Notes from the lab: Some magic, integrating Citrix resources with VMware Access

Like my friend Edwin de Bruin explains in his blog(s): Migrating from Citrix Gateway to VMware Access Workspace One: Part one ( and Migrating from Citrix Gateway to VMware Access Workspace One: Part Two! ( he expects me to deliver you all some magic.

For this blog I’m going to start with the necessary resource articles and blogs for a starting point and those are the following:

Providing Access to Citrix-Published Resources in VMware Workspace ONE Access – this one is the basic starting point for integration and should help you out with a working setup

Workspace ONE Access – Nick’s IT Blog ( – Some enlightenment regarding requirements (undocumented)

Configuring Citrix Resource Launch for External Networks with Citrix Gateway ( – Is still referring to basic authentication policies and we are doing it the new way as in advanced policies with an authentication profile

Configuring Password Caching for Virtual Apps (Workspace ONE Access Cloud Only) ( – To provide an extra SSO experience after username and password logon, see this as an equivalent to Azure AD PHS, side note is that if you don’t logon via username password you will get an password prompt for that session one time. The following screenshot shows an internal logon via Kerberos method and then after selecting the resource it will prompt for the password:

So, keep in mind when configuring your access policies for a Citrix integration preferably this needs to be username, password, and a dual factor for a nice experience. (You can apply this as you would do in a Horizon deployment, internal access policies and external access policies)

Well so far, no magic but I’ll try and give some more, and this time regarding Citrix NetScaler. The above-mentioned article states a nice integration point for basic authentication but that is not the case anymore if you upped your game with advanced policies and the accommodating authentication profile for a Citrix Gateway setup.

For an advanced authentication method and to use this in a Citrix Gateway setup you will need a AAA setup combined with an authentication profile, which basically has an authentication binding which first checks if you have an IP of the VMware Workspace ONE access connector(s) and if so then you’ll use the username password LDAPS action. If you don’t have a follow-up binding e.g., which still uses the current authentication method for the Citrix Gateway you will get a username/password option and nasty message after trying to logon. The following screenshots explain that:

So, to do this correctly we need the current authentication policy and a new one filtering on the source-IP addresses of the VMware Workspace ONE Access connector(s) which has a lower priority and will get triggered first. All other flow will still use the “old” logon experience.

Some caveats to keep in mind:

  • The Citrix LDAPS server in NetScaler needs to align with your VMware Workspace ONE unique attribute, this can be UPN or sAMAccountName so please match those
  • When using Citrix Unified Gateway (Content Switching) or Citrix Gateway make sure that the client choices options are not selected, this will break the logon from VMware Workspace ONE Access
  • Entitlements in Citrix Studio need to align with the entitlements in VMware Workspace ONE Access, the same as it does with VMware Horizon

Well that about wraps it up!

Experiences are a nice working flow from Citrix Gateway as the SP-provider and still leveraging SAML and Citrix FAS, and the other way around with VMware Workspace ONE Access as IDP as well.

The integration flow from VMware Workspace ONE Access with the source-IP filter for the connectors and corresponding username/password logon on Citrix Gateway closes the book and provides a nice migration / integration portal for the whole stack.

Any questions or comments drop them to me, or Edwin de Bruin and we are here to help!

Some closing reference articles regarding the source-IP filtering:

Configuring a data set | AppExpert (

How to create responder policy allow/block a set of ip’s (



, , , ,