Citrix Independent Computing Architecture (ICA) information is a critical part of your Citrix deployment. It allows your internal and external users to securely connect to applications and desktops. This information is commonly found in a .ICA file, which the Citrix Workspace app or browser uses to complete the connection.
Because the information in the ICA file provides access to your systems, it is important to implement security best practices. This paper will cover the various launch methods available for ICA files, information recommendations, and best practices for hardening this critical part of your infrastructure.
When a user launches an application or desktop, StoreFront generates ICA information, which contains instructions to the client on how to connect to the VDA. This is a text document with the same format as an INI file. This document refers to this as an ICA ‘file’ regardless of whether it is a file stored on disk or data held in memory.
StoreFront generates this ICA file based on the information it receives from Citrix Virtual Apps and Desktop or Citrix Desktop as a Service (DaaS), along with its own configuration and logic.
If you open an ICA file, you’ll see name-value pairs, including the following:
| Field | Description |
| Address | For internal access, the IP address of the VDA to connect to.When a resource is accessed via a Gateway, this contains the Secure Ticket Authority (STA) ticket. |
| SSLProxyHost | If the resource is accessed via a Gateway, this contains the address of the Gateway. |
| LaunchReference | This contains the launch reference that is used to retrieve ancillary session data. This is a one-time ticket with a limited lifespan. |
| LogonTicket | This contains the logon ticket used to validate that the VDA is launching the connection that the DDC prepared. This is a one-time ticket with a limited lifespan. |
Note that the ICA file includes a field called ClearPassword. Despite its name, this is a legacy field that does not contain a password. Current versions of the Citrix Workspace app do not use this field.
There are three ways for a user to view their store and connect to their resources:
- Users can open the store in the Citrix Workspace app. This provides the best and most secure experience. It avoids using unmanaged web browsers, securely handles ICA files, and allows the use of anti-keylogging protection during authentication.
- Users can open their store and connect to resources within a web browser. This provides an option for situations where the Citrix Workspace app cannot be installed. ICA information is stored in memory within the browser.
- Users can open the store in their web browsers but launch resources in their locally installed Citrix Workspace app. This is known as a “hybrid launch”. This requires handing ICA information between the browser and the locally installed app. There are a number of mechanisms in this work.
For more information on how your users can access their stores and launch resources, see StoreFront documentation.
Hybrid Launch mechanism details
This section describes how hybrid launches can transfer data between the browser and locally installed Citrix app.
Hybrid Launch using Citrix Workspace web extensions
Users can install Citrix Workspace web extensions on Chrome, Edge, and Safari. If the website detects this, it uses it to communicate securely with the locally installed Citrix Workspace app to launch applications. The user does not have the option to download ICA files to disk.
Hybrid Launch using Citrix Workspace launcher
Citrix Workspace app for Windows, Mac, and Linux includes a component called the Workspace app launcher. When the user launches a resource, the browser signals to the locally installed Citrix Workspace app to retrieve the ICA file from the StoreFront server.
Hybrid Launch using ICA download
If the browser cannot detect a locally installed Citrix Workspace via either Web Extensions or the Workspace launcher, then when a user launches a resource, it downloads an ICA file. The user must then open this file Citrix Workspace app.
Whichever launch method is used, StoreFront contacts a Secure Ticket Authority to get a ticket when you launch a resource via a Gateway. If using Citrix Virtual Apps and Desktops, this is normally the Delivery Controller. If using DaaS, this is normally the Cloud Connector, which proxies requests to the cloud ticketing authority. This ticket entitles the caller to connect to the resource for a limited period of time and is only valid for a single use.
When the HDX client sees an SSLProxyHost in the ICA file, it contacts the Gateway, providing the STA ticket. The Gateway, in turn, contacts the STA server to check whether the ticket is still valid and to get the address of the VDA to which it should forward the traffic. The Gateway acts as a reverse proxy between the HDX client and the VDA.
It is important that ICA files are managed securely as they provide direct access to connect and log into a VDA.
Deploy the latest Citrix Workspace app
A locally installed Citrix Workspace app is the best and most secure experience for launching VDAs, as the launch process is entirely encapsulated within the app. Therefore, we recommend deploying the Citrix Workspace app and configuring it to connect to the store wherever possible. Ensure you keep it updated so you always have the latest improvements.
Deploy Citrix Workspace Web Extensions
Where native launch is not possible, and you need to allow hybrid launches, we recommend deploying Citrix Workspace web extensions to your users. This provides the most reliable and secure hand-off between the browser and the locally installed Citrix Workspace app.
Disable ICA file downloads
In the case of a hybrid launch, where neither Citrix Workspace Web Extensions nor Citrix Workspace launcher are used, the browser downloads an ICA file to disk. The file is not immediately launched and instead relies on the user opening the file. This allows a user to email the file to someone else or malicious software could access it and send it directly to the attacker. Therefore, we recommend disabling ICA file downloads for most deployments and only use launch methods where the ICA file is transferred in-memory and immediately launched.
StoreFront 2402
StoreFront has new settings to control whether ICA downloads are allowed.
The first applies only to platforms where Citrix Workspace launcher is supported (Windows, macOS, Linux). Normally, when users first open their store in a browser, it prompts the user to open the Citrix Workspace launcher. Once they’ve done this, the Citrix Workspace launcher is used for subsequent app launches. However, the users can press instead ‘Already installed’ which falls back to download ica downloads. You can remove this option by clearing “Show ‘Already installed’ link on the client detection page.
Citrix Workspace app for iOS and Android does not support Workspace launcher, so hybrid launches always download ICA files. You can disable these downloads by ticking “Prevent ICA downloads on all platforms.” In this case, users should add their store directly to the Citrix Workspace app for iOS and Android to use native launches.
For more information, see StoreFront documentation
Earlier versions of StoreFront
You can achieve the same results in earlier versions of StoreFront by applying the customization described in CTX584240.
Citrix Workspace
Citrix Workspace has a similar setting to hide the “Already installed” link. This is called “disallowIcaDownload”. This removes the “Already installed” link on Windows and Mac and does not impact other operating systems. We recommend opening the store in a locally installed Citrix Workspace app for other operating systems.
You can configure Citrix Workspace to enforce protocol detection using the Workspace powershell module. This does not force users who have previously clicked “Already installed” to use the Citrix Workspace launcher; therefore, we recommend prompting your users to clear their cookies after enabling this setting.
Reduce the lifetime of launch reference and logon tickets
Reducing session validity and launch times decreases an attacker's opportunity window if the system has been compromised.
This launch reference and logon tickets are valid for 200s by default, but you can use the PowerShell Set-BrokerServiceConfigurationData command to configure them with the MaxSessionEstablishmentTimeSecs setting. For example:
Set-BrokerServiceConfigurationData Core.MaxSessionEstablishmentTimeSecs -SettingValue 100
Ensure you carefully test your configuration in the worst-case performance scenarios—if the ticket life is too low, it will expire before connecting to the VDA, and the launch will fail.
Prevent launching of unauthorized ICA files
Another concern is that a threat actor could provide a user with a malicious ICA file, for example, as part of a phishing email. This ICA file could, for instance, connect to a VDA-enabled local drive mapping and pull data off the drives.
Prevent launching of ICA files from disk
As long as you’ve enabled in-memory ICA launches for your own systems, we recommend that you configure your Windows clients to refuse to launch ICA files from disk. This prevents users from launching ICA files they have been sent via email or other messaging systems. See Citrix Workspace app for Windows documentation.
ICA Signing
ICA signing is a more comprehensive way to block users from opening ICA files from unauthorized sources in Windows. This involves configuring StoreFront to add a signature to the ICA file and configuring the Citrix Workspace app to only allow launches where that specific signature is present. You can configure Workspace apps to either block unsigned launches completely or to prompt the user to allow unsigned launches. This can apply to all unauthorized launches, whether from disk or in-memory. This feature is not available in Citrix Workspace.
For more details, see StoreFront documentation and Citrix Workspace app for Windows documentation.
As you can see, there are multiple ways to improve ICA security. Some of these may not apply to your organization, but you should use a layered and defense-in-depth approach to apply as many as you can. Start testing these recommendations today to harden your environment!
Product Documentation: StoreFront 2402 Long Term Service Release Overview
Product Documentation: Secure your StoreFront deployment
Product Documentation: Citrix Workspace
Tech Paper: Security best practices for Citrix Virtual Apps and Desktops
Tech Paper: Citrix VDA Operating System Hardening Guide
