SOLUTION GUIDE Optimizing Citrix ICA Traffic with RiOS 8.0 Solution Guide Version 1.0 June 2013

Upload: ugur-uenlueakin

Post on 26-Oct-2015


DESCRIPTION

use RVBD to increase citrix performance


© 2013 Riverbed Technology. All rights reserved.

Riverbed®, Cloud Steelhead®, Granite™, Interceptor®, RiOS®, Steelhead®, Think Fast®, Virtual Steelhead®, Whitewater®, Mazu®, Cascade®, Shark®, AirPcap®, BlockStream™, SkipWare®, TurboCap®, WinPcap®, Wireshark®, TrafficScript®, FlyScript™, WWOS™, and Stingray™ are trademarks or registered trademarks of Riverbed Technology, Inc. in the United States and other countries. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein cannot be used without the prior written consent of Riverbed Technology or their respective owners.

Akamai® and the Akamai wave logo are registered trademarks of Akamai Technologies, Inc. SureRoute is a service mark of Akamai. Apple and Mac are registered trademarks of Apple, Incorporated in the United States and in other countries. Cisco is a registered trademark of Cisco Systems, Inc. and its affiliates in the United States and in other countries. EMC, Symmetrix, and SRDF are registered trademarks of EMC Corporation and its affiliates in the United States and in other countries. IBM, iSeries, and AS/400 are registered trademarks of IBM Corporation and its affiliates in the United States and in other countries. Linux is a trademark of Linus Torvalds in the United States and in other countries. Microsoft, Windows, Vista, Outlook, and Internet Explorer are trademarks or registered trademarks of Microsoft Corporation in the United States and in other countries. Oracle and JInitiator are trademarks or registered trademarks of Oracle Corporation in the United States and in other countries. UNIX is a registered trademark in the United States and in other countries, exclusively licensed through X/Open Company, Ltd. VMware, ESX, ESXi are trademarks or registered trademarks of VMware, Incorporated in the United States and in other countries.

This product includes software developed by the University of California, Berkeley (and its contributors), EMC, and Comtech AHA Corporation. This product is derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm.

NetApp Manageability Software Development Kit (NM SDK), including any third-party software available for review with such SDK which can be found at http://communities.netapp.com/docs/DOC-1152, and are included in a NOTICES file included within the downloaded files.

For a list of open source software (including libraries) used in the development of this software along with associated copyright and license agreements, see the Riverbed Support site at https://support.riverbed.com.

This documentation is furnished “AS IS” and is subject to change without notice and should not be construed as a commitment by Riverbed Technology. This documentation may not be copied, modified or distributed without the express authorization of Riverbed Technology and may be used only in connection with Riverbed products and services. Use, duplication, reproduction, release, modification, disclosure or transfer of this documentation is restricted in accordance with the Federal Acquisition Regulations as applied to civilian agencies and the Defense Federal Acquisition Regulation Supplement as applied to military agencies. This documentation qualifies as “commercial computer software documentation” and any use by the government shall be governed solely by these terms. All other use is prohibited. Riverbed Technology assumes no responsibility or liability for any errors or inaccuracies that may appear in this documentation.


CONTENTS

INTRODUCTION
CITRIX XENAPP VS XENDESKTOP
CITRIX ENHANCEMENTS BY RIOS VERSION
  Citrix Version Support
    On XenDesktop:
    On XenApp:
EXAMPLE TEST CONFIGURATION FOR XENAPP
EXAMPLE TEST CONFIGURATION FOR XENDESKTOP
TUNING STEELHEAD APPLIANCES
TEST RESULTS FOR CLIENT DRIVE MAPPING LATENCY OPTIMIZATION
  Citrix Version Support
    Server to Client:
    Client to Server:
  Test Results #1 for XA 5.0 CDM Download Test
  Test Results #2 for XA 5.0 CDM Upload Test
  Test Results #3 for XA 6.5 CDM Download Test
TEST RESULTS FOR XENDESKTOP
  Test Results #1 for Multimedia Application
  Test Results #2 for Microsoft Office Applications
  Test Results #3 for PowerPoint Slideshow
QOS TUNING
MULTI-STREAM / MULTI-PORT ICA
  CONFIGURING XENAPP 6.5 OR XENDESKTOP 5.5
  CONFIGURING STEELHEAD APPLIANCES
  QOS IMPACT
CITRIX OVER SSL
  CONFIGURE THE XENAPP SERVER FOR SSL
    1. Export the Server Certificate
    2. Import the CA Certificate and the Server Certificate
    3. Configure the SSL Relay
    4. Configure the Web-plugin Client
  CONFIGURE THE STEELHEAD APPLIANCES FOR SSL
    1. Add the CA Certificate
    2. Add the Certificate Authority
    3. Add the Auto Discover Rule
  CONFIGURE THE CLIENT MACHINE FOR SSL
    1. Add the CA Certificate to Trusted Root Certificate Authorities on Client Machine
    2. Verify Citrix over SSL connection on Client Machine
BEST PRACTICES FOR INTERACTIVE CITRIX ICA TRAFFIC
  1. Citrix Small Packets Optimization
  2. SDR-M
CONCLUSION


INTRODUCTION

Virtual desktops and centralized computing provide many valuable benefits to the enterprise; however, there are some inherent risks as well when deployed over the wide-area network (WAN). Performance limitations such as insufficient bandwidth or high latency across the WAN can impact usability and effectiveness. Fortunately, WAN optimization can help mitigate these performance issues to ensure user effectiveness and productivity.

In this paper, we describe how the Riverbed Steelhead appliance was deployed in both the Citrix XenApp and Citrix XenDesktop environments to demonstrate the effectiveness of WAN optimization. Extensive testing shows that the Steelhead appliances reduce WAN bandwidth by up to 70% for most applications. For interactive and latency-sensitive tests, such as application load times, performance improved up to 46%.

This document has been updated with detailed information on the new multi-stream/multi-port capabilities of XenApp/XenDesktop, Client Drive Mapping optimization and a Best Practices section for Interactive traffic.

CITRIX XENAPP VS XENDESKTOP

Citrix XenApp is an application delivery system that offers client-side and server-side application virtualization, for optimal application performance and flexible delivery options. Users connect to their desktop and applications using a thin client which communicates with the server using a custom-built and proprietary protocol known as ICA (Independent Computing Architecture).

Citrix XenDesktop is a next-generation, user-centric desktop virtualization solution that provides a complete system for desktop delivery. Citrix XenDesktop allows IT to centrally manage its virtual desktops - by maintaining single instances of the desktop OS, applications, and user settings - inside the data center. Users enjoy flexible access to either hosted or streamed desktops from any device, anywhere, at any time. Citrix XenDesktop is also based on the same custom-built and proprietary protocol, ICA.

Optimization for the ICA protocol was originally added in RiOS 6.0 (including enhanced QoS capabilities to prioritize Citrix ICA traffic). RiOS 7.0 added Client Drive Mapping optimization and RiOS 8.0 added multi-stream/multi-port capabilities.

In the following sections, we highlight performance examples for both Citrix XenApp and Citrix XenDesktop. In these examples, we assume that Steelhead appliances are used to optimize interactive ICA traffic. Interactive ICA traffic is sensitive to latency, and the Steelhead configurations described below are intended to minimize latency while optimizing the interactive ICA traffic.


CITRIX ENHANCEMENTS BY RIOS VERSION

RiOS v7.0.4 and later supports multiport ICA. Multiport ICA is available on Citrix XenApp v6.5 and later, and XenDesktop v5.5 and later.

RiOS v7.0 and later supports Citrix ICA-over-SSL and client drive mapping (CDM) optimization.

RiOS v6.0 and later provides the following ways to recognize, prioritize, encrypt, and optimize Citrix traffic:

Optimize the native ICA traffic bandwidth.
Classify and shape Citrix traffic using QoS.

Citrix Version Support

RiOS v6.0 and later provides support for the following Citrix software versions on the client side.

Citrix software running on an ICA Client or Receiver:

Version 9 (starting in RiOS v6.0.4 and v6.1.2)
Version 10 (RiOS v6.0.0 and later)
Version 11 (RiOS v6.0.0 and later)
Version 12 (RiOS v6.1.2a and later)
Wyse V10L and S10 thin clients (RiOS v6.0.2 and later)

Note: Receiver for Windows 3.0 (formerly known as Version 13) has not been officially qualified at this time.

RiOS v6.0 and later provides support for the following Citrix software versions on the server side.

On XenDesktop:

XenDesktop version 4 (RiOS v6.1.2a and later)
XenDesktop version 5 (RiOS v6.1.2a and later)

Note: XenDesktop version 5.5 has not been officially qualified at this time.

On XenApp:

Presentation Server version 4.5 (RiOS v6.0.0 and later)
XenApp Server version 5.0 (RiOS v6.0.0 and later)
XenApp Server version 6.0 (RiOS 6.1.2a and later)

Note: XenApp Server version 6.5 has not been officially qualified at this time.

RiOS can automatically negotiate session encryption and compression for basic and secure ICA, and can create QoS classes from Citrix virtual channels. Currently, RiOS does not provide the capacity to add pass-through Citrix traffic into the ICA channel (RiOS does provide data reduction).


EXAMPLE TEST CONFIGURATION FOR XENAPP

The following configuration serves as an example environment in which XenApp can be tested. Actual deployments may involve a greater number of users, different WAN speeds, and different software versions.

Desktop Client with the following:
  o Citrix Receiver version 13.0.0.6685 for XA 6.5 (not officially qualified)
  o Citrix online plug-in version 11.2.0.31560 for XA 5.0
Steelhead appliance EX1260 in the Branch with RiOS 8.0.2
Steelhead appliance EX1260 in the Datacenter with RiOS 8.0.2
Apposite Linktropy Mini2 WAN Emulator
  o 1.5 Mbps with 100 millisecond round-trip time
Microsoft Windows Server 2008 R2 Enterprise Edition with the following:
  o Citrix XenApp version 6.5 (not officially qualified)
Microsoft Windows Server 2003 R2 Enterprise Edition with the following:
  o Citrix XenApp version 5.0

[Figure: test topology. Labels: USER, BRANCH, WAN (1.5 Mbps / 100 ms), DATACENTER, Citrix XenApp 6.5 Server, Citrix XenApp 5.0 Server]


EXAMPLE TEST CONFIGURATION FOR XENDESKTOP

Similarly, this configuration serves as an example environment in which XenDesktop can be tested.

Desktop Client with the following:
  o Citrix online plug-in web version 11.2.0.31560
Steelhead appliance 1050M in the Branch with RiOS 8.0.2
Steelhead appliance 1050M in the Datacenter with RiOS 8.0.2
Apposite Linktropy Mini2 WAN Emulator
  o 1.5 Mbps with 100 millisecond round-trip time
Microsoft Windows Server 2003 R2 Enterprise Edition configured as a Domain Controller
Microsoft Windows Server 2003 R2 Enterprise Edition with the following:
  o Citrix XenDesktop version 4
Two Microsoft Windows 7 Virtual Machines running on VMware ESX 4.1 Server
  o 1024 x 768 resolution
  o 16 bit color
  o 1 Gbyte Memory

[Figure: test topology. Labels: USER, BRANCH, WAN (1.5 Mbps / 100 ms), DATACENTER, Citrix XenDesktop Desktop Delivery Controller, Virtual Machines hosted on VMware ESX 4.1, Domain Controller]


TUNING STEELHEAD APPLIANCES

On the client-side Steelhead appliance only:

1. Configure Port Labels so ports 1494 and 2598 can be optimized.
   a. Go to Configure > Networking > Port Labels.
   b. Remove the Citrix ICA ports 1494 and 2598 from the Interactive Ports label.
   c. Create a New Port Label, called “Citrix” and add ports 1494 and 2598.
   d. Click Apply.

On both the client-side and server-side Steelhead appliances:

2. Enable Citrix Optimization.
   a. Go to Configure > Optimization > Citrix ICA.
   b. Check “Enable Citrix ICA Optimization”.
   c. Optional – click “Enable SecureICA Encryption” if you want to use the RC5 algorithm to encrypt the ICA protocol.
   d. Click Apply.
3. Click Save to save your settings permanently.
4. Click Restart for changes to take effect.


TEST RESULTS FOR CLIENT DRIVE MAPPING LATENCY OPTIMIZATION

Starting in RiOS 7.0, latency optimization was added for Client Drive Mapping (CDM) over port 1494. CDM allows a remote application running on the server to access printers and disk drives attached to the local client machine. The applications and system resources appear to the user at the client machine as if they are running locally during the session; for example, in the remote session, C: is the C drive of the remote machine and the C drive of the local thin client appears as H:.

Bidirectional file transfers between the local and remote drives use one of many virtual channels within the ICA protocol. The individual data streams that form the communication in each virtual channel are all multiplexed on a single ICA data stream. This feature provides latency optimization for file transfers in both directions. No additional performance enhancements were added in RiOS 8.0.

Citrix Version Support

Server to Client:

Presentation Server version 4.5
XenApp Server version 5.0
XenApp Server version 6.0
XenApp Server version 6.5

Client to Server:

Presentation Server version 4.5
XenApp Server version 5.0

CDM latency optimization for both directions is available only for XenApp 5.0 and earlier. In XenApp 6.0 and later, CDM latency optimization is available only for file download transfers from the virtual machine (server) to the client mapped drive (client). In a future RiOS release, file upload transfers from the client to server will be supported.

To enable this feature on both Steelhead appliances:

a. Go to Configure > Optimization > Citrix.
b. Check “Enable Citrix CDM Optimization”.
c. Click Apply.
d. Click Restart for changes to take effect.


Test Results #1 for XA 5.0 CDM Download Test

In this scenario, we measured the WAN bandwidth data reduction and performance speedup when downloading a local folder consisting of various file types from the server to the client mapped drive. The local folder consists of 18 files (xls, doc, ppt, pdf, zip), totaling 103 Mbytes in size. Cold performance numbers indicate the first pass when the Steelhead appliances see the data for the first time. Warm performance numbers indicate the performance on subsequent runs of the same data. As shown below in figure 1, we observed a 91% WAN bandwidth data reduction for Steelhead warm performance when compared to native ICA. Additionally, a 10.3 times speedup factor in performance was observed as shown in figure 2.

Figure 1 – Kbytes transferred over the WAN for CDM Download Test on XA 5.0

Figure 2 – Time in Seconds for CDM Download Test on XA 5.0


Test Results #2 for XA 5.0 CDM Upload Test

In this scenario, we measured the WAN bandwidth data reduction and performance speedup when uploading a local folder consisting of various file types from the client mapped drive to the server. The local folder consists of 18 files (xls, doc, ppt, pdf, zip), totaling 103 Mbytes in size. Cold performance numbers indicate the first pass when the Steelhead appliances see the data for the first time. Warm performance numbers indicate the performance on subsequent runs of the same data. As shown below in figure 3, we observed a 99% WAN bandwidth data reduction for Steelhead warm performance when compared to native ICA. Additionally, a 5.1 times speedup factor in performance was observed as shown in figure 4.

Figure 3 – Kbytes transferred over the WAN for CDM Upload Test on XA 5.0

Figure 4 – Time in Seconds for CDM Upload Test on XA 5.0


Test Results #3 for XA 6.5 CDM Download Test

In this scenario, we measured the WAN bandwidth data reduction and performance speedup when downloading a local folder consisting of various file types from the server to the client mapped drive. The local folder consists of 18 files (xls, doc, ppt, pdf, zip), totaling 103 Mbytes in size. Cold performance numbers indicate the first pass when the Steelhead appliances see the data for the first time. Warm performance numbers indicate the performance on subsequent runs of the same data. As shown below in figure 5, we observed an 81% WAN bandwidth data reduction for Steelhead warm performance when compared to native ICA. Additionally, a 6.3 times speedup factor in performance was observed as shown in figure 6.

Figure 5 – Kbytes transferred over the WAN for CDM Download Test on XA 6.5

Figure 6 – Time in Seconds for CDM Download Test on XA 6.5


TEST RESULTS FOR XENDESKTOP

To measure the impact and effectiveness of the Riverbed Steelhead appliances, we conducted several tests to identify the typical range of performance improvement that could be expected from Steelheads. In all tests, native compression and advanced encryption (128-bit RC5) were configured for the XenDesktop environment.

Test Results #1 for Multimedia Application

In this scenario, we measured the WAN bandwidth data reduction when streaming compressed multimedia content with the Citrix HDX Monitor / MediaStream application. More information on this tool can be found here: http://hdx.citrix.com/hdx-monitor. As shown below in figure 7, we observed a 65% WAN bandwidth data reduction for Steelhead Warm performance when compared to native ICA.

Figure 7 - Kbytes transferred over the WAN for Multimedia Application


Test Results #2 for Microsoft Office Applications

In this scenario, we measured the WAN bandwidth data reduction when using Microsoft Office applications (such as Excel, Word or PowerPoint) to run basic file operations (open, save and close). The test file sizes ranged from 50 Kbytes to 2 Mbytes. As shown below in figure 8, we observed a 59% WAN bandwidth data reduction for Steelhead warm performance when compared to native ICA.

Figure 8 - Kbytes transferred over the WAN for Microsoft Office Applications


Test Results #3 for PowerPoint Slideshow

In this scenario, we measured the WAN bandwidth data reduction when running a complex PowerPoint presentation in slideshow mode. The presentation is 15 Mbytes in size and contains several animations and graphics. As shown below in figure 9, we observed a 59% WAN bandwidth data reduction for Steelhead warm performance when compared to native ICA.

Figure 9 - Kbytes transferred over the WAN for PowerPoint Slideshow


QOS TUNING

Starting with RiOS 6.0, support was added for priority classification of Session Reliability and ICA traffic. The Citrix ICA-specific capabilities in the Steelhead can examine priority in standard ICA (port 1494) as well as Session Reliability (port 2598) traffic. Once the ICA traffic has been classified using the application priorities, QoS rules can be created to separate low importance traffic (printing) from high importance traffic (interactive screen updates).

ICA Priority Packet Tagging provides a mechanism for prioritizing ICA sessions based on the virtual channel from which the data originated. This is accomplished by associating each virtual channel with a two-bit priority. This two-bit priority is included as part of each ICA framing header. The two priority bits combine to form four priority values:

Value Priority Description

0 High Priority Realtime keystrokes, bitmap updates, mouse movements

1 Medium Priority Clipboard, client audio, license management

2 Low Priority Client COM Port Mapping, Client Drive Mapping

3 Background Priority Print Traffic, Auto client update

The Riverbed QoS solution takes advantage of ICA Priority Packet Tagging to provide more granular QoS benefits compared to generally prioritizing all ICA traffic. More information on understanding ICA Priority Packet Tagging and virtual channel priorities can be found at Citrix’s Support Site: http://support.citrix.com/article/CTX19314

The following QoS configuration example is for the server-side Steelhead appliance adjacent to the Citrix XenApp or XenDesktop server for RiOS 7.0 (and later) using the Advanced QoS mode. You may apply the same QoS configuration to the client-side Steelhead with changes to the WAN link size and the IP/port combination for the Citrix traffic.

1. Enable the Advanced QoS Classification on the server-side Steelhead – In our example, the WAN link is 1.5 Mbps
   a. Go to Configure > Networking > Outbound QoS (Advanced)
   b. Click “Enable QoS Shaping and Enforcement”
   c. Click and enter a value for “Enable QoS on wan0_0 with WAN Bandwidth”
   d. Click Apply and Save.


2. QoS Classes – Create an ICA Parent QoS Class and four ICA application priority classes. An arbitrary percentage was used for each ICA application priority.

NOTE - The following settings are a sample configuration for this document and not necessarily optimal. Please use percentages for each application priority that fit your customer environment.

3. QoS Rules for the four ICA Application Priority Classes
   a. Select “ICA0” for the Class Name.
   b. Enter “Citrix” or port “2598” or port “1494” for the Source Subnet.
   c. In the Application Protocol section, select “ICA”.
   d. In the ICA Priority 0-2, select the corresponding ICA application priority class.
   e. Click Apply.


4. To verify that the QoS Classification is working correctly, the following graph depicts various activities for the four Citrix traffic types. From the graph, you can see traffic for bitmap updates (ICA0), client audio (ICA1), client drive mapping (ICA2) and print traffic (ICA3).


MULTI-STREAM / MULTI-PORT ICA

The Citrix ICA protocol consists of 24 virtual channels representing different activities. Each virtual channel is assigned one of four application priorities. More information can be found here: http://support.citrix.com/article/CTX131001

The following table lists the four application priority levels:

Value Priority Description

0 High Priority Realtime keystrokes, bitmap updates, mouse movements

1 Medium Priority Clipboard, client audio, license management

2 Low Priority Client COM Port Mapping, Client Drive Mapping

3 Background Priority Print Traffic, Auto client update

XenApp 6.5 and XenDesktop 5.5 introduced multi-stream ICA. In a multi-stream ICA session, traffic that is assigned to each priority level is transported on a separate TCP connection using port 1494 or port 2598.

Older versions of XenApp and XenDesktop used single-stream ICA. In single-stream ICA, all traffic is sent over a single TCP connection. One notable limitation of single-stream ICA is that network administrators cannot separate low importance traffic (printing) from high importance traffic (interactive screen updates), thus hampering true network based Quality of Service (QoS). However, starting with RiOS 6.0, support was added for priority classification of ICA traffic in the Riverbed Steelhead appliances via the Advanced QoS features. Once the ICA traffic has been classified using the application priorities, QoS rules can be created to separate the different types of traffic.

Multi-Stream ICA / Multi-Port ICA was created by Citrix to allow enhanced QoS support. Multi-Port ICA is a version of Multi-Stream ICA that allows the Citrix administrator to configure three additional CGP ports. By default, the primary port (2598) has a High Priority.

Below is a table that reflects the new application priorities for Multi-Stream ICA / Multi-Port ICA:

Very High | High | Medium | Low
Audio | ThinWire/DX Command Remoting | MediaStream (Windows Media and Flash) | Printing
 | Seamless | USB Redirection | COM Port Mapping
 | MSFT TS Licensing | Clipboard | LPT Port Mapping
 | SmartCard Redirection | Client Drive Mapping | Legacy OEM Virtual Channels
 | Control Virtual Channel | |
 | End User Experience Monitoring | |


CONFIGURING XENAPP 6.5 OR XENDESKTOP 5.5

To enable Multi-Stream and Multi-Port on XenApp 6.5 or XenDesktop 5.5, perform the following steps:

1. Enable the Multi-Stream Policy for both the Computer and User Configuration via the Group Policy Editor or Citrix AppCenter in the XenApp server or via the Group Policy Editor or Desktop Studio in the XenDesktop server.

2. Enable and configure the Multi-Port Policy for the Computer Configuration via the Group Policy Editor or the Citrix AppCenter. (Please see the support note in the Configuring Steelhead section.)

3. Restart the server.


CONFIGURING STEELHEAD APPLIANCES

Multi-Stream ICA is supported by RiOS 6.0 or later without any changes. Each of the four TCP connections over port 2598 will contain a unique application priority.

1. After enabling the Multi-Stream Policy in XenApp 6.5 or XenDesktop 5.5, you should see four TCP connections upon launching an ICA session in the “Current Connections” screen on the client-side Steelhead appliance.

2. After enabling and configuring the Multi-Port Policy in XenApp 6.5 or XenDesktop 5.5, configure the additional CGP ports using the same TCP port numbers by navigating to Configure > Optimization > Citrix on the client-side Steelhead appliance.

3. You should see four unique TCP connections matching those configured in the Multi-Port Policy and in the CLI upon launching an ICA session in the “Current Connections” screen on the client-side Steelhead appliance.


QOS IMPACT

If you already have QoS classes and rules to prioritize ICA traffic, no changes are necessary.

Port Labels: If you are using a port label to represent all ICA traffic over ports 1494 and 2598, be sure to add the new CGP ports for supporting Multi-Port ICA.


CITRIX OVER SSL

Starting with RiOS 7.0, support was added to optimize Citrix over SSL. Citrix over SSL can be performed using one of the following two methods:

SSL Relay – The Citrix SSL Relay Service is a XenApp server component that provides encryption, authentication, and forwarding capabilities. This service can be installed on any XenApp server; it must be installed on all XenApp servers to which clients will attempt SSL connections. Typically, the Citrix SSL Relay Service listens for encrypted SSL traffic on TCP port 443 and decrypts and forwards information to other services on the XenApp server, such as the XML service or the ICA listener.

Citrix Access Gateway (CAG) – A hardware appliance that provides secure access to Citrix XenDesktop and Citrix XenApp deployments.

In this section, we will provide detailed instructions on how to deploy Citrix over SSL using the SSL Relay only. In addition, we make the following assumptions:

- SSL Relay has not been configured
- A valid Certificate Authority (CA) exists
- A valid certificate for the XenApp Server signed by the above CA exists

If the preceding assumptions have not been met, please consult the “Deployment Guide – Optimizing Microsoft 2008 R2 SSL-based traffic” on Salesforce.com at https://na2.salesforce.com/sfc/#version?selectedDocumentId=069A0000000TTNa to learn how to create server certificates before continuing on.

CONFIGURE THE XENAPP SERVER FOR SSL

1. Export the Server Certificate

Launch the Internet Information Services (IIS) to view the installed certificates.


Now export the server certificate and private key using the “Export” action on the right column.

Fill in the blanks with a suitable name and password. Remember your file save location.

2. Import the CA Certificate and the Server Certificate

Launch the Microsoft Management Console (MMC).


Locate the CA Certificate and import to the Trusted Root Certificate Authorities folder using the Certificate Import Wizard.

Locate the Server Certificate and import to the Personal Certificates folder.


3. Configure the SSL Relay

Navigate to Windows Start > Programs > Administrative Tools > Citrix > Administrative Tools to launch the Citrix SSL Relay Configuration tool. If the Server certificate has been added successfully, this certificate will show up in the drop-down menu. Select this certificate and select “Enable SSL Relay”.

Under the Connection tab, add the new Server Name with Destination ports (1494, 2598) and enter port 444 as the Relay listening port (leave port 443 for other SSL applications such as HTTPS).

Click “Apply”.


4. Configure the Web-plugin Client

If using the Citrix Web Interface, go to c:\inetpub\wwwroot\Citrix\YOUR_SITE_NAME\conf\default.ica. The default.ica file is a configuration file that contains information required to connect to the remote system, including session properties and (optionally) authentication. Add these new settings to the [Application] section to support SSL for the Web-plugin client.

    [Application]
    SSLCiphers=all
    SSLEnable=On
    SSLProxyHost=*:444
    SecureChannelProtocol=Detect

Save and restart the XenApp Server.
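The check below is an added example, not part of the Riverbed guide: it parses the text of a default.ica file and reports any of the four SSL settings from step 4 that are missing, set differently, pointed at a port other than the relay port 444, or placed outside [Application]. The function name, the sample files and the case-insensitive comparison are assumptions made for the example.

```python
import configparser

# Settings the guide adds to [Application]; SSLProxyHost is checked separately.
EXPECTED = {"SSLCiphers": "all", "SSLEnable": "On", "SecureChannelProtocol": "Detect"}
RELAY_PORT = 444  # SSL Relay listening port chosen in step 3

def check_default_ica(text, relay_port=RELAY_PORT):
    """Return a list of findings; an empty list means the file matches the guide."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    if not cp.has_section("Application"):
        return ["no [Application] section"]
    # Assumption: keys and values are compared case-insensitively.
    app = {k.lower(): (v or "").strip() for k, v in cp.items("Application")}
    findings = []
    for key, want in EXPECTED.items():
        got = app.get(key.lower())
        if got is None:
            findings.append(f"{key} missing from [Application]")
        elif got.lower() != want.lower():
            findings.append(f"{key}={got}, guide uses {want}")
    host = app.get("sslproxyhost")
    if host is None:
        findings.append("SSLProxyHost missing from [Application]")
    else:
        _, sep, port = host.rpartition(":")
        if not sep or not port.isdigit() or int(port) != relay_port:
            findings.append(f"SSLProxyHost={host} does not target relay port {relay_port}")
    # The same keys under any other section are reported as misplaced.
    wanted = {k.lower() for k in EXPECTED} | {"sslproxyhost"}
    for section in cp.sections():
        if section != "Application":
            for k in cp.options(section):
                if k.lower() in wanted:
                    findings.append(f"{k} found in [{section}], not [Application]")
    return findings

# Constructed sample files (not taken from a real Web Interface site).
SAMPLE_OK = ("[WFClient]\nVersion=2\n\n[Application]\nSSLCiphers=all\nSSLEnable=On\n"
             "SSLProxyHost=*:444\nSecureChannelProtocol=Detect\n")
SAMPLE_BAD = ("[WFClient]\nVersion=2\nSSLEnable=On\n\n[Application]\nSSLCiphers=all\n"
              "SSLProxyHost=*:443\nSecureChannelProtocol=Detect\n")

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_default_ica(text) or "matches the guide")
```

Pass a different `relay_port` if the SSL Relay was configured to listen on a port other than 444.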


CONFIGURE THE STEELHEAD APPLIANCES FOR SSL

Follow the regular steps to configure and enable SSL on the Steelhead appliances.

1. Add the CA Certificate

On the server-side Steelhead appliance, navigate to Configure > Optimization > SSL Main Settings to add the CA Certificate.

2. Add the Certificate Authority

On the server-side Steelhead appliance, navigate to Configure > Optimization > Certificate Authorities to add the new Certificate Authority.

3. Add the Auto Discover Rule

On the client-side Steelhead appliance, navigate to Configure > Optimization > In-Path Rules to add a new Auto Discover rule with the following:

    Source = all-IPv4:*
    Destination = all-IPv4:444
    Preoptimization Policy = SSL
    Latency Policy = Citrix


CONFIGURE THE CLIENT MACHINE FOR SSL

1. Add the CA Certificate to Trusted Root Certificate Authorities on Client Machine

On the client machine, launch an internet browser and import the CA Certificate to the list of Trusted Root Certificate Authorities.

2. Verify Citrix over SSL connection on Client Machine

On the client machine, launch the Citrix Web Interface and select one of the published applications.


On the client-side Steelhead appliance, navigate to Reports > Networking > Current Connections and note the optimized and encrypted (SSL) Citrix connection to destination port 444 using the newly created Citrix SSL Relay.


BEST PRACTICES FOR INTERACTIVE CITRIX ICA TRAFFIC

1. Citrix Small Packets Optimization

Description – A large number of our customers have raised an issue where our Steelheads show a negative amount of reduction for upstream traffic. This traffic mainly consists of keyboard and mouse events from the client. This type of data consists of very small packets (10-12 bytes), which do not get good data reduction from the Steelheads.

Recommendation – Enable small packet optimization by performing the following on the command line interface for both Steelhead appliances.

2. SDR-M

Description – Internal lab testing has found that Interactive/Latency-sensitive traffic has benefited from SDR-M. However, in real-world deployments, SDR-M has been ineffective. This ineffectiveness is due to the fact that SDR-M has a smaller data store (all in memory) and there is a lot of Interactive/Latency-sensitive traffic, resulting in the data store wrapping.

Recommendation – If there is a small amount of Interactive/Latency-sensitive traffic, use SDR-M. Otherwise, allow the default of SDR-disk to be used.

Note: If multi-stream/multi-port ICA is enabled, you may configure SDR-M for your high priority channels (real-time and interactive) based on the custom port settings (see section on Multi-Stream/Multi-Port ICA).

On the client-side Steelhead appliance only:

1. Go to Configure > Optimization > In-Path Rules.
2. Click “Add a New In-Path Rule”.
3. Select “Auto Discover” for Type.
4. Enter “Citrix” for Port in Destination Subnet.
5. Select “SDR-M” for Optimization Policy.
6. Click Apply.


CONCLUSION

Enterprises that have deployed Citrix XenApp or XenDesktop will be able to leverage the benefits of the Steelhead appliance when deployed over the WAN. The Steelhead appliance enables XenApp and XenDesktop users to overcome WAN limitations such as bandwidth and latency. Our test results have shown WAN data reduction values as high as 70% compared to native performance, resulting in additional bandwidth for additional users or for running additional applications.

XenApp and XenDesktop users depend heavily on fast response times for their interactive sessions, especially for keystrokes and mouse clicks. Starting with RiOS 6.0, QoS enhancements were added to support priority classification of session reliability and ICA traffic. QoS classification and rules allow for prioritization of high and low priority ICA traffic to ensure sufficient bandwidth. Deploying Steelhead appliances with QoS support will enable these users to remain productive.

In RiOS 7.0, Client Drive Mapping (CDM) performance was improved significantly to show up to 99% WAN data reduction and application performance run-times increased by a factor of 10. In RiOS 8.0, official support was added for Multi-Stream ICA and Multi-Port ICA.

Riverbed Technology, Inc. 199 Fremont Street San Francisco, CA 94105 Tel: (415) 247-8800 www.riverbed.com

Riverbed Technology Ltd. One Thames Valley Wokingham Road, Level 2 Bracknell. RG42 1NG United Kingdom Tel: +44 1344 31 7100

Riverbed Technology Pte. Ltd. 391A Orchard Road #22-06/10 Ngee Ann City Tower A Singapore 238873 Tel: +65 6508-7400

Riverbed Technology K.K. Shiba-Koen Plaza Building 9F 3-6-9, Shiba, Minato-ku Tokyo, Japan 105-0014 Tel: +81 3 5419 1990