Question

Hello,

I have a Citrix Virtual Apps and Desktops LTSR 7.15 installation scenario where only Citrix Storefront is being used for user authentication (without Citrix Gateway). I know for a fact that the Secure Ticket Authority (STA) mechanism takes place when Citrix Gateway is being used as ICA reverse proxy (https://citrix.sharefile.com/share/view/saeb3312328f46d98). What happens when only Storefront is used for user authentication? Is the STA mechanism still used, and is Storefront validating STA tickets against the STA service instead of the Netscaler? This is a reasonable security concern when such a scenario is implemented.


5 answers to this question

Recommended Posts

  • 0

STA tickets are only used by ICA Proxy on Citrix Gateway.

Internally, the ICA connection goes directly from the Citrix client to the VDA machine and is not proxied through a Gateway, and thus there's no STA ticket. There is a ticket to facilitate Single Sign-on to the VDA, but this is not an STA ticket; instead the ticket is between the Controller and VDA (no STA).
  • 0

Hi Stefanos,

Storefront does not use the STA mechanism.

- When the user enters credentials on the SF page, SF uses them to perform user authentication.
- It contacts the Domain Controller on port 88 (Kerberos) for authentication.
- Once the user is authenticated, things proceed to enumeration and beyond.

Is this a reasonable security concern when such a scenario is implemented?

Well, it depends.

- If your users are connecting internally, then a setup without Citrix Gateway should be fine.
- If your users are coming over the internet, then implementing Citrix Gateway would be a good idea.

Hope it helps.

Cheers,

Aseem
  • 0

Thank you, Aseem,

It would be good from Citrix's side to clarify the above in the Citrix official documentation and security best practices (https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/best-practices.html) as well as in the architecture poster (https://citrix.sharefile.com/share/view/saeb3312328f46d98), so that the Citrix Storefront-only scenario is documented.
  • 0

There are two connections from every Citrix client:

  • HTTP is the StoreFront connection.
  • ICA is the connection after you click an icon.

Citrix Gateway will proxy the HTTP connection directly to StoreFront. By default, Citrix Gateway asks the user to authenticate before allowing the HTTP connection, but it's not required.

Citrix Gateway will not proxy any ICA traffic without an STA ticket. StoreFront generates the STA ticket. Then the Citrix Client gives the ticket ID to Gateway so Gateway can verify the ticket and get the IP address of the VDA machine.

So in your case, even though Gateway is not doing HTTP authentication, it is still doing ICA authentication using STA tickets.
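The ticket flow Carl describes (StoreFront generates the ticket, the client hands only the ticket ID to Gateway, Gateway redeems it with the STA to learn the VDA address), modelled as an added Python example that is not Citrix code and not part of this thread. The class and function names, the `sta_ticket` field, the lifetime and the addresses are constructed assumptions; what the model shows is that the client never sees the VDA address and that a ticket can be redeemed only once, and only before it expires.

```python
import secrets
import time


class SecureTicketAuthority:
    """Simplified STA model (constructed): opaque ticket IDs -> VDA addresses, single use, time-limited."""

    def __init__(self, lifetime_s=100, clock=time.monotonic):
        self.lifetime_s = lifetime_s      # assumed lifetime, not a Citrix default
        self.clock = clock                # injectable clock so expiry can be exercised
        self._tickets = {}                # ticket_id -> (vda_address, expires_at)

    def request_ticket(self, vda_address):
        # StoreFront calls this at launch time; the ID is unguessable and carries no address.
        ticket_id = secrets.token_hex(16)
        self._tickets[ticket_id] = (vda_address, self.clock() + self.lifetime_s)
        return ticket_id

    def validate_ticket(self, ticket_id):
        # Gateway calls this; the ticket is removed on first use, so a replay fails.
        entry = self._tickets.pop(ticket_id, None)
        if entry is None:
            return None                   # unknown or already redeemed
        vda_address, expires_at = entry
        if self.clock() > expires_at:
            return None                   # expired before redemption
        return vda_address


def storefront_launch(sta, vda_address):
    # StoreFront side of the exchange: the launch data handed to the client holds
    # only the ticket ID (constructed field name), never the VDA address.
    return {"sta_ticket": sta.request_ticket(vda_address)}


def gateway_proxy_ica(sta, launch_data):
    # Gateway side: ICA traffic is proxied only if the STA vouches for the ticket.
    vda_address = sta.validate_ticket(launch_data.get("sta_ticket", ""))
    if vda_address is None:
        return ("REJECT", None)
    return ("PROXY", vda_address)


if __name__ == "__main__":
    sta = SecureTicketAuthority()
    launch = storefront_launch(sta, "10.0.0.5:1494")   # constructed VDA address
    print(gateway_proxy_ica(sta, launch))              # ('PROXY', '10.0.0.5:1494')
    print(gateway_proxy_ica(sta, launch))              # ('REJECT', None): single use
```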
  • 0

Thank you, Carl, for the prompt reply,

I need to clarify that in my environment there are no Citrix ADC or Citrix Gateway appliances installed. Users are only internally accessing the Citrix infrastructure directly via Storefront. So in this case, where only Storefront is installed, will Storefront perform ICA authentication using STA tickets? Or is there no STA authentication taking place?
