Citrix Gateway VPN clients and supported features

Important:

The legacy Citrix VPN client was built using Apple’s private VPN APIs that is now deprecated. VPN support in Citrix SSO is rewritten using Apple’s public Network Extension framework. Citrix Gateway plug-in and Citrix VPN for iOS and macOS are no longer supported. Citrix SSO is the recommended VPN app to be used.

The following table lists some of the commonly used features supported for each VPN client.

Feature Windows plug-in Mac plug-in Linux SSO for macOS SSO for iOS SSO for Android
Always On (user mode) Yes (11.1 and later) No No No No Yes (via MDM) Android 7.0+
PAC file push Yes (12.0 and later) Yes No Yes Yes No
Client proxy support Yes Yes Yes No No Yes. See note 1
Max limit of Intranet Applications 512 128 128 No limit No limit No limit
Intranet IP (IIP) support Yes Yes Yes Yes Yes Yes
Split tunnel ON Yes Yes Yes Yes Yes Yes
Split tunnel reverse Yes Yes Yes Yes Yes No
FQDN based split tunnel Yes-Only ON (13.0 and later) No No Yes Yes No
Client idle timeout Yes Yes Yes No No No
Endpoint analysis Yes Yes Yes Yes No No
Device certificate (classic) Yes Yes No Yes No No
nFactor authentication Yes (12.1 and later) No No Yes Yes Yes. See note 3
EPA (nFactor) Yes (12.1 and later) No No Yes No No
Device certificate (nFactor) Yes (12.1 and later) No No Yes No No
Push notification Yes (12.1 and later) No No No Yes Yes (device registration only)
OTP token autofill support. See note 2 No No No No Yes Yes
DTLS support. See note 4 Yes (13.0 and later) No No No No No

Note:

  1. Setting a proxy in the client configuration on the VPN virtual server in the gateway configuration for Android 10 and later is supported. Only basic HTTP proxy configuration with IP address and port is supported.
  2. Only QR code scanned tokens are eligible for auto filling. Auto filling is not supported in the nFactor authentication flow.
  3. nFactor authentication support for Android devices is under preview and the feature is disabled, by default. Contact Citrix Support for enabling this feature. Customers must provide their Citrix Gateway’s FQDN to the support team for enabling nFactor authentication for Android devices.
  4. For details, see Configure DTLS VPN virtual server using SSL VPN virtual server.
Citrix Gateway VPN clients and supported features