Aggregate on-premises virtual apps and desktops in workspaces
You can add your site (Virtual Apps and Desktops deployment) to Citrix Workspace to make your existing apps and desktops available to subscribers. After adding your site, subscribers can access all their virtual apps and desktops alongside Files and other resources, when they sign in to their workspace. This process is known as site aggregation.
Site aggregation is available in all Citrix Workspace editions. For more information about the features included in each Workspace edition, see the Citrix Workspace Feature Matrix.
Site aggregation is supported for on-premises deployments of the following Citrix products:
- Virtual Apps and Desktops 7 1808 or later
- XenApp and XenDesktop 7.0 through 7.18
- XenApp 6.5
On-premises sites running older versions of XenApp or XenApp and XenDesktop aren’t supported for use with Citrix Workspace.
XenApp and XenDesktop 7.x includes versions that are End of Life (EoL). XenApp and XenDesktop releases before 7.14 reached EoL in June 30, 2018. Support for site aggregation with EoL versions of XenApp and XenDesktop 7.x depends on successful enumeration and launch of resources with your StoreFront deployment.
XenApp 6.5 reached EoL in June 30, 2018. Support for site aggregation with EoL versions of XenApp depends on successful enumeration and launch of resources in your StoreFront or Web Interface on-premises deployment.
To use site aggregation with an on-premises deployment that includes the Citrix Federated Authentication Service (FAS), your site must use one of the following Citrix product versions:
- Virtual Apps and Desktops 7 1808 or later
- XenApp and XenDesktop 7.16 through 7.18
Connecting to Citrix Cloud is required for using FAS with Citrix Workspace. Update your FAS servers to the latest version of the FAS software so that you can connect to Citrix Cloud. For more information, see Enable single sign-on for workspaces with Citrix Federated Authentication Service.
When you add your on-premises site to Citrix Workspace, the Add Site wizard guides you through the following tasks:
- Discover your site and select the resource location you want to use.
- Detect the Active Directory domains in which your Cloud Connectors are installed.
- Specify the connectivity that you want to use between Citrix Cloud and your site.
The resource location specifies the domain and connectivity method for all users who access your site. During this process, Citrix Cloud tests connectivity to verify that your site is reachable from Cloud Connectors. Citrix Cloud then displays a list of your resource locations. If you have resource locations with no Cloud Connectors installed, download and install the required software.
For XenApp 6.5, Citrix Cloud also detects if there are any published applications assigned to local user accounts on XenApp servers. To use Citrix Workspace, application users must authenticate with Active Directory. Citrix Cloud provides a list of local user accounts detected so you can check that they can authenticate to Citrix Workspace.
For external connectivity, you can use your own Citrix Gateway or use the Citrix Gateway service. To only allow users on the same network as your site to access applications, specify internal-only access.
Cloud Connectors allow Citrix Cloud to locate and communicate with your site. For minimal interruption, Citrix recommends installing Cloud Connectors before adding your site to Citrix Workspace.
For high availability, Citrix recommends at least two (2) servers on which to install Citrix Cloud Connector software. These servers must:
- Meet the system requirements described in Cloud Connector Technical Details.
- Have no other Citrix components installed.
- Not be an Active Directory domain controller.
- Not be a machine that is critical to your resource location infrastructure.
- Be joined to your site domain. If users access your site’s applications in multiple domains, install at least two Cloud Connectors in each domain.
- Connect to a network that can contact your site.
- Connect to the Internet. For more information, see System and Connectivity Requirements.
For more information about installing Cloud Connectors, see Cloud Connector Installation.
Web proxy configuration
If you have a web proxy in your environment, check that the Cloud Connectors can validate connectivity to the XML Service in your site. Add each XML server within the site to the bypass proxy list on each Cloud Connector. Don’t use wildcards or IP addresses because the Cloud Connector supports handling FQDNs only.
- Add the XML servers to the bypass proxy list:
- On the Cloud Connector, select Start and then type Internet Options.
- Select the Connections tab and then select LAN Settings.
- Under Proxy server, select Advanced.
- Under Exceptions, add the FQDN of each XML server in your site using lowercase letters. If these entries use mixed-case or uppercase letters, site aggregation might fail. For more information, see CTX272160 in the Citrix Support Knowledge Center.
- Import the list so that the Cloud Connector services can consume them. At the command prompt, type
netsh winhttp import proxy source=ie.
- From the Services console, restart all Citrix Cloud services on each machine hosting the Cloud Connector or restart each machine.
Site aggregation supports sites that use an on-premises Active Directory.
Azure Active Directory configuration
To add sites using Azure Active Directory to Citrix Workspace, configure your site to trust XML Service requests. For detailed instructions, refer to the following articles:
- For XenApp and XenDesktop 7.x and Virtual Apps and Desktops 7 1808, see CTX236929.
- For XenApp 6.5, see Configuring the Citrix XML Service Port and Trust.
If you use Azure Active Directory, Okta, SAML, or other federated identity provider with workspaces and site aggregation, users are prompted to authenticate to each application they launch.
FAS provides a single sign-on (SSO) experience for launching resources using federated authentication. To enable SSO for subscribers, register one or more FAS servers with the same resource location that you configured for adding your site.
Active Directory trusts
If you have separate user and resource forests in Active Directory, you must have Cloud Connectors installed in each forest before you add your on-premises site. Citrix Cloud detects these forests during the site discovery process through the Cloud Connectors. You can then use the forests’ users and resources to create workspaces for your users.
When adding your site, you can’t use separate user and resource forests when you define the resource location. Because Cloud Connectors don’t participate in any cross-forest trusts that might be established, Citrix Cloud can’t discover your site through the Cloud Connectors in these forests. You can use these forests when you define a secondary resource location that provides a different connectivity option for your users. For more information, see Add IP ranges for different connectivity options.
Untrusted forests aren’t supported for site aggregation. Although Citrix Cloud and Citrix Workspace support users from untrusted forests, these users can’t use Citrix Workspace after an on-premises site is added through site aggregation. Only users located in the forests that the site trusts can sign in and use Citrix Workspace. If users from an untrusted forest try to sign in to Citrix Workspace, they receive the error message, “Your logon has expired. Please log on again to continue.”
Internal and external connectivity to workspace resources
During the process of adding your site to Citrix Workspace, you can specify if you want to provide internal or external access to the resources available to users. If you intend to allow only internal users to access your site through Citrix Workspace, users must be on the same network as the site to access applications.
If you intend to allow external users to access these resources, you have the following options:
- Use your existing Citrix Gateway to handle the traffic between your on-premises site and Citrix Cloud. Your Citrix Gateway must be configured to use Cloud Connectors as the Secure Ticket Authority (STA) servers before you add your Site to Citrix Workspace. For instructions, see CTX232640.
- Use the Citrix Gateway service to allow Citrix to handle the traffic between your site and Citrix Cloud for you. You can activate a service trial and configure the service when you add your site. If you’ve already signed up for the Citrix Gateway service, Citrix Cloud detects your subscription when you select this option.
For Citrix Cloud to detect your Citrix Gateway service subscription, you must use the same OrgID you used when you signed up for the Citrix Gateway service. For more information about OrgIDs in Citrix Cloud, see What is an OrgID?
Credentials and ports for site discovery
During the process of adding your site to Citrix Workspace, Citrix Cloud discovers your site and checks that the Controller you specify is available. Before you add your on-premises site, check the following:
- You have Citrix administrator credentials with a minimum of Read Only permissions. During the site discovery process, Citrix Cloud prompts you to supply these credentials. Citrix Cloud doesn’t store these credentials or use them to change to your site.
- XenApp 6.5 only: Port 2513 on the XenApp server is accessible from the Cloud Connector machines in your environment. During the site discovery process, the Cloud Connectors contact the Citrix XenApp Remoting Service on the XenApp server that you specify. This service listens on port 2513. If this port is blocked, Citrix Cloud can’t discover your XenApp 6.5 deployment.
To enable site discovery without site credentials
XenApp and XenDesktop 7.x and Virtual Apps and Desktops 7 1808 only: If you don’t want to provide site credentials for security reasons, you can allow Citrix Cloud to discover your site without prompting for site credentials. Complete this task before you add your site to Citrix Workspace.
- Install at least two Cloud Connectors in your site’s domain.
- Create an Active Directory security group and add the Cloud Connectors in your domain to it.
- Restart the Cloud Connectors.
- In Studio, grant the security group Read Only permissions, at a minimum.
Task 1: Discover site
In this step, you provide the information that Citrix Cloud needs to locate your site and select your resource location. The resource location specifies the domain and connectivity option for all users who access your site. If you need to install Cloud Connectors in your site’s domain, you can do so now. If you already have Cloud Connectors installed, you can select them when prompted.
- From the Citrix Cloud menu, navigate to Workspace Configuration > Sites > Add Site.
Select the type of on-premises site you want to add and continue.
Citrix Cloud attempts to discover any resource locations and Cloud Connectors in your domain and displays a list for you to select from.
- Perform one of the following actions:
- If you have no Cloud Connectors installed in your site’s domain, select Install Connector. Citrix Cloud prompts you to download the Cloud Connector software and complete the installation wizard.
- If you have Cloud Connectors installed, Citrix Cloud displays the connectors in the domains in which they were detected. Select the resource location you want to add to Citrix Workspace. This resource location becomes the default resource location.
- If you have Cloud Connectors installed, but they aren’t displayed, select Detect.
- Select the resource location and Cloud Connector pair that you want to use to discover your site.
In Enter Server Address, add the IP address or FQDN of a Controller in the site, and select Discover
If using an FQDN, you must have a DNS record that points to the Delivery Controller that you want to discover.
XenApp 6.5 only: Enter the port for the XML Server. If the XML Server port uses SSL, select Use SSL.
For XenApp and XenDesktop 7.x sites, Citrix Cloud automatically discovers the XML server port.
If prompted, enter the Citrix Administrator credentials for the site.
Citrix Cloud tests connectivity to verify that your site is reachable. Discovery might take a few minutes to complete, depending on the type and size of the site.
- If a success message appears indicating that the site has been successfully discovered, select Continue.
Task 2: Verify Active Directory Connection
In Verify Active Directory Connection, Citrix Cloud displays the domains used with your site and whether there are Cloud Connectors installed in those domains.
For XenApp 6.5, Citrix Cloud also displays an alert if there are any local user accounts on the XenApp servers assigned to any applications.
If there are no Cloud Connectors in a domain, users in that domain can’t use Citrix Workspace to access the applications published there. If you only have one Cloud Connector in your domain, you have two options:
- Install more Cloud Connectors by selecting Install Connector.
- Continue without installing more Cloud Connectors by selecting I understand that high availability requires having two connectors installed in each domain.
XenApp 6.5: If there are local user accounts assigned to published applications, they must be assigned to applications using their Active Directory account. Otherwise, users can’t use Citrix Workspace to access their applications. Citrix Cloud provides a downloadable list in CSV format of the applications and the local user accounts assigned to them.
If you have local users assigned to applications in your site, select Download user list (.csv).
After verifying your Active Directory connection, select Continue.
Task 3: Configure connectivity
In this step, you specify whether you want to allow external or internal-only user access to your site through Citrix Workspace. Internal connectivity requires your users to be on the same network as your site and VDAs that host your published resources. For external connectivity, you can use your existing on-premises Citrix Gateway or you can use the cloud-hosted Citrix Gateway service.
Select one of the following options in Select connectivity type > Configure Connectivity:
- Add Existing Gateway: Select this option to use your existing Citrix Gateway to provide external access.
- Citrix Gateway service: Select this option to activate a service trial or to use your existing subscription with your site.
- Internal Only: Select this option if no other configuration is needed.
If Add Existing Gateway is selected, perform the following actions:
- Select Edit and enter the public URL of the Citrix Gateway.
- Verify that Citrix Gateway is configured to use your Cloud Connectors as the STA servers, described in CTX232640.
- Select Test STA and then, when the test is successful, Continue. If the test isn’t successful, refer to CTX232517 for troubleshooting.
If Citrix Gateway service is selected, but the service isn’t enabled for your Citrix Cloud account as a service trial or as a purchase, you can select Start a 60-day trial. Citrix Cloud enables the service as a trial for you. If the service was enabled at an earlier time, Citrix Cloud detects the service and displays any remaining trial days.
After completing the preceding tasks, select Continue.
Task 4: Confirm site aggregation
In this step, you confirm site aggregation, which involves reviewing the XML port, XML servers, Active Directory domains, and the connectivity type you chose earlier.
Citrix Cloud displays up to five XML servers it can connect to. If you have more than one XML server in your site but only one is shown, Citrix Cloud displays an alert. To troubleshoot this issue, refer to CTX232516.
- In Confirm Site Aggregation, review the XML port, XML servers, Active Directory domains, and the connectivity type you chose earlier.
- Select Save and Finish. The Sites page displays your newly added site.
If you want to specify different XML servers, you can then edit your site to change these values after you select Save and Finish.
Task 5: Manage service integrations
After adding your first site, you must enable the Service Integration for Virtual Apps and Desktops on-premises sites, which is disabled by default. Subscribers can’t see resources from the site until you enable it.
- Navigate to Workspace Configuration > Service Intergrations > Virtual Apps and Desktops On-Premises Sites and select the ellipsis to open the site actions menu.
- Enable the service integration so that subscribers can sign in to their workspaces and see resources from the site.
Change your site configuration
Rediscover your site
If you add Delivery Controllers to your site or change XML ports, you can verify that your site is still reachable in Citrix Workspace with a rediscovery process.
- Navigate to Workspace Configuration > Sites, select the ellipsis for the site you want to update, and then select Edit Site.
- In Server Address, type the IP address or FQDN of a Delivery Controller in your site and select Rediscover.
Add or modify XML servers
When you add a site to Citrix Workspace, Citrix Cloud automatically detects XML servers in your site and displays up to five XML servers in your configuration. You can add and remove XML servers as needed from your site configuration up to the display limit of five XML servers.
To add an XML server
- Navigate to Workspace Configuration > Sites, select the ellipsis for the site you want to update and select Edit Site.
- In the XML Servers section, enter the XML server port and select Use SSL if needed.
- Select a connectivity method:
- Load balanced: This option allows Citrix Cloud to pick a random XML server from the list.
- Failover: This option allows Citrix Cloud to use the listed XML servers in the order that they appear in the list. Only the first XML service in the list is used for launch unless it becomes unavailable, then the second server is used. You can reorder the list by dragging and dropping each server.
- Select Save Changes.
If you experience an error when adding an XML server, refer to CTX232516 for troubleshooting steps.
Add IP ranges for different connectivity options
If you have VDAs or session hosts in different subnets, you can specify IP ranges with a different connectivity type for each one. Each IP range can also have a different resource location associated with it. For example, you might have one IP range for machines in the EU where users connect internally, one IP range for machines in the EU where users connect through your Citrix Gateway, and one IP range for machines in the US where users connect through the Citrix Gateway service.
- Navigate to Workspace Configuration > Sites, select the ellipsis button for the site you want to update, and select Edit Site.
- In the Connectivity section, select Add an IP range with a different connectivity option and enter an IP range in CIDR format.
To create a resource location for your IP range:
- Select Add a new Resource Location and enter a user-friendly name.
- In Select your connectivity, select whether you want to provide internal-only access or allow external access using your Citrix Gateway or the Citrix Gateway service.
To assign an existing resource location to the IP range:
- Choose Select an existing resource location
- Select the resource location you want to use.
- If you choose a resource location with only one Cloud Connector installed, select I understand that high availability requires having two connectors are installed in a resource location.
- Select Add.
Add more Active Directory domains
If you install Cloud Connectors in more domains with Active Directory users in your site, you can check they’re added to your site configuration in Citrix Workspace.
- Navigate to Workspace Configuration > Sites, select the ellipsis for the site you want to update, and then select Edit Site.
- Under Active Directory, select Refresh.
If you no longer want to make your on-premises site available to users in Citrix Workspace, you can disable it. You can disable an individual on-premises site or all on-premises sites you’ve added to Citrix Workspace.
When sites are disabled, users can’t access the on-premises applications in those sites through Citrix Workspace. However, the configuration for those sites is preserved. If you re-enable a site later on, the site’s default resource location, domain, XML server, and connectivity settings are kept.
To disable an on-premises site
- Navigate to Workspace Configuration > Sites, select the ellipsis for the site you want to disable and then select Disable.
- A confirmation message appears. Select Disable again.
To disable all on-premises sites
To disable all sites on the Sites page, disable the workspace service integration for all Virtual Apps and Desktops on-premises sites. For instructions, see To disable workspace integration for a service.
To re-enable an individual on-premises site or to add another site later on, you must first re-enable the workspace service integration for all sites on the Service Integrations page.
Delete a site from Citrix Workspace
If you no longer want your on-premises site configuration in Citrix Workspace, you can delete the site. When you delete a site, only the configuration for the site in Citrix Workspace is removed. Citrix Cloud doesn’t change your site.
To delete a site, navigate to Workspace Configuration > Sites, select the ellipsis for the site you want to remove, and then select Delete.