top of page
  • Foto van schrijverEdwin de Bruin

Migrating from Citrix Gateway to VMware Access Workspace One: Part one

Bijgewerkt op: 2 mrt. 2023

A while ago I was discussing a valid migration scenario between an existing Citrix Deployment to VMware Horizon with my buddy Henry Heres. One of the steps is to migrate the external portal from Citrix (Unified) Gateway to VMware WS One Access.

As seen before, discussing these kind of scenarios with Henry is like planting a seed and pouring a gallon of Pokon on top of it. So, we decided to do a Cross reference Blog. I will show the flow, the blog(s) made by Henry will show how to do the real magic.

This will be a divided in to two blogs describing the 2 steps! This blog is Step 1.

for Step 2: Using VMware WS One Access as the Portal, click on the following link:

Step 1: Using VMware Access as IDP to the Citrix Unified Gateway.

The Why:

By implementing this in step 1 we can migrate the authentication to VMware Workspace One Access.

This gives us as an example the possibility to migrate the MFA solution to the VMware Authenticator, implement the access policies and migrate the applications to use Access as IDP.

There is one requirement though, Citrix FAS needs to be implemented. Why? Well, the user is going to login by using SAML so there is no password to pass to the VDA. As result a certificate is used to login to the Windows OS (similar to TrueSSO).I've seen this in place already in multiple occasions when for example ADFS is still used(and yes you can use ADFS as the IDP but not in scope for this blog). Mainly we still see an LDAPS connection with additional MFA like Radius. I added the link to how to implement Citrix FAS.

In both scenario's WS One access is configured to use Password (Cloud Deployment) plus additional authentication. This is not a necessity for step 1, just to give the user the same experience when implementing step 2.

The Flow:

  1. The user will make a connection to the NetScaler Gateway

  2. Netscaler will respond to authenticate to WS One Access since that is the configured IDP

  3. The user is redirected to WS One Access

  4. The credentials are validated to the VMware Access Connector

  5. The User Auth service on the VMware Access connector will validate to an On Prem Active Directory controller

  6. The SAML Token will be passed on to the users device

  7. With this SAML token the user can logon to the Netcaler Gateway

  8. A connection will be made to the configured StoreFront address

  9. Storefront will enumerate the resources on the XML Service on a Citrix Delivery Controller and show the available desktops or apps to the user

  10. When the user clicks on a desktop or app a ICA file will be generated and downloaded by the user

  11. In the meantime, a request will be send to Citrix FAS to generate a certificate

  12. The certificate is generated on the designated Certificate Authority and cached on the FAS server

  13. When the Citrix Receiver or Workspace App connects to the gateway the secure ticket will be validated to the Secure Ticket Authority (STA) service

  14. The connection to the VDA will be made

  15. At the same time the VDA will request the cached user certificate

  16. The VDA will validate the certificate to Active Directory

The Magic:

I will handover this one to Ern.. eh.. Henry. He wrote a beautiful blog how to configure VMware Access as the IDP:

In addition to, here is an article how to configure Citrix FAS:

Next time: Part Deux! Migrating the portal to VMware WS One Access!

This one will use the virtual app service to enumerate the Citrix Resources and the end users will use WS One Access to access the Citrix Resources! (And by extend you can make the transisition to Horizon if you want to..)

Stay Tuned!

217 weergaven0 opmerkingen

Recente blogposts

Alles weergeven


Post: Blog2_Post
bottom of page