XenApp Security - You can configure the following areas to provide security in a XenApp environment:
- Data and application access
- ICA Traffic
- Two-Factor Authentication
- Secure Paste
- Antivirus and Endpoint Security Software
Data and application access - While configuring the security needs of a virtualized environment, you must also maintain data and application access for users within the XenApp environment. For example, when securing an environment, you need to decide whether to allow printer creation, map client drives for data access through user sessions, or enable copy and paste functionality between the ICA session and the local user device. These decisions are based on the specific security policies and standards of each organization, which need to be reviewed and enforced within the XenApp infrastructure.
ICA Traffic - There are two methods of securing ICA Traffic:
- Secure ICA - You can secure ICA traffic on the internal network using SecureICA encryption to meet regulations such as HIPAA, SOX, and PCI compliance, which require the encryption of all end-to-end application communications. SecureICA encryption is a standard feature of the XenApp infrastructure and can be set to one of the following encryption levels:
• Basic
• RC5 (128-bit) logon only
• RC5 (40-bit)
• RC5 (56-bit)
• RC5 (128-bit)
Note: RC5 (Rivest Cipher) is a block cipher method of cryptography. RC5 was the basis for the latest Advanced Encryption Standard (AES), which is the encryption standard used by the U.S. Government.
- SSL Relay - ICA traffic between the Web Interface servers and the XenApp servers can be secured by configuring SSL Relay for the XenApp infrastructure. SSL Relay is commonly used to secure Citrix XML traffic, especially when the Web Interface server is located in the perimeter network.
Two-Factor Authentication - Two-factor authentication, using a smart card or security token, can be integrated into a XenApp environment through the Web Interface or Citrix Access Gateway. The following two-factor authentication methods are built in:
• RSA SecurID
• RADIUS server
• Aladdin SafeWord for Citrix
Secure Paste - You can further secure XenApp sessions by enabling the Secure Paste registry setting on each of the XenApp servers. When enabled, end users are unable to copy and paste data from a published application to a local application. Users can still copy and paste data from a local application to a published application and between published applications. This ensures that sensitive data remains in the datacenter and not on a local device. Be aware that enabling Secure Paste affects all sessions on the XenApp server. Conduct proper testing before implementing Secure Paste in a production environment.
Antivirus and Endpoint Security Software - You should configure antivirus and endpoint security software on all servers within a XenApp infrastructure. End users access these servers directly, which puts them at risk as a first-tier application interface. When an antivirus solution is installed on a XenApp server, you should configure it to reduce the performance impact on the XenApp servers. By default, antivirus solutions typically use real-time scanning functionality to scan every read and write action that occurs on a system. Constant scanning of every read and write that occurs on a XenApp server can create high resource utilization of the CPU, memory, and disk.
It is recommended that you configure real-time scanning on every write to the XenApp server, rather than on every read. Viruses and worms perform write actions; therefore, limiting the real-time scanning to writes is an effective way to provide protection while still limiting the performance impact on the XenApp servers. Another method of providing virus protection is to install the antivirus software on the XenApp servers but turn off the real-time scanning functionality for both read and write actions. You can then configure regularly scheduled complete system scans to meet security requirements, as well as provide adequate protection for the XenApp environment. Antivirus and endpoint security solutions can also be moved to the network level to avoid the installation of these solutions locally on the XenApp infrastructure. For more information about antivirus software guidelines, see Citrix article CTX114522.
XenApp Farm Migration - Manually building and migrating to a new XenApp farm can be time consuming and can lead to errors if not planned properly. You can automate the migration of XenApp 5 or newer farms by using the Citrix XenApp Migration Center or PowerShell cmdlets from a XenApp server in the new farm.
Utility | Description
- Migration Center:
• Allows you to easily configure the required migration settings
• Imports all object types from the source XenApp farm
• Imports all property values for the object types
• Supports only the direct migration method
- PowerShell:
• Requires a series of cmdlets, which must be fully understood and run in the correct order
• Allows you to select which object types to import from the source XenApp farm
• Allows you to select which property values to import
• Supports both direct and indirect migration methods (an indirect migration exports legacy XenApp farm settings to an XML file that can later be imported into the new XenApp farm)
Object Types - The following table describes which object types can be automatically migrated to the new XenApp farm and which object types must be manually migrated.
Migrated Automatically | Not Migrated Automatically
- Migrated Automatically:
• Administrator accounts
• Applications
• Folders (application and server)
• Health Monitoring and Recovery (HMR) test configurations
• Load evaluators
• Session printers
• XenApp farm administrators
• XenApp farm policies
• XenApp farm settings
• XenApp server settings
- Not Migrated Automatically:
• Active Directory policies
• Configuration Logging settings
• Custom HMR test executable files
• Printer drivers
• Printer driver mappings
• XenApp server registry settings
• Zones