Citrix Cloud Connectors: How they work and how to get the most from them

Connectors have long fulfilled a key role in providing a simple, secure way to connect on-premises resources to the Citrix Cloud console. They unlock the advantages of cloud management by bridging on-prem and cloud deployments, without requiring complex networking or infrastructure configuration.

In the context of Citrix, when you think of a connector, you probably think of the Gateway Connector or the Citrix Cloud Connector depending on the use case. However, more recently you might have heard talk of a new kind of connector — the Connector Appliance. The Connector Appliance is part of an ongoing effort to reduce the on-prem footprint needed to run Citrix and related infrastructure, which includes minimizing and unifying the number of connectors needed. In this blog post, I’ll break down the types of Citrix connectors and help you to understand which should be used where.

This table provides a breakdown of the primary use for each connector and the underlying technology.

Let’s take a closer look at each connector type.

Gateway Connector – Deprecated

The Gateway Connector was a Linux-based appliance used for facilitating remote access to enterprise web apps – primarily Citrix Secure Private Access and Citrix Application Delivery Management (ADM). On a technical level, it acted as a reverse-proxy for web apps and provided single sign-on capabilities. The Gateway Connector was the first Connector to be successfully migrated to the Connector Appliance and has been deprecated as of Q3 2022.

Citrix Cloud Connector

The Citrix Cloud Connector is a collection of Windows Services packaged as a suite of MSIs, which must be installed on a Windows Server OS. At the time of this writing, the Cloud Connector remains the connector to use in the majority of DaaS use cases. It enables the use of Active Directory forests and domains within resource locations; enables publishing of virtual apps and desktops; facilitates providing an environment for managing device and app policies and delivering apps to users; and enables the provisioning of machines directly into your resource locations.

While the Cloud Connector is the connector to use in the majority of DaaS-related use cases, other specific use cases are being facilitated by the Connector Appliance. Organizations can leverage the advantages of the Connector Appliance as an alternative to the Cloud Connector.

Connector Appliance

At its heart, the Connector Appliance runs a custom Linux-based operating system with only the minimum functionality to achieve its purpose and is provided as a “black box” with minimal touch needed to set one up. The Connector Appliance has a number of distinctive features, including:

• Cost Savings: The Linux-based Connector Appliance removes the need to invest in Windows licenses. Additionally, running the Connector Appliance offers more versatile and streamlined management than the Cloud Connector. That means fewer Connector Appliances are needed to fulfill the same demands, with each connector requiring fewer resources (memory, vCPUs, etc.).
• Reliability: Moving to Linux has removed the limits imposed by a Windows operating system. Connector Appliance updates are smaller, less impactful, and less vulnerable to environmental differences than comparable Windows Connector updates.
• Management: At its simplest, requiring fewer connectors reduces management load. However, the real advantage comes from the connector being a “black box” appliance that does not need OS-level configuration to get started. Once you have deployed, registered, and joined to Active Directory, everything else can then be configured from the Citrix Cloud console. There’s no setting up of hosts or installing anti-virus and other agents.
• Security: Resistance to external threats was a priority for the Connector Appliance and guided the decision to run a custom, hardened operating system. The Connector Appliance allows no incoming connections or remote access — not even SSH — and only contains the basic functionality for its operation.
• Extensibility: Compared to both the Cloud Connector and Gateway Connector, it is much simpler to on-board additional use cases onto the Connector Appliance. While this might not be immediately meaningful to customers, it provides a platform for Citrix to continue extending the Connector Appliance and remains the only tool customers will need going forward.

When Should I Use a Connector Appliance?

The Connector Appliance does not currently support most DaaS use-cases — though these will be coming soon. Still, there are several use cases to which the Connector Appliance applies.

Active Directory (AD) User Authentication (including multi-domain)

A primary use for a connector is to connect on-premises active directory (AD) infrastructure to the Citrix Cloud console without the need for additional AD trusts. At the time of this writing, the Connector Appliance can be used to connect a resource location to forests that do not contain Citrix Virtual Apps and Desktops resources. This might be used to facilitate Kerberos SSO within Citrix Secure Private Access. Alternatively, user authentication can be supported through the Connector Appliance if a customer has AD domains that only contain users — for example, if they have separate domains for users and machines or have non-domain-joined machines (e.g. Linux VDAs).

The Connector Appliance can be used to connect these user-only domains to Citrix Cloud in the same way as traditional Cloud Connectors. It is worth noting that a single Connector Appliance can be joined to multiple domains, while with the Cloud Connector, a customer must deploy a minimum of two Cloud Connectors per user-domain. With the Connector Appliance, the customer could deploy two Connector Appliances across all domains. Using this feature, one customer was able to reduce their connector footprint from 39 Cloud Connectors to just six Connector Appliances, helping them meet their AD needs at a fraction of the cost.

Citrix Secure Private Access (SPA)

Citrix Secure Private Access delivers ZTNA with adaptive access to all IT-sanctioned apps — web, SaaS, and client-server — whether they’re deployed on-premises or in the cloud. Within this offering, the Connector Appliance is a key component in fulfilling the roles previously managed by the Gateway Connector. It acts as a reverse-proxy for web apps and provides single sign-on capabilities.

Image Portability

Citrix Image Portability Service simplifies the management of images between on-premises resource locations and the public cloud. Within this solution, the Connector Appliance runs in your environment (both on-premises and/or cloud) and acts as a controller for individual jobs.

Citrix Hypervisor (XenServer) Cloud (preview)

Currently in preview, Citrix Hypervisor 8 Cloud enables you to administer updates to your on-premises Citrix Hypervisor servers and pools from Citrix Cloud, with the Connector Appliance again acting as the conduit between the Citrix Cloud control-plane and on-premises Citrix Hypervisor (XenServer) hosts.

What’s Next?

With multi-Domain AD user authentication, Citrix Secure Private Access, Citrix Image Portability service, and Citrix Hypervisor Cloud supported, customers are already realizing the benefits of the Connector Appliance. And we have more use cases relating to DaaS and NetScaler in the works as we continue work to enhance the security, reliability, and ease of use of the platform. Keep an eye out for updates in the coming months, because it’s an exciting time in the world of connectors!

Disclaimer: The development, release and timing of any features or functionality described for our products remains at our sole discretion and are subject to change without notice or consultation. The information provided is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making purchasing decisions or incorporated into any contract.