VMware Workspace ONE Access supports Citrix deployments that include Citrix Gateway. Citrix Gateway is typically used to provide external access to Citrix applications and desktops.

If your Citrix deployment includes a Citrix Gateway appliance, you can configure VMware Workspace ONE Access with the appropriate settings so that when users launch Citrix resources, the traffic is routed through the Citrix Gateway appliance to the XenApp server.

You set policies on client network IP ranges that specify whether launch traffic is routed through Citrix Gateway to the XenApp server or whether it is routed directly to the XenApp server. This allows you to meet both external and internal access needs.

Note: VMware Workspace ONE Access also supports Citrix Secure Gateway. The configuration steps in this section are applicable to both Citrix Gateway and Citrix Secure Gateway.

Configure Network Range for Citrix Gateway in Workspace ONE Access

You can configure the network ranges for which you want users' application or desktop launch traffic (ICA traffic) to be routed through Citrix Gateway to the XenApp server. This configuration is typically used to provide external access to Citrix-published resources integrated with Workspace ONE Access.

When a user launches an application or desktop from the Workspace ONE Intelligent Hub portal or app, if the user's IP address falls in the IP range configured for Citrix Gateway, the ICA traffic is routed through Citrix Gateway to the XenApp server.

Note: To configure resource launch for internal networks, see Configuring Citrix Resource Launch for Internal Networks in Workspace ONE Access.


  • A Super Admin role, or a custom role that can perform the Manage Settings action in the Identity and Access Management service in Workspace ONE Access, is required to create and edit network ranges.


  1. In the Workspace ONE Access console, select Resources > Virtual Apps Collections.
  2. Click the Citrix collection for which you want to configure network ranges.
  3. Select the Network Ranges tab.
  4. In the Network Ranges page, click the network range to configure for Citrix Gateway.
    1. Click the network range to edit or create a new network range, if necessary.
    2. If you are creating a new network range, enter a name, optional description, and the IP address range.
    3. Scroll to the Server Farm section.
      This section lists all the XenApp servers configured in the Citrix virtual apps collection.
    4. For each XenApp server, enter the appropriate values for this network range.
      Option Description
      Client Access FQDN

      The Citrix Gateway appliance host name. For example:


      Port The Citrix Gateway appliance port. For example: 443
      NetScaler Set this option to Yes.

      edit network range dialog box

      Note: If you are using Citrix Secure Gateway instead of Citrix Gateway, enter the Citrix Secure Gateway host name and port, and set the NetScaler option to Yes.
    5. Click Save.
    6. Repeat these steps to edit the other network ranges, if required.
    Important: Verify that each network range in your environment has a Client Access FQDN set. If a network range is missing the Client Access FQDN, users accessing resources through that network range cannot launch their Citrix desktops and applications.