Technical Security Overview for Citrix Smart Tools
Citrix Smart Tools manages the deployment, scaling, and monitoring of Citrix and other enterprise applications. The machines that comprise these deployments are under the customer’s control in the resource location of their choice, either cloud or on-premises. In Smart Tools, a resource location is the cloud service provider or on-premises hypervisor where the customer launches virtual machines and deploys the blueprints that create the Citrix or enterprise application environments.
Each machine in a blueprint deployment is connected to the cloud service using the Citrix Smart Tools Agent. This agent is installed automatically on each machine that Smart Tools provisions. This agent can be installed manually, by the customer, on machines that already exist in the customer’s resource location that the customer wants Smart Tools to manage.
Citrix XenApp and XenDesktop Sites that use Smart Tools’ Smart Scale and Smart Check services are required to install the Citrix Smart Tools Site Agent. The Site Agent connects the Site to the cloud service in order to coordinate Delivery Group scaling and monitoring, perform scheduled health checks, and search for applicable fixes and updates. This agent is installed on one or more Delivery Controllers in the Site by the customer as part of registering the Site with the Smart Scale or Smart Check services.
Connectivity between Smart Tools and the customer’s resource location is dependent on access to the Internet. Cloud service providers, such as Amazon Web Services and Microsoft Azure, are Internet-accessible by definition. Therefore, resource locations using these providers are able to maintain connectivity with Smart Tools by default. On-premises hypervisors such as Citrix XenServer and VMware vSphere are typically behind a firewall, restricting Internet access. To provide connectivity between Smart Tools and resource locations using these on-premises hypervisors, the Smart Tools Agent is installed on a separate machine, or connector, which has access to both the Internet and the customer’s on-premises resource location.
As the components comprising a deployment are hosted in the customer’s resource location, the customer’s application data and any machine image templates used to provision virtual machines are always hosted within the customer’s resource location. Smart Tools has access to metadata such as email addresses, usernames, and machine names. Smart Tools also has access to Site information such as:
- Delivery Group and Machine Catalog GUIDs and names.
- Master image VM names associated with Machine Catalogs.
- Delivery Controller FQDNs, product version, and IP addresses.
- VDA DNS names, UUIDs, and other information used for power management functions such as load index, power state, and maintenance mode status.
- Site data uploaded by the customer through Call Home in XenApp and XenDesktop or Citrix Scout.
Smart Tools stores this information in a separate database instance for each customer.
Data flowing between Smart Tools and the machines in a customer’s resource location (either cloud or on-premises) or a customer’s Site uses secure HTTPS outbound connections over port 443. Data flowing between Smart Tools and a customer’s Site also uses secure HTTPS outbound connections over port 443.
Customer metadata, such as company name and user email address, are stored in a master database. All transactional data is stored in separate database instances so that each customer’s data is isolated from other customers. When customers authenticate against Citrix Cloud, they access only the data in their own account. They cannot access data of any other customer or user.
The service handles the following types of credentials:
- User and Administrator credentials: Account administrators and users authenticate against Citrix Cloud, which uses the sign-on system from Citrix Online. This generates a one-time signed JSON Web Token (JWT) which gives the administrator access to the Smart Tools service.
- Resource location passwords and secret keys: Resource locations that require a password or a secret key for authentication with Smart Tools are stored, encrypted and salted, in the cloud service database. Citrix owns the keys used to encrypt these credentials. After a customer supplies a password (as for an on-premises hypervisor) or a secret key (as for a cloud service provider) to Smart Tools through the user interface, the password or key is masked and cannot be rendered in plain text.
- Passwords and credentials used in deploying blueprints: Smart Tools blueprints can store passwords as input parameters as well as usernames and passwords that are used as impersonation credentials. These items are stored, encrypted and salted, in the cloud service database. Citrix owns the keys used to encrypt these credentials.
- Citrix administrator credentials: If a customer elects to use the Smart Scale and Smart Check services with a Site, Smart Tools prompts the customer to supply the username and password of a Citrix Full Administrator in order to register the Site with these services. The credentials enable Smart Tools to perform health checks, coordinate scaling actions, and apply fixes and updates to Delivery Controllers and Machine Catalogs in the Site on the customer’s behalf. These credentials are stored, encrypted and salted, in the cloud service database. Citrix owns the keys used to encrypt these credentials. After a customer supplies a password to Smart Tools through the user interface, the password is masked and cannot be rendered in plain text.
- Amazon Web Services key pairs: If a customer elects to deploy a blueprint to an Amazon EC2 resource location, Smart Tools prompts the customer to create a key pair, if one does not exist. The key pair enables the customer to access the instances that Smart Tools provisions on the customer’s behalf, by way of the blueprint. The public key is stored in the customer’s AWS account while the private key is managed by the customer. As the key pair is created, the customer must make a copy of the private key to keep in a safe place. Smart Tools does not store the private key, so the customer cannot retrieve it at a later time.
- Machine image credentials: To provision the machines specified in blueprints to an on-premises resource location, Smart Tools uses a machine image located in the customer’s resource location. These images include usernames and passwords for the local administrator account on the provisioned machine. When the customer deploys a blueprint to an on-premises resource location, the customer specifies the machine image to be used and the local administrator account credentials with which the image has been configured. Smart Tools uses these credentials to impersonate the local administrator on the provisioned machine and install the Smart Tools Agent. Smart Tools stores these credentials only if the customer elects to create a deployment profile. Smart Tools stores these credentials in a separate database instance for each customer. Citrix owns the keys used to encrypt these credentials. All encryption used by Citrix uses standards-based encryption algorithms.
Citrix recommends that customers consult the published best practices documentation for the resource location where they are deploying Smart Tools blueprints, for deploying NetScaler Gateway applications, and for deploying XenApp, XenDesktop, and XenMobile environments. For references, see the “More Information” section.
Agent Network Access Requirements
The machines that host the Smart Tools Agent, either as a connector or as part of a managed deployment, or the Smart Tools Site Agent, as part of a registered Site using the Smart Scale or Smart Check services, require only port 443 outbound traffic to the Internet, and may be hosted behind an HTTP proxy.
To install the Smart Tools Agent automatically on provisioned machines, as part of the blueprint deployment process, Smart Tools uses the following ports:
- Linux: port 22 (SSH)
- Windows: TCP port 135 (WMI)
Linux ports are used only with Citrix XenServer resource locations. Windows ports are used with Citrix XenServer and Microsoft Hyper-V resource locations. After agent installation, these ports can be disabled.
Security Best Practices
- Resource location security: All resource locations that are added to an account are accessible to all users of the account, regardless of user role. Remove resource locations promptly when they are no longer needed.
- Secure user management: The Administrator user role in Smart Tools has access to all service functions and is responsible for managing new and existing users and assigning user roles. Assign the Administrator role to only select account users to ensure prompt management of users and support requests.
- Secure blueprint management: Restrict publishing rights for internal or experimental blueprints to specific users. Additionally, avoid including any sensitive or confidential information in a blueprint that is shared with other Smart Tools users or published to the Blueprint Catalog.
- Secure password parameters: When using passwords as blueprint input parameters, ensure the information is stored in the blueprint using the Password input type. This ensures the password data is obfuscated appropriately when the blueprint is configured and deployed.
- Citrix Security: http://www.citrix.com/security
- Smart Tools documentation: http://docs.citrix.com/en-us/smart-tools
- Citrix Cloud Technical Security Overviews: https://docs.citrix.com/en-us/citrix-cloud/secure-browser-service/technical-security-overview.html
- Secure Deployment Guide for the Citrix Cloud Platform: https://docs.citrix.com/en-us/citrix-cloud/overview/secure-deployment-guide-for-the-citrix-cloud-platform.html
- Secure Deployment Guide for NetScaler: http://support.citrix.com/article/CTX129514
- XenApp and XenDesktop 7.6 Security: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-security-article.html
- Amazon Web Services Security Best Practices: http://aws.amazon.com/whitepapers/aws-security-best-practices/
- Microsoft Azure Trust Center - Security: http://azure.microsoft.com/en-us/support/trust-center/security/
- VMware Security Hardening Guides: https://www.vmware.com/security/hardening-guides
- Security Guide for Hyper-V in Windows Server 2012: https://technet.microsoft.com/en-us/library/Dn741280.aspx
Note: This document is intended to provide the reader with an introduction to and overview of the security functionality of Citrix Smart Tools; and to define the division of responsibility between Citrix and customers with regard to securing the Smart Tools service and deployed resources. It is not intended to serve as a configuration and administration guidance manual for Smart Tools or any of the components or services that are used in tandem.
© Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, Citrix Cloud, NetScaler, NetScaler Gateway, and other Citrix names marks appearing herein are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. Other marks are the property of their respective owner/s.