- This topic has 6 replies, 3 voices, and was last updated 4 years, 4 months ago by brian1020.
October 23, 2019 at 1:20 pm #51067
Hi guys,
I was wondering if anyone could point me in the right direction when it comes to connecting ThinOS clients to a public Citrix Storefront URL like MYCORP.cloud.com – I cannot find any resources on this. In other words, I would like to be able to connect to Citrix Virtual Apps (and Desktops) SERVICE (i.e. in the cloud) resources from a thin client. At the moment I already have a working Citrix farm in the cloud (with its servers in Azure) and users log in to it via MYCORP.cloud.com, web browser and Citrix Workspace App (using Azure Active Directory credentials and MFA). Is it possible to do the same from a ThinOS device?
Thanks,
October 25, 2019 at 2:31 pm #51087
Citrix Workspace will be supported with upcoming ThinOS 9 next year.
CG
October 25, 2019 at 2:35 pm #51089
Thanks Thomas!
October 25, 2019 at 4:18 pm #51098
I don’t think the Citrix Cloud or on-prem should make a difference. Unless I’m misunderstanding you should be able to do this now by plugging in your Citrix Broker URL. The only thing that may prevent you from connecting is your MFA method. If it’s RSA two-factor that should be fine, but if it’s Azure MFA using SAML based authentication that’s not supported and may not be supported on the initial release of ThinOS 9. I have a case open with Dell to get SAML based authentication working with Azure MFA.
We do have Microsoft MFA working with our on-prem authenticator hardware using RADIUS. Currently SAML authentication isn’t supported in ThinOS.
October 25, 2019 at 5:44 pm #51100
Thanks for your input Brian, good point about Azure MFA (for public Citrix Storefront). My current workaround for it is to use on-prem StoreFront servers and point them to on-prem Citrix Connectors which then speak to Azure based VDAs via Citrix Cloud.
However, as I mentioned, ideally we don’t want to have to rely on any on-premises resources and go straight to the cloud. For this reason I am thinking to go with Windows clients and MS Intune.
Looks like Wyse needs to catch up in this area. It’s a shame I have to tell the business I work for “we cannot do this with thin clients”…
November 7, 2019 at 5:47 pm #51186
Another question in this topic guys, if I may.
When ThinOS 9 is released and clients can authenticate directly to Citrix Cloud (e.g. MYCORP.cloud.com) how would this work from a security point of view? I mean, I don’t want users to use 2FA every time they log in (just username & password), while MYCORP.cloud.com is a publicly available website. Would there need to be another security mechanism in place like certificates?
What I need to achieve is that users log in to their apps via Wyse clients exactly the same way as they do now when using on-prem Storefront/Citrix farm (just username & password) BUT use MYCORP.cloud.com instead or any other PUBLIC Storefront server.
The reason is that I have to install (Wyse) thin clients in the location where there is no VPN or any other on-prem infrastructure. Let’s say I ship a client to someone working from home and that person connects to Citrix apps just with username and password.
The requirement is to replicate what can currently be achieved with Windows 10 and Intune where on first user logon, the laptop is joined to Azure AD and users log in to Windows with their Azure AD credentials WITHOUT VPN as they would if they were in the office.
If I cannot achieve this with Wyse clients and Citrix, I will have to go with Windows 10.
November 7, 2019 at 6:17 pm #51188
I’m not familiar enough with your corporate infrastructure to give a very informed comment. With that said, anyone from outside our organization (home teleworker or small office leveraging landlord internet and no infrastructure) is set up to use 2 factor authentication. From a security perspective I couldn’t imagine doing anything different.
Here’s an example of how logging on to citrix.cloud.com/go/organizationname goes for me when using the “Sign in with company credentials” on the browser.
Internal – On Corporate Network
- Browse to citrix.cloud.com/go/organizationname
- Federated Services detects I’m coming from an approved network
- Pass-through authentication via email address only
- citrix.cloud.com console loads
External – Off Network
- Browse to citrix.cloud.com/go/organizationname
- Microsoft Authentication prompt for organizational email address
- Federated Services prompt for autofilled email address and AD password
- Microsoft Authenticator app prompt to Allow or Deny network connection attempt
- citrix.cloud.com console loads
I’m not a Citrix engineer so I’m not much help on how you could configure this to not allow two factor authentication, but that would seem very insecure to me.