To configure Citrix XenApp and XenDesktop server farms in VMware Identity Manager, create one or more virtual apps collections on the Virtual Apps Configuration page. Each collection contains configuration information such as the Citrix servers from which to sync resources and entitlements, the Integration Broker to use for sync and SSO, the VMware Identity Manager connector to use for sync, and administrator settings such as the default launch client.

You can add all your Citrix server farms in one collection or create multiple collections, based on your requirements. For example, you may choose to create a separate collection for each farm for easier management and to distribute the sync load across different connectors. Or you may choose to include all server farms in one collection for a test environment and have another identical collection for your production environment.

Before you configure Citrix published resources in VMware Identity Manager, ensure that you meet all the prerequisites.

Also follow these guidelines for Citrix server farm settings.
  • Syncing Delivery Groups

    A delivery group's Delivery Type setting in Citrix determines how VMware Identity Manager syncs the delivery group.

    VMware Identity Manager syncs a delivery group only if its Delivery Type is set to Desktops And Apps or Desktops Only. If the delivery group's Delivery Type is set to Apps Only, its applications are synced but the delivery group itself is not synced and does not appear in the VMware Identity Manager catalog.

    Configure your delivery groups accordingly.

  • In XenDesktop and XenApp 7.9, if you use the Limited Visibility Group option to restrict users, ensure that the Limited Visibility Group contains users or groups. If it does not contain any users or groups, sync to VMware Identity Manager will not work.
  • Ensure that all Citrix published applications and desktops in a Site contain valid users. If you delete a user or group, make sure that you remove the user or group from Citrix-published resources too.
  • Make sure that users and groups have been assigned to the correct Delivery Group.

    If you select settings to restrict users, make sure that they include users and groups.

  • XenDesktop and XenApp 7.x allow you to set entitlements for all authenticated users at the delivery group level with the "Allow any authenticated user to use this delivery group" setting. VMware Identity Manager does not support this setting. To ensure that users have the correct entitlements in VMware Identity Manager, set explicit entitlements for the users and groups.

Note: Beginning with VMware Identity Manager 3.3, XenApp 5.x is no longer supported. You cannot update or save existing configurations that include a XenApp 5.x server unless you remove the server from the configuration. After you remove the 5.x server from the configuration and save the configuration, all resources associated with the 5.x server will be removed from the catalog during the next sync. Users will be able to run the resources until they are removed from the catalog.

Prerequisites

  • Configure VMware Identity Manager. See Installing and Configuring VMware Identity Manager and VMware Identity Manager Administration for information.
  • Make sure that users and groups with Citrix entitlements have been synced from your enterprise directory to VMware Identity Manager using directory sync.

    While creating the directory, ensure that you make userPrincipalName a required attribute.

    Users must have the distinguishedName attribute. If the attribute is not set for a user, the user may not be able to run desktops and applications.

  • Deploy the Integration Broker and ensure that you have met all the prerequisites described in Prerequisites for Citrix Integration.
  • If you are using a load balancer in front of the Integration Broker, note the host name or IP address of the load balancer for use during this task.

  • If you want to use the Use StoreFront option, available in VMware Identity Manager 2.9.1 and later, ensure the following requirements are met.
    • Install Integration Broker 2.9.1 or later.
    • Ensure that StoreFront is supported by the XenApp or XenDesktop version you are using.
    • Ensure that the Integration Broker can communicate with the StoreFront server.

      When you enable the StoreFront REST API, the Integration Broker communicates with the StoreFront server to generate the ICA file.

    • In the StoreFront server, if you configure trusted domains for the "User name and password" authentication method, ensure that you add domain names in the fully qualified domain name format to the "Trusted domains" list. VMware Identity Manager requires the fully qualified domain name. For more information, see Launch of Citrix-published Applications and Desktops.
  • Review Citrix documentation for your version of Citrix XenApp or XenDesktop.
  • You must use an administrator role that can perform the Manage Desktop Apps action in the Catalog service.

Procedure

  1. Log in to the VMware Identity Manager console.
  2. Select the Catalog > Virtual Apps tab, then click Virtual Apps Configuration.
  3. Click Add Virtual Apps and select Citrix Published Application.
  4. Enter a unique name for the collection.
  5. From the Sync Connectors drop-down menu, select the connector that you want to use to sync the resources in this collection.

    If you have set up multiple connectors for high availability, click Add Connector and select the connectors. The order in which the connectors are listed determines the failover order.

  6. In the Sync Integration Broker section, provide information about the Integration Broker instance that you want to use to sync resources.
    1. Enter the fully qualified domain name and port number of the Sync Integration Broker.

      If you have configured a load balancer in front of multiple Integration Broker instances dedicated to sync, enter the host name or IP address and port number of the load balancer.

    2. To connect to the Integration Broker over SSL, select the Use SSL check box and copy and paste the SSL certificate of the Integration Broker server.

      The certificate will be used when resources in this virtual apps collection are synced to VMware Identity Manager.

  7. In the SSO Integration Broker section, provide information about the Integration Broker instance that you want to use to launch resources. You must connect to the SSO Integration Broker over SSL.
    1. Enter the fully qualified domain name and port number of the SSO Integration Broker.

      If you have configured a load balancer in front of multiple Integration Broker instances dedicated to providing SSO, enter the fully qualified domain name and port number of the load balancer.

      Note: Do not use the IP address.
    2. In the SSL Certificate field, copy and paste the SSL certificate of the Integration Broker server.

      The certificate will be used during the launch of resources from this virtual apps collection.

  8. In the Server Farms section, enter the Citrix server farm details.
    To add multiple farms, click +Add Server Farm.
    Version: Select the Citrix server farm version: 6.0, 6.5, or 7.x.

    Server name:
    1. Enter the Citrix server (XML broker) name. For example:

      citrixserver.example.com

    2. Click Add to List.
    3. To specify multiple servers, enter each server name and click Add to List.

    The servers appear in the Servers (failover order) list.

    Note: The XML brokers must have PowerShell Remoting enabled.

    Servers (failover order): Organize the Citrix XML brokers in failover order by using the up and down arrows. VMware Identity Manager follows this order during SSO and under failover conditions.

    To remove a server from the list, select it and click Remove.

    Use StoreFront: Select this option if you want XenApp resources to be launched using the Citrix StoreFront REST API. When this option is selected, the Integration Broker uses the Citrix StoreFront REST API to communicate with the StoreFront server and retrieve the ICA file.
    • StoreFront Server

      Enter the StoreFront server URL in the following format:

      transportType://storefrontServerFQDN/Citrix/storenameWeb

      For example, http://xen76.example.com/Citrix/mystoreWeb.

      Note: This is the StoreFront server Website URL.
      Important: Also enter this URL in the Client Access URL Host field when you configure internal network ranges for XenApp.
    Note: If you select or deselect the Use StoreFront option after the initial setup and synchronization, ensure that you update the Client Access URL for network ranges.

    Use Web Interface SDK: Select this option if you want XenApp resources to be launched using the Citrix Web Interface SDK. When this option is selected, the Integration Broker uses the Citrix Web Interface SDK to communicate with Citrix components and retrieve the ICA file.
    • Transport type
      Select the transport type used in your Citrix server configuration: HTTP, HTTPS, or SSL RELAY.
      Note: The transport type and port must match your Citrix server configuration.
    • Port
      Enter the port used in your Citrix server configuration.
      Note: The transport type and port must match your Citrix server configuration.
    • SSL Relay Port

      Enter the SSL Relay port used in your Citrix server configuration. This option appears only if you select SSL RELAY as the transport type.

    • STA Server

      If you are using NetScaler, you must specify an STA server for the farm.

      1. Specify the STA Server for the Citrix farm.

        Enter the STA server URL in the following format:

        transporttype://server:port

        For example: http://staserver.example.com:80

        Only alphanumeric characters, periods (.), and hyphens (-) are allowed in the URL.

      2. Click Add To List.

        The server appears in the XenApp STA Servers (failover order) list.

      3. Enter additional STA servers, if necessary. For example, you may want to specify a second STA server for failover purposes.
    • XenApp STA Servers (failover order)

      Organize the STA servers in failover order by using the up and down arrows.

      To remove a server from the list, select it and click Remove.

  9. To add another farm, click Add Farm and enter the configuration information for the farm.
  10. Select Sync categories from server farms if you want to sync categories from Citrix farms to VMware Identity Manager.
  11. Select Do not sync duplicate applications to prevent duplicate applications from being synced from multiple servers. When VMware Identity Manager is deployed in multiple data centers, the same resources are set up in the multiple data centers. Checking this option prevents duplication of the desktops or applications in your VMware Identity Manager catalog.
  12. From the Sync Frequency drop-down menu, select how often you want to sync the resources in this collection.
    You can set up a regular sync schedule or choose to sync manually. If you select Manual, you must click Sync on the Virtual Apps Configuration page after you set up the collection and whenever there is a change in your Citrix published resources or entitlements.
  13. From the Activation Policy drop-down list, select how Citrix published resources are made available to users in Workspace ONE.
    With both the User Activated and Automatic options, the resources are added to the Catalog page. Users can use the resources from the Catalog page or move them to the Bookmarks page. However, to set up an approval flow for any of the apps, you must select User Activated for that app.

    The activation policy that you select on this page applies to all user entitlements for all the resources in the collection. You can modify the activation policy for individual users or groups per resource, from the application or desktop's Entitlements page.

    Setting the activation policy for the collection to User Activated is recommended if you intend to set up an approval flow.

  14. Click Save.
    The collection is created and appears in the Virtual Apps page. The resources in the collection are not synced yet.
  15. To sync the resources in the collection to VMware Identity Manager, click Sync in the Virtual Apps Configuration page.
    Each time resources or entitlements change in Citrix, a sync is required to propagate the changes to VMware Identity Manager.
    Note: The anonymous user group feature in the Citrix product is not supported with VMware Identity Manager.
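
The host and URL formats required in steps 7 and 8 can be checked before the values are typed into the collection form. The following is an added example, not VMware or Citrix code: the function names and sample hosts are hypothetical, and it assumes the transport type is http or https and that the STA character rule applies to the server name.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumptions: transport is http or https; the STA character rule covers the server name.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_FQDN = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")
_STA = re.compile(r"^https?://[A-Za-z0-9.-]+:\d{1,5}$", re.I)
_STORE_PATH = re.compile(r"^/Citrix/[^/]+Web/?$")

def is_ip(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def _errors(*checks):
    return [msg for failed, msg in checks if failed]

def check_sso_broker(host, port):
    """Step 7: the SSO Integration Broker (or its load balancer) is an FQDN, never an IP."""
    return _errors((is_ip(host) or not _FQDN.match(host), "must be an FQDN, not an IP address"),
                   (not 1 <= int(port) <= 65535, "port out of range"))

def check_sta_url(url):
    """Step 8: STA server in the form transporttype://server:port."""
    return _errors((not _STA.match(url), "expected transporttype://server:port with only alphanumerics, '.' and '-'"))

def check_storefront_url(url):
    """Step 8: transportType://storefrontServerFQDN/Citrix/storenameWeb."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return _errors((parts.scheme.lower() not in ("http", "https"), "transport type must be http or https"),
                   (is_ip(host) or not _FQDN.match(host), "server must be an FQDN"),
                   (not _STORE_PATH.match(parts.path), "path must be /Citrix/<storename>Web"))

def preflight(cfg):
    """Return {field: [errors]} for every value that fails a check."""
    report = {"sso_broker": check_sso_broker(cfg["sso_host"], cfg["sso_port"]),
              "storefront": check_storefront_url(cfg["storefront_url"])}
    report.update({f"sta[{i}]": check_sta_url(u) for i, u in enumerate(cfg["sta_urls"])})
    return {field: errs for field, errs in report.items() if errs}

# Constructed sample values; the host names are placeholders.
SAMPLE = {"sso_host": "10.20.30.40", "sso_port": 443,
          "storefront_url": "http://xen76.example.com/Citrix/mystoreWeb",
          "sta_urls": ["http://staserver.example.com:80", "http://sta_2.example.com:8080"]}

if __name__ == "__main__":
    print(preflight(SAMPLE))
```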

Results

Citrix-published resources and corresponding entitlements are synchronized with VMware Identity Manager.

What to do next

Configure network ranges for resource launch.