Technical Security Overview
This document applies to all the features pertaining to Citrix Gateway service hosted in Citrix Cloud, including HDX transport and SaaS apps.
Citrix Cloud manages the operation for Citrix Gateway services, replacing the need for customers to manage the Citrix Gateway appliance. To use the Citrix Gateway service, customers must elect to use Workspace.
Citrix Gateway service provides the following capabilities:
- HDX connectivity for XenApp users – a globally available service providing secure connectivity from users in any location to virtual apps and desktops.
- Secure access to SaaS and Web applications – a unified user experience bringing configured SaaS and Web applications to end-users.
HDX Connectivity: The Virtual Delivery Agents (VDAs) hosting the apps and desktops remain under the customer’s control in the data center of their choice, either cloud or on-premises. These components are connected to the cloud service using an agent called the Citrix Cloud Connector.
SaaS apps: Software as a Service (SaaS) is a software distribution model to deliver software remotely as a Web-based service. Commonly used SaaS apps include Salesforce, Workday, Concur, GoToMeeting, and so forth.
SaaS apps can now be accessed using Citrix Gateway service. Citrix Gateway service provides authenticated access to third-party SaaS applications running within the customer environment. Along with Secure Access, Citrix Gateway service additionally protects users from untrusted links embedded in user-generated content.
Citrix Gateway service is a globally distributed multi-tenant service. End-users utilize the nearest Point-of-Presence (PoP) where the particular function they need is available, regardless of Citrix Cloud Control plane geo-selection or location of the applications being accessed. Configuration, such as authorization meta-data is replicated to all PoPs.
Logs used by Citrix for diagnostic, monitoring, business and capacity planning are secured and stored in one central location.
Customer configuration is stored in one central location and distributed globally to all Points-of-Presence.
Data flowing between the cloud and customer premises uses secure TLS connections over port 443.
Encryption keys used for user authentication and single sign-on are stored in hardware security modules.
The Citrix Gateway service stores the following data:
- Configuration data needed for the brokering and monitoring of the customer’s applications – data is scoped by customer when persisted.
- TOTP seeds for each user device – TOTP seeds are scoped by customer, user, and device.
Audit and Change Control
Citrix Gateway service does not currently make auditing and change control logs available to customers at the present time. Logs are available to Citrix which can be used to audit end-user and administrator activity.
The service handles two types of credentials:
- User Credentials: End-user credentials (passwords and authentication tokens) may be made available to Citrix Gateway service to perform:
- User authentication - Passwords are not persisted in memory beyond the lifetime of the user’s session. Passwords are not persisted to disk, nor included in any logs generated. All credentials are encrypted during transmission using TLS.
- Access control - The service uses the user’s identity to determine access to SaaS and Web applications and other resources.
- Single sign-on - The service may have access to the user’s password in order to complete the SSO function to internal web applications using HTTP Basic, NTLM or forms-based authentication. The password is encrypted by TLS unless specifically configured by the customer to use HTTP, in which case the password may be used ‘in plaintext’ (HTTP Basic authentication) within the customers network.
- Administrator Credentials: Administrators authenticate against Citrix Cloud. This generates a one-time signed JSON Web Token (JWT) which gives the administrator access to the management consoles in Citrix Cloud.
Points to note
- All traffic over public networks is encrypted by TLS, using certificates managed by Citrix.
- Keys used for SaaS App SSO (SAML signing keys) are fully managed by Citrix.
- For MFA, Citrix Gateway service stores per-device keys used to seed the TOTP algorithm.
- To enable Kerberos Single Sign-On functionality, customers may configure Gateway Connector with credentials (username + password) for a service account trusted to perform Kerberos Constrained Delegation.
Citrix recommends that users consult the published best practices documentation for deploying Citrix Gateway services. Additional considerations regarding SaaS and Web apps deployment, and network connector are as follows.
Selecting the correct Connector: The correct connector must be selected, depending on the use case:
|Use Case||Connector||Form factor|
|User Authentication: Active Directory||Citrix Cloud Connector||Windows software|
|HDX Connectivity||Citrix Cloud Connector||Windows software|
|SaaS access||Citrix Cloud Connector||N/A|
Citrix Cloud Connector network access requirements
Citrix Gateway service HDX Connectivity
Using the Citrix Gateway service avoids the need to deploy Citrix Gateway within the customer data centers. To use the Citrix Gateway service, it is a prerequisite to use the StoreFront service delivered from Citrix Cloud.
Customer Best Practices
Customers are recommended to use TLS within their network and not enable SSO for applications over HTTP.