In the recent announcement of Citrix XenApp and XenDesktop 7.6, the security features "FIPS compliance" and "Common Criteria" were prominent. This post describes one of the most important building blocks behind those features: enabling TLS/SSL support in XenApp and XenDesktop all the way from the endpoint Receiver, through the gateway, and on to the hosted session or workstation.
The need for FIPS compliance in the federal market has existed for a long time. What is new is that it is becoming a topic of interest in commercial spaces as well. Customers in banks, credit card companies and the medical industry have all expressed interest in securing the traffic inside their data centers. The SSL VDA feature of XenApp and XenDesktop 7.6 supports this goal.
FIPS compliance - been there a long time
Citrix support for FIPS compliance is not new. There is a long list of Citrix FIPS configuration documents covering everything from MetaFrame XP FR3 through XenApp 6.5 and XenDesktop 5.6.
What is "new" is that the VDA in XenApp and XenDesktop 7.6 can now natively speak TLS/AES and FIPS, without relying on network-level security such as IPsec and without separate application components such as SSL Relay.
See the green circle in the diagram around the TLS/443 internal data center communications. That is the focus of this feature.
FIPS 140-2 network architecture, Citrix XenApp and XenDesktop 7.6
Outside - nothing is new
Outside the data center it has been SSL/TLS for a long time. Note in the figure above that the StoreFront (or Web Interface) traffic is HTTPS and that the ICA traffic from Citrix Receiver to the gateway is also secured with TLS. Outside, FIPS-approved algorithms (usually TLS/AES) have been in use for a long time. Amid the excitement over SSL VDA support in this release, it is worth noting that not a single line of code in Citrix Receiver was modified to enable the feature; Receiver has spoken the right security language for a long time. This also means that it is not necessary to update Receiver to take advantage of SSL VDA in 7.6; there may be other good reasons to update Receiver, but TLS is not one of them, since Receiver already knows how it works.
Inside - things are new
Inside the data center, FIPS support in XenDesktop and XenApp has in the past required additional work, such as running IPsec on the internal network or deploying separate application-level components such as Citrix SSL Relay. What is new in 7.6 is that the FIPS TLS/AES to ICA conversion happens natively inside the VDA, with no additional components or configuration.
With the introduction complete, we can now get to the meat of this post.
SSL Relay goes away
In XenApp 6.x, and back to when it was named Presentation Server, a feature called "SSL Relay" was used to convert SSL to ICA and ICA to SSL. The SSL Relay application (an .exe) was loaded onto the XenApp server and listened for incoming traffic on the SSL port (443); on receipt it decrypted the data and re-transmitted it to localhost:1494/2598, where the ICA code picked it up. This worked, and courtesy of the SSL Relay application it was historically never necessary to teach the ICA stack to speak TLS.
Ring transitions are bad
A ring transition is when code crosses the boundary from user mode to kernel mode, or back in the other direction. On Intel/Windows machines this is an expensive operation. Since SSL Relay is a user-space executable, when encrypted traffic arrives on the network the Microsoft TCP stack receives the data (in kernel mode) and hands it to user space for processing (ring transition). The SSL Relay process receives the packet, decrypts it and forwards it to the ICA code on localhost:1494/2598. This is the local machine, so it is close by. But because the forwarding goes through the TCP stack, which lives in the kernel, the system transitions back to kernel mode (ring transition). The TCP stack receives the packet and passes it to the ICA stack, also in the kernel (at least that one is close), and finally the data can be examined for ICA content. I have lost count of the number of ring transitions, but there are "many". This sequence of steps is performed for every packet! There are millions of packets! Even at 3 GHz, this adds up.
SSL in the VDA
A better solution skips the ring transitions. Packets arrive in kernel mode, are passed to the VDA in kernel mode, the VDA performs the decryption/encryption in kernel mode and passes the packet to the ICA stack in kernel mode. Ring transition count = 0. The "SSL VDA" feature in the 7.6 release provides exactly this.
HTTPS in the VDA
The ICA stack speaks several layers. The ICA protocol is at the core (1494); it is wrapped in the CGP protocol (2598), then wrapped in the WebSockets HTTP protocol (HTML5-based Receiver only) and finally in SSL/TLS (443) before transmission over TCP/IP. Here is a picture of the network stack.
Citrix ICA / CGP / HTML5 / TLS / TCP stack in XenApp and XenDesktop 7.6
Before 7.6, each of these elements lived in a separate device driver, and the SSL portion was in user mode. The driver stack chain of tdwsk.sys, tdcgp.sys and tdhtml5.sys handed data from one to the next. With the addition of TLS to the native mix, the complexity would have kept mounting, since there would have been yet another driver in the chain. Instead, all of that has been replaced with a single new driver, TDICA.sys, which is responsible for all protocol transitions, including TLS/SSL support.
The key point is that all packet processing activity, encrypted or not, is now carried out in one place with local function calls. No ring transitions, no movement between drivers. The end result spells "efficient".
A positive side effect is that the HTML5 driver, used by customers of the Chrome Receiver, gains "Session Reliability" from the CGP driver. CGP used to sit outside the HTTPS-to-ICA path; now it is inside it.
The goal is secure; efficient is a bonus
Efficiency for TLS/AES traffic is great, but the real goal is security, and specifically encouraging the use of FIPS-approved algorithms and validated cryptographic modules inside the data center. We want FIPS compliance to be "easy" to reach, to encourage the use of TLS in commercial spaces and not only in the historic federal ones.
With TLS now implemented in the ICA stack, SSL Relay is no longer used and IPsec is no longer needed. Whether you are coming from old Presentation Server, XenApp 4, 5 or 6, or older versions of XenDesktop, every configuration now has a way to use FIPS-approved algorithms both inside and outside the data center.
Administrator configuration
SSL/TLS use outside the data center has long been "standard". Administrators have extensive experience setting up web servers (StoreFront, Web Interface), installing certificates, configuring firewalls and otherwise supporting HTTPS. Nothing here has changed.
Administrators also have experience setting up secure access through NetScaler Gateway. Install a certificate on the gateway, usually from a public CA, and Citrix Receiver outside the corporate network can reach the gateway speaking SSL/TLS/AES. Again, nothing has changed.
Citrix Receiver has also known how to speak TLS/AES since the beginning of time. It can speak it both to the gateway and, in the internal case, directly to sessions inside the data center, and it has known how to do this since at least Presentation Server 4 (04). It still does. This means that bringing TLS inside the data center does not require updating Citrix Receiver.
Certificate installation on terminal servers
Going back to XenApp 6.x terminal servers, or even to Presentation Server, certificates were installed on the terminal servers, and clients and gateways connected over SSL/TLS, with SSL Relay used to convert TLS to ICA for processing by the hosted session. Here the number of terminal servers is comparatively small (10s, 100s), and installing certificates is usually a one-time task. With the certificates in place, things speak securely and life is happy.
When the count of terminal servers is larger, it makes sense in IT management and financial terms for a company to use its own certification authority to issue the certificates. Active Directory can help here as well.
Certificate installation on VDA workstations
What is "new" with SSL VDA accepting TLS is that the inside can now have LOTS of "servers". A "server" may be a terminal server (XenApp) or a hosted workstation (XenDesktop), and each VDA needs its own certificate for secure TLS-based communication. If the number of workstations is ... 10,000, certificate installation is a non-trivial problem that requires automation.
In a follow-up post, my colleagues will review how to configure TLS with XenApp and XenDesktop 7.6 inside and outside the data center, including descriptions of certificate distribution, configuring VDAs to use the certificates, and how to tell the broker to arrange TLS-based connections.
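Once certificates are on thousands of VDAs, the question becomes whether each one actually answers on 443 with TLS, a FIPS-approved cipher and a certificate issued for its own name. The script below is an added example written for this post, not Citrix code and not the procedure from the follow-up post: it connects to each VDA hostname given on the command line, records the negotiated protocol and cipher, classifies the cipher against a simplified AES-only policy (an assumption of the example, not Citrix's list), and summarizes the certificate the VDA presented. The hostnames, the optional enterprise CA bundle path and the sample certificate data are all constructed for illustration.

```python
"""Inventory check for TLS on internal VDAs (added example, not Citrix code)."""
import socket
import ssl
import sys
import time

# Simplified policy (an assumption of this example, not Citrix's list):
# the suite must use AES for bulk encryption and none of these primitives.
DISALLOWED_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ANON",
                     "CHACHA", "CAMELLIA", "SEED", "IDEA")


def is_fips_approved_cipher(name: str) -> bool:
    """True when the suite name indicates AES bulk encryption and no
    disallowed primitive. "DES" also rejects 3DES names such as DES-CBC3-SHA."""
    upper = name.upper()
    if any(token in upper for token in DISALLOWED_TOKENS):
        return False
    return "AES" in upper


def name_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate DNS name against a hostname; one-label wildcard only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        parts = hostname.split(".")
        return len(parts) > 1 and ".".join(parts[1:]) == pattern[2:]
    return pattern == hostname


def cert_summary(cert: dict, hostname: str, now: float) -> dict:
    """Summarize a certificate in the dict shape returned by SSLSocket.getpeercert()."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # fall back to the subject CN when there is no SAN
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "names": names,
        "hostname_matches": any(name_matches(n, hostname) for n in names),
        "days_until_expiry": int((expires - now) // 86400),
    }


def probe_vda(hostname: str, port: int = 443, cafile: str = None,
              timeout: float = 5.0) -> dict:
    """Connect once and report what the VDA negotiated. cafile is the
    enterprise CA bundle (assumed); None uses the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Keep chain verification (CERT_REQUIRED is needed for getpeercert() to
    # return data) but report a name mismatch as a finding, not as an error.
    ctx.check_hostname = False
    result = {"host": hostname, "port": port}
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cipher_name, tls_version, _bits = tls.cipher()
                result.update(tls_version=tls_version, cipher=cipher_name,
                              fips_cipher=is_fips_approved_cipher(cipher_name))
                result.update(cert_summary(tls.getpeercert(), hostname, time.time()))
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        result["error"] = str(exc)
    return result


# Constructed sample in getpeercert() shape, plus a constructed "current time",
# so cert_summary() can be exercised without a network.
SAMPLE_CERT = {
    "subject": ((("commonName", "vda01.corp.example"),),),
    "subjectAltName": (("DNS", "vda01.corp.example"), ("DNS", "*.corp.example")),
    "notAfter": "Jun 10 12:00:00 2025 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 10 12:00:00 2025 GMT")


if __name__ == "__main__":
    # Usage: python vda_tls_check.py vda01.corp.example vda02.corp.example ...
    for host in sys.argv[1:]:
        print(probe_vda(host))
```

Hostname checking is turned off on the context deliberately while chain verification stays on: a VDA presenting a certificate issued to some other machine's name is exactly the kind of finding an inventory run should list next to the host, rather than surface as an opaque handshake exception. An `error` field in the output (connection refused, untrusted chain) means the VDA is not yet speaking TLS the way the rest of this post describes.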
Update 11-Dec-2014: The link to the part 2 blog post is here, by Andy Cooper.
SSL VDA - the feature is here; let's put it to work and secure the world.
Joe Nord