Tag Archives: Security

Session Watermarking for App & Desktop Security by Citrix XenApp & XenDesktop 7.17 or #CitrixCloud

The following content is a brief and unofficial prerequisites guide to setup, configure and deploy Session Watermark policy feature with the XenApp & XenDesktop Service (April 2018) or XenApp & XenDesktop 7.17 on-premises prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or leading best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
SECURITY – sec
NETSCALER – ns
NETSCALER GATEWAY SERVICE – nsg service
WINDOWS – win
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad

Introduction to “Session Watermark”
The latest release of the XenApp & XenDesktop Service powered by Citrix Cloud or if you are performing a private cloud (on-premises) upgrade or net new installation of XenApp & XenDesktop 7.17 has some NEW features (another post brewing) and one that I have been waiting on for quiet sometime now has not finally arrived (WAHOO!) and its VERY VERY simple to configure and aids in improving your security posture (I believe) for delivery of apps & desktops powered by Citrix against e.g IP theft. In the below tweet can you see it?

The above is from my initial tests using a Windows Server 2016 VM hosted in Azure Northern Europe region running the 7.17 VDA configured to my Citrite #CitrixCloud XenApp & XenDesktop Service so I did not need to upgrade anything to get this new SHINY cool feature yes I said it SHINY. All I was required to do was deploy a new Windows Server 2016 VM from the Azure marketplace, domain join it, install the VDA and connect it to my Cloud Connector and I was ready in less than 25 minutes from initially deploying the VM from the marketplace.

Finally on a personal note for me Citrix SysAdmins enabling the “Session Watermark” feature obviously initally tested in a safe environment e.g UAT with a few users from a couple of departments and then rolling it out into production (as when/how your ready) will be making IT the modern “App & Desktop Security Heroes“. IT can apply and configure these new policies to be the most right vs. relevant for your organisations security needs while not hindering the end-users Rich HD eXperience.

Session Watermark Policies
You have 8 watermarking policies to apply with the 9th one enabling this security capability or feature set with the following list of quirks, suggested policy configuration and more available at – https://docs.citrix.com/en-us/xenapp-and-xendesktop/current-release/policies/reference/ica-policy-settings/session-watermark-policy-setting.html.

Before we get started it is worth mentioning that this feature does add an overhead to the compute on the backend (VDA side) and therefore it is suggested to enable up to two water marking features or items. In my overview of this feature I will wont cover off the cost of implementing this security policy as there are multiple variables to consider e.g HDX Graphics Mode and associated policies to provide the right vs. relevant end-user experience vs. how many watermark items do I apply? I have begun testing so bare with me and I’ll publish my findings either on my personal blog here or on https://www.mycugc.org under the “Expert Insights” area.

Enable session watermark
By default this feature is DISABLED as the default behaviour which I believe is the right approach considering its Citrix’s initial release of this #security feature (in my personal view) and secondly online documentation at eDocs suggested recommendations it to enable NOT more than two watermark text items. Finally * indicates that this policy is DISABLED by default when Session Watermark is enabled.

Include client IP address
* This is the IP addr of the device connecting to the virtual app & desktop.

Include connection time
* Utilises the following format yyyy/mm/dd hh:mm to display the users initial connection time to there virtual app or desktop.

Include logon user name
ENABLED by default when you enable Session Watermark as a policy and uses the following format USERNAME@DOMAINNAME is most optimise for 20 characters or less otherwise truncation might occur of the users logon username.

Include VDA host name
ENABLED by default when you enable Session Watermark as a policy and provides the VDA hostname e.g ne1vad01

Include VDA IP address
* Provides the internal IP addr that corresponding the VDA’s hostname e.g ne1vad01 = 10.1.0.7

Session watermark style
ENABLED by default using “Multiple e.g displays five watermark labels” when you enable Session Watermark as a policy or you can configure “Single e.g displays a single watermark label in the centre of the session“. TIP switching to SINGLE and sticking to two watermark text items for me in my initial tests is a good starting policy however time will tell as I continue to test out this new feature and its capabilities with different HDX Graphics Modes and associated tweaks.

Watermark custom text
* A unicode maximum of 25 characters is supported if you exceed this limit it will be truncated.

Watermark transparency
ENABLED by default set to “17 out of 100” when you enable Session Watermark as a policy, personally I think setting it to just 1 is fine in my initial tests as you want it to be not so in your face to the end-users to be bluntly honest.

GDPR Compliance [Infographic] from Citrix

The views expressed here are my own and do not necessarily reflect the views of Citrix.

What is GDPR?
http://www.eugdpr.org

[Infographic] from Citrix
The following Citrix infographic is from the following Citrix blog post at – https://www.citrix.com/blogs/2017/04/04/gdpr-compliance-redefining-the-price-of-privacy/ by Kurt Roemer – https://www.citrix.com/blogs/author/kurtr/.

More on Citrix Secuirty
https://www.citrix.com/it-security/

Setup Pre-Authentication Endpoint Analysis (EPA) Policy with an Azure NetScaler (Unified) Gateway 11.x.n

The following content is a brief and unofficial overview of how-to setup an Endpoint Analysis (EPA) scan of Windows and Mac devices with an Azure NetScaler (Unified) Gateway VPX 11.x.n using Microsoft Azure (ARM). The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions, best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
ENDPOINT ANALYSIS – epa
FIREWALL – f/w
ANTI-VIRUS = a/v
NETSCALER UNIFIED GATEWAY – nug
NETSCALER GATEWAY – nsg
XENAPP – xa
XENDESKTOP – xd
VIRTUAL DESKTOP – vd
PRE-AUTHENTICATION – pre-auth
CONFIGURATION – cfg
MICROSOFT – ms

What is an Pre-Authentication EPA Scan?
Citrix NUG provides an ability to perform and enforce end-point security checks using the NetScaler’s EPA agent which installed onto supported OSes (Windows, OS X) which then sends the results to the NUG to validated against preconfigured “Preauthentication Policy(s)” which check’s if e.g the Windows Firewall enabled? If YESthen the user is allowed to procced to logon page and if NO the user is denied access until all outstanding end-security requirements have been successful meet.

You can create pre-auth policies using Opswat – http://citrix.opswat.com/ to check for A/V including min version, precense of exsiting registry entries, file policies and much more so be sure to check out https://docs.citrix.com/en-us/netscaler-gateway/11/vpn-user-config/endpoint-policies/ng-endpoint-expressions-client-security-preauth-con.html for more in-depth detail.

User Workflow of Pre-Authentication EPA Scans
1. User attempts to login by opening an internet browser e.g Internet Explorer or Google Chrome and navigates to at https://go.x1co.eu/
2. The user is automatically re-directed to https://go.x1co.eu/epa/epa.html
3. The user will be prompted after 10 seconds if they do not have the EPA agent installed to install it with the download initiating from the NetScaler on https://go.x1co.eu/epa/epa.html.
4. The user follows the onscreen instructions to install the EPA agent and after it’s installation the EPA scan begins automatically.
5. The scanned results are sent to the NetScaler at https://go.x1co.eu/.
6. The NetScaler verifies the sent scanned results based upon the pre-auth policy cfg configured in the “Preauthentication Policy(s)” on the NUG and then returns a pass vs. fail to the device. If the device receives a Pass then the user can login with there organisation credentials at – https://go.x1co.eu/vpn/index.html and if its a Fail then the user is redirected automatically to https://go.x1co.eu/epa/errorpage.html and they should thereafter contact there organisations IT support department with the Case ID presented to the user onscreen to help resolve and validate the end-users required end-point security requirements to be able to login successfully.

The following Image 1 below describes visually the user flow once the end-user has the NetScaler EPA agent installed and a scan is initated if sucessful the user can then attemp to auth against the NetScaler UG and will be presented with various options as configured by the NS & CTX SysAdmins but lets assume they have all three options avaiable to them as part of the NetScaler Unified Gateway offering and the user in this example elect’s to select a virtual desktop from XAD as seen in the Image 2 below.

Image 1

Image 2

Setup Pre-Authentication Policy on your NetScaler 11.x.n+ for a PoC
The following will descirbe’s how-to setup & bound a pre-authentication policy to check the min ClamWin Anti-Virus version installed onto a Windows desktop OS and to check that your Windows Firewall actually ENABLED!

1. Setup your NetScaler Unified Gateway following this detailed Citrix CTX article – https://support.citrix.com/article/CTX205295.
2. Test that you can actually login to your configured NetScal UG and launch a virtual app or desktop or connecting to an internal intranet homepage using the clientless VPN feature prior to proceeding.
3. Go back to the NS Admin WebUi & then navigate to “NetScaler Gateway > Policies > Preauthentication Profiles > Add“.
4. Select “Add” and enter in a name for your policy e.g PreScanPoC and ensure that the “Action” field is set to “ALLOW” then click “Create“.
5. Now in the Expression Editor input field below click on the link entitled “OPSWAT EPA editor“.
6. Now select “Windows” next select “Firewall” then search for and select “Microsoft Windows Firewall” then click on the “+” symbol and configure as follows below:

Version <
Enabled == TRUE
Comment == Microsoft Windows Firewall

7. Next click on “OPSWAT EPA editor” once again & now select “Windows” next select “Antivirus” then search for and select “*YOUR PREFFERD & SUPPORTED ANTI-VIRUS” then click on the “+” symbol and configure as follows below replacing ClamWin Free Antivirus with your *:

Version < 0.99.1
Enabled ==
Comment == ClamWin Free Antivirus

Or if you prefer you could also just copy and paste the following into your expression editor input box “CLIENT.APPLICATION(‘ANTIVIR_177001_VERSION_<=_0.99.1[COMMENT: ClamWin Free Antivirus]') EXISTS && CLIENT.APPLICATION('FIREWALL_6015_ENABLED_==_TRUE[COMMENT: Microsoft Windows Firewall]') EXISTS” or if you only want to configure the pre-auth policy to just detect if your MS Windows Firewall is disabled and deny access then copy and paste the folllwing into the expression editor input box “CLIENT.APPLICATION(‘FIREWALL_6015_ENABLED_==_TRUE[COMMENT: Microsoft Windows Firewall]’) EXISTS“.

8. Once you have finished your inputs then select “Ok“.
9. Now click on the “Action” drop down above and select “Global Bindings“, next select the “pencil icon” and select your created policy e.g “PreScanPoC” as described eariler, once you return back to the Policy Binding view select “Bind” and click “Close”.
10. Now using the menu on the left-hand side navigate to “NetScaler Gateway > Virtual Servers” and select your Unified Gateway configuration and select “Edit”.
11. Scroll to the bottom and look for the “Policies” section and click on the “+” symbol.
12. Next from the “Choose Policy*” drop down list select “Preauthentication” and the “Choose Type*” default should be “Request” and then click on “Continue“.
13. Parallel to “Select Policy*” select the “” then select your Preauthentication Policy e.g “PreScanPoC“.
14. Select “Bind” then click on “Close”.
15. Click on “Done” and now you have setup & configured your first pre-authentication Endpoint Analysis (EPA) policy against your NetScaler Unified Gateway configurtion of your Azure NetScaler (Unified) Gateway 11.x.n VPX.
16. Naviagte to your FQDN e.g https://go.x1co.eu/ and attempt to sign-in and you’ll notice it will prompt you to install the EPA agent and thereafter automatically initate the EPA scan which will either allow or deny your access e.g turn your Windows f/w on an off to test how the EPA scanning works.

Troubleshooting
As I only have a Windows laptop my suggusted troubleshooting is only relevant to Windows OSes.

1. On Windows click Start -> Run -> enter in “%localappdata%\Citrix\AGEE\” once Windows Explorer opens the window you can open and review each file for errors however in most cases I would sugguest if you are just trying to get an EPA scan to work based upon this blog article then copy and paste the Windows f/w expression only.

Citrix NetScaler How-to Guides
The follow guides and more can be found at the NetScaler Developer Community webpage – https://www.citrix.com/go/citrix-developer/netscaler-developer-community/howto-guides.html which also includes how-to guides for HDX Framehawk, GSLB, L/B DNS traffic and much much more. The below guides are purely focused on configuriung pre-authentication scans on your NUG prior to allowing to attempt to login.

1. How do I configure EPA for Registery Check – https://www.citrix.com/content/dam/citrix/en_us/citrix-developer/documents/Netscaler/how-do-i-configure-epa-for-registery-check.pdf
2. How do I configure EPA for Symantec Antivirus Check – https://www.citrix.com/content/dam/citrix/en_us/citrix-developer/documents/Netscaler/how-do-i-configure-epa-for-symantec-antivirus-check.pdf
3. How do I configure EPA for Windows Update Check – https://www.citrix.com/content/dam/citrix/en_us/citrix-developer/documents/Netscaler/how-do-i-configure-epa-for-windows-update-check.pdf

What’s new with XenApp/XenDesktop 7.6 Feature Pack (FP3)

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenApp, XenDesktop FP3 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
EXPERIENCE 1st – x1
STOREFRONT SERVER – sfs
FEATURE PACK – fp
THINWIRE PLUS – thinwire +
THINWIRE COMPATIBLE – thinwire c
USER EXPERIENCE – ux

What is new in FP3?
0: ++An absolutely MUST read entitled “HDX Graphics Modes – Which Policies Apply to DCR/Thinwire/H.264 – An Overview for XenDesktop/XenApp 7.6 FP3” which is available at – http://support.citrix.com/article/CTX202687 prior to implementing any of the new graphics mode/encoder(s) within XAD 7.6 FP3.
1: Support for Windows 10 Enterprise Edition, in the Standard VDA for Windows Desktop OSes.
2: HDX Broadcast updates include the following:

Framehawk (Admin guide – http://docs.citrix.com/content/dam/docs/en-us/xenapp-xendesktop/xenapp-xendesktop-7-6/downloads/Framehawk%20Administration%20Guide.pdf) virtual display channel is integrated into the standalone VDA package.
Thinwire Compatible Modehttp://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-hdx-landing/thinwire-compatibility-mode.html also referred to as Thinwire +/Plus is the very latest encoder to deliver a fantastic and rich X1 UX for virtual apps and desktops delivered from Windows Server 2012 R2, Windows 8.1 and 10 powered by XAD 7.6 FP3. To learn more about check out – https://www.citrix.com/blogs/2015/10/09/a-big-leap-in-ica-protocol-innovation-for-citrix/. Set the “Use video codec for compression” to “Do not use” which will force the use of Thinwire Compatibility Mode by default for user ICA/HDX sessions on XAD 7.6 FP3.

HDX Framehawk Performance in XenApp and XenDesktop 7.6 FP3

3: ++Updated Studio built-in policies ref – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-policies-article/xad-policies-templates.html which include the following:

– Very High Definition User Experience+
– High Server Scalability *+
– High Server Scalability-Legacy OS **
– Optimized for WAN *+
– Optimized for WAN-Legacy OS **
– Security and Control

+ New or adjusted to meet today’s new requirements
* Windows 8.1-10, Windows Server 2012 R2
** Windows 7, Windows Server 2008 R2

4: Support for signature devices (Wacom) and drawing tablets which can be applied by adding the following USB device policy settings ref – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-policies-article/xad-policies-settings-wrapper/xad-policies-settings-ica/xad-policies-settings-usb.html.
5: The HDX 3D Pro VDA used to deliver HDX Rich Graphical apps now supports full-screen apps including 3D and gaming apps within single monitor for ICA sessions.
x: For a full and compete list with accurate descriptions and overviews please check out – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-whats-new.html.

What’s new with StoreFront 3.0.1?
This release contains a number of fixed issues ref – http://docs.citrix.com/en-us/storefront/3/sf-about-30/fixed-issues.html including support for TLS 1.0-1. Please beware that SSL 3.0 is NOT supported and Citrix strongly recommends that you do not use it.

XenMobile Device Manager 9.0

The following content is a brief and unofficial prerequisites guide to setup, configure and test XenMobile Device Manager 9.0 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.

Shortened Names
XENMOBILE APPCONTROLLER – xac
APPLE PUSH NOTIFICATION SERVICE – apns
ROLE BASED ACCESS CONTROL – rbac
LIGHT WEIGHT DIRECTORY PROTOCOL – ldap
ACTIVE DIRECTORY – ad
CERTIFICATE SIGNING REQUEST – csr
FULLY QUALIFIED DOMAIN NAME – fqdn
RECEIVER FOR WEB – rfw
CERTIFICATE AUTHORITY – ca
STOREFRONT SERVICES – sfs
PUBLIC KEY INFRASTRUCTURE – pki
NETSCALER GATEWAY – nsg
XENMOBILE DEVICE MANAGER – xdm
XENMOBILE NETSCALER CONNECTOR – xnc
SECURE TICKET AUTHORITY – sta
DOMAIN NAME SERVER – dns

Self-paced Online (SPO) XenMobile Device Manager Training
1: Course # CXM-200 entitled “Deploying Citrix XenMobile Device Manager Server” at – http://training.citrix.com/mod/ctxcatalog/course.php?id=834. Note at the time of writing this blog entry Thursday 17/07/2014 this SPO was freely available with a valid Citrix.com account.
2: Course # CXM-201
Administering and Managing Devices with Citrix XenMobile 9.0 – http://training.citrix.com/mod/ctxcatalog/course.php?id=923. Login to view the price at http://training.citrix.com.

XenMobile APNS Signing Portal
This service requires a valid Citrix.com partner access details to sign-in and sign your APNS CSR – https://xenmobiletools.citrix.com/. Please review the documented APNS process for XenMobile Device Manager at – http://support.citrix.com/proddocs/topic/xenmobile-90/xmob-dm-config-requesting-apns-con.html.

Handset Security
1: How do you know a handset is secure outside of MDM or EMM providers? Well I typically search for a security Whitepaper or security micro sites that covers off the h/w and or software security hardening of these mobile handsets and I have listed a few below enjoy. Note the resources are not listed in any particular order.

Samsung Knox – https://www.samsungknox.com/en/support/knox/white-paper

Windows Phone 8.1 Security Overview – http://download.microsoft.com/download/B/9/A/B9A00269-28D5-4ACA-9E8E-E2E722B35A7D/Windows-Phone-8-1-Security-Overview.pdf

iOS Security – http://www.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf

Android Security Overview – https://source.android.com/devices/tech/security/