Citrix Cloud

Connecting Session Manager to On-Premises XenApp and XenDesktop Deployments

You can use Session Manager to create anonymous, ready-to-use applications reducing the time it takes to start an application. The Session Manager Lab can be used to prelaunch anonymous sessions to on-premises XenApp and XenDesktop version 7.12 deployments by following the steps below.

Session Manager uses the Session Manager Proxy service running on a Cloud Connector machine to continuously poll the Broker for session, application, and Delivery Group data. This data is sent to the Session Manager Cloud service and continuously replenishes pools of pre-launched sessions in the on-premises deployment.

Getting Started

You can access the Session Manager Service from the Lab Services section in Citrix Cloud. To get started with connecting your on-premises deployment to the Session Manager Service with a Cloud Connector, click Settings. The Settings tab shows resource locations and Cloud Connectors that you previously configured. If you don’t have any resource locations configured for Citrix Cloud, the following screen appears.

Session Manager Settings page with Add a Resource Location button

If you created a resource location already, it can take up to 30 seconds for the data to synchronize with the Session Manager when you first access the Labs service. If you do not see your resource locations and Connectors listed, click the Refresh button.

This guide assumes that you do not have a resource location created. If you already have a resource location with connectors that you would like to use for the service, continue to the “Internal StoreFront Configuration” section.

Create a Resource Location in Citrix Cloud

  1. On the machine that you would like to use for your Cloud Connector, navigate to the Resource Locations page in Citrix Cloud by clicking the menu icon and selecting Resource Locations. You can also click the Add a Resource Location button on the Session Manager Settings tab.

    Citrix Cloud console menu

  2. Click Download to put the Cloud Connector (CWCConnector.exe) installer onto your connector machine.
  3. Double-click on the Cloud Connector file and follow the installation instructions.
  4. After finishing the installation, your Resource Locations page shows the connector and resource location:

    Resource Locations page with online Cloud Connector

The Session Manager Settings page now lists your new resource location. It also shows the status of the Session Manager Proxy service running on that particular connector as indicated by the orange ‘warning’ status bar as shown in the following image. You will configure the resource location and the bar will turn green later in the guide.

Session Manager Settings page with resource location displayed

The Manage page shows that the Session Manager Service does not currently know about any Anonymous Delivery Groups in your resource location.

Session Manager Manage page with no anonymous Delivery Groups

Internal StoreFront Configuration

This section describes how to configure an internal StoreFront store to interact with the Session Manager Service. You can perform this configuration on an existing store, or create a new authenticated or anonymous store that is only used by the Session Manager for better network isolation and security options.

Configure the store to trust the Session Manager

The Session Manager Trusted Issuer in your store establishes trust between Citrix StoreFront and the Session Manager Service. Use the following steps to establish trust.

  1. On the StoreFront server, run the command Add-PSSnapin Citrix* to import the StoreFront PowerShell Snap-In.
  2. Run the following command to obtain a reference to your desired Store Service object. Replace the variable “Store” with your store service name.

    $storeService = get-stfstoreservice | Where-Object {$_.Name -eq "Store"}
  3. Create a new Session Manager Trusted Issuer, using your customer ID as the tenant ID. Your customer ID is the first 12 characters of your Citrix Cloud customer name. For instance, if your customer name is PrelaunchDemo, your customer ID is PrelaunchDem. The Thumbprint parameter is the thumbprint of the certificate that Session Manager uses to sign tokens bound for the store. Make sure that you copy the thumbprint value correctly from this guide. The Name parameter can be any short string, and is used in StoreFront logging.

    $trustedIssuer = New-STFSessionManagerTrustedIssuer -Thumbprint "1EDDED2BA7962BE2CDA21F37FF91AA6E1E08D617" -TenantId "PrelaunchDem" -Name "LoggingName"
  4. Add the trusted issuer to the store service configuration:

    Add-STFSessionManagerTrustedIssuer -StoreService $storeService -SessionManagerTrustedIssuer $trustedIssuer
  5. Restart the StoreFront server with the iisreset command, or restart the machine.

Configure StoreFront Optimal Gateway Settings to Force All Traffic Through Your Netscaler Gateway

The Session Manager requires external access for ICA traffic. This means that the internal StoreFront store must provide an ICA file for external access from the internal Store. To do this, you must force all traffic for apps obtained from this store through Citrix Gateway, even when starting apps internally. This is done with an Optimal Gateway setting on the store.

To configure Optimal Gateway settings

  1. Configure the Optimal Gateway setting for your store by using the following PowerShell code. The code assumes that your Store name is “Store”. Change the code to suit your specific configuration before running. The gateway ID can be any randomly generated GUID, it only has to match both commands.

    "C:\\Program Files\\Citrix\\Receiver StoreFront\\Scripts\\ImportModules.ps1"
    Add-DSGlobalV10Gateway -Id 2eba0524-af40-421e-9c5f-a1ccca80715a -Name MyNewGateway -Address "" -Logon UsedForHDXOnly -SecureTicketAuthorityUrls @("https://XA-Controller.xenapp.local/scripts/ctxsta.dll")
    Add-DSStoreOptimalGateway -SiteId 1 -VirtualPath /Citrix/Store -GatewayId 2eba0524-af40-421e-9c5f-a1ccca80715a -EnabledOnDirectAccess $true -Farms "Controller"
  2. Test the configuration by starting an application from the store and examining the ICA file returned. The Address field of the ICA file shows the STA ticket instead of an IP Address. Open the ICA file with Citrix Receiver and confirm that the application starts successfully.

Gateway Configuration

You must add the Cloud Connector machine as a Secure Ticket Authority (STA) server to Citrix Gateway. This allows the Session Manager to tunnel through the Citrix Gateway to the on-premises StoreFront server by utilizing STA tickets obtained from the Citrix Cloud STA service.

  1. Navigate to the Citrix Gateway > Virtual Servers page in the configuration utility.

    Citrix Gateway Configuration console with Virtual Servers section highlighted

  2. Select the virtual server that you would like to use for tunneling SessionManager traffic to the StoreFront server and click Edit.
  3. Under Published Applications, click STA Servers and add your connector to the list of STA Servers that are used by this virtual server. In the image below, the IP address for the connector is, and you can see that the connector is sending STA ticketing requests to the Citrix Cloud STA service by checking the Auth ID column for CWSSTA.

    Citrix Gateway console with STA Server Binding screen

Session Manager and Broker Configuration

The status bar of the connector in the Session Manager Settings tab is orange. The following steps enable the Session Manager Proxy on the connector to poll the Broker for session data, and allow for the Session Manager to begin pre-launching anonymous sessions.

To configure the Session Manager and Broker service

  1. Configure the Broker to trust XML and Prelaunch Requests. To use anonymous prelaunch, the Broker needs to have the TrustManagedAnonymousXmlServiceRequests and TrustRequestsSentToTheXmlServicePort flags set to true.


    In production environments, configure the XML service to only accept requests originating from trusted StoreFront machines. Run the following PowerShell commands to enable both of these flags.

    Set-BrokerSite -TrustManagedAnonymousXmlServiceRequests $true -TrustRequestsSentToTheXmlServicePort $true
  2. Configure the Broker to trust the connector machine as a delegated administrator.

    1. Open Active Directory Users and Computers on your domain controller and add the Cloud Connector machine(s) to their own group as shown in the following diagram: Active Directory console with Session Manager Machine Properties dialog

    2. In Citrix Studio, select Configuration > Administrators and then click Create Administrator.
    3. Choose the Active Directory group you created in step 2a, select All and then click Next. Studio console with Create Administrator wizard

    4. In Citrix Studio, select Configuration > Administrators and then click Create Administrator. Administrator and Scope page of Create Administrator wizard

    5. On the Role page, select Help Desk Administrator for the role and then click Next. Role page of Create Administrator wizard

    6. On the next page, click Finish to create the administrator.

Session Manager Service Configuration

Return to the Session Manager Settings tab to complete the configuration.

  1. Click the down arrow icon beside the resource location name to open the Session Manager Settings for this resource location.

    Session Manager settings for selected resource location

  2. Enter the following values:

    • Gateway Address - use address to Citrix Gateway that was configured in the “Gateway Configuration” portion of this guide. Do not include protocols on this addess.
    • Gateway Port - The port through which users connect to Citrix Gateway.
    • Internal Broker URL - The internal FQDN of the broker. Note this FQDN needs to be resolvable from the Connector machine. For example, xa-controller.xenapp.local.
    • StoreFront Name - The StoreFront store’s friendly name setting. You can find the name by using the Get-STFStoreService PowerShell cmdlet on the StoreFront server.
    • Internal StoreFront URL - For example, https://storefront.xenapp.local/Citrix/Store
    • Check to Skip Certificate Validation - Select this setting if you are using an internal certificate on the StoreFront server that cannot be validated by an external service. Use this in testing environments only.

    After 1-2 minutes, the Cloud Connector begins uploading anonymous Delivery Group data to the Session Manager. The connector status bar on the Settings page turns green as shown in the image below:

    Green Cloud Connector status bar in Session Manager console

  3. Configure the desired prelaunch parameters on your anonymous Delivery Groups.

    1. Click the ellipsis icon to the right of each row to edit Delivery Groups.

      Session Manager prelaunch parameters

    2. Activate the Delivery Group and observe the pre-launching of sessions in Citrix Studio.

You can see three anonymous application sessions running Calculator, matching the configuration found on the Manage page in Session Manager.

Delivery Group with Active status in Session Manager console

Delivery Group running anonymous sessions in Studio

Connecting Session Manager to On-Premises XenApp and XenDesktop Deployments