Introduction
VMware Identity Manager is a good product for providing users with a single unified portal to access their resources (Horizon Apps/Desktops, ThinApp Packages, Citrix Apps/Desktops, AirWatch Apps, Web Apps, SaaS Apps, and Enterprise Apps) with built-in features such as contextual policy access, Self-Service Catalog, and Single Sign On.
I have been working with VMware Identity Manager for some time now, mainly on Horizon and XenDesktop integration, and I have not seen many resources online that detail the complete steps required to integrate Citrix XenDesktop/XenApp/NetScaler with VMware Identity Manager so that users can launch Citrix published applications and desktops through their unified VMware access portal.
Horizon integration with VMware Identity Manager is well documented by VMware and the community, so this post covers publishing Citrix resources (apps and desktops) through VMware Identity Manager for internal and external users using XenDesktop 7.x and StoreFront. The end result is that users can access their whole workspace from this unified portal, which can also be integrated with AirWatch to form Workspace ONE.
One thing to be clear about before we continue: for both Horizon and XenDesktop, VMware IDM does NOT provide remote connectivity (tunneling or proxying). It relies on VMware UAG or Citrix NetScaler for that, so those components still have to be in place. What IDM adds is a unified portal with SSO, self-service and contextual policies, particularly around authentication and access.
Architecture
This is copied directly from the VMware documentation, as I found their explanation of how resources are launched straight to the point:
“VMware Identity Manager uses the Integration Broker component and the Citrix Web Interface SDK or Citrix StoreFront REST API to launch Citrix-published applications from the Workspace ONE portal or app. You can configure internal and external access to the Citrix-published resources. End users must install Citrix Receiver on their systems or devices to launch the applications and desktops”.
Launch Architecture Diagram (Internal Access)
- A user launches a Citrix-published application or desktop from the Workspace ONE portal or app.
- The request goes to the VMware Identity Manager service, connector, and Integration Broker.
- The Integration Broker communicates with the Citrix server farm through the Web Interface SDK or StoreFront REST API to authenticate and request the ICA file.
- The ICA file is retrieved and passed to the Workspace ONE portal or app.
- The ICA file is passed to the Citrix Receiver.
- The Citrix Receiver launches the application or desktop.
Launch Architecture Diagram (External Access)
- A user launches a Citrix-published application or desktop from the Workspace ONE portal or app.
- The request goes to the VMware Identity Manager service, connector, and Integration Broker.
- The Integration Broker communicates with the Citrix server farm through the Web Interface SDK or StoreFront REST API to authenticate and request the ICA file.
- The ICA file is retrieved and passed to the Workspace ONE portal or app.
- The ICA file is passed to the Citrix Receiver.
- Citrix Receiver communicates with NetScaler.
- NetScaler presents the STA ticket to the Citrix STA server and gets the Citrix session server information.
- NetScaler communicates with the Citrix Session Host server and creates a session for the application launch.
Prerequisites
- Supported versions: VMware IDM 3.2, Citrix XenDesktop 7.x and Citrix StoreFront 3.x.
- Integration Broker on a Windows Server 2016 VM (two can be deployed behind a load balancer if required).
- Domain service account with XenDesktop Administrator privileges.
- CA-signed SSL certificate for the Integration Broker service.
Configuration
Step 1 – Create a domain joined server 2016 virtual machine (2 vCPU, 4GB RAM, 40GB OS) and add the following Roles/Features:
The account used as the Application Pool Identity requires certain permissions on the StoreFront servers and the Integration Broker, so my advice is to add this account to the local Administrators group on all StoreFront servers and, in XD Studio, grant this user Administrator privileges. This is broader than least privilege, so treat it as a dedicated service account: deny it interactive logon and do not reuse it anywhere else. Restart IIS after all changes are completed.
Set the PowerShell execution policy to RemoteSigned (preferred over Unrestricted; RemoteSigned only requires that scripts downloaded from the internet carry a valid signature), enable PowerShell remoting, then install Citrix Studio on the Integration Broker.
Restart IIS, and to verify that the Integration Broker meets its requirements and prerequisites, open these two URLs and make sure that the file downloaded contains the phrase “All OK”. Also make sure that every Integration Broker server can reach every StoreFront server.
http://FQDN/IB/API/RestServiceImpl.svc/ibhealthcheck
https://FQDN/IB/API/RestServiceImpl.svc/ibhealthcheck
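The whole of Step 1 as a PowerShell script, added here as an example and not taken from the original post or from VMware. The Integration Broker FQDN `ib01.corp.example`, the IIS application pool name `IB`, the service account `CORP\svc-ib` and the StoreFront hostnames are hypothetical values; replace them with your own. It sets the execution policy, enables remoting, checks that the application pool runs as the service account, restarts IIS, verifies reachability of the StoreFront servers and then performs the same “All OK” health check the post asks you to do in a browser, over both HTTP and HTTPS.

```powershell
# Added example for Step 1 (not from the original post): prepare the Integration
# Broker host and run the ibhealthcheck URLs programmatically.
# Hypothetical values: adjust to your environment.
$IbFqdn      = 'ib01.corp.example'
$AppPoolName = 'IB'
$SvcAccount  = 'CORP\svc-ib'
$StoreFronts = @('sf01.corp.example', 'sf02.corp.example')

# 1. Execution policy: RemoteSigned is sufficient and narrower than Unrestricted.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# 2. PowerShell remoting, needed for the Citrix Studio / XD PowerShell SDK on this host.
Enable-PSRemoting -Force

# 3. Confirm the IIS application pool runs as the dedicated service account
#    (the identity itself is set in IIS Manager; this only verifies it).
Import-Module WebAdministration
$pool = Get-Item "IIS:\AppPools\$AppPoolName"
if ($pool.processModel.userName -ne $SvcAccount) {
    Write-Warning "App pool '$AppPoolName' runs as '$($pool.processModel.userName)', expected '$SvcAccount'"
}

# 4. Restart IIS so identity and feature changes take effect.
iisreset /noforce | Out-Null

# 5. The post requires that the Integration Broker can reach every StoreFront server.
foreach ($sf in $StoreFronts) {
    $r = Test-NetConnection -ComputerName $sf -Port 443 -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { Write-Warning "Cannot reach StoreFront $sf on TCP 443" }
}

# 6. Health check: both the http and https URL must return a body containing "All OK".
function Test-IbHealth {
    param([string]$Fqdn)
    $allOk = $true
    foreach ($scheme in 'http', 'https') {
        $url = "${scheme}://$Fqdn/IB/API/RestServiceImpl.svc/ibhealthcheck"
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            if ($resp.Content -match 'All OK') {
                Write-Host "[PASS] $url"
            } else {
                Write-Warning "[FAIL] $url returned HTTP $($resp.StatusCode) without 'All OK'"
                $allOk = $false
            }
        } catch {
            Write-Warning "[FAIL] $url : $($_.Exception.Message)"
            $allOk = $false
        }
    }
    return $allOk
}

if (-not (Test-IbHealth -Fqdn $IbFqdn)) { throw 'Integration Broker health check failed' }
```

If only the https check fails with a trust or name-mismatch error, the certificate or its chain is the problem; fix that (the certificate must be issued to the FQDN you use here and chain to a CA the host trusts) rather than bypassing certificate validation in the check, since Identity Manager will validate the same certificate later.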
Step 2 – On Storefront server make sure that the following requirements are completed:
Make sure that Trusted Domains are using FQDN and not NETBIOS or Identity Manager will fail to authenticate.
VMware Identity Manager requires that resources are assigned access to users or groups explicitly rather than using “Any Authenticated Users” or else it cannot sync assignments to delivery groups.
Step 3 – Log in to VMware Identity Manager. First we need to verify that the directory includes the attribute “distinguishedName”, which should have been marked as Required when the directory was initially configured. If it does not exist, the directory has to be deleted and recreated with that attribute set to Required.
Step 4 – It's time to add the Citrix resources in Identity Manager, so navigate to Catalog – Virtual Apps – Virtual App Configuration and configure as follows:
For sync, the Integration Broker can be reached on port 80, but the SSO section that follows requires SSL. If you want both sections on SSL (port 443), choose 443 here, tick Use SSL and paste the same certificate configuration I paste in the section below. There is no good reason to leave the sync path on plain HTTP once the certificate is in place. To obtain the certificate, complete the following:
Copy the cert and paste it into the SSL Certificate section.
Now let's add our STA servers and the StoreFront server, including the full store path, e.g. https://xd.diyarunited.com/Citrix/StoreWeb. Later, when NetScaler is integrated, we need to come back here and add the full STA path as well; we'll get to that below.
Sync the newly created resource; a box should pop up listing all of your delivery groups (desktops and applications) with their user/group assignments. After that the resources should be visible in the catalog. I always like to create a category for Citrix resources and assign it accordingly.
If the certificate assigned to the Integration Broker is signed by a local CA, make sure to add all intermediate and root certificates into Identity Manager. Use the same procedure as earlier to export the certificates and copy/paste them below.
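The certificate export needed in Step 4, both for the Integration Broker's own certificate and for the intermediate/root certificates from a local CA, as an added PowerShell example that is not part of the original post. It assumes the Integration Broker certificate lives in the local machine's personal store with the hypothetical subject `CN=ib01.corp.example`; it builds the chain from the host's trust store and writes every element as a Base64 PEM block, which is the format the Identity Manager certificate fields accept.

```powershell
# Added example for Step 4 (not from the original post): export the Integration
# Broker server certificate and its issuing chain as PEM for pasting into IDM.
# Hypothetical value: the subject of the IB certificate in LocalMachine\My.
$Subject = 'CN=ib01.corp.example'
$OutFile = Join-Path $env:TEMP 'ib-chain.pem'

function ConvertTo-Pem {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $b64 = [Convert]::ToBase64String($Cert.RawData)
    # Wrap at 64 characters, the conventional PEM line length.
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    return "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----"
}

# Pick the newest certificate matching the subject (there may be a renewed one next to an old one).
$leaf = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "$Subject*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $leaf) { throw "No certificate with subject $Subject in LocalMachine\My" }

# Build the chain leaf -> intermediates -> root from the machine's trust store.
# Revocation is skipped here because we only need the chain members, not an OCSP/CRL verdict.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($leaf)) {
    Write-Warning "Chain did not build cleanly: $($chain.ChainStatus.Status -join ', ')"
}

$pem = foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    Write-Host "# $($c.Subject)  issuer: $($c.Issuer)  expires: $($c.NotAfter)"
    ConvertTo-Pem -Cert $c
}

# First block is the IB certificate for the resource's SSL Certificate field; the
# remaining blocks are the intermediates/root to add as trusted certificates for a local CA.
$pem -join "`n" | Set-Content -Path $OutFile -Encoding ascii
Write-Host "Wrote $OutFile with $($chain.ChainElements.Count) certificate(s)"
```

Only the public certificates are exported (`RawData` never contains the private key), so the resulting file is safe to paste into the Identity Manager console. If the chain warning appears, the host itself does not trust the issuing CA, and the same trust gap will surface in Identity Manager; install the CA certificates on the host first.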
Step 5 – Now it's time to associate internal users with the StoreFront load-balancer URL (if load balanced) and external users with the NetScaler Gateway URL, so that internal users do not have to traverse NetScaler to open a resource and external users reach a gateway that is accessible from outside the environment.
First we define network ranges to identify our internal users. Any range you add is by default excluded from the built-in ALL RANGES, so use ALL RANGES for external access and create network ranges for your internally routable networks.
We also have the option of changing ICA client and launch properties directly from IDM.
Come back to the Citrix virtual resource we added and add all STA servers here (the XenDesktop Delivery Controllers, with the port used). This is required for external users going through NetScaler Gateway but is not a requirement for internal users.
We also have the option of applying different access policies per resource, for example to an ICA session.
Step 6 – Test with internal and external users.
Conclusion:
I hope this has been informative and actually applies to a requirement out there. I have seen a lot of organizations adopting Workspace ONE for AirWatch UEM and IDM while still using Citrix for virtual desktop and app delivery.
Dear Saadallah,
Very useful guide, and yes, I have such cases where customers have Citrix XenApp and adopt Workspace ONE.
Thanks Hussam.