A while ago I wrote a cross reference blog with my buddy Henry Heres about integrating Citrix Gateway and VMware Workspace One Access.
A respected customer read these blogs and tried integrating this in their environment but ran into issues and called for some assistance. Unfortunately, the original scenario we blogged about did not work in this specific environment, so I had to find an alternative way.
In this blog I will show you another option and how to configure this!
The Original:
The original flow drawn out and explained in our previous blogs is based on the flow in figure 1. But instead of allowing username and password externally (sigh) as stated in the original article, Henry solved this by using Advanced Policies. For more information about this I refer to the original articles mentioned in the links below this article.
· Figure 1
The Alternative
Since the previous flow did not work in the current situation there is an alternate route. Instead of requesting the ICA file from the Citrix Gateway we are going to enumerate the resources at StoreFront directly. We will configure StoreFront in such a way that it will always create an ICA file pointing to the external gateway. The Citrix Gateway is then used only as an ICA proxy.
· Figure 2
The Steps
Citrix StoreFront:
· Create an alternate Citrix Storefront Store if you don’t have a separate store for external access and you don’t want to redirect all the ICA traffic over the Citrix Gateway (link 5)
· After creating the store, configure the store settings accordingly. If you skip this step, the web.config will be missing critical configuration that we need to edit further down the road. Click in the order of the numbers:
· Back up and edit the web.config of the Store (so in the Store folder, not the StoreWeb folder!) (Link 7)
· Search for the rule containing:
<optimalGatewayForFarms enabledOnDirectAccess="false">
· Change this to true:
<optimalGatewayForFarms enabledOnDirectAccess="true">
· Save the file and run iisreset
· Repeat and/or replicate config to other StoreFront servers.
· Configure the Gateway to point to the new Store if needed.
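The backup, edit and iisreset steps above, as an added PowerShell example (my own helper, not part of Citrix StoreFront or the original steps). It assumes the default StoreFront install path under C:\inetpub\wwwroot\Citrix and a placeholder store name; it stops with an error if the optimalGatewayForFarms element is missing, which is exactly the symptom of having skipped the store configuration step.

```powershell
# Added example: set enabledOnDirectAccess="true" in the Store's web.config.
# Assumptions: default StoreFront install path; $StoreName is a placeholder.
param(
    [string]$StoreName = 'ExternalStore',   # placeholder, use your own store name
    [switch]$RestartIIS                     # run iisreset afterwards
)

# Store folder, NOT the StoreWeb folder
$webConfig = "C:\inetpub\wwwroot\Citrix\$StoreName\web.config"
if (-not (Test-Path -Path $webConfig)) {
    throw "web.config not found at $webConfig"
}

# Timestamped backup before touching the file
$backup = "$webConfig.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $webConfig -Destination $backup
Write-Host "Backup written to $backup"

[xml]$xml = Get-Content -Path $webConfig -Raw

# Namespace-agnostic lookup; one element per farm may exist.
# StoreFront only writes this element once the store's gateway settings
# have been configured in the console, so a missing element means that
# step was skipped: fail loudly instead of silently changing nothing.
$nodes = $xml.SelectNodes("//*[local-name()='optimalGatewayForFarms']")
if ($nodes.Count -eq 0) {
    throw "optimalGatewayForFarms not found: configure the store's gateway settings in the StoreFront console first, then re-run."
}

$changed = 0
foreach ($node in $nodes) {
    $current = $node.GetAttribute('enabledOnDirectAccess')
    Write-Host "Found optimalGatewayForFarms with enabledOnDirectAccess='$current'"
    if ($current -ne 'true') {
        $node.SetAttribute('enabledOnDirectAccess', 'true')
        $changed++
    }
}

if ($changed -gt 0) {
    $xml.Save($webConfig)
    Write-Host "Updated $changed element(s) in $webConfig"
} else {
    Write-Host 'Already enabled, nothing to change.'
}

if ($RestartIIS) { iisreset }
```

Run it on each StoreFront server (or propagate the change through the server group), as the step list above says.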
VMware Workspace One Access:
For the purposes of this blog, I assume you have already added CVAD resources within VMware Access (read link 8, or if you need help let me know).
The next step might feel a bit unnatural. Normally you would add network ranges and on “All Ranges” configure the Client Access FQDN to the Gateway FQDN and enable the NetScaler box (usually I configure internal ranges and consider everything else external), as in the picture below. But as the sticker says, DO NOT USE this option in this specific scenario:
Instead let it point to the configured Store on the internal StoreFront server.
This way the resources are enumerated directly from StoreFront. Since we altered StoreFront to always create ICA files directing to the Gateway with a valid STA ticket, the Citrix client will connect through the gateway.
If you want to use VMware Access (or Intelligent HUB) and use direct ICA connections on your internal network, configure the Network range linked to the internal range (and remember VMware Workspace One Access SAAS only sees your public IP!) to point to the original StoreFront Store so it will generate the proper ICA file.
In the end, you will be able to log in both ways. For the simplicity of the video I removed the MFA from VMware Access and Citrix Gateway, but of course you can (and I STRONGLY advise you to!) use MFA. Alternatively, federate the Citrix Gateway to VMware Workspace One Access, implement conditional access, etc. Read link 1 and link 2.
Questions, remarks or want to debate the solution? Feel free to contact me!
Links:
And the cross-reference blog:
Link 4: Notes from the lab: Some magic, integrating Citrix resources with VMware Access – The IT Stories (technicalfellow.com)
Link 7: How to Force Connections Through NetScaler Gateway Using Optimal Gateway Feature of StoreFront (citrix.com)