Product Documentation


Aug 23, 2016

WorxWeb is a mobile web browser that provides secure access to internal and external sites. You can configure WorxWeb to be pushed to user devices automatically when the devices are enrolled in Worx Home, or users can add the app from the Worx Store.

You can download WorxWeb and other XenMobile components from

System Requirements for WorxWeb

WorxWeb is supported for any device that runs one of the following operating systems:

iOS: 8 - 10

Android: 4.4.x, 5.x, 6.x, and 7. Devices should have the latest version of Android WebView installed; users can download Android WebView from the Google Play Store.

Windows Phone: 8.1 - 10


Windows Phone 10 is currently supported for XenMobile 10 and 10.3 only.  It is not supported for XenMobile 10.1.  For XenMobile 9, you must install a patch for apps to work properly.  You can download the patch at XenMobile downloads page.

Citrix has tested WorxWeb on the following devices. Not all supported devices are listed.

  • iPhone 4s – iPhone 6 Plus
  • iPad 3
  • iPad Air 1 and 2
  • iPad mini 3 (touch ID)
  • Nexus
  • Samsung Note
  • Samsung Galaxy
  • Samsung Galaxy Tab
  • HTC One
  • Motorola
  • Nokia Lumia

What's New in WorxWeb

Arabic support. WorxWeb is now supported in Arabic.  

Integrating and Delivering WorxWeb

To integrate and deliver WorxWeb with XenMobile, follow these general steps:

  1. To enable SSO to the internal network, configure NetScaler Gateway.
    For HTTP traffic, NetScaler can provide SSO for all proxy authentication types supported by NetScaler. For HTTPS traffic, the Web password caching policy enables WorxWeb to authenticate and provide SSO to the proxy server through MDX. MDX supports basic, digest and NTLM proxy authentication only. The password is cached using MDX and stored in the Worx shared vault, a secure storage area for sensitive app data. For details about NetScaler Gateway configuration, see NetScaler Gateway.
  2. Download ( and wrap WorxWeb. For details, see About the MDX Toolkit.
  3. Determine how you want to configure user connections to the internal network. For details, see Configuring User Connections, next.
  4. Add WorxWeb to XenMobile, using the same steps as for other MDX apps, and configure MDX policies. For details about policies specific to WorxWeb, see About WorxWeb Policies.

Configuring User Connections

WorxWeb supports the following configurations for user connections:

  • Secure browse. Connections that tunnel to the internal network can use a variation of a clientless VPN, referred to as secure browse. This is the default configuration specified for the Preferred VPN mode policy. Secure browse is recommended for connections that require single sign-on (SSO).
  • Full VPN tunnel. Connections that tunnel to the internal network can use a full VPN tunnel, configured by the Preferred VPN mode policy. Full VPN tunnel is recommended for connections that use client certificates or end-to-end SSL to a resource in the internal network. Full VPN tunnel handles any protocol over TCP and can be used with Windows and Mac computers as well as iOS and Android devices.

The Permit VPN mode switching policy allows automatic switching between the full VPN tunnel and secure browse modes as needed. By default, this policy is off. When this policy is on, a network request that fails due to an authentication request that cannot be handled in the preferred VPN mode is retried in the alternate mode. For example, server challenges for client certificates can be accommodated by the full VPN tunnel mode, but not secure browse mode. Similarly, HTTP authentication challenges are more likely to be serviced with SSO when using secure browse mode.

  • Full VPN tunnel with PAC. You can use a Proxy Automatic Configuration (PAC) file with a full VPN tunnel deployment for iOS and Android devices. A PAC file contains rules that define how web browsers select a proxy to access a given URL. PAC file rules can specify handling for both internal and external sites. WorxWeb parses PAC file rules and send the proxy server information to NetScaler Gateway.
  • The full VPN tunneling performance when a PAC file is used is comparable to secure browse mode. For details about PAC configuration, see Full VPN Tunneling with PAC.

The following table summarizes the differences between the user connection configurations.

Secure Browse

Full VPN Tunnel

Full VPN Tunnel with PAC File

NetScaler provides SSO

For HTTP traffic, NetScaler can provide SSO for all proxy authentication types supported by NetScaler.

For HTTPS traffic, the Web password caching policy enables WorxWeb to authenticate and provide SSO to the proxy server through MDX. MDX supports basic, digest and NTLM proxy authentication only. The password is cached using MDX and stored in the Worx shared vault, a secure storage area for sensitive app data.

Proxies HTTP and HTTPS traffic

Proxies HTTP and HTTPS traffic

Proxies HTTP and HTTPS traffic

Tunnels all TCP and DNS traffic originating from WorxWeb for iOS and Android.

NetScaler Gateway replies to 401 and 407 responses

o    MDX replies to 401 responses for HTTPS traffic

o    NetScaler Gateway replies to 401 responses for HTTP traffic

o    NetScaler Gateway replies to 407 responses when a proxy server is configured

o    MDX replies to 401 responses for HTTPS traffic

o    NetScaler Gateway replies to 401 responses for HTTP traffic

o    NetScaler Gateway replies to 407 responses when a proxy server is configured. If NetScaler Gateway is unable to reply, it passes the request to MDX, which caches the credentials

Re-writes URLs

Intercepts sockets

No client certificate support for backend services

Provides client certificate validation

iOS and Android validate client certificates

NetScaler Gateway performs name resolution and relies on DNS suffixes for internal and external sites

DNS servers perform name resolution

HTTPS SSL handshake is between NetScaler Gateway and the backend server

HTTPS SSL handshake is between WorxWeb and the backend server

The following table notes whether WorxWeb prompts a user for credentials, based on the configuration and site type:

Connection mode

Site type

Password caching?

SSO configured for NetScaler Gateway?

WorxWeb prompts for credentials?

On first access of a website

On subsequent access of the website

After password change

Secure Browse







Secure Browse







Full VPN







Full VPN


Yes (1)


Yes (2)



(1)  If the WorxWeb MDX policy Enable web password caching is On.

(2)  Required to cache the credential in WorxWeb.

Full VPN Tunneling with PAC


If WorxWeb is configured with a PAC file and NetScaler is configured for proxy operation, WorxWeb will time out. You must remove NetScaler Gateway traffic policies configured for proxy before using full VPN tunneling with PAC.

When you configure WorxWeb for full VPN tunneling with your PAC file or proxy server, WorxWeb sends all traffic to the proxy through NetScaler Gateway, which then routes traffic according to the proxy configuration rules. In this configuration, NetScaler Gateway is unaware of the PAC file or proxy server. The traffic flow is the same as for full VPN tunneling without PAC.

The following diagram shows the traffic flow when WorxWeb users navigate to a web site:

localized image

In that example, the traffic rules specify that:

  • NetScaler Gateway directly connects to the intranet site
  • Traffic to intranet site is proxied through internal proxy servers.
  • External traffic is proxied through internal proxy servers. Proxy rules block external traffic to

To configure full VPN tunneling with PAC

1. Validate and test the PAC file:


For details about creating and using PAC files, see

  • Validate your PAC file using a PAC validation tool such as Pacparser When you read your PAC file, ensure the Pacparser results are what you expect. If the PAC file has a syntax error, mobile devices will silently ignore the PAC file. (A PAC file is stored only in memory on mobile devices.)

    A PAC file is processed from the top down and processing stops when a rule matches the current query.
  • Test the PAC file URL with a web browser before entering into the PAC/Proxy field of the XenMobile Server. Make sure that the computer can access the network where the PAC file is located.


Tested PAC file extensions are .txt or .pac.

The PAC file should show its contents inside the web browser.


Each time you update the PAC file used with WorxWeb, inform users that they must close and reopen WorxWeb.

2. Configure NetScaler Gateway:

  • Disable NetScaler Gateway split tunneling. If split tunneling is on and a PAC file is configured, the PAC file rules override the NetScaler split tunneling rules. A proxy does not override NetScaler split tunneling rules.
  • Remove NetScaler Gateway traffic policies configured for proxy. This is required for WorxWeb to work correctly. The following figure shows an example of the policy rules to remove.
localized image

3. Configure WorxWeb policies:

  • Set the Preferred VPN mode policy to Full VPN tunnel.
  • Set the Permit VPN mode switching policy to Off.
  • Configure the PAC file URL or proxy server policy. WorxWeb supports HTTP and HTTPS as well as default and non-default ports. For HTTPS, the root certificate authority must be installed on the device if the certificate is self-signed or untrusted.

    Be sure to test the URL or proxy server address in a web browser before configuring the policy.

    Example PAC file URLs:


    Example proxy servers (port is required):


If you configure a PAC file or proxy server, do not configure PAC in system proxy settings for WiFi.

  • Set the Enable web password caching policy to On. Web password caching handles SSO for HTTPS sites.

    NetScaler can perform SSO for internal proxies if the proxy supports the same authentication infrastructure.

Limitations of PAC file support

WorxWeb does not support:

  • Failover from one proxy server to another. PAC file evaluation can return multiple proxy servers for a hostname. WorxWeb uses only the first proxy server returned.
  • Protocols such as ftp and gopher in a PAC file
  • SOCKS proxy servers in a PAC file
  • Web Proxy Autodiscovery Protocol (WPAD)

WorxWeb ignores the PAC file function alert so that WorxWeb can parse a PAC file that doesn't include those calls.

About WorxWeb Policies

When adding WorxWeb, be aware of these MDX policies that are specific to WorxWeb.

For all supported mobile devices:

Allowed or blocked websites
WorxWeb normally does not filter web links. You can use this policy to configure a specific list of allowed or blocked sites. You configure URL patterns to restrict the websites the browser can open, formatted as a comma-separated list. Each pattern in the list is preceded by a Plus Sign (+) or Minus Sign (-). The browser compared a URL against the patterns in the order listed until a match is found. When a match is found, the action taken is dictated by the prefix as follows:
  • A minus (-) prefix instructs the browser to block the URL. In this case, the URL is treated as if the web server address could not be resolved.
  • A plus (+) prefix allows the URL to be processed normally.
  • If neither + or - is provided with the pattern, + (allow) is assumed.
  • If the URL does not match any pattern in the list, the URL is allowed
To block all other URLs, end the list with a Minus Sign followed by an asterisk (-*). For example:
  • The policy value +http://**,-http://*,+https://*,+ftp://*,-* permits HTTP URLs within domain, but blocks them elsewhere, permits HTTPS and FTP URLS anywhere, and blocks all other URLs.
  • The policy value +http://*.training.lab/*,+https://*.training.lab/*,-* allows users open any sites in Training.lab domain (intranet) via HTTP or HTTPS, but no public URLs, such as Facebook, Google, Hotmail, and so on, regardless of protocol.

Default value is empty (all URLs allowed).

Preloaded bookmarks
Defines a preloaded set of bookmarks for the WorxWeb browser. The policy is a comma-separated list of tuples that include folder name, friendly name, and web address. Each triplet should be of the form folder,name,url where folder and name may optionally be enclosed in double quotes (").

For example, the policy values ,"Mycorp, Inc. home page",, "MyCorp Links",Account logon, "MyCorp Links/Investor Relations","Contact us", define three bookmarks. The first is a primary link (no folder name) titled "Mycorp, Inc. home page". The second link will be placed in a folder titled "MyCorp Links" and labeled "Account logon". The third will be placed in the "Investor Relations' subfolder of the "MyCorp Links" folder and displayed as "Contact us"."

Default value is empty.

Home page URL
Defines the website that WorxWeb loads when started. Default value is empty (default start page).

For supported Android and iOS devices only:

Browser user interface
Dictates the behavior and visibility of browser user interface controls for WorxWeb. Normally all browsing controls are available. These include forward, backward, address bar, and the refresh/stop controls. You can configure this policy to restrict the use and visibility of some of these controls. Default value is All controls visible.


  • All controls visible. All controls are visible and users are not restricted from using them.
  • Read-only address bar. All controls are visible, but users cannot edit the browser address field.
  • Hide address bar. Hides the address bar, but not other controls.
  • Hide all controls. Suppresses the entire toolbar to provide a frameless browsing experience.
Enable web password caching
When WorxWeb users enter credentials when accessing or requesting a web resource, this policy determines whether WorxWeb silently caches the password on the device. This policy applies to passwords entered in authentication dialogs and not to passwords entered in web forms.

If On, WorxWeb caches all passwords users enter when requesting a web resource. If Off, WorxWeb does not cache passwords and removes existing cached passwords. Default value is Off.

This policy is enabled only when you also set the Preferred VPN policy to Full VPN tunnel for this app.

Proxy servers
You can also configure proxy servers for WorxWeb when used in secure browse mode. For details, see this blog post.
DNS suffixes
On Android, if DNS suffixes aren't configured, the VPN could fail. For details on configuring DNS suffixes, see Supporting DNS Queries by Using DNS Suffixes for Android Devices.

Preparing Intranet Sites for WorxWeb

This section is for website developers who need to prepare an intranet site for use with WorxWeb for Android and iOS. Intranet sites designed for desktop browsers require changes to work properly on Android and iOS devices.

WorxWeb relies on Android WebView and iOS UIWebView or WKWebView to provide web technology support. Some of the web technologies supported by WorxWeb are:

  • AngularJS
  • JavaScript
  • JQuery

Some of the web technologies not supported by WorxWeb are:

  • Flash
  • Java

The following table shows the HTML rendering features and technologies supported for WorxWeb. X indicates the feature is available for a platform, browser, and component combination.

Technology iOS WorxWeb Android 4.3 WorxWeb Android 4.4 WorxWeb Android 5.0 WorxWeb
Nitro 8     X X
LocalStorage X X X X
AppCache X X X X
IndexedDB     X X
SPDY     X X
WebP     X X
srcset       X
WebGL       X
requestAnimationFrame API X   X X
Navigation Timing API   X X X
Resource Timing API     X X


To determine the browser version used for WorxWeb, you can view its user agent string. From WorxWeb, navigate to

Troubleshooting Intranet Sites

To troubleshoot rendering issues when your intranet site is viewed in WorxWeb, compare how the website renders on WorxWeb and a compatible third-party browser. 

OS Compatible third-party browsers
iOS Chrome, Dolphin
Android Dolphin
Note: Chrome is a native browser on Android. Do not use it for the comparison.

In iOS, make sure the browsers have device-level VPN support.   You can configure this on the device in Settings > VPN > Add VPN Configuration

You can also use VPN client apps available on the App Store, such as Citrix VPN, Cisco AnyConnect, or Pulse Secure.

  • If a web page renders the same for the two browsers, the issue is with your website. Update your site and make sure it works well for the OS.
  • If the issue on a web page appears only in WorxWeb, contact Citrix Support to open a support ticket. Please provide your troubleshooting steps, including the tested browser and OS types. If WorxWeb for iOS has rendering issues, please include a web archive of the page as described in the following steps. Doing so helps Citrix resolve the issue faster.

To create a web archive file

Using Safari on Mac OS X 10.9 or later, you can save a web page as a web archive file (referred to as a reading list) that includes all linked files such as images, CSS, and JavaScript.

  1. From Safari, empty the Reading List folder: In the Finder, click the Go menu in the Menu bar, choose Go to Folder, type the path name ~/Library/Safari/ReadingListArchives/, and then delete all of the folders in that location.
  2. In the Menu bar, go to Safari > Preferences > Advanced and enable Show Develop menu in menu bar.
  3. In the Menu bar, go to Develop > User Agent and enter the WorxWeb user agent:(Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69 WorxWeb/ 10.1.0(build 1.4.0) Safari/8536.25).
  4. In Safari, open the web site you will save as a reading list (web archive file).
  5. In the Menu bar, go to Bookmarks > Add to Reading List. This can take a few minutes. The archiving occurs in the background.
  6. Locate the archived reading list: In the Menu bar, go to View > Show Reading List Sidebar.
  7. Verify the archive file:
    1. Turn off network connectivity to your Mac.
    2. Open the web site from the reading list.

    The web site should completely render.

  8. Compress the archive file: In the Finder, click the Go menu in the Menu bar, choose Go to Folder, type the path name ~/Library/Safari/ReadingListArchives/, and then compress the folder that has a random hex string as a file name. This is the file that you can send to Citrix support when you open a support ticket.

WorxWeb Features

WorxWeb makes use of mobile data exchange technologies to create a dedicated VPN tunnel for users to access internal and external websites and all other websites—including sites with sensitive information—in an environment secured by your organization's policies.

The integration of WorxWeb with WorxMail and ShareFile offers a seamless user experience within the secure XenMobile container. Here are some examples of integration features:

  • When users tap mailto links, a new email message opens in WorxMail with no additional authentication required.
  • In iOS, users can open a link in WorxWeb from a native mail app by inserting ctxmobilebrowser:// in front of the URL. For example, to open from a native mail app, use the URL ctxmobilebrowser://
  • When users click an intranet link in an email message, WorxWeb goes to that site with no additional authentication required.
  • Users can upload files to ShareFile that they download from the web in WorxWeb.

WorxWeb users can also perform the following actions:

  • Block pop-ups.
    Note: Much of WorxWeb's memory goes into rendering pop-ups, so performance is often improved when users block pop-ups in Settings. If you want to block pop-ups by default, set Block pop-ups in the XenMobile console to On. If you had Block pop-ups set to Off before upgrading to version 10.3.6, the setting remains off. Otherwise, the setting is On and pop-ups are blocked.
  • Bookmark their favorite sites.
  • Download files.
  • Save pages offline.
  • Auto-save passwords.
  • Clear cache/history/cookies.
  • Disable cookies and HTML5 local storage.
  • Securely share devices with other users.
  • Search within the address bar.
  • Allow web apps they run with WorxWeb to access their location.
  • Export and import settings.
  • In iOS, use 3D Touch actions to open a new tab and access offline pages, favorite sites, and downloads directly from the springboard.
  • Open links directly in ShareFile. Users must have ShareFile 4.0 and you must add ctx-sf: to the Allowed URLs policy in XenMobile.
  • In iOS, download files of any size and open them in ShareFile or other apps.  Note: Putting WorxWeb in the background causes the download to stop.
  • Search for a term within the current page view using Find in Page.
localized image

WorxWeb also has dynamic text support, so it displays the font that users set on their devices.

Supported File Formats

An X indicates a file format that can be rendered and downloaded in WorxWeb.

  iOS Android
H.263 AMR NB codec_Mp4   X
H.263 AMR NB codec_3gp   X
H.264 AAC codec_3gp   X
H.264 AVC codec_mp4   X
MP4* X X
3GP   X
*MP4 is not supported when WorxWeb is running in full VPN mode.
Flac   X
m4a   X
mp3 X X
wav X X
wma   X
PDF X Download only; open in
QuickEdit or other app to preview.