
How to prevent executable file upload through Citrix workspace for HTML5 in Citrix?


How to prevent executable file upload through Citrix workspace for HTML5 in Citrix?
Is it possible to prevent some types of files or executables from being transferred to Citrix through Citrix ADC?
Can Citrix ADC WAF prevent some types of files or executables from being transferred to Citrix?


Note: This is more about CVAD policies than anything else.

1) How to prevent executable file upload through Citrix Workspace for HTML5 in Citrix?

Answer: You can't granularly stop types of files over the file redirection virtual channel, whether this is HTML5 or native client.

The CVAD session policies can enable/disable file redirection and the types of drives mapped or not mapped. But none of the policies can filter types of traffic.

For native Workspace app: You can enable file redirection (read/write), make client drives read-only (read from client drives into session, but not write out to local client drives), or disable file redirection so no read or write access to client drives is possible in session - session drives only.

For HTML5/ChromeOS clients, you can enable file transfer (on by default), or individually manage upload from client to session, or download to client from session.

However, nothing allows you to limit types of content.

Bottom line: File Redirection and File Transfer policies allow you to enable/disable the virtual channel but NOT control the content within that channel. Firewalls or antivirus within the VDI would need to screen the "redirected" locations to prevent content you don't want in the new location. Or some other OS/VDI level security would have to limit what you bring in over the virtual channel. The virtual channel itself doesn't have a filter mechanism for this.

File Redirection/File Transfer Policies: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/file-redirection-policy-settings.html

2) Citrix ADC/Gateway cannot filter types of files. Its Smart Control settings can only override available virtual channels and take them away. But it also cannot filter the types of content within the virtual channel.

3) The Web App Firewall also doesn't help here, as the WAF feature protects web content, which means web pages like the StoreFront page. The HTML5 client isn't a "web application" in the sense of a web page. And it's still an ICA client connection managed like other Workspace Apps/ICA Proxy connections, so the App Firewall doesn't apply to the ICA connection piece.

By default WAF doesn't integrate directly with the Gateway, though there is an article on integrating WAF with Gateway to add some features to the "Web" portal parts of the Gateway. It's also not going to filter the internals of a virtual channel.
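
The answer above places content screening inside the VDI, at the locations files land in, since the virtual channel has no filter. As an added illustration (not part of the original post and not Citrix code), this Python example sweeps a folder and flags files whose content is a Windows PE or ELF binary regardless of the file extension; the folder, file names and sample bytes are constructed for the example.

```python
import os
import struct
import tempfile

def classify(path):
    """Return 'PE', 'ELF' or None, judged by content, not extension."""
    with open(path, "rb") as f:
        head = f.read(64)
        if head[:2] == b"MZ" and len(head) == 64:
            # e_lfanew at offset 0x3C points at the 'PE\0\0' signature.
            (pe_off,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(pe_off)
            if f.read(4) == b"PE\x00\x00":
                return "PE"
    if head[:4] == b"\x7fELF":
        return "ELF"
    return None

def scan_tree(root):
    """Walk root and return {relative path: kind} for executable content."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                kind = classify(full)
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
            if kind:
                hits[os.path.relpath(full, root)] = kind
    return hits

def build_sample_dir():
    """Constructed sample files standing in for a folder users upload into."""
    root = tempfile.mkdtemp(prefix="upload_landing_")
    pe = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", pe, 0x3C, 64)  # e_lfanew -> offset 64
    samples = {
        "invoice.pdf": bytes(pe) + b"PE\x00\x00",   # PE renamed to .pdf
        "notes.txt": b"MZ is only two letters in this text file\n",
        "tool.dat": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
        "real.pdf": b"%PDF-1.7\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_dir()))
```

Checking the PE signature at `e_lfanew`, not just the leading `MZ`, keeps a text file that happens to start with those two letters from being flagged.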
