by Christiaan Brinkhoff, CTP
Citrix has made some great innovations across its product line over the last two years. One of them is the release of the Enlightened Data Transport (EDT) protocol. I always meant to write an article on this specific topic, but never got around to it, and that is going to change today…
“Citrix sessions over 200ms latency long-haul WAN connections? Citrix takes care of that…”
With Citrix solutions it was already possible to connect to your desktop from anywhere around the globe. With EDT enabled, the connection is also optimized for both short- and long-distance datacenter connections. The future of work is not a place, but rather a thing you do. The Digital Workspace of the future will mostly be built in a public cloud such as Microsoft Azure, so the distance between the Azure datacenter region and the end user is something you need to address proactively when you design a new Citrix (hybrid) cloud environment.
There is a gap in the documentation on this feature that I'd like to fill with this article. I hope it helps you understand the EDT protocol better and that you will use it as the default for your XenApp and XenDesktop implementations, whether cloud or on-premises, in the near future. I'm excited about the technology, so I hope I transfer a bit of that enthusiasm to you…
See the following architecture drawing of how it technically works, from the end user to Azure:
In this article, I’ll walk you through the required steps for configuring EDT for your Citrix XenApp and XenDesktop Cloud Service environment in Microsoft Azure.
Note: EDT is currently only available when you use a bring-your-own NetScaler in combination with the XenApp and XenDesktop Service in Citrix Cloud, or with the on-premises versions. EDT support for the cloud-hosted Citrix Workspace gateway in Citrix Cloud is following soon, very soon…
Table of contents
- Deploy the Cloud Connector(s) inside Microsoft Azure
- NetScaler – Azure NSG Network Requirements
- Deploy the Citrix NetScaler from the Azure marketplace
- Activate DTLS on NetScaler virtual server
- Activate the EDT Citrix Policy in Citrix Cloud
- Perform a Citrix UDP – EDT ICA session
Did you know these facts?
- Internal (LAN) sessions also run over UDP when EDT is enabled, not only external sessions through NetScaler.
- Up to 2.5x better interactivity depending on the nature of the load and network conditions, and up to 10x faster file transfer.
- The Citrix Workspace and NetScaler-as-a-Service remote access option in Citrix Cloud does not support EDT yet; when you use the Citrix Cloud XenApp and XenDesktop Service you need to set up your own NetScaler in Azure IaaS to use this feature.
- Local Host Cache also works when using the Citrix Cloud XenApp and XenDesktop Service.
- Fast connect time: when UDP is unavailable there is no timeout to wait through before the session falls back to TCP.
- UDP is used whenever it becomes available, at any point in the lifetime of an HDX session: for example, when switching from a data plan to Wi-Fi, or between network subnets with different access policies.
- EDT is not designed to save bandwidth; it optimizes the end-user experience on long-distance (public cloud) datacenter connections.
- It is not a compression protocol nor a more efficient encoder.
- It just gets the data where it needs to go faster (it’s a transport protocol).
- Might actually use more bandwidth if it is available (but this is good for interactivity and bulk data transfer speed).
Differences between UDP and TCP, background insights…
As you may know, the ICA protocol currently (without EDT activated) runs over TCP. TCP and UDP both carry application data over IP, but they work differently. TCP stands for Transmission Control Protocol; UDP stands for User Datagram Protocol. The main difference is that TCP is connection-oriented while UDP is connectionless. In TCP, after the handshake has set up the connection, data flows in both directions with acknowledgements, retransmission of lost segments, in-order delivery and congestion control. In UDP, each datagram is sent on its own, with no handshake, no acknowledgement and no ordering. TCP is therefore the more reliable of the two, but UDP has less overhead and lower latency, and a protocol built on top of UDP can implement its own loss recovery and congestion control tuned for its workload. That is exactly what EDT does: it is a reliable transport that runs over UDP.
So, what is Enlightened Data Transport Protocol?
Adaptive transport is a data transport technology for remote access to XenApp and XenDesktop environments. It is faster, more scalable, improves application interactivity, and is more responsive on challenging long-haul WAN and internet connections. Adaptive transport maintains high server scalability and efficient use of bandwidth. With adaptive transport, ICA virtual channels automatically respond to changing network conditions: they intelligently switch the underlying protocol between the new Citrix protocol, Enlightened Data Transport (EDT), and TCP to deliver the best performance. It improves data throughput for all ICA virtual channels, including Thinwire display remoting, file transfer (Client Drive Mapping), printing, and multimedia redirection. The same setting applies to both LAN and WAN conditions.
When set to Preferred, data transport over EDT is used as primary, with fallback to TCP. By default, adaptive transport is disabled (Off) and TCP is always used. For testing purposes, you can set Diagnostic mode, in which case only EDT is used, and fallback to TCP is disabled.
More in-depth info? Please check the following source: https://www.citrix.com/blogs/2017/11/20/hdx-adaptive-transport-and-edt-icas-new-default-transport-protocol-part-ii/
Requirements for EDT
- Citrix Cloud XenApp and XenDesktop Service
- VDA for Desktop OS 7.13 or higher
- VDA for Server OS 7.13 or higher
- StoreFront 3.9 (in Azure) or higher
- Citrix Receiver for Windows 4.7 or higher
- Citrix Receiver for Mac 12.5 or higher
- Citrix Receiver for iOS 7.2 or higher
- IPv4 VDAs only. IPv6 and mixed IPv6 and IPv4 configurations are not supported.
- NetScaler 11.1 build 55.x is the minimum supported (stable) version in Azure.
Note: Citrix just announced New EDT behavior in XenApp/XenDesktop 7.16 and Q4 Receivers. Please check the following Citrix support article for more information.
Citrix Cloud Connector
I already mentioned this in one of my previous articles, so as an extra reminder: configure the NetScaler Gateway STA (Secure Ticket Authority) entries to point at the FQDN of each Citrix Cloud Connector over port 80, since the Cloud Connectors provide the STA service in a Citrix Cloud deployment.
Citrix Cloud Connector – Local Host Cache
One of the advantages people are often not aware of when thinking about the cloud is that Local Host Cache, which you know from on-premises deployments, is also available when using the Citrix Cloud XenApp and XenDesktop Service. The technology works the same as in the on-premises FMA 7.x versions of XenApp and XenDesktop, so you'll find the same Config Synchronizer and High Availability services of the Desktop Broker in the services console of the Citrix Cloud Connector.
Always install two or more Citrix Cloud Connectors in Microsoft Azure and place them in the same Availability Set, with at least two fault domains and two update domains. Citrix just made a comprehensive whitepaper available on Citrix Cloud Connector sizing and best practices; check it out when you need more information.
Note: For Local Host Cache to help you, StoreFront and NetScaler must be installed in Microsoft Azure IaaS. When the connection to Citrix Cloud breaks, the cloud-hosted Citrix Workspace/StoreFront will (obviously) not respond, so sessions can only be brokered through your own StoreFront and NetScaler in Azure.
Analysing Desktop Protocols
When you work with virtual desktop environments such as Citrix XenDesktop or VMware Horizon (Blast), you always want the best user experience for the end user. If you do not have it in your IT professional toolbox already, you definitely need to check out the Remote Display Analyzer tool. Bram Wolfs (Citrix CTA) and Barry Schiffer (Citrix CTP) are the creators of this tool and, even better, it is freely available to the community!
It also supports active transport protocol detection, which is very useful for this article. The tool pops up in the Virtual Desktop environment during a session, see the picture below as example. Another awesome new feature since release 2.0 is the support for basic GPU information with extended functionality for Nvidia vGPU cards.
Interested in the software or want to know more? Please check it over here.
Networking Requirements in Azure
The following network ports need to be opened on the internal Azure virtual network and on the external Network Security Group that is attached to the NetScaler(s) in Microsoft Azure. The internal rules allow the XenApp and XenDesktop servers (VDAs), the StoreFront server(s) and the NetScaler(s) to communicate with each other on the back end.
From the outside, only TCP 443 (TLS) and UDP 443 (DTLS) need to reach the NetScaler Gateway VIPs. The EDT traffic itself, UDP 1494 and UDP 2598 from the NetScaler to the VDAs, stays inside the virtual network.
Inbound rules NetScaler
Extra: Add HTTP port 80 if you want to provide http -> https redirection for your end users.
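As an added example, not from the original article, the same inbound rules expressed with the Az PowerShell module so the NSG is reproducible instead of click-through. The resource group, location, NSG and NIC names are placeholders; it assumes the Az module is installed and `Connect-AzAccount` has been run.

```powershell
# Added example (not from the original article): create the external NSG for the
# NetScaler NIC(s) with the inbound rules this section describes.
# Assumptions: Az PowerShell module installed and logged in (Connect-AzAccount);
# resource group, location, NSG and NIC names below are placeholders.

$ResourceGroup = 'rg-citrix-weu'      # placeholder
$Location      = 'westeurope'         # placeholder
$NsgName       = 'nsg-netscaler-ext'  # placeholder
$NicName       = 'nic-netscaler-ext'  # placeholder: the NetScaler's external NIC
$RedirectHttp  = $true                # $false if you do not want HTTP -> HTTPS redirection

$rules = @(
    # TLS: Gateway logon page, ICA proxy and Session Reliability over TCP
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Gateway-TCP-443' -Description 'NetScaler Gateway VIP, TLS' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
        -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 443

    # DTLS: the EDT/UDP tunnel from Receiver to the Gateway VIP
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Gateway-UDP-443' -Description 'NetScaler Gateway VIP, DTLS for EDT' `
        -Access Allow -Protocol Udp -Direction Inbound -Priority 110 `
        -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 443
)

if ($RedirectHttp) {
    $rules += New-AzNetworkSecurityRuleConfig -Name 'Allow-Gateway-TCP-80' -Description 'Optional HTTP to HTTPS redirect' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 120 `
        -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 80
}

# Everything else from the Internet is dropped by the built-in DenyAllInBound rule (priority 65500).
# Traffic inside the virtual network (NetScaler -> StoreFront/VDAs, including UDP 1494/2598)
# stays allowed by the built-in AllowVnetInBound rule, so it needs no extra inbound rule here.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Location $Location `
    -Name $NsgName -SecurityRules $rules

# Attach the NSG to the NetScaler's external NIC.
$nic = Get-AzNetworkInterface -ResourceGroupName $ResourceGroup -Name $NicName
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null

# Read back what was created: one line per rule with protocol, port and priority.
$nsg.SecurityRules |
    Select-Object Name, Protocol, DestinationPortRange, Priority, Access |
    Format-Table -AutoSize
```

Nothing is opened from the Internet towards the VDAs or StoreFront: only the two 443 rules (plus the optional port 80) hit the NetScaler VIP, and the NetScaler forwards EDT to the VDAs over the VNet-internal rules.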
Deploy the Cloud Connector(s) Inside Microsoft Azure
Before we start with the installation of the Citrix Cloud Connectors, we need to deploy one or, recommended, two basic VMs in Microsoft Azure.
Note: I assume that you already have an Azure account and have a Virtual Network, storage account and (optional) a resource group. This is required for all the upcoming steps in Microsoft Azure!
Just log into your Azure account and deploy a Windows Server 2016 machine from the marketplace. Follow the next steps…
Note: There is no need for premium SSD storage for this type of machine. To save costs, use a basic size such as A2_v2.
Note: When you install two, make sure to place the Cloud Connector VMs in the same Availability Set. Finish the deployment in Azure, join the Cloud Connector VMs to the domain and go to the next step.
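The same deployment scripted with the Az PowerShell module, added here as an example and not part of the original article: two Windows Server 2016 VMs of size A2_v2 on standard storage, placed in one Availability Set with two fault domains and two update domains. The resource group, virtual network, subnet and VM names are placeholders, and the VNet and subnet are assumed to exist already; domain join and the Cloud Connector install still follow as described in the steps below.

```powershell
# Added example (not from the original article): deploy two Cloud Connector VMs into one
# Availability Set with two fault domains and two update domains, on a basic size.
# Assumptions: Az module installed, Connect-AzAccount done; resource group, VNet, subnet
# and names below are placeholders, and the VNet/subnet already exist.

$ResourceGroup = 'rg-citrix-weu'        # placeholder
$Location      = 'westeurope'           # placeholder
$VnetName      = 'vnet-citrix'          # placeholder, must exist
$SubnetName    = 'snet-infra'           # placeholder, must exist
$AvSetName     = 'as-cloudconnectors'   # placeholder
$VmSize        = 'Standard_A2_v2'       # no premium storage needed for this role
$Names         = @('cc-azure-01', 'cc-azure-02')
$Cred          = Get-Credential -Message 'Local administrator for the Cloud Connector VMs'

# One Availability Set for all connectors: 2 fault domains, 2 update domains, managed disks.
$avSet = New-AzAvailabilitySet -ResourceGroupName $ResourceGroup -Location $Location -Name $AvSetName `
    -PlatformFaultDomainCount 2 -PlatformUpdateDomainCount 2 -Sku Aligned

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName

foreach ($name in $Names) {
    # Private NIC only: the connectors talk outbound to Citrix Cloud over HTTPS and need
    # no public IP; the NetScaler reaches them (STA, port 80) inside the VNet.
    $nic = New-AzNetworkInterface -ResourceGroupName $ResourceGroup -Location $Location `
        -Name "nic-$name" -SubnetId $subnet.Id

    $vm = New-AzVMConfig -VMName $name -VMSize $VmSize -AvailabilitySetId $avSet.Id |
        Set-AzVMOperatingSystem -Windows -ComputerName $name -Credential $Cred -ProvisionVMAgent -EnableAutoUpdate |
        Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Skus '2016-Datacenter' -Version 'latest' |
        Add-AzVMNetworkInterface -Id $nic.Id |
        Set-AzVMOSDisk -Name "osdisk-$name" -CreateOption FromImage -StorageAccountType Standard_LRS

    New-AzVM -ResourceGroupName $ResourceGroup -Location $Location -VM $vm | Out-Null
}

# Verify both VMs landed in the set and sit in different fault/update domains.
Get-AzAvailabilitySet -ResourceGroupName $ResourceGroup -Name $AvSetName |
    Select-Object -ExpandProperty VirtualMachinesReferences |
    ForEach-Object { Get-AzVM -ResourceGroupName $ResourceGroup -Name ($_.Id -split '/')[-1] -Status } |
    Select-Object Name, PlatformFaultDomain, PlatformUpdateDomain
```

The final read-back is the check that matters: if both connectors report the same fault domain, a single hardware failure takes down your Local Host Cache brokering as well.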
Note: Make sure to disable IE Enhanced Security Configuration before you start the cwcconnector.exe installation.
Switch back to the Citrix Cloud and click on + Connector to download the Citrix Cloud Connector(s).
Click on Download and save the file (cwcconnector.exe) somewhere on the Cloud Connector servers in Azure; the installation needs (of course) to be run from inside that machine.
Install the Citrix Cloud Connector software on the servers in Azure; first sign in with your Citrix Cloud account.
Testing the Connection…
Note: Troubles with the connection? Please check out this troubleshooting article.
Connection successfully verified, click on Close
Click on Refresh All
The new resource location should now appear in the list. Perform the same steps for the other Cloud Connector(s).
Note: The yellow/orange mark is shown because only one Citrix Cloud Connector is active. When you install a second Cloud Connector in Azure the warning disappears. And remember: place them in the same Availability Set!
After the second Connector is installed, the warning is gone.
Now open the hamburger menu and click on Resource Locations.
Rename the resource location to Azure – DC location.
Save the new Resource Location name and check if it’s changed in the menu.
Deploy the Citrix NetScaler from the Azure Marketplace
I’m assuming that you already have a XenApp and XenDesktop Service environment (or trial) activated. If not, please check one of my previous articles before continuing to the next step.
The next step is to prepare the NetScaler in Azure. I already covered all the initial configuration steps of NetScaler in Microsoft Azure Infrastructure-as-a-Service in the article below.
Extra: I also advise to add Azure Multi-Factor Authentication to the NetScaler configuration. Check another article of my blog for providing the configuration steps.
Remember to point the Delivery Controllers in the StoreFront store configuration to the Citrix Cloud Connectors, not to Citrix Cloud itself!
Activate DTLS on the NetScaler Virtual Server
To activate the EDT functionality on the NetScaler, you need to enable DTLS in the Basic Settings of the NetScaler Gateway VPN virtual server. With DTLS on, the virtual server also listens on UDP 443, which is the port Receiver uses for the EDT tunnel through the gateway.
Open the VPN Gateway Virtual Server
Activate the DTLS setting
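The same change through the NITRO REST API, added as an example that is not part of the original article, so it can be scripted and verified rather than clicked. It assumes the NITRO `vpnvserver` resource with its `dtls` attribute (ON/OFF), which is what the `set vpn vserver <name> -dtls ON` CLI command maps to; the NSIP, credentials and virtual server name are placeholders, and `-SkipCertificateCheck` requires PowerShell 6 or later.

```powershell
# Added example (not from the original article): enable DTLS on the NetScaler Gateway
# VPN virtual server through the NITRO REST API, then read it back and verify.
# Assumptions: NSIP, credentials and vserver name are placeholders; the NITRO resource
# 'vpnvserver' with attribute 'dtls' (ON/OFF) corresponds to 'set vpn vserver <name> -dtls ON'.
# -SkipCertificateCheck is only acceptable because this targets the internal NSIP with its
# default self-signed management certificate; never do that across the Internet.

$Nsip    = '10.0.1.10'          # placeholder NSIP (management address)
$User    = 'nsroot'             # placeholder
$Pass    = Read-Host -AsSecureString 'NetScaler password'
$Vserver = 'vs_gateway_edt'     # placeholder VPN vserver name
$Base    = "https://$Nsip/nitro/v1/config"

$plain = [System.Net.NetworkCredential]::new('', $Pass).Password

# 1. Log in; NITRO returns the auth token as a cookie, kept in the web session.
$login = @{ login = @{ username = $User; password = $plain } } | ConvertTo-Json
Invoke-RestMethod -Method Post -Uri "$Base/login" -Body $login -ContentType 'application/json' `
    -SessionVariable ns -SkipCertificateCheck | Out-Null

# 2. Set DTLS ON on the vserver (the Basic Settings checkbox in the GUI).
$body = @{ vpnvserver = @{ name = $Vserver; dtls = 'ON' } } | ConvertTo-Json
Invoke-RestMethod -Method Put -Uri "$Base/vpnvserver/$Vserver" -Body $body -ContentType 'application/json' `
    -WebSession $ns -SkipCertificateCheck | Out-Null

# 3. Read back and fail loudly if DTLS is not ON.
$vs = (Invoke-RestMethod -Method Get -Uri "$Base/vpnvserver/$Vserver" -WebSession $ns -SkipCertificateCheck).vpnvserver
if ($vs.dtls -ne 'ON') { throw "DTLS is still '$($vs.dtls)' on $Vserver" }
"{0}: ip {1} port {2} dtls {3}" -f $vs.name, $vs.ipv46, $vs.port, $vs.dtls

# 4. Log out so the NITRO session does not linger.
Invoke-RestMethod -Method Post -Uri "$Base/logout" -Body (@{ logout = @{} } | ConvertTo-Json) `
    -ContentType 'application/json' -WebSession $ns -SkipCertificateCheck | Out-Null
```

Remember to save the running configuration afterwards (`save ns config` on the CLI), otherwise the DTLS setting is lost on the next reboot of the NetScaler.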
Activate the EDT Citrix Policy
Go to citrix.cloud.com
Open the Citrix Policy management console in Citrix Cloud – Studio
Create a new Policy
Search for HDX Adaptive Transport
Activate the Policy – value on Preferred.
Note: With Preferred, the session uses EDT over UDP and falls back to the normal TCP transport (port 1494, or 2598 with Session Reliability) when the EDT UDP port is not reachable. With Diagnostic mode, only EDT is used and the fallback to TCP is disabled, so use it for testing only.
Click on Assign – next to Delivery Group
Assign the policy to the Delivery Group
Give in a name for the Citrix policy, click on Finish
Enable the policy
Perform a Citrix UDP – EDT ICA Session
Click on Monitor – in the Citrix Cloud Console
Search for a user that is logged on to the Desktop environment in Azure
Open the Session Details menu
Check that the Connection Type is HDX and the Protocol is UDP
You can also open the Connection Center (Client Connection Status) of the local Receiver to check whether EDT over DTLS is active.
Open the Properties screen
If EDT is running, you’ll see the DTLSv1 encryption level and DTLSv1 TLS version.
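Two scriptable checks to complement the Monitor and Receiver screens above, added as an example that is not part of the original article. They assume the VDA listens for EDT on UDP 1494 (and UDP 2598 with Session Reliability), that the Receiver session process is `wfica32.exe`, and that a UDP endpoint owned by that process indicates EDT; HDX audio over UDP can also create one, which is why the result lists the endpoints instead of just a yes/no.

```powershell
# Added example (not from the original article): run Test-EdtOnVda on a VDA in Azure and
# Test-EdtOnClient on the end-user device. Assumptions: EDT listeners on the VDA are
# UDP 1494 (ICA) and UDP 2598 (Session Reliability); the Receiver session process is
# wfica32.exe; a UDP endpoint owned by it indicates EDT (HDX UDP audio is the caveat).

function Test-EdtOnVda {
    # EDT listeners: UDP 1494 and UDP 2598.
    $udp = Get-NetUDPEndpoint | Where-Object { $_.LocalPort -in 1494, 2598 }
    # The TCP listeners must stay, because 'Preferred' has to be able to fall back to TCP.
    $tcp = Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in 1494, 2598 }
    [pscustomobject]@{
        UdpPorts = @($udp | Select-Object -ExpandProperty LocalPort -Unique | Sort-Object)
        TcpPorts = @($tcp | Select-Object -ExpandProperty LocalPort -Unique | Sort-Object)
        EdtReady = ($udp.Count -gt 0)   # $false here means the policy or the VDA firewall is wrong
        Fallback = ($tcp.Count -gt 0)
    }
}

function Test-EdtOnClient {
    $ica = Get-Process -Name wfica32 -ErrorAction SilentlyContinue
    if (-not $ica) {
        return [pscustomobject]@{ SessionRunning = $false; UdpInUse = $false; Endpoints = @() }
    }
    # Windows does not track the remote peer of a UDP socket, so only the local endpoints
    # owned by wfica32.exe can be listed: through NetScaler Gateway the peer is the Gateway
    # VIP on UDP 443, on the internal network it is the VDA on UDP 1494/2598.
    $udp = Get-NetUDPEndpoint -OwningProcess $ica.Id -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SessionRunning = $true
        UdpInUse       = ($udp.Count -gt 0)
        Endpoints      = @($udp | Select-Object LocalAddress, LocalPort, OwningProcess)
    }
}

# Usage:
#   Test-EdtOnVda       # on the VDA: EdtReady should be $true with UdpPorts 1494, 2598
#   Test-EdtOnClient    # on the endpoint: UdpInUse $false while Monitor shows TCP means a fallback happened
```

When `Test-EdtOnVda` reports `EdtReady` as `$true` but the client shows no UDP endpoint and Monitor shows TCP, the UDP path is blocked somewhere between Receiver and the VDA: check the UDP 443 rule on the NetScaler NSG and the DTLS setting on the virtual server first.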
That’s it, I hope this solves your problem.
(Read the rest of the article on my own personal blog here.)