When setting up a Citrix XenDesktop or XenApp environment in the public sector, you need to consider Federal regulation and security standards like Federal Information Processing Standards (FIPS) 140-2 and the United States Government Configuration Baseline (USGCB). Some specific situations and use cases may also require a specific configuration or product solution.
The following is a list of the top six considerations to keep in mind when configuring your network for the use of XenApp or XenDesktop in the public sector.
- FIPS 140-2 compliance: Making a network FIPS 140-2 compliant is one of the most important aspects for IT in the public sector. XenApp and XenDesktop 7.6 make it easier to be compliant because the VDA can natively use TLS/AES and FIPS, without network-level security like IPsec and without separate application components like SSL Relay. The FIPS-enabled NetScaler MPX-FIPS appliances can also cover the other connections, because they offer encrypted, FIPS-secured communication between Citrix Receiver and the NetScaler appliance, and between the NetScaler appliance and the XenApp and/or XenDesktop VDA and StoreFront. Keep in mind, however, that communication between NetScaler Gateway and the administrator consoles needs additional security to be FIPS compliant.
- Smart card: Smart card authentication is a requirement to use any federal computer system. Without smart card capabilities, a system is useless in the public sector. XenApp and XenDesktop have smart card capabilities in both single and multiple Active Directory forests. You can also configure XenApp and XenDesktop for single sign-on (SSO) authentication, as well as for remote smart card authentication with the use of a NetScaler Gateway.
- Legacy software and web apps: Few fixes exist to bring software and web apps written before regulations like FIPS 140-2 and HSPD 12 up to the government standard without recoding them. For FIPS 140-2 level 2 compliant encryption on legacy web applications, you can deploy NetScaler as a front-end proxy to enforce smart card authentication. Adding a FIPS-enabled NetScaler MPX appliance can also help organizations that still use Citrix Secure Gateway or Access Gateway with their Citrix environment to become FIPS 140-2 level 2 compliant.
- Configuration conflicts: USGCB settings may conflict with Citrix features; you can leave such a setting out if the feature's functionality outweighs the security concern, but doing so requires a Plan of Actions and Milestones (POA&M) waiver. For example, the FIPS-compliant algorithm setting conflicts with Citrix Provisioning Services, and setting the LAN Manager authentication level to "Send NTLMv2 response only" can cause issues between the domain and member servers. Other conflicts occur with various security protocols when establishing SSO authentication. No single configuration solution exists for SSO authentication, so be sure to consult the appropriate documentation before trying to achieve this functionality. For more information, see Section 2 of http://docs.citrix.com/content/dam/en-us/solutions/industries/downloadable_docs_public_sector/Configuring_Citrix_XenDesktop_7.6_and_NetScaler_Gateway_10.5_w_PIV_Smart_Card_Authentication.pdf
- Additional security: A good rule of thumb for any public sector network is as follows: if you can secure a connection, do so. XenDesktop and XenApp 7.6 use TLS/AES and FIPS natively, so you can apply this encryption from the same console. The FIPS-enabled NetScaler MPX-FIPS appliances can also provide appropriately encrypted gateways for remote access to web applications, as well as for remote access to the main network.
- Monitoring and analytics: When using NetScaler with XenDesktop to deliver desktops and applications, you have greater access to TCP-based network information and application-layer data gathered by the AppFlow protocol. HDX Insight lets you use AppFlow to access ICA session data all the way down to the virtual channels, such as video, voice, keystrokes, mouse clicks, and so on. You can push this data to other common monitoring tools, such as Splunk and SolarWinds.
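The two USGCB settings named under "Configuration conflicts" above can be audited on a Citrix server before the baseline is applied. The following PowerShell script is an added example, not part of the original article or of any Citrix product; it reads the standard Windows registry locations for the "Use FIPS compliant algorithms" and "LAN Manager authentication level" policies (assumed to be Windows Vista / Server 2008 or later) and flags the values the article says need testing or a POA&M waiver.

```powershell
# Added example: audit the two USGCB settings the article lists as Citrix conflict points.
# Registry paths are the standard Windows locations for these Local Security Policy settings.
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$fips = Join-Path $lsa 'FipsAlgorithmPolicy'

# "System cryptography: Use FIPS compliant algorithms..." -> Enabled = 1
$fipsEnabled = (Get-ItemProperty -Path $fips -Name Enabled -ErrorAction SilentlyContinue).Enabled
# "Network security: LAN Manager authentication level" -> LmCompatibilityLevel 0..5
$lmLevel = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel

$lmNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

$findings = @()

if ($null -eq $fipsEnabled) {
    $findings += [pscustomobject]@{ Setting = 'FipsAlgorithmPolicy'; Value = 'not configured'; Action = 'USGCB will set it to 1; test Provisioning Services first' }
} elseif ($fipsEnabled -eq 1) {
    $findings += [pscustomobject]@{ Setting = 'FipsAlgorithmPolicy'; Value = 1; Action = 'Enforced; verify Provisioning Services or document a POA&M waiver' }
} else {
    $findings += [pscustomobject]@{ Setting = 'FipsAlgorithmPolicy'; Value = $fipsEnabled; Action = 'Not enforced; USGCB deviation, needs a POA&M waiver' }
}

if ($null -eq $lmLevel) {
    $findings += [pscustomobject]@{ Setting = 'LmCompatibilityLevel'; Value = 'not configured (OS default)'; Action = 'USGCB will raise it; test domain/member-server auth first' }
} elseif ($lmLevel -ge 3) {
    # Level 3 and above all send NTLMv2 only, the setting the article says can break domain/member-server auth
    $findings += [pscustomobject]@{ Setting = 'LmCompatibilityLevel'; Value = "$lmLevel ($($lmNames[[int]$lmLevel]))"; Action = 'NTLMv2-only; verify member-server authentication to the domain' }
} else {
    $findings += [pscustomobject]@{ Setting = 'LmCompatibilityLevel'; Value = "$lmLevel ($($lmNames[[int]$lmLevel]))"; Action = 'Below USGCB level; needs a POA&M waiver if kept' }
}

$findings | Format-Table -AutoSize
```

Run it in an elevated session on each Delivery Controller, VDA and Provisioning Services host; the output is a starting point for the POA&M record, not a substitute for testing the affected features.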