Receiver and Plug-in Security

Oct 09, 2015

With the Citrix online plug-in installed on their client devices, users can work with applications running on XenApp servers. Users can access these applications from virtually any type of client device over many types of network connection, including LAN, WAN, dial-up, and direct asynchronous connections. Because the applications are not downloaded to the client devices (as they are in a more traditional network architecture), application performance is not limited by bandwidth or device performance.

Citrix plug-ins are available for Windows, Macintosh, Linux, UNIX, and Windows CE operating systems, and the Java Runtime Environment. Additionally, you can use the Citrix online plug-in Web with Web browsers that support ActiveX controls or Netscape plug-ins.

Citrix plug-ins for Windows use cryptographic modules provided by the operating system. Other plug-ins, including the Client for Java, contain their own cryptographic modules. The Client for Java can, therefore, be used on older Windows operating systems that do not support strong encryption.

The Standards Summary table lists the latest versions of the available plug-ins. The table specifies whether each plug-in is FIPS 140 compliant, supports TLS, includes smart card support, uses government ciphersuites, supports certificate revocation checking, and supports Kerberos authentication. Note that certificate revocation checking is applicable to plug-ins running on Windows XP, Windows Vista, and Windows 7 only. Where the latest version of a plug-in does not completely supersede a previous version (for example, a particular operating system may be supported only by an earlier plug-in version), the earlier version of the plug-in is also listed.

Standards Summary

The following table summarizes the standards relevant to the various Citrix plug-ins:

Plug-in type FIPS 140 TLS TripleDES AES CRL check Smart card Kerberos
Citrix online plug-in 12.x * * * * * *
Citrix online plug-in Web 12.x * * * * * *
Client for Windows CE for Windows-Based Terminals 10.x * *     *  
Client for Windows CE for Handheld and Pocket PCs 10.x * *     *  
Client for Macintosh 10.x   * * *   * *
Client for Linux 10.x   * *     *  
Client for Java 9.x   * * * *  
Client for Sun Solaris 8.x   * *     *  

Notes:

¹ These plug-ins inherit FIPS 140 compliance from the base operating system, Windows.

² These plug-ins inherit FIPS 140 compliance from the base operating system, Windows CE.

³ Kerberos authentication is not supported when the Client for Java is running on Mac OS X client devices.

The table below shows the certificate source for plug-ins that support at least one of the security features listed in the table above. Plug-ins marked “OS” use certificates stored in the operating system certificate store, those marked “Plug-in” use certificates bundled with the plug-in, and plug-ins marked “JRE” use certificates stored in the Java keystore.

Plug-in type Root certificate source
Citrix online plug-in 12.x OS
Citrix online plug-in Web 12.x OS
Client for Windows CE for Windows-Based Terminals 10.x OS
Client for Windows CE for Handheld and Pocket PCs 10.x OS
Client for Macintosh 10.x OS
Client for Linux 10.x Plug-in
Client for Java 9.x JRE (Java 1.4.x); JRE or OS (Java 1.5.x or later)

Client for Sun Solaris 8.x Plug-in