Connecting to Citrix From Apple Products – New Upgrade Needs More of an Understanding

by Aaron Silber
Managing Director – NY Region

In a world where network security is constantly compromised, either by hackers who wish to cause harm, virus infiltrations or those who lock files and demand bitcoins for ransom, we find ourselves in a place struggling to protect ourselves and our users in their environments. If we discover a flaw or are exploited, we find ourselves looking for corrective measures so we are not in a position where communication comes to a hault.  We close any of the holes in our networks and/or apply new security measures and fixes. Sometimes, a specific encrypting technology, or key, can be deemed not strong enough and the industry decides to discontinue its use. Unfortunately, in many cases, some corrective measures taken inadvertently break real technology that is being relied upon and you find out about it after you have implemented the prescribed lockdown measures. In some cases, we actually become aware of the issues before our users do and prevent them from experiencing a failure.

To those connecting to Citrix from Apple products (MacOS and iOS), please be aware that there are a couple of issues that have recently been discovered that may prevent successful connection into Citrix environments. The issues are documented in Citrix Articles which discuss issues that arise upgrading to the latest Citrix Receiver for iOS or Mac.

Citrix Receiver for iOS v7.2.2 https://support.citrix.com/article/CTX223949

Error: “You have chosen not to trust the certificate” When Using Receiver for Mac 12.5 or Receiver for iOS 7.2.2 or Newer Versions – https://support.citrix.com/article/CTX220962

Stricter SSL Certificate validation requirements will result in Citrix Receiver for Mac and iOS to fail to establish a connection. In order to get mitigate possible connection failures, Citrix offers the following suggestions:

  • Verify the SSL certificate binding and ensure all certificates in the chain are installed and linked correctly.
  • Remove the root certificate from the binding, unless you are certain that this is the correct root certificate and that it is already trusted on iOS devices.
  • Check that all intermediate certificates correspond to the correct root certificate and also correspond to the server certificate.

Additionally, a recent update within Citrix NetScaler 11.1 has altered code which pertains to Citrix Receiver session policies. As a result of this change, SourceIP persistent timeout values must be modified to support functionality for adding accounts to Citrix Receiver for Mac.

Cannot Add Account Using Receiver for Mac After Upgrading NetScaler – https://support.citrix.com/article/CTX216683
When updating your NetScaler environment from version 10.5 to 11.1 clients, Mac users might not be able to connect to the server after logging in using Citrix Receiver. This is due to specific policy settings on the NetScaler environment.

If your Citrix environment supports connectivity from Mac or iOS devices, please be aware of these issues and feel free to contact Helient for support of your certification authority along with SSL Certificate chaining, implementation and Citrix NetScaler security and hardening.