Secure Browser service
The Citrix Secure Browser service isolates web browsing to protect the corporate network from browser-based attacks. It delivers consistent, secure remote access to internet hosted web applications, with no need for user device configuration. Administrators can rapidly roll out secure browsers, providing instant time-to-value. By isolating internet browsing, IT administrators can offer end users safe internet access without compromising enterprise security.
Users log on through Citrix Workspace (or Citrix Receiver) and can open web apps in the configured web browser. The website does not directly transfer any browsing data to or from the user device, so the experience is secure.
The Secure Browser service can publish secure browsers for use with:
- Unauthenticated external web apps. Although typically not recommended, unauthenticated external web apps might be used for a simple proof of concept.
- Authenticated external web apps. To publish authenticated external web apps requires a resource location containing at least one Cloud Connector (two or more are recommended). For details, see Citrix Cloud Connector.
The service also offers:
- Integration of published apps with Citrix Workspace
- Integration of published apps with on-premises StoreFront
- Simple URL whitelisting for security
- Usage monitoring
- Controls for clipboard use, printing, kiosk mode, region failover, and client drive mapping
- June 2019: The Secure Browser can now automatically transfer your published browser to a different region if your current region is reporting an issue. To opt out, you need to disable the Region failover policy. For more information, see the Policy section.
- March 2019: This release contains enhancements that help improve overall performance and stability.
- November 2018: You can enable the Client drive mapping policy to upload and download the files to and from the remote session. For more information, see the Policy section.
- November 2018: Configure a secure browser to automatically connect you to the closest region based on your geolocation. For more information, see Publish a secure browser.
- October 2018: Secure Browser is adapted for use in five languages. For globalization information, see CTX119253.
- October 2018: Additional region support: Secure Browser supports the Australia East region.
- September 2018: You can now download a custom icon for your published browser. For more information, see Publish a secure browser.
- August 2018: The Citrix Secure Browser service is now integrated with Citrix Workspace. For details, see Integration with Citrix Workspace.
- August 2018: Additional region support: When you publish a secure browser, you can choose among the following regions: US East, US West, Europe West, and Southeast Asia.
- Sign in to Citrix Cloud. If you don’t have an account, see Sign up for Citrix Cloud. You can request a 30-day trial of the Citrix Secure Browser service.
- In the Secure Browser Service tile, click Request Trial.
- In a few moments, you’ll receive an email (the email associated with your Citrix Cloud account). Click the Sign in link in the email.
- After you’re in Citrix Cloud again, click Manage on the Secure Browser Service tile.
- On the Welcome to Secure Browser page, click Let’s Get Started. You’re guided to publish your first secure browser.
For information about purchasing the Citrix Secure Browser service, click How to Buy on the Citrix Cloud home page.
Integration with Citrix Workspace
Secure Browser can be integrated with Citrix Workspace. To ensure that it’s integrated:
- Sign in to Citrix Cloud.
- In the upper left menu, select Workspace Configuration.
- Select the Service Integrations tab.
- The Secure Browser service entry should indicate Enabled. If it does not, click the ellipsis menu and select Enable.
You can authenticate using Active Directory or Azure Active Directory. If you choose Azure Active Directory, the on-premises domain containing your Active Directory Domain Controllers must contain one (preferably two) Cloud Connectors. For more information, see:
Integrate with your on-premises StoreFront
Citrix Virtual Apps and Desktops customers with an on-premises StoreFront can easily integrate with the Secure Browser Service to provide the following benefits:
- Aggregate your published secure browsers with your existing Citrix Virtual Apps and Desktops apps for a unified store experience.
- Use native Citrix Receivers for enhanced end user experience.
- Strengthen security for Secure Browser launches by using your existing multifactor authentication solution integrated with your StoreFront.
For details, see CTX230272 and the StoreFront configuration documentation.
Publish a secure browser
If you haven’t published a secure browser yet, begin with step 3.
1. If you’re not already in Citrix Cloud, sign in. In the Secure Browser Service tile, click Manage.
2. On the Manage tab, click Publish a Secure Browser.
3. Select the type of secure browser to publish: external unauthenticated (default) or external authenticated. Then click Continue. By default, the unauthenticated apps are available to all Workspace subscribers (users) without user assignment. For authenticated apps, you must explicitly add users with Citrix Cloud Library.
4. Enter the name, start URL, and select the region. By default, the icon of the Google Chrome executable is used when you publish a Secure Browser. You can now bring your own icon to represent a published browser.
   - Click Change icon > Select icon to upload the icon of your choice, or choose Use default icon to use the existing Google Chrome icon.
   - Choose among the following regions: West US, East US, Southeast Asia, Australia East, and West Europe.
   - If you select Auto, your Secure Browser connects you to the closest region based on your geolocation.
5. When you are done, click Publish. When the publishing completes, the Manage tab lists the browser you published.
6. Use the Citrix Cloud Library to add users to the authenticated secure browser you created. Click the right arrow at the end of the row to expand the details pane containing a link to the Library.
7. When you click that link, you are guided to the Library display containing your secure browser. Click the ellipsis on the tile containing the secure browser and click Manage Subscribers. For information about adding subscribers, see Assigning users and groups to service offerings using Library.
Manage published secure browsers
The Manage tab lists the published secure browsers. To access management tasks, click the ellipsis at the end of an entry’s row, and then select the task.
If you select a menu entry, and then decide not to change anything, cancel the selection by clicking the X outside the dialog box.
Time-out settings include:
- Idle Timeout: The number of minutes a session can remain idle before it is ended due to inactivity.
- Idle Warning Time: The number of minutes before ending a session that a warning message is sent to the user.
For example, if you set an idle timeout of 20 and an idle warning time of 5, a message will be sent to the user if there is no activity in the session for 15 minutes (20 minus 5). If the user does not respond, the session will end five minutes later.
When you’re done, click OK.
Settings on the policies page control the following:
- Clipboard: Enabling the Clipboard policy allows copy and paste operations to and from the remote session. (The Clipboard button is removed from the Citrix Workspace app toolbar.) By default, this setting is disabled.
- Printing: Enabling printing saves the remote webpage as a PDF and transfers it to the user’s device. The user can then press Ctrl-P and select the Citrix PDF printer. By default, this setting is disabled.
- Non-kiosk: Enabling non-kiosk mode restores the interface to the remote browser. The user can then access the address bar and create multiple tabs and windows. (Disabling non-kiosk mode removes the remote browser’s navigation controls and address bar.) By default, this setting is enabled (non-kiosk mode is on).
- Region failover: The Region failover policy automatically transfers your published browser to a different region if your current region is reporting an issue. To opt out, you need to disable the Region failover policy. If you published the browser using the Auto region selection, your secure browser will remain enrolled in the policy. By default, this setting is enabled.
- Client drive mapping: Enabling the Client drive mapping policy allows the user to upload and download files to and from the remote session. This feature is available only for sessions launched with the Citrix Workspace app. By default, this setting is disabled.
Users must save downloaded files only on the ctxmnt disk in the Anonxxx directory. To do that, users need to navigate to the desired location for storing the file. For example, Anonxxx > ctxmnt > C > Users > User Name > Documents.
The dialog box might prompt the user to accept the Permit all access or Read and Write permissions to access the
When you’re done, click OK.
Use the Whitelists task to restrict users to visiting only whitelisted URLs within their published Secure Browser session. This feature is available for external authenticated web apps.
Enter whitelist entries in the form hostname:port number. Specify each entry on a new line. Asterisks are supported as wildcards. Browser requests must match at least one entry in the whitelist.
For example, to set https://example.com as a whitelisted URL:
- example.com:* allows connection to this URL from any port.
- example.com:80 allows connection to this URL only from port 80.
- *:* allows access to this URL from any port and from any links to other URLs and ports.
The *.* format allows access to all external web apps from the published app. This format is the default setting for the external web apps URL whitelist field.
When you’re done, click OK.
Advanced web filtering capabilities are available through integration with the Access Control service. Learn more at Use case: Selective access to apps.
Use the Edit task to change the name, start URL, or region of a published browser. When you’re done, click Publish.
Use the Delete task to remove a published secure browser. When you select this task, you’re prompted to confirm the deletion.
The Usage tab shows the:
- Number of initiated sessions
- Number of hours used
To create a spreadsheet containing usage details, click Export to CSV and select a timeframe.
Technical security overview
Secure Browser Service is a SaaS product managed and operated by Citrix. It allows access to web applications via an intermediate web browser hosted in the cloud.
The Citrix Secure Browser service consists of web browsers running on Virtual Delivery Agents (VDAs) along with the management console used to manage and connect users to these VDAs. Citrix Cloud manages the operation of these components, including the security and patching of operating systems, web browsers, and Citrix components.
While the Secure Browser service is in use, hosted web browsers may track the user’s browsing history and cache HTTP requests. Citrix uses mandatory profiles and ensures that this data is deleted when the browsing session ends.
Secure Browser service is accessed with an HTML5-compatible web browser. The service does not provide any downloadable clients. All traffic between the browser being used and cloud service is encrypted using industry-standard TLS encryption. Secure Browser supports TLS 1.2 only.
Citrix Secure Browser service is used to deliver web applications owned by the customer or a third party. The owner of the web application is responsible for its security, including patching the web server and application against vulnerabilities.
Security of the traffic between Secure Browser and the web application depends on the encryption settings of the web server. To protect this traffic as it flows over the Internet, administrators should publish HTTPS URLs.
See the following resources for additional security information:
- Citrix Security site: https://www.citrix.com/security
- Citrix Cloud documentation: Secure Deployment Guide for the Citrix Cloud Platform
For developers: Preview API for Secure Browser Service