STA403126471;FE0A7B2CE2E77DDC17C7FD3EE7959E79 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE CtxSTAProtocol SYSTEM "CtxSTA.dtd" > <CtxSTAProtocol version="1"> <ResponseTicket> <AuthorityID authorityType="STA-v1"> STA403126471 </AuthorityID> <Ticket ticketType="STA-v1">245489CECBC3CAA3B88446F12FF80B6A</Ticket> <TicketVersion>40</TicketVersion> </ResponseTicket> </CtxSTAProtocol>
38. CGP Implementations: NetScaler Gateway / Access Gateway
• ICA Proxy mode
• The only supported gateway for XenDesktop 7.x
• ICA Proxy session migration in 10.1
39. WebSockets: "SOCKS over HTTP"
• HTTP Upgrade
• TCP 8008 by default, but can be changed
• Configuration example:
  <html5 enabled="Always" platforms="Force" launchURL="clients/HTML5Client/src/SessionWindow.html" preferences="wsPort:8080" singleTabLaunch="true" chromeAppOrigins="chrome-extension://haiffjcadagjlijoggckpgfnoeiflnem" />
• XTE Service on XA 6.5
• HRP3 is required for StoreFront 2.x
• RDS Listener ICA-HTML5 on XD 7.x Server OS
• ICA Service on XD 7.x Client OS
40. Direct connection

Component | Connecting to | Session Reliability | Protocol | TCP Port
ICA Client version 8.0 or later | XenApp Server/XenDesktop VDA | Enabled | ICA in Common Gateway Protocol | 2598
ICA Client version 8.0 or later | XenApp Server/XenDesktop VDA | Disabled | ICA | 1494
HTML5 Receiver | XenApp Server/XenDesktop VDA | N/A | ICA in WebSockets | 8008
41. One hop DMZ

Component | Connecting to | Session Reliability | Protocol | TCP Port
ICA Client version 9.0 or later | Secure Gateway/Access Gateway/NetScaler | Enabled | ICA in Common Gateway Protocol in SSL | 443
ICA Client version 9.0 or later | Secure Gateway/Access Gateway/NetScaler | Disabled | ICA in SSL | 443
HTML5 Receiver | Secure Gateway/Access Gateway/NetScaler | N/A | ICA in WebSockets in SSL | 443
Secure Gateway/Access Gateway/NetScaler | XenApp Server/XenDesktop VDA | Enabled | ICA in Common Gateway Protocol | 2598
Secure Gateway/Access Gateway/NetScaler | XenApp Server/XenDesktop VDA | Disabled | ICA | 1494
42. Dual hop DMZ

Component | Connecting to | Session Reliability | Protocol | TCP Port
Secure Gateway/Access Gateway/NetScaler in DMZ1 | Secure Gateway/Access Gateway/NetScaler in DMZ2 with SSL | N/A | SOCKS in SSL | 443
Secure Gateway/Access Gateway/NetScaler in DMZ1 | Secure Gateway/Access Gateway/NetScaler in DMZ2 without SSL | N/A | SOCKS | 1080
44. Multi-Stream ICA

[Diagram, labels only: Citrix Receiver for Windows, XenDesktop Windows 7, HTTP Server, Router; streams shown: HTTP, ICA Real Time, ICA Interactive, ICA Background, ICA Bulk, UDP/RTP Audio *]
* UDP/RTP Audio initially only in the VDI FlexCast model (XenDesktop)
45. Multi-Stream vs. Multi-Port ICA
• Single-port, Multi-Stream ICA
  • 4 random ports at the client, 1 primary port on the server
• Multi-port, Multi-Stream ICA
  • 4 random ports at the client, 1 primary and up to 3 secondary ports on the server
• Single-port, Single-stream ICA
  • 1 random port at the client, 1 primary port on the server
  • The default connection type
• Multi-Stream with NetScaler
  • 4 random ports at the client, 1 primary port on the NetScaler VIP
  • 4 random ports at the NetScaler SNIP/MIP, 1 primary and up to 3 secondary ports on the server
47. Multi-Stream ICA
• XenApp 6.5 - Implementing ICA Multi-Stream or Multi-Port - Virtual Channel Groups and Priorities: http://support.citrix.com/article/CTX131001
  • Very High (numeric 0): Real time channels, such as audio and webcam conferences
  • High (numeric 1): Interactive channels, such as graphics, keyboard, and mouse
  • Medium (numeric 2): Bulk channels, such as drive mapping, scanners, USB redirection, clipboard, Flash
  • Low (numeric 3): Background channels, such as printing, COM port mapping, LPT port mapping
• Requirements:
  • XenDesktop 5.5+
  • XenApp 6.5+
  • Receiver 3.0+
48. UDP Audio
• Speex codec
• Real-time Transport Protocol (RTP)
• Quality must be set to Medium
• Not using ICA or CGP
• Citrix Receiver creates a listener on the client device during session initialization
• Not supported with NetScaler
50. SSL
• Citrix uses a custom SSLSDK library that wraps the native OS SSL functions to form a secured socket
• Recommended for every connection
• SSL Relay is no longer available in XenDesktop 7.x; use IPSec to enforce encryption
• Wildcard and SAN certificates are supported
51. SSL on NetScaler
• SNI (Server Name Indication) is not supported by Receiver yet
• NetScaler VPX does not support TLS 1.1 and TLS 1.2
• Always add the CA certificate chain to the vserver