
Prepared by: Citrix Solutions Lab

Citrix XenApp 7.6 and XenDesktop 7.6 Public Sector Lockdown Design Guide

Validated design and configuration overview for a common criteria and Federal Information Processing Standards (FIPS) 140-2 public sector configuration.

This document was prepared by Citrix Solutions Lab and is intended to aid business decision makers, IT architects and managers and system administrators by providing an overview of the Citrix XenApp 7.6 and XenDesktop 7.6 solution architecture for the public sector. It includes an overview of the key concepts and considerations when implementing hardened OS images, enabling FIPS compliance, and using antivirus software. It also provides a comparison of the scalability effects of having hardening and FIPS crypto enabled or disabled.

Updated: August 2015


Table of Contents

Executive Summary (p. 1)
  Project Overview (p. 1)
Architectural Overview (p. 2)
  Architectural Components (p. 3)
  Configuration Differences (p. 5)
Testing Methodology (p. 8)
  Test Tools (p. 8)
Testing Scenarios (p. 9)
  Baseline (p. 9)
  Common Criteria (p. 9)
  FIPS 140-2 (p. 9)
Solutions Lab Measurements and Interpretation (p. 10)
  Baseline (VSImax) (p. 11)
  Lockdown Including HBSS Anti-virus (p. 11)
  Encryption Introduction: Basic, SecureICA, TLS (p. 12)
  Basic encryption (p. 12)
  SecureICA (p. 12)
  TLS Outside with Basic inside (p. 13)
  FIPS Inside (p. 13)
  FIPS Outside, FIPS Inside (p. 14)
Conclusion (p. 14)


Citrix XenApp 7.6 and XenDesktop 7.6 Lock-Down for Public Sector Validated Design Guide

1 © Copyright 2015 Citrix Systems, Inc.

Executive Summary

Designing, deploying, and managing virtual application, desktop, and mobile IT solutions in the public sector can be a complicated process. This document aims to guide partners and customers through the process using secure Citrix solutions.

This documentation explains the following topics for public sector use cases:

• Key concepts, considerations, and the necessary information to configure and deploy hardened OS images with virtual desktops and applications using XenApp, XenDesktop, and other Citrix components.

• Key concepts, considerations, and the necessary information to configure and enable FIPS compliance with virtual desktops and applications using XenApp, XenDesktop, and other Citrix components.

• Necessary information for anti-virus configuration to enable proper operation of virtual desktops and applications using XenApp, XenDesktop, and other Citrix components.

• A comparison of performance measurements with and without HBSS antivirus software enabled.

• A comparison of performance measurements with and without FIPS crypto enabled.

Audience

This document is intended for IT decision makers, architects, and partners who are seeking to implement XenApp and XenDesktop solutions for their customers.

Document Overview

This design guide focuses on the unique configurations for the public sector vertical, including common criteria and system lockdown, including HBSS antivirus configuration and FIPS 140-2 crypto usage, all the way from end user remote access through NetScaler Gateway and onto hosted terminal server or workstations running on XenApp and XenDesktop.

Disclaimer

This guide is not intended to constitute legal advice. Customers should consult with their legal counsel regarding compliance with laws and regulations applicable to their particular industry and intended use of Citrix products and services. Citrix makes no warranties, express, implied, or statutory, as to the information in this document.


Architectural Overview

This guide explains how Citrix solutions can be leveraged to meet the unique needs specific to the public sector, including governance, risk, and compliance initiatives.

The Citrix Solutions Lab architecture focused on a single-server environment and configuration of the operating systems, virtual desktops, and XenDesktop specific to public sector requirements. It did not focus on the physical hardware layout, such as the hypervisor or network layers. For more information about the XenApp and XenDesktop system requirements, go to http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-system-requirements-76.html.

To validate the public sector categories listed in this design guide, Citrix Solutions Lab deployed and configured a healthcare compliance-aware solution as the base. The environment was built with Citrix XenApp 7.6 and XenDesktop 7.6 with Machine Creation Services (MCS) 7.6 streaming hosted shared desktops and dedicated VDI desktops, running on hosts configured with VMware ESXi 5.5 Update 2.

[Figure: Citrix Solutions Lab test architecture. Layers shown: User Layer, Access Layer, Control Layer, Resource Layer, Hardware Layer. Components shown: Internal Users, Remote Users, NetScaler MPX - FIPS (SSL), Desktop Delivery Controller, Director, Studio, SQL Database, Active Directory, License Server, Dedicated Desktops, Hosted Shared Desktops, Pooled Desktops, Desktop VMs. Hardware: 1 ESX cluster of 4 HP DL380 Gen8 resource hosts (physical and virtual VMs/servers); 1 HP DL380 Gen8 host, part of the same cluster, for access and control hosts (physical and virtual VMs/servers).]


Architectural Components

This architecture includes the following software components:

Component                                    | Version                            | Vendor
Virtual Desktop Broker                       | XenApp and XenDesktop 7.6          | Citrix
Endpoint Client                              | Citrix Receiver 4.1.2 for Windows  | Citrix
Web Portal                                   | StoreFront 2.6                     | Citrix
User Profile Management                      | Profile Management 5.1             | Citrix
Licensing                                    | License Server 11.12               | Citrix
Workload Generator                           | Login VSI 4.2                      | Login VSI
Office                                       | Microsoft Office 2013 SP1          | Microsoft
Endpoint OS                                  | Microsoft Windows 7 SP1            | Microsoft
Virtual Desktop OS (Random VDI)              | Microsoft Windows 7 SP1            | Microsoft
Virtual Desktop OS (Dedicated VDI)           | Microsoft Windows 8.1              | Microsoft
Virtual Desktop OS (Hosted Shared Desktops)  | Microsoft Windows Server 2012 R2   | Microsoft
Database Server                              | Microsoft SQL Server 2012 R2       | Microsoft
VDI Hypervisor                               | ESXi 5.5 Update 2                  | VMware
VDI Hypervisor Management                    | vCenter 5.5                        | VMware
Antivirus                                    | McAfee VSE, MOVE, EPO              | McAfee


This architecture includes the following hardware components:

Hardware                 | Details
Infrastructure Servers   | HP DL380p Gen8, Dual Eight Core 2.6GHz Intel Xeon E5-2697 v2, 384GB RAM, 16 x 300 GB SAS 10K, 1 x 4-port HP 331i card, 4 x 1Gbps and 2 x 10Gbps
Client Launcher Servers  | HP BL460c G7, Dual Six Core 2.67GHz Intel Xeon X5650, 192GB RAM, 2 x 10Gbps
Network Appliances       | FIPS-Compliant NetScaler SDX 10.5.x
Storage Systems          | Shared


Configuration Differences

Baseline Configuration Overview

The baseline will contain secured versions of ESXi and the guest/server OS. Below are the detailed settings for each component according to the vendor.

1. Citrix

• Install all the XenApp/XenDesktop components without any FIPS- or CCEVS-specific settings.

• Secure user devices.

2. VMware

• CCEVS-validated components: VMware vSphere 5.5 Update 2

o Hypervisor: ESXi 5.5u2

o VM Management: vCenter Server 5.5u2

• FIPS-required components:

o Java JCE module

o Kernel cryptographic module

o NSS cryptographic module

o VMware cryptographic module

o PCoIP cryptographic module

o ACE cryptographic module

3. Microsoft

• SQL level encryption

• Disable the following features:

o DirectAccess

o Network Access Protection

• In the Security Configuration Wizard, enable the following components:

o Password Policy

o Account Lockout Policy

o Windows Security Policy

o Local policies to add enhanced security settings (http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-policies-article/xad-policies-defaults.html)


Common Criteria Evaluation and Validation Scheme (CCEVS) Configuration Overview

All systems within the test environment will be deployed in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements (www.citrix.com/about/legal/security-compliance/common-criteria.html). This will satisfy the "lockdown" aspect of this vertical. VMware and Microsoft should be CCEVS-compliant at this point because the settings were implemented during the "base" deployment phase.

1. Citrix

• XenDesktop

o XenApp 7.6 and XenDesktop 7.6 are CCEVS-certified

o Links to certificates: XenApp: (www.cesg.gov.uk/finda/Pages/CCITSECProduct.aspx?PID=190&backpage=CCITSECResults.aspx?post=1&company=Citrix+Systems+Inc&status=Certified&sort=name) XenDesktop: (www.cesg.gov.uk/finda/Pages/CCITSECProduct.aspx?PID=191&backpage=CCITSECResults.aspx?post=1&company=Citrix+Systems+Inc&status=Certified&sort=name)

o CCEVS-compliant settings are inherited from the Windows Server security and encryption components

o Configuration as defined in Common Criteria Security Target, zip file download from Citrix.com: (www.citrix.com/content/dam/citrix/en_us/documents/support/common-criteria-documents-for-xendesktop-xenapp-7.zip)

o FIPS 140-2 Configuration (www.citrix.com/content/dam/citrix/en_us/documents/about/citrix-xenapp-and-xendesktop-76-fips-140-2-sample-deployments.pdf)

• XenApp – Verify the following components:

o Authentication of users

o User access control

o Control over use of endpoint device resources

o Secure communications

o TLS/AES (NetScaler to StoreFront)

o Apply any Microsoft security updates

o Apply any Citrix hotfixes

o Disable XenApp features with policies

o Redirection of client devices, ports, audio, and printers

o Client drive and clipboard mapping

o Multimedia and Flash acceleration

o Session reliability and shadowing

o Secure executables with AppLocker

o Secure gateway local group policies


o Install and enable Common Criteria web plugin local group policies and registry settings

o Remove anonymous users from XenApp servers

o Enable FIPS-compliant ciphers between the web plugin and StoreFront

o Verify HTTPs on StoreFront

o Verify TLS is enabled from Receiver to Gateway

2. McAfee

• HBSS was implemented using Defense Information Systems Agency (DISA) guidelines

o HBSS antivirus software was installed and configured according to McAfee guidelines

o McAfee workstation antivirus software is the HBSS standard configuration (used for all testing)

o McAfee MOVE is also used in many government environments. The testing measured HBSS, not McAfee MOVE

o Antivirus software was configured for aggressive operation. In commercial spaces, it is normal to fully scan machine images before deployment and then at runtime to scan only "writes." For this public sector configuration, the runtime scanning was configured for both reads and writes.

FIPS 140-2 Configuration Overview

All systems within the test environment were built in accordance with FIPS 140-2, including non-Citrix components.

1. Microsoft – MS cryptographic modules (FIPS mode) must be incorporated

• Ensure all cryptographic modules stored in the “windows\system32” or “windows\system32\drivers” directory are selected and installed

• Ensure all FIPS local/group security policy flags are set

2. Citrix – Ensure all components within XenApp 7.6 and XenDesktop 7.6 are FIPS-compliant

• NetScaler to VDA – TLS/AES must be enabled

• SSL to VDA support must be enabled (default)

• XenDesktop

o Encryption inherited from Windows Server

• XenApp

o Enterprise and Platinum editions are FIPS-compliant


Testing Methodology

All validation testing was performed on site at the Citrix Solutions Lab.

Test metrics were gathered for all components, such as the hypervisor, virtual desktop, storage, and from the workload generation system, Login VSI, to determine the overall success of a test run. Each test run would need to be within the threshold of the success criteria as defined below to consider it a passing run. A test procedure is followed to provide consistency between runs.

Test Objectives

The primary objective for the testing was to obtain single-server scalability numbers for several different testing platforms that were configured based on the criteria outlined during the architecture process of this project. A comparison was done using the scalability numbers as well as the performance data between each configured scenario.

Test Tools

The main tools used during testing are System Two Automation Tool (STAT) and Login VSI. STAT is an internally developed tool used to capture performance data of components under test. Login VSI is a publicly available tool that provides an in-session workload representative of a typical user, as well as session launching and orchestration.

STAT Functionality

In this test, STAT provided the following key functions:

• Orchestrated the flow of a user through the environment. This feature of STAT was not used in this test, because Login VSI was used for this purpose.

• Provided a centralized location for collecting and evaluating performance characteristics gained from:

o Specific measurements taken for the time to perform STAT-specific action, such as XML brokering time, user logon time, etc.

o Windows Performance Monitor collection for systems involved with the test; enabling real-time and historical data analysis for the performance of components monitored in the environment.

VSI Workload

Login VSI 4.1.2 simulates a medium-load user (knowledge worker) workload, running generic applications such as Microsoft Office 2013, Internet Explorer, etc. This workload is configured to run within a session to simulate user load on the system.

• The medium workload is the default workload in Login VSI.

• This workload emulated a medium knowledge worker using Office, IE, and PDF.

• Once a session has been started, the medium workload will repeat every 12 minutes.

• During each loop, the response time is measured every two minutes.

• The medium workload opens up to five apps simultaneously.

• The type rate is 160ms for each character.

• Approximately two minutes of idle time is included to simulate real-world users.

• Each loop will open and use:

o Outlook 2013 to browse 10 messages.


o Internet Explorer: one instance is left open (BBC.co.uk); one instance is browsed to Wired.com, Lonelyplanet.com and a heavy Flash app, gettheglass.com (not used with the MediumNoFlash workload).

o Word 2013: one instance to measure response time; one instance to review and edit document.

o Bullzip PDF Printer and Acrobat Reader: the Word document is printed and reviewed to PDF.

o Excel 2013: a very large randomized sheet is opened.

o PowerPoint 2013: a presentation is reviewed and edited.

o 7-zip: using the command line version, the output of the session is zipped.

Further details about the workload and technical information about the tool can also be found at www.loginvsi.com.

Testing Scenarios

Baseline

• One test iteration for internal clients (No NetScaler)

o Success criteria: VSImax reached

o Output: performance data

Common Criteria

• One test iteration for internal clients (No NetScaler)

o Success criteria: VSImax reached

o Output: performance data

• One test iteration for external clients

o Success criteria: VSImax reached

o Output: performance data

• Security settings confirmation and validation

FIPS 140-2

• One test iteration for external clients

o Success criteria: VSImax reached

o Output: performance data

• One test iteration for internal clients (No NetScaler)

o Success criteria: VSImax reached

o Output: performance data

• Encryption settings confirmation and validation


Solutions Lab Measurements and Interpretation

The data below was gathered during the various tests, including a commercial base, the lockdown configuration, base encryption, and the move to FIPS encryption, with measurements taken both on the local network and in a NetScaler Gateway ICA Proxy remote access configuration. Each test set was measured with user systems running workstation and terminal server operating systems: Windows 7, Windows Server 2012 and Windows 8.1. In some tests, consistent results were anticipated for Windows 7 versus 8.1, so the 8.1 test was omitted to reduce testing.

The data below represents the differences between a commercial and a public sector/federal configuration. Using this single-server scalability information, it is possible to extrapolate numbers for comparison against large-scale multiserver testing.

Data collected here shows the impact of public sector normal configuration items and compares to the commercial base.


Baseline (VSImax)

The tests begin with a baseline configuration of a commercial installation with no lockdown applied, no antivirus software, and the lowest security encryption. The base test provides interesting results showing the relative single-server scalability of workstation OS VDI workloads versus terminal services/XenApp and the relative costs of running Windows 8.1 in a VDI configuration versus Windows 7.

Operating System    | Baseline (VSImax) | TSvsVDI | VDIvsTS | W7v8
Windows 7           | 164               | 33%     | -25%    | 40%
Win Server 2012 R2  | 218               |         |         |
Windows 8.1         | 117               | 86%     | -46%    | -29%

The Baseline (VSImax) column above contains measurements conducted in the Solutions Lab. All testing occurred on the same server. From a single-server scalability perspective, terminal services (XenApp) is the winner, achieving 218 users per server. Because Windows 8.1 and Windows Server 2012 R2 are based on the same operating system foundation, these provide a good measurement of the scalability of workstation loads versus terminal services.

The measurements show that XenApp on the same hardware as workstation VDI load permits 86 percent more users:

• Calculation: (218 – 117) / 117 = 86% increase in single server scalability for TS versus VDI

Comparing Windows 7 to terminal services on Windows Server 2012 R2 has a closer result, showing a 33 percent increase in single-server scalability for XenApp versus VDI.

• Calculation: (218 – 164) / 164 = 33% increase in scalability for terminal services versus Windows 7

Comparing workstation to workstation, Windows 7 provides an increase in single-server scalability of 40 percent versus Windows 8.1

• Calculation: (164 – 117) / 117 = 40% increase in scalability for Windows 7 versus 8.1

While these results are interesting, they are only the “baseline” for the present testing. The goal of this run is to measure a commercial baseline and then compare public sector lockdown and encryption so estimates can be made on scalability of large government computer farms versus commercial systems.

Lockdown Including HBSS Antivirus Software

Antivirus software configuration in the tests was according to HBSS federal standards. In contrast to commercial configurations, which normally scan the machine image fully before deployment and then at runtime scan only writes, tests were conducted with McAfee antivirus software configured to scan both reads and writes at runtime. Additionally, though McAfee MOVE is available for use in many government spaces, HBSS calls for traditional per-machine A/V, and the HBSS configuration is what was measured.

For terminal services (XenApp), the lockdown plus antivirus software impact to single-server scalability was a 15 percent reduction in single-server scalability. For workstation operating systems, the reduction was 10 percent. These measured numbers are significantly better than those predicted before conducting the tests. The measured costs of antivirus software, while still real, at 15 percent are lower than anticipated and well within the customer acceptable range for implementing A/V.

The following table lists the numbers for scalability in the lockdown plus HBSS configuration:


Operating System    | Lockdown CC w/ HBSS, Basic Encrypt | TSvsVDI | VDIvsTS | W7v8.1
Windows 7           | 147                                | 26%     | -21%    | 40%
Win Server 2012 R2  | 185                                |         |         |
Windows 8.1         | 105                                | 76%     | -43%    | -29%

Encryption Introduction: Basic, SecureICA, and TLS

Encryption with XenApp and XenDesktop comes in three versions: Basic, SecureICA, and TLS.

Basic encryption is a relatively simple XOR-based algorithm that scrambles the data so it does not show up clearly on a network analyzer; it obscures the data rather than protecting it cryptographically. SecureICA came later and uses the Diffie-Hellman key exchange between the client and server and a 128-bit RC5 cipher to scramble the data. Though excellent choices in the past, today neither the key exchange nor the cipher in SecureICA is a FIPS-approved algorithm, and though the data is scrambled much better than with the Basic version, the encryption is not as strong as TLS.

XenApp and XenDesktop also support TLS. This has existed via SecureICA all the way back to XenApp versions 4, 5, and 6. For XenDesktop 7.6, the Virtual Desktop Agent gained the ability to natively speak TLS, which provides excellent deployment opportunities for secure networks that can be FIPS-secured without requiring use of IPsec or other network-based encryption.

Basic encryption

To calculate the "costs" of SecureICA or TLS encryption, it is necessary first to have a baseline of the lowest capability encryption option. This is Basic, which was included in the baseline numbers because it is always present as a minimum scrambling of the data on an ICA connection.

SecureICA

Changing crypto from Basic to SecureICA produced changes in single-server scalability that barely affect the measurements: for a Windows 7 workstation, a 2 percent reduction in single-server scalability, versus a 3 percent increase for terminal services. Both of these are in the range of "noise," indicating that single-server scalability is largely not affected by the selection of Basic versus SecureICA encryption.

Operating System    | Basic | SecureICA | Change
Windows 7           | 147   | 144       | -2%
Win Server 2012 R2  | 185   | 191       | 3%
Windows 8.1         | 105   |           |

When installing XenApp and XenDesktop, administrators are asked which level of encryption they want to deploy. The options are Basic and SecureICA. Deploying TLS takes additional steps. When presented with the options of Basic versus SecureICA, these measurements indicate that it is always advantageous to select SecureICA. While neither of these is as good as TLS, they are both available with no additional administrator effort, and neither requires administrator-managed certificate distribution.

TLS Outside With Basic Inside

Routing traffic through the FIPS-enabled NetScaler on the outside and Basic encryption on the inside provided no detriment to single-server scalability in this test. The NetScaler keeps up without hurting throughput and without reducing the number of users that can be run on a single server.

The numbers in the table below show an increase in single-server scalability when routing traffic through NetScaler Gateway. This was not anticipated; a result of "no effect" was expected. Experts consulted attribute the small increase to the high-speed networks carrying traffic in and out of the network and some potential benefits from buffering.

Operating System    | Basic | NetScaler FIPS Out, Basic In | Change
Windows 7           | 147   | 155                          | 5%
Win Server 2012 R2  | 185   | 200                          | 8%
Windows 8.1         | 105   |                              |

FIPS Inside

Finally getting to the desired end measurements of this test, the first step is a FIPS configuration on a purely internal network. Because customers moving to this FIPS configuration are likely running SecureICA, the data below compares the FIPS configuration to the SecureICA results rather than the Basic baseline.

Operating System    | SecureICA | FIPS Internal (TLS + AES) | Change
Windows 7           | 144       | 158                       | 10%
Win Server 2012 R2  | 191       | 207                       | 8%
Windows 8.1         | 105       |                           |

Data indicates that switching from SecureICA to TLS provides an increase to single-server scalability of about 8 percent versus SecureICA.

FIPS usage is TLS plus AES encryption, and the key negotiation happens "once" per session, so its per-session cost is effectively "zero." AES execution on modern Intel CPUs is done in hardware, and this was anticipated to be very efficient, which it is.

It was not expected that FIPS usage inside would provide a measurable improvement to single-server scalability versus SecureICA. The tests were repeated to ensure there was no measurement mistake, but the results were consistent. When TLS encryption occurs, Basic or SecureICA also occurs. In a FIPS configuration, the machine is placed into FIPS mode, which means that SecureICA will fail intentionally, so a TLS wrapping of ICA traffic means a TLS wrapping of Basic-encrypted (XOR) ICA traffic. This implies that it should be impossible to be "faster" when adding more processing, which was not expected. A suggested explanation is that Basic encryption is not occurring when TLS is occurring. The relative efficiency of AES in hardware versus Basic encryption in software would be sufficient to explain the observed measurement.

FIPS Outside, FIPS Inside

In a full FIPS 140-2 compliant configuration, the results are largely unchanged. The "cost" of running in a TLS plus AES FIPS configuration is "zero." In measurements, a slight improvement of 6 percent to single-server scalability is observed versus SecureICA.

Operating System    | SecureICA | NetScaler FIPS Out + FIPS In | Change
Windows 7           | 144       | 161                          | 12%
Win Server 2012 R2  | 191       | 203                          | 6%
Windows 8.1         |           |                              |

Conclusion

Largely due to lockdown and A/V, highly locked-down public sector deployments of XenApp and XenDesktop will observe single-server scalability of approximately 85 percent of that of commercial solutions that are not locked down and run no A/V. Because many benchmarks run in that nonsecure configuration, this report's measurements provide a tool for scaling commercial benchmarks to public sector equivalent configurations.

When choosing encryption for ICA of Basic versus SecureICA, always choose SecureICA. When choosing encryption of SecureICA versus FIPS, there are no performance reasons not to select FIPS. There are reasons why customers may place the security boundary at a gateway and not require FIPS on the internal network. These security tradeoffs were not evaluated as part of this test.
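As an added example (not part of the Citrix guide), the following Python reproduces the comparison columns of the tables above from the guide's measured VSImax values, using the guide's own formula (new - base) / base rounded to a whole percent, and applies the resulting lockdown factor to scale a commercial benchmark figure to a public sector estimate as the conclusion suggests. The measured values are copied from the tables; the benchmark input is a constructed sample.

```python
# Added example, not from the Citrix guide: recompute the guide's percentage
# comparisons from its measured VSImax values and use the lockdown+HBSS factor
# to scale a commercial benchmark number to a public sector estimate.

# Single-server VSImax values copied from the guide's tables, keyed by
# configuration and then by operating system. Windows 8.1 was measured only
# in the baseline and lockdown (Basic encryption) runs.
VSIMAX = {
    "baseline":                    {"win7": 164, "ws2012r2": 218, "win81": 117},
    "lockdown_basic":              {"win7": 147, "ws2012r2": 185, "win81": 105},
    "lockdown_secureica":          {"win7": 144, "ws2012r2": 191},
    "netscaler_fips_out_basic_in": {"win7": 155, "ws2012r2": 200},
    "fips_inside":                 {"win7": 158, "ws2012r2": 207},
    "fips_out_fips_in":            {"win7": 161, "ws2012r2": 203},
}


def pct_change(new: int, base: int) -> int:
    """Guide's formula: (new - base) / base, as a whole percent.

    Rounds half away from zero. None of the guide's values land exactly on
    a .5 boundary, so this reproduces every printed figure."""
    raw = 100.0 * (new - base) / base
    return int(raw + 0.5) if raw >= 0 else -int(-raw + 0.5)


def os_comparison(cfg: str) -> dict:
    """TSvsVDI, VDIvsTS and W7v8.1 columns for one configuration."""
    m = VSIMAX[cfg]
    ts = m["ws2012r2"]  # terminal services (XenApp) row
    out = {}
    for ws in ("win7", "win81"):
        if ws in m:
            out[ws] = {"TSvsVDI": pct_change(ts, m[ws]),
                       "VDIvsTS": pct_change(m[ws], ts)}
    if "win7" in m and "win81" in m:
        out["win7"]["W7v8.1"] = pct_change(m["win7"], m["win81"])
        out["win81"]["W7v8.1"] = pct_change(m["win81"], m["win7"])
    return out


def config_change(cfg: str, base_cfg: str) -> dict:
    """Per-OS 'Change' column when moving from base_cfg to cfg
    (for example from SecureICA to FIPS Inside)."""
    return {os_: pct_change(VSIMAX[cfg][os_], VSIMAX[base_cfg][os_])
            for os_ in VSIMAX[cfg] if os_ in VSIMAX[base_cfg]}


def lockdown_factor(os_: str) -> float:
    """Fraction of commercial (baseline) scalability retained under
    lockdown plus HBSS antivirus; about 0.85 for XenApp per the guide."""
    return VSIMAX["lockdown_basic"][os_] / VSIMAX["baseline"][os_]


def scale_commercial_benchmark(commercial_users: int, os_: str) -> int:
    """Estimate public sector users per server from a commercial benchmark
    figure measured without lockdown or A/V (truncated to whole users)."""
    return int(commercial_users * lockdown_factor(os_))


if __name__ == "__main__":
    for cfg in VSIMAX:
        print(cfg, os_comparison(cfg))
    print("lockdown cost vs baseline:", config_change("lockdown_basic", "baseline"))
    print("FIPS Inside vs SecureICA:", config_change("fips_inside", "lockdown_secureica"))
    # Constructed sample input: a vendor benchmark quoting 300 XenApp users per server.
    print("public sector estimate:", scale_commercial_benchmark(300, "ws2012r2"))
```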


Citrix (NASDAQ:CTXS) is a leader in mobile workspaces, providing virtualization, mobility management, networking and cloud services to enable new ways to work better. Citrix solutions power business mobility through secure, personal workspaces that provide people with instant access to apps, desktops, data and communications on any device, over any network and cloud. This year Citrix is celebrating 25 years of innovation, making IT simpler and people more productive. With annual revenue in 2013 of $2.9 billion, Citrix solutions are in use at more than 330,000 organizations and by over 100 million users globally. Learn more at www.citrix.com.

Copyright © 2015 Citrix Systems, Inc. All rights reserved. [list Citrix trademarks (without ® or ™ symbols!) in document] are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies.