Citrix XenApp and XenDesktop 7.6 FIPS 140-2 Sample Deployments

Similar documents
Citrix XenApp 6.5 and XenDesktop 5.6 Security Standards and Deployment Scenarios Supplementary scenarios

Getting Started with Citrix XenApp and XenDesktop Security

Citrix MetaFrame XP Security Standards and Deployment Scenarios

Citrix Presentation Server Security Standards and Deployment Scenarios Including Common Criteria Information. Citrix Presentation Server 4.

MetaFrame Presentation Server Security Standards and Deployment Scenarios Including Common Criteria Information

CNS Implementing NetScaler 11.0 For App and Desktop Solutions

Payment Card Industry and Citrix XenApp and XenDesktop Deployment Scenarios

NetScaler 2048-bit SSL Performance

Configuring Security Features of Session Recording

Requirements. System Requirements. System Requirements, page 1 Port Requirements, page 4 Supported Codecs, page 5

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

How to Configure NetScaler Gateway 10.5 to use with StoreFront 2.6 and XenDesktop 7.6.

App Orchestration 2.0

Citrix Application Firewall 8.0: Administration Exam

VPN. Date: 4/15/2004 By: Heena Patel

App Orchestration Setup Checklist

Common Criteria Security Target For XenApp 6.0 for Windows Server 2008 R2 Platinum Edition

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

2014 IBM Corporation

1Y0-250 Implementing Citrix NetScaler 10 for App and Desktop Solutions Practice Exam

McAfee Firewall Enterprise 8.2.1

Deploying NetScaler Gateway in ICA Proxy Mode

App Orchestration 2.5

McAfee Firewall Enterprise 8.3.1

Communication ports used by Citrix Technologies. July 2011 Version 1.5

SSL-TLS VPN 3.0 Certification Report. For: Array Networks, Inc.

Citrix TCP Ports Communication Ports Used By Citrix Technologies. August 2009 Version 1.0

XenDesktop 7.5 on Amazon Web Services (AWS) Design Guide

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

Course Syllabus. Fundamentals of Windows Server 2008 Network and Applications Infrastructure. Key Data. Audience. Prerequisites. At Course Completion

WHITE PAPER Citrix Secure Gateway Startup Guide

Citrix - CXD Deploying Citrix XenDesktop 7 Solutions

"Charting the Course... Implementing Citrix NetScaler 11 for App and Desktop Solutions CNS-207 Course Summary

CNS-207 Implementing Citrix NetScaler 10.5 for App and Desktop Solutions

Security Policy Revision Date: 23 April 2009

EAC Decision on Request for Interpretation (Operating System Configuration)

Designing App and Desktop Solutions with Citrix XenDesktop 7

A new Secure Remote Access Platform from Giritech. Page 1

U.S. Federal Information Processing Standard (FIPS) and Secure File Transfer

CMB 207 1I Citrix XenApp and XenDesktop Fast Track

Introduction to Security and PIX Firewall

Technical White Paper

BlackBerry Enterprise Server Express System Requirements

Sophos Certified Architect Course overview

Exhibit B5b South Dakota. Vendor Questions COTS Software Set

Complying with PCI Data Security

XenDesktop 5 with Access Gateway

Common Criteria Security Target

Secure Gateway for Windows Administrator s Guide. Secure Gateway 3.1 for Windows

Guangzhou Macau Hong Kong Shanghai Beijing

View Installation. VMware Horizon 7 Version 7.0 VMware Horizon 7 Version EN

Secure SSL, Fast SSL

CVE-401/CVA-500 FastTrack

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

I. What is VPN? II. Types of VPN connection. There are two types of VPN connection:

Corporate and Payment Card Industry (PCI) compliance

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Spirent Abacus. SIP over TLS Test 编 号 版 本 修 改 时 间 说 明

Electronic Service Agent TM. Network and Transmission Security And Information Privacy

REDCENTRIC MANAGED FIREWALL SERVICE DEFINITION

SSL VPN Technology White Paper

NetScaler for the best XenApp/XenDesktop access and mobile experience

Security Policy. Security Policy.

User Guide. FIPS Mode. For use with epolicy Orchestrator 4.6.x Software

Cornerstones of Security

More than just Layer 2-7 Load Balancing Citrix NetScaler & CloudGateway

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Bridgit conferencing software Version 4.6

ReadyNAS Remote White Paper. NETGEAR May 2010

21.4 Network Address Translation (NAT) NAT concept

Features of a comprehensive application security solution

Secure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity

Communication Ports Used by Citrix Technologies. April 2011 Version 1.5

NEFSIS DEDICATED SERVER

Connectivity Security White Paper. Electronic Service Agent for AIX and Virtual I/O Server (VIOS)

INUVIKA OPEN VIRTUAL DESKTOP FOUNDATION SERVER

Successful Solutions to Virtual Desktop Infrastructure

High Availability for Desktop Virtualization

Citrix Workspace Cloud Apps and Desktop Service with an on-premises Resource Reference Architecture

Design Guide: Remote Access to Windows Apps XenApp 7.6 Feature Pack 2 vsphere 6

CWS- 300: Deploying and Managing Citrix Workspace Suite

Cisco Cisco 3845 X X X X X X X X X X X X X X X X X X

Integrated Services Router with the "AIM-VPN/SSL" Module

Insecure network services

Goliath Performance Monitor Prerequisites v11.6

Network Access Security. Lesson 10

Table of Contents. Introduction. Audience. At Course Completion

Unisys Internet Remote Support

SSL VPN vs. IPSec VPN

PCI Compliance Considerations

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

Symantec Client Management Suite 8.0

Securing virtual desktop infrastructure with Citrix NetScaler

Report to WIPO SCIT Plenary Trilateral Secure Virtual Private Network Primer. February 3, 1999

White Paper. Protecting Mobile Apps with Citrix XenMobile and MDX. citrix.com

simplify monitoring Environment Prerequisites for Installation Simplify Monitoring 11.4 (v11.4) Document Date: January

Transcription:

Citrix XenApp and XenDesktop 7.6 FIPS 140-2 Sample Deployments

Table of Contents Introduction... 1 Audience... 1 Security features introduced in XenApp and XenDesktop 7.6... 2 FIPS 140-2 with XenApp and XenDesktop... 3 Sample deployments... 4 XenApp (internal network)... 6 How the components interact... 7 XenApp using NetScaler Gateway MPX FIPS (external access)... 8 How the components interact... 9 XenDesktop (internal network)... 10 How the components interact... 11 XenDesktop using NetScaler Gateway MPX FIPS (external access)... 12 How the components interact... 13 Finding more information... 14 Last updated 6 March, 2015 Citrix Citrix Systems, Inc. All Rights Reserved citrix.com

Introduction When deploying XenApp and XenDesktop within large organizations, particularly in government environments, security standards are an important consideration. Many government bodies specify a preference or requirement for applications to be compliant with Federal Information Processing Standards 140-2 (FIPS 140-2). The document provides an overview of the security features that apply to XenApp and XenDesktop, with an emphasis on FIPS 140-2. Sample deployments are shown, providing guidance on FIPS 140-2 compliance. For more information regarding details of the individual security features, refer to the relevant product or component documentation. Audience This document is designed to meet the needs of security specialists, systems integrators, and consultants, particularly those working with government organizations worldwide. citrix.com 1

Security features introduced in XenApp and XenDesktop 7.6 The new security features and enhancements in XenApp and XenDesktop 7.6 provide a more streamlined route to deploy Citrix products securely and in accordance with FIPS 140-2. The new features provide the following benefits: You can secure traffic from user devices right through to hosted desktops and applications using Transport Layer Security (TLS) protocol encryption. With enhancements to the broker and VDA on XenApp and XenDesktop, TLS can be configured through to the VDA. The FIPS-enabled NetScaler Gateway MPX-FIPS appliance (NetScaler Gateway 10.x) is fully compatible, allowing full TLS configuration in deployments that include NetScaler Gateway. You can secure traffic using TLS from user devices to hosted desktops and applications. NetScaler Gateway MPX-FIPS appliances are FIPS 140-2 Level 2 compliant, offering encrypted and FIPSsecured communication between: o o Citrix Receiver user devices and the NetScaler Gateway NetScaler Gateway and XenApp and/or XenDesktop VDA and StoreFront You can achieve FIPS compliance without any dependency on IPsec network configuration. You no longer need to use additional components such as the SSL Relay for TLS configuration. citrix.com 2

FIPS 140-2 with XenApp and XenDesktop FIPS 140-2 is a U.S. federal government standard that details a benchmark for implementing cryptographic software. An evaluation process that is administered by the National Institute of Standards and Technology s (NIST) National Voluntary Laboratory Accreditation Program (NVLAP) allows encryption product vendors to demonstrate the extent to which they comply with the standard and thus, the trustworthiness of their implementation. Some U.S. government organizations restrict purchases of products that contain cryptography to those that have FIPS 140-validated modules. The security community at large values products that follow the guidelines detailed in FIPS 140-2 and the use of FIPS 140-2-validated cryptographic modules. To facilitate implementing secure application server access and to meet the FIPS requirements, Citrix products can use cryptographic modules that are FIPS 140-2-validated for implementations of secure SSL/TLS connections. The following Citrix products and components included in the sample deployments can use cryptographic modules that are FIPS 140-validated: Citrix XenApp 7.6 Citrix XenDesktop 7.6 NetScaler Gateway MPX FIPS edition hardware appliance 10.1 StoreFront 2.6 Citrix Receiver for Windows 4.1 When using these products with the TLS connections enabled, the cryptographic modules that are used are FIPS 140-2-validated. Citrix XenApp and XenDesktop, StoreFront and Receiver, use cryptographic modules provided by the Microsoft Windows operating system. NetScaler uses the FIPS 140-2-validated Cavium cryptographic module. citrix.com 3

Sample deployments To ensure XenApp and/or XenDesktop deployments are FIPS 140-2 compliant, you need to consider each communication channel within the deployment. The following sample deployments show how users can connect and access resources on XenApp and XenDesktop with different configurations of components and firewalls. In particular, the samples provide general guidance on how to make each communication channel secure using TLS so that the system as a whole is FIPS 140-2 compliant. The following sample deployments are shown: Product Deployment XenApp Direct internal access [LAN] External remote access [via Internet] XenDesktop Direct internal access [LAN] External remote access [via Internet] These deployment scenarios utilize the following components to secure data communications using the TLS protocol. TLS provides server authentication, encryption of the data stream, and message integrity checks. The NetScaler Gateway MPX FIPS hardware appliance is deployed in the DMZ to provide secure remote access to XenApp and XenDesktop environments. It provides FIPS 140-2 Level 2 TLS encryption of traffic to encrypt and secure communication between: Citrix Receiver and the NetScaler Gateway MPX FIPS hardware appliance The NetScaler Gateway MPX FIPS hardware appliance and Storefront, Delivery Controller, and VDA StoreFront provides TLS encryption and secure communication between: Citrix Receiver and the XenApp and/or XenDesktop VDA (for the internal access deployment scenarios) Citrix Receiver and StoreFront (for the remote access deployment scenarios) Delivery Controller and StoreFront Virtual Desktop Agent (VDA) runs on XenApp or XenDesktop and provides encryption and secure communication between: Citrix Receiver and the XenApp and/or XenDesktop VDA (for the internal access deployment scenarios) NetScaler Gateway MPX FIPS hardware appliance and the XenApp and/or XenDesktop VDA (for the remote access deployment scenarios) citrix.com 4

XenApp, XenDesktop, and Storefront can be configured to use government approved cryptography to protect data by using the applicable ciphersuites: RSA_WITH_3DES_EDE_CBC_SHA supports RSA key exchange and TripleDES encryption, as defined in Internet RFC 2246 (http://www.ietf.org/rfc/rfc2246.txt). RSA_WITH_AES_128_CBC_SHA supports RSA key exchange with Advanced Encryption Standard (AES) and 128-bit keys for TLS connections, as defined in FIPS 197 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf and Internet RFC 3268 (http://www.ietf.org/rfc/rfc3268.txt). For more information about AES, see http://csrc.nist.gov/cryptval/des.htm. RSA_WITH_AES_256_CBC_SHA supports RSA key exchange with AES and 256-bit keys for TLS connections, as defined in FIPS 197 and RFC 3268. NetScaler Gateway MPX FIPS hardware appliances can be configured to use government-approved cryptography to protect data by using the applicable ciphersuites: Cipher Name: SSL3-DES-CBC3-SHA Description: SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 Cipher Name: TLS1-AES-256-CBC-SHA Description: TLSv1 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 Cipher Name: TLS1-AES-128-CBC-SHA Description: TLSv1 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 Note that SSL3-DES-CBC3-SHA is relevant to TLS encryption (despite the reference to SSL3 in the cipher name and description). For more information and support regarding these deployment scenarios, including the operating system requirements, contact Technical Support if you have a valid Technical Support contract (including TRM), or contact your Citrix partner. Note that the sample deployments assume User Datagram Protocol (UDP) audio is disabled. Although a popular protocol for applications such as Lync and Skype, UDP is not compatible with TLS. citrix.com 5

XenApp (internal network) This deployment provides end-to-end TLS encryption between the user device and the applications hosted on XenApp. The deployment includes Citrix Receiver, StoreFront, the Delivery Controller and the VDA. The following table lists the components of the deployment and the operating systems required for the servers and user devices. XenApp Product/Components Delivery Controller (Secure Ticket Authority is part of the Desktop Controller) XenApp VDA Operating System Windows Server 2012 R2 x64 Windows Server 2008 R2 SP1 x64 StoreFront StoreFront 2.6 Windows Server 2012 R2 x64 User Devices Citrix Receiver for Windows 4.1 TLS-enabled web browser Windows 8.1 Update 1 x64 citrix.com 6

How the components interact Traffic between the web browser on the user device and StoreFront is secured using HTTPS. All other traffic is secured using TLS. The diagram below shows a detailed view of the deployment including the components and certificates on each server, plus the communication and port settings. The MS SQL database must be hosted on a dedicated server, and the connection between the database and Delivery Controller must be secured. For details regarding securing this link, see http://support.citrix.com/article/ctx137556. citrix.com 7

XenApp using NetScaler Gateway MPX FIPS (external access) The deployment includes Citrix Receiver, NetScaler Gateway MPX FIPS appliance, StoreFront, the Delivery Controller, and the VDA. The NetScaler Gateway MPX FIPS hardware appliance terminates the TLS/HTTPS connections from the user device (browser and Citrix Receiver). Traffic from the NetScaler Gateway MPX FIPS appliance through StoreFront, the Delivery Controller, and the VDA is secured using TLS. The following table lists the components of the deployment and the operating systems required for the servers and client devices. XenApp NetScaler Gateway Product/Components Delivery Controller (Secure Ticket Authority is part of the Desktop Controller) XenApp VDA NetScaler Gateway MPX FIPS hardware appliance 10.1 Operating System Windows Server 2012 R2 x64 Windows Server 2008 R2 SP1 x64 StoreFront StoreFront 2.6 Windows Server 2012 R2 x64 User Devices Citrix Receiver for Windows 4.1 TLS-enabled web browser Windows 8.1 Update 1 x64 citrix.com 8

How the components interact Traffic between the web browser on the user device and NetScaler Gateway is secured using HTTPS. All other traffic is secured using TLS. This diagram shows a detailed view of the deployment including the components and certificates on each server, plus the communication and port settings. The MS SQL database must be hosted on a dedicated server, and the connection between the database and Delivery Controller must be secured. For details regarding securing this link, see http://support.citrix.com/article/ctx137556. citrix.com 9

XenDesktop (internal network) This deployment provides end-to-end TLS encryption between the user device and the resources hosted on XenDesktop. The deployment includes Citrix Receiver, StoreFront, the Delivery Controller, and the VDA. The following table lists the components of the deployment and the operating systems required for the servers and client devices. XenDesktop Product/Components Delivery Controller (Secure Ticket Authority is part of the Desktop Controller) XenDesktop VDA Operating System Windows Server 2012 R2 x64 Windows 7 SP1 x64 StoreFront StoreFront 2.6 Windows Server 2012 R2 x64 User Devices Citrix Receiver for Windows 4.1 TLS-enabled web browser Windows 8.1 Update 1 x64 citrix.com 10

How the components interact Traffic between the web browser on the user device and StoreFront is secured using HTTPS. All other traffic is secured using TLS. This diagram shows a detailed view of the deployment including the components and certificates on each server, plus the communication and port settings. The MS SQL database must be hosted on a dedicated server and the connection between the database and Delivery Controller must be secured. For details regarding securing this link, see http://support.citrix.com/article/ctx137556. citrix.com 11

XenDesktop using NetScaler Gateway MPX FIPS (external access) The deployment includes Citrix Receiver, NetScaler Gateway MPX FIPS hardware appliance, StoreFront, the Delivery Controller, and the VDA. NetScaler Gateway terminates the TLS/HTTPS connections from the user device (browser and Citrix Receiver). Traffic from NetScaler Gateway through StoreFront, the Delivery Controller, and the VDA is secured using TLS. The following table lists the components of the deployment and the operating systems required for the servers and user devices. XenDesktop NetScaler Gateway Product/Components Delivery Controller (Secure Ticket Authority is part of the Desktop Controller) XenDesktop VDA NetScaler Gateway MPX FIPS hardware appliance 10.1 Operating System Windows Server 2012 R2 x64 Windows 7 SP1 x64 StoreFront StoreFront 2.6 Windows Server 2012 R2 x64 User Devices Citrix Receiver for Windows 4.1 TLS-enabled web browser Windows 8.1 Update 1 x64 citrix.com 12

How the components interact Traffic between the web browser on the user device and NetScaler Gateway is secured using HTTPS. All other traffic is secured using TLS. This diagram shows a detailed view of the deployment including where the components and certificates on each server, plus the communication and port settings. The MS SQL database must be hosted on a dedicated server, and the connection between the database and Delivery Controller must be secured. For details regarding securing this link, see http://support.citrix.com/article/ctx137556. citrix.com 13

Finding more information For more information regarding the products, requirements, and specific procedures, please see: Product-specific content at the Citrix product documentation site (http://support.citrix.com/proddocs). For more information about secure NetScaler Gateway deployments, see http://support.citrix.com/article/ctx129514. For more information regarding the XenApp and XenDesktop 7.6 FIPS support and features, see http://blogs.citrix.com/2014/10/16/xenapp-and-xendesktop-7-6-security-fips-140-2-and-ssl-to-vda/ For additional guidance regarding certificate management see, http://blogs.citrix.com/2014/12/11/how-to-secure-ica-connections-in-xenapp-and-xendesktop-7-6- using-ssl/ citrix.com 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information