Citrix HDX Adaptive Transport, Datagram Transport Layer Security (DTLS)

With the new release of Citrix XenDesktop/XenApp 7.16 the HDX Adaptive Transport it now turned on by default.

With that turned on, clients connecting through NetScaler Gateway will try to connect using UDP 443. If Firewall and NetScaler Gateway is not configured to communicate on UDP 443, the client will fallback to TCP 433.

I have noticed that it takes a short time before it will do the fallback (2-5 sec.). This give a longer logon time when the users are connecting through NetScaler Gateway. With the right configuration, you can eliminate that extra wait time for the users.

First, enable DTLS (Datagram Transport Layer Security) on the NetScaler Gateway configuration:

After enabling DTLS, you need to rebind the Server Certificate again. Do a unbind and a bind, then it will work.

The next is to enable UDP 443 on the Firewall Access and NAT rules. As there are many different Firewall’s I cannot tell you the way to do it one your Firewall.

I found that you can use nMap/Xenmap to test if your configuration of the Firewall and NetScaler Gateway configuration.

Use the flowing command to do the test:

nmap -sT -sU -p 443 -Pn <FQDN>

The test has to be run from a external computer, as we are testing the Firewall and NetScaler Gateway configuration.

This will test TCP 443 and UDP 443, and give this result if you’re Firewall and NetScaler Gateway is configured to accept TCP 433 and UDP 443:

There are different ways to see if a user is connected using UDP 443.

NetScaler Gateway GUI:

NetScaler Gateway CLI:

XenDesktop/XenApp Director:

Server/VDI VDA:

Citrix HDX Adaptive Transport, Datagram Transport Layer Security is supported with Citrix Receiver 4.7 or newer.

 

Previous

Citrix NetScaler Gateway Enterprise Edition, Storefront High Availability, Poor man’s solution

Next

Citrix Advanced Content Switching Policy/Action

3 Comments

  1. Fk

    Great article, smart and to the point.
    I would only add Wireshark as a tool the admin can use. More details in CTX230011

    • Jørgen Rosenkvist Pedersen

      Thx for the responce. Yes your are right a trace can display any error/problems. I use nmap as simple test to se if the Firewall is configured as required.

  2. I needed to thank you for this wonderful read!! I certainly enjoyed every little bit of
    it. I’ve got you bookmarked to look at new things you
    post…

Powered by WordPress & Theme by Anders Norén