In a Citrix Virtual Apps and Desktops environment, the LoadMaster sits at the edge (behind a firewall), accepts connections from remote clients, and load balances them across the available StoreFront servers. The LoadMaster manages authentication against external authentication systems such as Active Directory or RADIUS. When StoreFront returns the ICA file to the client, the LoadMaster intercepts it and modifies the information with the appropriate load-balanced VDI server information.

The high-level flow is as follows:

  1. The client connects to StoreFront through the LoadMaster.
  2. The LoadMaster authenticates the client against Active Directory (AD) and assigns an "LMData" authentication cookie.
  3. The LoadMaster POSTs credentials to StoreFront, and StoreFront authenticates against AD.
  4. StoreFront forwards credentials to the Delivery Controller in an XML query.
  5. The Delivery Controller enumerates the user's applications by querying Active Directory for the user's security groups and querying the database for a list of the client’s applications.
  6. The client selects an application, and StoreFront queries the Delivery Controller to find a suitable VDI server that contains the application.
  7. The Delivery Controller returns the application information back to StoreFront in an XML file.
  8. StoreFront creates an ICA file with the connection details such as the IP address of the VDI server and a launch reference.
  9. The LoadMaster consumes the ICA file and rewrites the settings, which enables the client to make a secure, publicly resolvable connection.
  10. The LoadMaster forwards the ICA file to the client, and the client automatically initiates a new connection over a secure port such as port 4431.
  11. The LoadMaster receives the encrypted connection, decrypts it, and forwards it to the chosen VDI server.
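
A model of the rewrite in steps 8 and 9, with a check that the file handed to the client no longer discloses an internal address. This is an added example, not LoadMaster code: the sample ICA file, the host `apps.example.com`, and the assumption that only the `Address` key is rewritten are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of the INI-style ICA file StoreFront builds in step 8.
SAMPLE_ICA = """\
[ApplicationServers]
Notepad=

[Notepad]
Address=10.20.30.41:1494
InitialProgram=#Notepad
LaunchReference=EXAMPLE-LAUNCH-REF
TransportDriver=TCP/IP
"""

ADDRESS = re.compile(r"^Address=(.+)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def rewrite_ica(text, public_host, public_port):
    """Return (rewritten ICA text, internal backends that were replaced)."""
    out, backends = [], []
    for line in text.splitlines():
        m = ADDRESS.match(line.strip())
        if m:
            # Assumption: the proxy keeps the real backend on its own side
            # and publishes only its public endpoint to the client.
            backends.append(m.group(1))
            line = f"Address={public_host}:{public_port}"
        out.append(line)
    return "\n".join(out) + "\n", backends


def internal_addresses(text):
    """List private IPv4 addresses still present in an ICA file."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            if ipaddress.ip_address(candidate).is_private:
                found.append(candidate)
        except ValueError:
            pass  # dotted number that is not a valid IPv4 address
    return found


if __name__ == "__main__":
    rewritten, backends = rewrite_ica(SAMPLE_ICA, "apps.example.com", 4431)
    print(rewritten)
    print("kept on proxy:", backends, "leaks:", internal_addresses(rewritten))
```

Running `internal_addresses` over ICA files captured at the client side is a quick audit that the edge device is rewriting every launch and not passing VDI addresses through.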