Configuring DirectAccess to Support Citrix Connections

We’ve seen a lot of questions on how to get the Citrix client to work with DirectAccess. The following provide some information and procedures that may work to get the Citrix client to work over DirectAccess.

The Citrix client can use IPv6 to connect to one type of server only: the Citrix Secure Gateway (CSG). In order for the Citrix client to work over DA, you need to:

  1. Install the CSG on the internal network
  2. Configure the Citrix Web Interface to use CSG
  3. Create an NRPT rule that uses the internal DNS server directly instead of going through the UAG DNS64

A key issue to be aware of is that Citrix clients do not support IPv6, with the exception of connecting to the Citrix Secure Gateway (CSG). Although it can sit directly on the internet, it’s preferred that it be put it on the LAN, with an IPv6 address (either native or ISATAP). Here’s how it works:


  1. The client establishes a DA connection
  2. The user uses the browser to bring up the Citrix Web Interface and authenticates to it.
  3. The Web Interface compiles a list of allowed applications and presents them to the user.
  4. The user clicks an icon that represents an application and the Web Interface invokes the client side Citrix plug-in
  5. The Citrix plug-in initiates a session with the server through the CSG according to the connection information supplied by the Web Interface. In this case this includes information about the SSLProxy (CSG) and Secure ticket authority.

In configuring the CSG, note should be taken in to use the IPv6 address to listen on.

The client plug-in needs to be version 11 and above and must trust the CSG’s server certificate.

Finally, it appears that even though the Citrix client is able to connect over IPv6 to the CSG, it needs the CSG’s name to resolve to both the IPv4 address and the IPv6 address. For this to happen, we need to exempt the name of the CSG from the NRPT in the UAG DirectAccess configuration so that it uses an internal DNS server instead of the UAG DNS64. This is done by entering the IP address of the internal DNS server. Not doing this will default to the UAG DirectAccess server’s DNS64 services, which never returns IPv4 addresses (it always returns a NAT64 address), causing issues for the Citrix client.

An example of how you can configure this is included in the figure below.




Tom Shinder
Microsoft DAIP iX/SCD iX
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time):
Follow me on Twitter:

Comments (13)

  1. Jeff25 says:

    So you need Citrix Secure Gateway to accomplish this?  Citrix EOLed that product over 2 years ago….

  2. Marc Grote says:

    Hi Tom,

    you entered the FQDN of the CSG Srever,but the radio button "DNS Suffix" is selected. Is this a typo?

    regards Marc

  3. Jason Jones says:

    Hi Tom,

    From testing onsite with a customer, it would appear that if you are using ISATAP on the CSG server, this negates the need to add an NRPT entry.

    We have a standard NRPT rule for the internal DNS suffix and the CSG hostname is also on the same DNS suffix (and also located internally). We can see client connections to the CSG server using the DA client Teredo address and Citrix applications are fully working.




  4. Kristian Aasen says:


    Could I ask what kind of config you have on your web interface site?

    XML Port / http/https/SSLRelay?



  5. Jason Jones says:

    It was a pretty standard setup using XML on port 80 from memory. The web interface site was installed on the actual CSG server itself so that we could provide settings for DA clients independently…



  6. vj says:

    Hello Sir

    I tried this on server 2012 but dns fails when i put it in the nrpt rules

    pls advise

  7. cmh says:

    Does anyone know if this works for the Access Gateway Enterprise platform or netscaler as well?  Also the link to the CSG section above appears to be dead:

    In configuring the CSG, note should be taken in…/index.jsp
    to use the IPv6 address to listen on.

    I’m not sure what you mean by the IPv6 address that needs to be listened on… was hoping a traditional Access Gateway Enterprise/Web Interface implementation would work without too much reconfiguration.


  8. Matthijs says:

    Hi All,

    The latested NetScaler Gateway (10.1) release supports IPv6 on the outside address and can translate this to IPv4 XenApp / XenDesktop / WI / StoreFront servers on the insite. This might help some deployments.

    Kind regards,


  9. Frank says:

    Hi guys,

    followed these instructions to get XA 6.5 up & running succcessfully. How about XD 7 and Direct Access ? – Will I need to buy NS just to get users launching any application ?

    Any information, suggesttions available `?



  10. Karina says:

    Matthijs wrote:

    "The latested NetScaler Gateway (10.1) release supports IPv6 on the outside address and can translate this to IPv4 XenApp / XenDesktop / WI / StoreFront servers on the insite. This might help some deployments"

    Yes, this was a great news, specially for using Storefront, because we could not find a way to tell Storefront to go through AGEE when it is connections from internal networks (DA tunnel)

    Is it anybody who knows how this configuration should look like?

  11. Jair says:

    Hi everyone. I knew that Store front already support IPv6, thats correct? I need to eliminate the CSG this because is causing problems now.


  12. Sohail Pendhari says:

    We have XD 7.5 environment , but still unable to launch Desktops via Direct Access Client .. I see i dont get ping from Broker server from DA client , other citrix server i am able to get ipv6 response …any clue what could be the issue ?

  13. ithamster says:

    Sohail: Just use Citrix receiver 4(supports ipv6) on the endpoints and configure controllers with Set-BrokerSite -DnsResolutionEnabled 1> Returns DNS hostname instead of IPv4 address. So very easy setup in newer Citrix environment. Check also NRPT rules
    on DA, but should work already since internal domain should already be there