Tuesday, February 14, 2012

How to Accelerate the ICA Proxy Mode in Access Gateway with Repeater/Branch Repeater

This article contains information about deploying and configuring a Citrix Repeater or Branch Repeater appliance to accelerate Independent Computing Architecture (ICA) Proxy Mode in Access Gateway, also known as Secure Gateway Mode.
Requirements
The following are the basic requirements to complete this task:
  • Repeater or Branch Repeater appliance installed with any of the following software releases:
    • Version 5.7.x (Citrix Repeater or Branch Repeater)
    • Version 3.x (Citrix Branch Repeater with Windows Server)
    • Version 6.x (Citrix Repeater or Branch Repeater)
    Note: Citrix Repeater Plug-in is not recommended for ICA Proxy deployments. Refer to the Knowledge Center article CTX128581 - Citrix Branch Repeater Appliance and Access Gateway Enterprise Edition Appliance Supported Deployment Scenarios for more information.
  • Branch Repeater Crypto License to enable SSL traffic acceleration. This might be available through your MyCitrix Web account. If the license is not available on MyCitrix, refer to the Knowledge Center article CTX128877 - Branch Repeater Crypto License.
Background
You can deploy and configure a Repeater or Branch Repeater appliance to optimize ICA across all users in a branch location by using the Proxy Mode to access the published application.
Refer to the Deploying the Access Gateway to Access Published Applications page of the Access Gateway e-documents for more information about the ICA Proxy Modes.
You must deploy the Repeater or Branch Repeater appliance as shown in the following diagram. The Repeater or Branch Repeater appliance must be on the external facing side of the Access Gateway in the data center.

The Repeater or Branch Repeater appliance in the data center is configured with Secure Socket Layer (SSL) traffic acceleration and the SSL server certificate of the Access Gateway. The Repeater or Branch Repeater appliance establishes an SSL tunnel to secure the accelerated ICA traffic. End users log on to the Access Gateway through a Web browser (HTTPS) and access the published applications through the Web Interface (WI) site. Clicking an application icon starts the Online Plug-in, which establishes an SSL connection to the Access Gateway. The ICA connection is tunneled through that SSL connection.
The branch side Repeater or Branch Repeater appliance decrypts the SSL connection from the user device, applies ICA optimization techniques, and re-encrypts the traffic for transit over the Internet. The data center side Repeater or Branch Repeater appliance decrypts the optimized ICA traffic and re-encrypts it into the original SSL connection destined for the Access Gateway. The result is transparent acceleration of ICA traffic: the end-user device and the Access Gateway are not aware of the Repeater or Branch Repeater ICA acceleration and require no configuration changes. If there are multiple users in the branch, they also benefit from the cross-user nature of the ICA optimization in the Branch Repeater.
Note: The Repeater or Branch Repeater appliance is not designed for deployment in a demilitarized zone (DMZ). Therefore, Citrix recommends against doing so. Deploying the Repeater or Branch Repeater appliance on the external facing side of the Access Gateway is suitable for private Multiprotocol Label Switching (MPLS) and other scenarios where Repeater or Branch Repeater appliance security is not a concern.
Accelerating ICA Proxy Mode in Access Gateway with a Repeater or Branch Repeater Appliance
To accelerate ICA Proxy Mode in Access Gateway with a Repeater or Branch Repeater appliance, complete the following procedures:
Enabling SSL Traffic Acceleration
To enable SSL traffic acceleration on a Repeater or Branch Repeater appliance, complete the following procedure:
  1. Install the Branch Repeater Crypto License.
  2. On the Repeater or Branch Repeater appliance Graphical User Interface (GUI), select Encryption from within the Acceleration Settings section.
    Note: For Citrix Branch Repeater software release 6.0 or later, select SSL Encryption from the Configuration section.
  3. For the Key Store parameter, click Create Password.
  4. Set the password as required.
  5. For the User Data Store parameter, click Enable Encryption.
  6. For the SSL Optimization parameter, click Enable.
Configuring SSL Profiles on the server side Repeater or Branch Repeater Appliance
To configure SSL profiles on a Repeater or Branch Repeater appliance, complete the following procedure:
  1. On the Repeater or Branch Repeater appliance GUI, select SSL from within the Acceleration Settings section.
    Note: For Citrix Branch Repeater software release 6.0 or later, select SSL Acceleration from the Configuration section.
  2. Click Add.
  3. In the Profile Name field, specify an SSL profile name.
  4. Select the Profile Enabled option.
  5. For the Proxy Type parameter, ensure that the Split option is selected.
  6. From the Certificate/Private key list, select ADD NEW ENTRY if you need to install a certificate. If you have already installed the required certificate, select that certificate from the list.
  7. Select the Signature/Expiration option for the Certificate Verification parameter.
    Note: This is required to maintain security between the Repeater or Branch Repeater appliances.
  8. From the CA Certificate Store list, select the appropriate CA Certificate Store.
  9. Retain the default settings for the other fields, as shown in the following screenshot:

  10. Click Add.
Setting up the Peer Communication
To set up the peer communication on a Repeater or Branch Repeater appliance, complete the following procedure:
  1. On the Repeater or Branch Repeater GUI, select Peers from within the Acceleration Settings section.
    Note: For Citrix Branch Repeater software release 6.0 or later, select Secure Partners from the Configuration section.
  2. Select the Enable option for the Peer State parameter.
  3. Configure the following Peer Security settings:
    • From the Certificate/Key name list, select the certificate/key pair you added in the previous procedure.
    • Select the appropriate CA Certificate from the CA Certificate Store list.
    • Select the Signature/Expiration option for the Certificate Verification parameter.
      Note: This is required to maintain security between Repeater or Branch Repeater appliances.
  4. Ensure that the Enable Auto-Discovery option is selected.
  5. For the Listen On parameter, add the IP address of the Repeater or Branch Repeater appliance installed on the data center side, as shown in the following screenshot:

  6. For the Connect To parameter, specify the same IP address as in the preceding step. This applies to the client side Repeater or Branch Repeater appliance only.
    Note: On the Repeater or Branch Repeater appliance installed on the data center side, leave this parameter empty.

  7. Click Save.
Configuring Service Class Policies
To configure Service Class Policies on a Repeater or Branch Repeater appliance, complete the following procedure:
  1. On the Repeater or Branch Repeater appliance GUI, select Service Class Policy from within the Acceleration Settings section.
    Note: For Citrix Branch Repeater software release 6.0 or later, select Service Classes from the Configuration section.
  2. Move the ICA service class policy to the top of the list.
  3. Ensure that the Accelerate option is selected for the ICA service class policy and that Disk is selected from the Compression Type list.
  4. On the Repeater or Branch Repeater GUI, select Service Class from within the Acceleration Settings section.
    Note: For Citrix Branch Repeater software release 6.0 or later, select Service Classes from the Configuration section.
  5. Configure ICA as shown in the following screenshots:
Citrix Branch Repeater Software Release 5.7.x – Server Side

Citrix Branch Repeater Software Release 5.7.x – Client Side

Citrix Branch Repeater Software Release 6.0 or Later – Server Side

Citrix Branch Repeater Software Release 6.0 or Later – Client Side

Note: In addition to accelerating and compressing ICA over an SSL-enabled Branch Repeater appliance, if you also want to accelerate and compress other HTTPS traffic such as SharePoint, proceed to Step 6.
  6. Configure AGEE_HTTPS as shown in the following screenshots. Ensure that this Service Class Policy is below the ICA Service Class Policy but above the default HTTPS (private) Service Class Policy.
Citrix Branch Repeater Software Release 5.7.x – Server Side

Citrix Branch Repeater Software Release 5.7.x – Client Side

Citrix Branch Repeater Software Release 6.0 or Later – Server Side

Citrix Branch Repeater Software Release 6.0 or Later – Client Side

Configuring an External Firewall
Configure the external firewall in the data center to allow the following inbound ports to the Repeater appliance:
  • Signaling Address and Port (default 2312) for the Branch Repeater:
    Refer to the section within the User’s Guide - Configuring the Appliance: Peer Configuration.
  • Access Gateway traffic port (default 443)
Confirming the ICA Acceleration
To confirm the ICA acceleration on a Repeater or Branch Repeater appliance, complete the following procedure:
  1. On the Repeater or Branch Repeater GUI, select Peer Status from within the Monitoring section.
    Note: For Citrix Branch Repeater software release 6.0 or later, select Secure Partners from the Monitoring section.
  2. Ensure that a secure connection is established between the Repeater or Branch Repeater appliances, as shown in the following screenshot:

    Note: If a peer connection is not established, refer to the Branch Repeater Installation and User’s Guide for troubleshooting the issue.
  3. On the Repeater or Branch Repeater GUI, select ICA Status from within the Monitoring section.
    Note: For Citrix Branch Repeater software release 6.0 or later, select Citrix (ICA/CGP) from the Monitoring section.
  4. Ensure that the accelerated ICA connections are listed on the ICA Status page, as shown in the following screenshot:

    Note: If the accelerated ICA connections are not listed, then review the appliance configuration. Additionally, the PROTO_ERROR connections are an internal misrepresentation of the HTTPS connections and can be ignored. These errors do not affect the end-user performance. Citrix Branch Repeater software release 6.0 or later has additional tabs that provide more information relevant to active ICA connections.
