A brief introduction to the Citrix ICA protocol

Tags: passthrough, windows, remote access

The full English name of Citrix's ICA protocol is Independent Computing Architecture. According to Citrix's internal material, the acronym is also expanded as Intelligent Console Architecture.

1. History

ICA 1.0–1992

ICA 1.0 initially ran over a serial connection; support for IPX and NetBIOS was added later, so ICA 1.0 supports serial, IPX, and NetBIOS transports.


ICA 2.0–1992

ICA 2.0 was the first version of the ICA protocol with a graphical interface. It integrated Citrix Wincredible technology into the protocol to support multiple users, and it supported several operating systems: OS/2, DOS, Windows 3.1, and the TCP/IP stack for OS/2 from FTP Software.


Citrix Wincredible technology

"Citrix Wincredible technology is a solution, built on Microsoft Windows 3.1, that Citrix introduced to make a desktop system accessible to multiple users, greatly extending the benefits of Windows 3.1 and enabling high-performance remote access to Windows. Wincredible is a complete scaling technology based on the Windows system that lets multiple concurrent users access the server over a local LAN, over a serial connection, or remotely through a dial-up modem. Wincredible can be used to configure a Windows remote access server, a Windows application server on a LAN, or a wide-area-network Windows application performance enhancer, and to build a low-cost boot system for multiple Windows users."

ICA 3.0–1995

In August 1995 Citrix released the WinFrame for Networks product, a Windows NT-based architecture for remote access to a Windows server. The corresponding remote access protocol, ICA, was upgraded to version 3.0. Version 3.0 integrated features such as ThinWire 1.0, printing, client drive mapping, audio, and clipboard, and it supported more network protocols and access methods: TCP/IP, IPX/SPX, NetBEUI, serial, and modems.


In August 1996 Citrix released the world's first web browser client for Windows applications.


In 1997 Microsoft announced multi-user access support for Windows NT Server, enabling the Terminal Server protocol. In June 1998 Citrix released MetaFrame 1.0 for Windows NT Server 4.0, Terminal Server Edition.


MetaFrame is Citrix's product for centralized remote access to the enterprise information center. It is tightly integrated with Microsoft Terminal Services and is built on Terminal Services technology. Citrix MetaFrame offers one of the simplest solutions for centrally managing all enterprise applications in the information center, allowing employees or users to access them securely and quickly from any location. It was the predecessor of the later well-known XenApp.

ICA renaming and chaotic times

With the advent of virtualization technology, desktop virtualization briefly came to the fore. On the basis of the original ICA protocol, Citrix modified the display technology and added functionality for XenDesktop desktop virtualization; internally this variant was called PortICA, to distinguish it from the original ICA protocol used by XenApp. At the time of the XenDesktop 3.0 release, Citrix internally renamed some of the function modules of the PortICA protocol, as listed below:

[Figure: table of renamed PortICA function modules (image not preserved)]

These renamed functional modules are provided primarily for desktop virtualization. In XenDesktop 4.0, Citrix extracted the functional modules that differed from the original ICA protocol, packaged them together, and named the package HDX, for high-definition user experience.

Fusion era

In the latest Citrix products, Citrix has merged XenApp and XenDesktop, bringing the IMA architecture of the original XenApp and of XenDesktop 4.0 into the FMA architecture of the new XenDesktop. The FMA architecture first appeared in the Citrix XenDesktop 5.x product family; it differs from the traditional IMA architecture and is easier to manage and more convenient.

The ICA protocol is now integrated with HDX, and Citrix refers to the combination as the ICA/HDX protocol.


2. ICA protocol stack

The ICA protocol is optimized for high-latency links such as wide area networks (WANs). It also supports quality of service (QoS) and other bandwidth optimization features.


The ICA protocol works at the sixth layer (the presentation layer) of the seven-layer OSI model.


An ICA packet contains the following headers: frame header, reliability, encryption, compression, command, command data, and frame trailer. Only the command is required.

ICA encapsulates KVM (keyboard, video, mouse), printing, audio, drive mapping, clipboard, seamless window, and other functions as virtual channels. The current ICA protocol is developed around 32 bits and supports a maximum of 32 virtual channels. RDP differs from ICA here: RDP supports 30 virtual channels. Each channel has a corresponding endpoint on the server. The channels sit on top of the ICA WinStation driver, and each channel has its own virtual channel driver.


To better understand the ICA protocol, how it interacts with TCP/IP, and how its packets are received and sent over Ethernet, the details of ICA data transfer are described below. The ICA protocol stack looks like this:

[Figure: ICA protocol stack (image not preserved)]

The figure shows how ICA data flows through each protocol layer. ICA protocol packets are generated and packaged by the client application (or the server) and delivered over a TCP/IP network to the server (or the client application).

The ICA data received at the destination (client or server) passes back up through the corresponding protocol layers. All ICA protocol layers reside within the OSI network model.

2.1. Virtual Channel Driver

Each virtual channel has its own dedicated virtual channel driver that sends data to the WinStation driver. Because every virtual channel implements different functionality, the system calls each driver makes are not the same and follow no single specification. The driver for a virtual channel is therefore developed for the function that channel needs to implement, and depends entirely on that virtual channel's implementation.

2.2. WinStation Driver

The WinStation driver receives data from, and sends data to, multiple virtual channels (through their virtual channel drivers) via the lower network layers. The WinStation driver works at the application, presentation, and session layers of the OSI model. It performs the following functions:

    • Establishes an ICA session between the client and the server and maintains session information, such as whether compression and encryption are turned on for the session and whether ICA packet priority tagging is enabled.

    • Encodes ICA command information and transforms input virtual channel data into ICA packets, which are placed in the WinStation driver's input buffer. An ICA packet consists of a command byte followed by optional command data, as follows:

[Figure: ICA packet layout, a command byte followed by optional command data (image not preserved)]

Command data is not required, so an ICA packet may consist of only a single command byte. An ICA packet carries data from one virtual channel. The maximum length of a single ICA packet cannot exceed 2048 bytes (2 KB).

    • Compresses the ICA packet (when compression is enabled on the connection).

    • Merges or splits ICA packets (compressed or uncompressed) into an available output buffer. The WinStation driver sizes each output buffer so that the ICA packet data it contains does not exceed 1460 bytes when it leaves the framing protocol driver, which keeps the ICA packet from being fragmented or discarded when it is transmitted over TCP/IP.

    • Attaches a compression header when the packet is added to the output buffer (when compression is turned on).

    • When multiple ICA packets are assigned to one output buffer, the WinStation driver determines which ICA virtual channel packet in that buffer has the highest priority. It assigns each output buffer a priority based on its virtual channels and provides this information to the framing protocol driver. For example, if an output buffer contains ThinWire (priority 0) and printing (priority 3) ICA packets, the ThinWire data has the highest priority, so that priority is used for the buffer and the ThinWire virtual channel ICA packet is output first.

    • Forwards the output buffers to the encryption protocol driver (when encryption is turned on).

2.3. Encryption Protocol Driver

When encryption is turned on, the encryption protocol driver adds an encryption header to the output buffer data passed from the WinStation driver. All data after the encryption header is encrypted, including the compression header (if compression is turned on).

2.4. Framing Protocol Driver

The framing protocol driver computes the byte count of the output buffer and adds a frame header. In addition to the byte count, the frame header includes a two-bit priority value determined by the WinStation driver. For example, if the output buffer contains 1320 bytes and the packet is high priority, the binary value of the frame header is as follows:

[Figure: frame header binary value for a 1320-byte, high-priority output buffer (image not preserved)]

The low-order and high-order bytes are swapped for network transmission, so the frame header as transmitted is created as follows:

[Figure: the same frame header with its two bytes swapped for transmission (image not preserved)]

The ICA priority packet tagging feature described by this frame header was first introduced in MetaFrame 1.8 and is also included in MetaFrame XP. Earlier versions of MetaFrame used a frame header without priority bits: all 16 bits of the frame header are used for the byte count. Since the byte count never exceeds 2048 bytes (the 2 KB ICA packet limit), the first two bits are always zero when the older frame header is used.

2.5. TDTCP

The ICA protocol hands control to the TCP/IP protocol stack through the TDTCP (TCP transport driver) transport. TDTCP is the interface between ICA (or RDP) and the TCP/IP protocol stack. TDTCP does not add any header or trailer to the ICA data.

2.6. TCP/IP protocol

Once TDTCP transfers control to the TCP/IP protocol stack, the TCP/IP protocol driver prepares to transmit the ICA data over the network. The TCP/IP standards and the encapsulation of data for TCP/IP network transmission are described in detail in the RFCs, which can be found at http://www.faqs.org/.


3. Quality of service in the ICA protocol

QoS (Quality of Service) refers to a network's ability to use a variety of underlying technologies to provide better service to specified network traffic. It is an assurance mechanism for the network and a technique for solving problems such as network latency and congestion. Normally, if the network carries only applications without strict time limits, such as web applications or e-mail, QoS is not needed; it is necessary for critical applications and multimedia applications. When the network is overloaded or congested, QoS ensures that critical traffic is not delayed or discarded while keeping the network running efficiently. QoS is described in RFC 3644. A QoS solution can identify ICA traffic among network traffic either by TCP port (1494 by default) or by recognizing the initialization handshake when a new ICA session is established (which is safer than relying on the TCP port, because the port number is configurable). Some QoS solutions can also identify ICA communication by other information, such as the published application or the source IP address. This identification allows ICA sessions to be prioritized across the whole network as they travel. For example, when a user runs a business-critical application such as PeopleSoft through an ICA session, all ICA sessions can be given high priority.

ICA priority packet tagging gives a QoS solution the opportunity to identify the virtual channel priority inside the session, so that the higher-priority data of an ICA session is transmitted first. The following considerations apply when ICA priority packet tagging is used together with a QoS solution:

    • TCP and IP are stream-oriented protocols. When ICA data is received through TCP/IP, it may have been combined or split regardless of how the ICA protocol driver packaged it. ICA output buffers are deliberately limited to 1460 bytes of ICA packet data so that they are passed to the TCP/IP protocol stack unchanged; however, there is no guarantee that the output buffers remain unchanged after passing through the TCP/IP stack. Therefore the ICA priority bits in the frame header are not guaranteed to be at the same place in every TCP segment or IP packet, which prevents a QoS solution from relying on a fixed data offset to find the priority bits at the TCP and IP layers. To avoid this problem, a QoS solution must verify that the byte count in the TCP and IP layer headers matches the byte count in the first two bytes of the ICA data (after correct alignment, the first two bytes are the frame header, containing the priority bits and the ICA byte count). If the byte counts do not match, the ICA packets from the ICA output buffer that were passed to the TCP/IP stack may be incomplete or abnormal.

    • ICA priority packet tagging is implemented at the presentation layer (layer 6 of the OSI model). Most routers read data at the lower layers (layers 2 through 4), so routers do not have access to the ICA priority tag. When IP packets pass through routers they may be fragmented. If so, the first fragment contains the frame header, including the priority bits and a byte count that is now incorrect (because the packet has been fragmented). Subsequent fragments have no frame header and therefore carry no priority bits (or byte count). A QoS solution that receives such an incomplete packet therefore has a problem with ICA traffic, so it must verify the byte count between the IP layer and the ICA frame header to ensure that the priority bits are correctly identified.

    • TCP requires an acknowledgement segment to be sent for every TCP segment received into the TCP buffer. This can prevent a QoS solution from implementing its priority functions: if the acknowledgement carries no priority tag header, TCP reports failure to receive the TCP segment.
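As an added example (not code from the original article or from Citrix), the following Python sketch models the WinStation and framing behaviour of sections 2.2 and 2.4, and the byte-count check a QoS solution needs from section 3. It assumes a frame header layout the page shows only in its figures: a 16-bit value with the 2-bit priority in the two most significant bits and the byte count in the low 14 bits, transmitted low-order byte first, with the count covering the bytes that follow the header. The channel names and payloads are constructed sample data.

```python
"""Model of ICA output buffering, frame headers and the QoS byte-count check.
Assumptions (not stated on the page): priority occupies the top two bits of a
16-bit header, the byte count the low 14 bits, and the header is sent
low-order byte first; the count covers the bytes after the header."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_ICA_PACKET = 2048      # 2 KB limit on a single ICA packet (section 2.2)
MAX_OUTPUT_BUFFER = 1460   # ICA data per output buffer leaving the framing driver

HIGH, MEDIUM, LOW, BACKGROUND = 0, 1, 2, 3   # the four 2-bit priority values


@dataclass
class IcaPacket:
    channel: str      # 7-character virtual channel name (constructed samples below)
    priority: int     # 0..3, taken from the channel's priority table
    payload: bytes    # command byte plus optional command data


def encode_frame_header(priority: int, byte_count: int) -> bytes:
    """Build the 2-byte frame header: priority in the top two bits, count below."""
    if not 0 <= priority <= 3:
        raise ValueError("priority must be 0..3")
    if not 0 <= byte_count < (1 << 14):
        raise ValueError("byte count does not fit in 14 bits")
    value = (priority << 14) | byte_count
    return value.to_bytes(2, "little")   # low-order byte goes on the wire first


def decode_frame_header(header: bytes) -> Tuple[int, int]:
    """Return (priority, byte_count) from the first two bytes of a frame."""
    value = int.from_bytes(header[:2], "little")
    return value >> 14, value & 0x3FFF


def build_output_buffers(packets: List[IcaPacket]) -> List[Tuple[int, bytes]]:
    """Merge or split ICA packets into output buffers of at most 1460 bytes.
    Each buffer takes the highest (numerically lowest) priority of its packets,
    and payloads are ordered so the highest-priority data is output first."""
    buffers: List[Tuple[int, bytes]] = []
    current: List[Tuple[int, bytes]] = []   # (priority, chunk) pairs
    size = 0

    def flush() -> None:
        nonlocal current, size
        if current:
            ordered = sorted(current, key=lambda c: c[0])   # stable sort
            buffers.append((ordered[0][0], b"".join(chunk for _, chunk in ordered)))
        current, size = [], 0

    for pkt in packets:
        if len(pkt.payload) > MAX_ICA_PACKET:
            raise ValueError(f"ICA packet on {pkt.channel!r} exceeds 2 KB")
        if size and size + len(pkt.payload) > MAX_OUTPUT_BUFFER:
            flush()   # start a fresh buffer rather than splitting a packet that would fit
        remaining = pkt.payload
        while remaining:   # a packet above 1460 bytes is split across buffers
            room = MAX_OUTPUT_BUFFER - size
            chunk, remaining = remaining[:room], remaining[room:]
            current.append((pkt.priority, chunk))
            size += len(chunk)
            if size == MAX_OUTPUT_BUFFER:
                flush()
    flush()
    return buffers


def frame_buffers(buffers: List[Tuple[int, bytes]]) -> List[bytes]:
    """Framing protocol driver: prepend a header to every output buffer."""
    return [encode_frame_header(prio, len(data)) + data for prio, data in buffers]


def classify_tcp_payload(payload: bytes) -> Optional[int]:
    """QoS-style check from section 3: trust the priority bits only when the
    frame header's byte count matches what TCP actually delivered."""
    if len(payload) < 2:
        return None
    priority, count = decode_frame_header(payload)
    if count != len(payload) - 2:
        return None   # fragmented or coalesced: not on an ICA frame boundary
    return priority


if __name__ == "__main__":
    # Constructed sample: a printer packet (priority 3) followed by ThinWire (priority 0)
    sample = [IcaPacket("CTXCPM ", BACKGROUND, b"P" * 100),
              IcaPacket("CTXTW  ", HIGH, b"T" * 200)]
    for wire in frame_buffers(build_output_buffers(sample)):
        print(wire[:2].hex(), classify_tcp_payload(wire))
```

The 1320-byte, high-priority example from section 2.4 encodes under these assumptions as the byte pair `28 05`: the 16-bit value is 0x0528, sent low byte first. `classify_tcp_payload` returns `None` as soon as the header's count disagrees with the segment length, which is the condition the page says a QoS solution must refuse to act on.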


4. ICA protocol virtual channels

4.1. What is an ICA virtual channel?

The core of Citrix is the ICA protocol, which connects application processes running on the Citrix server with remote client devices through ICA's 32 virtual channels (each transmitting one kind of input or output data, such as mouse, keyboard, image, sound, port, or print data). The input and output of the application process running on the data center server is redirected to the remote client machine. ICA has 32 virtual channels by default, of which Citrix uses the first 29; the rest are available for third parties to define custom virtual channels, which are an integral part of the Citrix server remote computing experience. (According to some Citrix material, the ICA protocol now supports 64 static virtual channels; authoritative confirmation is pending, and the Citrix Receiver developed for Android supports only 32 virtual channels.)

The schema diagram for the virtual channel is as follows:

[Figure: virtual channel architecture (image not preserved)]

A virtual channel consists of a client-side virtual driver that communicates with a server-side driver. On the client side, each virtual channel corresponds to a virtual driver that provides a specific function; on the server side there is a matching server-side driver in one-to-one correspondence with it, and the two achieve bidirectional data communication.

The virtual drivers of the virtual channels work at the presentation layer.

The ICA client's virtual driver features are listed in the VirtualDriver value under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\ICA 3.0

This registry location lets us see which virtual channels are present in our environment and which virtual channel drivers provide them.

Virtual channels that are not needed can be removed. For details, refer to this document: http://www.dell.com/downloads/global/solutions/customization_of_the_citrix_ica_web_client.pdf

4.2. How ICA virtual channels work

An operating system is divided into user mode and kernel mode. Among the ICA virtual channels, some work in user mode and some work in kernel mode.

On the server side, some user-mode virtual channels are loaded by wfshell.exe, for example SpeedBrowse, EUEM, voice microphone, dual audio, clipboard, multimedia, seamless session sharing, and SpeedScreen. These virtual channels run in the operating system's user mode.

Other virtual channels work in the operating system's kernel mode and are loaded into the kernel when needed, such as cdm.sys and vdtw30.sys.

All client virtual channels transmit data through the WinStation driver above them. When the ICA client is installed there is a corresponding WinStation driver on both sides: built into wdica.sys on the server and into wfica32.exe on the client.

The following figure shows the client-server connection for a virtual channel.

[Figure: client-server connection for a virtual channel (image not preserved)]

The following is an overview of the client-server process for data exchange using virtual channels.

1. The client connects to the Citrix back-end server to obtain a service, such as launching an application.

2. When the server-side application starts, it obtains a virtual channel handle, because the application's graphical interface must be pushed to the front-end client. When the application sends display commands to the display driver layer on the VM, the ICA virtual channel driver intercepts the corresponding display calls and data and sends them to the WinStation driver's buffer.

3. After the data and commands reach the WinStation driver, it processes them in one of two modes, polling mode and direct mode:

    • Direct mode: if the server application has data to send to the client, the data is sent immediately. When data received from a virtual channel driver is stored in the WinStation driver buffer, the WinStation driver forwards it to the compression or encryption driver in order of virtual channel priority. After compression and encryption, it is forwarded to the framing protocol driver, encapsulated into a frame, and handed to the TCP/IP protocol stack, which immediately passes it to the client.

    • Polling mode: if the client's virtual driver has data to send to the server, that data has to wait a little longer, until the WinStation driver reads it by polling. That is, when the client sends data to the server, the packets are cached and queued, and they wait until the WinStation driver reads the queue.

4. After the client receives the packet, the ICA receiver module installed on the client parses the data, decodes the corresponding data and commands, and then invokes the appropriate interface of the specific driver through the client OS.

5. When the server has finished pushing the application display through the virtual channel and it is no longer in use, the virtual channel is closed and all allocated resources are released.

4.3. ICA virtual channel priority

ICA packet priority tagging defines the priority with which the virtual channel data of an ICA session is transferred. This is achieved by associating a 2-bit priority with each virtual channel; these 2 bits are included in the ICA data stream. The two bits combine to form four priority values:

    • 00 (0) High priority

    • 01 (1) Medium priority

    • 10 (2) Low priority

    • 11 (3) Background priority

Each virtual channel is assigned one of these priority values. The default virtual channel priority is as follows:

[Figure: default virtual channel priority table (images not preserved)]

The priority settings for all virtual channels are stored in the following registry entry:

[HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\icawd\Priority] (REG_MULTI_SZ)

This entry contains one line per virtual channel, in the format:

VirtualChannelName,Priority

VirtualChannelName is a standard virtual channel name as given in the table above.

VirtualChannelName must be exactly 7 characters, so it is padded with trailing spaces before the comma when necessary. Priority is one of the values 0, 1, 2, or 3.

The ThinWire virtual channels (CTXTW and CTXTWI) are the only ones with high priority by default, which ensures that latency-sensitive user interface data is sent first.
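As an added example (not code from the original article or from Citrix), the following Python module parses and validates entries in the format the Priority value uses, and flags any channel that has been given high priority beyond the ThinWire default. The entries are constructed sample data: CTXTW and CTXTWI come from the page, while CTXCPM and CTXCDM are assumed names used only to illustrate the format.

```python
"""Parse, format and audit REG_MULTI_SZ lines of the form VirtualChannelName,Priority.
The sample entries are constructed for this example; only CTXTW and CTXTWI are
names the page itself gives, the others are assumed for illustration."""
import re
from typing import Dict, Iterable, List, Sequence

NAME_LEN = 7                         # VirtualChannelName is always 7 characters
VALID_PRIORITIES = (0, 1, 2, 3)      # high, medium, low, background
ENTRY_RE = re.compile(r"^(.{7}),([0-3])$")   # exactly 7 name chars, comma, one digit
THINWIRE_DEFAULT_HIGH = ("CTXTW", "CTXTWI")  # the only high-priority channels by default

# Constructed sample value, one element per REG_MULTI_SZ line
SAMPLE_ENTRIES = [
    "CTXTW  ,0",   # ThinWire, high priority (from the page)
    "CTXTWI ,0",   # ThinWire, high priority (from the page)
    "CTXCPM ,3",   # assumed name: a printing channel at background priority
]


def format_priority_entry(name: str, priority: int) -> str:
    """Produce one Priority line, space-padding the name to 7 characters."""
    name = name.strip()
    if not 1 <= len(name) <= NAME_LEN:
        raise ValueError(f"channel name must be 1..{NAME_LEN} characters: {name!r}")
    if priority not in VALID_PRIORITIES:
        raise ValueError(f"priority must be 0..3: {priority!r}")
    return f"{name:<{NAME_LEN}},{priority}"


def parse_priority_entries(entries: Iterable[str]) -> Dict[str, int]:
    """Map channel name (padding removed) to priority; reject malformed lines."""
    table: Dict[str, int] = {}
    for raw in entries:
        match = ENTRY_RE.match(raw)
        if not match:
            raise ValueError(f"malformed Priority entry: {raw!r}")
        name = match.group(1).rstrip()
        if name in table:
            raise ValueError(f"duplicate channel entry: {name!r}")
        table[name] = int(match.group(2))
    return table


def high_priority_channels(table: Dict[str, int]) -> List[str]:
    """Channels currently configured with priority 0."""
    return sorted(name for name, prio in table.items() if prio == 0)


def unexpected_high_priority(table: Dict[str, int],
                             expected: Sequence[str] = THINWIRE_DEFAULT_HIGH) -> List[str]:
    """Audit helper: high-priority channels other than the ThinWire default."""
    return [name for name in high_priority_channels(table) if name not in expected]


if __name__ == "__main__":
    current = parse_priority_entries(SAMPLE_ENTRIES)
    print("high priority:", high_priority_channels(current))
    print("drift:", unexpected_high_priority(current))
```

On a real server the input list would be the REG_MULTI_SZ read from the Priority value; the audit reports any channel that has been raised to priority 0, which changes how the WinStation driver orders output buffers against ThinWire traffic.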

4.4. Custom virtual channels

Documentation links for custom virtual channels:

https://www.citrix.com/downloads/citrix-receiver/sdks/virtual-channel-sdk.html

https://www.citrix.com/community/receiver-ica-sdks.html

4.5. Dynamic virtual channels

The mechanism of dynamic virtual channel technology is almost the same as a multiplexed sub-channel mechanism, and it can be understood that way. Dynamic virtual channel technology is encapsulated in the ICA protocol and can also be used by calling the Microsoft RDP dynamic virtual channel API. When ICA virtual channels are insufficient, the RDP protocol's virtual channel API can be called to implement the functionality.

Microsoft's RDP dynamic virtual channel documentation: http://msdn.microsoft.com/en-us/library/bb540860(v=vs.85).aspx

4.6. Virtual channels with pass-through support

In the Citrix ICA protocol, the following virtual channels work the same way in single-hop and multi-hop (pass-through) configurations:

    • Client Drive Mapping,

    • Client COM Port Mapping,

    • Client Printer Mapping,

    • Smartcard Support,

    • Kerberos

    • TWAIN,

    • Client Local Text Echo / SpeedScreen Latency Reduction (ZLC),

    • Program Neighborhood Support,

    • Transparent Key Pass-through,

    • Multimedia support,

    • Client UPD and End User Experience monitoring.

Because latency matters, features such as compression, decompression, and rendering performed at each hop may slightly affect the performance of the user experience. This particularly concerns the following virtual channels:

    • Seamless,

    • ThinWire,

    • Philips Speech Mike Recorder and foot pedal and bi-directional Audio

Although some specific scenarios have not been tested, Citrix supports these virtual channels in most cases; when XenDesktop ICA sessions are used in Windows, most of them are pass-through sessions.

Specifically, on the XenDesktop server a VDA hook named PicaPassthruHook runs, whose sole purpose is to convince the client that it is running on a CPS (Citrix Presentation Server) server, so that the client enters its traditional pass-through mode.

The following virtual channels support the pass-through mode feature:

    • SSON,

    • Client Drive Mapping,

    • Client COM Port Mapping,

    • Client Printer Mapping,

    • Smartcard Support,

    • Kerberos

    • Client Local Text Echo / SpeedScreen Latency Reduction (ZLC),

    • Transparent Key Pass-through,

    • Multimedia support,

    • Client UPD.


This article is from the "I take fleeting chaos" blog; please keep this source: http://tasnrh.blog.51cto.com/4141731/1732342
