Virtual Environment Security - Once the virtualization solutions have been implemented, you should secure access to the network, applications, and other resources in the environment using Citrix solutions such as Access Gateway and Single Sign-on.
Introduction

Single Sign-on (SSO) provides password security and single sign-on access to Windows, Web, and terminal emulator applications in a virtualized environment. SSO both enhances password security in an organization and reduces help desk calls by allowing end users to reset their passwords or unlock their accounts. SSO is a Platinum edition component of XenDesktop and XenApp. The Single Sign-on Plug-in must be installed on XenApp servers in order for end users to receive the service when using published applications. The plug-in must also be installed on XenDesktop vDisk images to make the service available for use with locally installed applications. SSO requires a central store, which holds end user credentials and configurations. In the CVE-401 lab environment, we will use a network file share. Production deployments typically use Active Directory for the configuration and integration of end users.
XenDesktop Security - You can ensure that your XenDesktop environment is secure by configuring:
- Secure end user authentication
- Certificates
- Endpoint antivirus protection
User Authentication - If XenDesktop virtual desktops need to be delivered securely over the Internet in an environment, then you can implement Citrix Access Gateway. The Citrix Access Gateway provides connections to the Web Interface and presents a logon page to the end user. When the end user authenticates and clicks on a desktop group, an HDX session that is encapsulated within an SSL tunnel launches.
For more information about how to configure Access Gateway with XenDesktop, see Citrix article CTX127595.

Certificates - Citrix recommends HTTPS for communication between XenDesktop and XenServer. To use HTTPS, you must replace the default SSL certificate installed with XenServer with one from a trusted certificate authority. For more information about replacing the default XenServer SSL certificate, see Citrix eDocs at eDocs.citrix.com.
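One way to confirm the replacement took effect is to attempt a fully verified TLS handshake against the XenServer host from a client and see why it fails, if it does. This is an added example, not Citrix code; the function names and the placeholder host name are assumptions.

```python
import socket
import ssl

# OpenSSL verification codes mapped to what they mean for this deployment step.
HINTS = {
    10: "certificate has expired; reissue it from the CA",
    18: "self-signed certificate; the host certificate has not been "
        "replaced with a CA-issued one",
    19: "chain ends in a root that is not in the client trust store",
    20: "issuing CA is not in the client trust store, or the host omits "
        "an intermediate certificate",
    62: "certificate does not cover the name used to reach the host",
}


def diagnose(verify_code):
    """Translate an OpenSSL verify code into a remediation hint."""
    return HINTS.get(verify_code,
                     "verification failed (OpenSSL code %d)" % verify_code)


def check_host_certificate(host, port=443, cafile=None, timeout=5.0):
    """Attempt a verified TLS handshake and report whether it succeeded.

    cafile: optional PEM bundle (for example an internal CA); when omitted
    the system trust store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname checks
    result = {"host": host, "trusted": False, "detail": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = dict(rdn[0] for rdn in cert["issuer"])
                result["trusted"] = True
                result["detail"] = "issued by %s, expires %s" % (
                    issuer.get("commonName", "unknown"), cert["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        result["detail"] = diagnose(exc.verify_code)
    except OSError as exc:  # refused, timed out, or peer not speaking TLS
        result["detail"] = "no TLS session: %s" % exc
    return result


if __name__ == "__main__":
    # Placeholder host name; substitute the address XenDesktop uses.
    print(check_host_certificate("xenserver.example.internal"))
```

Run it with the same host name that XenDesktop is configured to use, since a certificate issued for a different name fails the hostname check even when the chain is trusted.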
Endpoint Antivirus Protection - User devices that are not managed and administered by the organization cannot be assumed to be under administrative control. For example, some organizations allow end users to obtain and configure their own end user devices. This practice does not guarantee that those end users will follow Citrix-recommended XenDesktop security practices. Antivirus protection from within a virtual desktop environment should meet the organization's standards and security practices. To successfully deliver antivirus protection in a virtual desktop operating system, consider the following:
- The real-time scanning features of an antivirus application should be configured to minimize the performance impact on virtual desktops. This can be done by enabling Scan On Write Access and disabling Scan On Read Access.
- Virtual desktops that are in standard image mode can use group policies, logon scripts or other management tools to ensure that each virtual desktop restart triggers an antivirus update.
