Citrix
Citrix Workspace App (previously known as Citrix Receiver and ICA Client) is the client component of XenDesktop (desktop virtualization software) and XenApp (application virtualization software), developed by Citrix Systems.
Installation
Install the icaclientAUR package. It includes the wfica.desktop
file, so Arch knows how to open ica files.
Chromium/Google Chrome
If you have problems launching Citrix applications with Chromium, just go to chrome://extensions
and disable "Citrix Receiver for Linux".
wfica.desktop
Create /usr/share/applications/wfica.desktop
(Exec path may vary based on package installed):
[Desktop Entry] Name=Citrix ICA client Comment="Launch Citrix applications from .ica files" Categories=Network; Exec=/opt/Citrix/ICAClient/wfica Terminal=false Type=Application NoDisplay=true MimeType=application/x-ica;
Now xdg-open
will handle .ica extensions using /opt/Citrix/ICAClient/wfica
.
TLS/SSL Certificates
Because ICAClient uses SSL you may need a security certificate to connect to the server, check with the server administrator. If there is a certificate download and place it in /usr/lib/ICAClient/keystore/cacerts/
.
You may then receive the error You have not chosen to trust the issuer of the server's security certificate. (SSL Error 61)
.
There may be several reasons for this:
- You do not have the root Certificate Authority (CA) certificates.
- These are already installed on most systems, they are part of the core package ca-certificates, but they are not where ICAClient looks for them. Since versions 13.1, Citrix needs the certificates in separate files. You need to run the following commands as root:
# cd /opt/Citrix/ICAClient/keystore/cacerts/ # cp /etc/ca-certificates/extracted/tls-ca-bundle.pem . # awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert." c ".pem"}' < tls-ca-bundle.pem
- You may also need to download your CA's intermediate certificates and store them in the same directory.
- Changes to your certificate directory will likely require rehashing links for openssl to find them properly. Skipping this step might result in Citrix still giving certificate errors. To do this, use this command (borrowed from [1])
# c_rehash /opt/Citrix/ICAClient/keystore/cacerts/
Instead of using c_rehash
which no longer works the openssl rehash
command can be used instead.
# openssl rehash /opt/Citrix/ICAClient/keystore/cacerts/
Audio Support
Pulse Audio
Citrix Receiver uses ALSA. If you use Pulse Audio, install pulseaudio-alsa.
To get audio input into Citrix Receiver, in ~/.ICAClient/wfclient.ini
, add AllowAudioInput=True
anywhere in the [WFClient]
section.
As of client 2012 - December 2020 Citrix has introduced additional audio redirection: https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/configure-xenapp.html#audio . If your audio device is no longer detected within the Citrix Workspace App, you may need to disable this new functionality following the instructions provided.
Pipewire
Pipewire - although not officially supported - interacts with Citrix much in the same way Pulse Audio does. Install pipewire-alsa to allow Citrix to redirect audio and make sure you have AllowAudioInput=True
in your ~/.ICAClient/wfclient.ini
like described above.
Citrix also checks for the /usr/bin/pulseaudio
binary to be present on the system and aborts audio redirection otherwise. For this reason you also need to create a dummy executable with the following content[2]:
/usr/bin/pulseaudio
#!/bin/sh if [ "$1" == "--version" ]; then pactl info | grep Server\ Name | sed -e "s/Server Name: //" else echo "This is a dummy file for apps that check if pulseaudio is available by checking for the binary existing" fi
Make it executable.
Endpoint Analysis (EPA)
If your company has activated the optional endpoint analysis to check if your computer meets certain requirements, you will have to install another component, the EPA-Plugin. It seems like it was a browser plugin using the legacy NPAPI, but now it is just an application the browser calls with a protocol handler for "nsgcepa://". Here is what you have to do to get it running:
- Step 1. Download the EPA plugin from your company's Citrix gateway. Opening the URL of your company's Citrix gateway will try to start the endoint check immediately, which (of course) fails, because you have not installed the EPA plugin, yet. Under the error message you will see a button for downloading
nsepa.deb
. Download it.
- Step 2. Transform the Debian package into an Arch package with debtap. You might need to install debtapAUR first.
# debtap nsepa.deb
Call the package "nsepa" and use the suggested version. Install it like so:# pacman -U nsepa-1.0.0.35-1-x86_64.pkg.tar.xz
Recent versions of the EPA are linked to libcurl-gnutls and you are done now. Unfortunately your company might use and old version that has the following problem:
$ ldd /opt/Citrix/Browser-EPA/nsgcepa /opt/Citrix/Browser-EPA/nsgcepa: /usr/lib/libcurl.so.4: version `CURL_OPENSSL_3' not found (required by /opt/Citrix/Browser-EPA/nsgcepa) linux-vdso.so.1 (0x00007fff33f4f000) libX11.so.6 => /usr/lib/libX11.so.6 (0x00007fe4401d9000) [...]
As you can see, the nsgcepa executable (which is the main executable of nsepa) has been linked to a libcurl.so.4 that contains the "CURL_OPENSSL_3" symbol. I think this is a patched version from Ubuntu and I could not find an Arch package providing it, not even libcurl-compat. Unfortunately you have to find an appropriate lib for yourself. I found one in the Steam runtime under ~/.local/share/Steam/ubuntu12_32/steam-runtime/usr/lib/x86_64-linux-gnu
.
- Troubleshooting-Step 1. Create a directory for patched library files and copy libcurl.so.4 into it. Also copy dependencies.
# mkdir /opt/Citrix/lib $ cd ~/.local/share/Steam/ubuntu12_32/steam-runtime/usr/lib/x86_64-linux-gnu # cp libcurl.so.4 /opt/Citrix/lib # cp libhogweed.so.4 libnettle.so.6 librtmp.so.0 libidn.so.11 /opt/Citrix/lib
- Troubleshooting-Step 2. In order to use these libs instead of your system's libs, we have to fiddle with the way nsgcepa is being called. There is a .desktop file provided in the nsepa package for that:
/opt/Citrix/Browser-EPA/nsgcepa.desktop
. Change the Exec line to:Exec=env LD_LIBRARY_PATH=/opt/Citrix/lib LD_PRELOAD=/opt/Citrix/lib/libcurl.so.4 /opt/Citrix/Browser-EPA/nsgcepa
- Troubleshooting-Step 3. The .desktop file had already been copied to where the system expects it to be:
/usr/share/applications/
. Overwrite it with your new one.$ cp /opt/Citrix/Browser-EPA/nsgcepa.desktop /usr/share/applications/
Now go to you company's Citrix URL again. The EPA should run. If it does not, you should check if the protocol handler for "nsgcepa://" works:
$ xdg-open nsgcepa://something.com
If it answers "gio: nsgcepa://something.com: The specified location is not supported" or "klauncher said: Unknown protocol 'nsgcepa'" you need to add the protocol handler manually:
$ xdg-mime default nsgcepa.desktop x-scheme-handler/nsgcepa
If the EPA still fails you should ask your company's Citrix Netscaler admins if they have disabled Linux logins completely. It seems like there is no corresponding error message for that case, instead the error message is the same as if you do not have installed the EPA plugin at all.
Troubleshooting
- If you have issues opening a Citrix connection under Firefox you may need to set the Citrix Receiver plugin to 'Always Activate' under the Firefox Add-ons Manager plugin settings.
- perl-file-mimeinfo may be required to correctly interpret the .ica file mimeinfo and open it as per the setup in wfica.desktop
- If you have cursor alignment issues under Citrix and you have multiple displays connected to your machine you may need to disable all but one when using Citrix.
- If you have sticky Control Ctrl key issues after logging to session you may resolve it using this guide
- On i3, Citrix might go full screen and grab all keyboard input. A workaround is to disable full screen mode. See https://bbs.archlinux.org/viewtopic.php?id=242398. Tip: In case the keyboard in Sway is not working properly, setting
TWIMode=*
might help.
~/.ICAClient/All_Regions.ini
[Virtual Channels\Seamless Windows] TWIMode=0 [Virtual Channels\Thinwire Graphics] DesiredColor=8 ApproximateColors=* DesiredHRES=1024 DesiredVRES=768 ScreenPercent=* UseFullScreen=false TWIFullScreenMode=false NoWindowManager=false
- If
Alt+Tab
does not work in a remote Citrix session on GNOME Wayland, these two settings will enable key passthrough.
$ gsettings set org.gnome.mutter.wayland xwayland-grab-access-rules "['Wfica']" $ gsettings set org.gnome.mutter.wayland xwayland-allow-grabs true
- If ICAClient is flooding the journal with error messages, a simple fix is to disable all logging in Citrix Workspace Preferences.
- If your timezone inside the VDI is reset to UTC when starting session from Firefox, you might need to go to
about:config
and setprivacy.resistFingerprinting=false
. This feature spoofs the browser's timezone to UTC which is then redirected to the Citrix session.
Note: at the time of writing the privacy.resistFingerprinting.exemptedDomains
setting cannot be used to exclude your company's self-service portal because it's still under testing and not fully working. This might not be the case in the future anymore.
Microsoft Teams audio redirection troubleshooting
- If audio devices are detected by Windows inside the VDI but not by MS Teams, check whether the HdxRtcEngine process is running on your client machine:
$ ps -ef | grep HdxRtcEngine
If not, the process might have crashed. Look for any libraries that are not installed or loaded from the wrong path:
$ ldd /opt/Citrix/ICAClient/util/HdxRtcEngine
In most cases you might be missing some of them. In particular libunwind
might be installed in a different path from the one Citrix is trying to load it from. In such case execute the following to fix that:
# ln -s /usr/lib/libunwind.so /usr/lib/libunwind.so.1
Another thing that might be crashing the HdxRtcEngine
process is an incompatible version (at the time of writing) of gpsd. Downgrading to version 3.18-2 from the Arch Linux Archive may fix the issue:
# pacman -U https://archive.org/download/archlinux_pkg_gpsd/gpsd-3.18-2-x86_64.pkg.tar.xz
Note: you don't actually need to start the gpsd
service, but only have a compatible libgps
installed.
- When starting sessions from Firefox, calls are interrupting after a few minutes or audio is dropping, it might be related to resource limits set by Firefox and inherited by the Citrix processes. You can check that by running
$ prlimit --rttime --pid=$(pgrep HdxRtcEngine)
while a session is running. If the soft or hard limits show anything different than unlimited (default on most systems) you might have to run# prlimit --rttime=unlimited --pid=$(pgrep HdxRtcEngine)
to fix that. Note that limits are reset when you close and reopen a session so you'll have to set them every time.
Alternatively you can just start your session from chromium or other Chromium based browsers.