This document applies to all the XenApp and XenDesktop services hosted in Citrix Cloud, including XenApp Essentials and XenDesktop Essentials.
Citrix Cloud manages the operation of the control plane for XenApp and XenDesktop environments. This includes the controllers, management consoles, SQL database, license server, and optionally StoreFront and NetScaler Gateway. The Virtual Delivery Agents (VDAs) hosting the apps and desktops remain under the customer's control in the data center of their choice, either cloud or on-premises. These components are connected to the cloud service using an agent called the Citrix Cloud Connector. If customers elect to use the StoreFront cloud service, they may also choose to use the NetScaler Gateway Service instead of running NetScaler Gateway within their data center. The diagram below illustrates the service and its security boundaries.
As the components hosted by the cloud service do not include the VDAs, the customer's application data and the golden images required for provisioning are always hosted within the customer's own environment. The control plane has access only to metadata, such as usernames, machine names, and application shortcuts, so the customer's intellectual property is not exposed to the control plane.
Data flowing between the cloud and customer premises uses secure TLS connections over port 443.
The XenApp and XenDesktop Service stores only metadata needed for the brokering and monitoring of the customer’s applications and desktops. Sensitive information, including master images, user profiles, and other application data remain on the customer premises or in their subscription with a public cloud vendor.
The capabilities of the XenApp and XenDesktop Service vary by edition. For example, XenApp Essentials supports only the NetScaler Gateway Service and Citrix-Managed StoreFront. Consult the product documentation to learn more about supported features.
The service handles four types of credentials:
- User Credentials: When using a customer-managed StoreFront, user credentials are encrypted by the Citrix Cloud Connector using AES-256 encryption with a random one-time key generated for each launch. The key is never passed into the cloud and is returned only to Citrix Receiver. Citrix Receiver then passes this key directly to the VDA, which decrypts the user password during session launch to provide a single sign-on experience. The entire flow is shown in the figure below.
- Administrator Credentials: Administrators authenticate against Citrix Cloud, which uses the sign-on system from Citrix Online. This generates a one-time signed JSON Web Token (JWT) which gives the administrator access to the XenApp and XenDesktop Service.
- Hypervisor Passwords: On-premises hypervisors that require a password for authentication use a password generated by the administrator, which is stored encrypted in the SQL database in the cloud. The peer keys are managed by Citrix to ensure that hypervisor credentials are available only to authenticated processes.
- Active Directory (AD) Credentials: Machine Creation Services uses the connector for creating machine accounts in a customer's AD. Because the machine account of the connector has only read access to AD, the administrator is prompted for credentials for each machine creation or deletion operation. These credentials are stored only in memory and only held for a single provisioning event.
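The one-time-key flow for user credentials, as an added example (not Citrix's code): the Cloud Connector encrypts the password with a fresh random key, only the ciphertext is relayed through the cloud, and the VDA decrypts with the key it receives from Receiver. AES-GCM as the mode, the 12-byte nonce, and the LaunchBlob, ConnectorEncrypt and VDADecrypt names are assumptions; the page states only AES-256.

```go
// Added example, not Citrix code: models the one-time-key credential flow with
// AES-256-GCM (the mode is an assumption; the page states only AES-256).
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// LaunchBlob is all the control plane relays: nonce and ciphertext, never the key.
type LaunchBlob struct{ Nonce, Ciphertext []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("one-time key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ConnectorEncrypt plays the Cloud Connector: a fresh random key per launch; the
// key is returned separately (for Receiver) while only the blob crosses the cloud.
func ConnectorEncrypt(password []byte) (LaunchBlob, []byte, error) {
	buf := make([]byte, 32+12) // 32-byte key, 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return LaunchBlob{}, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	aead, err := newGCM(key)
	if err != nil {
		return LaunchBlob{}, nil, err
	}
	return LaunchBlob{nonce, aead.Seal(nil, nonce, password, nil)}, key, nil
}

// VDADecrypt plays the VDA: the key arrives from Receiver; a wrong key fails the tag.
func VDADecrypt(blob LaunchBlob, key []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, blob.Nonce, blob.Ciphertext, nil)
}
```

Because the cloud only ever holds the blob, a compromise of the relayed data alone does not reveal the password; the GCM tag also makes any tampering with the blob detectable at the VDA.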
Citrix recommends that users consult the published best practices documentation for deploying NetScaler Gateway applications and VDAs within their environments. Additional considerations regarding on-premises StoreFront deployment and network connectivity are as follows:
Citrix Cloud Connector network access requirements
The Citrix Cloud Connectors require only port 443 outbound traffic to the internet, and may be hosted behind an HTTP proxy.
The communication used in Citrix Cloud for HTTPS is TLS 1.0, 1.1, or 1.2.
Within the internal network, the connector needs access to the following for the XenApp and XenDesktop Service:
- VDAs (port 80, both inbound and outbound)* plus 1494 and 2598 inbound if using NetScaler Gateway Service
- StoreFront Servers (port 80 inbound)**
- NetScaler Gateways, if configured as a STA (port 80 inbound)**
- Active Directory domain controllers
- Hypervisors (outbound only; see hypervisor documentation for specific ports)
* Traffic between the VDAs and Connectors is encrypted using Kerberos message-level security.
** SSL is not yet supported in Citrix Cloud for the StoreFront or NetScaler traffic, so Citrix recommends configuring firewall rules, VLANs, and/or IPsec tunnels for these services.
A customer-managed StoreFront offers greater security configuration options and flexibility for deployment architecture, including the ability to maintain user credentials on-premises. The StoreFront can be hosted behind the NetScaler Gateway to provide secure remote access, enforce multifactor authentication, and add other security features.
NetScaler Gateway Service and Citrix-managed StoreFront
Using the NetScaler Gateway Service avoids the need to deploy NetScaler Gateway within customer data centers. To use the NetScaler Gateway Service, it is a prerequisite to use the StoreFront service delivered from Citrix Cloud. The data flow when using the NetScaler Gateway Service is shown in the figure below.
Note: This diagram shows the logical data flows. All TLS connections between the Cloud Connector and Citrix Cloud are initiated from the Cloud Connector to Citrix Cloud. No inbound firewall port mapping is required.
See the following resources for more security information:
Note: This document is intended to provide the reader with an introduction to and overview of the security functionality of Citrix Cloud; and to define the division of responsibility between Citrix and customers with regard to securing the Citrix Cloud deployment. It is not intended to serve as a configuration and administration guidance manual for Citrix Cloud or any of its components or services.