Workspace ONE Access uses the Virtual App service and the Citrix StoreFront REST API to launch Citrix-published applications and desktops from the Workspace ONE Intelligent Hub portal or app. You can configure internal and external access to the Citrix-published resources. End users must install Citrix Workspace app or Citrix Receiver on their systems or devices to launch the applications and desktops to which they are entitled.

Note: Workspace ONE Access does not support Citrix Web Interface.

Internal Access

Figure 1. Launch Architecture Diagram for Internal Access to Citrix-Published Applications and Desktops

Components include Workspace ONE, Citrix Receiver, Workspace ONE Access, Virtual App service, and a Citrix components box with StoreFront, XML server, and STA server.

  1. A user launches a Citrix-published application or desktop from the Workspace ONE Intelligent Hub portal or app.
  2. The request goes to the Workspace ONE Access service, which sends it to the Virtual App service.
  3. The Virtual App service communicates with the Citrix server farm through the StoreFront REST API to authenticate and request the ICA file.
  4. The ICA file is retrieved and passed to the Intelligent Hub portal or app.
  5. The ICA file is passed to the Citrix Workspace app or Citrix Receiver.
  6. The Citrix Workspace app or Citrix Receiver launches the application or desktop.

External Access With Citrix Gateway (NetScaler) Configured to Allow User Name and Password Access

Figure 2. Launch Architecture Diagram for External Access to Citrix-Published Applications and Desktops through Citrix Gateway (NetScaler)
Components include Workspace ONE, Citrix Receiver, Workspace ONE Access service, Virtual App service, Citrix components including StoreFront, and NetScaler.
  1. A user launches a Citrix-published application or desktop from the Workspace ONE Intelligent Hub portal or app.
  2. The request goes to the Workspace ONE Access service, which sends it to the Virtual App service.
  3. To communicate with the Citrix server farm to authenticate and request the ICA file, the Virtual App service sends a request to Citrix Gateway (formerly called NetScaler) through the StoreFront REST API.
  4. Citrix Gateway forwards the request to the StoreFront server.
  5. The ICA file is retrieved and passed to the Intelligent Hub portal or app.
  6. The ICA file is passed to the Citrix Workspace app or Citrix Receiver.
  7. Citrix Workspace app or Citrix Receiver communicates with Citrix Gateway.
  8. Citrix Gateway communicates with the Citrix STA server with the STA ticket and gets the Citrix session server information.
  9. Citrix Gateway communicates with the Citrix Session Host server and creates a session for application launch.
    Note: In version 7.x, the Citrix Session Host server is referred to as the Citrix VDA server.

External Access With Citrix Gateway (NetScaler) Configured as ICA Proxy

Figure 3. Launch Architecture Diagram for External Access to Citrix-Published Applications and Desktops through StoreFront
Components include Workspace ONE, Citrix Receiver, Workspace ONE Access service, Virtual App service, a Citrix components box with two StoreFronts, and NetScaler.

In this architecture, Citrix Gateway (formerly called NetScaler) is configured as a simple ICA proxy and allows only ICA requests. The external launch URL in Workspace ONE Access is configured to point to a separate internal StoreFront, which is configured to always return an ICA file that points to Citrix Gateway. Users cannot connect to Citrix Gateway directly using their user name and password.

  1. A user launches a Citrix-published application or desktop from the Workspace ONE Intelligent Hub app or portal.
  2. The request goes to the Workspace ONE Access service, which sends it to the Virtual App service.
  3. To communicate with the Citrix server farm to authenticate and request the ICA file, the Virtual App service sends a request to a separate StoreFront that always returns an ICA file that points to Citrix Gateway.
  4. Citrix Gateway forwards the request to the StoreFront server.
  5. The ICA file is retrieved and passed to the Intelligent Hub portal or app.
  6. The ICA file is passed to the Citrix Workspace app or Citrix Receiver.
  7. Citrix Workspace app or Citrix Receiver communicates with Citrix Gateway.
  8. Citrix Gateway communicates with the Citrix STA server with the STA ticket and gets the Citrix session server information.
  9. Citrix Gateway communicates with the Citrix Session Host server and creates a session for application launch.
    Note: In version 7.x, the Citrix Session Host server is referred to as the Citrix VDA server.