Add an on-premises Site to Citrix Workspace

If you have an on-premises XenApp or XenDesktop deployment, you can add your Site to Citrix Workspace. This process is known as Site aggregation. You can then create workspaces for your users, showing the on-premises applications available to them, and your users can access these applications through Citrix Cloud.

Supported environments

Site aggregation is supported for on-premises deployments of the following Citrix products:

  • Virtual Apps and Desktops 7 1808 or later
  • XenApp and XenDesktop 7.0 through 7.18
  • XenApp 6.5

On-premises Sites running older versions of XenApp or XenApp and XenDesktop are not supported for use with Citrix Workspace.

Important:

XenApp and XenDesktop 7.x includes versions which are End of Life. XenApp and XenDesktop Current Releases prior to 7.14 reached End of Life on June 30, 2018. Support for Workspace Site aggregation with End of Life versions of XenApp and XenDesktop 7.x is conditional upon successful enumeration and launch of resources with your existing StoreFront on-premises deployment.

XenApp 6.5 reached End of Life on June 30, 2018. Support for Workspace Site aggregation with End of Life versions of XenApp is conditional on the successful enumeration and launch of resources in your existing StoreFront or Web Interface on-premises deployment.

Task overview

When you add your on-premises Site to Citrix Workspace, the Add Site wizard guides you through the following tasks:

  • Discover your Site and select the default resource location. The default resource location specifies the domain and connectivity method for all users who access your Site. During this process, Citrix Cloud performs a connectivity test to verify your Site is reachable and displays your resource locations. If you have resource locations with no Cloud Connectors installed, you can download and install the required software.
  • Detect the Active Directory domains in which your Cloud Connectors are installed. For XenApp 6.5, Citrix Cloud also detects if there are any published applications assigned to local user accounts on XenApp servers. To use Citrix Workspace, application users must be able to authenticate with Active Directory. Citrix Cloud provides a list of any local user accounts detected so you can ensure they can authenticate to Citrix Workspace.
  • Specify the connectivity you want to use between Citrix Cloud and your Site. For external connectivity, you can use your own Citrix Gateway or use the Citrix Gateway service. To ensure only users on the same network as your Site can access applications, you can specify internal-only access.

Prerequisites

Cloud Connectors

You need at least two (2) servers on which to install the Citrix Cloud Connector software. Each server must meet the following requirements:

  • Meets the system requirements described in Cloud Connector Technical Details.
  • Does not have any other Citrix components installed, is not an Active Directory domain controller, and is not a machine critical to your resource location infrastructure.
  • Joined to the domain where your Site resides. If users access your Site’s applications in multiple domains, you need to install at least two Cloud Connectors in each domain.
  • Connected to a network that can contact your Site.
  • Connected to the Internet. For more information, see Internet Connectivity Requirements.

Citrix recommends two servers for Cloud Connector high availability. After installation, the Cloud Connectors allow Citrix Cloud to locate and communicate with your Site.

For more information about installing the Cloud Connector, see Cloud Connector Installation.

Although you can install the Cloud Connectors while adding your Site to Citrix Workspace, Citrix recommends installing them beforehand to ensure your Site is added with minimal interruption.

Active Directory

Site aggregation supports Sites that use an on-premises Active Directory.

Azure Active Directory configuration

To allow Sites using Azure Active Directory to be added to Citrix Workspace, you must configure your Site to trust XML Service requests. For detailed instructions, refer to the following articles:

Important: If you choose to use Azure Active Directory authentication with Site aggregation, users will be prompted to authenticate to each application they launch.

Active Directory trusts

If you have separate user and resource forests in Active Directory, you must have Cloud Connectors installed in each forest before you add your on-premises Site. When you add your Site, Citrix Cloud detects these forests during the Site discovery process, through the Cloud Connectors. You can then use the forests’ users and resources to create workspaces for your users.

Limitations:

  • You cannot use separate user and resource forests when you define the default resource location during the process of adding your Site. Because the Cloud Connectors do not participate in any cross-forest trusts that might be established, Citrix Cloud can’t discover your Site through the Cloud Connectors in these forests. You can use these forests when you define a secondary resource location that provides a different connectivity option for your users. For more information, see Add IP ranges for different connectivity options.
  • Untrusted forests are not supported for Site aggregation. Although Citrix Cloud and Citrix Workspace support users from untrusted forests, these users are not able to use Citrix Workspace after an on-premises Site has been added through Site aggregation. Only users located in the forests that the Site trusts can log in and use Citrix Workspace. If users from an untrusted forest attempt to log in to Citrix Workspace, they receive the error message, “Your logon has expired. Please log on again to continue.”

Internal and external connectivity to workspace resources

During the process of adding your Site to Citrix Workspace, you can specify if you want to provide internal or external access to the resources you make available to users. If you intend to allow only internal users to access your Site through Citrix Workspace, users must be on the same network as the Site to access their applications.

If you intend to allow external users to access these resources, you have the following options:

  • Use your existing Citrix Gateway to handle the traffic between your on-premises Site and Citrix Cloud. To use this option, your Citrix Gateway must be configured to use Cloud Connectors as the Secure Ticket Authority (STA) servers before you add your Site to Citrix Workspace. For instructions, see CTX232640.
  • Use the Citrix Gateway service if you prefer to allow Citrix to handle the traffic between your Site and Citrix Cloud for you. You can activate a service trial and configure the service when you add your Site. If you have already signed up for the Citrix Gateway service, Citrix Cloud detects your subscription when you select this option.

Note: For Citrix Cloud to detect your Citrix Gateway service subscription while adding your Site to Workspace, you must use the same OrgID that you used when you signed up for the Citrix Gateway service. For more information about OrgIDs in Citrix Cloud, see What is an OrgID?.

Credentials and ports for Site discovery

During the process of adding your Site to Citrix Workspace, Citrix Cloud discovers your Site and ensures the Controller you specify is available. Before you add your on-premises Site, perform the following tasks:

  • Ensure you have Citrix administrator credentials with a minimum of Read Only permissions. During the process of adding your Site to Citrix Workspace, Citrix Cloud prompts you to supply these credentials. Citrix Cloud only reads these credentials for the discovery process. Citrix Cloud does not store these credentials or use them to make changes to your Site.
  • XenApp 6.5 only: Ensure that port 2513 on the XenApp server is accessible from the Cloud Connector machines in your environment. During the discovery process, the Cloud Connectors contact the Citrix XenApp Remoting Service on the XenApp server you specify. This service listens on port 2513. If this port is blocked, Citrix Cloud can’t discover your deployment.
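
The port requirement applies to traffic that originates on the Cloud Connector machines, so the check has to run from them rather than from an admin workstation. The following is an added example, not part of the Citrix procedure; it assumes PowerShell remoting is enabled on the connectors, and the host names are placeholders.

```powershell
# Added example. Host names are hypothetical placeholders.
# Assumes PowerShell remoting (WinRM) is enabled on the Cloud Connector machines.
$Connectors   = 'CC01', 'CC02'            # hypothetical Cloud Connector host names
$XenAppServer = 'xa65.example.local'      # hypothetical XenApp 6.5 server
$Port         = 2513                      # Citrix XenApp Remoting Service

# Run the TCP test on each connector so the result reflects the real network path.
$results = Invoke-Command -ComputerName $Connectors -ArgumentList $XenAppServer, $Port -ScriptBlock {
    param($Target, $TargetPort)
    $test = Test-NetConnection -ComputerName $Target -Port $TargetPort -WarningAction SilentlyContinue
    [pscustomobject]@{
        Connector = $env:COMPUTERNAME
        Target    = $Target
        Port      = $TargetPort
        Reachable = [bool]$test.TcpTestSucceeded
    }
}

$results | Select-Object Connector, Target, Port, Reachable | Format-Table -AutoSize

# Discovery needs every connector to reach the port; list the ones that cannot.
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("Port {0} is not reachable from: {1}" -f $Port, ($blocked.Connector -join ', '))
}
```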

To enable Site discovery without Site credentials

XenApp and XenDesktop 7.x and Virtual Apps and Desktops 7 1808 only: If you don’t want to provide your Site credentials for security reasons, you can enable Citrix Cloud to discover your Site without prompting for Site credentials. Complete this task before you add your Site to Citrix Workspace.

  1. Install at least two Cloud Connectors in your Site’s domain.
  2. Create an Active Directory security group and add the Cloud Connectors in your domain to it.
  3. In Studio, grant the security group Read Only permissions, at a minimum.
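
The same three steps can be scripted. The following is an added example, not the documented Citrix procedure: it uses the ActiveDirectory module and the Delegated Administration snap-in of the Citrix PowerShell SDK in place of Studio for step 3, and the group name and connector host names are placeholders.

```powershell
# Added example. Group name and connector host names are hypothetical placeholders.
# Run as a Full Administrator on a machine with the RSAT ActiveDirectory module
# and the Citrix PowerShell SDK (for example, a Delivery Controller).
Import-Module ActiveDirectory
Add-PSSnapin Citrix.DelegatedAdmin.Admin.V1

$GroupName  = 'CitrixCloudConnectors'      # hypothetical security group name
$Connectors = 'CC01', 'CC02'               # hypothetical Cloud Connector host names
$RoleName   = 'Read Only Administrator'    # built-in read-only role

# Step 2: security group that holds the Cloud Connector computer accounts.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
$current = @(Get-ADGroupMember -Identity $GroupName)
foreach ($name in $Connectors) {
    $computer = Get-ADComputer -Identity $name
    if ($current.SamAccountName -notcontains $computer.SamAccountName) {
        Add-ADGroupMember -Identity $GroupName -Members $computer
    }
}

# Step 3: make the group a Site administrator with the read-only role only.
$adminName = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $GroupName
if (-not (Get-AdminAdministrator -Name $adminName -ErrorAction SilentlyContinue)) {
    New-AdminAdministrator -Name $adminName | Out-Null
}
$rights = @((Get-AdminAdministrator -Name $adminName).Rights)
if ($rights.RoleName -notcontains $RoleName) {
    Add-AdminRight -Administrator $adminName -Role $RoleName -All
}

# Check (stricter than the "at a minimum" wording above): warn if the group
# holds any other role or contains anything other than computer accounts.
$rights   = @((Get-AdminAdministrator -Name $adminName).Rights)
$excess   = @($rights | Where-Object { $_.RoleName -ne $RoleName })
$nonHosts = @(Get-ADGroupMember -Identity $GroupName |
              Where-Object { $_.objectClass -ne 'computer' })

if ($excess.Count -gt 0) {
    Write-Warning ("{0} also holds: {1}" -f $adminName, ($excess.RoleName -join ', '))
}
if ($nonHosts.Count -gt 0) {
    Write-Warning ("Non-computer members in {0}: {1}" -f $GroupName, ($nonHosts.SamAccountName -join ', '))
}
```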

Task 1: Discover your Site

In this step, you provide the information that Citrix Cloud needs to locate your Site and select your default resource location. The default resource location specifies the domain and connectivity option for all users who access your Site. If you need to install Cloud Connectors in your Site’s domain, you can do so now. If you already have Cloud Connectors installed, you can select them when prompted.

  1. From the Citrix Cloud menu, click Workspace Configuration and then click Sites > Add Site.
  2. In Select type of Site, select the XenApp or XenDesktop version of the Site you want to add. Citrix Cloud attempts to discover any Cloud Connectors in your domain and displays them in the next tab.
  3. In Discover XenApp Site or Discover XenApp and XenDesktop Site, perform one of the following actions:
    1. If you have no Cloud Connectors installed in your Site’s domain, click Install Connector. Citrix Cloud prompts you to download the Cloud Connector software and complete the installation wizard.
    2. If you have Cloud Connectors installed, Citrix Cloud displays the connectors in the domains in which they were detected. Select the resource location you want to add to Citrix Workspace. This resource location becomes the default resource location.
    3. If you have Cloud Connectors installed, but they are not displayed, click Detect.
  4. In Enter Server Address, enter the IP address or FQDN of a Controller in the Site.
  5. XenApp 6.5 only: Enter the port for the XML Server. If the XML Server port uses SSL, select Use SSL.

    Note: For XenApp and XenDesktop 7.x Sites, Citrix Cloud automatically discovers the XML server port.

  6. Click Discover.
  7. If prompted, type the Citrix Administrator credentials for the Site and click Continue. Citrix Cloud performs a connectivity test to verify that your Site is reachable. Discovery might take a few minutes to complete, depending on the type and size of the Site.
  8. Click Continue.

Task 2: Verify Active Directory Connection

In Verify Active Directory Connection, Citrix Cloud displays the domains used with your Site and whether or not there are Cloud Connectors installed in those domains. For XenApp 6.5, Citrix Cloud also displays an alert if there are any local user accounts on the XenApp servers assigned to any applications.

If there are no Cloud Connectors in a domain, users in that domain can’t use Citrix Workspace to access the applications published there. If only one Cloud Connector is installed, your Site’s connection to Citrix Cloud is at risk of an outage, preventing users from using Citrix Workspace. To ensure high availability for your Site, Citrix recommends installing at least two (2) Cloud Connectors in each domain.

XenApp 6.5: If there are local user accounts assigned to published applications, these users must be assigned to applications using their Active Directory account instead. Otherwise, they can’t use Citrix Workspace to access their applications. Citrix Cloud provides a downloadable list in CSV format of the applications and the local user accounts assigned to them.

  1. To install more Cloud Connectors, click Install Connector. If your domain has only one Cloud Connector and you choose to continue without installing more Cloud Connectors, select I understand that high availability requires having two connectors installed in each domain.
  2. If you have local users assigned to applications in your Site, click Download user list (.csv).
  3. Click Continue.

Task 3: Configure connectivity and confirm settings

In this step, you specify whether you want to allow external user access or internal-only access to your Site through Citrix Workspace. Internal connectivity requires your users to be on the same network as your Site. For external connectivity, you can use your existing Citrix Gateway or you can use the Citrix Gateway service.

  1. In Configure Connectivity, under Select connectivity type, select one of the following options:
    • Add Existing Gateway: Select this option to use your existing Citrix Gateway to provide external access.
    • Citrix Gateway service: Select this option to activate a service trial or use your existing subscription with your Site.
    • Internal Only: If selected, no other configuration is needed. Click Continue.
  2. If Add Existing Gateway is selected, perform the following actions:
    1. Click Edit and type the public URL of the Citrix Gateway.
    2. Verify that Citrix Gateway is configured to use your Cloud Connectors as the STA servers as described in CTX232640.
    3. Click Test STA. When the test is successful, click Continue. If the test isn’t successful, refer to CTX232517 for troubleshooting steps.
  3. If Citrix Gateway service is selected, but the service isn’t enabled for your Citrix Cloud account as a service trial or as a purchase, click Start a 60-day trial. Citrix Cloud enables the service as a trial for you. If the service was enabled at an earlier time, Citrix Cloud detects the service and displays any remaining trial days, if applicable.
  4. Click Continue.
  5. In Confirm Site Aggregation, review the XML port, XML servers, Active Directory domains, and the Connectivity Type you chose earlier.

    Note: Citrix Cloud displays up to five of the XML servers with which it can connect. If you have multiple XML servers in your Site but only one is displayed, Citrix Cloud displays an alert. To troubleshoot this issue, refer to CTX232516.

  6. Click Save and Finish. The Sites page displays your newly added Site.

Note: If you want to specify different XML servers, click Save and Finish. You can then edit your Site to change these values.

Change your Site configuration

Rediscover your Site

If you add Delivery Controllers to your Site or change XML ports, you can initiate rediscovery to verify your Site is still reachable in Citrix Workspace.

  1. On the Sites page, click the ellipsis button for the Site you want to update and click Edit Site.
  2. In Server Address, type the IP address or FQDN of a Delivery Controller in your Site and click Rediscover.

Add or modify XML servers

When you add a new Site to Citrix Workspace, Citrix Cloud automatically detects the XML servers in your Site and displays up to five XML servers in your Site configuration. You can add and remove XML servers as needed from your Site configuration, up to the display limit of five XML servers.

To add an XML server

  1. On the Sites page, click the ellipsis button for the Site you want to update and click Edit Site.
  2. In the XML Servers section, type the XML server port and select Use SSL if needed.
  3. Select a connectivity method:
    • Load balanced: This option allows Citrix Cloud to pick a random XML server from the list.
    • Failover: This option allows Citrix Cloud to use the listed XML servers in the order in which they appear in the list. You can re-order the list by dragging and dropping each server as needed.
  4. Click Save Changes.

If you experience an error when adding an XML server, refer to CTX232516 for troubleshooting steps.

Add IP ranges for different connectivity options

If you have VDAs or session hosts in different subnets, you can specify IP ranges with a different connectivity type for each one. Each IP range can also have a different resource location associated with it. For example, you might have one IP range for machines located in the EU where users connect internally only, one IP range for machines in the EU where users connect through your existing Citrix Gateway, and one IP range for machines in the US where users connect through the Citrix Gateway service.

  1. On the Sites page, click the ellipsis button for the Site you want to update and click Edit Site.
  2. In the Connectivity section, click Add an IP range with a different connectivity option.
  3. Type an IP range in CIDR format.
  4. To create a new resource location for your IP range, perform the following actions:
    1. Select Add a new Resource Location and type a friendly name.
    2. In Select your connectivity, select whether you want to provide internal-only access or allow external access using your existing Citrix Gateway or the Citrix Gateway service.
  5. To assign an existing resource location to the IP range, choose Select an existing resource location and then select the resource location you want to use. If you choose a resource location with only one Cloud Connector installed, select I understand that high availability requires having two connectors are installed in a resource location.
  6. Click Add.

Add more Active Directory domains

If you install Cloud Connectors in additional domains with Active Directory users in your Site, you can ensure they are added to your Site configuration in Citrix Workspace.

  1. On the Sites page, click the ellipsis button for the Site you want to update and click Edit Site.
  2. Under Active Directory, click Refresh.

Disable Sites

If you no longer want to make your on-premises Site available to users in Citrix Workspace, you can disable it. You can disable an individual on-premises Site or you can disable all on-premises Sites you’ve added to Citrix Workspace.

When Sites are disabled, users can no longer access the on-premises applications in those Sites through Citrix Workspace, but the configuration for those Sites is preserved. When you re-enable a Site later on, the Site’s default resource location, domain, XML server, and connectivity settings are retained.

To disable an on-premises Site

  1. On the Sites page, click the ellipsis button for the Site you want to disable.
  2. Click Disable. A confirmation message appears.
  3. Click Disable.

To disable all on-premises Sites

To disable all Sites on the Sites page, you disable the workspace integration for all Virtual Apps and Desktops on-premises Sites. Disabling the workspace integration effectively disables Site aggregation of on-premises Sites. For instructions, see Disable workspace integration for a service.

To re-enable any individual on-premises Sites or to add a new Site later on, you must first re-enable the workspace integration for all Sites on the Service Integrations page.

Delete a Site from Citrix Workspace

If you no longer want your on-premises Site configuration in Citrix Workspace, you can delete the Site. When you delete a Site, only the configuration for the Site in Citrix Workspace is removed. Citrix Cloud does not make any changes to your Site.

  1. On the Sites page, click the ellipsis button for the Site you want to remove.
  2. Click Delete.