Troubleshooting

Disconnected sessions

Users can disconnect (but not log off) from a Citrix Receiver session in the following ways:

  • While viewing a published app or desktop in session:
    • tap the arrow at the top of the screen to expose the in-session drop down menu.
    • tap the Home button to return to the launch pad.
    • notice the white shadow under the icon of one of the published apps that are still in an active session; tap the icon.
    • tap disconnect.
  • Close Citrix Receiver:
    • double tap the device’s Home button.
    • locate Receiver in the iOS app switcher view.
    • tap disconnect in the dialog that appears.
  • Pressing the home button on their mobile device.
  • Tapping Home or Switch in the app’s drop-down menu.

The session remains in a disconnected state. Although the user can reconnect at a later time, you can ensure disconnected sessions are rendered inactive after a specific interval. To do this, configure a session timeout for the ICA-tcp connection in Remote Desktop Session Host Configuration (formerly known as “Terminal Services Configuration”). For more information about configuring Remote Desktop Services (formerly known as “Terminal Services”), refer to the Microsoft Windows Server product documentation.

Issues with numeric keys in applications

If users have issues with numeric keys not working correctly in published applications, they can try disabling the Unicode keyboard in Citrix Receiver. To do this, from the Settings tab, tap Keyboard Options, and for Use Unicode Keyboard, toggle the switch to Off.

Loss of HDX audio quality from XenDesktop

From XenDesktop, HDX audio to Citrix Receiver for iOS might lose quality when using audio plus video. This issue occurs when the XenDesktop HDX policies cannot handle the amount of audio data with the video data. For suggestions about how to create policies to improve audio quality, see Knowledge Center article CTX123543.

Demonstration accounts available from the Citrix Cloud

Users who do not currently have an account can create a demonstration user account at the Citrix Cloud demo site at http://cloud.citrix.com/.

The Citrix Cloud offers users the ability to experience the power of Citrix solutions without having to set up and configure their own environment. The Citrix Cloud demo environment uses a number of key Citrix solutions including XenServer, XenApp, NetScaler, and Access Gateway.

However, in this demo environment, data is not saved, and when you disconnect, you might not be able to get back to your session.

Expired passwords

Citrix Receiver supports the ability for users to change their expired passwords. Prompts appear for users to enter the required information.

Slow connections

If you experience slow connections to the XenApp Services site, or issues such as missing application icons or “Protocol Driver Error” messages, as a workaround, on the XenApp server and Citrix Secure Gateway or Web Interface server, disable the following Citrix PV Ethernet Adapter Properties for the network interface (all enabled by default):

  • Large Send Offload
  • Offload IP Checksum
  • Offload TCP Checksum
  • Offload UDP Checksum

No server restart is needed. This workaround applies to Windows Server 2003 and 2008 32-bit. Windows Server 2008 R2 is not affected by this issue.

Applications might open in different sessions

This server-side issue can occur even when application sharing is enabled. This is an intermittent issue, and there is no workaround.

App Switcher not working

Apps must be published by the IT administrator on the same server. Otherwise, app switching will not work.

Blocking jailbroken devices from running applications from StoreFront

Your users can compromise the security of your deployment by connecting with jailbroken iOS devices. Jailbroken devices are those whose owners have modified them, usually with the effect of bypassing certain security protections.

When Citrix Receiver detects a jailbroken iOS device, Citrix Receiver displays an alert to the user. To further help to secure your environment, you can configure StoreFront or Web Interface to help to prevent detected jailbroken devices from running apps.

Requirements

  • Citrix Receiver for iOS 6.1 or later
  • StoreFront 3.0 or Web Interface 5.4 or later
  • Access to StoreFront or Web Interface through an administrator account

To help to prevent detected jailbroken devices from running apps

  1. Log onto your StoreFront or Web Interface server as a user who has administrator privileges.

  2. Find the file default.ica, which is in one of the following locations:

    • C:\inetpub\wwwroot\Citrix\storename\conf (Microsoft Internet Information Services)
    • C:\inetpub\wwwroot\Citrix\storename\App_Data (Microsoft Internet Information Services)
    • ./usr/local/tomcat/webapps/Citrix/XenApp/WEB-INF (Apache Tomcat)
  3. Under the section [Application], add the following: AllowJailBrokenDevices=OFF

  4. Save the file and restart your StoreFront or Web Interface server.

After you restart the StoreFront server, users who see the alert about jailbroken devices cannot launch apps from your StoreFront or Web Interface server.

To allow detected jailbroken devices to run apps

If you do not set AllowJailBrokenDevices, the default is to display the alert to users of jailbroken devices but still allow them to launch applications.

If you want to specifically allow your users to run applications on jailbroken devices:

  1. Log onto your StoreFront or Web Interface server as a user who has administrator privileges.

  2. Find the file default.ica, which is in one of the following locations:

    • C:\inetpub\wwwroot\Citrix\storename\conf (Microsoft Internet Information Services)
    • C:\inetpub\wwwroot\Citrix\storename\App_Data (Microsoft Internet Information Services)
    • ./usr/local/tomcat/webapps/Citrix/XenApp/WEB-INF (Apache Tomcat)
  3. Under the section [Application] add the following: AllowJailBrokenDevices=ON

  4. Save the file and restart your StoreFront or Web Interface server.

When you set AllowJailBrokenDevices to ON, your users see the alert about using a jailbroken device, but they can run applications through StoreFront or Web Interface.
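To confirm which behaviour a store is actually configured for after either procedure above, the setting can be read back from default.ica. The script below is an added example, not part of the Citrix documentation or product; the function name `jailbreak_policy`, the case-insensitive matching of section and key names, and the sample file contents are assumptions made for illustration.

```python
# Added example: report the effective jailbreak policy of a default.ica file.
import sys
from pathlib import Path

KEY = "allowjailbrokendevices"  # compared case-insensitively (assumption)

def jailbreak_policy(ica_text):
    """Return (policy, notes) for the contents of a default.ica file.

    "block"     AllowJailBrokenDevices=OFF under [Application]
    "allow"     AllowJailBrokenDevices=ON under [Application]
    "warn-only" key not set there (the page's default: alert, still launch)
    "unknown"   key set to something other than ON or OFF
    """
    section, value, notes = None, None, []
    for lineno, raw in enumerate(ica_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, val = line.partition("=")
        # Commented-out lines such as ";AllowJailBrokenDevices=OFF" do not match.
        if not sep or name.strip().lower() != KEY:
            continue
        if section == "application":
            value = val.strip().upper()
        else:
            # The page places the key under [Application]; flag it anywhere else.
            notes.append(f"line {lineno}: key is outside [Application]")
    if value is None:
        return "warn-only", notes
    policy = {"OFF": "block", "ON": "allow"}.get(value, "unknown")
    return policy, notes

# Constructed sample files (not taken from a real deployment).
SAMPLE_BLOCK = "[WFClient]\nVersion=2\n\n[Application]\nAllowJailBrokenDevices=OFF\n"
SAMPLE_MISPLACED = "[WFClient]\nAllowJailBrokenDevices=OFF\n\n[Application]\n"
SAMPLE_ALLOW = "[Application]\nallowjailbrokendevices = on\n"

if __name__ == "__main__":
    # Usage: python audit_ica.py <path to default.ica> [...]
    for path in sys.argv[1:]:
        policy, notes = jailbreak_policy(Path(path).read_text(errors="replace"))
        print(f"{path}: {policy}", *notes, sep="\n  ")
```

A result of "warn-only" on a store that is meant to block jailbroken devices means the key is missing or sits in the wrong section.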

Securing Citrix Receiver for iOS communications

To secure the communication between your server farm and Citrix Receiver for iOS, you can integrate your connections to the server farm with a range of security technologies, including Citrix NetScaler Gateway.

Note:

Citrix recommends using NetScaler Gateway to secure communications between StoreFront servers and users’ devices.

  • A SOCKS proxy server or secure proxy server (also known as security proxy server, HTTPS proxy server). You can use proxy servers to limit access to and from your network and to handle connections between Citrix Receiver and servers. Citrix Receiver for iOS supports SOCKS and secure proxy protocols.
  • Secure Gateway. You can use Secure Gateway with the Web Interface to provide a single, secure, encrypted point of access through the Internet to servers on internal corporate networks.
  • SSL Relay solutions with Transport Layer Security (TLS) protocols
  • A firewall. Network firewalls can allow or block packets based on the destination address and port. If you are using Citrix Receiver for iOS through a network firewall that maps the server’s internal network IP address to an external Internet address (that is, network address translation, or NAT), configure the external address.

About certificates

Private (Self-signed) certificates

If a private certificate is installed on the remote gateway, the root certificate for the organization’s certificate authority must be installed on the user device to successfully access Citrix resources using Citrix Receiver for iOS.

Note:

If the remote gateway’s certificate cannot be verified upon connection (because the root certificate is not included in the iOS keystore), an untrusted certificate warning appears. If a user chooses to continue through the warning, a list of applications is displayed; however, applications fail to launch.

Importing root certificates on Citrix Receiver for iOS devices

Obtain the certificate issuer’s root certificate and email it to an account configured on your device. When clicking the attachment, you are asked to import the root certificate.

Wildcard certificates

Wildcard certificates are used in place of individual server certificates for any server within the same domain. Citrix Receiver for iOS supports wildcard certificates.

Intermediate certificates with NetScaler Gateway

If your certificate chain includes an intermediate certificate, the intermediate certificate must be mapped to the NetScaler Gateway server certificate. For information on this task, see NetScaler Gateway documentation. For more information about installing and linking an intermediate certificate with Primary CA on a NetScaler Gateway appliance, refer to the article How to Install and Link Intermediate Certificate with Primary CA on NetScaler Gateway.

Joint Server Certificate Validation Policy

Releases of Citrix Receiver for iOS 7.5 and later introduce a new, stricter, validation policy for server certificates.

Important

Before installing Citrix Receiver for iOS, confirm that the certificates at the server or gateway are correctly configured as described here. Connections may fail if:

  • the server or gateway configuration includes a wrong root certificate
  • the server or gateway configuration does not include all intermediate certificates
  • the server or gateway configuration includes an expired or otherwise invalid intermediate certificate
  • the server or gateway configuration includes a cross-signed intermediate certificate

When validating a server certificate, Citrix Receiver for iOS now uses all the certificates supplied by the server (or gateway). As in previous releases, Citrix Receiver for iOS then also checks that the certificates are trusted. If the certificates are not all trusted, the connection fails.

This policy is stricter than the certificate policy in web browsers. Many web browsers include a large set of root certificates that they trust.

The server (or gateway) must be configured with the correct set of certificates. An incorrect set of certificates might cause Citrix Receiver for iOS connections to fail.

Suppose a gateway is configured with these valid certificates. This configuration is recommended for customers who require stricter validation, by determining exactly which root certificate is used by Citrix Receiver for iOS:

  • “Example Server Certificate”
  • “Example Intermediate Certificate”
  • “Example Root Certificate”

Then, Citrix Receiver for iOS will check that all these certificates are valid. Citrix Receiver for iOS will also check that it already trusts “Example Root Certificate”. If Citrix Receiver for iOS does not trust “Example Root Certificate”, the connection fails.

Important

Some certificate authorities have more than one root certificate. If you require this stricter validation, make sure that your configuration uses the appropriate root certificate. For example, there are currently two certificates (“DigiCert”/“GTE CyberTrust Global Root”, and “DigiCert Baltimore Root”/“Baltimore CyberTrust Root”) that can validate the same server certificates. On some user devices, both root certificates are available. On other devices, only one is available (“DigiCert Baltimore Root”/“Baltimore CyberTrust Root”). If you configure “GTE CyberTrust Global Root” at the gateway, Citrix Receiver for Mac connections on those user devices will fail. Consult the certificate authority’s documentation to determine which root certificate should be used. Also note that root certificates eventually expire, as do all certificates.

Note:

Then, Citrix Receiver for iOS will use these two certificates. It will then search for a root certificate on the user device. If it finds one that validates correctly, and is also trusted (such as “Example Root Certificate”), the connection succeeds. Otherwise, the connection fails. Note that this configuration supplies the intermediate certificate that Citrix Receiver for iOS needs, but also allows Citrix Receiver for iOS to choose any valid, trusted, root certificate.

Now suppose a gateway is configured with these certificates:

  • “Example Server Certificate”
  • “Example Intermediate Certificate”
  • “Wrong Root Certificate”

A web browser may ignore the wrong root certificate. However, Citrix Receiver for iOS will not ignore the wrong root certificate, and the connection will fail.

Some certificate authorities use more than one intermediate certificate. In this case, the gateway is normally configured with all the intermediate certificates (but not the root certificate) such as:

  • “Example Server Certificate”
  • “Example Intermediate Certificate 1”
  • “Example Intermediate Certificate 2”

Important

Some certificate authorities use a cross-signed intermediate certificate. This is intended for situations where there is more than one root certificate, and an earlier root certificate is still in use at the same time as a later root certificate. In this case, there will be at least two intermediate certificates. For example, the earlier root certificate “Class 3 Public Primary Certification Authority” has the corresponding cross-signed intermediate certificate “VeriSign Class 3 Public Primary Certification Authority - G5”. However, a corresponding later root certificate “VeriSign Class 3 Public Primary Certification Authority - G5” is also available, which replaces “Class 3 Public Primary Certification Authority”. The later root certificate does not use a cross-signed intermediate certificate.

Note

The cross-signed intermediate certificate and the root certificate have the same Subject name (Issued To), but the cross-signed intermediate certificate has a different Issuer name (Issued By). This distinguishes the cross-signed intermediate certificate from an ordinary intermediate certificate (such as “Example Intermediate Certificate 2”).

This configuration, omitting the root certificate and the cross-signed intermediate certificate, is normally recommended:

  • “Example Server Certificate”
  • “Example Intermediate Certificate”

Avoid configuring the gateway to use the cross-signed intermediate certificate, as Citrix Receiver for iOS will select the earlier root certificate:

  • “Example Server Certificate”
  • “Example Intermediate Certificate”
  • “Example Cross-signed Intermediate Certificate” [not recommended]

It is not recommended to configure the gateway with only the server certificate:

  • “Example Server Certificate”

In this case, if Citrix Receiver for iOS cannot locate all the intermediate certificates, the connection will fail.
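The gateway configurations discussed in this section can be checked against the stated rules before rollout. The linter below is an added example, not Citrix code: it models the rules using Subject and Issuer names only (real validation also verifies signatures), and `Cert`, `lint_gateway_chain`, the sample dates and the name “Earlier Root Certificate” are hypothetical.

```python
# Added example: a name-based model of the gateway chain rules described above.
# Real validation also verifies signatures; this only lints the configuration.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str      # "Issued To"
    issuer: str       # "Issued By"
    not_after: date

def lint_gateway_chain(chain, device_roots, today):
    """chain: certificates configured at the gateway, server certificate first.
    device_roots: Subject names of the roots the user device trusts.
    Returns (verdict, findings); verdict is "ok", "not recommended" or "fail"."""
    if not chain:
        return "fail", ["no certificates configured"]
    fails, warns = [], []
    for cert in chain:
        if cert.not_after < today:
            fails.append(f"{cert.subject}: expired")
    # Every supplied certificate is used, so each must issue the one before it.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            fails.append(f"{parent.subject}: does not issue {child.subject}")
    last = chain[-1]
    if last.subject == last.issuer:
        # A root is configured: the device must trust exactly this root.
        if last.subject not in device_roots:
            fails.append(f"{last.subject}: supplied root is not trusted")
    elif last.issuer not in device_roots:
        fails.append(f"{last.subject}: no trusted root issues it "
                     "(missing intermediate or unknown CA)")
    # Cross-signed intermediate: same Subject as a root, different Issuer.
    for cert in chain[1:]:
        if cert.subject != cert.issuer and cert.subject in device_roots:
            warns.append(f"{cert.subject}: cross-signed intermediate, omit it")
    verdict = "fail" if fails else "not recommended" if warns else "ok"
    return verdict, fails + warns

# Constructed sample data using the page's placeholder names.
# "Earlier Root Certificate" is a hypothetical name for the older root.
FAR = date(2035, 1, 1)
SERVER = Cert("Example Server Certificate", "Example Intermediate Certificate", FAR)
INTER = Cert("Example Intermediate Certificate", "Example Root Certificate", FAR)
ROOT = Cert("Example Root Certificate", "Example Root Certificate", FAR)
WRONG = Cert("Wrong Root Certificate", "Wrong Root Certificate", FAR)
CROSS = Cert("Example Root Certificate", "Earlier Root Certificate", FAR)
DEVICE_ROOTS = {"Example Root Certificate", "Earlier Root Certificate"}
TODAY = date(2025, 1, 1)

if __name__ == "__main__":
    for chain in ([SERVER, INTER, ROOT], [SERVER, INTER], [SERVER, INTER, WRONG],
                  [SERVER, INTER, CROSS], [SERVER]):
        print(len(chain), *lint_gateway_chain(chain, DEVICE_ROOTS, TODAY))
```

In this model the device holds only root certificates, so the server-certificate-only configuration is reported as a failure; on a real device it fails only when the intermediates cannot be located.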

Connecting with NetScaler Gateway

To enable remote users to connect to your XenMobile deployment through NetScaler Gateway, you can configure certificates to work with StoreFront. The method for enabling access depends on the edition of XenMobile in your deployment.

If you deploy XenMobile in your network, allow connections from internal or remote users to StoreFront through NetScaler Gateway by integrating NetScaler Gateway with StoreFront. This deployment allows users to connect to StoreFront to access published applications from XenApp and virtual desktops from XenDesktop. Users connect through Citrix Receiver.

Connecting with the Secure Gateway

This topic applies only to deployments using the Web Interface.

You can use the Secure Gateway in either Normal mode or Relay mode to provide a secure channel for communication between Citrix Receiver for iOS and the server. No configuration of Citrix Receiver for iOS is required if you are using the Secure Gateway in Normal mode and users are connecting through the Web Interface.

Citrix Receiver for iOS uses settings that are configured remotely on the Web Interface server to connect to servers running the Secure Gateway.

If the Secure Gateway Proxy is installed on a server in the secure network, you can use the Secure Gateway Proxy in Relay mode. If you are using Relay mode, the Secure Gateway server functions as a proxy and you must configure Citrix Receiver for iOS to use:

  • The fully qualified domain name (FQDN) of the Secure Gateway server.
  • The port number of the Secure Gateway server. Note that Relay mode is not supported by Secure Gateway Version 2.0.

The FQDN must list, in sequence, the following three components:

  • Host name
  • Intermediate domain
  • Top-level domain

For example, my_computer.example.com is a FQDN, because it lists, in sequence, a host name (my_computer), an intermediate domain (example), and a top-level domain (com). The combination of intermediate and top-level domain (example.com) is generally referred to as the domain name.

Connecting through a proxy server

Proxy servers are used to limit access to and from your network, and to handle connections between Citrix Receiver for iOS and servers. Citrix Receiver for iOS supports both SOCKS and secure proxy protocols.

When communicating with the XenApp or XenDesktop server, Citrix Receiver for iOS uses proxy server settings that are configured remotely on the Web Interface server.

When communicating with the Web server, Citrix Receiver for iOS uses the proxy server settings that are configured for the default Web browser on the user device. You must configure the proxy server settings for the default Web browser on the user device accordingly.

Connecting through a firewall

Network firewalls can allow or block packets based on the destination address and port. If you are using a firewall in your deployment, Citrix Receiver for iOS must be able to communicate through the firewall with both the Web server and Citrix server. The firewall must permit HTTP traffic (often over the standard HTTP port 80 or 443 if a secure Web server is in use) for user device to Web server communication. For Receiver to Citrix server communication, the firewall must permit inbound ICA traffic on ports 1494 and 2598.

If the firewall is configured for Network Address Translation (NAT), you can use the Web Interface to define mappings from internal addresses to external addresses and ports. For example, if your XenApp or XenDesktop server is not configured with an alternate address, you can configure the Web Interface to provide an alternate address to Citrix Receiver for iOS. Citrix Receiver for iOS then connects to the server using the external address and port number.

Connecting using TLS

Citrix Receiver for iOS 7.2.2 and later supports TLS 1.0, 1.1 and 1.2 with the following cipher suites for TLS connections to XenApp/XenDesktop:

  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

Note:

Citrix Receiver for iOS running on iOS 9 and later does not support the following TLS cipher suites:

  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_RC4_128_MD5

Transport Layer Security (TLS) is the latest, standardized version of the SSL protocol. The Internet Engineering Task Force (IETF) renamed it TLS when it took over responsibility for the development of SSL as an open standard.

TLS secures data communications by providing server authentication, encryption of the data stream, and message integrity checks. Some organizations, including U.S. government organizations, require the use of TLS to secure data communications. These organizations may also require the use of validated cryptography, such as Federal Information Processing Standard (FIPS) 140. FIPS 140 is a standard for cryptography.

Citrix Receiver for iOS supports RSA keys of 1024, 2048, and 3072-bit lengths. Root certificates with RSA keys of 4096-bit length are also supported.

Note:

Citrix Receiver for iOS uses platform (iOS) crypto for connections between Citrix Receiver for iOS and StoreFront.

Configuring and enabling Citrix Receiver for iOS for TLS

There are two main steps involved in setting up TLS:

  1. Set up SSL Relay on your XenApp or XenDesktop server and your Web Interface server and obtain and install the necessary server certificate. For more information, see the XenApp and Web Interface documentation.
  2. Install the equivalent root certificate on the user device.

Installing root certificates on user devices

To use TLS to secure communications between TLS-enabled Citrix Receiver for iOS and XenApp or XenDesktop, you need a root certificate on the user device that can verify the signature of the Certificate Authority on the server certificate.

iOS comes with about 100 commercial root certificates preinstalled, but if you want to use a different certificate, you can obtain one from the Certificate Authority and install it on each user device.

Depending on your organization’s policies and procedures, you may want to install the root certificate on each user device instead of directing users to install it. The easiest and safest way is to add root certificates to the iOS keychain.

To add a root certificate to the keychain

  1. Send yourself an email with the certificate file.
  2. Open the certificate file on the device. This automatically starts the Keychain Access application.
  3. Follow the prompts to add the certificate.
  4. Starting with iOS 10, verify that the certificate is trusted by going to iOS Settings > About > Certificate Trust Setting. Under Certificate Trust Settings, see the section “ENABLE FULL TRUST FOR ROOT CERTIFICATES.” Make sure that your certificate has been selected for full trust.

The root certificate is installed and can be used by TLS-enabled clients and by any other application using TLS.