This feature provides secure remote access for Citrix Receiver application running on mobile devices to XenApp/XenDesktop VDI servers through ASA, eliminating the need for Citrix Access Gateway.
Citrix Access Gateway (CAG) was traditionally the only way to provide secure remote access to virtualized Citrix resources (desktops and applications). In typical deployment such device would be located behind the firewall in DMZ zone. Current feature adds ASA functionality to support secure remote connection to virtual resources from mobile devices.
Traditional deployments require presence of CAG, typically located behind the Firewall:
With ASA, connections to internal Citrix resources is possible without presence of CAG:
For ASA to proxy Citrix Receiver to a Citrix Server, ASA impersonates Citrix Access Gateway. When a user tries to connect to Citrix virtualized resource, instead of providing the Citrix Server’s address/credentials, users enter ASA’s SSL VPN IP address and credentials.
A new ASA handler is created to handle requests, including authentication requests from Citrix Receivers (HTTPS requests with agent string identifying itself as Citrix Receiver). After ASA has verified the credentials, the Receiver client starts to retrieve entitled applications through the ASA. The ASA rewrites and proxies to the XenApp or XenDesktop Server’s XML service interface (XML service is a service running on a Citrix server that service virtualization resource related requests).
ASA will connect and authenticate to VDI server using preconfigured credentials (see Configuration section). When sending credentials to back-end XenApp/XenDesktop server, ASA will always obfuscate user password using Citrix CTX1 encoding.
When a user uses Citrix Receiver mobile client to log on to the ASA, the ASA needs to connect it to a pre-defined Citrix XenApp or XenDesktop server. For this, the administrator configures the Citrix server’s address and logon credentials under Group Policy or username. In case both username and group-policy CLI are configured, username settings will take precedence over group-policy.
configure terminal group-policy DfltGrpPolicy attributes webvpn vdi type <citrix> url <url> domain <domain> username <username> password <password>
configure terminal username <username> attributes webvpn vdi type <citrix> url <url> domain <domain> username <username> password <password>
• type: type of VDI. For Citrix Receiver type must be citrix
• url : full url of the XenApp or XenDesktop server incluiding http or https, hostname, port number, as well as the path to the XML service.
Hostname and XML service path can contain a clientless macro. If XML service path is not provided, default path /Citrix/pnagent/ will be used
• username: username for logging into the virtualization infrastructure server, this can be a clientless macro
• password: password for logging into the virtualization infrastructure server, this can be a clientless macro
• domain: domain for logging into the virtualization infrastructure server, this can be a clientless macro
The following are valid configuration examples:
vdi type citrix url http://192.168.1.2 domain domain1 username user1 password pass1
vdi type citrix url https://192.168.1.2/Citrix/pnagent1/ domain domain2 username username2 password password2
vdi type citrix url http://192.168.1.2:8080/Citrix/pnagent3 domain CSCO_WEBVPN_MACRO1 username CSCO_WEBVPN_USERNAME password CSCO_WEBVPN_PASSWORD
Asdm -> Configuration -> Remote Access VPN -> Clientless SSL VPN Access - > Group Policy
Edit -> More Options-> VDI Access
Add VDI Server
The user experience of using Citrix Receiver to access virtual resources via the ASA is the same as when a Citrix Access Gateway is used.
If no servers are configured, user must configure a new virtual resource.
Users provide ASA's FQDN/IP address.
Users must check Access Gateway, Standard Edition, and enter credentials to connect to ASA.
When user profile is saved, application will automatically ask for credentials (ASA) and try to login.
When logged in, the application will display a list of published resources.
Users can navigate folders and click the corresponding resource to launch it.
Citrix Receiver application does not provide means to terminate webvpn session with connected ASA or CAG at will. Typically such session will be terminated upon reaching configured timeout. Although newest version of Citrix Receiver have a new button "Logoff", such button does not terminate existing session with ASA. Instead it closes all open applications, and displays to user the list of configured servers. Therefore, if ASA is configured to use only 1 license per user, clients that use "Logoff" button will not be able to log back in until after session times out.
To allow end-users terminate webvpn session at will, and as a result release ASA license, new functionality has been added to injects Secure Logoff resource.
Such injection happens every time Citrix Receiver fetches the list of published resources.
When user clicks on Secure Logoff application, the session between ASA and Citrix Receiver is terminated. To properly release ASA license, Secure logoff resource must be used to terminate webvpn session instead of native Citrix Receiver Logoff button.
Different messages are displayed as a result of session termination based on the mobile devices and the version of the Citrix Receiver. Also, the difference in the way Citrix Application is written for different mobile platforms yields different user experience when logging off Android devices.
On iPad and iPhone, Citrix Receiver will display message Your access to Gateway session has expired, please log on again. When user clicks OK, Citrix receiver brings up the screen with configured servers.
Android devices also display injected Secure Logoff resource.
However, when user clicks Secure logoff application, network connection Error will be displayed.
Although by this time the webvpn session is terminated, Citrix Receiver application does not have embedded messages to properly inform the user of further actions. Note that this behavior is expected. When such "Error" message is displayed as a result of terminating session, users are expected to click "Cancel" button, then "Back" button on Android device to exit current account, and confirm "OK" when asked about leaving the account.
After exiting current account, the user will be presented with list of preconfigured servers.
For XenDesktop to work through the clientless, if there are any intermediate firewalls between the ASA (inside) and the XenDesktop server, make sure the ports 443, 1494, 2598 and 80 are open on that firewall. Also, ensure that the ports are open for both the XenDesktop Server and the pool of XenDesktops.
SSL Error 4: Error number: 183
This error is seen when the connection to the XML broker (XenDesktop server) is allowed, but the ports 1494 and 2598 to the actual XenDesktop pool is blocked. You can debug by enabling all ports and then narrow down the required ports.
CSCug45674 ASA : Citrix Receiver Proxy broken on enabling TCP-State-Bypass
CSCug18734 ENH: Citrix Receiver proxy on ASA support for backend Storefront server
1. Does this new feature retain the granular controls configured on the XenServer? For example controls such as Client Drive Redirection, Client Printer Redirection, Client Clip board Redirection and Client USB devices redirection?
Answer: These parameters are defined on the XenServer and are part of the ICA file. The ASA does not modify these parameters. So, what ever setting you have on XenApp or XenDesktop will be reflected on the client.
2. Does the ASA have granular controls of the ICA connection such as prevent cut-n-paste, control Printer, Drive, Clip Board or USB redirection?
Answer: ASA doesn't modify the above settings. So, what ever setting you have on the XenApp or XenDesktop will be reflected on the receiver client.