Citrix Gateway Service - Citrix Product Documentation | docs.citrix.com
Citrix Gateway Service

Contents

• Release Notes
• Get started
• Technical Security Overview
• Migrate Citrix Gateway to Citrix Gateway service for HDX proxy
• HDX Adaptive transport with EDT support for Citrix Gateway service - Tech Preview
• Support for Citrix Virtual Apps and Desktops
• Read-only access to SaaS and Web apps
• Support for Software as a Service apps
• Apps configuration using a template
• SaaS app server specific configuration
• Citrix Gateway Connector
• Gateway Connector dashboard
• Support for Enterprise web apps
• Support for Citrix Endpoint Management
• FAQ

© 1999-2020 Citrix Systems, Inc. All rights reserved.
Release Notes

October 15, 2020

The Citrix Gateway service release notes describe the new features, enhancements to existing features, fixed issues, and known issues available in a service release. The release notes include one or more of the following sections:

What's new: The new features and enhancements available in the current release.
Fixed issues: The issues that are fixed in the current release.
Known issues: The issues that exist in the current release and their workarounds, wherever applicable.

V8.2 (October 15, 2020)

What's new

• Enhanced security option to launch SaaS and Enterprise Web apps within Secure Browser service
  Admins can now use the enhanced security option Select Launch application always in Citrix Secure Browser service to always launch an application in the Secure Browser service regardless of other enhanced security settings. [ACS-123]

V7.6 (October 8, 2020)

What's new

• Configure session timeouts for the Citrix Secure Workspace Access browser extension
  Admins can now configure session timeouts for the Citrix Secure Workspace Access browser extension. Admins can configure this setting from the Manage tab in the Citrix Gateway service user interface. [NGSWS-13754]
• RBAC control on Citrix Secure Workspace Access browser extension admin settings
  RBAC control is now enforced on Citrix Secure Workspace Access browser extension admin settings. [NGSWS-14427]
V7.5 (September 24, 2020)

What's new

• Enable VPN-less access to Enterprise Web apps through a local browser
  You can now use the Citrix Secure Workspace Access browser extension to enable VPN-less access to Enterprise Web apps through a local browser. The Citrix Secure Workspace Access browser extension is supported on both Google Chrome and Microsoft Edge browsers. [ACS-286]

V7.1 (July 7, 2020)

What's new

• Validate Kerberos configuration on Citrix Gateway Connector
  You can now use the Test button in the Single sign on section to validate the Kerberos configuration. [NGSWS-8581]

V6.6 (June 19, 2020)

What's new

• Read-only access to admins of the Citrix Gateway service and Citrix Access Control service
  Security admin teams using the Citrix Gateway service can now provide granular controls, such as read-only access to admins of the Citrix Gateway service and Citrix Access Control service.
  – Admins with read-only access to the Citrix Gateway service can only view the app details.
  – Admins with read-only access to the Citrix Access Control service can only view the content access settings.
  [ACS-205]

V6.3 (May 8, 2020)

What's new

• New troubleshooting tools in Citrix Gateway Connector 13.0
  – Network tracing: You can now use the Trace feature to troubleshoot Citrix Gateway Connector registration issues. You can download the trace files and share them with the administrators for troubleshooting. For details, see Troubleshoot Citrix Gateway Connector registration issues. [NGSWS-10799]
  – Connectivity tests: You can now use the Connectivity Test feature to confirm that there are no errors in the Gateway Connector configuration and that the Gateway Connector is able to connect to the URLs. For details, see Log on and set up the Citrix Gateway Connector. [NGSWS-8580]

V3.5 (August 19, 2019)

Known issues

• Launching an Enterprise Web app for an NTLM authentication enabled resource from Citrix Workspace fails if both of the following conditions are met:
  – The customer's data center has a proxy server and that proxy server is configured on the Gateway Connector
  – The Web app is configured with no SSO (Don't use SSO)
  Workaround:
  – Publish the Web app as a Basic SSO app, or
  – Do not have a proxy server configured on the Gateway Connector
  [NGSWS-8266]
• If there are SSL intercepting devices in the on-premises data center where the Citrix Gateway Connector must be deployed, the connector registration does not succeed if SSL interception is enabled for the following FQDNs.
  – *.nssvc.net
  – *.netscalermgmt.net
  – *.citrixworkspacesapi.net
  – *.citrixnetworkapi.net
  – *.citrix.com
  – *.servicebus.windows.net
  – *.adm.cloud.com
  SSL interception must be disabled for these FQDNs for successful connector registration. [NGSWS-8923]
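As an added example of checking the prerequisite in the SSL interception known issue above (this is not Citrix code or tooling), the script below matches hostnames against the seven FQDN patterns listed and reports which of them a proxy's configured bypass list does not yet cover. Only the pattern list comes from the release note; the wildcard semantics (one or more labels in front of the suffix, the apex domain itself not matched) and the sample bypass list are assumptions, so confirm the matching rules against your proxy vendor's documentation before relying on the result.

```python
"""Audit a proxy/SSL-interception bypass list against the FQDN patterns that
Citrix Gateway Connector registration needs exempted (NGSWS-8923).

Added example, not Citrix code. Only the REQUIRED_BYPASS patterns come from the
release note; matching semantics and the sample configuration are assumptions.
"""

# FQDN patterns that must be exempt from SSL interception (from the known issue).
REQUIRED_BYPASS = (
    "*.nssvc.net",
    "*.netscalermgmt.net",
    "*.citrixworkspacesapi.net",
    "*.citrixnetworkapi.net",
    "*.citrix.com",
    "*.servicebus.windows.net",
    "*.adm.cloud.com",
)


def matches(pattern: str, host: str) -> bool:
    """True if `host` is covered by `pattern`.

    Assumed semantics: '*.example.com' covers any name with at least one label in
    front of 'example.com' ('a.example.com', 'a.b.example.com') but not the apex
    'example.com'. A plain pattern must match exactly. The check is
    case-insensitive and ignores a trailing dot. The suffix keeps its leading
    '.', so 'evil-example.com' is NOT matched by '*.example.com'.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_exempt(host: str, bypass_list=REQUIRED_BYPASS) -> bool:
    """True if any pattern in `bypass_list` covers `host`."""
    return any(matches(p, host) for p in bypass_list)


def missing_bypass_entries(configured_bypass) -> list:
    """Return the required patterns that `configured_bypass` does not cover.

    A required wildcard counts as covered when some configured wildcard matches
    a representative host under it (so a broader '*.windows.net' covers
    '*.servicebus.windows.net'). Exact-host entries never cover a wildcard.
    """
    missing = []
    wildcards = [c for c in configured_bypass if c.startswith("*.")]
    for required in REQUIRED_BYPASS:
        probe = "probe." + required[2:]
        if not any(matches(c, probe) for c in wildcards):
            missing.append(required)
    return missing


# Constructed sample: a bypass list that covers only part of what is required.
SAMPLE_CONFIGURED_BYPASS = (
    "*.citrix.com",
    "*.windows.net",
    "login.microsoftonline.com",
)

if __name__ == "__main__":
    for entry in missing_bypass_entries(SAMPLE_CONFIGURED_BYPASS):
        print("missing from SSL-interception bypass list:", entry)
```

The `matches` helper keeps the leading dot on the suffix on purpose: a bare `endswith("nssvc.net")` would also accept an unrelated `evil-nssvc.net`, which is the usual mistake in hand-written bypass rules.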
• The Download logs option is available in Gateway Connector from version 401.251. If you are on an earlier version of the connector and you upgrade the connector to version 401.251, you cannot download the logs even though the Download Logs link is available. [NGSWS-8438]

V2019.06.01

Fixed issues

• Edits made in the Access Control page are not propagated to the database because the failed jobs were retried incorrectly. [NGSWS-7733]

V2019.05.01

Fixed issues

• If a customer's data center has an authentication-enabled proxy server configured for Gateway Connector, the connector fails to register itself with Citrix Cloud. [NGSWS-7231]
• When adding an Enterprise Web app, if the FQDN contains an underscore ( _ ) in the domain name, an error is displayed. [NGSWS-7033]
• If the SSO type for a SaaS app is changed from Don't use SSO to SAML, the configuration change fails. [NGSWS-7466]

V2019.04.02

What's new

• Kerberos authentication support for Citrix Gateway Connector to outbound proxy [NGSWS-6410]
  Kerberos authentication is now supported for the traffic from Citrix Gateway Connector to the outbound proxy. Gateway Connector uses the configured proxy credentials to authenticate to the outbound proxy.

Fixed issues

• In rare cases, web filtering UI configuration changes do not take effect on the tenant traffic. [NGSWS-7147]
• Memory leaks on ICA service nodes, resulting in high memory usage. [NGSWS-7014]
• Application fails to launch because the Citrix Gateway service node does not send the X-NGS-Session-Id header as part of the policy document retrieval request to the CVMs. [NGSWS-6963]
• Authentication and app enumeration on the Citrix Gateway service fail if the token size for authentication exceeds 64 KB. [NGSWS-5932]

V2019.04.01

What's new

• Web/SaaS apps traffic can now be routed via a corporate-network-hosted Gateway Connector, thus avoiding two factor authentication.
  If a customer has published a SaaS app that is hosted outside the corporate network, support is now added to route the authentication traffic for that app through an on-premises Gateway Connector. For example, consider that a customer has an Okta protected SaaS app (like Workday). The customer might want that, even though the actual Workday data traffic is not routed via the Citrix Gateway service, the authentication traffic to the Okta server is routed through the Citrix Gateway service via an on-premises Gateway Connector. This helps a customer avoid a second factor authentication from the Okta server, as the user is connecting to the Okta server from within the corporate network. [NGSWS-6445]
• Disabling Filtering Website Lists and Website Categorization.
  Filtering Website Lists and Website Categorization can be disabled if the admin chooses not to apply these functionalities for a specific customer. [NGSWS-6532]
• Automatic geo routing for secure browser service redirects.
  Automatic geo routing is now enabled for secure browser service redirects. [NGSWS-6926]

Fixed issues

• Web app launch fails for a customer when the value of the CustomerId is in camel case. [NGSWS-6705]
• Connection to a Secure Mail server is not possible with FQDN. If the customer configuration has an FQDN configured for the mail server, then the connection fails. [NGSWS-6566]
• App launch fails after the Gateway Service session times out. The end user must log in again to access the apps. [NGSWS-6917]
• When renaming a SaaS app, the name changes in the GUI but does not change in the Workspace app. Similarly, when changing or adding an icon of certain SaaS apps and Web apps, the icon updates in the GUI but is not propagated to the Workspace app. [NGSWS-6915]
• If Enhanced Security is enabled on a Web app (hosted inside the corporate network) and that app is launched from a native browser, then the app launch is redirected to the secure browser service because the native browser cannot enforce enhanced security policies. [NGSWS-6804]
• An app fails to launch if the app FQDN is in camel case. [NGSWS-6587]
• Deleted applications still show up in the cloud library. [NGSWS-6525]
• When there is an outbound proxy configured for Gateway Connector and the proxy has authentication enabled, Gateway Connector cannot perform authentication with the proxy server. [NGSWS-6374]
• In race conditions, app configuration does not get propagated intermittently. [NGSWS-4958]
• App launch fails intermittently with a "Failed to fetch Policy Document." error. [NGSWS-6963]
• Deleted apps still show up in the Workspace app. [NGSWS-6732]
• Gateway Service supports form response sizes up to 32k for Web applications with form based SSO, which is not sufficient for certain applications. With this fix, Gateway Service now supports form response sizes of up to 64k for Web applications with the form based SSO type. [NGSWS-6511]

V2019.03.01

What's new

• A "Detect" button is added in the "Add a Gateway Connector" page. The Detect button is used to refresh the list of connectors, allowing the newly added connector to appear in the Web app connectivity section. [CGOP-6358]
• A new category "Malicious and Dangerous" is added in the "Access Control Web Filtering" categories. The new category named Malicious and Dangerous in the Access Control Web Filtering categories is added under the Malware and Spam group. [CGOP-6205]

Fixed issues

• Sometimes, the Gateway Connector crashes when multiple threads access the same resource. [CGOP-6359]
• Sometimes, a delete operation using an administrator credential for a Web or SaaS application that does not have subscribed users or groups fails. [CGOP-6310]
• Configurations for the Citrix Gateway Connector are lost upon editing Form based SSO parameters. [CGOP-6158]
• The Add another app option does not work when you access the option by navigating as follows: Edit app > Overview > Add another app. [NGSWS-6089]
• A newly added connector takes too long to show up in the UI. [NGSWS-5505]
• Outbound connections from a connector fail when the connector uses the external FQDN value for the connection via an outbound proxy. [NGSWS-6451, NGSWS-6431]
• Sometimes, app enumeration fails for a customer when the value of the CC-Customer-Id field has letters in both lower case and upper case. [NGSWS-4924]
• Upon launching an application in a Secure Browser session, the display message incorrectly shows "Connecting to [application id]" instead of "Connecting to [application name]." [NGSWS-6061]
• Athena tokens that exceed 64k bytes in size upon decompressing are not supported. [NGSWS-5932]
Get started

April 22, 2020

This document walks you through how to get started with onboarding and setting up SaaS apps delivery for the first time. This document is intended for application administrators.

The following are the steps you need to perform to get started:

1. Sign up for Citrix Cloud.
2. Request the Citrix Gateway service entitlement.
3. Post entitlement, Citrix Gateway service is provisioned under My Services.
4. Access the Citrix Gateway service UI.

Step 1: Sign up for Citrix Cloud

To start using Citrix Gateway service, you must first create a Citrix Cloud account or join an existing one that is created by someone else in your company. For detailed processes and instructions on how to proceed, see Signing Up for Citrix Cloud.

Step 2: Request the Citrix Gateway service entitlement

To request the Citrix Gateway service entitlement, on the Citrix Cloud screen, under the Available Services section, click the Request Trial tab present in the Citrix Gateway service tile.

Step 3: Post entitlement, Citrix Gateway service is provisioned under My Services

After you receive the Citrix Gateway service entitlement, the Citrix Gateway service tile moves to the My Services section.
Step 4: Access the Citrix Gateway service UI

Click the Manage tab present on the tile to access the Citrix Gateway service UI. After you click the Manage tab, an Overview screen explaining the available services appears.

Technical Security Overview

April 22, 2020

This document applies to all the features pertaining to Citrix Gateway service hosted in Citrix Cloud, including HDX transport, SaaS apps, and Enterprise Web apps. Citrix Cloud manages the operation of Citrix Gateway services, replacing the need for customers to manage the Citrix Gateway appliance. Citrix Gateway service is provisioned through Citrix Workspace app.

Citrix Gateway service provides the following capabilities:

• HDX connectivity for XenApp users – a globally available service providing secure connectivity from users in any location to virtual apps and desktops.
• Secure access to SaaS applications – a unified user experience bringing configured SaaS applications to end-users.
• Secure access to Enterprise web applications – a unified user experience bringing configured Enterprise web applications to end-users.
• Secure access to all apps and files in a digital workspace – a modern approach to managing all your devices through a single platform, Citrix Endpoint Management. Supported platforms include desktops, laptops, smartphones, tablets, and IoT.
HDX Connectivity: The Virtual Delivery Agents (VDAs) hosting the apps and desktops remain under the customer's control in the data center of their choice, either cloud or on-premises. These components are connected to the cloud service using an agent called the Citrix Cloud Connector.

SaaS apps: Software as a Service (SaaS) is a software distribution model to deliver software remotely as a web-based service. Commonly used SaaS apps include Salesforce, Workday, Concur, GoToMeeting, and so forth.

Enterprise web apps: Enterprise web apps delivery using Citrix Gateway service enables enterprise specific applications to be delivered remotely as a web-based service. Commonly used Enterprise web apps include SharePoint, Confluence, OneBug, and so on. You need Citrix Gateway Connector to access the Enterprise web apps.

SaaS apps and Enterprise web apps are provisioned through Citrix Workspace using Citrix Gateway service. The Citrix Gateway service coupled with Citrix Workspace provides a unified user experience for the configured Enterprise web apps, SaaS apps, configured virtual apps, or any other workspace resources. Along with Secure Access, Citrix Gateway service also protects users from untrusted links embedded in user-generated content.

Endpoint Management integration: When integrated with Citrix Endpoint Management plus Citrix Workspace, Citrix Gateway service provides secure remote device access to your internal network and resources. Onboarding Citrix Gateway service with Endpoint Management is fast and simple. Citrix Gateway service includes full support of Citrix SSO for apps such as Secure Mail and Secure Web.

Data flow

Citrix Gateway service is a globally distributed multitenant service. End-users utilize the nearest Point-of-Presence (PoP) where the particular function they need is available, regardless of Citrix Cloud Control plane geo-selection or location of the applications being accessed.
Configuration, such as authorization metadata, is replicated to all PoPs. Logs used by Citrix for diagnostics, monitoring, business, and capacity planning are secured and stored in one central location. Customer configuration is stored in one central location and distributed globally to all PoPs.

Data flowing between the cloud and customer premises uses secure TLS connections over port 443.

Encryption keys used for user authentication and single sign-on are stored in hardware security modules.

Data isolation

The Citrix Gateway service stores the following data:
• Configuration data needed for the brokering and monitoring of the customer's applications – data is scoped by customer when persisted.
• TOTP seeds for each user device – TOTP seeds are scoped by customer, user, and device.

Audit and Change Control

Currently Citrix Gateway service does not make auditing and change control logs available to customers. Logs are available to Citrix, which can be used to audit the activities of end-users and administrators.

Credential handling

The service handles two types of credentials:

• User credentials: End-user credentials (passwords and authentication tokens) might be made available to Citrix Gateway service to perform the following:
  – Access control - The service uses the user's identity to determine access to SaaS and Enterprise web applications and other resources.
  – Single sign-on - The service might have access to the user's password to complete the SSO function to internal web applications using HTTP Basic, NTLM, or forms-based authentication. The encryption protocol used for the password is TLS unless you specifically configure HTTP Basic authentication.
• Administrator credentials: Administrators authenticate against Citrix Cloud. This generates a one-time signed JSON Web Token (JWT) which gives the administrator access to the management consoles in Citrix Cloud.

Points to note

• All traffic over public networks is encrypted by TLS, using certificates managed by Citrix.
• Keys used for SaaS app SSO (SAML signing keys) are fully managed by Citrix.
• For MFA, Citrix Gateway service stores per-device keys used to seed the TOTP algorithm.
• To enable Kerberos Single Sign-On functionality, customers might configure Gateway Connector with credentials (user name + password) for a service account trusted to perform Kerberos Constrained Delegation.

Deployment considerations

Citrix recommends that users consult the published best practices documentation for deploying Citrix Gateway services.
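The credential handling section says the service may hold the user's password to perform HTTP Basic, NTLM or forms-based SSO, and the Customer Best Practices section later on this page asks that SSO not be enabled for applications served over plain HTTP. As an added example (not Citrix code and not a Citrix API), the audit below walks a list of app definitions and flags exactly that combination, plus the NTLM/no-SSO/proxied-connector combination from known issue NGSWS-8266 in the release notes. The app records and the field names `url`, `sso`, `resource_auth` and `connector_has_proxy` are constructed for the example; the SSO type names are the ones this documentation uses.

```python
"""Audit published Web/SaaS app definitions for a password-bearing SSO type
(HTTP Basic, NTLM, forms, Kerberos) on an app reached over plain HTTP, where the
user's credential would leave TLS protection.

Added example, not Citrix code or a Citrix API. App records and field names are
constructed; SSO type names are the ones this documentation uses.
"""
from urllib.parse import urlsplit

# SSO types that forward a user secret (password or NTLM/Kerberos material) to
# the application. SAML forwards a signed assertion instead (assumption: still
# worth flagging over HTTP, but not as direct credential exposure).
PASSWORD_BEARING = {"Basic SSO", "Form based SSO", "NTLM", "Kerberos"}


def audit_app(app: dict) -> list:
    """Return (severity, message) findings for one app definition."""
    findings = []
    name = app["name"]
    scheme = urlsplit(app["url"]).scheme.lower()
    sso = app.get("sso", "Don't use SSO")

    if scheme != "https":
        if sso in PASSWORD_BEARING:
            findings.append(("HIGH", f"{name}: {sso} over {scheme}, user credentials would be sent without TLS"))
        elif sso == "SAML":
            findings.append(("MEDIUM", f"{name}: SAML assertion delivered to an {scheme} endpoint"))
        else:
            findings.append(("LOW", f"{name}: app published over {scheme}; best practice is TLS"))

    # Known issue NGSWS-8266: an NTLM-protected resource published with no SSO
    # behind a Gateway Connector that has a proxy configured fails to launch;
    # the documented workaround is Basic SSO or removing the proxy.
    if (sso == "Don't use SSO" and app.get("resource_auth") == "NTLM"
            and app.get("connector_has_proxy")):
        findings.append(("INFO", f"{name}: NTLM resource with no SSO behind a proxied connector (NGSWS-8266)"))
    return findings


def audit_apps(apps) -> dict:
    """Audit all apps; returns {app name: findings} for apps that have findings."""
    report = {}
    for app in apps:
        findings = audit_app(app)
        if findings:
            report[app["name"]] = findings
    return report


# Constructed sample app definitions (hostnames are placeholders).
SAMPLE_APPS = [
    {"name": "Confluence", "url": "http://confluence.corp.example", "sso": "Form based SSO"},
    {"name": "SharePoint", "url": "https://sharepoint.corp.example", "sso": "Kerberos"},
    {"name": "Workday", "url": "https://workday.example.com", "sso": "SAML"},
    {"name": "OneBug", "url": "http://onebug.corp.example", "sso": "Don't use SSO",
     "resource_auth": "NTLM", "connector_has_proxy": True},
]

if __name__ == "__main__":
    for name, findings in audit_apps(SAMPLE_APPS).items():
        for severity, message in findings:
            print(f"[{severity}] {message}")
```

Severity is deliberately keyed on what actually crosses the wire: a forwarded password over HTTP is the case the documentation warns about, while an HTTP app with no SSO is only a hygiene finding.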
More considerations regarding SaaS apps and Enterprise web apps deployment and the network connector are as follows.

Selecting the correct connector: The correct connector must be selected, depending on the use case:
Use Case | Connector | Form factor
--- | --- | ---
User Authentication: Active Directory | Citrix Cloud Connector | Windows software
HDX Connectivity | Citrix Cloud Connector | Windows software
SaaS apps access | Citrix Cloud Connector | N/A
Enterprise web apps access | Citrix Cloud Connector, Citrix Gateway Connector | N/A
Enterprise apps and files delivered by Citrix Endpoint Management | Citrix Cloud Connector, Citrix Gateway Connector | N/A

Citrix Cloud Connector network access requirements

For information on Citrix Cloud Connector network access requirements, see https://docs.citrix.com/en-us/citrix-cloud/overview/requirements/internet-connectivity-requirements.html

Citrix Gateway Connector network access requirements

For information on Citrix Gateway Connector network access requirements, see https://docs.citrix.com/en-us/citrix-gateway-service/gateway-connector.html

Citrix Gateway service HDX Connectivity

Using the Citrix Gateway service avoids the need to deploy Citrix Gateway within the customer data centers. To use the Citrix Gateway service, it is a prerequisite to use the StoreFront service delivered from Citrix Cloud.

Customer Best Practices

Customers are recommended to use TLS within their network and not enable SSO for applications over HTTP.

Migrate Citrix Gateway to Citrix Gateway service for HDX proxy

June 24, 2020
You can migrate from a Citrix Gateway for HDX proxy to a fully managed cloud-based HDX proxy powered by Citrix Gateway service on Citrix Cloud.

Cloud based HDX Proxy

When Citrix Cloud customers purchase Citrix Virtual App Service, Virtual Desktop Service, Virtual App and Desktop Service, or Workspace Service, they might use an on-premises Citrix Gateway for secure remote access. The Citrix Gateway is purchased separately.

Figure 1. Deployment with Citrix Gateway as HDX Proxy

Citrix Gateway service is a cloud based HDX proxy that provides secure remote access through a cloud-based gateway that front-ends Citrix Virtual Apps and Desktops environments.

Figure 2. Deployment with Citrix Gateway service as HDX Proxy
This feature is now included with your Citrix Virtual Apps service, Citrix Virtual Desktops service, Citrix Virtual Apps and Desktops service, and Workspace Service entitlements. You can enable this feature.

Migration from an on-premises Citrix Gateway to cloud based Citrix Gateway service

An on-premises Citrix Gateway appliance is customer managed and the cloud based Citrix Gateway service is Citrix managed. This section explains how to migrate from an on-premises Citrix Gateway to the cloud hosted Citrix Gateway service for HDX proxy. Though Citrix Gateway and Citrix Gateway service both provide HDX proxy, the underlying infrastructure and working mechanism are different. However, the steps to enable HDX proxy on cloud are simple and straightforward, with just a few clicks.

To enable this migration, enable Citrix Gateway service for Citrix Virtual Apps and Desktops. Once enabled, traffic starts traversing through Citrix Gateway service and an on-premises Citrix Gateway is no longer required.

The following assumptions are made before you begin migration from an on-premises Citrix Gateway to the cloud based Citrix Gateway service.

• The customer has subscribed to Citrix Cloud service and has purchased Citrix Virtual Apps and Desktops.
• The customer uses an on-premises Active Directory to authenticate users on cloud.

Enable the Citrix Gateway service

Following are the steps to enable Citrix Gateway service for Citrix Virtual Apps and Desktops service users:

1. Sign in to Citrix Cloud Services as an admin user.
2. Click the hamburger icon and choose Workspace Configuration.
3. Click Service Integrations.
4. Locate the ellipsis next to Gateway, click the ellipsis, and then click Enable.
Following are the steps to enable Citrix Gateway Service for Citrix Workspace users.

1. Sign in to Citrix Cloud Services as an admin user.
2. Click the hamburger icon and choose Workspace Configuration.
3. In the Access tab, under the External Connectivity section, locate the ellipsis next to My Resource Location present under Citrix Virtual Apps and Desktops service.
4. Click the ellipsis, then click Configure Connectivity.
5. Choose Gateway Service in the pop-up window and then click Save.
Roll back to Citrix Gateway

To roll back the HDX proxy to an on-premises Citrix Gateway, perform the following.

1. Sign in to Citrix Cloud Services as an admin user.
2. Click the hamburger icon on the top left and choose Workspace Configuration.
3. In the Access tab under the External Connectivity section, locate the ellipsis next to My Resource Location present under Virtual Apps and Desktops.
4. Click the ellipsis, then click Configure Connectivity.
5. Choose Traditional Gateway and enter the FQDN.
6. Click Add and then click Save.
HDX Adaptive transport with EDT support for Citrix Gateway service - Tech Preview

October 9, 2020

The EDT transport mechanism for Citrix Virtual Apps and Desktops is faster, improves application interactivity, and is more interactive on challenging long-haul WAN and internet connections. EDT delivers a superior user experience by dynamically responding to changing network conditions while maintaining high server scalability and efficient use of bandwidth.

Compared to TCP ICA, EDT delivers a superior user experience. When EDT is not available, EDT intelligently switches to TCP ICA to deliver the best performance.

EDT through Gateway Service is supported only for VDA versions 1912 and later, so any machines running VDA versions older than 1912 will only be able to establish sessions over TCP. Create a Delivery Group to facilitate isolating the configuration to the desired machines and VDA version 1912 and later.

Requirements for HDX Adaptive transport with EDT support

• Virtual Delivery Agent (VDA) 1912 or later.
• Adaptive Transport must be enabled in Citrix policy. See the Adaptive Transport setting documentation for details.
• Rendezvous protocol must be enabled for EDT. See the Rendezvous Protocol documentation for details.
• Firewall rules must be configured to allow EDT (UDP) traffic. See the Network Ports documentation for details.
• All prerequisites for rendezvous must be met. See the Rendezvous Protocol documentation for details.

Recommendations

1. Create a Delivery Group to facilitate isolating the configuration to the desired machines and required version. For details see Create Delivery Groups and Manage Delivery Groups.
2. Enable MTU discovery for use with Windows devices. Refer to the EDT MTU Discovery documentation for more details.
3. Reorder the cipher suites on the VDA machines as outlined in the Rendezvous protocol documentation.
Connection fallback

If EDT negotiation fails for any reason, the session falls back to TCP with Rendezvous. If that also fails, the session falls back to proxying through the Cloud Connectors.

Customers entitled for EDT

Customers who are entitled for Gateway Service for HDX Proxy get EDT at no additional cost. Customers using Gateway Service for site aggregation cannot use EDT yet.

Check your connection type

To know if your sessions are using EDT, look at the following:

• Connection protocol in Citrix Director: https://support.citrix.com/article/CTX220730.
• After you launch an app or a desktop, go to Citrix Workspace app > Connection Center > Properties tab > Transport encryption (DTLS/TLS) to know if the connection is going over TCP or EDT.
• If you launched a desktop, you can run "ctxsession -v" at the command prompt within the session and check the Transport Protocols to determine how the session is established:
  – EDT Rendezvous shows "UDP > DTLS > CGP > ICA"
  – TCP Rendezvous shows "TCP > SSL > CGP > ICA"
  – Non-Rendezvous shows "TCP > CGP > ICA"
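As an added example of automating the two checks above (this is not a Citrix tool), the script below reads the `HDXOverUDP=Preferred` setting that the Troubleshooting section tells you to look for in the launch .ica file, maps the `Transport Protocols` chain printed by `ctxsession -v` to one of the three session types listed, and, when EDT was requested but the session ended up on TCP, lists the documented causes to check. The three chains, the HDXOverUDP key and the causes come from this page; the .ica excerpt, the ctxsession output and the exact layout of the lines around the chain are constructed assumptions.

```python
"""Work out how an HDX session was transported from two artefacts: the
HDXOverUDP setting in the launch .ica file and the 'Transport Protocols' chain
that 'ctxsession -v' prints inside the session.

Added example, not a Citrix tool. Chains, the HDXOverUDP key and the failure
causes are from the documentation; the samples and the surrounding output
layout are constructed assumptions.
"""
import configparser
import re

# Transport chains as listed under "Check your connection type".
CHAINS = {
    "UDP > DTLS > CGP > ICA": "EDT Rendezvous",
    "TCP > SSL > CGP > ICA": "TCP Rendezvous",
    "TCP > CGP > ICA": "Non-Rendezvous (proxied through the Cloud Connector)",
}

# Causes of EDT failure collected from the troubleshooting section and FAQ.
EDT_FAILURE_HINTS = (
    "UDP 443 to *.g.nssvc.net blocked by the client firewall or subnet rules",
    "VDA older than 1912",
    "Rendezvous protocol not enabled in Citrix policy or not working",
    "cipher suites on the VDA not ordered as the Rendezvous protocol documentation requires",
    "DTLS 1.0 disabled, or Adaptive Transport disabled by Citrix policy",
)


def ica_prefers_edt(ica_text: str) -> bool:
    """True if the .ica file carries HDXOverUDP=Preferred in any section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names as written instead of lower-casing them
    parser.read_string(ica_text)
    for section in parser.sections():
        value = parser[section].get("HDXOverUDP")
        if value is not None:
            return value.strip().lower() == "preferred"
    return False


def classify_transport(ctxsession_output: str) -> str:
    """Map the 'Transport Protocols' chain from ctxsession -v to a session type."""
    match = re.search(
        r"Transport Protocols\s*:\s*([A-Za-z]+(?:\s*>\s*[A-Za-z]+)+)", ctxsession_output)
    if not match:
        return "unknown (no Transport Protocols line found)"
    # Normalise spacing so 'TCP>CGP>ICA' and 'TCP > CGP > ICA' compare equal.
    chain = " > ".join(part.strip() for part in match.group(1).split(">"))
    return CHAINS.get(chain, f"unknown chain: {chain}")


def diagnose(ica_text: str, ctxsession_output: str) -> dict:
    """Combine both checks; 'fell_back' is True when EDT was requested but not used."""
    wanted_edt = ica_prefers_edt(ica_text)
    transport = classify_transport(ctxsession_output)
    fell_back = wanted_edt and transport != "EDT Rendezvous"
    return {
        "ica_prefers_edt": wanted_edt,
        "transport": transport,
        "fell_back": fell_back,
        "hints": list(EDT_FAILURE_HINTS) if fell_back else [],
    }


# Constructed .ica excerpt; only HDXOverUDP is a key documented on this page.
SAMPLE_ICA = """\
[WFClient]
Version=2
ProxyType=Auto

[ApplicationServers]
Desktop=

[Desktop]
Address=;40;PLACEHOLDER-ADDRESS
HDXOverUDP=Preferred
"""

# Constructed ctxsession -v output for an EDT session and for a TCP fallback.
SAMPLE_CTXSESSION_EDT = "Session Id: 2\nTransport Protocols: UDP > DTLS > CGP > ICA\n"
SAMPLE_CTXSESSION_TCP = "Session Id: 3\nTransport Protocols: TCP > SSL > CGP > ICA\n"

if __name__ == "__main__":
    print(diagnose(SAMPLE_ICA, SAMPLE_CTXSESSION_EDT))
    print(diagnose(SAMPLE_ICA, SAMPLE_CTXSESSION_TCP))
```

Running it against a real session means saving the launch .ica file and pasting the `ctxsession -v` output; the `fell_back` flag distinguishes "EDT was never requested" from "EDT was requested and negotiation failed", which is the case the FAQ below addresses.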
Troubleshooting

There can be multiple reasons for the connection not going over EDT. Check the following:

• Open your ICA file and confirm that it contains "HDXOverUDP=Preferred".
• UDP service is not allowed in the client firewall or client subnet for Citrix Gateway service. Enable the firewall rule (Port 443, Protocol: UDP, Target: *.g.nssvc.net) to allow UDP service.
• Confirm that the VDA version is 1912 or later and that UDP service is allowed in the firewall and subnet for Citrix Gateway service. See the Network Ports documentation for details.
• Check the cipher settings in the VDA. See Rendezvous protocol for details.

MTU discovery

It is possible that the user might be trying to connect via a network that requires a Maximum Transmission Unit (MTU) lower than 1380, which is mostly seen in some mobile networks (3G, 4G) or VPN connections. This can result in heavy fragmentation of EDT packets, which can cause issues in session establishment over EDT.

• If you are having issues establishing sessions with EDT enabled and your users are using Windows devices, we suggest you enable EDT MTU Discovery. For details see EDT MTU Discovery.
• If your users are using devices that do not support EDT MTU Discovery, then consider disabling Adaptive Transport. If the session launch continues to fail with Adaptive Transport disabled, contact Citrix Technical Support.

FAQs

Why are HDX sessions being established over TCP even though EDT is enabled?

One of the following reasons might be causing EDT failures.

• The VDA version might be lower than the version (V1912) that supports EDT.
• Firewall rules might be blocking UDP traffic from the client or VDA to Citrix Gateway service.
• Cipher suites are not configured correctly on the VDA.
• The required encryption protocol is disabled (DTLS 1.0).
• The Connector might be on a lower version than the version in which EDT is supported.
• Citrix policy in Studio might be disabling Adaptive Transport.
• Rendezvous protocol is either not enabled in Citrix policy or not working in your environment.

Why is my session launch taking longer than expected?

If EDT fails and an application falls back to TCP, the fallback sequence adds more time to the launch process.
• To continue with EDT, check for the causes listed in the previous question. If you are still facing EDT failure issues, contact Citrix Technical Support.
• To continue without EDT, disable EDT in the broker policy to avoid the fallback delay.

Can I enable EDT MTU Discovery if I have users that use non-Windows devices?

Yes. Enabling EDT MTU Discovery does not affect clients that do not support the feature. These clients simply continue to use a static MTU.

Why am I facing a longer than usual launch duration of Virtual Apps and Desktops?

The issue might be with the registry key setting on your client. For more information, see https://support.citrix.com/article/CTX272399.

Is there a particular CWA version users need to run?

Any currently supported version of the Workspace app works. However, if using EDT MTU Discovery with Windows endpoints, users must use the Workspace app for Windows 1912 or newer.

Do we support all Windows platforms that support VDA 1912?

Although EDT is supported on all currently supported Windows versions, Citrix recommends using EDT through Gateway Service only with VDAs running on Windows 10 and Windows Server 2019. There are limitations on Windows Server 2012 R2 and 2016 that affect the performance of ICA sessions over EDT when using the gateway service.

If you have multiple versions of Windows in your environment, consider enabling Adaptive Transport in Delivery Groups that contain machines running Windows 10 and Windows Server 2019, and disabling Adaptive Transport for the others.

Support for Citrix Virtual Apps and Desktops

October 14, 2020

Citrix Gateway service provides users with secure access to Citrix Virtual Apps and Desktops across a range of devices including laptops, desktops, thin clients, tablets, and smartphones.

Citrix Gateway service enables secure, remote access to Citrix Virtual Apps and Desktops, without having to deploy the Citrix Gateway service in the DMZ or reconfigure your firewall.
The entire infrastruc- ture overhead of using Citrix Gateway moves to the cloud and hosted by Citrix. © 1999-2020 Citrix Systems, Inc. All rights reserved. 23
You enable Citrix Gateway service in Citrix Cloud. After enabling the service, users can access their VDAs from outside their network, as shown in the following diagram.

How it works

Users’ endpoints and their on-premises hosted resources (VDAs) are connected to their nearest respective POPs via Citrix Cloud Connectors. When a user selects a virtual app or desktop to launch from the Workspace app, the nearest POP hosting that connection identifies the pertinent resource location and directs it to establish a Citrix Cloud Connector session to that POP, forming an end-to-end connection over which the virtual session is then established.

• Sessions are linked via Citrix Gateway service across cloud partners’ WANs.
• VDAs and Workspace endpoints rendezvous at the Citrix Gateway service POP closest to the user.
• High quality sessions.

For more details, see Citrix Gateway service for HDX Proxy.

Enable the Citrix Gateway service

Following are the steps to enable Citrix Gateway service for Citrix Workspace users.

1. Sign in to Citrix Cloud Services as an admin user.
2. Click the hamburger icon and choose Workspace Configuration.
3. In the Access tab, under the External Connectivity section, locate the ellipsis next to My Resource Location under Citrix Virtual Apps and Desktops Service. Click the ellipsis, then click Configure Connectivity.
4. Choose Citrix Gateway service in the pop-up window and click Save.

Read-only access to SaaS and Web apps

May 21, 2020

Organizations usually comprise multiple administrators, and admins must be provided with different levels of access privileges. Security admin teams using Citrix Gateway Service can provide granular controls, such as read-only access to admins. Administrators who do not add or modify an app can be provided with read-only access to view the app details.

Citrix Gateway service admins with read-only access cannot perform the following tasks.

• Add Enterprise Web or SaaS apps.
• Add new Gateway connectors in existing or new resource locations.

How to provide read-only access to admins

After signing in to Citrix Cloud, select Identity and Access Management from the menu. On the Identity and Access Management page, click Administrators. The console shows all the current administrators in the account.

Add an administrator with read-only access

1. In Add administrators, select the identity provider from which you want to select the administrator. Sometimes, Citrix Cloud might prompt you to sign in to the identity provider first (for example, Azure Active Directory).
2. If Citrix Identity is selected, enter the user’s email address and then click Invite.
3. If Azure Active Directory is selected, type the name of the user you want to add and then click Invite.
4. Select Custom access. The following options appear:
   • Full Access Administrator (Technical Preview) – Provides full access.
   • Read Only Administrator (Technical Preview) – Provides read-only access.
5. Select Read Only Administrator (Technical Preview).
6. Click Send Invite.

Important:

• When you provide Read Only Administrator access to Citrix Gateway Service admins, you must also enable Library from the General Management list for those admins. Only then is the View option for the apps enabled for those admins.
• The Add a Web/SaaS App button is disabled for users with Read Only Administrator access.

To view the app details when admins have read-only access

1. After signing in to Citrix Cloud, select Library from the menu.
2. Select the app whose details you want to view and click the ellipsis. Only the View option is enabled. All other options are disabled.
3. Click View.
Support for Software as a Service apps

October 13, 2020

Software as a Service (SaaS) is a software distribution model that delivers software remotely as a web-based service. Commonly used SaaS apps include Salesforce, Workday, Concur, GoToMeeting, and so forth.

SaaS apps can be accessed through Citrix Workspace using the Citrix Gateway service. The Citrix Gateway service coupled with Citrix Workspace provides a unified user experience for the configured SaaS apps, configured virtual apps, or any other workspace resources.

SaaS app delivery using the Citrix Gateway service provides you an easy, secure, robust, and scalable solution to manage the apps. SaaS apps delivered on the cloud have the following benefits:

• Simple configuration – Easy to operate, update, and consume.
• Single sign-on – Hassle-free logon with single sign-on.
• Standard template for different apps – Template-based configuration of popular apps.

How SaaS apps are supported with the Citrix Gateway service

1. The customer admin configures SaaS apps using the Citrix Gateway service UI (citrix.cloud.com). The admin then adds subscribers (users) for the apps.
2. The admin provides the service URL to the users to access Citrix Workspace.
3. Users subscribed to an app can see the app upon logon to Citrix Workspace.
4. To launch the app, a user clicks the enumerated SaaS app icon.
5. The SaaS app trusts the SAML assertion provided by the Citrix Gateway service and the app is launched.

Note: Configured SaaS apps are aggregated along with virtual apps and other resources in Citrix Workspace for a unified user experience.

Ways to configure SaaS apps

SaaS apps can be configured and published in the following two ways:

• Template-based configuration – For configuration steps, see Configuring and publishing apps using a template.
• Manual configuration – Configuration steps are as follows.

Configure and publish apps manually

The following configuration takes the Splunk app as an example to configure and publish an app manually:

1. On the Citrix Gateway service tile, click Manage.
2. Click the Add a Web/SaaS app tab below the Single Sign On tile.
3. Click Skip to configure the Splunk app manually.
4. Select Outside my corporate network.
5. Enter the following details in the App Details section and click Save.

   Name – Name of the application.

   URL – URL with your customer ID. If SSO fails or the Don’t use SSO option is selected, the user is redirected to this URL.

   Customer domain name and Customer domain ID – The customer domain name and ID are used to create the app URL and other subsequent URLs on the SAML SSO page. For example, if you are adding a Salesforce app, your domain name is salesforceformyorg and your ID is 123754, then the app URL is https://salesforceformyorg.my.salesforce.com/?so=123754. The Customer domain name and Customer ID fields are specific to certain apps.

   Related Domains – The related domain is auto-populated based on the URL that you have provided. The related domain helps the service identify the URL as part of the app and route traffic accordingly. You can add more than one related domain.

   Icon – Click Change to change the app icon. The icon file size must be 128x128 pixels. If you do not change the icon, the default icon is displayed.

6. In the Enhanced Security section, select Enable enhanced security to choose the security options you would like to apply to the application.

   Important: The Enhanced Security section is available only if you are entitled to Access Control service. For details, see https://www.citrix.com/products/citrix-cloud/.

   • The following enhanced security options can be enabled for the application.
     – Restrict clipboard access: Disables cut/copy/paste operations between the app and the system clipboard.
     – Restrict printing: Disables the ability to print from within the Citrix Workspace app browser.
     – Restrict navigation: Disables the next/back app browser buttons.
     – Restrict downloads: Disables the user’s ability to download from within the app.
     – Display watermark: Displays a watermark on the user’s screen showing the user name and the IP address of the user’s machine.
   • The following advanced app protection policies can be enabled for the application.
     – Restrict keylogging: Protects against key loggers. When a user tries to log on to the app using the user name and password, all the keys are encrypted on the key loggers. Also, all activities that a user performs on the app are protected against key logging. For example, if app protection policies are enabled for Office365 and the user edits an Office365 Word document, all key strokes are encrypted on key loggers.
     – Restrict screen capture: Disables the ability to capture the screen using any of the screen capture programs or apps. If a user tries to capture the screen, a blank screen is captured.

     Important:
     – You can enable the advanced app protection policies only after enabling the Enable enhanced security option.
     – The app protection policies are enabled per app because not all apps might require these restrictions.
     – The app protection policies work only when the app is delivered through the Citrix embedded browser.
   • Select Launch application always in Citrix Secure Browser service to always launch an application in Secure Browser service regardless of other enhanced security settings.

     Note:
     – The other enhanced security options are still enforced once the app is launched inside the Secure Browser.
     – If you are accessing the app from the Citrix Workspace app or from Citrix Workspace for web, the app is launched in the embedded browser or the native browser respectively until the policy is enforced on mobile devices.
   • Select Enforce policy on mobile device to enable the previously mentioned enhanced security options on your mobile device.

     Note: When Enforce Policy on Mobile Device is selected along with Enable enhanced security, the user experience for application access is negatively impacted for desktop users and mobile users.

7. Select your preferred single sign-on type to be used for your application and click Save. The SAML and Don’t use SSO single sign-on types are available.

   SAML: Enter the following details in the SAML single sign-on section and click Save.
   • Assertion URL – The assertion URL is provided by the application vendor. The SAML assertion is sent to this URL.
   • Relay State – The Relay State parameter is used to identify the specific resource the users access after they are signed in and directed to the relying party’s federation server. Relay State generates a single URL for the users. Users can click this URL to log on to the target application.
   • Audience – The audience is provided by the application vendor. This value confirms that the SAML assertion is generated for the correct application.
   • Name ID Format – Select the supported name identifier format.
   • Name ID – Select the supported name ID.

   Don’t use SSO – Use the Don’t use SSO option when you do not need to authenticate a user on the back-end server. When you select the Don’t use SSO option, the user is redirected to the URL configured under the App Details section.

8. Download the metadata file by clicking the link under SAML Metadata. Use the downloaded metadata file to configure SSO on the SaaS app server.

   Note:
   • You can copy the SSO login URL under Login URL and use this URL when configuring SSO on the SaaS app server.
   • You can also download the certificate from the Certificate list and use the certificate when configuring SSO on the SaaS app server.

9. Click Finish.
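The Related Domains field in step 5 (and the same field in the template-based procedure later on this page) decides which URLs the service treats as part of the app and routes accordingly. The following is an added example, not Citrix code, showing the kind of host matching a related-domain list implies and why it must compare on DNS label boundaries rather than by substring. The app URL and domain list are constructed for illustration (the Salesforce URL pattern mirrors the one in the documentation), and the matching rule itself, including the assumption that the auto-populated value is the host of the app URL, is an assumption about how such a list is applied, not documented behaviour of the service.

```python
"""Decide whether a URL belongs to a configured app's related domains.

Added example, not Citrix code. The configuration below is constructed and
the matching rule is an assumption about how a related-domain list is applied.
"""
from urllib.parse import urlsplit

# Constructed app configuration (hypothetical values).
APP_URL = "https://salesforceformyorg.my.salesforce.com/?so=123754"
RELATED_DOMAINS = [
    "salesforceformyorg.my.salesforce.com",
    "*.salesforce.com",   # wildcard form, normalised below
    "force.com",
]


def normalize_domain(domain):
    """Lower-case a configured domain and strip a leading wildcard or trailing dot."""
    domain = domain.strip().lower().rstrip(".")
    if domain.startswith("*."):
        domain = domain[2:]
    return domain


def host_matches(host, domain):
    """True when host equals domain or is a subdomain of it.

    The comparison is on DNS label boundaries: 'login.salesforce.com' matches
    'salesforce.com', while 'mysalesforce.com' and 'salesforce.com.example.net'
    do not, so unrelated hosts are never routed as part of the app.
    """
    host = host.lower().rstrip(".")
    domain = normalize_domain(domain)
    return host == domain or host.endswith("." + domain)


def naive_matches(host, domain):
    """Substring check a hurried implementation might use; kept only to show the difference."""
    return normalize_domain(domain) in host.lower()


def belongs_to_app(url, related_domains=RELATED_DOMAINS):
    """Return True when the URL should be routed as part of the app."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return any(host_matches(parts.hostname, d) for d in related_domains)


def default_related_domain(app_url):
    """Assumed auto-populated value: the host name of the app URL."""
    return urlsplit(app_url).hostname


if __name__ == "__main__":
    for url in ("https://login.salesforce.com/sso",
                "https://mysalesforce.com/",
                "https://salesforce.com.example.net/"):
        print(url, "->", belongs_to_app(url))
```

Running the block shows that only the first URL is routed as part of the app; `naive_matches` would have accepted the third, which is the misrouting a label-boundary comparison prevents.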
After you click Finish, the app is added to the library and you are presented with the following three options.

• Add Another App
• Edit App
• Go to the Library

Assign users or user groups for the published apps

After an app is published, you can assign users or groups to the app.

1. On the Citrix Cloud screen, click Go to the Library. Alternatively, you can also click Library in the upper left menu. Notice that the newly added app appears in your library.
2. To assign users to the app, hover your pointer over the ellipsis on the right, and click Manage Subscribers.
3. Click the Choose a domain list and select a domain. Click Choose a group or user and assign users.

   Note: A subscribed user can be unsubscribed by selecting the user and clicking the delete icon next to Status.

4. To obtain the Workspace URL to be shared with app users, on Citrix Cloud, click the menu icon and navigate to Workspace Configuration.

Manage published apps

You can edit or delete a published app, and add more subscribers to the published app.

Edit a published app

To edit a published app, perform the following steps:

1. Go to Library and identify the app to be edited.
2. Hover your pointer over the ellipsis on the right and click Edit.
3. Edit the entries under the App Details section and click Save.
4. Edit the entries under the Single Sign On section, click Save, and click Finish.
5. The following screen appears indicating that the app has been modified.

Delete a published app

To delete a published app, perform the following steps:

1. Go to Library and identify the app to be deleted.
2. Click the dot icon on the right and click Delete.

Manage subscribers for a published app

To add more subscribers, perform the following steps:

1. Go to Library and identify the app to be modified.
2. Hover your pointer over the ellipsis on the right, and click Manage Subscribers.

Launch a configured app - end-user flow

To launch a configured app, perform the following steps:
1. Log on to Citrix Workspace with AD user credentials. The admin-configured apps are displayed.
2. Click the app to launch it. The app is launched and the user is signed in to the app.

Apps configuration using a template

October 13, 2020

SaaS app configuration with single sign-on on the Citrix Gateway service is simplified by provisioning a template list for popular SaaS apps. The SaaS app to be configured can be selected from the list. The template pre-fills much of the information required for configuring applications. However, the information specific to the customer must still be provided.

Note: The following section has the steps to be performed on the Citrix Gateway service for configuring and publishing an app using a template. The configuration steps to be performed on the app server are presented in the subsequent section.

Configuring and publishing apps using a template - Citrix Gateway service specific configuration

The following configuration takes the Aha app as an example to configure and publish an app using a template.

1. On the Citrix Gateway service tile, click Manage.
2. Click the Add a Web/SaaS app tab below the Single Sign On tile.
3. Select the app you want to configure using the Choose a Template list and click Next.
4. Enter the following details in the App Details section and click Save.

   Name – Name of the application.

   URL – URL with your customer ID. The user is redirected to this URL if:
   - SSO fails, or
   - the Don’t use SSO option is selected.

   Customer domain name and Customer domain ID – The customer domain name and ID are used to create the app URL and other subsequent URLs on the SAML SSO page. For example, if you are adding a Salesforce app, your domain name is salesforceformyorg and your ID is 123754, then the app URL is https://salesforceformyorg.my.salesforce.com/?so=123754. The Customer domain name and Customer ID fields are specific to certain apps.

   Related Domains – The related domain is auto-populated based on the URL that you have provided. The related domain helps the service identify the URL as part of the app and route traffic accordingly. You can add more than one related domain.

   Icon – Click Change icon to change the app icon. The icon file size must be 128x128 pixels. If you do not change the icon, the default icon is displayed.

5. In the Enhanced Security section, select Enable enhanced security to choose the security options you would like to apply to the application and click Next.

   Important: The Enhanced Security section is available only if you are entitled to Access Control service. For details, see https://www.citrix.com/products/citrix-cloud/.

   • The following enhanced security options can be enabled for the application.
     – Restrict clipboard access: Disables cut/copy/paste operations between the app and the system clipboard.
     – Restrict printing: Disables the ability to print from within the Citrix Workspace app browser.
     – Restrict navigation: Disables the next/back app browser buttons.
     – Restrict downloads: Disables the user’s ability to download from within the app.
     – Display watermark: Displays a watermark on the user’s screen showing the user name and the IP address of the user’s machine.
   • The following advanced app protection policies can be enabled for the application.
     – Restrict keylogging: Protects against key loggers. When a user tries to log on to the app using the user name and password, all the keys are encrypted on the key loggers. Also, all activities that a user performs on the app are protected against key logging. For example, if app protection policies are enabled for Office365 and the user edits an Office365 Word document, all key strokes are encrypted on key loggers.
     – Restrict screen capture: Disables the ability to capture the screen using any of the screen capture programs or apps. If a user tries to capture the screen, a blank screen is captured.

     Important:
     – You can enable the advanced app protection policies only after enabling the Enable enhanced security option.
     – The app protection policies are enabled per app because not all apps might require these restrictions.
     – The app protection policies work only when the app is delivered through the Citrix embedded browser.
   • Select Launch application always in Citrix Secure Browser service to always launch an application in Secure Browser service regardless of other enhanced security settings.

     Note:
     – The other enhanced security options are still enforced once the app is launched inside the Secure Browser.
     – If you are accessing the app from the Citrix Workspace app or from Citrix Workspace for web, the app is launched in the embedded browser or the native browser respectively until the policy is enforced on mobile devices.
   • Select Enforce policy on mobile device to enable the previously mentioned enhanced security options on your mobile device.

     Note: When Enforce Policy on Mobile Device is selected along with Enable enhanced security, the user experience for application access is negatively impacted for desktop users and mobile users.

6. Enter the following SAML configuration details in the Single Sign On section and click Save.

   Assertion URL – The SaaS app SAML assertion URL provided by the application vendor. The SAML assertion is sent to this URL.

   Relay State – The Relay State parameter is used to identify the specific resource the users access after they are signed in and directed to the relying party’s federation server. Relay State generates a single URL for the users. Users can click this URL to log on to the target application.

   Audience – The service provider for whom the assertion is intended.

   Name ID Format – Select the supported name identifier format.

   Name ID – Select the supported name ID.

   Note: When the Don’t use SSO option is selected, the user is redirected to the URL configured under the App Details section.

7. Download the metadata file by clicking the link under SAML Metadata. Use the downloaded metadata file to configure SSO on the SaaS app server.

   Note:
   • You can copy the SSO login URL under Login URL and use this URL when configuring SSO on the SaaS app server.
   • You can also download the certificate from the Certificate list and use the certificate when configuring SSO on the SaaS app server.

8. Click Finish.
9. The following screen appears indicating that the app has been added to the Library.
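The SAML fields in step 6 (and the same fields in the manual procedure earlier on this page) are the values a SaaS app server uses to decide whether an assertion was meant for it: the Assertion URL must match the assertion's Recipient and the response's Destination, the Audience must name the app, and the validity window must be honoured. The following is an added example, not Citrix code and not any SaaS vendor's implementation, of those checks on the app-server side. The SAML response and the URLs in it are constructed for illustration, and the code assumes the XML signature has already been verified by the server's SAML library before these checks run; they cover only the binding of the assertion to this service provider.

```python
"""Service-provider side checks on a SAML response, stdlib only.

Added example, not Citrix code. The response below is constructed; the
hostnames are hypothetical. Signature verification is assumed to have been
done already by the SP's SAML library.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response. Its attributes mirror the fields configured on
# the Citrix side: Assertion URL (Destination / Recipient), Audience,
# Name ID Format and Name ID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2020-10-13T10:00:00Z"
    Destination="https://app.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-10-13T10:00:00Z">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://app.example.com/saml/acs"
            NotOnOrAfter="2020-10-13T10:05:00Z" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-10-13T09:59:00Z" NotOnOrAfter="2020-10-13T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp (fractional seconds, if present, are dropped)."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def utc(hour, minute):
    """Clock value on the sample day, used to evaluate the validity window."""
    return datetime(2020, 10, 13, hour, minute, tzinfo=timezone.utc)


def validate_response(xml_text, expected_audience, expected_acs_url, now,
                      expected_in_response_to=None, clock_skew=timedelta(seconds=60)):
    """Return a list of problems; an empty list means the assertion is bound to this SP."""
    problems = []
    root = ET.fromstring(xml_text)
    # Destination is optional on the Response, but when present it must be our ACS.
    if root.get("Destination") not in (None, expected_acs_url):
        problems.append("Destination does not match the assertion URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("no Conditions element")
    else:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now + clock_skew < _ts(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now - clock_skew >= _ts(not_on_or_after):
            problems.append("assertion expired")
        # The Audience field on the Citrix side ends up here; reject assertions minted for another app.
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("audience mismatch: %r" % audiences)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != expected_acs_url:
            problems.append("Recipient does not match the assertion URL")
        if scd.get("NotOnOrAfter") and now - clock_skew >= _ts(scd.get("NotOnOrAfter")):
            problems.append("subject confirmation expired")
        if expected_in_response_to and scd.get("InResponseTo") != expected_in_response_to:
            problems.append("InResponseTo does not match the outstanding request")
    return problems


def subject_of(xml_text):
    """Return (NameID value, NameID Format), the two Name ID settings chosen in the UI."""
    name_id = ET.fromstring(xml_text).find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return (name_id.text, name_id.get("Format")) if name_id is not None else (None, None)


if __name__ == "__main__":
    print(subject_of(SAMPLE_RESPONSE))
    print(validate_response(SAMPLE_RESPONSE, "https://app.example.com",
                            "https://app.example.com/saml/acs", utc(10, 1), "_req42"))
    print(validate_response(SAMPLE_RESPONSE, "https://other.example.com",
                            "https://app.example.com/saml/acs", utc(10, 1)))
```

Run as a script, the block prints the subject (alice@example.com with the emailAddress format), an empty problem list for the correct audience and assertion URL, and a single audience-mismatch problem when the same response is evaluated for a different application; evaluating it after the NotOnOrAfter time reports both the assertion and the subject confirmation as expired. The one-minute clock skew allowance is a design choice for the example, not a value taken from the page.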
Perform the application server specific configuration for configuring and publishing the app using the template. For details on each app server specific configuration, see SaaS app server specific configuration.

SaaS app server specific configuration

August 25, 2020

Following are the links to the documents that have guidance on app server specific configuration using a template. Citrix presently supports the following SaaS apps and is continually adding support for more apps.

• 15Five - Continuous performance management tool to coach employees.
• 10000 ft - Project management tool to plan for growth.
• 4me - Service management tool for collaboration between internal, external, and outsourced teams.
• Abacus - Real-time expense reporting software.
• Absorb - Learning management tool.
• Accompa - Requirements management tool to build products.
• Adobe Captivate Prime - Learning management system to deliver personalized learning experiences across devices.
• Aha - Product roadmap and marketing planning tool to build products and launch campaigns.
• AlertOps - Collaborative incident response tool to manage IT incidents.
• Allocadia - Marketing performance management tool to manage an organization’s marketing planning process.
• Anaplan - Planning tool to help organizations with decision making by connecting data, people, and plans.
• &frankly - An engagement tool to drive change in the workplace.
• Anodot - An AI platform that monitors time series data, detects anomalies, and forecasts business performance in real time.