Instructions

Ensure your cloud connections can access the Citrix Point-of-Presence URLs - *.nssvc.net (including all subdomains) as outlined in the DaaS requirements.

Reference: https://docs.citrix.com/en-us/citrix-cloud/overview/requirements/internet-connectivity-requirements.html#citrix-daas-service-connectivity 

If your organization’s security policy restricts the use of wildcard FQDNs, you can instead use the complete list of Citrix DaaS FQDNs provided in allowlist.json under Connector Common section.

US/APS: https://fqdnallowlistsa.blob.core.windows.net/fqdnallowlist-commercial/allowlist.json
Japan: https://fqdnallowlistsa.blob.core.windows.net/fqdnallowlist-japan/allowlist.json
Gov: https://fqdnallowlistsa.blob.core.windows.net/fqdnallowlist-gov/allowlist.json 

Additionally, ensure that SSL decryption is not applied to any of these URLs. Reference: https://docs.citrix.com/en-us/citrix-cloud/overview/requirements/internet-connectivity-requirements.html#ssl-decryption

Failure to maintain uninterrupted access to these FQDNs from Citrix Cloud Connectors may result in service disruption when the migration occurs.

Troubleshooting

This section outlines diagnostic steps to validate network readiness, detect proxy or SSL inspection issues, verify Cloud Connector health, and ensure successful communication with the updated Citrix DaaS hypervisor channel.

Validate Gateway Service Connectivity

The attached PowerShell script will validate:

• WinHTTP proxy configuration
• Bypass lists
• Ability to download allowlist.json
• TLS handshake validation
• Certificate chain validation against Citrix‑provided certificates
• Direct or proxy‑routed connectivity to Gateway Service POPs (*.g.nssvc.net) 

How to run the script:

1. Save the script as: Verify-CitrixGatewayConnectivity.ps1
2. Run PowerShell as Administrator on Citrix Cloud Connectors
3. Navigate to the script path and run:
   .\Verify-CitrixGatewayConnectivity.ps1
4. (Optional) For more details on the errors, you can run: .\Verify-CitrixGatewayConnectivity.ps1 -Verbose
5. Review pass/fail entries for any POPs unreachable, misconfigured, or impacted by SSL interception.

Action if failures occur:

• Ensure your firewall/proxy allows network access to all hosts in the allowlist
• Exclude these hosts from SSL inspection
• Confirm DNS resolution works for each endpoint

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

Citrix DaaS service is migrating the communication channel used to access some Hypervisors. This change will deliver a more stable and higher performing connection. This transition will be performed by the end of April 2026. It applies to all hosting connections to the following hypervisors:

· Amazon Web Services (AWS) EC2

· VMware

· XenServer