Jump to content
Welcome to our new Citrix community!

Anyone else notice the Windows Firewall Profile issue with the Secure Access Client plugin when installed with WFP instead of DNE?

Eric Karas

Recommended Posts

I opened a case back on the second week of August this year regarding this issue that was discovered during pre-production testing. As usual, support is dragging and it has been escalated to Engineering a little over a week ago, and now it has been finally admitted that there is a "bug" with what I would assume pretty much any version of Citrix Secure Access plug-in for Windows when it is installed with the WFP option (instead of the default DNE filter) because I personally tested close to half a dozen releases which yielded the same results (22.x.x.x through 23.x.x.x).


What we discovered was that any iteration of the plugin that offers a WFP option exhibits a concerning symptom with regards to the Windows Firewall Profile assignment when a VPN tunnel session is established. If a machine is domain-joined and has multiple firewall policies (Domain, Public, Private), and when a VPN session is established ( and when the plugin uses WFP), the Windows OS will deactivate the Public Profile from the physical adapter and only apply the Domain Profile. This occurs regardless if your gateway is configured with a full or split tunnel option in the session profile. This profile application also remains until the machine is rebooted or network adapters are manually reset. I tested the same plugins without WFP (Default DNE), and the symptom doesn't occur.


Why should anyone be concerned? Well there could be enterprises that have Domain Firewall profiles with more lax rule sets compared to the Public or Private Profiles, which leads to a broader attack surface and in general... EXPOSURE of an endpoint system. 


What do customers expect? Customers expect Citrix to take this a bit more seriously by acknowledging and announcing this "bug" publicly (which they have admitted to me), and to expedite their fix efforts by working on and releasing a fixed and thoroughly tested new release of the Citrix Secure Access plugin for Windows. This is a serious issue, and we should all not be endlessly waiting for the next release cycle.


If anyone else is having the same issue and would like to reference my open support case, please reach out to me. If you are wondering why we need to use the WFP option not just settle for the DNE option: Citrix support advised to used that because of known certificate issues related to DNE filter drivers (discovered after kernel-level analysis by Microsoft support). Long story short, it was a lingering issue we limped by on for close to two years. 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...