The spread of ransomware and malware is an ever-increasing problem around the world. The chance of a single infected device, when brought into a protected network, being able to replicate and cause widespread disruption to the entire datacenter is constantly on the rise. It is becoming necessary to isolate different workloads so that only legitimate communication occurs over the network. This can be achieved within the datacenter by implementing Software-defined Networking.

Software-defined networking becomes a de-facto standard for agile workload deployments, as well as securing communications. This is even more important for deploying critical apps and desktops with XenApp and XenDesktop, as the machines that users use to access the internet (which would have been outside the data center) are all in the datacenter. Using micro-segmentation, we can restrict the types of data being exchanged and open only the required ports on which each machine should communicate with the others. This can also be used to separate the network traffic between large multi-tenant deployments, such as different departments with different data confidentiality levels or a number of tenants in a service provider deployment.

It’s important to note that the micro-segmentation presents a network to which Citrix Services should be agnostic, hence XenApp and XenDesktop can be easily deployed in VMware NSX environments. Therefore, we have validated VMware NSX, more on how this helps you as an administrator later in the blog.

The following deployment scenarios describe in more depth how to implement VMware NSX for XenDesktop. This allows utilizing micro-segmentation to isolate data between different machines or tenants in a single environment or even restrict access to a different department’s network traffic from each other on the network.

NOTE: Even though in our examples we discuss the deployment of VDI with XenDesktop, all deployment scenarios are equally applicable to XenApp deployments for the delivery of Apps and Hosted Shared Desktops.

Deployment Scenarios

First, we consider the standard deployment scenario without VDI, where a number of different departments in the same company have a requirement to isolate their network traffic from other departments. This can be achieved as shown in the diagram below.


Now consider the same use case with VDI – all the VMs created are from the same base disk and are identical. The IT Security policy requires a network separation between the Finance User desktops and IT Administrator desktops. Citrix administrators can dynamically implement this using NSX and XenDesktop allowing Finance department employees access their desktops on the Finance vxLAN.

Now consider, after a while, the Administrators set up a back-office team that needs access to the contents of the desktops in the Finance and Users delivery group. Citrix admins can work with NSX admins to simply add firewall rules that allow their security group to have access to the Finance and Users vxLAN and resulting in the required segmentation (highlighted in red).


Let’s extend the same principle in a multi-tenant deployment for a large ISV, which has a number of tenants where the network traffic needs to be separated. We can isolate each tenant (with each of their Active Directory Domains) to their own respective vxLANs.

Adding NetScaler in this deployment would simplify the setup and allow the users of all the tenants access the same landing URL and still have complete isolation from each other’s data and resources.


How to implement micro-segmentation in your XenDesktop and NSX environment.

The feature set exposed by NSX for micro-segmentation can be universally applied to any services that require specific ports to be used. The first step is to use flow monitoring in your environment to analyze the traffic that is flowing between the different Citrix servers, your application servers and the VDAs. This will help you to find the right set of ports that are needed to have the end users be productive. Then we can create a set of services in NSX. For example, the standard set of ports for XenApp and XenDesktop are 1494 and 2598 on TCP/UDP or 443 on HTTPS, (depending on whether StoreFront is using HTTP or HTTPS) would constitute the ICA (HDX) Service.


These services could also be put together to create a service group, so the admin can apply changes to them together, when creating the firewall rules that are needed.  You can optionally add traffic from Provisioning Services and other Citrix services.


The services and service groups are pairs of ports and layer three services that would then be controlled using specific firewall rules mapped to XenApp or XenDesktop users via Security groups.

Citrix XenDesktop and NetScaler are platform-agnostic and integrate with both Cisco ACI and VMware NSX to offer network isolation for workloads.

Only with Citrix XenDesktop and NetScaler can a service provider aggregate the set of tenants, manage the same storage subsystem deliver the resources via a single portal, and still have data isolation as needed.

Next Steps

Come visit us at the Citrix booth at VMworld (Booth No 1307). If you answer a few simple questions, you stand a chance to win a LootCrate daily.

Have questions? Reach out to me on Twitter @techmayank.

Citrix TechBytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.

Click here for more TechBytes and subscribe.

Want specific TechBytes? Let us know!

xenapp xendesktop banner