Professional Documents
Culture Documents
2011 Citrix Systems, Inc. All rights reserved. Terms of Use | Trademarks | Privacy Statement
Contents
XenApp 6.5 Security Standards and Deployment Scenarios XenApp 6.5 Security Standards and Deployment Scenarios Security Considerations in a XenApp Deployment Country-Specific Government Information FIPS 140 and XenApp SSL/TLS Protocols Government Ciphersuites IP Security Citrix Single Sign-on Smart Cards Kerberos Authentication Citrix Receiver and Plug-ins Virtual Channels Additional Security Features Deployment Samples Sample A Using the SSL Relay How the Components in Sample Deployment A Interact Security Considerations in Sample Deployment A Sample B Using Secure Gateway (Single-Hop) How the Components in Sample Deployment B Interact Security Considerations for Sample Deployment B Sample C Using Secure Gateway (Double-Hop) How the Components in Sample Deployment C Interact Security Considerations in Sample Deployment C Sample D Using the SSL Relay and the Web Interface How the Components in Sample Deployment D Interact Security Considerations for Sample Deployment D Sample E Using Citrix Single Sign-on and Secure Gateway (Single-Hop) How the Components in Sample Deployment E Interact
4 6 8 10 11 14 16 17 18 19 21 22 25 26 27 28 29 30 32 34 36 38 40 41 43 45 46 48 50
52
SHA-256 hashing q
The Citrix Streaming Profiler now creates SHA-256 hashes of each file in a profile. When enabled for backwards compatibility with the legacy Offline Plug-in 6.0.x, the Offline Plug-in can verify the integrity of profiles that contain SHA-256 and SHA-1 hashes. For more information, see To support legacy plug-ins.
SmartAuditor now creates SHA-256 hashes of saved sessions. For backwards compatibility, the SmartAuditor Player can verify the integrity of sessions whose integrity checksum is computed using SHA-256 or SHA-1. 2048-bit RSA keys q q
IMA Encryption now creates 2048-bit RSA keys. The keys contain both size and algorithm information, and can be imported by any version of XenApp that supports IMA Encryption. IMA Encryption RSA keys are generated only during a new install or when manually changed. If the key is replaced on one server, it must be replaced on all servers. Therefore, there are no issues arising from mixed farms.
In This Section
Security Considerations in a XenApp Deployment Deployment Samples
Quick Links
Application Streaming SmartAuditor IMA Encryption Single Sign-On
Providing users with the fastest possible application access Achieving the required degree of centralized administration and network security
XenApp also supports sending audio via UDP in a real time protocol (RTP) stream. When this feature is enabled, audio data not transmitted in the ICA protocol, but is instead sent in a separate UDP stream. For more information, see Configuring Audio. The HDX Flash redirection technology may stream Flash content outside of the ICA protocol in separate TCP connections. For more information, see Configuring HDX MediaStream Flash Redirection.
Web Interface
In XenApp deployments that include the Web Interface, use HTTPS for communication between the server running the Web Interface and the client devices running Web browsers (and Citrix Receiver software). 6
SSL Relay, a component that is integrated into XenApp Secure Gateway, a separate component provided on the XenApp installation media
Providing users with the fastest possible application access Achieving the required degree of centralized administration and network security
XenApp also supports sending audio via UDP in a real time protocol (RTP) stream. When this feature is enabled, audio data not transmitted in the ICA protocol, but is instead sent in a separate UDP stream. For more information, see Configuring Audio. The HDX Flash redirection technology may stream Flash content outside of the ICA protocol in separate TCP connections. For more information, see Configuring HDX MediaStream Flash Redirection.
Web Interface
In XenApp deployments that include the Web Interface, use HTTPS for communication between the server running the Web Interface and the client devices running Web browsers (and Citrix Receiver software). 8
SSL Relay, a component that is integrated into XenApp Secure Gateway, a separate component provided on the XenApp installation media
FIPS 140 and XenApp SSL/TLS Protocols Smart Cards - includes information on Common Access Cards (of particular relevance to installations in the United States) Kerberos Authentication
For more information about issues specific to your country, contact your local Citrix representative.
10
FIPS 140-1, published in 1994, established requirements for cryptographic modules to provide four security levels that allowed cost-effective solutions appropriate for different degrees of data sensitivity and different application environments. FIPS 140-2, which superseded FIPS 140-1 in 2002, incorporated changes in standards and technology since 1994. FIPS 140-3, which is still in draft, adds an additional security level and incorporates new security features that reflect recent advances in technology.
When configured properly, XenApp 6.5 can use FIPS 140-validated cryptographic modules in a manner that is compliant with FIPS 140-2.
11
XenApp Citrix Receiver and Citrix online plug-in Web Interface SSL Relay Secure Gateway for Windows Single Sign-on Offline applications (streaming) SmartAuditor Power and Capacity Management Configuration Logging ICA File Signing
Where these client and server components communicate with the TLS or SSL connection enabled, the cryptographic modules that are used are provided by the Microsoft Windows operating system. These modules use the Microsoft Cryptography Application Programming Interface (CryptoAPI) and are FIPS 140-validated. Note: On both Windows Vista with Service Pack 1 and Windows Server 2008, you must apply Microsoft hotfix kb954059 (http://support.microsoft.com/kb/954059) to ensure that the random number generator used within CryptoAPI and, therefore the underlying operating system, is FIPS 140-compliant.
FIPS Compliance
FIPS compliance is achieved as follows:
q
According to the Microsoft documentation (http://technet.microsoft.com/en-us/library/cc750357.aspx), FIPS-compliant systems that use FIPS 140-certified cryptomodules can be deployed by following a prescribed set of steps. These steps include setting a particular FIPS local policy flag. As noted in the Microsoft documentation referenced above, not all Microsoft components and products check the FIPS local policy flag. Refer to the Microsoft documentation for instructions on how to configure these components and products to behave in a FIPS-compliant manner.
12
Similarly, Citrix components do not check the FIPS local policy flag. Instead, these components must be configured to behave in a FIPS-compliant manner. Specifically, Citrix components that use TLS must be configured to use Government Ciphersuites.
q
RSA_WITH_AES_256_CBC_SHA [FIPS 197, RFC 3268] Given the accuracy of the above statements, and assuming that all these steps are followed, the resulting XenApp configuration will use FIPS 140 cryptomodules in a FIPS-compliant manner.
q
13
SSL/TLS Protocols
If client devices in your environment communicate with your farm across the Internet, Citrix recommends enabling Secure Sockets Layer (SSL) 3.0 or Transport Layer Security (TLS) 1.0 encryption when you publish a resource. These protocols are collectively referred to SSL/TLS. Both SSL and TLS are open protocols that provide data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection:
q
SSL is an open, nonproprietary security protocol for TCP/IP connections. TLS, which is also an open standard, is the latest, standardized version of the SSL protocol.
SSL 3.0 and TLS 1.0 are not interoperable. However, because there are only minor differences between them, the server certificates in your installation can be used for both SSL and TLS implementations.
For client devices communicating with your farm remotely, Citrix recommends that you use the Secure Gateway to pass client communications to the computer running XenApp. The Secure Gateway can be used with SSL Relay on the computer running XenApp to secure the Secure Gateway to XenApp traffic, depending on your requirements. For client devices communicating with your farm internally, you can do one of the following to pass client communications to the computer running XenApp:
q
Use the Secure Gateway with an internal firewall and place your farm behind the firewall.
14
SSL/TLS Protocols
q
Use the SSL Relay feature to secure the traffic between client devices and servers in your farm.
Note:
q
If you use SSL Relay, you must install it on every server in the farm. Because SSL Relay requires you to store certificates on each server, it may be less convenient for larger environments. If your farm has more than five servers and you are concerned with internal threats, you may prefer to use the Secure Gateway with an internal firewall. To use SSL with the Secure Gateway or SSL Relay, you must select the Enable SSL and TLS protocols setting when you publish an application. If you are using Web Interface with the Secure Gateway, see the information about SSL in the Secure Gateway and Web Interface administrator documentation.
15
Government Ciphersuites
You can configure XenApp, the Web Interface, and Secure Gateway to use government-approved cryptography to protect "sensitive but unclassified" data by using the applicable ciphersuite:
q
RSA_WITH_3DES_EDE_CBC_SHA supports RSA key exchange and TripleDES encryption, as defined in Internet RFC 2246 (http://www.ietf.org/rfc/rfc2246.txt). RSA_WITH_AES_128_CBC_SHA supports RSA key exchange with Advanced Encryption Standard (AES) and 128-bit keys for TLS connections, as defined in FIPS 197 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf and Internet RFC 3268 (http://www.ietf.org/rfc/rfc3268.txt). For more information about AES, see http://csrc.nist.gov/cryptval/des.htm. RSA_WITH_AES_256_CBC_SHA supports RSA key exchange with AES and 256-bit keys for TLS connections, as defined in FIPS 197 and RFC 3268.
16
IP Security
IP Security (IPSec) is a set of standard extensions to the Internet Protocol (IP) that provides authenticated and encrypted communications with data integrity and replay protection. IPSec is described in Internet RFC 2401. IPSec is a network-layer protocol set, so higher level protocols such as Citrix Independent Computing Architecture (ICA) can use it without modification. Microsoft Windows 7, Windows Vista, Windows XP, Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003 have built-in support for IPSec. Although not illustrated in the sample deployments, you can use IPSec to secure a XenApp deployment within a virtual private network (VPN) environment.
17
18
Smart Cards
You can use smart cards with XenApp, supported XenApp plug-ins, the Web Interface, and Single Sign-on to provide secure access to applications and data. Using smart cards simplifies the authentication process while enhancing logon security. XenApp supports smart card authentication to published applications, including smart card-enabled applications such as Microsoft Outlook. In a business network, smart cards are an effective implementation of public key technology and can be used for the following purposes:
q
Authenticating users to networks and computers Securing channel communications over a network Securing content using digital signatures
If you are using smart cards for secure network authentication, your users can authenticate to applications and content published on your server farms. In addition, smart card functionality within these published applications is also supported. For example, a published Microsoft Outlook application can be configured to require that users insert a smart card into a smart card reader attached to the client device in order to log on to a XenApp server. After users are authenticated to the application, they can digitally sign email using certificates stored on their smart cards. Note: The availability of some smart card features depends on the smart card cryptographic service provider (CSP).
Tasks performed by smart card administrators (for example smart card issuance) may be inappropriate for carrying out through XenApp. Usually these functions are performed at a dedicated smart card station, and may require two smart card readers. Infrequent and sensitive tasks, such as unblocking a smart card, may also be inappropriate for carrying out through XenApp. Security policies often forbid users to perform these functions; they are carried out by the smart card administrator. Note: Citrix recommends that you carry out these tasks locally on the user device if possible, rather than using XenApp.
Highly sensitive applications that require strict separation of duties or tamper-resistant audit trails may entail additional special-purpose security control measures. These measures are outside the scope of XenApp.
19
Smart Cards You can reset PINs from the desktop using Microsoft Identity Lifecycle Manager (ILM) and Certificate Lifecycle Manager (CLM) smart card management systems, or using any smart card vendor's reset utilities that use the Windows smart card PC/SC (WinSCard) API.
20
Kerberos Authentication
Kerberos is an authentication protocol. Version 5 of this protocol was first standardized as Internet RFC 1510. Many operating systems, including Microsoft Windows 2000 and later, support Kerberos as a standard feature. XenApp extends the use of Kerberos. When users log on to a client device, they can connect to XenApp without needing to authenticate again. The users password is not transmitted to XenApp; instead, authentication tokens are exchanged using the Generic Security Services API (GSSAPI), which was first standardized in Internet RFC 1509. This authentication exchange is performed within a Citrix Independent Computing Architecture (ICA) virtual channel and does not require any additional protocols or ports. The authentication exchange is independent of the logon method, so it can be used with passwords, smart cards, or biometrics. To use Kerberos authentication with XenApp, both the client and server must be appropriately configured. You can also use Microsoft Active Directory Group Policy to selectively disable Kerberos authentication for specific users and servers. For information on implementing Kerberos Authentication in a XenApp environment, see Knowledge Center article CTX121918.
21
Standards Summary
The following table summarizes the security standards relevant to Citrix Receiver and the Citrix online plug-in:
Platform and Version Citrix Receiver for Windows 3.0 Citrix Receiver for Windows CE for Windows-Based Terminals 11.02 Citrix Receiver for Windows CE for Handheld and Pocket PCs 11.02 Citrix Receiver for Macintosh 11.3 Citrix Receiver for Linux 12.1
FIPS 140 *1 *2
TLS * *
Triple DES * *
AES *
CRL check *3
Smart card * *
Kerberos *
*2
* *
* *
* *
22
Citrix Receiver and Plug-ins Citrix Receiver for Sun Solaris 8.63 Citrix Receiver for Java 10.1 Citrix Receiver for Android 2.1 Citrix Receiver for BlackBerry 2.1 Citrix Receiver for Playbook 1.0 Citrix Receiver for iOS 4.2.3 Citrix online plug-in 12.1 Citrix online plug-in Web 12.1 Notes:
1 2
* * * *
* * * * *
* * * *
*3 * *5
*4
*1 *
1
* *
* *
* *
*3 *
3
* *
* *
These plug-ins inherit FIPS 140 compliance from the base operating system, Windows.
These plug-ins inherit FIPS 140 compliance from the base operating system, Windows CE.
3
Certificate revocation checking is only applicable to plug-ins running on Windows XP, Windows Vista, or Windows 7.
4
Kerberos authentication is not supported when the Citrix Receiver for Java is running on Mac OS X client devices.
5
Plug-in type Citrix Receiver for Windows 3.0 Citrix Receiver for Windows CE for Windows-Based Terminals 11.02 Citrix Receiver for Windows CE for Handheld and Pocket PCs 11.02 Citrix Receiver for Macintosh 11.3 Citrix Receiver for Linux 12.1 Citrix Receiver for Sun Solaris 8.63
Root certificate source operating system certificate store operating system certificate store operating system certificate store operating system certificate store bundled with the plug-in bundled with the plug-in
23
Citrix Receiver and Plug-ins Citrix Receiver for Java 10.1 Java keystore (Java 1.4.x) Java keystore or operating system certificate store (Java 1.5.x or later) Citrix Receiver for Android 2.1 Citrix Receiver for BlackBerry 2.1 Citrix Receiver for Playbook 1.0 Citrix Receiver for iOS 4.2.3 Citrix online plug-in 12.1 Citrix online plug-in Web 12.1 operating system certificate store operating system certificate store Android keystore operating system certificate store bundled with the plug-in
24
Virtual Channels
The following table shows which Citrix Independent Computing Architecture (ICA) virtual channels or combination of virtual channels can be used with XenApp for authentication, or for and application signing and encryption methods. Note: This table applies only to XenApp, not to Citrix Single Sign-on.
25
26
Deployment Samples
To make a XenApp deployment FIPS 140-compliant, you need to consider each communication channel within the installation. The following deployment samples show how users can connect to XenApp servers with different configurations of components and firewalls. In particular, the samples provide general guidance on how to make each communication channel secure using SSL/TLS so that the system as a whole is FIPS 140-compliant.
q
Sample A - Using the SSL Relay Sample B - Using Secure Gateway (Single-Hop) Sample C - Using Secure Gateway (Double-Hop) Sample D - Using the SSL Relay and the Web Interface Sample E - Using Citrix Single Sign-on and Secure Gateway (Single-Hop)
Note: Secure Gateway and the SSL Relay support both SSL- and TLS-based encryption. Your choice of method is largely determined by which topology best meets the needs of your organizations security policies. Refer to SSL/TLS Protocols for more information.
27
The following table lists the components of the deployment and the operating systems required for the servers and client devices.
XenApp farm
Components XenApp 6.5 for Microsoft Windows Server 2008 R2 SSL Relay enabled Secure Ticket Authority installed on XenApp server
User devices
28
29
XenApp 5.0 Windows Server 2008, Windows Server 2003 For more information, see the documentation for your operating system.
30
31
The following table lists the components of the deployment and the operating systems required for the servers and client devices.
XenApp farm
Components XenApp 6.5 for Microsoft Windows Server 2008 R2 SSL Relay enabled Secure Ticket Authority installed on XenApp server
32
Sample B Using Secure Gateway (Single-Hop) Web server Web Interface 5.4 for Internet Information Services Windows Server 2008 R2 Windows Server 2008 Windows Server 2003 with Service Pack 2 .NET Framework 3.5 or 2.0 (IIS 6.0 only) Visual J#.NET 2.0 Second Edition Secure Gateway server Secure Gateway 3.3 for Windows Windows Server 2008 R2 Windows Server 2008 Windows Server 2003 with Service Pack 2 User devices Citrix Receiver for Windows 3.0 TLS-enabled Web browser Windows 7 Windows Vista Windows XP Professional
33
In this deployment, the Secure Gateway removes the need to publish the address of every XenApp server in the farm and provides a single point of encryption and access to the farm. The Secure Gateway does this by providing a gateway that is separate from the XenApp servers and reduces the issues for firewall traversal to a widely-accepted port for ICA traffic in and out of the firewalls. While sample deployment B.1 is highly scalable, the trade-off is that ICA communication is encrypted only between client devices and the Secure Gateway, not between the Secure Gateway and the XenApp servers. Note: The SSL Relay in sample deployment B.1 is used to encrypt communication between the Web Interface and the XML Service running on the XenApp servers. The Secure Gateway communicates with the XenApp servers directly, so the SSL Relay is not used for communication between the Secure Gateway and the server farm. You can secure the communication between the Secure Gateway and the server farm using IPSec, as shown in sample deployment B.2. This diagram shows a detailed view of sample deployment B.2, which includes IPSec.
34
35
XenApp 5.0 Windows Server 2008, Windows Server 2003 For more information, see the documentation for your operating system.
36
Security Considerations for Sample Deployment B For TLS connections, you can choose other Government Ciphersuites that employ RSA key exchange and the Advanced Encryption Standard (AES).
37
The following table lists the components of the deployment and the operating systems required for the servers and client devices.
XenApp farm
Components XenApp 6.5 for Microsoft Windows Server 2008 R2 SSL Relay enabled Secure Ticket Authority installed on XenApp server
38
Sample C Using Secure Gateway (Double-Hop) Web server Web Interface 5.4 for Internet Information Services Windows Server 2008 R2 Windows Server 2008 Windows Server 2003 with Service Pack 2 .NET Framework 3.5 or 2.0 (IIS 6.0 only) Visual J#.NET 2.0 Second Edition Secure Gateway Service Secure Gateway Proxy User devices Citrix Receiver for Windows 3.0 TLS-enabled Web browser Secure Gateway 3.3 for Windows Windows Server 2008 R2 Windows Server 2008 Windows Server 2003 with Service Pack 2 Windows 7 Windows Vista Windows XP Professional
39
In this deployment, the Secure Gateway removes the need to publish the address of every XenApp server in the farm and provides a single point of encryption and access to the farm. The Secure Gateway does this by providing a gateway that is separate from the XenApp servers and reduces the issues for firewall traversal to a widely-accepted port for ICA traffic in and out of the firewalls.
40
XenApp 5.0 Windows Server 2008, Windows Server 2003 For more information, see the documentation for your operating system.
41
Security Considerations in Sample Deployment C For TLS connections, you can choose other Government Ciphersuites that employ RSA key exchange and the Advanced Encryption Standard (AES).
42
The following table lists the components of the deployment and the operating systems required for the servers and client devices.
XenApp farm
Components XenApp 6.5 for Microsoft Windows Server 2008 R2 SSL Relay enabled Secure Ticket Authority installed on XenApp server
43
Sample D Using the SSL Relay and the Web Interface Web server Web Interface 5.4 for Internet Information Services Windows Server 2008 R2 Windows Server 2008 Windows Server 2003 with Service Pack 2 .NET Framework 3.5 or 2.0 (IIS 6.0 only) Visual J#.NET 2.0 Second Edition User devices Citrix Receiver for Windows 3.0 TLS-enabled Web browser Windows 7 Windows Vista Windows XP Professional
44
45
XenApp 5.0 Windows Server 2008, Windows Server 2003 For more information, see the documentation for your operating system.
46
47
Note: The Citrix Single Sign-on central store is hosted on two servers (primary and secondary), both running Active Directory. The secondary server is only used to provide failover for the primary server. The following table lists the components of the deployment and the operating systems required for the servers and client devices.
Components
Operating systems
48
Sample E Using Citrix Single Sign-on and Secure Gateway (Single-Hop) XenApp farm XenApp 6.5 for Microsoft Windows Server 2008 SSL Relay not enabled Secure Ticket Authority installed on XenApp server Citrix Single Sign-on 5.0 plug-in Citrix Single Sign-on Service Citrix Single Sign-on 5.0 Service Windows Server 2008 R2 Windows Server 2008 (32-bit) Windows Server 2003 with Service Pack 2 (32-bit) Windows Server 2003 R2 (32-bit) .NET Framework 3.5 Service Pack 1 Citrix Single Sign-on central store Citrix Single Sign-on 5.0 central store Windows Server 2008 R2 Windows Server 2008 Windows Server 2003 with Service Pack 2 Web server Web Interface 5.4 for Internet Information Services Windows Server 2008 R2 Windows Server 2008 Windows Server 2003 with Service Pack 2 .NET Framework 3.5 or 2.0 (IIS 6.0 only) Visual J#.NET 2.0 Second Edition Secure Gateway server Secure Gateway 3.3 for Windows Windows Server 2008 R2 Windows Server 2008 Windows Server 2003 with Service Pack 2 User devices Citrix Receiver for Windows 3.0 TLS-enabled Web browser Windows 7 Windows Vista Windows XP Professional Windows Server 2008 R2 Java 1.4.x or later
49
50
51
XenApp 5.0 Windows Server 2008, Windows Server 2003 For more information, see the documentation for your operating system.
53