Citrix Cloud Connector requirements
The Citrix Cloud Connector comprises Windows services installed on Windows Server 2016, 2019, or 2022.
System requirements
The machines hosting the Cloud Connector must meet the following requirements. Citrix strongly recommends installing at least two Cloud Connectors in each resource location to ensure high availability.
For best practices on configuring Cloud Connector machines for Citrix DaaS, see Scale and size considerations for Cloud Connectors.
Operating systems
The following operating systems are supported:
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
The Cloud Connector is not supported for use with Windows Server Core.
.NET requirements
Microsoft .NET Framework 4.7.2 or later is required.
Server requirements
The following requirements apply to all machines where the Cloud Connector is installed:
- Use dedicated machines for hosting the Cloud Connector. Do not install any other components on these machines.
- The machines are not configured as Active Directory domain controllers. Installing the Cloud Connector on a domain controller is not supported.
- The server clock is set to the correct UTC time.
- Internet Explorer Enhanced Security Configuration (IE ESC) is turned off. If Internet Explorer Enhanced Security Configuration is turned on, the Cloud Connector might not be able to establish connectivity with Citrix Cloud Japan.
Windows Update guidance
Citrix strongly recommends enabling Windows Update on all machines hosting the Citrix Cloud Connector. Every five minutes, the Citrix Cloud Connector checks for pending reboots, which can be triggered by various factors, including Windows Updates. Any detected pending reboot is executed promptly, irrespective of the preferred day schedule set on the resource location. This proactive approach ensures that the Citrix Cloud Connector isn't left in a pending update state for an extended period, thereby maintaining system stability.
The Citrix Cloud platform manages restarts to maintain availability, permitting only one Citrix Cloud Connector to restart at a time. When setting up Windows Update, ensure that Windows is set to automatically download and install updates during non-business hours. However, make sure that automatic restarts are not allowed for at least four hours, which gives the Citrix Cloud Connector ample time to manage the restart process. Additionally, you can establish a fallback restart mechanism using Group Policy or a system management tool for situations where a machine must be restarted following an update. For more information, see Manage device restarts after updates.
Note:
- If the customer does not intend their Citrix Cloud Connector to reboot during business hours, we suggest that the customer schedule Windows Updates accordingly outside of business hours.
- Each Citrix Cloud Connector requires approximately 10 minutes to reboot, and this includes the time needed to synchronize with the Citrix Cloud Platform to ensure that only one Citrix Cloud Connector reboots at any given point of time. Hence, the recommended minimum delay of four hours for automatic restarts, as mentioned earlier, can be adjusted accordingly to a lesser or greater duration depending on the number of Citrix Cloud Connectors in the tenant.
Certificate validation requirements
Cloud Connector binaries and endpoints that the Cloud Connector contacts are protected by X.509 certificates issued by widely respected enterprise certificate authorities (CAs). Certificate verification in Public Key Infrastructure (PKI) includes checking the Certificate Revocation List (CRL). When a client receives a certificate, it verifies the CA's trustworthiness and checks whether the certificate is listed on a CRL. If the certificate is on a CRL, the certificate is revoked and should not be trusted, even though it appears valid.
The CRL servers use HTTP on port 80 instead of HTTPS on port 443. Cloud Connector components themselves do not communicate over external port 80. The need for external port 80 is a byproduct of the certificate verification process that the operating system performs.
The X.509 certificates are verified during the Cloud Connector installation. Therefore, all Cloud Connector machines must trust these certificates to ensure successful installation of the Cloud Connector software.
Endpoints in Citrix Cloud Japan are secured by certificates issued by DigiCert or by one of the Root Certificate Authorities employed by Azure. For more information on the Root CAs used by Azure, see https://docs.microsoft.com/en-us/azure/security/fundamentals/tls-certificate-changes.
To validate the certificates, each Cloud Connector machine must meet the following requirements:
- HTTP port 80 is open to the following addresses. This port is used during Cloud Connector installation and during the periodic CRL checks. For more information about how to test for CRL and OCSP connectivity, see https://www.digicert.com/kb/util/utility-test-ocsp-and-crl-access-from-a-server.htm on the DigiCert web site.
http://cacerts.digicert.com/
http://dl.cacerts.digicert.com/
http://crl3.digicert.com
http://crl4.digicert.com
http://ocsp.digicert.com
http://www.d-trust.net
http://root-c3-ca2-2009.ocsp.d-trust.net
http://crl.microsoft.com
http://oneocsp.microsoft.com
http://ocsp.msocsp.com
- Communication with the following addresses is enabled:
https://*.digicert.com
- The following root certificates are installed:
https://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
https://cacerts.digicert.com/DigiCertGlobalRootG2.crt
https://cacerts.digicert.com/DigiCertGlobalRootCA.crt
https://cacerts.digicert.com/DigiCertTrustedRootG4.crt
https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt
https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_2009.crt
https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt
https://www.microsoft.com/pkiops/certs/Microsoft%20EV%20ECC%20Root%20Certificate%20Authority%202017.crt
https://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt
- The following intermediate certificates are installed:
https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
https://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt
If any certificate is missing, the Cloud Connector installer downloads it from http://cacerts.digicert.com.
For complete instructions for downloading and installing the certificates, see CTX223828.
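The requirements in this section can be checked on a prepared machine before the installer runs. The following PowerShell script is an added example, not Citrix code: it tests TCP port 80 to the CRL and OCSP hosts listed above and compares each listed root and intermediate certificate with the local machine certificate stores by thumbprint. The function and variable names are chosen for this example.

```powershell
# Added example, not Citrix code. Host names and certificate URLs are copied from
# the lists above. The script only reads state; it installs nothing.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$crlOcspHosts = @(
    'cacerts.digicert.com', 'dl.cacerts.digicert.com', 'crl3.digicert.com',
    'crl4.digicert.com', 'ocsp.digicert.com', 'www.d-trust.net',
    'root-c3-ca2-2009.ocsp.d-trust.net', 'crl.microsoft.com',
    'oneocsp.microsoft.com', 'ocsp.msocsp.com'
)
# Store name under Cert:\LocalMachine -> certificates expected in that store.
$expected = @{
    Root = @(
        'https://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt',
        'https://cacerts.digicert.com/DigiCertGlobalRootG2.crt',
        'https://cacerts.digicert.com/DigiCertGlobalRootCA.crt',
        'https://cacerts.digicert.com/DigiCertTrustedRootG4.crt',
        'https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt',
        'https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_2009.crt',
        'https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt',
        'https://www.microsoft.com/pkiops/certs/Microsoft%20EV%20ECC%20Root%20Certificate%20Authority%202017.crt',
        'https://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt'
    )
    CA = @(
        'https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt',
        'https://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt'
    )
}

function Test-CrlPort {
    foreach ($h in $crlOcspHosts) {
        $t = Test-NetConnection -ComputerName $h -Port 80 -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = 'TCP 80'; Target = $h; Ok = $t.TcpTestSucceeded; Detail = $t.RemoteAddress }
    }
}

function Test-CertInstalled {
    $web = New-Object System.Net.WebClient
    foreach ($store in $expected.Keys) {
        foreach ($url in $expected[$store]) {
            try {
                $bytes  = [byte[]]$web.DownloadData($url)
                $cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
                $ok     = Test-Path "Cert:\LocalMachine\$store\$($cert.Thumbprint)"
                $detail = $cert.Thumbprint
            } catch { $ok = $false; $detail = $_.Exception.Message }
            [pscustomobject]@{ Check = "Store $store"; Target = $url; Ok = $ok; Detail = $detail }
        }
    }
}

$results = @(Test-CrlPort) + @(Test-CertInstalled)
$results | Format-Table -AutoSize -Wrap
if ($results.Ok -contains $false) { Write-Warning 'One or more certificate validation requirements are not met.' }
```

Test-NetConnection opens a direct TCP connection, so on a machine that reaches the Internet only through a proxy the port checks can fail even though CRL retrieval through the proxy works.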
Active Directory requirements
- Joined to an Active Directory domain that contains the resources and users that you use to create offerings for your users.
- Each Active Directory forest that you plan to use with Citrix Cloud Japan should always be reachable by two Cloud Connectors.
- The Cloud Connector must be able to reach the parent domain controllers as well as the child domain controllers. This is essential for completing the Active Directory workflows in which the Cloud Connector is installed.
For more information, refer to the following Microsoft support articles:
- How to configure domains and trusts
- Systems services ports
Network requirements
- Connected to a network that can contact the resources you use in your resource location. For more information, see Cloud Connector Proxy and Firewall Configuration.
- Connected to the Internet. For more information, see Internet Connectivity Requirements.
Supported Active Directory functional levels
The Citrix Cloud Connector supports the following forest and domain functional levels in the Active Directory.
Forest Functional Level | Domain Functional Level | Supported Domain Controllers |
---|---|---|
Windows Server 2008 R2 | Windows Server 2008 R2 | Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 |
Windows Server 2008 R2 | Windows Server 2012 | Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 |
Windows Server 2008 R2 | Windows Server 2012 R2 | Windows Server 2012 R2, Windows Server 2016 |
Windows Server 2008 R2 | Windows Server 2016 | Windows Server 2016 |
Windows Server 2012 | Windows Server 2012 | Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 |
Windows Server 2012 | Windows Server 2012 R2 | Windows Server 2012 R2, Windows Server 2016 |
Windows Server 2012 | Windows Server 2016 | Windows Server 2016 |
Windows Server 2012 R2 | Windows Server 2012 R2 | Windows Server 2012 R2, Windows Server 2016 |
Windows Server 2012 R2 | Windows Server 2016 | Windows Server 2016 |
Windows Server 2016 | Windows Server 2016 | Windows Server 2016, Windows Server 2019, Windows Server 2022 |
Federal Information Processing Standard (FIPS) support
The Cloud Connector currently supports the FIPS-validated cryptographic algorithms that are used on FIPS-enabled machines. Only the latest version of the Cloud Connector software available in Citrix Cloud Japan includes this support. If you have existing Cloud Connector machines in your environment (installed before November 2018) and you want to enable FIPS mode on these machines, perform the following actions:
- Uninstall the Cloud Connector software on each machine in your resource location.
- Enable FIPS mode on each machine.
- Install the latest version of the Cloud Connector on each FIPS-enabled machine.
Important:
- Do not attempt to upgrade existing Cloud Connector installations to the latest version. Always uninstall the old Cloud Connector first and then install the newer one.
- Do not enable FIPS mode on a machine hosting an older Cloud Connector version. Cloud Connectors older than Version 5.102 do not support FIPS mode. Enabling FIPS mode on a machine with an older Cloud Connector installed prevents Citrix Cloud Japan from performing regular maintenance updates for the Cloud Connector.
For instructions to download the latest version of the Cloud Connector, see Task 3: Install Cloud Connectors.
Allowed FQDNs for Cloud Connector
For a complete list of the fully qualified domain names (FQDNs) that the Cloud Connector accesses, refer to the JSON file at https://fqdnallowlistsa.blob.core.windows.net/fqdnallowlist-japan/allowlist.json. The list is organized by product, and for each group of FQDNs, there is an accompanying change log.
Some of these FQDNs are specific to a customer and include templated sections in angle brackets. These templated sections must be replaced with the actual values before use. For example, for <CUSTOMER_ID>.xendesktop.net, you replace <CUSTOMER_ID> with the actual customer ID for your Citrix Cloud account. You can find the customer ID at the top of the API Access tab in Identity and Access Management.
Installation requirements
- Download the Cloud Connector software only from Citrix Cloud Japan and install it on prepared machines. By default, the Cloud Connector installer attempts to connect with the control plane from which it is downloaded. So, if you attempt to install the software downloaded from a Citrix Cloud (citrix.cloud.com) account, the installer does not connect with Citrix Cloud Japan.
- Because the Cloud Connector software is downloaded, your browser must allow downloading executable files.
Considerations for cloned machines
Each machine hosting the Cloud Connector must have a unique SID and connector ID so that Citrix Cloud Japan can communicate with the machines in your resource location. Installing the Cloud Connector on a machine template (before cloning) is not supported. Cloning a machine with the Cloud Connector installed will result in the Cloud Connector services not running, rendering the machine unable to connect to Citrix Cloud Japan.
If you intend to host the Cloud Connector on multiple machines in your resource location and you want to use cloned machines, perform the following steps:
- Prepare the machine template according to the requirements for your environment.
- Provision the number of machines that you intend to use as Cloud Connectors.
- Install the Cloud Connector on each machine, either manually or using the silent installation mode.
Important usage considerations
- Keep all Cloud Connectors powered on at all times to ensure an always-on connection to Citrix Cloud Japan.
- Do not upgrade a previously installed Cloud Connector with a newer version. Instead, uninstall the old Cloud Connector and then install the new one.
- Citrix strongly recommends enabling Windows Update on all machines hosting the Cloud Connector.
- Citrix strongly recommends installing at least two Cloud Connectors in each resource location. In general, the number of Cloud Connectors you should install is N+1, where N is the capacity needed to support the infrastructure within your resource location and ensure that the connection between Citrix Cloud Japan and your resource location remains intact in the event any single Cloud Connector becomes unavailable.
- Each Active Directory forest that you plan to use with Citrix Cloud Japan should always be reachable by two Cloud Connectors.
- After installation, do not move the machine hosting the Cloud Connector into a different domain. If the machine requires joining a different domain, uninstall the Cloud Connector, then reinstall it after domain joining.
Cloud Connector installed services
This section describes the services that are installed with the Cloud Connector and their system privileges.
During installation, the Citrix Cloud Connector executable installs and sets the necessary service configuration to the default settings required to function. If the default configuration is manually altered, the Cloud Connector might not perform as expected. In this case, the configuration resets to the default state when the next Cloud Connector update occurs, assuming the services that handle the update process can still function.
Citrix Cloud Agent System facilitates all elevated calls necessary for the other Cloud Connector services to function and does not communicate on the network directly. When a service on the Cloud Connector needs to perform an action requiring Local System permissions, it does so through a predefined set of operations that the Citrix Cloud Agent System can perform.
Service Name | Description | Runs As |
---|---|---|
Citrix Cloud Agent System | Handles the system calls necessary for the on-premises agents. Includes installation, reboot, and registry access. Can only be called by Citrix Cloud Services Agent WatchDog. | Local System |
Citrix Cloud Services Agent WatchDog | Monitors and upgrades the on-premises agents (evergreen). | Network Service |
Citrix Cloud Services Agent Logger | Provides a support logging framework for the Citrix Cloud Connector services. | Network Service |
Citrix Cloud Services AD Provider | Enables Citrix Cloud Japan to facilitate management of resources associated with the Active Directory domain accounts in which it is installed. | Network Service |
Citrix Cloud Services Agent Discovery | Enables Citrix Cloud Japan to facilitate management of XenApp and XenDesktop legacy on-premises Citrix products. | Network Service |
Citrix Cloud Services Credential Provider | Handles storage and retrieval of encrypted data. | Network Service |
Citrix Cloud Services WebRelay Provider | Enables HTTP Requests received from WebRelay Cloud service to be forwarded to On-Premises Web Servers. | Network Service |
Citrix CDF Capture Service | Captures CDF traces from all configured products and components. | Network Service |
Citrix Config Synchronizer Service | Copies brokering configuration locally for high availability mode. | Network Service |
Citrix High Availability Service | Provides continuity of service during outage of central site. | Network Service |
Citrix ITSM Adapter Provider | Automates provisioning and management of virtual apps and desktops. | Network Service |
Citrix NetScaler Cloud Gateway | Provides Internet connectivity to on-premises desktops and applications without the need to open in-bound firewall rules or deploying components in the DMZ. | Network Service |
Citrix Remote Broker Provider | Enables communication to a remote Broker service from local VDAs and StoreFront servers. | Network Service |
Citrix Remote HCL Server | Proxies communications between the Delivery Controller and one or more Hypervisors. | Network Service |
Citrix Session Manager Proxy | Manages anonymous pre-launched sessions, and uploads session count information to the cloud-based Session Manager service. | Network Service |
Citrix WEM Cloud Authentication Service | Provides authentication service for Citrix WEM agents to connect to cloud infrastructure servers. | Network Service |
Citrix WEM Cloud Messaging Service | Provides service for Citrix WEM cloud service to receive messages from cloud infrastructure servers. | Network Service |
Citrix Secure Private Access | Provides Zero Trust Network Access to all enterprise applications. | Network Service |
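Because a manually altered service configuration can leave the Cloud Connector misbehaving until the next update resets it, it is useful to compare each service's logon account with the table above. The following PowerShell script is an added example, not Citrix code; it assumes the Windows display names match the "Service Name" column and that Win32_Service reports the two accounts as LocalSystem and NT AUTHORITY\NetworkService.

```powershell
# Added example, not Citrix code. Expected accounts come from the "Runs As"
# column of the table above; display names are assumed to match "Service Name".
$localSystem    = @('Citrix Cloud Agent System')
$networkService = @(
    'Citrix Cloud Services Agent WatchDog',
    'Citrix Cloud Services Agent Logger',
    'Citrix Cloud Services AD Provider',
    'Citrix Cloud Services Agent Discovery',
    'Citrix Cloud Services Credential Provider',
    'Citrix Cloud Services WebRelay Provider',
    'Citrix CDF Capture Service',
    'Citrix Config Synchronizer Service',
    'Citrix High Availability Service',
    'Citrix ITSM Adapter Provider',
    'Citrix NetScaler Cloud Gateway',
    'Citrix Remote Broker Provider',
    'Citrix Remote HCL Server',
    'Citrix Session Manager Proxy',
    'Citrix WEM Cloud Authentication Service',
    'Citrix WEM Cloud Messaging Service',
    'Citrix Secure Private Access'
)

$expected = @{}
foreach ($n in $localSystem)    { $expected[$n] = 'LocalSystem' }
foreach ($n in $networkService) { $expected[$n] = 'NT AUTHORITY\NetworkService' }

# Index the Citrix services actually present on this machine by display name.
$installed = @{}
Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE 'Citrix%'" |
    ForEach-Object { $installed[$_.DisplayName] = $_ }

$report = foreach ($name in ($expected.Keys | Sort-Object)) {
    $svc = $installed[$name]
    if (-not $svc) { $status = 'NotInstalled' }
    elseif ($svc.StartName -eq $expected[$name]) { $status = 'AsDocumented' }
    else { $status = 'Drift' }
    [pscustomobject]@{
        Service = $name; Expected = $expected[$name]
        Actual  = $svc.StartName; State = $svc.State; Status = $status
    }
}
$report | Format-Table -AutoSize

# Citrix services on the machine that the table does not list: review manually.
$installed.Keys | Where-Object { -not $expected.ContainsKey($_) } | Sort-Object
```

A Drift row for any service, in particular one that the table lists as Network Service but that runs as Local System, is the case to investigate first.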
Event messages and logs
The Cloud Connector generates certain event messages that you can view in the Windows Event Viewer. If you want to enable your preferred monitoring software to look for these messages, you can download them as a ZIP archive. The ZIP archive includes these messages in the following XML files:
- Citrix.CloudServices.Agent.Core.dll.xml (Connector Agent Provider)
- Citrix.CloudServices.AgentWatchDog.Core.dll.xml (Connector AgentWatchDog Provider)
Download Cloud Connector event messages. (ZIP file)
Troubleshooting
The first step in diagnosing any issues with the Cloud Connector is to check the event messages and event logs. If you don't see the Cloud Connector listed in your resource location, or it is shown as "not in contact," the event logs provide some initial information.
Installation
If the Cloud Connector is in an “error” state, there might be a problem hosting the Cloud Connector. Install the Cloud Connector on a new machine. If the issue persists, contact Citrix Support. To troubleshoot common issues with installing or using the Cloud Connector, see CTX221535.