In my time as a virtualization consultant on Citrix’s Americas Professional Services team, I have been part of more than 30 Citrix environment assessment engagements. In these, we review the customer’s Citrix Virtual Apps and Desktops environment and its supporting components.
Through the years, I’ve seen things customers often overlook that would help them to keep their environment secure, highly available, and stable. In this blog post, I’ll take you through some of our frequent findings and the associated risks and recommendations. Of course, this isn’t an exhaustive list, but it is meant to help improve your life. (Maybe that’s a bit of an exaggeration, but fewer support calls are good, right? 😊).
- Not up to date with known security vulnerabilities. Keeping up with known security vulnerabilities is essential when it comes to maintaining your security posture. Consult the Citrix Trust Center to get the latest security alerts and learn how Citrix responds to security vulnerabilities. Citrix recommends applying associated actions provided in applicable Security Bulletins.
- Citrix Gateway LDAP authentication traffic is unencrypted. Many customers still use unencrypted Lightweight Directory Access Protocol (LDAP – default port 389) as the authentication protocol on their Citrix Gateway servers. LDAP is used for authentication from the user endpoint to Active Directory, and over plain LDAP the credentials are only obfuscated rather than encrypted, which puts the user’s password information at risk. Use Secure LDAP (LDAPS – default port 636) to protect credentials when users authenticate with Active Directory.
- XML traffic between Citrix StoreFront and Delivery Controllers/Cloud Connectors is unencrypted. When the HTTP protocol is used for XML traffic, information such as usernames and passwords is passed in clear text (passwords are obfuscated but transmitted unencrypted). This presents a security risk because a malicious actor who intercepts this traffic can gain access to user credentials. Learn more in our Transport Layer Security (TLS) article in the Citrix Virtual Apps and Desktops product documentation.
- Lack of intelligent load balancing of Delivery Controllers. Load balancing Delivery Controllers through StoreFront places additional load on the StoreFront servers and is a less efficient method than using a load balancing appliance such as Citrix ADC. Citrix ADC load balancing uses a built-in Delivery Controller monitor (CITRIX-XD-DDC) to determine whether the proper services on the Delivery Controller are running (instead of a basic ping Up/Down probe). Citrix recommends using Citrix ADC load balancing, if available, to increase the availability of the Citrix Virtual Apps and Desktops site. Learn more in this blog post on load balancing XML services and local host cache mode.
- End-of-Life or End-of-Support product versions present. We are all familiar with the phrase, “If it ain’t broke, don’t fix it.” That’s largely applicable to a Citrix environment. The exception to the rule is patch management. If the solution to a problem is a product upgrade, it most likely means you were not up to date on your patch management! When LTSR components are not on the latest CU, the environment may be exposed to the latest vulnerabilities, as you are not benefiting from the patches and fixes that each new CU provides. Please note that support is available for any LTSR version level, but code-level maintenance is provided only on the latest released Cumulative Update (CU). Citrix recommends reviewing the Citrix Product Matrix on a regular basis. Check out this helpful reference on the difference between Current Release and Long Term Service Release.
- Delivery Controllers/Cloud Connectors not optimized for Local Host Cache (LHC) Mode Operation. Citrix Delivery Controllers and Cloud Connectors contain an instance of Microsoft SQL Server Express (Local DB) that is used in LHC mode. SQL Server Express has a limit on CPU configuration (four cores on a single socket), which can significantly degrade performance when a virtual machine is configured with multiple sockets and only one or two cores per socket. Since many of the SQL queries can be CPU intensive and have a direct impact on brokering performance, it is important to scale the Delivery Controllers for a worst-case scenario. Additionally, the Local DB consumes RAM above and beyond normal operations. See our Local Host Cache documentation for more information. In short, configure the virtual machines for your Delivery Controllers with one socket and multiple cores per socket (a minimum of four cores is recommended).
- A single SQL Server represents a single point of failure. In the event of server maintenance, a failed connection to the database, or a server failure, the customer will rely on the Local Host Cache (LHC), which should only be used as a last resort when SQL high availability is unable to address the situation. To avoid possible issues due to SQL Server failure and/or database corruption, the customer should consider SQL Always On Availability Groups (AG) or other methods that provide automatic failover, as described in High Availability.
- Citrix’s recommended anti-virus exclusions are not applied to the environment. Incomplete or erroneous antivirus exclusions can impact performance and user density and, in certain cases, can affect the functionality of a component. Refer to our Endpoint Security and Antivirus Best Practices documentation for a detailed list of recommended antivirus exclusions per server type.
- Citrix Optimizer tool not used on VDA images. I have seen many customers not run Citrix Optimizer on their Windows Server/Windows Desktop images. Citrix Optimizer is a Windows tool that helps Citrix admins optimize various components in their environment, most notably operating systems with a Virtual Delivery Agent (VDA). It’s a PowerShell-based tool that also includes a graphical UI. Citrix recommends that customers run Citrix Optimizer on VDA images. Test, analyze, and implement the changes if applicable.
- Citrix Provisioning (PVS) threads per port not configured optimally. Sometimes the PVS threads-per-port configuration is not aligned with Citrix leading practices, resulting in suboptimal streaming performance (high retry count). For optimal performance, the threads per port setting should be set to the number of vCPUs allocated to the PVS server, as highlighted in our Updated Guidance on PVS Ports and Threads blog post.
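Three of the findings above (plain LDAP on Citrix Gateway, XML traffic over HTTP, and Delivery Controllers load balanced without the CITRIX-XD-DDC monitor) can be spotted from a Citrix ADC running configuration before anyone opens a ticket. The script below is an added example, not code from the original post or from Citrix: it parses a small, constructed `ns.conf` excerpt and reports each of those conditions. It assumes the standard ADC CLI forms (`add authentication ldapAction ... -serverPort ... -secType ...`, `add lb monitor <name> <type>`, `bind serviceGroup <sg> -monitorName <mon>`, `add lb vserver <name> <protocol> ...`), that an omitted `-secType` means PLAINTEXT (the ADC default), and, as a labelling convention of this example only, that the XML service virtual servers have "xml" or "ddc" in their names.

```python
"""Audit a Citrix ADC (ns.conf) excerpt for three common assessment findings.

Checks (each one maps to an item in the post above):
  1. LDAP actions that talk to Active Directory without TLS/SSL.
  2. XML-service virtual servers that front the Delivery Controllers over HTTP.
  3. XML-service backends monitored by something other than CITRIX-XD-DDC.
"""
import shlex

# Constructed sample, not a real customer configuration. Names, IPs and the
# abbreviated parameter lists are placeholders chosen for this example.
SAMPLE_NS_CONF = """
add authentication ldapAction ldap_act_corp -serverIP 10.0.0.10 -serverPort 389 -ldapBase "dc=corp,dc=example" -ldapBindDn "cn=svc,dc=corp,dc=example" -ldapLoginName sAMAccountName
add authentication ldapAction ldap_act_secure -serverIP 10.0.0.11 -serverPort 636 -ldapBase "dc=corp,dc=example" -ldapBindDn "cn=svc,dc=corp,dc=example" -ldapLoginName sAMAccountName -secType SSL
add lb monitor mon_ping PING
add lb monitor mon_ddc CITRIX-XD-DDC
add serviceGroup sg_xml_http HTTP
add serviceGroup sg_xml_ssl SSL
bind serviceGroup sg_xml_http -monitorName mon_ping
bind serviceGroup sg_xml_ssl -monitorName mon_ddc
add lb vserver lb_vs_xml_http HTTP 10.0.0.50 80
add lb vserver lb_vs_xml_ssl SSL 10.0.0.51 443
bind lb vserver lb_vs_xml_http sg_xml_http
bind lb vserver lb_vs_xml_ssl sg_xml_ssl
"""

# Assumption of this example: XML-service vservers are recognised by name.
XML_VSERVER_HINTS = ("xml", "ddc")


def split_command(line):
    """Split one ADC CLI line into (positional tokens, {-option: value})."""
    tokens = shlex.split(line)
    positional, options = [], {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            # An option is followed by its value unless the next token is
            # another option (or the line ends), in which case it is a flag.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                options[tok[1:]] = tokens[i + 1]
                i += 2
            else:
                options[tok[1:]] = True
                i += 1
        else:
            positional.append(tok)
            i += 1
    return positional, options


def audit_ns_conf(text):
    """Return a list of (object_name, message) findings for the config text."""
    findings = []
    monitor_types = {}    # monitor name -> monitor type
    sg_monitors = {}      # serviceGroup name -> set of monitor names
    vserver_proto = {}    # lb vserver name -> protocol
    vserver_groups = {}   # lb vserver name -> list of bound serviceGroups

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pos, opts = split_command(line)

        if pos[:3] == ["add", "authentication", "ldapAction"]:
            name = pos[3]
            port = opts.get("serverPort", "389")      # ADC default (assumed)
            sec_type = opts.get("secType", "PLAINTEXT")  # ADC default (assumed)
            if sec_type == "PLAINTEXT":
                findings.append((name, f"LDAP bind is unencrypted (port {port}, "
                                       f"secType {sec_type}); use LDAPS on 636 "
                                       f"with -secType SSL"))
        elif pos[:3] == ["add", "lb", "monitor"]:
            monitor_types[pos[3]] = pos[4]
        elif pos[:2] == ["bind", "serviceGroup"] and "monitorName" in opts:
            sg_monitors.setdefault(pos[2], set()).add(opts["monitorName"])
        elif pos[:3] == ["add", "lb", "vserver"]:
            vserver_proto[pos[3]] = pos[4]
        elif pos[:3] == ["bind", "lb", "vserver"] and len(pos) > 4:
            vserver_groups.setdefault(pos[3], []).append(pos[4])

    for vs, proto in vserver_proto.items():
        if not any(hint in vs.lower() for hint in XML_VSERVER_HINTS):
            continue
        if proto != "SSL":
            findings.append((vs, f"XML traffic to Delivery Controllers is {proto}, "
                                 f"not SSL; credentials cross the wire unencrypted"))
        for sg in vserver_groups.get(vs, []):
            types = {monitor_types.get(m, "?") for m in sg_monitors.get(sg, set())}
            if "CITRIX-XD-DDC" not in types:
                findings.append((vs, f"serviceGroup {sg} monitored by "
                                     f"{sorted(types) or 'nothing'}; bind a "
                                     f"CITRIX-XD-DDC monitor so broker health, "
                                     f"not just reachability, is checked"))
    return findings


if __name__ == "__main__":
    for obj, msg in audit_ns_conf(SAMPLE_NS_CONF):
        print(f"[{obj}] {msg}")
```

Run against a real `show ns runningConfig` dump, the same three checks apply unchanged; only the name filter for the XML virtual servers would need adjusting to the site's naming convention. An LDAP action with `-secType TLS` (StartTLS on 389) is deliberately not flagged, since the bind is encrypted even though the port is 389.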
I hope that Citrix engineers out there can benefit from these low-effort, high-impact items. If you have any questions, just drop them in the comments below.