Rendezvous V2 编辑
Rendezvous V2
When using the Citrix Gateway Service, the Rendezvous protocol allows VDAs to bypass the Citrix Cloud Connectors to connect directly and securely with the Citrix Cloud control plane.
Rendezvous V2 is supported with standard domain joined machines, Azure AD joined machines, and non-domain joined machines.
Note:
Currently, connectorless deployments are possible with Azure AD joined and non-domain joined machines only. Standard AD domain joined machines still require Cloud Connectors for VDA registration and session brokering. However, there are no DNS requirements for using Rendezvous V2.
Cloud Connector requirements for other functions not related to VDA communication, such as connecting to your on-prem AD domain, MCS provisioniong to on-prem hypervisors, etc., remain the same.
Requirements
The requirements for using Rendezvous V2 are:
- Access to the environment using Citrix Workspace and Citrix Gateway Service
- Control plane: Citrix DaaS
- VDA version 2203
- Enable the Rendezvous protocol in the Citrix policy. For more information, see Rendezvous protocol policy setting.
- Session Reliability must be enabled on the VDAs
- The VDA machines must have access to:
https://*.*.nssvc.net
onTCP 443
andUDP 443
for HDX sessions over TCP and EDT, respectively. If you can’t allow all subdomains in that manner, you can usehttps://*.c.nssvc.net
andhttps://*.g.nssvc.net
instead. For more information, see Knowledge Center article CTX270584.https://*.xendesktop.net
onTCP 443
. If you can’t allow all subdomains in that manner, you can usehttps://<customer_ID>.xendesktop.net
, whereis your Citrix Cloud customer ID as shown in the Citrix Cloud administrator portal.
Proxy configuration
The VDA supports connecting through proxies for both control traffic and HDX session traffic when using Rendezvous. The requirements and considerations for both types of traffic are different, so review them carefully.
Control traffic proxy considerations
- Only HTTP proxies are supported.
- Packet decryption and inspection are not supported. Configure an exception so the control traffic between the VDA and the Citrix Cloud control plane is not intercepted, decrypted, or inspected. Otherwise, the connection fails.
- Proxy authentication is not supported.
HDX traffic proxy considerations
- HTTP and SOCKS5 proxies are supported.
- EDT can only be used with SOCKS5 proxies.
- By default, HDX traffic uses the proxy defined for control traffic. If you must use a different proxy for HDX traffic, whether a different HTTP proxy or a SOCKS5 proxy, use the Rendezvous proxy configuration policy setting.
- Packet decryption and inspection are not supported. Configure an exception so the HDX traffic between the VDA and the Citrix Cloud control plane is not intercepted, decrypted, or inspected. Otherwise, the connection fails.
- Machine-based authentication is supported only with HTTP proxies and if the VDA machine is AD domain joined. It can use Negotiate/Kerberos or NTLM authentication.
Note:
To use Kerberos, create the service principal name (SPN) for the proxy server and associate it with the proxy’s Active Directory account. The VDA generates the SPN in the format
HTTP/<proxyURL>
when establishing a session, where the proxy URL is retrieved from the Rendezvous proxy configuration policy setting. If you don’t create an SPN, authentication falls back to NTLM. In both cases, the VDA machine’s identity is used for authentication. - Authentication with a SOCKS5 proxy is not currently supported. If using a SOCKS5 proxy, configure an exception so that traffic destined to Gateway Service addresses (specified in the requirements) can bypass authentication.
- Only SOCKS5 proxies support data transport through EDT. For an HTTP proxy, use TCP as the transport protocol for ICA.
Transparent proxy
If using a transparent proxy in your network, no additional configuration is required on the VDA.
Non-transparent proxy
If using a non-transparent proxy in your network, specify the proxy during the VDA installation so that control traffic can reach the Citrix Cloud control plane. Make sure to review the control traffic proxy considerations before proceeding with the installation and configuration.
In the VDA installation wizard, select Rendezvous Proxy Configuration in the Additional Components page. This option makes the Rendezvous Proxy Configuration page available later in the installation wizard. Once here, enter the proxy address or the path to the PAC file for the VDA to know which proxy to use. For example:
- Proxy address:
http://<URL or IP>:<port>
- PAC file:
http://<URL or IP>/<path/<filename>.pac
As stated in the HDX traffic proxy considerations, HDX traffic uses the proxy defined during the VDA installation by default. If you must use a different proxy for HDX traffic, whether a different HTTP proxy or a SOCKS5 proxy, use the Rendezvous proxy configuration policy setting. When the setting is enabled, specify the HTTP or SOCKS5 proxy address. You can also enter the path to the PAC file so the VDA knows which proxy to use. For example:
- Proxy address:
http://<URL or IP>:<port>
orsocks5://<URL or IP>:<port>
- PAC file:
http://<URL or IP>/<path/<filename>.pac
If you use the PAC file to configure the proxy, define the proxy using the syntax required by the Windows HTTP service: PROXY [<scheme>=]<URL or IP>:<port>
. For example, PROXY socks5=<URL or IP>:<port>.
How to configure Rendezvous
Following are the steps for configuring Rendezvous in your environment:
- Make sure that all requirements are met.
- If you must use a non-transparent HTTP proxy in your environment, configure it during the VDA installation. Refer to the proxy configuration section for details.
After the VDA is installed, add the following registry value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent Value type: DWORD Value name: GctRegistration Value data: 1
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论