EDT-Adaptive Transport with Azure Netscaler

[Franco Koenig]

hi all

i try to get my Azure VDI Windows 10-1703 to run with EDT over a own Netscaler in Azure, but it will not work. What i have:

Citrix Cloud Subscription - Create Deliverygroup and Hosting Connection to Azure

on Azure i have: Netscaler NS12.0 53.18.nc, own Storefron 3.13, and the Windows 10 VDI - NV6 Series

Citrix Policy i have enabled HDX Adaptive Transport

Netscaler i enabled DTLS and rebind Certificate

try it with VDA Version 7.15 and also 7.16, but i get always only TCP

Azure Firewall Rules i make inbound rules for tcp and udp to ports 80,443,1494,2598

no luck

 

is EDT on Azure Netscaler not supported, or did i miss something?

 

regards

frank

[Jonathan Clark1709155079]

Session reliability is enabled in Storefront correct? For the firewall you only need 443 on TCP/UDP to the NetScaler.  Then you need TCP/UDP FROM the NetScaler to the virtual desktop on 1494/2598. 

[Franco Koenig]

hmm you are right, the netscaler config file what i imported into storefront, have not enabled session realibility, so i turn it now on, and will try it again. maybe this was the fault, for sure from internal storefront udp is working, and yes i have create the nsg´s on azure. let me look if the session realiblity is the trick. thx

[Franco Koenig]

hi jonathan

i set this option now to enabled session reliability, but i get only the TCP Protocol. i am not sure if this netscaler in azure have a edt bug or so! maybe i should try a 11.x Version?

[Jonathan Clark1709155079]

Can you verify that EDT is set as "preferred" in your Citrix Policy settings?  Also, now that you Session Reliability enabled, can you verify that when your end-users connect you see it going over 2598?  You can do this by opening the Receiver client and looking at properties of the Client connection.  You should see Session Reliability set to "Enabled"

 

[Franco Koenig]

yes it is enabled: german :)

 

 

[Franco Koenig]

i am not sure if EDT is supported over Citrix Cloud with an Azure Ressource Location, where Storefront and Netscaler come from the Azure Location. Maybe the Citrix Cloud is here the problem?

[Jonathan Clark1709155079]

Does EDT work if you connect to ICA internally?  That will tell us if it is the NS or something else.   When you issue a "netstat –a –p UDP" does the VDA show as listening on UDP?

[Franco Koenig]

i try it over Storefront direct, also TCP

Citrix Cloud Policy - HDX Adaptive Transport - Prefered

 

 

[Jonathan Clark1709155079]

Okay, 2598 and 1494 should be listening and they are not.  We need to take the NetScaler out of the mix, until we can get your VDA to listen on the appropriate ports.  If the VDA is not listening, it will not work. If CTXSESSION shows TCP it will use TCP.  Can you run a GPUPDATE /FORCE to ensure you are getting the EDT policy?  Are these random pooled machines? if so, they may not cache the GPO and therefore can get weird when they startup.  

[Franco Koenig]

ok, citrix policy come from the citrix cloud delivery broker, so it is a static desktop, i make gpupdate /force and looks now better. from internal storefront it works now, both UDP Ports are listening 1494/2598, and ctxsession show me UDP. Over Netscaler it is again at TCP. so it is a Netscaler Issue i think. but i have enabled dtls, rebind certificate, disable mac forwarding, so what did i forget?

[Jonathan Clark1709155079]

Okay great!  Do you have UDP 443 opened from outside to the NetScaler VIP?  Do you have UDP 2598/1494 opened from the SNIP to the backend static machine?  

[Franco Koenig]

hmm i think i have opened all rules, i have a single arm mode, so all 3 IP´s in the same subnet. and i have this rules:

 

[Jonathan Clark1709155079]

YOu don't need UDP inbound on port 1494 or 2598 only 443.  1494 and 2598 should be FROM the NS to the backend.  Do you have the backend rules? I don't see any source of the NS to the backend virtual desktop. 

[Franco Koenig]

hmm good question, i am not so fit in this nsg rules on azure

 

netscaler is configured:

10.1.1.101 - NSIP

10.1.1.102 - SNIP

10.1.1.103 - VIP

10.1.1.21 - Windows 10 VDI with VDA 7.15.1

Backend LAN is 10.1.1.0/24

NSG Rule is associated to Backend LAN how it is in the picture above.

i am not sure if i have here with this rules a problem?

 

[Jonathan Clark1709155079]

So are you using the "VNET Inbound" rule where it is from VirtualNetwork to VirtualNetwork on Any Any?

[Franco Koenig]

no it is working with priority, so the rules with prio 100-103 will working, the other are defaults from azure when you create a NSG Rule. so i also put in outbound rule with tcp/udp 1494/2598 but not working.

[Jonathan Clark1709155079]

Okay, I am lost on that one then.  Did you fully unbind and then rebind the certificate?

[Franco Koenig]

maybe it is also this netscaler version in azure, maybe i try again the version 12? i have now NS11.1 49.16.nc

[Jonathan Clark1709155079]

Sure, give it a try. I don't have an Azure NS to try with, only my local MPX and VPX device. 

[Stefan Wendrich1709156509]

i have the same issue. Netscaler 12 build 53 deployed in single ip mode on azure.  (No citrix cloud subscription) 

I use the netscaler only for the HDX connection. My storefront tells the users through hdx optimal routing, they should use the netscaler on azure, where the XenApp 7.16 (win 2016) is deployed.

 

TCP connection is working well. If i connect through EDT, is see on the ICA Connection page on netscaler the session, but my client not connect to the xenapp server. (there is no firewall or nsg between netscaler and the xenapp server. And also on the xenapp Server the firewall is disabled.

On Prem is edt working well with an on prem netscaler 12 build 53.

[Franco Koenig]

Maybe a Azure Guru and also a Netscaler Guru can write a article how to configure Netscaler in Azure with a working EDT Support? I see there are no Citrix DOCS to this Scenario, and it would realy help us. So please Citrix Team, let us working all with EDT Protocol over Netscaler in Azure. Big Thx.

[Christiaan Brinkhoff]

I dedicated a complete article on EDT in Microsoft Azure, which I’d posted online last week.

 

Maybe you’ll find it interesting as follow up on this discussion thread.

 

Read the complete article here:

https://www.christiaanbrinkhoff.com/2018/02/23/how-to-configure-the-enlighted-data-transport-udp-protocol-edt-when-using-the-citrix-cloud-xenapp-and-xendesktop-service-with-the-vda-and-netscaler-placed-in-the-microsoft-azure-cloud/

 

Hope this helps.

 

Cheers,

Christiaan Brinkhoff

[Fernando Klurfan1709153904]

We (HDX) have found that sometimes a VDA running on Azure freezes up every 5-15 minutes requiring a session reconnect to resolve the issue.

 

Microsoft's Azure Support confirmed that Azure Gateway limits the packet size to 1420. Packets greater than 1420 may be dropped, and definitely truncated.

By default, Azure Gateway set TCP MSS=1350, and MTU=1400.

So we must reduce EDT MSS to 1400 or lower.
https://support.citrix.com/article/CTX231821

Relevant Azure documentation here:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#ipsec

[Franco König]

for me i test it today again. win10-1709 with vda 7.17, citrix session will open short, than citrix receiver message disapears, try to reconnect in 5 minutes, blabla. so it is not working. when i install vda 7.15 ltsr agent, than UDP is working. so you can say what you want, it must have to do with vda version or the combination of vda version and nvidia grid tesla m60 azure vm´s.