Citrix NetScaler 12 supports VMware Horizon PCoIP – What you need to know
On April 27th Citrix released the latest version of their NetScaler product, Release 12 Build 41.16. This release enables proxying PCoIP, which is the primary protocol used with VMware Horizon. The protocol was licensed from Teradici in 2008; Amazon also licensed the protocol for their AWS offering in 2013. Remote access to VMware Horizon is provided with VMware products like Security server, the new Unified Access Gateway, or 3rd party solutions like F5. Many customers are using a Citrix solution as well, and with that the NetScaler is pretty common. Until now Citrix didn't support proxying PCoIP, which left customers with no other option than picking a different solution. Now with the latest release the option is there to use Citrix NetScaler to proxy PCoIP traffic. There are a few things you need to understand and my goal in this article is to give clarity. I know that two wonderful guys, Andrew Morgan and Philip Jones, are setting up a lab to do the real testing, so look out for their blogs on this.
—- a little error (a little too big I think) was in the article, so I rewrote parts of it. —-
First I will go into remote access and VMware Horizon, as you need to understand how things are communicating. VMware Horizon consists of a couple of components. It has a broker called the connection server. The connection server can tunnel the connection to the desktop, but when you enable that it becomes a SPOF: when your connection server goes down, so will all connections provided by that server. That's the main reason internal connections are never tunnelled. The connection is initially set up over 443 with the connection broker, and after the desktop is picked the client will have a direct connection.
VMware started off with their security server, as mentioned earlier. The security server proxied the traffic for the client, and the server had to be paired with an internal connection server. This pairing was done to enable the PCoIP secure gateway, and all traffic was tunnelled through the security server. Because this external connection was tunnelled, it could be interrupted when a security server went down. Also, you couldn't mix and match, so you needed extra servers for external access. That was one reason we didn't like Security servers that much.
VMware recognized this and came with their Access Point (already renamed to Unified Access Gateway). It is a virtual appliance (SLES) and is a transparent client in the perimeter network. With Access Point things changed: pairing with extra internal connection servers was not needed anymore. This made it possible to skip those extra connection servers for external access. All traffic, internal and external, now had the same path, which is much easier to manage and has fewer single points of failure.
One thing to remember is that the client needs to have access over UDP 4172 to the VDI desktop. Initially 443 is used to connect to the broker (the connection server). External traffic needs to be proxied, as you don't open up UDP 4172 all the way.
So now you know how VMware Horizon operates; now let's look at the new Citrix NetScaler PCoIP proxy offering.
Citrix NetScaler offering
Citrix designed their offering based on the Unified Access Gateway solution. It will connect to the connection servers you address in the console.
The Citrix NetScaler will use the Endpoint IP address for the PCoIP External URL address. When configuring the NetScaler you will connect to the connection server (load balanced) URL over port 443. So from the client you connect to the Citrix NetScaler over TCP 443, TCP 4172 and UDP 4172, bidirectional. The NetScaler will connect to the connection server over TCP 443, TCP 4172 and UDP 4172, bidirectional.
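The port matrix above can be checked against a firewall policy before go-live. This is an added example, not code from Citrix or VMware; the zone names (`internet`, `dmz` for the NetScaler, `internal` for connection servers and desktops), the one-line rule syntax and the sample rule sets are assumptions, and a stateful firewall is assumed so return traffic is not modelled.

```python
# Added example. Zone names and the rule syntax are assumptions for illustration,
# not NetScaler or Horizon configuration.

# Flows the article lists: (source zone, destination zone, protocol, port).
REQUIRED = [
    ("internet", "dmz", "tcp", 443), ("internet", "dmz", "tcp", 4172),
    ("internet", "dmz", "udp", 4172), ("dmz", "internal", "tcp", 443),
    ("dmz", "internal", "tcp", 4172), ("dmz", "internal", "udp", 4172),
]

def parse_rule(line):
    """Parse 'allow internet -> dmz tcp 443'; ports may be a range, proto may be 'any'."""
    action, src, _, dst, proto, ports = line.split()
    lo, _, hi = ports.partition("-")
    return {"action": action, "src": src, "dst": dst, "proto": proto,
            "lo": int(lo), "hi": int(hi or lo)}

def permits(rules, src, dst, proto, port):
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if (r["src"] in (src, "any") and r["dst"] in (dst, "any")
                and r["proto"] in (proto, "any") and r["lo"] <= port <= r["hi"]):
            return r["action"] == "allow"
    return False

def audit(lines):
    """Return (required flows that are blocked, direct internet->internal 4172 exposure)."""
    rules = [parse_rule(l) for l in lines if l.strip() and not l.startswith("#")]
    missing = [f for f in REQUIRED if not permits(rules, *f)]
    exposed = [("internet", "internal", p, 4172) for p in ("tcp", "udp")
               if permits(rules, "internet", "internal", p, 4172)]
    return missing, exposed

# Constructed sample rule sets.
GOOD = """allow internet -> dmz tcp 443
allow internet -> dmz tcp 4172
allow internet -> dmz udp 4172
allow dmz -> internal tcp 443
allow dmz -> internal any 4172
deny any -> any any 1-65535""".splitlines()

BAD = """allow internet -> dmz tcp 443
allow internet -> any udp 4000-5000
allow dmz -> internal tcp 443
allow dmz -> internal tcp 4172""".splitlines()

if __name__ == "__main__":
    for name, ruleset in (("GOOD", GOOD), ("BAD", BAD)):
        missing, exposed = audit(ruleset)
        print(name, "missing:", missing, "exposed:", exposed)
```

The `BAD` set shows the two failure modes at once: a wide UDP range to `any` satisfies the client-to-NetScaler flow but also opens UDP 4172 straight through to the internal network, while the NetScaler itself still lacks UDP 4172 to the back end.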
Release notes are found here – https://docs.citrix.com/content/dam/docs/en-us/netscaler/12/release-notes/NS_12_0_41_16.html
The support KB is found here – https://support.citrix.com/article/CTX223370
Looking at the offering I welcome the support as we see a lot of NetScalers around – Citrix NetScaler, an overview. The market is split between VMware's own offerings like Security server and Unified Access Gateway, or F5, which has a partnership with VMware to offer remote access. We don't see much F5 around over here as they have interesting pricing and we Dutch are cheap ;). So now we have a new option on the market, time to check it out.