1: The diagrams depicted in this slide are a logical representation to illustrate the traffic flows between customer managed components and the various Citrix Cloud services. They do not represent the actual physical implementation of the components used in the Citrix managed and operated Cloud service.
2: Additional detail on the Gateway Service as part of Citrix Cloud: In this diagram the Gateway Service is depicted as a component of the XenApp/XenDesktop service because it currently provides only ICA Proxy functionality. However, end-user connectivity through the Gateway Service runs from separate PoPs (Points of Presence) across the globe to provide the best performance and user experience. See https://www.citrix.com/content/dam/citrix/en_us/documents/product-overview/netscaler-gateway-service-product-overview.pdf
Details on WebSocket protocol: https://en.wikipedia.org/wiki/WebSocket
Full Connectivity Requirements: https://docs.citrix.com/en-us/citrix-cloud/overview/requirements/internet-connectivity-requirements.html
1: https://docs.citrix.com/en-us/citrix-cloud/overview/get-started/secure-deployment-guide-for-the-citrix-cloud-platform.html
2/3: https://docs.citrix.com/en-us/xenmobile/xenmobile-service/prerequisites-administration.html
4/5/6: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/manage-deployment/local-host-cache.html
7/8/9: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/technical-overview.html & http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html
Additional configuration for XML traffic to use port 443: please contact Citrix Support for instructions. Customizing the VDA registration port is currently not supported in a Citrix Cloud environment.
10: https://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/netscaler-gateway-as-a-service.html
11: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/install-configure/machine-catalogs-create.html
Additional detail on supported Hypervisors and IaaS platforms: https://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/configure-provisioning.html
12: http://docs.citrix.com/en-us/citrix-cloud/about-citrix-cloud-labs/session-manager.html
*The diagram depicted for the XenApp/XenDesktop Service is a logical representation of the service to illustrate the traffic flows between customer managed components such as Citrix Receiver, Cloud Connector, StoreFront, NetScaler Gateway and VDAs and the Citrix XenApp/XenDesktop Service. It does not represent the actual physical implementation of the components used in the Citrix managed and operated Cloud service.
See also for more details:
http://docs.citrix.com/en-us/citrix-cloud/xenapp-and-xendesktop-service/technical-security-overview.html (Cloud Service Specific)
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-13/technical-overview.html (XenApp/XenDesktop generic documentation)
Handling of user passwords is a key concern for many customers. Unfortunately, with app and desktop virtualization, it’s something that has to be done in order to provide end users with a single sign-on experience to Windows, without prompting them for their password multiple times. The Apps and Desktops Service handles this by encrypting passwords on-premises, ensuring that components in the cloud cannot decrypt them.
Let’s look at the flow for a typical Workspace Cloud deployment with StoreFront hosted on premises behind the NetScaler Gateway. The user’s password is entered into Receiver, and flows through the NetScaler, to the StoreFront, and then to the Connector. The Connector encrypts all plaintext passwords with AES encryption before forwarding them to the cloud.
As we saw earlier in the multi-geo demo, the VDA may not be in the same location as the StoreFront, so the cloud routes the password to the proper connectors. Connectors only communicate with the cloud, and not with each other.
The encryption key itself is the ICA logon ticket. This is sent back to Receiver, and never seen by the cloud service. Thus, even though the cloud relays the encrypted password, it has no means of decrypting it.
When Receiver connects to the VDA, it sends the logon ticket. This provides the VDA with the key it needs to decrypt the user’s password, enabling them to log on to Windows without re-entering their password.
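The key separation described above, as an added Go example that is not Citrix code: the Connector encrypts with a key that travels only via Receiver, the cloud relays the ciphertext, and the VDA decrypts once it holds both. Assumptions: AES-256-GCM and a random 32-byte value standing in for the ICA logon ticket (the notes say only "AES" and do not give the ticket format); all function names and the sample password are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// connectorEncrypt models the on-premises Connector; blob (nonce||ciphertext||tag)
// is all the cloud relays. Assumed: AES-256-GCM, random 32-byte key as the ticket.
func connectorEncrypt(password string) (ticket, blob []byte, err error) {
	buf := make([]byte, 32+12) // ticket (key) followed by a 12-byte GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(buf[:32])
	if err != nil {
		return nil, nil, err
	}
	return buf[:32], gcm.Seal(buf[32:], buf[32:], []byte(password), nil), nil
}

// vdaDecrypt models the VDA: blob arrives via the cloud, ticket via Receiver.
func vdaDecrypt(ticket, blob []byte) (string, error) {
	gcm, err := newGCM(ticket)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return "", fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	pt, err := gcm.Open(nil, blob[:n], blob[n:], nil)
	return string(pt), err
}

func main() {
	ticket, blob, _ := connectorEncrypt("constructed-sample-password")
	fmt.Println(vdaDecrypt(ticket, blob))           // VDA holds Receiver's ticket
	fmt.Println(vdaDecrypt(make([]byte, 32), blob)) // relay's view: no ticket
}
```

The second call in `main` fails authentication, which is the position of any party that sees the relayed blob but never the ticket.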