As with my previous blog post, UNOFFICIAL means UNSUPPORTED!

Do not contact Citrix Technical Support with questions/issues with this post. Please submit your questions/comments below.

With the recent launch of the Citrix Receiver for the iPhone 1.0 at Synergy, I’ve had several customers ask me how to configure it for the Access Gateway Enterprise. In version 1.0, only the Access Gateway Standard Edition is supported, but this will soon be addressed in future versions of the client. Is there a way to address this now? The answer is yes, but it’s unsupported! If you are using the Secure Gateway functionality within the Access Gateway Enterprise, there is a way to get this to work.

First, take a look at the following articles to familiarize yourself with what is supported today:

Getting Started with Citrix Receiver for the iPhone

Citrix Access Gateway Standard Edition Setup for Citrix Receiver for the iPhone 1.0

So how do you get this to work on the Access Gateway Enterprise edition? In a nutshell, you configure a virtual server with a session policy that mimics the Secure Gateway/ICA Proxy configuration. Instead of pointing your session profile to your Web Interface site, you point it to your XenApp Services (AKA PNAgent) site. Configuring XenApp Services for Secure Gateway (Gateway Direct mode) can be found in the Web Interface 5.1 Administrators guide located here:
You’ll have to disable authentication on the virtual server and allow Web Interface/XenApp Services to handle the authentication. This is not a best practice since you are allowing unauthenticated (this does not mean unencrypted) traffic to be proxied to your Web Interface site. The best practice recommendation is to authenticate at the Access Gateway and pass the credentials to the Web Interface landing page. That functionality is not supported today in the 1.0 client.

My Lab Environment
XenApp 4.5 with HFRU2 on Windows 2003 32bit Sevice Pack 2
Web Interface 5.1 on Windows 2003 32bit Service Pack 2
Access Gateway 9.0 build 66.12
Firewall with a single hop DMZ


  • You have a working Access Gateway and XenApp deployment already in place for external access

Nuts and Bolts
The quickest way to get the environment up and running is to copy your current session profile for Secure Gateway/ICA Proxy and make some modifications. Simply select the existing session profile from your session profile list, right click and select copy. Then click on Add and a copy of your profile will appear.

Below are the screen shots of my session profile that I created:

In the “Published Applications” tab, make sure the URL is pointing to the same URL that is configured in the XenApp Services site. Do not include the ‘config.xml’ in this path.

Assign the newly created session profile to your existing session policy. Disable authentication on the virtual server.

On your iPhone, open the Citrix Receiver 1.0 and configure the following:

Use the same path that you specified under your “Published Applications” session profile, but include the config.xml

User Name
Enter your domain user name

Enter your domain password

Enter you Active Directory domain name

Citrix Access Gateway
Leave this set to OFF

Here is a screen shot:

Once you have everything configured, click on Next in the upper right hand corner and your list of applications should appear. If it doesn’t go through the first time, try a submitting a second time. Most of the time it goes through on the first attempt, but sometimes it takes two attempts.

Let me know if you have any questions in regards to this post. I didn’t develop the code, so I can’t address anything specific about it.

Kind Regards,