Accessing Citrix XenDesktop (Apps and Desktops) View through ZPA


I am increasingly seeing requests to access Citrix VDI Desktops using Zscaler Private Access. This may be due in part to the multiple CVEs in Citrix Access Gateway, as reported by the US NSA as a top vulnerability exploited by nation-state actors.

I made a short video demonstrating the capability of accessing Citrix virtual desktops through ZPA.

Hey Chris,

Great video, thanks. Do you have an Application Segment example you could share? I’d be interested to know what you had to configure for Citrix Receiver to work over ZPA.


Hi Jamie,
The ZPA App segments required are:

  1. XenDesktop Delivery Controller
  2. Storefront Server
  3. IP address or hostname to the actual virtual desktop I connected to

In my lab, my Delivery Controller and Storefront server are on the same VM. The ports required can be found on the Citrix help site: Communication Ports Used by Citrix Technologies

Specifically for accessing virtual desktops with the Citrix Receiver, TCP 80, 443, 1494, and 2598 are required. If you want things like HTML5 receiver then you have to add port 8008.
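As an added example that is not part of the original post or of any Zscaler or Citrix tooling: a small audit that checks whether the TCP port ranges planned for the application segments cover the ports listed above without opening more than needed. The segment names and port specs in `SEGMENTS` are constructed sample values, and the check looks at coverage across all segments together because the post does not map ports to individual segments.

```python
# Ports taken from the post above; everything else here is illustrative.
REQUIRED = {80, 443, 1494, 2598}   # Citrix Receiver access to virtual desktops
HTML5_EXTRA = {8008}               # additional port for HTML5 Receiver

# Constructed sample: hypothetical segment names with planned TCP port specs.
SEGMENTS = {
    "delivery-controller-storefront": "80, 443",
    "vdi-desktop": "1494, 2598-2600",
}

def parse_ports(spec):
    """Expand a spec such as '80, 443, 1494-1496' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, sep, hi = part.partition("-")
        lo_i = int(lo)                      # ValueError on non-numeric input
        hi_i = int(hi) if sep else lo_i     # '80-' fails here instead of passing
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return ports

def audit(segments, html5=False):
    """Return (missing, excess).

    missing: required ports that no segment carries (the client will not connect).
    excess:  {segment name: ports it opens beyond the required set}.
    """
    needed = REQUIRED | (HTML5_EXTRA if html5 else set())
    covered, excess = set(), {}
    for name, spec in segments.items():
        ports = parse_ports(spec)
        covered |= ports
        extra = sorted(ports - needed)
        if extra:
            excess[name] = extra
    return sorted(needed - covered), excess

if __name__ == "__main__":
    for html5 in (False, True):
        missing, excess = audit(SEGMENTS, html5=html5)
        print(f"html5={html5} missing={missing} excess={excess}")
```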

Hi Chris,

Thanks for that video.
I have a question: after ZPA is running and the user is able to reach the Citrix Storefront, they are then presented with a form to log in again, and after login the user sees their webtop of desktops to access.
The user has to click on one, then download the ICA file, and then open the ICA file, and the Citrix Receiver app will then connect to the desktop.
After that has happened, and the user logs out of the desktop or closes the remote desktop, how does the user access the remote desktop again?
It would be great to see what happens from a user experience perspective, since ZPA is always running: how does the user connect to the remote desktop subsequently, after everything is closed and they want to open the remote desktop again?

Hi Peter,
Since ZPA provides always-on secure connectivity, the user will be able to revisit Storefront at any time to re-access their VDI desktop. The ICA file is only good for one use and it is consumed by Citrix Receiver when launched. After disconnecting, a new ICA file can be generated to reconnect to the VDI desktop.

