Citrix Cloud

Posted on  by admin

Citrix Cloud is not IaaS (Infrastrcuture as a Service) or SaaS (Software as a Service). Citrix Cloud: What it is. Think of Citrix Cloud as a PaaS (Platform as a Service). PaaS is a good thing, as core cloud computing features such as scalability, high availability, multi-tenancy, and resiliency can be taken advantage of. Citrix Cloud provides a hybrid cloud platform for organizations to deliver XenApp and XenDesktop services, offering increased flexibility and affordable pricing for scaling workloads on demand. Despite the benefits Citrix Cloud offers, managing performance of Citrix services remains a challenge for Citrix admins. Citrix leverages Microsoft investments in Azure and Remote Desktop Services to enable Citrix Cloud, the fastest and most flexible approach to deploying Citrix technology. Citrix Cloud simplifies how customers deploy VDI, virtual apps, desktops, and complete Citrix workspaces on one.

downloadWhy can't I download this file?

Applicable Products

  • Citrix Cloud

Symptoms or Error

Citrix Cloud Connector does not complete its initial installation or is unable to upgrade to the latest Cloud Connector version. The installation is blocked because it’s not able to validate the code signing certificate of the Citrix Cloud Components downloaded, which may be due to the certificates installed, or an expired signature. To verify this is occurring

  • Navigate to the local logs generated by the connector at: %ProgramData%CitrixWorkspaceCloudInstallLogs
  • Open the most recent logs and search for one of the following strings: “Verified download failed EdgeServiceComponents”. This will indicate if there are issues with downloading and verifying the Cloud Connector components. ​

Citrix Cloud Login

Solution

The Root and Intermediate Certificate authority used to sign the Citrix Cloud Connector need to be trusted on the local machine where the Citrix Cloud Connector is being installed. Cloud Connector binaries and endpoints that the Cloud Connector contacts are protected by X.509 certificates issued by DigiCert, a widely respected enterprise certificate authority (CA). DigiCert employs Certificate Revocation List (CRL) servers using HTTP on port 80 instead of HTTPS on port 443 to verify these certificates during Cloud Connector installation. Cloud Connector components, themselves, do not communicate over external port 80. The need for external port 80 is a byproduct of the certificate verification process that the operating system performs.

Here is the primary way to resolve this issue:

Citrix Cloud Computing

  • Download a new Connector installation package from the resource location page on Citrix Cloud.
  • Open HTTP port 80 to *.digicert.com on the Cloud Connector. This port is used during Cloud Connector installation and during the periodic CRL checks. For more information about how to test for CRL and OCSP connectivity, see https://www.digicert.com/kb/util/utility-test-ocsp-and-crl-access-from-a-server.htm on the DigiCert web site.
  • Ensure Windows Update are enabled and there’s connectivity from the Citrix Cloud Connector to the following URIs:
  • The following address needs to be contactable from the Cloud Connector machine(s) to ensure proper certificate validation: Ensure the machine has the Root and Intermediate certificates (used by the Citrix Cloud Installer) installed in the certificate store on the local machine. You can manually install the certificates by following the instructions below.
    • http://crl3.digicert.com
      http://crl4.digicert.com
      http://ocsp.digicert.com
      http://www.d-trust.net
      http://root-c3-ca2-2009.ocsp.d-trust.net
      http://crl.microsoft.com
      http://oneocsp.microsoft.com
      http://ocsp.msocsp.com
  • Communication with the following addresses is enabled:
    • [https://*.digicert.com]https://*.digicert.com
  • The following certificates are need to be installed:
    • https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
    • https://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt
    • https://cacerts.digicert.com/DigiCertGlobalRootG2.crt
    • https://cacerts.digicert.com/DigiCertGlobalRootCA.crt
    • https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt
    • https://www.d-trust.net/cgi-bin/D-TRUST_Root_Class_3_CA_2_2009.crt
    • https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt
    • https://www.microsoft.com/pkiops/certs/Microsoft%20EV%20ECC%20Root%20Certificate%20Authority%202017.crt
    • Installing the certificate

  1. Open the MMC certificate store on the Citrix Cloud Connector exhibiting the behavior
    https://msdn.microsoft.com/en-us/library/ms788967(v=vs.110).aspx. Make sure to select the Computer account option when prompted by the Certificates snap-in.

  2. Navigate to https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt and download the Root certificate.

  3. Open the certificate and choose “Install Certificate…”

  4. Ensure that the “local machine” option is targeted

  5. Validate that the Root certificate shows up under the proper Certificate Store

  6. Navigate to https://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt and download the Intermediate certificate.

  7. Open the certificate and choose “Install Certificate…”

  8. Ensure that the “local machine” option is targeted

  9. Validate that the Intermediate certificate shows up under the proper Certificate Store.

10. Repeat the above steps for missing required certificates listed in 'The following certificates are need to be installed:' section.

Problem Cause

The Citrix Cloud Connector installer is signed with a DigiCert signing certificate. During installation this certificate is programmatically validated in order to ensure integrity of the components downloaded. If the Root and Intermediate certificates are not trusted on the local machine, the installer cannot be successfully verified, preventing the installation from continuing.

Nutanix Instanton For Citrix Cloud

Note: This is usually not an issue if Windows Updates are automatically allowed.