I wanted to share several of the improvements made in Citrix Cloud Connectors recently, including an exciting preview and a key change we’re making to increase security, which may require a change in your environment to ensure uninterrupted communications with Citrix Cloud. Read on for more details!

Enabling Secure Private Access Use Cases on Connector Appliance

Citrix is keen to simplify and minimize the infrastructure needed on premises to access the full range of Citrix Cloud services. We’re pleased to share that the Connector Appliance can now be used for the Citrix Secure Private Access (formerly Citrix Secure Workspace Access) use cases, including all the single sign-on methods. We’ve even made it easier to have Kerberos SSO against multiple forests by allowing the Connector Appliance to join more than one forest. You can learn about getting started with the Connector Appliance in our documentation. And we want to hear your feedback on this preview. Try it out and get in touch!

Changes to Recommended Ciphers

Citrix Cloud is continually evolving, and as we make improvements to enhance its resiliency, some ciphers on older operating systems become unusable. We’ve updated our secure deployment guide to highlight which ciphers we now recommend for connecting to Citrix Cloud. Take note: the ciphers we recommend for use with Windows Server 2012 have changed. If you are using that operating system for your Cloud Connectors, you must ensure that TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 aren’t disabled.
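One way to confirm this on a Windows Server 2012 Cloud Connector is the PowerShell check below. It is an added example, not Citrix tooling. It reads the standard Windows Schannel registry locations for the cipher suite order (the Group Policy list, which takes precedence when set, then the local default list) and the Diffie-Hellman key exchange switch.

```powershell
# Added example: report whether the two DHE suites named above are still enabled.
$required = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Standard Schannel configuration locations on Windows Server.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$dhKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'

function Get-SuiteList {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name Functions -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    # The policy value is one comma-separated string; the local value is REG_MULTI_SZ.
    @($item.Functions) | ForEach-Object { $_ -split ',' } |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# A cipher suite order set by Group Policy replaces the local default list.
$policy = @(Get-SuiteList $policyKey)
if ($policy.Count -gt 0) {
    $source    = 'Group Policy'
    $effective = $policy
} else {
    $source    = 'Local default'
    $effective = @(Get-SuiteList $localKey)
}

# Enabled = 0 under this key turns off every DHE suite regardless of the list.
$dh = Get-ItemProperty -Path $dhKey -Name Enabled -ErrorAction SilentlyContinue
$dhDisabled = ($dh -and $dh.Enabled -eq 0)

foreach ($suite in $required) {
    [pscustomobject]@{
        CipherSuite            = $suite
        ListSource             = $source
        InSuiteList            = ($effective -contains $suite)
        DheKeyExchangeDisabled = [bool]$dhDisabled
    }
}
```

A row with `InSuiteList` False or `DheKeyExchangeDisabled` True points to a hardening policy or tool that has removed the suite and needs adjusting before the connector can negotiate it.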

Improvements to the Cloud Connector Installation

When the Cloud Connector is installed, it runs as a service rather than as the user who initiated the installation. The proxy configuration from the user can’t be used directly and might not be appropriate to copy to the service account. Because of this, we’ve added an option in the Cloud Connector installer to specify which proxy to use.

We’ve also made it even easier to validate connectivity to Citrix Cloud by extending the set of checks that the Cloud Connector will make.

Finally, we’ve changed how automated installations of the Cloud Connector can be initiated. You must now pass a JSON file containing the parameters needed to install the connector. The new approach ensures that security-sensitive credentials do not need to be passed on the command line. Please note, the configuration file is only used at the time of installation and can be deleted immediately after the installation is completed.

Allowed FQDNs to Access Citrix Cloud

To make it easier to conform to some security policies, we’ve also published a list of Fully Qualified Domain Names that are accessed from the Cloud Connector. You can find a complete list of these FQDNs in this JSON file. This list is grouped by product and includes a change log for each group of FQDNs. As the requirements to access Citrix Cloud from the connector are updated, we’ll add entries to this JSON file and changelog. This gives you the flexibility of restricting to FQDNs for tighter security (at the cost of needing to ensure your config is kept up to date) or continuing to use the wildcards for easier management and flexibility.

You can find documentation for how to use this list (specifically the templated FQDNs) in the Internet Connectivity Requirements page of the Citrix Cloud product documentation.

Usage Improvements

We’re continually making improvements to the Cloud Connector and the components that provide the Citrix Cloud services, and recent releases have seen some key improvements to the memory footprint of both the bootstrapper and component packages.

We’ve also addressed a key issue with offline mode — when a connector is in offline mode, it will no longer be allowed to perform an upgrade. This ensures that an upgrade doesn’t cause an interruption in service if connectivity to Citrix Cloud is sporadic, or a disaster recovery test is being performed.

Coming Soon

Of course, there’s more on the horizon, such as:

  • Making the improvements to the Cloud Connector connectivity checks visible in the Citrix Cloud admin console, including the connectivity history.
  • Adding Connector-related events to the System Log.

Keep an eye out for these enhancements soon!


Disclaimer: The development, release and timing of any features or functionality described for our products remains at our sole discretion and are subject to change without notice or consultation. The information provided is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making purchasing decisions or incorporated into any contract.