How Do I Configure Framehawk Support on NetScaler Gateway?

Article ID: CTX205257

Description

This article describes how to configure Framehawk support on NetScaler Gateway.

Use Case

As more mobile users adopt tablets and smartphones, it is critical to ensure a rich virtual application and desktop user experience on Wi-Fi and cellular networks, where network quality may be intermittent or poor due to congestion, high packet loss and high latency. Mobile workers need anywhere, anytime access to their business resources with a user experience equal to what they have in a LAN environment.

Introduction to Framehawk

Citrix HDX technology is a set of capabilities that work together to deliver a high definition in-session user experience of virtual desktops and applications for users running Citrix Receiver. Framehawk, a new ICA virtual channel, extends HDX technology to further improve user experience. The Framehawk virtual channel optimizes the delivery of virtual desktops and applications to users on less optimal connections, where high packet loss or congestion occurs. Framehawk is integrated with XenApp and XenDesktop 7.6 Feature Pack 3.

Framehawk is UDP-based and takes a “best effort” approach to data transmission. TCP-based solutions do not work well on lossy or overburdened networks because they must retransmit packets, which leads to lag in the user experience. Although it is UDP-based, Framehawk still provides reliable data transmission, because reliability is maintained in the Framehawk application-layer control plane. By default, Framehawk uses UDP ports in the range 3224-3324, which can be customised in policy.


Instructions

Framehawk needs to be installed first, and XenApp and XenDesktop must then be configured for Framehawk. Find this information here: http://docs.citrix.com/content/dam/docs/en-us/xenapp-xendesktop/xenapp-xendesktop-7-6/downloads/Framehawk%20Administration%20Guide.pdf

For remote access to the apps and desktops, a NetScaler Gateway must be deployed. The following steps configure the Gateway to use Framehawk.

Step 1: Configure basic setup

Deploy and configure NetScaler Gateway to communicate with StoreFront, as per standard operating practices, and correctly authenticate users for XenApp and XenDesktop.

Step 2: Check ports

NetScaler Gateway might be installed in the DMZ, flanked by firewalls on both the external and the internal side. Ensure that UDP port 443 is open on the external firewall and, if the environment uses the default port range, that UDP ports 3224-3324 are open on the internal firewall. Also ensure that the CGP port (default 2598) is open on any internal firewalls between NetScaler and the XenApp and XenDesktop servers, because session reliability is required for Framehawk to work through NetScaler Gateway.

Step 3: Enable DTLS

To enable the Gateway to use the Framehawk virtual channel, Datagram Transport Layer Security (DTLS) should be enabled on the Gateway virtual server so that UDP can be used over port 443.

CLI:
> set vpn vserver <Gateway virtual server name> -dtls ON

GUI:
Go to NetScaler Gateway > Virtual Servers > select the virtual server and click Edit > Basic Settings > More > select DTLS.

Step 4: Binding certificate

If you have not bound a certificate to the Gateway virtual server, bind a server certificate to it. If you already bound a certificate as part of Step 1, unbind the certificate and bind it again so that it is also bound to DTLS.
Note: This step is not needed if you are using NetScaler build 11.0 64.34 or newer.

CLI:
> unbind ssl vserver <Gateway virtual server name> -certkeyName <cert key pair name>
> bind ssl vserver <Gateway virtual server name> -certkeyName <cert key pair name>

GUI:
Go to Gateway > Virtual Server Certificates > select the virtual server and click Edit > Certificates. Select the certificate and click the Unbind button. Then go to bind a certificate, select the same certificate and bind it.

Troubleshooting tips

When a user tries to launch an app, there should be communication from the client machine to NetScaler Gateway over UDP on port 443. A trace captured on the NetScaler should show packets with the client's IP address as the source and the NetScaler Gateway VIP as the destination. The packets can be filtered by the protocol QUIC (Quick UDP Internet Connections).
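
The trace check described above can also be scripted. The following is an added example, not Citrix code: it assumes the trace has been saved in classic libpcap format with Ethernet framing, and the function names and the documentation-range addresses in the sample are constructed for illustration.

```python
import socket
import struct

def udp443_flows(pcap: bytes, client_ip: str, vip: str, port: int = 443) -> dict:
    """Count UDP datagrams between a client and the Gateway VIP in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) libpcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    counts = {"client_to_vip": 0, "vip_to_client": 0}
    off = 24  # first record follows the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated, or not untagged IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        frag_off = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
        if ip[9] != 17 or frag_off or len(ip) < ihl + 8:
            continue  # not UDP, or a later fragment with no UDP header
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        if (src, dst, dport) == (client_ip, vip, port):
            counts["client_to_vip"] += 1
        elif (src, dst, sport) == (vip, client_ip, port):
            counts["vip_to_client"] += 1
    return counts

def _frame(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Build one constructed pcap record: Ethernet/IPv4 plus an 8-byte L4 header."""
    l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + l4
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample: documentation-range addresses, not taken from a real trace.
CLIENT, VIP = "198.51.100.10", "203.0.113.5"
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _frame(CLIENT, VIP, 17, 50000, 443),   # client -> VIP on UDP 443
    _frame(CLIENT, VIP, 17, 50000, 443),
    _frame(VIP, CLIENT, 17, 443, 50000),   # VIP -> client reply
    _frame(CLIENT, VIP, 6, 50001, 443),    # protocol 6 (TCP) on 443, ignored
    _frame(CLIENT, VIP, 17, 50002, 53),    # UDP to another port, ignored
])
print(udp443_flows(SAMPLE, CLIENT, VIP))
```

A `client_to_vip` count of zero means the UDP 443 traffic described above never reached the Gateway, which points back at the external firewall check in Step 2.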

Additional Information

Refer to the "NetScaler: How Do I?" page for more easy-to-implement articles on commonly used features of NetScaler.