Configuration

May 29, 2018

Configure your environment

Citrix Receiver for iOS supports the configuration of Web Interface for your XenApp deployment. There are two types of Web Interface sites: XenApp Services (formerly Program Neighborhood Services) sites and XenApp and XenDesktop Sites. Web Interface sites enable client devices to connect to the server farm. Authentication between Citrix Receiver and a Web Interface site can be handled using various solutions, including Citrix Access Gateway and Citrix Secure Gateway.

Also, you can configure StoreFront to provide authentication and resource delivery services for Citrix Receiver, enabling you to create centralized enterprise stores to deliver desktops, applications, and other resources to users.

For more information about configuring connections, including videos, blogs, and a support forum, see http://community.citrix.com.

Before your users access applications hosted in your XenApp or XenDesktop deployment, configure the following components in your deployment as described here.

  • When publishing applications on your farms or sites, consider the following options to enhance the experience for users accessing those applications through StoreFront stores.

    • Ensure that you include meaningful descriptions for published applications because these descriptions are visible to users in Citrix Receiver.
    • You can emphasize published applications for your mobile device users by listing the applications in the Featured list of Citrix Receiver. To populate this list on Citrix Receiver, edit the properties of applications published on your servers and append the KEYWORDS:Featured string to the value of the Application description field.
    • To enable the screen-to-fit mode that adjusts the application to the screen size of mobile devices, edit the properties of applications published on your servers and append the KEYWORDS:mobile string to the value of the Application description field. This keyword also activates the auto-scroll feature for the application.
    • To automatically subscribe all users of a store to an application, append the KEYWORDS:Auto string to the description you provide when you publish the application in XenApp. When users log on to the store, the application is automatically provisioned without users needing to manually subscribe to the application.
  • If the Web Interface of your XenApp or XenDesktop deployment does not have a Web site or XenApp and XenDesktop Site, create one. The name of the site and how you create it depends on the version of the Web Interface you have installed. For instructions on how to create one of these sites, see the “Creating Sites” topic for your version of the Web Interface.

Configure StoreFront

Important:

  • When using StoreFront, Citrix Receiver supports Citrix Access Gateway Enterprise Edition versions from 9.3, and NetScaler Gateway versions through 12.
  • Citrix Receiver for iOS supports only XenApp Services sites on Web Interface.
  • Citrix Receiver for iOS supports launching sessions from Receiver for Web, as long as the web browser works with Receiver for Web. If launches do not occur, configure your account through Citrix Receiver for iOS directly. Users must manually open the ICA file using the browser Open in Receiver function. For the limitations of this deployment, see the StoreFront documentation.

With StoreFront, the stores you create consist of services that provide authentication and resource delivery infrastructure for Citrix Receiver. Create stores that enumerate and aggregate desktops and applications from XenDesktop sites and XenApp farms, making these resources available to users.

  1. Install and configure StoreFront. For details, see StoreFront in the Technologies > StoreFront section of Product Documentation. For administrators who need more control, Citrix provides a template you can use to create a download site for Citrix Receiver for iOS.
  2. Configure stores for StoreFront as you would for other XenApp and XenDesktop applications. No special configuration is needed for mobile devices. For details, see User Access Options in the StoreFront section of Product Documentation. For mobile devices, use one of these methods:
    • Provisioning files. You can provide users with provisioning files (.cr) containing connection details for their stores. After installation, users open the file on the device to configure Citrix Receiver automatically. By default, Receiver for Web sites offer users a provisioning file for the single store for which the site is configured. Alternatively, you can use the Citrix StoreFront management console to generate provisioning files for single or multiple stores that you can manually distribute to your users.
    • Manual configuration. You can directly inform users of the Access Gateway or store URLs needed to access their desktops and applications. For connections through Access Gateway, users also need to know the product edition and required authentication method. After installation, users type these details into Citrix Receiver, which attempts to verify the connection and, if successful, prompts users to log on.
    • Automatic configuration. Tap Add Account on the Welcome screen and type the URL of the StoreFront server in the address field. The configuration of the account happens automatically while the account is added.

To configure Access Gateway and NetScaler Gateway

If you have users who connect from outside the internal network (for example, users who connect from the internet or from remote locations), configure authentication through Access Gateway or NetScaler Gateway.

  • When using StoreFront, Citrix Receiver supports Citrix Access Gateway Enterprise Edition versions from 9.3, and NetScaler Gateway versions through 12.
  • For details, see your version of Access Gateway or NetScaler Gateway in Product Documentation.

To configure Citrix Receiver to access apps

  1. If you want to configure Citrix Receiver to automatically access apps when creating an account, in the Address field, type the matching URL of your store, such as storefront.organization.com.
  2. Select the Use Smartcard option when you are using a smart card to authenticate.
  3. For manual configuration (accessible by tapping Options > Manual Setup), continue by completing the remaining fields and select the Access Gateway (or NetScaler Gateway) authentication method, such as enabling the security token, selecting the type of authentication, and saving the settings.

Note:

Logons to the store are valid for about one hour. After that time, users must log on again to refresh or launch other applications.

Configure client certificate authentication

Important:

  • When using StoreFront, Receiver supports Citrix Access Gateway Enterprise Edition versions from 9.3, and NetScaler Gateway versions through 11.
  • Client certificate authentication is supported by Receiver for iOS starting with version 5.5.
  • Only Access Gateway Enterprise Edition 9.x and 10.x (and subsequent releases) support client certificate authentication.
  • Double-source authentication types must be CERT and LDAP.
  • Citrix Receiver also supports optional client certificate authentication.
  • Only P12 formatted certificates are supported.

Users logging on to an Access Gateway (or NetScaler Gateway) virtual server can also be authenticated based on the attributes of the client certificate that is presented to the virtual server. Client certificate authentication can also be used with another authentication type, LDAP, to provide double-source authentication.

To authenticate users based on the client-side certificate attributes, client authentication should be enabled on the virtual server and the client certificate should be requested. You must bind a root certificate to the virtual server on Access Gateway.

When users log on to the Access Gateway virtual server, after authentication, the user name and domain information are extracted from the specified field of the certificate. This information must be in the certificate’s SubjectAltName:OtherName:MicrosoftUniversalPrincipalName field. It is in the format “username@domain.” If the user name and domain are extracted successfully, and the user provides the other required information (for example, a password), then the user is authenticated. If the user does not provide a valid certificate and credentials, or if the username/domain extraction fails, authentication fails.
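A pre-distribution check for the UPN requirement above, as an added example (not Citrix code, and not the gateway's own parsing): it walks the DER value of a certificate's subjectAltName extension, finds the otherName with the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3, and confirms the value has the username@domain form. Extracting the extension bytes from the P12 file is assumed to be done beforehand; `tlv` and `sample_san` are hypothetical helpers that build constructed sample data.

```python
# Added example: find the Microsoft UPN otherName in a DER subjectAltName value.
UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Return [(tag, value), ...] for the elements inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        out.append((tag, inner))
    return out


def extract_upn(san_der):
    """Return (user, domain) from the UPN otherName, or None if unusable."""
    tag, names, end = read_tlv(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("not a GeneralNames SEQUENCE")
    for tag, name in children(names):
        if tag != 0xA0:  # only [0] otherName; skip dNSName, rfc822Name, ...
            continue
        parts = children(name)
        if len(parts) != 2 or parts[0] != (0x06, UPN_OID):
            continue  # an otherName of some other type
        # parts[1] is the [0] EXPLICIT wrapper around a single UTF8String
        inner = children(parts[1][1]) if parts[1][0] == 0xA0 else []
        if len(inner) != 1 or inner[0][0] != 0x0C:
            return None
        try:
            upn = inner[0][1].decode("utf-8")
        except UnicodeDecodeError:
            return None
        user, _, domain = upn.partition("@")
        return (user, domain) if user and domain and "@" not in domain else None
    return None


def tlv(tag, value):
    """Encode a short-form DER element; used only to build sample data."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def sample_san(upn=None, dns="host.example.com"):
    """Constructed subjectAltName value: a dNSName plus an optional UPN."""
    names = tlv(0x82, dns.encode())
    if upn is not None:
        names += tlv(0xA0, tlv(0x06, UPN_OID) + tlv(0xA0, tlv(0x0C, upn.encode())))
    return tlv(0x30, names)
```

A `None` result means the certificate has no UPN that splits cleanly into a user name and a domain, which is the case the paragraph above describes as an extraction failure.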

If a user provides the user name and domain information rather than the certificate providing them (essentially a more secure paradigm), then remove the SubjectAltName:OtherName:MicrosoftUniversalPrincipalName field from the client certificate.

You can authenticate users based on the client certificate by setting the default authentication type to use the client certificate. You can also create a certificate action that defines what is to be done during the authentication based on a client SSL certificate.

To configure the XenApp Services site

If you do not already have a XenApp Services site created, in the XenApp console or Web Interface console (depending on the version of XenApp you have installed), create a XenApp Services site for mobile devices.

Citrix Receiver for mobile devices uses a XenApp Services site (formerly Program Neighborhood Agent site) to get information about the applications a user has rights to and presents them to the Receiver running on the device. This is similar to the way you use the Web Interface for traditional SSL-based XenApp connections for which an Access Gateway can be configured.

Configure the XenApp Services site for the Receiver for mobile devices to support connections from an Access Gateway connection.

  1. In the XenApp Services site, select Manage secure client access > Edit secure client access settings.
  2. Change the Access Method to Gateway Direct.
  3. Enter the FQDN of the Access Gateway appliance.
  4. Enter the Secure Ticket Authority (STA) information.

To configure the Access Gateway appliance

For client certificate authentication, configure the Access Gateway with two-factor authentication using two authentication policies: Cert and LDAP. For details, refer to your version of the Access Gateway Enterprise Edition (9.x only) or Access Gateway 10 in Product Documentation and search for the topic: Configuring Client Certificate Authentication.

  1. Create a session policy on the Access Gateway to allow incoming XenApp connections from the Receiver, and specify the location of your newly created XenApp Services site.
    • Create a session policy to identify that the connection is from the Receiver for mobile devices. As you create the session policy, configure the following expression and choose Match All Expressions as the operator for the expression:

      REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

    • In the associated profile configuration for the session policy, on the Security tab, set Default Authorization to Allow.

      On the Published Applications tab, if this is not a global setting (you selected the Override Global check box), ensure that the ICA Proxy field is set to ON.

      In the Web Interface Address field, type the URL including the config.xml for the XenApp Services site that the device users use, such as //XenAppServerName/Citrix/PNAgent/config.xml or /XenAppServerName/CustomPath/config.xml.

    • Bind the session policy to a virtual server.

    • Create authentication policies for Cert and LDAP.

    • Bind the authentication policies to the virtual server.

    • Configure the virtual server to request client certificates in the TLS handshake (on the Certificate tab, open SSL Parameters, and for Client Authentication, set Client Certificate to Mandatory). Important: If the server certificate used on the Access Gateway is part of a certificate chain (with an intermediate certificate), ensure that the intermediate certificates are also installed correctly on the Access Gateway. For information about installing certificates, see the Access Gateway documentation.

To configure the mobile device for Citrix Receiver

If client certificate authentication is enabled on Access Gateway, users are authenticated based on certain attributes of the client certificate. After authentication is completed successfully, the user name and domain are extracted from the certificate and any policies specified for that user are applied.

  1. From Citrix Receiver, open the Account, and in the Server field, type the matching FQDN of your Access Gateway server, such as GatewayClientCertificateServer.organization.com. Receiver automatically detects that the client certificate is required.
  2. Users can either install a new certificate or choose one from the already installed certificate list. For iOS client certificate authentication, the certificate must be downloaded and installed by the Receiver application only.
  3. After the user selects a valid certificate, the user name and domain fields on the logon screen are prepopulated using the user name information from the certificate, and the user types the remaining details, including the password.
  4. If client certificate authentication is set to optional, users can skip the certificate selection by pressing Back on the certificates page. In this case, Receiver proceeds with the connection and provides the user with the logon screen.
  5. After users complete the initial logon, they can start applications without providing the certificate again. Receiver stores the certificate for the account and uses it automatically for future logon requests.

Configure Secure Gateway

To configure the XenApp Services site

Important:

  • Secure Gateway 3.x is supported by Receiver for iOS using XenApp Services sites.
  • Secure Gateway 3.x is supported by Citrix Receiver for iOS using XenApp Web sites.
  • Only single-factor authentication is supported on XenApp Services sites, and both single-factor and dual factor are supported on XenApp Web sites.
  • You must use the Web Interface 5.4, which is supported by all built-in browsers.

Before beginning this configuration, install and configure the Secure Gateway to work with Web Interface. You can adapt these instructions to fit your specific environment.

If you are using a Secure Gateway connection, do not configure Citrix Access Gateway settings on the Receiver.

The Receiver for mobile devices uses a XenApp Services site (formerly Program Neighborhood Agent site) to get information about the applications a user has rights to and presents them to the Receiver running on the device. This is similar to the way you use the Web Interface for traditional SSL-based XenApp connections for which an Access Gateway can be configured. XenApp Services sites running on the Web Interface 5.x have this configuration ability built in.

Configure the XenApp Services site to support connections from a Secure Gateway connection:

  1. In the XenApp Services site, select Manage secure client access > Edit secure client access settings.
  2. Change the Access Method to Gateway Direct.
  3. Enter the FQDN of the Secure Gateway.
  4. Enter the Secure Ticket Authority (STA) information.

Note:

For the Secure Gateway, Citrix recommends using the Citrix default path for this site (//XenAppServerName/Citrix/PNAgent). The default path enables your users to specify the FQDN of the Secure Gateway they are connecting to instead of the full path to the config.xml file that resides on the XenApp Services site (such as //XenAppServerName/CustomPath/config.xml).

To configure the Secure Gateway

  1. On the Secure Gateway, use the Secure Gateway Configuration wizard to configure the Secure Gateway to work with the server in the secure network hosting the XenApp Services site. After selecting the Indirect option, enter the FQDN path of your Secure Gateway Server and continue the wizard steps.
  2. Test a connection from a user device to verify that the Secure Gateway is configured correctly for networking and certificate allocation.

To configure the mobile device for the Receiver application

  1. When adding a Secure Gateway account, enter the matching FQDN of your Secure Gateway server in the Address field:
    • If you created the XenApp Services site using the default path (/Citrix/PNAgent), enter the Secure Gateway FQDN: FQDNofSecureGateway.companyName.com
    • If you customized the path of the XenApp Services site, enter the full path of the config.xml file, such as: FQDNofSecureGateway.companyName.com/CustomPath/config.xml
  2. If you are manually configuring the account, then turn off the Access Gateway option in the New Account dialog.

Configure Web Interface

To configure the Web Interface site

Users with iPhone and iPad devices can launch applications through your Web Interface site and the built-in Safari browser on the mobile device. Configure the Web Interface site the same as you would for other XenApp applications. If no XenApp Services site is configured for the mobile device, Citrix Receiver automatically uses your Web Interface site. No special configuration is needed for mobile devices.

Web Interface 5.x is supported by the built-in Safari browser.

To launch applications on the iOS device

On the mobile device, users can log on to the Web Interface site using their normal logon and password.

Configure mobile devices automatically

In StoreFront, use the Export Multi-Store Provisioning File and Export Provisioning File tasks to generate files containing connection details for stores, including any NetScaler Gateway deployments and beacons configured for the stores. Make these files available to users to enable them to configure Citrix Receiver automatically with details of the stores. Users can also obtain Citrix Receiver provisioning files from Receiver for Web sites.

Important: In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.

  1. On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile. Select the Stores node in the left pane of the Citrix StoreFront management console.
  2. To generate a provisioning file containing details for multiple stores, in the Actions pane, click Export Multi-Store Provisioning File and select the stores to include in the file.
  3. Click Export and save the provisioning file with a .cr extension to a suitable location on your network.

Configure accounts manually

In general, when Receiver connects to an Access Gateway, Receiver attempts to locate a XenApp Services site or XenApp Web site after authenticating. If no site is detected, Receiver displays an error. To avoid this situation, you can configure an account manually so Receiver can connect to the Access Gateway.

  1. Tap the Accounts icon in the upper right corner and then in the Accounts screen, tap the Plus Sign (+). The New Account screen appears.
  2. In the lower left corner of the screen, tap the icon to the left of Options and tap Manual setup. Additional fields appear on the screen.
  3. In the Address field, type the secure URL of the site or Access Gateway to which you want to connect (for example, agee.mycompany.com).
  4. Select one of the following connection options. The remaining fields on the screen change, depending on your selection.
    • Web Interface - Select for Receiver to display a XenApp Web site similar to a Web browser. This is also known as Web View.
    • XenApp Services - Select for Receiver to locate a specific XenApp Services site for which authentication through Access Gateway is not configured. In the additional options that appear on this screen, provide site logon credentials.
      • <StoreFront FQDN>: If there are multiple stores, a list will be presented and the user can choose the store to add.
      • <StoreFront FQDN>/citrix/<Store Name>: This will add the StoreFront store <Store Name>.
      • <StoreFront FQDN>/citrix/PnAgent/config.xml: This will add the default legacy PNAgent store.
      • <StoreFront FQDN>/citrix/<Store Name>/PnAgent/config.xml: This will add the legacy PNAgent store associated with <Store Name>.
    • Access Gateway - Select for Receiver to connect to a XenApp Services site through a specific Access Gateway. In the additional options on this screen, select the server edition and its logon credentials, including whether it requires a security token for authentication.
  5. For certificate security, use the setting in the Ignore certificate warnings field to determine whether you want to connect to the server even if it has an invalid, self-signed, or expired certificate. The default setting is OFF. Important: If you do enable this option, make sure you are connecting to the correct server. Citrix strongly recommends that all servers have a valid certificate to protect user devices from online security attacks. A secure server uses an SSL certificate issued by a certificate authority. Citrix does not support self-signed certificates and does not recommend bypassing the certificate security.
  6. Tap Save.
  7. Type your user name and password (or token, if you selected two-factor authentication), and then tap Log On. The Citrix Receiver screen appears, in which you can access your desktops and add and open your apps.