highlights areas that may have an impact on system security when deploying and
Certificates in StoreFront
Server certificates are used for machine identification and transport security in StoreFront. If you decide to enable ICA file signing, StoreFront can also use certificates to digitally sign ICA files.
Authentication services and stores each require certificates for token management. StoreFront generates a self-signed certificate when an authentication service or store is created. Self-signed certificates generated by StoreFront should not be used for any other purpose.
To enable email-based account discovery for users installing Citrix Receiver on a device for the first time, you must install a valid server certificate on the StoreFront server. The full chain to the root certificate must also be valid. For the best user experience, install a certificate with a Subject or Subject Alternative Name entry of discoverReceiver.domain, where domain is the Microsoft Active Directory domain containing your users' email accounts. Although you can use a wildcard certificate for the domain containing your users' email accounts, you must first ensure that the deployment of such certificates is permitted by your corporate security policy. Other certificates for the domain containing your users' email accounts can also be used, but users will see a certificate warning dialog box when Citrix Receiver first connects to the StoreFront server. Email-based account discovery cannot be used with any other certificate identities. For more information, see Configure email-based account discovery.
If your users configure their accounts by entering store URLs directly into Citrix Receiver and do not use email-based account discovery, the certificate on the StoreFront server need only be valid for that server and have a valid chain to the root certificate.
In a production
environment, Citrix recommends using the Internet Protocol security (IPsec) or
HTTPS protocols to secure data passing between StoreFront and your servers.
IPsec is a set of standard extensions to the Internet Protocol that provides
authenticated and encrypted communications with data integrity and replay
protection. Because IPsec is a network-layer protocol set, higher level
protocols can use it without modification. HTTPS uses the Secure Sockets Layer
(SSL) and Transport Layer Security (TLS) protocols to provide strong data
The SSL Relay can
be used to secure data traffic between StoreFront and XenApp servers. The SSL
Relay is a default component of XenApp that performs host authentication and
securing communications between StoreFront and users' devices using NetScaler
Gateway and HTTPS. To use HTTPS, StoreFront requires that the Microsoft
Internet Information Services (IIS) instance hosting the authentication service
and associated stores is configured for HTTPS. In the absence of the appropriate IIS configuration, StoreFront
uses HTTP for communications.
Citrix strongly recommends that you do not enable unsecured user connections to StoreFront in a production environment.
SSL 2.0 is
enabled by default in IIS. As this protocol is now deprecated, Citrix
recommends disabling SSL 2.0 on StoreFront servers. For more information about
disabling protocols in IIS, see
If you deploy
any web applications in the same web domain (domain name and port) as
StoreFront, then any security risks in those web applications could potentially
reduce the security of your StoreFront deployment. Where a greater degree of
security separation is required, Citrix recommends that you deploy StoreFront
in a separate web domain.
ICA file signing
StoreFront provides the option to digitally sign ICA files using a specified certificate on the server so that versions of Citrix Receiver that support this feature can verify that the file originates from a trusted source. ICA files can be signed using any hash algorithm supported by the operating system running on the StoreFront server, including SHA-1 and SHA-256. For more information, see Enable ICA file signing.
User change password
You can enable Receiver for Web site users logging on with Active Directory domain credentials to change their passwords, either at any time or only when they have expired. However, this exposes sensitive security functions to anyone who can access any of the stores that use the authentication service. If your organization has a security policy that reserves user password change functions for internal use only, ensure that none of the stores are accessible from outside your corporate network. When you create the authentication service, the default configuration prevents Receiver for Web site users from changing their passwords, even if they have expired. For more information, see Optimize the user experience.