Technical security overview
This document applies to all the Citrix Virtual Apps and Desktops services hosted in Citrix Cloud, including Citrix Virtual Apps Essentials and Citrix Virtual Desktops Essentials.
Citrix Cloud manages the operation of the control plane for Citrix Virtual Apps and Desktops environments. This includes the Delivery Controllers, management consoles, SQL database, license server, and optionally StoreFront and Citrix Gateway (formerly NetScaler Gateway). The Virtual Delivery Agents (VDAs) hosting the apps and desktops remain under the customer’s control in the data center of their choice, either cloud or on-premises. These components are connected to the cloud service using an agent called the Citrix Cloud Connector. If customers elect to use Citrix Workspace, they may also choose to use the Citrix Gateway Service instead of running Citrix Gateway within their data center. The diagram below illustrates the service and its security boundaries.
As the components hosted by the cloud service do not include the VDAs, the customer’s application data and golden images required for provisioning are always hosted within the customer setup. The control plane has access to metadata, such as usernames, machine names, and application shortcuts, restricting access to the customer’s Intellectual Property from the control plane.
Data flowing between the cloud and customer premises uses secure TLS connections over port 443.
The Citrix Virtual Apps and Desktops service stores only the metadata needed for the brokering and monitoring of the customer’s applications and desktops. Sensitive information, including master images, user profiles, and other application data remain on the customer premises or in their subscription with a public cloud vendor.
The capabilities of the Citrix Virtual Apps and Desktops service vary by edition. For example, Citrix Virtual Apps Essentials only supports Citrix Gateway service and Citrix Workspace. Consult product documentation to learn more about supported features.
The service handles four types of credentials:
- User Credentials: When using a customer-managed StoreFront, user credentials are encrypted by the Citrix Cloud Connector using AES-256 encryption and a random one-time key generated for each launch. The key is never passed into the cloud, and returned only to Citrix Workspace app. This key is then passed to the VDA directly by Citrix Workspace app to decrypt the user password during session launch for a single sign-on experience. The entire flow is shown in the figure below.
- Administrator Credentials: Administrators authenticate against Citrix Cloud, which uses the sign-on system from Citrix Online. This generates a one-time signed JSON Web Token (JWT) which gives the administrator access to the Citrix Virtual Apps and Desktops service.
- Hypervisor Passwords: On-premises hypervisors that require a password for authentication have a password generated by the administrator and directly stored encrypted in the SQL database in the cloud. Peer keys are managed by Citrix to ensure that hypervisor credentials are only available to authenticated processes.
- Active Directory (AD) Credentials: Machine Creation Services uses the connector for creating machine accounts in a customer’s AD. Because the machine account of the connector has only read access to AD, the administrator is prompted for credentials for each machine creation or deletion operation. These credentials are stored only in memory and only held for a single provisioning event.
Citrix recommends that users consult the published best practices documentation for deploying Citrix Gateway applications and VDAs within their environments. Additional considerations regarding on-premises StoreFront deployment and network connectivity are as follows:
Citrix Cloud Connector network access requirements
The Citrix Cloud Connectors require only port 443 outbound traffic to the internet, and may be hosted behind an HTTP proxy.
- The communication used in Citrix Cloud for HTTPS is TLS 1.0, 1.1, or 1.2. (See Deprecation of TLS versions below for in-progress changes.)
- Within the internal network, the connector needs access to the following for the Citrix Virtual Apps and Desktops service:
- VDAs (port 80, both inbound and outbound) plus 1494 and 2598 inbound if using Citrix Gateway service
- StoreFront servers (port 80 inbound)
- Citrix Gateways, if configured as a STA (port 80 inbound)
- Active Directory domain controllers
- Hypervisors (outbound only; see hypervisor documentation for specific ports)
Traffic between the VDAs and Cloud Connectors is encrypted using Kerberos message-level security.
A customer-managed StoreFront offers greater security configuration options and flexibility for deployment architecture, including the ability to maintain user credentials on-premises. The StoreFront can be hosted behind the Citrix Gateway to provide secure remote access, enforce multifactor authentication, and add other security features.
Citrix Gateway service and Citrix Workspace
Using the Citrix Gateway service avoids the need to deploy Citrix Gateway within customer data centers. To use the Citrix Gateway Service, it is a prerequisite to use the StoreFront service delivered from Citrix Cloud. The data flow when using Citrix Gateway service is shown in the figure below.
Note: This diagram shows the logical data flows. All TLS connections between the Cloud Connector and Citrix Cloud are initiated from the Cloud Connector to the Citrix Cloud. No in-bound firewall port mapping is required.
Deprecation of TLS versions
To improve the security of the Citrix Virtual Apps and Desktops service, Citrix will block any communication over Transport Layer Security (TLS) 1.0 and 1.1 as of March 15, 2019.
See CTX247067 for the most current and comprehensive guidance for all affected Citrix Cloud services.
Upgrade to the latest Citrix Receiver or Citrix Workspace app
To ensure successful connection to Citrix Workspace from user endpoint devices, the installed Citrix Receiver version must be equal to or greater than those listed below, which support TLS 1.2.
|Chrome/HTML5||Latest (Browser must support TLS 1.2)|
To upgrade to the latest Citrix Receiver version, go to https://www.citrix.com/products/receiver/.
CTX247067 describes how to retrieve a list of Citrix Receivers that are connecting to your Citrix Cloud environment for the Citrix Virtual Apps and Desktops service.
If you need to continue using TLS 1.0 or TLS 1.1
If you need to continue using TLS 1.0 or 1.1 (for example, if you are using a thin client based on an earlier version of Receiver for Linux), install a StoreFront in your resource location and have all of the Citrix Receivers point to it.
All connections to Citrix Cloud services from Citrix Cloud Connectors will require TLS 1.2. Citrix Provisioning and Machine Creation Services will allow TLS 1.0, 1.1, and TLS 1.2 connections by default (no action required) until later this year when they will change to TLS 1.2 only.
Optional: If your security policy requires strict enforcement of TLS 1.2 connections, make the registry setting changes described in CTX247067 on each of your Citrix Cloud Connectors.
See the following resources for more security information:
- Citrix security site: https://www.citrix.com/security
- Secure Deployment Guide for NetScaler
- Security considerations and best practices
- Smart cards
- Transport Layer Security (TLS)
This document is intended to provide the reader with an introduction to and overview of the security functionality of Citrix Cloud; and to define the division of responsibility between Citrix and customers with regard to securing the Citrix Cloud deployment. It is not intended to serve as a configuration and administration guidance manual for Citrix Cloud or any of its components or services.