PoC Guide: Citrix Secure Internet Access with Citrix Virtual Apps and Desktops

Overview

Citrix Secure Internet Access provides a full cloud-delivered security stack to protect users, apps, and data against all threats without compromising the employee experience. This proof of concept (PoC) guide is designed to help you quickly configure Citrix Secure Internet Access within your Citrix Virtual Apps and Desktops environment. At the end of this PoC guide you are able to protect your Citrix Virtual Apps and Desktops deployment with Citrix Secure Internet Access. You are able to allow your users access applications using Direct Internet Access (DIA) without compromising on performance.

Scope

In this Proof-of-Concept guide, you experience the role of a Citrix administrator and you create a connection between your organization’s Citrix Virtual Apps & Desktop deployment and Citrix Secure Internet Access.

This guide showcases how to perform the following actions:

• Logging into Citrix Secure Internet Access (CSIA)
• Interfacing CSIA Security Groups with Groups from Domain Integration
• Configuring the Proxy settings of the CSIA cloud platform
• Configure web security policies to allow/deny access to certain websites or categories via the CSIA Console.
• Applying Policies to Security Groups
• Download the CSIA agent (Cloud Connector)
• Configure the CSIA agent (Cloud Connector) via Agent Policy
• Configure the CSIA agent (Cloud Connector) Manually (OPTIONAL - Windows Only)
• Deploy CSIA agent (Cloud Connector) manually to VDA main image
• Deploy CSIA agent (Cloud Connector) via AD group policy to VDA image

Prerequisites

• Microsoft Windows 7, 8, 10 (x86, x64, and ARM64)
• Microsoft Server 2008R2, 2012, 2016, 2019
• Microsoft .NET 4.5, or above
• PowerShell 7 (only for Windows 7)
• The following Firewall rules

Network Requirements

Port / Firewall settings

CSIA –> Outbound

Citrix Secure Internet Access (CSIA) Cloud Configuration

In this section we focus on the configuration of CSIA within the administration console.

Log into Citrix Secure Internet Access

1. Log into Citrix Cloud and Access the Secure Internet Access tile.
   

2. Select the Configuration tab and Click Open Citrix SIA Configuration to access the Configuration Console.
   

Configure the Citrix Secure Internet Access PAC Settings

1. From the Configuration tab navigate to Locations & Geomapping.
   
2. On the Zones tab click Edit Default Zone.
   
3. Click PAC Settings.
   
4. If you must bypass a domain, use the Add a Function.
   
5. These are the recommended Citrix Domain and Subdomains to be added to the PAC File:
   ⋅ cloud.com & *.cloud.com
   ⋅ citrixdata.com & *.citrixdata.com
   ⋅ citrixworkspaceapi.net & *.citrixworkspaceapi.net
   ⋅ citrixworkspacesapi.net & *.citrixworkspacesapi.net
   ⋅ citrixnetworkapi.net & *.citrixnetworkapi.net
   ⋅ nssvc.net & *.nssvc.net
   ⋅ xendesktop.net & *.xendesktop.net
   ⋅ cloudapp.net & *.cloudapp.net
   ⋅ netscalergateway.net & *.netscalergateway.net
6. Note the node shown “node-clusterxxxxxx-swg.ibosscloud.com:80”. This must match the customer’s SWG node in Node Collection Management
   

Interfacing CSIA Security Groups with Groups from Domain Integration

Users connecting to Citrix Secure Internet Access (CSIA) communicate domain OU information if it is available from their current user login and device. The CSIA cloud platform can be used to match the groups provided by domain-controlled user accounts. Correlating the groups of your domain integration with the security groups contained on the CSIA cloud platform allows you to administer policies and restrictions in a manner similar to the existing security policies within your organization.

The strategy for integrating domain group information into the CSIA cloud platform is to edit security groups to match the aliases of domain groups reported to the platform.

Integration Example

To demonstrate the execution of this concept, let’s map the domain credentials of a Windows user into a security group on the CSIA cloud platform.

1. Open a command prompt on the target computer, and run the command “net user (user name) /domain”
2. Gather the aliases of groups reported back by the domain controller.
   
3. Go to the CSIA cloud platform and edit either the Group Name or the Alias Name to correspond to one of the groups reported by the domain user.
   
4. Now when users from the integrated domain group authenticate to the CSIA cloud platform, they are assigned automatically to their corresponding security group.

Configuring the Proxy settings of the CSIA cloud platform

1. Navigate to the Proxy & Caching module.
   
2. Set Enable Proxy Settings to YES.
   
3. Set User Authentication Method to Local User Credentials + Cloud Connections.
   
4. Click Save.
   

Configure Web Security Policies

In this section we focus on the configuration of CSIA Web Security Policies within the administration console. This is the main place where we set actions on web categories.

Applying Policies to Security Groups

1. Navigate to the Web Security module.
   
2. For web security policies that have a group-based implementation available a drop-down menu is present at the top of the page above the configuration form for the policy. The status of this drop-down menu indicates which group’s policy configuration you are currently viewing.
   
3. Click the Group drop-down menu and then select group that you want to reconfigure for the current web security policy.
   
4. Clicking Save saves the current policy’s configuration only to the currently selected security group from the Group drop-down menu.
   ⋅ Note: If you are looking to apply these settings to multiple groups
5. (Optional) Click Save to Multiple Groups opens a window that allows you to assign the current policy’s configuration to multiple security groups simultaneously.
   
6. Click the corresponding check box for any security group you want to apply the current policy configuration.
   
7. Click Add to add the selected security groups to the configure group.
   Groups can either be reconfigured to accept only configuration changes that have currently been applied or accept and overwrite all configuration settings for the current policy.
8. The default selection is Apply Changed Settings which only apply the changes you have configured. Select to overwrite all configured settings for the designated security groups.
   
9. Individual groups can be removed by clicking Remove or remove all groups selected for configuration by clicking Remove All. Click Save to confirm the configuration being applied to all designated security groups.
   

Web Categories

Domains are tagged with web categories based on their content. The categories of visited websites are recorded in Reporting & Analytics.

Category Actions

You can associate actions with web categories. This enables you to deploy security policies quickly while minimizing the need to allow or block individual URLs. Possible actions include Allow, Block, Stealth, Soft Override, or SSL Decryption Enabled.

1. Each category can have actions that are applied independently from the other categories.

   Action	Description
   Allow	Allows users to access sites of this category. Allow is the default state for all categories.
   Block	Blocks access to sites of a particular category.
   Stealth	Flags traffic to that category as violations in the logs but still allow access to the site.
   Soft Override	Presents a block page to the user but includes an option to bypass the block temporarily. This allows users to access blocked content without requiring immediate administrator intervention. Soft overrides last until the next day at 2:00 AM in the time zone configured for the gateway. Any block page presented with a soft override appears in Reporting & Analytics as “soft-blocked.” After a user has requested a soft override, any traffic to that URL shows as “allowed” until the override has expired.
   SSL Decryption	Disable this option to clear SSL Decryption for a specific category. This ensures privacy compliance and concerns with specific categories like Finance or Health. The priority value for this category does NOT apply to this setting. If a site belongs to multiple categories, and any of those categories has the “SSL Decryption Disabled” option on, that site is not be decrypted.
   Lock	When a category is locked by the primary administrator into either an Allowed or Blocked state, delegated administrators cannot log in to the web gateway management interface and change the status of that category.
   Category Override	When you activate a category override, a delegated administrator cannot log in to the web gateway management interface and add a URL to the allow list that would contradict the rule for this category. For example, the “Art” category is blocked and set to “Overrides,” so delegated administrators cannot add art.com to the Allow List for that group.

2. Click each icon to toggle the action for the respective web category.
   
3. Actions that you want to generally apply to all web categories can be implemented with the Actions drop-down menu.
   
   NOTE: Be careful with the “Not Rated” category, as it matches against many sites that are not categorized

Category Priorities

If a domain is associated with multiple categories, the action is determined by comparing the priority values for the categories. Categories with higher priority value take precedence.

Example:

1. A domain is categorized as both government and hacking. In the web categories configuration, the government is allowed with a weight of 100 while hacking is blocked with a weight of 200.
2. This domain would be blocked when visited by a user due to the block action of the hacking web category possessing a higher priority value.
3. Click the priority value field and enter a numerical value to reconfigure a category’s priority level. The priority value has a configurable range of 0-65535.

Additional Settings

Settings relevant to web categories are configured with toggles under Additional Settings. Configuring a toggle to Yes enables the setting while configuring a toggle to No disables the setting. For a full set of descriptions for all available web category settings refer to the following table:

Category Scheduling

Block events can also be configured on an advanced weekly schedule to allow access during particular times.

1. Set Category Scheduling to Allow Selected Categories Using an Advanced Schedule to enable the scheduling feature. Click Advanced Scheduling to begin scheduling blocked categories.
   
2. The current advanced schedule can either be configured to apply to all blocked categories or only to a particular blocked category.
   
3. Each day during the week can be delegated specific periods of time that the category is allowed. These particular periods of time are indicated by a blue rectangle.
   
4. After finalizing the schedule for a particular category, you can click the category drop-down menu once again and select a new category to configure.
5. Click Save to confirm all schedule configurations.
   

Allow List

The allow lists selectively provides access to a specific website or network resource. This feature enables you to override security policies and allow certain users to access a website. In particular, you can use this to grant access to specific URLs for a domain that is otherwise blocked. This is sometimes referred to as “punching a hole.”

Adding a URL to an Allow List

1. Navigate to Web Security Policies.
2. On the drop-down menu click Allow List.
   
3. From above the list section, click URL/IP Range.
   
4. Type a domain, subdomain, URL, IP address, or IP Range. This is the only required field, but many other criteria can be specified.
5. From the right side of the list, click +Add. The entry is now added to the list.

Scrape Tool

The Allow List section includes the handy Scrape Tool. Use this to quickly identify all of the domains that a website uses. In the modern web, many sites use resources from other domains that are not immediately apparent. With the Scrape Tool, these are easily revealed and added to an allow list.

Another use for the Scrape Tool is to selectively only allow portions of a website, while not allowing unwanted content, such as ad servers.

1. From above the list section, click Scrape.
   
2. Enter the URL to Scrape and click Scan.
   
3. Select domains to add to Allow List and click Add Selected to Allow List.
   

Keyword Block List / Allow List

Keyword filtering is used to inspect URLs for specific words. If a keyword is identified, the content can be allowed or blocked.

Adding a URL to a Block List / Allow List

1. Navigate to Web Security Policies.
2. On the drop-down menu click Keywords.
   
3. Enter the keyword that you would like to block in the Keyword field and specify the designations that apply to this keyword. Click Add.
   

Pre-defined Keyword Lists

You can enable filtering for pre-defined lists of Adult and High-Risk keywords or add more keywords manually.

The Pre-defined Keyword Lists contain common Adult and High-Risk keywords. Wildcard matching is applied to all keywords in these lists. A wildcard match recognizes the keyword’s sequence of characters anywhere in the URL, including the host name. The High-Risk list generates an email to the recipient of alert emails when a High-Risk keyword is detected by the Reporting & Analytics functionality of the CSIA cloud platform.

1. To enable either one of the keyword lists, set the Adult or High-Risk toggle to Yes. Click Save.
   

Citrix Secure Internet Access Agent Configuration

In this section we focus on the configuration and the installation of the Citrix Secure Internet Access (CSIA) Agent.

Configure the CSIA Agent Download (Cloud Connector)

1. From the CSIA admin console, go to Connect Device to Cloud > Cloud Connectors.
   
2. Click Configure Connector Download.
   
3. Click the Use HTTP PAC drop-down menu and select No.
   (Note: Use HTTP PAC to “No” if you want to use HTTPS for PAC download)
   
4. Click Security Group and select the desired default security group for this particular installation file download.
   
5. Keep the remaining connector download settings as Default and Click Save.
   

Configure the CSIA Agent Advanced Connector Settings (Cloud Connector)

1. From the CSIA admin console, go to Connect Device to Cloud > Cloud Connectors > Advanced Connector Settings.
   
2. Under Global Settings Enable the below:
   ⋅ Enable Security Cloud Connector Filtering
   ⋅ Configure Auto Login Cloud Connectors to use Key for Group
   ⋅ Use Session Encryption
3. Under Source IP Logging Enable - Use private source IP of client (if available).
4. Under Group Specific Settings verify that the Correct Group is selected and Click Save.
   

Download the Citrix Secure Internet Access Agent (Cloud Connector)

1. From the CSIA admin console, go to Connect Device to Cloud > Cloud Connectors > Download Connectors.
   
2. Under Windows Cloud Connector, click Download and Download All.
   
   The .msi installation packages can be downloaded directly from the CSIA admin console. Before starting the installation, be sure that you are using the correct package for the version of Windows and processor architecture.

Configure the CSIA Agent Policies in the CSIA Admin Console

1. From the CSIA admin console, go to Connect Device to Cloud > Agent Policies.
   
2. Click Add Agent Policies.
   
3. Provide a Name for your Agent Policy and Select Add Agent Policy.
   
4. To configure the policy, click Edit Agent Policy.
   

5. Click Agent Settings and set the recommended settings.
   

   Recommended Settings for Multi-Session OS VDA Deployments

   Setting	Recommended Value
   Multi-User Mode:	Enable Multi-User/Terminal Server Mode - Enable to support multiple user sessions when running a terminal server. This must be enabled for terminal servers even if users are not logged in simultaneously.
   Use Machine Name for User name:	Disable Setting - Use the user account name as the user name.
   Use UPN for User name:	Disable Setting - Use the Security Account Manager (SAM) account name, such as DOMAIN\user name.
   Redirect All Ports:	Enable Setting
   Bypass Private Subnets:	Enable Setting
   Captive Portal Detection:	Disable Setting
   Auto-Update Enabled:	Enable Setting
   Auto-Update Release Level:	Level 1 - Mature
   Enable Windows Desktop App: (Agent is not supported Multi-User Deployments)	Disable Setting

   Recommended Settings for Single-Session OS VDA Deployments

   Setting	Recommended Value
   Multi-User Mode:	Disable Multi-User/Terminal Server Mode - Enable to support multiple user sessions when running a terminal server. This must be enabled for terminal servers even if users are not logged in simultaneously.
   Use Machine Name for User name:	Disable Setting - Use the user account name as the user name.
   Use UPN for User name:	Disable Setting - Use the Security Account Manager (SAM) account name, such as DOMAIN\user name.
   Redirect All Ports:	Enable Setting
   Bypass Private Subnets:	Enable Setting
   Captive Portal Detection:	Disable Setting
   Auto-Update Enabled:	Enable Setting
   Auto-Update Release Level:	Level 1 - Mature
   Enable Windows Desktop App: (Agent is not supported on Multi-User Deployments)	Enable Setting
   Allow End Users to Disable Security:	Disable Setting
   Require Password to Disable Security:	Enable Setting
   Require Password to View Diagnostics Info:	Enable Setting

6. Click Dynamic Linking and select the Groups you want to assign the policy too.
   
7. Click Save.
   

(OPTIONAL) Manual Configuration of the of the Citrix Secure Internet Access Agent

The CSIA Agent for Windows .msi editing via Orca is only recommended for troubleshooting.

Orca.msi is available in the Windows Cloud Connector “Download All” option

Opening an .MSI File with Orca

1. Open Zip file and install Orca.msi
   
2. Locate the desired installation file in a file explorer program.
3. Right-click the .msi installation file.
4. Click Edit with Orca.
   

Configuring Properties of an .MSI in Orca

1. Double-click to open the Property table.
   

2. Each property can be edited by double-clicking the property’s Value field.
   

   Recommended Settings for Multi-Session OS VDA

   Setting	Recommended Value
   Multi-User Mode: (PARAM_MULTI_USER_SUPPORT)	(1): Enable multi-user mode. Enable to support multiple user sessions when running a terminal server. This must be enabled for terminal servers even if users are not logged in simultaneously.
   Terminal Server Mode: (PARAM_TERMINAL_SERVER_MODE)	(0): Disabled - this appears to be deprecated in favor of Multi-User Support
   Use Machine Name for User name: (PARAM_USE_MACHINE_NAME_FOR_USER NAME)	(0): Disabled - Use the user account name as the user name.
   Redirect All Ports: (PARAM_REDIRECT_ALL_PORTS)	(1): Enabled - Redirect all ports to the proxy.
   Bypass Private Subnets: PARAM_BYPASS_PRIVATE_SUBNETS)	(1): Enable bypass
   Captive Portal Detection: (PARAM_CAPTIVE_PORTAL_DETECTION)	(0): Disabled
   Auto-Update Enabled: (PARAM_AUTO_UPDATE_ENABLE)	(1): Enabled – The cloud connector to be updated automatically.
   Restart After Upgrade: (PARAM_RESTART_AFTER_UPGRADE)	(0): Disabled - Does not prompt a restart.

   Recommended Settings for Single-session OS VDA

   Setting	Recommended Value
   Multi-User Mode: (PARAM_MULTI_USER_SUPPORT)	(0): Disable multi-user mode. Enable to support multiple user sessions when running a terminal server. This must be enabled for terminal servers even if users are not logged in simultaneously.
   Terminal Server Mode: (PARAM_TERMINAL_SERVER_MODE)	(0): Disabled - this appears to be deprecated in favor of Multi-User Support
   Use Machine Name for User name: (PARAM_USE_MACHINE_NAME_FOR_USER NAME)	(0): Disabled - Use the user account name as the user name.
   Redirect All Ports: (PARAM_REDIRECT_ALL_PORTS)	(1): Enabled - Redirect all ports to the proxy.
   Bypass Private Subnets: (PARAM_BYPASS_PRIVATE_SUBNETS)	(1): Enable bypass
   Captive Portal Detection: (PARAM_CAPTIVE_PORTAL_DETECTION)	(0): Disabled
   Auto-Update Enabled: (PARAM_AUTO_UPDATE_ENABLE)	(1): Enabled – The cloud connector to be updated automatically.
   Restart After Upgrade: (PARAM_RESTART_AFTER_UPGRADE)	(0): Disabled - Does not prompt a restart.

3. Within Orca, click the Save icon to save changes made to the parameters of the Windows Cloud Connector.
   
   Note: Ensure files are saved within Orca only using this method (not using Save As). This causes issues with the functionality of the Windows cloud connector if it is not saved in this manner.

Deployment of the Citrix Secure Internet Access Agent to Main Image

Citrix recommends you save copies or snapshots of main images before you update the machines in the catalog. The database keeps a historical record of the main images used with each machine catalog. You can roll back (revert) machines in a catalog to use the previous version of the main image if users encounter problems with updates you deployed to their desktops, thereby minimizing user downtime. Do not delete, move, or rename main images; otherwise, you cannot be able to revert a catalog to use them.

For catalogs that use Provisioning Services, you must publish a new virtual disk to apply changes to the catalog. For details, see the Provisioning Services documentation.

After a machine is updated, it restarts automatically.

Deploy CSIA agent (Cloud Connector) manually to VDA main image

Update Main Image

Before you update the catalog, either update an existing main image or create a new one on your host hypervisor.

1. On your hypervisor or cloud service provider, take a snapshot of the current VM and give the snapshot a meaningful name. This snapshot can be used to revert (roll back) machines in the catalog, if needed.
2. Power on the main image and log on.
3. Install the appropriate CSIA Agent .msi package for your platform to the main image.
   
4. If the main image uses a Personal vDisk, update the inventory.
5. Power off the VM.
6. Take a snapshot of the VM and give the snapshot a meaningful name that can be recognized when the catalog is updated in Studio. Although Studio can create a snapshot, Citrix recommends that you create a snapshot using the hypervisor management console, and then select that snapshot in Studio. This enables you to provide a meaningful name and description rather than an automatically generated name.

Update the catalog

To prepare and roll out the update to all machines in a catalog:

1. Select Machine Catalogs in the Studio navigation pane.
2. Select a catalog and then select Update Machines in the Actions pane.
3. On the Main Image page, select the host and the image you want to roll out.
4. On the Rollout Strategy page, choose when the machines in the Machine Catalog can be updated with the new main image: on the next shutdown or immediately. See below for details.
5. Verify the information on the Summary page and then click Finish. Each machine restarts automatically after it is updated.

Deploy CSIA agent (Cloud Connector) via AD group policy to Static VDA images

Create a Distribution Point

1. Create folder on an AD joined computer that acts as the file server.
2. Save the CSIA Agent .msi package inside that folder.
3. Right-Click the newly created folder, select properties.
4. Go to “Sharing” tab.
5. Select “Advanced Sharing”.
6. Enable “Share this Folder”.
7. In Settings under Share name add a $ after the CSIA Agent folder name. (Example. CSIA_Agent$).
8. Select Apply.
9. Then Close.

Create Group Policy Object

1. Open Group Policy Management.
2. Right-click Group Policy Object.
3. Select New, and name new GPO (Example: Deploy CSIA Agent).
4. Right-click the newly created Group Policy Object from above, Select Edit.
5. Expand Software Settings folder.
6. Select software installation.
7. Right-click in the right panel.
8. Select New.
9. Select Package.
10. In the corresponding window, type in the location (file path) of your CSIA Agent folder containing the CSIA Agent .msi package.
11. Select the MSI.
12. Select Open.
13. In the Deploy Software window, choose “Advanced” underneath Select Deployment Method.
14. Under Deployment select Uninstall This Application when…. (this means next time the endpoint runs a gpupdate and the CSIA Agent has been removed it is removed from the endpoint as well).
15. Select OK and Close.

Scenario 1: Static VDA with user data stored in local disk

1. On your hypervisor or cloud service provider, take a snapshot of the VDAs and give the snapshot a meaningful name.
2. In your Group Policy Management, expand your domain.
3. Right-click the location of your Static VDAs, then select “Link an existing GPO”.
4. Select the Deploy CSIA Agent GPO that was created.
5. Select OK.
6. Once the Group Policy is applied you must reboot the VDAs.

Scenario 2: Static VDA with user data discarded on logout

1. On your hypervisor or cloud service provider, take a snapshot of the current VM and give the snapshot a meaningful name. This snapshot can be used to revert (roll back) machines in the catalog, if needed.
2. In your Group Policy Management, expand your domain.
3. Right-click the location of your Main Image, then select “Link an existing GPO”.
4. Select the Deploy CSIA Agent GPO that was created.
5. Select OK.
6. Once the Group Policy is applied you must reboot the machines.
7. Take a snapshot of the VM and give the snapshot a meaningful name that is recognized when the catalog is updated in Studio. Although Studio can create a snapshot, Citrix recommends that you create a snapshot using the hypervisor management console, and then select that snapshot in Studio. This enables you to provide a meaningful name and description rather than an automatically generated name.
8. Update your Machine Catalogs in the Studio navigation pane. (See the Update the catalog section above)

Scenario 3: non-MCS Static VDA with user data stored in local disk

1. On your hypervisor or cloud service provider, take a snapshot of the current VM and give the snapshot a meaningful name. This snapshot can be used to revert (roll back) machines in the catalog, if needed.
2. In your Group Policy Management, expand your domain.
3. Right-click the location of your Main Image, then select “Link an existing GPO”.
4. Select the Deploy CSIA Agent GPO that was created.
5. Select OK.
6. Once the Group Policy is applied you must reboot the machines.

Validated Use Cases

Deployed CSIA agent (Cloud Connector) manually to VDA main image

MCS: Pooled-random desktop

• Windows 10 Enterprise (Single-Session)
• Windows Server 2019 (Multi-Session)

MCS: Pooled-static desktop

• Windows 10 Enterprise (Single-Session)

MCS: Dedicated desktop

• Windows 10 Enterprise (Single-Session)

PVS: Pooled-random desktop

• Windows 10 Enterprise (Single-Session)
• Windows Server 2019 (Multi-Session)

PVS: Pooled-static desktop

• Windows 10 Enterprise (Single-Session)

PVS: Dedicated desktop

• Windows 10 Enterprise (Single-Session)

Non-MCS: Random desktop

• Windows 10 Enterprise (Single-Session)
• Windows Server 2019 (Multi-Session)

Non-MCS: Static desktop

• Windows 10 Enterprise (Single-Session)

Deployed CSIA agent (Cloud Connector) via AD group policy to Static VDA images

MCS

• Static VDA with user data stored in local disk
• Static VDA with user data discarded on logout

Non-MCS

• Static VDA with user data saved into local disk

VDAs in Different Regions

Troubleshooting

Important Tools for Troubleshooting

1. Windows Event Log
2. CSIA Real-Time Dashboard (Reporting & Analytics > Real-Time Log)
3. CSIA Event Logs (Reporting & Analytics > Logs > Event Log)
4. CSIA IPS Logs (Reporting & Analytics > Logs > IPS Log)
5. Registration Information for Connected Devices (Users, Groups & Devices > Cloud Connected Device > Info)
6. URL Lookup Tool (Tools > URL Lookup)
7. Enhanced Logging
   ⋅ To set this, the following registry key must be altered, varying from 0 to 4, the higher giving more verbose logging.
   ⋅ HKEY_LOCAL_MACHINE\SOFTWARE\IBoss\IBSA\Parameters\LogLevel
   ⋅ Once the registry key has been set, the IBSA service under Windows Services must be restarted for the setting to take effect. Checking windows event viewer, you see many entries being logged depending on the log level set.
8. Windows Agent Logs (C:\Windows\SysWOW64\ibsa_0.log)

A Keyword is not Being Blocked

There is a multitude of policies and variables within and surrounding the operations of the CSIA cloud platform that can interfere with properly blocking configured keywords. Refer to the following;

1. Ensure that SSL decryption is active for this website. Keywords cannot be observed or controlled for HTTPS websites.
2. If the source IP of the client workstation or the destination IP of the webserver has been added to the Network > Bypass IP Ranges list, web security controls are not enforced.
3. Keywords configured to block do not take effect if the website is added to the Web Security > Allow List without the Keyword/Safesearch option enabled. With the Keyword / SafeSearch check box selected, Web Gateway allows access to the website but still to enforce Keyword controls and Safesearch.
4. The keyword contains asterisks, instead remove the asterisks and activate Wildcard matching for the keyword if that is the desired effect.
5. The keyword has multiple words, and Wildcard Matching is not enabled, or the spaces were not indicated with a plus sign (“+”).
6. The user is not associated with the expected web security group that has the keyword control enabled.

Conflicting Actions from Pre-defined Keyword Lists

In some situations, a word in one of the built-in lists of keywords may inadvertently block content unexpectedly. To correct this action, edit the specific pre-defined keyword list. When you click the pencil icon to edit a built-in list, the CSIA cloud platform interface presents a page of keywords with check boxes next to them. To remove the keyword from the built-in list, clear the box next to the keyword you would like to remove and click Save. To apply this action to all groups, check the box that is labeled Apply to All Groups.

Identifying the Customer’s Citrix Secure Internet Access Node

1. From the Home navigate to the Node Collection Management.
   
2. Click Node Groups.
   
3. This provides you with both the Customer CSIA Node-reports.ibosscloud.com and the Customer CSIA Node-swg.ibosscloud.com Node Clusters.

Splunk Integration with Citrix Secure Internet Access Node

Splunk Server Setup

1. Navigate to the Splunk Server instance and click the Settings link at the top of the page, followed by the Data inputs link under the “Data” subsection.
   
2. Click the Add new link to the right of the “UDP” section.
   
3. Enter a port into the “port” field (above 1023, if possible, to avoid security restrictions with the operating system). In the “Only accept connection from” field, enter your CSIA Reporter Node’s IP address. If nothing is entered in this field, connections from all hosts are accepted. When done, click Next.
   
4. On the next page, click Select Source Type and type “syslog,” then select it.
   
5. Change the App Context to Search & Reporting (search).
   
6. Change the Host Method to IP.
   
7. Click Review (review current configuration), then click Submit.
   

CSIA Reporting & Analytics Module Setup

1. Navigate to Reporting & Analytics > Log Forwarding > Forward From Reporter in the iboss cloud platform interface.
   
2. Under Splunk Integration, click Actions, then click Add Server.
   
3. Add the Address/Host name of the Splunk Server to the “Host name” and the port number chosen on the Splunk server. Next, in the drop-down menu “Splunk Integration Protocol,” choose a protocol.The options available when adding a Splunk server appear as follows:
   
4. You can also configure the Splunk server’s integration protocol as HEC. Configuring integration with a Splunk server using the HEC protocol requires the acquisition of the HEC token from the configuration of the Splunk server. Place the retrieved token into the Token field below the Splunk Integration Protocol selection drop-down menu.
   
5. If implementing an ELFF log format for Splunk logging the Splunk Integration ELFF Batch Size field becomes available for configuration. The default value for configuration is 100.
   
6. A toggle called “Accept All SSL Certs” is available under the “Splunk Integration” section within Settings > External Logging. If a non-standard SSL Certificate such as a Self-Signed certificate or a certificate signed by a non-trusted root CA is used, switch this toggle to “YES” to bypass SSL certificate verification, otherwise leave the switch off.
7. Select the format in which the log data is delivered from the “Log Format” drop-down menu. Finally, switch one or more of the toggles at the bottom of the interface to select the desired logging information types. Click the Save button to update the changes. The logging begins immediately. Perform a search on the Splunk instance to check data is being sent and indexed properly. See the sample output below.
   

Changing the Proxy Port

The CSIA proxy port may be changed, but you mustn’t attempt to change the proxy port to one that the gateway uses for other services.

Ports that cannot be used include: 53, 139, 199, 443, 445, 953, 1080, 1344, 5432, 6001, 7009, 7080, 7443, 8008 ,8015, 8016, 8025, 8026, 8035, 8036, 8080, 8200, 8201, 9080, 9443, 17500, 22022

All other ports are an acceptable alternative to the default port.

1. Navigate to Proxy & Caching > Proxy Settings
   
2. Under the Settings tab, enter the desired port number on which the proxy listens for traffic into the Proxy Port field.
   Note: The port configured for this setting is used when configuring proxy settings in other platform functionalities. Some ports may not be available for assignment to this setting due to pre-configured gateway services.
   
3. Click Save to apply this change.
   

Appendix

Main Category List

Note: Be careful with the “Not Rated” category, as it matches against many sites that are not categorized.