To secure the communication between your server farm and Citrix Workspace app for iOS, you can integrate your connections to the server farm with a range of security technologies, including Citrix Gateway.
Citrix recommends using Citrix Gateway to secure communications between StoreFront servers and users’ devices.
- A SOCKS proxy server or secure proxy server (also known as security proxy server, HTTPS proxy server). You can use proxy servers to limit access to and from your network and to handle connections between Citrix Workspace app for iOS and servers. Citrix Workspace app for iOS supports SOCKS and secure proxy protocols.
- Secure Web Gateway. You can use Secure Web Gateway with Web Interface to provide a single, secure, encrypted point of access through the Internet to servers on internal corporate networks.
- SSL Relay solutions with Transport Layer Security (TLS) protocols.
- A firewall. Network firewalls can allow or block packets based on the destination address and port. If you are using Citrix Workspace app for iOS through a network firewall that maps the server’s internal network IP address to an external Internet address (that is, network address translation, or NAT), configure the external address.
To enable remote users to connect to your Citrix Endpoint Management deployment through Citrix Gateway, you can configure certificates to work with StoreFront. The method for enabling access depends on the edition of Citrix Endpoint Management in your deployment.
If you deploy Citrix Endpoint Management in your network, allow connections from internal or remote users to StoreFront through Citrix Gateway by integrating Citrix Gateway with StoreFront. This deployment allows users to connect to StoreFront to access published applications from XenApp and virtual desktops from XenDesktop. Users connect through Citrix Workspace app for iOS.
Secure Web Gateway
This topic applies only to deployments using the Web Interface.
You can use the Secure Web Gateway in either Normal mode or Relay mode to provide a secure channel for communication between Citrix Workspace app for iOS and the server. No configuration of Citrix Workspace app for iOS is required if you are using the Secure Web Gateway in Normal mode and users are connecting through the Web Interface.
Citrix Workspace app for iOS uses settings that are configured remotely on the Web Interface server to connect to servers running the Secure Web Gateway.
If the Secure Web Gateway Proxy is installed on a server in the secure network, you can use the Secure Web Gateway Proxy in Relay mode. If you are using Relay mode, the Secure Web Gateway server functions as a proxy and you must configure Citrix Workspace app for iOS to use:
- The fully qualified domain name (FQDN) of the Secure Web Gateway server.
- The port number of the Secure Web Gateway server. Note that Relay mode is not supported by Secure Web Gateway Version 2.0.
The FQDN must list, in sequence, the following three components:
- Host name
- Intermediate domain
- Top-level domain
For example, my_computer.example.com is a FQDN, because it lists, in sequence, a host name (my_computer), an intermediate domain (example), and a top-level domain (com). The combination of intermediate and top-level domain (example.com) is generally referred to as the domain name.
Proxy servers are used to limit access to and from your network, and to handle connections between Citrix Workspace app for iOS and servers. Citrix Workspace app for iOS supports both SOCKS and secure proxy protocols.
When communicating with the Citrix Virtual Apps and Desktops server, Citrix Workspace app for iOS uses proxy server settings that are configured remotely on the Web Interface server.
When communicating with the Web server, Citrix Workspace app for iOS uses the proxy server settings that are configured for the default web browser on the user device. You must configure the proxy server settings for the default web browser on the user device accordingly.
Network firewalls can allow or block packets based on the destination address and port. If you are using a firewall in your deployment, Citrix Workspace app for iOS must be able to communicate through the firewall with both the web server and the Citrix server. For user device to web server communication, the firewall must permit HTTP traffic on the standard port: 80 for HTTP, or 443 if the web server uses HTTPS. For Citrix server communication, the firewall must permit inbound ICA traffic on port 1494 and, when session reliability is in use, port 2598.
If the firewall is configured for Network Address Translation (NAT), you can use Web Interface to define mappings from internal addresses to external addresses and ports. For example, if your Citrix Virtual Apps and Desktops server is not configured with an alternate address, you can configure Web Interface to provide an alternate address to Citrix Workspace app for iOS. Citrix Workspace app for iOS then connects to the server using the external address and port number.
Citrix Workspace app for iOS supports TLS 1.0, 1.1 and 1.2 with the following cipher suites for TLS connections to XenApp/XenDesktop:
Citrix Workspace app for iOS running on iOS 9 and later does not support the following TLS cipher suites:
Transport Layer Security (TLS) is the latest, standardized version of the SSL protocol. The Internet Engineering Task Force (IETF) renamed it TLS when it took over responsibility for the development of SSL as an open standard.
TLS secures data communications by providing server authentication, encryption of the data stream, and message integrity checks. Some organizations, including U.S. government organizations, require the use of TLS to secure data communications. These organizations may also require the use of validated cryptography, such as Federal Information Processing Standard (FIPS) 140. FIPS 140 is the U.S. government standard for validating cryptographic modules.
Citrix Workspace app for iOS supports RSA keys of 1024, 2048, and 3072-bit lengths. Root certificates with RSA keys of 4096-bit length are also supported.
Citrix Workspace app for iOS uses platform (iOS) crypto for connections between Citrix Workspace app for iOS and StoreFront.
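The following is an added example, not code from Citrix or from the Workspace app. It turns the client capabilities listed above (TLS 1.0, 1.1 and 1.2; RSA keys of 1024, 2048 and 3072 bits in any position; 4096-bit RSA only for the root certificate) into an offline policy check that you can run against a description of your gateway's TLS configuration and certificate chain before rolling out. The server version set and the certificate chain are constructed sample data; the `subject`, `key_type` and `key_bits` fields are this example's own representation, not a Citrix format.

```python
# Added example (not Citrix code): offline check of a TLS endpoint description
# against the client capabilities this page documents for Citrix Workspace app
# for iOS: TLS 1.0/1.1/1.2, RSA keys of 1024/2048/3072 bits anywhere in the
# chain, and 4096-bit RSA only for the root certificate.

TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]   # weakest to strongest
CLIENT_VERSIONS = {"TLSv1.0", "TLSv1.1", "TLSv1.2"}       # from the page
DEPRECATED_VERSIONS = {"TLSv1.0", "TLSv1.1"}               # deprecated by RFC 8996
RSA_BITS_ANY_POSITION = {1024, 2048, 3072}
RSA_BITS_ROOT_ONLY = {4096}


def negotiated_version(server_versions):
    """Highest TLS version both sides support, or None if there is no overlap."""
    common = [v for v in TLS_ORDER if v in server_versions and v in CLIENT_VERSIONS]
    return common[-1] if common else None


def check_chain(chain):
    """chain: certificates leaf first, root last; each is a dict with
    'subject', 'key_type' and 'key_bits' (this example's own fields).
    Returns a list of findings; an empty list means the chain is within
    the documented limits."""
    findings = []
    for index, cert in enumerate(chain):
        is_root = index == len(chain) - 1
        subject, key_type, bits = cert["subject"], cert["key_type"], cert["key_bits"]
        if key_type != "RSA":
            # The page lists only RSA key lengths, so anything else is unverified.
            findings.append(f"{subject}: {key_type} keys are not listed as supported")
        elif bits in RSA_BITS_ANY_POSITION:
            if bits == 1024:
                # Supported by the client, but too weak for a trust anchor today.
                findings.append(f"{subject}: 1024-bit RSA is supported but weak; replace it")
        elif bits in RSA_BITS_ROOT_ONLY and is_root:
            pass  # 4096-bit RSA is fine for the root certificate only
        elif bits in RSA_BITS_ROOT_ONLY:
            findings.append(f"{subject}: 4096-bit RSA is supported only for the root certificate")
        else:
            findings.append(f"{subject}: {bits}-bit RSA is not a supported key length")
    return findings


def check_endpoint(server_versions, chain):
    """Combine the version and chain checks into one (version, findings) report."""
    report = list(check_chain(chain))
    version = negotiated_version(server_versions)
    if version is None:
        report.append("no TLS version in common with the client; the connection will fail")
    elif version in DEPRECATED_VERSIONS:
        report.append(f"would negotiate {version}; enable TLS 1.2 on the server")
    return version, report


# Constructed sample: a gateway offering TLS 1.2 and 1.3, with a chain whose
# intermediate CA uses a 4096-bit key (allowed for the root only).
if __name__ == "__main__":
    sample_chain = [
        {"subject": "CN=gateway.example.com", "key_type": "RSA", "key_bits": 2048},
        {"subject": "CN=Example Issuing CA", "key_type": "RSA", "key_bits": 4096},
        {"subject": "CN=Example Root CA", "key_type": "RSA", "key_bits": 4096},
    ]
    version, report = check_endpoint({"TLSv1.2", "TLSv1.3"}, sample_chain)
    print("negotiated:", version)
    for line in report:
        print("finding:", line)
```

Feed the function whatever your inventory tool reports for the gateway (for example, the protocol list and per-certificate key sizes from an `openssl s_client` transcript). The report flags two things the page states but that are easy to miss in practice: a server restricted to TLS 1.3 cannot be reached by this client at all, and a 4096-bit key is acceptable only on the root, not on an issuing CA or the server certificate.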
Configure and enable TLS
There are two main steps involved in setting up TLS:
- Set up SSL Relay on your Citrix Virtual Apps and Desktops server and your Web Interface server and obtain and install the necessary server certificate.
- Install the equivalent root certificate on the user device.
Install root certificates on user devices
To use TLS to secure communications between TLS-enabled Citrix Workspace app for iOS and Citrix Virtual Apps and Desktops, you need a root certificate on the user device that can verify the signature of the Certificate Authority on the server certificate.
iOS comes with about 100 commercial root certificates preinstalled, but if you want to use a different certificate, you can obtain one from the Certificate Authority and install it on each user device.
Depending on your organization’s policies and procedures, you may prefer to install the root certificate on each user device yourself (for example, by pushing a configuration profile through an MDM such as Citrix Endpoint Management) rather than directing users to install it. The manual alternative is to add the root certificate to the iOS keychain, as follows.
To add a root certificate to the keychain
- Send yourself an email with the certificate file.
- Open the certificate file on the device. iOS prompts you to install it as a configuration profile.
- Follow the prompts to add the certificate.
- Starting with iOS 10, verify that the certificate is trusted by going to iOS Settings > General > About > Certificate Trust Settings. Under Certificate Trust Settings, see the section “ENABLE FULL TRUST FOR ROOT CERTIFICATES.” Make sure that your certificate has been selected for full trust. A root certificate installed manually in this way is not trusted for TLS until this switch is turned on; a root certificate installed by an MDM is trusted automatically.
The root certificate is installed and can be used by TLS-enabled clients and by any other application using TLS.
XenApp Services site
Before you configure the XenApp Services site, note the following:
- Citrix Secure Gateway 3.x is supported by Citrix Workspace app for iOS using XenApp Services sites.
- Citrix Secure Gateway 3.x is supported by Citrix Workspace app for iOS using Citrix Virtual Apps Web sites.
- Only single-factor authentication is supported on XenApp Services sites; both single-factor and two-factor authentication are supported on Citrix Virtual Apps Web sites.
- You must use Web Interface 5.4, which is supported by all built-in browsers.
Before beginning this configuration, install and configure Citrix Gateway to work with Web Interface. You can adapt these instructions to fit your specific environment.
If you are using a Citrix Secure Gateway connection, do not configure Citrix Gateway settings on Citrix Workspace app for iOS.
Citrix Workspace app for iOS uses a XenApp Services site to get information about the applications a user has rights to and presents them to Citrix Workspace app for iOS running on the device. This is similar to the way you use the Web Interface for traditional SSL-based Citrix Virtual Apps connections for which a Citrix Gateway can be configured. XenApp Services sites running on the Web Interface 5.x have this configuration ability built in.
Configure the XenApp Services site to support connections from a Citrix Secure Gateway connection:
- In the XenApp Services site, select Manage secure client access > Edit secure client access settings.
- Change the Access Method to Gateway Direct.
- Enter the FQDN of the Secure Web Gateway.
- Enter the Secure Ticket Authority (STA) information.
For the Citrix Secure Gateway, Citrix recommends using the Citrix default path for this site (//XenAppServerName/Citrix/PNAgent). The default path enables your users to specify the FQDN of the Secure Web Gateway they are connecting to instead of the full path to the config.xml file that resides on the XenApp Services site (such as //XenAppServerName/CustomPath/config.xml).
To configure the Citrix Secure Gateway
- On the Citrix Secure Gateway, use the Citrix Secure Gateway Configuration wizard to configure the Citrix Secure Gateway to work with the server in the secure network hosting the XenApp Services site. After selecting the Indirect option, enter the FQDN path of your Secure Web Gateway server and continue the wizard steps.
- Test a connection from a user device to verify that the Secure Web Gateway is configured correctly for networking and certificate allocation.
To configure the mobile device
- When adding a Citrix Secure Gateway account, enter the matching FQDN of your Citrix Secure Gateway server in the Address field:
- If you created the XenApp Services site using the default path (/Citrix/PNAgent), enter the Secure Web Gateway FQDN: FQDNofSecureGateway.companyName.com
- If you customized the path of the XenApp Services site, enter the full path of the config.xml file, such as: FQDNofSecureGateway.companyName.com/CustomPath/config.xml
- If you are manually configuring the account, turn off the Citrix Gateway option in the New Account dialog.