LAB607 MigratingLegacyCitrixEnv Finalv1


LAB607 - Migrating legacy Citrix environments to deliver the new Citrix Workspace experience


Level Beginner - Intermediate

January 2020
Table of Contents

Training Overview

Lab Environment Details

Training Overview

Real-World Scenario

Exercise 1: Introduction to existing end user experience and install first Cloud Connector

Exercise 2: Control the availability of Workspace and add the on-premises resources into Workspace

Exercise 3: Create a custom, branded experience for users accessing the Citrix Workspace

Exercise 4: Enable new services and capabilities in the Citrix Workspace

Exercise 5: On-prem Citrix ADC and Citrix Gateway Service

Exercise 6: Move On-premises Virtual Apps and Desktops resources under management of Citrix Cloud

Exercise 7: Publish a new SaaS app with SSO functionality

Exercise 8: Enable multi-factor authentication with a token

Exercise 9: Set up high availability for the connections to your on-premises environment

Training Overview

citrix.com
4
Lab Guide Conventions
Indicator Purpose

This symbol indicates particular attention must be paid to this step

Special note to offer advice or background information

reboot Text the student enters or an item they select is printed like this

Start Bold text indicates reference to a button or object

Focuses attention on a particular part of the screen (R:255 G:20 B:147)

Shows where to click or select an item on a screenshot (R:255 G:102 B:0)

Lab Environment Details

Virtual Machines
VM Name | IP Address | Description
AD.training.lab | 192.168.10.11 | Domain Controller, DNS, DHCP, Certificate Services
CC1 | 192.168.10.22 | Clean Windows server ready for Cloud Connector
CC2 | 192.168.10.23 | Clean Windows server ready for Cloud Connector
NS1 | 192.168.10.90 | NetScaler 12.1 VPX Build 49.37 (ns1.mycitrixtraining.net)
NS1 | 192.168.10.92 | Citrix Gateway virtual server (ns1-gw.mycitrixtraining.net)
SF1 | 192.168.10.21 | StoreFront 3.13
CVAD1 | 192.168.10.30 | Virtual Apps and Desktops Delivery Controller server
ServerVDA1 | 192.168.10.31 | Virtual Apps and Desktops VDA registered with CVAD1 Delivery Controller
ServerVDA2 | 192.168.10.32 | Virtual Apps and Desktops VDA registered with CC1 for future use with the Virtual Apps and Desktops service from Citrix Cloud

Credentials
User Name | Password | Description
training\admin1 | Citrix123 | Member of Domain Admins group
training\user1 | Citrix123 | Standard User
training\user2 | Citrix123 | Standard User
nsroot | nsroot | Administrator account for the Citrix ADC
admin | See the Citrix Enablement website for the password to your lab | Administrator account for Citrix Hypervisor running your training lab VMs

Training Overview
Learning Objectives (Intermediate)
In this lab you will:
• Create a Workspace to show resources from an on-premises Virtual Apps and Desktops 7 deployment.
  ◦ Control availability of the Workspace to the internet and your users.
• Create a custom, branded experience for users accessing the Citrix Workspace.
• Enable new services and capabilities in Workspace to extend the capabilities of the Virtual Apps and Desktops deployment.
• Enable multi-factor authentication using AD and tokens to secure access to Workspace.
• Use the Citrix Gateway service to allow users to connect externally to the Virtual Apps and Desktops environment without having to install an ADC.
• Move On-premises Virtual Apps and Desktops resources under management of Citrix Cloud.

Real-World Scenario
CompanyX has installed a large on-premises environment that uses StoreFront and Citrix Gateway to
provide access to resources from a Virtual Apps and Desktops 7 site. CompanyX is keen to explore new
capabilities for its workforce and to take practical steps to move off its legacy environment before end
of support.

Exercise 1: Introduction to existing end user experience and install first Cloud Connector
Learning Objective
This exercise introduces you to the existing Virtual Apps and Desktops environment as the starting point for this
training lab. The lab uses Virtual Apps and Desktops 7, but the overall migration process described in this
training lab would also apply with XenApp 6.5 as the starting environment.

Exercise Overview
1. Familiarize yourself with the infrastructure available to you in this training lab.
2. Log on to StoreFront and see the user experience that will be enhanced during this training lab.
3. Install a Cloud Connector as a prerequisite for Citrix Cloud to communicate with the on-premises environment.

Estimated time to complete this exercise: 25 Minutes

Virtual Machines Required for This Exercise

Student desktop

CC1

Step-by-Step Guidance
Step Action

1. Enter the following URL https://enablement.citrix.com in your browser and log in with your
Citrix.com credentials.

To begin the lab click Enroll

2. Refresh the course page and then click Provision Lab to start a new virtual lab session.

This will do two things:

1. Send an email to the email address of the logged-in account.

2. Display the Citrix Cloud tenant assignment on the screen. This will take about 30
seconds (The messaging at the bottom will say 1 hour, just ignore it).

3. Go to your e-mail account.

A Citrix Cloud Welcome email will have arrived in your email inbox.

Click “Sign In” on the Welcome email. You will be re-directed to Citrix Cloud to Sign In.

You will be redirected to cloud.citrix.com

4. Click Sign In on Citrix Cloud and log in with your Citrix.com username and password.

5. Once logged in, accept the Terms of Service and click Continue

6. If you see this pop up, click the Maybe later button.

7. You will then see your Entitlements.

8. Navigate back to the ECC course page, scroll down and click Launch Lab to connect to the
Student Desktop.

9. Once connected to the Student desktop, follow the steps below to bring up the on-prem VMs
for your lab.

10. Citrix XenCenter should launch automatically on the Student Desktop. If not, launch it using the
following desktop shortcut.

11. Click Add a Server to add your XenServer to XenCenter, if there isn’t one already

12. Enter the parameters shown below and click the Add button.

13. Optional: If you get the following message, click the Close button.

14. Once the server is added, start the VMs if they are not running (a VM that is not running is shown with a red icon).

If the VMs are not running, start the following VMs:

• AD.training.lab
• CC1
• CC2
• NS1
• SF1
• CVAD1
• ServerVDA1

Right-click the VM and click Start. Repeat this step for all the VMs listed above which are not
running.

Wait about 5 minutes for all the VMs to boot completely.

15. First, familiarize yourself with the on-premises deployment of Virtual Apps and Desktops.
Open the Chrome browser on the Student desktop and navigate to:
http://sf1.training.lab/Citrix/StoreWeb/
Click Detect Receiver

At the pop-up, tick the checkbox to Remember my choice, and click the Open URL: Citrix
Receiver button.

Log On using these credentials


User name: user1, Password: Citrix123

16. You now see the applications and desktops available to user1.

Click on an application icon to launch a resource to confirm that the on-premises Virtual Apps
and Desktops environment is working correctly.
This is the user experience that you will replace and extend with Workspace from Citrix
Cloud.

If you do not see your applications, go to XenCenter and log in to the SF1 VM. Set
StoreFront to communicate with the Delivery Controller on its IP address instead of its FQDN.
Click EDIT to remove the FQDN of the Delivery Controller and add the IP address 192.168.10.30.
Save the changes.
Go back to the SF site and refresh the page. Your apps will appear.

This lab is in the process of upgrading. This will be resolved during the upgrade!

17. Next, you are going to set up a Citrix Cloud Connector in the customer’s on-premises
environment. This is the first and mandatory step needed to allow Citrix Cloud to communicate
with the on-premises environment to allow authentication to Active Directory, and access to the
existing resources.

18. Navigate to XenCenter and select the CC1 console desktop.

Log in as an administrator using the following credentials:

User: training\admin1, Password: Citrix123

You may use the XenCenter built-in VM console, or the Remote Desktop Connection icon located on
the Student Desktop.

If you receive the below warning when establishing an RDP session, click the Yes button.

19. From CC1 console desktop, open the Chrome browser on the desktop and browse to
https://citrix.cloud.com

Enter the Citrix Cloud Credentials and click Sign In.

Your cloud credentials are the same as the credentials you use to sign in at Citrix.com.

20. Select your customer profile: Example

The customer should match the information on the ECC course page and your Welcome email
in your inbox – Example:

21. Once logged in, click the ≡ navigation button (also known as “the hamburger”) in the top left of
the website and navigate to Resource Locations.

22. As you currently have no connector configured, the Resource Location page shows instructions
on how to install your first Citrix Cloud Connector.

Click the Download button to download the Citrix Cloud connector installer.

23. Navigate to the Downloads folder and right-click the file and click “Run as administrator”

24. After you launch cwcconnector.exe you will see a security message. Click the Run button.

25. Enter the Citrix Cloud Credentials and click Sign In.

26. If prompted, Choose a Customer and then click the Install button to continue.

Since you are using your citrix.com account, you may have multiple customers
associated with that account. It is important that you select the customer that you want
to associate with that connector. See example below:

Remember to select the same customer you selected when you logged into Citrix Cloud at the beginning of this lab.

If you have multiple sites, you will have to choose the correct Resource Location before proceeding to Install.

Choose a Resource Location if you have multiple sites


Click Install to continue

27. The Connector will then check connectivity to the Citrix Cloud services. This may take a few
minutes.

The machine running the Citrix Connector must have access to the internet. It is possible
to configure the Citrix Connector to use an HTTP proxy server if required. This is
configurable using the command line before installation.

28. You will see this screen once successful. Click the Close button to continue.

29. Once complete, return to the web browser session to citrix.cloud.com on the Resource
Locations page. Refresh the browser and you will see that you now have a Resource Location
created with 1 Cloud Connector.

The Cloud Connectors box is highlighted in orange to indicate that you do not have
enough connectors to support high availability. You will fix this in a later lab exercise.

30. Now rename the resource location from the default “My Resource Location” to a new name
with more meaning for an administrator, such as CompanyX US-East datacentre.

If you are unable to see the resource location after clicking Rename, click “No thanks – skip for now” to dismiss the pop-up message that is obscuring the page.

31. You have now successfully configured Citrix Cloud to communicate with your on-premises
infrastructure. This is a prerequisite step to enable many services available in Citrix Cloud.

Exercise 1 - Key Takeaways

• The Citrix Cloud Connector is a component that allows Citrix Cloud to communicate with the infrastructure in the on-premises deployment.

• The Citrix Cloud Connector is a component of Citrix Cloud and will be kept up to date by Citrix. The administrator should still consider OS maintenance and updates.

• The Citrix Cloud Connector can authenticate users against the Active Directory domain that the Connector machine is joined to.

• A resource location can be anywhere you need it: in a public cloud, private cloud, or an on-premises data-center. Consider the location of users and resources, and the Active Directory domain design.

Exercise 2: Control the availability of Workspace and add the on-premises resources into Workspace
Learning Objective
Enable a Citrix hosted Workspace to show resources from an on-premises Virtual Apps and Desktops
deployment and learn how to control the availability of the Workspace.

Exercise Overview
• Set up site aggregation in Citrix Cloud to the Virtual Apps and Desktops solution so users can access the published apps and desktops from on-premises in the cloud hosted Workspace.
• Learn how to control availability of the Citrix Cloud Workspace.

Estimated time to complete this exercise: 25 Minutes

Virtual Machines Required for This Exercise

Student desktop

Step-by-Step Guidance
Step Action

1. From your Laptop, or the Student Desktop, open the Chrome browser on the desktop and
browse to https://citrix.cloud.com

Enter the Citrix Cloud Credentials and click Sign In.

2. Once logged in click the “Hamburger” icon in the top left of the website and navigate to
Workspace Configuration.

3. You now see the Workspace Configuration administration console. On here you will see the
Access tab is selected by default and below that you should see your Workspace URL in the
format something.cloud.com:

Workspace is enabled by default. Workspace is set up automatically if you have
entitlement to a service that makes resources available through Workspace (e.g. Virtual
Apps and Desktops, Gateway).

4. Click the green toggle to disable Workspace.

This message will appear. Tick the check box and click the Disable button.

5. The toggle will now show the URL is disabled. This means the users will not be able to access
Workspace.

An administrator may choose to disable Workspace when making changes to the services
that provide resources to Workspace. In this exercise you have disabled the URL but it
isn’t a requirement you do that for your live environment.

6. If you browse to the Workspace URL (<yourWorkspaceUrl>.cloud.com) you will see that your
Workspace is not accessible.

There is a 5-minute sync for configuration changes, so if you don’t see this
screen straight away, you will in 5 minutes.

7. Now you will set up site aggregation which will allow users to see and use the applications and
desktops we saw earlier from the on-premises Virtual Apps and Desktops 7 environment.

Go back to the Student desktop where you should still be logged into Citrix Cloud, if not log
back in.

Navigate back to Workspace Configuration from the hamburger menu

8. Click on the Service Integrations tab, and click on the Add Site button under the Virtual Apps
and Desktops On-Premises Sites service.

9. Select the Virtual Apps and Desktops option and click Continue

10. Select your resource location by clicking on the green radio button.

Enter the address of the XenApp server: CVAD1.training.lab or 192.168.10.30

11. Click the Discover button. You will see a pop-up asking for the administrator credentials to the
Virtual Apps and Desktops deployment.

Enter, Username: training\admin1, Password: Citrix123

The Site credentials are needed for initial discovery only and are not needed for operation of
the Site aggregation feature. These credentials are not permanently stored by Citrix.

12. You will see that Discovery was successful, click Continue

13. You will then see information discovered from the Virtual Apps and Desktops deployment.

Tick the checkbox and click Continue

There is a warning for only having 1 connector. Ignore this and you will resolve this in a
later lab exercise.
In this lab, all resources are published to a single AD domain so no additional resource
locations and connectors are required.

14. Next you will see the Configure Connectivity section where you can choose your network
connectivity.

Set it to Internal Only, so select that option and click Continue.

15. You will then see a summary of the settings.

16. Click Save and Finish and you will see a success message:

17. Next you will re-enable the Workspace URL. Go back to the Access tab and click the disabled
toggle next to the URL to enable.

18. You need to enable the Virtual Apps and Desktops On-Premises Sites service, so navigate to the
Service Integrations tab, from Workspace Configuration.

Click the 3 dots button to the right and click Enable

19. You will see a pop-up asking you to confirm you want to turn on the service. Click Confirm.

By default, some services are disabled in Workspace to ensure that it is a deliberate
decision from an administrator to make those resources available to users.

Citrix Cloud is a distributed and resilient cloud solution. Any changes to Workspace
Configuration may take 5 minutes to take effect.

20. Now you will familiarize yourself with the end user’s initial experience with Workspace
accessing the Virtual Apps and Desktops on-premises resources.
From the Student desktop, open the Chrome browser and navigate to your Workspace URL
(remember: The Workspace URL is listed on the Citrix Cloud administrator console under,
Workspace Configuration \ Access).
Enter, Username: training\user1, Password: Citrix123 and click the Log On button.

21. You will be prompted on first use of Workspace to detect if the Workspace app is installed on
the computer.

Click Detect Workspace button to continue.

Citrix Receiver will also be successfully detected by Workspace, but it is recommended
that users upgrade to Citrix Workspace App for a better experience.

This detection screen will only appear for users that have HDX resources published to
them. E.g. if a user has only files or SaaS apps published to their AD account then
they would not see this check.

22. Once logged on, you see the applications and desktops assigned to user1.

On first log on, no apps or desktops will be shown on the Home page. To view published apps
and desktops, click on the “View all applications” link

Note: it can take 5 minutes for the applications to appear once you have enabled the feed
due to a 5-minute sync of the settings.

Launch a published resource to confirm that Workspace is now successfully providing access to
resources from the on-premises Virtual Apps and Desktops deployments.

Exercise 2 - Key Takeaways

• Access to Citrix Workspace can be enabled or disabled by a Citrix Cloud administrator.

• By default, some services are disabled in Workspace to ensure that it is a deliberate decision from an administrator to make those resources available to users.

• You can configure Citrix Cloud to communicate with an existing Virtual Apps and Desktops site to make those on-premises resources available via Workspace.

• The availability of the on-premises Virtual Apps and Desktops resources in Workspace can be enabled or disabled by a Citrix Cloud administrator.

Exercise 3: Create a custom, branded experience for users accessing the Citrix Workspace
Learning Objective
Customize the Citrix Cloud Workspace to reflect your company’s identity.

Exercise Overview
You are a Citrix Administrator who would like to change the look and feel of the Workspace to match your existing
branding, making it more familiar to your users.

Estimated time to complete this exercise: 15 Minutes

Virtual Machines Required for This Exercise

Student desktop

Images located in “Tech lab 607 resources” folder on student desktop

Step-by-Step Guidance

Step Action

1. From your Laptop, or the Student Desktop, open the Chrome browser on the desktop and
browse to https://citrix.cloud.com

Enter the Citrix Cloud Credentials and click Sign In.

2. Navigate to Workspace Configuration from the hamburger menu

3. Click on the Customize tab

4. This page allows us to update the branding of the Workspace experience, so first of all we are
going to upload a logo for sign-in.
Click on the “Drop the logo or browse from a folder” button for sign-in appearance logo

5. Select the “companyx-logo-ondark-prelogin.png” file from within the folder called “Tech lab
607 resources” on the desktop of the student desktop.

6. Next up we are going to add the logo for the After Sign-in Appearance.

Click on the “Drop the logo file or browse from a folder” button for sign-in appearance logo

7. Select the “companyx-logo-ondark.png” file from within the folder called “Tech lab 607
resources” on the desktop of the student desktop

You will notice now you have added the After Sign-in logo the preview pane has updated with
that logo, to give you an idea of what it looks like.

8. Now we are going to update the colors

First, click on the background color, and enter #326bc4 into the box as shown in the image
below. Then click elsewhere on the screen and it will select that color.
Note: when you press Enter, it won’t change the color. You need to click elsewhere on the
screen.

Do the same for the other two colors with these values:

Text and Icon Color on branded Background: #fff

Accent Color: #b91a1a

9. You will see the preview look like this once you have updated the colours:

Now click the Save button at the bottom of the page.

This has allowed you to make the end user experience match the same branding you had in your
existing environment, making the transition for your users easier. Remember to click Save if
you haven’t already done so.

10. Next up we are going to change the URL to a more friendly name.

Click on the Access tab

11. Now click the Edit link next to the URL where you will see a text box appear allowing you to
change the prefix of the URL.

Enter CitrixTechLab2020

Check the tick box and click Save.

Be careful when choosing a new domain name and consider the relevant copyright or
trademark law that may apply.

12. You will see the URL updated:

13. Now we can navigate to our Workspace and see the branding we have added and also the
applications we added using site aggregation earlier on in exercise 2.

Navigate to your new URL in the format of: https://citrixtechlab2020.cloud.com

It can take 5 minutes for the changes to take effect so if you see this don’t worry, just give
it a few more minutes.

14. Once the log in page loads you will notice the branding we set up earlier.

Log in using the credentials, Username: Training\user1, Password: Citrix123

Click Log On

15. Once you have successfully logged in you will see the home page, which will be in the empty
state as you have not added any favourites, or launched anything yet. Also notice the branding
you have applied.

16. Click the Apps menu item on the left hand side menu and click All Apps. Here you will see the
applications you had in the on-premises site.

If you click the star icon on the Calculator app you will add it to your favourites. Click on the
Notepad++ icon to launch it.

17. You will see the Notepad++ application launch using the locally installed Workspace app.

18. If you now click the Desktops menu item on the left hand menu and click All Desktops, you can
then also add the desktop as a favorite by clicking the star.

19. If you now navigate back to the home screen by clicking Home on the left hand menu, you will
see the Notepad++ application is now shown in the Recents tab.

20. If you click on the Favorites tab under Apps and Favorites under Desktops you will see the
Calculator app now appearing under apps. My Desktop now also appears under Desktops

Exercise 3 - Key Takeaways

• You can brand your Workspace to bring over the design from the on-premises StoreFront site, making the transition to Workspace less disruptive for users.

• You can modify the first part of the cloud.com URL to a name more familiar to your users and your corporate IT identity.

• You are familiar with Workspace and where the key areas are to find your resources.

Exercise 4: Enable new services and capabilities in the Citrix Workspace
Learning Objective
Set up SaaS applications and use the new Access Control and Secure Browser services to control how
users access web content.

Exercise Overview
As a Citrix Administrator you wish to enable some new applications to your end users but want to make
sure you can control the behavior of how they access them.

Estimated time to complete this exercise: 20 Minutes

Virtual Machines Required for This Exercise

Student desktop

Step-by-Step Guidance
Step Action

1. From your Laptop, or the Student Desktop, open the Chrome browser on the desktop and
browse to https://citrix.cloud.com

Enter the Citrix Cloud Credentials and click Sign In.

citrix.com
48
2. Here you will see the services you have access to, as below (services may vary from what is seen
below):

3. Now it is time to add new SaaS applications. Click the View Library button on the main page.

4. This is the Library in Citrix Cloud. This is the tool to manage availability of resources provided by
some of the service types in Citrix Cloud.

The library is currently empty.

Apps and desktops from the Virtual Apps and Desktops service can also be managed from
the Library.

5. Move the mouse over the plus icon, then single-click the task to Add a Web/SaaS App.

The Web and SaaS apps resource type is provided by the Gateway Service in Citrix Cloud.

6. The first step to publish a web application is to select a template.
Take a moment to browse the list of templates available. These templates are for web
apps that Citrix will provide single sign-on to. The list will grow in the future as more apps
are validated by Citrix and partners.

Search for or scroll down and select Office 365. Click Next to continue.

7. Here you will specify the App details. As you have selected a template, some default values are
filled in for you.

The Name, Description and Icon fields will define what is shown in Workspace for this resource
and you can safely edit without risk of breaking the app.

The URLs may require customization for your SaaS application e.g. a “vanity” URL from the SaaS
vendor for your account. Learning how to set these values is beyond the scope of this training
lab.

For this lab, leave the default values from the Office 365 template and click Next

8. Next up you will see the enhanced security section where you can use the features of Access
Control to set up restrictions for that application.

Take a moment to read the current set of enhanced security capabilities available. You will
enable these later in the lab exercise but not now.

Click Next to continue.

9. You will then be presented with options to configure Single sign on for this app. Learning how
to set these values is beyond the scope of this training lab.

Select Don’t use SSO and click Save.

Then click Finish to complete the process.

10. You will see Office365 was successfully added to the Library.

Click the icon to Add Another App.

11. It is also possible to publish a Web or SaaS app that is not in the template list. You will do this
now.

Click the Skip button on the “Choose a template” screen.

12. Now you will see a blank app details pane where we will fill out the details for a web app.

Select Outside my corporate network radio button,

Enter Name: Facebook

URL: http://facebook.com

Related Domains: *.facebook.com

Description : A prevalent social network

Click the Change Icon link and Select the “facebooklogo.png” file in the folder “Tech lab 607
resources” on the desktop of the Student desktop.

Click Next to continue.

13. Next we get the enhanced security options again, this time turn on all the enhanced security
features.

Click Enable enhanced security and leave all security options selected. Read and acknowledge
the “I understand that…” statement and click Next to continue.

The Enhanced Security options are enhanced functionality provided by the Access Control and
Secure Browser service in Citrix Cloud.

14. As before, select Don’t use SSO and click Save, and then Finish to complete the process.

Your application has successfully been added.

15. Click Go to the Citrix Cloud Library.
You now see the two applications you just published in the Library.

16. You will notice both apps are labelled with “0 Subscribers”. Currently they will not be shown in
Workspace.

Let’s add some subscribers. Click the 3 dots icon in the top right of the Office365 tile and click
Manage Subscribers.

17. Type domain users into the “Choose a group or user” textbox, and single click on the Domain
Users group found in the search results.

You have now subscribed users to the app. Close the Manage subscribers pane.

18. Repeat the procedure for the Facebook app and subscribe a user or group.

You have now published web apps from the Gateway Service. Before you see them in
action, next you will configure an additional method to publish web resources in
Workspace.

19. Secure Browser is a Citrix Cloud service for Web apps that require an additional level of security
through virtualisation. The user will open a web browser running on a computer in Citrix Cloud
to separate the web site from the user’s local device. Secure Browser can also be published in
Workspace.

Now navigate to the Secure Browser service from the hamburger menu.

20. The Secure Browser home screen describes the process to get started with Secure Browser.
Click Let’s Get Started to begin.

21. In this lab you will make an authenticated Secure Browser available in Workspace.
Select the Authenticated External tile and click the Continue button.

An Unauthenticated Secure Browser can be used by anyone if they have the URL to
launch it. Unauthorised Secure Browser instances are not managed in the Library.

22. Enter the following:


Name: Google Chrome

Start URL: https://www.citrixsummit.com

Region: East US

Click Publish to continue.

You can choose a name, URL and icon to make the Secure Browser look like a specific web
app in Workspace e.g. we could have published Facebook this way, however note that
Single sign on is not available unlike with the Web and SaaS service.

23. An instance of Secure Browser named Google Chrome is now configured.
Click the Library link to continue.

There are options available from the 3-dots icon to configure some lockdown
policies to control what users can do in the Secure Browser instance. Look now if you
want to see what is currently possible.

24. Add the training\Domain users group as subscribers to the Google Chrome app (follow the
same procedure you used earlier for Office 365 and Facebook).

25. You may remember that some Citrix Cloud services are disabled by default in Workspace.
From the hamburger menu, navigate to Workspace Configuration and click the Service
Integrations tab. Here you will see all the services listed and will notice that Secure Browser is
enabled, but Gateway is disabled. Click the 3 dots icon next to Gateway and click Enable.

Click Confirm when prompted.

Citrix Cloud is a distributed and resilient cloud solution. Any changes to Workspace
Configuration may take 5 minutes to take effect.

26. Now you will familiarize yourself with the end user’s experience with these new resource types.
From the Student desktop, open the Chrome browser and navigate to your Workspace URL.
Log on using Username: training\user1, Password: Citrix123
Navigate to All Apps where you will see Office365, Facebook and Google Chrome.

The Workspace URL is found on Workspace Configuration > Access.

27. Click to launch the Office 365 Web and SaaS app.
Note that a new local browser window is started. In this case we did not configure Single sign
on so it is prompting for credentials.

If the tab fails to open, then check your browser for blocked pop-ups.

Select to “Always allow pop-ups” for that site.

28. Return to the Workspace tab, and click to launch the Google Chrome Secure Browser app.
The Citrix Workspace App will establish a connection to an instance of Secure Browser. The user
can use it as a full web browser and navigate to different URLs as needed.

29. Return to the Workspace tab, and click to launch the Facebook Web and SaaS app.
It will also launch in a Secure Browser instance because you configured the Facebook web app
with Enhanced security.

With full Enhanced security you will notice there are no navigation buttons and there is a
session watermark.

Try to copy some text (Ctrl C) from the session and it will be prevented.

Close the applications you have launched.

Exercise 4 - Key Takeaways
• There are multiple ways to publish web resources on Citrix Cloud with different capabilities and
advantages. Experiment and pick the method that meets the requirements of your web workloads.

• The Secure Browser and Web and SaaS apps service in Citrix Cloud offer more functionality than
Virtual Apps and Desktops published content.

• Web resources show in Workspace with apps from other services. A user does not know that a
different technology is providing them.

• Secure Browser is a service that runs a web browser in a secure sandbox. Policies are available
to further strengthen security for web resources with controlled business data, or for web
resources that are less trusted.

Exercise 5: On-prem Citrix ADC and Citrix Gateway Service.
Learning Objective
Configure Workspace to use a Citrix Gateway for HDX launch.

Exercise Overview
1. Configure on-premises Citrix Gateway to use the Cloud connector as STA
2. Configure Workspace to use on-premises Citrix ADC as a Gateway for HDX launches
3. Validate that the traffic is routed via the on-premises Citrix Gateway
4. Configure Workspace to use Citrix Gateway for HDX launches
5. Validate that the traffic is routed via Citrix Gateway service.

Estimated time to complete this exercise: 25 Minutes

Virtual Machines Required for This Exercise

Student desktop

Step-by-Step Guidance
Step Action

1. First you will reconfigure Workspace to use the on-premises Citrix Gateway.

From the Student Desktop, open the Chrome browser on the desktop and browse to
https://citrix.cloud.com

Enter the Citrix Cloud Credentials and click Sign In.

2. From the hamburger menu go to Workspace Configuration > Sites, select the on-premises
Virtual Apps and Desktops aggregated site named “Training” and choose the task to Edit.

3. Scroll down to the Connectivity section and choose to Edit

4. Select Traditional Gateway and enter FQDN ns1-gw.myCitrixTraining.net

Click the Add button

In the next window that pops up, click Save to complete the reconfiguration.

If you use the Test STA button, it will fail in this lab exercise. To run this test, servers in
Citrix Cloud need to be able to resolve the DNS name of the Citrix Gateway, connect to it,
and trust the certificate. In the case of this lab, the Citrix Gateway is in a private network and
the test will fail. This will not impact end-user functionality in this lab – just be sure that you
have entered the correct Gateway FQDN.

5. Scroll to the top of the page and click Save to finish editing the site.

6. Now you will configure the on-premises Citrix ADC with Citrix Cloud as an STA.

From the Student desktop, open a web browser to https://ns1.mycitrixtraining.net and logon
using NetScaler admin credentials; Username: nsroot, password: nsroot.

If you see this error, click the SHOW ADVANCED link and click Proceed to
ns1.mycitrix.training.net

7. Navigate to Configuration > NetScaler Gateway > Virtual Servers, select the existing virtual
server and click Edit.

8. Under Advanced Settings, click the + Published Applications link

9. Scroll down the page and locate the Published Applications section and click No STA Server.

10. Enter the following information:

Secure ticket Authority Server: http://cc1.training.lab

Secure ticket Authority Server Address Type: Select IPV4 from the drop down

Click Bind.

Then click Done.

11. From your Student desktop, browse to your student Workspace URL
https://citrixtechlab2020.cloud.com

Logon as training\user1 and launch a published resource from the on-premises Virtual Apps
and Desktops deployment.

12. From the Student Desktop, confirm that the HDX traffic is going via Gateway.

The HDX connection is encrypted because it is being routed via the Citrix Gateway.

[Optional]:

• Capture the launch instructions issued to the Citrix Workspace App and inspect the ICA
directives for SSLProxyHost= and Address= (hint: look in the
%localappdata%\Citrix\Web Helper\temp folder)

• Navigate to Configuration > NetScaler Gateway > Monitor Connections > ICA
Connections to view the connection from the endpoint (student’s desktop).

13. As you have seen, the on-premises Citrix Gateway is only usable if there is connectivity from the
user’s endpoint device. In the case of this lab exercise, the DNS name and IP address of the
Citrix Gateway are only accessible from the internal lab network.

If a company does not want to manage their own Citrix Gateway on the public Internet to
allow access from outside their network, then the Gateway service from Citrix cloud can do
this. You will configure this next.

14. Earlier in this lab exercise you configured the Gateway from Workspace Configuration; it is also
possible to set the Gateway information from the Resource Location. Let’s use this alternate
method to configure Workspace to use the Citrix Gateway service.

Navigate back to your cloud session on the student’s desktop. Go to the hamburger menu >
Resource Locations and click the “1 Gateway” tile on the Resource Location that you created
earlier.

15. From the 3-dots icon, choose to Edit the Gateway configuration.

16. Select the radio button for Gateway Service and click Save.

17. Wait 5 minutes for the new configuration change to take effect. While you wait, reflect on
how easy this process is for an administrator compared to the level of knowledge needed to
install, configure and manage an on-premises NetScaler Gateway (or refill your drink).

Citrix Cloud is a distributed and resilient cloud solution. Any changes to Workspace
Configuration may take 5 minutes to take effect.

18. From the Student desktop, browse to your student Workspace URL, logon as training\user1
and launch a published resource

19. From your Local Desktop, browse to your student Workspace URL, logon as training\user1
and launch a published resource.

The Virtual Apps and Desktops on-premises resources are now accessible from the public
internet via Citrix Gateway.

Exercise 5 - Key Takeaways

• An on-premises Citrix Gateway can be used as an HDX proxy for an on-premises Virtual Apps and
Desktops deployment with resources launched from Workspace.

• An on-premises Citrix Gateway can be used in a hybrid deployment to launch resources from
on-premises StoreFront and from Workspace. Ensure that the Gateway is configured with an STA
for the Virtual Apps and Desktops servers, and an STA from the Cloud Connectors.

• Citrix Gateway service removes the need for management of a more complex product when
only HDX proxy is needed.
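
The optional check in step 12 (reading the launch file for SSLProxyHost= and Address=) can be scripted as below. This is an added example, not part of the original lab guide: the sample launch files are constructed, and the `;40;STA…;ticket` Address layout and the SSLEnable key are assumptions about what a gateway-routed launch file typically contains.

```python
import configparser
import sys

# Constructed sample launch files (not captured from the lab environment).
ICA_VIA_GATEWAY = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad++=

[Notepad++]
Address=;40;STA0000000001;CONSTRUCTED0TICKET0VALUE
SSLEnable=On
SSLProxyHost=ns1-gw.myCitrixTraining.net:443
"""

ICA_DIRECT = """\
[ApplicationServers]
Notepad++=

[Notepad++]
Address=192.0.2.10:1494
"""


def inspect_launch(ica_text, expected_gateway=None):
    """Return one finding per section of the launch file that has Address=."""
    parser = configparser.ConfigParser(
        interpolation=None,   # values may contain '%'
        strict=False,         # tolerate repeated keys
        delimiters=("=",),    # ':' appears inside host:port values
    )
    parser.read_string(ica_text.lstrip("\ufeff"))  # drop a BOM if present

    findings = []
    for section in parser.sections():
        keys = parser[section]
        if "address" not in keys:  # option names are lower-cased by the parser
            continue

        address = keys.get("address", "").strip()
        fields = address.split(";")
        # Assumed ticket layout: ;<version>;<STA id>;<ticket>
        is_ticket = (address.startswith(";") and len(fields) >= 4
                     and fields[2].upper().startswith("STA"))

        proxy = keys.get("sslproxyhost", "").strip()
        host, _, port = proxy.rpartition(":")
        if not host:               # no ':' in the value
            host, port = proxy, ""
        ssl_on = keys.get("sslenable", "").strip().lower() == "on"

        if is_ticket and host and ssl_on:
            route = "gateway"      # STA ticket redeemed at an SSL proxy
        elif not is_ticket and not host:
            route = "direct"       # client connects straight to the VDA address
        else:
            route = "inconsistent" # partial gateway settings: investigate

        matches = None
        if expected_gateway is not None and route == "gateway":
            matches = host.lower() == expected_gateway.lower()

        findings.append({
            "app": section,
            "route": route,
            "proxy_host": host or None,
            "proxy_port": port or None,
            # The ticket itself is a single-use credential, so only the
            # STA id is reported.
            "sta_id": fields[2] if is_ticket else None,
            "expected_gateway": matches,
        })
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    else:
        text = ICA_VIA_GATEWAY
    for finding in inspect_launch(text, "ns1-gw.myCitrixTraining.net"):
        print(finding)
```

A "direct" or "inconsistent" result after step 4 of this exercise means the launch did not pick up the Gateway configured for the site.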

Exercise 6: Move On-premises Virtual Apps and Desktops resources under management of Citrix Cloud
Learning Objective
Introduction to the Citrix Cloud Virtual Apps and Desktops service, and how Workspace behaves when
identical apps are published from multiple services.

Exercise Overview
1. Power-on the ServerVDA2 VM
2. Configure a machine catalog for ServerVDA2 in Citrix Cloud Virtual Apps and Desktops.
3. Publish NotePad++ via Citrix Cloud Virtual Apps and Desktops. NB: NotePad++ is already
available to Workspace from the on-premises site configured in Exercise 2.
4. Logon to Workspace and explore how Workspace deals with resources from Citrix Cloud VAD
and on-premises VAD.

Estimated time to complete this exercise: 20 Minutes

Virtual Machines Required for This Exercise

Student desktop
ServerVDA2

Step by Step Guidance


Step Action

1. To save you time in this lab exercise, the Citrix Virtual Desktop Agent (VDA) software is already
installed on the ServerVDA2 VM and configured to register with the CC1.training.lab Cloud
Connector. ServerVDA2 will provide resources to the Citrix Cloud Virtual Apps and Desktops
service.

Navigate to XenCenter on the Student desktop and Start the ServerVDA2 VM.

2. From your Laptop, or the Student Desktop, open the Chrome browser on the desktop and
browse to https://citrix.cloud.com

Enter the Citrix Cloud Credentials and click Sign In.

3. Once logged in click the “Hamburger” icon in the top left of the website and navigate to My
Services > Virtual Apps and Desktops

4. You may see a pop-up for some exciting new capabilities in Virtual Apps and Desktops. Read
and dismiss the pop-up by clicking on the maybe later link.

5. The overall process to set up Virtual Apps and Desktops is described on the page. Read the
overview if you are unfamiliar with the setup process, and continue to the next step in this lab
guide when you are ready.

In Exercise 1 of this lab you have already installed Cloud Connectors to give Citrix Cloud
access to your hypervisors and Active Directory infrastructure, and you will use the same
Connectors for the Virtual Apps and Desktops service. The VDA is already installed on ServerVDA2.

6. From the Manage tab, select Full Configuration from the drop down to open the Virtual Apps
and Desktops management console.

7. Create a Machine Catalog by clicking on the 2 task from the first use deployment screen.

In this lab you will skip “Connection Setup” as you will not power manage the VDAs.

8. Read the Introduction if you are unfamiliar with Virtual Apps and Desktops, and click the Next
button.

9. Leave the default checkbox selected for Multi-Session OS and click the Next button.

10. Leave the default radio buttons selected for “Machines that are not power managed…” and click
the Next button.

11. Click the Add computers button.

12. Enter ServerVDA2 into the search text box and click the Check Names button.

Note that the ServerVDA2 text is replaced with the full machine identifier and is underlined if the
computer account is successfully found in Active Directory. Click the OK button.

13. Click the dropdown labelled 7.6 (or newer) and click 1811 (or newer) to enable the features
available in the newest release of Virtual Apps and Desktops for this machine catalog.

The functional level controls which product features are available to machines in the catalog.
Setting a minimum functional level makes all features introduced since that version available
to the catalog. Machines will fail to register if they are running an earlier VDA version.

14. Click the Next button.

15. Enter a memorable name for the Machine Catalog and click the Finish button.

16. Publish a Delivery Group by clicking on the 3 task from the first use deployment screen.

17. Read the Introduction if you are unfamiliar with Virtual Apps and Desktops, and click the Next
button.

18. Leave the pre-selected values for the Machine Catalog you previously created, and the 1
available machine. Click the Next button.

19. Select the radio button to Allow any authenticated users to use this Delivery Group and click
the Next Button.

20. Click the Add button and select the menu option to add From start menu.

21. Scroll down the list of available applications on the VDA and select the checkbox for Notepad ++
and Paint. Click the OK button.

NotePad++ is the important app to publish in this training exercise as you will use this for
advanced aggregation, but you can publish more apps too if you want to.

22. Click the Next button.

23. Click the Next button as you do not need a published desktop for this lab exercise.

24. Enter a Delivery Group name, and click the Finish button.

25. Now you will access the resources managed by Citrix Cloud Virtual Apps and Desktops.
From the Student desktop, open the Chrome browser and navigate to your Workspace URL
(remember: The Workspace URL is found on Workspace Configuration \ Access).
Log on using, Username: training\user1, Password: Citrix123

Navigate to All Apps where you see Notepad++ and Paint that are provided by the Citrix Cloud
Virtual Apps and Desktops.

26. Notepad++ is now available to Workspace from 2 different services, but only one icon is
shown for the user to launch. This behaviour is part of the advanced app aggregation
feature of Workspace (this feature is currently in Tech Preview)

27. Click to launch the Notepad ++ app from Workspace. After launch, open the Citrix Workspace
Connection Center.

The instance of Notepad ++ has opened from the ServerVDA2 machine via Citrix Cloud Virtual
Apps and Desktops. By default, in the Tech Preview of the advanced app aggregation feature,
launch will use the Citrix Cloud managed resource first.

Exercise 6 - Key Takeaways

• Citrix Cloud Virtual Apps and Desktops can manage VDAs and provide resources to Workspace.

• Workspace can aggregate resources from existing on-premises deployments of Virtual Apps and
Desktops, and Citrix Cloud Virtual Apps and Desktops (and on-premises XenApp 6.5, but this is not
shown in this lab).

• Citrix Workspace has a feature in Tech Preview to look for identical resources from services and
show a single resource in Workspace for users to launch. The service chosen to launch the app
is not configurable by the administrator in the Tech Preview, but can be set by the Citrix support
team. (Not shown in the lab, but this behavior also applies if you have identical resources
published in multiple on-premises sites configured for Workspace.)

Exercise 7: Publish a new SaaS app with SSO functionality
Learning Objective
Set up a SaaS application, ServiceNow, and configure the single sign-on functionality with Citrix
Workspace.

Exercise Overview
As a Citrix Administrator you wish to enable a new application to your end users but don’t want them to
have to worry about logging on every time they launch it.

Estimated time to complete this exercise: 20 Minutes

Virtual Machines Required for This Exercise

Student desktop
Your private email address. Example: johndoe@gmail.com

Step by Step Guidance


Step Action

1. Next up we are going to set up a SaaS app with single sign on.

We are going to set up a ServiceNow SaaS app. To do that we need a ServiceNow
account, so we are going to sign up for a developer account for the purposes of this lab.

From the Student desktop, open the Chrome browser and navigate to
https://developer.servicenow.com/app.do#!/home

Click the Register link

2. On the registration screen, fill out the details using your private email address. Example:
yourPrivateEmail@gmail.com

Once filled out correctly tick the checkbox and click the Sign Up button

3. You will now see a successfully registered screen telling you to click a link in an email to confirm
registration.

Navigate to your private email inbox: https://xxx.gmail.com/ and sign

4. Once logged in, you will see the email from ServiceNow.

Click the Verify Email button in the email

5. You will then see a new tab open confirming you are registered. Click the Sign In button.

6. Sign In with the credentials you used to register (your private email and password).

Example:

7. Once you sign in you will see a pop-up called ServiceNow Developer Agreement

If you scroll to the bottom you can click the agreement check box and click Submit

8. You will then be presented with a few questions to fill out. Use the same answers as shown in
the screenshot below and click Submit

9. You will then be back to the home page where you are logged in.
https://developer.servicenow.com/app.do#!/home

Click the Manage menu item and the Instance item below that.

10. You will then see a screen where you can request a developer instance of ServiceNow free of
charge.

Click the Request Instance button.

11. You will see a screen asking what you will be using the instance for. Enter Testing and
click the I Understand button

12. You will then be asked which version you would like to use. Select the Madrid version, which is
the latest release.

Click Request Instance

You will then see a processing screen

13. Next you will see the details of your developer instance

Copy the admin password from the green box

Next, log in to your new developer instance by clicking the link in the green box,
which will take you to a page to change your admin password.

Paste the password into the Current Password field.

For the new password use Citrix123! and click Submit.

14. The homepage for ServiceNow dev portal will now load.

15. In the Filter navigator field, enter System Definition, scroll down then click on the Plugins
option.

16. You are redirected to the All Applications screen. In the search box, enter Integration and press
the Enter key.

Make sure “Integration – Multifactor Authentication”, “Integration – Multiple Provider Single
Sign-On Enhanced UI”, and “Integration – Multiple Provider Single Sign-On Installer” are ACTIVE.
If not, click on the link and then click on Install. You then see a pop-up asking you to activate the
plugin; click on Activate.

Once complete you will see the success pop-up; click Close & Reload Form. Do this for all 3.

Once the Single Sign-On Plugins are installed and activated, you can then configure Single Sign-
On (shown later in this lab).

17. Next we are going to add the ServiceNow app in the Citrix Cloud.

Open a new tab and browse to https://citrix.cloud.com

Enter the Citrix Cloud Credentials and click Sign In.

18. Click the View Library button on the main page.

19. Move the mouse over the plus icon, then single click the task to Add a Web/SaaS App.

20. Type Service Now into the search box and select the Service Now template and click Next

21. On the App Details section, fill out as follows:

• Where is the application = Outside my corporate network

• Name = Service Now

Replace the <your-organization> part of the URL with the dev instance code for your
ServiceNow instance, e.g. dev82037. You can find this on the My Instance page in
ServiceNow, which you should still have open in another tab.

• URL = https://dev82037.service-now.com/

Once you click out of the box it should auto fill the related domains, with the <mytenant>
part replaced by your dev instance ID.

• Related Domains = *.dev82037.service-now.com

Click Next once complete

22. Click Next to continue on the enhanced security page.

23. On the Single sign on section fill out as follows:

The parts highlighted in yellow are the parts you need to add to the URL or replace with the dev
instance ID you used on the previous page.

• Select SAML sign on

• Assertion URL = https://dev82037.service-now.com/navpage.do

• Relay State = https://dev82037.service-now.com/

• Audience = https://dev82037.service-now.com/

• Name ID format = Email Address

• Name ID = Email

Notes:

• The “Assertion URL” field contains domain values that are unique for your ServiceNow
tenant. When the end-user clicks the SaaS app icon within the Citrix Workspace app,
the SAML token is sent to the Assertion URL for performing single sign-on.

• The “Audience” field contains domain values that are unique for your ServiceNow
tenant. This field is included within the SAML token for parsing within ServiceNow.

• The “Name ID” field denotes the Active Directory user attribute to include in the SAML
token that will be sent to the Assertion URL for performing single sign-on.

Click the hyperlink on the right side of the page for
https://gateway.cloud.com/idp/saml/<ccaccount>/idp_metadata.xml. This links to an XML file
with details about the Citrix Workspace Identity Provider (IDP). The XML file will open in a new
tab.

Click Save on the Single sign on tab back in the Citrix Cloud admin console where we were adding the
application, as highlighted in the first image in this step above.

Click Finish

24. Click Go to the Library

Click the 3 dots on the ServiceNow application and click Manage Subscribers

25. Type domain users into the box labelled step 2 and select the option Domain Users from the
search results.

26. You will then see it as subscribed for the Domain Users.

Click the X in the corner to close the pop up.

27. Next we are going to set up the SAML config in Service Now to get the Single Sign-On working.

Navigate back to your Service Now developer instance at:

https://dev82037.service-now.com replacing the highlighted part with your dev instance ID.

28. In the Filter navigator field, enter Multi-provider and then click on the x509 Certificate option.

29. On the X.509 Certificate form, click the New button.

30. On the X.509 Certificate New Record form, give the new record a name in the Name field by
entering “X.509 cert Workspace”

31. In the PEM Certificate field paste:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

32. Go back to the tab you had open with the XML as below and copy the text in the section
X509Certificate as highlighted below.

33. Then paste that into the PEM Certificate field between the BEGIN CERTIFICATE and END
CERTIFICATE lines you pasted in, as below:

Click Submit

34. Back on the X.509 form, click on the newly created PEM Certificate link labelled X.509 cert
Workspace.

Notice that the other fields should now be automatically filled in when the X509 Certificate text
was parsed.

35. Next we are going to set up the Multi-Provider SSO properties

In the Filter navigator field, enter Multi-provider and then click on the Properties option.

36. On the Customization Properties for Multiple Provider SSO form, make sure that the Enable
multiple provider SSO option is checked. If not, select it and then click Save.

37. In the Filter navigator field, enter “multi-provider” and then click on the Identity Providers
option

38. On the Identity Providers form, click the New button

39. When prompted with What kind of SSO are you trying to create?, select SAML

40. A pop-up called Import Identity Provider Metadata will appear. Select the URL option and enter
the URL of the XML file you still have open in the web browser, which should look like
this:

https://gateway.cloud.com/idp/saml/2obg48pa3b6l/6c25e9c5-9949-4833-acfb-61290d15d71b/idp_metadata.xml

Click Import

41. The IDP details will be imported from the XML file. Update or verify a few fields as follows:

• Name: Supply a descriptive name to give to this Identity Provider
• Identity Provider URL: Verify this value matches the “Issuer” value found within the
Citrix Workspace IDP metadata XML file. It will have format
https://citrix.com/<ccaccount>. Note: this value is case sensitive! Use the same case
as found within the XML file.
• Identity Provider’s AuthnRequest: Supply your Citrix Workspace URL used for end-
user authentication. This URL is configured within your Citrix Cloud account and will
have format https://<ccaccount>.cloud.com
• Entity ID / Issuer: Verify this value matches the “Issuer” value found within the Citrix
Workspace IDP metadata XML file. It will have format https://citrix.com/<ccaccount>.
Note: this value is case sensitive! Use the same case as found within the XML file.

Click Update.

42. Before we can test the connection and mark it as active, we need to create a user in
Service Now that matches the AD accounts in our lab environment.

In the filter navigator type Users

43. Click the New button in the Users area

44. Enter the details highlighted below in the fields shown in the screenshot.

User ID = user2

First name = User

Last name = two

Email = user2@training.lab

Click Submit

45. Now we need to test the connection before we can activate it.

In the Filter navigator field, enter “multi-provider” and then click on the Identity Providers
option

46. Click Citrix Workspace Identity that we created earlier

47. Now we click the Test Connection button so we can activate the new Identity Provider.

48. You will be prompted to log in to Workspace. Use these details to log in:

User name: user2@training.lab

Password: Citrix123

49. Once logged in navigate to All Apps by clicking the menu item on the left hand side and clicking
All Apps

Click to launch the ServiceNow app

50. This will open a new tab showing the results of the SSO test

It failed on logout as we didn’t set a logout URL.

We can set it to work with that failure though, so click Activate

This takes you back to the ServiceNow screen. That is now set up. Let's try it out in our
Workspace and see it work. Log out of ServiceNow.

51. In Chrome, navigate to your Workspace URL e.g. https://citrixTechLab2020.cloud.com

Once logged in, click to launch the Service Now application, which should be in your recents after
the earlier test.

If it all works, it will open a new tab that logs you automatically into Service Now with the User2
account.

Exercise 7 - Key Takeaways

• Setting up SSO for web applications means your users do not have to log in every time they
launch that application, making the experience a better one for your users.

Exercise 8: Enable multi-factor authentication with a token
Learning Objective
Configure token authentication for Workspace without needing to build or buy additional Multi-Factor
authentication infrastructure.

Exercise Overview
1. Turn on token authentication in Citrix cloud and configure Workspace to use token
authentication.
2. Configure the Active Directory user accounts to be ready for token authentication.
3. Logon to Workspace and experience the new logon flow as a new user would on first use.

Estimated time to complete this exercise: 25 Minutes

Virtual Machines Required For This Exercise

Student desktop
Smart Device: Citrix SSO or Google Authenticator

Step by Step Guidance


Step Action

1. Download and install Citrix SSO app OR Google Authenticator app on your device beforehand.

2. From your Laptop, or the Student Desktop, open the Chrome browser on the desktop and
browse to https://citrix.cloud.com

Enter the Citrix Cloud Credentials and click Sign In.

3. Click the “Hamburger” icon in the top left of the website and navigate to Identity and Access
Management

4. From Identity and Access Management \ Authentication tab, choose the task to Connect Active
Directory + Token

5. Click Save and Finish to complete the configuration of Citrix Cloud authentication methods.

6. From Identity and Access Management > Authentication tab, click the ellipsis next to Active Directory +
Token and select Manage Subscriber Access.

7. The new authentication method is now available in Citrix Cloud platform, but you must
configure Workspace to use it. This pattern is true for all authentication methods.

From “Hamburger” \ Workspace Configuration \ Authentication tab, select the radio button for
Active Directory + token.

Check the box and click Confirm after you have read the warning.

8. Immediately check the user's experience in Workspace.
From the Student desktop, open the Chrome browser and navigate to your Workspace URL
(remember: The Workspace URL is found on Workspace Configuration \ Access).
A change in authentication method can result in a short period of time where Workspace
is not available, or users that were logged in to Workspace during the change may need
to restart their browser. Treat a change in authentication method as a managed change for
end users.

9. Wait a few minutes for the system configuration to synchronize. Close and re-open the
browser if you still see the error on refresh.

Users may observe that the logon page is now served from login.cloud.com rather than
the Workspace URL. Users may need training or reassurance that this is acceptable.

Users are now unable to log on to Workspace until they register a token generator with
Workspace. Treat a change in authentication method as a managed change for end
users.

10. Workspace is now configured to require a token for launch.

When a user first accesses Workspace configured with token authentication, they must register
a token. This registration process requires an email to help prove the user’s identity.

You will now update user1’s Active Directory account to use a functioning email address.
Example: YourPrivateEmail.com email address

11. Access the AD.training.lab console desktop from XenCenter on the Student desktop.

Log in as an administrator using the following credentials:

User: training\admin1, Password: Citrix123

12. From the AD.training.lab desktop, Launch the Active Directory Users and Computers console.

Click the Start menu Icon, and type Active directory Users and Computers and single click
on the search result to launch the management console.

13. Expand the training.lab tree and select the Users node. Right click User One and open
Properties.

14. Update User One’s email address to YourPrivateEmail.com and click Apply or OK button.

Example:

15. A token generator is required for every user.

Install a token generator application suitable for TOTP, e.g. install Google Authenticator on
your smart phone from the App store. For this lab exercise, you could download a token
generator extension for the web browser running on the Student desktop, e.g. the “Authenticator”
Chrome extension.

16. From the Student desktop, open the Chrome browser and navigate to your Workspace URL
(remember: The Workspace URL is found on Workspace Configuration \ Access).
The user must register a token. Click the Don’t have a token? link

17. Enter training\user1 and click Next.

18. Go to your YourPrivateEmail@xxx.com inbox and find the email from Citrix Cloud for token
registration. It contains your Verification Code.

19. Enter the Verification Code received in the device registration email, and enter the
password Citrix123 for User1. Click Next to continue token set up.

20. Follow the user instructions to add a new site to the token application.

Click Finish and Sign In after Workspace is successfully added to your token application.

21. After completing registration, return to the Workspace sign-in page and enter your Active
Directory credentials along with the token displayed in your authenticator app.

22. You are now logged in and the token is registered for User1.

Launch a resource to confirm that no further authentication is required in this session.

23. For subsequent logons the user now must enter their Username, Password and Password Token
from the token application.

Currently Citrix Cloud supports only one registered token application per user. If
the user follows the flow to register a new token, it will replace the existing token.
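
The token mechanics behind steps 15-23, as an added example that is not part of the original lab guide and is not Citrix Cloud's implementation: a generic RFC 6238 TOTP generator and verifier, plus a hypothetical `TokenStore` that holds one secret per user. It assumes registration issues a fresh shared secret, which is why codes from a previously registered token application stop working after re-registration.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code depends only on secret and time step."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    for drift in range(-window, window + 1):
        t = unix_time + drift * STEP
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret, t), code):
            return True
    return False

class TokenStore:
    """Hypothetical server-side store (assumption): exactly one secret per user."""

    def __init__(self):
        self._secrets = {}

    def register(self, user: str) -> str:
        """Issue a new secret; any earlier registration for the user is overwritten."""
        secret = secrets.token_bytes(20)
        self._secrets[user] = secret
        # Base32 is the form authenticator apps usually take for manual entry.
        return base64.b32encode(secret).decode()

    def check(self, user: str, code: str, unix_time: int) -> bool:
        secret = self._secrets.get(user)
        return secret is not None and verify(secret, code, unix_time)

if __name__ == "__main__":
    store = TokenStore()
    old_app = base64.b32decode(store.register("user1"))  # first token application
    now = 1_600_000_000                                  # constructed timestamp
    print("old app accepted:", store.check("user1", totp(old_app, now), now))
    store.register("user1")                              # user registers a new token
    print("old app after re-registration:", store.check("user1", totp(old_app, now), now))
```

The drift window trades usability for a slightly longer period in which an observed code can be replayed, so keep it small.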

Exercise 8 - Key Takeaways


• Users are unable to log on to Workspace until they register a token generator with Workspace.
Treat a change in authentication method as a managed change for end-users.
• Currently Citrix Cloud supports only one registered token application per user. If the user
follows the flow to register a new token, it will replace the existing token.
• After logon, the token is not needed to launch resources from Workspace.

Exercise 9: Set up high availability for the connections to your on-premises environment
Learning Objective
Know the requirements and how to configure Workspace for high availability.

Exercise Overview
You will add a second Citrix Cloud connector to provide high availability and reduce the risk of your
users being unable to access their resources.

Estimated time to complete this exercise: 10 Minutes

Virtual Machines Required For This Exercise

Student desktop

CC2

Step by Step Guidance


Step Action

1. Now you will configure a second Citrix Cloud connector to provide high availability and load
balancing of all required traffic from the on-premises resources to Citrix Cloud.

2. From XenCenter on the Student desktop, “Start” the VM named “CC2” to power on the
Windows VM where you will install a second Cloud connector.

3. Access the CC2 console desktop.

Log in as an administrator using the following credentials:

User: training\admin1, Password: Citrix123

You may use the XenCenter built in VM console, or Remote Desktop Connection icon located on
the Student Desktop.

Note: If you receive the below warning when establishing an RDP session, click ‘yes’.

4. From the CC2 desktop, open the Chrome browser on the desktop and browse to
https://citrix.cloud.com

Enter the Citrix Cloud Credentials and click Sign In.

5. Add a second connector to your Resource Location and install the Connector on CC2.
If you get stuck, refer to the procedure in Exercise 1, steps 12-23.
6. From citrix.cloud.com, confirm that two connectors are listed and show as green in your
Resource Location.

Citrix can now manage the upgrade of the connectors to keep them up-to-date without
causing an interruption to availability of resources in Workspace.

It is recommended that you have one additional connector, on top of the number that
you need to support the network communication needed for your deployment.

Exercise 9 - Key Takeaways


• You must have a minimum of 2 Cloud Connectors to guarantee availability of Workspace. It is
recommended that you have one additional connector, on top of the number that you need to
support the network communication needed for your deployment.

Authors
The following authors contributed to the creation of this deliverable.
Citrix
Amy Cole, Cambridge, UK, amy.cole@citrix.com
Tom Price, Cambridge, UK, tom.price@citrix.com

Revision History
Revision | Change Description | Updated By | Date
1.1 | Added new exercises | Amy and Tom | May 2019
1.2 | Modify exercises for self-paced environment | Joslyn Bailey-White | January 2020


About Citrix

Citrix (NASDAQ:CTXS) is a leader in mobile workspaces, providing virtualization, mobility management, networking and cloud services to enable
apps, desktops, data and communications on any device, over any network and cloud. This year Citrix is celebrating 25 years of innovation, making
IT simpler and people more productive. With annual revenue in 2013 of $2.9 billion, Citrix solutions are in use at more than 330,000 organizations
and by over 100 million users globally. Learn more at www.citrix.com.

Copyright © 2014 Citrix Systems, Inc. All rights reserved. [list Citrix trademarks (without ® or ™ symbols!) in document] are trademarks of Citrix
Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned
herein may be trademarks of their respective companies.
