Edwin de Bruin
Migrating from Citrix Gateway to VMware Access Workspace One: Part Two!
Bijgewerkt op: 2 mrt.
As mentioned in my previous blog I was discussing a valid migration scenario between an existing Citrix Deployment to VMware Horizon with my buddy Henry Heres. One of the steps is to migrate the external portal from Citrix (Unified) Gateway to VMware WS One Access. This will be a divided in to two blogs describing the 2 steps. This blog is Step 2!
In this step we will switch the portal to VMware WS One Access.
Same as the previous one, I will show the flow, Henry will show the magic!
for Step 1 click here: Migrating from Citrix Gateway to VMware Access Workspace One: Part one (debruinonline.net)
Step 2: Using VMware WS One Access as the Portal
Why? why the why? VMware WS One Access is just awesome. No that just can't be it.
In the scenario when you are migrating from Citrix to Horizon you are going to have users who still need to access the Citrix resources. Since the Citrix Unified Gateway cannot enumerate Horizon resources you will need to switch to WS One Access. Usually In most cases the user is not aware if Horizon or Citrix is in use, they just don't care (and they shouldn't) It is not very user friendly to let the user open multiple URL's and/or portals to access their resources. Or perhaps there are some cases you wish to mix and match and still keep the Citrix VDA's in play. As always, the user experience is what matters!
In both scenario's WS One access is configured to use Password (Cloud Deployment) plus additional authentication. Password caching needs to be enabled. This is a necessity for step 2 in opposite to step 1 to give the user a SSO experience. Otherwise, the user will experience an additional password prompt when for example using the Kerberos connector or Certificate based login.
The user will make a connection to the VMware Workspace One Access
The credentials are validated to the VMware Access Connector
The User Auth service on the VMware Access connector will validate to an On Prem Active Directory controller
The user will see their Citrix Resources between the apps, the user launches a Citrix resource.
A request will be sent to the Virtual App Service running on the Access Connector. Making use of the StoreFront REST API a request will be made by the connector to the NetScaler Gateway. The connector can only use username and password. At first it seemed that we needed to configure the Citrix gateway to only use Username and Password. Imagine that when accessible from the bad internet big fat no no.. A little later VMware published the solution how to secure this with basic authentication policies to allow only the connectors to use Username and Password. Henry will show how to do this with Advanced Policies and use SAML when a connection is made not originating from one of the connectors. The flow from step 1 in the previous blog will apply and authentication will be required! In case a user still accesses the gateway directly they will be redirected to the WS One Access Portal for authentication
The request for the ICA file will be forwarded to Storefront
Storefront will enumerate the resources on the XML Service on a Citrix Delivery Controller and show the available desktops or apps to the user
The generated ICA File will be passed to the Gateway
The generated ICA File will be passed to Access Connector
The generated ICA File will be passed to WS One Access
The generated ICA File will be passed to Users Device
Citrix Workspace App or Receiver will make the connection to the Gateway
When the Citrix Receiver or Workspace App connects to the gateway the secure ticket will be validated to the Secure Ticket Authority (STA) service
The connection to the VDA will be made
Once again, I will handover this part to Henry!
He wrote down the magic in his blog:
Notes from the lab: Some magic, integrating Citrix resources with VMware Access – The IT Stories (technicalfellow.com)
Most important: Fun partnering up and keep the other one sharp!
These 2 steps will give an awesome and user-friendly way to migrate to WS One Access (and in extend Horizon?) both flows can coexist so big bang not required!
We hope this could help someone. If there are any questions, remarks please don't hesitate to contact me or Henry Heres!