In response to the COVID-19 pandemic and the sudden shift to remote work, Citrix customers are moving faster than ever to rapidly to deploy out access to large numbers of users. To streamline these deployments, many are leveraging the Citrix Workspace app for HTML5 as their Citrix client. Using a HTML5 client in a web browser gives IT admins a turnkey solution to enable access to Citrix Virtual Apps and Desktops without having to install a client.
In Citrix Consulting, we normally recommend standardizing the native Citrix Workspace client to provide an optimal user experience and to enable features such as USB and file redirection to function. However, there are situations where using the full Citrix Workspace client is not possible or is unnecessary for end users leveraging the Citrix solution. In these cases, the Citrix Workspace app for HTML5 is a great choice.
From a security and documentation perspective, it is important to understand the architecture required to support any solution. In terms of network topology and Citrix policies, you should not have any excess configurations that are not required to be configured such an open networks port.
In this blog post, I will walk through the ports and policies required to enable Citrix Workspace app for HTML5 connections to your applications and desktops. I will also cover some common deployment architectures and provide an overview of the required configurations.
External Access Through Citrix Gateway
When reviewing customer deployments, a common Citrix policy I find configured to allow Citrix Workspace app for HTML5 connections is “WebSockets connections.” This is usually accompanied by having port 8008 open on the firewall inbound to the Virtual Delivery Agent (VDA). A common misconception is that you must have both the Citrix policy enabled and port 8008 open when going through Citrix Gateway to enable HTML5 connections.
So why isn’t the WebSocket policy required, and which port is being used then?
The Citrix Workspace app for HTML5 uses the WebSocket technology built into most modern browsers. Any time a WebSocket connection is initiated, it attempts to establish the connection to the resource (the VDA) using connection method (unsecure vs. secure) that was established with the website (Citrix StoreFront) hosting the HTML5 code that creates in WebSocket.
So, for example, if you establish a connection to a secured StoreFront load balancing vServer (TLS) and use the Citrix Workspace app for HTML5 to connect to a desktop or application, it requires the communication to the VDA to be secure using TLS. By default, that is not the case, so the connection to the VDA will fail. We will discuss how to overcome this issue later in the blog.
In the case of external access through Citrix Gateway however, the browser is only communicating with the Gateway, not directly to the VDA to establish the WebSocket connection. This means that the connection to the VDA does not have to be secured with TLS.
A key point to note is that the Citrix WebSocket policy is only required to be enabled to allow unsecure WebSocket connections. An example is when the client establishes a Citrix Workspace app for HTML5 connection from an unsecure StoreFront website (accessed via HTTP). Typically, we never recommend unsecured connections to a StoreFront server; however you may have one in a testing environment. The diagram below details the communication flow when initializing a Workspace app for HTML5 session through Citrix Gateway.
To recap the configuration required to support HTML5 connections through Citrix Gateway:
- The Citrix WebSocket policy should not be enabled. The “WebSockets Connections” Citrix policy should only be enabled when connecting from unsecured StoreFront websites.
- Connections through Citrix Gateway do not require Port 8008. When connecting through Citrix Gateway, Citrix Workspace app for HTML5 connections still use port 2598 or 1494 on the backend network from the ADC to the VDA. Because the Citrix ADC is acting as the reverse proxy, the WebSocket connection is established to the Gateway and then the ADC’s Subnet IP (SNIP) address is used to communicate with the VDA on the default HDX ports 2598/1494.
Internal Access Through Storefront
When establishing an HTML5 connection directly to a VDA when not passing through Citrix Gateway, things get a bit more complicated. As I mentioned earlier, all modern browsers require WebSocket connections to use TLS when the underlying website that the HTML5 session was established from is also using TLS. This is detailed in in RFC 6455 (section 4.1.5).
Just as a website in a browser uses http:// and https:// to reference unsecure and secure websites, respectively, a WebSocket does the same with ws:// and wss//. When using developer tools in a browser such as Chrome, you can see the browser reaching out directly to the VDA to establish the WebSocket connection. Below are examples of WebSocket connections to the VDA:
- Unsecure WebSocket: ws://windows10-desktop1.domain.com:8008. The Citrix policy default value uses port 8008 as the default for connections. The actual default WebSocket port is 80, but the Citrix policy elects to use a different one. It does not matter as long as the port is opened on the firewall between the end users and the VDA.
- Secure WebSocket. wss://windows10-desktop1.domain.com. This uses 443 as the default port and does not have to be specified. If your Citrix Gateway or VDA configured with a TLS certificate is listening on a port other than 443, this will automatic be inserted into the address.
So, when establishing internal connections though a secured StoreFront website, you have two options to allow HTML5 access to VDA:
- Bind a Certificate to the VDA Allow ICA over TLS. This process involves modifying the ICA listener service on the VDA to use a TLS certificate. You can read more about this process here: “Configure TLS on a VDA using the PowerShell script.” In most situations, it involves configuring certificate auto enrollment to allow your pooled machines to dynamically get certificates.
- Use HDX Optimal Routing to Force WebSockets Connection over TLS. If configuring certificates on each VDA sounds like it is not for you, the other option is to use Citrix Gateway for HDX Routing only. Using HDX Optimal Routing (formally known as Optimal Gateway Routing) provides the ability to force the WebSocket connections over a secure TLS connection. Because the browser is now forced to leverage the secure Citrix Gateway vServer to establish the WebSocket connection, the HTML5 connection to the VDA will now work.
What about Citrix Workspace Service?
For Citrix Cloud customers leveraging Citrix Workspace Service to enumerate their applications and desktops, all the same items for StoreFront applies. Because Workspace can only be accessed securely via TLS, you encounter all the same issues found on StoreFront.
Recap
- Additional Configuration May be Required: Leveraging the Citrix Workspace app for HTML5 is a great solution to provide access to users from inside and outside your network. Depending on the access method, you may have to arrange additional configurations to allow access via HTML5 due to the TLS security requirements. Based on your use case, be sure only the required Citrix policies and network ports are configured and cited in your environment documentation.
- Citrix Policy Required Only for Unsecure StoreFront Sites: The “WebSocket Connections” Citrix Policy is only required to be enabled when accessing resources through unsecure StoreFront deployments via HTTP. Because you should always access StoreFront securely via HTTPS or by connecting through via Citrix Gateway, this setting should not be configured in most instances.
- Bind a Certificate or use HDX Optimal Routing for Internal StoreFront Workspace for HTML5: To allow Workspace app for HTML5 connections to VDA when not accessing resources through Citrix Gateway, you have two options. What the optimal solution is here depends on your preference. I have seen most customers elect to configure Optimal Gateway routing to allow for HTML5 connections when authenticating at StoreFront. This also provides other benefits such as the ability to make use of other Citrix Gateway features such as HDX Insight.
Frequently Asked Questions
Does Enlightened Data Transport (EDT) work in HTML5?
EDT is not supported in HTML5 for a simple reason: The WebSocket technology is built upon TCP. No matter what setting you have configured for “Adaptive Transport” in Citrix policy (even if you put it in diagnostic mode), the connection will be established via TCP.
What happens if I don’t configure TLS Certificates on the VDA or use HDX Optimal Routing?
If you don’t access the VDA with either of these methods and you are not connecting through Citrix Gateway, users will see an error when establishing an HTML5 session: “Citrix Workspace app cannot create a secure connection in this web browser.”
Citrix Tech Bytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.
Click here for more Tech Bytes and subscribe.
Want specific Tech Bytes? Let us know! tech-content-feedback@citrix.com.
