To configure Citrix-published resources in VMware Identity Manager, you enter the Integration Broker and Citrix server farm information in the VMware Identity Manager administration console, and schedule the synchronization frequency between VMware Identity Manager and the Citrix server farm.

About this task

Before you configure Citrix-published resources in VMware Identity Manager, ensure that you meet all the prerequisites.

Also follow these guidelines for Citrix server farm settings.

  • Syncing Delivery Groups

    A delivery group's Delivery Type setting in Citrix determines how VMware Identity Manager syncs the delivery group.

    VMware Identity Manager syncs a delivery group only if its Delivery Type is set to DesktopsAndApps or DesktopsOnly. If the delivery group's Delivery Type is set to AppsOnly, its applications are synced but the delivery group itself is not synced and does not appear in the VMware Identity Manager catalog.

    Configure your delivery groups accordingly.

  • In XenDesktop and XenApp 7.9, if you use the Limited Visibility Group option to restrict users, ensure that the Limited Visibility Group contains users or groups. If it does not contain any users or groups, sync to VMware Identity Manager will not work.

  • Ensure that all Citrix-published applications and desktops in a Site contain valid users. If you delete a user or group, make sure that you remove the user or group from Citrix-published resources too.

  • Make sure that users and groups have been assigned to the correct Delivery Group.

    If you select settings to restrict users, make sure that they include users and groups.

Prerequisites

  • Configure VMware Identity Manager. See Installing and Configuring VMware Identity Manager and VMware Identity Manager Administration for information.

  • Make sure that users and groups with Citrix entitlements have been synced from your enterprise directory to VMware Identity Manager using directory sync.

    Verify that distinguishedName is marked as a required attribute in the VMware Identity Manager directory. Citrix-published resources cannot be synced without this. Required attributes must be set before a directory is created. If you have already created a directory and distinguishedName is not a required attribute, delete the directory, make distinguishedName a required attribute in the Identity & Access Management > Setup > User Attributes page and then create a new directory.

  • Deploy the Integration Broker and ensure that you have met all the prerequisites described in Prerequisites for Citrix Integration.

  • To distribute the load in a large-scale enterprise deployment, dedicate two or more Integration Broker instances for sync purposes and two or more Integration Broker instances for SSO purposes.

    If you use multiple Integration Broker instances for sync purposes or for SSO purposes, put a load balancer in front of the Integration Broker instances, and note the host name or IP address of the load balancer for use during this task.

  • If you want to use the Use StoreFront option, available in VMware Identity Manager 2.9.1 and later, ensure the following requirements are met.

    • Install Integration Broker 2.9.1 or later.

    • Ensure that StoreFront is supported by the XenApp or XenDesktop version you are using.

    • Ensure that the Integration Broker can communicate with the StoreFront server.

      When you enable the StoreFront ReST API, the Integration Broker communicates with the StoreFront server to generate the ICA file.

    • Enable HTTP Basic Authentication as an authentication method in the Citrix StoreFront store. Thisi requirement is for internal access only.

      Caution:

      If you do not enable HTTP Basic Authentication, authentication will fail.

  • Review Citrix documentation for your version of Citrix XenApp or XenDesktop.

Procedure

  1. Log in to the VMware Identity Manager administration console.
  2. Select the Catalog tab.
  3. Click Manage Desktop Applications and select Citrix Published Applications from the drop-down menu.
  4. In the Published Apps - Citrix page, select the Enable Citrix-based Applications check box.
  5. Enter the Sync Integration Broker or load balancer host name and port number.

    If you configured a load balancer in front of multiple Integration Broker instances used for sync purposes, enter the host name or IP address and port name of the load balancer.

    Select Use SSL if you are connecting to the Integration Broker over SSL.

  6. Enter the SSO Integration Broker information.
    • If you are using the same Integration Broker instance for both sync and single sign-on, click the Use same as Sync Integration Broker button.

    • If you configured dedicated sync and SSO Integration Broker instances, enter the following information.

      1. Type the SSO Integration Broker or load balancer host name and port number.

        If you configured a load balancer in front of multiple Integration Broker instances dedicated to providing SSO, enter the host name or IP address and port number of the load balancer.

      2. Select Use SSL if you are connecting to the Integration Broker over SSL.

  7. Enter the Citrix server farm details.

    To add multiple farms, click +Add Server Farm.

    Option

    Description

    Version

    Select the Citrix server farm version: 5.0, 6.0, 6.5, or 7.x.

    Use StoreFront

    Select this option if you want XenApp resources launched using the Citrix StoreFront ReST API. When this option is selected, the Integration Broker uses the Citrix StoreFront ReST API to communicate with the StoreFront server and retrieve the ICA file. If this option is not selected, the Integration Broker uses the Citrix Web Interface SDK to communicate with Citrix components and retrieve the ICA file.

    Note:

    If you select or deselect this option after the initial setup and synchronization, click Save and then click Sync Now to sync again for the change to take effect.

    StoreFront URL

    Enter the StoreFront server URL in the following format:

    transportType://storefrontServerFQDN/Citrix/storenameWeb

    For example: http://xen76.example.com/Citrix/mystoreWeb

    Note:

    This is the Store Web Receiver Website URL.

    Important:

    Also enter this URL in the Client Access URL Host field in the XenApp section of Network Range settings.

    Server name

    Server name assigned in your environment.

    Servers (failover order)

    Organize the Citrix XML brokers (servers) in failover order. VMware Identity Manager respects this order during SSO and under failover conditions.

    Note:

    The XML brokers must have PowerShell Remoting enabled.

    Transport type

    Transport type used in your Citrix server configuration: HTTP, HTTPS, or SSL RELAY.

    Note:

    The transport type and port must match your Citrix server configuration.

    Port numbers

    Port setting used in your Citrix server configuration

    Note:

    The transport type and port must match your Citrix server configuration.

  8. From the Deployment Type drop-down list, select how Citrix-published resources are made available to users in Workspace ONE.
    • User-Activated - VMware Identity Manager adds Citrix resources to the Catalog page. To use a resource, users must move the resource from the Catalog page to the Bookmarks page.

    • Automatic - VMware Identity Manager adds the resource directly to the Bookmarks page for users' immediate use.

    The deployment type that you select here is a global setting that applies to all user entitlements for all the resources in your Citrix integration. You can modify the deployment type for individual users or groups per resource, from the application or desktop's Entitlements page.

    Setting the global deployment type to User-Activated is recommended. You can then modify the setting for specific users or groups per resource.

    For more information about setting the deployment type, see Setting the Deployment Type for Citrix Entitlements.

  9. Select Sync categories from server farms if you want to sync categories from Citrix farms to VMware Identity Manager.
  10. Select Do not sync duplicate applications to prevent duplicate applications from being synced from multiple servers. When VMware Identity Manager is deployed in multiple data centers, the same resources are set up in the multiple data centers. Checking this option prevents duplication of the desktops or applications in your VMware Identity Manager catalog.
  11. In the Choose frequency field, select how frequently you want to sync resources and entitlements automatically from the Citrix farms. If you do not want to set up an automatic sync schedule, select Manually.
  12. Click Sync Now to synchronize Citrix-published resources to VMware Identity Manager.

    At times, when you synchronize Integration Broker with SSL, the synchronization can be slow depending on factors in your environment, such as network speed and traffic. Synchronization can also be slow if your Citrix deployment is very large, for example, over 300 applications.

    Note:

    The anonymous user group feature in the Citrix product is not supported with VMware Identity Manager.

  13. Click Save.

    A dialog box appears that lists the number of applications, delivery groups (desktops), and entitlements that will be synced. You can click on the links to view details. Click Save and continue in the dialog box.

Results

Citrix-published resources and corresponding entitlements are synchronized with VMware Identity Manager.

What to do next

If you selected the Use StoreFront option, edit the network range settings and, in the Client Access URL Host field in the XenApp section, enter the same URL that you entered in the StoreFront URL field.