To configure Citrix XenApp and XenDesktop server farms in Workspace ONE Access, you create one or more virtual apps collections in the Virtual Apps Configuration page, which contain configuration information such as the Citrix servers from which to sync resources and entitlements, the Integration Broker to use for sync and SSO, the Workspace ONE Access connector to use for sync, and administrator settings such as the default launch client.
You can add all your Citrix server farms in one collection or create multiple collections, based on your requirements. For example, you may choose to create a separate collection for each farm for easier management and to distribute the sync load across different connectors. Or you may choose to include all server farms in one collection for a test environment and have another identical collection for your production environment.
Before you configure Citrix published resources in Workspace ONE Access, ensure that you meet all the prerequisites.
Also follow these guidelines for Citrix server farm settings.
- Syncing Delivery Groups
A delivery group's Delivery Type setting in Citrix determines how Workspace ONE Access syncs the delivery group.
Workspace ONE Access syncs a delivery group only if its Delivery Type is set to Desktops And Apps or Desktops Only. If the delivery group's Delivery Type is set to Apps Only, its applications are synced but the delivery group itself is not synced and does not appear in the Workspace ONE Access catalog.
Configure your delivery groups accordingly.
- In XenDesktop and XenApp 7.9, if you use the Limited Visibility Group option to restrict users, ensure that the Limited Visibility Group contains users or groups. If it does not contain any users or groups, sync to Workspace ONE Access will not work.
- Ensure that all Citrix published applications and desktops in a Site contain valid users. If you delete a user or group, make sure that you remove the user or group from Citrix-published resources too.
- Make sure that users and groups have been assigned to the correct Delivery Group.
If you select settings to restrict users, make sure that they include users and groups.
- XenDesktop and XenApp 7.x allow you to set entitlements for all authenticated users at the delivery group level with the "Allow any authenticated user to use this delivery group" setting. Workspace ONE Access does not support this setting. To ensure that users have the correct entitlements in Workspace ONE Access, set explicit entitlements for the users and groups.
- Workspace ONE Access does not support the Citrix anonymous user group feature.
Note: Beginning with
Workspace ONE Access (formerly called VMware Identity Manager) 3.3, XenApp 5.x is no longer supported. You cannot update or save existing configurations that include a XenApp 5.x server unless you remove the server from the configuration. After you remove the 5.x server from the configuration and save the configuration, all resources associated with the 5.x server will be removed from the catalog during the next sync. Users will be able to run the resources until they are removed from the catalog.
Prerequisites
- Configure Workspace ONE Access. See Installing and Configuring Workspace ONE Access and Workspace ONE Access Administration for information.
- Make sure that users and groups with Citrix entitlements have been synced from your enterprise directory to Workspace ONE Access using directory sync.
While creating the directory, ensure that you make userPrincipalName a required attribute.
Users must have the distinguishedName attribute. If the attribute is not set for a user, the user may not be able to run desktops and applications.
- Deploy the Integration Broker and ensure that you have met all the prerequisites described in Prerequisites for Citrix Integration.
-
If you are using a load balancer in front of the Integration Broker, note the host name or IP address of the load balancer for use during this task.
- If you want to use the StoreFront option, available in Workspace ONE Access (formerly called VMware Identity Manager) 2.9.1 and later, ensure the following requirements are met.
- If your Citrix deployment includes a Citrix NetScaler Gateway server and you intend to connect to the Citrix server farm using the Web Interface SDK, obtain the URL of the Citrix Secure Ticket Authority (STA) server associated with the NetScaler Gateway server. See Obtain the STA Server URL for the NetScaler Gateway.
- Review Citrix documentation for your version of Citrix XenApp or XenDesktop.
- To perform this procedure in Workspace ONE Access, use an administrator role that includes the Manage Desktop Apps action in the Catalog service.
- At the end of this procedure, you are redirected to the Network Ranges page to configure Client Access FQDNs. To edit and save the Network Ranges page, you require a Super Admin role. You can choose to perform that step separately.
Procedure
- Log in to the Workspace ONE Access console.
- Select the tab.
- Click New.
- Select Citrix Published Application as the source type.
- In the New Citrix XenApp wizard, enter the following information in the Connector and Broker page.
Option |
Description |
Name |
Enter a unique name for the Citrix virtual apps collection. |
Connector |
Select the connector that you want to use to sync this collection. To select the connector, select the directory that is associated with it. If you have set up a cluster of connectors, all the connector instances appear in the Host list and you can arrange them in failover order for this collection. To rearrange the list, click and drag the rows to the desired position.
Important: After you create the collection, you cannot select a different directory.
|
Sync Integration Broker |
Enter the connection information for the Integration Broker instance that you want to use to sync the resources in this collection.
- Host: Enter the fully qualified domain name of the Integration Broker instance. For example, ibserver.exaample.com.
If you have configured a load balancer in front of multiple Integration Broker instances dedicated to sync, enter the host name or IP address of the load balancer.
- Port: Enter the port number of the Integration Broker instance or load balancer.
- Use SSL: To connect to the Integration Broker over SSL, enable Use SSL and copy and paste the SSL certificate of the Integration Broker server into the SSL Certificate box. Enter all the lines including ---BEGIN CERTIFICATE---- and -----END CERTIFICATE----.
The certificate will be used when resources in this virtual apps collection are synced to Workspace ONE Access.
|
Launch Integration Broker |
Enter the connection information for the Integration Broker instance that you want to use to process launch requests for this collection. You must connect to the SSL Integration Broker over SSL. The SSL Integration Broker can be the same as the SSO Integration Broker.
- Host: Enter the fully qualified domain name of the Integration Broker instance. For example, ibserver.example.com.
If you have configured a load balancer in front of multiple Integration Broker instances dedicated to launch, enter the fully qualified domain name of the load balancer.
Note: Do not use the IP address.
- Port: Enter the port number of the Integration Broker instance or load balancer.
- SSL Certificate: Copy and paste the SSL certificate of the Integration Broker server into the SSL Certificate box. Enter all the lines including ---BEGIN CERTIFICATE---- and -----END CERTIFICATE----.
The certificate will be used during the launch of resources from this virtual apps collection.
|
- Click Next.
- In the Server Farm page, click Add Server Farm and enter your Citrix server farm information.
Option |
Description |
Version |
Select the version of your Citrix XenApp or XenDesktop deployment: 6.0, 6.5, or 7.x. |
Server |
Click Add Server and add the fully-qualified domain name of your Citrix XML server (XML broker). For example, xenappserver.example.com. You must add at least one Citrix XML server. To add multiple servers, click Add Server and add the server. Arrange the servers in failover order. Workspace ONE Access follows this order for SSO and under failover conditions. To rearrange the list, click and drag the rows to the desired position. To delete a server from the list, click the x icon at the right of the row.
Note: The XML brokers must have PowerShell Remoting enabled.
|
Launch Preference |
Select how you want Workspace ONE Access to process launch requests for Citrix resources. If you have Citrix StoreFront deployed, select StoreFront, otherwise select Web Interface SDK. You need to select and enter information for only one of the options. |
StoreFront |
Select this option if you want Citrix resources to be launched using the Citrix StoreFront REST API. When this option is selected, the Integration Broker uses the Citrix StoreFront REST API to communicate with the StoreFront server and retrieve the ICA file.
- StoreFront Server URL
Enter the StoreFront server URL in the following format: transportType://storefrontServerFQDN/Citrix/storenameWeb For example, http://xen76.example.com/Citrix/mystoreWeb.
Note: This is the StoreFront server Website URL.
Important: Later, after creating the virtual apps collection, when you configure internal network ranges for XenApp ensure that you enter the same URL in the
Client Access URL Host field.
Note: After creating and syncing the virtual apps collection, if you choose not to use the
StoreFront option, ensure that you update the Client Access URL for network ranges as well.
|
Web Interface SDK |
Select this option if you want Citrix resources to be launched using the Citrix Web Interface SDK. When this option is selected, the Integration Broker uses the Citrix Web Interface SDK to communicate with Citrix components and retrieve the ICA file.
- Transport type
Select the transport type used in your Citrix server configuration: HTTP, HTTPS, or SSL RELAY. This must match your Citrix server configuration.
- Port
Enter the port used in your Citrix server configuration. This must match your Citrix server configuration.
- SSL Relay Port
Enter the SSL Relay port used in your Citrix server configuration. This option appears only if you select SSL RELAY as the transport type.
- STA Server
If your Citrix deployment includes a NetScaler Gateway server, specify the Secure Ticket Authority (STA) server associated with it. The STA server is used to control access for a NetScaler Gateway server.
- Click Add STA Server and enter the STA server URL in the following format:
transporttype://server:port For example: http://staserver.example.com:80 Only alphanumeric characters, period (.), and hyphen (-), are allowed in the URL.
- To add multiple STA servers, click Add STA server and add the servers.
- Arrange the STA servers in failover order. To move a row, click the handle on the left of the row and drag to the desired location. To delete a server from the list, click the x icon at the right of the row.
|
- Click Next.
- In the Configuration page, enter the following information.
Option |
Description |
Sync Frequency |
Select how often you want to sync the resources in the collection from the Citrix server farm to Workspace ONE Access. You can set up an automatic sync schedule or choose to sync manually. To set a schedule, select the interval such as daily or weekly and select the time of day to run the sync. If you select Manual, you must click Sync on the Virtual Apps Collections page after you create the collection and whenever there is a change in your Citrix resources or entitlements. |
Sync Duplicate Apps |
Set to No if you want to prevent duplicate applications from being synced from multiple servers. When Workspace ONE Access is deployed in multiple data centers, the same resources are set up in the multiple data centers. Setting this option to No prevents duplication of the applications and desktops in your Workspace ONE Access catalog. |
Sync Categories from Server Farms |
Enable this option if you want to sync categories from the Citrix servers to Workspace ONE Access. |
Activation Policy |
Select how you want to make resources in this collection available to users in the Workspace ONE portal and app. If you intend to set up an approval flow, select User-Activated, otherwise select Automatic. With both the User-Activated and Automatic options, the resources are added to the Catalog page. Users can use the resources from the Catalog page or move them to the Bookmarks page. However, to set up an approval flow for any of the apps, you must select User Activated for that app. The activation policy applies to all user entitlements for all the resources in the collection. You can modify the activation policy for individual users or groups per resource, from the user or group page in the Users & Groups tab. |
- Click Next.
- In the Summary page, review your selections, then click Save & Configure Network Range.
The collection is created but the resources in the collection are not yet synced. The Network Ranges page appears.