Citrix Secure Workspace Access

Posted on  by admin

Working remotely has become the norm for enterprise employees. At the same time, the risk of cyberattacks is ever-present. As a result, it has become top of mind for companies to enable secure business continuity for these workers, while also delivering an optimal user experience. Simply put, businesses must protect their employees and intellectual property but not at the expense of reduced productivity and decreased employee satisfaction.

To address these challenges, Citrix and Cisco Duo have joined forces, integrating their products to enable employees to work from anywhere, seamlessly and securely.

The Citrix Secure Workspace Access service enables the administrators to provide a cohesive experience integrating single sign-on, remote access, and content inspection into a single solution for end-to-end access control. IT administrators can govern access to approved SaaS apps with a simplified single sign-on experience.

  1. In Part 1 of our series on Citrix Secure Workspace Access, we looked at why organizations need to embrace modern, consumer-modeled, user-friendly, and cloud-based working models, allowing choice and flexibility for BYO and modern SaaS applications. But at the same time, they need to ensure a safe and secure experience for external and hosted.
  2. Explore Citrix Secure Workspace Access use cases. See how Citrix solves your business and IT challenges. Solutions for IT. Replace traditional VPNs with a zero trust approach. Meet the needs of your remote workforce with a VPN alternative. Simplify and secure user access.
  3. Citrix Secure Workspace Access provides one cohesive, zero trust security strategy from a single trusted partner.

Take the case of MarinHealth Medical Center, a midsized hospital based in Marin County, California. For this healthcare provider, it’s now standard practice for employees to remotely access both cloud-based applications such as Office 365 and internal applications such as electronic medical record (EMR) systems.

Unfortunately, today’s business landscape is permeated by malicious practices, such as credential stuffing where cybercriminals buy credentials from the dark web and attempt to use them to log into an organization’s network. A single-login security posture can’t defend against this type of vulnerability. Though a security team can certainly warn users not to share passwords across accounts, reuse passwords or click on unknown links, it has no control over actual behavior.

This is where the partnership between Citrix and Cisco Duo comes in.

The market-leading Citrix Workspace delivery platform

Founded in the late 80’s, Citrix is well known—among other things—for allowing employees to run remote applications using a local device, such as a laptop or smartphone.

Today, the Citrix Gateway product consolidates remote access infrastructure to provide a single sign-on across all applications whether they are running on premises in a data center, off premises in a cloud, or delivered by a third-party SaaS application.


In concert, Citrix Workspace provides a secure, contextual, and unified workspace—on any device. This workspace gives employees instant access to their SaaS and web apps, virtual apps, files, and desktops from an easy-to-use, all-in-one interface powered by Citrix Workspace services.

Cisco Duo adds secure authentication with advanced endpoint security

Cisco Duo increases security for employees connecting over Citrix by adding multifactor authentication (MFA) to provide a crucial second level of defense against cyberattacks such as credential stuffing.

Cisco Duo also goes a step further by checking the security posture of the devices used to access the corporate environment. If an iPad device is used, for example, Duo will verify that the operating system is on the latest patch level and that the device hasn’t been jailbroken, which can introduce additional security vulnerabilities.

Cisco Duo provides adaptive access policies as well, examining information such as the device’s physical location when issuing an MFA request to authenticate the user and device. If the device is at the employee’s home, connected on a known IP address, an administrator may select to let the employee choose a lower assurance MFA option such as one-time password. However, an access request from a different location than the employee’s home, could mean a stronger level of MFA is required such as Duo Push.

In addition, Cisco Duo makes it easier to read, filter and export analytics, enabling a security team to review why login denials have occurred. Perhaps these requests are fraudulent, or an employee must update their operating system.

Simple to use

The zero-trust Citrix and Cisco Duo security framework is also easy to use. Ease of use is particularly important because complicated logins can lead not only to disgruntled employees, but also to a host of support requests from employees simply trying to read their email remotely.

For MarinHealth, the Citrix and Cisco Duo joint solution has proven to be the right answer; it enhances logins to the hospital’s Citrix Gateway with MFA as employees and patients remotely access applications. Perhaps best of all, MarinHealth has been pleased by the small number of tickets and issues it has experienced, given the pervasiveness of use of Citrix Gateway and Cisco Duo for the hospital.

So, if your employees are working remotely, and you want to greatly reduce the risk of security breaches, learn more about how the Citrix and Cisco Duo integration might be the right answer for your organization.

Visit Citrix or learn more about the

Cisco partnership with Citrix!

Having spent a great week in Anaheim at Citrix Synergy 2018, one of the standout capabilities announced is Citrix Access Control. The more I think about it, the more of a great feature I think this is.

Citrix Workspace App has been announced and will shortly be released, providing access to Citrix Apps (XenApp), Citrix Desktops (XenDesktop), Citrix Secure Collaboration (ShareFile) and SaaS applications from a single pane of glass. Why is this a great thing? Well, let me share my view…

The idea of a single pane of glass presenting Apps, Desktops and SaaS applications has been around for a while, and Citrix even did it for a while in the form of App Controller. This was very much in the early days of broad SaaS adoption, so gained little traction in the customer base.

The landscape has changed now and most organisations will be consuming some form of SaaS solution – be it Office 365, Concur or Workday to name a few.

Even looking at the core traditional services – the integration of ShareFile and XenApp/XenDesktop resources (forgive my dropping of Citrix <Function> names already as this is being written following 15 hours of travelling – call it a minor rebellion) is powerful in and of itself. The ability to natively launch documents stored in ShareFile using the appropriate published application is a great example of the traditionally separate products integrated in a way that is pleasing for users and gives further credibility to the view that Citrix are now providing integrated Workspace solutions.

I digress. We can all agree – Workspace App is super cool and we’ll all no doubt use it.

One other thing I will note about Workspace App is that a Christian Reilly demo showed the upcoming FAS integration for the Workspace App Service – this is a must have as it brigdes the gap between a user’s Cloud identity (typically Azure AD) and on-premises windows credentials and makes a Cloud based Workspace with two-factor authentication a viable option.

Why Citrix Access Control is going to be awesome

The concept of the Secure Digital Perimeter is that all the resources that a user accesses to comprise their workspace should be governed by a single centrally configured set of policies allowing for consistent application of security with the user being the new security perimeter. But how does this apply to SaaS applications?

Previously the only solution Citrix had to handle SaaS was Citrix Secure Web Gateway to provide auditing and access control (in an allow/block configuration). What is it that Citrix Access Control gives us?

Simple SSO

Using a set of predefined templates for common SaaS applications, administrators can configure SSO to these SaaS applications from within their workspace. This enables users to access these SaaS applications using their Workspace App without having to ever know the credentials for these applications.

This is great for a few reasons:

  • Time to value: the predefined templates enable administrators to on-board these SaaS applications with minimal configuration. Certainly better than having to follow lengthy “How-To” documents.
  • Simplified User Identity Management: By using SAML authentication with a central identity store (either on-premises AD or Azure AD), you can be sure that user’s that are provisioned using SSO will not be able to access the SaaS resources once they leave the organisation.
  • Ease of Access – by presenting these SaaS applications in the user’s Workspace App it ensures that key SaaS applications are easily accessible alongside traditional applications.

The SSO component is delivered by a combination of the Workspace App Service and the NetScaler Gateway Service in Citrix Cloud. The NetScaler Gateway Service provides the IDP (Identity Provider) capabilities for transitioning the user’s native authentication to SAML/OpenID for consumption by the third party applications.

Note: The SSO Templates will also be released as part of the NetScaler (Citrix ADC) Unified Gateway feature in Q2, so for organisations wanting to gain some of these capabilities while remaining “On-Prem” there are still options available for you!

Security Controls

This is where things get interesting – actually applying security policies to SaaS applications.

What policy controls can you use?

You can enable:

  • Restricted Clipboard Access (Copy/Paste)
  • Watermarking (Displaying Username and IP on top of the SaaS application) to catch people using screen-grabs
  • Restricting Downloads
  • Restricting Printing
  • Restricting Navigation (Forwards/Back)

Citrix Workspace Privacy

How does it do this?

When you install Workspace App, a Citrix-customised integrated browser based on Chromium is installed. Using this customised browser engine, Workspace app can present the SaaS application to you while enforcing the policy you have defined.

If you are accessing using just a browser and don’t have Workspace App installed, the link will be redirected to the Secure Browser Service, where the same policy will be applied, ensuring consistent application of policies in a client-based or client-less deployment.

How is it better than what we can do today?

Some of you may be aware of the product Microsoft Cloud App Security – this has a similar function of controlling user activities within SaaS applications. The main limitation with this is that the controls are based on API integration with the SaaS application, meaning that if Microsoft don’t have your SaaS app on their list then you’re stuck. And the level of control available will be dependent on the level of API integration that is made available by the vendor and Microsoft which will vary on an app by app basis.

Cloud App Security also utilises SAML authentication to the SaaS application, but there’s no real control on where you can access things from and how they integrate with the device that you access it from.

How would you use it?

Say you want to secure your CRM database that is provided by, you would do the following;

  • Configure the application to use only SAML authentication.
  • In the NetScaler Gateway Service configure the SaaS Application template for (or create a new custom application)
  • Configure your security policy

If a user launches the SaaS application from Workspace App, the SaaS Application will be loaded in the customised chromium based browser and the security policies will be applied.

If the user launches the SaaS application from the browser based Workspace App, the SaaS application will be launched in the Secure Browser service and the security policies will be applied.

If the user tries to log in by going direct to they won’t be able to log in as firstly they won’t know their credentials, and secondly only SAML authentication via the NetScaler Gateway Service is allowed.

This means that users cannot access the service without having your security policies applied.

Thing’s I’d like to see being addressed

As a v1 solution it looks pretty good, but after a couple of days to think about it there are a few challenges I think need some thought which I’ve listed below.

  • Custom Browser Support – the embedded Chromium browser is a great idea, however it will be interesting to see how customers view this from a security perspective. As it’s effectively another browser, it will need security updates on a regular basis to ensure it does not become a risk, so will need more focus than Citrix Receiver typically receives in Enterprise deployments.
  • Browser Extensions – it’s currently unclear if or how browser extensions that may be needed are supported. Also there is the assumption that all SaaS applications will render correctly in Chromium.
  • Data Locality and Security in Secure Browser – The fallback to Secure Browser is a great idea, however again it will be interesting to see the security take on this as you are potentially loading sensitive IP into memory on a third party service. At very least I would expect to see some robust security statements on the Secure Browser service in terms of protections in place to prevent data breaches – e.g. could I host a website which leverages an exploit that enables me to access memory from another session? How are local caches handled? Are they encrypted at rest? What antivirus is in use if any?
  • BYO Secure Browser – Potentially to address the above issue, it would be nice to see the option to launch the SaaS application in a customer hosted secure browser session.
  • The templates need to include guidance on what steps need to be completed in the SaaS applications to firstly enable SAML authentication, and secondly to disable other authentication methods to ensure that user’s cannot bypass the security controls.
  • SaaS App Discovery – Microsoft have Cloud App Discovery which can parse your network and proxy logs to discover unauthorised SaaS applications in use. It would be good to see something in this space from Citrix. This could be either a solution similar to Microsoft’s, or something as simple as a FREE Secure Web Gateway appliance that you could deploy transparently in front of your proxy server to monitor all web traffic and report back to Citrix Access Control to identify the apps it has seen. You can gain this info by deploying Secure Web Gateway, however a light-touch approach for just monitoring SaaS application usage would be extremely helpful as a discovery tool, and also to demonstrate to customers pre-deployment what value they could gain from using Citrix Access Control.

Citrix Secure Workspace Access Login

Hopefully this has given you a taste of what Citrix Access Control can do for your SaaS applications in your environment. It’s currently in Tech Preview and you can sign up for access here: