Configure Support for Citrix XenApp Resources

capam32

You can configure

Privileged Access Manager

to support the following specific resource types in a Citrix XenApp environment:

Citrix StoreFront
: Access, transparent (automatic) login, and session recording.

Citrix XenDesktop
: Direct access, transparent (automatic) login, and session recording.

Published XenApp applications
: Direct access and session recording.

Transparent login is not currently supported for published Citrix XenApp applications.

This topic has the following contents:

Requirements

Verify that the following requirements are configured in your Citrix XenApp environment:

HTML5 client is enabled on the Citrix StoreFront store.

WebSocket connections are enabled on Citrix XenApp and Citrix XenDesktop.

Privileged Access Manager

and Citrix XenApp are in different subnets, configure Citrix StoreFront to allow remote users to access stores through NetScaler Gateway using the Enable Remote Connections task. For more information, see the XenApp documentation for your version of StoreFront.

By default, concurrent connections by the same user from different IP addresses are not allowed. Because there are use cases where this concurrence might be necessary, there is an option to allow it. For example, your Citrix XenApp environment might have several jump boxes and a load balancer. An end user might run several sessions simultaneously, and the user sessions originate at different jump boxes. If this concurrence is necessary, you can allow concurrent connections. Select Enabled
for Concurrent Remote Connections Allowed
on the Configuration
, Security
, Access
Page. By default, this setting is set to Disabled
.

Configure a Service for Citrix Storefront

Use this procedure to configure a service for Citrix Storefront.

Follow these steps:

From the Menu bar, select Services
, Manage TCP/UDP Services
.

Select Add
.

Complete the following fields:

Service Name
: A unique name, for example, "XenApp_All".

Ports
: StoreFront_Ports

Where StoreFront_Ports
are the port numbers for StoreFront, separated by a colon. For example, "80:6513".

Application Protocol
: Web Portal

Launch URL
: https://<Local IP>:<First Port>/Path_to_StoreFront

Where Path_to_StoreFront
is the browser path to StoreFront. For example, "Citrix/Store1Web"

Browser Type
: PAM Browser

Auto-Login Method
:

PAM

HTML Web SSO

(Accept the default values for other fields.)

Select Save
.

Configure a Service for XenDesktop

Use this procedure to configure a service for Citrix XenDesktop.

Follow these steps:

From the Menu bar, select Services
, Manage
TCP/UDP Services
.

Select Add
.

Complete the following fields:

Service Name
: A unique name, for example, "XenApp_Desktop."

Ports
:

XenDesktop_Ports

Where XenDesktop_Ports

are the port numbers for XenDesktop, separated by a colon. For example, "80:6611"

Application Protocol
: Web Portal

Launch URL
: https://<Local IP>:<First Port>/Path_to_XenDesktop

Where Path_to_XenDesktop
is the browser path to XenDesktop. For example, "Citrix/Store2Web"

Browser Type
: PAM Browser

Auto-Login Method
:

PAM

HTML Web SSO

(Accept the default values for other fields.)

Select Save
.

In the StoreFront console, navigate to Stores
, XenDesktop_Store
,
Manage Receiver for Web Sites
, Configure, Client Interface Settings.
Verify that the Auto launch desktop
option is set.

Configure a Service for XenApp Applications

Use this procedure to configure a service for your Citrix XenApp applications.

Follow these steps:

From the Menu bar, select Services
, Manage
TCP/UDP Services
.

Select ADD
.

Complete the following fields:

Service Name
: A unique name, for example, "XenApp_Apps."

Ports
:

XenApp_App_Ports

Where

XenApp_App_Ports

are the port numbers for your XenApp applications, which are separated by a colon. For example, "80:6813"

Application Protocol
: Web Portal

Launch URL
: https://<Local IP>:<First Port>/Path_to_XenApp_Apps

Where Path_to_XenApp_Apps
is the browser path to your XenApp applications. For example, "Citrix/Store3Web"

Browser Type
: PAM Browser

Auto-Login Method
:

PAM

HTML Web SSO

(Accept the default values for other fields.)

Select Save
.

In the StoreFront console, navigate to Stores
, XenApp_App_Store,

Manage Receiver for Web Sites
, Configure, Client Interface Settings
and set the Auto launch desktop
setting.

Configure a Device for XenApp

Use this procedure to configure a device for XenApp.

Follow these steps:

From the Menu bar, select Devices
, Manage Devices
.

Select ADD
.

Complete the following fields:

Name
: A unique name, for example, "XenApp"

Address
: The IP address of the XenApp server.

Device Type
: Select the following option: Access
. Optionally, select Password Management
.

Services
: Select Add
and select the services that you configured for XenApp resources. In this example, XenApp_All
, XenApp_Desktop
, and XenApp_Apps
.

(Accept the default values for other fields.)

Select Save.

Configure a Policy for Your XenApp Resources.

Configure a policy to associate your XenApp device and its services with users who require access. If session recording is required, select Web Portal
from the Recording
options.

Multiple users can launch CA PAM Client instances from different
XenApp sessions. That is, each user must start their own XenApp session because multiple user logins from a single
XenApp session do not guarantee attribution and confidentiality.

Configure Devices

Symantec Privileged Access Manager - 3.4

Configure Support for Citrix XenApp Resources