9.4. PSM deployment scenarios in a Citrix environment

This section lists the available PSM deployment scenarios in a Citrix environment. The text on the arrows in the figures is formatted as (<step number>) <target port>. The target ports define the protocols used in the communication:

  • 80: Web service, HTTP: the list of available resources is fetched in XML format from the broker (v12 and v11 with XenApp only). The broker sends all the necessary information, including secure gateway and server addresses, to the client.

  • 8080: XML service, HTTP+XML: application discovery and load balancing (v12 and v11 with XenApp only); used by the client to fetch the target of the application/desktop from the broker (for load balancing, and so on).

  • 443: XML service access or SOCKS/ICA or CGP/ICA wrapped in SSL. The client communicates with the secure gateway on this port for everything.

  • 1080: SOCKS. The client can be configured to access the target server and the broker using a SOCKS proxy.

  • 1494: Plain ICA.

  • 2598: CGP/ICA (reliable mode enabled).

Warning

Accessing XenDesktop is supported only in the following scenarios. Only reliable connections (CGP) are supported.

Client - PSM - Server (Transparent mode)

The PSM is deployed between the client and the server and the clients use predefined connection files or Program Neighbourhood, without a broker or secure gateway. The clients try to connect to their original ICA/CGP server.

Figure 9.2. Client - PSM - Server (Transparent mode)

Client - PSM - Server (Non-transparent mode)

The PSM is deployed between the client and the server and the clients use predefined connection files or Program Neighbourhood, without a broker or secure gateway. The clients try to connect to PSM, which can distinguish between the potential targets for example by source IP, or by having multiple IP addresses itself.

Figure 9.3. Client - PSM - Server (Non-transparent mode)

Client - Broker - PSM - Server (Transparent mode)

The clients are using a farm broker which gives them a list of the available applications and servers, but they do not use a secure gateway in the network. The PSM is placed between the clients and the servers in transparent mode, and it catches the connections when the clients try to connect to the server IP addresses they got from the broker.

Figure 9.4. Client - Broker - PSM - Server (Transparent mode)

Client - Broker - original secure gateway - Secure Ticket Authority (STA) - PSM - Server

In this setup, a secure gateway is used in the network and the PSM is placed between this gateway and the servers in transparent mode. The clients connect to the broker for the list of available applications/servers and then make their further connections through the original secure gateway. That gateway forwards the connections either to the broker or to the CGP/ICA servers; the PSM intercepts and audits/controls the latter.

Figure 9.5. Client - Broker - original secure gateway - Secure Ticket Authority (STA) - PSM - Server

Client - Broker - PSM as socks proxy - Server

In this setup, the PSM acts as a SOCKS proxy for the client. The proxy can be set either manually on the client or specified by the broker. The client then makes all its connections to the broker or to the server through the PSM as a proxy, so the PSM can audit/control these connections.

Figure 9.6. Client - Broker - PSM as socks proxy - Server

To configure such a scenario, you must set the ICA Connection Policy as follows:

  • Enter the IP address of PSM into the To field. This must be the public IP address that the clients will target.

  • Select Inband destination selection, and list the IP addresses or networks of target servers in the Targets field. (For details, see Procedure 7.3, Configuring inband destination selection.)

  • Select Act as a SOCKS proxy.

  • Add the IP addresses of your brokers to the Brokers field.
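The SOCKS proxy scenario above relies on inband destination selection: the proxy learns the real target from the client's SOCKS CONNECT request and decides, from the Targets and Brokers lists, whether the connection is a broker query or an ICA/CGP session it should audit. The following Python block is an added illustration of that decision, not PSM's own code: it encodes and parses SOCKS5 CONNECT requests (RFC 1928) and applies a policy object whose `targets` and `brokers` fields stand in for the Targets and Brokers fields of the ICA Connection Policy. The port-to-role mapping follows the protocol list at the top of this section; the sample addresses, the hostname handling and the reply codes chosen for rejections are assumptions of the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
REP_SUCCEEDED = 0x00
REP_GENERAL_FAILURE = 0x01
REP_NOT_ALLOWED_BY_RULESET = 0x02

# Port-to-role mapping taken from the protocol list at the top of this section
BROKER_PORTS = {80, 8080, 443}   # web service, XML service, SSL-wrapped access
ICA_PORTS = {1494, 2598}         # plain ICA, CGP/ICA (reliable mode)


class SocksParseError(ValueError):
    """Malformed or unsupported SOCKS5 request."""


@dataclass(frozen=True)
class ConnectRequest:
    host: str   # dotted IPv4 address or a domain name
    port: int


def build_connect_request(host: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT request the way a client sends it (RFC 1928 section 4)."""
    try:
        addr = ipaddress.IPv4Address(host)
        body = bytes([ATYP_IPV4]) + addr.packed
    except ValueError:
        name = host.encode("ascii")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> ConnectRequest:
    """Extract the inband destination (host, port) from a SOCKS5 CONNECT request."""
    if len(data) < 4:
        raise SocksParseError("request too short")
    ver, cmd, rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != SOCKS_VERSION:
        raise SocksParseError(f"unsupported SOCKS version {ver}")
    if cmd != CMD_CONNECT:
        raise SocksParseError(f"only CONNECT is handled, got command {cmd:#x}")
    if rsv != 0x00:
        raise SocksParseError("reserved byte must be zero")
    if atyp == ATYP_IPV4:
        if len(data) != 10:
            raise SocksParseError("bad length for IPv4 request")
        host = str(ipaddress.IPv4Address(data[4:8]))
        port = struct.unpack("!H", data[8:10])[0]
    elif atyp == ATYP_DOMAIN:
        name_len = data[4]
        if len(data) != 7 + name_len:
            raise SocksParseError("bad length for domain request")
        host = data[5:5 + name_len].decode("ascii")
        port = struct.unpack("!H", data[5 + name_len:7 + name_len])[0]
    else:
        raise SocksParseError(f"unsupported address type {atyp:#x}")
    return ConnectRequest(host, port)


@dataclass
class IcaSocksPolicy:
    """Stand-in for the Targets and Brokers fields of the ICA Connection Policy."""
    targets: List[ipaddress.IPv4Network]
    brokers: Set[ipaddress.IPv4Address]

    def decide(self, req: ConnectRequest) -> Tuple[bool, str]:
        try:
            addr = ipaddress.IPv4Address(req.host)
        except ValueError:
            # Assumption of this example: only IP destinations are matched, so a
            # hostname destination is refused instead of being resolved.
            return False, "hostname destination not matched against IP-based lists"
        if addr in self.brokers and req.port in BROKER_PORTS:
            return True, "broker traffic (application list / XML service)"
        if req.port in ICA_PORTS and any(addr in net for net in self.targets):
            return True, "ICA/CGP session to a listed target, audited"
        return False, f"{addr}:{req.port} is neither a broker nor an ICA/CGP target"


def socks_reply(rep: int) -> bytes:
    """SOCKS5 reply with a zero bind address, as returned to the client."""
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + b"\x00\x00\x00\x00\x00\x00"


def handle_request(policy: IcaSocksPolicy, data: bytes) -> Tuple[bytes, str]:
    """Parse one client request, apply the policy, return (reply bytes, reason)."""
    try:
        req = parse_connect_request(data)
    except SocksParseError as exc:
        return socks_reply(REP_GENERAL_FAILURE), f"rejected: {exc}"
    allowed, reason = policy.decide(req)
    return socks_reply(REP_SUCCEEDED if allowed else REP_NOT_ALLOWED_BY_RULESET), reason


# Constructed sample policy; the addresses are placeholders, not taken from the page.
SAMPLE_POLICY = IcaSocksPolicy(
    targets=[ipaddress.IPv4Network("10.0.1.0/24")],
    brokers={ipaddress.IPv4Address("10.0.0.5")},
)

if __name__ == "__main__":
    for host, port in [("10.0.0.5", 8080), ("10.0.1.20", 2598),
                       ("10.0.1.20", 22), ("192.168.5.5", 1494)]:
        reply, reason = handle_request(SAMPLE_POLICY, build_connect_request(host, port))
        print(f"{host}:{port} -> REP={reply[1]:#04x} ({reason})")
```

A real SOCKS listener would additionally handle the method-negotiation greeting and relay the accepted stream; the point here is that the destination the policy sees is the one carried inband in the CONNECT request, which is why the Targets and Brokers lists, not the proxy's own address, decide what the PSM audits.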