Product Documentation

Securing Network Communications

Oct 09, 2015

Network communication between servers and client devices can be a security risk in any enterprise environment. In addition to physically securing servers, most organizations install network security measures including firewalls to isolate servers running XenApp and Web browsers from the Internet and publicly accessible networks. To deploy XenApp on internal networks, secure communications between the client and server by means of SSL/TLS or other security measures.

Depending on your security needs, you can incorporate the following network communication security components when designing XenApp deployments:
  • At the client-server level inside your network:
    • By encrypting the Independent Computing Architecture (ICA) protocol using SecureICA
    • Secure Socket Layer/Transport Layer Security (SSL/TLS) encryption
  • At the network level, when clients are communicating with your farm remotely across the Internet:
    • Secure Gateway
    • Secure Ticket Authority
    • Network firewalls
    • Proxy servers

Part of securing your server farm is making sure that only properly authenticated users can access your servers and resources, which can include smart cards.

Configuring TCP Ports

This table lists the TCP/IP ports that the servers, Citrix online plug-in, IMA Service, and other Citrix services use in a server farm. This information can help you configure firewalls and troubleshoot port conflicts with other software.
Communication Default port Configuration
Delivery Services Console/Access Management Console 135 Not configurable
Citrix SSL Relay 443 See Using the SSL Relay with the Microsoft Internet Information Server (IIS)
Citrix XML Service 80 See Installing and Configuring XenApp
Client-to-server (directed UDP) 1604 Not configurable
ICA sessions (clients to servers) 1494 See XenApp Command Reference for information about using the ICAPORT command
Citrix Vendor Daemon 7279 See Licensing Your Product
License Management Console 8082 See Licensing Your Product
Server to license server 27000 In the console, open the farm or server properties page, and select License Server
Server to Microsoft SQL Server or Oracle server 139, 1433, or 443 for MS-SQL See the documentation for the database software
Server to server 2512 See XenApp Command Reference for information about using the IMAPORT command
Session reliability 2598 See Configuring Session Reliability

Using Proxy Servers

A proxy server accepts connection requests from client devices and redirects those requests to the appropriate XenApp servers. Using a proxy server, much like using a firewall, gives you more control over access to the XenApp servers and provides a heightened level of security for your network. A proxy server, as opposed to a firewall, uses a different port from that used by the XenApp servers.

For information about using proxy servers with the XenApp plug-ins, see the Citrix online plug-in documentation.

Supported proxy servers are:
  • Microsoft Internet Security and Acceleration (ISA) Server 2004 and 2006
  • iPlanet Web Proxy Server 3.6
  • Squid 2.6 STABLE 4
  • Microsoft Proxy Server 2.0

Configuring Authentication for Workspace Control

If users log on using smart cards or pass-through authentication, you must set up a trust relationship between the server running the Web Interface and any server in the farm that the Web Interface accesses for published applications. Without the trust relationship, the Disconnect, Reconnect, and Log Off (“Workspace Control”) commands fail for those users logging on with smart card or pass-through authentication. For more information about Workspace Control, see Ensuring Session Continuity for Mobile Workers.

You do not need to set up a trust relationship if your users authenticate to the Web Interface or the Citrix online plug-in by typing in their credentials.

To set up the trust relationship, configure the Citrix Computer policy Trust XML requests setting. The Citrix XML Service communicates information about published applications among servers running the Web Interface and servers running XenApp.

If you configure a server to trust requests sent to the Citrix XML Service, consider these factors:
  • The trust relationship is not necessary unless you want to implement Workspace Control and your users log on using smart cards or pass-through authentication.
  • Enable the trust relationship only on servers directly contacted by the Web Interface. These servers are listed in the Web Interface Console.
  • When you set up the trust relationship, you depend on the Web Interface server to authenticate the user. To avoid security risks, use SSL Relay, IPSec, firewalls, or any technology that ensures that only trusted services communicate with the Citrix XML Service. If you set up the trust relationship without using IPSec, firewalls, or other security technology, it is possible for any network device to disconnect or terminate client sessions.
  • Configure SSL Relay, IPSec, firewalls, or other technology that you use to secure the environment so that they restrict access to the Citrix XML Service to only the Web Interface servers. For example, if the Citrix XML Service is sharing a port with IIS, you can use the IP address restriction capability in IIS to restrict access to the Citrix XML Service.