Technical Security Overview for Session Manager and On-Premises XenApp and XenDesktop
Session Manager is a product managed by Citrix Cloud. When using the Session Manager Service to prelaunch sessions to an on-premises data center, the Desktop Delivery Controllers (DDC), StoreFront servers, Virtual Delivery Agents (VDAs), and any Citrix Gateways used for remote access remain under the customer’s control. The customer has security ownership over these components. You enable the new feature by using the TrustManagedAnonymousXmlServiceRequests setting. The XML Service should only accept incoming requests from trusted StoreFront servers when using this setting.
The Session Manager Service uses external ICA connections to internal VDAs to prelaunch sessions, and collects a limited amount of data from the on-premises DDC through the Citrix Cloud Connector to enable prelaunch configuration and monitoring from the cloud. The following diagram illustrates the service and its security boundaries.
XML Service Anonymous Prelaunch Considerations
As part of the Session Manager Service configuration, you must enable both the TrustRequestsSentTotheXmlServicePort and TrustManagedAnonymousXmlServiceRequests flags. The TrustManagedAnonymousXmlServiceRequests flag allows for the XML Service to accept anonymous prelaunch requests from StoreFront. These requests are not validated by the XML Service, and it is important to remember that you allow trusted StoreFront servers only to communicate with the XML service when using either of these settings.
To isolate the XML Service, it is possible to change the XML Service port. Follow the instructions in the article How to Change the XML Port in XenDesktop in the Citrix Support Knowledge Center to change the XML Service port. When the service is running on its own port, it is possible to use network isolation through firewalls or other technologies to keep the XML Service separated from user traffic.
Prelaunched Anonymous Sessions
The session tracking metadata that is stored in the site’s database designates the prelaunched anonymous sessions created in Session Manager. When a user obtains an ICA file for a prelaunched session, the session is converted to a standard anonymous session and can never be reused or connected to again. Standard non-prelaunched anonymous sessions cannot be connected to or modified by the Session Manager Service.
The Citrix Cloud Connector periodically uploads a limited set of metadata that is queried through the broker delegated admin API to allow for prelaunch configuration and monitoring from the Session Manager Service. The data includes Delivery Group names, session counts, application names, and VDA counts. The data is uploaded to an HTTPS server on port 443.
The on-premises StoreFront server is configured in a standard external access configuration to channel all ICA traffic through the Netscaler Gateway. The Session Manager Service makes calls to the on-premises StoreFront through Netscaler Gateway to enumerate and start anonymous applications. The on-premises StoreFront server trusts the Session Manager Service by using a certificate pinning mechanism that ensures requests are valid only for a single tenant and StoreFront store. When you configure the internal StoreFront for external access, the ICA file obtained from the internal StoreFront contains all of the information necessary to perform the prelaunch sequence from the Session Manager Service.
The Session Manager Service is a multi-tenant service. The metadata collected from each customer’s Citrix Cloud Connector is stored within this service. The collected metadata, along with configuration information is isolated between tenants. A limited number of authorized Citrix administrators have internal access to the collected metadata and configuration information for the purposes of maintenance or troubleshooting. External queries for collected customer data and configuration information require unique CWC administrator credentials.
Citrix Cloud Connector Network Access Requirements
The Citrix Cloud Connectors require that port 443 is open for outbound traffic to the Internet, and can be hosted behind an HTTP proxy. The communication protocol used in Citrix Cloud for HTTPS is TLS 1.2. Within the internal network, the connector will require a Help Desk admin level of delegated administration access to the Broker. You can be configure this by using Active Directory Machine Groups and the Administrators settings in Citrix Studio.
Citrix Gateway Access Requirements
The Session Manager Service must be able to tunnel through Netscaler Gateway to the internal StoreFront server. You grant access by configuring at least one of the Citrix Cloud Connectors as a STA server for the gateway. The Session Manager Service obtains a STA ticket from the Citrix Cloud STA Server for an internal connection. The ticket is then redeemed by Netscaler Gateway through the Citrix Cloud Connector’s connection to the same cloud-based STA server. Citrix Cloud services with access to the Citrix Cloud STA server can make connections to your internal resources through Netscaler Gateway with this configuration.
See the following resources for additional security information:
- Citrix Cloud Documentation: http://docs.citrix.com/en-us/citrix-cloud/
- Secure Deployment Guide for Citrix Gateway
This document is intended to provide the reader with an introduction to and overview of the security functionality of Citrix Cloud; and to define the division of responsibility between Citrix and customers with regard to securing the Citrix Cloud deployment. It is not intended to serve as a configuration and administration guidance manual for Citrix Cloud or any of its components or services.