Detecting and Mitigating Password Spraying Attacks on NetScaler Gateway Understanding Password Spraying Attacks Password spraying attacks continue to increase, with major security vendors reporting significant rises throughout 2024. Unlike traditional brute force attacks that try many passwords against a single account, password spraying attempts to avoid detection through various techniques: Using leaked credentials from the dark web. Generating synthetic usernames based on company naming patterns. Distributing attempts across thousands...

Automated Monitoring of Cloud Connector Health and Metrics Overview This Tech Paper focuses on automated monitoring of already deployed Cloud Connectors in a Citrix DaaS Resource Location using REST-API calls, PowerShell scripts, and a self-written .NET application. REST API calls are the most flexible way to trigger health checks on the Cloud Connectors and retrieve records of past health events. The Advanced HealthData API provides a detailed time series of metrics and connectivity data from all services running on the Cloud Connectors....

Horizon to Citrix Migration: What to Know Overview Migrating from Omnissa Horizon to the Citrix Platform requires detailed planning and execution. Though both technologies allow users to access virtual desktops and apps, it is necessary to understand their differences and respective architectures. Both Omnissa and Citrix deliver applications and desktops to users, but they employ different technologies to achieve this. Omnissa supports various remoting protocols, including Blast Extreme, PCoIP, and RDP, offering flexibility...

Networking SSL/TLS Best Practices (Q1 2025 Edition) Overview This Tech Paper aims to convey what someone skilled in NetScaler would configure as a generic implementation to receive an A+ grade at Qualys SSL Labs. Qualys SSL Labs performs a robust series of tests and provides a scorecard that you can use to improve your configuration. The scan is free and only takes about a minute to complete. While an A+ at SSL Labs is a useful benchmark, it may not be suitable for every environment. Organizations should weigh the benefits of...

Key Exchange in SSL/TLS: Understanding RSA, Diffie-Hellman, and Elliptic Curves Overview When you connect to a secure website, your browser and the server must establish an encrypted connection to exchange data. Many will say this connection is "protected with the server's certificate," but this oversimplifies what's happening. Certificates are crucial in authenticating the server and enabling key exchange, but they’re just one piece of the puzzle. Modern websites depend on seamless yet robust encryption to ensure data security. Understanding how key exchanges...

Citrix Strong Network We welcome Strong Network to the Citrix Platform family. Strong Network Tech Zone content will be coming soon. Please visit the Strong Network home page for information and resources.

Managing Timeout Settings Across Citrix Components for Optimized User Experience and Security Overview This article provides a comprehensive guide for End User Computing (EUC) administrators on configuring and managing timeout settings across Citrix components, including NetScaler, StoreFront, Citrix Identity Platform, and third-party Identity Providers (IDPs). Since multiple components manage session and timeout policies independently, configuring these settings optimally is crucial for delivering a secure, seamless user experience. Admins can leverage Citrix's timeout...

Citrix NetScaler Cheat Sheet Overview This cheat sheet for Citrix NetScaler provides a comprehensive list of commands and their functions for system status, service management, network configuration, high availability, authentication, SSL certificates, backup, traffic analysis, connectivity testing, and system resources. Key commands and functions include: System Status: Commands to check system uptime, CPU, memory, SSL utilization, hardware, firmware, licenses, current time, operating modes, and feature status....

POC Guide: Citrix Session Remote Start POC Guide - Citrix Session Remote Start.pdf Overview Session Remote Start offers APIs that allow trusted third-party services to enumerate, launch, and log off Citrix sessions. It enables unattended logins triggered by events such as building badge scans and reduces delays in time-intensive environments. Optional login scripts can disconnect sessions after logon, keeping them available for users to reconnect as needed. With seamless integration into existing Citrix components,...

Implementing DISA STIGs for Citrix Environments Overview This tech paper is designed to provide the most up-to-date configurations and exemptions that we have tested. This is meant to be a helpful guide and NOT a definitive solution for STIG implementation or a guarantee to pass an audit. We plan to update this tech document frequently with the release of new products, DISA STIGs, and lessons learned from the field. If you’re a US Government DoD IT engineer, then you’re undoubtedly familiar with the Secure Technical...

Citrix Cheat Sheet - DISA STIGs in Citrix Virtual Apps and Desktops Environments Citrix Cheat Sheets - DISA STIG.pdf The Citrix Cheat Sheet - DISA STIGs in Citrix Virtual Apps and Desktop environments points out some of the standard STIG settings that might be giving you trouble, as well as a few pointers and tips. If you have already finished implementing STIGs, this is a good list to lead you to a setting that might be breaking your environment. If you haven’t implemented STIG settings yet, cheat sheet will give you a good head start on what to look for and may...

Citrix Federated Authentication Service POC Guide - Citrix FAS.pdf Overview Citrix Federated Authentication Service (FAS) is a privileged component designed to integrate with Active Directory Certificate Services. It dynamically issues certificates for users, allowing them to log on to an Active Directory environment as if they had a smart card. This allows StoreFront to use a broader range of authentication options, such as Security Assertion Markup Language (SAML) assertions. SAML is commonly used as an alternative...

Migrating Citrix DaaS from Single Tenant to Multitenant Introduction This document provides guidance for Citrix Service Providers (CSPs) to migrate a customer from an existing standalone single-tenant Citrix DaaS service to a CSP multitenant service. A CSP admin can follow the steps detailed in the document to complete the migration process. When a CSP transitions an existing single-tenant DaaS Customer to the partner’s multitenant service for centralized management and greater economy of scale, a parallel deployment for the customer in...

NetScaler Credential Protection: A Comprehensive Technical Analysis Executive Summary This paper provides a comprehensive technical analysis of credential protection within NetScaler environments. It examines the evolution from static encryption keys to the modern Key Encryption Key (KEK) system that automatically generates unique encryption materials for each deployment. NetScaler distinguishes between two credential types with different security requirements: recoverable service passwords that use AES-256-CBC encryption with KEK and non-recoverable...

Using Citrix Automation with Terraform and Ansible to deploy Citrix DaaS on Microsoft Azure (2025 Update) Using Citrix Automation with Terraform and Ansible to deploy Citrix DaaS on Microsoft Azure (2025 Update) Overview This guide provides an overview of using Terraform and Ansible to create a complete Citrix DaaS deployment on Microsoft Azure. At the end of the process, you will have created: A new Citrix Cloud Resource Location (RL) on Azure (optional) A Shared Image Gallery (SIG) on Azure A Shared Master Image Definition and a shared Master Image...

Installing and Configuring Ansible, Terraform, and Packer for Citrix Infrastructure-as-Code-based Environments Installing and Configuring Ansible, Terraform, and Packer for Citrix Infrastructure-as-Code-based Environments Overview This guide provides an overview of using Ansible, Terraform, and Packer to deploy Infrastructure-as-Code-based environments. We will install all the prerequisites and IaC frameworks needed on one Virtual Machine to ensure smooth communication between Ansible, Terraform, and Packer. Our standard installation of an IaC-VM also has Docker installed. However, the...

Multi-Domain Federated Authentication Service (FAS) Architecture Tech Paper_Multi-Domain Federated Authentication Service (FAS) Architecture.pdf Overview Many public and private organizations are integrating Citrix solutions into Active Directory infrastructures in multi-forest scenarios, typically to separate user objects from resources. In addition to this deployment type, many companies are moving toward SAML-based authentication to improve security, as it offers more flexibility and granular authentication policies. SAML could be a...

Security Recommendations When Deploying XenServer Overview This tech paper helps you design security for a virtualized XenServer environment. It includes general best practices as well as information about the following: Protecting XenServer networks and storage Installing and deploying XenServer securely Configuring virtual machines Securing virtualized storage The recommendations and guidance in this document are not intended to be exhaustive. Unless needed for clarity, this document does not provide...

XenServer Reference Architectures XenServer for Citrix Workloads - Provides a blueprint for deploying XenServer to run Citrix workloads suitable for enterprise-sized deployments that can scale from a few hundred to a few thousand VDAs. Deployment Guides VMware to XenServer Migration Guide - Provides high-level steps and tools for migrating Citrix workloads and infrastructure components from VMware to XenServer. Tech Papers Security Recommendations When Deploying XenServer -...

VMware to XenServer Migration Guide Overview Multiple scenarios and tools exist for migrating your Citrix workloads and infrastructure components from VMware to XenServer. The best combination of methods or tools will depend on what you are migrating. This guide is meant to offer high-level steps. It is not meant to be a step-by-step guide of every task. This guide should be used along-side Citrix and XenServer product documentation for full prerequisites, system requirements, planning, tasks, etc. We recommend testing...

XenServer for Citrix Workloads Overview This document serves as a blueprint for deploying XenServer to run Citrix workloads for the most common commercial-sized deployment that can scale from a few hundred to a few thousand VDAs. Whether using Citrix Virtual Apps and Desktops or Citrix DaaS, this reference architecture is valid. Enterprise-sized deployments may have additional considerations that are not covered in this reference architecture. Use XenServer product documentation alongside this document. Blueprint...

Unicon Unicon provides a Secure, Lean Operating System and Management Tool for Virtual Desktop Endpoints. With its eLux OS and Scout management system, Unicon’s software is highly suitable for on-premises and cloud use cases, consisting of endpoints like thin clients, desktop PCs, and laptops. Deployment Guides

eLux 7 2503 VM on XenServer eLux OS is a secure, lightweight, hardened operating system designed for Citrix environments. Combined with Scout, it provides a centralized solution for efficiently managing all endpoints in your enterprise. eLux enhances security, reduces operational costs, and supports hybrid and cloud-based workspaces. Ideal for VDI and DaaS scenarios, eLux ensures a reliable and consistent user experience. The eLux 7 2503 release supports eLux 7 as a virtual machine on XenServer (formerly Citrix...

POC Guide: eLux and Scout OverviewThis guide is designed to help IT administrators, solution architects, and technical decision-makers evaluate the eLux® Operating System, Scout Management Suite, and ELIAS (eLux Image Administration Service) through a structured and practical Proof of Concept (PoC). Whether you're looking to modernize endpoint management, improve security posture, or validate a Citrix-integrated thin client solution, this document walks you through each step needed to get hands-on with the Unicon™...

Deploying Strong Network in Azure Kubernetes OverviewThe Strong Network™ platform provides a secure and productive cloud development environment that can be deployed on public, private clouds, and self-hosted servers. It also works in full air-gapped modes, such as high-security settings. The primary purpose of the Strong Network platform is to provide secure, cloud development environments (CDEs) that boost developer productivity while ensuring enterprise-level security. It allows organizations to streamline the provisioning and...

Citrix® Hypervisor 8.2 to XenServer® 8.4 Migration OverviewCitrix Hypervisor 8.2 CU1 will reach its end of life on June 25, 2025. It was initially released in June 2020 and was the first Long-Term Service Release (LTSR) version released under the Citrix Hypervisor name. With its end of life near, migrating your Citrix Hypervisor 8.2 servers to XenServer 8.4 is necessary. This guide provides detailed steps to ensure that Citrix Virtual Apps and Desktops™ infrastructure servers and Virtual Delivery Agent hosts running on Citrix Hypervisor 8.2...

Deploying Citrix Secure Developer Spaces on OpenShift OverviewThis guide explains in detail how to deploy Citrix Secure Developer Spaces, formerly known as Strong Network proof of concept platform, to an existing OpenShift cluster. General prerequisitesContainer registry to which you have push permissions An up-and-running OpenShift cluster Basic tools for working with that OpenShift cluster: oc and kubectl You should already be authenticated in both oc and kubectl with your OpenShift cluster. Deployment stepsObtain a Citrix Secure Developer...

Deployment Guide: Using HashiCorp Packer to Automate the Creation of Master Images OverviewWhat is HashiCorp Packer?HashiCorp Packer is an open-source tool designed to automate the creation of machine images for multiple platforms from a single source configuration. It enables developers and DevOps teams to define Image Creation workflows in code, allowing for consistent, repeatable, and version-controlled Image builds. Packer supports a wide range of platforms, including: AWS AMIs (Amazon Machine Images) Azure Managed Images Azure Compute Galleries Google Cloud Images...

AWS Cross-Account Provisioning OverviewAdmins using Citrix Machine Creation Services (MCS) technology have use-cases where Cloud Connectors (or Delivery Controllers) would like to be placed in a primary AWS account with IAM roles that have cross-account resource access to MCS-provisioned machine catalogs in separate secondary accounts. No additional Cloud Connectors should be needed in the secondary accounts. Such a deployment model is not currently supported by MCS, which requires cloud connectors to be placed in every...

Deployment Guide: Citrix MCS for Amazon WorkSpaces Core OverviewIn this Deployment Guide, we will walk you through the process of deploying Citrix MCS for Amazon WorkSpaces Core environments. The new integration introduces an Amazon WorkSpaces Core Host Connection type, which allows Citrix MCS to manage the power and lifecycle of VDAs across Amazon WorkSpaces Core environments. What´s NewWith this new product, we’re expanding Citrix MCS non-persistent provisioning capabilities to work with Amazon WorkSpaces Core environments. Here’s what’s now...