Secure Deployment Guide for the Citrix Cloud Platform

November 10, 2022 Contributed by: C J E


The Secure Deployment Guide for Citrix Cloud provides an overview of security best practices when using Citrix Cloud and describes the information Citrix Cloud collects and manages.


Technical security overviews for services

Consult the following articles for more information about data security within Citrix Cloud services:


Guidance for administrators

  • Use strong passwords and regularly change your passwords.
  • All administrators within a customer account can add and remove other administrators. Ensure that only trusted administrators have access to Citrix Cloud.
  • Administrators of a customer have, by default, full access to all services. Some services provide a capability to restrict the access of an administrator. Consult the per-service documentation for more information.
  • Two-factor authentication for Citrix Cloud administrators is achieved using the default Citrix identity provider. When administrators sign up for Citrix Cloud or are invited to a Citrix Cloud account, they are required to enroll in multifactor authentication (MFA). If a customer uses Microsoft Azure to authenticate Citrix Cloud administrators, multifactor authentication can be configured as described in Configure Azure AD Multi-Factor Authentication settings on the Microsoft website.
  • By default, Citrix Cloud automatically terminates administrator sessions after 60 minutes of inactivity. This 60-minute timeout cannot be changed. Inactive means the session is completely idle and the administrator is not interacting with the Citrix Cloud console in any way. Activity refers to actions such as navigating the graphical interface, selecting configuration options, saving configuration changes, or waiting for a change to take effect.


Password compliance

Citrix Cloud prompts administrators to change their passwords if one of the following conditions exists:

  • The current password hasn’t been used to sign in for more than 60 days.
  • The current password has been listed in a known database of compromised passwords.

New passwords must meet all of the following criteria:

  • At least 8 characters long (128 characters maximum)
  • Includes at least one upper-case and lower-case letter
  • Includes at least one number
  • Includes at least one special character: ! @ # $ % ^ * ? + = -

Rules for changing passwords:

  • The current password can’t be used as a new password.
  • The previous 5 passwords can’t be reused.
  • The new password can’t be similar to the account user name.
  • The new password must not be listed in a known database of compromised passwords. Citrix Cloud uses a list provided by https://haveibeenpwned.com/ to determine if new passwords violate this condition.
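The following PowerShell function is an added example, not code from the Citrix documentation: it checks a candidate password against the rules listed above. It assumes password history is supplied as SHA-256 hex digests of the current and previous five passwords, interprets "similar to the account user name" as a case-insensitive substring match on the user name or its local part, and performs the compromised-password check through the haveibeenpwned.com k-anonymity range API, so only the first five hex characters of the SHA-1 leave the machine.

```powershell
function Test-CitrixCloudPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$UserName,
        [string[]]$PreviousPasswordHashes = @(),   # assumed: SHA-256 hex of current + previous 5 passwords
        [switch]$CheckHaveIBeenPwned               # performs the network lookup when set
    )
    $failures = @()

    # Composition rules from the guide: 8-128 chars, upper + lower, digit, one listed special char
    if ($Password.Length -lt 8 -or $Password.Length -gt 128) { $failures += 'must be 8 to 128 characters long' }
    if ($Password -cnotmatch '[A-Z]') { $failures += 'needs an upper-case letter' }
    if ($Password -cnotmatch '[a-z]') { $failures += 'needs a lower-case letter' }
    if ($Password -notmatch '[0-9]')  { $failures += 'needs a number' }
    if ($Password -notmatch '[!@#$%^*?+=\-]') { $failures += 'needs one of ! @ # $ % ^ * ? + = -' }

    # Similarity to the user name (assumed interpretation: case-insensitive substring match)
    $localPart = ($UserName -split '@')[0]
    foreach ($fragment in (@($UserName, $localPart) | Where-Object { $_.Length -ge 3 })) {
        if ($Password.IndexOf($fragment, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures += 'is similar to the account user name'; break
        }
    }

    # Reuse of the current password or one of the previous five, compared as SHA-256 digests
    $bytes  = [Text.Encoding]::UTF8.GetBytes($Password)
    $sha256 = [BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($bytes)) -replace '-', ''
    if ($PreviousPasswordHashes -contains $sha256) { $failures += 'reuses the current password or one of the previous 5' }

    # Compromised-password check via the k-anonymity range API (SHA-1 prefix only is sent)
    if ($CheckHaveIBeenPwned) {
        $sha1   = [BitConverter]::ToString([Security.Cryptography.SHA1]::Create().ComputeHash($bytes)) -replace '-', ''
        $prefix = $sha1.Substring(0, 5); $suffix = $sha1.Substring(5)
        # Add-Padding makes every response the same shape; padded entries carry a count of 0
        $range = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" -Headers @{ 'Add-Padding' = 'true' }
        foreach ($line in ($range -split "`r?`n")) {
            $parts = $line.Trim() -split ':'
            if ($parts.Count -eq 2 -and $parts[0] -eq $suffix -and [int]($parts[1]) -gt 0) {
                $failures += "appears $($parts[1]) times in the compromised-password database"; break
            }
        }
    }
    [pscustomobject]@{ Compliant = ($failures.Count -eq 0); Failures = $failures }
}

# Constructed usage: the first call fails on length and similarity, the second passes the local rules
Test-CitrixCloudPassword -Password 'Admin1!' -UserName 'admin@example.com'
Test-CitrixCloudPassword -Password 'Tr0ub4dor+Horse' -UserName 'admin@example.com' -CheckHaveIBeenPwned
```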


Encryption and key management

The Citrix Cloud control plane does not store sensitive customer information. Instead, Citrix Cloud retrieves information such as administrator passwords on-demand (by prompting the administrator explicitly). There is no data-at-rest that is sensitive or encrypted, and thus you do not need to manage any keys.

For data-in-flight, Citrix uses industry standard TLS 1.2 with the strongest cipher suites. Customers cannot control the TLS certificate in use, as Citrix Cloud is hosted on the Citrix-owned cloud.com domain. To access Citrix Cloud, customers must use a browser capable of TLS 1.2, and must have accepted cipher suites configured.

  • If accessing the Citrix Cloud control plane from Windows Server 2016, Windows Server 2019, or Windows Server 2022, the following strong ciphers are recommended: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • If accessing the Citrix Cloud control plane from Windows Server 2012 R2, the strong ciphers are not available, so the following ciphers must be used: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
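The following PowerShell script is an added example, not from the Citrix documentation: a read-only audit of a Windows Server that will reach the Citrix Cloud control plane. It reports the Schannel TLS 1.2 client setting, whether the cipher suites listed above for the detected OS generation are in the active suite order, and the .NET SchUseStrongCrypto flag that lets .NET 4.x clients negotiate TLS 1.2. Registry paths are the standard Schannel, cipher-suite-order policy and .NET Framework locations; nothing is modified.

```powershell
$recommended  = @('TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256')
$server2012R2 = @('TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
                  'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256')

function Get-Tls12ClientState {
    # Schannel honours an explicit Enabled=0 under this key; an absent value means the OS default applies
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $v = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'OS default (not explicitly configured)' }
    if ($v.Enabled -eq 0) { return 'DISABLED' } else { return 'enabled' }
}

function Get-ActiveCipherSuites {
    # Server 2016+ ship the TLS cmdlets; Server 2012 R2 only exposes the cipher suite order policy value
    if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
        return @(Get-TlsCipherSuite | ForEach-Object { $_.Name })
    }
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $v = Get-ItemProperty -Path $policy -Name Functions -ErrorAction SilentlyContinue
    if ($null -eq $v) { return @() }
    return @($v.Functions -split ',' | ForEach-Object { $_.Trim() })
}

function Get-DotNetStrongCrypto {
    # SchUseStrongCrypto=1 is what makes .NET 4.x clients (e.g. OData queries) use TLS 1.2 by default
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $v = Get-ItemProperty -Path $root -Name SchUseStrongCrypto -ErrorAction SilentlyContinue
        $state = if ($null -eq $v) { 'not set' } else { $v.SchUseStrongCrypto }
        [pscustomobject]@{ Key = $root; SchUseStrongCrypto = $state }
    }
}

# Win32_OperatingSystem reports the real version: 2012 R2 is 6.3, 2016/2019/2022 are 10.0
$osVersion = [Version](Get-CimInstance Win32_OperatingSystem).Version
$required  = if ($osVersion.Major -lt 10) { $server2012R2 } else { $recommended }
$active    = Get-ActiveCipherSuites

"TLS 1.2 client protocol: $(Get-Tls12ClientState)"
foreach ($suite in $required) {
    $state = if ($active -contains $suite) { 'present' } else { 'MISSING' }
    '{0,-42} {1}' -f $suite, $state
}
Get-DotNetStrongCrypto | Format-Table -AutoSize
```

A MISSING suite on Server 2016+ is normally fixed through the SSL Cipher Suite Order group policy or Enable-TlsCipherSuite; on Server 2012 R2 only the group policy route is available.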

For more information about encryption and key management within each cloud service, consult the service’s documentation.

For more information about TLS 1.2 configuration, consult the following articles:

  • Enforce use of TLS 1.2 on client machines: CTX245765, Error: “The underlying connection was closed: An unexpected error occurred on a send.” when querying Monitoring Service’s OData endpoint
  • Configure ShareFile storage zones controllers for TLS 1.2: CTX209211, Configure StorageZone Controller for TLS v1.2 Inbound Connections
  • Update and configure the .NET Framework to support TLS 1.2 on the Microsoft Docs web site.


Data sovereignty

The Citrix Cloud control plane is hosted in the United States, the European Union, and Australia. Customers do not have control over this.

The customer owns and manages the resource locations that they use with Citrix Cloud. A resource location can be created in any data center, cloud, location, or geographic area the customer desires. All critical business data (such as documents, spreadsheets, and so on) are stored in resource locations and are under customer control.

For Content Collaboration, consult the following resources for information about controlling where the data resides:

Other services may have an option to store data in different regions. Consult the Geographical Considerations topic or the Technical Security Overviews (listed at the beginning of this article) for each service.


Security issues insight

The website status.cloud.com provides transparency into security issues that have an ongoing impact on the customer. The site logs status and uptime information. There is an option to subscribe for updates to the platform or individual services.


Citrix Cloud Connector

Installing the Cloud Connector

For security and performance reasons, Citrix recommends that customers do not install the Cloud Connector software on a domain controller.

Also, Citrix strongly recommends that the machines on which the Cloud Connector software is installed be inside the customer’s private network and not in the DMZ. For network and system requirements and instructions for installing the Cloud Connector, see Citrix Cloud Connector.

Configuring the Cloud Connector

The customer is responsible for keeping the machines on which the Cloud Connector is installed up-to-date with Windows security updates.

Customers can use antivirus alongside the Cloud Connector. Citrix tests with McAfee VirusScan Enterprise + AntiSpyware Enterprise 8.8. Citrix supports customers who use other industry standard AV products.

In the customer’s Active Directory (AD), Citrix strongly recommends that the Cloud Connector’s machine account be restricted to read-only access. This is the default configuration in Active Directory. Also, the customer can enable AD logging and auditing on the Cloud Connector’s machine account to monitor any AD access activity.

Logging on to the machine hosting the Cloud Connector

The Cloud Connector allows sensitive security information to pass through to other platform components in Citrix Cloud services, but also stores the following sensitive information:

  • Service keys for communicating with Citrix Cloud
  • Hypervisor service credentials for power management in Citrix DaaS (formerly Citrix Virtual Apps and Desktops service)

This sensitive information is encrypted using the Data Protection API (DPAPI) on the Windows server hosting the Cloud Connector. Citrix strongly recommends allowing only the most privileged administrators to log on to Cloud Connector machines (for example, to perform maintenance operations). In general, there is no need for an administrator to log on to these machines to manage any Citrix product. The Cloud Connector is self-managing in that respect.

Do not allow end users to log on to machines hosting the Cloud Connector.

Installing other software on Cloud Connector machines

Customers can install antivirus software and hypervisor tools (if installed on a virtual machine) on the machines where the Cloud Connector is installed. However, Citrix recommends that customers do not install any other software on these machines. Other software creates possible security attack vectors and might reduce the security of the overall Citrix Cloud solution.

Inbound and outbound ports configuration

The Cloud Connector requires outbound port 443 to be open with access to the internet. Citrix strongly recommends that the Cloud Connector have no inbound ports accessible from the Internet.

Customers can locate the Cloud Connector behind a web proxy for monitoring its outbound Internet communications. However, the web proxy must support SSL/TLS encrypted communication.

The Cloud Connector might have other outbound ports with access to the Internet. The Cloud Connector negotiates across a wide range of ports to optimize network bandwidth and performance if other ports are available.

The Cloud Connector must have a wide range of inbound and outbound ports open within the internal network. The following table lists the base set of open ports required.

Client Port                  Server Port          Service
49152-65535/UDP              123/UDP              W32Time
49152-65535/TCP              135/TCP              RPC Endpoint Mapper
49152-65535/TCP              464/TCP/UDP          Kerberos password change
49152-65535/TCP              49152-65535/TCP      RPC for LSA, SAM, Netlogon (*)
49152-65535/TCP/UDP          389/TCP/UDP          LDAP
49152-65535/TCP              636/TCP              LDAP SSL
49152-65535/TCP              3268/TCP             LDAP GC
49152-65535/TCP              3269/TCP             LDAP GC SSL
53, 49152-65535/TCP/UDP      53/TCP/UDP           DNS
49152-65535/TCP              49152-65535/TCP      FRS RPC (*)
49152-65535/TCP/UDP          88/TCP/UDP           Kerberos
49152-65535/TCP/UDP          445/TCP              SMB

Each of the services used within Citrix Cloud extends the list of open ports required. For more information, consult the following resources:

Monitoring outbound communication

The Cloud Connector communicates outbound to the Internet on port 443, both to Citrix Cloud servers and to Microsoft Azure Service Bus servers.

The Cloud Connector communicates with domain controllers on the local network that are inside the Active Directory forest where the machines hosting the Cloud Connector reside.

During normal operation, the Cloud Connector communicates only with domain controllers in domains that are not disabled on the Identity and Access Management page in the Citrix Cloud user interface.

Each service within Citrix Cloud extends the list of servers and internal resources that the Cloud Connector might contact during normal operations. Also, customers cannot control the data that the Cloud Connector sends to Citrix. For more information about services’ internal resources and data sent to Citrix, consult the following resources:

Viewing Cloud Connector logs

Any information relevant or actionable to an administrator is available in the Windows Event Log on the Cloud Connector machine.

View installation logs for the Cloud Connector in the following directories:

  • %AppData%\Local\Temp\CitrixLogs\CloudServicesSetup
  • %windir%\Temp\CitrixLogs\CloudServicesSetup

Logs of what the Cloud Connector sends to the cloud are found in %ProgramData%\Citrix\WorkspaceCloud\Logs.

The logs in the WorkspaceCloud\Logs directory are deleted when they exceed a specified size threshold. The administrator can control this size threshold by adjusting the registry key value for HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CloudServices\AgentAdministration\MaximumLogSpaceMegabytes.

SSL/TLS Configuration

The Windows Server hosting the Cloud Connector must have the ciphers detailed in Encryption and key management enabled.

The Cloud Connector must trust the certification authority (CA) that the Citrix Cloud SSL/TLS certificates and Microsoft Azure Service Bus SSL/TLS certificates use. Citrix and Microsoft might change certificates and CAs in the future, but always use CAs that are part of the standard Windows Trusted Publisher list.

Each service within Citrix Cloud might have different SSL configuration requirements. For more information, consult the Technical Security Overviews for each service (listed at the beginning of this article).

Security compliance

To ensure security compliance, the Cloud Connector self-manages. Do not disable reboots or put other restrictions on the Cloud Connector. These actions prevent the Cloud Connector from updating itself when there is a critical update.

The customer is not required to take any other action to react to security issues. The Cloud Connector automatically applies any security fixes.


Citrix Connector Appliance for Cloud Services

Installing the Connector Appliance

The Connector Appliance is hosted on a hypervisor. This hypervisor must be inside your private network and not in the DMZ.

Ensure that the Connector Appliance is within a firewall that blocks access by default. Use an allow list to allow only expected traffic from the Connector Appliance.

Ensure that the hypervisors that host your Connector Appliances are installed with up-to-date security updates.

For network and system requirements and instructions for installing the Connector Appliance, see Connector Appliance for Cloud Services.

Logging on to the hypervisor hosting a Connector Appliance

The Connector Appliance contains a service key for communicating with Citrix Cloud. Allow only the most privileged administrators to log on to a hypervisor hosting the Connector Appliance (for example, to perform maintenance operations). In general, there is no need for an administrator to log on to these hypervisors to manage any Citrix product. The Connector Appliance is self-managing.

Inbound and outbound ports configuration

The Connector Appliance requires outbound port 443 to be open with access to the internet. Citrix strongly recommends that the Connector Appliance have no inbound ports accessible from the internet.

You can locate the Connector Appliance behind a web proxy for monitoring its outbound internet communications. However, the web proxy must support SSL/TLS encrypted communication.

The Connector Appliance might have other outbound ports with access to the internet. The Connector Appliance negotiates across a wide range of ports to optimize network bandwidth and performance if other ports are available.

The Connector Appliance must have a wide range of inbound and outbound ports open within the internal network. The following table lists the base set of open ports required.

Connection Direction    Connector Appliance Port     External Port    Service
Inbound                 443/TCP                      Any              Local Web UI
Outbound                49152-65535/UDP              123/UDP          NTP
Outbound                53, 49152-65535/TCP/UDP      53/TCP/UDP       DNS
Outbound                67/UDP                       68/UDP           DHCP and broadcast
Outbound                49152-65535/UDP              123/UDP          W32Time
Outbound                49152-65535/TCP              464/TCP/UDP      Kerberos password change
Outbound                49152-65535/TCP/UDP          389/TCP/UDP      LDAP
Outbound                49152-65535/TCP              636/TCP          LDAP SSL
Outbound                49152-65535/TCP              3268/TCP         LDAP GC
Outbound                49152-65535/TCP              3269/TCP         LDAP GC SSL
Outbound                49152-65535/TCP/UDP          88/TCP/UDP       Kerberos
Outbound                49152-65535/TCP/UDP          445/TCP          SMB
Outbound                137/UDP                      137/UDP          NetBIOS Name Service
Outbound                138/UDP                      138/UDP          NetBIOS Datagram
Outbound                139/TCP                      139/TCP          NetBIOS Session

Each of the services used within Citrix Cloud extends the list of open ports required. For more information, consult the following resources:

Monitoring outbound communication

The Connector Appliance communicates outbound to the Internet on port 443 to Citrix Cloud servers.

Each service within Citrix Cloud extends the list of servers and internal resources that the Connector Appliance might contact during normal operations. Also, customers cannot control the data that the Connector Appliance sends to Citrix. For more information about services’ internal resources and data sent to Citrix, consult the following resources:

Viewing Connector Appliance logs

You can download a diagnostic report for your Connector Appliance that includes various log files. For more information about getting this report, see Connector Appliance for Cloud Services.

SSL/TLS Configuration

The Connector Appliance does not need any special SSL/TLS configuration.

The Connector Appliance trusts the certification authority (CA) used by Citrix Cloud SSL/TLS certificates. Citrix might change certificates and CAs in the future, but always use CAs that the Connector Appliance trusts.

Each service within Citrix Cloud might have different SSL configuration requirements. For more information, consult the Technical Security Overviews for each service (listed at the beginning of this article).

Security compliance

To ensure security compliance, the Connector Appliance self-manages and you cannot log in to it through the console.

You are not required to take any other action to react to connector security issues. The Connector Appliance automatically applies any security fixes.

Ensure that the hypervisors that host your Connector Appliances are installed with up-to-date security updates.

In your Active Directory (AD), we recommend that the Connector Appliance machine account be restricted to read-only access. This is the default configuration in Active Directory. Also, the customer can enable AD logging and auditing on the Connector Appliance machine account to monitor any AD access activity.


Guidance for handling compromised accounts

  • Audit the list of administrators in Citrix Cloud and remove any who are not trusted.
  • Disable any compromised accounts within your company’s Active Directory.
  • Contact Citrix and request rotating the authorization secrets stored for all the customer’s Cloud Connectors. Depending on the severity of the breach, take the following actions:
    • Low Risk: Citrix can rotate the secrets over time. The Cloud Connectors continue to function normally. The old authorization secrets become invalid in 2-4 weeks. Monitor the Cloud Connector during this time to ensure that there are no unexpected operations.
    • Ongoing high risk: Citrix can revoke all old secrets. The existing Cloud Connectors will no longer function. To resume normal operation, the customer must uninstall and reinstall the Cloud Connector on all applicable machines.
