For end users to successfully launch Citrix virtual apps, the Citrix Gateway server or XenApp server to which Workspace ONE Access connects must allow password-based authentication. If multifactor authentication is configured on the Citrix Gateway server, you must set up conditional access policies for the Citrix Gateway server so that traffic from the Virtual App service goes through password-based authentication, while other traffic goes through multifactor authentication.
Configure the authentication policies based on the Workspace ONE Access connector instances' IP addresses.
Procedure
- Log in to the Citrix ADC console.
- In the Configuration tab, select .
- Click the server you want to configure.
- Under Basic Authentication, Primary Authentication, add two authentication policies, one for LDAP and the other for multifactor authentication.
  - Create the LDAP policy with the following expression:

    REQ.IP.SOURCEIP == WorkspaceONEAccessConnectorIPaddress

    WorkspaceONEAccessConnectorIPaddress is the IP address of the Workspace ONE Access connector on which the Virtual App service is running. To specify multiple connector instances, separate the entries with ||. For example:

    REQ.IP.SOURCEIP == 198.51.100.0 || 198.51.100.1

  - Create the multifactor authentication policy with the following expression:

    REQ.IP.SOURCEIP != WorkspaceONEAccessConnectorIPaddress

    WorkspaceONEAccessConnectorIPaddress is the IP address of the Workspace ONE Access connector on which the Virtual App service is running. To specify multiple instances, separate the entries with ||. For example:

    REQ.IP.SOURCEIP != 198.51.100.0 || 198.51.100.1

  - Make sure the LDAP policy has higher priority and is evaluated first.
Results
With these policies in place, launch traffic from the Virtual App service succeeds even if multifactor authentication is configured on the Citrix Gateway server.
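
The following added example (not VMware or Citrix code) models the two source-IP policies in Python to check which policy each client address would receive and why the LDAP-first priority matters. The function names, the test source addresses, and the "one != test per connector joined with OR" reading are assumptions made for illustration; the connector addresses are the ones from the example expressions above.

```python
import ipaddress

# Connector addresses from the page's example expressions.
CONNECTORS = ["198.51.100.0", "198.51.100.1"]

def _ips(values):
    return {ipaddress.ip_address(v) for v in values}

def ldap_matches(src, connectors):
    """LDAP policy: source equals one of the connector addresses."""
    return ipaddress.ip_address(src) in _ips(connectors)

def mfa_matches(src, connectors):
    """MFA policy as the exact complement: source differs from every connector."""
    return ipaddress.ip_address(src) not in _ips(connectors)

def mfa_matches_or_joined(src, connectors):
    """Assumed reading: one != test per connector, joined with OR.
    With two or more connectors this is true for every source."""
    s = ipaddress.ip_address(src)
    return any(s != c for c in _ips(connectors))

def select_policy(src, connectors, mfa_rule=mfa_matches, ldap_first=True):
    """Return the first matching policy in priority order (a model, not Citrix code)."""
    rules = [("LDAP", ldap_matches), ("MFA", mfa_rule)]
    if not ldap_first:
        rules.reverse()
    for name, rule in rules:
        if rule(src, connectors):
            return name
    return "NONE"

def audit(sources, connectors, **kw):
    """Map each test source to the policy it would receive."""
    return {s: select_policy(s, connectors, **kw) for s in sources}

if __name__ == "__main__":
    # Constructed test sources: both connectors plus two non-connector addresses.
    tests = CONNECTORS + ["198.51.100.2", "203.0.113.7"]
    for label, kw in [
        ("complement, LDAP first", {}),
        ("OR-joined, LDAP first", {"mfa_rule": mfa_matches_or_joined}),
        ("OR-joined, MFA first", {"mfa_rule": mfa_matches_or_joined, "ldap_first": False}),
    ]:
        print(label, audit(tests, CONNECTORS, **kw))
```

In this model only the connector addresses receive password-only authentication, and if the multifactor rule is evaluated first under the OR-joined reading, connector traffic is sent to multifactor authentication instead.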