Monthly Archives: June 2018

Citrix and utilizing it with EMS and Azure AD Joined Devices

This is based upon a session I presented at Citrix User Group Ireland; you can view the SlideShare presentation here –> https://www.slideshare.net/mariussandbu/citrix-with-microsoft-ems. The session was about how we can leverage Citrix with EMS (Enterprise Mobility and Security), and it also shows the configuration of Citrix FAS together with Azure AD.

Now the focus of this post is purely on having Azure AD with Azure AD Joined devices (not Hybrid), where authentication happens in Azure AD and not on-premises, but there are some other supported workloads or topologies further down.

I have previously written about setting up SSO between Azure AD and Citrix FAS, which is one of the core components for a simple way to get SSO to an on-premises environment (http://msandbu.org/setting-up-citrix-sso-with-windows-10-and-azure-ad-join/), and also about how to tune Storefront to get SSO working properly, especially in cases where the end-users close the browser themselves (http://msandbu.org/citrix-fas-with-azure-ad-and-error-404-not-found/).

This allows end-users to access Citrix as part of Azure AD using, for instance, the My Apps Portal. (Or end-users can continue to use NetScaler Gateway as their application portal, but the Azure AD portal can be easily accessed from Windows 10 Azure AD Joined devices.)

[Figure: citrix-azuread]

If customers are moving towards Azure AD, it also means that computer objects and user objects are stored in Azure Active Directory, which in turn requires other tools to handle security, as well as other features such as printing.

Moving clients out to Azure AD brings a lot of security benefits, because we no longer have a large Kerberos domain with perhaps 10,000+ clients that communicate directly with each other, with file servers and print servers, and with the Active Directory Domain Controllers, which makes it easier for a single compromised client to spread ransomware across the environment.

With EMS we also have other services (which I will come back to in another blog post), such as:

  • Azure AD (Allows us to monitor Azure AD users and take actions against suspicious activities)
  • Cloud App Security (Allows us to secure end-users and data across SaaS using a Cloud Access Security Broker)
  • Windows Defender ATP (Allows us to monitor the end-user device for suspicious activity and take actions against the device)
  • Azure ATP (Allows us to monitor against suspicious activity against Active Directory)
  • Intune (Allows us to deploy policies and compliance rules against end-users devices)

Of course, in the middle of this is Conditional Access, which allows us to use data from both Azure AD and Windows Defender ATP to determine if an end-user should be allowed access to a certain application. We can also require that all traffic to a specific SaaS application goes through Cloud App Security, acting as a forward web proxy. So how do these features work with Citrix? Using Azure AD and FAS we can only connect to Citrix using Receiver for Web.
NB: If you are using Azure MFA and have enabled it for all users, this will effectively override Conditional Access rules.

[Figure: citrix-ca]

So what other aspects of Citrix can we manage or configure using Microsoft EMS?

We can now manage deployment of VPN profiles in Microsoft Intune, which allows us to deploy for instance an Always-On VPN profile directly to Intune-managed devices. This was previously only available for iOS and Android, but is now supported on Windows 10 as well, as long as we have the NetScaler 12.0.57 endpoint client installed to be able to read the configuration.

[Figure: citrix-vpn]

And since Citrix is supported running VPN in Microsoft Azure, we can easily build a new modern workspace client with VPN together with Citrix in Microsoft Azure. Using certificate authentication with the SCEP protocol on Intune as well, we can easily have a process where we deploy a completely new endpoint to end-users. And by defining an auto-triggered VPN, we can connect a VPN profile directly to a desktop application that we have running on the desktop. (https://docs.microsoft.com/en-us/windows/security/identity-protection/vpn/vpn-profile-options)

When it comes to application deployment via Intune, we have two options that work. We can deploy applications using the native built-in mechanism, which only supports MSI-based deployments; this works great with the NetScaler Gateway plugin but is, of course, an issue with Citrix Receiver since that is an exe file. Luckily Aaron Parker made a Citrix Receiver installer which can be used through PowerShell (https://github.com/aaronparker/Intune/tree/master/Apps).

Now there are also other supported workloads which I have not described in detail, but which we have:

  • NetScaler with Azure MFA using NPS with the extension (you can read more about it here –> https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-nps-vpn). This is only useful if you want to replace your current MFA provider with a RADIUS provider against the NetScaler, and it should not be combined with Conditional Access.
  • NetScaler with Intune and Graph API NAC access. This requires an Enterprise license, but it allows the NetScaler to check end-device compliance through Intune before the device is allowed to authenticate with a NetScaler Gateway (note that this works with the NetScaler VPN configuration). You can think of this as a replacement for OPSWAT or Endpoint Scan (https://docs.citrix.com/en-us/netscaler-gateway/12/microsoft-intune-integration/configuring-network-access-control-device-check-for-netscaler-gateway-virtual-server-for-single-factor-authentication-deployment.html)
  • Storefront with native Receiver and Azure AD SAML authentication. As mentioned earlier, native Receiver doesn’t work well with Azure AD authentication as long as it is on the outside, but Citrix Receiver works with SAML authentication when it is on the inside, and this can be configured with Azure AD and MFA using Conditional Access. This is useful if you want to have two-factor authentication on the inside for certain users, such as business executives.

Now, of course, these are some of the steps involved in setting up a simple SSO mechanism and building a VPN to reach those legacy applications. In the next posts I will focus a bit more on building a security policy which combines WDATP with Conditional Access.


A review of Citrix Analytics

This post is also based on a session I had at Citrix User Group about Citrix Analytics. Even though Citrix Analytics is still not released, I did a lot of research about the product in advance. So in this post, I will go into a bit of depth about the product, about the features that are available now, and about what I think is missing in the product as of now.

Citrix Analytics was announced by Citrix last year. At its core, it is about machine learning and analytics of data that is already available. It is about gathering the data from these different sources into a big data platform and using historical data from these sources to build a baseline and predict what normal behavior is and what abnormal behavior is. It is also about moving from being reactive to being proactive.

Most monitoring tools today are reactive, meaning that they see that a process stops, a server goes down or a service stops running, and therefore we need to go and troubleshoot. With analytics, we try to shift that focus to being proactive: “here we have the historical data, showing that based upon the last 12 months this occurred on the same date because of user load on the server”, and based upon this historical data we can take actions. The same method is used from a security perspective. For instance, we have someone in HR, let’s call him Dave, and every day he accesses the HR system; this has been his trend for the last 6 months, from the same physical device in the same location. Suddenly he accesses another application from another system in another location. This falls into abnormal behavior, and based upon this we might have a risk, so we need to have an automated action.


Citrix Analytics is going to be available in three modules, but right now only the Security module is available (which is now in Preview; you can request access here –> https://www.citrix.com/products/citrix-cloud/form/citrix-analytics/). Analytics can gather information from Citrix products only, which means XenDesktop/XenApp, ShareFile, NetScaler and Citrix XenMobile.

The data collected from these sources is then placed into Citrix Analytics (Which is a cloud-only service) which consists of a data lake, event processing, and machine learning and will then store information for 13 months to generate a baseline (or user trends) based upon the historical data. Of course, having data stored for this long period allows the system to create more accurate models on user behavior.

NOTE: Even though Analytics is a cloud-only platform, it can still get data from existing on-premises deployments.

Citrix Analytics can also take actions against these systems. If we, for instance, have a user who suddenly is marked as high risk (based upon risk indicators such as a failed EPA scan or an unknown location), we can then directly disconnect the end-user from XenDesktop or terminate the session. So all the data collected from the different sources can be turned into actions.
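To make the baseline idea concrete, here is an added illustration of my own (not Citrix Analytics code, and not anything documented by Citrix): it builds a per-user baseline of apps, devices and locations from constructed session records, scores a new session for deviations in the way the Dave scenario above describes, and maps the score to an action such as disconnecting the session. The record fields, the point weights and the thresholds are all assumptions chosen for the illustration.

```powershell
# Added illustration, not Citrix Analytics code: per-user behavioural baseline and risk scoring.
# Record fields, weights and thresholds below are assumptions chosen for the example.

# Constructed history: Dave (HR) reaches the HR system daily from the same laptop in Oslo,
# and Anna (finance) uses two apps from the Bergen office. Dates are spread over the past months.
$history = @()
foreach ($day in 1..120) {
    $history += [pscustomobject]@{ User='dave'; App='HR-System'; Device='LAPTOP-DAVE'; Location='Oslo';   Date=(Get-Date).AddDays(-$day) }
}
foreach ($day in 1..40) {
    $history += [pscustomobject]@{ User='anna'; App='Finance';   Device='LAPTOP-ANNA'; Location='Bergen'; Date=(Get-Date).AddDays(-$day) }
    $history += [pscustomobject]@{ User='anna'; App='ShareFile'; Device='LAPTOP-ANNA'; Location='Bergen'; Date=(Get-Date).AddDays(-$day) }
}

function New-UserBaseline {
    # Builds "what is normal" per user from records inside the retention window
    # (the post mentions 13 months of stored history for the real product).
    param([object[]]$Records, [int]$WindowMonths = 13)
    $cutoff   = (Get-Date).AddMonths(-$WindowMonths)
    $baseline = @{}
    foreach ($group in ($Records | Where-Object { $_.Date -ge $cutoff } | Group-Object User)) {
        $baseline[$group.Name] = @{
            Apps      = @($group.Group | ForEach-Object App      | Sort-Object -Unique)
            Devices   = @($group.Group | ForEach-Object Device   | Sort-Object -Unique)
            Locations = @($group.Group | ForEach-Object Location | Sort-Object -Unique)
            Sessions  = $group.Count
        }
    }
    return $baseline
}

function Get-SessionRisk {
    # Scores one new session against the user's baseline; each deviation is a risk indicator.
    param([hashtable]$Baseline, [pscustomobject]$Session)
    $userProfile = $Baseline[$Session.User]
    if (-not $userProfile) {
        return [pscustomobject]@{ User=$Session.User; Score=100; Indicators='no baseline for user'; Action='alert' }
    }
    $score = 0; $indicators = @()
    if ($Session.Device   -notin $userProfile.Devices)   { $score += 30; $indicators += "unknown device $($Session.Device)" }
    if ($Session.Location -notin $userProfile.Locations) { $score += 40; $indicators += "unknown location $($Session.Location)" }
    if ($Session.App      -notin $userProfile.Apps)      { $score += 20; $indicators += "unusual app $($Session.App)" }
    # Risk levels mapped to actions (assumed thresholds); 'disconnect session' mirrors the
    # session action described in the post.
    $action = if ($score -ge 60) { 'disconnect session' } elseif ($score -ge 30) { 'alert' } else { 'allow' }
    [pscustomobject]@{ User=$Session.User; Score=$score; Indicators=($indicators -join ', '); Action=$action }
}

$baseline = New-UserBaseline -Records $history

# Constructed new sessions: Dave's normal day; Dave from an unknown device in an unknown location
# opening an app he never uses; Anna from her usual laptop but an unusual location.
$today = @(
    [pscustomobject]@{ User='dave'; App='HR-System'; Device='LAPTOP-DAVE'; Location='Oslo';   Date=(Get-Date) }
    [pscustomobject]@{ User='dave'; App='Finance';   Device='PC-UNKNOWN';  Location='Kyiv';   Date=(Get-Date) }
    [pscustomobject]@{ User='anna'; App='Finance';   Device='LAPTOP-ANNA'; Location='Madrid'; Date=(Get-Date) }
)
$today | ForEach-Object { Get-SessionRisk -Baseline $baseline -Session $_ } | Format-Table -AutoSize
```

With these constructed records Dave’s normal session scores 0 (allow), his session from the unknown device and location scores 90 (disconnect session), and Anna’s session from Madrid scores 40 (alert). The point of the exercise is the shape of the pipeline: history in, baseline per user, each new event scored against that baseline, and an action chosen from the risk level, which is the same loop the product runs at scale with far richer features.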

To get the data into Analytics, we need to have additional agents installed. For NetScaler we need the MA Service, which actually sends AppFlow data to see the session information; for XenDesktop we need an agent installed on the Delivery Controller, and we also need to define Citrix Director access, because Analytics taps into Director to get the historical data stored there.

Source: https://docs.citrix.com/content/dam/docs/en-us/citrix-analytics/downloads/citrix-analytics-getting-started-guide.pdf

As mentioned, Analytics creates a user score to determine whether a user is seen as a high risk or not, and if the user reaches a certain risk level based upon risk conditions, we can take actions. For instance, if we see an excessive level of external file sharing by a particular user, or any other type of activity which might be a risk indicator, we can take action on that rule, such as disabling the user’s access or logging the account off from NetScaler.

Source: https://www.youtube.com/watch?time_continue=1389&v=BJc_ePqHTa4

As a product, Citrix Analytics has some promise in that it can automatically detect abnormal behavior and react to it. The limitations of the product so far, as I see them, are:

1: It doesn’t as of now have any integration with a SIEM tool to forward alerts/actions directly, or any form of API that can be called to get that type of information (at least to my knowledge; there might be some API underneath, but it is not documented yet).
2: It is Citrix only – when it comes to sources and actions, it currently only works with other Citrix products, which is something they need to extend. Citrix also announced something called Citrix Access Control during Synergy (source: https://www.citrix.com/blogs/2018/05/08/secure-the-access-and-use-of-saas-web-apps-in-your-digital-workspace/), which provides SaaS access control. This also extends into Office 365, so in the long run Analytics might handle Office 365 as well. Hopefully, Analytics can also re-use information across tenants, so that, for instance, if they see suspicious behavior from the same IP address across tenants they can take action on it.
3: I see it overlapping a bit with Azure AD / Intune and Conditional Access. With Conditional Access we also have multiple conditions that we can use to determine or take action on a particular user or device. Conditional Access doesn’t use any form of analytics, but we have risk levels which are based upon information from Azure ATP, Windows Defender ATP, Azure AD and device security, which determine whether a user should get access or not. Also, Microsoft has its own Security Graph API, which has a lot of historical and analytics data, and Microsoft has Cloud App Security, which can act as a proxy in web sessions and deny/allow access to the application.

What I would love to have here is an integration between Citrix and Microsoft, so we could have an integration point between Conditional Access and Citrix when it comes to sources, and then have actions on Azure AD, SaaS and Citrix environments. That would be really awesome!


Gotchas with Citrix Cloud

After spending a couple of days with the best Citrix User Group in the world (cugtech.no), I wanted to publish this blog post, which is based on one of my sessions about Citrix Cloud gotchas. I got some personal feedback after the session because people felt I delivered my honest feedback about the product in general: the current limitations, what works, and what I feel Citrix needs to improve on the product moving forward, which is what I want these blog posts to focus on. The focus of this blog post is on the XenApp and XenDesktop offerings on Citrix Cloud; another one on Analytics is coming a bit later. First, some interesting facts about the backend architecture.

Backend:
Communication between the Control Plane and on-premises is done through Cloud Connectors. The Cloud Connectors are just Windows Servers with that specific component installed. Most of the backend services run on Microsoft Azure, using a combination of App Service, Service Bus, Blob Storage and virtual infrastructure. The Control Plane is now available in the US, EMEA or Asia Pacific, and the NGaaS service is available in 12 regions worldwide and uses a form of GSLB with proximity to route users to the closest region. Because of the Service Bus architecture, the Cloud Connector acts as a Service Bus subscriber and listens for jobs from the Control Plane; therefore the Cloud Connector doesn’t need any public IP, since traffic is never initiated from Citrix Cloud down to the Cloud Connectors. Also, with Citrix Cloud the Cloud Connectors replace the DDC role and act as the control point for the VDAs, but the Cloud Connector is stateless, unlike the DDC.

  • Note: If you, like me, are an early adopter of Citrix Cloud, you might be placed in the US plane, and as of now there are no migration offerings to move a tenant from one location to another. In most cases, you would need to rebuild your environment.

Citrix’s goal is to maintain at least a 99.9% SLA, which corresponds to 45 minutes of downtime each month.



Offerings: Citrix Cloud with XenApp and XenDesktop comes in many different flavors. I’m not going into detail on each of these offerings, because the differences between them are listed here –> https://www.citrix.com/content/dam/citrix/en_us/documents/reference-material/xa-xd-deployment-options-feat-comp-matrix.pdf. The biggest challenges I have with these offerings right now are these:
1: No capability to mix between different options, which means that we cannot have, for instance, 10 users on XenApp Essentials and 20 users on XenDesktop Essentials.
2: No ability to use concurrent licensing, only user/device.
3: No unified UI across the offerings; right now some are still using Citrix Studio, while Citrix is also making a new web UI offering.

As part of Citrix Cloud, there are two optional components, NGaaS and Citrix Workspace; both services can be enabled through the Control Plane.


NetScaler Gateway as a Service: This is a managed cloud service which replaces the regular NetScaler ICA proxy to a Citrix environment, since the traffic goes through the Cloud Connector to the VDA. As mentioned, there will always be traffic through the Cloud Connector, via a Windows service which is responsible for the traffic. When an end-user connects through NetScaler Gateway as a Service, they will be routed to the closest of the 12 endpoints worldwide.


Pros:
  • Runs as a managed service
  • Doesn’t require any dedicated public IP or certificate, since the service runs on top of the Cloud Connector
  • Highly available worldwide (on 12 different points of presence)

Cons:
  • Only ICA proxy service
  • No options for advanced features such as Smart Access or HDX Insight (AppFlow)
  • Some additional latency
  • No support for EDT (UDP-based transport)

Citrix Workspace: This is the new name for the cloud-based Storefront, which is now available for all customers who joined Citrix Cloud after December 2017. (NB: not yet available for customers who subscribed to Citrix Cloud before that; they will be migrated soon.) Like NGaaS it is a fully managed service, which can now aggregate all Citrix applications and has a feature in Tech Preview to provide SSO to third-party applications.

Pros:
  • Runs as a managed service
  • Doesn’t require any dedicated public IP or certificate

Cons:
  • No options for advanced features such as Optimal Gateway Routing
  • No options for advanced UI changes (some features such as logo changes are now possible)
  • No support for regular on-premises MFA providers; MFA can only be done through Azure MFA

Availability:
Most Citrix Cloud services are US-based, but Citrix has also announced that the control plane is now available in EMEA as well, which makes management (and selling) a bit easier, since it has considerably lower latency. However, you should be aware that not all services are available in EMEA yet; for instance, the App Layering feature still requires connecting to the US endpoint.


Security:
When it comes to security, all traffic is encrypted between the different components, and credentials such as Active Directory credentials are not stored and need to be entered each time we update a machine catalog or make changes to an existing one. Credentials to the hypervisor and/or cloud are stored in the connection. Since Citrix is managing the infrastructure, we have no access to the underlying infrastructure, and we also don’t have administrative logging capabilities in Citrix Cloud, so if we want to get logs of what has happened we would need to contact Citrix Cloud Support (within 30 days to get that information). Note that Citrix Cloud login can also be set up using Azure AD credentials; if you are using this, make sure to set up Azure AD with Azure MFA (because if someone manages to gain access to your Azure AD account they can actually delete an entire machine catalog).

Other components:
Other components also support Citrix Cloud. PVS can support Citrix Cloud, but this requires version 7.7 and the download of a specific Citrix Cloud PowerShell SDK, and you would still need to set up an on-prem licensing server and SQL to store the information (https://docs.citrix.com/en-us/provisioning/cloud-connector.html). App Layering is available in Citrix Cloud, but only the management plane; you will still need the on-prem appliance (ELM) to handle the actual layering jobs. WEM is not there yet, but it was recently announced that it will be available in Citrix Cloud soon: https://www.citrix.com/blogs/2018/04/30/workspace-environment-management-service-coming-soon-to-citrix-cloud/

Other things missing:
Among the other missing capabilities are the lack of App-V integration and lacking monitoring support. Since we are now moving the DDC role away, many of the monitoring vendors that people use don’t support Citrix Cloud yet, and some of the management packs which were part of the Comtrade deal will no longer work, since they depend on some of the services that the DDC uses. Also, if we move NetScaler and Storefront as well, they are no longer under our control, and therefore we need to handle monitoring in some other way, such as with load testing tools. Another thing that caught my eye is the ability to run PowerShell commands natively, which you can read more about here –> http://citrixtips.com/disabling-rearm-of-os-and-office-on-mcs-in-citrix-cloud/

Monitoring and troubleshooting:
When it comes to troubleshooting and monitoring Citrix Cloud, we only have a few options. The first is to check whether there are any issues on Citrix Cloud using the Citrix Cloud status board –> https://status.cloud.com (this allows us to subscribe to alerts using SMS, phone or a webhook, to forward to Microsoft Teams or Slack). The Cloud Connector itself doesn’t have a dedicated event log but writes events into the Application log on the server it is installed on. If you are looking for errors, filter on these event sources on the Cloud Connector server:
[Figure: Picture5, list of Cloud Connector event sources]

Logs are also placed in C:\ProgramData\Citrix\WorkspaceCloud\Logs (in case you are using a log gathering tool such as Log Analytics). We can also view session information using the OData API against Director –> https://www.citrix.com/blogs/2018/03/23/monitor-data-for-xenapp-and-xendesktop-in-citrix-cloud-now-available-through-odata/

Best-practices for Cloud Connector:
  • Don’t install anything else on the Cloud Connector server (it is self-managed)
  • Set up AV exceptions and proxy exceptions for the Cloud Connector traffic –> https://docs.citrix.com/en-us/citrix-cloud/overview/requirements/internet-connectivity-requirements.html and AV exceptions for Cloud Connector –> https://www.citrix.com/blogs/2016/12/02/citrix-recommended-antivirus-exclusions/
  • Set up the Cloud Connector on Server Core –> https://xenappblog.com/2018/citrix-windows-server-core/ (allows for better throughput and higher security), but this makes troubleshooting harder
  • Set up the Cloud Connector on Windows Server with the Cubic congestion algorithm –> netsh int tcp set supplemental template=internet congestionprovider=cubic
  • You need a Cloud Connector for each AD domain
  • You need at least two Cloud Connectors for redundancy
  • You should have a stable internet connection.
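Several of the points above (the Cubic congestion provider, Citrix events in the Application log, the log folder under C:\ProgramData\Citrix\WorkspaceCloud\Logs) can be verified from a PowerShell prompt on the connector itself. The following is an added example of my own, not a Citrix-provided script. It assumes that the connector’s event providers and service display names start with “Citrix” (the exact source names from the screenshot are not reproduced here) and that the log folder is the one named above; it only reads state and prints the netsh command from the list as the remediation hint.

```powershell
# Added example (not Citrix's code): read-only health check for a Citrix Cloud Connector.
# Assumptions (labelled): Cloud Connector components log to the Application log under provider
# names starting with "Citrix", their services carry "Citrix" in the display name, and the log
# folder is the one named in the post. Run in an elevated prompt on the Cloud Connector.

param(
    [int]$Hours = 24,
    [string]$LogRoot = 'C:\ProgramData\Citrix\WorkspaceCloud\Logs'
)

function Get-ConnectorTcpCheck {
    # Best practice from the list: Cubic congestion provider on the Internet template.
    $setting = Get-NetTCPSetting -SettingName Internet
    [pscustomobject]@{
        Check = 'TCP congestion provider (Internet template)'
        Value = $setting.CongestionProvider
        Pass  = ($setting.CongestionProvider -eq 'CUBIC')   # -eq is case-insensitive
        Fix   = 'netsh int tcp set supplemental template=internet congestionprovider=cubic'
    }
}

function Get-ConnectorServiceCheck {
    # Assumption: Cloud Connector services have "Citrix" at the start of their display name.
    Get-Service | Where-Object { $_.DisplayName -like 'Citrix*' } | ForEach-Object {
        [pscustomobject]@{
            Check = "Service: $($_.DisplayName)"
            Value = $_.Status
            Pass  = ($_.Status -eq 'Running')
            Fix   = "Start-Service -Name '$($_.Name)'"
        }
    }
}

function Get-ConnectorEventCheck {
    # The connector has no dedicated log; it writes to the Application log, so filter there.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Level     = 1, 2, 3                      # Critical, Error, Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like 'Citrix*' }   # assumption: provider names start with Citrix
    $summary = $events | Group-Object ProviderName | Sort-Object Count -Descending |
        ForEach-Object { "$($_.Name): $($_.Count)" }
    [pscustomobject]@{
        Check = "Citrix error/warning events in Application log (last $Hours h)"
        Value = if ($summary) { $summary -join '; ' } else { 'none' }
        Pass  = (-not $events)
        Fix   = 'Review the listed providers and the log files in the log folder'
    }
}

function Get-ConnectorLogFolderCheck {
    # Confirms the folder a log collector (e.g. Log Analytics) should watch is present and active.
    $exists = Test-Path -Path $LogRoot
    $latest = $null
    if ($exists) {
        $latest = Get-ChildItem -Path $LogRoot -Recurse -File -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime -Descending | Select-Object -First 1
    }
    [pscustomobject]@{
        Check = "Log folder $LogRoot"
        Value = if ($latest) { "newest file: $($latest.Name) ($($latest.LastWriteTime))" }
                elseif ($exists) { 'folder present but empty' } else { 'missing' }
        Pass  = [bool]$latest
        Fix   = 'Point your log gathering tool at this folder'
    }
}

$results = @(Get-ConnectorTcpCheck) + @(Get-ConnectorServiceCheck) +
           @(Get-ConnectorEventCheck) + @(Get-ConnectorLogFolderCheck)
$results | Format-Table Check, Value, Pass, Fix -AutoSize -Wrap
```

Run it on each connector (remember the list calls for at least two per AD domain); a failing TCP check is fixed with the netsh line it prints, and a non-empty event summary tells you which provider to filter on before opening the files in the log folder.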

End-architecture:
Using most of the cloud-based components with Cloud Connectors and a hypervisor such as Nutanix, or a cloud-based deployment, you don’t need much infrastructure. But as of now, if you want to leverage some of the advanced capabilities such as HDX Insight, Optimal Gateway Routing, PVS and WEM, you are still going to need some servers to host these different components, such as licensing, SQL and management servers.


High-availability:
For high availability of the plain architecture you just need to have multiple Cloud Connectors installed; they are stateless, unlike the DDC. However, the Cloud Connectors have Local Host Cache enabled by default, so all Cloud Connectors have SQL Express installed to handle that. If the internet connection drops out for more than 20 seconds, the LHC cache will kick in to ensure existing users will be able to reconnect. Note that this doesn’t work with VDI sessions, and it requires that we have a local Storefront server.

Conclusion: Most of the management in Citrix Cloud is still done through Receiver for Web against Citrix Studio, which is still an MMC console, which for me personally is not an elegant solution if we want to deliver the cloud message. Citrix needs to make management more native web-based, combined with modern automation solutions, to make it easy to script and automate. Citrix also needs to remove the overhead of a Citrix deployment. Looking at Microsoft RDMI, which is more of a PaaS service, Citrix should look at creating their services as containers instead of individual servers with roles. This could also reduce their own infrastructure overhead with more container-based deployments, so we aren’t stuck with the 25-user limit. Also, more role-based access control inside the platform itself, combined with administrative configuration control, should be implemented to ensure that companies with a high level of security can adopt the solution. Finally, they should have an easier way to migrate from on-prem to Cloud; at the end of the day a setup is just a bunch of configuration (luckily someone in the community fixed that for us –> http://citrixtips.com/citrix-cloud-migration-tool/).

Next I’ll follow up on Citrix Analytics and its capabilities.