Citrix Gateway Service Plurality

Last Updated on December 26, 2021

Citrix Gateway service is available at many places in Citrix cloud. The purpose of this article is to show where and how the Citrix Gateway service can be enabled, and why it should be enabled or left disabled.

At Workspace Configuration Service Integrations

When using an authentication method (screenshot 1) such as Active Directory, Active Directory + Token, Azure Active Directory (AAD) or Okta for Workspace (replacement of Storefront in Citrix cloud), it is essential to secure the HDX traffic between users/subscribers and on-premises resources (applications/desktops). Citrix Gateway service at Service Integrations (screenshot 2) under Workspace Configuration does that for you. If you want to correlate it with on-premises Citrix setup then think of it as on-premises NetScaler aka Citrix ADC proxying HDX/ICA traffic between end-users and VDAs.

To enable, click on ellipsis (three dots) to the right and select Enable. Click on Confirm on “Enable Gateway Integration for Citrix Workspace” prompt. A confirmation notification with message “Gateway successfully enabled for Citrix Workspace” will appear at the top.

Gateway Service and On-Premises Gateway at Resource Locations and Workspace External Connectivity

When you integrate Citrix gateway service with Citrix Workspace as we saw in previous topic, all resource locations inherit Gateway service as the default secure remote access solution. Now, imagine a situation where you have two resource locations in Citrix Cloud – Azure and physical Datacenter. For one resource location (Azure for example), you can choose to use Gateway service but for other resource location (Physical Datacenter in Noida for example), you may want to use on-premises Citrix Gateway. This scenario requires some changes in Noida resource location.

1. As a prerequisite, install Citrix Cloud Connectors and define those cloud connectors as STA in on-premises gateway virtual server. This is out of scope of this article, however, cloud connector installation and configuring Citrix ADC to use cloud connectors as STA (CTX232640) is very straightforward.
2. Go to Resource Locations and Click on +Gateway (not Gateway Connectors).

3. Select Traditional Gateway, provide the External FQDN of on-premises gateway and click on Add.

4. Click on Test STA.

5. Once the connectivity is successful, click on Save.
6. Alternatively, you can go to Workspace Configuration > Access > External connectivity, click on ellipsis symbol in the resource location and then click on Configure Connectivity.

7. It will open the same window as we saw in step 3 of this topic, where you can choose between on-premises gateway, Gateway service or Internal Only. Internal Only is used when only users in the same network as Citrix site are supposed to use apps and desktops.

Gateway Service and On-Premises Gateway at Workspace Site Aggregation

Site aggregation is the process of adding Citrix site to Citrix workspace so existing on-premises apps and desktops can be made available to workspace subscribers.

1. As a prerequisite, install Citrix cloud connector and ensure that if there is a web-proxy then Cloud connector should be able to validate connectivity to the XML service. See Site aggregation fails with error “We couldn’t find your site. Adding cloud connectors as STA to the on-premises Citrix ADC will depend on the choice of “Connectivity Type” we will select later in this process.
2. Select the type of on-premises Citrix site. Click on continue.

3. Select a resource location for Citrix Cloud to discover Virtual Apps and Desktops Site. Citrix Cloud will use cloud connectors in that resource location to talk to the on-premises Controllers.
4. Provide FQDN or IP address of on-premises Delivery Controller. Click on Discover. If you selected XenApp 6.5 as site type in previous section then you have to provide the XML port here. For 7.x sites, Citrix cloud automatically detects XML server port.

5. Provide credentials of a Citrix Administrator. Read-only permissions are enough for Citrix cloud to discover on-premises Citrix site. Citrix Cloud does not store these credentials or use them to make changes to your Site. Discovery takes place through Cloud connectors and might take a few minutes to complete.
6. Citrix cloud also allows site discovery without using site credentials. Complete this task before you add the Site to Citrix Workspace:
   • Install Cloud Connectors (at least two) in your Site’s domain.
   • Create AD security group and add connectors on that group.
   • Open Citrix Studio and assign Read-only administrator role to that security group.
7. Click on Continue once the authentication and discovery is successful.

8. Next Step is to verify the Active Directory Connection. npp.local is the domain that Citrix Cloud detected during the discovery process. Since I am doing this in the lab, I have installed only one connector and thus the warning. To continue, I have to check “I understand that high availability requires having two connectors installed in each domain”.
9. To understand the limitations and solution of having separate user and resource forests, go to prerequisites and scroll down to Active Directory trusts.
10. To aggregate site that uses Azure Active Directory, configure the site to trust XML service requests. See CTX236929
11. Click on Continue.

12. This is where you choose existing on-premises gateway or Citrix gateway service or Internal Only. If you select “Add existing NetScaler Gateway” then follow step 3-5 in second heading of this article. Click on Continue.

13. The last section is “Confirm Site Aggregation”. Review the configuration and click on Save and Finish.
14. If you are seeing an alert related to XML servers then troubleshoot it with the help of CTX232516.

In next article, we will see how to use on-premises Citrix ADC to authenticate workspace users.