AlSolorzano.com

News, Opinions, & Tips on Application and Server Virtualization

Configuring the Citrix Receiver for the iPhone - Lessons Learned (Update 8/25/2009)

Yes, I know it has been awhile. I've had tons to write about, but I haven't had the time. Anyway... onto the iPhone.

First of all, I'd like to say "Thanks to Citrix". Great job on the Citrix Receiver for the iPhone. Secondly, I'd like to say "Finally!". We have been waiting for a long time. I remember seeing a demo as far back as early 2008. And lastly, I'd like to say "Citrix... you have some more work to do". I wouldn't be writing this otherwise.

I do make some assumptions when writing this article since I am not going to go through and explain how to setup a Citrix Access Gateway, Standard/Enterprise or Citrix Secure Gateway Server. Sorry if you were looking for every exact step, but I need to spend time with my kids.  

Citrix Cloud iPhone Demo - http://iphone.citrixcloud.net/
If you don't want to make any changes to production or you don't have Citrix Access Gateway, Standard or Citrix Secure Gateway, then visit the above URL. You will be prompted for 4 pieces of information and they will send you instructions and credentials to access a demo site from your iPhone.

Updates for 07/2009

  • Enterprise is now supported with the latest Citrix Receiver for iPhone downloaded from iTunes (currently 1.0.2) and the latest Citrix Access Gateway Enterprise/NetScaler firmware (9.1 Build 95.3 - make sure to get the correct version for your appliance - Classic or nCore). See the added instructions below for how to configure Access Gateway Enterprise/NetScaler.
  • Don't bother trying to get this working with Presentation Server 4.0. Real flaky. Works great on XenApp 4.5 and above. Also works great on XenDesktop.

Updates for 08/25/2009

  • Citrix Access Gateway, Advanced is now supported.

What is missing still and hopefully being resolved soon

  1. Citrix Access Gateway Advanced and Enterprise Support. Currently neither is supported. So if you have these two solutions, you are out of luck. You may want to build a Citrix Secure Gateway server just for the iPhone users (iphone.company.com)
    Note: Citrix Employee Matt Lesak has an unsupported HOW TO for Enterprise, but it isn't perfect. I tried the same thing for a client who wanted an externally accessible XenApp Services site without a VPN and I had the same timing issue. I would try to authenticate and it would fail. Wait 30 seconds. Then authenticate again and it would work. I guess this is better than nothing but again UNSUPPORTED.
    http://community.citrix.com/blogs/citrite/mattle/2009/05/22/Unofficial+HOWTO+on+Configuring+Citrix+Receiver+for+the+iPhone+1.0+to+work+with+Access+Gateway+Enterprise
    Citrix Access Gateway Advanced Support. I know the usage of this solution is low and Citrix is pushing clients towards Enterprise, but clients still want it. Now all the major access platforms from Citrix are supported. SWEET!!!
  2. Encryption beyond BASIC for the Published Applications. All published applications need to be set at Basic Encryption or the apps will error and close. No way around this one. You have to disable encryption on the published applications the users will be using.
  3. Wildcard certificates. Currently not supported.

What you need is listed here http://community.citrix.com/display/xa/Citrix+Receiver+Requirements but that isn't quite everything.

Here are my recommended requirements and some steps to set this up: 

  • iPhone or iPod Touch mobile device with iPhone 2.2 Software Update installed (version 2.2.1)

    • Citrix Receiver from the iTunes App Store (just search for Citrix at the iTunes App Store) must be downloaded and installed. Everyone with a iPhone or iPod Touch should be familiar with this procedure.

  • A Citrix XenApp/Presentation Server Farm running

    • A Presentation Server 4.5 Farm or Citrix XenApp 5.0 Farm

    • Web Interface 4.5/4.6 running a PN Agent site OR Web Interface 5.x running a XenApp Services site

      Note:
      Web Interface is a tool that runs on a Web Server. A XenApp Web site needs to be contacted by a Web Browser to work. The XenApp Services site (formerly known as a PN Agent site) needs to be contacted by the Citrix Receiver or the XenApp Plugin for Hosted Apps (formerly known as Program Neighborhood Agent).

    • A Presentation Server 4.0 farm also is confirmed to work, BUT it isn't consistently working. I wouldn't recommend this method without lots of testing and verification. You won't get support from Citrix either on this config, but I was testing anyway. PS 4 goes End of Life at the end of this year even though it is still a common deployment.

      • I found the applications launching to be inconsistent. It seemed to work for awhile but then it would stop and I needed to reboot the Presentation Server and iPhone to get them working.

      • You must use a new version of the Web Interface (4.5 or above).
        You can't use the Web Interface 4.0 PN Agent Site. During my testing, I was able to see the app list but they didn't always launch correctly. It may have something to do with how the ICA files are generated.

      • Also after messing with this test, I needed to reboot the iPhone and the Presentation Server 4 Server before I could get it working with the WI 5 site again.

  • If you are encrypting the login process via the XenApp Services site or accessing the environment via Citrix Secure Gateway or Citrix Access Gateway, Standard or Enterprise edition, then the iPhone must trust the root certificate for the CSG or CAG, Std./Ent. Here are the easiest two methods I've found to install a root certificate.
    • Method 1 - E-mail the root certificate to yourself and download/install the attachment via the Safari browser or the built-in mail reader on the iPhone.
    • Method 2 - Host the root certificate somewhere where you can use the Safari browser and browse to it. (Example: www.companyname.com/root.crt -> When prompted, select Install and then approve it by selecting Install Now, then click Done.)
  • Connectivity
    • For internal access, the iPhone or iPod Touch must be connected to the corporate Wireless connection. (This is the easiest one to test, since testing from external or the 3G network requires a little bit more work.)
      • Account Settings
        • Address: IP or FQDN of the Web Interface server (You can try the hostname if the wireless configuration appends the DNS suffix). This connection does not need to be secured with an SSL cert by putting https:// in front of the FQDN when entering the information on the iPhone, but it is recommended.
        • User Name: <Username that has applications published to it>
        • Password: <Password>
        • Domain: <Domain Name>
        • Sign in Automatically: On (I recommend turning this off for testing configurations. Once it has been enabled, you will need to go to the Home of the iPhone > General > Citrix and disable Sign in Automatically)
        • Citrix Access Gateway > Off
    • For external access, you currently have two possible connections. If you are running Citrix Access Gateway, Advanced or Enterprise you are currently out of luck. I'm hoping they will be resolving this soon.
      • Citrix Secure Gateway - I only tested this with the latest version of CSG 3.1 and the latest Web Interface 5.1.1. I had them both on the same server in the DMZ. I created a XenApp Service site and enabled Gateway Direct (I don't NAT from the DMZ into the internal network).
        1. Ensure CSG is setup and configured as you normally would. (I'm not going to get into this one.)
        2. Create a XenApp Services site using the default path (/Citrix/PNagent - If you don't use the default, it will require you to append the custom path to the iPhone when you setup the Address field. The iPhone automatically appends /Citrix/PNAgent/ and looks for the config.xml in there.)
        3. Configure the Secure Remote Settings, for the same settings as the WI site you previously had working. For my example, I selected Gateway Direct, entered the External FQDN of the CSG and entered the appropriate STAs.
        4. Account Settings on the iPhone
          • Address: https://<External FQDN of the CSG Server> - This assumes you only allow HTTPS. If you allow HTTP, then you can simply enter <External FQDN of the CSG Server>. I recommend entering the https:// in front to ensure a secure authentication.
          • User Name: <Username that has applications published to it>
          • Password: <Password>
          • Domain: <Domain Name>
          • Sign in Automatically: On (I recommend turning this off for testing configurations. Once it has been enabled, you will need to go to the Home of the iPhone > General > Citrix and disable Sign in Automatically)
          • Citrix Access Gateway > Off
      • Citrix Access Gateway, Standard - I tested this with Citrix Access Gateway 4.6 and the latest Web Interface 5.1.1. Again, I created a XenApp Services Site and enabled Gateway Direct.

        There are two major ways to setup the Access Gateway, Standard: Enable login page authentication and Bypass Login page authentication (by disabling the Enable login page authentication option in the Global Cluster Policies section of the Citrix Access Gateway, Standard Administration tool).

        The first allows for VPN and EPA Scans, the second pretty much turns the box into a CSG appliance. Both options are common.

        Enable login page authentication
        You can use this article as a reference for the "Enable login page authentication" method also:
        http://support.citrix.com/article/CTX121093

        1. Ensure the "Enable login page Authentication" option is enabled in the Global Cluster Policies section of the Citrix Access Gateway, Standard Administration tool.
        2. Ensure the LDAP Settings, STAs and all the group setting are configured correctly.
        3. For my example, I modified the Default user group policy on the CAG Standard as described below.


          I left the same Web Interface and Path for my existing Web Interface server. Because I use the new SSO configuration with CAG 4.6, I have "Single sign-on to the Web Interface" enabled. I entered the DOMAIN1 for my domain name for AD, then I enabled the "Use the multiple logon option page" to allow users to select which type of access they want (VPN or XenApp).
          Note: "Single sign-on to the Web Interface" and "Use the multiple logon option page"  do NOT need to be enabled for the iPhone to function. In fact, the iPhone basically ignores these settings. These settings will be used for anyone normally browsing to the web site via a Windows PC or Mac OS X desktop/laptop. The most critical setting in here is the Web Server IP or FQDN.
        4. On the same Web Server that you have entered above, create a XenApp Services Site with the default path (/Citrix/PNAgent/; otherwise you will need to enter the custom path in the iPhone Address Settings). Configure its Secure Access settings for the same settings as the XenApp Web Site that was referenced above. Set the correct Gateway connection, the External FQDN for the CAG, enter the STAs, etc.

          If you don't get an app list, then make sure you created a XenApp Services site.

          If you get an app list, but can't launch anything, then make sure you set correct Gateway settings.
        5. Account Settings on the iPhone
          • Address: <External FQDN of the CAG Server> (it will automatically assume HTTPS when you enable Citrix Access Gateway. If you used a custom path on the XenApp Services site, then enter the path here. No need to append the config.xml portion)
          • User Name: <Username that has applications published to it>
          • Password: <Password>
          • Domain: <Domain Name>
          • Sign in Automatically: On (I recommend turning this off for testing configurations. Once it has been enabled, you will need to go to the Home of the iPhone > General > Citrix and disable Sign in Automatically)
          • Citrix Access Gateway > On
            • Gateway Type: Standard Edition
            • Gateway Authentication: Domain Only (or RSA SecurID Only or Domain + RSA SecurID)

        Bypass login page authentication
        The only difference here is that we are now performing authentication at the Web Interface, and the Access Gateway, Standard is acting like a reverse proxy to the XenApp Web and XenApp Services site.

        1. Uncheck the "Enable login page Authentication" option to disable it in the Global Cluster Policies section of the Citrix Access Gateway, Standard Administration tool.
        2. Ensure the STA settings and all the group settings are configured correctly.
        3. Modify the Default user group in the Access Policy Manager and uncheck the "Single sign-on to the Web Interface" and "Use the multiple logon option page" boxes. They are not needed in this configuration.
          Ensure the Web Server and the Path are correct for the normal XenApp Web site.
        4. On the same Web Server that you have entered above, create a XenApp Services Site with the default path (/Citrix/PNAgent/; otherwise you will need to enter the custom path in the iPhone Address Settings). Configure its Secure Access settings for the same settings as the XenApp Web Site that was referenced above. Set the correct Gateway connection, the External FQDN for the CAG, enter the STAs, etc.
        5. Account Settings on the iPhone
          • Address: <External FQDN of the CAG Standard> (it will automatically assume HTTPS when you enable Citrix Access Gateway. If you used a custom path on the XenApp Services site, then enter the path here. No need to append the config.xml portion)
          • User Name: <Username that has applications published to it>
          • Password: <Password>
          • Domain: <Domain Name>
          • Sign in Automatically: On (I recommend turning this off for testing configurations. Once it has been enabled, you will need to go to the Home of the iPhone > General > Citrix and disable Sign in Automatically)
          • Citrix Access Gateway > On
            • Gateway Type: Standard Edition
            • Gateway Authentication: No Authentication

 

    • Citrix Access Gateway, Enterprise - I tested this with Citrix Access Gateway 9.1 Build 95.3 and the latest Web Interface 5.1.1. Again, I created a XenApp Services Site and enabled Gateway Direct.

      Just like on Standard, you can set Enterprise to perform authentication at the CAG or at Web Interface.

      The first allows for VPN and EPA Scans, the second pretty much turns the box into a CSG appliance. Both options are common.

      Enable login page authentication
      I ripped most of this from the following URL because it keeps the existing vServer and creates a policy that sends clients to the XenApp Services site based on Request Headers. SWEET! http://support.citrix.com/proddocs/index.jsp?topic=/xenapp5fp-w2k3/iphone-receiver-admin-config-agee-101.html

Configure authentication policies to authenticate users connecting to the Access Gateway using the Access Gateway Plug-in. Bind each authentication policy to a virtual server.

Active Directory authentication and RSA SecurID are the two supported authentication methods for v1.0.2 of the Citrix Receiver for iPhone:

If double source authentication is required (such as RSA SecurID and Active Directory), RSA SecurID authentication must be the primary authentication type. Active Directory authentication must be the secondary authentication type.

RSA SecurID uses a RADIUS server to enable token authentication.

Active Directory authentication can use either LDAP or RADIUS.

Test a connection from a user device to guarantee that the Access Gateway is configured correctly in terms of networking and certificate allocation.

Configure a XenApp Services site for the Citrix Receiver for iPhone to use.

The Citrix Receiver for iPhone uses a XenApp Services site (formerly a PNAgent site) to get information about the applications a user has rights to and present them to the Citrix Receiver running on the iPhone.

Note that this is similar to the way you use the Web Interface for traditional SSL-based XenApp connections for which an Access Gateway can be configured.

  1. In the Access Management Console, create a XenApp Services site (such as http://ServerName/Citrix/PNAgent or http://iphone.citrix.com/CustomPath/config.xml) for iPhone users. For this procedure, see the Citrix Access Gateway Enterprise Edition Integration Guide for Citrix XenApp and Citrix XenDesktop.
  2. Configure the XenApp Services site to support connections from an Access Gateway connection.
  3. In the XenApp Services site, select Manage secure client access > Edit secure client access settings.
  4. Change the Access Method to Gateway Direct.
  5. Enter the FQDN of the Access Gateway appliance.
  6. Enter the Secure Ticket Authority (STA) information.
Note: The configuration of this site is similar to the Web Interface site.

Create a session policy on the Access Gateway to allow incoming XenApp connections from the Citrix Receiver, and specify the location of your newly created XenApp Services site.

  1. Create a new session policy to identify that the connection is from Citrix Receiver for iPhone. When you create the session policy, configure the following expressions:

    REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

    REQ.HTTP.HEADER User-Agent CONTAINS CFNetwork

    REQ.HTTP.HEADER User-Agent CONTAINS Darwin

  2. In the associated profile configuration for the session policy, if this is not a global setting (you checked the Override Global check box), ensure the ICA Proxy field is ON.

    In the Web Interface Address field, enter the URL including the config.xml for the XenApp Services site that the iPhone users use, such as http://ServerName/Citrix/PNAgent or http://iphone.citrix.com/CustomPath/config.xml.

  3. Bind the session policy to a virtual server.
  4. Create authentication policies for RADIUS and Active Directory.

  5. Bind the authentication policies to the virtual server. 
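To make the User-Agent matching in step 1 concrete, here is an added Python example (not code from the original post or from Citrix) that evaluates the three classic expressions above against constructed request headers and shows which session profile each request would receive. The post lists the expressions without saying how they combine, so this example ORs them; the profile names and the sample User-Agent strings are made up for illustration.

```python
import re
from typing import Dict, Iterable, Tuple

# The three expressions from the session-policy step, in NetScaler classic syntax.
IPHONE_RULES = [
    "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver",
    "REQ.HTTP.HEADER User-Agent CONTAINS CFNetwork",
    "REQ.HTTP.HEADER User-Agent CONTAINS Darwin",
]

_RULE_RE = re.compile(r"^REQ\.HTTP\.HEADER\s+(\S+)\s+CONTAINS\s+(\S+)$")


def parse_rule(rule: str) -> Tuple[str, str]:
    """Split a 'REQ.HTTP.HEADER <name> CONTAINS <needle>' rule into its operands."""
    m = _RULE_RE.match(rule.strip())
    if m is None:
        raise ValueError(f"unsupported classic expression: {rule!r}")
    return m.group(1), m.group(2)


def rule_matches(rule: str, headers: Dict[str, str]) -> bool:
    """Evaluate one rule against a request's headers.

    Header names are compared case-insensitively (HTTP semantics); CONTAINS is
    a plain, case-sensitive substring test on the header value.
    """
    name, needle = parse_rule(rule)
    value = next((v for k, v in headers.items() if k.lower() == name.lower()), "")
    return needle in value


def select_profile(headers: Dict[str, str], rules: Iterable[str] = IPHONE_RULES) -> str:
    """Return the session profile a request would be handed.

    Assumption: the three rules are ORed, so any hit selects the iPhone profile
    (ICA Proxy ON, Web Interface Address pointing at the XenApp Services site
    config.xml); everything else keeps the default Web Interface profile.
    User-Agent is chosen by the client, so this only picks a profile; it grants
    nothing, and authentication still happens on the vServer first.
    """
    if any(rule_matches(r, headers) for r in rules):
        return "iphone_pnagent_profile"
    return "default_webinterface_profile"


# Constructed sample requests; the User-Agent values are illustrative, not captured.
IPHONE_REQUEST = {"User-Agent": "CitrixReceiver-iPhone/1.0.2 CFNetwork/459 Darwin/10.0.0d3"}
DESKTOP_REQUEST = {"user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"}
# Any CFNetwork-based Mac application also satisfies the ORed rules; worth knowing
# when you later wonder why a Mac client landed on the PNAgent profile.
MAC_APP_REQUEST = {"User-Agent": "SomeMacApp/2.0 CFNetwork/438.14 Darwin/9.8.0"}

if __name__ == "__main__":
    for label, req in [("iPhone", IPHONE_REQUEST), ("desktop", DESKTOP_REQUEST), ("Mac app", MAC_APP_REQUEST)]:
        print(f"{label:8s} -> {select_profile(req)}")
```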

On the same Web Server that you have entered above, create a XenApp Services Site with the default path (/Citrix/PNAgent/; otherwise you will need to enter the custom path in the iPhone Address Settings). Configure its Secure Access settings for the same settings as the XenApp Web Site that was referenced above. Set the correct Gateway connection, the External FQDN for the CAG, enter the STAs, etc.

If you don't get an app list, then make sure you created a XenApp Services site.

If you get an app list, but can't launch anything, then make sure you set correct Gateway settings.

Account Settings on the iPhone

  • Address: <External FQDN of the CAG Server> (it will automatically assume HTTPS when you enable Citrix Access Gateway. If you used a custom path on the XenApp Services site, then enter the path here. No need to append the config.xml portion)
  • User Name: <Username that has applications published to it>
  • Password: <Password>
  • Domain: <Domain Name>
  • Sign in Automatically: On (I recommend turning this off for testing configurations. Once it has been enabled, you will need to go to the Home of the iPhone > General > Citrix and disable Sign in Automatically)
  • Citrix Access Gateway > On
    • Gateway Type: Enterprise Edition
    • Gateway Authentication: Domain Only (or RSA SecurID Only or Domain + RSA SecurID)

Bypass login page authentication
The only difference here is that we are now performing authentication at the Web Interface, and the Access Gateway, Enterprise is acting like a reverse proxy to the XenApp Web and XenApp Services site.

  1. Create a new vServer with a new cert like iphone.company.com. Create a Profile to proxy the /Citrix/PNAgent/Config.xml site with ICA Proxy On. Create a Policy that always applies and bind it to the vServer.
  2. Uncheck the "Authentication" check box on the vServer to disable authentication at the CAG, Enterprise.
  3. On the same Web Server that you have entered above, create a XenApp Services Site with the default path (/Citrix/PNAgent/; otherwise you will need to enter the custom path in the iPhone Address Settings). Configure its Secure Access settings for the same settings as the XenApp Web Site that was referenced above. Set the correct Gateway connection, the External FQDN for the CAG, enter the STAs, etc.
  4. Account Settings on the iPhone
    • Address: <External FQDN of the CAG Enterprise> (it will automatically assume HTTPS when you enable Citrix Access Gateway. If you used a custom path on the XenApp Services site, then enter the path here. No need to append the config.xml portion)
    • User Name: <Username that has applications published to it>
    • Password: <Password>
    • Domain: <Domain Name>
    • Sign in Automatically: On (I recommend turning this off for testing configurations. Once it has been enabled, you will need to go to the Home of the iPhone > General > Citrix and disable Sign in Automatically)
    • Citrix Access Gateway > On
      • Gateway Type: Enterprise Edition
      • Gateway Authentication: No Authentication

Troubleshooting

  • Error: You do not have the proper encryption level to access the Session.
    The Citrix Receiver for the iPhone currently does not support ANY encryption on the application other than Basic. Modify your published applications to Basic encryption level and test again.
  • Certificate Errors when using Private CAs or Public CAs the iPhone does not have built-in
    Check to make sure the iPhone has the correct root certificate installed. Click on Settings > General > Profile, then click on the Profile and look for the certificate you installed.
  • Don't use a wildcard cert
    Not supported. 
  • Unable to load app list
    Operation could not be completed
    "NSUrlerrordomain error -1012"
    Solution: IIS was locked down. Even though the IUSR account is usually part of the local Guests group, I had to remove it at one client. Once I removed it, the iPhones started working. During testing I launched Safari and browsed to https://ipaddress/Citrix/PNAgent/Config.xml and I was prompted for credentials to log in. If IIS was working right, I would see the Config.xml without being prompted for credentials.

Best Practices

  • Default paths for the PN Agent or XenApp Service site is best. The default is /Citrix/PNAgent/. If you change the path, you will need to change this on the iPhone. The iPhone automatically appends /Citrix/PNAgent/config.xml
  • Make sure that you can test the configuration with other methods. Example, make sure CAG/CSG is working correctly externally by using a Web Browser ("the old way"), then compare that with what happens on the iPhone.
    • If you can see the application list on both, but the apps don't launch on the iPhone, then check the Secure Access settings on the XenApp Services site.
    • If you can't see the application list on either, then get the WI site working (maybe a wrong XML server or the authentication connection for LDAP is wrong).
    • Use the Safari browser on the iPhone to test connections to the web based CAG/CSG sites.
    • Once you have everything working via one method, you can determine what is wrong on the iPhone, because it could be something simple (typos, https:// needs to be in front of the address, the wrong settings for the Citrix Access Gateway, etc.).
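The Address-field rules and the Safari config.xml test are repeated throughout this post, so here is an added Python example (not code from the original post or from Citrix) that turns an Address entry into the config.xml URL the Receiver will request, and classifies the reply from a manual fetch of that URL into the causes named in the Troubleshooting and Best Practices sections. It assumes a typed http:// is overridden when Citrix Access Gateway is on, and that a healthy reply starts with an XML declaration; host names and replies are constructed.

```python
from typing import Dict

DEFAULT_SITE_PATH = "/Citrix/PNAgent/"   # what the Receiver appends when no path is typed


def receiver_config_url(address: str, gateway_enabled: bool) -> str:
    """Turn the iPhone Address field into the config.xml URL the Receiver fetches.

    Rules from the write-up: with Citrix Access Gateway on, HTTPS is assumed
    (assumption: even if http:// was typed); with it off, HTTP is used unless
    https:// was typed; with no path, /Citrix/PNAgent/ is appended and
    config.xml is looked for there; a custom path is used as typed and
    config.xml is appended for you.
    """
    addr = address.strip()
    if "://" in addr:
        scheme, rest = addr.split("://", 1)
        scheme = scheme.lower()
    else:
        scheme, rest = "http", addr
    if gateway_enabled:
        scheme = "https"
    host, _, path = rest.partition("/")
    if not path:
        return f"{scheme}://{host}{DEFAULT_SITE_PATH}config.xml"
    path = "/" + path
    if path.lower().endswith("config.xml"):   # typed anyway; do not double it
        return f"{scheme}://{host}{path}"
    if not path.endswith("/"):
        path += "/"
    return f"{scheme}://{host}{path}config.xml"


def diagnose_config_fetch(status: int, headers: Dict[str, str], body: str) -> str:
    """Map the reply to a manual GET of config.xml (the Safari test) to a cause."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 401 or "www-authenticate" in hdrs:
        # The IIS lockdown case: anonymous access to the XenApp Services site is broken.
        return "auth-prompt: IIS is not serving the site anonymously; check the IUSR/Guests lockdown"
    if status == 404:
        return "not-found: no XenApp Services site at this path; create one or fix the Address path"
    if status == 200 and body.lstrip().startswith("<?xml"):
        return "ok: config.xml served; if apps still do not launch, check Secure Access (gateway/STA) settings"
    return f"unexpected: HTTP {status}; compare with a desktop browser against the same URL"


# Constructed sample replies for the three outcomes the write-up describes.
LOCKED_DOWN_REPLY = (401, {"WWW-Authenticate": "NTLM"}, "")
MISSING_SITE_REPLY = (404, {"Content-Type": "text/html"}, "<html>Not Found</html>")
HEALTHY_REPLY = (200, {"Content-Type": "text/xml"}, '<?xml version="1.0"?><PNAgent_Configuration/>')

if __name__ == "__main__":
    print(receiver_config_url("cag.example.com/Citrix/iPhone", True))
    for reply in (LOCKED_DOWN_REPLY, MISSING_SITE_REPLY, HEALTHY_REPLY):
        print(diagnose_config_fetch(*reply))
```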

The Receiver also provides keyboard functions for use inside a session. To activate these functions, go to Settings > Citrix > Keyboard. When activated, these functions appear as buttons at the top of the keyboard.

  • Alt: Activates menus in the current application.
  • Alt+Tab: Switches between open windows in an application.
  • Copy: Copies the selected item.
  • Ctrl+Alt+Del: Provides Windows Security options such as Lock Computer, Log Off, and Task Manager.
  • Ctrl+Esc: Displays the Start menu.
  • Cut: Cuts the selected item.
  • Del: Deletes the selected item.
  • End: Moves the insertion point to the end of the current line of text.
  • Esc: Cancels the current task.
  • F1-12: Activates keyboard shortcuts assigned to function keys in an application. For example, in Microsoft Office applications, tapping F12 displays the Save As dialog.
  • Home: Returns the insertion point to the beginning of the current line of text.
  • Page Down: Scrolls content upward in the current document.
  • Page Up: Scrolls content downward in the current document.
  • Paste: Pastes a copied or cut item at the insertion point.
  • Refresh: Updates the current window.
  • Save: Saves the current file.
  • Slide Show: Starts a slide show for the current PowerPoint presentation. To advance the slide show, tap the current slide.
  • Tab: Inserts a tabbed space in the current document.

Up next. Article on the Citrix Doc Finder (http://community.citrix.com/display/xa/Citrix+Doc+Finder) and Citrix App Viewer (http://community.citrix.com/display/xa/Citrix+App+Viewer)

Published Thursday, May 21, 2009 10:58 PM by Al Solorzano

Comments

 

gusp said:

Hey Al, Hope all is good.

First of all, kudos on the great article, and website, it's really cool to see your site evolving through the years with such great content.

Just would like to drop a quick note, breaking up the encryption myth. We support encryption, the basic encryption for ICA protocol, it's not quite 128-bit encryption, but it's there and supported; on top of the basically-encrypted ICA protocol we can tunnel the communication channels with the CAG/SG's SSL.

Based on our field experiences, we rarely see a XA implementation where the ICA settings are changed from basic to a higher option, granted the customer uses a CAG or SG in front of their WI/PNAgent servers.

The good news is that we are constantly expanding the feature set for the app and we take the community feedback by heart - after all, that's how the Receiver for iPhone was born.

Stay tuned!

best,

Gus

May 23, 2009 5:58 AM
 

SquidlyMan said:

Awesome article. Very well researched and documented.

I have two questions.

1. Under the CITRIX SECURE GATEWAY configs, you list Citrix Access Gateway > Off.  Is this correct??  

2. Regardless of #1 (I have tested both ways), I am getting two errors ONLY from my iPhone when connecting to a published app/desktop.

Error 1:

"To log on to this remove computer, you must have Terminal Server User Access..."

Error 2:

"You do not have the proper encryption level to access this Session"

Now, I've checked the user permissions (all good), I've logged in from other workstations (Mac and Win) with the same user (all good), I've checked the licensing - Citrix and TS (all good), and I've followed your article about disabling connection encryption on the published apps (set them all back to BASIC).

To note, this was the same error I was getting on my MAC until I reset encryption in the default settings to 128-bit.

I'm at a loss.  I'm pretty sure it's related to the session encryption and have been trying to figure out where this could be cached.  Google turns up nothing.

June 7, 2009 8:20 PM