Security Considerations in a XenApp Deployment

May 07, 2015

XenApp provides server-based computing to local and remote users through the Independent Computing Architecture (ICA) protocol developed by Citrix.

ICA is the communication protocol by which servers and client devices exchange data in a XenApp environment. ICA is optimized to enhance the delivery and performance of this exchange, even on low bandwidth connections.

As an application runs on the server, XenApp intercepts the application’s display data and uses the ICA protocol to send this data (over standard network protocols) to the plugin software running on the user’s client device. When the user types on the keyboard or moves and clicks the mouse, the plugin software sends the resulting input data back to the server, where it is processed by the application.

ICA requires minimal client workstation capabilities and includes error detection and recovery, encryption, and data compression.

A server farm is a collection of XenApp servers that you can manage (from the Delivery Services Console) as a single entity. A server can belong to only one farm, but a farm can include servers from more than one domain. The design of server farms has to balance the goal of providing users with the fastest possible application access with that of achieving the required degree of centralized administration and network security.

Note that in XenApp deployments that include the Web Interface, communication between the server running the Web Interface and client devices running Web browsers (and plugin software) takes place using HTTP.

In a XenApp deployment, administrators can configure encryption using either of the following:

  • SSL Relay, a component that is integrated into XenApp
  • Secure Gateway, a separate component provided on the XenApp installation media

Virtual Channels

The following table shows which ICA virtual channels (or combination of virtual channels) can be used with XenApp for authentication and application signing or for encryption methods.

Note: This table applies only to XenApp, not to Single sign-on.
                                 Smart card         Kerberos           Core ICA protocol
                                 virtual channel    virtual channel    (no virtual channel)
Smart card authentication        *                  *
Biometric¹ authentication                           *
Password authentication                             *                  *
Application signing/encryption   *

(* = the virtual channel or protocol can be used for that method)

¹ Third-party equipment is required for biometric authentication.

Additional XenApp Security Features

The following products can be used with XenApp to provide additional security. These additional security measures are not included in the sample deployments.

ICA Encryption Using SecureICA

ICA encryption with SecureICA is integrated into XenApp. With SecureICA, you can use up to 128-bit encryption to protect the information sent between a XenApp server and users’ client devices. However, it is important to note that SecureICA does not use FIPS 140-compliant algorithms. If this is an issue, you can configure XenApp servers and plug-ins to avoid using SecureICA.

Authentication for the Web Interface Using RSA SecurID

You can use the third-party product RSA SecurID as an authentication method for the Web Interface running on Internet Information Services. If RSA SecurID is enabled, users must log on using their credentials (user name, password, and domain) plus their SecurID PASSCODE. The PASSCODE is made up of a PIN followed by a tokencode (the number displayed on the user’s RSA SecurID token).

RSA SecurID supports authentication on both XenApp and Single sign-on.

Authentication for the Web Interface Using SafeWord

You can use the third-party product Aladdin SafeWord as an authentication method for the Web Interface running on Internet Information Services. If SafeWord is enabled, users must log on using their credentials (user name, password, and domain) plus their SafeWord passcode. The passcode is made up of the code displayed on the user’s SafeWord token, optionally followed by a PIN.

SafeWord supports authentication on XenApp, but not on Single sign-on.