Citrix DaaS

Technical security overview

Security overview

This document applies to Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) hosted in Citrix Cloud. This information includes Citrix Virtual Apps Essentials and Citrix Virtual Desktops Essentials.

Citrix Cloud manages the operation of the control plane for Citrix DaaS environments. The control plane includes the Delivery Controllers, management consoles, SQL database, license server, and optionally StoreFront and Citrix Gateway (formerly NetScaler Gateway). The Virtual Delivery Agents (VDAs) hosting the apps and desktops remain under the customer’s control in the data center of their choice, either cloud or on-premises. These components are connected to the cloud service using an agent called the Citrix Cloud Connector. If customers elect to use Citrix Workspace, they can also choose to use the Citrix Gateway Service instead of running Citrix Gateway within their data center. The following diagram illustrates Citrix DaaS and its security boundaries.

Service security boundaries image

Citrix cloud-based compliance

As of January 2021, the use of Citrix Managed Azure Capacity with various Citrix DaaS editions and Workspace Premium Plus has not been evaluated for Citrix SOC 2 (Type 1 or 2), ISO 27001, HIPAA, or other cloud compliance requirements. Visit the Citrix Trust Center for more information regarding Citrix Cloud Certifications, and check back frequently for updates.

Data flow

Citrix DaaS does not host the VDAs, so the customer’s application data and images required for provisioning are always hosted in the customer setup. The control plane has access to metadata, such as user names, machine names, and application shortcuts, restricting access to the customer’s Intellectual Property from the control plane.

Data flowing between the cloud and customer premises uses secure TLS connections over port 443.

Data isolation

Citrix DaaS stores only the metadata needed for the brokering and monitoring of the customer’s applications and desktops. Sensitive information, including images, user profiles, and other application data remains on the customer premises or in their public cloud vendor’s subscription.

Service editions

The capabilities of Citrix DaaS vary by edition. For example, Citrix Virtual Apps Essentials supports only Citrix Gateway service and Citrix Workspace. Consult that product documentation to learn more about supported features.

ICA Security

Citrix DaaS provides several options for securing ICA traffic in transit. The following are the options available:

  • Basic encryption: The default setting.
  • SecureICA: Allows encrypting session data using RC5 (128-bit) encryption.
  • VDA TLS/DTLS: Allows using network-level encryption using TLS/DTLS.
  • Rendezvous protocol: Available only when using the Citrix Gateway Service. When using the Rendezvous protocol, ICA sessions are encrypted end-to-end using TLS/DTLS.

Basic encryption

When using basic encryption, traffic is encrypted as shown in the following graphic.

Traffic encryption when using basic encryption

SecureICA

When using SecureICA, traffic is encrypted as shown in the following graphic.

Traffic encryption when using SecureICA

Note:

SecureICA is not supported when using Workspace app for HTML5.

VDA TLS/DTLS

When using VDA TLS/DTLS encryption, traffic is encrypted as shown in the following graphic.

Traffic encryption when using TLS/DTLS

Note:

When using the Gateway Service without Rendezvous, the traffic between the VDA and the Cloud Connector is not TLS encrypted, because the Cloud Connector does not support connecting to the VDA with network-level encryption.

More resources

For more information about the ICA security options and how to configure them, see:

Credential handling

Citrix DaaS handles four types of credentials:

  • User Credentials: When using a customer-managed StoreFront, the Cloud Connector encrypts user credentials using AES-256 encryption and a random one-time key generated for each launch. The key is never passed into the cloud, and returned only to Citrix Workspace app. The Citrix Workspace app then passes this key to the VDA to decrypt the user password during session launch for a single sign-on experience. The flow is shown in the following figure.

    By default, user credentials are not forwarded across untrusted domain boundaries. If a VDA and StoreFront are installed in one domain and a user in a different domain attempts to connect to the VDA, the logon attempt fails unless a trust is established between the domains. You can disable this behavior and allow credentials to be forwarded between untrusted domains using the DaaS PowerShell SDK. For more information, see Set-Brokersite.

    Flow figure image

  • Administrator Credentials: Administrators authenticate against Citrix Cloud. Authentication generates a one-time signed JSON Web Token (JWT) which gives the administrator access to Citrix DaaS.
  • Hypervisor Passwords: On-premises hypervisors that require a password for authentication have an administrator-generated password that is directly stored encrypted in the SQL database in the cloud. Citrix manages peer keys to ensure that hypervisor credentials are only available to authenticated processes.
  • Active Directory (AD) Credentials: Machine Creation Services uses the Cloud Connector for creating machine accounts in a customer’s AD. Because the machine account of the Cloud Connector has only read access to AD, the administrator is prompted for credentials for each machine creation or deletion operation. These credentials are stored only in memory, and are held only for a single provisioning event.

Deployment considerations

Citrix recommends that users consult the published best practices documentation for deploying Citrix Gateway applications and VDAs within their environments.

Citrix Cloud Connector network access requirements

The Citrix Cloud Connectors require only port 443 outbound traffic to the internet, and can be hosted behind an HTTP proxy.

  • The communication used in Citrix Cloud for HTTPS is TLS. (See Deprecation of TLS versions.)
  • Within the internal network, the Cloud Connector needs access to the following for Citrix DaaS:
    • VDAs: Port 80, both inbound and outbound. plus 1494 and 2598 inbound if using Citrix Gateway service
    • StoreFront servers: Port 80 inbound.
    • Citrix Gateways, if configured as a STA: Port 80 inbound.
    • Active Directory domain controllers
    • Hypervisors: Outbound only. See Communications Ports Used by Citrix Technologies for specific ports.

Traffic between the VDAs and Cloud Connectors is encrypted using Kerberos message-level security.

Customer-managed StoreFront

A customer-managed StoreFront offers greater security configuration options and flexibility for deployment architecture, including the ability to maintain user credentials on-premises. The StoreFront can be hosted behind the Citrix Gateway to provide secure remote access, enforce multifactor authentication, and add other security features.

Citrix Gateway service

Using the Citrix Gateway service avoids the need to deploy Citrix Gateway within customer data centers.

For details, see Citrix Gateway service.

All TLS connections between the Cloud Connector and Citrix Cloud are initiated from the Cloud Connector to the Citrix Cloud. No in-bound firewall port mapping is required.

XML trust

This setting is available in Full Configuration > Settings > Enable XML trust and is disabled by default. Alternatively, you can use the Citrix DaaS Remote PowerShell SDK to manage XML trust.

XML trust applies to deployments that use:

  • An on-premises StoreFront.
  • A subscriber (user) authentication technology that does not require passwords. Examples of such technologies are domain pass-through, smart cards, SAML, and Veridium solutions.

Enabling XML trust allows users to successfully authenticate and then start applications. The Cloud Connector trusts the credentials sent from StoreFront. Enable XML trust only when you have secured communications between your Citrix Cloud Connectors and StoreFront (using firewalls, IPsec, or other security recommendations).

This setting is disabled by default.

Use the Citrix DaaS Remote PowerShell SDK to manage XML trust.

  • To check the XML trust current value, run Get-BrokerSite and inspect the value of TrustRequestsSentToTheXMLServicePort.
  • To enable XML trust, run Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
  • To disable XML trust, run Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $false

Enforce HTTPS or HTTP traffic

To enforce either HTTPS or HTTP traffic through the XML Service, configure one of the following registry value sets on each of your Cloud Connectors.

After you configure the settings, restart the Remote Broker Provider Service on each Cloud Connector.

In HKLM\Software\Citrix\DesktopServer\:

  • To enforce HTTPS (ignore HTTP) traffic: Set XmlServicesEnableSsl to 1, and XmlServicesEnableNonSsl to 0.
  • To enforce HTTP (ignore HTTPS) traffic: Set XmlServicesEnableNonSsl to 1, and XmlServicesEnableSsl to 0.

Deprecation of TLS versions

To improve the security of Citrix DaaS, Citrix began blocking any communication over Transport Layer Security (TLS) 1.0 and 1.1 as of March 15, 2019.

All connections to Citrix Cloud services from Citrix Cloud Connectors require TLS 1.2.

To ensure successful connection to Citrix Workspace from user devices, the installed Citrix Receiver version must be equal to or newer than the following versions.

Receiver Version
Windows 4.2.1000
Mac 12.0
Linux 13.2
Android 3.7
iOS 7.0
Chrome/HTML5 Latest (browser must support TLS 1.2)

To upgrade to the latest Citrix Receiver version, go to https://www.citrix.com/products/receiver/.

Alternatively, upgrade to the Citrix Workspace app, which uses TLS 1.2. To download the Citrix Workspace app, go to https://www.citrix.com/downloads/workspace-app/.

If you must continue using TLS 1.0 or 1.1 (for example, with a thin client based on an earlier Receiver for Linux version), install a StoreFront in your resource location. Then, have all the Citrix Receivers point to it.

More information

The following resources contain security information:

Note:

This document is intended to provide the reader with an introduction to and overview of the security functionality of Citrix Cloud; and to define the division of responsibility between Citrix and customers with regard to securing the Citrix Cloud deployment. It is not intended to serve as a configuration and administration guidance manual for Citrix Cloud or any of its components or services.