Citrix Virtual Apps and Desktops service

User access

There are two primary components that provide access to applications and desktops in a Citrix Virtual Apps and Desktops service deployment:

  • Citrix Workspace: Citrix Workspace is a complete digital solution that allows you to deliver secure access to the information, apps, and other content that are relevant to a person’s role in your organization. Users subscribe to the services you make available and can access them from anywhere, on any device. Citrix Workspace helps you organize and automate the most important details your users need to collaborate, make better decisions, and focus fully on their work.

    There is zero effort to deploy Workspace, and it is kept evergreen by Citrix. Workspace is recommended for new and existing customers, previews, and proofs-of-concept.

  • An on-premises StoreFront: Customers can also use an existing StoreFront to aggregate applications and desktops in Citrix Cloud. This use case offers greater security, including support for two-factor authentication, and prevents users from entering their password into the cloud service. It also allows customers to customize their domain names and URLs. This deployment type is recommended for any Citrix Virtual Apps and Desktops customers who already have StoreFront deployed.

    See also Local Host Cache and StoreFront.

When users connect from outside the corporate firewall, Citrix Cloud can use Citrix Gateway (formerly NetScaler Gateway) technology to secure these connections with SSL. Citrix Gateway or the Citrix VPX virtual appliance is an SSL VPN appliance that is deployed in the demilitarized zone (DMZ). It provides a single secure point of access through the corporate firewall.

Using Citrix Workspace

Access to Workspace is through https://<customername>.cloud.com. If needed, you can customize the <customername> portion of the workspace URL. You can then configure the connectivity for each resource location you want to use, so that end-users can access the resources in their workspace. End-users access their workspace using the latest version of Citrix Workspace app.

For more information about using Workspace, see:

To provide remote access for end-users through Workspace, you can use either Citrix Gateway service or your own Citrix Gateway.

  • To use the Citrix Gateway service:

    1. In Citrix Cloud > Resource Locations, select Gateway for the resource location you want to use.
    2. Select Gateway Service and then click Save.
    3. In Citrix Cloud > Workspace Configuration > Service Integrations, locate the Gateway service and select Enable from the ellipsis menu.
  • To use your own Citrix Gateway:

    1. Set up Citrix Gateway as an ICA Proxy (no authentication or session policies are needed).
    2. Configure a resource location to use Citrix Gateway:
      1. In Citrix Cloud > Resource Locations, select Gateway for the resource location you want to use.
      2. Select Traditional Gateway and enter the external FQDN. Do not add a protocol. Ports are optional. Combination remote and internal access is not supported in Workspace.
    3. Bind Citrix Cloud Connectors as Secure Ticket Authority (STA) servers to Citrix Gateway. For details, see CTX232640.

For more information about the Citrix Gateway service and Citrix Gateway, see Citrix Gateway.

Using an on-premises StoreFront

For information about configuring an on-premises StoreFront, see the StoreFront documentation.

One benefit of using an existing StoreFront is that the Citrix Cloud Connector provides encryption of user passwords. The Cloud Connector encrypts credentials with AES-256, using a randomly generated one-time key. This key is returned directly to Citrix Workspace app and is never sent to the cloud. Citrix Workspace app then supplies it to the VDA during session launch to decrypt the credentials and provide a single sign-on experience into Windows.

  • For transport, select HTTP and port 80. The StoreFront machine must be able to directly access the Cloud Connector through the FQDN (fully qualified domain name) provided. The Cloud Connector must be able to reach the Cloud NFuse/STA URL (https://<customername>.xendesktop.net/Scripts/wpnbr.dll and ctxsta.dll).
  • Add Cloud Connectors as Delivery Controllers for high availability.

Use the most recent version of StoreFront.

External access

To provide external access through Citrix Gateway and on-premises StoreFront:

  • Set up Citrix Gateway as usual, with authentication and session policies. See the Citrix Gateway documentation for details.
  • Point your on-premises StoreFront store’s Delivery Controllers to the Citrix Cloud Connectors. Bind Cloud Connectors as STA servers to Citrix Gateway.
  • The Citrix Gateway must use the same STA URLs as StoreFront. If the gateway is not already configured to use the STA of an existing Citrix Virtual Apps and Desktops environment, Cloud Connectors can be used as a STA.
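
A consistency check for the requirement above that Citrix Gateway and StoreFront use the same STA URLs, as an added example (not Citrix code). The host names are constructed, the two lists are assumed to have been copied out of each product's configuration by hand, and the normalisation rules (default ports, a bare host treated as the conventional /Scripts/CtxSTA.dll path) are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
STA_PATH = "/scripts/ctxsta.dll"  # assumption: conventional STA path, compared case-insensitively


def normalize_sta(url):
    """Reduce an STA URL to (scheme, host, port) so equivalent spellings compare equal."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) STA URL: {url!r}")
    path = parts.path.rstrip("/").lower()
    if path not in ("", STA_PATH):
        raise ValueError(f"unexpected STA path in {url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.rstrip("."), port)


def compare_sta(gateway_urls, storefront_urls):
    """Report STA servers configured on one side but not the other."""
    gw = {normalize_sta(u) for u in gateway_urls}
    sf = {normalize_sta(u) for u in storefront_urls}
    return {
        "only_on_gateway": sorted(gw - sf),
        "only_on_storefront": sorted(sf - gw),
        "match": gw == sf,
    }


# Constructed sample input: Cloud Connectors bound as STA servers on each side.
GATEWAY_STAS = [
    "http://cc1.corp.example/scripts/ctxsta.dll",
    "http://cc2.corp.example:80/Scripts/CtxSTA.dll",
]
STOREFRONT_STAS = [
    "http://CC1.corp.example",
    "http://cc2.corp.example/scripts/ctxsta.dll",
    "http://cc3.corp.example",  # present in StoreFront only
]

if __name__ == "__main__":
    report = compare_sta(GATEWAY_STAS, STOREFRONT_STAS)
    for side in ("only_on_gateway", "only_on_storefront"):
        for scheme, host, port in report[side]:
            print(f"{side}: {scheme}://{host}:{port}")
    print("STA lists match" if report["match"] else "STA lists differ")
```

A scheme difference (http on one side, https on the other) for the same Cloud Connector is reported as a mismatch, since the two products would then not be using the same STA URL.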

Internal access

To provide internal access through an on-premises StoreFront, point the on-premises StoreFront store’s Delivery Controllers to the Citrix Cloud Connectors.

External and internal access

To provide external and internal access through Citrix Gateway and on-premises StoreFront:

  • Set up Citrix Gateway as usual, with authentication and session policies. See the Citrix Gateway documentation for details.
  • Bind Cloud Connectors as STA servers to Citrix Gateway.
  • Point your on-premises StoreFront store’s Delivery Controllers to the Cloud Connectors.

Local Host Cache and StoreFront

Local Host Cache enables connection brokering operations in a Citrix Virtual Apps and Desktops service deployment to continue when Cloud Connectors cannot communicate with Citrix Cloud.

The Local Host Cache feature works only in resource locations containing a customer-deployed on-premises StoreFront. Local Host Cache does not support Workspace.

Each resource location must have a customer-deployed on-premises StoreFront. Verify that the resource location contains a local StoreFront that points to all the Cloud Connectors in that resource location.

For more information, see Local Host Cache.
