Integrating and deploying Secure Web
To integrate and deliver Secure Web, follow these general steps:
-
To enable single sign-on (SSO) to the internal network, configure Citrix Gateway.
For HTTP traffic, Citrix ADC can provide SSO for all proxy authentication types supported by Citrix ADC. For HTTPS traffic, the Web password caching policy enables Secure Web to authenticate and provide SSO to the proxy server through MAM SDK. MSM SDK supports basic, digest, and NTLM proxy authentication only. The password is cached using MAM SDK and stored in the Endpoint Management shared vault, a secure storage area for sensitive app data. For details about Citrix Gateway configuration, see Citrix Gateway.
- Download Secure Web.
- Determine how you want to configure user connections to the internal network.
- Add Secure Web to Endpoint Management, by using the same steps as for other MDX apps and then configure MAM SDK policies. For details about policies specific to Secure Web, see About Secure Web Policies.
Configuring user connections
Secure Web supports the following configurations for user connections:
-
Tunneled – Web SSO: Connections that tunnel to the internal network can use a variation of a clientless VPN, referred to as Tunneled – Web SSO.
-
Reverse Split Tunneling: In the REVERSE mode, the traffic for intranet applications bypasses the VPN tunnel while other traffic goes through the VPN tunnel. This policy can be used to log all non-local LAN traffic.
Split Tunneling
In split tunneling mode, the traffic for the intranet applications is routed through a VPN, while other traffic bypasses it. This feature improves the performance of applications that don’t require VPN protection and it also makes sure security when accessing internal resources when connected to the internet.
For both Android and iOS, when the Split Tunneling is on, you have two options:
-
Define an intranet IP address range: It allows you to access the intranet site by opening Secure Web (with mVPN) and using the IP address that you define (for example,
https://10.8.0.8
). -
Define intranet applications that support wildcards: It allows you to access the intranet site by opening Secure Web (with mVPN) and using the domain address that you define (for example,
https://abc.example.com
).
Configuration steps for reverse split tunneling
To configure Split Tunneling Reverse mode on the Citrix Gateway, do the following steps:
- Navigate to Policies > Session policy.
- Select the Secure Hub policy and then navigate to Client Experience > Split Tunnel.
- Select REVERSE.
The Reverse Split Tunnel Mode Exclusion list MDX policy
You configure the Reverse Split Tunnel Mode policy with the Exclusion range from within Citrix Endpoint Management. The range is based on a comma-separated list of DNS suffixes and FQDN. This list defines the URLs for which traffic should be directed over the device’s LAN, and not sent to Citrix ADC.
The following table notes whether Secure Web prompts a user for credentials, based on the configuration and site type:
Connection mode | Site type | Password Caching | SSO configured for Citrix Gateway | Secure Web prompts for credentials on first access of a website | Secure Web prompts for credentials on subsequent access of the website | Secure Web prompts for credentials on after password change |
---|---|---|---|---|---|---|
Tunneled – Web SSO | HTTP | No | Yes | No | No | No |
Tunneled – Web SSO | HTTPS | No | Yes | No | No | No |
Secure Web policies
When adding Secure Web, be aware of these MAM SDK policies that are specific to Secure Web. For all supported mobile devices:
Allowed or blocked websites
Secure Web normally does not filter web links. You can use this policy to configure a specific list of allowed or blocked sites. You configure URL patterns to restrict the websites the browser can open, formatted as a comma-separated list. A plus sign (+) or minus sign (-) precedes each pattern in the list. The browser compared a URL against the patterns in the order listed until a match is found. When a match is found, the prefix dictates the action taken as follows:
- A minus (-) prefix instructs the browser to block the URL. In this case, the URL is treated as if the web server address can’t be resolved.
- A plus (+) prefix allows the URL to be processed normally.
- If neither + or - is provided with the pattern, + (allow) is assumed.
- If the URL does not match any pattern in the list, the URL is allowed
To block all other URLs, end the list with a minus sign followed by an asterisk (-*). For example:
- The policy value
+http://*.mycorp.com/*,-http://*,+https://*,+ftp://*,-*
allows HTTP URLs withinmycorp.com
domain, but blocks them elsewhere, permits HTTPS and FTP URLS anywhere, and blocks all other URLs. - The policy value
+http://*.training.lab/*,+https://*.training.lab/*,-*
allows users to open any sites in Training.lab domain (intranet) via HTTP or HTTPS. The policy value doesn’t let users open public URLs, such as Facebook, Google, Hotmail, irrespective of protocol.
The default value is empty (all URLs allowed).
Block pop-ups
Popups are new tabs that websites open without your permission. This policy determines whether Secure Web allows popups. If On, Secure Web prevents websites from opening pop-ups. The default value is Off.
Preloaded bookmarks
Defines a preloaded set of bookmarks for the Secure Web browser. The policy is a comma-separated list of tuples that include a folder name, friendly name, and web address. Each triplet must be of the form folder, name, url where folder and name might optionally be enclosed in double quotes (“).
For example, the policy values,"Mycorp, Inc. home page",https://www.mycorp.com, "MyCorp Links",Account logon,https://www.mycorp.com/Accounts "MyCorp Links/Investor Relations","Contact us",https://www.mycorp.com/IR/Contactus.aspx
define three bookmarks. The first is a primary link (no folder name) titled “Mycorp, Inc. home page”. The second link is placed in a folder titled “MyCorp Links” and labeled “Account logon”. The third is placed in the “Investor Relations’ subfolder of the “MyCorp Links” folder and displayed as “Contact us”.”
The default value is empty.
Home page URL
Defines the website that Secure Web loads when started. The default value is empty (default start page).
For supported Android and iOS devices only:
Browser user interface
Dictates the behavior and visibility of browser user interface controls for Secure Web. Normally all browsing controls are available. These include forward, backward, address bar, and the refresh/stop controls. You can configure this policy to restrict the use and visibility of some of these controls. The default value is All controls visible.
Options:
- All controls visible. All controls are visible and users aren’t restricted from using them.
- Read-only address bar. All controls are visible, but users can’t edit the browser address field.
- Hide address bar. Hides the address bar, but not other controls.
- Hide all controls. Suppresses the entire toolbar to provide a frameless browsing experience.
Enable web password caching
When Secure Web users enter credentials when accessing or requesting a web resource, this policy determines whether Secure Web silently caches the password on the device. This policy applies to passwords entered in authentication dialogs and not to passwords entered in web forms.
If On, Secure Web caches all passwords users enter when requesting a web resource. If Off, Secure Web does not cache passwords and removes existing cached passwords. The default value is Off.
Proxy servers
You can also configure proxy servers for Secure Web when used in Tunneled – Web SSO mode. For details, see this blog post.
DNS suffixes
On Android, if DNS suffixes aren’t configured, the VPN might fail. For details on configuring DNS suffixes, see Supporting DNS Queries by Using DNS Suffixes for Android Devices.
Preparing intranet sites for Secure Web
This section is for website developers who need to prepare an intranet site for use with Secure Web for Android and iOS. Intranet sites designed for desktop browsers require changes to work properly on Android and iOS devices.
Secure Web relies on Android WebView and iOS WkWebView to provide web technology support. Some of the web technologies supported by Secure Web are:
- AngularJS
- ASP .NET
- JavaScript
- jQuery
- WebGL
- WebSockets (only in unrestricted mode)
Some of the web technologies not supported by Secure Web are:
- Flash
- Java
The following table shows the HTML rendering features and technologies supported for Secure Web. ‘X’ indicates that the feature is available for a platform, browser, and component combination.
Technology | Secure Web for iOS | Secure Web for Android |
---|---|---|
JavaScript engine | JavaScriptCore | V8 |
Local Storage | X | X |
AppCache | X | X |
IndexedDB | X | |
SPDY | X | |
WebP | X | |
srcet | X | X |
WebGL | X | |
requestAnimationFrame API | X | |
Navigation Timing API | X | |
Resource Timing API | X |
Technologies work the same across devices; however, Secure Web returns different user agent strings for different devices. To determine the browser version used for Secure Web, you can view its user agent string. You can check the user agent from the Secure Web logs. To collect the Secure Web logs, navigate to Secure Hub > Help > Report Issue. Select Secure Web from the list of apps. You receive an email, which has the zipped log files attached.
Troubleshooting intranet sites
To troubleshoot rendering issues when your intranet site is viewed in Secure Web, compare how the website renders on Secure Web and a compatible third-party browser.
For iOS, the compatible third-party browsers for testing are Chrome and Dolphin.
For Android, the compatible third-party browser for testing is Dolphin.
Note:
Chrome is a native browser on Android. Do not use it for the comparison.
In iOS, make sure that the browsers have device-level VPN support. You can configure this support on the device in Settings > VPN > Add VPN Configuration.
You can also use VPN client apps available on the App Store, such as Citrix Secure Access, Cisco AnyConnect, or Pulse Secure.
- If a webpage renders the same for the two browsers, the issue is with your website. Update your site and make sure it works well for the OS.
- If the issue on a webpage appears only in Secure Web, contact Citrix Support to open a support ticket. Please provide your troubleshooting steps, including the tested browser and OS types. If Secure Web for iOS has rendering issues, you can include a web archive of the page as described in the following steps. Doing so helps Citrix resolve the issue faster.
Verify SSL connectivity
Make sure that the SSL certificate chain is properly configured. You can check for missing Root or Intermediate CAs that aren’t linked or installed on mobile devices by using the SSL Certificate Checker.
Many server certificates are signed by multiple hierarchical Certificate Authorities (CA), which means that the certificates form a chain. You must link these certificates. For information about installing or linking your certificates, see Install, link, and update certificates.
To create a web archive file
By using Safari on macOS 10.9 or later, you can save a webpage as a web archive file (referred to as a reading list). The web archive file includes all linked files, such as images, CSS, and JavaScript.
-
From Safari, empty the Reading List folder: In the Finder, click the Go menu in the Menu bar, choose Go to Folder, type the path name ~/Library/Safari/ReadingListArchives/. Now delete all the folders in that location.
-
In the Menu bar, go to Safari > Preferences > Advanced and enable Show Develop menu in menu bar.
-
In the Menu bar, go to Develop > User Agent and enter the Secure Web user agent: (Mozilla/5.0 (iPad; CPU OS 8_3 like macOS) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69 Secure Web/ 10.1.0(build 1.4.0) Safari/8536.25).
-
In Safari, open the website you want to save as a reading list (web archive file).
-
In the Menu bar, go to Bookmarks > Add to Reading List. This step can take a few minutes. The archiving occurs in the background.
-
Locate the archived reading list: In the Menu bar, go to View > Show Reading List Sidebar.
-
Verify the archive file:
- Turn off network connectivity to your Mac.
-
Open the website from the reading list.
The website renders completely.
-
Compress the archive file: In the Finder, click the Go menu in the Menu bar, choose Go to Folder, and then type the path name ~/Library/Safari/ReadingListArchives/. Then, compress the folder that has a random hex string as a file name. This file is the file that you can send to Citrix support when you open a support ticket.
Secure Web features
Secure Web uses mobile data exchange technologies to create a dedicated VPN tunneling for users to access internal and external websites and all other websites. The sites include sites with sensitive information in an environment secured by your organization’s policies.
The integration of Secure Web with Secure Mail and Citrix Files offers a seamless user experience within the secure Endpoint Management container. Here are some examples of integration features:
- When users tap Mailto links, a new email message opens in Secure Mail with no additional authentication required.
-
Allow links to open in Secure Web keeping data secure: In Secure Web for Android, a dedicated VPN tunnel allows users to access sites with sensitive information securely. They can click links from Secure Mail, from within Secure Web, or from a third-party app. The link opens in Secure Web, and the data is securely contained. Users can open an internal link that has the ctxmobilebrowser scheme in Secure Web. In doing so, Secure Web transforms the
ctxmobilebrowser://
prefix tohttp://
. To open an HTTPS link, Secure Web transformsctxmobilebrowsers://
tohttps://
.In Secure Web for iOS, this feature depends on an App Interaction MDX policy called Inbound Document Exchange. The policy is set to Unrestricted by default. This setting allows URLs to open in Secure Web. You can change the policy setting so that only apps that you include in an allow list can communicate with Secure Web.
-
When users click an intranet link in an email message, Secure Web goes to that site with no additional authentication required.
- Users can upload files to Citrix Files that they download from the web in Secure Web.
Secure Web users can also do the following actions:
-
Block pop-ups.
Note:
Much of Secure Web memory goes into rendering pop-ups, so performance is often improved by blocking pop-ups in Settings.
- Bookmark their favorite sites.
- Download files.
- Save pages offline.
- Auto-save passwords.
- Clear cache/history/cookies.
- Disable cookies and HTML5 local storage.
- Securely share devices with other users.
- Search within the address bar.
- Allow web apps that they run with Secure Web to access their location.
- Export and import settings.
- Open files directly in Citrix Files without having to download the files. To enable this feature, add ctx-sf: to the Allowed URLs policy in Endpoint Management.
- In iOS, use 3D Touch actions to open a new tab and access offline pages, favorite sites, and downloads directly from the home screen.
-
In iOS, download files of any size and open them in Citrix Files or other apps.
Note:
Putting Secure Web in the background causes the download to stop.
-
Search for a term within the current page view using Find in Page.
Secure Web also has dynamic text support, so it displays the font that users set on their devices.
Note:
- Citrix Files for XenMobile has reached End of Life (EOL) on July 1, 2023. For more information, see EOL and deprecated apps