Article ID: CTX696422
Description
Common VPN/Proxy Technologies:
The following platforms commonly introduce the behaviors described under Common Impacts when SSL inspection or traffic redirection is enabled:
- Zscaler
- Netskope
- Cisco AnyConnect
- Blue Coat
- Palo Alto GlobalProtect
- Symantec ProxySG
- Forcepoint
Common Impacts:
- TLS Inspection / Packet Decryption
- Many network security appliances decrypt traffic by intercepting the TLS connection and replacing the destination's certificate chain with one issued by the appliance's own CA.
- When TLS inspection or packet decryption is enabled, the connector therefore receives a certificate issued by the appliance instead of the certificate expected from the Citrix Cloud service endpoint.
- This substitution changes the certificate chain and TLS negotiation that the connector validates. The TLS handshake may fail outright (for example, when the connector host does not trust the appliance's issuing CA) or become unstable, because the secure session is no longer established directly between the connector and the destination service.
- Packet Decryption can result in:
- Failed TLS handshakes
- Connector communication failures
- Intermittent service connectivity
- Asymmetric Routing
- VPN or proxy routing configurations can cause Citrix Cloud traffic to follow different outbound and return network paths.
- Asymmetric routing can lead to:
- Broken TCP sessions
- Misrouted packets
- Intermittent connector communication issues
- TCP Session Interruption
- Some WAN security platforms terminate or modify TCP sessions that do not meet expected inspection policies.
- If the Citrix Cloud traffic is not properly bypassed, these platforms may introduce:
- Unexpected TCP resets
- Interrupted TLS negotiations
- Termination of persistent service connections
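A quick way to see which of these outcomes a connector host is actually getting, as an added example written for this article rather than Citrix tooling: open a TLS connection to a service address using the host's default trust store, as the connector does, and classify who issued the presented certificate. A chain that fails validation points at a substituted certificate whose CA is not trusted; a chain that validates but is issued by an inspection vendor or the enterprise PKI points at interception that the host has been told to trust. The example host name, the inspection-CA name markers and the "example corp internal ca" placeholder are assumptions to edit for your environment.

```python
"""Classify the TLS certificate a host presents for a Citrix Cloud address.

Added illustration for this article, not a Citrix-provided tool. The marker
list and the default host below are assumptions for the example.
"""
import socket
import ssl
from dataclasses import dataclass

# Substrings that mark an issuer as an inspection appliance or an enterprise
# CA rather than a public CA. Built from the vendors named in the article plus
# a placeholder for your own PKI; edit to match your environment. Symantec is
# deliberately absent because older public roots carry that name too.
INSPECTION_CA_MARKERS = (
    "zscaler", "netskope", "palo alto", "forcepoint", "blue coat", "bluecoat",
    "proxysg", "example corp internal ca",   # placeholder for your own PKI
)


@dataclass
class TlsCheckResult:
    host: str
    outcome: str        # "direct", "intercepted", "untrusted_chain", "error"
    issuer: dict
    detail: str = ""


def rdn_to_dict(rdn_seq) -> dict:
    """Flatten the ((('key', 'value'),), ...) structure that
    ssl.getpeercert() uses for 'issuer' and 'subject' into a plain dict."""
    out = {}
    for rdn in rdn_seq:
        for key, value in rdn:
            out[key] = value
    return out


def classify_issuer(issuer: dict, markers=INSPECTION_CA_MARKERS) -> str:
    """Return 'intercepted' if any issuer attribute matches a marker, else
    'direct'. Pure function so it can be tested without a network."""
    haystack = " ".join(str(v) for v in issuer.values()).lower()
    if any(m in haystack for m in markers):
        return "intercepted"
    return "direct"


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> TlsCheckResult:
    """Open a real TLS connection with hostname and chain verification, as the
    connector does, and classify what was presented."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        # The chain did not validate against the local trust store: the usual
        # symptom when an appliance substitutes its own certificate and its
        # CA has not been pushed to this host.
        return TlsCheckResult(host, "untrusted_chain", {}, str(e))
    except (OSError, ssl.SSLError) as e:
        # Includes TCP resets mid-handshake, which the article also describes.
        return TlsCheckResult(host, "error", {}, str(e))
    issuer = rdn_to_dict(cert.get("issuer", ()))
    return TlsCheckResult(host, classify_issuer(issuer), issuer)


if __name__ == "__main__":
    import sys
    # "citrix.cloud.com" is only an assumed example under *.cloud.com;
    # pass the addresses from the Citrix list for your tenant instead.
    for h in sys.argv[1:] or ["citrix.cloud.com"]:
        r = check_host(h)
        print(f"{r.host}: {r.outcome} issuer={r.issuer} {r.detail}")
```

Run it from the Cloud Connector host itself, since the path from any other machine may not cross the same appliance. An "untrusted_chain" result is the failed-handshake case above; an "intercepted" result means the appliance CA is trusted locally but the session still terminates on the appliance, which is the case the bypass list is meant to remove.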
Citrix Recommended Actions:
To maintain stable Citrix Cloud communication, Citrix recommends the following configuration for Cloud Connectors.
- TLS Inspection/Decryption Bypass List
- Citrix-hosted service addresses must be excluded from TLS inspection and SSL decryption wherever possible.
- This includes bypassing the Citrix service addresses from:
- Packet decryption
- Certificate substitution
- Traffic inspection that alters TLS negotiation
- Firewall Allow-listing
- Citrix-hosted service addresses should be allowlisted within network firewall policies to permit outbound TCP 443 communication from the Cloud Connectors.
- Simplified Routing
- Connector traffic should follow a direct and predictable network path.
- Citrix recommends avoiding:
- Proxy chaining
- VPN hairpin routing
- Complex loopback interfaces
- Traffic redirection mechanisms
Citrix Cloud Service Addresses
- Citrix recommends allowlisting wildcard variations of these service URLs; the available options are listed below.
- Full list of required Service Addresses can be found here (Government here)
- JSON file containing the fully qualified Domain name (FQDN) Service Addresses can be found here (Government here)
- The JSON includes all of the Citrix Cloud Service Addresses except the customer-specific xendesktop.net address, which has the form <CustomerID>.xendesktop.net (for example, the account's Cloud Customer ID followed by .xendesktop.net). The Customer ID can be found in the Citrix Cloud Administrator Portal.
- Major service domains for non-Government customers include:
- https://*.xendesktop.net
- https://*.citrixworkspacesapi.net
- https://*.nssvc.net
- https://*.blob.core.windows.net
- https://*.servicebus.windows.net
- https://*.cloud.com
These domains support core Citrix Cloud platform functionality, including broker communication, service APIs, messaging infrastructure, and storage services.
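To turn the service-address list into something a proxy or firewall team can consume, the following added example (not a Citrix-provided script) normalizes entries, appends the tenant-specific <CustomerID>.xendesktop.net address that the JSON omits, collapses individual FQDNs to the wildcard domains above, checks a hostname against the result, and emits a PAC-style DIRECT rule. The JSON layout, the hostnames inside it, the customer ID and the proxy address are all constructed for the example; the real JSON file's structure is not reproduced here, and whether a wildcard entry also covers its apex domain (cloud.com itself) is a per-product question that the matcher treats as "no".

```python
"""Build a TLS-inspection bypass / firewall allowlist from a Citrix-style
FQDN list and test hostnames against it.

Added illustration for this article, not Citrix tooling. SAMPLE_JSON is a
constructed stand-in; the real file's layout is not reproduced.
"""
import json

# Wildcard domains named in the article for non-Government tenants.
ARTICLE_WILDCARDS = (
    "*.xendesktop.net",
    "*.citrixworkspacesapi.net",
    "*.nssvc.net",
    "*.blob.core.windows.net",
    "*.servicebus.windows.net",
    "*.cloud.com",
)

# Constructed sample: a list of hostnames in the shape the article describes.
SAMPLE_JSON = json.dumps({"addresses": [
    "https://trust.citrixworkspacesapi.net",
    "agenthub.citrixworkspacesapi.net",
    "*.nssvc.net",
    "*.servicebus.windows.net",
    "ctxprod.blob.core.windows.net",
    "workspace.cloud.com",
]})


def normalize(entry: str) -> str:
    """Strip scheme and path and lower-case, so 'https://*.cloud.com' and
    '*.cloud.com' compare equal."""
    e = entry.strip().lower()
    if "://" in e:
        e = e.split("://", 1)[1]
    return e.split("/", 1)[0]


def load_addresses(json_text: str, customer_id: str) -> set:
    """Read the list and add the tenant-specific address the JSON omits."""
    data = json.loads(json_text)
    entries = {normalize(e) for e in data["addresses"]}
    entries.add(f"{customer_id.lower()}.xendesktop.net")
    return entries


def host_matches(host: str, pattern: str) -> bool:
    """'*.cloud.com' matches subdomains of any depth ('a.cloud.com',
    'a.b.cloud.com') but not the apex 'cloud.com' and not 'evilcloud.com'.
    Apex handling is an assumption: confirm your proxy's own semantics."""
    host, pattern = normalize(host), normalize(pattern)
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # keeps the leading dot
    return host == pattern


def collapse_to_wildcards(entries, wildcards=ARTICLE_WILDCARDS) -> set:
    """Replace each FQDN by the article wildcard covering it; entries covered
    by none are kept verbatim so nothing is silently dropped."""
    out = set()
    for e in entries:
        covering = [w for w in wildcards if host_matches(e, w)]
        out.add(covering[0] if covering else e)
    return out


def is_bypassed(host: str, patterns) -> bool:
    return any(host_matches(host, p) for p in patterns)


def render_pac(patterns) -> str:
    """Emit a FindProxyForURL body that sends the bypass set DIRECT and
    everything else through a placeholder proxy address."""
    conds = " ||\n        ".join(f'shExpMatch(host, "{p}")' for p in sorted(patterns))
    return (
        "function FindProxyForURL(url, host) {\n"
        f"    if ({conds}) {{\n"
        '        return "DIRECT";\n'
        "    }\n"
        '    return "PROXY proxy.example.internal:8080";  // placeholder\n'
        "}\n"
    )


if __name__ == "__main__":
    # "abc123xyz" is a placeholder Customer ID, not a real tenant.
    bypass = collapse_to_wildcards(load_addresses(SAMPLE_JSON, "abc123xyz"))
    print(render_pac(bypass))
```

The same pattern set feeds both recommended actions: the wildcard list is what goes into the appliance's decryption-bypass policy, and the un-collapsed entries from load_addresses are what the firewall team needs for an outbound TCP 443 allow rule when their product does not accept wildcards.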
Citrix Supportability Statements
- Citrix provides a Data Protection Whitepaper that explains how Citrix Cloud services secure both the control plane communication and data transport mechanisms used by Cloud Connectors. This document can be provided to internal network and security teams as vendor documentation explaining the security model used by Citrix Cloud.
- While Citrix supports environments that utilize VPN and proxy technologies, these platforms may alter the expected security posture of the Citrix software stack. Improper configuration can lead to:
- Degraded performance
- Intermittent service failures
- Loss of Cloud Connector functionality
- Ensuring that Citrix Cloud service addresses are properly bypassed from TLS inspection and traffic manipulation is critical to maintaining stable operation.
Issue/Introduction
When using VPN or proxy technologies with Citrix Cloud Connectors, several impacts may occur if proper bypasses or exclusions are not configured. While there are many reasons to deploy VPN or proxy technologies within an enterprise network, the Citrix Cloud Connector uses several security validation mechanisms that can be affected by these intermediary technologies. Citrix Cloud Connectors rely on persistent, stateful outbound TLS (TCP 443) connections to Citrix-hosted Service Addresses.
- Network security technologies that intercept, decrypt, or reroute this traffic can interfere with the connector’s ability to establish trusted communication with Citrix Cloud services. Proper bypass configuration is required to ensure reliable Citrix Cloud operation.
- If traffic inspection, proxy routing, or TLS decryption occurs between the Cloud Connector and Citrix Cloud service addresses, the resulting behavior may cause connection instability, degraded performance, or complete service disruption.
Understanding these impacts is important when troubleshooting Citrix Cloud environments.