Setting up a secure XenApp environment – Storefront

So this is part two of my securing XenApp environment series; this time I’ve moved my focus to Storefront. Now how does Storefront need to be secured?

In most cases, Storefront is the aggregator that allows clients to connect to a Citrix infrastructure. In most cases Storefront is located on the internal network and the Netscaler is placed in the DMZ. Even if Storefront is located on the internal network and the firewall and Netscaler do a lot of the security work, there are still things that need to be taken care of on the Storefront.

In many cases users also connect to Storefront directly when they are on the internal network, bypassing the Netscaler entirely. And since Storefront runs on a Windows Server there are a lot of things to think about.

So where to begin.

1: Set up a base URL with an HTTPS certificate. If you are using an internally signed certificate, make sure that you have a properly set up Root CA, which in most cases should be offline. Alternatively use a certificate signed by a public third-party CA, which is also useful in many cases because if users connect directly to Storefront their computers might not recognize the internally signed CA.


2: Remove the HTTP binding on the IIS site, so that plain HTTP requests are not served.

Use a tool like IIS Crypto to disable the older SSL protocols and the older RC ciphers on the IIS server.


You can also enable ICA file signing. This allows Citrix Receiver clients that support signed ICA files to verify that the ICA files they receive come from a trusted source.

3: We can also set things up so that Citrix Receiver is unable to cache the password. This is done by editing authenticate.aspx under C:\inetpub\wwwroot\Citrix\Authentication\Views\ExplicitForms\

and commenting out the following partial view. The first block is the original, the second is the changed version, where the ASP.NET server-side comment markers <%-- and --%> stop the "save credentials" control from being rendered:

<% Html.RenderPartial("SaveCredentialsRequirement",
              SaveCredentials); %>

<%-- Html.RenderPartial("SaveCredentialsRequirement",
                SaveCredentials); --%>

4: Force ICA connections to go through the Netscaler using the Optimal Gateway feature of Storefront. Using this option also allows you to use Insight to monitor client connections to Citrix, and depending on the Netscaler version it gives you some historical data.

And by using Windows pass-through you can have Kerberos authenticate users to Storefront and then have the ICA sessions go through the Netscaler.

5: Use SSL for communication with the Delivery Controllers.

6: Install Dynamic IP Restrictions on the IIS server; this stops DDoS attempts against Storefront coming from the same IP address.


7: Keep Windows updated and have antivirus software running (some sort of antivirus with limited access to the server). Also let the Windows Firewall keep running and only open the ports necessary to allow communication with AD, the Delivery Controllers and the Netscaler.

8: Define audit policies to log credential validation, Remote Desktop connections, terminal logons and so on.

9: Use the StoreFront Web Config GUI from Citrix to define lockout and session timeout values.


10: Use a tool like Operations Manager with, for instance, ComTrade to monitor the Storefront instances, or just the IIS management pack; this gives some good insight into how the IIS server is operating.

11: Make sure that full logging is enabled on the IIS site.

IIS Logging Configuration for System Center Advisor Log Management
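To show how the IIS-side items above (2, the IIS Crypto step, 6, 7, 8 and 11) look when applied from PowerShell rather than clicked through, here is an added example; it is not from the original post or from Citrix. It assumes the StoreFront site is "Default Web Site", and the allowed source addresses, rate-limit values and log fields are placeholder values chosen for the example.

```powershell
# Added example, not part of the original post: applies the IIS-side hardening
# steps (HTTP binding, SSL protocols/RC ciphers, Dynamic IP Restrictions,
# firewall, audit policy, full logging) on a StoreFront server. Run elevated.
# Assumptions (labelled): the StoreFront site is "Default Web Site"; the
# allowed sources, rate-limit values and log fields are values chosen here.
Import-Module WebAdministration
$Site    = 'Default Web Site'
$Allowed = @('10.0.1.20', '10.0.1.21', '192.168.10.0/24')  # placeholder: NetScaler SNIPs + internal client subnet

# 2: remove the plain HTTP binding, leaving only HTTPS on 443.
if (Get-WebBinding -Name $Site -Protocol http) {
    Remove-WebBinding -Name $Site -Protocol http -Port 80
}

# IIS Crypto equivalent: disable SSL 2.0/3.0 server-side and the RC2/RC4 ciphers.
# Cipher key names contain "/", which the PowerShell registry provider treats as a
# path separator, so the .NET registry API is used. Schannel changes need a reboot.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Default')
foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    $k = $hklm.CreateSubKey("$schannel\Protocols\$proto\Server")
    $k.SetValue('Enabled', 0, 'DWord'); $k.SetValue('DisabledByDefault', 1, 'DWord'); $k.Close()
}
foreach ($cipher in 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
                    'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
    $k = $hklm.CreateSubKey("$schannel\Ciphers\$cipher")
    $k.SetValue('Enabled', 0, 'DWord'); $k.Close()
}

# 6: Dynamic IP Restrictions, set server-wide (the section is locked at site level).
Install-WindowsFeature Web-IP-Security | Out-Null
$dyn = 'system.webServer/security/dynamicIpSecurity'
$app = 'MACHINE/WEBROOT/APPHOST'
Set-WebConfigurationProperty -PSPath $app -Filter "$dyn/denyByConcurrentRequests" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $app -Filter "$dyn/denyByConcurrentRequests" -Name maxConcurrentRequests -Value 20
Set-WebConfigurationProperty -PSPath $app -Filter "$dyn/denyByRequestRate" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $app -Filter "$dyn/denyByRequestRate" -Name maxRequests -Value 50
Set-WebConfigurationProperty -PSPath $app -Filter "$dyn/denyByRequestRate" -Name requestIntervalInMilliseconds -Value 2000

# 7: firewall stays on; inbound is blocked except HTTPS from the allowed sources
# (outbound to AD and the Delivery Controllers is allowed by the default policy).
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'StoreFront HTTPS (NetScaler + internal clients)' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -RemoteAddress $Allowed -Action Allow | Out-Null

# 8: audit credential validation and logon/logoff (incl. RDP session) events.
foreach ($sub in 'Credential Validation', 'Logon', 'Logoff', 'Other Logon/Logoff Events') {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 11: W3C logging with the full field set on the StoreFront site.
$log = "system.applicationHost/sites/site[@name='$Site']/logFile"
Set-WebConfigurationProperty -PSPath $app -Filter $log -Name logFormat -Value 'W3C'
Set-WebConfigurationProperty -PSPath $app -Filter $log -Name logExtFileFlags -Value (
    'Date,Time,ClientIP,UserName,ServerIP,Method,UriStem,UriQuery,HttpStatus,HttpSubStatus,' +
    'Win32Status,BytesSent,BytesRecv,TimeTaken,ServerPort,UserAgent,Referer,ProtocolVersion,Host')

# Read back the two settings most often left behind: no http binding, SSL 3.0 off.
Get-WebBinding -Name $Site | Select-Object protocol, bindingInformation
Get-ItemProperty "HKLM:\$schannel\Protocols\SSL 3.0\Server" | Select-Object Enabled, DisabledByDefault
```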

Stay tuned for more, next part is the delivery controllers and the VDA agents.

Setting up a secure XenApp environment – Netscaler

Now I had the pleasure of working on a PCI-DSS compliant XenApp environment for a customer, and after working with it for the last couple of days there is a lot of useful information that I thought I would share.

PCI-DSS compliance is needed for any merchant who accepts credit cards, for instance an e-commerce site or some sort of application. So this includes all sorts of requirements:

* Different procedures for data shredding and logging

* Access control

* Logging and authorization

The current PCI-DSS standard is version 3.

The different requirements and assessment procedures can be found in that document. Citrix has also created a document on how to set up a compliant XenApp environment, where you can find some more information.

Instead of making this a pure PCI-DSS post I decided to do a more “how to secure your XenApp environment” post: what kind of options we have and where a weakness might be.

A typical environment might look like this:


So let’s start by exploring the first part of the Citrix infrastructure, which is the Netscaler. In a typical environment it is located in the DMZ, where the front-end firewall does stateful packet inspection of the traffic going back and forth. The best way to do a secure setup of Netscaler is one-armed mode, using routing to the backend resources, with another firewall in between doing deep packet inspection.

The first thing we need to do with the Netscaler, when setting up Netscaler Gateway for instance, is to disable SSL 3.0 and the default settings (we should have MPX do TLS 1.1 and TLS 1.2, but with VPX we are limited to TLS 1.0).

Also remember to use TRUSTED third-party certificates from known vendors without any bad history. Try to avoid SHA-1 based certificates; Citrix now supports SHA256.

It is important to set up secure access to management only (since by default it uses HTTP).


The SSL settings can be applied using SSL profiles, which can be attached to the Netscaler Gateway.


Also set Deny SSL Renegotiation to NONSECURE, so that only secure renegotiation is accepted. We also need to define some TCP parameters: make sure that TCP SYN Cookie is enabled, which protects against SYN flood attacks, and that SYN Spoof Protection is enabled to protect against spoofed SYN packets.


Under HTTP profiles, make sure that the Netscaler drops invalid HTTP requests.


Make sure that ICA proxy migration is enabled; this ensures that only one session at a time is established for a user via the Netscaler.


Double hop can also be an option if we have multiple DMZ zones or a private and an internal zone.

Specify a maximum number of login attempts and a timeout value, to make sure that your services aren’t being hammered by a dictionary attack.


Change the password for the nsuser!!!


Use an encrypted NTP source, which allows for trustworthy timestamps when logging (requires version 4 and above), and also verify that the time zones are set correctly.


Set up an SNMP-based monitoring solution or Command Center to get monitoring information from the Netscaler, or use Syslog as well to get more detailed information. Note that you should use SNMP v3, which gives both authentication and encryption.

Use LDAPS-based authentication against the local Active Directory server, since plain LDAP is clear-text; use TLS rather than SSL, and make sure that the Netscaler verifies the server certificate of the LDAP server.


It also helps to set up two-factor authentication to provide better protection against stolen user credentials. Make sure that if you are using a two-factor authentication vendor it uses the CHAP authentication protocol instead of PAP, since CHAP is a much more secure authentication protocol than PAP.

Use NetProfiles to control traffic flow from a particular SNIP to backend resources (this allows for easier management when setting up firewall rules for access).


Enable ARP spoof validation, so that we don’t get forged ARP requests in the network where the Netscaler is placed (the DMZ zone).


Use a DNSSEC-enabled DNS server; this allows for signed and validated responses, which makes it difficult to hijack DNS or do MITM on DNS queries. Note that this requires that you add a nameserver with both TCP and UDP enabled. (Netscaler can function both as a DNSSEC-enabled authoritative DNS server and in proxy mode for DNSSEC.)

If you wish to use the Netscaler as VPN access towards the first DMZ zone, the first things you need to do are:

1: Update the OPSWAT library


Create a preauthentication policy to check for updated antivirus software


The same goes for patch updates


In most cases try to use the latest firmware; Citrix releases new Netscaler firmware at least once every three months, containing bug fixes as well as security patches.

Do not activate enhanced authentication feedback; this lets attackers learn more about lockout policies and whether a user is non-existent, locked out, disabled and so on.


Set up STA communication using HTTPS (which requires a valid certificate and that the Netscaler trusts the root CA). You also need to set up Storefront with a valid certificate from a trusted Root CA. This should not be an internal PKI root CA, since third-party vendors have a much higher level of physical security.

If for some reason you cannot use SSL/TLS-based communication with backend resources, you can use MACsec, a layer 2 feature which allows for encrypted traffic between nodes on Ethernet.
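Several of the settings above (deny non-secure SSL renegotiation, SSL 3.0 off, dropping invalid HTTP requests, enhanced authentication feedback off, LDAP over TLS with certificate validation) can be applied and read back through the Netscaler NITRO REST API instead of the GUI. The following is an added example, not from the original post or from Citrix; the NSIP, the gateway vserver name vpn_vs, the existing LDAP action LDAP_ACT and the DC hostname are placeholders, the NITRO attribute names are assumed to mirror the CLI option names, and the management interface is assumed to present a certificate the client trusts.

```powershell
# Added example, not from the original post or from Citrix: pushes several of the
# Netscaler settings above through the NITRO REST API so they can be applied and
# re-checked in one go. Assumptions (labelled): NSIP, vserver "vpn_vs", LDAP action
# "LDAP_ACT" and the DC hostname are placeholders; NITRO attribute names are taken
# to mirror the CLI options (e.g. "set ssl parameter -denySSLReneg NONSECURE").
$NsIp = '10.0.0.10'                     # placeholder NSIP; management over HTTPS only
$Cred = Get-Credential -Message 'Netscaler admin account (not the default password)'
$Base = "https://$NsIp/nitro/v1/config"
$Hdr  = @{ 'X-NITRO-USER' = $Cred.UserName
           'X-NITRO-PASS' = $Cred.GetNetworkCredential().Password }

function Set-NsResource {
    param([string]$Resource, [hashtable]$Body)
    # NITRO updates are PUT requests with a JSON body keyed by the resource name.
    $json = @{ $Resource = $Body } | ConvertTo-Json -Depth 4 -Compress
    Invoke-RestMethod -Method Put -Uri "$Base/$Resource" -Headers $Hdr `
        -ContentType 'application/json' -Body $json | Out-Null
}
function Get-NsResource {
    param([string]$Resource, [string]$Name = '')
    $uri = if ($Name) { "$Base/$Resource/$Name" } else { "$Base/$Resource" }
    (Invoke-RestMethod -Method Get -Uri $uri -Headers $Hdr).$Resource
}

# SSL: only secure renegotiation globally, SSLv3 off on the gateway vserver.
# On a VPX that lacks TLS 1.1/1.2 support, leave out the tls11/tls12 attributes.
Set-NsResource sslparameter @{ denysslreneg = 'NONSECURE' }
Set-NsResource sslvserver   @{ vservername = 'vpn_vs'; ssl3 = 'DISABLED'; tls1 = 'ENABLED';
                               tls11 = 'ENABLED'; tls12 = 'ENABLED' }
# HTTP profile: drop invalid HTTP requests.
Set-NsResource nshttpprofile @{ name = 'nshttp_default_profile'; dropinvalreqs = 'ENABLED' }
# AAA: no enhanced authentication feedback (no hints about unknown or locked-out users).
Set-NsResource aaaparameter @{ enableenhancedauthfeedback = 'NO' }
# LDAP over TLS (STARTTLS on 389, not LDAPS on 636) with server certificate validation;
# this updates an LDAP action that already exists.
Set-NsResource authenticationldapaction @{ name = 'LDAP_ACT'; sectype = 'TLS'; serverport = 389;
                                           validateservercert = 'YES'; ldaphostname = 'dc01.corp.example' }
# Persist the running configuration.
Invoke-RestMethod -Method Post -Uri "$Base/nsconfig?action=save" -Headers $Hdr `
    -ContentType 'application/json' -Body '{"nsconfig":{}}' | Out-Null

# Read back and flag anything that did not stick.
$checks = @{
    'denySSLReneg=NONSECURE' = (Get-NsResource sslparameter).denysslreneg -eq 'NONSECURE'
    'SSLv3 off on vpn_vs'    = (Get-NsResource sslvserver vpn_vs).ssl3 -eq 'DISABLED'
    'enhanced feedback off'  = (Get-NsResource aaaparameter).enableenhancedauthfeedback -eq 'NO'
    'LDAP cert validation'   = (Get-NsResource authenticationldapaction LDAP_ACT).validateservercert -eq 'YES'
}
$checks.GetEnumerator() | Where-Object { -not $_.Value } |
    ForEach-Object { Write-Warning "Not applied: $($_.Key)" }
```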

Citrix Connector for System Center Configuration Manager 7.5 walkthrough

Earlier today, Citrix released their updated System Center Configuration Manager connector for XenDesktop 7.5. It can be downloaded from Citrix; note that it requires a MyCitrix account in order to download it.

So what does it do? Well, a couple of things. Mostly it’s about pushing software out to regular clients and servers, including XenApp/XenDesktop servers, where the clients might get the XD/XA version of an application. You can also use it to publish applications directly to XD/XA from Configuration Manager, which makes it easy to maintain a consistent software library.

Now there are a couple of components here that are needed.

* Citrix Connector Service (This does the syncing, publishing and orchestration jobs between the Configuration Manager site and the XA/XD site)

* Citrix DT handler (This component is needed on VDA servers/clients and on the managed clients where you want to use the integration.) NOTE: There are different DT handlers for clients and for VDA agents.


So in my case I installed the Citrix Connector Service on my site server since it is a demo environment. The installation is pretty straightforward.


Install both the service and the console extension


Enter a service account for the connector service


New in this release is the ability to define maintenance windows, in case you want automated deployment to VDA agents.


Now after the installation is finished there are a few things which should be done first.

Make sure that the Configuration Manager client is installed on the VDA agents you want to use with this deployment. Then you should create an application for the DT handler and deploy it to all VDA agents.

  • Use the following installation parameters: msiexec /i "CitrixDTHandler_x64.msi" /q
  • Also, all applications you want to publish should be pre-created and added to Configuration Manager.

Now in my case I have installed the DT handler on one VDA server and have created 7-Zip as an application in Configuration Manager. When we open the Configuration Manager console we have some new options. First, under Assets and Compliance we have the machine catalogs listed.


First we need to deploy 7-Zip to the machine catalog and VDA agents. After that, Configuration Manager has the information that the application has been installed.


We can go ahead and do a publication action. Go into Software Library, then Citrix Application Publications, and choose Create Publication.


Then we run through the wizard.


The connector has also gained a nifty new feature which checks that all the prerequisites are in place.


So after we have finished the wizard and the synchronization is complete, the application will appear in XenDesktop Studio.


So now we have successfully installed 7-Zip on a VDA agent and successfully published it from Configuration Manager. This means that the application is available as a resource when the user starts Citrix Receiver or logs into StoreFront.

Now onto the next option: what if we want users to get applications from Software Center or the Application Catalog (but still be able to start a Citrix session if we want them to)? This is the part handled by the DT handler on the managed clients.

Now let’s deploy 7-Zip from Configuration Manager to some managed clients. First we need to create a new deployment type which references the newly published application; in the deployment type choose XenApp.


Under publishing you need to choose the existing Citrix deployment that was published earlier.


NOTE: Citrix DT handler needs to be installed on the clients.

Now go through the wizard, and after you are done you need to give the XenApp deployment type a lower priority than the other option.

Now after you have created the deployment type and you want to deploy the application, you need to choose the clients or the users which are defined in the delivery groups.


Now if you head over to the application portal on a managed client with a valid user, the application will appear.


Now if you click this application, the Configuration Manager agent and the DT components will interact and publish the application in Receiver. If you have a valid single sign-on deployment working on your XenDesktop environment you can see that 7-Zip is published on the managed client's desktop.


This is a quick walkthrough, but it gives you a quick overview of what you can use this connector for. You can also integrate it with MCS and PVS, and we can integrate App-V applications. Also important to remember: with XenDesktop 7.5 you can integrate with Configuration Manager for Wake on LAN functionality.

SCVMM and XenApp 6.5 + PVS = Trouble!

I have been involved in a case for a long time now where a partner wanted to use SCVMM with XenApp 6.5 and PVS 7.1 for a customer, and it has not been quite as successful as hoped.

Now I wanted to share some notes with PVS and Hyper-V and what the limitations are there at the moment.

  • First, it is important to note that PVS 7.1 is the only version of Provisioning Services that supports SCVMM 2012 R2, as the support matrix lists.

  • Using PVS with Hyper-V is now functional with PVS 7.1; this requires Legacy adapters in Hyper-V, since Legacy adapters are the only NICs in Hyper-V that support PXE boot.


  • Citrix has implemented a failover mechanism between Legacy and Synthetic which means that the streaming traffic can start from the Legacy adapter and then switch to the synthetic.


  • Hyper-V 2012 R2 does support PXE with Synthetic devices on Generation 2 Virtual Machines, but THIS IS NOT SUPPORTED BY CITRIX YET.
  • If we for instance are using a VM with two Legacy adapters, Hyper-V will always boot from the last legacy NIC added to the virtual machine; if we are using the “Stream VM wizard” in PVS it will add the first NIC in the virtual machine, meaning that we get the wrong MAC address in the PVS database.
    • Hyper-V creates a new NIC GUID when creating a machine from a template, unlike VMware or XenServer, which do not.
    • The Stream VM wizard in PVS creates virtual machines from templates, which means that the NICs on the PVS virtual machines get reinitialized when booting, and therefore the service stops responding since it delays the network start.
    • The only solution to this is to clone machines and then add them manually to PVS, as described in this CTX article.
    • The XenDesktop setup wizard in PVS DOES NOT create virtual machines from a template, but clones the virtual machine using a set of PowerShell cmdlets.

Hopefully 7.5 has support for Generation 2 Virtual Machines!

Citrix on Microsoft Azure

This is huge news! Microsoft Azure has for some time now had a solid IaaS platform with support for most of the different Windows Server roles and features, except the most important one: RDS.

Since Microsoft until recently didn’t allow the use of RDS or other options like Citrix to run against Azure (because of the licensing), people would have to use on-premise solutions until that was allowed / fixed.
But now with the latest changes to the Volume Licensing agreement you can bring SPLA-based RDS SAL usage to the cloud.

Now this brings two options for a service provider in Azure.

* Session Shared Terminal Servers
* Server VDI Workers (VM/Server Isolation)

So first of all, this makes ALL of the different Citrix components supported in Azure, not just XenDesktop 7. Of course there are restrictions, such as Remote PC, which cannot be used there.

Citrix has also created two design guides for how you can set up Citrix XenApp / XenDesktop in Microsoft Azure. These also require that users enter the Citrix servers through a Netscaler Gateway on-premise. (Guides: XenDesktop 7, XenApp 6.5.)

And I’m guessing that the next release of XenDesktop 7 (Project Merlin) will include provisioning options against Azure, but until that arrives we will have to provision manually and use PowerShell. Since Citrix and Microsoft have a strong relationship, I’m guessing that more options on how to host Citrix in Azure will appear.

Citrix Project Excalibur training

Citrix has released a number of training videos regarding Project Excalibur, you can find them in the links below.

Part 1, Excalibur introduction

Part 2, Excalibur installation

Part 3, Citrix Studio

Part 4, Master Image

Part 5, Citrix Storefront

Part 6, Machine Catalog

Part 7, Delivery Groups

Part 8, Delivering Applications

Part 9, Citrix Receiver

Part 10, Citrix Director

Citrix Project Excalibur

For those that have been living under a rock for the last month or so (or haven’t been too involved in Citrix for a while), Citrix has just released a tech preview of their new solution (which at the moment is called Project Excalibur). Project Excalibur is the merging of XenDesktop and XenApp, together with other components such as Storefront, the DDC and Citrix Studio (Desktop Studio).
With the merging of these products the whole XenApp architecture is gone: there is no more IMA, just FMA, so no more zones, data stores and so on. It is much more reliant on the SQL database.

Now for those that aren’t so familiar with the Citrix terms and product names, I’ll give a brief intro:

Receiver provides users with self-service access to resources published on
XenApp or XenDesktop servers. Receiver combines ease of deployment and use, and
offers quick, secure access to hosted applications, desktops, and data. Receiver also
provides on-demand access to Windows, Web, and Software as a Service (SaaS)

StoreFront authenticates users to XenDesktop sites and manages stores
of desktops and applications that users access.

Studio enables you to configure and manage your XenDesktop deployment.
Studio provides various wizards to guide you through the process of setting up your
environment, creating your desktops, and assigning desktops to users.

Delivery Controller.
The Delivery Controller is responsible for distributing
applications and desktops, managing user access, and optimizing connections to
applications. Each site has one or more delivery controllers.

Server OS Machines. (XenApp)
VMs or physical machines based on Windows Server operating
system used for delivering applications or hosted shared desktops to users.

Desktop OS Machines. (XenDesktop)
VMs or physical machines based on Windows Desktop
operating system used for delivering personalized desktops to users, or applications
from desktop operating systems.

This is a quick overview of how the topology is:


Also, for those that are familiar with XenApp: the term farm is now gone, it is now called a site.
The Zone master function is also gone; in this release the function is distributed evenly across all controllers in a site.

Now let’s take a walkthrough of the installation.
BTW: All of this was installed on one virtual server.


Now as you see there are basically two components here: the Delivery Controller and the Delivery Agent.
Studio can be installed as part of the Delivery Controller.


So since this is my first setup I’m going to install the Delivery Controller with all the components!


This setup will also install a local SQL Express 2008 R2 if you choose to (which I only recommend for test / lab environments).


The setup will also configure the firewall for incoming connections. After the setup is completed, Studio can be auto-launched, and there we can configure everything.


And remember that farms have now been switched out for Sites. So we are going to start by creating an empty site.




So here we just defined a name for the Site, and assigned a license to that site. After that is done we can start the “real” configuration.


Before we continue I wish to explain what the different options here are:

Search: self-explanatory
Machine Catalog: A group of VMs or physical machines (for earlier XA people, think of it as Worker Groups)
Delivery Groups: This is where you assign applications and desktops to users.
Applications: This is where you publish the applications you wish to use.
HDX policy: The old Group Policy management
Logging: Configuration logging.
Administrators: Here you set the site administrators
Controllers: Here you have an overview of the site controllers
Hosting: Here you have the overview of what hosting environment you have: vSphere, SCVMM or XenServer.
Licensing: Overview of the license server.
Profile Management: Here you can define policy settings such as folder redirection etc. (You can see how it is defined in the picture below)

Citrix has also implemented a lot of other nice-to-have features in the GUI, for instance the PowerShell pane, which shows all the commands that have been run as PowerShell commands.


And you also have a nice overview of the license usage.


Now part 1 of the Excalibur post is complete; more will follow. Stay tuned!
But for System Center people like me there are new possibilities here.
Citrix recently released Project Thor, which allows for integration of XenApp into Configuration Manager. I’m excited to see what kind of integrations you can get here.

So something is missing here: session lingering and session prelaunch, where did they go?!