Technical Security Overview
This document applies to all the features pertaining to Citrix Gateway service hosted in Citrix Cloud, including HDX transport, SaaS apps, and Enterprise Web apps.
Citrix Cloud manages the operation for Citrix Gateway services, replacing the need for customers to manage the Citrix Gateway appliance. Citrix Gateway service is provisioned through Citrix Workspace app.
Citrix Gateway service provides the following capabilities:
- HDX connectivity for XenApp users – a globally available service providing secure connectivity from users in any location to virtual apps and desktops.
- Secure access to SaaS applications – a unified user experience bringing configured SaaS applications to end-users.
- Secure access to Enterprise web applications – a unified user experience bringing configured Enterprise web applications to end-users.
HDX Connectivity: The Virtual Delivery Agents (VDAs) hosting the apps and desktops remain under the customer’s control in the data center of their choice, either cloud or on-premises. These components are connected to the cloud service using an agent called the Citrix Cloud Connector.
SaaS apps: Software as a Service (SaaS) is a software distribution model to deliver software remotely as a Web-based service. Commonly used SaaS apps include Salesforce, Workday, Concur, GoToMeeting, and so forth.
Enterprise web apps: Enterprise web app delivery using Citrix Gateway service enables enterprise-specific applications to be delivered remotely as a web-based service. Commonly used Enterprise web apps include SharePoint, Confluence, OneBug, and so on. You need Citrix Gateway Connector to access the Enterprise web apps.
SaaS apps and Enterprise web apps are provisioned through Citrix Workspace using Citrix Gateway service. The Citrix Gateway service coupled with Citrix Workspace provides a unified user experience for the configured Enterprise web apps, SaaS apps, configured virtual apps, or any other workspace resources. Along with Secure Access, Citrix Gateway service additionally protects users from untrusted links embedded in user-generated content.
Citrix Gateway service is a globally distributed multi-tenant service. End-users utilize the nearest Point-of-Presence (PoP) where the particular function they need is available, regardless of the Citrix Cloud control plane geo-selection or the location of the applications being accessed. Configuration, such as authorization metadata, is replicated to all PoPs.
Logs used by Citrix for diagnostics, monitoring, business, and capacity planning are secured and stored in one central location.
Customer configuration is stored in one central location and distributed globally to all PoPs.
Data flowing between the cloud and customer premises uses secure TLS connections over port 443.
Encryption keys used for user authentication and single sign-on are stored in hardware security modules.
The Citrix Gateway service stores the following data:
- Configuration data needed for the brokering and monitoring of the customer’s applications – data is scoped by customer when persisted.
- TOTP seeds for each user device – TOTP seeds are scoped by customer, user, and device.
Audit and Change Control
Currently, Citrix Gateway service does not make auditing and change control logs available to customers. Logs are available to Citrix and can be used to audit end-user and administrator activities.
The service handles two types of credentials:
- User credentials: End-user credentials (passwords and authentication tokens) may be made available to Citrix Gateway service to perform the following:
  - Access control - The service uses the user’s identity to determine access to SaaS and Enterprise web applications and other resources.
  - Single sign-on - The service may have access to the user’s password to complete SSO to internal web applications using HTTP Basic, NTLM, or forms-based authentication. Passwords are protected in transit by TLS unless you specifically configure HTTP Basic authentication.
- Administrator credentials: Administrators authenticate against Citrix Cloud. This generates a one-time signed JSON Web Token (JWT) which gives the administrator access to the management consoles in Citrix Cloud.
Points to note
- All traffic over public networks is encrypted by TLS, using certificates managed by Citrix.
- Keys used for SaaS app SSO (SAML signing keys) are fully managed by Citrix.
- For MFA, Citrix Gateway service stores per-device keys used to seed the TOTP algorithm.
- To enable Kerberos Single Sign-On functionality, customers may configure Gateway Connector with credentials (username + password) for a service account trusted to perform Kerberos Constrained Delegation.
Citrix recommends that users consult the published best practices documentation for deploying Citrix Gateway services. Additional considerations regarding SaaS apps, Enterprise web apps deployment, and the network connector are as follows.
Selecting the correct connector: Select the connector that matches the use case:
| Use Case | Connector | Form factor |
| --- | --- | --- |
| User Authentication: Active Directory | Citrix Cloud Connector | Windows software |
| HDX Connectivity | Citrix Cloud Connector | Windows software |
| SaaS apps access | Citrix Cloud Connector | N/A |
| Enterprise web apps access | Citrix Cloud Connector, Citrix Gateway Connector | N/A |
Citrix Cloud Connector network access requirements
For information on Citrix Cloud Connector network access requirements, see https://docs.citrix.com/en-us/citrix-cloud/overview/requirements/internet-connectivity-requirements.html
Citrix Gateway Connector network access requirements
For information on Citrix Gateway Connector network access requirements, see https://docs.citrix.com/en-us/citrix-gateway-service/gateway-connector.html
Citrix Gateway service HDX Connectivity
Using the Citrix Gateway service avoids the need to deploy Citrix Gateway within the customer data centers. Using the StoreFront service delivered from Citrix Cloud is a prerequisite for using the Citrix Gateway service.
Customer Best Practices
Citrix recommends that customers use TLS within their network and do not enable SSO for applications served over plain HTTP.