Citrix Cloud customers can now define networks and optimise internal network traffic.
Traditionally, in a Citrix Cloud deployment, all VADS users had to access VDA’s via the Gateway Service. This was regardless of whether the user that was accessing the VDA was External or Internal. While this behaviour is expected for external users, it is not optimal for internal users because traffic is first routed out to the Citrix Gateway Service, only to be rerouted back into the network to access a VDA on the same network as the user.
In order to reduce latency and increase user performance, Citrix Network Location Service can now be used to route internal users directly to internal VDA’s, eliminating the need to traverse the Citrix Gateway Service and further enhancing the Citrix VADS offering.
“This feature is currently in Technical Preview. Citrix recommends using technical preview features only in test environments.”
See diagram below:
Here is a step-by-step guide on how to set up Network Location Service.
First we need to set up a new “Secure Client” within our Citrix Cloud portal. To do this, access your Citrix Cloud portal at https://citrix.cloud.com and login with your admin credentials. Now, using the “Hamburger Menu” in th top left hand corner, select “Identity and Access Management”.
Now click “API Access” from the top level menu, and click “Secure Clients” from the sub menu.
Make a copy of the “Client ID” and paste it somehwere safe, Notepad for example.
Choose a friendly name for the “Secure Client” and click “Create Client”.
Make a copy of the “ID” and “Secret” using the Copy button. Again, paste them somewhere safe, Notepad maybe.
Now that’s everything needed on the Citrix Cloud end, we need start configuring the Network Locations on the VDA’s.
For this we can use the Poweshell Script (nls.psm1) which is available on Citrix GitHub repository, download here:
Save somewhere convinient, C:\ as an example.
Now open up PowerShell.
Next import the nls.psm1 module.
Now define the following variables, using the Client ID, Customer and Secret Key you copied to Notepad earlier from the Citrix Cloud Secure Client Setup.
Now set security protocol to TLS 1.2 (This is important, if you miss this step, the subsequent steps will fail).
Now we can go ahead and connect the Network Location Service.
If successful, you will receive the following message:
If you didn’t set the security protocol to TLS1.2 you will receive the following error message:
Assuming that you didn’t receive any error messages, you can now go ahead and create your network location.
The PowerShell command is:
New-NLSSite -name ”YOUR SITE NAME” -tags @(”YOUR TAGS”) -timezone “LOCATION TIMEZONE” -ipv4Ranges @(”EXTERNAL IP OF YOUR VDA’S”) -longitude 12.3456 -latitude 12.3456
Where “YOUR SITE NAME”, “YOUR TAGS”, “LOCATION TIMEZONE”, “EXTERNAL IP OF YOUR VDA’S” “-LONGITUDE / -LATITUDE” will be provided by you and is unique to your infrastructure.
If successful, you will receive the following message
Double check the details. Make sure everything is how it should be.
That’s it, Network Location Service is now set up successfully. All we need to do now is verify that your “Internal Users” are connecting directly to the VDA without traversing the Citrix Gateway Service. We can do this a number of ways but the easiest and most convinient way for me is through Citrix Director.
Go back to Citrix Cloud, from the “Hamburger Menu”, navigate to “Virtual Apps and Desktops”
Open up Citrix Director by clicking the “Monitor” button
Click the “Sessions Connected” to view the active sessions list.
Click the machine name you wish to view the sesssions for.
Choose the session that you want to view the details of
If the “Internal User” is connecting directly to the VDA without traversing Citrix Gateway Service (using Network Location Service), the protocol will show as UDP under “Session Details”
If the “External User” is connecting via the Gatway Service to the VDA (normal behaviour), or if the “Internal User” is connecting to the VDA while traversing the Citrix Gateway Service (not using Network Location Service) the protocol will show as TCP under “Session Details”
You have successfully configured Network Location Service.
Some key requirements and caveats for Network Location Service are;
- Network Location Service is in Tech Preview. Citrix recommends using technical preview features only in test environments.
- VDA’s must have an external IP address.
- Internal Users must have direct network access to the VDA’s.
- TLS 1.2 must be enabled in PowerShell.
- Virtual Apps and Desktops Service must be enabled.
- Secure Browser, Citrix Virtual Apps Essentials, and Citrix Virtual Desktops Essentials will always use the Citrix Gateway Service.
- Network Location Service for Citrix Managed Desktops and Citrix SD-WAN is in Tech Preview.
- HTML5 Receiver requires certificates on the VDAs due to Browser Websocket behaviour – See https://support.citrix.com/article/CTX134123.
- VDA’s must be delivered On-Premises.
- If your environment includes Managed Desktops alongside on-premises VDAs, configuring the Network Location Service causes Managed Desktops launches from the internal network to fail.