Cloud Connector Proxy and Firewall Configuration

The Cloud Connector supports connection to the Internet through a web proxy server. Both the installer and the services it installs need connections to Citrix Cloud. Internet access needs to be available at both of these points.

Connectivity requirements

Use port 443 for HTTP traffic, egress only. For a list of required contactable addresses, see Internet Connectivity Requirements. When whitelisting these addresses, wildcards (*) are supported.

The required contactable addresses for Citrix Cloud are specified as FQDNs, not IP addresses. Because IP addresses might change, whitelisting FQDNs ensures that the connection to Citrix Cloud remains stable. Additionally, as Citrix continually improves and augments the Citrix Cloud platform, whitelisting these domains as wildcards (for example, *.citrixworkspacesapi.net), instead of using more specific addresses (for example, trust.citrixworkspacesapi.net), allows customers to benefit from these improvements without affecting their connectivity to Citrix Cloud. Some critical functions of the platform, such as traffic failover based on geographical region, rely on being able to route calls under multiple subdomains. Whitelisting at the subdomain level increases the risk of outage as these functions might use subdomains the customer hasn’t whitelisted. Whitelisting the wildcard domain allows these functions to work without placing an undue burden on the customer to whitelist a large number of subdomains for every Citrix Cloud service.

Important:

Enabling SSL decryption on certain proxies might prevent the Cloud Connector from connecting successfully to Citrix Cloud. For more information about resolving this issue, see CTX221535.

Installer

The installer uses the settings configured for internet connections. If you can browse the internet from the machine, the installer should also function.

See How to configure proxy server settings in Windows 8 for details of how to configure the proxy settings.

Services at Runtime

The runtime service operates in the context of a local service. It does not use the setting defined for the user (as described above). You need to import the setting from the browser.

To configure the proxy settings for this, open a Command Prompt window and use netsh as follows:

netsh winhttp import proxy source=ie

After executing the command, restart the Cloud Connector machine so that the services start up with these proxy settings.

For complete details, see Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP).

Note:

There is no support for auto-detect or PAC scripts.

Connections to internal resources

Due to Windows proxy configuration, the Cloud Connector may attempt to access internal resources through the web proxy. These resources may not be able to connect to the Cloud Connector and Virtual Apps and Desktops service, even if the required connectivity URLs are whitelisted. Additionally, the web proxy may block connections between the Cloud Connector and Azure Service Bus because an IP address is used as a URL in the HTTP CONNECT command. As a result, some resource functions might fail. For example, Citrix Provisioning can’t create machine catalogs successfully.

To ensure these internal resources can connect as expected, add the FQDN or IP address of each resource to the proxy bypass list on the Cloud Connector machine. For more information about this issue, see CTX241222 in the Citrix Support Knowledge Center.
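
One way to check the bypass list described above, as an added example that is not part of the Citrix documentation: the PowerShell below parses the output of netsh winhttp show proxy and reports which internal resources would still be sent through the web proxy. It assumes English-locale netsh output; the function names, proxy address and host names are constructed for illustration.

```powershell
# Added example: audit the WinHTTP bypass list against internal resources.
# Assumes English-locale netsh output; all host names below are constructed.

function Get-WinHttpProxyInfo {
    param([string[]]$NetshOutput)
    $info = [ordered]@{ Proxy = $null; Bypass = @() }
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Proxy Server\(s\)\s*:\s*(.+?)\s*$') {
            $info.Proxy = $Matches[1]
        } elseif ($line -match '^\s*Bypass List\s*:\s*(.+?)\s*$') {
            # Entries are semicolon-separated; "(none)" means an empty list.
            $info.Bypass = @($Matches[1] -split ';' |
                ForEach-Object { $_.Trim() } |
                Where-Object { $_ -and $_ -ne '(none)' })
        }
    }
    [pscustomobject]$info
}

function Test-Bypassed {
    param([string]$HostName, [string[]]$BypassList)
    foreach ($entry in $BypassList) {
        if ($entry -eq '<local>') {
            # <local> covers host names that contain no dot.
            if ($HostName -notmatch '\.') { return $true }
        } elseif ($HostName -like $entry) {
            # -like handles the * wildcard, case-insensitively.
            return $true
        }
    }
    return $false
}

# Constructed sample; on a live machine use: $raw = netsh winhttp show proxy
$raw = @'
Current WinHTTP proxy settings:

    Proxy Server(s) :  proxy.corp.example:8080
    Bypass List     :  <local>;*.corp.example;10.10.0.15
'@ -split '\r?\n'

# Constructed list of internal resources the Cloud Connector must reach directly.
$internal = 'pvs01.corp.example', 'hypervisor01', '10.10.0.15', '10.10.0.20', 'sql01.lab.example'

$cfg = Get-WinHttpProxyInfo $raw
if (-not $cfg.Proxy) {
    'Direct access: no WinHTTP proxy is configured.'
} else {
    $missing = @($internal | Where-Object { -not (Test-Bypassed $_ $cfg.Bypass) })
    "Proxy: $($cfg.Proxy)"
    "Not in bypass list (would go through the proxy): $($missing -join ', ')"
}
```

With the constructed sample, the two resources reported are 10.10.0.20 and sql01.lab.example, since neither matches an entry in the bypass list.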
