Cloud Connector Proxy and Firewall Configuration
The Cloud Connector supports connection to the Internet through an unauthenticated web proxy server. Both the installer and the services it installs need connections to Citrix Cloud. Internet access needs to be available at both of these points.
Use port 443 for HTTP traffic, egress only. For a list of required contactable addresses, see System and Connectivity Requirements. For a list of the addresses common to most Citrix Cloud services and their function, see Cloud Connector common service connectivity requirements.
The required contactable addresses for Citrix Cloud are specified as domain names, not IP addresses. Because IP addresses might change, allowing domain names ensures that the connection to Citrix Cloud remains stable. Additionally, as Citrix continually improves and augments the Citrix Cloud platform, allowing these domains as wildcards (for example, *.citrixworkspacesapi.net), instead of using more specific addresses (for example, trust.citrixworkspacesapi.net), allows customers to benefit from these improvements without affecting their connectivity to Citrix Cloud. Some critical functions of the platform, such as traffic failover based on geographical region, rely on being able to route calls under multiple subdomains. Specifying allowed subdomains instead of allowed wildcard domains increases the risk of outage as these functions might use subdomains the customer hasn’t explicitly allowed. Specifying the wildcard domain allows these functions to work without placing an undue burden on the customer to allow a large number of subdomains for every Citrix Cloud service.
Enabling SSL decryption on certain proxies might prevent the Cloud Connector from connecting successfully to Citrix Cloud. For more information about resolving this issue, see CTX221535.
Check Cloud Connector connectivity
The Cloud Connector Connectivity Check Utility helps you verify connectivity between the Cloud Connector and Citrix Cloud using a series of connectivity checks. If you use a proxy server in your environment, the utility can help you configure proxy settings on the Cloud Connector and test connectivity through the proxy server. When a proxy server is configured, the connectivity tests are tunneled through the proxy server.
For more information about downloading and using the Cloud Connector Connectivity Check utility, see CTX260337.
The installer will use the settings configured for Internet connections. If you can browse the Internet from the machine then the installer should also function.
Services at Runtime
The runtime service operates in the context of a local service. It does not use the setting defined for the user (as described above). You need to import the setting from the browser.
To configure the proxy settings for this, open a Command Prompt window and use netsh as follows:
netsh winhttp import proxy source =ie
After executing the command, restart the Cloud Connector machine so that the services start up with these proxy settings.
For complete details, see Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP).
There is no support for auto-detect or PAC scripts or authenticated proxies.
Connections to internal resources
Due to Windows proxy configuration, the Cloud Connector may attempt to access internal resources through the web proxy. These resources may not be able to connect to the Cloud Connector and Virtual Apps and Desktops service, even if the required connectivity URLs are allowed. Additionally, the web proxy may block connections between the Cloud Connector and Azure Service bus because an IP address is used as a URL in the HTTP Connect command. As a result, some resource functions might fail. For example, Citrix Provisioning can’t create machine catalogs successfully.
To ensure these internal resources can connect as expected, add the FQDN or IP address of each resource to the proxy bypass list on the Cloud Connector machine. For more information about this issue, see CTX241222 in the Citrix Support Knowledge Center.
Connections between Citrix Federated Authentication Service and Citrix Cloud
The console and FAS service access the following addresses using the user’s account and the Network Service account, respectively.
- FAS administration console, under the user’s account
- Addresses required by a third party identity provider, if one is used in your environment
- FAS service, under the Network Service account:
If your environment includes proxy servers, configure the user proxy with the addresses for the FAS administration console. Also, ensure the address for the Network Service account is configured using netsh or a similar tool.