System and Connectivity Requirements
Citrix Cloud provides administrative functions (through a web browser) and operational requests (from other installed components) that connect to resources within your deployment. This article describes the system requirements, required contactable Internet addresses, and considerations for establishing connectivity between your resources and Citrix Cloud.
System requirements
Citrix Cloud requires the following minimum configuration:
- An Active Directory domain
- Two physical or virtual machines, joined to your domain, for the Citrix Cloud Connector. For more information, see Citrix Cloud Connector Technical Details.
- Physical or virtual machines, joined to your domain, for hosting workloads and other components such as StoreFront. For more information about system requirements for specific services, refer to the Citrix documentation for each service.
For information about scale and size requirements, see Scale and size considerations for Cloud Connectors.
Supported web browsers
- Latest version of Google Chrome
- Latest version of Mozilla Firefox
- Latest version of Microsoft Edge
- Microsoft Internet Explorer 11
- Latest version of Apple Safari
Service connectivity requirements
Connecting to the Internet from your data centers requires opening port 443 to outbound connections. However, to operate within environments containing an Internet proxy server or firewall restrictions, further configuration might be needed. For more information, see Cloud Connector Proxy and Firewall Configuration.
The addresses for each service in this article must be contactable to properly operate and consume the service. The following table lists the addresses that are common to most Citrix Cloud services and their function. These addresses are provided only as domain names because Citrix Cloud services are dynamic and their IP addresses are subject to routine changes.
| Required address | Function |
|---|---|
https://*.citrixworkspacesapi.net |
Provides access to Citrix Cloud APIs that the services use. |
https://*.cloud.com |
Provides access to the Citrix Cloud sign-in interface. |
https://*.blob.core.windows.net |
Provides access to Azure Blob Storage, which stores updates for Citrix Cloud Connector. |
https://*.servicebus.windows.net |
Provides access to Azure Service Bus, which is used by the Active Directory agent and Machine Creation Services. |
https://*.cloudapp.net |
Provides access to Azure Cloud Services, which hosts compute resources and APIs for Citrix Cloud. |
As a best practice, use Group Policy to configure and manage these addresses. Also, configure only the addresses that are applicable to the services that you and your end-users are consuming.
If you are using Citrix Cloud with Citrix License Server to register your on-premises products, see On-premises product registration in this article for additional required contactable addresses.
Citrix Analytics
For complete Internet connectivity requirements, see Prerequisites in the service documentation.
For more information about onboarding data sources to the service, see How to configure Data Sources.
Content Collaboration
Citrix resource location / Cloud Connector:
https://*.sharefile.com- Additional requirements: ShareFile Firewall Configuration and IP Address (CTX208318)
Administration console:
https://*.citrixworkspacesapi.nethttps://*.cloud.com- Additional requirements: ShareFile Firewall Configuration and IP Address (CTX208318)
Endpoint Management
Citrix resource location / Cloud Connector:
https://*.citrixworkspacesapi.nethttps://*.cloud.comhttps://*.blob.core.windows.nethttps://*.servicebus.windows.nethttps://*.cloudapp.net- Additional requirements: https://docs.citrix.com/en-us/citrix-endpoint-management/endpoint-management.html
Administration console:
https://*.citrix.comhttps://*.citrixworkspacesapi.nethttps://*.cloud.comhttps://*.blob.core.windows.net- Additional requirements: https://docs.citrix.com/en-us/citrix-endpoint-management/endpoint-management.html
Citrix Gateway Service
https://*.nssvc.net
SD-WAN Orchestrator
For complete Internet connectivity requirements, see Prerequisites for Orchestrator usage.
Secure Browser
Citrix resource location / Cloud Connector:
https://*.citrixworkspacesapi.nethttps://*.cloud.com
Administration console:
https://*.cloud.comhttps://*.citrixworkspacesapi.nethttps://browser-release-a.azureedge.nethttps://browser-release-b.azureedge.net
Citrix Secure Workspace Access
https://*.netscalergateway.nethttps://*.nssvc.net
Virtual Apps and Desktops service
Citrix resource location / Cloud Connector:
https://*.citrixworkspacesapi.nethttps://*.citrixnetworkapi.nethttps://*.cloud.comhttps://cwsproduction.blob.core.windows.nethttps://*.nssvc.nethttps://*.xendesktop.nethttps://*.servicebus.windows.net
For an overview of how the Cloud Connector communicates with the service, refer to the Virtual Apps and Desktops diagram on the Citrix Tech Zone web site.
Administration console:
https://*.citrixworkspacesapi.nethttps://*.citrixnetworkapi.nethttps://*.cloud.comhttps://*.nssvc.nethttps://*.xendesktop.net
Virtual Apps and Desktops Standard for Azure
The addresses in this section are required only for customer-managed Cloud Connectors deployed in a customer-managed Azure subscription.
Citrix resource location / Cloud Connector:
https://*.citrixworkspacesapi.nethttps://*.citrixnetworkapi.nethttps://*.cloud.comhttps://cwsproduction.blob.core.windows.nethttps://*.nssvc.nethttps://*.xendesktop.net
Administration console:
https://*.citrixworkspacesapi.nethttps://*.citrixnetworkapi.nethttps://*.cloud.comhttps://*.xendesktop.net
Citrix Workspace
https://*.cloud.comhttps://*.citrixdata.com
To ensure subscribers can successfully access their content in Citrix Files and Content Collaboration through Workspace, Citrix recommends allowing the domains listed in CTX208318.
Workspace single sign-on with Citrix Federated Authentication Service
The console and FAS service access the following addresses using the user’s account and the Network Service account, respectively.
- FAS administration console, under the user’s account
*.cloud.com*.citrixworkspaceapi.net- Addresses required by a third party identity provider, if one is used in your environment
- FAS service, under the Network Service account:
*.citrixworkspaceapi.net
If your environment includes proxy servers, configure the user proxy with the addresses for the FAS administration console. Also, ensure the address for the Network Service account is configured as appropriate for your environment.
Workspace Environment Management service
https://*.wem.cloud.com
Citrix Cloud management console
The Citrix Cloud management console is a web-based console that you can access after signing in at https://citrix.cloud.com. The webpages that make up the console might require other resources on the Internet, either when signing in or at a later point when carrying out specific operations.
Proxy configuration
If you’re connecting through a proxy server, the management console operates using the same configuration applied to your web browser. The console operates within the user context, so any configuration of proxy servers that require user authentication should work as expected.
Firewall configuration
For the management console to operate, you must have port 443 open for outbound connections. You can test general connectivity by navigating within the console.
Session timeouts
After an administrator signs in to Citrix Cloud, the management console session times out after the following intervals have elapsed:
- Idle sessions (no console activity detected): 60 minutes
- Maximum session timeout (regardless of console activity): 24 hours
After the maximum session timeout elapses, any unsaved configuration changes are lost and the administrator must sign in again.
On-premises product registration
If you are using Citrix Cloud with Citrix License Server to register your on-premises products, ensure the following addresses are contactable:
-
https://trust.citrixnetworkapi.net(for retrieving a code) -
https://trust.citrixworkspacesapi.net/(for confirming the license server is registered) -
https://cis.cloud.com(for data upload)
If you are using a proxy server with Citrix License Server, ensure the proxy server is configured as described in the “Configure a proxy server manually” section of Step 3 - install the .crt and .key files on the License Server.
Citrix Cloud Connector
The Citrix Cloud Connector is a software package that deploys a set of services that run on Microsoft Windows servers. The machine hosting the Cloud Connector resides within the network where the resources you use with Citrix Cloud reside. The Cloud Connector connects to Citrix Cloud, allowing it to operate and manage your resources as needed.
For requirements for installing the Cloud Connector, see System requirements. To operate, the Cloud Connector requires outbound connectivity on port 443. After installation, the Cloud Connector might have additional access requirements depending on the Citrix Cloud service with which it is being used.
For help with troubleshooting connectivity between the Cloud Connector and Citrix Cloud, use the Cloud Connector Connectivity Check Utility. This utility runs a series of checks on the Cloud Connector machine to verify it can reach Citrix Cloud and related services and helps you add any missing connectivity addresses to the Trusted Sites zone in Internet Explorer. If you use a proxy server in your environment, all connectivity checks are tunneled through your proxy server. To download the utility, see CTX260337 in the Citrix Support Knowledge Center.
Certificate validation
Cloud Connector binaries and endpoints that the Cloud Connector contacts are protected by X.509 certificates that are verified when the software is installed. To validate these certificates, each Cloud Connector machine must meet the following requirements:
- HTTP port 80 is open to *.digicert.com. This port is used during Cloud Connector installation and during periodic Certificate Revocation List checks.
- The following addresses must be contactable:
http://*.digicert.comhttps://*.digicert.comhttps://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crthttps://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt
For more information about these certificates, see Certificate validation requirements.
SSL Decryption
Enabling SSL decryption on certain proxies might prevent the Cloud Connector from connecting successfully to Citrix Cloud. For more information about resolving this issue, see CTX221535.
Citrix Connector Appliance for Cloud Services
The Connector Appliance is an appliance that you can deploy in your hypervisor. The hypervisor hosting the Connector Appliance resides within the network where the resources you use with Citrix Cloud reside. The Connector Appliance connects to Citrix Cloud, allowing it to operate and manage your resources as needed.
For requirements for installing the Connector Appliance, see System requirements.
To operate, the Connector Appliance requires outbound connectivity on port 443. However, to operate within environments containing an Internet proxy server or firewall restrictions, further configuration might be needed.
To properly operate and consume the Citrix Cloud services, the following addresses must be contactable:
https://*.cloud.comhttps://*.citrixworkspacesapi.nethttps://*.citrixnetworkapi.nethttps://*.nssvc.nethttps://*.servicebus.windows.nethttps://iwsprodeastusuniconacr.azurecr.iohttps://iwsprodeastusuniconacr.eastus.data.azurecr.io
System and Connectivity Requirements
In this article
- System requirements
- Supported web browsers
- Service connectivity requirements
- Citrix Analytics
- Content Collaboration
- Endpoint Management
- Citrix Gateway Service
- SD-WAN Orchestrator
- Secure Browser
- Citrix Secure Workspace Access
- Virtual Apps and Desktops service
- Virtual Apps and Desktops Standard for Azure
- Citrix Workspace
- Workspace Environment Management service
- Citrix Cloud management console
- Citrix Cloud Connector
- Citrix Connector Appliance for Cloud Services