Workspace ONE Access uses the Integration Broker component and the Citrix Web Interface SDK or Citrix StoreFront REST API to launch Citrix-published applications from the Workspace ONE Intelligent Hub portal or app. You can configure internal and external access to the Citrix-published resources. End users must install Citrix Receiver on their systems or devices to launch the applications and desktops.
Launch Architecture Diagram (Internal Access)
- A user launches a Citrix-published application or desktop from the Intelligent Hub portal or app.
- The request goes to the Workspace ONE Access service, connector, and Integration Broker.
- The Integration Broker communicates with the Citrix server farm through the Web Interface SDK or StoreFront REST API to authenticate and request the ICA file.
- The ICA file is retrieved and passed to the Intelligent Hub portal or app.
- The ICA file is passed to the Citrix Receiver.
- The Citrix Receiver launches the application or desktop.
Launch Architecture Diagram (External Access with StoreFront)
- A user launches a Citrix-published application or desktop from the Intelligent Hub portal or app.
- The request goes to the Workspace ONE Access service, connector, and Integration Broker.
- To communicate with the Citrix server farm to authenticate and request the ICA file, the Integration Broker sends a request to NetScaler through the StoreFront REST API.
- NetScaler forwards the request to the StoreFront server.
- The ICA file is retrieved and passed to the Intelligent Hub portal or app.
- The ICA file is passed to the Citrix Receiver.
- Citrix Receiver communicates with NetScaler.
- NetScaler communicates with the Citrix STA server with the STA ticket and gets the Citrix session server information.
- NetScaler communicates with the Citrix Session Host server and creates a session for application launch.
Note: In version 7.x, the Citrix Session Host server is the Citrix VDA server. In version 6.5, it is the Citrix Worker server.
Launch Architecture Diagram (External Access with Web Interface SDK)
- A user launches a Citrix-published application or desktop from the Intelligent Hub portal or app.
- The request goes to the Workspace ONE Access service, connector, and Integration Broker.
- The Integration Broker communicates with the Citrix server farm through the Web Interface SDK to authenticate and request the ICA file.
- The ICA file is retrieved and passed to the Intelligent Hub portal or app.
- The ICA file is passed to the Citrix Receiver.
- Citrix Receiver communicates with NetScaler.
- NetScaler communicates with the Citrix STA server with the STA ticket and gets the Citrix session server information.
- NetScaler communicates with the Citrix Session Host server and creates a session for application launch.
Note: In version 7.x, the Citrix Session Host server is the Citrix VDA server. In version 6.5, it is the Citrix Worker server.
Using StoreFront REST API or Web Interface SDK for Launch
The Integration Broker can use the Citrix Web Interface SDK and the Citrix StoreFront REST API to communicate with your Citrix deployment to launch applications or desktops. When the StoreFront REST API is used, the Integration Broker acts like a REST client. The Web Interface SDK and the StoreFront REST API are used to authenticate with and generate the ICA file from the Citrix deployment.
You can specify which option to use by selecting the Use StoreFront or Use Web Interface SDK option in the Citrix configuration page in the Workspace ONE Access console.
An Integration Broker instance can use both the Web Interface SDK and the StoreFront REST API. If you want to communicate with one Citrix farm using the Web Interface SDK and another Citrix farm using the StoreFront REST API, make the appropriate selections for each.
To use the StoreFront REST API option, ensure the following requirements are met.
- Use StoreFront API 2.6 or later.
- Install Integration Broker 2.9.1 or later.
- Ensure that StoreFront is supported by the XenApp or XenDesktop version you are using.
- Ensure that the Integration Broker can communicate with the StoreFront server.
When you enable the StoreFront REST API, the Integration Broker communicates with the StoreFront server to generate the ICA file.
- Ensure that you specify the same farm name in StoreFront and in the Citrix Delivery Controller or XML Broker.
- If the StoreFront URL is behind a load balancer, ensure that the load balancer does not have any additional authentication requirements such as MFA. The Integration Broker must be able to access the StoreFront URL without additional authentication requirements from the load balancer.
The Integration Broker only supports the NetScaler load balancer. It does not support any other load balancers.
- In the StoreFront server, when you configure authentication for a store, trusted domains can be configured for the "User name and password" authentication method. If you configure trusted domains, ensure that you add domain names in the fully qualified domain name format to the "Trusted domains" list. If you use NetBIOS names for StoreFront, add the fully qualified domain name in addition to the NetBIOS name. Workspace ONE Access requires the fully qualified domain name. If only the NetBIOS name is added, Citrix application and desktop launch from Workspace ONE will fail.
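The requirements above can be checked before a farm is switched to the StoreFront REST API. The following Python pre-flight check is an added example, not VMware or Citrix code; the dictionary keys, the sample values, the exact-match farm name comparison, and the NetBIOS-to-FQDN matching heuristic are assumptions made for illustration.

```python
import re

# Minimum versions stated in the requirements above.
MIN_STOREFRONT_API = (2, 6)
MIN_INTEGRATION_BROKER = (2, 9, 1)
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def parse_version(text):
    """'2.10' -> (2, 10): compare numerically, since the string '2.10' sorts before '2.6'."""
    return tuple(int(part) for part in text.split("."))

def is_fqdn(name):
    """Treat a name with two or more valid DNS labels as fully qualified."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)

def preflight(dep):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if parse_version(dep["storefront_api"]) < MIN_STOREFRONT_API:
        findings.append("StoreFront API is older than 2.6")
    if parse_version(dep["integration_broker"]) < MIN_INTEGRATION_BROKER:
        findings.append("Integration Broker is older than 2.9.1")
    if dep["storefront_farm"] != dep["controller_farm"]:
        findings.append("farm name differs between StoreFront and Delivery Controller/XML Broker")
    lb = dep.get("load_balancer")  # None means StoreFront is reached directly
    if lb is not None:
        if lb["product"] != "NetScaler":
            findings.append("load balancer is not NetScaler")
        if lb["extra_auth"]:
            findings.append("load balancer requires additional authentication")
    # Heuristic (assumption): a NetBIOS name is covered when some FQDN in the
    # list has it as its first label, e.g. CORP and corp.example.com.
    trusted = dep.get("trusted_domains", [])
    fqdn_heads = {d.split(".")[0].lower() for d in trusted if is_fqdn(d)}
    for name in trusted:
        if not is_fqdn(name) and name.lower() not in fqdn_heads:
            findings.append(f"trusted domain '{name}' has no FQDN entry")
    return findings

SAMPLE = {  # constructed sample input, not taken from a real deployment
    "storefront_api": "2.10",
    "integration_broker": "2.9",
    "storefront_farm": "FarmA",
    "controller_farm": "FarmA",
    "load_balancer": {"product": "NetScaler", "extra_auth": True},
    "trusted_domains": ["CORP", "corp.example.com", "LAB"],
}

print("\n".join(preflight(SAMPLE)))
```

For the constructed sample, the check reports the Integration Broker version, the extra authentication on the load balancer, and the `LAB` trusted domain that has no fully qualified counterpart.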
Supported Authentication Methods on Citrix Server
- Smart Card
- HTML 5
- 2 Factor Authentication
- SAML Authentication (Citrix FAS)