Product Documentation

System requirements

Jun 20, 2018


  • Linux kernel version 2.6.29 or later, with glibcxx 3.4.15 or later, glibc 2.11.3 or later, gtk 2.20.1 or later, libcap1 or libcap2, and udev support. 
  • For the self-service user interface (UI):
    • libwebkit or libwebkitgtk 1.0
    • libxml2 2.7.8
    • libxerces-c 3.1
  • ALSA (libasound2), Speex, and Vorbis codec libraries.
  • At least 55 MB of free disk space for the installed version of Receiver. And at least 110 MB if you expand the installation package on the disk. You can check the available disk space by typing the following command in a terminal window:
    df -k
  • At least 1 GB RAM for system-on-a-chip (SoC) devices that use HDX MediaStream Flash Redirection.
  • 256 color video display or higher.
  • TCP/IP networking.


For x86 devices, processor speeds of at least 1.6 GHz display single-monitor sessions well at typical resolutions (for example, 1280 x 1024). If you use the HDX 3D Pro feature, a native hardware accelerated graphics driver and a minimum processor speed of 2 GHz are required.

For ARM devices, a hardware H.264 decoder is required for both general H.264 support and HDX 3D Pro. Performance also benefits from faster processor clock speeds.

HDX MediaStream Flash Redirection

For all HDX MediaStream Flash Redirection requirements, see CTX134786.

Citrix recommends testing with the latest plug-in before deploying a new version to take advantage of the latest functionality and security-related fixes.

Customer Experience Improvement Program (CEIP) integration

To ensure that CEIP works properly, the following libraries are required:

  • zlib
  • libtar 1.2 and above
  • libjson 7.6.1 or any latest version

HDX RealTime Webcam Video Compression

HDX RealTime Webcam Video Compression requires:
  • A Video4Linux compatible Webcam
  • GStreamer 0.10.25 (or a later 0.10.x version), including the distribution's "plugins-good" package.
    Or GStreamer 1.0 (or a later 1.x version), including the distribution's “plugins-base,” “plugins-good,” “plugins-bad,” “plugins-ugly,” and “gstreamer-libav” packages.

HDX MediaStream Windows Media Redirection

HDX MediaStream Windows Media Redirection requires:
  • GStreamer 0.10.25 (or a later 0.10.x version), including the distribution's "plugins-good" package. In general, version 0.10.15 or later is sufficient for HDX MediaStream Windows Media Redirection.
    Or GStreamer 1.0 (or a later 1.x version), including the distribution's “plugins-base,” “plugins-good,” “plugins-bad,” “plugins-ugly,” and “gstreamer-libav” packages.
Note: If GStreamer is not included in your Linux distribution, you can download it from Use of certain codes (for example, those in "plugins-ugly") might require a license from the manufacturer of that technology. Consult with your corporate legal department to determine whether the codes you plan to use require extra licenses.

Browser content redirection

Browser content redirection requires:
  • Linux operating system webkit2gtk version 2.16.6 and glibcxx 3.4.20 or later.

Philips SpeechMike

If you plan to use Philips SpeechMike devices with Receiver, you might need to install the relevant drivers on the user device. Visit the Philips web site for information and software downloads.

Smart card support

To configure smart card support in Citrix Receiver for Linux, you must have the StoreFront services site configured to allow smart card authentication.



Note: Smart cards are not supported with the XenApp Services site for Web Interface configurations (formerly known as Program Neighborhood Agent), or with the "legacy PNAgent" site that can be provided by a StoreFront server.


Citrix Receiver for Linux supports smart card readers that are compatible with PCSC-Lite and smart cards with PKCS#11 drivers for the appropriate Linux platform. By default, Receiver for Linux now locates in one of the standard locations. To ensure that Receiver for Linux finds either in a non-standard location or another PKCS#11 driver, store the location in a configuration file using the following steps:

  1. Locate the configuration file: $ICAROOT/config/AuthManConfig.xml
  2. Locate the line <key>PKCS11module</key> and add the driver location to the <value> element immediately following the line.

    Note: If you enter a file name for the driver location, Receiver navigates to that file in the$ICAROOT/PKCS#11 directory. Alternatively, you can use an absolute path beginning with "/."

To configure the behavior of Citrix Receiver for Linux when a smart card is removed, update SmartCardRemovalAction in the configuration file using the following steps:

  1. Locate the configuration file: $ICAROOT/config/AuthManConfig.xml
  2. Locate the line <key>SmartCardRemovalAction</key> and add 'noaction' or 'forcelogoff' to the<value> element immediately following the line.

The default behavior is 'noaction'. No action is taken to clear credentials stored and tokens generated with regards to the smart card on the removal on the smart card. The 'forcelogoff' action clears all credentials and tokens within StoreFront on the removal of the smart card.

Citrix Servers

  • XenApp: All versions currently supported by Citrix. For more information, see the Citrix product matrix.
  • XenDesktop: All versions currently supported by Citrix. For more information, see the Citrix product matrix.
  • VDI-in-a-Box: All versions currently supported by Citrix. For more information, see the Citrix product matrix.
  • You can use Citrix Receiver for Linux 13.5 or later browser-based access with StoreFront Receiver for Web and Web Interface, with - or without - the NetScaler Gateway plug-in.


    • StoreFront 3.x, 2.6, 2.5 and 2.1

      Provides direct access to StoreFront stores.

    • StoreFront configured with a Citrix Receiver for Web site

      Provides access to StoreFront stores from a web browser. For the limitations of this deployment, refer to "Important considerations" in Receiver for Web sites.

    Web Interface with the NetScaler VPN client:

    • Web Interface 5.4 for Windows web sites.

      Provides access to virtual desktops and apps from a web browser.

    • Web Interface 5.4 for Linux with XenApp Services or XenDesktop Services sites
  • Ways to deploy Citrix Receiver to users:
    • Enable users to download from, then configure using an email or services address with StoreFront.
    • Offer to install from Citrix Receiver for Web site (configured with StoreFront).
    • Offer to install Receiver from Citrix Web Interface 5.4.


Citrix recommends that you use the latest version of Mozilla Firefox or Google Chrome.
Note: For information on changes to Google Chrome NPAPI support, see Citrix blog article, Preparing for NPAPI being disabled by Google Chrome.


Citrix Receiver for Linux supports HTTPS and ICA-over-TLS connections through any one of the following configurations.

  • For LAN connections:
    • StoreFront using StoreFront services or Citrix Receiver for Web sites
    • Web Interface 5.4 for Windows, using Web Interface or XenApp Services sites
  • For secure remote or local connections:
    • Citrix NetScaler Gateway 12.0
    • Citrix NetScaler Gateway 11.1
    • Citrix NetScaler Gateway 11.0
    • Citrix NetScaler Gateway 10.5
    • Citrix NetScaler Gateway 10.1
    • Citrix Access Gateway Enterprise Edition 10
    • Citrix Access Gateway Enterprise Edition 9.x
    • Citrix Access Gateway VPX

    For information about the NetScaler Gateway and Access Gateway versions supported by StoreFront, see System requirements of StoreFront.

Note: References to NetScaler Gateway in this topic also apply to Access Gateway, unless otherwise indicated.

About secure connections and certificates

Note: For additional information about security certificates, refer to topics under Secure connections and Secure communications.

Private (self-signed) certificates

If a private certificate is installed on the remote gateway, the root certificate for the organization's certificate authority must be installed on the user device to access Citrix resources using Receiver.

Note: If the remote gateway's certificate cannot be verified upon connection (because the root certificate is not included in the local key store), an untrusted certificate error appears. The root certificate must be installed in the client's certificate store.

Installing root certificates on user devices

For information about installing root certificates on user devices as well as configuring Web Interface for certificate use, see Secure Receiver communication.

Wildcard certificates

Wildcard certificates are used in place of individual server certificates for any server within the same domain. Citrix Receiver for Linux supports wildcard certificates, however they should only be used in accordance with your organization's security policy. In practice, alternatives to wildcard certificates, such as a certificate containing the list of server names within the Subject Alternative Name (SAN) extension, could be considered. Such certificates can be issued by both private and public certificate authorities.

Intermediate certificates and the NetScaler Gateway

If your certificate chain includes an intermediate certificate, the intermediate certificate must be appended to the NetScaler Gateway server certificate. For information, see Configuring Intermediate Certificates.

Joint Server Certificate Validation Policy

Citrix Receiver for Linux has a stricter validation policy for server certificates.


Before installing this version of Citrix Receiver for Linux, confirm that the certificates at the server or gateway are correctly configured as described here. Connections may fail if:

- the server or gateway configuration includes a wrong root certificate
- the server or gateway configuration does not include all intermediate certificates
- the server or gateway configuration includes an expired or otherwise invalid intermediate certificate
- the server or gateway configuration includes a cross-signed intermediate certificate

When validating a server certificate, Citrix Receiver for Linux now uses all the certificates supplied by the server (or gateway) when validating the server certificate. As in previous Citrix Receiver for Linux releases, it then also checks that the certificates are trusted. If the certificates are not all trusted, the connection fails.

This policy is stricter than the certificate policy in web browsers. Many web browsers include a large set of root certificates that they trust.

The server (or gateway) must be configured with the correct set of certificates. An incorrect set of certificates might cause Citrix Receiver for Linux's connection to fail.

Suppose that a gateway is configured with these valid certificates. This configuration is recommended for customers who require stricter validation, by determining exactly which root certificate is used by Citrix Receiver for Linux:

- "Example Server Certificate"
- "Example Intermediate Certificate"
- "Example Root Certificate"

Then, Citrix Receiver for Linux checks that all these certificates are valid. Citrix Receiver for Linux also checks that it already trusts "Example Root Certificate." If Citrix Receiver for Linux does not trust "Example Root Certificate," the connection fails.


Some certificate authorities have more than one root certificate. If you require this stricter validation, make sure that your configuration uses the appropriate root certificate. For example, there are currently two certificates ("DigiCert"/"GTE CyberTrust Global Root," and "DigiCert Baltimore Root"/"Baltimore CyberTrust Root") that can validate the same server certificates. On some user devices, both root certificates are available. On other devices, only one is available ("DigiCert Baltimore Root"/"Baltimore CyberTrust Root"). If you configure "GTE CyberTrust Global Root" at the gateway, Citrix Receiver for Linux connections on those user devices will fail. Consult the certificate authority's documentation to determine which root certificate should be used. Also note that root certificates eventually expire, as do all certificates.


Some servers and gateways never send the root certificate, even if configured. Stricter validation is then not possible.

Now suppose that a gateway is configured with these valid certificates. This configuration, omitting the root certificate, is normally recommended:

- "Example Server Certificate"
- "Example Intermediate Certificate"

Then, Citrix Receiver for Linux uses these two certificates. It then searches for a root certificate on the user device. If it finds one that validates correctly, and is also trusted (such as "Example Root Certificate"), the connection succeeds. Otherwise, the connection fails. This configuration supplies the intermediate certificate that Citrix Receiver for Linux needs, but also allows Citrix Receiver for Linux to choose any valid, trusted, root certificate.

Now suppose that a gateway is configured with these certificates:

- "Example Server Certificate"
- "Example Intermediate Certificate"
- "Wrong Root Certificate"

A web browser may ignore the wrong root certificate. However, Citrix Receiver for Linux will not ignore the wrong root certificate, and the connection will fail.

Some certificate authorities use more than one intermediate certificate. In this case, the gateway is normally configured with all the intermediate certificates (but not the root certificate) such as:

- "Example Server Certificate"
- "Example Intermediate Certificate 1"
- "Example Intermediate Certificate 2"


Some certificate authorities use a cross-signed intermediate certificate. This is intended for situations there is more than one root certificate, and an earlier root certificate is still in use at the same time as a later root certificate. In this case, there will be at least two intermediate certificates. For example, the earlier root certificate “Class 3 Public Primary Certification Authority” has the corresponding cross-signed intermediate certificate “VeriSign Class 3 Public Primary Certification Authority - G5.” However, a corresponding later root certificate “VeriSign Class 3 Public Primary Certification Authority - G5” is also available, which replaces “Class 3 Public Primary Certification Authority.” The later root certificate does not use a cross-signed intermediate certificate.


The cross-signed intermediate certificate and the root certificate have the same Subject name (Issued To). But the cross-signed intermediate certificate has a different Issuer name (Issued By). This distinguishes the cross-signed intermediate certificate from an ordinary intermediate certificate (such "Example Intermediate Certificate 2").

This configuration, omitting the root certificate and the cross-signed intermediate certificate, is normally recommended:

- "Example Server Certificate"
- "Example Intermediate Certificate"

Avoid configuring the gateway to use the cross-signed intermediate certificate, as it selects the earlier root certificate:

- "Example Server Certificate"
- "Example Intermediate Certificate"
- “Example Cross-signed Intermediate Certificate” [not recommended]

It is not recommended to configure the gateway with only the server certificate:

- "Example Server Certificate"

In this case, if Citrix Receiver for Linux cannot locate all the intermediate certificates, the connection fails.

User requirements

Although you do not need to log on as a privileged (root) user to install the Citrix Receiver for Linux, USB support is enabled only if you are logged on as a privileged user when installing and configuring Receiver. Installations performed by non-privileged users will, however, enable users to access published resources using either StoreFront through one of the supported browsers or using Receiver's native UI.

Check whether your device meets the system requirements

Citrix provides a script,, as part of the Receiver installation package. The script checks whether your device meets all of the system requirements to benefit from all of the functionality in Receiver for Linux. The script is located in the Utilities directory of the installation package.

To run the script
  1. Open a terminal window.
  2. Type cd $ICAROOT/util and press ENTER to navigate to the Utilities directory of the installation package.
  3. Type ./ to run the script.