Hello, We've never been able to open webex meetings in Citrix Xenapp 7.6, our VDAs are Windows 2012 R2. I'm not sure what is required to run Webex meetings within XenApp or if it's possible. I just had a meeting request from Cisco and tried to open it in IE and Chrome an. There is no vendor Optimized Solution for Citrix / WebEx or Skype etc. Only Windows and Linux endpoints. Tough to push a solution that is supposed to enable you to work from anywhere on any device when it doesn't work on one of the primary Operating systems. We installed the Cisco VDI Client on Remote Client and using Cisco Webex on Citrix Hosted Shared desktop. The Webex Teams Client is registering from internal network over expressway, which seems to be correct, if I look at the deployment guide for VDI. Our Headset is passing through the session and can be used. (Webex Teams Audio Tests are working fine, Audio working fine, Webex Calls over Cloud.
- When connecting to Citrix from a laptop or desktop computer, it is possible to use the webcam, speakers, and microphone built into the device. In order to do this, you must first grant Citrix access to the devices. Start by getting logged into Citrix.
- Citrix Virtual Apps and Desktops (formerly known as XenApp and XenDesktop) provides AV optimization for Teams on VDI. With Citrix Virtual Apps and Desktops, Teams on VDI supports calling and meeting functionality in addition to chat and collaboration.
The Webex Meetings desktop app package includes two parts: the in-meeting app, which allows you to host or participate in meetings, and the pre-meeting app, which resides on your desktop.
You can use the pre-meeting desktop app to join meetings, whether or not you have a Webex account. If you sign in with a host account, you can start meetings instantly, schedule meetings, join your scheduled meetings, add integrations to join meetings from other apps, and detect nearby video devices. If you sign in with an attendee account, you can see and join your upcoming meetings and detect nearby video devices.
If you don't have an account or haven't signed in, you can still use the Webex Meetings desktop app as a guest to see your upcoming meetings, easily join your meetings, and connect to a video device.
Download and Install the Webex Meetings Desktop App
The Webex Meetings desktop app automatically downloads after starting or joining a Webex meeting from a Webex site or email invitation. Click the installation file to install it. Refer to the New Webex Sign-In Users and the New Webex Guest Users sections in the Cisco Webex Meetings Desktop App Installation Matrix.
If you want to install the app without joining a meeting first, you can also download it manually. Go here to get the download file, then follow steps 3—5 below to install the file.
Customers who are locked down to a specific meeting application version should get the download file directly from their Webex site. Follow the steps below.
If you have a previous version of the Webex Meetings desktop app, you have to uninstall that version before installing the new version. |
| 1 | Sign in to your Webex site. |
| 2 | Select Downloads > Cisco Webex Meetings Desktop App > Download. |
| 3 | Run the .msi (Windows) or .dmg (Mac) installation file and follow the instructions. The Webex Meetings desktop app opens when the installation is complete. |
| 4 | Enter your email address and select Sign In. |
| 5 | Select or enter your Webex site URL, and then enter your password. |
- Citrix Virtual Apps and Desktops
Objective
This article takes Microsoft Teams as an example to describe a modern website using OAuth 2.0 for Authentication.
Instructions
Webex Teams App Download
Browser Content Redirection is a technology built around a URL whitelisting mechanism. Two policies are exposed in Studio for that purpose:
i. Browser content redirection Access Control List (ACL) policy settings (a.k.a the ACL policy)
ii. Browser content redirection authentication sites (a.k.a the authentication sites policy)
While the description in edocs tries to cover the general cases, there are some websites using intrinsic redirection mechanisms that make the whitelisting process more difficult.
[Note: websites that rely on Integrated Windows Authentication, or that require a pop-up Windows Security message box are not handled correctly by BCR with CWA 1905 or older. This is because our overlay browser (HdxBrowser.exe or HdxBrowsercef.exe) cannot display that window, hence the user is stuck on a blank page. See CTX230052 (current limitations section)
CWA 1907 for Windows and higher fixes this problem].
Important Note:
For a website, once it is redirected to the client successfully(client fetch client render and/or server fetch client render), the authentication for the website is done by the client side, not by the VDA side.
So if the client machine is not domain joined, the authentication page will ask for user name and password (and maybe other multiple factor authentication ), the behavior shall be similar to the behavior of opening the website in a regular browser in the client machine.
After the overlay has established a connection to the server, the authentication is done between the overlay and the server (not between the VDA and the server).
As an example of BCR redirections, we will look into Microsoft Teams.
It is essential that the Developer Tools is used to understand the website's behavior before configuring any policy.
The 'Preserve Log' check-box should be ticked, otherwise entries are cleared automatically.
Microsoft Teams
A user typing http://teams.microsoft.com will get an HTTP 307 response from the webserver, repointing the browser to https://teams.microsoft.com
(Hence it is critical that the right syntax is used when whitelisting a website, like http or https, with or without www, etc - otherwise redirection might fail).
From that URL, the resource https://teams.microsoft.com/auth/prelogin is contacted by the browser, which eventually ends up being redirected to:
| https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=xxxxxxxxxxxxxxxxxxxxxxxxx&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fgo&state=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&&client-request-id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&x-client-SKU=Js&x-client-Ver=1.0.9&nonce=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1&domain_hint= |
Once the browser loads this page, it 'rests' and waits for user input. These redirections occured very fast, and the HdxVideo.js javascript that the Browser Content Redirection Chrome Extension needs to inject is not done in time.
In this case, the url https://login.microsoftonline.com/* needs to be whitelisted in the ACL policy in Studio.
Since Admins might not want to redirect the entire domain, better granularity can be achieved by leveraging a common parameter in OAuth 2.0 (redirect_uri, where the App name is embedded in the URL).
So whitelisting the following URL in the BCR ACL policy in Studio will achieve the objective, thanks to wildcards:
https://login.microsoftonline.com/*teams*
The Chrome Extension will now be able to inject HdxVideo.js, and the first redirection happens. The user will end up being redirected to an Office 365 Authentication website that is linked to Teams (see screenshot above), but this time the website will be running locally on the endpoint's overlay browser that is part of Workspace app (HdxBrowserCef.exe).
Important: Please note that any IdP/SSO websites your organization deployed to authenticate users in O365 will also need to be added to the Authentication Sites policy (e.g. https://mycompany.okta.com)
Please also note that Teams will require to add https://login.microsoftonline.com/login* to the Authentication Sites.
After a successful authentication, the overlay browser HdxBrowserCef.exe is pointed back to https://teams.microsoft.com
This URL (https://teams.microsoft.com/*) should now be whitelisted also in the 'Authentication Sites' policy in Studio.
Note: This might be somehow counter intuitive as the Authentication site is login.microsoftonline.com, not teams.microsoft.com - yet the problem in Teams is that the Chrome Extension is not loaded fast enough by the Browser and therefore injection fails on teams.microsoft.com.
Browser Content Redirection treats websites whitelisted under the Authentication sites policy as child websites that must remain redirected if the parent website was in the ACL whitelist policy. In the Teams case then, teams.microsoft.com is the child website of the parent login.microsoftonline.com
GoToMeeting
First thing to notice is that navigating to https://gotomeet.me/mymeetingID redirects to https://www.gotomeet.me/mymeetingID
Whitelisting without the 'www' will result in failure. So whitelisting https://www.gotomeet.me/* is the solution (in the ACL policy).
Note the use of the wildcard '*' - this allows you to whitelist any path for that URL.
After the webpage is redirected, the user can click 'Join meeting in browser', which points to:
https://app.gotomeeting.com/index.html?meetingId=xxxxxxxxxx
Note that this is a different FQDN. So if the user clicks on that link, he will fall back to server-side.
The solution is to whitelist https://app.gotomeeting.com/*
You can either add this to the ACL policy or to the Authentication Sites policy (or both).
The difference is that if you add it only to the ACL policy, if the user clicks on the link it will trigger a re-processing of the URL by the VDA (look up of that URL in the ACL entries), resulting in a few extra redirection steps.
If you add it to the Authentication Sites policy, then since the parent website is https://www.gotomeet.me/* and that is already whitelisted in the ACL policy, a re-processing of the URL by the VDA is not required and the experience is smoother (see last paragraph under the Teams section).
Of course there could be a scenario where the user types https://app.gotomeeting.com/index.html?meetingId=xxxxxxxxxx directly as the first URL in Chrome's navigation bar. Browser Content Redirection will only kick-in if that URL is on the ACL policy (that is because the Authentication Sites policy is only processed after an ACL match). So in order to prevent this exact scenario from failing, you can add the URL to the ACL and Authentication Sites policies (and hence the reference to 'both' in the paragraph above).
Microsoft Stream
Microsoft's corporate video-sharing platform runs as an Office 365 service.
The URL https://stream.microsoft.com/* needs to be whitelisted in the ACL policy.
That is because whitelisting https://web.microsoftstream.comwill not work, since that page redirects to login.microsoftonline.comusing HTTP response status code 302 Found, and that page in turn redirects to https://stream.microsoft.com.
Once the browser lands on that website, clicking on Sign In will redirect to https://login.microsoftonline.com/common/oauth2/*microsoftstream*
where the user finally will insert his credentials.
Hence the site https://login.microsoftonline.com/*microsoftstream* needs to be added to Authentication Sites.
(This is different from the behavior in Teams).
If you are using SSO solutions like OKTA, or ADFS, the URLs will need to be added under Authentication Sites also.
Finally, also add https://web.microsoftstream.com/* to the Authentication Sites.
Google Meet
Required policy setting are as follows.
'Browser Content Redirection Authentication Sites'
https://accounts.google.com/*
https://meet.google.com/*
'Browser Content Redirection ACL Configuration'
https://meet.google.com/*
https://apps.google.com/*
Any other website used for SSO (e.g. Okta) must be added to the Authentication Sites policy (it could be more than one).
These websites require WebRTC support, hence you must use Citrix Workspace app 1809 for Windows or higher.
Currently, outgoing screensharing is not supported when using BCR.
Cisco Webex Teams
Add https://teams.webex.com/* to the ACL policy.
Add https://idbroker.webex.com/* to the Authentication Sites policy. This entry might vary depending on your Organization's SSO configuration and IdP providers. Any website used for SSO must be added to the Authentication Sites policy (it could be more than one).
Cisco Webex Meetings
Citrix and Cisco collaborated on this and have a solution ready.https://www.cisco.com/c/en/us/td/docs/collaboration/meeting_center/wvdi/wvdi-b-admin-guide/wvdi-b-admin-guide_chapter_01.pdf
Additional Resources
Disclaimer