Citrix Secure Workspace Access

Citrix Product Documentation | docs.citrix.com March 23, 2022

Contents

Release Notes
Get started with Citrix Secure Workspace Access
Admin guided workflow for easy onboarding and set up - Preview
Add and manage apps
Support for Enterprise web apps
Direct access to Enterprise web apps - Preview
Citrix Gateway Connector
Citrix Gateway Connector dashboard
Support for client-server apps - Preview
Support for Software as a Service apps
Apps configuration using a template
SaaS app server specific configuration
Launch a configured app - end user workflow
Read-only access for admins to SaaS and Web apps
Diagnostic logs for Enterprise Web and SaaS apps access - Preview
Audit logs - Preview
Route tables to resolve conflicts if the related domains in both SaaS and web apps are the same
Adaptive access and security controls for Enterprise Web and SaaS applications – Preview
Web filtering
Configure website filtering
Available categories list for Citrix Secure Workspace Access
Use case: Configure an access policy to allow selective access to apps
Monitor user activity and manage settings with analytics
Citrix Cloud Gateway Connector availability in Azure Marketplace
Citrix Cloud Gateway Connector availability in Azure
Deploy a Citrix Gateway Connector instance on AWS - Preview
ADFS integration with Secure Workspace Access

© 1999‒2022 Citrix Systems, Inc. All rights reserved.

Release Notes

March 2, 2022

The Citrix Secure Workspace Access service release notes describe the new features, enhancements to existing features, fixed issues, and known issues available in a service release. The release notes include one or more of the following sections:

What’s new: The new features and enhancements available in the current release.

Fixed issues: The issues that are fixed in the current release.

Known issues: The issues that exist in the current release and their workarounds, wherever applicable.

V13.4 (February 16, 2022)

What’s new

• Support for client-server apps

With the support for client-server applications within Citrix Secure Workspace Access, you can now eliminate the dependency on a traditional VPN solution to provide access to all private apps for remote users.

For details, see Support for client-server apps - Preview.

[ACS-870]

Known issues

• Enhanced security controls are not enforced for applications opened in a Secure Browser (remote browser) when the apps are launched from a native browser.

Workaround: Add additional related domains with wildcard domains which satisfy the app URL. For example, if the app FQDN is finapp.acme.com, adding *.acme.com to the related domains enforces the settings as expected.

• HTTP / Web App URL configured with IP address is not supported.

• During ZTNA login, Webview intermittently takes a longer time to load.
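The related-domain workaround and the IP-address limitation above can be checked across many app definitions before they are published. The following is an added example, not Citrix code: the app records, the field names (`url`, `related_domains`, `enhanced_security`) and the suffix-style wildcard matching are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample app definitions; the field names are hypothetical and do
# not correspond to any Citrix export format.
SAMPLE_APPS = [
    {"name": "FinApp", "url": "https://finapp.acme.com/login",
     "related_domains": ["finapp.acme.com"], "enhanced_security": True},
    {"name": "HR", "url": "https://hr.acme.com/",
     "related_domains": ["*.acme.com"], "enhanced_security": True},
    {"name": "Legacy", "url": "http://10.20.30.40:8080/app",
     "related_domains": [], "enhanced_security": False},
    {"name": "Wiki", "url": "https://wiki.acme.com/",
     "related_domains": ["wiki.acme.com"], "enhanced_security": False},
]


def app_host(url):
    """Return the lower-cased host of an app URL, without port or brackets."""
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host):
    """True for IPv4/IPv6 literals, which the release notes list as unsupported."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def wildcard_satisfies(pattern, host):
    """Assumed semantics: '*.acme.com' satisfies any host under acme.com."""
    pattern = pattern.strip().lower()
    if not pattern.startswith("*.") or len(pattern) < 3:
        return False
    suffix = pattern[1:]            # ".acme.com"
    return host.endswith(suffix) and host != suffix


def lint_app(app):
    """Return finding codes for one app definition."""
    findings = []
    host = app_host(app["url"])
    if not host:
        findings.append("url-has-no-host")
    elif is_ip_literal(host):
        findings.append("url-uses-ip-address")
    elif app.get("enhanced_security") and not any(
            wildcard_satisfies(p, host) for p in app.get("related_domains", [])):
        # Known issue: enhanced security controls may not be enforced in the
        # Secure Browser when the app is launched from a native browser.
        findings.append("no-wildcard-related-domain")
    return findings


def audit(apps):
    """Map app name -> findings, listing only apps that need attention."""
    report = {}
    for app in apps:
        findings = lint_app(app)
        if findings:
            report[app["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_APPS).items():
        print(name, findings)
```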

V12.1 (October 11, 2021)

What’s new

• Merger of Citrix Gateway service tile into a single Secure Workspace Access in Citrix Cloud

The Citrix Gateway service tile is now merged into a single Secure Workspace Access in Citrix Cloud.

– All Secure Workspace Access customers, including Citrix Workspace Essentials and Citrix Workspace Standard, can now use one single Secure Workspace Access tile for configuring SaaS and Enterprise web apps, enhanced security controls, contextual policies, in addition to web filtering policies.

– All Citrix Virtual Apps and Desktops service customers can still enable the Citrix Gateway service as the HDX proxy from Workspace Configuration. However, the shortcut to enable Citrix Gateway service from the gateway service tile is removed. You can enable the Citrix Gateway service from Workspace configuration > Access > External Connectivity. For details, see External connectivity. There is no change in the functionality, otherwise.

Fixed issues

• If the NameID configured in the SAML SSO settings of an application is not available in the user’s token, then the string “Anonymous” is used in the SAML assertion. As a result, the SAML SSO in SP initiated flow fails.

[NGSWS-16761]

V11.4 (July 30, 2021)

What’s new

• Contextual access and security controls for the Enterprise Web and SaaS apps based on user’s geographic location

The Citrix Secure Workspace Access service now supports contextual access to the Enterprise Web and SaaS apps based on the user’s geographic location.

[ACS-833]

• Option to hide a specific Web or a SaaS app from Citrix Workspace portal

Admins can now hide a specific Web or SaaS app from the Citrix Workspace portal. When an app is hidden from the Citrix Workspace portal, the Citrix Gateway service does not return this app during enumeration. However, users can still access the hidden app.

[ACS-944]

Fixed issues

• Sometimes, the message “Error modifying application….” might appear when you click the Finish button after adding a Web or a SaaS app.

[NSHELP-28336]

Known issues

• The disabled setting of an entry in the application routing table is not enforced during the application launch.

[NGSWS-18296]

• The error page title is not globalized to display the text in the local language.

[NGSWS-19119]

• If the NameID configured in the SAML SSO settings of an application is not available in the user’s token, then the string “Anonymous” is used in the SAML assertion. As a result, the SAML SSO in SP initiated flow fails.

[NGSWS-16761]

V10.5 (June 09, 2021)

What’s new

• Route table to define the rules to route the app traffic

Admins can now use the route table to define the rules to route the app traffic directly to the internet or through the Citrix Gateway Connector. The admins can define the route type for the apps as External, Internal, Internal-Bypass Proxy, or External via Gateway Connector depending on how they want to define the traffic flow.

[ACS-243]

Known issues

• If the NameID configured in the SAML SSO settings of an application is not available in the user’s token, then the string “Anonymous” is used in the SAML assertion. As a result, the SAML SSO in SP initiated flow fails.

[NGSWS-16761]

V10.4 (May 22, 2021)

What’s new

• Contextual access to Enterprise Web and SaaS applications

The Citrix Secure Workspace Access service contextual access feature offers a comprehensive zero-trust access approach that delivers secure access to the applications. Contextual access enables admins to provide granular level access to the apps that users can access based on the context. The term “context” here refers to users, user groups, and the platform (mobile device or a desktop computer) from which the user is accessing the application.

[ACS-222]

• Rebranding of Citrix Gateway Connector user interface

The Citrix Cloud Gateway Connector user interface is rebranded as per the Citrix branding guidelines.

[NGSWS-17100]

V10.2 (May 01, 2021)

What’s new

• Deletion of customer data from the Citrix Secure Workspace Access service datastore

Customer data, including backups, is deleted from the Citrix Secure Workspace Access service datastore after 90 days of service entitlement expiry.

[ACS-388]

• Simplified steps to federate a domain from Azure AD to Citrix Workspace

The steps to federate a domain from Azure AD to Citrix Workspace app are now simplified for faster onboarding in Citrix Workspace. Domain federation can now be performed in the Citrix Gateway service user interface, from the Single sign on page.

[ACS-351]

• Enhancement to the Connectivity Test tool

The Connectivity Test tool in the Citrix Gateway Connector is enhanced to handle timeout errors and to generate the necessary logs.

[NGSWS-17212]

Fixed issues

• Access to Enterprise web apps fails if the plus ( + ) character is used to replace whitespace in query parameters.

[NSHELP-26792]

• Existing and new Enterprise Web apps cannot be assigned to the resource location if the resource location name is modified. With this fix, you can rename the resource locations of the existing and new Enterprise Web apps from the Citrix Gateway Service if you have modified the resource location name from the Citrix Cloud home page.

[NGSWS-16641]

V9.6 (March 15, 2021)

What’s new

• Platform enhancements

Various platform enhancements are made to increase reliability in propagating customer’s admin configurations to the Citrix Gateway Connectors.

[ACS-85]

• Improved web apps performance

The web apps performance when the web applications are accessed from the system browser using clientless VPN has been improved.

[NGSWS-16469]

• Enabling Citrix Gateway Connector to use TLS1.2 Grade A or above cipher suites

The Citrix Gateway Connector now uses TLS1.2 with Grade A or above cipher suites to connect to Citrix Cloud service and other back end servers.

[NGSWS-16068]

Fixed issues

• Adding an Enterprise web app or a SaaS app with numbers in the FQDN fails. For example, https://sample-site.2k3.net fails.

[NGSWS-16847]

• Sometimes, if Enhanced Security is enabled for an application, the watermark on an application displays the name as “Anonymous” instead of the user’s display name.

[NGSWS-16371]

• If a SaaS app or an Enterprise web app name contains a period “.” in the name, the name gets truncated after the period “.” on saving the configuration.

[NGSWS-16758]

V9.3 (January 20, 2021)

Fixed issues

• When adding an enterprise Web app, the App Connectivity page does not open.

[NGSWS-16332]

• An error message appears when you change the authentication type from Don’t use SSO to SAML. This error message appears when you try to edit an app after you click the Finish button.

[NGSWS-16315]

• The SAML single sign-on option is grayed out for some SaaS applications that are created without using the template.

[NGSWS-16162]

• When adding an Enterprise Web app, an alert symbol appears even after the gateway connector detection is complete.

[NGSWS-15562]

V8.4 (November 11, 2020)

What’s new

• Renaming of Citrix Access Control service

The Access Control service is now renamed as Secure Workspace Access.

[NGSWS-14934]

V8.2 (October 15, 2020)

What’s new

• Enhanced security option to launch SaaS and Enterprise Web apps within Secure Browser service

Admins can now use the enhanced security option, Select Launch application always in Citrix Secure Browser service to always launch an application in the Secure Browser service regardless of other enhanced security settings.

[ACS-123]

V7.6 (October 8, 2020)

What’s new

• Configure session timeouts for the Citrix Secure Workspace Access browser extension

Admins can now configure session timeouts for the Citrix Secure Workspace Access browser extension. Admins can configure this setting from the Manage tab in the Citrix Gateway service user interface.

[NGSWS-13754]

• RBAC control on Citrix Secure Workspace Access browser extension admin settings

RBAC control is now enforced on Citrix Secure Workspace Access browser extension admin settings.

[NGSWS-14427]

V7.5 (September 24, 2020)

What’s new

• Enable VPN-less access to Enterprise Web apps through a local browser

You can now use the Citrix Secure Workspace Access browser extension to enable VPN-less access to Enterprise Web apps through a local browser. The Citrix Secure Workspace Access browser extension is supported on both Google Chrome and Microsoft Edge browsers.

[ACS-286]

V7.1 (July 7, 2020)

What’s new

• Validate Kerberos configuration on Citrix Gateway Connector

You can now use the Test button in the Single sign on section to validate the Kerberos configuration.

[NGSWS-8581]

V6.6 (June 19, 2020)

What’s new

• Read-only access to admins of the Citrix Gateway service and Citrix Secure Workspace Access service

Security admin teams using the Citrix Gateway service can now provide granular controls, such as read-only access to admins of the Citrix Gateway service and Citrix Secure Workspace Access service.

– Admins with read-only access to the Citrix Gateway service have access to only view the app details.

– Admins with read-only access to the Citrix Secure Workspace Access service can only view the content access settings.

[ACS-205]

V6.3 (May 8, 2020)

What’s new

• New troubleshooting tools in Citrix Gateway Connector 13.0

– Network tracing: You can now use the Trace feature to troubleshoot Citrix Gateway Connector registration issues. You can download the trace files and share it with the administrators for troubleshooting. For details, see Troubleshoot Citrix Gateway Connector registration issues.

[NGSWS-10799]

– Connectivity tests: You can now use the Connectivity Test feature to confirm that there are no errors in the Gateway Connector configuration and the Gateway Connector is able to connect to the URLs. For details, see Log on and set up the Citrix Gateway Connector.

[NGSWS-8580]

V3.5 (August 19, 2019)

Known issues

• Launching an Enterprise Web app for an NTLM authentication enabled resource from Citrix Workspace fails if both of the following conditions are met:

– Customer’s data center has a proxy server and that proxy server is configured on the Gateway Connector

– Web App is configured with no SSO (Don’t use SSO)

Workaround:

– Publish the Web app as a Basic SSO app or
– Do not have a proxy server configured on Gateway Connector

[NGSWS-8266]

• If there are SSL intercepting devices in the on-premises data center where the Citrix Gateway Connector must be deployed, the connector registration does not succeed if SSL interception is enabled for the following FQDNs.

– *.nssvc.net
– *.netscalermgmt.net
– *.citrixworkspacesapi.net
– *.citrixnetworkapi.net
– *.citrix.com
– *.servicebus.windows.net
– *.adm.cloud.com

The SSL interception must be disabled for these FQDNs for successful connector registration.

[NGSWS-8923]

• Download logs option is available in Gateway Connector from version 401.251. If you are on an earlier version of the connector and you upgrade the connector to version 401.251, you cannot download the logs even though the Download Logs link is available.

[NGSWS-8438]

V2019.06.01

Fixed issues

• Edits made in the Access Control page are not propagated to the database because the failed jobs were retried incorrectly. [NGSWS-7733]

V2019.05.01

Fixed issues

• If a customer’s data center has an authentication-enabled proxy server configured for Gateway Connector, the connector fails to register itself with Citrix Cloud. [NGSWS-7231]

• When adding an Enterprise Web app, if the FQDN contains an underscore ( _ ) in the domain name, an error is displayed. [NGSWS-7033]

• If the SSO type for a SaaS app is changed from Don’t use SSO to SAML, the configuration change fails. [NGSWS-7466]

V2019.04.02

What’s new

• Kerberos authentication support for Citrix Gateway Connector to outbound proxy [NGSWS-6410]

Kerberos authentication is now supported for the traffic from Citrix Gateway Connector to the outbound proxy. Gateway Connector uses the configured proxy credentials to authenticate to the outbound proxy.

Fixed issues

• In rare cases, web filtering UI configuration changes do not take effect to the tenant traffic. [NGSWS-7147]

• Memory leaks on ICA service nodes, resulting in a high memory usage. [NGSWS-7014]

• Application fails to launch because the Citrix Gateway service node does not send the X-NGS-Session-Id header as part of the policy document retrieval request to the CVMs. [NGSWS-6963]

• Authentication and app enumeration on the Citrix Gateway service fail if the token size for authentication exceeds 64 KB. [NGSWS-5932]

V2019.04.01

What’s new

• Web/SaaS apps traffic can now be routed via a corporate-network-hosted Gateway Connector thus avoiding two factor authentication. If a customer has published a SaaS app that is hosted outside the corporate network, support is now added to authenticate traffic for that app to go through an on-premises Gateway Connector.

For example, consider that a customer has an Okta protected SaaS app (like Workday). The customer might want that even though the actual Workday data traffic is not routed via the Citrix Gateway service, the authentication traffic to the Okta server is routed through the Citrix Gateway service via an on-premises Gateway Connector. This helps a customer to avoid a second factor authentication from the Okta server as the user is connecting to the Okta server from within the corporate network.

[NGSWS-6445]

• Disabling Filtering Website Lists and Website Categorization. Filtering Website Lists and Website Categorization can be disabled if the admin chooses not to apply these functionalities for a specific customer.

[NGSWS-6532]

• Automatic geo routing for secure browser service redirects. Automatic geo routing is now enabled for secure browser service redirects.

[NGSWS-6926]

Fixed issues

• Web app launch fails for a customer when the value of the CustomerId is in the camel case.

[NGSWS-6705]

• Connection to a Secure Mail server is not possible with FQDN. If the customer configuration has FQDN configured for the mail server, then the connection fails.

[NGSWS-6566]

• App launch fails after the Gateway Service session times out. The end user must relogin to access the apps.

[NGSWS-6917]

• When renaming a SaaS app, the name changes in the GUI but does not change in the Workspace app. Similarly, when changing or adding an icon of certain SaaS apps and Web apps, the icon updates in the GUI but is not propagated to the Workspace app.

[NGSWS-6915]

• If Enhanced Security is enabled on a Web app (hosted inside the corporate network) and if that app is launched from a native browser, then the app launch is redirected to the secure browser service because the native browser cannot enforce enhanced security policies.

[NGSWS-6804]

• An app fails to launch if the app FQDN is in the camel case.

[NGSWS-6587]

• Deleted applications still show up in the cloud library.

[NGSWS-6525]

• When there is an outbound proxy configured for Gateway Connector and if the proxy has authentication enabled, Gateway Connector cannot perform authentication with the proxy server.

[NGSWS-6374]

• In race conditions, app configuration does not get propagated intermittently.

[NGSWS-4958]

• App launch fails intermittently with a “Failed to fetch Policy Document.” error.

[NGSWS-6963]

• Deleted apps still show up in the Workspace app.

[NGSWS-6732]

• Gateway Service supports form response sizes up to 32k for Web applications with form based SSO which is not sufficient for certain applications. With this fix, Gateway Service now supports form response sizes of up to 64k for Web Applications with form based SSO type.

[NGSWS-6511]

V2019.03.01

What’s new

• “Detect” button is added in the “Add a Gateway Connector” page. The Detect button is used to refresh the list of connectors, allowing the newly added connector to reflect in the Web app connectivity section.

[CGOP-6358]

• A new category “Malicious and Dangerous” is added in the “Access Control Web Filtering” categories. A new category named Malicious and Dangerous in the Access Control Web Filtering categories is added under the Malware and Spam group.

[CGOP-6205]

Fixed issues

• Sometimes, the Gateway Connector crashes when multiple threads access the same resource.

[CGOP-6359]

• Sometimes, delete operation using an administrator credential for a Web or SaaS application that does not have subscribed users or groups fails.

[CGOP-6310]

• Configurations for the Citrix Gateway Connector are lost upon editing Form based SSO parameters.

[CGOP-6158]

• Add another app option does not work when you access the option navigating as follows, Edit app > Overview > Add another app.

[NGSWS-6089]

• A newly added connector takes too long to show up in the UI.

[NGSWS-5505]

• Outbound connections from a connector fail when the connector uses the external FQDN value for the connection via an outbound proxy.

[NGSWS-6451, NGSWS-6431]

• Sometimes, app enumeration fails for a customer when the value of the CC-Customer-Id field has letters in lower case and in upper case.

[NGSWS-4924]

• Upon launching an application in a Secure Browser session, the display message incorrectly shows “Connecting to [application id]” instead of “Connecting to [application name].”

[NGSWS-6061]

• Athena tokens that exceed 64k bytes in size upon decompressing are not supported.

[NGSWS-5932]

Get started with Citrix Secure Workspace Access

September 4, 2021

This document walks you through how to get started with onboarding and setting up the SaaS apps delivery for the first time. This document is intended for application administrators.

System requirements

Operating systems support: Citrix Workspace app is supported on Windows 7, 8, 10, and Mac 10.11 and above.

Browser support: Access workspaces using Internet Explorer 11, or the latest versions of Edge, Chrome, Firefox, or Safari.

Citrix Workspace support: Access workspaces using Citrix Workspace for any of the desktop platforms (Windows, Mac).

How it works

Citrix Secure Workspace Access helps IT and security admins to govern authorized end-user access to sanctioned SaaS and enterprise hosted web apps. User identities and attributes are used to determine access privileges and access control policies determine the privileges that are required to perform operations. Once a user is authenticated, access control then authorizes the appropriate level of access and allowed actions associated with that user’s credentials.

Citrix Secure Workspace Access combines elements of several Citrix Cloud services to deliver an integrated experience for end users and administrators.

Functionality | Service/Component providing the functionality
Consistent user interface to access apps | Workspace Experience/Workspace App
SSO to SaaS and Web apps | Citrix Gateway Service Standard
Web filtering and categorization | Web filtering service
Enhanced security policies for SaaS | Cloud app control
Secure browsing | Secure Browser service
Visibility into website access and risky behavior | Citrix Analytics

Get started with Citrix Secure Workspace Access service

1. Sign up for Citrix Cloud.
2. Request for the Secure Workspace Access service entitlement.
3. Post entitlement, Secure Workspace Access service is provisioned under My Services.
4. Access the Secure Workspace Access service UI.

Step 1: Sign Up for Citrix Cloud

To start using Secure Workspace Access service, you must first create a Citrix Cloud account or join an existing one that is created by someone else in your company. For detailed processes and instructions on how to proceed, see Signing Up for Citrix Cloud.

Step 2: Request for the Secure Workspace Access service entitlement

To request for the Secure Workspace Access service entitlement, on the Citrix Cloud screen, under the Available Services section, click the Request Trial tab present in the Secure Workspace Access service tile.

Important:

The Citrix Gateway service tile and the Secure Workspace Access service tile are merged into the Secure Workspace Access service tile and the landing page is modified for Secure Workspace Access service. Therefore you do not see the Virtual Apps and Desktops and the Add a Web/SaaS app shortcuts. However, the Citrix Virtual Apps and Desktops customers can enable Citrix Gateway service from Workspace configuration > Access > External Connectivity. There is no change in the functionality otherwise.

Step 3: Post entitlement, Secure Workspace Access service is provisioned under My Services

After you receive the Secure Workspace Access service entitlement, the Secure Workspace Access service tile moves to My Services section.

Step 4: Access the Secure Workspace Access service UI

Click the Manage tab present on the tile to access the Secure Workspace Access service UI. After you click the Manage tab, an Overview screen explaining the available services appears.

Note:

• For your end users to use the workspace and access the apps, they must download and use the Citrix Workspace app or use the workspace URL. You must have a few SaaS apps published to your workspace to test the Citrix Secure Workspace Access solution. The Workspace app can be downloaded from https://www.citrix.com/downloads. In Find Downloads list, select Citrix Workspace app.

• If you have an outbound firewall configured, ensure that access to the following domains is allowed.

– *.cloud.com
– *.nssvc.net
– *.netscalergateway.net

More details are available at Cloud Connector Proxy and Firewall Configuration and Internet Connectivity Requirements.

• You can add only one Workspace account.
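Both the outbound firewall domains in the note above and the SSL interception exemptions listed under the V3.5 known issues are wildcard lists that have to be present on a device you manage. The following added example (not Citrix code) reports which required entries a configured list fails to cover. The sample device lists are constructed, and the rule that a wildcard entry covers every deeper subdomain is an assumption about how the firewall or intercepting device matches names.

```python
# Required entries, copied from this page.
SSL_INTERCEPTION_EXEMPT = [
    "*.nssvc.net", "*.netscalermgmt.net", "*.citrixworkspacesapi.net",
    "*.citrixnetworkapi.net", "*.citrix.com", "*.servicebus.windows.net",
    "*.adm.cloud.com",
]
OUTBOUND_FIREWALL_ALLOW = ["*.cloud.com", "*.nssvc.net", "*.netscalergateway.net"]

# Constructed examples of what an admin might have configured on the devices.
SAMPLE_BYPASS_LIST = ["*.citrix.com", "*.windows.net", "*.nssvc.net",
                      "adm.cloud.com", "*.netscalermgmt.net"]
SAMPLE_FIREWALL_LIST = ["*.cloud.com", "*.nssvc.net"]


def _labels(pattern):
    """Split a host pattern into lower-cased DNS labels."""
    return pattern.strip().lower().rstrip(".").split(".")


def covers(entry, required):
    """True if every host matched by `required` is also matched by `entry`.

    Assumption: a leading '*' in an entry matches one or more labels, so
    '*.windows.net' covers '*.servicebus.windows.net'.
    """
    e, r = _labels(entry), _labels(required)
    if e[0] != "*":
        # An exact host never covers a wildcard requirement.
        return e == r
    suffix = e[1:]
    if not suffix:
        return True                 # a bare '*' covers everything
    return len(r) > len(suffix) and r[-len(suffix):] == suffix


def uncovered(required, configured):
    """Return the required entries that no configured entry covers."""
    return [req for req in required
            if not any(covers(entry, req) for entry in configured)]


if __name__ == "__main__":
    print("SSL interception still active for:",
          uncovered(SSL_INTERCEPTION_EXEMPT, SAMPLE_BYPASS_LIST))
    print("Firewall does not allow:",
          uncovered(OUTBOUND_FIREWALL_ALLOW, SAMPLE_FIREWALL_LIST))
```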

Admin guided workflow for easy onboarding and set up - Preview

March 1, 2022

The admin-guided workflow wizard helps the admins to configure the zero trust access to the Enterprise Web apps and SaaS apps seamlessly from a single page.

1. Choose the authentication method for the subscribers to log in to Citrix Workspace.
2. Add applications for your users.
3. Assign permissions for app access by creating the required access policies.
4. Review the app configuration.

Access the Secure Private Access admin-guided workflow wizard

Perform the following steps to access the wizard.

1. On the Secure Private Access service tile, click Manage.
2. In the Overview page, click Continue.

Step 1: Set up identity and authentication

Select the authentication method for the subscribers to log in to Citrix Workspace. Use the adaptive authentication method or you can use an existing workspace authentication method. Adaptive authentication is a Citrix Cloud service that enables advanced authentication for customers and users logging in to Citrix Workspace. Adaptive Authentication service is Citrix hosted, Citrix managed, Cloud hosted Citrix ADC that provides all the advanced authentication capabilities such as the following.

• Multifactor authentication
• Device posture scans
• Conditional authentication
• Contextual access to Citrix Virtual Apps and Desktops

To use the Adaptive Authentication method, click Manage and configure the adaptive authentication method.

To use an existing authentication method, click Workspace Configuration and select an authentication method as per your requirement.

Step 2: Add and manage applications

After you have selected the authentication method, configure the applications. For the first-time users, the Applications landing page does not display any applications. Add an app by clicking Add an app. You can add SaaS apps, Web apps, and TCP/UDP apps from this page. To add an app, click Add an app.

Once you add an app, you can see it listed here.

Complete the steps displayed in the following figure to add an app.

• Add a Web app
– Support for Enterprise web apps
– Configure direct access to Web apps
– Configure Citrix Gateway Connector
– Citrix Gateway Connector dashboard

• Add a SaaS app
– Support for Software as a Service app

• Configure an app using a template
– Apps configuration using a template
– SaaS app server specific configuration

• Configure client-server apps
– Support for client-server apps - Preview

• Launch an app
– Launch a configured app - end user workflow

• Enable read-only access to admins
– Read-only access for admins to SaaS and Web apps

Manage subscribers from the Add an app page

After you have added the apps, you can directly assign users or groups to the app from the App Subscribers section. For details, see Assign users or user groups for the published apps.

You can also assign users to the apps from the Step 2: Applications page after you have added the app successfully.

• In the Step 2: Applications screen, select the app to assign users.
• Click the ellipsis button and then click Manage Subscribers.

After you have configured the apps and assigned users or user groups to the apps, click Next to configure access policies.

Step 3: Create access policies

For the first-time users, the Access Policies landing page does not display any policies. Click Create Policy to create a policy. Once you create a policy, you can see it listed here.

1. For users of these applications - This field lists all the applications that an admin has configured in the Secure Workspace Access service. Admins can select the applications to which this contextual policy must be applied.

2. If the following condition is met - Select the condition for which this adaptive access policy must be evaluated. Select the subsequent options based on the selected condition.

3. Click Add Condition to add more conditions.

An AND operation is performed between the conditions, and then the contextual policy is evaluated.

4. Then do the following - If the set condition matches, admins can select the action to be performed for the users accessing the application.

• Allow access without restrictions - Allow access without any preset conditions.

• Allow access with restrictions - Select one of the preset security policy combinations. These security policy combinations are predefined in the system. Admins cannot modify or add other combinations.

Note:

– The options Preset 4, Preset 5, and Preset 6 are enabled only for Enterprise web apps. If an admin has selected a SaaS app along with web apps in the list of apps, then the options Preset 4, Preset 5, and Preset 6 are disabled.

– Admins can select a preset security policy and also select the option to launch an application through the secure browser in the same policy. Both the conditions are independent of each other.

• Deny access – When selected, access to the apps is denied. All other options are grayedout.

5. Select Open in secure browser to always launch an application in the Secure Browser serviceregardless of other enhanced security settings.

6. Select Access only from Citrix Workspace to always launch an application from Citrix Workspace.

7. In Policy name, enter the name of the policy.

8. Slide the toggle switch ON to enable the policy. The policy is disabled by default.

Note: You can also enable the policy from the Access Policies page by enabling the toggle switch from the Status column.

Click Create Policy.

Step 4: Review summary of each configuration

From the Review page, you can view the complete app configuration and then click Close.


Important:

• After you have completed the configuration using the wizard, you can modify the configuration of a section by directly going to that section. You do not have to follow the sequence.

• If you delete all the configured apps or the policies, you must add them again. In this case, the following screen appears if you have deleted all the policies.

The following figure displays the page after you have completed the 4-step configuration.


Dashboard

The dashboard displays a brief overview of the following entities. This data is fetched from Citrix Analytics. The data for the various entities can be viewed for the preset time or for a custom timeline. For each entity, you can also view further details.

• Users: Provides details about the active users using the applications (SaaS and Web).

• Applications: Provides details about the applications (SaaS and Web) launched over the selected period.

• Application sessions: Provides details about the total applications launched versus usage and number of sessions versus users.

• Uploads: Displays the upload volume of each app.

• Downloads: Displays the download volume of each app.

• Domains: Summarizes the details of the domains, URLs, and apps accessed by the users.

• Connector insights: Provides insights into the connector statuses.


Known issues

• When an admin tries to add an Active-Directory group under App Subscribers while adding or configuring an application, the group name is displayed as “default”.

• The Enhanced Security section does not display the previously configured settings when an admin tries to edit an application directly from the Enhanced Security section. Admins can select the Save option from the App Details section and then navigate to the Enhanced Security section to view previously configured security settings.

Add and manage apps

July 23, 2021

Apps delivery using the Citrix Secure Workspace Access service provides you an easy, secure, robust,and scalable solution to manage the apps. Apps delivered on the cloud have the following benefits:

• Simple configuration – Easy to operate, update, and consume.

• Single sign-on – Hassle free logon with Single sign-on.

• Standard template for different SaaS apps – Template based configuration of popular apps. These templates pre-fill much of the information required for configuring applications. Only the information specific to the customer must be still provided.

After you have added an Enterprise Web app or a SaaS app, you can assign users or groups to the app. Also, you can edit or delete a published app, and add more subscribers to the published app.

Support for Enterprise web apps

March 20, 2022

Web apps delivery using the Secure Workspace Access service enables enterprise specific applications to be delivered remotely as a web-based service. Commonly used web apps include SharePoint, Confluence, OneBug, and so on.

Web apps can be accessed using Citrix Workspace using the Secure Workspace Access service. The Secure Workspace Access service coupled with Citrix Workspace provides a unified user experience for the configured Web apps, SaaS apps, configured virtual apps, or any other workspace resources.

SSO and remote access to web apps are available as part of the following service packages:

• Gateway Service Standard

• Workspace Standard, Workspace Premium, or Workspace Premium Plus


System requirements

Citrix Gateway Connector – A virtual appliance that facilitates the remote access to the Enterprise web apps. The virtual machine specification must at least have:

• Number of vCPUs must be exactly 2.

• 4 GB RAM minimum.

• 1 Network Adapter (virtual NIC). You can add an extra virtual NIC upon requirement.

Install the Gateway Connector before configuring the Enterprise web apps for a cleaner approach.

For more information about Citrix Gateway Connector, see Citrix Gateway Connector.

Important:

If there are SSL intercepting devices in the on-premises data center where the Citrix Gateway Connector must be deployed, the connector registration does not succeed if SSL interception is enabled for these FQDNs. The SSL interception must be disabled for these FQDNs for successful connector registration.

For more information on Citrix Gateway Connector, see Citrix Cloud Gateway Connector.

Connector Appliance - You can use the Connector Appliance with the Citrix Secure Workspace Access service to support VPN-less access to the Enterprise Web apps in the customers’ data center. For details, see https://docs.citrix.com/en-us/preview/connector-appliance-swa.html. Secure Workspace Access with Connector Appliance is presently under private technical preview.

How it works

Secure Workspace Access service securely connects to the on-premises data center using Citrix Cloud Gateway Connector, which is deployed on-premises. This connector acts as a bridge between Enterprise web apps deployed on-premises and the Secure Workspace Access service. These connectors can be deployed in an HA pair and require only an outbound connection.

A TLS connection between the Gateway connector and the Secure Workspace Access service in the cloud secures the on-premises applications that are enumerated into the cloud service. Web applications are accessed and delivered through Workspace using a VPN-less connection.

The following figure illustrates accessing web applications using Citrix Workspace.


Ways to configure Enterprise web apps

Enterprise web apps can be configured and published in the following two ways:

• Template based configuration - For configuration steps, see Configuring and publishing apps using template

• Manual configuration - Configuration steps are as follows.

Configure and publish Enterprise web apps manually

The following configuration takes the SharePoint app as an example to configure and publish an app manually:

1. On the Secure Workspace Access tile, click Manage.

2. Click Add an app.

3. Click Skip to configure the SharePoint app manually.


4. Select the Inside my corporate network radio button.

Enter the following details in the App Details section and click Next.

Name – Name of the application that you are adding.

URL – URL with your customer ID. The URL must contain your customer ID (Citrix Cloud customer ID). To get your customer ID, see Sign up for Citrix Cloud. In case SSO fails or you do not want to use SSO, the user is redirected to this URL.

Customer domain name and Customer domain ID - Customer domain name and ID are used to create the app URL and other subsequent URLs in the SAML SSO page.

For example, if you are adding a Salesforce app, your domain name is salesforceformyorg and ID is 123754, then the app URL is https://salesforceformyorg.my.salesforce.com/?so=123754.

Customer domain name and Customer ID fields are specific to certain apps.

Related Domains – The related domain is auto-populated based on the URL that you have provided. Related domain helps the service to identify the URL as part of the app and route traffic accordingly. You can add more than one related domain.

Icon – Click Change icon to change the app icon. The icon file size must be 128x128 pixels. If you do not change the icon, the default icon is displayed.

Description – The description that you enter here is displayed to your users in the workspace.


5. In the Enhanced Security section, select Enable enhanced security to choose the security options you would like to apply to the application.

Important:

The Enhanced Security section is available only if you are entitled to Secure Workspace Access service. For details, see https://www.citrix.com/products/citrix-cloud/.

• The following enhanced security options can be enabled for the application.

– Restrict clipboard access: Disables cut/copy/paste operations between the app and system clipboard

– Restrict printing: Disables ability to print from within the Citrix Workspace app browser

– Restrict navigation: Disables the next/back app browser buttons

– Restrict downloads: Disables the user’s ability to download from within the app

– Display watermark: Displays a watermark on the user’s screen displaying the user name and IP address of the user’s machine


Important:

Restrict Navigation is not supported with the Citrix Workspace Browser. For details, see Citrix Workspace Browser.

• The following advanced app protection policies can be enabled for the application.

Restrict keylogging: Protects against key loggers. When a user tries to log on to the app using the user name and password, all the keys are encrypted on the key loggers. Also, all activities that a user performs on the app are protected against key logging. For example, if app protection policies are enabled for Office365 and the user edits an Office365 word document, all key strokes are encrypted on key loggers.

Restrict screen capture: Disables the ability to capture the screens using any of the screen capture programs or apps. If a user tries to capture the screen, a blank screen is captured.

Important:

– You can enable the advanced app protection policies only after enabling the Enable enhanced security option.

– The app protection policies are enabled per app because not all apps might require these restrictions.

– The app protection policies work only when the app is delivered through the Citrix embedded browser.

• Select Launch application always in Citrix Secure Browser service to always launch an application in Secure Browser service regardless of other enhanced security settings.

Note:

– The other enhanced security options are still enforced once the app is launched inside the Secure Browser.


– If you are accessing the app from the Citrix Workspace app or from the Citrix Workspace for web, then the app is launched in the embedded browser or the native browser respectively until the policy is enforced on mobile devices.

• Select Enforce policy on mobile device to enable the previously mentioned enhanced security options on your mobile device.

Note:

When Enforce Policy on Mobile Device is selected along with Enable enhanced security, the user experience for the application access is negatively impacted for the desktop users and the mobile users.

6. Now you must connect to a resource location. You can either select an existing resource location or create one. To choose an existing resource location, click one of the resource locations from the list of resource locations, for example My Resource Location, and click Next. For guidance on adding a resource location, see https://docs.citrix.com/en-us/citrix-secure-workspace-access/citrix-gateway-connector.html

7. Select your preferred single sign-on type to be used for your application and click Save. The following single sign-on types are available.

• Basic – If your back-end server presents you with a basic-401 challenge, choose Basic SSO. You do not need to provide any configuration details for the Basic SSO type.

• Kerberos – If your back-end server presents you with the negotiate-401 challenge, choose Kerberos. You do not need to provide any configuration details for the Kerberos SSO type.

• Form-Based – If your back-end server presents you with an HTML form for authentication, choose Form-Based. Enter the configuration details for the Form-Based SSO type.

• SAML - Choose SAML for SAML-based SSO into web applications. Enter the configuration details for SAML SSO type.

• Don’t use SSO – Use the Don’t use SSO option when you do not need to authenticate a user on the back end server. When the Don’t use SSO option is selected, the user is redirected to the URL configured under the App details section.

Form based details: Enter the following form-based configuration details in the Single Sign On section and click Save.

• Action URL - Type the URL to which the completed form is submitted.

• Logon form URL – Type the URL on which the logon form is presented.

• Username Format - Select a format for the user name.

• Username Form Field – Type a user name attribute.

• Password Form Field – Type a password attribute.

SAML: Enter the following details in the Single sign on section and click Save.


• Sign Assertion - Signing assertion or response ensures message integrity when the response or assertion is delivered to the relying party (SP). You can select Assertion, Response, Both, or None.

• Assertion URL – Assertion URL is provided by the application vendor. The SAML assertion is sent to this URL.

• Relay State – The Relay State parameter is used to identify the specific resource the users access after they are signed in and directed to the relying party’s federation server. Relay State generates a single URL for the users. Users can click this URL to log on to the target application.

• Audience – Audience is provided by the application vendor. This value confirms that the SAML assertion is generated for the correct application.

• Name ID Format – Select the supported name identifier format.

• Name ID – Select the supported name ID.

8. Click Finish.

After you click Finish, the app is added to the library and you are presented with the following three options.

• Add Another App

• Edit App

• Go to the Library

Assign users or user groups for the published apps

After an app is published, you can assign users or groups to the app.


1. On the Citrix Cloud screen, click Go to the Library. Alternatively, you can also click Library in the upper left menu.

Notice that the newly added app features in your library.

2. To assign users for the app, hover your pointer over the ellipses on the right, and click Manage Subscribers.


3. Click Choose a domain list and select a domain. Click Choose a group or user and assign users.

Note: A subscribed user can be unsubscribed by selecting the user and clicking the delete icon next to Status.

4. To obtain the Workspace URL to be shared with app users, on Citrix Cloud, click the menu icon and navigate to Workspace Configuration.


Manage your published apps

You can edit or delete a published app, and add more subscribers to the published app.

Edit a published app

To edit a published app, perform the following steps:

1. Go to Library and identify the app to be edited.

2. Hover your pointer over the ellipses on the right and click Edit.

3. Edit the entries under the App Details section and click Save.

4. Edit the entries under the Single Sign On section, click Save, and click Finish.

Delete a published app

To delete a published app, perform the following steps:

1. Go to Library and identify the app to be deleted.

2. Click the dot icon on the right and click Delete.

Manage subscribers for published app

To add more subscribers, perform the following steps:

1. Go to Library and identify the app to be modified.

2. Hover your pointer over the ellipses on the right, and click Manage Subscribers.


Launch a configured app – end-user flow

To launch a configured app, perform the following steps:

1. Log on to Citrix Workspace with AD user credentials. The admin-configured apps are displayed.

2. Click the app to launch the app. The app is launched and the user is signed in to the app.

Enable VPN-less access to Enterprise Web apps through a local browser

You can use the Citrix Secure Workspace Access browser extension to enable VPN-less access to Enterprise Web apps through a local browser. The Citrix Secure Workspace Access browser extension is supported on both Google Chrome and Microsoft Edge browsers.

How to install the Citrix Secure Workspace Access browser extension

1. Download the Citrix Secure Workspace Access browser extension from the Google Chrome store.

2. Click Register to register your server FQDN.

3. Enter your server FQDN and click Next.

4. Enter your Citrix Workspace URL.

5. Click Next.

6. Enter your user name and password.

• On entering the correct user credentials, the user is signed into the Workspace web portal and the browser extension.

• Browser extension icon turns blue, indicating internal app access is enabled.

• Browser extension window closes automatically after successful sign-in.


7. Access to links of the sanctioned internal web apps is now enabled directly in the browser. If the web app is configured for SSO, the user is signed into the app.

Note:

• When you are on the internal network and do not need the browser extension to enable access to those URLs, you can turn the Internal App Access slider to OFF, and then access the URLs.

• You can sign out of the browser extension if you want to disable internal web app access from the local browser.

• You can also delete your account registration by clicking the Delete button, to reset the extension back to its original state. Once you unregister your account, you cannot access the Enterprise Web apps from your native browser.

Configure session timeouts

Admins can configure session timeouts for the Citrix Secure Workspace Access browser extension.

1. On the Secure Workspace Access tile, click Manage.

2. Click the Manage tab.

3. In Inactivity Timeout for Browser Extension Behavior, select the timeout as per the requirement.

Important:

The routing rules cannot be sent to the browser extension temporarily.

Direct access to Enterprise web apps - Preview

February 9, 2022


Enterprise web applications like SharePoint, JIRA, Confluence, and others, which are hosted by the customer either on-premises or on public clouds, can now be accessed directly from a client browser. End users no longer need to initiate access to their enterprise web apps from the Citrix Workspace experience. This feature also enables end users to access the web apps by clicking links from their emails, collaboration tools, or browser bookmarks, thus providing a true zero footprint solution to the customers.

How it works

• Add a new DNS record or modify an existing DNS record for the configured Enterprise web apps.

• The IT administrator adds a new public DNS record or modifies an existing public DNS record for the configured enterprise web app FQDN to redirect the user to the Citrix Secure Workspace Access service.

• When the end-user initiates access to the configured enterprise web app, the app traffic is steered to the Citrix Secure Workspace Access service, which then proxies the access to the app.

• Once the request lands on the Citrix Secure Workspace Access service, it checks for user authentication and application authorization, including contextual access policy checks.

• Upon successful validation, the Citrix Secure Workspace Access service communicates with Citrix Cloud Gateway connectors, deployed at the customer’s environment (either on-premises or in the cloud), to enable access to the configured enterprise web app.

Configure Citrix Secure Workspace Access for direct access to Enterprise web apps

Prerequisites

Before you begin, you need the following for the application to be configured.

• Application FQDN

• SSL certificate – Public certificate for the app to be configured

• Resource location – Install Citrix Cloud Gateway connectors

• Access to the public DNS record to update it with the canonical name (CNAME) provided by Citrix during the app configuration.

The following configuration takes the SharePoint app as an example.

1. On the Secure Workspace Access tile, click Manage.

2. Click Add an App.

3. Click Skip to configure the web app manually.


4. In the App Details section, do the following.

(a). Select Inside my corporate network and enter the following details.

• App name – Name of the application that you are adding.

• App icon – Click the Change icon to change the app icon. The icon file size must be 128x128 pixels. If you do not change the icon, the default icon is displayed.

• App description – The app description that you enter here is displayed to your users in the workspace.

(b). Enable Direct Access check box, enter the following details, and click Next.

• URL – URL for the back-end application. The URL must be in HTTPS format and a corresponding DNS entry must be added by the admin.

• SSL certificate – Select an existing SSL certificate from the drop-down menu or add a new SSL certificate by clicking Add New SSL Certificate.

Points to note:

– Only a public or a trusted CA certificate is supported. Self-signed certificates are not supported.

– Only a certificate with key size of 4K or less is supported.

– Full chain of certificate must be uploaded.

• Related Domains – The related domain is auto-populated based on the URL that you have provided. Related domain helps the service to identify the URL as part of the app and route traffic accordingly. You can add more than one related domain. An SSL cert must be bound to each related domain.

• CName record – Auto generated by Secure Workspace Access. This is the value that must be entered in the DNS to enable direct access to the application.


5. In the Enhanced Security section, select Enable enhanced security to choose the security options you would like to apply to the application.

Note: The configuration steps from 5 to 7 are the same as detailed in Configure and publish Enterprise web apps manually.

Important: The Enhanced Security section is available only if you are entitled to the Secure Workspace Access service. For detailed guidance, see https://www.citrix.com/products/citrix-cloud.

6. In the Single sign on section, select your preferred single sign-on type to be used for your application and click Save. For detailed guidance, see Configure and publish Enterprise web apps manually.

7. In the App Connectivity section, you must choose a resource location and, in turn, the Gateway connectors. You can either select an existing resource location or create one and deploy new Gateway connectors. To choose an existing resource location, click one of the resource locations from the list of resource locations, for example My Resource Location, and click Next. For detailed guidance, see Configure and publish Enterprise web apps manually.


Note: The steps to assign users or user groups for the published apps and to manage your published apps remain unchanged. For detailed guidance, see the following links.

Configure and publish Enterprise web apps manually.

Manage your published apps.

With this configuration in place, the end-users must be able to access the configured web app directly using their client browser.

Citrix Gateway Connector

November 5, 2021

Citrix Gateway Connector is a Citrix component which serves as a channel of communication between Cloud services (Secure Workspace Access service, ADM, and so on) and on-premises components such as Web servers. It is a virtual appliance compatible with Citrix Hypervisor, VMware ESXi, and Microsoft Hyper-V with a small form factor. Citrix Gateway Connector facilitates the remote access to the Enterprise web apps.

How it works

Citrix Gateway Connector authenticates and encrypts all communication between Citrix Cloud and your resource locations. The communication between the Citrix Gateway Connector and Citrix Cloud is outbound. All connections are established from the Citrix Gateway Connector to the cloud using the standard HTTPS port (443) and the TCP protocol. No incoming connections are accepted. TCP port 443 is permitted outbound to the following FQDNs:

• *.nssvc.net

• *.netscalermgmt.net

• *.citrixworkspacesapi.net

• *.citrixnetworkapi.net

• *.citrix.com

• *.servicebus.windows.net

• *.adm.cloud.com

Important:

If there are SSL intercepting devices in the on-premises data center where the Citrix Gateway Connector must be deployed, the connector registration does not succeed if SSL interception is enabled for these FQDNs. The SSL interception must be disabled for these FQDNs for successful connector registration.


Capabilities of Citrix Gateway Connector

The following are some of the capabilities of Citrix Gateway Connector.

• Acts as a reverse proxy – Citrix Gateway Connector acts as a reverse proxy to Enterprise Web apps. The required web application ports must be opened from the Gateway Connector to the apps.

• Enables single sign-on: The Citrix Gateway Connector provides the following single sign-on capabilities with the Secure Workspace Access service.

– Basic SSO

– Kerberos

– Form-based

– SAML

– No SSO

• Enables application of optional security policies through Secure Workspace Access – The Citrix Gateway Connector provides enhanced security capabilities through the Citrix Secure Workspace Access service. For example,

– Restrict clipboard access

– Restrict printing

– Restrict navigation

– Restrict downloads

– Display watermark

– App protection policies

– Enforce policy on mobile device

For details, see Support for Enterprise web apps and Support for Software as a Service apps.

System requirements

Citrix Gateway Connector is a virtual appliance. The minimum system requirements for the Citrix Gateway Connector are as follows:

• Number of vCPUs must be exactly 2.

• 4 GB RAM minimum.

Important:

The minimum system requirement for RAM has changed. If you have an existing Citrix Gateway Connector, upgrade the system memory of your virtual machines to match the new requirement of 4 GB RAM.

For details, see Upgrade the system memory of Citrix Gateway Connector virtual machines.

• 1 Network Adapter (virtual NIC). You can add an extra virtual NIC upon requirement.


• Firewall:

– UDP port 53 to DNS server

– TCP and UDP port 389 to Active Directory Domain Controllers (optional* - * is described at the end of the page)

– TCP port 636 to Active Directory Domain Controllers (optional *)

– TCP port 3268 to Active Directory Domain Controllers (optional *)

– TCP port 3269 to Active Directory Domain Controllers (optional *)

– TCP port 443 permitted outbound to the following FQDNs:

* *.nssvc.net

* *.netscalermgmt.net

* *.citrixworkspacesapi.net

* *.citrixnetworkapi.net

* *.citrix.com

* *.servicebus.windows.net

* *.adm.cloud.com

– TCP ports (**) to Web servers accessed using Citrix Gateway Connector

– Open port 8443 inbound for web-based management

* - Required to perform domain-based single sign-on to Web applications

** - Ports determined by the customers’ environment – ports 80 and 443 are typical

Recommended: Network with DHCP enabled to simplify the initial configuration.
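The outbound rule above (TCP port 443 to the listed FQDNs, with no SSL interception) can be checked against firewall or proxy logs. The following Python script is an added example, not Citrix code; the key=value log format, the tls_inspect field, and the sample host names are constructed for illustration, and it assumes that each wildcard entry covers subdomains of any depth and that the log holds only the connector's internet-bound traffic.

```python
import re
from collections import defaultdict

# FQDN patterns the page lists as permitted outbound on TCP 443.
ALLOWED_443 = (
    "*.nssvc.net",
    "*.netscalermgmt.net",
    "*.citrixworkspacesapi.net",
    "*.citrixnetworkapi.net",
    "*.citrix.com",
    "*.servicebus.windows.net",
    "*.adm.cloud.com",
)

FIELD_RE = re.compile(r"(\w+)=(\S+)")          # constructed key=value log format
REQUIRED_FIELDS = {"dst", "proto", "dport", "action"}


def wildcard_match(pattern, host):
    """Match host against a '*.suffix' pattern on a DNS label boundary.

    Assumption: the wildcard covers any subdomain depth. Keeping the
    leading dot in the suffix is what rejects look-alikes such as
    'examplecitrix.com', which a bare endswith('citrix.com') would accept.
    """
    host = host.rstrip(".").lower()
    suffix = pattern[1:].lower()               # '*.citrix.com' -> '.citrix.com'
    return host.endswith(suffix) and len(host) > len(suffix)


def classify(event):
    """Return a finding label for one parsed connection event."""
    documented = (
        event["proto"].lower() == "tcp"
        and event["dport"] == "443"
        and any(wildcard_match(p, event["dst"]) for p in ALLOWED_443)
    )
    if documented:
        if event["action"] != "allow":
            return "blocked_required"          # a documented destination is blocked
        if event.get("tls_inspect") == "yes":
            return "intercepted"               # SSL interception breaks registration
        return "ok"
    # Any other allowed internet-bound flow from the appliance deserves review.
    return "unexpected_egress" if event["action"] == "allow" else "denied_other"


def audit(lines):
    """Group destination hosts by finding label; keep unparsable lines as-is."""
    findings = defaultdict(list)
    for line in lines:
        event = dict(FIELD_RE.findall(line))
        if not REQUIRED_FIELDS <= event.keys():
            findings["unparsed"].append(line)
            continue
        findings[classify(event)].append(event["dst"])
    return dict(findings)


# Constructed sample log for one connector VM (10.0.0.5 is a placeholder).
SAMPLE_LOG = [
    "2022-03-01T10:00:01Z src=10.0.0.5 dst=agent.nssvc.net proto=tcp dport=443 action=allow tls_inspect=no",
    "2022-03-01T10:00:02Z src=10.0.0.5 dst=reg.citrixworkspacesapi.net proto=tcp dport=443 action=deny tls_inspect=no",
    "2022-03-01T10:00:03Z src=10.0.0.5 dst=sb1.servicebus.windows.net proto=tcp dport=443 action=allow tls_inspect=yes",
    "2022-03-01T10:00:04Z src=10.0.0.5 dst=citrix.com.example.net proto=tcp dport=443 action=allow tls_inspect=no",
    "2022-03-01T10:00:05Z src=10.0.0.5 dst=updates.example.org proto=tcp dport=80 action=allow tls_inspect=no",
    "2022-03-01T10:00:06Z src=10.0.0.5 dst=A.B.Citrix.COM. proto=TCP dport=443 action=allow tls_inspect=no",
    "2022-03-01T10:00:07Z connector heartbeat",
]

if __name__ == "__main__":
    for label, hosts in sorted(audit(SAMPLE_LOG).items()):
        print(f"{label:18} {hosts}")
```

Entries under blocked_required or intercepted point at the registration failures the page describes; entries under unexpected_egress are destinations outside the documented list.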

Ways to install Citrix Gateway Connector

Citrix Gateway Connector can be installed in one of the following ways.

• From the Citrix Cloud user interface• While adding an Enterprise Web app

In both cases, you must create a new virtual machine as described in the following section.

Create a new virtual machine

1. Sign in to Citrix Cloud.

2. From the menu in the top-left of the screen, select Resource Locations.

• If you have no existing resource locations, click Download on the Resource Locations page. When prompted, save the cwcconnector.exe file. For details, see Cloud Connector Installation.


• If you have a resource location but no Cloud Connectors installed in it, click the Cloud Connectors bar and then click Download. When prompted, save the cwcconnector.exe file.

3. Click Gateway Connectors.

4. Select the hypervisor and click Download Image. Import the locally downloaded image to your hypervisor and create a new virtual machine (Citrix Gateway Connector).

5. Click Get Activation Code.


6. The activation code is generated as follows.

7. Once the installation is complete, click Detect.


Install Citrix Gateway Connector by using the Citrix Cloud user interface

The following are the steps to set up a resource location and install Citrix Gateway Connector using the Citrix Cloud user interface:

1. On the top left of the Citrix Cloud screen, click the hamburger icon and select Resource Locations. Click the plus icon next to Resource Locations.

2. Provide a name for the resource location and click Save.

3. Double-click the plus icon next to Citrix Gateway Connectors under the newly created resource location.


4. Complete the steps as described in Create a new virtual machine.

Install Citrix Gateway Connector while adding an Enterprise Web app

While adding an Enterprise Web app using the Secure Workspace Access service user interface, you can set up a new resource location and download connectors. For details on adding an Enterprise Web app, see Support for Enterprise web apps.

To set up a resource location and download connectors, perform the following steps:

1. In the Web app connectivity section, select the Create New radio button. Provide a name for the resource location and click Save.

2. Click Install Citrix Gateway Connector.


3. Complete the steps as described in Create a new virtual machine.

Access the Citrix Gateway Connector user interface by using the URL

You can access the Citrix Gateway Connector user interface by using the URL that is displayed in one of the messages on the newly installed Citrix Gateway Connector VM. You can also log on to the Citrix Gateway Connector CLI as an administrator and run the show ip command for viewing the IP address assigned to the Citrix Gateway Connector through DHCP. Then you can open https://<IP address>:8443 on your browser to access the Citrix Gateway Connector admin user interface.

Important:

For Azure, Citrix recommends that customers access the Citrix Gateway Connector user interface from inside the Azure Virtual network.

Log on and set up the Citrix Gateway Connector

After the Citrix Gateway Connector installation is complete, look for the following message on the newly installed VM (Citrix Gateway Connector).

Type the mentioned URL in a browser to access the Citrix Gateway Connector user interface. You can also log on to the Citrix Gateway Connector CLI as an administrator and run the show ip command. The command displays the IP address assigned to the Citrix Gateway Connector through DHCP. Then open https://<IP address>:8443 on your browser to access the Citrix Gateway Connector admin user interface.


1. For a first-time user, the user name and password for the following screen is administrator.

2. Change the password by providing a password of your choice in the Set administrator password section and click Continue.

3. Enter the following configuration details in the System settings section and click Continue.

• Connector IP Address – IP address of Gateway Connector.
• Subnet Mask – Subnet mask of the Gateway Connector IP address.
• Default Gateway – IP address of the default gateway.
• DNS Server – IP address of the DNS server. Starting from Citrix Gateway Connector release 13.0, there is a change in the DNS server configuration. For details, see the section Changes to the DNS server settings.
• Proxy IP – Your internal proxy server IP address.
• Proxy Port – Port of the proxy server.


Changes to the DNS server settings:

Starting from Citrix Gateway Connector 13.0.400.xxx, the DNS configuration for both UDP and TCP protocol on the connector appliance is updated automatically when it is set in the System Settings section. However, if you upgrade your connector from earlier versions, you have to manually delete the DNS setting and add it again. To do so, perform the following.

a) Navigate to the Citrix Gateway Connector dashboard > Edit Settings.
b) Click the delete icon next to the first DNS Server field and click Continue.
c) Navigate to the Edit Settings page, add the same DNS server again, and click Continue.
d) Repeat the steps for the second DNS server.

Note:
• You do not have to perform these steps for new instances of the 13.0 Citrix Gateway Connector.
• You need not perform the earlier mentioned steps immediately after the upgrade. There is no loss of functionality if this is not done. These steps must be performed for enterprise customers who require DNS over TCP functionality for Enterprise Web apps to function correctly.

4. In the Single sign on section, check Enable Kerberos Single Sign On for capabilities beyond the basic authentication.

Active directory domain is the global domain and is set as the realm of the KCD account. If you want to override the global realm of the user, then you can use the following command in the connector. SSH to your gateway connector using the same credentials that you use to log on to the connector configuration page. Type the following command:

set kcdaccount ngs_kcdaccount -userRealm <value>

Example: In this example, realm aaa.local is the global domain and bbb.local is the overridden user realm.

ssh kcdaccount
KCD Account : ngs_kcdaccount
Keytab :
Realm : AAA.LOCAL
User Realm : BBB.LOCAL
DelegatedUser :
User Certificate :
CA Certificate :
Done

You can validate the Kerberos details in two ways, realm-only mode and full Kerberos constrained delegation (KCD).

Important:

For using KCD on a Citrix Gateway Connector, you must first set up KCD in your data center before configuring KCD on a Citrix Gateway Connector. For details, see Prerequisites to set up KCD in your data center before configuring KCD on Citrix Gateway Connector.

You can use the Test option for debugging purposes. For example, if the Kerberos details are not correctly set and if an app is added, SSO to the app fails.


a) For realm-only mode, select Enable Kerberos Single Sign On, enter the following details, and then click Test Kerberos.

• Active Directory Domain – Active Directory domain for the users to be granted access.
• Service FQDN – FQDN of the service (the service FQDN that the user must access through configuring Web apps).
• Username – User name of the logged on user.
• Password – Password of the logged on user.

b) For full Kerberos constrained delegation, select Kerberos Constrained Delegation, enter the following details, and then click Test Kerberos.

• Active Directory Domain – Active Directory domain for the users to be granted access.
• Service Account Username – Service account user name used for delegation. For details, see Prerequisites to set up KCD in your data center before configuring KCD on Citrix Gateway Connector.
• Service Account Password – Password for the service account user name used for delegation.
• Service FQDN – FQDN of the service (the service FQDN that the user must access through configuring Web apps).
• Username – User name of the logged on user.


In both cases, based on whether the validation is successful or not, the respective message appears. The following figure displays a sample validation error message.

5. Enter the activation code to register the connector with Citrix Cloud. Click Save and Finish.

6. Click Connectivity Test. (This step is optional)


The Connectivity Test option enables you to confirm that there are no errors in the Gateway Connector configuration and the Gateway Connector is able to connect to the URLs. This step is optional. You can skip this step and proceed with activating the Gateway Connector.

• When you click Connectivity Test, a set of URLs is run in the back end to ensure that the connector is able to connect to those URLs. If all the URLs are successfully run, the connectivity test success message appears. The following FQDNs are run when you click Connectivity Test.

– agent.netscalermgmt.net
– agent.netscalermgmt.net
– trust.citrixnetworkapi.net
– download.citrixnetworkapi.net
– web-reg.c.nssvc.net
– agent.adm.cloud.com
– anse.agent.adm.cloud.com
– railay.agent.adm.cloud.com
– agent.netscalermgmt.net
– evergreen.citrixnetworkapi.net
– agenthub.citrixworkspacesapi.net
– callhome.citrix.com

• If any of these URLs do not respond, an error message appears and the corresponding URL is displayed. The error messages are classified under three categories.

– DNS error
– Server error
– SSL exception

The following images display sample error messages.


7. Finally, enter the activation code to register the connector with Citrix Cloud and click Save and Finish.

For details on how to get the activation code, see Create a new virtual machine.


Prerequisites to set up KCD in your data center before configuring KCD on Citrix Gateway Connector

1. Create a user account in the active directory that must be used for delegation.


2. Use the following command to add a service principal name (SPN) for the webserver that must use KCD.

setspn -A http/<webserver fqdn> <domain\Kerberos user>

3. Confirm the SPNs for the Kerberos user using the following command.

setspn -l <Kerberos user>

In the following example, an SPN is added for a webserver that the KCD account must access.


Notice that the Delegation tab appears after you run the setspn command.

4. Select Trust this user for delegation to specified services only and Use any authentication protocol.

5. Add the web server for which you need Kerberos SSO, and select the Service Type as http.


Note:

You can now use this user account when configuring KCD on a Citrix Gateway Connector. This user account must be added as the service account user name.

Troubleshoot Citrix Gateway Connector registration issues

You can use the Trace feature and the Download Logs feature to troubleshoot Citrix Gateway Connector registration issues.

Trace feature

While registering Citrix Gateway Connector, you might come across issues because of which the registration might not be successful. To troubleshoot these issues, you can use the Trace Info link that appears the first time you register the connector. You can download the trace files and share them with the administrators for troubleshooting. Trace files are in an encrypted format.
The Trace Info link is also available in the Gateway Connector dashboard even after the registration. You can also capture and download trace files from the dashboard for debugging issues.

How to download trace files

1. Click Trace Info.

2. In the Trace dialog box, select the duration that you want to run the trace and then click Start. The Trace dialog box displays the progress.

3. You can stop the trace that is in progress before it is complete. You can then download the trace files by clicking the Download button. You can also start a new trace from the dialog box.


Note: For debugging registration failures, first start a trace with a given pre-set interval, enter the activation code, and submit for registration.

• If the registration fails, you can click the Trace info link to bring up the Trace dialog again, stop the trace, and then download the trace files.

• If the registration succeeds, then the Dashboard console comes up and the trace stops automatically in the background.

Important:

• Closing the Trace window before the trace is complete does not stop the trace. The trace keeps running in the background until it is completed.

• If you refresh or close the browser when the trace is in progress, you must manually stop the trace by clicking the Trace Info link to prevent the trace from running indefinitely. In this scenario, the Trace Info link displays only the Stop button and does not display the Download button. Therefore, you cannot download the captured trace. To capture the trace again, click Start new trace.

Download logs

The Download logs option is available in Gateway Connector from version 401.251. If you are on an earlier version of the connector and you upgrade the connector to version 401.251, you still cannot download the logs even though the Download Logs link is available.

How to download logs

1. Click Download Logs.

The Download Logs link is available even during the first time use to help set up the connector.

A log file is generated. Generation of the log file takes some time. Once the log file is generated, a message with the link to the download file appears.


2. Click Download. A .tgz file is downloaded.

All files in the download folder are in an encrypted format. Contact the Citrix Cloud support team for help.

Delete a Citrix Gateway Connector

Perform the following to delete a Citrix Gateway Connector.

1. Sign in to Citrix Cloud.

2. Select Resource Locations from the menu in the top-left of the screen.

3. In the Resource Locations page, click Gateway Connectors for a specific resource location.

4. Select the Gateway Connector that you want to delete and click the ellipsis menu.

5. Select Remove Connector.

A confirmation dialog box appears.

6. Click OK.

Note: It might take a couple of minutes for the Gateway Connector to be removed from the Resource Locations page. Also, it might take some time for the Gateway Connector to unregister from the gateway controller.


Upgrade the system memory of Citrix Gateway Connector virtual machines

By default, the Gateway Connector RAM size is 2 GB. It is recommended that you increase the RAM size to 4 GB for optimal performance. This recommendation is applicable for new or existing connector installations.

If you have two connectors per resource location for high availability, perform the following to upgrade the connector virtual machines.

1. From the hypervisor, shut down one of the connector virtual machines.
2. Edit the hardware configuration or settings of the virtual machine depending on the type of hypervisor.
3. Navigate to Memory tab.
4. If the RAM size is 2,048 MB, increase it to 4,096 MB and save the configuration.
5. Power up the virtual machine.
6. Repeat these steps on the second connector virtual machine as well.

Important:

Ensure that you upgrade one connector at a time to avoid any outages.

Continuous availability of the Citrix Gateway Connector

As long as you ensure continuous availability of the Citrix Gateway Connector in each resource location, you can manage the machines where they are installed one at a time to avoid outage periods.

For continuous availability, install multiple Citrix Gateway Connectors in each of your resource locations. Citrix recommends at least two (2) Citrix Gateway Connectors in each resource location. If one Citrix Gateway Connector is unavailable for any time, the other Citrix Gateway Connectors can maintain the connection.
As long as there is one Citrix Gateway Connector available, there is no loss in communication with Citrix Cloud.
Citrix Gateway Connectors can be restricted to upgrade during a specified maintenance window every 24 hours, controlled per Resource Location.

Load management

Manage load by installing multiple Citrix Gateway Connectors in each resource location. Since each Citrix Gateway Connector is stateless, the load can be distributed across all available Citrix Gateway Connectors. There is no need to configure this load balancing function. It is automated.


Citrix Gateway Connector dashboard

November 5, 2021

The Citrix Gateway Connector dashboard provides key metrics such as CPU usage (packet and management), in-use memory, and TCP connection details.

You can perform the following from the Gateway Connector dashboard.

Restart the connector

Click Restart to restart the connector from the user interface. You can either do a warm reboot or a complete restart of the Gateway Connector.

Re-register the connector with Citrix Cloud

Click Retry activation code if you want to install the already registered connector in a different resource location. Enter the activation code that was provided when you downloaded the Gateway Connector.

Download support logs

Click Download Logs to download the support logs from the Gateway Connector. The Download Logs link is available even during the first time use to help set up the connector.


1. Click Download Logs.

A log file is generated. Generation of the log file takes some time. Once the log file is generated, a message with the link to the download file appears.

2. Click Download. A .tgz file is downloaded.

All files in the download folder are in an encrypted format. Reach out to the Citrix Cloud support team for help.

Important: The Download logs option is available in Gateway Connector from version 401.251. If you are on an earlier version of the connector and you upgrade the connector to version 401.251, you still cannot download the logs even though the Download Logs link is available.

Download trace files

You can use the Trace Info link to download the trace files. For details, see Download trace files for troubleshooting Citrix Gateway Connector registration issues.

Support for client-server apps - Preview

February 16, 2022

With Citrix Secure Workspace Access, you can now access all private apps including TCP/HTTPS apps either using a native browser or a native client application via the Citrix Secure Access agent running on your machine.

With the additional support of client-server applications within Citrix Secure Workspace Access, you can now eliminate the dependency on a traditional VPN solution to provide access to all private apps for remote users.

How it works?

End users can easily access all their sanctioned private apps by simply installing the Citrix Secure Access agent on their client devices.

• For Windows, the agent (version 21.12.1.4 and later) can be downloaded from https://www.citrix.com/en-in/downloads/citrix-gateway/plug-ins/citrix-gateway-windows-plug-in-clients.html.

• For macOS, the agent (version 22.02.2) can be downloaded from the App Store.

Not included in this preview

• Access to UDP apps is not supported.


Admin Configuration – ZTNA agent-based access to TCP apps

Prerequisites

• Access to Citrix Secure Workspace Access in Citrix Cloud.
• Citrix Cloud Connector – Install a Citrix Cloud Connector for Active Directory domain configuration. For details, see Identity and access management.
• Connector Appliance – Citrix recommends installing two Connector Appliances in a high availability set-up in your resource location. The connector can be installed either on-premises, in the data center hypervisor, or in public cloud. For more information on Connector Appliance and its installation, see Connector Appliance for Cloud Services.

Steps to configure TCP apps:

1. On the Citrix Secure Workspace Access tile, click Manage.

2. Click Add an App.
Note: An app is a logical grouping of destinations. You can create an app for multiple destinations, where each destination is a different server in the back end. For example, one app can have one SSH, one RDP, one Database server, and one Web server. You don't have to create one app per destination; one app can have many destinations.

3. In the Choose a template section, click Skip to configure the TCP app manually.

4. In the App Details section, select Inside my corporate network, enter the following details, and click Next.

• App type – Select TCP/UDP.
• App name – Name of the application that you are adding.
• App icon – An app icon is displayed. This field is optional.
• App description – Description of the app you are adding. This field is optional.
• Destinations – IP Addresses or FQDNs of the back-end machines residing in the resource location. One or more destinations can be specified as follows.
    • IP address v4
    • IP address Range – Example: 10.68.90.10-10.68.90.99
    • CIDR – Example: 10.106.90.0/24
    • Hostname (FQDN) of the machines or Domain name – Single or wildcard domain. Example: ex.destination.domain.com, *.domain.com
• Port – The port on which the app is running. Only a single port can be specified.
• Protocol – TCP


An application can be configured with multiple destinations of various types.

5. In the App Connectivity section, a mini version of the Application Domains table is available to make the routing decisions. For each destination, you can choose a different or same resource location. Destinations configured in the previous step are populated under the DESTINATION column. Destinations added here are also added to the main routing table. The routing table is the source of truth for making the routing decision to direct connection establishment and traffic to the correct resource location. For more information on the routing table and possible IP conflict scenarios, see the Application Domains - IP address conflict resolution section.

6. For the following fields, select an input from the drop-down menu and click Next.

Note: Only the Internal route type is supported.

• RESOURCE LOCATION – From the drop-down menu, you must connect to a resource location with at least one Connector Appliance installed.
Note: Connector Appliance installation is supported from the App Connectivity section. You can also install it under the Resource Locations section in the Citrix Cloud portal. For more information on creating a Resource Location, see Set up resource locations.


7. Click Finish to complete the app configuration.

8. After you click Finish, the app is added to the library, and you are presented with the following three options.

• Add Another App
• Edit App
• Go to the Library

9. On the Citrix Cloud screen, click Go to the Library. Notice that the newly added app features in your library.

10. To assign users for the app, hover your pointer over the ellipses on the right, and click Manage Subscribers.

11. In Choose a domain, select a domain. Click Choose a group or user and start typing the name of the user. Select the name once it populates. For guidance on how to add a domain, see Identity and access management.


12. To configure the authentication methods required for your users, from the Citrix Cloud menu, click Identity and Access Management and select the Authentication tab, and configure the required authentication method. For detailed guidance, see Identity and access management.

13. From the Citrix Cloud menu, click Workspace Configuration and select the Authentication tab. Choose an authentication method configured in the previous step for users to log in from the Citrix Secure Access agent.


14. To obtain the Workspace URL to be shared with your users, from the Citrix Cloud menu, click Workspace Configuration, and select the Access tab.


Admin Configuration – ZTNA agent-based access to HTTP(S) apps

Note: To access existing or new HTTP/HTTPS apps using the Citrix Secure Access agent, in addition to a Gateway connector you must also install at least one (recommended two for high-availability) Connector Appliance in your resource location. The connector can be installed on-premises, in the data center hypervisor, or in public cloud. For details of Connector Appliance and its installation, see Connector Appliance for Cloud Services.

Prerequisites

• Access to Citrix Secure Workspace Access in Citrix Cloud.
• Request for Connector Appliance support for web apps since this support is in preview.

Points to note

• Internal web apps enforced with enhanced security controls cannot be accessed through the Citrix Secure Access agent.

• If you try to access an HTTP(S) application which has enhanced security controls enabled, then the following pop-up message is displayed. Additional security controls are enabled for <"app name"(FQDN)> app. Please access it from Citrix Workspace.

• If you want to enable SSO experience, access the web apps using Citrix Workspace app or web portal.

The steps to configure HTTP(S) apps remain the same as existing functionality explained under Support for Enterprise web apps.

The steps to assign users or user groups for the published apps and managing your published apps remain unchanged. See the following links for detailed guidance.

• Assign users or user groups for the published apps
• Manage your published apps


Note: The user subscription made for an app is applicable for all the TCP app destinations configured for the ZTNA application.

Adaptive access to TCP and HTTP(S) apps

Adaptive access provides the ability for admins to govern access to business-critical apps based on multiple contextual factors like device posture check, user geo-location, user role, and the Citrix Analytics service provided risk score.

Note: The steps to configure Adaptive Access for HTTP(S) apps remain the same as existing functionality explained under Create a contextual access policy.

To deny access to TCP applications, admins create policies based on the users, user groups, the devices from which the users access the applications, and the location (country) from where an application is accessed. Access to applications is allowed by default.

Following are the steps to create an adaptive access policy:

1. On the Citrix Secure Workspace Access tile, click the Manage tab and then click Contextual access.

2. Click Create Policy.

3. FOR USERS OF THESE APPLICATIONS - This field lists all the applications that an admin has configured in the Citrix Workspace app. Admins can select the applications to which this contextual policy must be applied.

4. IF THE FOLLOWING CONDITION IS MET - Enter the users or the user groups for whom this contextual access policy must be evaluated.


• Devices – In addition to users or user groups, admins can add another condition to define the device from which the user is accessing the applications. The device can be a mobile device or a desktop computer.

• Location – Admins can define another condition to identify the country from where the user is accessing the application. The source IP address of the user is evaluated with the IP address in the database. If the IP address of the user and the IP address available in the geo-location database match, the policy is applied. If the IP addresses do not match, this contextual policy is skipped and the next contextual policy is evaluated.

• Device Posture – Admins can restrict access to the application based on device posture check.

• Risk – Admins can restrict access to the application based on the user risk indicators provided by Citrix Analytics for Security (CAS). For more information on user risk indicators, see Citrix user risk indicators.

5. Click Add Condition and in Select Condition, select the condition to be added for restricting the application access.
An AND operation is performed on the conditions that you have added.

6. THEN DO THE FOLLOWING - You can create conditions to configure Deny Access to the applications. Access to applications is allowed by default.


Deny access – If the set condition matches, the user's access to the application is denied.
Note: As the Enhanced Security functionality is not available for TCP apps at this point, app access with Preset Security Controls is not supported.

7. In POLICY NAME, enter the name of the policy.

8. Turn the toggle switch to Enabled to enable the policy.

9. Click Create Policy.

To see the list of configured contextual access policies, see View the list of configured contextual access policies.

Points to note

• Access to an existing web app for which enhanced security is enabled is denied via the Secure Access agent. An error message suggesting to log in using Citrix Workspace app is displayed.

• Policy configurations for web apps based on user risk score, device posture check, and so on via Citrix Workspace app hold good while accessing the app via the Secure Access agent.

• The policy bound to an application is applicable for all the destinations in the application.
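
The evaluation rules described above (conditions combined with AND, Deny Access on a match, a non-matching policy skipped in favour of the next one, access allowed by default) can be modelled as follows. This is an added illustration, not Citrix code; the class and function names and the sample policies, users and apps are constructed, and only the user/group, device and location conditions are modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Policy:
    """One contextual access policy as described in the steps above (hypothetical model)."""
    name: str
    apps: Set[str]                         # FOR USERS OF THESE APPLICATIONS
    users_or_groups: Set[str]              # IF THE FOLLOWING CONDITION IS MET
    devices: Optional[Set[str]] = None     # "mobile" / "desktop"; None = condition not added
    countries: Optional[Set[str]] = None   # country of the source IP; None = not added
    enabled: bool = True                   # the Enabled toggle


@dataclass
class Request:
    user: str
    groups: Set[str]
    app: str
    device: str
    country: str


def matches(policy: Policy, req: Request) -> bool:
    """All configured conditions must hold (AND); a condition that was not added is not checked."""
    if not policy.enabled or req.app not in policy.apps:
        return False
    if not (({req.user} | req.groups) & policy.users_or_groups):
        return False
    if policy.devices is not None and req.device not in policy.devices:
        return False
    if policy.countries is not None and req.country not in policy.countries:
        return False
    return True


def evaluate(policies: List[Policy], req: Request) -> Tuple[str, Optional[str]]:
    """Walk the policies in order; the first match denies, no match means allow."""
    for policy in policies:
        if matches(policy, req):
            return "deny", policy.name
    return "allow", None          # access to applications is allowed by default


def apps_without_enabled_policy(policies: List[Policy], all_apps: Set[str]) -> Set[str]:
    """Apps that no enabled policy covers: every subscriber reaches them by default."""
    covered: Set[str] = set()
    for policy in policies:
        if policy.enabled:
            covered |= policy.apps
    return all_apps - covered


# Constructed sample data
POLICIES = [
    Policy("block-contractors-mobile", {"ssh-jump"}, {"Contractors"}, devices={"mobile"}),
    Policy("block-finance-listed-countries", {"finance-db"}, {"Finance"},
           countries={"US", "DE"}, enabled=False),
]
ALL_APPS = {"ssh-jump", "finance-db", "rdp-farm"}

if __name__ == "__main__":
    print(evaluate(POLICIES, Request("alice", {"Contractors"}, "ssh-jump", "mobile", "IN")))
    print(evaluate(POLICIES, Request("alice", {"Contractors"}, "ssh-jump", "desktop", "IN")))
    print(sorted(apps_without_enabled_policy(POLICIES, ALL_APPS)))
```

Because the only action is Deny Access and the default is allow, a disabled policy or an app with no policy at all leaves that app reachable by every subscribed user, which is what the last helper lists.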

DNS resolution

The IP addresses are spoofed, and the connector appliance present in the resource location resolves the DNS query.

If the IP address cannot be spoofed, the DNS resolution happens by connecting to one of the random resource locations configured for a customer.

Note: For the preview release, you cannot choose a resource location for a DNS query.

Steps to install Citrix Secure Access agent on a client machine

Following are the steps to install the Citrix Secure Access agent on a Windows machine.


1. Download the Citrix Secure Access agent from https://www.citrix.com/en-in/downloads/citrix-gateway/plug-ins/citrix-gateway-windows-plug-in-clients.html.

2. Click Install to install the agent on your Windows machine. If you have an existing Citrix Gateway agent, the same gets upgraded.

3. Click Finish to complete the installation.


4. Open regedit and add a registry entry with the following details at HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client
Name: cloudAuthAllowed; Type: REG_DWORD; Value data: 1

Microsoft Edge Runtime installation steps

Microsoft Edge Runtime is now required for the authentication UI on the Secure Access agent.
It is installed by default in the latest Windows 10 and Windows 11 machines. For machines on earlier versions, perform the following steps.

1. Go to the following link, https://go.microsoft.com/fwlink/p/?LinkId=2124703.


2. Download and install Microsoft Edge. If the user system doesn't have the Microsoft Edge runtime installed, the Citrix Secure Access agent client prompts you to install when you try to connect to the Workspace URL.
Note: You can use an automated solution like SCCM software or a group policy to push Citrix Secure Access agent or Microsoft Edge Runtime to the client machines.

Steps to install Citrix Secure Access agent on a macOS machine

Prerequisites:

• Workspace URL for the customer is enabled using the feature flagging mechanism.
• Download the Citrix Secure Access app for macOS from the App Store. This app is available from macOS 10.15 (Catalina) and later.
• Preview builds are available in the TestFlight app only for macOS Monterey (12.x).
• If you are switching between the App Store app and the TestFlight preview app, you must recreate the profile you want to use with the Citrix Secure Access app. For example, if you have been using a VPN profile with blr.abc.company.com, delete the VPN profile, and create the same profile again.

OS versions supported for the Citrix Secure Access agent:

• macOS – 12.x (Monterey). 11.x (Big Sur) and 10.15 (Catalina) are supported.
• Windows – Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019.

Points to note:

• Multi-user session in Windows is not supported.
• Mobile devices - iOS and Android are not supported.

Launch a configured app - End-user flow

1. Launch the Citrix Secure Access agent on the client device.
2. Enter the Workspace URL provided by the customer admin in the URL field in the Citrix Secure Access agent and click Connect. It is a one-time activity and the URL is saved for subsequent use.


3. User is prompted for authentication based on the authentication method configured in Citrix Cloud.
Upon successful authentication, the user can access the configured private apps.

User notification messages

A pop-up notification message appears in the following scenarios:

• The app is not authorized by the admin for the user.

Cause: The application configured for the accessed destination IP address or FQDN is not subscribed for the logged in user.

• The adaptive access policy evaluation results in denial of access.


Cause: Access to the destination IP address or FQDN is denied because the policy bound to theapplication is evaluated to “Deny Access” to the logged in user.

• The enhanced security control is enabled for the app.

Cause: The enhanced security control is enabled to the application for the accessed destina-tion. The application can be launched using the Citrix Workspace App.

Additional Information

Application Domains - IP address conflict resolution

Destinations added while creating an app are added to a main routing table. The routing table is the source of truth for making the routing decision to direct connection establishment and traffic to correct resource location.

• The destination IP address must be unique across resource locations.

• Citrix recommends that you avoid overlap of the IP addresses in the routing table. In case you encounter an overlap, you must resolve it.

Following are the types of conflict scenarios. The only error scenario that restricts admin configuration until the conflict is resolved is Complete Overlap.

| Conflict Scenarios | Existing application domain entry | New entry from app addition | Behavior |
|---|---|---|---|
| Subset Overlap | 10.10.10.0-10.10.10.255 RL1 | 10.10.10.50-10.10.10.60 RL1 | Allow; Warning info - Subset overlap of IP domain with existing entries |
| Subset Overlap | 10.10.10.0-10.10.10.255 RL1 | 10.10.10.50-10.10.10.60 RL2 | Allow; Warning info - Subset overlap of IP domain with existing entries |
| Partial Overlap | 10.10.10.0-10.10.10.100 RL1 | 10.10.10.50-10.10.10.200 RL1 | Allow; Warning info - Partial overlap of IP domain with existing entries |
| Partial Overlap | 10.10.10.0-10.10.10.100 RL1 | 10.10.10.50-10.10.10.200 RL2 | Allow; Warning info - Partial overlap of IP domain with existing entries |
| Complete Overlap | 10.10.10.0/24 RL1 | 10.10.10.0-10.10.10.255 RL1 | Error; <Completely overlapping IP domain's value> IP domain completely overlaps with existing entries. Please change the existing routing IP Entry or configure a different destination |
| Complete Overlap | 10.10.10.0/24 RL1 | 10.10.10.0-10.10.10.255 RL2 | Error; <Completely overlapping IP domain's value> IP domain completely overlaps with existing entries. Please change the existing routing IP Entry or configure a different destination |
| Exact Match | 20.20.20.0/29 RL1 | 20.20.20.0/29 | Allow; Domains already exist in the domain routing table. Changes made updates the domain routing table |

Note:

• If the destinations added result in a complete overlap, an error is displayed while configuring the app in the App Details section. The admin must resolve this error by modifying the destinations in the App Connectivity section.

If there are no errors in the App Details section, the admin can proceed to save the app details. However, in the App Connectivity section, if the destinations have a subset and partial overlap with each other or existing entries in the main routing table, a warning message is displayed. In this case, the admin can choose to either resolve the error or continue with the configuration.

• Citrix recommends keeping a clean Application Domain table. It is easier to configure new routing entries if the IP address domains are broken into appropriate chunks without overlaps.
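The conflict types in the table above can be checked offline before a destination is entered in the console. The following is an added example (not Citrix code and not the service's implementation) that classifies a new IPv4 destination against existing entries; the function names and the sample routing table are constructed, and treating a textually identical entry as Exact Match and an equal span written differently as Complete Overlap is an assumption read off the table's rows.

```python
import ipaddress

# Behaviour the table above lists for each conflict type.
ACTION = {
    "exact match": "allow",
    "subset overlap": "warn",
    "partial overlap": "warn",
    "complete overlap": "error",
}


def span(destination):
    """Return (first, last) as integers for 'a.b.c.d/n', 'a.b.c.d-e.f.g.h' or one IPv4 address."""
    text = destination.strip()
    if "-" in text:
        first, last = (int(ipaddress.ip_address(p.strip())) for p in text.split("-", 1))
        if first > last:
            raise ValueError(f"range start is above range end: {destination!r}")
        return first, last
    net = ipaddress.ip_network(text, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def classify(existing, new):
    """Name the conflict between one existing entry and a new entry."""
    e_first, e_last = span(existing)
    n_first, n_last = span(new)
    if n_last < e_first or n_first > e_last:
        return "none"
    if (n_first, n_last) == (e_first, e_last):
        # Assumption from the table rows: same text is an exact match,
        # same addresses in a different notation is a complete overlap.
        return "exact match" if existing.strip() == new.strip() else "complete overlap"
    if e_first <= n_first and n_last <= e_last:
        return "subset overlap"
    if n_first <= e_first and e_last <= n_last:
        # The table has no row for a new entry that strictly contains an
        # existing one, so it is reported separately instead of guessed.
        return "superset (not in table)"
    return "partial overlap"


def review_new_entry(routing_table, new_destination):
    """Compare a new destination with every (destination, resource location) pair."""
    findings = []
    for existing, resource_location in routing_table:
        kind = classify(existing, new_destination)
        if kind != "none":
            findings.append({
                "existing": existing,
                "resource_location": resource_location,
                "conflict": kind,
                "action": ACTION.get(kind, "review"),
            })
    blocked = any(f["action"] == "error" for f in findings)
    return {"blocked": blocked, "findings": findings}


# Constructed sample routing table: (destination, resource location).
ROUTING_TABLE = [
    ("10.10.10.0/24", "RL1"),
    ("20.20.20.0/29", "RL1"),
    ("172.16.5.0-172.16.5.100", "RL2"),
]

if __name__ == "__main__":
    for candidate in ("10.10.10.0-10.10.10.255", "172.16.5.50-172.16.5.200",
                      "20.20.20.0/29", "192.168.1.0/24"):
        print(candidate, review_new_entry(ROUTING_TABLE, candidate))
```

The resource location is carried through for reporting only, because the table lists the same behaviour for RL1 and RL2.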

Release notes references

• Citrix Secure Access for Windows plug-in release notes

• Citrix Secure Access for macOS release notes

• Citrix Secure Workspace Access release notes

Support for Software as a Service apps

October 13, 2021

Software as a Service (SaaS) is a software distribution model to deliver software remotely as a web-based service. Commonly used SaaS apps include Salesforce, Workday, Concur, GoToMeeting, and so forth.

SaaS apps can be accessed using Citrix Workspace using the Secure Workspace Access service. The Secure Workspace Access service coupled with Citrix Workspace provides a unified user experience for the configured SaaS apps, configured virtual apps, or any other workspace resources.

SaaS apps delivery using the Secure Workspace Access service provides you an easy, secure, robust, and scalable solution to manage the apps. SaaS apps delivered on the cloud have the following benefits:

• Simple configuration – Easy to operate, update, and consume.

• Single sign-on – Hassle free logon with Single sign-on.

• Standard template for different apps – Template based configuration of popular apps.

How SaaS apps are supported with the Secure Workspace Access service

1. Customer admin configures SaaS apps using Secure Workspace Access service UI (citrix.cloud.com). The admin then adds subscribers (users) for the apps.

2. Admin provides the service URL to the users to access Citrix Workspace.

3. Users subscribed for an app can see the app upon logon to Citrix Workspace.

4. To launch the app, a user clicks the enumerated SaaS app icon.

5. SaaS app trusts the SAML assertion provided by the Secure Workspace Access service and the app is launched.

Note:

Configured SaaS apps are aggregated along with virtual apps and other resources in Citrix Workspace for a unified user experience.

Ways to configure the SaaS apps

SaaS apps can be configured and published in the following two ways:

• Template based configuration - For configuration steps, see Configuring and publishing apps using template.

• Manual configuration - Configuration steps are as follows.

Configure and publish apps manually

The following configuration takes the Aha app as an example to configure and publish an app manually:

1. On the Secure Workspace Access tile, click Manage.

2. Click Add an app.

3. Click Skip to configure the Aha app manually.

4. Select Outside my corporate network.

5. Enter the following details in the App Details section and click Save.

Name – Name of the application.

URL – URL with your customer ID. If SSO fails or when the Don’t use SSO option is selected, the user is redirected to this URL.

Customer domain name and Customer domain ID - Customer domain name and ID are used to create an app URL and other subsequent URLs in the SAML SSO page.

For example, if you are adding a Salesforce app, your domain name is salesforceformyorg and ID is 123754, then the app URL is https://salesforceformyorg.my.salesforce.com/?so=123754.

Customer domain name and Customer ID fields are specific to certain apps.

Note:

Unqualified domains are not supported.

Related Domains – The related domain is auto-populated based on the URL that you have provided. Related domain helps the service to identify the URL as part of the app and route traffic accordingly. You can add more than one related domain.

Icon – Click Change to change the app icon. The icon file size must be 128x128 pixels. If you do not change the icon, the default icon is displayed.

6. In the Enhanced Security section, select Enable enhanced security to choose the security options you would like to apply to the application.

Important:

The Enhanced Security section is available only if you are entitled to Secure Workspace Access service. For details, see https://www.citrix.com/products/citrix-cloud/.

• The following enhanced security options can be enabled for the application.

– Restrict clipboard access: Disables cut/copy/paste operations between the app and system clipboard

– Restrict printing: Disables ability to print from within the Citrix Workspace app browser

– Restrict navigation: Disables the next/back app browser buttons

– Restrict downloads: Disables the user’s ability to download from within the app

– Display watermark: Displays a watermark on the user’s screen displaying the username and IP address of the user’s machine

Important:

Restrict Navigation is not supported with the Citrix Workspace Browser. For details, see Citrix Workspace Browser.

• Select Launch application always in Citrix Secure Browser service to always launch an application in Secure Browser service regardless of other enhanced security settings.

Note:

– The other enhanced security options are still enforced once the app is launched inside the Secure Browser.

– If you are accessing the app from the Citrix Workspace app or from the Citrix Workspace for web, then the app is launched in the embedded browser or the native browser respectively until the policy is enforced on mobile devices.

• Select Enforce policy on mobile device to enable the previously mentioned enhanced security options on your mobile device.

Note:

When Enforce Policy on Mobile Device is selected along with Enable enhanced security, the user experience for the application access is negatively impacted for the desktop users and the mobile users.

7. Select your preferred single sign-on type to be used for your application and click Save. SAML and Don’t use SSO single sign-on types are available.

SAML: Enter the following details for the SAML single sign-on section and click Save.

• Sign Assertion - Signing assertion or response ensures message integrity when the response or assertion is delivered to the relying party (SP). You can select Assertion, Response, Both, or None.

• Assertion URL – Assertion URL is provided by the application vendor. The SAML assertion is sent to this URL.

• Relay State – The Relay State parameter is used to identify the specific resource the users access after they are signed in and directed to the relying party’s federation server. Relay State generates a single URL for the users. Users can click this URL to log on to the target application.

• Audience – Audience is provided by the application vendor. This value confirms the SAML assertion is generated for the correct application.

• Name ID Format – Select the supported name identifier format.

• Name ID – Select the supported name ID.

Don’t use SSO – Use the Don’t use SSO option when you do not need to authenticate a user on the back-end server. When you select Don’t use SSO option the user is redirected to the URL configured under the App details section.

8. Download the metadata file by clicking the link under SAML Metadata. Use the downloaded metadata file to configure SSO on the SaaS apps server.

Note:

• You can copy the SSO login URL under Login URL and use this URL when configuring SSO on the SaaS apps server.

• You can also download the certificate from the Certificate list and use the certificate when configuring SSO on the SaaS apps server.

9. Click Finish.

After you click Finish, the app is added to the library and you are presented with the following three options.

• Add Another App

• Edit App

• Go to the Library

Assign users or user groups for the published apps

After an app is published, you can assign users or groups to the app.

1. On the Citrix Cloud screen, click Go to the Library. Alternatively, you can also click Library in the upper left menu.

Notice that the newly added app features in your library.

2. To assign users for the app, hover your pointer over the ellipses on the right, and click Manage Subscribers.

3. Click Choose a domain list and select a domain. Click Choose a group or user and assign users.

Note:

A subscribed user can be unsubscribed by selecting the user and clicking the delete icon next to Status.

4. To obtain the Workspace URL to be shared with app users, on Citrix Cloud, click the menu icon and navigate to Workspace Configuration.

Manage published apps

You can edit or delete a published app, and add more subscribers to the published app.

Edit a published app

To edit a published app, perform the following steps:

1. Go to Library and identify the app to be edited.

2. Hover your pointer over the ellipses on the right and click Edit.

3. Edit the entries under the App Details section and click Save.

4. Edit the entries under the Single Sign On section, click Save, and click Finish.

5. The following screen appears indicating that the app has been modified.

Delete a published app

To delete a published app, perform the following steps:

1. Go to Library and identify the app to be deleted.

2. Click the dot icon on the right and click Delete.

Manage subscribers for published app

To add more subscribers, perform the following steps:

1. Go to Library and identify the app to be modified.

2. Hover your pointer over the ellipses on the right, and click Manage Subscribers.

Launch a configured app - end-user flow

To launch a configured app, perform the following steps:

1. Log on to Citrix Workspace with AD user credentials. The admin configured apps are displayed.

2. Click the app to launch the app. The app is launched and the user is signed-in to the app.

Apps configuration using a template

October 28, 2021

SaaS apps configuration with single sign-on on the Secure Workspace Access service is simplified by provisioning a template list for popular SaaS apps. The SaaS app to be configured can be selected from the list.

The template pre-fills much of the information required for configuring applications. However, the information specific to the customer must still be provided.

Note:

The following section has the steps to be performed on the Secure Workspace Access service for configuring and publishing an app using a template. The configuration steps to be performed on the app server are presented in the subsequent section.

Configure and publish apps using template - Secure Workspace Access service specific configuration

The following configuration takes the Aha app as an example to configure and publish an app using a template.

1. On the Secure Workspace Access service tile, click Manage.

2. Click Add an app.

3. Select the app you want to configure using the Choose a Template list and click Next.

4. Enter the following details in the App Details section and click Save.

Name – Name of the application.

URL – URL with your customer ID. The user is redirected to this URL if:

- SSO fails or

- Don’t use SSO option is selected.

Customer domain name and Customer domain ID - Customer domain name and ID are used to create an app URL and other subsequent URLs in the SAML SSO page.

For example, if you are adding a Salesforce app, your domain name is salesforceformyorg and ID is 123754, then the app URL is https://salesforceformyorg.my.salesforce.com/?so=123754.

Customer domain name and Customer ID fields are specific to certain apps.

Related Domains – The related domain is auto-populated based on the URL that you have provided. Related domain helps the service to identify the URL as part of the app and route traffic accordingly. You can add more than one related domain.

Icon – Click Change icon to change the app icon. The icon file size must be 128x128 pixels. If you do not change the icon, the default icon is displayed.

5. In the Enhanced Security section, select Enable enhanced security to choose the security options you would like to apply to the application and click Next.

Important:

The Enhanced Security section is available only if you are entitled to Secure Workspace Access service. For details, see https://www.citrix.com/products/citrix-cloud/.

• The following enhanced security options can be enabled for the application.

– Restrict clipboard access: Disables cut/copy/paste operations between the app and system clipboard

– Restrict printing: Disables ability to print from within the Citrix Workspace app browser

– Restrict navigation: Disables the next/back app browser buttons

– Restrict downloads: Disables the user’s ability to download from within the app

– Display watermark: Displays a watermark on the user’s screen displaying the username and IP address of the user’s machine

Important:

Restrict Navigation is not supported with the Citrix Workspace Browser. For details, see Citrix Workspace Browser.

• The following advanced app protection policies can be enabled for the application.

Restrict keylogging: Protects against key loggers. When a user tries to log on to the app using the user name and password, all the keys are encrypted on the key loggers. Also, all activities that a user performs on the app are protected against key logging. For example, if app protection policies are enabled for Office365 and the user edits an Office365 word document, all key strokes are encrypted on key loggers.

Restrict screen capture: Disables the ability to capture the screens using any of the screen capture programs or apps. If a user tries to capture the screen, a blank screen is captured.

Important:

– You can enable the advanced app protection policies only after enabling the Enable enhanced security option.

– The app protection policies are enabled per app because not all apps might require these restrictions.

– The app protection policies work only when the app is delivered through the Citrix embedded browser.

• Select Launch application always in Citrix Secure Browser service to always launch an application in Secure Browser service regardless of other enhanced security settings.

Note:

– The other enhanced security options are still enforced once the app is launched inside the Secure Browser.

– If you are accessing the app from the Citrix Workspace app or from the Citrix Workspace for web, then the app is launched in the embedded browser or the native browser respectively until the policy is enforced on mobile devices.

• Select Enforce policy on mobile device to enable the previously mentioned enhanced security options on your mobile device.

Note:

When Enforce Policy on Mobile Device is selected along with Enable enhanced security, the user experience for the application access is negatively impacted for the desktop users and the mobile users.

6. Enter the following SAML configuration details in the Single Sign On section and click Save.

Assertion URL – SaaS app SAML assertion URL provided by the application vendor. The SAML assertion is sent to this URL.

Relay State – The Relay State parameter is used to identify the specific resource the users access after they are signed in and directed to the relying party’s federation server. Relay State generates a single URL for the users. Users can click this URL to log on to the target application.

Audience – Service provider for whom the assertion is intended.

Name ID Format – Supported format type of user.

Name ID – Name of the format type of user.

Note:

When the Don’t use SSO option is selected, the user is redirected to the URL configured under App Details section.

7. Download the metadata file by clicking the link under SAML Metadata. Use the downloaded metadata file to configure SSO on the SaaS apps server.

Note:

• You can copy the SSO login URL under Login URL and use this URL when configuring SSO on the SaaS apps server.

• You can also download the certificate from the Certificate list and use the certificate when configuring SSO on the SaaS apps server.

8. Click Finish.

9. The following screen appears indicating that the app has been added to the Library.

Perform the application server specific configuration for configuring and publishing the app using the template. For details on each app server specific configuration, see SaaS app server specific configuration.

SaaS app server specific configuration

July 23, 2021

Following are the links to the documents that have guidance on app server specific configuration using a template. Citrix presently supports the following SaaS apps and is continually adding support for more apps.

• 15Five - Continuous performance management tool to coach employees.

• 10000 ft - Project management tool to plan for growth.

• 4me - Service management tool for collaboration between internal, external, and outsourced teams.

• Abacus - Real-time expense reporting software.

• Absorb - Learning management tool.

• Accompa - Requirements management tool to build products.

• Adobe Captivate Prime - Learning management system to deliver personalized learning experiences across devices.

• Aha - Product roadmap and marketing planning tool to build products and launch campaigns.

• AlertOps - Collaboration incidence response tool to manage IT incidents.

• Allocadia - Marketing performance management tool to manage an organization’s marketing planning process.

• Anaplan - Planning tool to help organizations with decision making by connecting data, people, and plans.

• &frankly - An engagement tool to drive change in the workplace.

• Anodot - An AI platform that monitors time series data, detects anomalies and forecasts business performance in real time.

• App Follow - Product management tool for accelerating global app growth and increasing customer loyalty.

• Assembla - Version control and source code management tool for software development.

• Automox - Patch management tool to track, control, and manage the patching process.

• Azendoo - Collaboration tool for teams to converse and collaborate.

• BambooHR - Human resources management tool to manage employee data.

• Bananatag - Tool to track and schedule emails, track files and create email templates.

• Base CRM - Sales management tool to manage emails, phone calls, and notes.

• Beekeeper - Tool to integrate multiple operational systems and communication channels in one Secure Hub that is accessible from desktop and mobile devices.

• BitaBIZ - Absence and vacation planning and communication tool for leave and absence management.

• BlazeMeter - Testing suite.

• Blissbook - Policy management tool to create employee handbooks.

• BlueJeans - Video conferencing solution.

• Bold360 - Live chat tool for customer engagement.

• Bonusly - Employee recognition and reward management tool to recognize team contributions.

• Box - Content management and file sharing tool to manage, share, and access your content.

• Branch - A mobile linking platform powering deep links and mobile.

• Brandfolder - Digital asset management tool to store and share digital assets.

• Breezy HR - Recruiting software and applicant tracking system.

• Buddy Punch - Time management tool to monitor employee attendance.

• Bugsnag - Monitoring tool to manage application stability and report errors and diagnostic data.

• Buildkite - Infrastructure tool for continuous integration software development.

• Bullseye Locations - Store locator tool to locate a store or dealer on a device.

• CA Flowdock - Collaboration tool for teams to converse and collaborate.

• CakeHR - Human resources management tool for attendance and performance management.

• Cardboard - Collaborative product planning tool to track disorganized information.

• Citrix Cedexis - Traffic management tool for large websites to leverage multivendor sourcing of data centers, cloud providers, and content delivery networks.

• CipherCloud - Platform that provides an end-to-end data protection and advanced threat protection, and comprehensive compliance capabilities for an enterprise embracing cloud-based applications.

• Celoxis - Project management tool to create project plans, automate work and collaborate.

• CircleHD - Training, learning, and collaboration tool to share videos and slides within the organization.

• Circonus - Data analytics and monitoring tool to deliver alerts, graphs, dashboards, and machine-learning intelligence.

• Cisco Umbrella - Cloud security platform to provide the first line of defense against threats on the internet.

• Citrix RightSignature - A solution to get documents signed electronically.

• ClearSlide - Sales engagement tool to let users share content and sales material for customer interaction.

• Cloudability - Cloud cost management platform to improve visibility, optimization, governance across cloud environments.

• CloudAMQP - Message queue tool to pass messages between processes and other systems.

• CloudCheckr - Cost management, security, reporting, and analytics tool to help users optimize their AWS and Azure deployments.

• CloudMonix - Tool for cloud and on-premises resources monitoring and automation.

• CloudPassage - Visibility and continuous monitoring tool to reduce cyber risk and maintain compliance.

• CloudRanger - Tool to streamline your backups, disaster recovery, and server control for AWS Cloud.

• Clubhouse - Project management tool for software development.

• Coggle - Mind mapping web application to create hierarchically structured documents, like a branching tree.

• Comm100 - Customer service software and communication tool for customer service professionals.

• Confluence - Content collaboration tool to help teams collaborate and share knowledge.

• ConceptShare - Proofing tool to deliver content faster, quicker, and cheaper.

• Concur - Travel and expense management tool to manage expenses on the go.

• ConnectWise Control - Business management tool to provide remote support and access.

• Contactzilla - Contact management tool to access up to date contact information.

• ContractSafe - Contract management tool to track, store, and manage contracts.

• Contentful - Software for content to create, manage, and distribute content to any platform.

• Convo - Team communication and collaboration tool for internal conversations.

• Copper - CRM tool.

• Cronitor - Monitoring tool for cron jobs.

• Crowdin - Solution that provides seamless and continuous localization for developers.

• Dashlane - Password management tool that also manages digital wallets.

• Declaree - Travel and expense management tool for business travel.

• Dell Boomi - An integration tool to connect cloud and on-premises applications and data.

• Deskpro - Help desk tool to facilitate ticket management, customer self-help, and customer feedback.

• Deputy - Workforce management tool for scheduling and tracking employees’ time, tasks, and communication.

• DigiCert - Certificate management and troubleshooting tool for SSL certificates for websites.

• Dmarcian - Email monitoring tool to filter spam, malware, and phishing.

• DocuSign - An online signature tool for different documents, such as insurance, medical, and real estate.

• DOME9 ARC - Security and compliance tool to manage public cloud environments.

• Dropbox - Cloud storage tool for secure file sharing and storage.

• Duo - Security tool to provide secure access to your applications.

• Dynatrace - Medical laboratory services.

• Easy Projects - Project Management tool.

• EdApp - Learning management tool for workspace learning.

• EduBrite - Learning management tool to create, deliver, and track training programs.

• Ekarda - Electronic card designing tool.

• Envoy - Visitor management tool to manage people and packages.

• Evernote - Application for note taking, organizing, task lists, and archiving.

• Expensify - Expense management tool for expense report management, receipt tracking, and business travel.

• ezeep - Print infrastructure management tool to print from any device, any location to any printer in the Cloud.

• EZOfficeInventory - Inventory management tool to track all your assets and equipment.

• EZRentOut - Equipment rental tool to track equipment quality and availability.

• Fastly - Edge cloud platform to serve and secure applications closer to the users.

• Favro - Planning and collaboration tool for organizational flow.

• Federated Directory - Cross-company contact directory tool to search through the corporate address books of different companies.

• Feeder

• Feedly - News aggregation tool to compile news feeds from different sources.

• FileCloud - Software solution that provides a robust and secure file hosting and sharing platform for organizations.

• Fivetran - Tool to help analysts replicate data into a cloud warehouse.

• Flatter Files - Digital flat file cabinet for drawings and documents to provide a secure and simple way for providing access to content.

• Float - Resource planning tool for project scheduling and managing the teams’ utilization.

• Flock - Collaboration tool.

• Formstack - An online form builder and data collection tool.

• FOSSA - Automated open source license scanning and vulnerability management tools built natively into CI/CD.

• Freshdesk - Customer support tool to help support the needs of customers.

• Freshservice - IT help desk tool to simplify IT operations.

• FrontApp - Collaboration tool to manage all conversations in one place.

• Frontify - Platform to facilitate and streamline day-to-day branding, marketing, and development operations.

• Fulcrum - Mobile data collection platform that allows you to easily build mobile forms and collect data.

• Fusebill - Billing management and recurring billing software.

• G-Suite - Set of intelligent apps to connect the people in your company.

• GetGuru - Knowledge management software.

• GitBook - Tool to create and maintain your documentation.

• GitHub - A web-based hosting service for version control using Git for repositories hosted behind a corporate firewall.

• GitLab - A complete DevOps platform, delivered as a single application.

• GlassFrog - Software to Holacracy practice.

• GoodData - An embedded BI and analytics platform that provides fast, reliable, and easy to use analytics.

• GotoMeeting - Online meeting software with HD Video Conferencing capabilities.

• HackerRank - Provides competitive programming challenges for consumers and businesses.

• HappyFox - Online help desk software and web based support ticket system.

• Helpjuice - Knowledge management solution to create and maintain knowledge bases.

• Help Scout - Customer service software and knowledge base tool for customer service professionals.

• Hello sign - E-signing interface to enable signing from anywhere, at any time, on any device.

• HelpDocs - Knowledge base software to guide your users when they are stuck.

• Honeybadger - Application health monitoring tool.

• Harness - Tool for continuous delivery and integration for Java, .NET apps in AWS, GCP, Azure, and Bare Metal.

• HelpDocs - Tool to create an authoritative knowledge base to guide your users when they’re stuck.

• Helpmonks - A collaborative email platform for team collaboration.

• Hoshinplan - Tool to visualize your strategic plans and track statuses in one canvas.

• Hosted Graphite - Tool to monitor your website, app, server, and container performance.

• Humanity -Online employee scheduling software tomanage shifts, schedules, payroll, and timeclocking.

• Igloo - Digital workplace and intranet solution provider to solve IT challenges across your orga-nization.

• iLobby - Cloud-based visitor registration management solution.

• Illumio - Security system to prevent spread of breaches inside data center and cloud environments.

• Image Relay - Digital asset management and brand management software to securely organize and share digital files.

• Informatica - Tool for SaaS apps integration and a platform for developing and deploying custom integration services.

• Intelligent contract - Contract management software.

• iMeet Central - Project management software for marketers, creative agencies, and enterprise businesses.

• InteractGo - Tool to measure real-time and historical data on system performance.

• iQualify One - Learning and management tool to deliver authentic learning experiences.

• InsideView - Data and intelligence solutions to solve sales, marketing, and other business challenges.

• Insightly - A cloud-based customer relationship management (CRM) and project management tool for small and medium size businesses.

• ITGlue - A cloud-based IT documentation platform to help MSPs standardize documentation, create knowledge bases, manage passwords, and track devices.

• Jitbit - Help desk software and ticketing system to manage and track incoming support request emails and their associated tickets.

• JupiterOne - Software platform to create and manage your entire security process.

• Kanbanize - An online portfolio Kanban software for lean management.

• Klipfolio - An online dashboard platform for building powerful real-time business dashboards for your team or your clients.

• Jira - Tool to plan, track, and manage your issues and projects.

• Kanban Tool - Visual management software to improve your team performance and boost productivity.

• Keeper Security - Password manager and security software to protect your passwords and private information.

• Kentik - Tool to apply big data for network and performance monitoring, DDoS protection, and real-time ad-hoc network flow analytics.

• Kissflow - Workflow tool and business process workflow management software to automate your workflow process.

• KnowBe4 - Tool to provide security awareness training and simulated phishing.

• KnowledgeOwl - Knowledge base and authoring tool.

• Kudos - Retail, job, project, and fulfillment process systems.

• LaunchDarkly - Feature management platform to enable dev and ops teams to control the feature lifecycle.

• Lifesize - Video conferencing solution.

• Litmos - Learning management system for employee training, customer training, compliance training, and partner training.

• LiquidPlanner - Online project management software for your business.

• LeanKit - Lean-based, enterprise process and work management software to help enterprises visualize work, optimize processes, and deliver faster.

• LiveChat - Live chat and help desk software for businesses.

• LogDNA - Tool to collect, monitor, parse, and analyze logs from all sources in one centralized logging tool.

• Mango - Team collaboration software to consolidate and streamline siloed applications into one single platform.

• Manuscript - A writing tool to help you plan, edit, and share your work.

• Marketo - Automation software to help marketing teams master the art and science of digital marketing.

• Matomo - A Web analytics platform that evaluates the entire user-journey of everyone who visits the website.

• Meisterplan - Software that helps organizations create project portfolios.

• Mingle - An agile project management and collaboration tool to provide a combined workplace for the entire team.

• MojoHelpdesk - Help desk software and ticketing system.

• Monday - Team management software to plan, track, and collaborate all your work in one tool.

• Mixpanel - System to track user interactions with web and mobile.

• MuleSoft - Integration software to connect SaaS and enterprise applications in the cloud and on-premises.

• MyWebTimesheets - Online time tracking system to track time spent on various projects/jobs/activities.

• New Edge - Secure application networking service for Hybrid IT.

• NextTravel - Corporate travel management software tool.

• N2F - Expense report management tool to manage your business and travel expenses.

• New Relic - Digital intelligence platform to measure and monitor the performance of applications and infrastructure.

• Nmbrs - Cloud HR and payroll software for businesses.

• Nuclino - Collaboration software to collaborate and share information in real-time.

• Office365 - Microsoft’s cloud-based subscription service.

• OfficeSpace - Cloud-based platform that helps organizations allocate workspace.

• OneDesk - Project management and help desk software to connect with and support your customers.

• OpsGenie - An Incident management platform for DevOps and ITOps teams to streamline alerts and incident resolution processes.

• Orginio - An online organizational chart creation tool to visualize the organizational structure.

• Oomnitza - IT Asset Management platform solution to track and manage assets.

• OpenEye - Mobile app for viewing live and recorded videos on Apex recorder.

• Oracle ERP Cloud - Cloud-based software application suite to manage enterprise functions.

• Pacific Timesheet - Web-based timesheet tool for payroll, project hours, and expenses.

• PagerDuty - Digital operations management system.

• PandaDoc - A mobile app for iPhone users to access their documents, analytics, and dashboard directly on their mobile phones.

• Panopta - Infrastructure monitoring tool.

• Panorama9 - Cloud-based IT management platform for enterprise network monitoring.

• Papyrs - Editor to design your own intranet pages.

• ParkMyCloud - Single-purpose SaaS tool to connect to AWS, Azure Services, or GCP.

• Peakon - Tool to measure and improve employee engagement.

• People HR - HR software system for all key HR functions.

• Pingboard - Tool to build organization charts for organizing teams and workforce planning.

• Pigeonhole Live - Interactive Q&A platform.

• Pipedrive - Sales CRM and pipeline management software.

• PlanMyLeave - Leave management system for managing and tracking employee’s leave of absence.

• PlayVox - Customer service quality monitoring tool.

• Podbean - Podcast service provider.

• Podio - A web-based tool to organize team communication, business processes, data, and content in project management workspaces.

• POPin - Crowd-solving platform and mobile app that operationalizes team engagement for problem-solving.

• Postman - API development environment.

• Prescreen - Applicant tracking tool to publish job vacancies online and offline.

• ProductBoard - Product management tool.

• ProdPad - Product management software to develop product strategies.

• Proto.io - Application prototyping platform to create fully interactive, high-fidelity prototypes.

• Proxyclick - Cloud-based visitor management solution to manage visitors, build their brand image, and ensure the security.

• Pulumi - Cloud native development platform for containers, serverless, infrastructure, and Kubernetes.

• PurelyHR - Leave management tool for accessing employee leave data.

• Promapp - Business process management (BPM) tool.

• Prescreen - Cloud-based applicant tracking system to publish job vacancies online and offline.

• QAComplete - Software test management tool.

• Qualaroo - Feedback tool to gain insights from customers.

• Quality Built, LLC - Insurance, financial, and construction industry for providing reliable and innovative Third Party Quality Assurance Services.

• Qubole - Self-service platform for Big Data analytics built on Amazon.

• Questetra BPM Suite - Web-based business process platform for routine workflows.

• QuestionPro - Online survey software to create surveys and questionnaires.

• Quandora - Question and answer based knowledge management solution.

• Quip - Collaborative productivity software suite for mobile and the Web.

• Rackspace - Managed cloud computing services.

• ReadCube - Tool for web, desktop, and mobile reference management.

• RealtimeBoard - Whiteboard Collaboration tool for organizations to collaborate beyond formats, tools, locations, and time zones.

• Receptive - Tool to gather feedback from customers, teams, and the market at one place.

• Remedyforce - IT service management and help desk system.

• Retrace - An Application performance management tool that provides bug tracking, data aggregation, and automatic alerts.

• Robin - Workplace experience tools to schedule conference meeting rooms and desk bookings.

• Rollbar - Real-time error alerting and debugging tools for developers.

• Really Simple Systems - Cloud-based CRM software for small businesses to manage their sales and marketing.

• Reamaze - Customer support software to support, engage, and convert customers with chat, social, SMS, FAQ, and email on a single platform.

• Resource Guru - Resource management software to schedule people, equipment, and other resources.

• Retrace - Application performance management to integrate code profiling, error tracking, application logs, and metrics.

• Roadmunk - Product roadmap software and roadmap tool to create product roadmaps.

• Runscope - Tool to create, manage, and run functional API tests and monitors.

• Salesforce – CRM tool to manage customer contact information, integrate social media, and facilitate real-time customer collaboration.

• SalesLoft - Sales engagement platform for efficient and revenue-boosting sales

• Salsify - Product experience management (PXM) platform.

• Samanage - Tool for IT service management.

• Samepage - Collaboration software to manage online projects.

• Screencast-O-Matic – Tool to screencast and edit video.

• ScreenSteps – Tools to create visual documents centered on screen captures.

• SendSafely – Encryption platform for secure exchange of files and emails.

• Sentry - Open-source error tracking software.

• ServiceDesk Plus - Tool for IT service desk.

• ServiceNow - Cloud platform to create digital workflows.

• SharePoint – Collaborative platform used for document management and storage.

• Shufflrr - Presentation management tool to create, update, share, and broadcast presentations.

• Sigma Computing – An Analytics tool to explore, analyze, and visualize data.

• Signavio – A business process modeling tool.

• Skeddly - Tool to automate AWS resources.

• SkillsBase - Talent management tool to track and document employee’s performance and skills.

• Skyprep - Learning management system (LMS) to train customers and employees.

• Slack - Collaboration tool to communicate and share information.

• Slemma - Data analysis tool to create data reports from multiple data sets.

• Sli.do - Interaction tool for meetings, events, and conferences.

• SmartDraw - Diagram tool used to make flowcharts, organization charts, mind maps, project charts, and other business visuals.

• SmarterU - Learning management system (LMS) to train customers and employees.

• Smartsheet - Collaboration tool to assign tasks, track project process, manage calendars, and share documents.

• SparkPost - Email delivery service.

• Split - Bill splitting application.

• Spoke - Service desk tool to file service tickets.

• Spotinst - A SaaS optimization platform that helps companies purchase and manage cloud infrastructure capacity.

• SproutVideo - Platform to host business videos.

• Stackify - Troubleshooting tool that provides support with a suite of tools including Prefix and Retrace.

• StatusCast - Hosted page to keep your employees and customers aware about downtime and website maintenance.

• StatusDashboard - Communications platform for hosting status dashboards and broadcasting incident notifications to customers.

• Status Hero - Tool for tracking status updates and daily goals from your team.

• StatusHub - Platform to host the service state page.

• Statuspage - Tool to communicate status and incidents.

• SugarCRM - CRM tool for Salesforce automation, marketing campaigns, customer support, collaboration, Mobile CRM, Social CRM, and reporting.

• Sumo Logic - Data analytics software that focuses on security, operations, and BI use cases.

• Supermood - HR platform to gather employee’s feedback in real-time.

• Syncplicity - Tool to share and synchronize files.

• Tableau - Tool to create interactive data visualization.

• TalentLMS - Learning management system (LMS) to facilitate online seminars, courses, and other training programs.

• Tallie – Tool to capture and upload receipts, generate expense reports, and customize expense details.

• Targetprocess - Agile project management software to Scrum, Kanban, SAFe, and so on.

• Teamphoria - Software to provide real-time employee engagement metrics, employee reviews, and recognition.

• TeamViewer - Proprietary software application for remote control, desktop sharing, online meetings, web conferencing, and file transfer between computers.

• Tenable.io - Tool that provides data to identify, investigate, and prioritize the remediation of vulnerabilities and misconfigurations in your IT environment.

• Testable - Tool to create behavioral experiments and surveys.

• TestingBot - Tool to provide various browser versions for live and automated testing.

• TestFairy - Mobile testing platform, to provide companies with video recordings, logs, and crash reports of mobile sessions.

• TextExpander - Communication tool to insert snippets of text from a repository of emails, and other content, as you type.

• TextMagic - Messaging service to connect with customers.

• ThousandEyes - Tool to monitor network infrastructure, troubleshoot application delivery, and map internet performance.

• Thycotic Secret server - Account management software tool to manage passwords.

• TimeLive – Tool to provide timesheets and track time.

• Tinfoil Security - Security solution software to check for vulnerabilities.

• Trisotech - Tool that allows customers to discover, model, analyze their digital enterprise.

• Trumba - Tool to publish online, interactive, calendars of events.

• TwentyThree - Video marketing platform to integrate and add videos to the marketing stack.

• Twilio - A developer platform for communications.

• Ubersmith - Business management software for usage-based billing, quoting, order management, infrastructure management, and help desk ticketing solutions.

• UniFi - Communication and collaboration software with voice, web collaboration, and video conferencing capabilities.

• UPTRENDS – Website monitoring solution to track website uptime and performance.

• UserEcho - Community forum tool that helps businesses manage customer feedback.

• UserVoice - Product feedback management software to enable businesses to make data-driven product decisions.

• VALIMAIL - Email authentication software to authenticate legitimate emails and block phishing attacks.

• Veracode - Source code analyzer and code scanner to protect enterprises from cyber threats and application backdoors.

• Velpic - Learning management system (LMS) designed to streamline workplace training.

• VictorOps - Incident management software to provide DevOps observability, collaboration, and real-time alerting.

• VIDIZMO - Enterprise live and on-demand video streaming software.

• Visual Paradigm - Visual modeling and diagramming online platform for team collaboration.

• Vtiger - CRM tool that enables sales, support, and marketing teams to organize and collaborate.

• WaveMaker – Software for building and running custom apps.

• Weekdone - Tool to create managers’ dashboard and team management service for companies.

• Wepow - Tool to connect recruiters, job candidates, and employers through mobile and video interviewing solution.

• When I Work - Tool for employee scheduling and time tracking.

• WhosOnLocation – Tool to track the flow of people through sites and zones.

• Workable - Applicant tracking system.

• Workday - Tool for financial management, human resources, and planning.

• Workpath - Tool to manage the goals and performance of the organization.

• Workplace - Collaboration tool by Facebook to help employees communicate through a familiar interface.

• Workstars - Platform for social and peer employee recognition programs.

• Workteam - Tool to track employee time and attendance.

• Wrike - Social project management and collaboration software.

• XaitPorter - Document co-authoring software for bids and proposals and other business documents.

• Ximble - Tool for employee scheduling and time tracking.

• XMatters - Collaboration platform with an alerting software that integrates with other tools creating seamless process and effective communication.

• Yodeck - Tool to manage screens remotely, through the web or mobile.

• Zendesk - Software to request for customer service and to log support tickets.

• Ziflow - Tool for creative production teams.

• Zillable – Collaboration platform with communication capabilities.

• Zing tree - A toolkit for creating interactive decision trees and troubleshooters.

• ZIVVER - Tool that allows secure email and file transfer from your familiar email program.

• Zoho - Business application suite.

• Zoom - Communication and collaboration software with voice, web collaboration, and video conferencing capabilities.

• Zuora - A subscription-based software that enables a company to launch, manage, and transform into a subscription business.

Launch a configured app - end user workflow

July 23, 2021

As an end user, you must do the following:

1. Download the Citrix Workspace app from https://www.citrix.com/downloads. In the Find Downloads list, select Citrix Workspace app.

2. Log on and search for your SaaS apps. Click the app to launch it.

You can now use the SaaS app from within the Citrix Workspace app or from the Citrix Workspace web portal.

Depending on the admin configured settings, your SaaS apps open by using the browser engine within the Workspace app or you are redirected to a secure browser.

The following diagram shows the high-level flow for the Citrix Workspace app.

The following diagram shows the high-level flow for the Citrix Workspace web portal.

Read-only access for admins to SaaS and Web apps

July 23, 2021

Organizations usually comprise multiple administrators and admins must be provided with different levels of access privileges. Security admin teams using the Secure Workspace Access service can provide granular controls, such as read-only access to admins. Administrators who do not add or modify an app can be provided with read-only access to view the app details. Secure Workspace Access service admins with read-only access cannot perform the following tasks.

• Add Enterprise Web or SaaS apps.

• Add new Gateway connectors in existing or new resource locations.

How to provide read only access to admins

After signing in to Citrix Cloud, select Identity and Access Management from the menu. On the Identity and Access Management page, click Administrators. The console shows all the current administrators in the account.

Add an administrator with read only access

1. In Add administrators, select the identity provider from which you want to select the administrator. Sometimes, Citrix Cloud might prompt you to sign in to the identity provider first (for example, Azure Active Directory).

2. If Citrix Identity is selected, enter the user’s email address and then click Invite.

3. If Azure Active Directory is selected, type the name of the user you want to add and then click Invite.

4. Select Custom access. The following options appear:

• Select Full Access Administrator (Technical Preview) – Provides full access.

• Read Only Administrator (Technical Preview) – Provides read-only access.

5. Select Read Only Administrator (Technical Preview).

6. Click Send Invite.

Important:

• When you provide Read Only Administrator access to Citrix Gateway Service admins, you must also enable Library from the General Management list for those admins. Only then is the View option for the apps enabled for the admins.

• The Add a Web/SaaS App button is disabled for users with Read Only Administrator access.

To view the app details when admins have read only access

1. After signing in to Citrix Cloud, select Library from the menu.

2. Select the app whose details you want to view and click the ellipsis. Only the View option is enabled. All other options are disabled.

3. Click View.

Diagnostic logs for Enterprise Web and SaaS apps access - Preview

March 22, 2022

The Citrix Secure Workspace Access events are now integrated with Citrix Analytics. Citrix Analytics provides a public endpoint that enables admins to access and download the events. These events can be accessed through a PowerShell script.

Citrix Secure Workspace Access customers can now access this script and run the script in their environment to view the diagnostic logs. Customers can then use the logs to troubleshoot or debug SaaS/web apps access failures reported by their end users.

Points to note

• Presently, there is no user interface to troubleshoot or debug the Enterprise Web/SaaS apps access failure logs. User interface support is planned for future releases.

• The PowerShell script can be downloaded from https://citrix.sharefile.com/d-s3096b922f9dd41c38d906c94b818ef26.

• To run the PowerShell script, you must enter a client ID and Secret in the script.

Following are the steps to create a client ID and Secret using Citrix Cloud user interface.

1. From the Citrix Cloud menu, select Identity and Access Management.

2. On the Identity and Access Management tile, select the API Access tab.

3. Provide a name for Secure Client and click Create Client.

4. Click Download on the following screen to download your ID and Secret.

To run the PowerShell script and save the diagnostic logs, open a PowerShell tool in your machine and type the following commands.

Set-ExecutionPolicy RemoteSigned

Note: You must set the PowerShell Execution Policy to RemoteSigned or Unrestricted to allow local PowerShell scripts to be run.

For more information about the PowerShell Execution Policy, see the Microsoft PowerShell article about Execution Policies.

To download the diagnostic logs:

1. Import-Module <location of the locally downloaded PowerShell script>

2. Get-CitrixSecurePrivateAccessLogs -clientId <> -customer <> -timeRange <> -outFile <>

3. Enter the client secret.

The diagnostic logs get saved in the file specified under the outFile parameter in the previous command.

Parameter description:

• ClientId – Client ID created and downloaded from Citrix Cloud UI

• ClientSecret - Client secret created and downloaded from Citrix Cloud UI

• Customer - ID to be taken from the Citrix Cloud UI -> Identity and Access Management -> API Access

• OutFile - Location where you want to save your output log file

Example command:

Get-CitrixSecurePrivateAccessLogs -clientId "cd720b41-21f2-3232-9cc8-34c90kcm73f2" -customer "j5d24a513k3r" -timeRange "2022-01-25T00:00:00.000Z,2022-01-30T00:00:00.000Z" -outFile "C:\diagnosticLogs.csv"

Audit logs - Preview

March 22, 2022

Secure Workspace Access service related events are now captured in the Citrix Cloud > System Log. All the events that an admin performs in the Citrix Secure Workspace service are sent to Citrix Cloud and captured in the System Logs. The admin events include, but are not limited to, the following:

• Configuring a Web or a SaaS app

• Subscribing an app

• Deleting an app

• Configuring a contextual policy

The following figure displays the Secure Workspace Access related events in the System Log.

For details such as exporting events, retrieving events for a specific time period, forwarding log events, and data retention, see System Log.

Route tables to resolve conflicts if the related domains in both SaaS and web apps are the same

October 8, 2021

The application domains feature of the Citrix Secure Workspace Access service enables customers to make routing decisions that allow related domains of applications to be routed externally or internally through Citrix Gateway connectors.

Consider that the customer has configured the same related domains within both a SaaS app and an internal web app. For example, if Okta is the SAML IdP for both Salesforce (SaaS app) and Jira (internal web app), then the admin might configure *.okta.com as a related domain in both apps’ configuration. This leads to a conflict and the end user experiences inconsistent behavior. In this scenario, the admin can define rules to route these applications either externally or internally through the Citrix Gateway Connectors, as per the requirement.

The Application Domains feature also enables admins to configure the Citrix Gateway connectors to bypass the customer’s web proxy servers to reach the internal web servers. These bypass policies were previously configured manually by running the NSCLI commands on the Citrix Gateway connector.

How the route table works

The admins can define the route type for the apps as External, Internal, or External via Gateway Connector depending on how they want to define the traffic flow.

• External – The traffic flows directly to the internet.

• Internal – The traffic flows via the Gateway Connector.

  – For a web app, the traffic flows within the data center.

  – For a SaaS app, the traffic is routed outside the network through the Citrix Gateway Connector.

• Internal – bypass proxy - The domain traffic is routed through Citrix Cloud Gateway Connectors, bypassing the customer’s web proxy configured on the Gateway Connector.

• External via Gateway Connector - The apps are external but the traffic must flow through the Citrix Gateway Connector to the outside network.

Note:

• Route entries do not impact the enhanced security policies that are configured on the apps.

• If admins do not intend to use an entry in the route table or if the corresponding apps are not working as intended, admins can simply disable the entry instead of deleting it.

• All Citrix Gateway Connectors for a particular customer, irrespective of the app type, get the SSO settings. Previously, the SSO setting for a particular app was tied to a resource location.

Main route table

The main route table is accessible from the Secure Workspace Access tile.

1. Log on to Citrix Cloud account.

2. On the Secure Workspace Access tile, click Manage.

3. In the Secure Workspace Access page, click Manage, and then click Application Domains.

The main route table displays the following columns.

• FQDN: FQDN for which the type of traffic routing is desired to be configured.

• Type: App type. Internal, External, or External via Gateway Connector as selected when adding the app.

Important:

If there are conflicts, then an alert icon is displayed for the respective row in the table. To resolve the conflict, admins must click the triangular icon and change the app type from the main table.

• Resource location: Resource location for routing of type Internal. If a resource location is not allocated, a triangular icon appears in the Resource location column for the respective app. When you hover on the icon, the following message is displayed.

Missing resource location. Ensure that a resource location is associated with this FQDN.

• Status: The toggle switch in the Status column can be used to disable the route for a route entry without deleting the app. When the toggle switch is turned OFF, the route entry does not take effect. Also, if FQDNs of exact match exist, admins can select the route to be enabled or disabled.

• Comments: Displays comments, if any.

• Actions: The edit icon is used to add a resource location or change the type of route entry. The delete icon is used to delete the route.
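
The two alert conditions of the main route table and the effect of the Status toggle, modelled as an added example (this is not Citrix code; the RouteEntry class, its field names, the sample host names and the exact-match comparison are assumptions made for illustration). It flags FQDNs that enabled rows route in more than one way, lists Internal rows with no resource location, and shows that disabling one row clears the conflict.

```python
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Route types listed on the page.
EXTERNAL = "External"
INTERNAL = "Internal"
INTERNAL_BYPASS = "Internal - bypass proxy"
EXTERNAL_VIA_CONNECTOR = "External via Gateway Connector"
ROUTE_TYPES = {EXTERNAL, INTERNAL, INTERNAL_BYPASS, EXTERNAL_VIA_CONNECTOR}


@dataclass(frozen=True)
class RouteEntry:
    """One row of a route table (hypothetical model, not a Citrix schema)."""
    fqdn: str
    route_type: str
    app: str                                  # app that contributed the row
    resource_location: Optional[str] = None
    enabled: bool = True                      # the Status toggle


def normalize(fqdn: str) -> str:
    """Lower-case and drop a trailing dot so equal names compare equal."""
    return fqdn.strip().lower().rstrip(".")


def find_conflicts(entries: List[RouteEntry]) -> Dict[str, List[str]]:
    """Map each FQDN that enabled rows route in more than one way to its types."""
    types_by_fqdn = defaultdict(set)
    for entry in entries:
        if entry.route_type not in ROUTE_TYPES:
            raise ValueError(f"unknown route type: {entry.route_type!r}")
        if entry.enabled:                     # a disabled row takes no effect
            types_by_fqdn[normalize(entry.fqdn)].add(entry.route_type)
    return {f: sorted(t) for f, t in types_by_fqdn.items() if len(t) > 1}


def missing_resource_locations(entries: List[RouteEntry]) -> List[str]:
    """FQDNs of enabled Internal rows that have no resource location."""
    return sorted({normalize(e.fqdn) for e in entries
                   if e.enabled and e.route_type == INTERNAL
                   and not e.resource_location})


def disable(entries: List[RouteEntry], fqdn: str, app: str) -> List[RouteEntry]:
    """Return a copy of the table with one app's row for fqdn switched off."""
    target = normalize(fqdn)
    return [replace(e, enabled=False)
            if normalize(e.fqdn) == target and e.app == app else e
            for e in entries]


# Constructed sample: Okta is the SAML IdP for both apps, as in the page's example.
SAMPLE = [
    RouteEntry("salesforce.example.com", EXTERNAL, app="Salesforce"),
    RouteEntry("*.okta.com", EXTERNAL, app="Salesforce"),
    RouteEntry("jira.corp.example", INTERNAL, app="Jira", resource_location="DC-1"),
    RouteEntry("*.Okta.com.", INTERNAL, app="Jira", resource_location="DC-1"),
    RouteEntry("wiki.corp.example", INTERNAL, app="Wiki"),
]

if __name__ == "__main__":
    print("conflicts:", find_conflicts(SAMPLE))
    print("missing resource location:", missing_resource_locations(SAMPLE))
    fixed = disable(SAMPLE, "*.okta.com", app="Salesforce")
    print("after disabling the Salesforce row:", find_conflicts(fixed))
```
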

Add an FQDN to the Application Domains table

Admins can add an FQDN into the Application Domains table and choose the appropriate routing type for it.

1. Click Add in the Application Domains page.

2. Enter the FQDN name and select the appropriate routing type for the FQDN.

Mini route table

A mini version of the Application Domains table is available to make the routing decisions during app configuration. The mini route table is available in the App Connectivity section in the Citrix Gateway Service user interface.

To add routes to the mini route table

The steps to add an app in the Citrix Gateway Service UI remain the same as described in the topics Support for software as service apps and Support for Enterprise web apps except for the following two changes:

1. Complete the following steps:

• Choose a template.

• Enter app details.

• Choose enhanced security details, as applicable.

• Select the single sign-on method, as applicable.

2. Click App Connectivity. A mini version of the Application Domains table is available to make the routing decisions during app configuration.

• Domains: The Domains column displays one or more rows for a particular app. The first row displays the actual app URL that the admin has entered while adding the app details. The other rows are all related domains that are entered while adding the app details. If the app URL and the related domains are same, they are displayed in one row.

One row displays the SAML assertion URL, if SAML SSO is selected.

• Type: Select one of the following options.

  – External – The traffic flows directly to the internet.

  – Internal – The traffic flows via the Gateway Connector and the app is treated as a web app.

    * For a web app, the traffic flows within the data center.

    * For a SaaS app, the traffic is routed outside the network through the Citrix Gateway Connector.

  – Internal – bypass proxy - Domain traffic is routed through Citrix Cloud Gateway Connectors, bypassing the customer’s web proxy configured on the Gateway Connector.

  – External via Gateway Connector – The apps are external but the traffic must flow via the Citrix Gateway Connector to the outside network.

• Resource Location: Autopopulated when you select the type Internal for an app. Change it if a different resource location is desired.

• Gateway Connector Status: Autopopulated, along with resource location, when you select the type Internal for an app.

Note:

You can also add a Gateway Connector in a new resource location using the “Install Gateway Connector” link and get the activation code for registration. For details, see Ways to install Citrix Gateway Connector.

Adaptive access and security controls for Enterprise Web and SaaS applications – Preview

March 1, 2022

In today’s ever-changing situations, application security is vital for any business. Making context-aware security decisions and then enabling access to the applications reduces the associated risks while enabling access to users.

The Citrix Secure Workspace Access service adaptive access feature offers a comprehensive zero-trust access approach that delivers secure access to the applications. Adaptive access enables admins to provide granular level access to the apps that users can access based on the context. The term “context” here refers to:

• Users and groups (users and user groups)
• Devices (desktop or mobile devices)
• Location (geo-location or network location)
• Device posture (device posture check)
• Risk (user risk score)

The adaptive access feature applies adaptive policies to the applications that are being accessed. These policies determine the risks based on the context and make dynamic access decisions to grant or deny access to the Enterprise Web or SaaS apps.

How it works

To grant or deny access to applications, admins create policies based on the users, user groups, the devices from which the users access the applications, the location (country or network location) from where the user is accessing the application, and the user risk score.

The adaptive access policies take precedence over the application specific security policies that are configured while adding the SaaS or a Web app in the Secure Workspace Access service.

For example, consider that the Microsoft Word app is subscribed to users, Emp1 and Emp2. The enhanced security options such as restrict printing, restrict downloads, and display watermark are enabled for the application while adding the app in the Secure Workspace Access service.

The admin must create a policy to apply app level policy. If the adaptive policy does not match based on the context, it automatically falls back to app level policy. Then, the admin can create another policy with no adaptive security controls for Emp2.

In this scenario, the enhanced security options are applied when Emp1 accesses the app. However, for Emp2, the adaptive access policy overwrites the app level policies and hence the enhanced security options are not enforced for Emp2.


The adaptive access policies are evaluated in three scenarios:

• During a Web or a SaaS app enumeration from the Secure Workspace Access service – If the application access is denied to this user, the user cannot see this application in the workspace.

• While launching the application – After you have enumerated the app and if the adaptive policy is changed to deny access, users cannot launch the app even though the app was enumerated earlier.

• When the app is opened in an embedded browser or a Secure Browser service – The embedded browser enforces some security controls. These controls are enforced by the client. When the embedded browser is launched, the server evaluates the adaptive policies for the user and returns those policies to the client. The client then enforces the policies locally in the embedded browser.

Customers entitled for adaptive access

Customers entitled for the Citrix Secure Workspace Access service get the adaptive access feature at no additional cost. In addition, the adaptive access feature must be enabled for that customer.

Create an adaptive access policy

1. On the Secure Workspace Access service tile, click Manage.

2. Click the Manage tab and then click Adaptive Access.

3. Click Create Policy.

4. FOR USERS OF THESE APPLICATIONS - This field lists all the applications that an admin has configured in the Secure Workspace Access service. Admins can select the applications to which this adaptive policy must be applied.


5. IF THE FOLLOWING CONDITION IS MET - Select the context for which this adaptive access policy must be evaluated.

6. Click Add Condition to add extra conditions, based on your requirement. An AND operation is performed on the conditions, and then the adaptive access policy is evaluated.

7. THEN DO THE FOLLOWING - If the set condition matches, admins can select the action to be performed for the users accessing the application.

• Deny access – When selected, access to the apps is denied. All other options are grayed out.

• Allow app access with the following security controls – Select one of the preset security policy combinations. These security policy combinations are predefined in the system. Admins cannot modify or add other combinations.

To apply a different preset security policy to the same set of applications that you have selected, the admins have to create a policy and then select the security policy combination.

• App access from Citrix Workspace desktop clients only - Select this option to allow users to access apps from the Citrix Workspace desktop clients only.

• Launch an application through the secure browser – Select this option to always launch an application in the Secure Browser service regardless of other enhanced security settings.

Note:

• The options Preset 4, Preset 5, and Preset 6 are enabled only for Enterprise web apps. If an admin has selected a SaaS app along with web apps in the list of apps, then the options Preset 4, Preset 5, and Preset 6 are disabled.

• Admins can select a preset security policy and also select the option to launch an application through the secure browser in the same policy. Both the conditions are independent of each other.

8. In POLICY NAME, enter the name of the policy.

9. Turn the toggle switch ON to enable the policy.

10. Click Create Policy.

Adaptive access based on users or groups

To configure an adaptive access policy based on users or groups, use the Create an adaptive access policy procedure with the following changes.

• In IF THE FOLLOWING CONDITION IS MET, select Users or groups.

• If you have configured multiple users or groups, then select one of the following as per your requirement.

– Match all of – The users or groups must match all the users or groups configured in the database.

– Does not match any – The users or groups do not match with the users or groups configured in the database.

• Complete the policy configuration.


Adaptive access based on devices

To configure an adaptive access policy based on the platform (mobile device or a desktop computer) from which the user is accessing the application, use the Create an adaptive access policy procedure with the following changes.

• In IF THE FOLLOWING CONDITION IS MET, select Desktop or Mobile device.
• Complete the policy configuration.

Adaptive access based on the location

An admin can configure the adaptive access policy based on the location from where the user is accessing the application. The location can be the country from where the user is accessing the application or the user’s network location. The network location is defined using an IP address range or subnet addresses.

To configure an adaptive access policy based on the location, use the Create an adaptive access policy procedure with the following changes.

• In IF THE FOLLOWING CONDITION IS MET, select Geo-location or Network location.

• If you have configured multiple geo-locations or network locations, then select one of the following as per your requirement.

– Match all of – The geographic locations or network locations must match all the geographic locations or network locations configured in the database.

– Does not match any – The geographic locations or network locations do not match with the geographic locations or network locations configured in the database.

Note:

– If you select Geo-location, the source IP address of the user is evaluated with the IP address database. If the IP addresses of the user and the address available in the database match, the policy is applied. If the IP addresses do not match, this adaptive policy is skipped and the next adaptive policy is evaluated.

– For Network location, you can select an existing network location or create a network location. To create a new network location, click Create network location.

Important:

When you create a network location, the new network location might not be visible in the drop-down list instantly. It might take around 5 minutes for the new network location to appear in the drop-down list.


– You can also create a network location from the Citrix Cloud console. For details, see Citrix Cloud network location configuration.

• Complete the policy configuration.


Adaptive access based on the device posture

The Citrix Secure Workspace Access service provides adaptive access based on a device posture by using an on-premises Citrix Gateway or a customer hosted Citrix Gateway (adaptive authentication) as an IdP to Citrix Workspace. The Enterprise Web or SaaS apps can either be enumerated or hidden from the end user based on the EPA check results and the configured smart access policy.

Note: Adaptive authentication is a Citrix Cloud service that enables advanced authentication for users logging in to Citrix Workspace. Adaptive authentication provides a gateway instance running in the cloud, and you can configure the authentication mechanism for this instance, as required.

Prerequisites

• Citrix Gateway as an IdP must be configured for Citrix Workspace. For details, see Use an on-premises Citrix Gateway as the identity provider for Citrix Cloud.

• Citrix ADC release version 13.0 Build 82.109 or later.
• Smart access tags are configured on the Citrix Gateway appliance.

Understanding the flow of events

• User enters the Workspace URL into a browser or connects to a Workspace Store using a native Citrix Workspace App.

• User is redirected to the Citrix Gateway configured as an IdP.
• User is prompted to allow an EPA check to be performed on the device.
• Citrix Gateway performs an EPA check after the user consents to scan the device and writes the smart access tags to CAS against the device ID.


• User logs in to Citrix Workspace using Citrix Gateway IdP and the configured authentication mechanism.

• Citrix Gateway provides smart access policy information to Citrix Workspace and Secure Workspace Access.

• User is redirected to the Citrix Workspace home page.
• Citrix Workspace processes the smart access tags provided by the Citrix Gateway configured as an IdP, and then determines the apps that must be enumerated and displayed to the end user.

Configuration scenario – Enterprise Web or SaaS app enumeration based on device posture scans

Step 1: Configure smart access policies using Citrix Gateway GUI

1. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies > Smart Access > Profiles.

2. On the Profiles tab, click Add to create a profile.

3. In Tags, enter the smart access tag name. This is the tag that you must enter manually when creating the adaptive access policy.

4. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies > Smart Access > Policies.

5. Click Add to create a policy.

6. In Action, select the previously created profile and click Add.

7. In Expression, create the policy expression and click OK.

Step 2: Create an adaptive access policy

Perform the steps detailed in Create an adaptive access policy procedure with the following changes.

• In IF THE FOLLOWING CONDITION IS MET, select Device posture check.
• If you have configured multiple smart access tags, then select one of the following as per your requirement.

– Match all of – The device ID must match all the smart access tags written against the device ID when you log in to Citrix Workspace.

– Match any of – The device ID must match one of the tags written against the device ID when you log in to Citrix Workspace.

– Does not match any - The device ID does not match against the device ID when you log in to Citrix Workspace.

• In Enter custom tags, manually type the smart access tag. These tags must be similar to the tags configured in Citrix Gateway (Create Authentication Smart Access Profile > Tags).

Points to note

• Posture evaluation occurs only when you log on to Citrix Workspace (only during the authentication).

• In the current release, continuous device posture evaluation is not done. If the device context changes after the user logs on to Citrix Workspace, then the policy conditions do not have any impact on the device posture evaluation.

• Device ID is a GUID generated for each end user device. Device ID might change if the browser used to access Citrix Workspace is changed, cookies are deleted or incognito/private mode is used. However, this change does not impact the policy evaluation.

Adaptive access based on user risk score

User risk score is a scoring system to determine the risks associated with the user activities in your enterprise. Risk indicators are assigned to user activities that look suspicious or can pose a security threat to your organization. The risk indicators are triggered when the user’s behavior deviates from the normal. Each risk indicator can have one or more risk factors associated with it. These risk factors help you to determine the type of anomalies in the user events. The risk indicators and their associated risk factors determine the risk score of a user. The risk score is calculated periodically and there is a delay between the action and the update in the risk score. For details, see Citrix user risk indicators.

To configure an adaptive access policy with risk score, use the Create an adaptive access policy procedure with the following changes.

• In IF THE FOLLOWING CONDITION IS MET, select User risk score.

• Configure the adaptive access policy based on the following three types of user risk conditions.

– Preset tags fetched from CAS service

* LOW

* MEDIUM

* HIGH

– Threshold types

* Greater than or equal to

* Less than or equal to

– A number range

* Range
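The evaluation this section describes (conditions in one policy combined with AND, a non-matching policy skipped in favor of the next one, and fallback to the app-level policy when no adaptive policy matches), modeled in Python as an added example; it is not Citrix code. The first-match ordering, the numeric risk scores, the tag name compliant, the subnet, and the policy names are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


def set_op(op, configured, present):
    """Apply a condition's selector to the configured and the observed values."""
    configured, present = set(configured), set(present)
    if op == "match_all":      # every configured value is present
        return configured <= present
    if op == "match_any":      # at least one configured value is present
        return bool(configured & present)
    if op == "not_any":        # none of the configured values is present
        return not (configured & present)
    raise ValueError(f"unknown selector: {op}")


def condition_met(cond, ctx):
    """Evaluate one (kind, selector, value) condition against a log-on context."""
    kind, op, value = cond
    if kind == "users_or_groups":
        return set_op(op, value, {ctx["user"], *ctx["groups"]})
    if kind == "device_posture":
        # Tags are the ones written at log-on; they are not re-evaluated later.
        return set_op(op, value, ctx["tags"])
    if kind == "network_location":
        ip = ipaddress.ip_address(ctx["source_ip"])
        containing = {net for net in value if ip in ipaddress.ip_network(net)}
        return set_op(op, value, containing)
    if kind == "risk_score":
        score = ctx["risk_score"]
        if op == "gte":
            return score >= value
        if op == "lte":
            return score <= value
        if op == "range":
            return value[0] <= score <= value[1]
    raise ValueError(f"unsupported condition: {kind}/{op}")


@dataclass
class AdaptivePolicy:
    name: str
    apps: frozenset
    conditions: list           # all conditions must hold (AND)
    action: str                # "deny" or "allow"
    controls: tuple = ()       # security controls applied when action is "allow"
    enabled: bool = True


def evaluate(app, ctx, policies, app_level_controls):
    """Return the access decision for one app and one log-on context."""
    for policy in policies:
        if not policy.enabled or app not in policy.apps:
            continue
        if all(condition_met(c, ctx) for c in policy.conditions):
            if policy.action == "deny":
                return {"access": "deny", "controls": (), "source": policy.name}
            return {"access": "allow", "controls": policy.controls, "source": policy.name}
    # No adaptive policy matched: fall back to the app-level enhanced security.
    return {"access": "allow", "controls": app_level_controls, "source": "app-level policy"}


# Constructed sample data mirroring the Emp1/Emp2 scenario in this section.
WORD = frozenset({"Microsoft Word"})
APP_LEVEL_CONTROLS = ("restrict printing", "restrict downloads", "display watermark")
POLICIES = [
    AdaptivePolicy("deny-unscanned-device", WORD,
                   [("device_posture", "not_any", {"compliant"})], "deny"),
    AdaptivePolicy("deny-risky-offnet", WORD,
                   [("risk_score", "gte", 80),
                    ("network_location", "not_any", {"10.20.0.0/16"})], "deny"),
    AdaptivePolicy("emp2-no-controls", WORD,
                   [("users_or_groups", "match_all", {"Emp2"})], "allow", ()),
]


def login_context(user, groups=(), tags=("compliant",), source_ip="10.20.5.7", risk_score=10):
    """Build the context captured when the user logs on (constructed values)."""
    return {"user": user, "groups": set(groups), "tags": set(tags),
            "source_ip": source_ip, "risk_score": risk_score}
```

A high risk score alone does not trigger deny-risky-offnet here: both conditions must hold, so the same user on the corporate subnet falls through to the app-level controls.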


Web filtering

November 5, 2021

The web filtering feature evaluates the risk of each hyperlink selected within the SaaS application. Accessing these sites and monitoring changes in user behavior increases the user’s overall risk score because it signals that the endpoint device is compromised and has started to infect or encrypt data, or that the user and device are stealing intellectual property.

How web filtering works

1. A URL analysis check is done to determine if the URL is a Citrix service URL.
2. The URL is then checked to determine if it is an Enterprise web or SaaS app URL.
3. The URL is then checked to determine if it is identified as a blocked URL, if it must be redirected to a secure browser session, or if the URL can be allowed to be accessed.

Note: The block, redirect, and allow URL analysis is also performed at the category level.

Configure website filtering

July 23, 2021

Configure web filtering for internet access from SaaS apps. If you have added a SaaS app from the Secure Workspace Access service, to return to the Citrix Secure Workspace Access service, click the hamburger icon on the top left of the navigation pane. In My Services list, select Secure Workspace Access. Click Configure content access settings.

Configure web filtering for internet access from SaaS apps

You are now ready to configure content access settings for your end users accessing the SaaS apps. For example, a link within a SaaS app can point to a malicious website. With content access settings, an administrator can take a specific website URL or a website category and allow access, block access, or redirect the request to a hosted, secure browser instance, helping to prevent browser-based attacks. For more information about the secure browser service, see Secure Browser Standard Service documentation at Secure Browser Standard Service.

Note:

A paid Secure Browser Standard Service customer (organization) gets 5,000 hours of use per year by default. For more hours, they need to buy secure browser add-on packs. You can track the usage of the Secure Browser Service. For more information, see Monitor usage.

The following illustration explains the end user traffic flow.

When a request arrives, the following checks are performed, and corresponding actions are taken:

1. Does the request match the global allow list?

a) If it matches, the user can access the requested website.

b) If it does not match, website lists are checked.

2. Does the request match the configured website list?

a) If it matches, the following sequence determines the action.

i. Block

ii. Redirect

iii. Allow

b) If it does not match, website categories are checked.

3. Does the request match the configured website category?


a) If it matches, the following sequence determines the action.

i. Block

ii. Redirect

iii. Allow

b) If it does not match, the default action (ALLOW) is applied. The default action cannot be changed.
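The check order above, written out in Python as an added example; it is not Citrix code. It reads "the following sequence determines the action" as block, then redirect, then allow, with the first match winning, and it matches entries in the wildcard form the website list feature accepts (such as *.example.com/*). The host-versus-path matching rule, the hosts, and the host-to-category table are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

ACTION_ORDER = ("block", "redirect", "allow")   # sequence inside a list or category set
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def host_and_path(url):
    """Return (lower-case host, path) for a URL; the scheme is optional."""
    parts = urlsplit(url if _SCHEME.match(url) else "//" + url)
    return (parts.hostname or "").lower(), parts.path or "/"


def entry_matches(entry, host, path):
    """Match a website-list entry such as '*.example.com/*' against a request.

    The host part of the entry is compared only with the request host and the
    path part only with the request path, so a wildcard cannot be satisfied by
    a look-alike string placed in the path of a different site.
    """
    pat_host, slash, pat_path = _SCHEME.sub("", entry).partition("/")
    pat_path = "/" + pat_path if slash else "/*"   # assumption: bare host covers all paths
    return fnmatchcase(host, pat_host.lower()) and fnmatchcase(path, pat_path)


@dataclass
class ContentAccessSettings:
    global_allow: list = field(default_factory=list)
    website_lists: dict = field(default_factory=dict)   # action -> list of entries
    categories: dict = field(default_factory=dict)      # action -> set of category names


def decide(url, settings, categorize):
    """Return (action, reason) for one request, following the documented order."""
    host, path = host_and_path(url)

    def listed(entries):
        return any(entry_matches(e, host, path) for e in entries)

    # 1. Global allow list.
    if listed(settings.global_allow):
        return "allow", "global allow list"
    # 2. Configured website lists: block, then redirect, then allow.
    for action in ACTION_ORDER:
        if listed(settings.website_lists.get(action, ())):
            return action, "website list"
    # 3. Configured website categories, same sequence.
    category = categorize(host)
    for action in ACTION_ORDER:
        if category in settings.categories.get(action, ()):
            return action, "website category: " + category
    # 4. Nothing matched: the default action is ALLOW.
    return "allow", "default action"


# Constructed sample data: reserved example domains, and a small table that
# stands in for the commercial categorization database.
SAMPLE_CATEGORIES = {
    "www.facebook.example": "Facebook: Groups",
    "www.instagram.example": "Instagram",
    "login.phish.test": "Phishing Sites",
}
SAMPLE_SETTINGS = ContentAccessSettings(
    global_allow=["*.corp.example/*"],
    website_lists={"block": ["*.example.com/*"], "allow": ["docs.example.com/public/*"]},
    categories={"block": {"Phishing Sites"}, "redirect": {"Instagram"},
                "allow": {"Facebook: Groups"}},
)


def sample_decision(url):
    """Decide one URL against the constructed sample settings."""
    return decide(url, SAMPLE_SETTINGS, SAMPLE_CATEGORIES.get)
```

Two results are worth checking when reviewing a real configuration: an entry that appears in both the block and the allow website lists resolves to block, and a global allow entry is not satisfied by its own name appearing in the path of another host.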

Perform the following steps to configure enhanced security settings.

1. Click Configure Content Access.

2. Configure website category filtering or website lists or both.

Configure website category filtering

Website categorization restricts user access to specific website categories. Administrators can select from a preset list or customize the categories depending on the deployment. The preset list enables organizations to filter web traffic by using a commercial categorization database. The auto-updating database classifies billions of websites into different categories, such as social networking, gambling, adult content, new media, and shopping. In addition to categorization, each website has a reputation score kept up-to-date based on the site’s historical risk profile. Presets are classified as strict, moderate, lenient, none, and custom. Administrators can tweak presets to add or remove website categories.

• Strict preset minimizes the risk of accessing unsecured or malicious websites. End users can still access websites with low risk. Includes most business travel and social media websites.

• Moderate preset minimizes the risk while allowing more categories with low probability of exposure from unsecure or malicious sites. Includes most business travel, leisure, and social media websites.

• Lenient preset maximizes access while still controlling risk from illegal and malicious websites.
• None preset allows all categories.
• Custom allows configuring custom filtering of categories.

Perform the following steps to configure website category filtering.

1. Enable Filter website categories.

2. Click Add in the respective section to block website categories, allow website categories, or redirect the user to a secure browser. For example, to block categories, in the blocked categories section, click Add.

3. Select the categories to block from the list and click Add.


4. To allow categories, in the allowed categories section, click Add. Select the categories to allow from the list and click Add.

5. To redirect users to a secure browser, in the redirected to secure browser categories section, click Add. Select the categories from the list and click Add.

6. Click Save.


Configure website lists filtering

The website list feature enables you to control access to specific websites. You can use wildcards, such as *.example.com/*, to control access to all the domains in that website and all the pages within that domain.

Perform the following steps to configure website lists filtering.

1. Enable Filter website list. Click Add in the respective section to block websites, allow websites, or redirect the user to a secure browser. For example, to block websites, in the blocked categories section, click Add.

2. Enter a website that users cannot access and click Add.

3. To allow websites, in the allowed websites section, click Add. Enter the website that users can access and click Add.


4. To redirect users to a secure browser, in the redirected to secure browser websites section, click Add. Enter a website that end users can access only from a Citrix hosted browser and click Add.

5. Click Save for the changes to take effect.

Available categories list for Citrix Secure Workspace Access

July 23, 2021

Categories restrict user access to specific websites and website categories. Enterprise customers can filter web traffic by using a commercial categorization database that is available in the Citrix Secure Workspace Access service. This database has many URLs classified into different categories, such as social networking, gambling, adult content, new media, and shopping. When you select categories to add, block, or redirect to a secure browser, advanced policies are created internally to filter your traffic.

For example, you might want to block access to dangerous sites, such as sites known to be infected with malware. You might want to selectively restrict access to content, such as adult content or entertainment streaming media for enterprise users.

List of third party categories and category groups:

• Adult
– Adult/Porn
– Nudity
– Sexual Services
– Adult Search/Links
– Illegal Activities
– Dating
– Grotesque
– Adult Magazine/News
– Fetish
– Sexual Expression(text)
– Sex Education

• Business & Industry
– Swimsuits & Lingerie
– Business & Industry
– Translators
– Auctions
– Shopping/Retail
– Real Estate
– IT Online Shopping
– Side Business
– Smoking
– Alcoholic Products
– Automotive
– Business & Commercial
– Ringtones
– Emoticons
– Mobile Operators
– Agriculture
– Associations/Trade Groups/Unions
– Books/ebooks
– Piracy & Copyright Theft
– Transport Service & Freight

• Computing & Internet
– Advertisements/Banners
– Computing & Internet
– Mobile Apps & Publishers
– Content Delivery Networks & Infrastructure
– Hosting Sites
– Parked Domains
– DDNS

• Downloads
– Downloads
– Program Downloads
– Storage Services
– Mobile App Stores

• Email
– Web-based Mail
– Email Subscriptions

• Finance
– Market Rates
– Online Trading
– Insurance
– Financial Products

• Gambling
– Gambling in general
– Lottery
– Sweepstakes/Prizes

• Health
– Health
– Hate

• Illegal/Harmful
– Illegal Activities
– Illegal Drugs
– Medication
– Marijuana
– Terrorism/Extremists
– Weapons
– Hate/Slander
– Violence/Suicide
– Advocacy in general

• Jobs & Resumes
– LinkedIn
– LinkedIn: Updates
– LinkedIn: Mail
– LinkedIn: Connections
– LinkedIn: Jobs
– Employment
– Career Advancement

• Malware & SPAM
– Hacking/Cracking
– Malware
– Malicious and Dangerous
– SPAM
– Spyware
– Botnets
– Infected Sites
– Phishing Sites
– Key loggers
– Mobile Malware
– BOT Phone Home

• Messaging/Chat/Telephony
– Web based Chat
– Instant Messages
– Internet Telephony
– Military
– SMS & Mobile Telephony Services

• News/Entertainment/Society
– Online games
– Games
– Personal Web Pages/Blogs
– Personal Web Pages/Blogs
– Streaming Media
– Special Events
– Popular Topics
– Drinking
– Sexual Expression(text)
– Costume Play/Enjoyment
– Occult
– Home & Family
– Professional Sports
– Sports in general
– Life Events
– Travel & Tourism
– Public Agency Tourism
– Public Transit
– Accommodations
– Music
– Horoscope/Astrology/Fortune Telling
– Entertainer/Celebrity
– Dining/Gourmet
– Entertainment/Venues/Activities
– Traditional Religions
– Religions
– Politics
– News
– Education
– Government
– Military
– Recreation & Hobbies
– Reference
– Kids Sites
– Arts & Cultural Events
– Philanthropy & Non-Profit Organizations
– Fashion & Beauty
– No Content
– Unsupported URL
– Law
– Local Communities
– Miscellaneous
– Online Magazines
– Pets/Veterinarian
– Recycling/Environment
– Science
– Society & Culture
– Photography & Film
– Museums & History
– eLearning
– Wordpress
– Wordpress: Posting
– Wordpress: Upload

• Private IP Address
– Private IP Addresses

• Peer-to-Peer/Torrents
– Peer to Peer/Torrents

• Remote Proxies
– Remote Proxies

• Search
– Search Engine Caches
– Ask.fm
– Ask.fm: Ask
– Ask.fm: Answer
– Search Engines & Portals

• Social Networking
– Social Networks in General
– Facebook
– Facebook: Posting
– Facebook: Commenting
– Facebook: Friends
– Facebook: Photo Upload
– Facebook: Events
– Facebook: Apps
– Facebook: Chat
– Facebook: Questions
– Facebook: Video Upload
– Facebook: Groups
– Facebook: Games
– Twitter
– Twitter: Posting
– Twitter: Mail
– Twitter: Follow
– YouTube
– YouTube: Commenting
– YouTube: Video Upload
– YouTube: Sharing
– Instagram
– Instagram: Upload
– Instagram: Commenting
– Instagram: Private Message
– Tumblr
– Tumblr: Posting
– Tumblr: Commenting
– Tumblr: Photo or Video Upload
– Google+
– Google+: Posting
– Google+: Commenting
– Google+: Photo Upload
– Google+: Video Upload
– Google+: Video Chat
– Pinterest
– Pinterest: Pin
– Pinterest: Commenting
– Vine
– Vine: Upload
– Vine: Commenting
– Vine: Message
– YikYak
– YikYak: Posting
– YikYak: Commenting
– Photo Search & Photo Sharing Sites
– Bulletin Boards
– IT Bulletin Boards

Use case: Configure an access policy to allow selective access to apps

July 23, 2021

Some organizations want to restrict access to web based email or social networking sites, as a policy, for security or other reasons. To configure this, they can select strict preset in the website filter categories. Strict preset minimizes the risk of accessing unsecured or malicious websites. End users can still access websites with low risk.

If your organization policy mandates strict preset, but wants to allow selective access to apps that are not productivity related, but are required for social interaction, follow these steps to configure settings in the Secure Workspace Access service. In the following configuration, the strict preset is selected, but is customized so that access to Facebook groups is allowed, and access to Instagram is through a secure browser.

1. Log on to Citrix Cloud.

2. On the Secure Workspace Access tile, click Manage.

3. Click Configure Content Access.

4. Enable Filter website categories.

5. Select Strict Preset.

6. In the allowed categories section, click Add. In Add Categories, select Facebook Groups. Click Add.

7. In the redirected to secure browser categories section, click Add. In Add Categories, select Instagram. Click Add.

8. Your settings appear in the allowed and redirect categories. Click Save.


Validation

To validate your configuration, you can publish a SaaS app for https://www.google.com with single sign-on disabled and have some users subscribed to the app.

• Launch the SaaS app from Citrix Workspace app (or Citrix Workspace web).
• After the app opens, search for Facebook, and click the link returned in the search. You must see the app launch.

• Search for Instagram, and click the link returned in the search. You must see the app launch in a secure browser.

• Search for any URL in the blocked category, and click the link returned. You must get access denied.

Monitor user activity and manage settings with analytics

July 23, 2021

Citrix Secure Workspace Access collates and presents information on the activities of users, such as websites visited and the bandwidth spent. It also reports bandwidth use and detected threats, such as malware and phishing sites. You can use these key metrics to monitor your network and take corrective actions.


Analytics tab

Citrix Secure Workspace Access provides four dashboards on the Analytics tab: User Security Dashboard, App Security Dashboard, User Operations Dashboard, and App Operations Dashboard. These dashboards display multiple sections that summarize the websites or applications accessed from the enterprise network, and also the activities performed by the users in the network.

The Manage tab on the dashboard page provides information on the filtered website lists and website categories. The following sections provide more information about each of the dashboards.

User security

The domains accessed by the users in your network are categorized based on the URL categorization configuration in the Citrix Secure Workspace Access service. The User Security dashboard summarizes the number of risky domains accessed and the volume of data uploaded and downloaded by the users in your network.

To access the User Security dashboard, from the Analytics tab, click User Security.

For the selected timeframe, in the User Access Summary section, the dashboard provides an overview of the number of malicious domains, dangerous domains, unknown domains, clean domains, and blocked URLs accessed by the users in your network and also the trend in accessing these domains by the users.


The widgets are represented based on the reputation score of the domains accessed by the user. The reputation score for the domains is assigned based on the URL categorization configuration in the Citrix Secure Workspace Access service. The widgets are represented as follows:

Widgets | Details
--- | ---
Malicious Access | Shows the number of the domains accessed by the users that have reputation score 4.
Dangerous Access | Shows the number of the domains accessed by the users that have reputation score 3.
Unknown Access | Shows the number of the domains accessed by the users that have reputation score 2.
Clear Access | Shows the number of the domains accessed by the users that have reputation score 1.
Blocked URL | Shows the number of the domains or URLs blocked by the Citrix Secure Workspace Access service.

Top Risky Users by Access

In the Top Risky Users by Access section, the dashboard provides the details of top users who have accessed the URLs or domains that are categorized as malicious or dangerous by the Citrix Secure Workspace Access service. It provides the user account name, the number of risky domains accessed by the user, and the total number of domains accessed by the user.


You can click More Details to view the complete list of users who have accessed the risky domains.

Top Risky Users by Data Download Volume

In the Top Risky Users by Data Download Volume section, the dashboard provides the details of the top users who have uploaded or downloaded a large volume of data from the domains that are categorized as malicious or dangerous by the Citrix Secure Workspace Access service. It provides the user account name and the volume of data uploaded or downloaded by the user from the risky domains.

You can click More Details to view the complete list of users who have uploaded or downloaded data from the risky domains.


App security

The App Security dashboard summarizes the details of the domains, URLs, and apps accessed by users in your network. To access the App Security dashboard, from the Analytics tab, click App Security.

For the selected timeframe, in the App Access Summary section, the dashboard provides an overview of the number of malicious domains, dangerous domains, unknown domains, and clean domains accessed by users in your network. It also provides the volume of data uploaded or downloaded from the risky domains.


Top risky domains by access

The Top Risky Domains by Access section provides details about the malicious or dangerous domains that were accessed most by the users in your network. It provides details such as:

• The URL of the risky domain.

• The category to which the domain is categorized by the Citrix Secure Workspace Access service.

• The action taken by the Citrix Secure Workspace Access service to mitigate the risk.

• The number of users who have accessed the URL, with the increase in trend of the number of users accessing the risky domain for the selected timeframe.


You can click More Details to view the complete list of malicious or dangerous domains that were accessed by the users in your network.

Top risky domains by data download volume

The Top Risky Domains by Data Download Volume section provides details about the top malicious or dangerous domains from which data was downloaded by users. The details are sorted by highest to lowest data volume. It provides details such as:

• The URL of the risky domain.

• The category to which the domain is categorized by the Citrix Secure Workspace Access service.

• The volume of data downloaded by users from the risky domain, with the increase in trend of the amount of data downloaded from the risky domain for the selected timeframe.


You can click More Details to view the complete list of malicious or dangerous domains that were accessed by the users in your network.


Top risky categories by access

The Top Risky Categories by Access section provides details of the category of domains that were accessed the highest number of times by the users in your network. It provides details such as:

• The category to which the domain is categorized by the Citrix Secure Workspace Access service.

• The number of users who have accessed the URL, with the increase in trend of the number of users accessing the risky domain for the selected timeframe.

• The number of transactions by users on the risky domain, with the increase in trend of the number of transactions by users on the risky domain for the selected timeframe.

• The number of transactions blocked by the Citrix Secure Workspace Access service.


You can click More Details to view the complete list of malicious or dangerous domains that were accessed by the users in your network.


Top risky categories by data download volume

The Top Risky Categories by Data Download Volume section provides details of the category of domains from which the highest amount of data was uploaded or downloaded by the users in the network. It provides details such as:

• The category to which the domain is categorized by the Citrix Secure Workspace Access service.

• The total volume of data uploaded or downloaded from the domain by users in your network.

• The amount of data downloaded from the domain by users.

• The amount of data uploaded to the domain by users.


You can click More Details to view the complete details of data uploaded or downloaded by the user from the domains.


User operations

The User Operations dashboard provides an overview of the total number of domains accessed by users in your network. It also provides the amount of data uploaded to or downloaded from the domains. To access the User Operations dashboard, from the Analytics tab, click User Operations.


Top users by transactions

The Top Users by Transactions section lists the transactions performed by a user while accessing different domain categories and also specifies the number of transactions blocked for each user. It provides details such as:

• The name of the user.

• The number of transactions performed by the user while accessing different domain categories.

• The total number of domains accessed by the user.

• The number of transactions blocked by the Citrix Secure Workspace Access service.


You can click More Details to view the complete details about the user transactions.

Top users by data download volume


The Top Users by Data Download Volume section provides details of the top users who have uploaded data to or downloaded data from the domains. It provides details such as:

• The name of the user.

• The total volume of data uploaded to and downloaded from the domain by the user.

• The amount of data downloaded from the domain by the user.

• The amount of data uploaded to the domain by the user.

You can click More Details to view the complete details about the user transactions.


App operations

The App Operations dashboard provides an overview of the total number of domains accessed by users in your network. It also provides the amount of data uploaded to or downloaded from the domains. To access the App Operations dashboard, from the Analytics tab, click App Operations.


For the selected timeframe, the dashboard provides an overview of the number of domains accessed by users in your network. It also provides the volume of data uploaded to or downloaded from the domains.


Top domains by access

The Top Domains by Access section provides details about the domains that were accessed most by the users in your network. It provides details such as:

• The URL of the domain.

• The category to which the domain is categorized by the Citrix Secure Workspace Access service.

• The action taken by the Citrix Secure Workspace Access service to mitigate the risk.

• The number of users who have accessed the URL, with the increase in trend of the number of users accessing the domain for the selected timeframe.

You can click More Details to view the complete list of domains that were accessed by the users in your network.


Top domains by data download volume

The Top Domains by Data Download Volume section provides details about the top domains from which data was downloaded by users. The details are sorted by highest to lowest data volume. It provides details such as:

• The URL of the domain.

• The category to which the domain is categorized by the Citrix Secure Workspace Access service.

• The volume of data downloaded by users from the domain, with the increase in trend of the amount of data downloaded from the domain for the selected timeframe.


You can click More Details to view the complete list of domains that were accessed by the users in your network.


Top categories by access

The Top Categories by Access section provides details of the category of domains that were accessed the highest number of times by the users in your network. It provides details such as:

• The category to which the domain is categorized by the Secure Workspace Access service.

• The number of users who have accessed the URL, with the increase in trend of the number of users accessing the domain for the selected timeframe.

• The number of transactions by users on the risky domain, with the increase in trend of the number of transactions by users on the domain for the selected timeframe.

• The number of transactions blocked by the Citrix Secure Workspace Access service.

You can click More Details to view the complete list of domains that were accessed by the users in your network.


Top categories by data download volume

The Top Risky Categories by Data Download Volume section provides details of the category of domains from which the highest amount of data was uploaded or downloaded by the users in the network. It provides details such as:

• The category to which the domain is categorized by the Citrix Secure Workspace Access service.

• The total volume of data uploaded or downloaded from the domain by users in your network.

• The amount of data downloaded from the domain by users.

• The amount of data uploaded to the domain by users.


You can click More Details to view the complete details of data uploaded or downloaded by the user from the domains.


Manage tab

The dashboard on the Manage tab provides information on the blocked websites, allowed websites, and websites that redirect users to a secure browser.

For more details, see Configure web filtering for internet access from SaaS apps.

Citrix Cloud Gateway Connector availability in Azure Marketplace

November 5, 2021

The Citrix Cloud Gateway connector is available in Azure Marketplace Offers.

To deploy the Citrix Gateway Connector instances in the Azure Marketplace:

1. Go to Azure > Marketplace and search for Citrix Cloud Gateway Connector.

2. Click Citrix Cloud Gateway Connector.

3. Click Create in the Citrix Cloud Gateway Connector page. Choose a size that has 2 vCPUs and 4 GB RAM minimum.


4. Enter the virtual machine details as per your requirement.

Note: The default OS disk is Premium SSD and the minimum storage needed is 20 GB.

5. After the VM is created, update the Networking and Inbound Port Rules to allow ports 22 and 8443. You can access the admin UI at <https://<ip>:8443>.

6. Log on with default connector credentials and complete the registration.

Note:

• The offering, by default, comes up with and allows management access on port 8443 only for the default administrator with the default administrator password.

• Citrix recommends accessing the Gateway Connector admin user interface from inside the Azure Virtual Network.

Create a virtual machine by using a pre-set configuration

You can also create a virtual machine by using a pre-set configuration. However, Citrix recommends that you create a virtual machine with a new configuration. The pre-set configuration suggests using the D series virtual machine but it is not a mandatory requirement for the Citrix Gateway Cloud Connector.

To do so, click create a virtual machine with a pre-set configuration in the Citrix Cloud Gateway Connector page and complete the registration.


Note: Citrix Gateway Connector can also be deployed using the VHD. For details, see Citrix Cloud Gateway Connector availability in Azure.

Citrix Cloud Gateway Connector availability in Azure

November 5, 2021

Applications hosted in an enterprise’s data center are securely accessed and connected to cloud using the Citrix Cloud Gateway connector. The Citrix Cloud Gateway connector is a virtual machine based on the Citrix ADC appliance hosted within the company’s data center. The Citrix Cloud Gateway connector creates a secure connection and registers to Citrix Cloud services to form a secure tunnel. The Citrix Cloud Gateway connector is hosted on public cloud for customers to purchase and deploy.

Deploy a gateway connector in Azure

The high-level steps involved in deploying a gateway connector in Azure are as follows:

1. Upload VHD to Azure Storage
2. Create an image
3. Create a virtual machine.

A fixed size VHD image is used as a connector image. These images are published with the regular build artifacts. The following are the steps to create a VHD from a HyperV image.

1. Extract the HyperV zip file CONNECTOR-HyperV-.zip, and copy the dynamic.vhd file to your working folder.

2. Run the following Azure CLI commands.

• Convert-VHD -Path C:\Users\Administrator\Downloads\Dynamic.vhd -DestinationPath C:\Users\Administrator\Downloads\Fixed.vhd -VHDType Fixed

• Resize-VHD -Path C:\Users\Administrator\Downloads\Fixed.vhd -SizeBytes 20481MB

This step is necessary if the VHD generated is not greater than the whole number size.

Upload VHD to Azure Storage

1. Create a storage account. If you already have a storage account, in the left pane, under BlobService, click Containers.


2. Create a container or click an existing container.

3. On the Container page, click Upload.


4. Use the Upload form to upload your VHD.


Create an Image

1. Go to Azure > Images and then click Add.


2. Create an image using the uploaded VHD.


Create a virtual machine

1. Go to the image you created in the previous step and click Create VM. Choose a size that has 2 vCPUs and 4 GB RAM minimum.


Note: The default OS disk is Premium SSD and minimum storage needed is 20 GB.

2. After the VM is created, update the Networking and Inbound Port Rules to allow ports 22 and 8443. You can access the admin UI at <https://<ip>:8443>.

3. Log on with default connector credentials and complete the registration.

Deploy a Citrix Gateway Connector instance on AWS - Preview

February 9, 2022

Citrix Gateway Connectors can be deployed in AWS to provide secure VPN-less access to internal web applications hosted in AWS. Citrix Gateway Connectors deployed in AWS support all functions including all SSO types - Basic, Forms based, Kerberos, and SAML.

High-level steps to deploy the Citrix Gateway Connector instance on AWS:

1. Create a key pair
2. Create a Virtual Private Cloud (VPC)
3. Add more subnets
4. Create security groups and security rules
5. Add route tables
6. Create an internet gateway
7. Create a Citrix Gateway Connector instance
8. Connect to the Gateway Connector

Create a key pair

Amazon EC2 uses a key pair to encrypt and decrypt logon information. To log on to your instance, you must do the following:

1. Create a key pair.
2. Specify the name of the key pair when you launch the instance.
3. Enter the private key when you connect to the instance.

When you review and launch an instance by using the AWS Launch Instance wizard, you are prompted to use an existing key pair or create a new key pair. For details on creating a key pair, see Amazon EC2 Key Pairs.

Create a virtual private cloud

A Citrix Gateway Connector instance is deployed inside an AWS VPC. A VPC allows you to define the virtual network dedicated to your AWS account. For more information on AWS VPC, see Getting Started With Amazon VPC.

While creating a VPC for your Citrix Gateway Connector instance, note the following:

• Use the VPC with public and private subnets option to create an AWS VPC in an AWS availability zone.

• Citrix recommends having the Bastion VM (Jump Box) in the public subnet and the Citrix Gateway Connector VM in the private subnet.

• Access the Citrix Gateway Connector from the Bastion VM.

• All subnets must be in the same availability zone.

Add more subnets

When you used the VPC wizard, only two subnets (Public and Private) were created. Depending on your requirement, you might want to create more subnets. For more information about how to create more subnets, see Adding a Subnet to Your VPC.

Create security groups and security rules

To control inbound and outbound traffic, create security groups and add rules to the groups. For more information about how to create groups and add rules, see Security Groups for Your VPC.

To enable access to the Citrix Gateway Connector, ports 22 and 8443 must be open on the security group for SSH and HTTPS respectively.
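
The following check is an added example, not part of the Citrix documentation. It audits a security group, in the JSON shape returned by aws ec2 describe-security-groups, for inbound rules that expose ports 22 or 8443 to sources outside the Bastion VM subnet. The group ID, the rules and the bastion subnet CIDR 10.0.0.0/24 are constructed sample values.

```python
import ipaddress

MGMT_PORTS = (22, 8443)  # SSH and the connector admin UI, as listed on this page


def rule_covers(rule, port):
    """True if an inbound rule (one IpPermissions entry) admits TCP traffic to port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":              # "-1" means all protocols and all ports
        return True
    if proto not in ("tcp", "6"):  # protocol may be given by name or number
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def rule_sources(rule):
    """All IPv4 and IPv6 source CIDRs of a rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def audit_group(group, bastion_cidr):
    """Return (group id, port, source CIDR) for every management-port exposure
    whose source is not contained in the bastion subnet.

    Rules that reference other security groups (UserIdGroupPairs) carry no CIDR
    and are not evaluated here.
    """
    allowed = ipaddress.ip_network(bastion_cidr)
    findings = []
    for rule in group.get("IpPermissions", []):
        for port in MGMT_PORTS:
            if not rule_covers(rule, port):
                continue
            for cidr in rule_sources(rule):
                net = ipaddress.ip_network(cidr, strict=False)
                # subnet_of() raises on mixed IP versions, so compare versions first
                if net.version != allowed.version or not net.subnet_of(allowed):
                    findings.append((group["GroupId"], port, cidr))
    return findings


# Constructed sample: one rule scoped to the bastion subnet, three that are too wide.
BASTION_CIDR = "10.0.0.0/24"  # assumed public subnet holding the Bastion VM
SAMPLE_GROUP = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1",
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    ],
}

if __name__ == "__main__":
    for group_id, port, cidr in audit_group(SAMPLE_GROUP, BASTION_CIDR):
        print("{}: port {} reachable from {}".format(group_id, port, cidr))
```

The all-protocols rule and the 8000-9000 port range are included because both open 8443 without naming it.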


Add route tables

A route table contains a set of rules, called routes, that are used to determine where the network traffic is directed. Each subnet in your VPC must be associated with a route table. For more information about how to create a route table, see Route Tables.

Create an internet gateway

Create an internet gateway for internet traffic flow in your public subnet and add it to the corresponding route table for the private subnet.

Create a NAT gateway for internet traffic flow in your private subnet and add it to the corresponding route table for the private subnet.

For more information about how to create an Internet Gateway, see Attaching an Internet Gateway.

Create a Citrix Gateway Connector instance

To create a Citrix Gateway Connector instance by using the AWS EC2 service, complete the following steps.

1. Search for the AMI ID shared with you by Citrix.

a) Navigate to EC2 from main menu.
b) Click AMI and search for the AMI ID in Private Images.


Important:

For technical preview, the Citrix Gateway Connector image is not available in AWS Marketplace. Contact Citrix to get access to the AMI.

2. Launch Instance Type - Choose an instance type that has more than 2 vCPUs, 4 GB RAM minimum.

3. Configure an instance - Configure the Instance VPC, subnet, and network.

4. Add storage - Configure the storage device setting. The storage must be a minimum of 20 GB.


5. Add tags - Add tags to the VM.

6. Configure the security group - Configure the inbound and outbound firewall rules. You can create a security group or select an existing group to configure the rules.

Inbound rules:

• TCP Port 22 to SSH
• TCP 8443 to access dashboard

Outbound rules:


• All traffic

For more details, see System requirements.

7. Review the settings - Review your instance launch details and edit the details if necessary.

a) Click Launch.
b) Select an existing key pair or create a new key pair.
c) Click Launch Instances.


8. Select the Key Pair - Select the created key pair for the Citrix Gateway Connector.

Connect to Citrix Gateway Connector

From the AWS management console, select the Citrix Gateway Connector instance and click Connect. Follow the instructions on the Connect to Your Instance page.

• You must be able to SSH to the Gateway Connector VM from the Bastion VM.

ssh -i <pem file> administrator@<ip_address>

• To access the GUI in a browser from the Bastion VM, use: <https://<ip_address>:8443>

User name: administrator

Password: administrator

The default password is administrator and you are prompted to change the password after the first time you log on.

ADFS integration with Secure Workspace Access

July 23, 2021


Claim rules are necessary to control the flow of claims through the claims pipeline. Claim rules can also be used to customize the claims flow during the claim rule execution process. For more information about claims, see Microsoft documentation.

To set up ADFS to accept claims from Citrix Secure Workspace Access, you must perform the following steps:

1. Add claim provider trust in ADFS.
2. Complete the app configuration on Citrix Secure Workspace Access.

Add claim provider trust in ADFS

1. Open ADFS management console. Go to ADFS > Trust relationship > Claim provider Trust.

a) Right-click and select Add Claim Provider Trust.

b) Add an app in Secure Workspace Access that is used to federate to ADFS. For details, see App configuration on Citrix Secure Workspace Access.

Note:

First add the app and from the app’s SSO configuration section, you can download the SAML metadata file, and then import the metadata file into ADFS.


a) Complete the steps to finish adding claim provider trust. After you complete adding the claim provider trust, a window to edit the claim rule appears.

b) Add a claim rule with Transform An Incoming Claim.


c) Complete the settings as shown in the following figure. If your ADFS accepts other claims, then use those claims and configure SSO in Secure Workspace Access also accordingly.


You have now configured the claim provider trust that confirms ADFS now trusts Citrix Secure Workspace Access for SAML.

Claim Provider trust ID

Make a note of the claim provider trust id that you added. You need this ID while configuring the app in Citrix Secure Workspace Access.


Relaying Party Identifier

If your SaaS app is already authenticated using ADFS, then you must already have the Relaying party trust added for that app. You need this ID while configuring the app in Citrix Secure Workspace Access.


Enable relay state in IdP initiated flow

RelayState is a parameter of the SAML protocol that is used to identify the specific resource the users access after they are signed in and directed to the relying party’s federation server. If RelayState is not enabled in ADFS, users see an error after they authenticate to the resource providers that requires it.

For ADFS 2.0, you must install update KB2681584 (Update Rollup 2) or KB2790338 (Update Rollup 3) to provide RelayState support. ADFS 3.0 has RelayState support built in. In both cases RelayState still needs to be enabled.

To enable the RelayState parameter on your ADFS servers

1. Open the file.

• For ADFS 2.0, enter the following file in Notepad: %systemroot%\inetpub\adfs\ls\web.config

• For ADFS 3.0, enter the following file in Notepad: %systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config

2. In the microsoft.identityServer.web section, add a line for useRelayStateForIdpInitiatedSignOn as follows, and save the change:

    <microsoft.identityServer.web>
        ...
        <useRelayStateForIdpInitiatedSignOn enabled="true"/>
        ...
    </microsoft.identityServer.web>

• For ADFS 2.0, run IISReset to restart IIS.

3. For both platforms, restart the Active Directory Federation Services (adfssrv) service.

Note: If you have Windows 2016 or Windows 10, then use the following PowerShell command to enable it.

    Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true

Link to commands - https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsproperties?view=win10-ps

App configuration on Citrix Secure Workspace Access

You can either configure the IdP initiated flow or the SP initiated flow. The steps to configure IdP or SP initiated flow in Citrix Secure Workspace Access are the same except that for SP initiated flow, you must select the Launch the app using the specified URL (SP initiated) check box in the UI.

IdP initiated flow

1. While setting up the IdP initiated flow, configure the following.

• App URL – Use the following format for the app URL.
https://<adfs fqdn>/adfs/ls/idpinitiatedsignon.aspx?LoginToRP=<rpid>&RedirectToIdentityProvider=<idp id>

• ADFS FQDN – FQDN of your ADFS setup.

• RP ID – RP ID is the ID that you can get from your relaying party trust. It is the same as the Relaying Party Identifier. If it is a URL, then URL encoding happens.

• IDP ID – IdP ID is the same as the claim provider trust ID. If it is a URL, then URL encoding happens.


Example: https://adfs1.workspacesecurity.com/adfs/ls/idpinitiatedsignon.aspx?LoginToRP=https%3A%2F%2Fdev98714.service-now.com&RedirectToIdentityProvider=https%3A%2F%2Fcitrix.com%2F9a9sx0ijvihq

2. SAML SSO configuration.

The following are the default values of the ADFS server. If any of the values are changed, get the correct values from the metadata of the ADFS server. Federation metadata of the ADFS server can be downloaded from its federation metadata endpoint, which is listed under ADFS > Service > Endpoints.

• Assertion URL – https://<adfs fqdn>/adfs/ls/

• RelayState – Relay state is important for the IdP initiated flow. Follow this link to construct it properly - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj127245(v=ws.10)

Example: RPID=https%3A%2F%2Fdev98714.service-now.com&RelayState=https%3A%2F%2Fdev98714.service-now.com%2F

• Audience – http://<adfsfqdn>/adfs/services/trust

• For the other SAML SSO configuration settings, see the following image. For more details, see https://docs.citrix.com/en-us/citrix-secure-workspace-access/support-saas-apps.html

3. Save and subscribe the app to the user.
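
The following is an added example, not code from Citrix or Microsoft. It builds the App URL and the RelayState value in the formats shown above with the identifiers percent-encoded, and checks a configured App URL for the breakage that results when an identifier that is itself a URL is pasted unencoded. The function names and the example.test hosts are assumptions; the other values are the ones used in the examples on this page.

```python
from urllib.parse import quote, urlsplit, parse_qs

SIGNON_PATH = "/adfs/ls/idpinitiatedsignon.aspx"
REQUIRED = ("LoginToRP", "RedirectToIdentityProvider")


def build_app_url(adfs_fqdn, rp_id, idp_id):
    """Build the IdP initiated App URL; both identifiers are percent-encoded."""
    return "https://{}{}?LoginToRP={}&RedirectToIdentityProvider={}".format(
        adfs_fqdn, SIGNON_PATH, quote(rp_id, safe=""), quote(idp_id, safe=""))


def build_relay_state(rp_id, target_url):
    """Build the RelayState field value in the RPID=...&RelayState=... form."""
    return "RPID={}&RelayState={}".format(
        quote(rp_id, safe=""), quote(target_url, safe=""))


def check_app_url(url):
    """Return a list of problems in a configured App URL; an empty list means
    the URL has the expected shape and exactly the two expected parameters."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.path.lower() != SIGNON_PATH:
        problems.append("path is not " + SIGNON_PATH)
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in REQUIRED:
        values = params.get(name, [])
        if len(values) != 1 or not values[0]:
            problems.append("expected exactly one non-empty " + name)
    # An identifier pasted without encoding spills its own '&' separated
    # parameters into the sign-on URL as separate query parameters.
    for name in sorted(set(params) - set(REQUIRED)):
        problems.append("unexpected query parameter: " + name)
    return problems


# Values taken from the examples on this page.
PAGE_URL = build_app_url("adfs1.workspacesecurity.com",
                         "https://dev98714.service-now.com",
                         "https://citrix.com/9a9sx0ijvihq")
PAGE_RELAY_STATE = build_relay_state("https://dev98714.service-now.com",
                                     "https://dev98714.service-now.com/")

# Constructed failure case: a hypothetical RP ID that carries its own query
# string, concatenated into the App URL without encoding.
RAW_RP_ID = "https://sp.example.test/saml?tenant=a&env=b"
RAW_IDP_ID = "https://idp.example.test/x"
NAIVE_URL = ("https://adfs.example.test" + SIGNON_PATH +
             "?LoginToRP=" + RAW_RP_ID +
             "&RedirectToIdentityProvider=" + RAW_IDP_ID)
FIXED_URL = build_app_url("adfs.example.test", RAW_RP_ID, RAW_IDP_ID)

if __name__ == "__main__":
    print(PAGE_URL)
    print(PAGE_RELAY_STATE)
    print("naive:", check_app_url(NAIVE_URL))
    print("fixed:", check_app_url(FIXED_URL))
```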


SP initiated flow

For SP initiated flow, configure the settings as captured in the IDP initiated flow section. In addition, enable the Launch the app using the specified URL (SP initiated) check box.
