Citrix ICA Optimization over SSL
Citrix Access Gateway (CAG) is an appliance that provides secure remote access to users of XenApp and XenDesktop over SSL VPN. CAG is also known as Access Gateway Enterprise Edition (AGEE) and NetScaler Gateway. CAG proxies the Citrix ICA traffic delivered from these applications and passes it securely over HTTPS or SSL to the end user.
For more information about SSL, see Configuring SSL Optimization on SteelHeads.
Figure 5‑15. Citrix ICA Client Communication Through a Citrix Access Gateway
Figure 5‑15 shows a CAG deployment. The user reaches the login page by entering the XenApp or XenDesktop secure remote access URL (https://<CAG URL>) in a browser. This page is hosted on the CAG. The user enters their credentials for authentication.
Upon successful authentication, a list of published applications and desktops is displayed. When the user accesses these applications and desktops, an ICA connection is launched from the user desktop to the XenApp and XenDesktop server. The CAG functions as a gateway to intercept and proxy the user ICA connection to the XenApp and XenDesktop servers on one end, while providing secure remote access over SSL VPN to the user on the other end.
RiOS v7.0 and later can optimize ICA traffic wrapped in SSL by applying an SSL preoptimization policy to the in-path rule. The in-path rule has several parameters that allow for the chaining of multiple optimization features.
Figure 5‑16 shows a SteelHead deployment with CAG.
Figure 5‑16. SteelHead Deployment with CAG
Figure 5‑17 shows an in-path rule configuration to optimize Citrix ICA traffic wrapped in SSL.
Figure 5‑17. SteelHead In-Path Rule to Optimize Citrix ICA Traffic Through a CAG
Citrix ICA traffic optimization with CAG has the following requirements:
  • Both the client-side and server-side SteelHead must have RiOS v7.0 or later.
  • The proxy certificate you use on the SteelHead must be a valid certificate.
  • You must import self-signed proxy certificates to the client trusted-root certificate authority certificate store. The Citrix client does not connect if you use an invalid certificate.
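As an added example (not part of the Riverbed guide), the following shell function checks a proxy certificate against the two certificate requirements above before it is installed on the SteelHead. It assumes the certificate is available as a PEM file, that OpenSSL 1.0.2 or later is installed, and that a valid certificate is one that is unexpired and matches the CAG host name the client connects to; `check_proxy_cert` and the finding names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-deployment check of a SteelHead proxy certificate (PEM).
# Usage: check_proxy_cert CERT_PEM CAG_HOSTNAME
# Prints the findings on one line.
# Returns 0 if the certificate is usable, 1 if a client would reject it,
# 2 if the file cannot be parsed as a certificate.
check_proxy_cert() {
    cert=$1
    host=$2
    status=0
    findings=""

    # The file must parse as an X.509 certificate at all.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "unreadable"
        return 2
    fi

    # Expired certificates are invalid; warn when expiry is under 30 days away.
    # (-checkend looks at notAfter only, not at notBefore.)
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        findings="${findings}expired "
        status=1
    elif ! openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null 2>&1; then
        findings="${findings}expires-within-30d "
    fi

    # Assumption: the certificate must match the host name in https://<CAG URL>.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q "does match"; then
        findings="${findings}hostname-mismatch "
        status=1
    fi

    # Subject equal to issuer means self-issued (treated here as self-signed):
    # the certificate must be imported into the client trusted-root store.
    if [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
         "$(openssl x509 -in "$cert" -noout -issuer_hash)" ]; then
        findings="${findings}self-signed:import-into-client-trusted-root-store "
    fi

    echo "${findings:-ok}"
    return $status
}

# Run directly: sh check_proxy_cert.sh proxy.pem cag.example.test
if [ $# -eq 2 ]; then check_proxy_cert "$1" "$2"; fi
```

A return value of 0 with the `self-signed` finding means the certificate is acceptable only after it has been imported into each client's trusted-root certificate authority store.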