# Citrix Web Client with Ubuntu

### Andrew Bolster

Researcher at the University of Liverpool, Founder/Director at Farset Labs

Ubuntu is one of those polarising technologies; Its really easy to use on a recreational basis, or as part of a institution/business wide rollout, but heartbreakingly awkward to use ‘alone’ within an entrenched business setting.

One such setting is that of Queen’s University; the only form of secure remote access that is made (quietly) availiable is through a Citrix XenApp gateway. Great in theory; everyone can take a slice of a virtualized desktop, do whatever they need to do, and that processing power and memory can be easially reappropriated when they’re done. Unfortunately, in an effort to be ‘secure’, you HAVE to use Windows, and you HAVE to have Internet Explorer installed, and you HAVE to install the propitiatory XenApp client.

Since I don’t have my completly legal MSDNAA-provided Windows 7 ISO handy, I couldn’t fire up a virtual machine to handle it, so I’m left with jerry rigging a solution using Citrix’s crippled linux client.

It all appears to be simple enough, even simpler than UbuntuGuide; download and extract the client called Citrix Reciever (and the additional USB support package, ctxusb), download and install the ‘.deb’ for ubuntu, or .rpm for RH/Fedora, or alternatively .tar.gz (YMMV), in which case you’ll need to run the installer.

sudo ./setupwfc

NOTE: only 32 bit clients are released, and in the case of Debian/RH based systems, you can force package installation to accept a 32 bit client on a 64 bit system. See Here for details.

Now, in an ideal world, that SHOULD be it, but Queen’s uses a CA (Certificate Authority) SSL Cert that isn’t shipped by default with Ubuntu (Specifically DigiCert High Assurance EV Root CA), so if you try and open up the Student Desktop link (that actually generates a launch.ica file) will crap out with “You have not chosen to trust the issuer of the server’s security certificate.”

Easy if obscure fix; grab the certificate (DigiCert or otherwise) and copy it to your keystore.

sudo cp ~/Downloads/*.crt /usr/lib/ICAClient/keystore/cacerts/

For newer versions of the client, this path has moved to…

 /usr/lib/ICAClient/linuxx86/keystore/cacerts/

Thanks to Rudolf for pointing that out to me!

And again, newer (12.1) appears in

/opt/Citrix/ICAClient/keystore/cacerts/

Now, even with all this setup, Google Chrome doesn’t like the arrangement, but Firefox copes handily.

UPDATE 2011/11/09 QUB appear to have changed their certificate authority (probably don’t want to pay for it…) So here is the new certificate to use (UTN-USERFirst-Hardware)