• User opens Netscaler page and enters their credentials over 443.
• User’s credentials are sent from the netscaler gateway to active directory domain controllers over ldap or secure ldap using TCP ports 389 or 636 as well as Global catalog request / TCP 3268 and 3269. If a radius server is used, authentication and accounting messages are sent over TCP or UDP ports 1645, 1812 and 1813.
• Once authenticated, user’s request is forwarded to storefront over 443 by Netscaler.
• StoreFront then checks with Delivery Controller for apps/desktops.
• Delivery controller checks with sql database(1433) for which apps/desktops does user has access to.
• Delivery controller passes this information to storefront, and storefront(443/80) sends it to user via Netscaler, NS back to user’s device. So far enumeration is done.
• When user clicks on an app/desktop, connection goes through Netscaler to storefront.
• Storefront checks with Delivery Controller and controller queries sql database with the least loaded server available to host the app.
• (If it is VDA, controller checks with the sql db and gets the VDI details and brokers that session to user’s device.)
• Delivery controller passes this information back to Storefront. If user is on LAN, and no Netscaler is used, Storefront creates connection file(ica file) and sent to user’s machine and launches it in user’s machine.
• If Netscaler is used, SF need to create a file and it need to send it to user over internet. These details can be exploited, so Storefront server contacts delivery controller again and gets a ticket(Secure Ticket Authority, STA) for this session(life time of 100 seconds by default). This ticket has information on requested application, server address and port number. These details are sent back to Netscaler and to user. STA tickets are requested by netscaler to a delivery controller.  Delivery controllers generate secure tickets in exchange for session information and these tickets are used to avoid transporting user-specific data over unsecured networks.
• When user launches the app, Netscaler checks with Delivery Controller with the ticket and launches the app. Note: This launch request already has requested application name, server address and port in it.
• Netscaler connects to the end resource(user’s app server or VDI) via 1494/2598(if session reliability is used).
• If using VDA, registration bewtween VDA and delivery controller  happens over port 80.

It also checks with citrix license server for a license before launching the app.