Secure Workspace Access with Connector Appliance

This private technical preview enables you to use the Connector Appliance with Citrix Secure Workspace Access.

The following restrictions apply to this private technical preview:

  • We recommend that you install your Connector Appliances in a separate resource location from your Gateway Connectors. This configuration ensures separation between your technical preview connectors and your production connectors when handling traffic for Citrix Secure Workspace Access.

  • This technical preview enables the use of Kerberos Constrained Delegation (KCD) for authentication to Enterprise web apps. You can join an Active Directory (AD) forest to enable KCD.

    However, the ability to use this AD forest for identity requests and authentication is not provided in this private technical preview. To do so, contact Citrix to request access to another private technical preview that enables you to use these features.


  1. Install 2 or more Connector Appliances in an isolated Resource Location before requesting to enroll in this technical preview.

    For more information about setting up your Connector Appliances, see Connector Appliance for Cloud Services.

  2. Contact Citrix and request to enroll in this private technical preview.


    If you reinstall your Connector Appliances after enrolling in the private technical preview, you might have to request to be re-enrolled.

  3. Configure Kerberos Constrained Delegation (KCD):

    1. Join your Connector Appliance to an Active Directory domain.

      1. Connect to the Connector Appliance administration webpage in your browser by using the IP address provided in the Connector Appliance console.

      2. In the Active Directory domains section, click + Add Active Directory domain.

        If you don’t have an Active Directory domains section in your administration page, contact Citrix to request enrollment in the technical preview.

      3. Enter the domain name in the Domain Name field. Click Add.

      4. The Connector Appliance checks the domain. If the check is successful, the Join Active Directory dialog opens.

      5. Enter the user name and password of an Active Directory user that has join permission for this domain.

      6. The Connector Appliance suggests a machine name. You can choose to override the suggested name and provide your own machine name that is up to 15 characters in length. Make a note of the machine account name.

        This machine name is created in the Active Directory domain when the Connector Appliance joins it.

      7. Click Join.

    2. On your Active Directory controller, follow the instructions in Prerequisites to set up KCD in your data center before configuring KCD on Citrix Gateway Connector, starting from step 4.

      Use the machine account name instead of creating a new user account.
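
One way to check the outcome of step 3 from the domain side, as an added example that is not part of the Citrix documentation: the script reads the delegation settings of the machine account and reports anything outside the SPNs you intended to delegate to. It assumes the ActiveDirectory PowerShell module is available; `CONNAPP01`, the SPN and the function name `Test-KcdMachineAccount` are constructed placeholders.

```powershell
# Added example: audit delegation on the Connector Appliance machine account.
# Assumes the ActiveDirectory module (RSAT). All names below are placeholders.
Import-Module ActiveDirectory

$MachineName  = 'CONNAPP01'                        # placeholder: name noted when joining the domain
$ExpectedSpns = @('http/webapp.example.internal')  # placeholder: SPNs of your Enterprise web apps

function Test-KcdMachineAccount {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $AllowedSpns
    )
    $findings = @()

    # The join dialog accepts machine names of up to 15 characters.
    if ($Name.Length -gt 15) {
        $findings += "Machine name '$Name' is longer than 15 characters."
    }

    $computer = Get-ADComputer -Identity $Name -Properties `
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    # Unconstrained delegation is not what KCD configures; flag it if present.
    if ($computer.TrustedForDelegation) {
        $findings += 'Unconstrained delegation is enabled on the machine account.'
    }

    # Filter out null/empty values so an unset attribute counts as zero targets.
    $delegated = @($computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    if ($delegated.Count -eq 0) {
        $findings += 'No constrained delegation targets are configured.'
    }
    foreach ($spn in $delegated) {
        if ($AllowedSpns -notcontains $spn) { $findings += "Unexpected delegation target: $spn" }
    }
    foreach ($spn in $AllowedSpns) {
        if ($delegated -notcontains $spn) { $findings += "Expected delegation target missing: $spn" }
    }

    [pscustomobject]@{
        MachineAccount     = $computer.SamAccountName
        ProtocolTransition = [bool]$computer.TrustedToAuthForDelegation  # reported, not judged
        DelegationTargets  = $delegated
        Findings           = $findings
    }
}

Test-KcdMachineAccount -Name $MachineName -AllowedSpns $ExpectedSpns | Format-List
```

An empty `Findings` list means the account delegates only to the SPNs you listed. Run the check again after any reinstall or re-join of the appliance, since a new machine account starts with no delegation settings.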

Set up Secure Workspace Access

Follow the Citrix Secure Workspace Access documentation to set up the Citrix Secure Workspace Access service. During setup, Citrix Cloud recognizes the presence of your Connector Appliances and uses them to connect your resource location.

For more information, see the following webpages:

  1. Get started with Citrix Secure Workspace Access
  2. Configure Citrix Secure Workspace Access

    Where this article refers to information about the Cloud Connector (prerequisite #4), instead see the Connector Appliance documentation:

  3. Support for Enterprise web apps