Citrix Virtual Apps and Desktops service

Technical security overview

Security overview

This document applies to Citrix Virtual Apps and Desktops services hosted in Citrix Cloud (other than the Standard for Azure edition). This includes Citrix Virtual Apps Essentials and Citrix Virtual Desktops Essentials. (For Citrix Virtual Apps and Desktops Standard for Azure, see its security overview.)

Citrix Cloud manages the operation of the control plane for Citrix Virtual Apps and Desktops environments. This includes the Delivery Controllers, management consoles, SQL database, license server, and optionally StoreFront and Citrix Gateway (formerly NetScaler Gateway). The Virtual Delivery Agents (VDAs) hosting the apps and desktops remain under the customer’s control in the data center of their choice, either cloud or on-premises. These components are connected to the cloud service using an agent called the Citrix Cloud Connector. If customers elect to use Citrix Workspace, they can also choose to use the Citrix Gateway Service instead of running Citrix Gateway within their data center. The following diagram illustrates the service and its security boundaries.

Service security boundaries image

Data flow

The VDAs are not hosted by the service, so the customer’s application data and images required for provisioning are always hosted in the customer setup. The control plane has access to metadata, such as user names, machine names, and application shortcuts, restricting access to the customer’s Intellectual Property from the control plane.

Data flowing between the cloud and customer premises uses secure TLS connections over port 443.

Data isolation

The Citrix Virtual Apps and Desktops service stores only the metadata needed for the brokering and monitoring of the customer’s applications and desktops. Sensitive information, including master images, user profiles, and other application data remains on the customer premises or in their subscription with a public cloud vendor.

Service editions

The capabilities of the Citrix Virtual Apps and Desktops service vary by edition. For example, Citrix Virtual Apps Essentials supports only Citrix Gateway service and Citrix Workspace. Consult that product documentation to learn more about supported features.

Credential handling

The service handles four types of credentials:

  • User Credentials: When using a customer-managed StoreFront, the Cloud Connector encrypts user credentials using AES-256 encryption and a random one-time key generated for each launch. The key is never passed into the cloud; it is returned only to the Citrix Workspace app. The Citrix Workspace app then passes this key to the VDA to decrypt the user password during session launch for a single sign-on experience. The flow is shown in the figure below.

Flow figure image

  • Administrator Credentials: Administrators authenticate against Citrix Cloud. This generates a one-time signed JSON Web Token (JWT) which gives the administrator access to the Citrix Virtual Apps and Desktops service.
  • Hypervisor Passwords: On-premises hypervisors that require a password for authentication have a password generated by the administrator and directly stored encrypted in the SQL database in the cloud. Peer keys are managed by Citrix to ensure that hypervisor credentials are only available to authenticated processes.
  • Active Directory (AD) Credentials: Machine Creation Services uses the Cloud Connector for creating machine accounts in a customer’s AD. Because the machine account of the Cloud Connector has only read access to AD, the administrator is prompted for credentials for each machine creation or deletion operation. These credentials are stored only in memory, and are held only for a single provisioning event.

Deployment considerations

Citrix recommends that users consult the published best practices documentation for deploying Citrix Gateway applications and VDAs within their environments.

Citrix Cloud Connector network access requirements

The Citrix Cloud Connectors require only port 443 outbound traffic to the internet, and can be hosted behind an HTTP proxy.

  • The communication used in Citrix Cloud for HTTPS is TLS. (See Deprecation of TLS versions.)
  • Within the internal network, the Cloud Connector needs access to the following for the Citrix Virtual Apps and Desktops service:
    • VDAs: Port 80, both inbound and outbound, plus 1494 and 2598 inbound if using Citrix Gateway service.
    • StoreFront servers: Port 80 inbound.
    • Citrix Gateways, if configured as a STA: Port 80 inbound.
    • Active Directory domain controllers.
    • Hypervisors: Outbound only. See Communications Ports Used by Citrix Technologies for specific ports.

Traffic between the VDAs and Cloud Connectors is encrypted using Kerberos message-level security.

Customer-managed StoreFront

A customer-managed StoreFront offers greater security configuration options and flexibility for deployment architecture, including the ability to maintain user credentials on-premises. The StoreFront can be hosted behind the Citrix Gateway to provide secure remote access, enforce multifactor authentication, and add other security features.

Citrix Gateway service

Using the Citrix Gateway service avoids the need to deploy Citrix Gateway within customer data centers.

For details, see Citrix Gateway service.

All TLS connections between the Cloud Connector and Citrix Cloud are initiated from the Cloud Connector to Citrix Cloud. No inbound firewall port mapping is required.

XML trust

The XML trust setting applies to deployments that use:

  • An on-premises StoreFront.
  • A subscriber (user) authentication technology that does not require passwords. Examples of such technologies are domain pass-through, smart cards, SAML, and Veridium solutions.

Enabling the XML trust setting allows users to successfully authenticate and then start applications. The Cloud Connector trusts the credentials sent from StoreFront. Enable this setting only when you have secured communications between your Citrix Cloud Connectors and StoreFront (using firewalls, IPsec, or other security recommendations).

This setting is disabled by default.

Use the Citrix Virtual Apps and Desktops Remote PowerShell SDK to manage the XML trust setting.

  • To check the XML trust setting’s current value, run Get-BrokerSite and inspect the value of TrustRequestsSentToTheXMLServicePort.
  • To enable XML trust, run Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
  • To disable XML trust, run Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $false

Deprecation of TLS versions

To improve the security of the Citrix Virtual Apps and Desktops service, Citrix began blocking any communication over Transport Layer Security (TLS) 1.0 and 1.1 as of March 15, 2019.

All connections to Citrix Cloud services from Citrix Cloud Connectors require TLS 1.2.
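As an added example (not Citrix's own code), the following PowerShell script, run on a Cloud Connector host, checks the port requirements listed under Citrix Cloud Connector network access requirements together with the TLS 1.2 requirement above; the VDA hostnames and the test URL are constructed placeholders, and the SCHANNEL registry check assumes the usual Windows semantics (a missing key means the OS default applies).

```powershell
# Added example (not from the Citrix documentation). Run on a Cloud Connector host.
# $Vdas and $CloudUri are constructed placeholders; replace them with your own values.
$Vdas     = @('vda01.example.local', 'vda02.example.local')
$CloudUri = 'https://www.citrix.com/'

function Test-OutboundTcp {
    param([string]$Target, [int]$Port, [string]$Purpose)
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = $Purpose; Target = "${Target}:${Port}"; Ok = [bool]$r.TcpTestSucceeded }
}

function Test-LocalListener {
    param([int]$Port, [string]$Purpose)
    $l = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = $Purpose; Target = "localhost:${Port}"; Ok = [bool]$l }
}

function Test-TlsClientProtocol {
    # SCHANNEL client key for the protocol: a missing key means the OS default applies;
    # Enabled=0 or DisabledByDefault=1 means the host will not offer that protocol.
    param([string]$Protocol)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\Client"
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $disabled = ($null -ne $v) -and (($v.Enabled -eq 0) -or ($v.DisabledByDefault -eq 1))
    [pscustomobject]@{ Check = "$Protocol client offered"; Target = $key; Ok = -not $disabled }
}

$results = @()
# Connector -> VDA, port 80 (outbound)
foreach ($vda in $Vdas) { $results += Test-OutboundTcp -Target $vda -Port 80 -Purpose 'VDA port 80' }
# StoreFront and Gateway (STA) requests arrive inbound on port 80, so the Connector must listen there
$results += Test-LocalListener -Port 80 -Purpose 'Inbound 80 (StoreFront/STA)'
# Outbound 443: Test-NetConnection bypasses proxies, so use a request that honours the system proxy
try {
    $resp = Invoke-WebRequest -Uri $CloudUri -Method Head -UseBasicParsing -TimeoutSec 15
    $results += [pscustomobject]@{ Check = 'Outbound 443'; Target = $CloudUri; Ok = ($resp.StatusCode -lt 400) }
} catch {
    $results += [pscustomobject]@{ Check = 'Outbound 443'; Target = $CloudUri; Ok = $false }
}
# Citrix Cloud accepts only TLS 1.2 from Connectors, so the host must still be able to offer it
$results += Test-TlsClientProtocol -Protocol 'TLS 1.2'

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) { exit 1 }   # non-zero exit for scheduled monitoring
```

Any row with Ok = False points at a firewall rule, proxy setting or host TLS policy to correct before the Connector is expected to operate.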

Important:

CTX247067 contains current and complete guidance for all affected Citrix Cloud services.

Upgrade to the latest Citrix Receiver or Citrix Workspace app

To ensure successful connection to Citrix Workspace from user endpoint devices, the installed Citrix Receiver version must be equal to or newer than the version listed in the following table.

Receiver        Version
Windows         4.2.1000
Mac             12.0
Linux           13.2
Android         3.7
iOS             7.0
Chrome/HTML5    Latest (browser must support TLS 1.2)

To upgrade to the latest Citrix Receiver version, go to https://www.citrix.com/products/receiver/.

Alternatively, upgrade to the Citrix Workspace app, which uses TLS 1.2. To download the Citrix Workspace app, go to https://www.citrix.com/downloads/workspace-app/.

If you must continue using TLS 1.0 or 1.1 (for example, with a thin client based on an earlier Receiver for Linux version), install a StoreFront in your resource location and have all the Citrix Receivers point to it.

More information

The following resources contain security information:

Note:

This document is intended to provide the reader with an introduction to and overview of the security functionality of Citrix Cloud; and to define the division of responsibility between Citrix and customers with regard to securing the Citrix Cloud deployment. It is not intended to serve as a configuration and administration guidance manual for Citrix Cloud or any of its components or services.