Citrix XenApp lab setup notes including iPad configuration

My good friend Steve and I were up till 02:30 Fri night / Sat morning doing further testing with Citrix XenApp 6.5 and the Citrix Receiver app on the iPad.

There were a few teething errors, but we got everything working fine in the end; including configuring an ActiveSync Profile for the iPad that installs a Root Certificate and pre-configures the Mail app to work with Exchange.

We used Hyper-V to set up a base VM of Server 2008 R2, then installed the following VMs using differencing disks, which are similar to linked clones in VMware:

  • A Domain Controller with Certificate Services installed
  • SQL Server 2008 R2
  • XenApp and Licensing
  • Citrix Web Interface and Secure Gateway
  • Exchange 2010

After a few short hours sleep, I decided to do exactly the same in my home lab too. Usually I use my ESXi server, but I thought this would be a great time to test out the latest version of VMware Workstation.

I didn’t take screenshots as usual, but here are the notes I made:

XenApp and Licensing Server
  1. Install XenApp Server > Add server roles > Advanced Edition > Select License Server and XenApp from Common Roles
  2. Select XML Service IIS Integration from Option Components
  3. Reboot
  4. Resume Install > Install
  5. License Server > Configure > Leave default ports > Set password
  6. XenApp > Specify Licensing > License server name = xenapp01 or localhost
  7. Test Connection > Next > Continue at license warning
  8. Licensing Model = XenApp > Continue at license warning
  9. Download license
    1. Citrix website > Start a trial > Toolbox > Manage Licenses > Allocate (
    2. Enter hostname of XenApp server (run “hostname” at prompt to confirm)
    3. Download license.
  10. Start > All Programs > Citrix > Administration Tools > Management Consoles > License Administration Console
    1. Administration
    2. Login (admin | password)
    3. Vendor Daemon Configuration > Import License > Browse to license file > Import License
  11. Server Configuration Tasks > XenApp > Configure
  12. Create a new server farm
    1. Choose farm name eg. farm01
    2. Leave First Citrix admin account as domain admin
    3. Choose new or existing DB (I chose existing – make sure you have created DB first in SQL Server)
    4. Test Connection
    5. Allow shadowing, no tickboxes
    6. Reboot
Web Interface and Secure Gateway Server
Web Interface
  1. Install XenApp Server > Add server roles > Advanced Edition > Select Secure Gateway and Web Interface from Other Roles
  2. Web Interface > Configure
  3. Create new site in XenApp Web Sites in Citrix Web Interface Management – set as default page for the IIS site
  4. Specify Point of Authentication = At Web Interface
  5. Specify same farm name as XenApp setup earlier eg. farm01
  6. Specify XenApp server eg. xenapp01
  7. Authentication Method = Explicit (read about options here:
  8. Restrict domain to the following > Add domain eg. vilab
  9. Logon Screen Appearance = Full
  10. Published Resource Type = Dual Mode
  11. Create XenApp Services Site, using same settings as XenApp site
Add Certificate for IIS
  1. Server Manager > IIS > Add Role Services > Add IIS Management Console role service
  2. IIS Manager > Server > Server Certificates > Create Certificate Request
  3. Common name has to be FQDN of SG server eg. xensg01.vilab.local
  4. Save certificate request on desktop eg. xensg01-cert-req.txt
  5. Open CA URL eg. http://dc01/certsrv > Request a Certificate > Advanced Certificate Request > Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
  6. Copy paste certificate text into Saved Request field > Certificate Template = Web Server > Submit
  7. Select Base 64 encoded > Download certificate to desktop
  8. IIS Manager > Server > Server Certificates > Complete Certificate Request > Browse to certnew.cer on desktop, giving friendly name like “xensg01 IIS Cert”
  9. Default Web Site > Bindings > Add HTTPS and select “xensg01 IIS Cert” SSL certificate > Change port to 444 (as secure gateway will use 443)
  10. Run iisreset
  11. Test URL from another computer using FQDN eg. http://xensg01.vilab.local
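
The certificate is only accepted for the exact name clients connect with, which is why step 3 insists on the FQDN. The PowerShell check below is an added example, not part of the original notes: it reads the issued certnew.cer from the desktop and reports which names it covers. The function names are made up for illustration and `citrix.example.com` is a hypothetical external name.

```powershell
# Added example, not from the original notes. Run where certnew.cer was saved.
# Assumes an English-language Windows (the "DNS Name=" label is localised).
function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject Alternative Name extension (OID 2.5.29.17), if the CA added one
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($entry in ($san.Format($true) -split "`r?`n")) {
            if ($entry -match '^\s*DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    # Clients fall back to the subject CN only when no SAN DNS names exist
    if ($names.Count -eq 0) {
        $type = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $names += $Cert.GetNameInfo($type, $false)
    }
    return $names
}

function Test-CertCoversName {
    param([string[]]$CertNames, [string]$HostName)
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        # A wildcard entry covers exactly one left-most label
        if ($n.StartsWith('*.') -and $HostName.Contains('.')) {
            $suffix = $HostName.Substring($HostName.IndexOf('.'))
            if ($suffix -ieq $n.Substring(1)) { return $true }
        }
    }
    return $false
}

$path = "$env:USERPROFILE\Desktop\certnew.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
$certNames = @(Get-CertDnsNames $cert)
"Certificate names: $($certNames -join ', ')  (expires $($cert.NotAfter))"

# Names clients might use; the last one is a hypothetical external name
foreach ($name in 'xensg01.vilab.local', 'xensg01', 'citrix.example.com') {
    $ok = Test-CertCoversName -CertNames $certNames -HostName $name
    $result = if ($ok) { 'covered' } else { 'NOT covered: clients will warn or refuse' }
    '{0,-22} {1}' -f $name, $result
}
```
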
Secure Gateway
  1. Server Configuration Tasks > Secure Gateway > Install > Installation Mode = Secure Gateway
  2. Account = LocalSystem
  3. Configuration Type = Advanced
  4. Accept defaults until STA step
  5. FQDN for STA is XenApp server eg. xenapp01.vilab.local
  6. Tick No connection timeout
  7. Access = indirect
  8. Accept defaults until finish
  9. Web Interface Management > XenApp Web Sites > Edit Settings > Secure Access > Edit Default > Change to Gateway direct.
  10. Enter Secure Gateway FQDN eg. xensg01.vilab.local
  11. Disable session reliability.
  12. Add STA URL, which is XenApp server eg. http://xenapp01.vilab.local/scripts/ctxsta.dll
  13. Do previous few steps for XenApp Services Sites
  14. Run iisreset
Note: if you cannot connect after a reboot, check the Citrix Secure Gateway service is running.
Enable Client Downloads
  1. Copy D:\Citrix Receiver and Plug-ins\Windows and D:\Citrix Receiver and Plug-ins\Mac folders from the install ISO to C:\Program Files (x86)\Citrix\Web Interface\5.4.0\Clients
  2. Web Interface Management > XenApp Web Sites > Edit Settings > Client Deployment > Properties > General > Client Detection > Enable Offer upgrades for clients
  3. Edit C:\inetpub\wwwroot\Citrix\XenApp\conf\WebInterface.conf file
  4. Uncomment windows and mac lines:
    1. # ClientIcaMac=Filename:Citrix online plug-in (web).dmg,Directory:Mac,Mui:Yes
    2. # ClientIcaWin32=Filename:CitrixOnlinePluginWeb.exe,Directory:Windows,Mui:Yes,ClassID:238f6f83-b8b4-11cf-8771-00a024541ee3
  5. Change Filename to the name of the client file in the folder eg. citrixreceiver.exe
    1. ClientIcaWin32=Filename:CitrixReceiver.exe,Directory:Windows,Mui:Yes,ClassID:238f6f83-b8b4-11cf-8771-00a024541ee3
    2. ClientIcaMac=Filename:CitrixReceiver11_4_3.dmg,Directory:Mac,Mui:Yes
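
Steps 3 to 5 can be scripted so that the conf file only ever points at an installer that is really present in the Clients folder. This PowerShell script is an added example, not part of the original notes; it uses the paths and file names from the steps above and assumes the Windows and Mac folders were copied as in step 1.

```powershell
# Added example, not from the original notes.
$conf    = 'C:\inetpub\wwwroot\Citrix\XenApp\conf\WebInterface.conf'
$clients = 'C:\Program Files (x86)\Citrix\Web Interface\5.4.0\Clients'

# Setting name -> installer file copied into the matching Clients sub-folder
$installers = @{
    ClientIcaWin32 = 'CitrixReceiver.exe'
    ClientIcaMac   = 'CitrixReceiver11_4_3.dmg'
}

Copy-Item $conf "$conf.bak" -Force   # rollback copy before touching the file

$lines = Get-Content $conf | ForEach-Object {
    $line = $_
    foreach ($key in $installers.Keys) {
        # Match the setting whether or not it is still commented out with '#'
        $pattern = "^\s*#?\s*${key}=Filename:[^,]*,Directory:([^,]+)(,.*)?$"
        if ($line -match $pattern) {
            $dir  = $Matches[1]
            $rest = $Matches[2]
            $file = $installers[$key]
            # Refuse to advertise a download that is not on disk
            if (-not (Test-Path (Join-Path (Join-Path $clients $dir) $file))) {
                throw "$file not found under $clients\$dir"
            }
            $line = "${key}=Filename:$file,Directory:$dir$rest"
        }
    }
    $line
}

# Assumption: the file is plain ASCII/ANSI, which is what Set-Content writes
# by default in Windows PowerShell; restore the .bak copy if the site breaks.
Set-Content -Path $conf -Value $lines

# Show the two settings as they now stand
Select-String -Path $conf -Pattern '^ClientIca(Win32|Mac)='
```
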
Publishing Applications
  1. From XenApp server, open Administrative Tools > Citrix > Administration Tools > Management Consoles > Citrix AppCenter
  2. Untick SSO under Citrix Resources > Add Local Computer > Close wizard
  3. Navigate to Citrix Resources > XenApp > farm01 > Applications
  4. Click Publish application, choose application, path, name etc.
  5. Add XenApp server (xenapp01)
  6. Add user groups
  7. Test application (https://xensg01.vilab.local)
Exporting Root Cert for non-domain clients
  1. Open mmc console > Add certificates for local computer
  2. From trusted root CA > right-click root cert > Export > Base 64 > Save to desktop
  1. Download iPhone configuration utility from Apple to a computer with root cert installed (not on the Root CA though – it wouldn’t work for me):
  2. In Configuration profiles > Fill in general info > Select Credentials section > Select root cert > make any other changes.
  3. Export > Save file to desktop > Email profile to clients, or make available for download via web site. If you do make it available on a web site, create a MIME type with the extension mobileconfig and the type application/x-apple-aspen-config.
  4. Once imported on an Apple device, the profile will show in General Settings at the bottom, where you can easily delete it.


  1. John carmo says

    I am wanting to access my lab farm from the internet, which is running in VMware Workstation on my home PC. My servers are using bridged networking in VMware, so have the same IP range as my normal machines, eg 192.168.0.*

    I understand fully about installing and configuring secure gateway / web interface and then using an SSL cert, but I am struggling with the network config for this home environment.

    Do I place the secure gateway / web interface in the DMZ on my router? Do I have to open certain ports to get it to work?

    • I haven’t tested this at my home lab yet, but I’ll look into it for you shortly, as I’m waist-deep in MSSQL stuff at the mo. It should be a simple case of port forwarding.

      • Hi John, I can confirm it’s just a case of forwarding the port (443 in my case) from your router to the Secure Gateway server IP.

        This is the command I ran on my Cisco 877W router:

        ip nat inside source static tcp 443 443 extendable

        To be honest, I couldn’t run any apps, as the certificate auth fails (mine was originally for xensg01.vilab.local), but it logged in enough to see the available apps, so I know it would work if I created a matching certificate for external use.

        Hope that helps 🙂