Prerequisites to install Citrix Workspace app

System requirements and compatibility

Hardware requirements

Linux kernel:

  • Version 2.6.29 or later

Disk space:

  • A minimum of 55 MB
  • An extra 110 MB if you expand/extract the installation package on the disk
  • A minimum of 1 GB RAM for system-on-a-chip (SoC) devices that use HDX MediaStream Flash Redirection

Color video display:

  • 256 color video display or greater

Libraries and codec

Libraries:

  • glibcxx 3.4.15 or later
  • glibc 2.11.3 or later
  • gtk 2.20.1 or later
  • libcap1 or libcap2
  • libjson-c (for instrumentation)
  • GCC 4.8 for x64
  • GCC 4.9 for Armhf
  • X11 or X.Org
  • udev support

Self-service user interface:

  • webkit2gtk 2.16.6 or later
  • libxml2 2.7.8
  • libxerces-c 3.1

Codec libraries:

  • Advanced Linux Sound Architecture (ALSA) libasound2
  • Speex
  • Vorbis codec libraries

Red Hat Package Manager (RPM) based distribution requirements:

  • chkconfig

Network requirements

Network protocol:

  • TCP/IP

H.264 requirements

For x86 devices:

  • A minimum processor speed of 1.6 GHz

For the HDX 3D Pro feature:

  • A minimum processor speed of 2 GHz
  • A native hardware with accelerated graphics driver

For ARM devices:

  • A hardware H.264 decoder is required for both general H.264 support and HDX 3D Pro

HDX MediaStream Flash Redirection

For all HDX MediaStream Flash Redirection requirements, see Knowledge Center article CTX134786.

We recommend that you test the article with the latest plug-in before deploying a new version to take advantage of the latest functionality and security-related fixes.

Customer Experience Improvement Program (CEIP) integration requirements

  • zlib 1.2.3.3
  • libtar 1.2 or later
  • libjson 7.6.1 or later

HDX RealTime webcam video compression requirements

  • A Video4Linux compatible webcam
  • GStreamer 0.10.25 (or a later 0.10.x version), including the distribution’s “plugins-good” package

    Or,

  • GStreamer 1.0 (or a later 1.x version), including the distribution’s “plugins-base”, “plugins-good”, “plugins-bad”, “plugins-ugly”, and “gstreamer-libav” packages

HDX MediaStream Windows Media redirection requirements

  • GStreamer 0.10.25 (or a later 0.10.x version), including the distribution’s “plugins-good” package. In general, version 0.10.15 or later is sufficient for HDX MediaStream Windows Media Redirection

    Or,

  • GStreamer 1.0 (or a later 1.x version), including the distribution’s “plugins-base”, “plugins-good”, “plugins-bad”, “plugins-ugly”, and “gstreamer-libav” packages

Note

  • If GStreamer is not included in your Linux distribution, you can download it from the GStreamer page.
  • Use of certain codecs (for example, as in “plugins-ugly”) might require a license from the manufacturer of that technology. Contact your system administrator for help.

Browser content redirection requirements

  • webkit2gtk version 2.16.6
  • glibcxx 3.4.20 version or later

Philips SpeechMike requirements

  • Visit the Philips website to install the relevant drivers

Microsoft Teams optimization requirements

Minimum version:

  • Citrix Workspace app 2006

Software:

  • GStreamer 1.0 or later and Cairo 2
  • libc++-9.0 or later
  • libgdk 3.22 or later
  • OpenSSL 1.1.1d
  • x64 Linux distribution

Hardware:

  • A minimum 1.8 GHz dual-core CPU that can support 720p HD resolution during a peer-to-peer video conference call
  • Dual or quad-core CPU with a base speed of 1.8 GHz and a high Intel Turbo Boost speed of at least 2.9 GHz

Authentication enhancement:

  • Libsecret library

Service continuity requirements

Mandatory preinstalled libraries:

  • libwebkit2gtk-4.0-37 version 2.30.1 or later
  • For Ubuntu/RHEL/SUSE/Fedora/Debian, we suggest that you install the latest libwebkit2gtk-4.0-37 version 2.30.1 or later.
  • For Raspberry Pi with Buster OS, we suggest that you install the libwebkit2gtk-4.0-37 version 2.30.1.
  • gnome-keyring version 3.18.3 or later.
  • Libsecret installed

Note

Following the 1910 release, Citrix Workspace app works as expected only if the operating system meets the following GCC version criteria:

  • GCC version for x64 architecture: 4.8 or later
  • GCC version for ARMHF architecture: 4.9 or later

Following the 2101 release, Citrix Workspace app works as expected only if the operating system meets the following requirements:

  • GCC version 4.9 or later
  • glibcxx 3.4.20 or later

Compatibility matrix

Citrix Workspace app is compatible with all currently supported versions of the Citrix products. For information about the Citrix product lifecycle, and to find out when Citrix stops supporting specific versions of products, see the Citrix Product Lifecycle Matrix.

Server requirements

StoreFront

  • You can use all currently supported versions of Citrix Workspace app to access StoreFront stores from both internal network connections and through Citrix Gateway:
    • StoreFront 1811 and later.
    • StoreFront 3.12.
  • You can use StoreFront configured with the workspace for web. The workspace for web provides access to StoreFront stores from a web browser. For the limitations of this deployment, see Important considerations in the StoreFront documentation.

Connections and certificates

Connections

Citrix Workspace app for Linux supports HTTPS and ICA-over-TLS connections through any one of the following configurations.

  • For LAN connections:

    • StoreFront using StoreFront services or workspace for web
  • For secure remote or local connections:

    • Citrix Gateway 12.0
    • NetScaler Gateway 10.1 and later
    • NetScaler Access Gateway Enterprise Edition 10
    • NetScaler Access Gateway Enterprise Edition 9.x
    • NetScaler Access Gateway VPX

    For information about the Citrix Gateway versions supported by StoreFront, see System requirements of StoreFront.

Certificates

To ensure secure transactions between server and client, use the following certificates:

Private (self-signed) certificates

If a private certificate is installed on the remote gateway, the root certificate for the organization’s certificate authority must be installed on the user device to access Citrix resources using Citrix Workspace app.

Note:

If the remote gateway’s certificate cannot be verified upon connection (because the root certificate is not included in the local key store), an untrusted certificate warning appears. If a user chooses to continue through the warning, the apps are displayed but cannot be launched. The root certificate must be installed in the client’s certificate store.

Root certificates

For domain-joined machines, use the Group Policy Object administrative template to distribute and trust CA certificates.

For non-domain joined machines, create a custom install package to distribute and install the CA certificate. Contact your system administrator for assistance.

Install root certificates on user devices

To use TLS, you need a root certificate on the user device that can verify the signature of the Certificate Authority on the server certificate. By default, Citrix Workspace app supports the following certificates.

Certificate                 Issuing Authority
Class4PCA_G2_v2.pem         Verisign Trust Network
Class3PCA_G2_v2.pem         Verisign Trust Network
BTCTRoot.pem                Baltimore Cyber Trust Root
GTECTGlobalRoot.pem         GTE Cyber Trust Global Root
Pcs3ss_v4.pem               Class 3 Public Primary Certification Authority
GeoTrust_Global_CA.pem      GeoTrust
DigiCertGlobalRootCA.pem    DigiCert Global Root CA

Wildcard certificates

Wildcard certificates are used in place of individual server certificates for any server within the same domain. Citrix Workspace app supports wildcard certificates; however, use them only in accordance with your organization’s security policy. In practice, alternatives to wildcard certificates, such as a certificate containing the list of server names within the Subject Alternative Name (SAN) extension, can be considered. Both private and public certificate authorities issue such certificates.

Append intermediate certificate to Citrix Gateway

If your certificate chain includes an intermediate certificate, the intermediate certificate must be appended to the Citrix Gateway server certificate. For information, see Configuring Intermediate Certificates in Citrix Gateway documentation.

If your StoreFront server cannot provide the intermediate certificates that match the certificate it is using, or you install intermediate certificates to support smart card users, follow these steps before adding a StoreFront store:

  1. Obtain one or more intermediate certificates separately in PEM format.

    Tip:

    If you cannot find a certificate in PEM format, use the openssl utility to convert a certificate in CRT format to a .pem file.

  2. As the user who installed the package (usually root):

    1. Copy one or more files to $ICAROOT/keystore/intcerts.

    2. Run the following command after you have installed the package:

      $ICAROOT/util/ctx_rehash
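
The steps above as one script, added here as an example (it is not part of the Citrix package). It assumes ICAROOT is set to the installation directory and that any file without a PEM header is a DER-encoded certificate; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: stage intermediate certificates for Citrix Workspace app.
# Assumes ICAROOT points at the installation directory, as in the steps above.

# is_pem FILE: true when the file already carries a PEM certificate header.
is_pem() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# install_intcert FILE: copy one intermediate into $ICAROOT/keystore/intcerts,
# converting from binary (DER) encoding first when it is not PEM.
install_intcert() {
    src=$1
    dest_dir="$ICAROOT/keystore/intcerts"
    [ -n "$ICAROOT" ] && [ -d "$dest_dir" ] || { echo "ICAROOT/keystore/intcerts not found" >&2; return 2; }
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    name=$(basename "$src")
    dest="$dest_dir/${name%.*}.pem"
    if is_pem "$src"; then
        cp "$src" "$dest" || return 1
    else
        # Not PEM: treat the file as DER and convert it with openssl.
        openssl x509 -inform DER -in "$src" -out "$dest" || { rm -f "$dest"; return 1; }
    fi
    chmod 644 "$dest"
}

# install_intcerts FILE...: install every file, then run ctx_rehash once.
install_intcerts() {
    failed=0
    for f in "$@"; do
        install_intcert "$f" || { echo "skipped $f" >&2; failed=1; }
    done
    "$ICAROOT/util/ctx_rehash" || return 1
    return "$failed"
}

if [ "$#" -gt 0 ]; then install_intcerts "$@"; fi
```

Run it as the account that owns the installation (usually root), passing the certificate files as arguments.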

Joint server certificate validation policy

Citrix Workspace app has a stricter validation policy for server certificates.

Important:

Before installing Citrix Workspace app, confirm that the certificates on the server or gateway are correctly configured as described here. Connections might fail if:

  • the server or gateway configuration includes a wrong root certificate
  • the server or gateway configuration does not include all intermediate certificates
  • the server or gateway configuration includes an expired or otherwise invalid intermediate certificate
  • the server or gateway configuration includes a cross-signed intermediate certificate

When validating a server certificate, Citrix Workspace app now uses all the certificates supplied by the server (or gateway). As in previous Citrix Workspace app releases, it verifies that the certificates are trusted. If any certificate is untrusted, the connection fails.

This policy is stricter than the certificate policy in web browsers. Many web browsers include a large set of root certificates that they trust.

The server (or gateway) must be configured with the correct set of certificates. An incorrect set of certificates might cause Citrix Workspace app connection to fail.

If a gateway is configured with these valid certificates, we recommend that you use the following configuration for stricter validation, by determining exactly which root certificate is used by Citrix Workspace app:

  • Example Server Certificate

  • Example Intermediate Certificate

  • Example Root Certificate

Citrix Workspace app verifies that all these certificates are valid. Citrix Workspace app also verifies that it already trusts the Example Root Certificate. If Citrix Workspace app does not trust the Example Root Certificate, the connection fails.

Important:

  • Some certificate authorities have more than one root certificate. If you require this stricter validation, make sure that your configuration uses the appropriate root certificate. For example, there are currently two certificates (DigiCert/GTE CyberTrust Global Root and DigiCert Baltimore Root/Baltimore CyberTrust Root) that can validate the same server certificates. On some user devices, both root certificates are available. On other devices, only one is available (DigiCert Baltimore Root/Baltimore CyberTrust Root). If you configure the GTE CyberTrust Global Root certificate at the gateway, Citrix Workspace app connections on those user devices fail. Consult the certificate authority’s documentation to determine which root certificate must be used. Also note that root certificates eventually expire, as do all certificates.
  • Some servers and gateways never send the root certificate, even if configured. Stricter validation is then not possible.

If a gateway is configured with these valid certificates, usually we can use the following configuration, omitting the root certificate:

  • Example Server Certificate

  • Example Intermediate Certificate

Citrix Workspace app uses these two certificates. It searches for a root certificate on the user device. If Citrix Workspace app finds a root certificate that validates correctly, and is also trusted (such as Example Root Certificate), the connection succeeds. Otherwise, the connection fails. This configuration supplies the intermediate certificate that Citrix Workspace app needs, but also allows Citrix Workspace app to choose any valid, trusted, root certificate.

If a gateway is configured with these certificates:

  • Example Server Certificate

  • Example Intermediate Certificate

  • Wrong Root Certificate

A web browser might ignore the wrong root certificate. However, Citrix Workspace app does not ignore the wrong root certificate, and the connection fails.

Some certificate authorities use more than one intermediate certificate. In this case, the gateway is configured with all the intermediate certificates (but not the root certificate) such as:

  • Example Server Certificate

  • Example Intermediate Certificate 1

  • Example Intermediate Certificate 2

Important:

  • Some certificate authorities use a cross-signed intermediate certificate. This is intended for situations where there is more than one root certificate, and an earlier root certificate is still in use at the same time as a later root certificate. In this case, there are at least two intermediate certificates. For example, the earlier root certificate Class 3 Public Primary Certification Authority has the corresponding cross-signed intermediate certificate Verisign Class 3 Public Primary Certification Authority - G5. However, a corresponding later root certificate Verisign Class 3 Public Primary Certification Authority - G5 is also available, which replaces Class 3 Public Primary Certification Authority. The later root certificate does not use a cross-signed intermediate certificate.
  • The cross-signed intermediate certificate and the root certificate have the same Subject name (Issued To). But the cross-signed intermediate certificate has a different Issuer name (Issued By). This distinguishes the cross-signed intermediate certificate from an ordinary intermediate certificate (such as Example Intermediate Certificate 2).

This configuration, omitting the root certificate and the cross-signed intermediate certificate, is recommended:

  • Example Server Certificate

  • Example Intermediate Certificate

Avoid configuring the gateway to use the cross-signed intermediate certificate, because it selects the earlier root certificate:

  • Example Server Certificate

  • Example Intermediate Certificate

  • Example Cross-signed Intermediate Certificate [not recommended]

It is not recommended to configure the gateway with only the server certificate:

  • Example Server Certificate

In this case, if Citrix Workspace app cannot locate all the intermediate certificates, the connection fails.
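
An added example (not Citrix code) that sorts a gateway's certificate list into the cases described in this section by comparing Subject and Issuer names, including the cross-signed test of same Subject as a root but a different Issuer. The function names, the tab-separated format and the roots file are assumptions; it compares names only and does not verify signatures or expiry.

```shell
#!/bin/sh
# Added example: classify a gateway certificate list by subject/issuer names.
# It compares names only; it does not verify signatures or validity dates.

# chain_fields BUNDLE: print "subject<TAB>issuer" per certificate in a PEM
# bundle, in file order (server certificate first).
chain_fields() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout |
        awk '/^subject=/ { s = substr($0, 9) }
             /^issuer=/  { print s "\t" substr($0, 8) }'
}

# root_subjects DIR: subjects of the PEM root certificates trusted on the device.
root_subjects() {
    for f in "$1"/*.pem; do
        if [ -f "$f" ]; then chain_fields "$f" | cut -f1; fi
    done
}

# classify_chain ROOTS_FILE: read chain_fields output on stdin and print one of
# strict, recommended, wrong-root, cross-signed, server-only, no-trusted-root.
classify_chain() {
    awk -F'\t' -v roots="$1" '
    BEGIN { while ((getline line < roots) > 0) trusted[line] = 1 }
    { n++; subj[n] = $1; iss[n] = $2 }
    END {
        if (n == 0) { print "empty"; exit }
        result = (n == 1) ? "server-only" : "recommended"
        for (i = 2; i <= n; i++) {
            if (subj[i] == iss[i]) {            # self-signed: a root was sent
                if (!(subj[i] in trusted) || iss[i-1] != subj[i]) {
                    result = "wrong-root"; break
                }
                if (result != "cross-signed") result = "strict"
            } else if (subj[i] in trusted) {    # root subject, different issuer
                result = "cross-signed"
            }
        }
        if (result == "recommended" && !(iss[n] in trusted))
            result = "no-trusted-root"
        print result
    }'
}

# Usage: root_subjects DIR > roots.txt
#        chain_fields gateway.pem | classify_chain roots.txt
```

A result of no-trusted-root means the last certificate supplied names an issuer that is not among the device's roots, so either an intermediate is missing or the root is not installed.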

Hdxcheck

We provide a script, workspacecheck.sh, as part of the Citrix Workspace app installation package. The script checks whether your device meets all the system requirements in support of the functionalities of Citrix Workspace app. The script is in the Utilities directory of the installation package.

To run the workspacecheck.sh script

  1. Open the terminal in your Linux machine.
  2. Type cd $ICAROOT/util and press Enter to navigate to the Utilities directory of the installation package.
  3. Type ./workspacecheck.sh to run the script.

Out-of-support applications

Citrix does not offer support in the context of applications that are no longer supported by their vendors.

While attempting to address and resolve a reported issue, Citrix assesses whether the issue directly relates to an out-of-support application. To help in making that determination, Citrix might ask you to attempt to reproduce an issue using the supported version of the application. If the issue seems to be related to the out-of-support application, Citrix will not investigate the issue further.
