Citrix NetScaler

Citrix NetScaler 12 supports VMware Horizon PCoIP – What you need to know

On April 27th Citrix released the latest version of their NetScaler product, Release 12 Build 41.16. This release enables proxying PCoIP, which is the primary protocol used with VMware Horizon. The protocol was licensed from Teradici in 2008; Amazon also licensed the protocol for their AWS offering in 2013. Remote access to VMware Horizon is provided with VMware products like Security server, the new Unified Access Gateway or 3rd party solutions like F5. Many customers are using a Citrix solution as well, and with that the NetScaler is pretty common. Until now Citrix didn’t support proxying PCoIP, which left customers with no other option than picking a different solution. Now with the latest release the option is there to use Citrix NetScaler to proxy PCoIP traffic. There are a few things you need to understand and my goal in this article is to give clarity. I know that two wonderful guys, Andrew Morgan and Philip Jones, are setting up a lab to do the real testing so look out for their blogs on this.

—- A little error (a little too big I think) was in the article, so I rewrote parts of it. —-

Remote access

First I will go into remote access and VMware Horizon, as you need to understand how things are communicating. VMware Horizon consists of a couple of components. It has a broker called the connection server. The connection server can tunnel the connection to the desktop, but when you enable that it becomes a SPOF: when your connection server goes down, so will all connections provided by that server. That’s the main reason internal connections are never tunnelled. The connection is initially set up over 443 with the connection broker, and after the desktop is picked the client will have a direct connection.

VMware started off with their security server, as mentioned earlier. The security server was proxying the traffic for the client, and the server had to be paired with an internal connection server. This pairing was done to enable the PCoIP secure gateway, and all traffic was tunnelled through the security server. You understand that this external connection, as it was tunnelled, could be interrupted when a security server went down. Also you couldn’t mix and match, so you needed extra servers for external access. That was one reason we didn’t like Security servers that much.

VMware recognized this and came with their Access Point (already renamed to Unified Access Gateway). It is a virtual appliance (SLES) and is a transparent client in the perimeter network. With Access Point things changed: pairing with extra internal connection servers was not needed anymore. This made it possible to skip those extra connection servers for external access. All traffic, internal and external, now had the same path, which is much easier to manage and has fewer single points of failure.

One thing to remember is that the client needs to have access over UDP 4172 to the VDI desktop. Initially 443 is used to connect to the broker (the connection server). External traffic needs to be proxied, as you don’t open up UDP 4172 all the way.

So now you know how VMware Horizon operates; now let’s look at the new Citrix NetScaler PCoIP proxy offering.

Citrix NetScaler offering

Citrix designed their offering based on the Unified Access Gateway solution. It will connect to the connection servers you address in the console.

The Citrix NetScaler will use the Endpoint IP address for the PCoIP External URL address. When configuring the NetScaler you will connect to the connection server (load balanced) URL over port 443. So from the client you connect to the Citrix NetScaler over TCP 443, TCP 4172 and UDP 4172, bidirectional. The NetScaler will connect to the Connection server over TCP 443, TCP 4172 and UDP 4172, bidirectional.
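As an added example (not from the original article, Citrix or VMware), this Python sketch audits a constructed firewall allow-list against the flows listed above and flags any rule that lets port 4172 in from outside the LAN to something other than the NetScaler. The rule format, all addresses and the helper names are assumptions.

```python
import ipaddress

net = ipaddress.ip_network

# Constructed addressing plan: every address here is an assumption.
INTERNAL = net("10.0.0.0/8")
ANY = net("0.0.0.0/0")
VIP = net("203.0.113.10/32")   # NetScaler gateway virtual server
SNIP = net("10.0.0.10/32")     # NetScaler source address towards the LAN
BROKER = net("10.0.1.20/32")   # load-balanced connection server

# Flows the article lists for the PCoIP proxy.
REQUIRED = [(s, d, proto, port)
            for s, d in ((ANY, VIP), (SNIP, BROKER))
            for proto, port in (("tcp", 443), ("tcp", 4172), ("udp", 4172))]

def parse(line):
    """Parse 'allow <proto> <src-cidr> <dst-cidr> <lo>[-<hi>]' (constructed format)."""
    _, proto, src, dst, ports = line.split()
    lo, _, hi = ports.partition("-")
    return proto, net(src), net(dst), int(lo), int(hi or lo)

def covers(rule, flow):
    """True when an allow rule fully permits the given required flow."""
    proto, src, dst, lo, hi = rule
    f_src, f_dst, f_proto, f_port = flow
    return (proto == f_proto and lo <= f_port <= hi
            and f_src.subnet_of(src) and f_dst.subnet_of(dst))

def audit(lines):
    """Return (required flows not permitted, rules that bypass the proxy)."""
    rules = [parse(l) for l in lines]
    missing = [f for f in REQUIRED if not any(covers(r, f) for r in rules)]
    # PCoIP (4172) reachable from outside the LAN on anything but the gateway VIP.
    bypass = [l for l, (proto, src, dst, lo, hi) in zip(lines, rules)
              if lo <= 4172 <= hi and not src.subnet_of(INTERNAL)
              and not dst.subnet_of(VIP)]
    return missing, bypass

SAMPLE = [  # constructed ruleset, default deny assumed
    "allow tcp 0.0.0.0/0 203.0.113.10/32 443",
    "allow tcp 0.0.0.0/0 203.0.113.10/32 4172",
    "allow udp 0.0.0.0/0 10.0.2.0/24 4172",   # desktops exposed directly
    "allow tcp 10.0.0.10/32 10.0.1.20/32 443",
    "allow tcp 10.0.0.10/32 10.0.1.20/32 4172",
    "allow udp 10.0.0.10/32 10.0.1.20/32 4172",
]

if __name__ == "__main__":
    missing, bypass = audit(SAMPLE)
    for s, d, proto, port in missing:
        print(f"MISSING {proto}/{port} {s} -> {d}")
    for line in bypass:
        print(f"BYPASS  {line}")
```

On the sample ruleset the audit reports the UDP 4172 flow to the NetScaler as missing and the rule that opens UDP 4172 straight to the desktop subnet as a bypass of the proxy.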

Release notes are found here –

The support KB  is found here –

Looking at the offering I welcome the support as we see a lot of NetScalers around – Citrix NetScaler, an overview.  The market is split between VMware’s own offerings like Security server and Unified Access Gateway or F5 which has a partnership with VMware to offer remote access. We don’t see much F5 around over here as they have interesting pricing and we Dutch are cheap ;). So now we have a new option on the market, time to check it out.

5 thoughts on “Citrix NetScaler 12 supports VMware Horizon PCoIP – What you need to know”
  1. Hi Rob,

    I think there is some misinformation regarding your view on how VMware’s Security Servers and Citrix Netscaler works.

    With Security Servers, PCoIP connection goes thru Security Servers towards VDAs. It never goes thru Connection Servers (unless Connection servers also act as Security Server), and a failure of Connection server does not affect any active PCoIP connections going thru Security servers.

    The only traffic that goes thru Connection servers is the broker communication such as user authentication, entitlements enumeration and app/desktop launch request. The actual PCoIP connection never goes thru Connection server (again, unless it acts as a Security server).

    Same story with Citrix Netscaler and F5. PCoIP connection always goes from the gateway towards the VDA, not going thru Connection server.

    1. You’re right… don’t know what I was thinking when I wrote that.. changed it – Thanks

  2. How come you believe that the NetScaler PCoIP proxy requires dedicated Horizon Brokers (for external access) to be set up? My understanding is that NetScaler works in the very same way as VMware’s Unified Access Gateway. This is also pretty much what the documentation (which you linked to) states.

    1. Thanks for noticing that… at the time of release the information said you had to enable secure gateway on the connection server which was why I wrote what I wrote.
      I reread the docs now and there is more clear info now. You are right it is as it should be. I deleted the lines that contained wrong information.

      Again, thanks for giving me a message.
