Technical security overview

Citrix Cloud manages the operation for Citrix Gateway Services, replacing the need for customers to manage the NetScaler Gateway appliance. Citrix Gateway Service is provisioned through Citrix Workspace app.

Citrix Gateway Service provides the following capabilities:

HDX Connectivity: The Virtual Delivery Agents (VDAs) hosting the apps and desktops remain under the customer’s control in the data center of their choice, either cloud or on-premises. These components are connected to the cloud service using an agent called the Citrix Cloud Connector.

DTLS 1.2 protocol support: Citrix Gateway Service supports Datagram Transport Layer Security (DTLS) 1.2 for HDX sessions over EDT (UDP-based transport protocol). The following cipher suites are supported:

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS protocol support: Citrix Gateway Service supports the following TLS cipher suites:

• TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
• TLS1.2-ECDHE-RSA-AES-256-SHA384
• TLS1-ECDHE-RSA-AES128-SHA
• TLS1.2-AES256-GCM-SHA384
• TLS1-AES-256-CBC-SHA

Endpoint Management integration: When integrated with Citrix Endpoint Management plus Citrix Workspace, the Citrix Gateway Service provides secure remote device access to your internal network and resources. Onboarding the Citrix Gateway Service with Endpoint Management is fast and simple. The Citrix Gateway Service includes full support of Citrix SSO for apps such as Secure Mail and Secure Web.

Data flow

Citrix Gateway Service is a globally distributed multitenant service. End users use the nearest Point-of-Presence (PoP) where the particular function that they need is available, regardless of Citrix Cloud Control plane geo-selection or the location of the applications being accessed. Configuration, such as authorization meta-data is replicated to all PoPs.

Logs used by Citrix for diagnostic, monitoring, business, and capacity planning are secured and stored in one central location.

Customer configuration is stored in one central location and distributed globally to all PoPs.

Data flowing between the cloud and customer premises uses secure TLS connections over port 443.

Encryption keys used for user authentication and single sign-on are stored in hardware security modules.

Data isolation

The Citrix Gateway Service stores the following data:

• Configuration data needed for the brokering and monitoring of the customer’s applications – data is scoped by the customer when persisted.
• TOTP seeds for each user device – TOTP seeds are scoped by customer, user, and device.

Audit and Change Control

Currently the Citrix Gateway Service does not make auditing and change control logs available to customers. Logs are available to Citrix which can be used to audit the activities of end-user and administrator.

Credential handling

The service handles two types of credentials:

• User credentials: End-user credentials (passwords and authentication tokens) might be made available to the Citrix Gateway Service to perform the following:
  • Citrix Secure Private Access - The service uses the user’s identity to determine access to SaaS and Enterprise web applications and other resources.
  • Single sign-on - The service might have access to the user’s password to complete the SSO function to internal web applications using HTTP Basic, NTLM, or forms-based authentication. The encryption protocol used for password is TLS unless you specifically configure HTTP Basic authentication.
• Administrator credentials: Administrators authenticate against Citrix Cloud. This generates a one-time signed JSON Web Token (JWT) which gives the administrator access to the management consoles in Citrix Cloud.

Points to note

• All traffic over public networks is encrypted by TLS, using certificates managed by Citrix.
• Keys used for SaaS app SSO (SAML signing keys) are fully managed by Citrix.
• For MFA, the Citrix Gateway Service stores the per-device keys used to seed the TOTP algorithm.
• To enable Kerberos Single Sign-On functionality, customers might configure Connector Appliance with credentials (user name + password) for a service account trusted to perform Kerberos Constrained Delegation.

Deployment considerations

Citrix recommends that users consult the published best practices documentation for deploying Citrix Gateway Services. More considerations regarding SaaS apps and Enterprise web apps deployment, and network connector are as follows.

Selecting the correct Connector: The correct connector must be selected, depending on the use case:

Citrix Cloud Connector network access requirements

For information on Citrix Cloud Connector network access requirements, see https://docs.citrix.com/en-us/citrix-cloud/overview/requirements/internet-connectivity-requirements.html

Citrix Gateway Service HDX Connectivity

Using the Citrix Gateway Service avoids the need to deploy NetScaler Gateway within the customer data centers. To use the Citrix Gateway Service, it is a prerequisite to use Citrix Workspace delivered from Citrix Cloud.

Customer best practices

Customers are recommended to use TLS within their network and not enable SSO for applications over HTTP.

Deprecated cipher suites

The following cipher suites are deprecated for enhanced security:

• TLS1.2-AES128-GCM-SHA256
• TLS1.2-AES-128-SHA256
• TLS1.2-AES256-GCM-SHA384
• TLS1.2-AES-256-SHA256
• TLS1.2-DHE-RSA-AES-256-SHA256
• TLS1.2-DHE-RSA-AES-128-SHA256
• TLS1.2-DHE-RSA-AES256-GCM-SHA384
• TLS1.2-DHE-RSA-AES128-GCM-SHA256
• SSL3-DES-CBC3-SHA
• TLS1-ECDHE-RSA-AES256-SHA
• TLS1-AES-256-CBC-SHA
• TLS1-AES-128-CBC-SHA
• TLS1-ECDHE-ECDSA-AES256-SHA
• TLS1-ECDHE-ECDSA-AES128-SHA
• TLS1-DHE-RSA-AES-256-CBC-SHA
• TLS1-DHE-RSA-AES-128-CBC-SHA
• TLS1-DHE-DSS-AES-256-CBC-SHA
• TLS1-DHE-DSS-AES-128-CBC-SHA
• TLS1-ECDHE-RSA-DES-CBC3-SHA
• TLS1.2-ECDHE-RSA-AES-128-SHA256
• TLS1.2-ECDHE-ECDSA-AES128-SHA256
• TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384
• TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256