Citrix Receiver SSO / Domain passthrough and Optimal HDX routing

In the previous blog we configured Citrix Receiver SSO and domain pass-through authentication, and configured Receiver to connect to our StoreFront store automatically without any configuration required by the user. In this blog we take the configuration one step further by setting up Optimal HDX routing on StoreFront. Authentication is still handled by StoreFront (we have SSO / domain pass-through enabled), but when resources (apps or desktops) are launched from Receiver the connection is proxied through the NetScaler Gateway rather than connecting to the VDA server directly. A direct HDX connection is the default when launching applications and desktops from StoreFront on the LAN. The benefits are that we can use HDX Insight on NetScaler MAS for all connections, internal and external, as they all have to pass through the NetScaler, and the connection is more secure as it is encrypted with TLS 1.2 as it is proxied from the NetScaler to the VDA.

In the default configuration, launching a published resource from StoreFront establishes a direct HDX connection between the client and the VDA. As you can see in the screenshot, there is no encryption on this connection.


We need to configure Optimal HDX routing on our StoreFront store. With the store selected, choose Store Settings; under Optimal HDX Routing our NetScaler Gateway appliance should be listed. We now need to map the delivery controllers for our XenDesktop site to our NetScaler Gateway appliance and make sure "External only" is not selected. With that option unticked, internal connections to this store are now routed to the NetScaler Gateway appliance as well, because we have configured Optimal HDX routing.


What this does is change the section below in the store's web.config file. As the Optimal HDX routing configuration is now in the StoreFront GUI, I have no need to edit the web.config file by hand.
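The same mapping can be scripted with the StoreFront PowerShell SDK and then read back as a check, which is handy when you have several stores to configure consistently. This is an added example, not code from the original post; the cmdlet and parameter names are from the StoreFront 3.x SDK as I recall them (confirm with Get-Help before running), and the store path, gateway name and farm name are placeholders for your own environment.

```powershell
# Added example (not from the original post). Assumes the StoreFront 3.x PowerShell SDK;
# verify cmdlet/parameter names with Get-Help on your StoreFront version.
# Load the StoreFront modules the way the Citrix documentation does.
& "$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

$storePath   = '/Citrix/Store'          # placeholder: your store's virtual path
$gatewayName = 'NSGW-PLACEHOLDER'       # placeholder: the NetScaler Gateway already defined in StoreFront
$farmName    = 'XenDesktop-PLACEHOLDER' # placeholder: the delivery controller group for your site

$store   = Get-STFStoreService  -VirtualPath $storePath
$gateway = Get-STFRoamingGateway -Name $gatewayName

if (-not $store -or -not $gateway) {
    throw "Store '$storePath' or gateway '$gatewayName' not found; check the names in the StoreFront console."
}

# Map the farm to the gateway. EnabledOnDirectAccess $true is the SDK equivalent of leaving
# "External only" unticked in the GUI: internal (direct) launches are proxied via the gateway too.
Register-STFStoreOptimalLaunchGateway -StoreService $store -Gateway $gateway `
    -FarmName $farmName -EnabledOnDirectAccess $true

# Read the mapping back so the change can be checked (and recorded) before testing a launch.
# Expect one entry listing your farm with EnabledOnDirectAccess set to True.
Get-STFStoreRegisteredOptimalLaunchGateway -StoreService $store | Format-List *
```

After running it, launch a resource from an internal client and confirm in the NetScaler ICA connections view that the session appears there, exactly as shown later in this post.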


If I now log in to my machine with domain credentials, I am automatically logged on to StoreFront, as I have Receiver SSO / domain pass-through authentication configured on StoreFront.


If I now launch one of the published resources, such as Notepad, the connection is proxied through the NetScaler Gateway and is encrypted using TLS 1.2.


If I check the ICA connections on my NetScaler, the connection is listed.


Job done 🙂