Point ThinOS device to Citrix cloud – MYCORP.cloud.com & Virtual Apps Service

Viewing 7 posts - 1 through 7 (of 7 total)
  • #51067
    david.drum
    Participant
    • Total Post: 81
    • Back Stage Pass
    • ★★★★

    Hi guys,
    I was wondering if anyone could point me in the right direction when it comes to connecting ThinOS clients to a public Citrix Storefront URL like MYCORP.cloud.com – I cannot find any resources on this. In other words, I would like to be able to connect to Citrix Virtual Apps (and Desktops) SERVICE (i.e. in the cloud) resources from a thin client.

    At the moment I already have a working Citrix farm in the cloud (with its servers in Azure) and users log in to it via MYCORP.cloud.com, web browser and Citrix Workspace App (using Azure Active Directory credentials and MFA). Is it possible to do the same from a ThinOS device?

    Thanks,

     

    #51087
    ConfGen
    Keymaster
    • Total Post: 10696
    • Jedi Master
    • ★★★★★★★

    Citrix Workspace will be supported with upcoming ThinOS 9 next year.

    CG

    #51089
    david.drum
    Participant
    • Total Post: 81
    • Back Stage Pass
    • ★★★★

    Thanks Thomas!

    #51098
    brian1020
    Participant
    • Total Post: 259
    • Jacked into The Matrix
    • ★★★★★★

    I don’t think the Citrix Cloud or on-prem should make a difference. Unless I’m misunderstanding, you should be able to do this now by plugging in your Citrix Broker URL. The only thing that may prevent you from connecting is your MFA method. If it’s RSA two-factor that should be fine, but if it’s Azure MFA using SAML-based authentication, that’s not supported and may not be supported on the initial release of ThinOS 9. I have a case open with Dell to get SAML-based authentication working with Azure MFA.

    We do have Microsoft MFA working with our on-prem authenticator hardware using RADIUS. Currently SAML authentication isn’t supported in ThinOS.

    #51100
    david.drum
    Participant
    • Total Post: 81
    • Back Stage Pass
    • ★★★★

    Thanks for your input Brian, good point about Azure MFA (for public Citrix Storefront). My current workaround for it is to use on-prem StoreFront servers and point them to on-prem Citrix Connectors which then speak to Azure based VDAs via Citrix Cloud.

    However, as I mentioned, ideally we don’t want to have to rely on any on-premises resources and go straight to the cloud. For this reason I am thinking of going with Windows clients and MS Intune.

    Looks like Wyse needs to catch up in this area. It’s a shame I have to tell the business I work for “we cannot do this with thin clients”…

    #51186
    david.drum
    Participant
    • Total Post: 81
    • Back Stage Pass
    • ★★★★

    Another question in this topic guys, if I may.

    When ThinOS 9 is released and clients can authenticate directly to Citrix Cloud (e.g. MYCORP.cloud.com), how would this work from a security point of view? I mean, I don’t want users to use 2FA every time they log in (just username & password), while MYCORP.cloud.com is a publicly available website. Would there need to be another security mechanism in place, like certificates?

    What I need to achieve is that users log in to their apps via Wyse clients exactly the same way as they do now when using on-prem Storefront/Citrix farm (just username & password) BUT use MYCORP.cloud.com instead or any other PUBLIC Storefront server.

    The reason is that I have to install (Wyse) thin clients in a location where there is no VPN or any other on-prem infrastructure. Let’s say I ship a client to someone working from home and that person connects to Citrix apps just with username and password.

     

    The requirement is to replicate what can currently be achieved with Windows 10 and Intune where on first user logon, the laptop is joined to Azure AD and users log in to Windows with their Azure AD credentials WITHOUT VPN as they would if they were in the office.
    If I cannot achieve this with Wyse clients and Citrix, I will have to go with Windows 10.

     

    #51188
    brian1020
    Participant
    • Total Post: 259
    • Jacked into The Matrix
    • ★★★★★★

    I’m not familiar enough with your corporate infrastructure to give a very informed comment. With that said, anyone from outside our organization (home teleworker or small office leveraging landlord internet and no infrastructure) is set up to use 2 factor authentication. From a security perspective I couldn’t imagine doing anything different.

    Here’s an example of how logging on to citrix.cloud.com/go/organizationname goes for me when using the “Sign in with company credentials” on the browser.

    Internal – On Corporate Network

    • Browse to citrix.cloud.com/go/organizationname
    • Federated Services detects I’m coming from an approved network
    • Pass-through authentication via email address only
    • citrix.cloud.com console loads

    External – Off Network

    • Browse to citrix.cloud.com/go/organizationname
    • Microsoft Authentication prompt for organizational email address
    • Federated Services prompt for autofilled email address and AD password
    • Microsoft Authenticator app prompt to Allow or Deny network connection attempt
    • citrix.cloud.com console loads

    I’m not a Citrix engineer so I’m not much help on how you could configure this to not allow two factor authentication, but that would seem very insecure to me.
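
The internal/external sign-in flows described in the last reply can be checked after the fact against sign-in records. The following is an added example, not part of the thread and not Citrix, Microsoft or Dell code: it models the two flows and flags successful sign-ins that presented fewer factors than their network location requires. The trusted ranges, factor names and record fields are assumptions made for the illustration.

```python
import ipaddress

# Assumption: ranges the federation service treats as the "approved network".
# A private range and a documentation range, chosen only for this example.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]
OFF_NETWORK_FACTORS = {"identity", "password", "authenticator"}

def on_trusted_network(source_ip):
    """True when the client address falls inside an approved corporate range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def required_factors(source_ip):
    """Factors a sign-in must present, mirroring the two flows in the post."""
    if on_trusted_network(source_ip):
        return {"identity"}            # internal: pass-through, email address only
    return set(OFF_NETWORK_FACTORS)    # external: password plus authenticator approval

def audit(signins):
    """Return successful sign-ins that are missing a factor their location requires."""
    findings = []
    for event in signins:
        try:
            needed = required_factors(event["ip"])
        except ValueError:
            # Unparseable address: treat it as off-network rather than trusting it.
            needed = set(OFF_NETWORK_FACTORS)
        missing = needed - set(event["factors"])
        if event["result"] == "success" and missing:
            findings.append((event["user"], event["ip"], sorted(missing)))
    return findings

# Constructed sample records (hypothetical field names, not real log data).
SAMPLE_SIGNINS = [
    {"user": "alice", "ip": "10.20.4.17", "factors": ["identity"], "result": "success"},
    {"user": "bob", "ip": "203.0.113.50",
     "factors": ["identity", "password", "authenticator"], "result": "success"},
    {"user": "carol", "ip": "198.51.100.9", "factors": ["identity", "password"], "result": "success"},
    {"user": "dave", "ip": "198.51.100.9", "factors": ["identity", "password"], "result": "failure"},
    {"user": "erin", "ip": "not-an-ip", "factors": ["identity"], "result": "success"},
]

if __name__ == "__main__":
    for user, ip, missing in audit(SAMPLE_SIGNINS):
        print(f"{user} from {ip}: missing {', '.join(missing)}")
```
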
