How do I protect Citrix ICA traffic?
search cancel

How do I protect Citrix ICA traffic?


Article ID: 166154


Updated On:




Citrix traffic comes in two types: ICA traffic, also known as published applications; and SB, server browser flows.

It is common to classify Citrix traffic, especially ICA traffic, by published application name. For instance, PeopleSoft is usually more mission-critical than HTTP even though both may be running over Citrix.

This is beneficial since you can adjust the burstable priority in the policy based on the mission-criticality of the application.

Citrix is potentially delay-sensitive since users expect snappy thin-client response time.


Link speed and number of concurrent Citrix users you need to support are the determining factors in your policy assignment. Generally, you will want to use a rate policy with a guaranteed bandwidth in the range of 5-20K, burstable at priority 4 or 5.

If you have a slow link or a larger number of concurrent Citrix users, use a smaller guarantee.

For added protection, consider a partition on the Citrix parent class of 25-50% of the link size burstable to the full link size.

For details, see Manage Citrix Performance in PacketGuide.

Note that if LAN-attached printers are used, you will need to assign policies to Netbios-IP or Printer classes as appropriate. If your printers are directly attached to terminals, print jobs are within ICA. In this latter case, you may need to consider per-session guarantees, or per-session limits of 20K.