Information
Applicable Products
Citrix Workspace App 1904 for Windows and later. Also for Citrix Workspace App 1910 and later.Note:
The Citrix Workspace app allows for secure, unified access to all of your SaaS apps, web apps, virtual apps, files, and desktops. If your company uses Citrix, simply login with your company credentials to access all of the resources you need to be productive from anywhere. Download and manually install the latest Workspace App for Mac release: 19.10.2 and above Problem Cause Due to a change in the API behavior introduced in the Catalina release with Apple's Notarization and XCode 10.
Citrix has deprecated weak cryptography across the board. If the configurations on the backend is not updated to support one of the 3 supported strong cipher suites, you will not be able to connect. At least one of these is required:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Objective
This feature is an important change to the secure communication protocol. Cipher suites with the prefix TLS_RSA_ do not offer forward secrecy and are considered weak. These cipher suites were deprecated in Citrix Receiver version 13.10 with an option for backward compatibility.In this release, the TLS_RSA_ cipher suites have been removed entirely. Instead, this release supports the advanced TLS_ECDHE_RSA_ cipher suites. If your environment is not configured with the TLS_ECDHE_RSA_ cipher suites, client launches are not supported due to weak ciphers.
This document aims to detail the changes to the cipher suites.
What’s New?
The following advanced cipher suites are supported:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
In earlier releases, the GPO configuration that was available under the below Computer Configuration node which allowed to enable the deprecated cipher suites has been removed now.
Administrative Template > Citrix Component > Citrix Workspace > Network Routing > Deprecated Cipher Suites
The following cipher matrix provides the ciphers supported by the latest SSL SDK:
The following cipher matrix provides the ciphers supported by the latest SSL SDK:
Expected failure scenarios and edge cases
- TCP
- OPEN mode: Session launch is not supported when the client is configured for GOV and the VDA for COM. This happens because a common cipher suite is absent.
- FIPS/NIST(SP800-52) compliance mode: Session launch is not supported when the VDA is configured for COM the client for COM, GOV, or ANY, or the other way around. This happens because a common cipher suite is absent.
- DTLS v1.0 supports the following cipher suites:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
- DTLS v1.2 supports the following cipher suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
- Therefore, session launch is not supported from a client configured for GOV to a VDA configured for COM. Also, fallback to TCP is not supported. When you use DTLS v1.0, session launch is not supported for clients configured for GOV because a common cipher suite is absent.
- DTLS does not support FIPS/NIST compliance modes.
- DTLS v1.2 is supported by Windows 10 (1607 and later) and Windows 2016 VDAs. For more information, see Knowledge Center article https://support.citrix.com/article/CTX230010.
- DTLS v1.2 is not supported by Citrix Gateway. This scenario can be tested only with DTLS v1.0. For Citrix Gateway ciphers troubleshooting, see Knowledge Center article https://support.citrix.com/article/CTX235509.
The following matrices provide details of internal and external network connections:
- Matrix for internal network connections (Citrix Gateway scenario)
- Matrix for external network connections (Citrix Gateway scenario)
Note: When NetScaler Gateway is used
- For the EDT to work, NetScaler Gateway must be of version 12.1 or higher since the older versions doesn't support ECDHE cipher suites in DTLS mode.
- NetScaler Gateway doesn't support DTLS 1.2 so TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 are not supported and NetScaler Gateway must be configured to use TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA for it to work in DTLS 1.0
- Download the Citrix Workspace app for Windows
- Open the downloaded Citrix Workspace installer file by double-clicking on it
- Click the “Start” button to start the installation process
- Click the checkbox labelled “I accept the license agreement” and then click the “Next” button
- Click the checkbox labelled “Enable app protection” and then click the “Install” button in the bottom-right corner of the window to proceed with the installation
- Please wait while the Citrix Workspace app is being installed
- When the installation has completed, click the “Finish” button to close the window and get ready to install the Citrix HDX RealTime Media Engine
- Download the Citrix HDX RealTime Media Engine for Windows
- Open the downloaded installer file by double-clicking on it
- Read the Welcome message, then Click the “Next” button to continue the installation
- Click the checkbox labelled “I accept the terms in the License Agreement” and then click the “Next” button in the bottom-right corner of the window to proceed with the installation
- Click the “Install” button in the bottom-right corner of the window to begin the installation
- The installation is now complete. Click the “Finish” button to close the window
- Download the Citrix Workspace app for Mac
- Open the downloaded Citrix Workspace installer file by double-clicking on it
- Double-click the “Install Citrix Workspace” icon to start the installation process
- Click “Continue” at the top of the window to determine if the app can be installed on your computer, and then click “Continue” in the bottom-right corner of the window to proceed with the installation
- Read the Welcome message, and then click “Continue” in the bottom-right corner of the window to proceed with the installation
- Read the message regarding the Software License Agreement, and then click “Continue” in the bottom-right corner of the window to proceed with the installation
- Click the “Agree” button to accept the software license agreement
- Click the “Install” button in the bottom-right corner of the window to proceed with the installation
- To give the software permission to be installed on your Mac, use Touch ID (if your Mac supports it) or click “Use Password” and enter your Mac password
- Leave the checkbox labelled “Add Account” unselected. Click “Continue” in the bottom-right corner of the window to complete the installation
- You have successfully installed the Citrix Workspace app on your Mac. Click the Close button to close the window and get ready to install the Citrix HDX RealTime Media Engine
- Download the Citrix HDX RealTime Media Engine for Mac
- Open the downloaded installer file by double-clicking on it
- Double-click the cardboard box icon to start the installation process
- Click “Continue” at the top of the window to determine if the app can be installed on your computer, and then click “Continue” in the bottom-right corner of the window to proceed with the installation
- Read the Welcome message, and then click “Continue” in the bottom-right corner of the window to proceed with the installation
- Read the Software License Agreement, and then click “Continue” in the bottom-right corner of the window to proceed with the installation
- Click the “Agree” button to accept the software license agreement
- Click the “Install” button in the bottom-right corner of the window to proceed with the installation
- To give the software permission to be installed on your Mac, use Touch ID (if your Mac supports it) or click “Use Password” and enter your Mac password
- You have successfully installed the Citrix HDX RealTime Media Engine on your Mac. Click the Close button to close the window
Citrix Workspace App Download Mac Catalina
- On your iOS or iPadOS device, open the “App Store” app
- Tap the Search (magnifying glass) icon in the bottom-right corner of the screen
- Using the on-screen keyboard, search for “Citrix Workspace” and then tap the blue “Search” button in the bottom-right corner of the screen
- You will now see the Citrix Workspace app, with either a “Get” button or a cloud-shaped icon next to its' title. Tap this button/icon and wait for the app to install
- You have successfully installed the Citrix Workspace app on your iOS or iPadOS device