Payment Card Industry and Citrix XenApp and XenDesktop Deployment Scenarios




Overview

Citrix XenApp, XenDesktop and NetScaler are commonly used in the creation of Payment Card Industry (PCI) Data Security Standard (DSS) compliant data processing systems. This document describes common PCI data processing designs and provides vendor guidance on the construction of secure data processing systems based on Citrix remoting technologies.

In the normal design, sensitive credit card data is restricted to a PCI data processing backend, with the accessing applications hosted on Citrix XenApp or XenDesktop and the screen and keyboard user experience delivered to the user, always on remote networks, via the Citrix Independent Computing Architecture (ICA) display remoting protocol. The PCI data processing backend is firewalled and separated from the main corporate network, and all user interaction is remote, across gateways, with no VPN and no direct network connectivity between the user computer and the protected applications. The only applications which can interact with the secure data are the ones specifically included in the administrator-defined PCI backend, and all user views of the protected data are via remote execution of the approved applications and systems.

By enabling centralized data processing and restricting PCI data access to only the approved components specifically included inside the protected environment, the scope of PCI evaluation is greatly reduced and security is greatly improved compared to making the protected systems and data accessible from all user devices. Data centralization is a core reason that Citrix technologies are often a primary component of a PCI compliant data processing system.

Revision History

2014-09-04  1.2  Clarified that the double-hop network configuration is partner or remote office
2014-02-26  1.1  Changed nomenclature describing NetScaler Gateway and Web App to clarify that these are modules running on NetScaler rather than included in all revisions
2013-12-10  1.0  First release

PCI Introduction

The Payment Card Industry (PCI) Data Security Standard (DSS) is a credit card industry standard which defines a required level of computer system security that must exist when processing credit card data. PCI DSS applies to merchants, processors, financial institutions and service providers, as well as all other entities that store, process or transmit cardholder data. PCI DSS certification is ultimately an agreement that a specified level of security is required, and certification that it exists.

Version 1.1 (26 Feb 2014)

Citrix XenApp 6.5 and XenDesktop 5.6 Security Standards and Deployment Scenarios

PCI Compliance is a certification given to a PCI data processing environment; there is no PCI certification for Citrix XenApp or XenDesktop, but it is very common for a PCI compliant data processing system to include these systems in its design.

PCI Tiers

The required level of security will often grow as a merchant's business grows and their PCI tier changes. The specific requirements of a certification will vary based upon the requirements of the issuing bank and the Qualified Security Assessor (QSA), and these may include expanded or reduced requirements compared to those presented in this paper.

Citrix XenApp and XenDesktop Introduction

Citrix XenApp and XenDesktop are server-based computing systems whose design goes back to the founding of Citrix in 1989. The technology has gone by many names, including WinFrame, MetaFrame, Presentation Server and, most recently, XenApp and XenDesktop. Applications on a Windows Terminal Server system (XenApp) or a whole desktop Windows operating system (XenDesktop) are run on computers inside a data center. Users are physically remote from the hosting computers. The screen, keyboard and other user experience items are presented to the user via the Citrix Receiver (terminal), which presents the remote execution of applications and desktops to the user as though the execution were occurring locally. While the computing is central, the user's view is that computing is on their end-user device. A single application can be overlaid onto the user's main desktop screen, or an entire separate desktop system can be run and reflected onto the user's computing device. Whether remoting applications or desktops, the user experience and remote delivery are the same: the execution and data are central, the screen and keyboard interaction are remote.

With the addition of ICA Proxy in the NetScaler Gateway module, it is possible to completely separate the user computer network from the protected network and eliminate the need for a traditional IP VPN. The ICA Proxy can relay keyboard and screen information from the protected PCI space to the user computer, permitting the user to do their work while keeping the end-user computer completely out of the protected network. The diagrams that follow show a simple non-PCI XenApp / XenDesktop configuration and then grow that to include PCI and eventually a double-hop PCI configuration which includes wide area accessibility.

Figure: Simple XenApp / XenDesktop server-based computing. Diagram labels: User Devices; Publishing data; XenApp XenDesktop Broker; Independent Computing Architecture (ICA) with Citrix Receiver; TS Workers and Workstation VMs. Notes: lacks separate networks (introduction only); single network scope from users to hosted execution; not sufficient for most protected data processing.

Remote Access using XenApp and XenDesktop

Citrix XenApp and XenDesktop are very popular tools for remote access to enterprise applications. The diagram below shows a hosted XenApp / XenDesktop farm along with publishing and the ability to reach corporate applications both from inside the company and, for internet-based users, via Citrix Receiver and the NetScaler Gateway module. Observe that in this diagram there is no separation between the company's main XenApp and XenDesktop spaces and the PCI applications, so this is an incomplete picture for remote access PCI, but it does provide the foundation for the PCI solution that follows.

Figure: Citrix Remote Access Configuration. Zones: Public Network (Internet); DMZ; Internal Network. Diagram labels: User Devices with Citrix Receiver; 443 HTTPS; NetScaler Web App; 443 TLS; Gateway ICA Proxy (No VPN); 1494 / 2598 ICA / CGP; XenApp XenDesktop Broker; Publishing; TS Workers and Workstation VMs.

Whether a user is local or remote, they get the same experience of hosted application and desktop execution. It is common that authentication from outside the company requires two-factor authentication, while access from inside the network requires only username and password.

Publishing and Application Launch

The starting point for a user is using the Citrix Receiver or a web browser to log on and enumerate the applications and desktops available to that user. The user will ultimately request an application or desktop launch. The launch process is described in detail below.

Application enumeration and launch via Citrix Receiver or web browser access to :

1. An endpoint user uses a web browser or Citrix Receiver to view the login page
   a. is a web service, running on top of Microsoft IIS
   b. User authenticates; this can be standard domain-based logon or smart card
2. queries published applications and desktops for this user
   a. Application names, desktop names and icons are returned to the client machine
   b. A web page is constructed and provided to the user's browser/receiver
3. User clicks a hyperlink in the web page or selects an application from Citrix Receiver
   a. Request is sent to to retrieve the ICA (Independent Computing Architecture) file for the selected application or desktop. The .ica file is a text file which contains the publishing information needed to tell the Citrix Receiver how to connect to the server-based execution of the application or desktop
   b. contacts the publishing backend on XenApp/XenDesktop and requests a TS server or workstation assignment
   c. For local execution cases, the ICA file includes the server assignment (not the PCI case)
   d. For remote execution, the ICA file includes
      i. The NetScaler fully-qualified domain name. The ICA file does not contain any information regarding the internal network addresses or the server assignment
      ii. A Secure Ticket Authority launch ticket (STA ticket), which is created and included in the .ica file
4. Citrix Receiver on the client initiates a connection to the gateway and provides the tickets
   a. This connection uses TLS to ensure data confidentiality and integrity are maintained
   b. NetScaler Gateway contacts the Secure Ticket Authority server and provides the STA ticket
   c. The Secure Ticket Authority validates the STA ticket and returns the stored IP address of the server or workstation that contains the requested application or desktop
5. The NetScaler Gateway initiates an ICA session with that server / workstation
6. NetScaler Gateway is the ICA proxy between the networks
   a. From the end-user Receiver's view, the ICA Proxy gateway is the server
   b. From the server's view, the gateway is the user
   c. Keyboard and screen data are relayed by the NetScaler Gateway
   d. No direct network connection exists from the user network to the protected network
7. Eventually the application or desktop terminates and the connection is closed

PCI Implementation Internal Network Only

When a merchant's quantity of PCI transactions grows, the Issuing Bank may require improvements to data processing security so that credit card data processing occurs in a space that is separate from
the main corporate network. If no XenApp or XenDesktop environment exists and remote access from the internet is not required, the following solution can provide an effective separation of the primary corporate network and the PCI space. This has the advantage of limiting visibility of the PCI data to only the applications and systems in the PCI back-end, keeping the majority of the existing corporate network out of scope for PCI.

Figure: PCI Internal Access Configuration, App and ICA Proxy Gateway. Zones: Internal Network (out of scope); PCI Network (in scope for PCI evaluation). Diagram labels: User Devices with Citrix Receiver; 443 HTTPS; NetScaler Web App; 443 TLS; Gateway ICA Proxy (No VPN); Independent Computing Architecture (ICA); Citrix Gateway Protocol (CGP); Publishing; XenApp XenDesktop Broker; TS Workers and Workstation VMs; Credit Card Database.

Observe that remote access is used inside. In the diagram, the internal network is drawn small, but it would normally be much larger than the restricted PCI area. The value of this configuration is that the PCI applications can be separated from the non-PCI majority of the corporate data center, creating a smaller scope for evaluation. Only the PCI space applications and desktops can see the protected data, and the only connection from the protected space to main corporate computers is via ICA Proxy. There is no user network connectivity between the corporate network and the secured spaces.
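The ticketed launch sequence in the Publishing and Application Launch steps above is what keeps internal addresses out of the user's hands in every configuration, including the internal-only one just described: the .ica file names only the gateway and a ticket, and the gateway redeems that ticket with the Secure Ticket Authority before relaying anything. The following toy model is an added example, not Citrix code; the ticket format, the SecureTicketAuthority class, the TICKET_TTL_SECONDS value, the dictionary standing in for a .ica file and the sample host names and addresses are all assumptions made for illustration.

```python
"""Toy model of the STA-ticketed launch sequence (added example, not Citrix code).

Assumed for illustration: the ticket format, the SecureTicketAuthority class,
the TICKET_TTL_SECONDS value and the dictionary used to stand in for a .ica file.
"""
import secrets
import time

TICKET_TTL_SECONDS = 100  # assumed lifetime for this model


class SecureTicketAuthority:
    """Issues one-time launch tickets that map to an internal host address."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested
        self._tickets = {}             # ticket -> (internal_address, expiry)

    def issue(self, internal_address):
        """Store the broker's host assignment and hand back an opaque ticket."""
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (internal_address, self._clock() + TICKET_TTL_SECONDS)
        return ticket

    def redeem(self, ticket):
        """Return the internal address for a valid ticket, else None.

        The ticket is removed on first use, so a replayed or guessed ticket
        resolves to nothing; an expired ticket is discarded without resolving.
        """
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        address, expiry = entry
        if self._clock() > expiry:
            return None
        return address


def broker_launch(sta, gateway_fqdn, assigned_host):
    """Broker side of step 3: pick a host, get an STA ticket, build the .ica file.

    The constructed .ica stand-in names only the gateway and the ticket.
    """
    ticket = sta.issue(assigned_host)
    return {"Address": gateway_fqdn, "STATicket": ticket}


def gateway_connect(sta, ica_file):
    """Gateway side of steps 4-5: redeem the ticket, then (and only then) relay."""
    target = sta.redeem(ica_file["STATicket"])
    if target is None:
        return {"relay_to": None, "reason": "ticket invalid, expired or already used"}
    return {"relay_to": target, "reason": "ok"}


def ica_file_names_internal_host(ica_file, internal_hosts):
    """Defender check: does any field of the launch file expose an internal host?"""
    return any(host in str(value) for value in ica_file.values() for host in internal_hosts)


if __name__ == "__main__":
    sta = SecureTicketAuthority()
    # Constructed sample values: a gateway name and an internal worker address.
    ica = broker_launch(sta, "gateway.example.net", "10.0.5.21")
    print("launch file:", ica)
    print("first connect:", gateway_connect(sta, ica))
    print("replayed connect:", gateway_connect(sta, ica))
```

The check worth keeping from this model is the last function: a launch file that reaches a user device should never carry an internal address, and a ticket presented twice, or after its lifetime, should never resolve to one.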

PCI With Remote Access (XenApp and XenDesktop)

Achieving PCI data separation AND remote access uses two hops. The first hop gets the remote user into the company internal network; the second hop provides access to the PCI applications. The diagram below is effectively equal to the XenApp/XenDesktop remote access configuration combined with the simple PCI internal-only deployment earlier in this document. In this configuration, the users will be 1) internal, shown in the diagram as User Computers, or 2) external, shown in the diagram as User Computers with Citrix Receiver. In both cases the user view of the applications is the same, though in the external case an additional hop is required to get to the protected data, as these are published only to internal resources.

Figure: PCI Network Double-Hop ICA Proxy Configuration. Zones: Remote Network; DMZ; Internal network; DMZ; PCI Environment. Diagram labels: User Computers with Citrix Receiver; 443 HTTPS; 443 TLS; NetScaler Web App; Gateway ICA Proxy (No VPN); Publishing; ICA & CGP 1494 / 2598; XenApp XenDesktop Non-PCI Applications; User Computers; Workers; a second NetScaler Web App and Gateway ICA Proxy (No VPN) with 443 HTTPS, 443 TLS, Publishing and ICA & CGP 1494 / 2598; XA/XD PCI Apps; Broker; Credit Card Database. Out of scope for PCI evaluation: the primary corporate network and existing remote access systems; outside users can access the PCI space via the two-hop Citrix environment; internal PCs and other computers can access the PCI environment on a single hop. In scope for PCI evaluation: PCI data processing is firewalled from the corporate network; accessed by users using Citrix Receiver; access to PCI published components is restricted to internal resources.

User sessions running on the internal network XenApp/XenDesktop cannot themselves see the PCI protected applications, but they can be used to remotely execute the applications running on the protected PCI back-end. Remote users will first log on to a hosted desktop in the Internal Network and then run a PCI application on the PCI network. Internal network users can access the PCI space directly via the PCI environment remoting to their computers inside the corporate network. Some customers prefer to limit all access to the PCI space to exclusively double-hop configurations, even for internal users.

In the diagrams, many firewalls are shown, often on both sides of the NetScaler in the DMZ. Installed firewalls should follow the firewall vendor guidance for configuration with a minimum of
ports open to access the protected systems. In most external spaces, only TLS port 443 must be open. Internally, the TLS and ICA ports are opened to the NetScaler Gateway.

NetScaler Gateway Web Application

NetScaler Platinum Edition provides the Web Application that is placed in front of the IIS web server hosting. NetScaler can provide this function as well as the ICA Proxy functions required for display remoting across networks.

NetScaler Gateway - ICA Proxy

The NetScaler Gateway module provides the Access Gateway ICA Proxy to connect hosted application and desktop execution to the Citrix Receivers on user systems. Before starting the ICA relay, the Gateway receives Secure Ticket Authority (STA) tickets and commands to define proxy relays from specific host systems to specific user machines. The gateway relays ICA data only to/from specific endpoints. There is no traditional VPN between the protected and non-protected spaces.

Conclusion

Data centralization, hosted computing and remote display provide significant value in security and also in audit. By restricting PCI data to only a small protected space, that space can be audited more completely and efficiently than attempting to certify an entire corporate internal network. Data centralization, firewalls and remote execution provide an environment for protecting data from unauthorized access, while enabling access to that data for authorized users from a variety of end-user Citrix Receiver devices. Since the Receiver is logically a terminal, the quantity of data that leaves the protected space is minimized, and the business can operate with a well understood configuration and an accepted level of risk.
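The zone-and-port rules the paper describes (only TLS 443 from outside; TLS and ICA ports internally to the gateway; PCI components published only to internal resources; no VPN and no direct user connectivity into the PCI space) can be checked mechanically against a rule set before an assessor does it by hand. The following is an added example and not part of the paper: the zone names, the sample rule list and the database port are constructed to model the double-hop diagram, and the model treats each ICA proxy zone as a connection boundary (it relays screen and keyboard data, it does not route packets), which is the property the design depends on. The two checks ask the questions that matter for scope: can any user zone reach a PCI zone without crossing a proxy, and how many proxy hops does each user population need.

```python
"""Reachability check over the zoned design in the paper's diagrams.

Added example, not from the paper. Zone names, the sample rule set and the
database port are constructed; 443, 1494 and 2598 are the ports the paper lists.
An ICA proxy zone is modelled as a connection boundary, never as a router.
"""
from collections import deque

ICA_PROXY_ZONES = {"dmz_gateway", "pci_dmz_gateway"}
USER_ZONES = {"remote_users", "internal_users"}
PCI_ZONES = {"pci_workers", "pci_database"}

# Constructed sample rule set: (source_zone, destination_zone, port).
ALLOWED_FLOWS = [
    ("remote_users", "dmz_gateway", 443),            # outside: only TLS 443
    ("dmz_gateway", "internal_workers", 443),
    ("dmz_gateway", "internal_workers", 1494),       # ICA
    ("dmz_gateway", "internal_workers", 2598),       # CGP
    ("internal_users", "internal_workers", 1494),
    ("internal_users", "pci_dmz_gateway", 443),      # internal users: single hop
    ("internal_workers", "pci_dmz_gateway", 443),    # second hop for remote users
    ("pci_dmz_gateway", "pci_workers", 443),
    ("pci_dmz_gateway", "pci_workers", 1494),
    ("pci_dmz_gateway", "pci_workers", 2598),
    ("pci_workers", "pci_database", 1433),           # assumed database port
]


def reachable_without_proxy(flows, start):
    """Zones reachable from `start` without entering any ICA proxy zone."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, _port in flows:
            if src == zone and dst not in seen and dst not in ICA_PROXY_ZONES:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


def direct_pci_exposure(flows):
    """(user_zone, pci_zone) pairs joined by a path that bypasses every proxy.

    An empty list is the expected answer for a rule set that matches the design.
    """
    exposure = []
    for user_zone in sorted(USER_ZONES):
        for zone in sorted(reachable_without_proxy(flows, user_zone)):
            if zone in PCI_ZONES:
                exposure.append((user_zone, zone))
    return exposure


def min_proxy_hops(flows, start):
    """Fewest ICA proxy hops from `start` to any PCI zone, or None if unreachable.

    0-1 BFS: entering a proxy zone costs 1, any other edge costs 0.
    """
    best = {start: 0}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, _port in flows:
            if src != zone:
                continue
            cost = best[zone] + (1 if dst in ICA_PROXY_ZONES else 0)
            if cost < best.get(dst, float("inf")):
                best[dst] = cost
                if dst in ICA_PROXY_ZONES:
                    queue.append(dst)       # cost-1 edge goes to the back
                else:
                    queue.appendleft(dst)   # cost-0 edge goes to the front
    hops = [best[zone] for zone in PCI_ZONES if zone in best]
    return min(hops) if hops else None


if __name__ == "__main__":
    print("direct exposure:", direct_pci_exposure(ALLOWED_FLOWS))
    for user_zone in sorted(USER_ZONES):
        print(user_zone, "->", min_proxy_hops(ALLOWED_FLOWS, user_zone), "proxy hop(s)")
    # A single stray rule is enough to pull a user zone into PCI scope.
    leaky = ALLOWED_FLOWS + [("internal_users", "pci_database", 1433)]
    print("with a stray rule:", direct_pci_exposure(leaky))
```

On the sample rule set the exposure list is empty, remote users need two proxy hops and internal users one, matching the diagram's notes; adding one rule from an internal user zone to the database drops the hop count to zero and names the pair an assessor would flag.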
Supporting documents

Overview of NetScaler Web Application module and PCI DSS
http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/pci-dsssuccess-achieving-compliance-and-increasing-web-application-availability.pdf

Common Criteria Certifications and Security Targets for XenApp, XenDesktop and NetScaler
http://www.citrix.com/support/security-compliance/common-criteria.html