Best practices for ICA encryption, NetScaler, and session reliability

  • Place the NAM Probe sniffing point at the WAN head (in front of the NetScaler or, if there is one, in front of the F5).

  • If ICA is delivered over SSL, have SSL keys on the NAM Probe to enable decryption of this traffic.

    • Check the ports of the HTTP and ICA services that the client connects to. If both use the same IP and the same port in front of the data center (for example, 443 for the browser and 443 for ICA, both on the same F5 VIP), you have to choose which decode to use: ICA over SSL or HTTPS. The NAM Probe does not support running both decodes on the same port.
    • If you choose to monitor in front of the load balancer with the ICA decode (and thus ignore HTTP traffic on the same port), you can set up another NAM Probe sniffing point behind the load balancer and in front of the NetScaler, and monitor it with the HTTP/HTTPS decode. This monitoring point will reveal the portion of the client login time spent on the server. This point won't say anything about end-user experience with the login screen (you can’t see WAN latency from this vantage point), but server time for the login will be measured correctly. WAN latency will be measured by the NAM Probe listening in front of the F5 and reported for the ICA traffic.
  • ICA encryption has to be disabled (no SecureICA) or the NAM Probe will not be able to see the channels within the ICA stream. (You don’t need SecureICA if ICA is delivered over SSL.)

  • TCAM can be particularly helpful when NetScaler is not in use. TCAM reports XenApp system statistics and maps any activity originated by the XenApp server to the name of the Citrix user on whose behalf the XenApp server contacts the application. TCAM will not map inbound ICA sessions seen by the NAM Probe in front of the F5 to Citrix user names, but user names for the WAN segment are picked up from the ICA stream itself by the NAM Probe's ICA decode, assuming no SecureICA is present.
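The port check from the second bullet, worked through as an added example (it is not code from the original page or from the NAM Probe product): the one-line-per-service listing format, the service names and the VIP addresses are constructed, and the decode labels "HTTPS" and "ICA_SSL" are assumptions. The script flags any VIP:port that carries both browser HTTPS and ICA over SSL, where a single sniffing point can run only one decode, and derives the two-point layout described above (ICA decode at the WAN head, HTTP/HTTPS decode behind the load balancer).

```python
from collections import defaultdict
from typing import NamedTuple

# Constructed sample, one client-facing service per line: '<service> <decode> <vip>:<port>'.
# "HTTPS" is the browser login traffic, "ICA_SSL" is ICA delivered over SSL (assumed labels).
SAMPLE = """
storefront HTTPS 203.0.113.10:443
ica-gateway ICA_SSL 203.0.113.10:443
admin-console HTTPS 203.0.113.11:8443
"""

class Endpoint(NamedTuple):
    service: str
    decode: str
    vip: str
    port: int

def parse_endpoints(text):
    """Parse the constructed listing format above into Endpoint records."""
    endpoints = []
    for line in text.strip().splitlines():
        service, decode, socket = line.split()
        vip, port = socket.rsplit(":", 1)
        endpoints.append(Endpoint(service, decode, vip, int(port)))
    return endpoints

def find_decode_conflicts(endpoints):
    """Return {(vip, port): [decodes]} for each socket that would need two decodes,
    which one NAM Probe sniffing point cannot run on the same port."""
    by_socket = defaultdict(set)
    for ep in endpoints:
        by_socket[(ep.vip, ep.port)].add(ep.decode)
    return {sock: sorted(d) for sock, d in by_socket.items() if len(d) > 1}

def plan_sniffing_points(endpoints, front_decode="ICA_SSL"):
    """Always sniff at the WAN head. On a socket shared by two decodes only
    front_decode runs there; the other decode gets a second point behind the
    load balancer (server-side login time only, no WAN latency)."""
    conflicts = find_decode_conflicts(endpoints)
    front = {ep.decode for ep in endpoints
             if (ep.vip, ep.port) not in conflicts or ep.decode == front_decode}
    plan = [{"location": "WAN head, in front of the load balancer", "decodes": sorted(front)}]
    behind = {d for decs in conflicts.values() for d in decs if d != front_decode}
    if behind:
        plan.append({"location": "behind the load balancer, in front of the NetScaler",
                     "decodes": sorted(behind)})
    return plan

if __name__ == "__main__":
    for point in plan_sniffing_points(parse_endpoints(SAMPLE)):
        print(point["location"], "->", ", ".join(point["decodes"]))
```

Services that sit on a non-shared port (the constructed admin-console on 8443) stay decodable at the WAN head, so only the shared VIP:port forces the second sniffing point.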