Support for Citrix Endpoint Management
Citrix Gateway service provides remote device access to your internal network and resources.
Use the cloud-based Citrix Gateway service with Endpoint Management when:
You want a maintenance-free service that doesn’t require negotiating with network, security, and compliance teams before configuring your corporate network.
You want to use the unified authentication experience provided by Citrix Cloud. Citrix Gateway service uses the Citrix Identity provider to manage the identity information for all users in your Citrix Cloud account. For more information, see Identity and access management.
You plan to use Citrix mobile productivity apps, such as Citrix Secure Mail or Secure Web. Citrix Gateway provides an on-demand application VPN connection. Secure Hub initiates that VPN connection on mobile devices to access corporate network sites or resources.
This variation of a clientless VPN is also known as Tunneled – Web single sign-on (SSO). Connections such as web traffic that tunnel to the internal network use Tunneled – Web SSO. We recommend Tunneled – Web SSO for connections that require single sign-on. For more information, see App network access for Android and App network access for iOS.
Architecture and communication flow overview
The following diagram provides an overview of Citrix Gateway service architecture when used with Endpoint Management.
Citrix Gateway service isn’t used during device enrollment in Endpoint Management. After enrollment, MDM control traffic goes directly to Citrix Endpoint Management, without going through Citrix Gateway service. Only MAM VPN data traffic is sent to Citrix Gateway service. All traffic sent to Citrix Gateway gets directed to the on-premises Gateway Connector.
The following authentication types are supported for Citrix Gateway service integration with Endpoint Management:
- Basic, Digest, NTLM
- Kerberos Constrained Delegation (KCD) single sign-on
- Form-based single sign-on
- SAML single sign-on
The following diagram shows the Endpoint Management communication flow with Citrix Gateway service.
Citrix Workspace experience enabled
With Citrix Workspace enabled, user enrollment starts in the Workspace app. When Secure Hub detects the Workspace entitlement, Secure Hub completes enrollment. Secure Hub then opens Citrix Workspace where users can access their apps and other resources.
Citrix Gateway service subscription
If you already use on-premises Citrix Gateway and want to switch to Citrix Gateway service, contact your Citrix Sales representative. Switching from on-premises Citrix Gateway to the Citrix Gateway service requires that you reenroll devices.
New Endpoint Management customers: Select the Citrix Gateway service during Endpoint Management onboarding.
Gateway Connector installed on-premises in a resource location
Endpoint Management uses the resource location for Gateway Connector only for STA tickets for Secure Mail. Citrix Gateway sends STA traffic to the Gateway Connector in the resource location.
Install one or more Gateway Connectors in any one resource location. Endpoint Management doesn’t support Gateway Connectors installed in multiple resource locations.
Install Gateway Connector in the same or a different resource location than Active Directory. The only role of Active Directory is to use the Citrix Identity provider to authenticate users to the Citrix Gateway service. Citrix Gateway service creates session connections to the Gateway Connector for authenticated users. You can have multiple Active Directories.
If the connector isn’t available during Citrix Endpoint Management onboarding, you can install it after onboarding.
To configure Citrix Gateway service with Citrix Endpoint Management
A preview of the Citrix Gateway service is available for Endpoint Management customers. For more information, see Configure Citrix Gateway use with Endpoint Management.