Citrix Cloud Connector requirements
The Citrix Cloud Connector is a component with a collection of Windows services installed on Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, or Windows Server 2022.
System requirements
The machines hosting the Cloud Connector must meet the following requirements. Citrix strongly recommends installing at least two Cloud Connectors in each resource location to ensure high availability.
See also our best practice recommendations for Cloud Connector machine configuration for Citrix DaaS (formerly Citrix Virtual Apps and Desktops service): Scale and size considerations for Cloud Connectors.
Operating systems
The following operating systems are supported:
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2 (deprecated)
The Cloud Connector is not supported for use with Windows Server Core.
.NET requirements
Microsoft .NET Framework 4.7.2 or later is required.
Server requirements
- Use dedicated machines for hosting the Cloud Connector. Do not install any other components on these machines.
- The machines are not configured as Active Directory domain controllers. Installing the Cloud Connector on a domain controller is not supported.
- Server clock is set to the correct UTC time.
- Internet Explorer Enhanced Security Configuration (IE ESC) is turned off. If this is turned on, the Cloud Connector might not be able to establish connectivity with Citrix Cloud Government.
- Citrix strongly recommends enabling Windows Update on all machines hosting the Cloud Connector. When configuring Windows Update, automatically download and install updates, but do not allow automatic restarts. The Citrix Cloud Government platform handles machine restarts, allowing them for only one Cloud Connector at a time when needed. Alternatively, you can control when the machine is restarted after an update using Group Policy. For more information, see https://docs.microsoft.com/en-us/windows/deployment/update/waas-restart.
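The operating system, .NET and server requirements above can be checked locally before running the installer. The following PowerShell is an added example, not Citrix code; the registry paths, the .NET `Release` threshold of 461808 and the IE ESC component keys come from Microsoft's Windows documentation rather than from this page.

```powershell
# Added example (not Citrix code). Read-only checks; run locally on the candidate host.
$checks = [ordered]@{}

# Server Core is unsupported: InstallationType reads "Server" for Desktop Experience.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$checks['Full (non-Core) install'] = ($cv.InstallationType -eq 'Server')

# .NET Framework 4.7.2 or later corresponds to a Release value of 461808 or higher.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$checks['.NET Framework >= 4.7.2'] = ($null -ne $ndp -and $ndp.Release -ge 461808)

# Win32_ComputerSystem.DomainRole: 3 = member server, 4 and 5 = domain controllers.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$checks['Joined to a domain'] = [bool]$cs.PartOfDomain
$checks['Not a domain controller'] = ($cs.DomainRole -notin @(4, 5))

# IE ESC is off when IsInstalled is 0 under both the admin and user component keys.
$escOff = $true
foreach ($id in '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}', '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}') {
    $key = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$id"
    $val = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($val -and $val.IsInstalled -ne 0) { $escOff = $false }
}
$checks['IE ESC turned off'] = $escOff

# Emit one row per requirement so failures are easy to spot or to alert on.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Requirement = $_.Key; Met = $_.Value }
} | Format-Table -AutoSize
```

The clock and Windows Update restart settings are not covered here because they depend on your time source and Group Policy design.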
Certificate validation requirements
Cloud Connector binaries and endpoints that the Cloud Connector contacts are protected by X.509 certificates issued by widely respected enterprise certificate authorities (CAs). Certificate verification in Public Key Infrastructure (PKI) includes the Certificate Revocation List (CRL). When a client receives a certificate, the client checks whether it trusts the CA that issued the certificates and whether the certificate is on a CRL. If the certificate is on a CRL, the certificate is revoked and cannot be trusted, even though it appears valid.
The CRL servers use HTTP on port 80 instead of HTTPS on port 443. Cloud Connector components themselves do not communicate over external port 80. The need for external port 80 is a byproduct of the certificate verification process that the operating system performs.
The X.509 certificates are verified during the Cloud Connector installation. So, all Cloud Connector machines must be configured to trust these certificates to ensure that the Cloud Connector software can be installed successfully.
Citrix Cloud endpoints are protected by certificates issued by DigiCert or by one of the Root Certificate Authorities used by Azure. For more information on the Root CAs used by Azure, see https://docs.microsoft.com/en-us/azure/security/fundamentals/tls-certificate-changes.
To validate the certificates, each Cloud Connector machine must meet the following requirements:
- HTTP port 80 is open to the following addresses. This port is used during Cloud Connector installation and during the periodic CRL checks. For more information about how to test for CRL and OCSP connectivity, see https://www.digicert.com/kb/util/utility-test-ocsp-and-crl-access-from-a-server.htm on the DigiCert website.
http://cacerts.digicert.com/
http://dl.cacerts.digicert.com/
http://crl3.digicert.com
http://crl4.digicert.com
http://ocsp.digicert.com
http://www.d-trust.net
http://root-c3-ca2-2009.ocsp.d-trust.net
http://crl.microsoft.com
http://oneocsp.microsoft.com
http://ocsp.msocsp.com
- Communication with the following addresses is enabled:
https://*.digicert.com
- The following root certificates are installed:
https://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
https://cacerts.digicert.com/DigiCertGlobalRootG2.crt
https://cacerts.digicert.com/DigiCertGlobalRootCA.crt
https://cacerts.digicert.com/DigiCertTrustedRootG4.crt
https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt
https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_2009.crt
https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt
https://www.microsoft.com/pkiops/certs/Microsoft%20EV%20ECC%20Root%20Certificate%20Authority%202017.crt
https://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt
- The following intermediate certificates are installed:
https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
https://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt
If any certificate is missing, the Cloud Connector installer will download it from http://cacerts.digicert.com.
For complete instructions for downloading and installing the certificates, see CTX223828.
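To confirm these requirements on a machine, the following PowerShell tests port 80 reachability to each CRL and OCSP host and looks for the listed certificates in the machine stores. It is an added example, not Citrix code; the subject common names are an assumption about what the listed `.crt` files contain, and matching by name is weaker than comparing thumbprints obtained from the CA.

```powershell
# Added example (not Citrix code). Read-only; run on the Cloud Connector host.
# Hosts copied from the HTTP port 80 list above.
$crlHosts = @(
    'cacerts.digicert.com', 'dl.cacerts.digicert.com', 'crl3.digicert.com',
    'crl4.digicert.com', 'ocsp.digicert.com', 'www.d-trust.net',
    'root-c3-ca2-2009.ocsp.d-trust.net', 'crl.microsoft.com',
    'oneocsp.microsoft.com', 'ocsp.msocsp.com'
)
# Assumption: subject common names carried by the .crt files listed above.
$expected = @{
    'Cert:\LocalMachine\Root' = @(
        'DigiCert Assured ID Root CA', 'DigiCert Global Root G2',
        'DigiCert Global Root CA', 'DigiCert Trusted Root G4',
        'Baltimore CyberTrust Root', 'D-TRUST Root Class 3 CA 2 2009',
        'Microsoft RSA Root Certificate Authority 2017',
        'Microsoft EV ECC Root Certificate Authority 2017',
        'Microsoft ECC Root Certificate Authority 2017'
    )
    'Cert:\LocalMachine\CA' = @(
        'DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1',
        'DigiCert SHA2 Assured ID Code Signing CA'
    )
}

# 1. Direct TCP reachability on port 80 for CRL and OCSP retrieval.
$network = foreach ($h in $crlHosts) {
    $ok = Test-NetConnection -ComputerName $h -Port 80 -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Host = $h; Port80Reachable = $ok }
}

# 2. Presence and expiry of each expected certificate in its machine store.
$now = Get-Date
$certs = foreach ($storePath in $expected.Keys) {
    $store = Get-ChildItem -Path $storePath
    foreach ($cn in $expected[$storePath]) {
        $found = @($store | Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $cn })
        [pscustomobject]@{
            Store     = $storePath
            Name      = $cn
            Present   = ($found.Count -gt 0)
            Unexpired = [bool]($found | Where-Object { $_.NotAfter -gt $now })
        }
    }
}

$network | Format-Table -AutoSize
$certs | Sort-Object Store, Name | Format-Table -AutoSize
```

`Test-NetConnection` opens a direct TCP connection, so a host that is reachable only through an outbound proxy is reported as unreachable.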
Active Directory requirements
- Joined to an Active Directory domain that contains the resources and users that you will use to create offerings for your users. For multi-domain environments, see Deployment scenarios for Cloud Connectors in Active Directory in this article.
- Each Active Directory forest you plan to use with Citrix Cloud Government should be reachable by two Cloud Connectors at all times.
- The Cloud Connector must be able to reach the parent (root) domain controllers as well as the child domain controllers in the Active Directory infrastructure (to complete the Active Directory workflows) in which the Cloud Connector is installed. For more information, refer to the following Microsoft support articles:
Network requirements
- Connected to a network that can contact the resources you will use in your resource location. For more information, see Cloud Connector Proxy and Firewall Configuration.
- Connected to the Internet. For more information, see Internet Connectivity Requirements.
Supported Active Directory functional levels
The Citrix Cloud Connector supports the following forest and domain functional levels in Active Directory.
Forest Functional Level | Domain Functional Level | Supported Domain Controllers |
---|---|---|
Windows Server 2008 R2 | Windows Server 2008 R2 | Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 |
Windows Server 2008 R2 | Windows Server 2012 | Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 |
Windows Server 2008 R2 | Windows Server 2012 R2 | Windows Server 2012 R2, Windows Server 2016 |
Windows Server 2008 R2 | Windows Server 2016 | Windows Server 2016 |
Windows Server 2012 | Windows Server 2012 | Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 |
Windows Server 2012 | Windows Server 2012 R2 | Windows Server 2012 R2, Windows Server 2016 |
Windows Server 2012 | Windows Server 2016 | Windows Server 2016 |
Windows Server 2012 R2 | Windows Server 2012 R2 | Windows Server 2012 R2, Windows Server 2016 |
Windows Server 2012 R2 | Windows Server 2016 | Windows Server 2016 |
Windows Server 2016 | Windows Server 2016 | Windows Server 2016, Windows Server 2019, Windows Server 2022 |
Federal Information Processing Standard (FIPS) support
The Cloud Connector currently supports the FIPS-validated cryptographic algorithms that are used on FIPS-enabled machines. Only the latest version of the Cloud Connector software available in Citrix Cloud Government includes this support. If you have existing Cloud Connector machines in your environment (installed before November 2018) and you want to enable FIPS mode on these machines, perform the following actions:
- Uninstall the Cloud Connector software on each machine in your resource location.
- Enable FIPS mode on each machine.
- Install the latest version of the Cloud Connector on each FIPS-enabled machine.
Important:
- Do not attempt to upgrade existing Cloud Connector installations to the latest version. Always uninstall the old Cloud Connector first and then install the newer one.
- Do not enable FIPS mode on a machine hosting an older Cloud Connector version. Cloud Connectors older than Version 5.102 do not support FIPS mode. Enabling FIPS mode on a machine with an older Cloud Connector installed prevents Citrix Cloud Government from performing regular maintenance updates for the Cloud Connector.
For instructions to download the latest version of the Cloud Connector, see Task 3: Install Cloud Connectors.
Deployment scenarios for Cloud Connectors in Active Directory
If you have a single domain in a single forest, installing Cloud Connectors in that domain is all you need to establish a resource location. However, if you have multiple domains in your environment, you’ll need to consider where to install the Cloud Connectors so that users can access the resources you make available through Citrix Cloud Government.
Note:
The resource locations below form a blueprint that may need to be repeated in other physical locations depending on where your resources are hosted.
Single domain in a single forest with a single set of Cloud Connectors
In this scenario, a single domain contains all the resource and user objects (forest1.local). One set of Cloud Connectors is deployed within a single resource location and joined to the forest1.local domain.
- Trust relationship: None - single domain
- Domains listed in Identity and Access Management: forest1.local
- User logons to Citrix Workspace: Supported for all users
- User logons to an on-premises StoreFront: Supported for all users
Parent and child domains in a single forest with a single set of Cloud Connectors
In this scenario, a parent domain (forest1.local) and its child domain (user.forest1.local) reside within a single forest. The parent domain acts as the resource domain and the child domain is the user domain. One set of Cloud Connectors is deployed within a single resource location and joined to the forest1.local domain.
- Trust relationship: Parent/child domain trust
- Domains listed in Identity and Access Management: forest1.local, user.forest1.local
- User logons to Citrix Workspace: Supported for all users
- User logons to an on-premises StoreFront: Supported for all users
Note:
You might need to restart the Cloud Connectors to ensure Citrix Cloud Government registers the child domain.
Users and resources in separate forests (with trust) with a single set of Cloud Connectors
In this scenario, one forest (forest1.local) contains your resource domain and one forest (forest2.local) contains your user domain. A trust exists between these forests that allows users to log on to resources. One set of Cloud Connectors is deployed in a single resource location and joined to the forest1.local domain.
- Trust relationship: Forest trust
- Domains listed in Identity and Access Management: forest1.local
- User logons to Citrix Workspace: Supported for forest1.local users only
- User logons to an on-premises StoreFront: Supported for all users
Note:
The trust relationship between the two forests must permit users in the user forest to log on to machines in the resource forest.
Because Cloud Connectors can’t traverse forest-level trusts, the forest2.local domain is not displayed on the Identity and Access Management page in the Citrix Cloud Government console. This carries the following limitations:
- Resources can only be published to users and groups located in forest1.local in Citrix Cloud Government. However, forest2.local users may be nested into forest1.local security groups to mitigate this issue.
- Citrix Workspace cannot authenticate users from the forest2.local domain.
To work around these limitations, deploy the Cloud Connectors as described in Users and resources in separate forests (with trust) with a set of Cloud Connectors in each forest.
Users and resources in separate forests (with trust) with a set of Cloud Connectors in each forest
In this scenario, one forest (forest1.local) contains your resource domain and one forest (forest2.local) contains your user domain. A trust exists between these forests that allows users to log on to resources. One set of Cloud Connectors is deployed within the forest1.local domain and a second set is deployed within the forest2.local domain.
- Trust relationship: Forest trust
- Domains listed in Identity and Access Management: forest1.local, forest2.local
- User logons to Citrix Workspace: Supported for all users
- User logons to an on-premises StoreFront: Supported for all users
Installation requirements
- Download the Cloud Connector software only from Citrix Cloud Government and install it on prepared machines. By default the Cloud Connector installer attempts to connect with the control plane from which it is downloaded. So, if you attempt to install the software downloaded from a commercial Citrix Cloud account, the installer will not connect with Citrix Cloud Government.
- Because the Cloud Connector software is downloaded, your browser must allow downloading executable files.
Important usage considerations
- Keep all Cloud Connectors powered on at all times to ensure an always-on connection to Citrix Cloud Government.
- Do not upgrade a previously-installed Cloud Connector with a newer version. Instead, uninstall the old Cloud Connector and then install the new one.
- Citrix strongly recommends enabling Windows Update on all machines hosting the Cloud Connector.
- Citrix strongly recommends installing at least two (2) Cloud Connectors in each resource location. In general, the number of Cloud Connectors you should install is N+1, where N is the capacity needed to support the infrastructure within your resource location. This ensures the connection between Citrix Cloud Government and your resource location remains intact in the event any single Cloud Connector becomes unavailable.
- Each Active Directory forest you plan to use with Citrix Cloud Government should be reachable by two Cloud Connectors at all times.
- After installation, do not move the machine hosting the Cloud Connector into a different domain. If the machine needs to be joined to a different domain, uninstall the Cloud Connector and then re-install it after the machine is joined to the different domain.
View the health of the Cloud Connector
The Resource Locations page in Citrix Cloud Government displays the health status of all the Cloud Connectors in your resource locations.
Troubleshoot the Cloud Connector
The first step in diagnosing any issues with the Cloud Connector is to check the event messages and event logs. If the Cloud Connector is not listed in your resource location or is shown as “not in contact,” the event logs will provide some initial information.
If the Cloud Connector is “disconnected” and the event logs don’t indicate why a connection can’t be established between the Cloud Connector and Citrix Cloud Government, contact Citrix Support.
If the Cloud Connector is in an “error” state, there might be a problem hosting the Cloud Connector. Install the Cloud Connector on a new machine. If the issue persists, contact Citrix Support.
To troubleshoot common issues with installing or using the Cloud Connector, refer to CTX221535.
Event messages
The Cloud Connector generates certain event messages that you can view in the Windows Event Viewer. If you want to enable your preferred monitoring software to look for these messages, you can download them as a ZIP archive. The ZIP archive includes these messages in the following XML files:
- Citrix.CloudServices.Agent.Core.dll.xml (Connector Agent Provider)
- Citrix.CloudServices.AgentWatchDog.Core.dll.xml (Connector AgentWatchDog Provider)
Download Cloud Connector event messages. (ZIP file)
Event logs
By default, event logs are located in the C:\ProgramData\Citrix\WorkspaceCloud\Logs directory of the machine hosting the Cloud Connector.