Allowing Citrix through WS1 vpn tunnel


Solved by Sascha Warno

Hi,

I was wondering if any of you could give me some pointers on how to allow Citrix and the published apps through the tunnel? So far I have allowed the store in Chrome and Edge and allowed the Citrix Workspace through the tunnel. I can successfully connect to Citrix through a browser but I cannot connect directly through the workspace app. Also I cannot launch apps from inside Citrix.
I get an error that the selected resource failed to respond in time. If I set the tunnel into per-device mode everything works.
  • Employee

@MichaelZ did you create the device traffic rules adding the Chrome and Edge apps for the specific domains you want to connect via Workspace ONE Tunnel?

In this case you want to connect through Tunnel Service on UAG, do you have all the ports and protocols open on your firewall to allow the Tunnel client to connect via UAG? This article explains the Tunnel communication flow and might help you https://techzone.omnissa.com/resource/understand-and-troubleshoot-tunnel-connections-load-balancing


The tunnel as such works with the other apps. It's just Citrix that won't work. When the tunnel is in device mode Citrix works and I can start published apps. When in per-app mode selfservice.exe will not let me log in and I cannot start apps from browsers as well. I can connect to web-based Citrix as I have added the URL to our browser rules. But I cannot start apps as this is initiated by selfservice.exe. As this works in device mode I believe that selfservice.exe calls another app to actually connect and since this is not added the connection will fail.

So basically what I need is a list of the Citrix apps to allow in the tunnel or a PFN.

Edited by MichaelZ

  • Employee
  • Solution

Carl has the list of all apps that should be involved. https://www.carlstalhood.com/workspace-app-for-windows/

Add those to the DTR and test again. Else you will need to use tools like procmon to find out which other services are called.

  • ICA Engine (wfica.exe) – process that uses the ICA protocol to connect to published apps and desktops.
  • Self-Service (selfservice.exe) – gets icons from StoreFront and displays them in a Window. When an icon is clicked, Self-service passes the ICA file to the ICA Engine to establish a connection.
  • Single Sign-on (SSON) for ICA (ssonsvr.exe) – captures user credentials and submits them to VDAs after an ICA connection is established
  • Workspace Auto-Update (CitrixReceiverUpdater.exe) – Notifies users of Workspace app updates. The most recent name for this component is Citrix Workspace Update.

On 9/27/2024 at 9:27 AM, Sascha Warno said:

Carl has the list of all apps that should be involved. https://www.carlstalhood.com/workspace-app-for-windows/

Add those to the DTR and test again. Else you will need to use tools like procmon to find out which other services are called.

  • ICA Engine (wfica.exe) – process that uses the ICA protocol to connect to published apps and desktops.
  • Self-Service (selfservice.exe) – gets icons from StoreFront and displays them in a Window. When an icon is clicked, Self-service passes the ICA file to the ICA Engine to establish a connection.
  • Single Sign-on (SSON) for ICA (ssonsvr.exe) – captures user credentials and submits them to VDAs after an ICA connection is established
  • Workspace Auto-Update (CitrixReceiverUpdater.exe) – Notifies users of Workspace app updates. The most recent name for this component is Citrix Workspace Update.

procmon was what finally cracked this nut.

Thanks for the link and tip, Sascha.
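
A lighter-weight complement to the procmon approach discussed in this thread, as an added example that is not from any poster, Omnissa or Citrix: it polls for one minute and lists every executable under a Citrix install path that opens a TCP connection, flagging those not in the list from the solution post. The `*\Citrix\*` path filter and the 60-second window are assumptions; adjust them for your install.

```powershell
# Added example: find Citrix executables that open network connections,
# so they can be checked against the Device Traffic Rules (DTR).
# Assumption: Workspace app binaries live under a path containing "\Citrix\".
$PathFilter  = '*\Citrix\*'
# Executables named in this thread's solution post.
$ThreadList  = 'wfica.exe', 'selfservice.exe', 'ssonsvr.exe', 'CitrixReceiverUpdater.exe'
$DurationSec = 60      # poll window; launch a published app while this runs
$Local       = '0.0.0.0', '::', '127.0.0.1', '::1'
$seen        = @{}

$deadline = (Get-Date).AddSeconds($DurationSec)
while ((Get-Date) -lt $deadline) {
    # Map PID -> executable path for processes under the Citrix path.
    # ExecutablePath can be empty for protected processes; run elevated.
    $procs = @{}
    Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath -like $PathFilter } |
        ForEach-Object { $procs[[int]$_.ProcessId] = $_.ExecutablePath }

    # Keep only connections owned by those PIDs that leave the machine.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object {
            $procs.ContainsKey([int]$_.OwningProcess) -and
            $_.RemoteAddress -notin $Local
        } |
        ForEach-Object {
            $exe = Split-Path $procs[[int]$_.OwningProcess] -Leaf
            $key = "$exe|$($_.RemoteAddress)|$($_.RemotePort)"
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = [pscustomobject]@{
                    Executable    = $exe
                    RemoteAddress = $_.RemoteAddress
                    RemotePort    = $_.RemotePort
                    State         = $_.State   # SynSent often means blocked
                    InThreadList  = $ThreadList -contains $exe
                    Path          = $procs[[int]$_.OwningProcess]
                }
            }
        }
    Start-Sleep -Milliseconds 500
}

# Rows with InThreadList = False are candidates missing from the DTR.
$seen.Values | Sort-Object Executable, RemotePort | Format-Table -AutoSize
```

This covers TCP only, and connections shorter than the poll interval can be missed, so procmon remains the more complete tool.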
