
This product reached the end of support date on March 31, 2021.

Citrix ICA with TCAM Agent

We currently have several applications onboarded using the TCAM agent for their Citrix environments. I was wondering if we should be seeing the user name carry through to the various back end tiers? For instance:

User -> Citrix (TCAM) -> Application Servers (HTTP) -> NAS (SMB) and Database (MSSQL)

Would we only get the user IDs on the Citrix tier (be able to see the published applications they are using) or should we also expect to see the user names carried back to the application servers for the operations that user is doing?

Best Regards,





TCAM provides data allowing the AMD to map usernames to both frontend (User -> Citrix) and backend (Citrix -> Application Servers) traffic. Further tiers (like Application Servers -> Database) won't receive the Citrix username.


Is there any configuration that is needed to use the username provided by the TCAM agent for the Application server tier? Currently only seeing the Citrix server IP / name for the user name on the application tier's clients.

I'm guessing since we are using Endace probes with 4 VM AMDs and dedicating the TCAM agent traffic to an individual AMD for processing that the correlation to the backend tiers isn't happening because their traffic is going to a separate AMD.

Is the traffic for the Citrix servers (TCAM) and the next tier back (application servers) required to go to the same AMD for this user name correlation?

The frontend and backend traffic does not need to be seen by the same AMD, but the following preconditions need to apply:

  • TCAM(s) are sending data to all AMDs
  • The AMDs which analyze backend traffic still need to have the appropriate ICA software services defined in their configuration (even though they don't see the traffic).

Please also check the username mapping configuration (RUM Console -> AMD config -> Global -> Advanced -> User-IP Mapping):

  • Listening for username mappings on UDP port 514 is enabled
  • The mapping parser is set to "citrixParser"
  • The "Enabled" checkbox next to the "Session client name mappings timeout" parameter is checked and the timeout is greater than 0.


This is really helpful, thanks. Would you happen to know if I would be able to send syslog messages from the one AMD they are currently coming into and send it to the rest? I know that I could make the change on the agents to send to all AMDs, just wondering if there was a way to send it from the one AMD to prevent changes done by the application teams.

No, the AMDs are not capable of retransmitting received mappings to other AMDs.

Within the TCAM Manager I'm seeing that only 1 AMD IP can be checked at a time, however multiple can be added to the list. Is there any importance to this checkbox? Is it indicating only one AMD can receive the syslog messages from the agent?

Username information will be sent to all AMD IPs on the list. The one with the checkbox ticked will additionally receive performance statistics (CPU, disk, etc. data from the Citrix server).