Support for Enterprise web apps

Web app delivery using the Citrix Gateway service enables enterprise-specific applications to be delivered remotely as a web-based service. Commonly used web apps include SharePoint, Confluence, OneBug, and so on.

Web apps can be accessed from Citrix Workspace through the Citrix Gateway service. The Citrix Gateway service coupled with Citrix Workspace provides a unified user experience for the configured Web apps, SaaS apps, configured virtual apps, or any other workspace resources.

SSO and remote access to web apps are available as part of the following service packages:

  • Gateway Service Standard
  • Workspace Standard, Workspace Premium, or Workspace Premium Plus

System requirements

Citrix Gateway Connector – A virtual appliance that facilitates remote access to the Enterprise web apps. The virtual machine must meet at least the following specification:

  • Number of vCPUs must be exactly 2.
  • 4 GB RAM minimum.
  • 1 Network Adapter (virtual NIC). You can add an extra virtual NIC upon requirement.

Install the Gateway Connector before configuring the Enterprise web apps for a cleaner approach.


If there are SSL intercepting devices in the on-premises data center where the Citrix Gateway Connector must be deployed, the connector registration does not succeed if SSL interception is enabled for these FQDNs. The SSL interception must be disabled for these FQDNs for successful connector registration. For more information on Citrix Gateway Connector, see Citrix CloudGateway Connector.

How it works

Citrix Gateway service securely connects to the on-premises data center using Citrix CloudGateway Connector, which is deployed on-premises. This connector acts as a bridge between Enterprise web apps deployed on-premises and the Citrix Gateway service. These connectors can be deployed in an HA pair and require only an outbound connection.

A TLS connection between the Gateway connector and the Citrix Gateway service in the cloud secures the on-premises applications that are enumerated into the cloud service. Web applications are accessed and delivered through Workspace using a VPN-less connection. The following figure illustrates accessing web applications using Citrix Workspace.

How web apps work

Ways to configure Enterprise web apps

Enterprise web apps can be configured and published in the following two ways:

Configure and publish Enterprise web apps manually

The following configuration takes the SharePoint app as an example to configure and publish an app manually:

  1. On the Citrix Gateway service tile, click Manage.

  2. Click Add a Web/SaaS App below the Single Sign On tile.

  3. Click Skip to configure the SharePoint app manually.


  4. Select the Inside my corporate network radio button.

    Enter the following details in the App Details section and click Next.

    Name – Name of the application that you are adding.

    URL – URL with your customer ID. The URL must contain your customer ID (Citrix Cloud customer ID). To get your customer ID, see Sign up for Citrix Cloud. In case SSO fails or you do not want to use SSO, the user is redirected to this URL.

    Customer domain name and Customer domain ID - Customer domain name and ID are used to create the app URL and other subsequent URLs in the SAML SSO page.

    For example, if you are adding a Salesforce app, your domain name is salesforceformyorg and ID is 123754, then the app URL is

    Customer domain name and Customer ID fields are specific to certain apps.

    Related Domains – The related domain is auto-populated based on the URL that you have provided. Related domain helps the service to identify the URL as part of the app and route traffic accordingly. You can add more than one related domain.

    Icon – Click Change icon to change the app icon. The icon file size must be 128x128 pixels. If you do not change the icon, the default icon is displayed.

    Description – The description that you enter here is displayed to your users in the workspace.

    Do not display application icon to users - Select the check box if you want to hide this app in the Citrix Workspace portal. When an app is hidden in the Citrix Workspace portal, the Secure Workspace Access service does not return this app during enumeration. However, users can still access the hidden app.


  5. In the Enhanced Security section, select Enable enhanced security to choose the security options you would like to apply to the application.


    The Enhanced Security section is available only if you are entitled to Secure Workspace Access service. For details, see

    • The following enhanced security options can be enabled for the application.

      • Restrict clipboard access: Disables cut/copy/paste operations between the app and system clipboard
      • Restrict printing: Disables ability to print from within the Citrix Workspace app browser
      • Restrict navigation: Disables the next/back app browser buttons
      • Restrict downloads: Disables the user’s ability to download from within the app
      • Display watermark: Displays a watermark on the user’s screen displaying the user name and IP address of the user’s machine


    • The following advanced app protection policies can be enabled for the application.

      Restrict keylogging: Protects against key loggers. When a user logs on to the app with a user name and password, all keystrokes appear encrypted to key loggers. All activities that a user performs in the app are also protected against key logging. For example, if app protection policies are enabled for Office365 and the user edits an Office365 Word document, all keystrokes appear encrypted to key loggers.

      Restrict screen capture: Disables the ability to capture the screens using any of the screen capture programs or apps. If a user tries to capture the screen, a blank screen is captured.


      • You can enable the advanced app protection policies only after enabling the Enable enhanced security option.
      • The app protection policies are enabled per app because not all apps might require these restrictions.
      • The app protection policies work only when the app is delivered through the Citrix embedded browser.
    • Select Launch application always in Citrix Secure Browser service to always launch an application in Secure Browser service regardless of other enhanced security settings.


      • The other enhanced security options are still enforced once the app is launched inside the Secure Browser.

      • If you are accessing the app from the Citrix Workspace app or from the Citrix Workspace for web, then the app is launched in the embedded browser or the native browser respectively until the policy is enforced on mobile devices.

    • Select Enforce policy on mobile device to enable the previously mentioned enhanced security options on your mobile device.


      When Enforce Policy on Mobile Device is selected along with Enable enhanced security, the user experience for the application access is negatively impacted for the desktop users and the mobile users.

  6. Now you must connect to a resource location. You can either select an existing resource location or create one. To choose an existing resource location, click one of the resource locations from the list of resource locations, for example My Resource Location, and click Next. For guidance on adding a resource location, click

    Add new resource location

  7. Select your preferred single sign-on type to be used for your application and click Save. The following single sign-on types are available.

    • Basic – If your back-end server presents you with a basic-401 challenge, choose Basic SSO. You do not need to provide any configuration details for the Basic SSO type.
    • Kerberos – If your back-end server presents you with the negotiate-401 challenge, choose Kerberos. You do not need to provide any configuration details for the Kerberos SSO type.
    • Form-Based – If your back-end server presents you with an HTML form for authentication, choose Form-Based. Enter the configuration details for the Form-Based SSO type.
    • SAML - Choose SAML for SAML-based SSO into web applications. Enter the configuration details for SAML SSO type.
    • Don’t use SSO – Use Don’t use SSO option when you do not need to authenticate a user on the back end server. When the Don’t use SSO option is selected, the user is redirected to the URL configured under the App details section.

    Form based details: Enter the following form-based configuration details in the Single Sign On section and click Save.


    • Action URL - Type the URL to which the completed form is submitted.
    • Logon form URL – Type the URL on which the logon form is presented.
    • Username Format - Select a format for the user name.
    • Username Form Field – Type a user name attribute.
    • Password Form Field – Type a password attribute.

    SAML: Enter the following details in the Single Sign On section and click Save.

    • Sign Assertion - Signing the assertion or response ensures message integrity when the response or assertion is delivered to the relying party (SP). You can select Assertion, Response, Both, or None.
    • Assertion URL – Assertion URL is provided by the application vendor. The SAML assertion is sent to this URL.
    • Relay State – The Relay State parameter is used to identify the specific resource the users access after they are signed in and directed to the relying party’s federation server. Relay State generates a single URL for the users. Users can click this URL to log on to the target application.
    • Audience – Audience is provided by the application vendor. This value confirms that the SAML assertion is generated for the correct application.
    • Name ID Format – Select the supported name identifier format.

    • Name ID – Select the supported name ID.
  8. Click Finish.

    After you click Finish, the app is added to the library and you are presented with the following three options.

    • Add Another App
    • Edit App
    • Go to the Library
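The single sign-on choice in step 7 follows from how the back-end server answers an unauthenticated request. The following added example (not Citrix code; `suggest_sso_type`, `LoginFormFinder` and the sample page are hypothetical names constructed here) maps a captured response to one of the listed types and, for a logon form, extracts the values needed for the Action URL, Username Form Field and Password Form Field settings. Checking Negotiate before Basic when a server offers both is a choice made by this example.

```python
from html.parser import HTMLParser

# Constructed sample of a back-end logon page (not taken from any real app).
SAMPLE_LOGIN_PAGE = """<html><body>
<form action="/auth/login" method="post">
  <input type="hidden" name="csrf" value="x">
  <input type="text" name="username">
  <input type="password" name="passwd">
</form></body></html>"""

class LoginFormFinder(HTMLParser):
    """Finds the first <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self.form = None    # form currently open
        self.result = None  # first form seen with a password field

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form = {"action_url": a.get("action", ""),
                         "username_field": None, "password_field": None}
        elif tag == "input" and self.form is not None:
            kind = (a.get("type") or "text").lower()
            if kind == "password":
                self.form["password_field"] = a.get("name")
            elif kind in ("text", "email") and self.form["username_field"] is None:
                self.form["username_field"] = a.get("name")

    def handle_endtag(self, tag):
        if tag == "form" and self.form is not None:
            if self.form["password_field"] and self.result is None:
                self.result = self.form
            self.form = None

def suggest_sso_type(status, www_authenticate, body=""):
    """Return (sso_type, form_details); www_authenticate is a list of header values."""
    schemes = {v.split(None, 1)[0].lower() for v in www_authenticate if v.strip()}
    if status == 401:
        if "negotiate" in schemes:   # checked first when both are offered
            return "Kerberos", None
        if "basic" in schemes:
            return "Basic", None
        return None, None            # other challenge: no listed type matches
    finder = LoginFormFinder()
    finder.feed(body)
    if finder.result:
        return "Form-Based", finder.result
    return "Don't use SSO", None
```

A result of `(None, None)` means the server sent a 401 challenge that none of the listed SSO types covers.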
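The SAML settings in step 7 (Sign Assertion, Assertion URL, Audience) each surface in a specific place in the SAML response, so a captured response can be compared against what was configured. The following added example is not Citrix code: `check_saml_response` and the sample response are constructed here, and it assumes standard SAML 2.0 web SSO, where the `Recipient` attribute carries the assertion consumer URL. It checks structure only and does not verify signature values.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: assertion signed, response unsigned. The signature is an
# empty placeholder element because this check is structural, not cryptographic.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>
    <ds:Signature/>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="https://app.example.test/saml/acs"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://app.example.test/sp</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_saml_response(xml_text, assertion_url, audience, sign_mode):
    """List mismatches; sign_mode is "Assertion", "Response", "Both" or "None"."""
    root = ET.fromstring(xml_text)  # use defusedxml for untrusted input
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    problems = []
    # A ds:Signature that is a direct child shows which element was signed.
    signed = {"Response": root.find("ds:Signature", NS) is not None,
              "Assertion": assertion.find("ds:Signature", NS) is not None}
    for element, present in signed.items():
        expected = sign_mode in (element, "Both")
        if present != expected:
            problems.append(f"{element} signature present={present}, expected={expected}")
    audiences = [a.text.strip() for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audience not in audiences:
        problems.append(f"Audience {audiences} does not include {audience}")
    recipients = [d.get("Recipient") for d in assertion.iterfind(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)]
    if assertion_url not in recipients:
        problems.append(f"Recipient {recipients} does not include {assertion_url}")
    return problems
```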

Assign users or user groups for the published apps

After an app is published, you can assign users or groups to the app.

  1. On the Citrix Cloud screen, click Go to the Library. Alternatively, you can also click Library in the upper left menu.

    Notice that the newly added app features in your library.


  2. To assign users for the app, hover your pointer over the ellipses on the right, and click Manage Subscribers.


  3. Click Choose a domain list and select a domain. Click Choose a group or user and assign users.


    Note: A subscribed user can be unsubscribed by selecting the user and clicking the delete icon next to Status.

  4. To obtain the Workspace URL to be shared with app users, on Citrix Cloud, click the menu icon and navigate to Workspace Configuration.


Manage your published apps

You can edit or delete a published app, and add more subscribers to the published app.

Edit a published app

To edit a published app, perform the following steps:

  1. Go to Library and identify the app to be edited.

  2. Hover your pointer over the ellipses on the right and click Edit.

  3. Edit the entries under the App Details section and click Save.

  4. Edit the entries under the Single Sign On section, click Save, and click Finish.

Delete a published app

To delete a published app, perform the following steps:

  1. Go to Library and identify the app to be deleted.
  2. Click the dot icon on the right and click Delete.

Manage subscribers for published app

To add more subscribers, perform the following steps:

  1. Go to Library and identify the app to be modified.
  2. Hover your pointer over the ellipses on the right, and click Manage Subscribers.

Launch a configured app – end-user flow

To launch a configured app, perform the following steps:

  1. Log on to Citrix Workspace with AD user credentials. The admin-configured apps are displayed.
  2. Click the app to launch it. The app is launched and the user is signed in to the app.

Enable VPN-less access to Enterprise Web apps through a local browser

You can use the Citrix Secure Workspace Access browser extension to enable VPN-less access to Enterprise Web apps through a local browser. The Citrix Secure Workspace Access browser extension is supported on both Google Chrome and Microsoft Edge browsers.

How to install the Citrix Secure Workspace Access browser extension

  1. Download the Citrix Secure Workspace Access browser extension from the Google Chrome store.
  2. Click Register to register your server FQDN.
  3. Enter your server FQDN and click Next.
  4. Enter your Citrix Workspace URL.
  5. Click Next.
  6. Enter your user name and password.
    • On entering the correct user credentials, the user is signed into the Workspace web portal and the browser extension.
    • Browser extension icon turns blue, indicating internal app access is enabled.
    • Browser extension window closes automatically after successful sign-in.
  7. Access to links of the sanctioned internal web apps is now enabled directly in the browser. If the web app is configured for SSO, the user is signed in to the app.


  • When you are on the internal network and do not need the browser extension to enable access to those URLs, you can turn the Internal App Access slider to OFF, and then access the URLs.
  • You can sign out of the browser extension if you want to disable internal web app access from the local browser.
  • You can also delete your account registration by clicking the Delete button, to reset the extension back to its original state. Once you unregister your account, you cannot access the Enterprise Web apps from your native browser.

Configure session timeouts

Admins can configure session timeouts for the Citrix Secure Workspace Access browser extension.

  1. On the Citrix Gateway service tile, click Manage.
  2. Click the Manage tab.
  3. In Inactivity Timeout for Browser Extension Behavior, select the timeout as per the requirement.


The routing rules cannot be sent to the browser extension temporarily.