System requirements

Devices

  • Linux kernel version 2.6.29 or later, with glibcxx 3.4.15 or later, glibc 2.11.3 or later, gtk 2.20.1 or later, libcap1 or libcap2, and udev support.

  • For the self-service user interface (UI):

    • libwebkit or libwebkitgtk 1.0
    • libxml2 2.7.8
    • libxerces-c 3.1
  • ALSA (libasound2), Speex, and Vorbis codec libraries.

  • At least 55 MB of free disk space for the installed version of Citrix Workspace app, and at least 110 MB if you expand the installation package on the disk. You can check the available disk space by typing the following command in a terminal window:

     df -k
    
  • At least 1 GB RAM for system-on-a-chip (SoC) devices that use HDX MediaStream Flash Redirection.

  • 256 color video display or higher.

  • TCP/IP networking.

H.264

For x86 devices, processor speeds of at least 1.6 GHz display single-monitor sessions well at typical resolutions (for example, 1280 x 1024). If you use the HDX 3D Pro feature, a native hardware accelerated graphics driver and a minimum processor speed of 2 GHz are required.

For ARM devices, a hardware H.264 decoder is required for both general H.264 support and HDX 3D Pro. Performance also benefits from faster processor clock speeds.

HDX MediaStream Flash Redirection

For all HDX MediaStream Flash Redirection requirements, see CTX134786.

Citrix recommends testing with the latest plug-in before deploying a new version to take advantage of the latest functionality and security-related fixes.

Customer Experience Improvement Program (CEIP) integration

To ensure that CEIP works properly, the following libraries are required:

  • zlib 1.2.3.3
  • libtar 1.2 and above
  • libjson 7.6.1 or any latest version

HDX RealTime Webcam Video Compression

HDX RealTime Webcam Video Compression requires:

  • A Video4Linux compatible Webcam
  • GStreamer 0.10.25 (or a later 0.10.x version), including the distribution’s “plugins-good” package.

    Or

    GStreamer 1.0 (or a later 1.x version), including the distribution’s “plugins-base,” “plugins-good,” “plugins-bad,” “plugins-ugly,” and “gstreamer-libav” packages.

HDX MediaStream Windows Media Redirection

HDX MediaStream Windows Media Redirection requires:

  • GStreamer 0.10.25 (or a later 0.10.x version), including the distribution’s “plugins-good” package. In general, version 0.10.15 or later is sufficient for HDX MediaStream Windows Media Redirection.

    Or

    GStreamer 1.0 (or a later 1.x version), including the distribution’s “plugins-base,” “plugins-good,” “plugins-bad,” “plugins-ugly,” and “gstreamer-libav” packages.

    Note: If GStreamer is not included in your Linux distribution, you can download it from http://gstreamer.freedesktop.org. Use of certain codecs (for example, those in “plugins-ugly”) might require a license from the manufacturer of that technology. Consult with your corporate legal department to determine whether the codecs you plan to use require extra licenses.

Browser content redirection

Browser content redirection requires:

  • Linux operating system webkit2gtk version 2.16.6 and glibcxx 3.4.20 or later.

Philips SpeechMike

If you plan to use Philips SpeechMike devices with Citrix Workspace App, you might need to install the relevant drivers on the user device. Visit the Philips web site for information and software downloads.

Smart card support

To configure smart card support in Citrix Workspace app for Linux, you must have the StoreFront services site configured to allow smart card authentication.

Note: Smart cards are not supported with the Citrix Virtual Apps Services site for Web Interface configurations (formerly known as Program Neighborhood Agent), or with the “legacy PNAgent” site that can be provided by a StoreFront server.

Citrix Workspace app for Linux supports smart card readers that are compatible with PCSC-Lite and smart cards with PKCS#11 drivers for the appropriate Linux platform. By default, Citrix Workspace app for Linux now locates opensc-pkcs11.so in one of the standard locations. To ensure that Citrix Workspace app for Linux finds either opensc-pkcs11.so in a non-standard location or another PKCS#11 driver, store the location in a configuration file using the following steps:

  1. Locate the configuration file: $ICAROOT/config/AuthManConfig.xml

  2. Locate the line <key>PKCS11module</key> and add the driver location to the <value> element immediately following the line.

    Note: If you enter a file name for the driver location, Citrix Workspace app navigates to that file in the $ICAROOT/PKCS#11 directory. Alternatively, you can use an absolute path beginning with “/”.

To configure the behavior of Citrix Workspace app for Linux when a smart card is removed, update SmartCardRemovalAction in the configuration file using the following steps:

  1. Locate the configuration file: $ICAROOT/config/AuthManConfig.xml
  2. Locate the line <key>SmartCardRemovalAction</key> and add ‘noaction’ or ‘forcelogoff’ to the <value> element immediately following the line.

The default behavior is ‘noaction’: when the smart card is removed, no action is taken to clear the stored credentials or the tokens generated for that smart card. The ‘forcelogoff’ action clears all credentials and tokens within StoreFront when the smart card is removed.
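The following audit of the two settings above is an added example, not Citrix code. It reads the <key>/<value> pairs, resolves the PKCS#11 module location as the note describes, and reports the removal action in effect. The sample XML and its <config> wrapper are constructed, and the names read_settings and audit and the /opt/Citrix/ICAClient fallback are assumptions.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample; the <config> wrapper element is an assumption, only the
# <key>/<value> pairs are described on the page.
SAMPLE = """<config>
  <key>PKCS11module</key>
  <value>vendor-pkcs11.so</value>
  <key>SmartCardRemovalAction</key>
  <value>noaction</value>
</config>"""

def read_settings(xml_text):
    """Pair each <key> with the <value> element immediately following it."""
    elems = list(ET.fromstring(xml_text).iter())
    return {(k.text or "").strip(): (v.text or "").strip()
            for k, v in zip(elems, elems[1:])
            if k.tag == "key" and v.tag == "value"}

def audit(xml_text, icaroot):
    """Report the effective module path and card-removal behaviour."""
    settings = read_settings(xml_text)
    findings = []
    module = settings.get("PKCS11module", "")
    if module and not module.startswith("/"):
        # A bare file name is looked up in the $ICAROOT/PKCS#11 directory.
        module = os.path.join(icaroot, "PKCS#11", module)
    # An empty value leaves the documented default, 'noaction', in effect.
    action = settings.get("SmartCardRemovalAction", "") or "noaction"
    if action not in ("noaction", "forcelogoff"):
        findings.append(f"unknown SmartCardRemovalAction '{action}'")
    elif action == "noaction":
        findings.append("noaction: credentials and tokens remain after card removal")
    # module None means the standard opensc-pkcs11.so locations are searched.
    return {"module": module or None, "removal_action": action, "findings": findings}

if __name__ == "__main__":
    # /opt/Citrix/ICAClient is an assumed install root; use your own $ICAROOT.
    print(audit(SAMPLE, os.environ.get("ICAROOT", "/opt/Citrix/ICAClient")))
```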

Citrix Servers

  • Citrix Virtual Apps: All versions currently supported by Citrix. For more information, see the Citrix product matrix.

  • Citrix Virtual Apps and Desktops: All versions currently supported by Citrix. For more information, see the Citrix product matrix.

  • VDI-in-a-Box: All versions currently supported by Citrix. For more information, see the Citrix product matrix.

  • You can use Citrix Workspace app for Linux 13.5 or later browser-based access with StoreFront Citrix Workspace app for Web and Web Interface, with or without the Citrix Gateway plug-in.

    StoreFront:

    • StoreFront 3.x, 2.6, 2.5 and 2.1

      Provides direct access to StoreFront stores.

    • StoreFront configured with a Citrix Workspace app for Web site

      Provides access to StoreFront stores from a web browser. For the limitations of this deployment, refer to “Important considerations” in Citrix Workspace app for Web sites.

    Web Interface with the NetScaler VPN client:

    • Web Interface 5.4 for Windows web sites.

      Provides access to virtual desktops and apps from a web browser.

    • Web Interface 5.4 for Linux with Citrix Virtual Apps Services or Citrix Virtual Desktops Services sites

  • Ways to deploy Citrix Workspace app to users:

    • Enable users to download from Citrix Workspace App, then configure using an email or services address with StoreFront.
    • Offer to install from Citrix Workspace app for Web site (configured with StoreFront).
    • Offer to install Citrix Workspace app from Citrix Web Interface 5.4.

Browser

Previously, the browser plug-in provided along with Citrix Workspace app for Linux enabled users to launch published desktops and applications. This plug-in was based on the Netscape Plugin Application Programming Interface (NPAPI).

Mozilla Corporation has announced that NPAPI support is deprecated as of version 52 of the Firefox browser. Other browsers, too, have deprecated support for NPAPI.

Introducing Workspace launcher

Citrix is introducing Workspace launcher (WebHelper) as a solution to deprecated NPAPI support. To enable this feature, configure StoreFront to send requests to Workspace launcher in order to detect the Citrix Workspace app installation.

For information about configuring StoreFront, see Solution – 2 > a) Administrator configuration in Knowledge Center article CTX237727.

Note:

Citrix Workspace launcher currently works only with direct connections to StoreFront. It is not supported in other cases such as connections through Citrix Gateway.

Connectivity

Citrix Workspace app for Linux supports HTTPS and ICA-over-TLS connections through any one of the following configurations.

  • For LAN connections:

    • StoreFront using StoreFront services or Citrix Workspace app for Web sites
    • Web Interface 5.4 for Windows, using Web Interface or Citrix Virtual Apps Services sites
  • For secure remote or local connections:

    • Citrix Gateway 12.0
    • Citrix Gateway 11.1
    • Citrix Gateway 11.0
    • Citrix Gateway 10.5
    • Citrix Gateway 10.1
    • Citrix Access Gateway Enterprise Edition 10
    • Citrix Access Gateway Enterprise Edition 9.x
    • Citrix Access Gateway VPX

    For information about the Citrix Gateway and Access Gateway versions supported by StoreFront, see System requirements of StoreFront.

Note: References to Citrix Gateway in this topic also apply to Access Gateway, unless otherwise indicated.

About secure connections and certificates

Note: For additional information about security certificates, refer to topics under Authentication and Secure communications.

Private (self-signed) certificates

If a private certificate is installed on the remote gateway, the root certificate for the organization’s certificate authority must be installed on the user device to access Citrix resources using Citrix Workspace app.

Note: If the remote gateway’s certificate cannot be verified upon connection (because the root certificate is not included in the local key store), an untrusted certificate error appears. The root certificate must be installed in the client’s certificate store.

Installing root certificates on user devices

For information about installing root certificates on user devices as well as configuring Web Interface for certificate use, see Secure Citrix Workspace app communication.

Wildcard certificates

Wildcard certificates are used in place of individual server certificates for any server within the same domain. Citrix Workspace app for Linux supports wildcard certificates; however, they should only be used in accordance with your organization’s security policy. In practice, alternatives to wildcard certificates, such as a certificate containing the list of server names within the Subject Alternative Name (SAN) extension, could be considered. Such certificates can be issued by both private and public certificate authorities.

Intermediate certificates and the Citrix Gateway

If your certificate chain includes an intermediate certificate, the intermediate certificate must be appended to the Citrix Gateway server certificate. For information, see Configuring Intermediate Certificates.

Joint Server Certificate Validation Policy

Citrix Workspace app for Linux has a stricter validation policy for server certificates.

Important

Before installing this version of Citrix Workspace app for Linux, confirm that the certificates at the server or gateway are correctly configured as described here. Connections may fail if:

  • the server or gateway configuration includes a wrong root certificate
  • the server or gateway configuration does not include all intermediate certificates
  • the server or gateway configuration includes an expired or otherwise invalid intermediate certificate
  • the server or gateway configuration includes a cross-signed intermediate certificate

When validating a server certificate, Citrix Workspace app for Linux now uses all the certificates supplied by the server (or gateway). As in previous Citrix Workspace app for Linux releases, it then also checks that the certificates are trusted. If the certificates are not all trusted, the connection fails.

This policy is stricter than the certificate policy in web browsers. Many web browsers include a large set of root certificates that they trust.

The server (or gateway) must be configured with the correct set of certificates. An incorrect set of certificates might cause Citrix Workspace app for Linux’s connection to fail.

Suppose that a gateway is configured with these valid certificates. This configuration is recommended for customers who require stricter validation, by determining exactly which root certificate is used by Citrix Workspace app for Linux:

  • “Example Server Certificate”

  • “Example Intermediate Certificate”

  • “Example Root Certificate”

Then, Citrix Workspace app for Linux checks that all these certificates are valid. Citrix Workspace app for Linux also checks that it already trusts “Example Root Certificate.” If Citrix Workspace app for Linux does not trust “Example Root Certificate,” the connection fails.

Important

  • Some certificate authorities have more than one root certificate. If you require this stricter validation, make sure that your configuration uses the appropriate root certificate. For example, there are currently two certificates (“DigiCert”/“GTE CyberTrust Global Root” and “DigiCert Baltimore Root”/“Baltimore CyberTrust Root”) that can validate the same server certificates. On some user devices, both root certificates are available. On other devices, only one is available (“DigiCert Baltimore Root”/“Baltimore CyberTrust Root”). If you configure “GTE CyberTrust Global Root” at the gateway, Citrix Workspace app for Linux connections on those user devices will fail. Consult the certificate authority’s documentation to determine which root certificate should be used. Also note that root certificates eventually expire, as do all certificates.
  • Some servers and gateways never send the root certificate, even if configured. Stricter validation is then not possible.

Now suppose that a gateway is configured with these valid certificates. This configuration, omitting the root certificate, is normally recommended:

  • “Example Server Certificate”

  • “Example Intermediate Certificate”

Then, Citrix Workspace app for Linux uses these two certificates. It then searches for a root certificate on the user device. If it finds one that validates correctly, and is also trusted (such as “Example Root Certificate”), the connection succeeds. Otherwise, the connection fails. This configuration supplies the intermediate certificate that Citrix Workspace app for Linux needs, but also allows Citrix Workspace app for Linux to choose any valid, trusted, root certificate.

Now suppose that a gateway is configured with these certificates:

  • “Example Server Certificate”

  • “Example Intermediate Certificate”

  • “Wrong Root Certificate”

A web browser may ignore the wrong root certificate. However, Citrix Workspace app for Linux will not ignore the wrong root certificate, and the connection will fail.

Some certificate authorities use more than one intermediate certificate. In this case, the gateway is normally configured with all the intermediate certificates (but not the root certificate) such as:

  • “Example Server Certificate”

  • “Example Intermediate Certificate 1”

  • “Example Intermediate Certificate 2”

Important

  • Some certificate authorities use a cross-signed intermediate certificate. This is intended for situations where there is more than one root certificate, and an earlier root certificate is still in use at the same time as a later root certificate. In this case, there will be at least two intermediate certificates. For example, the earlier root certificate “Class 3 Public Primary Certification Authority” has the corresponding cross-signed intermediate certificate “VeriSign Class 3 Public Primary Certification Authority - G5.” However, a corresponding later root certificate “VeriSign Class 3 Public Primary Certification Authority - G5” is also available, which replaces “Class 3 Public Primary Certification Authority.” The later root certificate does not use a cross-signed intermediate certificate.
  • The cross-signed intermediate certificate and the root certificate have the same Subject name (Issued To). But the cross-signed intermediate certificate has a different Issuer name (Issued By). This distinguishes the cross-signed intermediate certificate from an ordinary intermediate certificate (such as “Example Intermediate Certificate 2”).

This configuration, omitting the root certificate and the cross-signed intermediate certificate, is normally recommended:

  • “Example Server Certificate”

  • “Example Intermediate Certificate”

Avoid configuring the gateway to use the cross-signed intermediate certificate, as it selects the earlier root certificate:

  • “Example Server Certificate”

  • “Example Intermediate Certificate”

  • “Example Cross-signed Intermediate Certificate” [not recommended]

It is not recommended to configure the gateway with only the server certificate:

  • “Example Server Certificate”

In this case, if Citrix Workspace app for Linux cannot locate all the intermediate certificates, the connection fails.
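The gateway configurations walked through above can be checked before deployment with a small lint over the Subject and Issuer names of the certificates the gateway sends. This is an added example, not Citrix code. It compares names only, with no signature or expiry validation. Cert, lint_chain, the sample data and the name “Earlier Root Certificate” are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str  # "Issued To", e.g. from: openssl x509 -noout -subject
    issuer: str   # "Issued By", e.g. from: openssl x509 -noout -issuer

def lint_chain(presented, device_roots):
    """presented: certificates the gateway sends, server certificate first.
    device_roots: Subject names of root certificates trusted on the user device.
    Returns (verdict, findings); names only, no signature or expiry checks."""
    if not presented:
        return "fail", ["fail: no certificates presented"]
    findings = []
    # Each certificate must be issued by the one that follows it.
    for cur, nxt in zip(presented, presented[1:]):
        if cur.issuer != nxt.subject:
            findings.append(f"fail: '{nxt.subject}' is not the issuer of '{cur.subject}'")
    for cert in presented[1:]:
        self_signed = cert.subject == cert.issuer
        if self_signed and cert.subject not in device_roots:
            findings.append(f"fail: root '{cert.subject}' is not trusted on the device")
        elif not self_signed and cert.subject in device_roots:
            # Same Subject as a root but a different Issuer: cross-signed.
            findings.append(f"warn: '{cert.subject}' is cross-signed by '{cert.issuer}'")
    last = presented[-1]
    if last.subject != last.issuer and last.issuer not in device_roots:
        if len(presented) == 1:
            findings.append(f"warn: server certificate only; the device must locate '{last.issuer}'")
        else:
            findings.append(f"fail: no trusted root '{last.issuer}' on the device")
    if any(f.startswith("fail") for f in findings):
        return "fail", findings
    return ("warn" if findings else "ok"), findings

# Constructed sample data using the page's example names.
SERVER = Cert("Example Server Certificate", "Example Intermediate Certificate")
INTER = Cert("Example Intermediate Certificate", "Example Root Certificate")
ROOT = Cert("Example Root Certificate", "Example Root Certificate")
WRONG = Cert("Wrong Root Certificate", "Wrong Root Certificate")
CROSS = Cert("Example Root Certificate", "Earlier Root Certificate")
DEVICE_ROOTS = {"Example Root Certificate"}

if __name__ == "__main__":
    for chain in ([SERVER, INTER], [SERVER, INTER, ROOT], [SERVER, INTER, WRONG],
                  [SERVER, INTER, CROSS], [SERVER]):
        print(lint_chain(chain, DEVICE_ROOTS))
```

Run it against the set of root names present on the least-provisioned class of user device, since a chain that passes on one device can fail on another that lacks the same root.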

User requirements

Although you do not need to log on as a privileged (root) user to install the Citrix Workspace app for Linux, USB support is enabled only if you are logged on as a privileged user when installing and configuring Workspace app. Installations performed by non-privileged users will, however, enable users to access published resources using either StoreFront through one of the supported browsers or using Workspace app’s native UI.

Check whether your device meets the system requirements

Citrix provides a script, hdxcheck.sh, as part of the Citrix Workspace App installation package. The script checks whether your device meets all of the system requirements to benefit from all of the functionality in Workspace app for Linux. The script is located in the Utilities directory of the installation package.

To run the hdxcheck.sh script

  1. Open a terminal window.
  2. Type cd $ICAROOT/util and press ENTER to navigate to the Utilities directory of the installation package.
  3. Type ./hdxcheck.sh to run the script.