Legacy Citrix configuration

From Stratodesk Knowledge Base

Legacy Citrix product specific information

PNA-based sites

Generally speaking, the Citrix/StoreFront connection mode also works fine with PNA-based sites. There are only a few corner cases where it makes sense to switch back to other, older modes.

These connection modes deal with PNA-sites.

  • Citrix/Program Neighborhood. Logs in to the Web frontend (in the background!) and puts all available published applications into the local Start Menu, allowing the user to choose from many available resources.

Expired passwords

The Citrix Workspace App for Linux has a feature that allows users to enter a new password should theirs have expired. This has to be done before actually logging in, so it requires a special mechanism. Again, this functionality is provided by the Citrix Receiver; it just needs to be configured properly. Set these two parameters in the Citrix parameters correctly:

  • Kerberos KDC Server (Domain Controller Name). This needs to be a DNS host name or IP address of the Domain Controller. Please make sure the name is resolvable by DNS (i.e. not just a Windows/WINS name) - a simple test is to ping the name from the Console of a NoTouch system or any other non-Windows system such as a Mac.
  • Kerberos KDC Realm (Domain Name). Set this to the domain name of your AD domain.

Keep in mind that NoTouch systems are not members of the AD domain - this is the reason why you have to supply these parameters to NoTouch, which in turn passes them on directly to the Citrix Receiver.


Non-StoreFront XenApp

Registering at the Citrix Web frontend allows for better load balancing, reconnect and session distribution, since the user authenticates first to the connection broker, and after that starts a connection to a specified server.

  1. Create a connection
  2. Set session type to "Citrix Workspace App"
  3. Save changes and then navigate to the "Citrix Workspace App" parameter subcategory
  4. Set the "Citrix URL" parameter to a URL containing the host name/IP address where the Web frontend is installed, such as http://mycitrix.mycompany.com/Citrix/Store/PNAgent/config.xml
    • Have your Citrix URL always refer to a config.xml if possible. Yes, you can abbreviate but only if the paths are standard like /Citrix/PNAgent on the server
  5. Save changes

Non-StoreFront XenDesktop

XenDesktop also uses the ICA/HDX protocol and the Citrix Web service, so the configuration is similar to how you would configure XenApp. (Note that there is a special hint for XenDesktop 7 below...)

  1. Create a connection
  2. Set the connection mode to either (according to what you want to use)
      • In this case please write the name of the desktop to be started into the "Launch Resource" parameter. Observe case, spaces, punctuation!
    • "Citrix/Program Neighborhood" (get desktops added to local start menu)
  3. Set the parameter "Citrix URL" in the Citrix parameter subtree to the URL where the Citrix Webservice resides

There are a few other hints you should consider (mostly these are fulfilled by default, but double check):

  • Workplace-Management has to be set to either none, disconnected or all. This will either reconnect no sessions (none), only disconnected sessions (disconnected) or all kinds of sessions (all).
  • The authentication method for the webxml service must be set to 'prompt'. 'passthrough' is NOT supported by the Linux Citrix Workspace App.
  • Make sure the device is set to 24 bit colordepth and the ICA session is also using 24 bit colordepth.

XenDesktop 7 and higher

XenDesktop 7 and higher have - by default - only the StoreFront interface active. This is perfectly fine as you can use the Citrix/StoreFront connection mode (see above). Only if you want to use the other modes that use config.xml, you need to enable "Legacy Support" according to this screenshot:

[Screenshot: PNAgent 1.jpg]

Non-StoreFront Access Gateway

Connecting via Citrix Access Gateway is, generally speaking, not different from connecting to a XenApp or XenDesktop. However, there are three things you need to be aware of:

  • Configuration of Access Gateway and Citrix URLs. Please see http://support.citrix.com/article/CTX124937 for information on how to make Access Gateway work directly with Citrix Receiver (i.e. NoTouch).
  • Citrix URLs: When just providing a short URL or even just a host name, NoTouch will add the standard config.xml path for you. People using Access Gateway are much more likely to change paths, so the automatic completion won't work; you must provide the exact and correct URL to config.xml.
  • Certificates: If you use HTTPS (SSL) with a self-signed/private certificate (and not one from a well-known certificate authority), then you must upload your root CA certificate to NoTouch. The Citrix Receiver does not offer an option to ignore unverifiable certificates nor does it offer to accept and store a private certificate for you (as a web browser does). It must be present before the connection is launched, no matter if you connect via browser or directly with the Citrix Receiver. See here for more information on how to deal with certificates in NoTouch: Certificates

Furthermore, you need to have Access Gateway configured correctly as well:

  • it must allow the connection from wherever you are connecting (IP/network range)
  • it must allow the connection from the user account and the user account must be allowed to connect from this network
  • it must allow the connection from a non-Windows machine and non-domain member
  • make sure that there are no redirects that only work "inside", no private IP addresses are used

The following article may be helpful as well: http://www.jasonsamuel.com/2012/04/10/how-to-setup-your-citrix-netscaler-access-gateway-and-web-interface-for-ipads-and-mobile-devices-that-use-citrix-receiver/

Note that if it works from another client, notably a Windows PC, this doesn't mean your Access Gateway is configured correctly. Especially when testing from inside your network with external URLs, you may experience a perfectly working scenario, and from outside it doesn't work. You might find out that your system would redirect to internal IP addresses or find similar error causes.

Non-StoreFront NetScaler

Similar to what is said above about NetScaler, in general there is no difference between connecting with or without NetScaler. However, there are three things you need to be aware of:

  • Configuration of NetScaler and PNAgent service. Please see http://support.citrix.com/article/CTX133771 for information on how to configure the PNAgent service (config.xml) on NetScaler.
  • Citrix URLs: When just providing a short URL or even just a host name, NoTouch will add the standard config.xml path for you. People using NetScaler are much more likely to change paths, so the automatic completion won't work; you must provide the exact and correct URL to config.xml.
  • Certificates: If you use HTTPS (SSL) with a self-signed/private certificate (and not one from a well-known certificate authority), then you must upload your root CA certificate to NoTouch. The Citrix Receiver does not offer an option to ignore unverifiable certificates nor does it offer to accept and store a private certificate for you (as a web browser does). It must be present before the connection is launched, no matter if you connect via browser or directly with the Citrix Receiver. See here for more information on how to deal with certificates in NoTouch: Certificates

The following article may be helpful as well: http://www.jasonsamuel.com/2012/04/10/how-to-setup-your-citrix-netscaler-access-gateway-and-web-interface-for-ipads-and-mobile-devices-that-use-citrix-receiver/

Note that if it works from another client, notably a Windows PC, this doesn't mean your NetScaler is configured correctly. Especially when testing from inside your network with external URLs, you may experience a perfectly working scenario, and from outside it doesn't work. You might find out that your system would redirect to internal IP addresses or find similar error causes.
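
The Access Gateway and NetScaler notes above (exact config.xml URL, private root CA, redirects to internal addresses) can be checked from outside the network before a device is configured. The following is an added example, not Stratodesk or Citrix code; the function names are hypothetical, and ca_file is assumed to be the PEM root CA certificate you intend to upload to NoTouch.

```python
import ipaddress
import ssl
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit


def is_internal_host(host):
    """True for private, loopback or link-local IP literals (DNS names: False)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    return ip.is_private or ip.is_loopback or ip.is_link_local


def url_problems(url):
    """Static checks on the value entered as "Citrix URL"."""
    parts, problems = urlsplit(url), []
    if parts.scheme != "https":
        problems.append("not HTTPS: server identity is not verified")
    if not parts.path.lower().endswith("/config.xml"):
        problems.append("path does not end in config.xml")
    if is_internal_host(parts.hostname or ""):
        problems.append("host is an internal IP address")
    return problems


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx instead of silently following it


def probe(url, ca_file, timeout=10):
    """Fetch config.xml trusting only the root CA in ca_file; an unverifiable
    chain or unreachable host raises urllib.error.URLError."""
    ctx = ssl.create_default_context(cafile=ca_file)
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx), NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return {"status": resp.status, "redirect": None, "internal": False}
    except urllib.error.HTTPError as err:
        loc = err.headers.get("Location") if 300 <= err.code < 400 else None
        target = urljoin(url, loc) if loc else None
        host = urlsplit(target).hostname if target else ""
        return {"status": err.code, "redirect": target,
                "internal": is_internal_host(host or "")}
```

Run probe() from a machine outside the corporate network: a result with "internal" set to True is the "works inside, fails outside" redirect described above, and a URLError at this stage means the uploaded root CA would not validate the server's certificate chain.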