
AppController 2.0 2014-03-18 13:20:49 UTC 2014 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Contents

AppController 2.0

About This Release
  Introduction
  Key Features
  What's New
  Compatibility with Citrix Receiver
  Known Issues

System Requirements
  AppController Management Console Requirements

Plan
  AppController Pre-Installation Checklist

Deploy
  Deploying AppController in Your Network
  Deploying AppController in an Appliance Failover Configuration

Install and Setup
  Downloading the Virtual Image for AppController
  Installing AppController on XenServer
  Installing AppController by Using VMware ESXi
  Setting the AppController IP Address by Using the Console
  Configuring AppController for the First Time
  Configuring and Synchronizing with Active Directory

Licensing
  Obtaining Your License Files

Manage
  Configuring AppController Appliance Failover
  How AppController Appliance Failover Works
  Configuring Appliance Failover
  To configure appliance failover in AppController
  Configuring Certificates in AppController
  Installing a Signed Server Certificate and Private Key on AppController
  Overview of the Certificate Signing Request
  To create a Certificate Signing Request
  To import a signed server certificate to AppController
  To install a certificate and private key from a Windows-based computer
  Installing Root Certificates on AppController
  To view the details of a certificate
  To export a certificate
  Configuring Certificates for SAML Applications
  To install a certificate for an application
  Configuring Roles in AppController
  Adding or Removing Roles
  To edit a role
  Viewing Members of Active Directory Groups
  Configuring Categories to Manage Applications
  Configuring Applications for Single Sign-On
  List of Application Connector Types
  Configuring Additional Parameters in Application Connectors
  List of Application Connectors with Additional Parameters
  Building Your Own Application Connectors
  Building Enterprise Applications
  To build a SAML connector
  To build an HTTP Federated Formfill connector
  Configuring Applications for User Account Management
  Configuring Workflows for User Account Management
  To configure workflow email settings
  To configure settings to create user accounts
  To synchronize application users with Active Directory
  To assign applications to roles
  To remove applications from a role
  Configuring Single Sign-On by Using Application Connectors
  Allowing Users to Reset Application Passwords
  Adding Mobile Apps to AppController
  How Mobile Apps Work
  Policies for iOS- and Android-Based Apps in AppController 2.0
  Uploading and Configuring Settings for Mobile Apps
  Upgrading a Mobile App in AppController
  Configuring ShareFile for User Access
  To configure ShareFile settings
  Removing Data from User Devices
  Adding Web Links in AppController
  To configure a Web link

Connect Users
  Sending AppController Application Lists to Citrix Receiver
  To configure AppController to connect to StoreFront
  Configuring Connections to Enterprise Web Applications Through Access Gateway
  Configuring Applications and Trust Settings for Access Gateway

Maintain
  Updating AppController
  To update AppController
  To change Active Directory settings
  Managing Citrix Receiver Updates
  To change the administrator password
  Changing System Settings by Using the Command-Line Console
  To view the AppController date and time
  To view the system disk usage
  To enable or disable SSH access
  To reset the AppController server certificate
  To restart or shut down AppController by using the command-line console

Monitor
  Viewing Application Access and License Utilization on the Dashboard
  To configure a syslog server in AppController
  To transfer logs to a network server
  Troubleshooting AppController by Using the Command-Line Console
  Capturing Network Settings for Troubleshooting
  Creating a Support Bundle for AppController
  Configuring Logs by Using the Command-Line Console

AppController 2.0

AppController authenticates users to Web, SaaS, and iOS apps, as well as integrated ShareFile data and documents. Users access their applications through Citrix Receiver or Receiver for Web sites. With AppController, you can:

- Seamlessly create and manage user identities for internal and external applications by using Active Directory group memberships.
- Provide users with federated single sign-on (SSO) based on their enterprise user identities.
- Deliver iOS applications from the enterprise app store, with security controls on how the apps function across a heterogeneous mix of user devices.
- Provide users access to documents by using ShareFile.

The topics in this section provide information about deploying, configuring, and managing AppController 2.0.

In This Section

This section of eDocs introduces AppController 2.0 and discusses how to configure AppController.

About This Release: Contains information about this release, including AppController features, deployment considerations, what's new, Citrix Receiver compatibility, and known issues.

System Requirements: Provides system requirements for AppController and for the AppController Management Console.

Plan: Provides information on evaluating and planning your installation of AppController by using the AppController Pre-Installation Checklist.

Deploy: Provides deployment information for AppController.

Install and Setup: Provides information about how to install AppController on XenServer and VMware ESXi. Includes information about configuring the AppController IP address and configuring additional AppController settings.

Licensing: Describes how licensing works in AppController.

Manage: Provides information on configuring appliance failover, certificates, roles, application connectors, mobile apps, and data management by using ShareFile, groups, and categories. This section also provides information about configuring applications for user account management and information about configuring Web links for Web addresses that do not require SSO.

Connect Users: Provides information about connecting users to applications in AppController by using StoreFront and Receiver.

Maintain: Provides information about configuring AppController system settings by using the Management Console and command line. This section also provides information about upgrading AppController and applying application connector updates.

Monitor: Provides information about monitoring application access and license usage in AppController. This section also provides information about troubleshooting AppController by using support bundles, logs, and network utilities, such as PING and traceroute.

About This Release

CloudGateway enables the delivery of Web, SaaS, and iOS applications, and ShareFile data, along with Windows-based applications from XenApp and virtual desktops from XenDesktop. You manage Web, SaaS, and iOS application configuration and policy settings by using AppController, with the following capabilities:

- Centralized user account creation and management for Web and SaaS applications, and ShareFile access that provides users with a seamless single sign-on (SSO) experience.
- The use of Active Directory as the identity repository. Active Directory is then used as the basis for authorizing users to external applications and services.
- A unified enterprise app store to enable the publishing and distribution of iOS applications for authorized users to download and install on mobile devices.
- Centralized policy controls to secure the applications and data, with easy removal of user accounts, wipe and lock of Citrix-delivered applications and data, and consolidated auditing and reporting of application access.

You can configure applications and ShareFile access by using the AppController Web-based Management Console. Within the Management Console, you can configure the following:

- Roles that include Active Directory groups
- Applications for SSO only
- Applications for SSO, user account management, and the creation of new user accounts
- Approval workflows for creating user accounts
- Categories to organize applications in Citrix Receiver
- HTTP Federated Formfill connectors
- SAML 1.1 or 2.0 connectors that support the identity provider (IdP) flow
- Role-based management and delivery of mobile applications
- Role-based ShareFile document management

This section introduces AppController 2.0, announces what's new in this release, discusses compatibility between AppController and Citrix Receiver, and lists known issues for CloudGateway Enterprise.

Introduction

Before you install AppController, plan your deployment, which includes the following considerations:

- Configuring AppController network settings, including the IP address, default gateway, DNS servers, NTP servers, and Active Directory.
- Deploying Web, SaaS, and iOS applications that users need to access, including applications that you host in your internal network or applications that reside on the Internet.
- Deploying AppController only. Users can connect to their Web, SaaS, and mobile iOS applications directly from AppController.
- Deploying AppController for appliance failover. You can deploy two AppController virtual machines (VMs) so that one takes over if the other VM fails.
- Deploying AppController with StoreFront, which allows user access to Windows-based applications from XenApp and virtual desktops from XenDesktop.
- Configuring AppController to work with ShareFile to allow users to easily view, edit, synchronize, and share files from any device with document-level control.

Before you install AppController, review the following topics for information about getting started with AppController.

AppController Pre-Installation Checklist: Provides planning information to review and a list of tasks to complete before you install AppController in your network.

Deploying AppController: Provides information about deploying AppController by itself, or with StoreFront and Access Gateway, and in an appliance failover configuration.

Installing AppController 2.0: Provides information about installing AppController on XenServer and VMware ESXi. Also provides information about configuring AppController by using the command-line console and network configuration in the Management Console.

Key Features

AppController is easy to deploy and simple to administer. The most typical deployment configuration is to locate AppController in the secure network. Users can connect to AppController to access applications, as well as ShareFile data configured in AppController.

The key features of AppController are:

- Access to Web and SaaS applications that includes:
  - Federated support for SAML 1.1 and SAML 2.0 applications
  - Password storage and formfill support for password-based Web applications
  - User account management from Active Directory group membership for SaaS applications
  - User account management workflows that allow users to request application accounts and for individuals in your organization to approve the requests
- iOS applications that includes:
  - The ability to publish iOS applications that users can download and install on their iOS mobile devices from Citrix Receiver
  - Security controls for iOS applications to ensure application and data security
  - Management of mobile applications on user devices through Receiver, which enables you to control the mobile applications without managing the mobile device
- ShareFile that includes:
  - Creation and deletion of user accounts within ShareFile by using Active Directory rules
  - Seamless data access for authorized users from Receiver
  - Centralized device listing for users that allows you to wipe ShareFile data on lost or stolen devices

What's New

AppController 2.0 supports the following new features:

- Mobile app management. You can internally develop or purchase iOS apps and then upload the apps to CloudGateway. Developers can wrap the iOS app by using the App Preparation Tool with logic that AppController and Citrix Receiver recognize. Within AppController, you can set rules for how users can use the apps. You can manage mobile apps in the same way you manage Windows, Web, and SaaS applications. You can then publish the application in a store in StoreFront. When users log on with Receiver, they download the apps to their device, allowing them to access their apps at any time.
- ShareFile integration. You can configure ShareFile in AppController to provide role-based management of user data and documents on any device: computer, smartphone, and tablet. Within AppController, through the capability of Data Controller, you can also enable users to view, edit, synchronize, and share files from any mobile device with secure document-level control. Likewise, when you add or remove an employee from Active Directory, AppController creates or removes the ShareFile account automatically. When users have their ShareFile account, they can access all of their data and documents on any device by logging on to Receiver. If users lose their device or leave the organization, you can remotely wipe all of the data in Receiver.
- App and document access. You can give users access to apps and documents by deploying AppController in one of the two following ways:
  - Configure AppController to provide access to apps and documents directly. In this deployment, Receiver users access Web, SaaS, and mobile apps, along with documents from ShareFile, through a new built-in store in AppController. Users can connect to the store in AppController without going through StoreFront. When users log on with Receiver, AppController resources appear in Receiver.
  - Configure AppController to provide access to apps and documents through StoreFront. In this deployment, Receiver users access the Web, SaaS, and mobile apps you configured in AppController, along with published applications from XenApp and virtual desktops provided by XenDesktop.
- Web links. You can configure Web links to allow access to commonly used Web sites, on the Internet and within your intranet. When you configure Web links, the links appear in Receiver in the same way as applications and XenDesktop.
- Receiver updates. You can choose to update Receiver from AppController, My Citrix, or Merchandising Server.
- Certificates. You can import, export, and create Certificate Signing Requests by using the System settings panel in AppController. You can also download a SAML certificate to use with applications that require an AppController SAML certificate, such as Google Apps.
- Release management. You can upgrade the AppController software, install minor releases, and install application connector updates by using the System settings panel in AppController.
- Group membership. You can view members of a group from the Edit Role dialog box. You select a group, and click Details to view the members of the group.
- Logging. You can store logs on a syslog server or on a server in your internal network from the System settings panel in AppController.
- System settings. From one convenient panel, you can configure the AppController network settings and Active Directory. In addition, you can manage Receiver updates on Windows-based and Mac computers, as well as workflow email and logging settings.

Compatibility with Citrix Receiver

AppController supports the following versions of Citrix Receiver. Users can connect from the internal network or from an external network. If users connect from the Internet, you must have Access Gateway deployed in the DMZ.

Receiver                Versions
Receiver for Windows    3.1 and 3.2
Receiver for Mac        11.5 and 11.6
Receiver for iOS        5.6
Receiver for Android    3.1
Receiver for Web        1.1, 1.2, and 1.3

If users connect remotely with Receiver for Web Version 1.1, the connection must route through Access Gateway.

Known Issues

Prerequisite

Important: When you add users to Active Directory, you must enter the first name, last name, and email in the user properties. If you do not configure users in Active Directory with this information, AppController cannot synchronize these individuals. When users attempt to start an app, users receive a message that they are not authorized to use the app.

Important Notes

1. User account requests that use the workflow template with the AppController workflow feature are not supported for users who connect with Receiver for Web.
2. User account requests that use the subscription workflow template with the AppController workflow feature are not supported on Receiver for Mac 11.4. Users need to upgrade to Receiver for Mac 11.6.
3. The internal URL redirection feature, in which Receiver checks a keyword to determine if the URL requires a connection with the Access Gateway Plug-in, is not available with Receiver for Web. The feature is supported only with Receiver for Windows 3.1.
4. Upgrades are not supported from AppController 1.0 or from AppController 1.1 to AppController 2.0.
5. AppController now contains the Management Console, which simplifies configuring applications for single sign-on (SSO). To open the Management Console, in a Web browser, enter https://<appcontrollerfqdn>:4443/controlpoint. The default user name is administrator and the password is password.

Installing AppController

You can find installation instructions for AppController in Citrix eDocs at Installing AppController 2.0.

Known Issues

1. When you configure a high availability pair, if the primary AppController virtual machine (VM) is suspended or paused, the secondary VM takes over. If the primary VM is resumed and comes back online, however, the primary VM takes over from the secondary VM. When this occurs, users who log on while the secondary VM is active lose their connections. They must log on and authenticate again. [#300452]
2. After you download the virtual image (.xva) for the XenServer installation, when you install AppController on XenServer and import the .xva image file, if you do not specify the network interfaces when prompted, AppController might not start successfully and instead starts in recovery mode. [#306771]
3. The SSO functionality for GoToMeeting, GoToWebinar, GoToTraining, and GoToAssist applications does not work under the following conditions:
   - GoToMeeting, GoToWebinar, or GoToTraining: SSO does not work when users log on to the applications for the first time by using an Internet Explorer 9 or Safari browser. An error appears and users are prompted to enter their credentials. After users enter their credentials, SSO is successful each subsequent time users open the application. [#308260] [#308570]
   - GoToAssist: SSO does not work when users log on to the applications for the first time by using an Internet Explorer 9 or Safari browser. SSO works when users log on for the first time by using a Firefox or Chrome browser. Occasionally with subsequent logon attempts, however, users need to close and reopen the browser before logon with SSO is successful. [#308580]
4. The Successfactor_SAML application does not have SSO or user account management support. [#308577]
5. When users log on to the Webtrends application from Receiver, SSO to the application fails. [#308604]
6. When users log on to the MedpageToday application from Receiver, SSO to the application fails. [#308611]
7. When users log on by using Receiver for Web from an Internet Explorer 9 or Safari browser and try to open the eBay application for the first time, a browser cookies error appears. SSO to the application is successful each subsequent time users open the application. [#308614]
8. If an app is available for user account management and you configure the app for SSO only, you cannot modify the app to include user account management. [#312819]
9. If you change DNS server settings in the Management Console, you must restart AppController so the settings take effect. [#317526]
10. If you upload a wrapped iOS app two times in AppController with different file names, when users subscribe to both apps and then delete one instance of the app from their device, the title shows as "GoogleGoogle." Do not upload the same app with different names to AppController. [#317912, #321386, #323986, #324436]
11. When you configure a new enterprise application in the Management Console, if you enter Unicode characters for the application name and description, instead of alphanumeric characters, AppController does not add the app to the store. [#320262]
12. When users log on to Southwest Airlines for the first time by using the Safari Web browser, SSO to the app fails. When users attempt to log on again, SSO is successful. [#320608]
13. When you upload a wrapped app to AppController and set the Maximum OS version in the Mobile App Details dialog box, AppController allows users with a newer version of the operating system to start the app. You must set the maximum OS version when you wrap the app. [#321389]
14. When you configure AppController to update Citrix Receiver by using the Merchandising Server, users cannot download the configured plug-ins from the Merchandising Server. The issue does not occur when users access their applications through StoreFront. [#322010]
15. If users create a Zendesk account, users need to respond to the activation email sent from Zendesk to configure their password. If users do not set the password in Zendesk, SSO to the application fails. [#323148]
16. It can take AppController 15 to 20 minutes to send the approval email when users request access to an application. [#323309]
17. If users create an account in the application, the user is not synchronized automatically in AppController. For example, if a user creates an account in Salesforce instead of AppController, the user account does not synchronize with Active Directory. Users should create accounts from the application configured in AppController. [#323619]
18. If users connect with Receiver for Web through Access Gateway, the FQDN is case-sensitive. When you configure the AppController URL, such as https://<appc-fqdn>/citrix/storeweb, and users connect using only lowercase letters, the connection fails. Users can enter the correct FQDN with the correct case or you can configure the base URL. [#324108]
19. If you configure an application for user management, such as Salesforce or Google Apps, and assign the app to a custom role, when users log on with Receiver for Web, the app is not available in the store. This only occurs when there is one app assigned to the role and no apps are assigned to the All Users role. If you add another app to the role, or assign the app to the All Users role, the app appears in the store. [#324823]
20. When users attempt to open Skype for the first time, the error message, "You have cookies disabled in your browser. You need to enable cookies for skype.com before signing in" appears. When users attempt to open Skype again, the error message does not appear and Skype opens. [#325055]
21. When users connect on a Macintosh computer and log on to Receiver, the custom images that you uploaded to StoreFront to accompany Web links appear to users only if you formatted the .png files as squares, such as 256 x 256. [#325285]
22. When you configure user account management and create a workflow, the email that approvers receive does not show the application name. [#326498]
23. If you add an app in AppController and then modify the original application name, the application does not appear in the Management Console. For example, you change GoogleApps_SAML to GoogleApps_SAML_Marketing. You must change the name in Google Apps. When you change the name in Google Apps, the application appears in AppController. [#326502]
24. If an application description contains a special character, the application does not appear in Receiver when users log on. [#326432]
25. If you configure ShareFile and assign a role, and you then remove the role from AppController, the ShareFile configuration uses the All Users role. Citrix recommends that the All Users role be removed from the ShareFile configuration. [#326939]

AppController System Requirements

You can install AppController on the following:

- XenServer 5.6 with a minimum of Service Pack 1
- XenServer 6.0
- VMware ESXi 4.x
- VMware ESXi 5.0

XenServer and VMware ESXi must provide adequate virtual computing resources to AppController as listed in the following table.

Table 1. Virtual Computing Resources for AppController

Memory    Virtual CPU (VCPU)    Virtual Network Interfaces
2 GB      2 VCPUs               1

Active Directory

When you add users to Active Directory, you must enter the first name, last name, and email in the user properties. If you do not configure users in Active Directory with this information, AppController cannot synchronize these individuals. When users attempt to start an app, users receive a message that they are not authorized to use the app.
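The Active Directory requirement above, which is also the prerequisite listed under Known Issues, can be checked before the first synchronization. The following is an added example, not part of the Citrix guide: it parses an LDIF export of the directory (for example one produced with ldifde) and lists the user objects that lack a first name, last name, or email. It assumes the standard Active Directory attribute names givenName, sn, and mail; the sample records are constructed.

```python
"""Pre-sync check: find AD users missing the properties AppController needs."""
import base64

# Standard AD attribute names (lower-cased) mapped to the guide's wording.
REQUIRED = {"givenname": "first name", "sn": "last name", "mail": "email"}

# Constructed sample export in LDIF form; not real directory data.
SAMPLE_LDIF = """\
dn: CN=Alice Ng,CN=Users,DC=ace,DC=com
objectClass: user
sAMAccountName: ang
givenName: Alice
sn: Ng
mail: alice.ng@ace.com

dn: CN=svc-backup,CN=Users,DC=ace,DC=com
objectClass: user
sAMAccountName: svc-backup

dn: CN=Bob Li,CN=Users,DC=ace,DC=com
objectClass: user
sAMAccountName: bli
givenName:: Qm9i
sn: Li
mail:

dn: CN=Sales,CN=Users,DC=ace,DC=com
objectClass: group
cn: Sales
"""


def parse_ldif(text):
    """Yield one dict per LDIF record: lower-cased attribute -> list of values."""
    # Unfold first: a line that starts with a single space continues the
    # previous line (LDIF line folding).
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    record = {}
    for line in lines + [""]:          # the trailing "" flushes the last record
        if not line.strip():
            if record:
                yield record
                record = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue                   # comment or malformed line
        name, _, rest = line.partition(":")
        if rest.startswith(":"):       # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        record.setdefault(name.strip().lower(), []).append(value)


def is_user(record):
    """True for person accounts; computer objects also carry objectClass user."""
    classes = {c.lower() for c in record.get("objectclass", [])}
    return "user" in classes and "computer" not in classes


def unsyncable_users(ldif_text):
    """Return {dn: [missing property, ...]} for users that lack a required value."""
    problems = {}
    for rec in parse_ldif(ldif_text):
        if not is_user(rec) or "dn" not in rec:
            continue
        missing = [label for attr, label in REQUIRED.items()
                   if not any(v.strip() for v in rec.get(attr, []))]
        if missing:
            problems[rec["dn"][0]] = missing
    return problems


if __name__ == "__main__":
    for dn, missing in unsyncable_users(SAMPLE_LDIF).items():
        print(f"{dn}: missing {', '.join(missing)}")
```

An attribute that is present but empty, as in the third sample record, is reported the same way as one that is absent.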

AppController Management Console Requirements

To use the Management Console effectively, keep the following minimum display requirements and recommendations in mind:

- Citrix recommends using a Firefox, Chrome, or Internet Explorer 9 browser.
- The Management Console display size is 1024 x 800.
- When running the Management Console on a laptop, hide all toolbars to provide more screen space for the console.
- In Internet Explorer or Firefox browsers, to view the Management Console as full screen, press F11.

Planning Your AppController Deployment

Before you install AppController, you should collect and record configuration information in order to complete a successful installation. If users connect to their applications from an external network, such as the Internet, you must deploy Access Gateway in the DMZ. Access Gateway authenticates users and then routes the connection to the secure network.

This section includes a checklist that helps you define the information you need about the following:

- Active Directory settings
- Applications for single sign-on (SSO)
- Authentication through StoreFront
- Appliance failover
- Mobile apps
- Network connectivity
- Ports
- Role and category names
- ShareFile settings
- User devices

AppController Pre-Installation Checklist

This checklist lists the tasks you should complete and the configuration values you should note before you install AppController 2.0. Citrix recommends that you print and complete this checklist. The checklist has an extra column that you can use to check off each task as you complete it and to record information. For instructions about installing and configuring AppController, see Installing AppController 2.0.

AppController Basic Network Connectivity

1. Note the AppController host name. Configure up to two DNS servers.
2. Note the IP address of AppController.
3. Note the IP address for the Network Time Protocol (NTP) server.
4. If your deployment supports remote access to AppController, note the following:
   - One public IP address
   - One external DNS entry for Access Gateway
   Note: You only need an external DNS entry if you deploy Access Gateway in your network. If users connect to applications in the secure network from the Internet, Access Gateway must reside in the DMZ. In all cases, AppController resides in the internal network.
5. Note the default gateway IP address.

Communication

Open the following ports to allow communication with AppController.

6. Active Directory port 389. Open port 636 if you use secure LDAP.
7. If you allow connections to AppController from external users, open TCP port 443 in your firewall. Users connect through Access Gateway located in the DMZ.
8. Open the following ports to allow administrator access: 22, 443, 4443, 8443, and 9443. Port 4443 is used to open the AppController Management Console.

Active Directory Settings

You use Active Directory to obtain groups. When you obtain groups, you can create roles and then assign applications to the role.

9. Note the Active Directory IP address and port.
10. Note the Active Directory domain name.
11. Note the Base DN. This is the directory level under which users are located; for example, cn=users, dc=ace, dc=com.
12. Note the Active Directory service account. The Active Directory service account is the account that AppController uses to query Active Directory.
13. Note the service account password.

Roles

Roles in AppController represent a set of one or more groups in Active Directory. You can control the list of applications that users can view based on their group membership in Active Directory. When adding a role, you select the groups from Active Directory to include in the role. Then, you can add applications to the roles to provide access to a specific group of users. When you configure applications in AppController, you select the role. If you do not select a role for the app, AppController uses the default role AllUsers.

14. List the names of roles you want to add in AppController.

Categories

You can group applications into categories, such as Finance, Sales, and Marketing. Users see the categories when they log on with Citrix Receiver. Users can open their applications from the category.

15. List the category names you want to create for Receiver.

Application Information

You can configure single sign-on (SSO) to applications in AppController.

16. List the names of SAML applications for your organization.
17. List the names of Formfill applications for your organization.
18. List the names of mobile apps to upload to AppController.
19. Note the logon Web address of applications that do not have a default Web address, such as Google Apps.
20. Use test credentials to test SSO to applications.
21. Note the total number of users accessing applications.
22. Note the number of licenses available for each application.

Web Links

You can configure Web addresses in AppController. The links can be to Internet sites, or to intranet sites in the internal network. The links appear in Receiver when users log on.

23. List the Web sites to which you want to allow user access.

Data Management

You can configure ShareFile in AppController to provide user access to documents and data.

24. Note the ShareFile domain name.
25. Note the roles from Active Directory that provide user access.
26. Note the service account user name and password for user management.

Appliance Failover

You can configure two AppController VMs for appliance failover. If the primary AppController fails, the secondary AppController can accept user connections. Each AppController VM must be in the same subnet. In AppController 2.0, you can configure appliance failover by using the command line on the Console tab in XenCenter. For more information about configuring appliance failover, see Configuring AppController Appliance Failover.

27. Identify the primary AppController IP address and subnet.
28. Identify the secondary AppController IP address and subnet.
29. Configure a virtual IP address on the primary AppController.

Connect Users

You can configure AppController to authenticate users. When users connect by using Citrix Receiver to AppController, they receive the mobile, Web, and SaaS apps you configure in AppController. Users can also connect to StoreFront which provides the additional capability of access to published applications in XenApp and virtual desktops. If users need to connect to apps hosted in your internal network from a remote location, you can route user connections through Access Gateway.

30. Note the access method, AppController, StoreFront, or Access Gateway for user connections.
31. Note the StoreFront URL.
32. Note the Access Gateway host name and URL.

Logging

You can configure a syslog server or transfer the logs to a server in the internal network.

33. Note the IP address or FQDN and port of the syslog server.
34. Note the server name to which you want to transfer logs.
35. Note the user name and password of the server to which you want to transfer logs.
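Several checklist values can be sanity-checked before installation: the failover pair's subnets, the DNS server count, the Base DN syntax, and the port list. The following script is an added example, not part of the Citrix documentation; the dictionary keys, the CIDR notation for "IP address and subnet", and the sample values are assumptions made for illustration.

```python
import ipaddress
import re

ADMIN_PORTS = {22, 443, 4443, 8443, 9443}  # administrator access (checklist item 8)
LDAP_PORT, LDAPS_PORT = 389, 636           # Active Directory (checklist item 6)
# Simplified RDN pattern (assumption): attr=value, no escaped commas or multi-valued RDNs.
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^=,]+$")


def required_ports(secure_ldap):
    """Ports the checklist asks you to open, given whether secure LDAP is used."""
    ports = ADMIN_PORTS | {LDAP_PORT}
    if secure_ldap:
        ports = ports | {LDAPS_PORT}
    return ports


def validate_checklist(c):
    """Return a list of problems found in a filled-in checklist (dict with hypothetical keys)."""
    problems = []
    try:
        primary = ipaddress.ip_interface(c["primary"])      # item 27, CIDR form
        secondary = ipaddress.ip_interface(c["secondary"])  # item 28, CIDR form
        others = {k: ipaddress.ip_address(c[k]) for k in ("virtual_ip", "default_gateway")}
    except ValueError as exc:
        return [f"address: {exc}"]

    # The checklist requires both failover VMs to be in the same subnet.
    if primary.network != secondary.network:
        problems.append(f"failover: {primary} and {secondary} are in different subnets")
    if primary.ip == secondary.ip:
        problems.append("failover: primary and secondary use the same IP address")
    # Assumption: the virtual IP and default gateway sit in the primary's subnet.
    for name, addr in others.items():
        if addr not in primary.network:
            problems.append(f"{name}: {addr} is outside {primary.network}")

    # Item 1: "Configure up to two DNS servers."
    if len(c["dns_servers"]) > 2:
        problems.append(f"dns: {len(c['dns_servers'])} servers listed, at most two allowed")

    # Item 11: Base DN such as "cn=users, dc=ace, dc=com".
    rdns = [part.strip() for part in c["base_dn"].split(",")]
    if not all(RDN.match(r) for r in rdns):
        problems.append(f"base_dn: malformed component in {c['base_dn']!r}")
    elif not any(r.lower().startswith("dc=") for r in rdns):
        problems.append("base_dn: no dc= component (assumed required for Active Directory)")

    missing = required_ports(c["secure_ldap"]) - set(c["open_ports"])
    if missing:
        problems.append("ports: not open: " + ", ".join(str(p) for p in sorted(missing)))
    return problems


# Constructed sample values (documentation address ranges), not from a real deployment.
GOOD = {
    "primary": "192.0.2.10/24", "secondary": "192.0.2.11/24",
    "virtual_ip": "192.0.2.12", "default_gateway": "192.0.2.1",
    "dns_servers": ["192.0.2.53", "192.0.2.54"],
    "base_dn": "cn=users, dc=ace, dc=com",
    "secure_ldap": True, "open_ports": [22, 389, 443, 636, 4443, 8443, 9443],
}
BAD = dict(GOOD, secondary="198.51.100.11/24",
           dns_servers=["192.0.2.53", "192.0.2.54", "192.0.2.55"],
           base_dn="users, dc=ace", open_ports=[22, 389, 443, 8443, 9443])

if __name__ == "__main__":
    for label, sheet in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate_checklist(sheet) or "no problems found")
```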

Deploying AppController

AppController works with Access Gateway and StoreFront to allow users to connect to Web, SaaS, mobile applications, and Windows-based applications and desktops. You install AppController in your internal network. In this deployment, users can connect directly to AppController to obtain their Web, SaaS and iOS apps, along with documents from ShareFile. If you also deploy StoreFront, users connect to StoreFront to obtain their Windows-based apps and desktops. StoreFront communicates with AppController to deliver apps and documents.

You can also deploy AppController for appliance failover. In this deployment, two AppController virtual machines (VMs) work together to provide uninterrupted service to users. If one VM becomes unavailable for any reason, the other VM takes over and services user requests.

This section illustrates how you can deploy the AppController VM on XenServer or VMware ESXi in your internal network. It also illustrates the AppController appliance failover configuration.

Deploying AppController in Your Network

You can deploy the AppController virtual machine (VM) on XenServer or VMware ESXi located in your internal network. Users can connect to AppController from an external connection (the Internet) or from the internal network. If users connect from the Internet or a remote location, the connection must route through Access Gateway. AppController resides in the internal network behind the firewall.

The following figure shows how you can deploy AppController in an enterprise network. User connections from the Internet route through Access Gateway directly to AppController. The figure also shows how users connect from the internal network directly to AppController. Users can then access Web, SaaS, and native mobile apps located in the internal network.

Figure 1. AppController Network Deployment

You can include StoreFront in your deployment, which allows users access to published applications from XenApp and virtual desktops from XenDesktop, along with apps configured in AppController. When users log on with Citrix Receiver, all of their apps appear in the store. The following figure shows how you can deploy Access Gateway, AppController, and StoreFront in your network.

Figure 2. CloudGateway Deployment with Access Gateway, AppController, and StoreFront


Deploying AppController in an Appliance Failover Configuration

You can deploy two AppController virtual machines (VM) in an appliance failover pair. An appliance failover configuration prevents downtime and ensures that the services provided by AppController remain available, even if one AppController VM is not working. The following figure shows an appliance failover deployment where one AppController VM is not receiving connections.

Figure 1. AppController Appliance Failover Deployment

Installing AppController 2.0

The AppController virtual machine (VM) runs on Citrix XenServer or VMware ESXi. You can use XenCenter or vSphere management consoles to install AppController 2.0.

Before installing AppController, you must do the following:

- Install XenServer or VMware ESXi on a computer with adequate hardware resources.
- Install XenCenter or vSphere on a separate computer. The computer that hosts XenCenter or vSphere connects to the XenServer or VMware ESXi host through the network.

This section details the following steps for installing AppController on XenServer or VMware:

- Downloading the virtual image.
- Installing the VM on XenServer and setting the properties for AppController in XenCenter.
- Installing AppController on VMware ESXi and using vSphere to allocate virtual hardware components to AppController, such as memory and virtual CPUs.
- Configuring the IP address, default gateway, DNS servers, and Network Time Protocol (NTP) servers for AppController by using the XenCenter or vSphere command-line console.

When you finish configuring AppController network settings by using the command-line console, you then use the AppController Management Console to configure the following network settings:

- Active Directory configuration from which you obtain groups for AppController
- Administrator settings
- AppController network settings, such as IP address, DNS servers, and the time zone
- Certificates
- Logging
- NTP server settings
- Receiver updates
- Workflow email settings

After you configure AppController system settings, you can then synchronize AppController with Active Directory. When you synchronize, AppController retrieves the groups from the specified Base DN in Active Directory.

Downloading the Virtual Image for AppController

You can download the AppController virtual image from My Citrix. The virtual image contains the package that you need in order to install AppController on XenServer or VMware ESXi. For the XenServer installation, the virtual image is a file with the file name extension of .xva. For the VMware installation, the virtual image is a file with the file name extension of .ova.

To download the virtual image

1. Log on to My Citrix and then click Downloads.
2. Under Select a Product, click CloudGateway.
3. Under Results for: CloudGateway, click CloudGateway Enterprise.
4. On the CloudGateway Enterprise page, under AppController, next to AppController 2.0 virtual appliance for VMware or AppController 2.0 virtual appliance for XenServer, click Download and then save the image to your computer.

After the image downloads to your computer, you then install the image on XenServer or VMware. After installation, you set the properties for AppController in XenCenter or vSphere.

Installing AppController on XenServer

After you download the virtual image (VM) from My Citrix, install AppController on XenServer. After installation, set the properties for AppController in XenCenter.

To install AppController on XenServer

1. Start XenCenter on your computer.
2. In the navigation pane, click the name of the XenServer on which you want to install AppController and then connect.
3. On the File menu, click Import.
4. In the Import wizard, in Import file name, browse to the location to which you saved the .xva image file and then click Open.
5. Follow the instructions in the wizard to import the AppController image.

After you click Finish in the wizard, you can click the Logs tab to view the status of the import process. When the import process is complete, you need to set the AppController properties.

To set the properties for AppController

Citrix recommends shutting down AppController before changing the CPU and memory settings.

1. In XenCenter, select the imported VM, and in the right pane, click Properties.
2. In the App Controller import Properties page, click CPU and Memory.
3. In VM memory, select 4096. The value 4096 is the default setting.
4. In the left pane, in Number of VCPUs, select 2.
5. In the left pane, click Startup Options.
6. In the right pane, click Auto-start on server boot.
7. In Boot from, select HD and then click OK.

Installing AppController by Using VMware ESXi

To install AppController on VMware ESXi, you must first install VMware on a computer with adequate hardware resources. To perform the AppController installation, you use vSphere. You install vSphere on a remote computer that can connect to the VMware host through the network. After you install AppController, you can create virtual hardware components on VMware and then use vSphere to allocate them to AppController.

To import the virtual image file to the vSphere Client

1. Click Start > VMware > vSphere Client.
2. Log on by using your vSphere credentials.
3. Click File and then click Deploy OVF Template. The Deploy OVF Wizard opens.
4. In Source, select Deploy from file, browse to the .ova file on your computer, select the file and then click Next.
5. In OVF Template Details, click Next.
6. In the Name and Location page, in Name, type a name for the template, such as AppController and then click Next.
7. In the Resource Pool, select the resource pool in which to import the AppController image and then click Next.
8. In the Datastore page, select the datastore in which you want to store the virtual machine (VM) image and then click Next.
9. In the Disk Format, select the format to store the virtual disks and then click Next.
10. In Ready to Complete, confirm the deployment settings, such as the host and cluster name, datastore, and network mapping and then click Finish.

To set AppController properties in vSphere

Citrix recommends shutting down AppController before modifying properties in vSphere.

1. In vSphere, in the left pane, select the server on which you installed AppController.
2. In the right pane, select the Configuration tab.
3. In the right pane, under Software, click Virtual Machine Startup/Shutdown.
4. In the right pane, click Properties in the upper-right corner.
5. Select Allow virtual Machines to start and stop automatically with the system.
6. In Startup Order, select the AppController VM.
7. Click the move up button until AppController appears under Automatic Startup and then click OK.
8. In vSphere, select the imported AppController VM and in the right pane, click Edit Settings.
9. In the App Controller import Virtual Machine Properties page, in the left pane, click Memory.
10. In the right pane, in Memory Size, select 4096. This is the default setting.
11. In the left pane, select CPUs.
12. In the right pane, in Number of VCPUs, select 2 and then click OK. This is the default setting.

Setting the AppController IP Address by Using the Console

After importing the AppController image, you need to configure the IP address. The IP address is the management address at which you can access AppController through a Web browser or by using a Secure Shell (SSH) client, such as PuTTY. You can access the AppController command-line interface through the XenCenter console to specify an IP address, subnet mask, default gateway, Domain Name Servers (DNS) and a Network Time Protocol (NTP) server. The default IP address for AppController is 10.20.30.40.

To change the IP address for AppController

1. In XenCenter, click the Console tab.
2. At the console logon prompt, enter the administrator credentials. The default user name for the console is admin and the default password is password.
3. At a command prompt, press 0 to select Express Setup.
4. Select the appropriate number to change the IP address, subnet mask, default gateway, DNS servers, and NTP servers.
5. Press 5 to commit the changes.

When you commit the changes, AppController restarts. You can then access the Management Console by using the new IP address in a Web browser.

To open the Management Console, type https://appcontrolleripaddress:4443/controlpoint in the address bar of the Web browser. For example, type https://10.20.30.40:4443/ControlPoint. The user name is administrator and the password is password.

When you connect to AppController, you must use HTTPS. If you attempt to connect with HTTP, the connection fails.

Configuring AppController for the First Time

After you install the AppController virtual machine (VM) and configure the initial settings by using the command-line console, you can configure additional AppController network settings. When you log on to the AppController Management Console for the first time, the Network panel appears. When you click Configure, you can configure the following:

- Administrator password and email address
- AppController host name, IP address, default gateway, and DNS server settings
- Active Directory
- Network Time Protocol (NTP) server
- Workflow email settings

After you configure the remaining network settings in the Management Console, AppController restarts. When you log on to AppController, two new panels appear: Apps and Docs. From the Apps panel, you can add mobile, Web, and SaaS applications, and Web links. To create your own SAML and Formfill application connectors, you use the System settings panel. From the Docs panel, you configure ShareFile settings.

If you need to make changes to system settings at a later time, you can access the System settings panel. You can configure or reconfigure the following settings on the System settings panel:

- Active Directory
- Trust settings for either StoreFront or Access Gateway
- Receiver updates
- Certificates
- Network connectivity
- Domain Name Server
- NTP server
- Workflow email settings
- Administrator settings
- Syslog settings for recording log files on remote server
- Log transfer settings for log files
- Release management

Note: You can also configure an IP address for AppController if you want a different IP address than what you configured by using the command-line console.

To change AppController settings

1. In the AppController Management Console, click the System settings icon at the top of the page. The icon appears as a gear symbol.
2. In the left pane, under System Configuration, click one of the options to configure the settings.

After you complete AppController configuration, you can configure roles, users, applications, and application categories for single sign-on (SSO). You can do the following:

- Refresh users from Active Directory.
- Add roles to map which Active Directory groups receive access to applications.
- Add Web and Software as a Service (SaaS) applications to AppController from the provided connector catalog.
- Upload mobile apps to AppController.
- Add links to commonly used Web sites which can include Internet and intranet sites.
- Create access to applications that are not in the catalog for SSO by using either HTTP Federated Formfill or SAML connectors.
- Download certificates for use with some SAML applications.
- Create user accounts automatically based on Active Directory group membership.
- Assign users to applications based on their role within the organization.
- Add categories to which you can add applications.
- Connect StoreFront to AppController. When users connect with Citrix Receiver, they can see the application list, subscribe to applications, and access applications seamlessly.
- Configure ShareFile settings for user data and documents.

Configuring and Synchronizing with Active Directory

AppController uses Active Directory to obtain groups and users. You configure Active Directory in System settings. If you need to change Active Directory settings, see To change Active Directory settings.

Important: When you add users to Active Directory, you must enter the first name, last name, and email in the user properties. If you do not configure users in Active Directory with this information, AppController cannot synchronize these individuals. When users attempt to start an app, users receive a message that they are not authorized to use the app.

When you synchronize with Active Directory, AppController retrieves and reconciles users from the Active Directory base DN setting in AppController. AppController uses the Active Directory user name and password to log users on to applications, thereby providing single sign-on (SSO) capability.

AppController automatically synchronizes with Active Directory daily. If you make more frequent changes to Active Directory, you can synchronize at any time.

To synchronize with Active Directory

1. In the AppController Management Console, click the System settings icon.
2. In the right pane, under Quick Links, click Refresh from Active Directory. A message appears when synchronization is complete.
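Accounts that lack a first name, last name, or email can be found before synchronization by auditing a directory export. The following script is an added example, not part of the Citrix documentation; it assumes the three user properties correspond to the Active Directory attributes givenName, sn, and mail, and it runs against a constructed LDIF sample.

```python
import base64

# Assumption: the user properties the page names map to these AD attributes.
REQUIRED = {"givenName": "first name", "sn": "last name", "mail": "email"}


def sync_blocker_filter():
    """LDAP filter matching user objects that lack any required attribute."""
    missing = "".join(f"(!({attr}=*))" for attr in REQUIRED)
    return f"(&(objectCategory=person)(objectClass=user)(|{missing}))"


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Handles folded lines (continuations start with one space) and
    base64 values ("attr:: ..."), which exports use for non-ASCII names.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    records, current = [], {}
    for line in logical + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return records


def audit(text):
    """Map each account name to the required properties it is missing."""
    report = {}
    for rec in parse_ldif(text):
        gaps = [label for attr, label in REQUIRED.items()
                if not any(rec.get(attr.lower(), []))]
        if gaps:
            name = (rec.get("samaccountname") or rec.get("dn") or ["?"])[0]
            report[name] = gaps
    return report


# Constructed sample export; the accounts and domain are illustrative only.
SAMPLE_LDIF = """\
dn: CN=Ana Diaz,CN=Users,DC=ace,DC=com
sAMAccountName: adiaz
givenName: Ana
sn:: RMOtYXo=
mail: adiaz@ace.example

dn: CN=svc-build,CN=Users,DC=ace,DC=com
sAMAccountName: svc-build
sn: build

dn: CN=Li Wei,CN=Users,
 DC=ace,DC=com
sAMAccountName: lwei
givenName: Li
sn: Wei
mail:
"""

if __name__ == "__main__":
    print("Filter:", sync_blocker_filter())
    for account, gaps in audit(SAMPLE_LDIF).items():
        print(f"{account}: missing {', '.join(gaps)}")
```

The string returned by sync_blocker_filter() can be used as the search filter in any LDAP query tool scoped to the Base DN configured in AppController.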

Installing Licenses on CloudGateway

AppController requires you to purchase one of the following CloudGateway licensing options:

- User licensing. This option enables a dedicated user connection to a CloudGateway virtual appliance. An assigned user receives access to CloudGateway from an unlimited number of user devices.
- Concurrent licensing. This option enables a single device to connect to any application or data by using a single instance of CloudGateway. Through this option, multiple devices can share licenses. This option is recommended for occasional or anonymous use.

When you purchase a license, you also choose from the following two options:

- Perpetual. This option enables user access to CloudGateway on a perpetual basis. All Perpetual licenses include an initial 12-month membership in the Citrix Subscription Advantage program, which entitles you to receive future software version updates.
- Annual. This option enables user access to CloudGateway on an annual basis. The license is valid for 12 months from the purchase date. The agreement includes the right to receive AppController updates for that period. To extend an Annual license, you must purchase and install a new license prior to the expiration of the current license. If you do not purchase a new license, when the license period expires, you might not be able to access AppController.

Obtaining Your License Files

After you install AppController in the network, you are ready to obtain your license files from Citrix. You log on to My Citrix to access your available licenses and to generate a license file. When the license file is generated, download it to a computer. For more information about obtaining your license files, see Citrix Licensing System.

When you download the license file, you need to select the Host ID as the Host ID type.

Managing AppController

After you install and set up AppController, you manage applications, users, and documents. This section covers the following topics:

- Configuring appliance failover.
- Configuring certificates.
- Configuring roles from Active Directory groups.
- Configuring categories to manage applications in Citrix Receiver.
- Configuring applications for single sign-on (SSO) from the application catalog.
- Configuring applications that require extra parameters.
- Building your own SAML or HTTP Federated Formfill connectors.
- Configuring applications for user account creation and management.
- Assigning applications to roles.
- Uploading mobile apps.
- Configuring ShareFile for user data and documents.
- Adding Web links.