Preventing the Double Hop in Citrix XenApp and XenDesktop
*This post originally appeared on the AppSense blog prior to the rebrand in January 2017, when AppSense, LANDESK, Shavlik, Wavelink, and HEAT Software merged under the new name Ivanti.*
For many organisations, Citrix XenApp and XenDesktop provide a secure way of deploying applications to third parties, remote support staff and contractors.
Typical use cases let these users connect to a Citrix-delivered application or desktop and, from there, access applications, maintain systems, provide remote assistance and/or update network infrastructure.
Whilst this gives such users “local” access to the resources they need for their task, that level of access introduces other security and access concerns for the Citrix and security teams.
When deploying desktops to these remote users, the desktop being presented can become a “launch pad” to other network resources, servers, and websites that IT may not want users to access. For some remote users IT may need to provide applications such as telnet, MSTSC.exe and Internet Explorer. Whilst these tools and applications give the remote user access to the specific IP addresses and systems needed to do their job, the same tools can be used to reach other back-end systems to which they should not have access. To block unauthorized access, IT needs to ensure that a remote user who is presented with a Citrix desktop is not able to log on to another desktop or Citrix farm from it: a “double hop”.
This double hop can be prevented with internal firewalls, VLANs and other methods, but typically this means additional overhead and/or support from other teams.
AppSense Application Manager (well known for securing and ensuring the stability of Citrix XenDesktop and XenApp when it comes to application control) includes a feature called Application Network Access Control. This feature was developed some years ago specifically to solve this issue for a large communications company that used Citrix to deliver remote desktops to contractors supporting an internal infrastructure. Since then, Application Network Access Control has been deployed by thousands of customers to restrict and prevent the double hop.
Using Application Network Access Control, IT can place a user-centric, per-application control on the ports, hostnames, and IP addresses that the user and the application are able to use. This lets the remote worker access the desktop and applications they require, lets those applications reach the systems they require, and prevents the user from going anywhere they shouldn’t.
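As an added illustration of the per-application port/host/IP allowlist idea described above, the following PowerShell script builds the same kind of control with the built-in Windows Firewall on a XenApp server or VDA. It is example code written for this page, not AppSense or Ivanti code, and it does not reflect how Application Manager implements the feature. The jump-host address, management subnet and rule-name prefix are constructed placeholders.

```powershell
# Added example (not AppSense/Ivanti code): a per-application outbound allowlist
# on a Citrix-delivered Windows desktop, so that mstsc.exe and telnet.exe can only
# reach the destinations a contractor is meant to support (no "double hop").
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Constructed placeholder values; replace with your own environment's details.
$AllowedRdpHost   = '10.20.30.5'      # the one approved jump host for RDP
$AllowedTelnetNet = '10.40.0.0/24'    # network devices the contractor maintains
$Mstsc  = "$env:SystemRoot\System32\mstsc.exe"
$Telnet = "$env:SystemRoot\System32\telnet.exe"
$Prefix = 'CTX-NoDoubleHop'           # constructed rule-name prefix

# 1. Windows Firewall evaluates explicit Block rules before Allow rules, so a
#    "block mstsc.exe to Any" rule would also defeat a narrow Allow rule for the
#    same program. The working pattern is deny-by-default outbound for the
#    profile, plus narrow Allow rules for each program and destination.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 2. Remove earlier copies of our rules so the script can be re-run safely.
Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 3. Narrow Allow rules: program + protocol + port + remote address.
New-NetFirewallRule -DisplayName "$Prefix mstsc to jump host" `
    -Direction Outbound -Program $Mstsc -Protocol TCP -RemotePort 3389 `
    -RemoteAddress $AllowedRdpHost -Action Allow -Profile Any | Out-Null

New-NetFirewallRule -DisplayName "$Prefix telnet to managed devices" `
    -Direction Outbound -Program $Telnet -Protocol TCP -RemotePort 23 `
    -RemoteAddress $AllowedTelnetNet -Action Allow -Profile Any | Out-Null

# 4. Verify what was created: one row per rule with its program and destination
#    filters, so the allowlist can be reviewed at a glance.
Get-NetFirewallRule -DisplayName "$Prefix*" | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
        Remote  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        Port    = ($_ | Get-NetFirewallPortFilter).RemotePort
        Action  = $_.Action
    }
} | Format-Table -AutoSize
```

Two caveats show why the post calls the firewall route “additional overhead”. First, a default outbound Block applies to every process on the machine, so the core OS traffic (DNS, Kerberos, the Citrix broker and so on) needs its own Allow rules before this is usable. Second, Windows Firewall rules are machine-wide; they cannot express the user-centric part of the control (the same mstsc.exe allowed to different hosts for different users), which is the gap the per-user, per-application approach described above is meant to fill.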
In the most recent release, Application Manager 10.0, this functionality has been extended to include URLs. Using the AppSense rules engine, URLs can be restricted or redirected based on the user and their context. Coupled with the enhanced rules engine in 10.0, Application Manager can now provide granular control over a user, their context, and their application usage, and protect against the “double hop” – even when using rules-based Citrix client settings such as Citrix Receiver.