This document applies to all the XenApp and XenDesktop services hosted in Citrix Cloud, including XenApp Essentials and XenDesktop Essentials.
Citrix Cloud manages the operation of the control plane for XenApp and XenDesktop environments. This includes the controllers, management consoles, SQL database, license server, and optionally StoreFront and NetScaler Gateway. The Virtual Delivery Agents (VDAs) hosting the apps and desktops remain under the customer's control in the data center of their choice, either cloud or on-premises. These components are connected to the cloud service using an agent called the Citrix Cloud Connector. If customers elect to use the StoreFront cloud service, they may also choose to use the NetScaler Gateway Service instead of running NetScaler Gateway within their data center. The diagram below illustrates the service and its security boundaries.
Because the components hosted by the cloud service do not include the VDAs, the customer's application data and the golden images required for provisioning always stay within the customer's own deployment. The control plane sees only metadata, such as usernames, machine names, and application shortcuts, which limits the control plane's access to the customer's intellectual property.
Data flowing between the cloud and customer premises uses secure TLS connections over port 443.
The XenApp and XenDesktop Service stores only the metadata needed for brokering and monitoring the customer's applications and desktops. Sensitive information, including master images, user profiles, and other application data, remains on the customer premises or in the customer's subscription with a public cloud vendor.
The capabilities of the XenApp and XenDesktop Service vary by edition. For example, XenApp Essentials supports only the NetScaler Gateway Service and Citrix-managed StoreFront. Consult the product documentation to learn more about supported features.
The service handles four types of credentials:
Citrix recommends that users consult the published best practices documentation for deploying NetScaler Gateway applications and VDAs within their environments. Additional considerations regarding on-premises StoreFront deployment and network connectivity are as follows:
* The Citrix Cloud Connectors require only port 443 outbound traffic to the internet, and may be hosted behind an HTTP proxy.
* Traffic between the VDAs and Connectors is encrypted using Kerberos message-level security.
* SSL is not yet supported in Citrix Cloud for the StoreFront or NetScaler traffic, so Citrix recommends configuring firewall rules, VLANs, and/or IPsec tunnels for these services.
A customer-managed StoreFront offers more security configuration options and greater flexibility in deployment architecture, including the ability to keep user credentials on-premises. StoreFront can be hosted behind NetScaler Gateway to provide secure remote access, enforce multifactor authentication, and add other security features.
Using the NetScaler Gateway Service avoids the need to deploy NetScaler Gateway within customer data centers. Using the StoreFront service delivered from Citrix Cloud is a prerequisite for the NetScaler Gateway Service. The data flow when using the NetScaler Gateway Service is shown in the figure below.
Note: This diagram shows the logical data flows. All TLS connections between the Cloud Connector and Citrix Cloud are initiated from the Cloud Connector to Citrix Cloud. No inbound firewall port mapping is required.
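The connectivity requirements listed above (outbound 443 only, optional HTTP proxy, no inbound port mapping) can be audited on a Cloud Connector host with the following added check; it is example code written for this page, not a Citrix tool. It assumes Windows Server with PowerShell 5.1 and the built-in NetSecurity module, and `$CloudEndpoint` is a placeholder to be replaced with the Citrix Cloud hostname from the product documentation.

```powershell
function Test-ConnectorEgressPosture {
    param(
        # PLACEHOLDER: replace with the Citrix Cloud endpoint named in the product documentation.
        [string]$CloudEndpoint = 'cloud-endpoint.example.invalid'
    )
    $result = [ordered]@{}

    # Outbound path: direct, or via the system-wide WinHTTP proxy if one is set.
    # netsh prints either "Direct access (no proxy server)." or "Proxy Server(s) : host:port".
    $proxyText = (netsh winhttp show proxy) -join ' '
    $targetHost = $CloudEndpoint; $targetPort = 443
    if ($proxyText -match 'Proxy Server\(s\)\s*:\s*(\S+)') {
        # Take the first entry and tolerate the "https=host:port" form.
        $first = ($matches[1] -split ';')[0] -replace '^\w+=', ''
        $parts = $first -split ':'
        $targetHost = $parts[0]
        $targetPort = if ($parts.Count -gt 1) { [int]$parts[1] } else { 80 }
        $result['Proxy'] = $first
    } else {
        $result['Proxy'] = 'none (direct access)'
    }

    # 1. The only port the Connector needs to the internet is 443 outbound
    #    (or the proxy's port when the Connector sits behind an HTTP proxy).
    $tcp = Test-NetConnection -ComputerName $targetHost -Port $targetPort -WarningAction SilentlyContinue
    $result['OutboundTarget']    = "${targetHost}:${targetPort}"
    $result['OutboundReachable'] = [bool]$tcp.TcpTestSucceeded

    # 2. Sessions are initiated from the Connector, so every firewall profile
    #    can keep its default inbound action at Block.
    $profiles = Get-NetFirewallProfile
    $result['InboundDefaultBlock'] = @($profiles | Where-Object DefaultInboundAction -ne 'Block').Count -eq 0

    # 3. Enabled inbound allow rules: none should have been added for the Connector.
    $inboundAllow = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Select-Object -ExpandProperty DisplayName
    $result['EnabledInboundAllowRules'] = @($inboundAllow).Count

    [pscustomobject]$result
}

Test-ConnectorEgressPosture | Format-List
```

Run it in an elevated PowerShell session on the Connector host. When a proxy is configured, the reachability test only shows that the proxy port answers, not that the proxy permits CONNECT to port 443, so confirm that separately in the proxy's own logs.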
See the following resources for more security information:
Note: This document is intended to provide the reader with an introduction to and overview of the security functionality of Citrix Cloud; and to define the division of responsibility between Citrix and customers with regard to securing the Citrix Cloud deployment. It is not intended to serve as a configuration and administration guidance manual for Citrix Cloud or any of its components or services.