Technical security overview
This document applies to Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) hosted in Citrix Cloud. This information includes Citrix Virtual Apps Essentials and Citrix Virtual Desktops Essentials.
Citrix Cloud manages the operation of the control plane for Citrix DaaS environments. The control plane includes the Delivery Controllers, management consoles, SQL database, license server, and optionally StoreFront and Citrix Gateway (formerly NetScaler Gateway). The Virtual Delivery Agents (VDAs) hosting the apps and desktops remain under the customer’s control in the data center of their choice, either cloud or on-premises. These components are connected to the cloud service using an agent called the Citrix Cloud Connector. If customers elect to use Citrix Workspace, they can also choose to use the Citrix Gateway Service instead of running Citrix Gateway within their data center. The following diagram illustrates Citrix DaaS and its security boundaries.
Citrix cloud-based compliance
As of January 2021, the use of Citrix Managed Azure Capacity with various Citrix DaaS editions and Workspace Premium Plus has not been evaluated for Citrix SOC 2 (Type 1 or 2), ISO 27001, HIPAA, or other cloud compliance requirements. Visit the Citrix Trust Center for more information regarding Citrix Cloud Certifications, and check back frequently for updates.
Data flow
Citrix DaaS does not host the VDAs, so the customer’s application data and images required for provisioning are always hosted in the customer setup. The control plane has access to metadata, such as user names, machine names, and application shortcuts, which restricts the control plane’s access to the customer’s intellectual property.
Data flowing between the cloud and customer premises uses secure TLS connections over port 443.
Data isolation
Citrix DaaS stores only the metadata needed for the brokering and monitoring of the customer’s applications and desktops. Sensitive information, including images, user profiles, and other application data remains on the customer premises or in their public cloud vendor’s subscription.
Service editions
The capabilities of Citrix DaaS vary by edition. For example, Citrix Virtual Apps Essentials supports only Citrix Gateway service and Citrix Workspace. Consult that product documentation to learn more about supported features.
ICA Security
Citrix DaaS provides several options for securing ICA traffic in transit. The following are the options available:
- Basic encryption: The default setting.
- SecureICA: Allows encrypting session data using RC5 (128-bit) encryption.
- VDA TLS/DTLS: Allows using network-level encryption using TLS/DTLS.
- Rendezvous protocol: Available only when using the Citrix Gateway Service. When using the Rendezvous protocol, ICA sessions are encrypted end-to-end using TLS/DTLS.
When using basic encryption, traffic is encrypted as shown in the following graphic.
When using SecureICA, traffic is encrypted as shown in the following graphic.
SecureICA is not supported when using Workspace app for HTML5.
When using VDA TLS/DTLS encryption, traffic is encrypted as shown in the following graphic.
When using the Gateway Service without Rendezvous, the traffic between the VDA and the Cloud Connector is not TLS encrypted, because the Cloud Connector does not support connecting to the VDA with network-level encryption.
For more information about the ICA security options and how to configure them, see:
- SecureICA: Security policy settings
- VDA TLS/DTLS: Transport Layer Security
- Rendezvous protocol: Rendezvous protocol
Credential handling
Citrix DaaS handles four types of credentials:
- User Credentials: When using a customer-managed StoreFront, the Cloud Connector encrypts user credentials using AES-256 encryption and a random one-time key generated for each launch. The key is never passed into the cloud, and returned only to Citrix Workspace app. The Citrix Workspace app then passes this key to the VDA to decrypt the user password during session launch for a single sign-on experience. The flow is shown in the following figure.
By default, user credentials are not forwarded across untrusted domain boundaries. If a VDA and StoreFront are installed in one domain and a user in a different domain attempts to connect to the VDA, the logon attempt fails unless a trust is established between the domains. You can disable this behavior and allow credentials to be forwarded between untrusted domains using the DaaS PowerShell SDK. For more information, see Set-BrokerSite.
- Administrator Credentials: Administrators authenticate against Citrix Cloud. Authentication generates a one-time signed JSON Web Token (JWT) which gives the administrator access to Citrix DaaS.
- Hypervisor Passwords: On-premises hypervisors that require a password for authentication have an administrator-generated password that is directly stored encrypted in the SQL database in the cloud. Citrix manages peer keys to ensure that hypervisor credentials are only available to authenticated processes.
- Active Directory (AD) Credentials: Machine Creation Services uses the Cloud Connector for creating machine accounts in a customer’s AD. Because the machine account of the Cloud Connector has only read access to AD, the administrator is prompted for credentials for each machine creation or deletion operation. These credentials are stored only in memory, and are held only for a single provisioning event.
Deployment considerations
Citrix recommends that users consult the published best practices documentation for deploying Citrix Gateway applications and VDAs within their environments.
Citrix Cloud Connector network access requirements
The Citrix Cloud Connectors require only port 443 outbound traffic to the internet, and can be hosted behind an HTTP proxy.
- The communication used in Citrix Cloud for HTTPS is TLS. (See Deprecation of TLS versions.)
- Within the internal network, the Cloud Connector needs access to the following for Citrix DaaS:
  - VDAs: Port 80, both inbound and outbound, plus 1494 and 2598 inbound if using Citrix Gateway service.
  - StoreFront servers: Port 80 inbound.
  - Citrix Gateways, if configured as a STA: Port 80 inbound.
  - Active Directory domain controllers.
  - Hypervisors: Outbound only. See Communications Ports Used by Citrix Technologies for specific ports.
Traffic between the VDAs and Cloud Connectors is encrypted using Kerberos message-level security.
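The port requirements above can be expressed as an allow-list and used to review a firewall rule export from a Cloud Connector host. This is an added example, not Citrix code: the Rule record, the peer labels, the sample rules, and the reading of "inbound"/"outbound" as relative to the Cloud Connector are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out", read as relative to the Cloud Connector (assumption)
    peer: str       # hypothetical label: internet, vda, storefront, gateway_sta, ad, hypervisor
    port: int

# (peer, direction) -> allowed ports, copied from the requirements listed above.
BASE_POLICY = {
    ("internet", "out"): {443},
    ("vda", "in"): {80},
    ("vda", "out"): {80},
    ("storefront", "in"): {80},
    ("gateway_sta", "in"): {80},
}
# Only applies when Citrix Gateway service is in use.
GATEWAY_SERVICE_EXTRA = {("vda", "in"): {1494, 2598}}
# The page allows these flows but defers the port numbers to other documentation.
PORTS_NOT_LISTED = {("ad", "in"), ("ad", "out"), ("hypervisor", "out")}

def review(rules, gateway_service=False):
    """Return (rule, verdict) pairs: 'ok', 'violation' or 'check-manually'."""
    policy = {key: set(ports) for key, ports in BASE_POLICY.items()}
    if gateway_service:
        for key, ports in GATEWAY_SERVICE_EXTRA.items():
            policy.setdefault(key, set()).update(ports)
    results = []
    for rule in rules:
        key = (rule.peer, rule.direction)
        if key in PORTS_NOT_LISTED:
            verdict = "check-manually"
        elif rule.port in policy.get(key, set()):
            verdict = "ok"
        else:
            verdict = "violation"  # covers any inbound rule from the internet
        results.append((rule, verdict))
    return results

def violations(rules, gateway_service=False):
    return [r for r, verdict in review(rules, gateway_service) if verdict == "violation"]

# Constructed sample export, not taken from a real deployment.
SAMPLE_RULES = [
    Rule("out", "internet", 443), Rule("in", "internet", 443),
    Rule("out", "internet", 80), Rule("in", "vda", 80),
    Rule("in", "vda", 1494), Rule("in", "storefront", 80),
    Rule("in", "hypervisor", 443), Rule("out", "ad", 389),
]

if __name__ == "__main__":
    for rule, verdict in review(SAMPLE_RULES):
        print(f"{verdict:15} {rule}")
```

Rules marked check-manually need the port list from Communications Ports Used by Citrix Technologies before they can be judged.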
Customer-managed StoreFront
A customer-managed StoreFront offers greater security configuration options and flexibility for deployment architecture, including the ability to maintain user credentials on-premises. The StoreFront can be hosted behind the Citrix Gateway to provide secure remote access, enforce multifactor authentication, and add other security features.
Citrix Gateway service
Using the Citrix Gateway service avoids the need to deploy Citrix Gateway within customer data centers.
For details, see Citrix Gateway service.
All TLS connections between the Cloud Connector and Citrix Cloud are initiated from the Cloud Connector to the Citrix Cloud. No in-bound firewall port mapping is required.
XML trust
This setting is available in Full Configuration > Settings > Enable XML trust and is disabled by default. Alternatively, you can use the Citrix DaaS Remote PowerShell SDK to manage XML trust.
XML trust applies to deployments that use:
- An on-premises StoreFront.
- A subscriber (user) authentication technology that does not require passwords. Examples of such technologies are domain pass-through, smart cards, SAML, and Veridium solutions.
Enabling XML trust allows users to successfully authenticate and then start applications. The Cloud Connector trusts the credentials sent from StoreFront. Enable XML trust only when you have secured communications between your Citrix Cloud Connectors and StoreFront (using firewalls, IPsec, or other security recommendations).
This setting is disabled by default.
Use the Citrix DaaS Remote PowerShell SDK to manage XML trust.
- To check the XML trust current value, run Get-BrokerSite and inspect the value of TrustRequestsSentToTheXmlServicePort.
- To enable XML trust, run:
  Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
- To disable XML trust, run:
  Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $false
Enforce HTTPS or HTTP traffic
To enforce either HTTPS or HTTP traffic through the XML Service, configure one of the following registry value sets on each of your Cloud Connectors.
After you configure the settings, restart the Remote Broker Provider Service on each Cloud Connector.
- To enforce HTTPS (ignore HTTP) traffic: Set
- To enforce HTTP (ignore HTTPS) traffic: Set
Deprecation of TLS versions
To improve the security of Citrix DaaS, Citrix began blocking any communication over Transport Layer Security (TLS) 1.0 and 1.1 as of March 15, 2019.
All connections to Citrix Cloud services from Citrix Cloud Connectors require TLS 1.2.
To ensure successful connection to Citrix Workspace from user devices, the installed Citrix Receiver version must be equal to or newer than the following versions.
|Chrome/HTML5||Latest (browser must support TLS 1.2)|
To upgrade to the latest Citrix Receiver version, go to https://www.citrix.com/products/receiver/.
If you must continue using TLS 1.0 or 1.1 (for example, with a thin client based on an earlier Receiver for Linux version), install a StoreFront in your resource location. Then, have all the Citrix Receivers point to it.
More information
The following resources contain security information:
Security and Compliance Information: The security and compliance center contains security bulletins that can help you stay informed. The center also has documentation about standards and certifications that are important in maintaining a secure and compliant IT environment.
Secure Deployment Guide for the Citrix Cloud Platform: This guide provides an overview of security best practices when using Citrix Cloud and describes the information Citrix Cloud collects and manages. This guide also contains links to comprehensive information about the Citrix Cloud Connector.
- Security considerations and best practices.
- Smart cards.
- Transport Layer Security (TLS).
This document is intended to provide the reader with an introduction to and overview of the security functionality of Citrix Cloud, and to define the division of responsibility between Citrix and customers with regard to securing the Citrix Cloud deployment. It is not intended to serve as a configuration and administration guidance manual for Citrix Cloud or any of its components or services.