Jump to content

Allowing Citrix through WS1 vpn tunnel


MichaelZ
Go to solution Solved by Sascha Warno,

Recommended Posts

Hi,

I was wondering if any of you could give me some pointers on how to allow citrix and the published apps through the tunnel? So far I have allowed the store in Chrome and Edge and allowed the Citrix Workspace through the tunnel. I can successfully conect to Citrix through a browser but I cannot connect directly through the workspace app. Also I cannot launch apps from inside citrix.
I get an error that the selected resource failed to respond in time. If I set the tunnel into per-device mode everything works
 

Link to comment
Share on other sites

  • Replies 5
  • Created
  • Last Reply

Top Posters In This Topic

  • Employee

@MichaelZ did you create the device traffic rules adding the Chrome and Edge apps for the specific domains you want to connect via Workspace ONE Tunnel?

In this case you want to connect through Tunnel Service on UAG, do you have all the ports and protocols open on your firewall to allow the Tunnel client to connect via UAG? This article explains the Tunnel communication flow and might help you https://techzone.omnissa.com/resource/understand-and-troubleshoot-tunnel-connections-load-balancing

 

 

Link to comment
Share on other sites

The tunnel as such works with the other apps. It's just Citrix that won't work. When the tunnel is in device mode Citrix works and I can start published apps. When in per-app mode selfservice.exe will not let me log in and I cannot start apps from browsers as well. I can connect to web based citrix as I have added the url to  our browser rules. But I cannot start apps as this is initiated by selfservice.exe. As this works in device mode I believe that selfservice.exe calls another app to actually connect and since this is not added the connection will fail.

So basically what I need is a list of the citrix apps to allow in the tunnel or a pfn

Edited by MichaelZ
Link to comment
Share on other sites

  • Employee
  • Solution

Carl has the list of all apps that should be involved. https://www.carlstalhood.com/workspace-app-for-windows/

Add those to the DTR and test again. Else you will need to use tools like procmon to find out which other services are called.

  • ICA Engine (wfica.exe) – process that uses the ICA protocol to connect to published apps and desktops.
  • Self-Service (selfservice.exe) – gets icons from StoreFront and displays them in a Window. When an icon is clicked, Self-service passes the ICA file to the ICA Engine to establish a connection.
  • Single Sign-on (SSON) for ICA (ssonsvr.exe) – captures user credentials and submits them to VDAs after an ICA connection is established
  • Workspace Auto-Update (CitrixReceiverUpdater.exe) – Notifies users of Workspace app updates. The most recent name for this component is Citrix Workspace Update.
Link to comment
Share on other sites

On 9/27/2024 at 9:27 AM, Sascha Warno said:

Carl has the list of all apps that should be involved. https://www.carlstalhood.com/workspace-app-for-windows/

Add those to the DTR and test again. Else you will need to use tools like procmon to find out which other services are called.

  • ICA Engine (wfica.exe) – process that uses the ICA protocol to connect to published apps and desktops.
  • Self-Service (selfservice.exe) – gets icons from StoreFront and displays them in a Window. When an icon is clicked, Self-service passes the ICA file to the ICA Engine to establish a connection.
  • Single Sign-on (SSON) for ICA (ssonsvr.exe) – captures user credentials and submits them to VDAs after an ICA connection is established
  • Workspace Auto-Update (CitrixReceiverUpdater.exe) – Notifies users of Workspace app updates. The most recent name for this component is Citrix Workspace Update.

procmon was what finally cracked this nut.

Thanks for the link and tip, Sascha.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...