Citrix Cloud Connector Technical Details

The Citrix Cloud Connector is a component with a collection of Windows services installed on Windows Server 2012 R2 or Windows Server 2016.

System requirements

The machines hosting the Cloud Connector must meet the following requirements. Citrix strongly recommends installing at least two Cloud Connectors in each resource location to ensure high availability.

Operating systems

Windows Server 2012 R2 or Windows Server 2016 is supported.

The Cloud Connector is not supported for use with Windows Server Core.

.NET requirements

Microsoft .NET Framework 4.7.2 or later is required.

Server requirements

  • Use dedicated machines for hosting the Cloud Connector. Do not install any other components on these machines.
  • FIPS is not enabled. See Federal Information Processing Standard (FIPS) support in this article.
  • The machines are not configured as Active Directory domain controllers. Installing the Cloud Connector on a domain controller is not supported.
  • Server clock is set to the correct UTC time.
  • Internet Explorer Enhanced Security Configuration (IE ESC) is turned off. If this is turned on, the Cloud Connector might not be able to establish connectivity with Citrix Cloud.
  • Citrix strongly recommends enabling Windows Update on all machines hosting the Cloud Connector. When configuring Windows Update, automatically download and install updates, but do not allow automatic restarts. The Citrix Cloud platform handles machine restarts, allowing them for only one Cloud Connector at a time when needed. Alternatively, you can control when the machine is restarted after an update using Group Policy. For more information, see https://docs.microsoft.com/en-us/windows/deployment/update/waas-restart.
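
A pre-install check for the operating system, .NET and server requirements above, as an added example that is not Citrix code. It reads standard Windows registry and CIM locations; the helper name Get-RegValue and the check labels are illustrative, and clock accuracy and Windows Update settings are not checked.

```powershell
# Added example: pre-install checks for a prospective Cloud Connector host.
# Run locally on the candidate server. It only reads configuration.

function Get-RegValue {   # hypothetical helper; returns $null if the key or value is absent
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$ntCv = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$ndp  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$fips = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$esc  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'

$checks = [ordered]@{}

# Supported operating system, and not a Server Core installation.
$checks['OS is Windows Server 2012 R2 or 2016'] = $os.Caption -match 'Windows Server (2012 R2|2016)'
$checks['Not a Server Core installation'] = (Get-RegValue $ntCv 'InstallationType') -ne 'Server Core'

# .NET Framework 4.7.2 or later: Release value 461808 is the lowest that maps to 4.7.2.
$checks['.NET Framework 4.7.2 or later'] = [int](Get-RegValue $ndp 'Release') -ge 461808

# FIPS policy must be off (Enabled = 1 means FIPS mode is enforced).
$checks['FIPS is not enabled'] = (Get-RegValue $fips 'Enabled') -ne 1

# DomainRole 3 = member server; 4 and 5 are domain controllers, 2 is a standalone server.
$checks['Domain member, not a domain controller'] = $cs.DomainRole -eq 3

# IE ESC is tracked separately for administrators (A7) and users (A8); IsInstalled = 1 means on.
$escAdmin = Get-RegValue "$esc\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" 'IsInstalled'
$escUser  = Get-RegValue "$esc\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" 'IsInstalled'
$checks['IE ESC is turned off'] = ($escAdmin -ne 1) -and ($escUser -ne 1)

# Report each check and count failures.
$failed = 0
foreach ($name in $checks.Keys) {
    $status = if ($checks[$name]) { 'PASS' } else { $failed++; 'FAIL' }
    '{0}  {1}' -f $status, $name
}
if ($failed) { Write-Warning "$failed requirement(s) not met on $($cs.Name)" }
```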

Active Directory requirements

  • Joined to an Active Directory domain that contains the resources and users that you will use to create offerings for your users. For multi-domain environments, see Deployment scenarios for Cloud Connectors in Active Directory in this article.
  • Each Active Directory forest you plan to use with Citrix Cloud should be reachable by two Cloud Connectors at all times.
  • The Cloud Connector must be able to reach the parent (root) domain controllers as well as the child domain controllers in the Active Directory infrastructure (to complete the Active Directory workflows) in which the Cloud Connector is installed. For more information, refer to the following Microsoft support articles:

Network requirements

Supported Active Directory functional levels

The Citrix Cloud Connector supports the following forest and domain functional levels in Active Directory.

| Forest Functional Level | Domain Functional Level | Supported Domain Controllers |
| Windows Server 2008 R2 | Windows Server 2008 R2 | Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 |
| Windows Server 2008 R2 | Windows Server 2012 | Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 |
| Windows Server 2008 R2 | Windows Server 2012 R2 | Windows Server 2012 R2, Windows Server 2016 |
| Windows Server 2008 R2 | Windows Server 2016 | Windows Server 2016 |
| Windows Server 2012 | Windows Server 2012 | Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 |
| Windows Server 2012 | Windows Server 2012 R2 | Windows Server 2012 R2, Windows Server 2016 |
| Windows Server 2012 | Windows Server 2016 | Windows Server 2016 |
| Windows Server 2012 R2 | Windows Server 2012 R2 | Windows Server 2012 R2, Windows Server 2016 |
| Windows Server 2012 R2 | Windows Server 2016 | Windows Server 2016 |
| Windows Server 2016 | Windows Server 2016 | Windows Server 2016 |

Deployment scenarios for Cloud Connectors in Active Directory

If you have a single domain in a single forest, installing Cloud Connectors in that domain is all you need to establish a resource location. However, if you have multiple domains in your environment, you’ll need to consider where to install the Cloud Connectors so that users can access the resources you make available through Citrix Cloud.

Note:

The resource locations below form a blueprint that may need to be repeated in other physical locations depending on where your resources are hosted.

Single domain in a single forest with a single set of Cloud Connectors

In this scenario, a single domain contains all the resource and user objects (forest1.local). One set of Cloud Connectors is deployed within a single resource location and joined to the forest1.local domain.

  • Trust relationship: None - single domain
  • Domains listed in Identity and Access Management: forest1.local
  • User logons to Citrix Workspace: Supported for all users
  • User logons to an on-premises StoreFront: Supported for all users

Parent and child domains in a single forest with a single set of Cloud Connectors

In this scenario, a parent domain (forest1.local) and its child domain (user.forest1.local) reside within a single forest. The parent domain acts as the resource domain and the child domain is the user domain. One set of Cloud Connectors is deployed within a single resource location and joined to the forest1.local domain.

  • Trust relationship: Parent/child domain trust
  • Domains listed in Identity and Access Management: forest1.local, user.forest1.local
  • User logons to Citrix Workspace: Supported for all users
  • User logons to an on-premises StoreFront: Supported for all users

Note:

You might need to restart the Cloud Connectors to ensure Citrix Cloud registers the child domain.

Users and resources in separate forests (with trust) with a single set of Cloud Connectors

In this scenario, one forest (forest1.local) contains your resource domain and one forest (forest2.local) contains your user domain. A trust exists between these forests that allows users to log on to resources. One set of Cloud Connectors is deployed in a single resource location and joined to the forest1.local domain.

  • Trust relationship: Forest trust
  • Domains listed in Identity and Access Management: forest1.local
  • User logons to Citrix Workspace: Supported for forest1.local users only
  • User logons to an on-premises StoreFront: Supported for all users

Note:

The trust relationship between the two forests needs to permit the user in the user forest to be able to log on to machines in the resource forest.

Because Cloud Connectors can’t traverse forest-level trusts, the forest2.local domain is not displayed on the Identity and Access Management page in the Citrix Cloud console. This carries the following limitations:

  • Resources can only be published to users and groups located in forest1.local in Citrix Cloud. However, forest2.local users may be nested into forest1.local security groups to mitigate this issue.
  • Citrix Workspace cannot authenticate users from the forest2.local domain.

To work around these limitations, deploy the Cloud Connectors as described in Users and resources in separate forests (with trust) with a set of Cloud Connectors in each forest.

Users and resources in separate forests (with trust) with a set of Cloud Connectors in each forest

In this scenario, one forest (forest1.local) contains your resource domain and one forest (forest2.local) contains your user domain. A trust exists between these forests that allows users to log on to resources. One set of Cloud Connectors is deployed within the forest1.local domain and a second set is deployed within the forest2.local domain.

  • Trust relationship: Forest trust
  • Domains listed in Identity and Access Management: forest1.local, forest2.local
  • User logons to Citrix Workspace: Supported for all users
  • User logons to an on-premises StoreFront: Supported for all users

Federal Information Processing Standard (FIPS) support

The Citrix Cloud Connector is not supported for use on FIPS-enabled machines. These machines use only FIPS-validated cryptographic algorithms, which the Cloud Connector software does not support. If you attempt to install the Cloud Connector on a FIPS-enabled machine, the installation fails. Install the Cloud Connector only on machines that do not have FIPS enabled.

View the health of the Cloud Connector

The Resource Locations page in Citrix Cloud displays the health status of all the Cloud Connectors in your resource locations.

Event messages

Event messages are available in the Windows Event viewer on the connector machine. The Windows event logs that the Cloud Connector generates are in the following documents:

Event logs

By default, event logs are located in the C:\ProgramData\Citrix\WorkspaceCloud\Logs directory of the machine hosting the Cloud Connector.

Troubleshoot the Cloud Connector

The first step in diagnosing any issues with the Cloud Connector is to check the event messages and event logs. If the Cloud Connector is not listed in your resource location or is shown as “not in contact,” the event logs will provide some initial information.

If the Cloud Connector is “disconnected” and the event logs don’t indicate why a connection can’t be established between the Cloud Connector and Citrix Cloud, contact Citrix Support.

If the Cloud Connector is in an “error” state, there might be a problem hosting the Cloud Connector. Install the Cloud Connector on a new machine. If the issue persists, contact Citrix Support.

To troubleshoot common issues with installing or using the Cloud Connector, refer to CTX221535.