Citrix - Are there best practices or experiences?


(Andreas Kopplinger) #1

Hi,
we have some issues with the Citrix environment of one of our customers, basically with proper user authentication/identification without the IP Surrogate feature, due to the shared IP addresses.
We think we can solve that with Kerberos, but any best practices regarding Citrix will help us.

Thanks in advance.

Best regards
Andreas


(Jim McCarty) #2

Does anyone have any best practices, or has anyone successfully implemented Zscaler in a Citrix environment? I would love this info also.


(Scott Bullock) #3

We recently published this article on Citrix setup:


https://help.zscaler.com/zia/supporting-citrix-xenapp-and-xendesktop-applications


Hope this helps in your configuration.
@skottieb


(Andreas Kopplinger) #4

Hi Scott,
thanks for sharing this document. Is there a reason why Kerberos is not mentioned there? The tests of our customer showed that this works fine.

There is just one drawback: the users are working on Citrix and classic PCs at the same time. Therefore we can only deploy one PAC file via GPO. Since Kerberos does not work on dedicated proxy ports, even if it is enabled on the sublocation, we built some logic with the egress IP and “myip” to identify the Citrix environment and switch to the Kerberos ZEN URL and port in that case. On classic PCs the customer uses SAML.

Best regards
Andreas


(Scott Bullock) #5

You’re correct that Kerberos works great; this authentication decision is often separate from Citrix and is documented here: https://help.zscaler.com/zia/provisioning-and-authenticating-users

It’s certainly possible there’ll be a need for mixed auth modes within a given environment, e.g. Kerberos on Citrix, Zapp on users, PAC on kiosks. I’m sure you rolled through this in your design.

To your point on being limited to a single PAC per GPO (how nice would it be if the PAC could be set at matching level!), you may use a function like myIpAddress() to test whether the machine is on a Citrix subnet and return the Kerberos VIP.


(Andreas Kopplinger) #6

Hi Scott,
yes, we use myIpAddress() and the egress IP variable. Just myIpAddress() won’t work, since the PAC is distributed to mobile PCs, and for another customer we found out that private IPs are also used in public Wi-Fi networks… :rofl:

Regards
Andreas
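One way to write the PAC selection logic that Andreas (#4, #6) and Scott (#5) describe, as an added example that is not from the thread or from Zscaler's documentation: the Kerberos ZEN VIP and port is returned only when the client's private address (myIpAddress()) is in a Citrix subnet AND the public egress IP is one of the office egress addresses, so a mobile PC on a public Wi-Fi network that happens to hand out the same private range still gets the default gateway. All subnets, egress addresses, ZEN hostnames and ports below are constructed placeholders, and the `${SRCIP}` token is assumed to be the Zscaler-side PAC variable that is replaced with the client's public egress IP when the PAC is served (check the Zscaler PAC documentation for the exact variable name). The decision is kept in a pure function so it can be unit-tested outside a PAC engine.

```javascript
// PAC decision logic for a mixed Citrix / classic-PC estate (added example, not Zscaler code).
// Written in ES3-style JavaScript (var, no arrow functions) because WinHTTP/JScript PAC engines
// do not support newer syntax.

// --- Hypothetical, constructed values: replace with the real environment's data ---
var CITRIX_SUBNETS = [
  ["10.50.0.0", "255.255.0.0"]       // hypothetical Citrix server farm subnet
];
var OFFICE_EGRESS_IPS = ["203.0.113.10", "203.0.113.11"]; // hypothetical office egress IPs (TEST-NET-3)
var KERBEROS_ZEN = "PROXY kerberos-zen.example.invalid:9443"; // hypothetical Kerberos VIP + dedicated port
var DEFAULT_ZEN  = "PROXY gateway.example.invalid:80";        // hypothetical default ZEN (SAML / IP surrogate path)

// Convert dotted-quad to an unsigned 32-bit integer (>>> 0 keeps it unsigned).
function ipToInt(ip) {
  var p = ip.split(".");
  if (p.length !== 4) { return 0; }
  return (((+p[0]) << 24) | ((+p[1]) << 16) | ((+p[2]) << 8) | (+p[3])) >>> 0;
}

// Portable replacement for the PAC built-in isInNet(): true if ip is inside net/mask.
function inNet(ip, net, mask) {
  var m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

function isCitrixClient(clientIp) {
  for (var i = 0; i < CITRIX_SUBNETS.length; i++) {
    if (inNet(clientIp, CITRIX_SUBNETS[i][0], CITRIX_SUBNETS[i][1])) { return true; }
  }
  return false;
}

function isOfficeEgress(egressIp) {
  for (var i = 0; i < OFFICE_EGRESS_IPS.length; i++) {
    if (OFFICE_EGRESS_IPS[i] === egressIp) { return true; }
  }
  return false;
}

// Pure decision: which proxy string to return for this client, egress IP and host.
// Both conditions must hold for the Kerberos path, which is the point raised in #6:
// a private Citrix-looking address seen from a public Wi-Fi egress is NOT a Citrix session.
function selectProxy(clientIp, egressIp, host) {
  // Plain hostnames (no dot) are treated as internal and go direct.
  if (host.indexOf(".") === -1) { return "DIRECT"; }
  if (isCitrixClient(clientIp) && isOfficeEgress(egressIp)) { return KERBEROS_ZEN; }
  return DEFAULT_ZEN;
}

// PAC entry point. myIpAddress() only exists inside a PAC engine, so it is guarded
// to let this file also load in Node for testing.
function FindProxyForURL(url, host) {
  var clientIp = (typeof myIpAddress === "function") ? myIpAddress() : "0.0.0.0";
  // Assumption: Zscaler substitutes the client's public egress IP for this token when
  // serving the PAC. Outside Zscaler the literal stays and matches no office egress IP.
  var egressIp = "${SRCIP}";
  return selectProxy(clientIp, egressIp, host);
}
```

The second test case below is the scenario from #6: a laptop on public Wi-Fi that was handed a 10.50.x.x address would pass a myIpAddress()-only check, but because its egress IP is not an office address it is correctly routed to the default ZEN rather than the Kerberos VIP.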