To configure Citrix XenApp and XenDesktop server farms in VMware Identity Manager, you create one or more virtual apps collections in the Catalog > Virtual Apps Collection page. Each collection contains configuration information such as the Citrix servers from which to sync resources and entitlements, the Integration Broker to use for sync and SSO, the VMware Identity Manager connector to use for sync, and administrator settings such as the default launch client.

About this task

You can add all your Citrix server farms in one collection or create multiple collections, based on your requirements. For example, you may choose to create a separate collection for each farm for easier management and to distribute the sync load across different connectors. Or you may choose to include all server farms in one collection for a test environment and have another identical collection for your production environment.

Before you configure Citrix published resources in VMware Identity Manager, ensure that you meet all the prerequisites.

Also follow these guidelines for Citrix server farm settings.

  • Syncing Delivery Groups

    A delivery group's Delivery Type setting in Citrix determines how VMware Identity Manager syncs the delivery group.

    VMware Identity Manager syncs a delivery group only if its Delivery Type is set to DesktopsAndApps or DesktopsOnly. If the delivery group's Delivery Type is set to AppsOnly, its applications are synced but the delivery group itself is not synced and does not appear in the VMware Identity Manager catalog.

    Configure your delivery groups accordingly.

  • In XenDesktop and XenApp 7.9, if you use the Limited Visibility Group option to restrict users, ensure that the Limited Visibility Group contains users or groups. If it does not contain any users or groups, sync to VMware Identity Manager will not work.

  • Ensure that all Citrix published applications and desktops in a Site contain valid users. If you delete a user or group, make sure that you remove the user or group from Citrix-published resources too.

  • Make sure that users and groups have been assigned to the correct Delivery Group.

    If you select settings to restrict users, make sure that they include users and groups.

  • XenDesktop and XenApp 7.x allow you to set entitlements for all authenticated users at the delivery group level with the "Allow any authenticated user to use this delivery group" setting. VMware Identity Manager does not support this setting. To ensure that users have the correct entitlements in VMware Identity Manager, set explicit entitlements for the users and groups.

Prerequisites

  • Configure VMware Identity Manager. See Installing and Configuring VMware Identity Manager and VMware Identity Manager Administration for information.

  • Make sure that users and groups with Citrix entitlements have been synced from your enterprise directory to VMware Identity Manager using directory sync.

    Users must have the distinguishedName attribute. If the attribute is not set for a user, the user may not be able to run desktops and applications.

  • Deploy the Integration Broker and ensure that you have met all the prerequisites described in Prerequisites for Citrix Integration.

  • If you are using a load balancer in front of the Integration Broker, note the host name or IP address of the load balancer for use during this task.

  • If you want to use the Use StoreFront option, available in VMware Identity Manager 2.9.1 and later, ensure the following requirements are met.

    • Install Integration Broker 2.9.1 or later.

    • Ensure that StoreFront is supported by the XenApp or XenDesktop version you are using.

    • Ensure that the Integration Broker can communicate with the StoreFront server.

      When you enable the StoreFront REST API, the Integration Broker communicates with the StoreFront server to generate the ICA file.

    • Enable HTTP Basic Authentication as an authentication method in the Citrix StoreFront store. This requirement is for internal access only.

      Caution:

      If you do not enable HTTP Basic Authentication, authentication will fail.

  • Review Citrix documentation for your version of Citrix XenApp or XenDesktop.

Procedure

  1. Log in to the VMware Identity Manager administration console.
  2. Select the Catalog > Virtual Apps Collection tab.
  3. Click Add Virtual Apps and select Citrix Published Application.
  4. Enter a unique name for the collection.
  5. From the Sync Connectors drop-down menu, select the connector that you want to use to sync the resources in this collection.

    If you have set up multiple connectors for high availability, click Add Connector and select the connectors. The order in which the connectors are listed determines the failover order.

  6. In the Sync Integration Broker section, provide information about the Integration Broker instance that you want to use to sync resources.
    1. Enter the fully qualified domain name and port number of the Sync Integration Broker.

      If you have configured a load balancer in front of multiple Integration Broker instances dedicated to sync, enter the host name or IP address and port number of the load balancer.

    2. To connect to the Integration Broker over SSL, select the Use SSL check box and copy and paste the SSL certificate of the Integration Broker server.

      Note:

      If you are using a self-signed certificate, also upload the certificate on the Appliance Settings > Manage Configuration > Install SSL Certificates > Trusted CAs page. For external connectors, the page is at https://connectorFQDN:8443/cfg/ssl. If you selected more than one sync connector, add the certificate to the Install SSL Certificates > Trusted CAs page of all the connectors.

  7. In the SSO Integration Broker section, provide information about the Integration Broker instance that you want to use to launch resources. You must connect to the SSO Integration Broker over SSL.
    1. Enter the fully qualified domain name and port number of the SSO Integration Broker.

      If you have configured a load balancer in front of multiple Integration Broker instances dedicated to providing SSO, enter the fully qualified domain name and port number of the load balancer.

      Note:

      Do not use the IP address.

    2. In the SSL Certificate field, copy and paste the SSL certificate of the Integration Broker server.

      Note:

      If you are using a self-signed certificate, also upload the certificate on the Appliance Settings > Manage Configuration > Install SSL Certificates > Trusted CAs page. For external connectors, the page is at https://connectorFQDN:8443/cfg/ssl. If you selected more than one launch connector, add the certificate to the Install SSL Certificates > Trusted CAs page of all the connectors.

  8. In the Server Farms section, enter the Citrix server farm details.

    To add multiple farms, click +Add Server Farm.

    • Version

      Select the Citrix server farm version: 5.0, 6.0, 6.5, or 7.x.

    • Use StoreFront

      Select this option if you want XenApp resources launched using the Citrix StoreFront REST API. When this option is selected, the Integration Broker uses the Citrix StoreFront REST API to communicate with the StoreFront server and retrieve the ICA file. If this option is not selected, the Integration Broker uses the Citrix Web Interface SDK to communicate with Citrix components and retrieve the ICA file.

      Note:

      If you select or deselect this option after the initial setup and synchronization, save your settings and then sync again for the change to take effect.

    • StoreFront URL

      Enter the StoreFront server URL in the following format: transportType://storefrontServerFQDN/Citrix/storenameWeb

      For example: http://xen76.example.com/Citrix/mystoreWeb

      Note:

      This is the Store Web Receiver Website URL.

      Important:

      Also enter this URL in the Client Access URL Host field in the XenApp section of Network Range settings.

    • Server name

      Server name assigned in your environment.

    • Servers (failover order)

      Organize the Citrix XML brokers (servers) in failover order. VMware Identity Manager respects this order during SSO and under failover conditions.

      Note:

      The XML brokers must have PowerShell Remoting enabled.

    • Transport type

      Transport type used in your Citrix server configuration: HTTP, HTTPS, or SSL RELAY.

      Note:

      The transport type and port must match your Citrix server configuration.

    • Port

      Port setting used in your Citrix server configuration.

      Note:

      The transport type and port must match your Citrix server configuration.

    • STA Server

      If you are using NetScaler, you must specify an STA server for the farm.

      1. Specify the STA Server for the Citrix farm.

        Enter the STA server URL in the following format:

        transporttype://server:port

        For example: http://staserver.example.com:80

        Only alphanumeric characters, period (.), and hyphen (-) are allowed in the URL.

      2. Click Add To List.

        The server appears in the XenApp STA Servers list.

      3. Enter additional STA servers, if necessary. For example, you may want to specify a second STA server for failover purposes.

      Specify the STA Server for the Citrix farm, if you are using NetScaler.

    • XenApp STA Servers (failover order)

      Specify the failover order for the STA servers that you added.

  9. To add another farm, click Add Farm and enter the configuration information for the farm.
  10. Select Sync categories from server farms if you want to sync categories from Citrix farms to VMware Identity Manager.
  11. Select Do not sync duplicate applications to prevent duplicate applications from being synced from multiple servers. When VMware Identity Manager is deployed in multiple data centers, the same resources are set up in the multiple data centers. Checking this option prevents duplication of the desktops or applications in your VMware Identity Manager catalog.
  12. From the Sync Frequency drop-down menu, select how often you want to sync the resources in this collection.

    You can set up a regular sync schedule or choose to sync manually. If you select Manual, you must click Sync on the Catalog > Virtual Apps Collection page after you set up the collection and whenever there is a change in your Citrix published resources or entitlements.

  13. From the Activation Type drop-down list, select how Citrix published resources are made available to users in Workspace ONE.

    With both the User Activated and Automatic options, the resources are added to the Catalog page. Users can use the resources from the Catalog page or move them to the Bookmarks page. However, to set up an approval flow for any of the apps, you must select User Activated for that app.

    The activation policy that you select on this page applies to all user entitlements for all the resources in the collection. You can modify the activation policy for individual users or groups per resource, from the application or desktop's Entitlements page.

    Setting the activation policy for the collection to User Activated is recommended if you intend to set up an approval flow.

  14. Click Save.

    The collection is created and appears in the Virtual Apps Collection page. The resources in the collection are not synced yet.

  15. To sync the resources in the collection to VMware Identity Manager, click Sync in the Virtual Apps Collection page.

    Each time resources or entitlements change in Citrix, a sync is required to propagate the changes to VMware Identity Manager.

    Note:

    The anonymous user group feature in the Citrix product is not supported with VMware Identity Manager.
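
The field formats that the procedure gives for the STA Server, StoreFront URL and SSO Integration Broker entries can be checked before they are entered in the console. The following Python is an added example, not VMware or Citrix code; the function names are hypothetical, and restricting the StoreFront transport to http or https and warning on plain http (because the store relies on HTTP Basic Authentication) are assumptions added here.

```python
import ipaddress
import re
from urllib.parse import urlsplit

HOST_OK = re.compile(r"[A-Za-z0-9.-]+")  # alphanumerics, '.' and '-' only


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_sta_url(url):
    """STA Server field: transporttype://server:port"""
    scheme, sep, rest = url.partition("://")
    host, colon, port = rest.rpartition(":")
    if not (sep and scheme.isalpha() and colon and host):
        return ["error: not in transporttype://server:port form"]
    findings = []
    if not HOST_OK.fullmatch(host):
        findings.append("error: server has characters other than alphanumerics, '.', '-'")
    if not (port.isascii() and port.isdigit() and 0 < int(port) < 65536):
        findings.append("error: port is not a number from 1 to 65535")
    return findings


def check_storefront_url(url):
    """StoreFront URL field: transportType://storefrontServerFQDN/Citrix/storenameWeb"""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.scheme not in ("http", "https"):  # assumption: web transports only
        findings.append("error: transport type is not http or https")
    if is_ip(host) or "." not in host:
        findings.append("error: host is not a fully qualified domain name")
    if not re.fullmatch(r"/Citrix/[^/]+Web/?", parts.path):
        findings.append("error: path is not /Citrix/<storename>Web")
    if parts.scheme == "http":  # added check, not a product rule
        findings.append("warning: HTTP Basic credentials cross this link unencrypted")
    return findings


def check_sso_broker_host(host):
    """SSO Integration Broker field: FQDN required, IP address not allowed."""
    if is_ip(host):
        return ["error: IP address used; enter the fully qualified domain name"]
    return [] if "." in host and HOST_OK.fullmatch(host) else ["error: not an FQDN"]
```

Each function returns a list of findings; an empty list means the value matches the format stated in the procedure.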

Results

Citrix-published resources and corresponding entitlements are synchronized with VMware Identity Manager.

What to do next

If you selected the Use StoreFront option, edit the network range settings and, in the Client Access URL Host field in the XenApp section, enter the same URL that you entered in the StoreFront URL field.