Secure Browser service
The Citrix Secure Browser service isolates web browsing to protect the corporate network from browser-based attacks. It delivers consistent, secure remote access to internet-hosted web applications, with no need for user device configuration. Administrators can rapidly roll out secure browsers, providing instant time-to-value. By isolating internet browsing, IT administrators can offer end users safe internet access without compromising enterprise security.
Users log on through Citrix Workspace (or Citrix Receiver) and can open web apps in the configured web browser. The website does not directly transfer any browsing data to or from the user device, so the experience is secure.
The Secure Browser service can publish secure browsers for use with:
- Unauthenticated external web apps. Although typically not recommended, unauthenticated external web apps might be used for a simple proof of concept.
- Authenticated external web apps. Publishing authenticated external web apps requires a resource location containing at least one Cloud Connector (two or more are recommended). For details, see Citrix Cloud Connector.
The service also offers:
- Integration of published apps with Citrix Workspace
- Integration of published apps with on-premises StoreFront
- Simple URL whitelisting for security
- Usage monitoring
- Controls for clipboard use, printing, kiosk mode, region failover, and client drive mapping
- December 2019: You can configure URL Filtering to control access methods based on pre-defined categories associated with risk models. For more information, see Manage published secure browsers.
- December 2019: You can configure host name tracking to log host names visited during a user’s session. For more information, see Manage published secure browsers.
- November 2019: You can publish the new type of secure browser with shared passcode authentication. After publishing a browser, ensure that you save the passcode and share it with the users. For more information, see Publish a secure browser.
- October 2019: You can enable the URL parameters policy to identify suspicious links and redirect them to Secure Browser when users start a new session. For more information, see the Policy section.
- June 2019: The Secure Browser can now automatically transfer your published browser to a different region if your current region is reporting an issue. To opt out, you must disable the Region failover policy. For more information, see the Policy section.
- March 2019: This release contains enhancements that help improve overall performance and stability.
- November 2018: You can enable the Client drive mapping policy to upload and download the files to and from the remote session. For more information, see the Policy section.
- November 2018: Configure a secure browser to automatically connect you to the closest region based on your geolocation. For more information, see Publish a secure browser.
- October 2018: Secure Browser is adapted for use in five languages. For globalization information, see CTX119253.
- October 2018: Additional region support: Secure Browser supports the Australia East region.
- September 2018: You can now download a custom icon for your published browser. For more information, see Publish a secure browser.
- August 2018: The Citrix Secure Browser service is now integrated with Citrix Workspace. For details, see Integration with Citrix Workspace.
- August 2018: Additional region support: When you publish a secure browser, you can choose among the following regions: US East, US West, Europe West, and Southeast Asia.
Here’s a video about getting started with Secure Browser.
- Sign in to Citrix Cloud. If you don’t have an account, see Sign up for Citrix Cloud. You can request a 30-day trial of the Citrix Secure Browser service.
- In the Secure Browser Service tile, click Request Trial.
- In a few moments, you’ll receive an email (the email associated with your Citrix Cloud account). Click the Sign-in link in the email.
- After you’re in Citrix Cloud again, click Manage on the Secure Browser Service tile.
- On the Welcome to Secure Browser page, click Let’s Get Started. You’re guided to publish your first secure browser.
For information about purchasing the Citrix Secure Browser service, click How to Buy on the Citrix Cloud home page.
Integration with Citrix Workspace
Secure Browser can be integrated with Citrix Workspace. To ensure that it’s integrated:
- Sign in to Citrix Cloud.
- In the upper left menu, select Workspace Configuration.
- Select the Service Integrations tab.
- The Secure Browser service entry indicates Enabled. If it does not, click the ellipsis menu and select Enable.
You can authenticate using Active Directory or Azure Active Directory. If you choose Azure Active Directory, the on-premises domain containing your Active Directory Domain Controllers must contain one (preferably two) Cloud Connectors. For more information, see:
Integrate with your on-premises StoreFront
Citrix Virtual Apps and Desktops customers with an on-premises StoreFront can easily integrate with the Secure Browser Service to provide the following benefits:
- Aggregate your published secure browsers with your existing Citrix Virtual Apps and Desktops apps for a unified store experience.
- Use native Citrix Receivers for enhanced end user experience.
- Strengthen security for Secure Browser launches by using your existing multifactor authentication solution integrated with your StoreFront.
For details, see CTX230272 and the StoreFront configuration documentation.
Publish a secure browser
If you haven’t published a secure browser yet, begin with step 3.
- If you’re not already in Citrix Cloud, sign in. In the Secure Browser Service tile, click Manage.
- On the Manage tab, click Publish a Secure Browser.
- Select the type of secure browser to publish: shared passcode, authenticated, or unauthenticated. Then click Continue. By default, users must launch apps with shared passcode authentication using launch.cloud.com. The unauthenticated apps are available to all Workspace subscribers (users) without user assignment. For authenticated apps, you must explicitly add users with Citrix Cloud Library.
- Enter the name, start URL, and select the region. By default, the icon of the Google Chrome executable is used when you publish a Secure Browser. You can now bring your own icon to represent a published browser.
- Click Change icon > Select icon to upload the icon of your choice, or choose Use default icon to use the existing Google Chrome icon.
- Choose among the following regions: West US, East US, Southeast Asia, Australia East, and West Europe.
- If you select Auto, your Secure Browser connects you to the closest region based on your geolocation.
- If you selected a browser with shared passcode authentication, enter the passcode to provide enhanced secure access to your app. The passcode must be at least 8 alphanumeric characters long. Ensure that you save the passcode and share it with the users. Users must enter the passcode when they launch an app.
- When you are done, click Publish. When the publishing completes, the Manage tab lists the browser you published.
- Use the Citrix Cloud Library to add users to the authenticated secure browser you created. Click the right arrow at the end of the row to expand the details pane containing a link to the Library.
- When you click that link, you are guided to the Library display containing your secure browser. Click the ellipsis on the tile containing the secure browser and click Manage Subscribers. For information about adding subscribers, see Assigning users and groups to service offerings using Library.
Manage published secure browsers
The Manage tab lists the published secure browsers. To access management tasks, click the ellipsis at the end of an entry’s row, and then select the task.
If you select a menu entry, and then decide not to change anything, cancel the selection by clicking the X outside the dialog box.
Time-out settings include:
- Idle Timeout: The number of minutes a session can remain idle before it is ended due to inactivity.
- Idle Warning Time: The number of minutes before ending a session that a warning message is sent to the user.
Setting an idle timeout of 20 and an idle warning time of 5 displays a message if there is no activity in the session for 15 minutes (20 minus 5). If the user does not respond, the session ends five minutes later.
When you’re done, click OK.
Settings on the policies page control the following:
- Clipboard: Enabling the Clipboard policy allows copy and paste operations to and from the remote session. (The Clipboard button is removed from the Citrix Workspace app toolbar.) By default, this setting is disabled.
- Printing: Enabling printing saves the remote webpage as a PDF and transfers it to the user’s device. The user can then press Ctrl-P and select the Citrix PDF printer. By default, this setting is disabled.
- Non-kiosk: Enabling non-kiosk mode restores the interface to the remote browser. The user can then access the address bar and create multiple tabs and windows. (Disabling non-kiosk mode removes the remote browser’s navigation controls and address bar.) By default, this setting is enabled (non-kiosk mode is on).
- Region failover: The Region failover policy automatically transfers your published browser to a different region if your current region is reporting an issue. To opt out, disable the Region failover policy. If you published the browser using the Auto region selection, your secure browser remains enrolled in the policy. By default, this setting is enabled.
- Client drive mapping: Enabling the Client drive mapping policy allows the user to upload and download files to and from the remote session. This feature is available only for sessions launched with the Citrix Workspace app. By default, this setting is disabled.
Users must save downloaded files only on the ctxmnt disk in the Anonxxx directory. To do that, users must navigate to the desired location for storing the file. For example, Anonxxx > ctxmnt > C > Users > User Name > Documents.
The dialog box might prompt the user to accept the Permit all access or Read and Write permissions to access the
- URL parameters: Enabling URL parameters allows you to change a new session’s starting URL when users launch an app. For this policy to take effect, configure a local proxy server to identify suspicious websites and redirect them to Secure Browser. By default, this setting is disabled.
- Hostname tracking: Use host name tracking to enable Secure Browser to log host names during a user’s session. This policy is disabled by default. This information is shared with Citrix Analytics. For more information, see Citrix Analytics.
When you’re done, click OK.
Use the Whitelists task to restrict users to visiting only whitelisted URLs within their published Secure Browser session. This feature is available for external authenticated web apps.
Enter whitelist entries in the form hostname:port number. Specify each entry on a new line. Asterisks are supported as wildcards. Browser requests must match at least one entry in the whitelist.
For example, to set https://example.com as a whitelisted URL:
- example.com:* allows connection to this URL from any port.
- example.com:80 allows connection to this URL only from port 80.
- *:* allows access to this URL from any port and from any links to other URLs and ports. The *.* format allows access to all external web apps from the published app. This format is the default setting for the external web apps URL whitelist field.
When you’re done, click OK.
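To review a whitelist before pasting it into the Whitelists task, the following added example (not Citrix code) parses hostname:port entries, checks URLs against them, and flags catch-all entries such as *:*. It assumes shell-style wildcard matching on the host name and that a URL without an explicit port uses its scheme's default; the service's actual matching rules may differ, and all function names and sample entries are hypothetical.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Assumption: a URL without an explicit port uses its scheme's default.
DEFAULT_PORTS = {"http": 80, "https": 443}
# Only host-name characters and '*' are accepted, so fnmatch sees no [ ] or ?.
HOST_RE = re.compile(r"[A-Za-z0-9.*-]+")

def parse_whitelist(text):
    """Parse one 'hostname:port' entry per line; raise on malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        port_ok = port == "*" or (port.isascii() and port.isdigit()
                                  and 1 <= int(port) <= 65535)
        if not sep or not HOST_RE.fullmatch(host) or not port_ok:
            raise ValueError(f"line {lineno}: expected hostname:port, got {line!r}")
        entries.append((host.lower(), port))
    return entries

def is_allowed(url, entries):
    """True if the URL's host and port match at least one entry."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    if not host or port is None:
        return False
    return any(fnmatchcase(host, h) and (p == "*" or int(p) == port)
               for h, p in entries)

def catch_all_entries(entries):
    """Entries whose host part is only wildcards and dots, such as *:*."""
    return [f"{h}:{p}" for h, p in entries if not h.strip("*.")]

# Constructed sample list, not taken from a real deployment.
SAMPLE = parse_whitelist("example.com:80\n*.example.com:443\n")

if __name__ == "__main__":
    for url in ("http://example.com:80/", "http://example.com:8080/",
                "https://app.example.com/", "https://example.com.other.test/"):
        print(url, is_allowed(url, SAMPLE))
```

Under these assumptions a pattern like *example.com (no dot after the asterisk) also matches unrelated hosts that merely end in that string, so prefer *.example.com plus an explicit example.com entry.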
Advanced web filtering capabilities are available through integration with the Access Control service. Learn more at Use case: Selective access to apps.
You can configure URL filtering to control access methods based on pre-defined categories associated with risk models. URL filtering options include:
- None - Allows all categories.
- Lenient - Maximizes access while still controlling risk from illegal and malicious websites.
- Moderate - Minimizes risk while allowing more categories with low probability of exposure from unsecure or malicious sites. Includes business travel, leisure, and social media websites.
- Strict - Minimizes the risk of accessing unsecured or malicious websites. End users can still access websites with low risk. Includes most business travel and social media websites.
When you’re done, click OK.
Use the Edit task to change the name, start URL, region of a published browser, or the passcode. When you’re done, click Publish.
Use the Delete task to remove a published secure browser. When you select this task, you’re prompted to confirm the deletion.
The Usage tab shows the:
- Number of initiated sessions
- Number of hours used
To create a spreadsheet containing usage details, click Export to CSV and select a timeframe.
Technical security overview
Secure Browser Service is a SaaS product managed and operated by Citrix. It allows access to web applications via an intermediate web browser hosted in the cloud.
The Citrix Secure Browser service consists of web browsers running on Virtual Delivery Agents (VDAs) along with the management console used to manage and connect users to these VDAs. Citrix Cloud manages the operation of these components, including the security and patching of operating systems, web browsers, and Citrix components.
While the Secure Browser service is in use, the hosted web browsers track the user’s browsing history and cache HTTP requests. Citrix uses mandatory profiles and ensures that this data is deleted when the browsing session ends.
Secure Browser service is accessed with an HTML5-compatible web browser. The service does not provide any downloadable clients. All traffic between the browser being used and cloud service is encrypted using industry-standard TLS encryption. Secure Browser supports TLS 1.2 only.
Citrix Secure Browser service is used to deliver web applications owned by the customer or a third party. The owner of the web application is responsible for its security, including patching the web server and application against vulnerabilities.
Security of the traffic between Secure Browser and the web application depends on the encryption settings of the web server. To protect this traffic as it flows over the Internet, administrators publish HTTPS URLs.
See the following resources for more security information:
- Citrix Security site: https://www.citrix.com/security
- Citrix Cloud documentation: Secure Deployment Guide for the Citrix Cloud Platform
For developers: Preview API for Secure Browser Service