Citrix

From ArchWiki
Jump to navigation Jump to search

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements. See Help:Style for reference.Tango-edit-clear.png

Reason: See Help:Style; also add an introduction. (Discuss in Talk:Citrix#)

Citrix Receiver is the client component of XenDesktop (desktop virtualization software) and XenApp (application virtualization software), developed by Citrix Systems.

Installation

Install the icaclientAUR package.

SSL connections are supported by default in this packages. Also Firefox plugin will be installed by default as well as the wfica.desktop file. That way Arch knows how to open ica files.

Google Chromium

If you have problems launching Citrix applications with Chromium, just go to chrome://extensions and disable "Citrix Receiver for Linux".

Next, create /usr/share/applications/wfica.desktop (Exec path may vary based on package installed):

[Desktop Entry]
Name=Citrix ICA client
Comment="Launch Citrix applications from .ica files"
Categories=Network;
Exec=/opt/Citrix/ICAClient/wfica
Terminal=false
Type=Application
NoDisplay=true
MimeType=application/x-ica;

Now xdg-open will handle .ica extensions using /opt/Citrix/ICAClient/wfica.

Note: if you are running Xfce and Chromium is opening the .ica files in the wrong application (e.g. a text editor), make sure you have xorg-xprop installed.

Manual installation

Tango-view-refresh-red.pngThis article or section is out of date.Tango-view-refresh-red.png

Reason: Firefox has removed plugin support (Discuss in Talk:Citrix#)
  • Step 1. Download Citrix Receiver from here. Choose the latest version of the x86_64 tarball.
  • Step 2. Unpack the archive:
# tar zxvf en.linuxx86.tar.gz
./
./PkgId
./install.txt
./eula.txt
./readme.txt
./setupwfc
./linuxx86/
./linuxx86/hinst
./linuxx86/linuxx86.cor/
./linuxx86/linuxx86.cor/nls/
./linuxx86/linuxx86.cor/nls/en/
./linuxx86/linuxx86.cor/nls/en/UTF-8/
./linuxx86/linuxx86.cor/nls/en/UTF-8/Wfica
./linuxx86/linuxx86.cor/nls/en/UTF-8/Wfcmgr
... many more files ...
  • Step 3. Run setupwfc:
    # ./setupwfc
    (Follow all instructions prompted by setupwfc.)
  • Step 4. (Applies only for Firefox integration:)

The setup program should have made appropriate links to the "Citrix Receiver for Linux" plugin. You can check this as such:

# find / -name npica.so
/opt/Citrix/ICAClient/npica.so

Or you can check if your browser loads the plugin, in Firefox this can be done by typing "about:plugins" in the address bar. If you have a 64-bit version of Firefox, the plugin will not be loaded. You can check below what to do.

Create missing links as such:

# ln -s /opt/Citrix/ICAClient/npica.so /usr/lib/mozilla/plugins/
  • Step 6. Restart your browser

At this point, everything should work, including wfcmgr. In the case of Opera, integration should be automatic. The ICAClient will automatically be launched whenever you try to access a citrix-based application from either Firefox or Opera.

Note: If for some reason firefox prompts you for which application to use when opening a citrix-based application, use /opt/Citrix/ICAClient/wfica

TLS/SSL Certificates

Because ICAClient uses SSL you may need a security certificate to connect to the server, check with the server administrator. If there is a certificate download and place it in /usr/lib/ICAClient/keystore/cacerts/.

You may then receive the error You have not chosen to trust the issuer of the server's security certificate. (SSL Error 61).

There may be several reasons for this:

You do not have the root Certificate Authority (CA) certificates.
These are already installed on most systems, they are part of the core package ca-certificates, but they are not where ICAClient looks for them. Copy the certificates from /etc/ssl/certs/ to /usr/lib/ICAClient/keystore/cacerts/. For Citrix versions before 13.1, run the following command as root:
# ln -sf /etc/ssl/certs/* /opt/Citrix/ICAClient/keystore/cacerts/
Since versions 13.1, Citrix needs the certificates in separate files. You need to run the following commands as root:
# cd /opt/Citrix/ICAClient/keystore/cacerts/
# cp /etc/ca-certificates/extracted/tls-ca-bundle.pem .
# awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert." c ".pem"}' < tls-ca-bundle.pem
You may also need to download your CA's intermediate certificates and store them in the same directory.
Changes to your certificate directory will likely require rehashing links for openssl to find them properly. Skipping this step might result in Citrix still giving certificate errors. To do this, use this command (borrowed from [1])

Tango-view-refresh-red.pngThis article or section is out of date.Tango-view-refresh-red.png

Reason: After the last [April 2018] openssl upgrade, the c_rehash command is broken in Arch. [unless the command hasn't been deprecated upstream, this should be a bug report] (Discuss in Talk:Citrix#)
# c_rehash /opt/Citrix/ICAClient/keystore/cacerts/

Audio Support

Citrix Receiver uses ALSA. If you use Pulse Audio, install pulseaudio-alsa.

To get audio input into Citrix Receiver, in ~/.ICAClient/wfclient.ini, add AllowAudioInput=True anywhere in the [WFClient] section.

Endpoint Analysis (EPA)

If your company has activated the optional endpoint analysis to check if your computer meets certain requirements, you will have to install another component, the EPA-Plugin. It seems like it was a browser plugin using the legacy NPAPI, but now it's just an application the browser calls with a protocol handler for "nsgcepa://". Here's what you have to do to get it running:

  • Step 1. Download the EPA plugin from your company's Citrix gateway. Opening the URL of your company's Citrix gateway will try to start the endoint check immediately, which (of course) fails, because you haven't installed the EPA plugin, yet. Under the error message you will see a button for downloading nsepa.deb. Download it.
  • Step 2. Transform the Debian package into an Arch package with debtap. You might need to install debtapAUR first.
    $ debtap nsepa.deb
    Call the package "nsepa" and use the suggested version. Install it like so:
    $ sudo pacman -U nsepa nsepa-1.0.0.35-1-x86_64.pkg.tar.xz

Recent versions of the EPA are linked to libcurl-gnutls and you're done now. Unfortunately your company might use and old version that has the following problem:

$ ldd /opt/Citrix/Browser-EPA/nsgcepa
/opt/Citrix/Browser-EPA/nsgcepa: /usr/lib/libcurl.so.4: version `CURL_OPENSSL_3' not found (required by /opt/Citrix/Browser-EPA/nsgcepa)
	linux-vdso.so.1 (0x00007fff33f4f000)
	libX11.so.6 => /usr/lib/libX11.so.6 (0x00007fe4401d9000)
        [...]

As you can see, the nsgcepa executable (which is the main executable of nsepa) has been linked to a libcurl.so.4 that contains the "CURL_OPENSSL_3" symbol. I think this is a patched version from Ubuntu and I couldn't find an Arch package providing it, not even libcurl-compat. Unfortunately you have to find an appropriate lib for yourself. I found one in the Steam runtime under ~/.local/share/Steam/ubuntu12_32/steam-runtime/usr/lib/x86_64-linux-gnu.

  • Troubleshooting-Step 1. Create a directory for patched library files and copy libcurl.so.4 into it. Also copy dependencies.
$ sudo mkdir /opt/Citrix/lib
$ cd ~/.local/share/Steam/ubuntu12_32/steam-runtime/usr/lib/x86_64-linux-gnu
$ sudo cp libcurl.so.4 /opt/Citrix/lib
$ sudo cp libhogweed.so.4 libnettle.so.6 librtmp.so.0 libidn.so.11 /opt/Citrix/lib
  • Troubleshooting-Step 2. In order to use these libs instead of your system's libs, we have to fiddle with the way nsgcepa is being called. There's a .desktop file provided in the nsepa package for that: /opt/Citrix/Browser-EPA/nsgcepa.desktop. Change the Exec line to:
    Exec=env LD_LIBRARY_PATH=/opt/Citrix/lib LD_PRELOAD=/opt/Citrix/lib/libcurl.so.4 /opt/Citrix/Browser-EPA/nsgcepa
  • Troubleshooting-Step 3. The .desktop file had already been copied to where the system expects it to be: /usr/share/applications/. Overwrite it with your new one.
    $ cp /opt/Citrix/Browser-EPA/nsgcepa.desktop /usr/share/applications/

Now go to you company's Citrix URL again. The EPA should run. If it does not, you should check if the protocol handler for "nsgcepa://" works:

$ xdg-open nsgcepa://something.com

If it answers "gio: nsgcepa://something.com: The specified location is not supported" you need to add the protocol handler manually:

$ xdg-mime default nsgcepa.desktop x-scheme-handler/nsgcepa

If the EPA still fails you should ask your company's Citrix Netscaler admins if they've disabled Linux logins completely. It seems like there's no corresponding error message for that case, instead the error message is the same as if you don't have installed the EPA plugin at all.


Troubleshooting

  • If you have issues opening a Citrix connection under Firefox you may need to set the Citrix Receiver plugin to 'Always Activate' under the Firefox Add-ons Manager plugin settings.
  • If you have cursor alignment issues under Citrix and you have multiple displays connected to your machine you may need to disable all but one when using Citrix.
  • If you have sticky Control Ctrl key issues after logging to session you may resolve it using this guide
  • On i3 window manager, Citrix might go full screen and grab all keyboard input. A workaround is to disable full screen mode in ~/.ICAClient/All_Regions.ini. See forum for more info.
[Virtual Channels\Seamless Windows]
TWIMode=0

[Virtual Channels\Thinwire Graphics]
DesiredColor=8
ApproximateColors=*
DesiredHRES=1024
DesiredVRES=768
ScreenPercent=*
UseFullScreen=false
TWIFullScreenMode=false
NoWindowManager=false