This article provides information on the technical risks inherent with the deployment of third-party solutions that rewrite ICA file information.
Citrix Systems recommends that any device (hardware or software-based) that rewrites the contents of ICA files must not be used in any Citrix XenApp or XenDesktop environment. This technical recommendation applies to any product that is deployed in the XenApp or XenDesktop data path, and includes remote access solutions (for example, SSL VPN products), WAN optimization products, and load balancing devices.
In-depth technical analysis by Citrix developers and engineers has determined that the introduction of any such device has the potential to impact the security, functionality and/or user experience of XenDesktop and XenApp deployments.
Consequently, the third-party vendor must principally address technical customer support issues that arise from the introduction of third-party devices that rewrite the contents of ICA files. Citrix Technical Support resources will be assigned only after all devices that rewrite ICA files are removed from the environment and the technical issue is demonstrated to persist. This is necessary to ensure that Citrix technical support teams can obtain proper troubleshooting information to correctly diagnose issues. Further, Citrix is not responsible for any future technical support issues that result from any changes or modifications made to ICA file structures.
The remainder of this document outlines the specific risks involved in utilizing third-party ICA rewrite solutions.
Citrix recommends that any device (hardware or software-based) that rewrites ICA files not be deployed into any Citrix XenApp or XenDesktop environment. This recommendation is based upon the following issues that may occur in production installations when rewriting ICA files:
Client Connection Failure: The ICA file issued by a Citrix Web Interface server contains critical IP addressing and server identity information, which is required by the client to connect to a Citrix XenApp or XenDesktop server. Errors introduced during the rewrite operation may corrupt essential ICA file information, preventing one or more clients from establishing a connection.
Change to Security Posture: Citrix XenApp and XenDesktop solutions support optional ICA file signing capabilities. This feature ensures the integrity of ICA files and can help to protect users from risks associated with unauthorized application or desktop launches. The Citrix online plug-in integrates ICA file signing, verifying that the ICA file meets strictly defined administrator policies. This digital signing capability can be used to prevent untrusted sources from launching applications or desktops.
Any product that rewrites ICA files will cause the ICA file to fail signature verification. As a consequence, connections will be rejected and trusted XenApp and XenDesktop users will be denied legitimate access. To make use of the ICA file signing feature, any data path device that rewrites ICA files must be removed or disabled.
Loss of Customized and/or Default Configuration Settings: The ICA file includes a large number of INI configuration settings that define critical aspects of the XenDesktop or XenApp user experience. These include, for example, settings that affect local printer mappings, audio quality, proper window sizing for the display of virtual applications, and keyboard and mouse responsiveness. An error introduced during ICA file rewrite operations may impact one or more configuration settings, inadvertently degrading the user experience.
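The two risks described above (signature failure after a rewrite, and settings silently altered or dropped) can be shown on a small INI-style file. The following Python is an added illustration and is not Citrix code: the sample ICA content, its section and key names, and the signing scheme (an HMAC-SHA256 over the file text with a constructed key) are assumptions chosen to demonstrate the mechanism, not Citrix's actual ICA signing format. It models a data-path device that substitutes the server address and re-emits only the keys it understands, then shows that the original signature no longer verifies and reports which settings changed or went missing.

```python
"""Added illustration: why rewriting an ICA-style INI file breaks an
integrity signature and can lose settings.  The signing scheme, key names
and sample content are assumptions for this demo, not Citrix's format."""
import configparser
import hashlib
import hmac

# Constructed sample launch file (assumed keys, not a real ICA file).
ORIGINAL_ICA = """[WFClient]
Version=2
ClientAudio=On

[ApplicationServers]
Notepad=

[Notepad]
Address=10.0.0.5:1494
InitialProgram=#Notepad
ScreenPercent=0
TWIMode=On
"""

# Assumption: a shared secret stands in for the real signing key.
SIGNING_KEY = b"constructed-demo-key"


def parse_ica(text):
    """Parse the INI-style body into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # preserve key case rather than lower-casing
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def sign(text):
    """Integrity tag over the exact file text (demo scheme: HMAC-SHA256)."""
    return hmac.new(SIGNING_KEY, text.encode(), hashlib.sha256).hexdigest()


def verify(text, signature):
    """Constant-time check that the text still matches its signature."""
    return hmac.compare_digest(sign(text), signature)


def simulate_rewrite(text, address_map, drop_keys=()):
    """Model a data-path device that re-emits the file with Address values
    substituted and with any (section, key) in drop_keys omitted, as a
    device that only forwards keys it recognises would do."""
    out, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        elif "=" in stripped:
            key, value = stripped.split("=", 1)
            if (section, key) in drop_keys:
                continue  # setting lost in transit
            if key == "Address" and value in address_map:
                line = f"{key}={address_map[value]}"
        out.append(line)
    return "\n".join(out) + "\n"


def diff_settings(original, rewritten):
    """Report settings from the original that are missing or changed."""
    before, after = parse_ica(original), parse_ica(rewritten)
    missing, changed = [], {}
    for section, keys in before.items():
        for key, value in keys.items():
            if section not in after or key not in after[section]:
                missing.append((section, key))
            elif after[section][key] != value:
                changed[(section, key)] = (value, after[section][key])
    return {"missing": missing, "changed": changed}


if __name__ == "__main__":
    sig = sign(ORIGINAL_ICA)
    print("original verifies:", verify(ORIGINAL_ICA, sig))
    rewritten = simulate_rewrite(
        ORIGINAL_ICA,
        {"10.0.0.5:1494": "vpn.example.test:443"},  # constructed substitution
        drop_keys={("Notepad", "TWIMode")},
    )
    print("rewritten verifies:", verify(rewritten, sig))
    print("differences:", diff_settings(ORIGINAL_ICA, rewritten))
```

Running the script shows the original text verifying, the rewritten text failing verification even though only one value was substituted, and the diff listing the changed Address and the dropped TWIMode key; the same comparison, run against the file a client actually receives, is a quick way to confirm whether anything in the data path is modifying launch files.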
Citrix reserves the right to make changes to ICA file structures, syntax, file signing capabilities and validation methods. Citrix does not provide formal notice or technical information to any third-party IT vendor regarding such changes for the purposes of preserving interoperability. Citrix makes no assurances that third-party solutions that rewrite ICA files will continue to interoperate in any XenApp or XenDesktop installation at any point in the future.