Citrix changing default ICA Protocol from TCP to UDP Q4 2017
For XenApp/XenDesktop versions released in Q4 2017 or later (version 7.16 or newer), the default protocol for ICA traffic will be changed from ICA TCP to Enlightened Data Transport (EDT). EDT is a recently-developed protocol from Citrix and is UDP based, unlike traditional ICA which is is TCP based. One of the reasons Citrix developed EDT is because TCP protocols have some drawbacks related to Congestion Control, leading to sub par performance in certain scenarios.
Citrix realizes however that UDP traffic is not always allowed, or configured, in Citrix environments, so they added a new feature called ’Adaptive Transport’ which will try EDT protocol (UDP) first, and if that does not work it will fallback to using regular ICA over TCP.
So to summarize the protocol changes:
- Citrix has built a new protocol for ICA traffic called EDT, and it is UDP based
- EDT will, according to Citrix, provide 10x faster throughput for File transfers and Printer traffic, 3x more responsive UI and 2x more FPS for audio and video.
- Citrix introduces Adaptive Transport which will attempt UDP first and if that does not work, fall back to using regular ICA TCP protocol
- EDT protocol is available from XenApp/XenDesktop 7.13 already, but you have to manually activate it through Citrix Policy setting
- If you have external users that launch XenApp/XenDesktop resources through a Netscaler and you wish to enable EDT, then you will need to enable the setting ’DTLS’ on the VPN vServer (Gateway server) on Netscaler and allow UDP 443 traffic between client computers and the Netscaler VPN vServer (80/443 TCP should be open already).
- Receiver 4.7 and later versions have support for EDT and Adaptive Transport. Receiver will use EDT if the .ICA file contains the setting ’HDXoverUDP’ with the value set to ’Preferred’. If needed, you can configure the Receiver GPO to override this behavior and force Receiver on specific computers to use EDT (or regular ICA TCP) regardless of protocol settings in the ica.file
- If you plan on using EDT through Netscaler, ensure you are running at least v11 build 55+ or v12 build 53+ on your Netscaler
- VoIP or other audio focused traffic should still be configured to utilize normal UDP protocol and not EDT, because for now regular UDP is better than EDT for this type of traffic.
- Framehawk is unaffected by introduction of EDT since Framehawk uses it’s own special version of UDP.
So what is the impact for us consultants or people who are planning on building new XenApp/XenDesktop environments:
- Ensure you open both TCP and UDP port 443 on your external firewalls, and that any ACLs on Netscaler allows both TCP and UDP traffic to the VPN vServer. You should open TCP port 80 to allow for HTTP->HTTPS redirection.
- Session Reliability needs to be enabled (it is enabled by Default in Citrix Policy settings and Storefront configuration) for EDT to work.
- Ensure the DTLS setting on the VPN vServer is Enabled. From Netscaler v12.0 and later, this setting is Enabled by default. Rebind the server certificate if you change the DTLS setting.
- For internal users starting XenApp/XenDesktop resources directly from the VDA (no Netscaler), ensure both TCP and UDP ports 1494 and 2598 are allowed between VDA’s and client computers.
Citrix EDT Blog – Part 1
Citrix EDT Blog – Part 2. At the end of the blog post are some useful steps on how to test and verify EDT functionality.
Citrix Blog on Adaptive Transport
Netscaler scenarios that support EDT
Technical requirements for EDT and how to configure your XenApp/XenDesktop environment to support it
If you have any questions or comments regarding above, feel free to email me at firstname.lastname@example.org
2017-12-04: Updated some factual statements in the blog that were incorrect – thanks to Fernando Klurfan for pointing them out.