How does the ICA traffic flow via PNAgent and via Citrix Web Access?

Posted on 2014-08-13
Last Modified: 2014-09-04
Hello there,

I would like to know the difference between how the ICA traffic flow when user launch Citrix Publish apps by right clicking Citrix Online Plugin and when user launch app via Citrix Web Access.

Please advise.

Citrix Thanks and Regards
Question by:goprasad
    LVL 23

    Accepted Solution

    Hey traffic always goes the same route because the PNAgent uses the Citrix Web Access site (if you are referring to the Web Interface/StoreFront) for both options.

    What happens when you log into the Storefront site is than an XML request is being send to the Citrix server to first check and see what applications have have rights to. After that, the website is shown with applications available for you (PNAgent publishes this within your startmenu directly.

    After that, when you click on one of the applications the StoreFront server connects to the datacollector and asks it what server has the smallest load at that point and the datacollector gives a server name back to the StoreFront. At that point a launch.ica file is created that connects to the Citrix server of the datacollectors choice and sets up a session to that server.

    The PNAgent uses the exact same technique because if you e.g. start up Word from within the startmenu of your computer you will see an active session on one of the Citrix servers. ICA after that does nothing more and nothing less encapsulating the information within it's protocol to make sure bandwidth is limited as much as possible.

    Author Comment

    I just wanted to know the traffic flow when user hits internally (WI) by rigjht clicking on the Published app in Citrix Online plugin and when users hits Netscaler when accessed from external network
    LVL 23

    Assisted Solution

    What you see above is the internal traffic. Externally not much more happens. The only thing is that your NetScaler encapsulates all traffic into a 443 port.

    What you see when opening the launch.ica file is that when you go internally this file will hold the ip address of one of the Citrix servers (because it can connect to it internally). When you get the launch.ica file from a NetScaler the ip address of the netscaler (with port 443 instead of 1494) will be inthere as the server. The Netscaler takes care of the traffic to the internal WI.

    Featured Post

    Why You Should Analyze Threat Actor TTPs

    After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

    Join & Write a Comment

    After several days of searching and hunting for limited documentation, I wanted to share this guide to hopefully save someone the hassle of trying to figure this out on their own. I have tested this on Xendesktop 7.1 and PS 4.5 running simultaneous…
    This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

    755 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    21 Experts available now in Live!

    Get 1:1 Help Now