Supporting Citrix XenApp and XenDesktop Applications


Zscaler Internet Access (ZIA) is used by many existing Citrix customers. Citrix workloads can forward traffic to ZIA through GRE or IPSec tunnels, PAC files, or the Zscaler App (Z App). However, some Citrix deployment models rule out one of these options or require it to be configured in a particular way.

Using XenDesktop with ZIA

These workloads are typically Windows Client Operating Systems, such as Windows 7, 8, or 10. Each virtual desktop serves a single user session at a time, which is what makes the per-user options below possible.

  • GRE or IPSec tunnels: These can be treated like any Windows user device going through ZIA. You will likely only need to create a sub-location for these workloads. 
  • PAC files: These are typically deployed through a Group Policy Object (GPO) and treated no differently than a user’s physical device. However, the Zscaler authentication cookie lives in the browser profile, so that profile must survive across sessions (for example through roaming user profiles). On a desktop that is reset at logoff, the cookie is lost and the user has to re-authenticate each time they launch a new desktop. To learn more, see What are the Authentication Frequency options?
  • Zscaler App: Z App currently supports Windows Client Operating Systems and can work with Virtual Desktops. However, because Z App enrolls each device it is installed on, it only works well with a Dedicated VDI, where a user returns to the same desktop. With a Pooled VDI, where users receive a random, fresh desktop on every connection, each connection is a new enrollment. To keep those re-enrollments from accumulating as stale device records, configure Device Cleanup in the Zscaler App Portal to remove the oldest enrolled device automatically. To learn more, see Configuring Automated Device Removal.
  • SSL Inspection: If needed, deploy the Zscaler Root certificate into the machine’s Trusted Root Certification Authorities store, either centrally in the Citrix master images or via GPO, as you would for any other domain-joined machine.
  • IP Surrogacy: Because each user has a one-to-one mapping with a virtual desktop, you can use IP Surrogacy to bind a username to the desktop’s internal IP address, so that transactions which would otherwise show only the ZIA location name are attributed to that user. Set the idle-time threshold much lower than on a normal device network, such as only a few hours: when a desktop is released and its address is handed to the next user, a stale mapping would attribute that user’s traffic, and apply the previous user’s policy, to the wrong person. To learn more about surrogate IP, see What is Surrogate IP?

Using XenApp and Hosted Shared Desktops with ZIA 

These workloads are typically Windows Servers, such as Windows Server 2008 R2 or Windows Server 2012. Unlike a virtual desktop, one server hosts many concurrent user sessions, all of which share the server’s source IP address; that is what limits the options below.

  • GRE or IPSec tunnels: These can be treated like any Windows user device going through ZIA. You will likely only need to create a sub-location for these workloads. 
  • PAC files: These are typically deployed through a Group Policy Object (GPO) and treated no differently than a user’s physical device. However, the Zscaler authentication cookie lives in the user’s browser profile, so that profile must survive across sessions (for example through roaming user profiles); otherwise the user has to re-authenticate each time they launch a new application or desktop session. To learn more, see What are the Authentication Frequency options?
  • Zscaler App: Z App is not supported for use with Virtual Apps and Hosted Shared Desktops, because Zscaler does not support concurrent user sessions on a device with Z App installed. Z App establishes a single tunnel to ZIA from the first Windows user session that enrolls with the service. Users who log on concurrently to the same server can still complete enrollment, but their ZIA and ZPA tunnels will fail.
  • SSL Inspection: If needed, deploy the Zscaler Root certificate into the machine’s Trusted Root Certification Authorities store, either centrally in the Citrix master images or via GPO, as you would for any other domain-joined machine.
  • IP Surrogacy: IP Surrogacy must be disabled for the sub-location containing the XenApp workloads, because these servers have multiple concurrent users who all share the server’s source IP address. If user authentication is enabled with surrogacy left on, the IP-to-user mapping flips to whichever user authenticated most recently, so other users’ traffic is logged and policed as that user’s until the mapping eventually stops working altogether. Since every session on the server has the same source IP, Zscaler has no way to know which user to map to it. To learn more about surrogate IP, see What is Surrogate IP?
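As an added example (not from the original article and not one of Zscaler’s own PAC templates), here is a PAC file of the kind the PAC files bullets in both sections above describe: it sends the Citrix user’s web traffic to ZIA while keeping the Citrix infrastructure itself (StoreFront, Delivery Controllers, VDAs) and RFC 1918 space direct. The internal domain corp.example, the hostname patterns, the addresses in the resolution table and the gateway port are assumptions for this example. ${GATEWAY} and ${SECONDARY_GATEWAY} are the macros that Zscaler-hosted PAC files expand to the nearest Zscaler nodes; if you host the PAC yourself, put explicit gateway hostnames there instead. The stand-ins for the PAC built-ins are only defined when the real built-ins are absent, so the same file can be exercised from Node.js and deployed unchanged to a browser.

```javascript
// Added example PAC file for Citrix workloads behind ZIA (not Zscaler's own template).
// Route for everything that is not explicitly bypassed below.
// ${GATEWAY} / ${SECONDARY_GATEWAY} are expanded by Zscaler-hosted PACs; self-hosted
// PACs need explicit hostnames. Port 80 is an assumption; check your tenant's PAC.
var ZIA_ROUTE = "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";

// Citrix infrastructure the desktop or session host must reach directly.
// Hypothetical patterns under the assumed internal domain corp.example.
var CITRIX_BYPASS = [
  "storefront*.corp.example",
  "ddc*.corp.example",
  "vda-*.corp.example"
];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label intranet names and loopback never leave the site.
  if (isPlainHostName(host) || host === "localhost") {
    return "DIRECT";
  }

  // Name-based rules first: they cost no DNS lookup.
  for (var i = 0; i < CITRIX_BYPASS.length; i++) {
    if (shExpMatch(host, CITRIX_BYPASS[i])) {
      return "DIRECT";
    }
  }

  // Anything that resolves into private or loopback space stays internal.
  var ip = dnsResolve(host);
  if (ip && (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
             isInNet(ip, "172.16.0.0", "255.240.0.0") ||
             isInNet(ip, "192.168.0.0", "255.255.0.0") ||
             isInNet(ip, "127.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }

  // Everything else is user web traffic: forward to ZIA for policy and inspection.
  return ZIA_ROUTE;
}

// ---- Offline stand-ins for the PAC built-ins --------------------------------
// Browsers and proxy engines supply these natively, so this block only runs when
// the file is executed outside a PAC sandbox (for example under Node.js). The
// resolution table is constructed sample data, not a real zone.
if (typeof dnsResolve !== "function") {
  var CONSTRUCTED_DNS = {
    "storefront.corp.example": "10.20.30.40",
    "ddc01.corp.example": "10.20.30.41",
    "vda-pool-01.corp.example": "10.20.31.5",
    "files.corp.example": "192.168.50.10",
    "www.example.com": "93.184.216.34"
  };
  var dnsResolve = function (h) {
    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) { return h; }  // literal IPv4 host
    return CONSTRUCTED_DNS[h] || null;                       // null on lookup failure
  };
  var isPlainHostName = function (h) { return h.indexOf(".") === -1; };
  var shExpMatch = function (str, pattern) {
    var re = "^" + pattern
      .replace(/[.+^${}()|[\]\\]/g, "\\$&")  // escape regex metacharacters
      .replace(/\*/g, ".*")                   // shell * -> regex .*
      .replace(/\?/g, ".") + "$";             // shell ? -> regex .
    return new RegExp(re).test(str);
  };
  var ipToInt = function (dotted) {
    var o = dotted.split(".");
    return (+o[0]) * 16777216 + (+o[1]) * 65536 + (+o[2]) * 256 + (+o[3]);
  };
  var isInNet = function (h, net, mask) {
    var m = ipToInt(mask);
    return (ipToInt(h) & m) === (ipToInt(net) & m);
  };
}
```

Two points a practitioner should weigh before deploying something like this. The trailing DIRECT in ZIA_ROUTE fails open: if both Zscaler nodes are unreachable, traffic leaves uninspected, so remove it if the sub-location must fail closed. And a PAC only governs applications that honour the system proxy setting; traffic from the VDA or session host that ignores it still needs a GRE or IPSec tunnel to reach ZIA.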