ExtraHop Citrix Web Interface Bundle (Users & Applications)

Description

Background

The ExtraHop system already performs great out-of-the box real-time analysis of the ICA protocol. However, XenApp and XenDesktop solutions from Citrix rely not only on ICA, but on a variety of other protocols, like HTTP, DNS, LDAP, CIFS, etc.. to deliver the infrastructure to the user.

The following bundle analyzes the HTTP traffic of the Citrix web front end servers to accomplish the following: 1. Automatically detects XenDesktop vs XenApp traffic and creates of separate ICA Application for each 2. Extracts Citrix username and application at the Citrix web front end (note: Citrix web front end username is different from ICA username, which is often simply the name of the workstation accessing the Citrix server)

Screenshots

Overview

Launches by User

Launch Latency by User

Launches by Application

Launch Latency by Application

Requirements

1. This bundle assumes that Citrix applications are accessed through Citrix Web Interface and that this traffic is passed in the clear over HTTP (or that SSL decryption is enabled and the Citrix Web Interface private key is uploaded into ExtraHop). Legacy methods not relying on logging in through the web interface are not going to work with this approach.
2. This solution works regardless of the Citrix ICA encryption mode and does not require the HTTP to ICA correlation to work.
3. This bundle was tested with XenDesktop 5.5 and XenApp 6.5 and the latest Windows, Mac, and Linux Citrix Receiver clients.
4. If you already have the "ExtraHop Citrix XenApp and XenDesktop Bundle" installed and working, this information is already captured in that bundle. This solution is intended for environments where the HTTP to ICA correlation does not apply or where ICA encryption is something other than "none" or "Basic".

Installation Instructions

1. Download the bundle
2. Upload the bundle into the ExtraHop appliance by going to Settings >> Bundles >> Upload bundle file.
3. Apply the bundle to extract triggers and custom pages.
4. Triggers and custom pages are automatically Applied to All and enabled. If you leave them running, they should auto-detect your Citrix web front end infrastructure and create "CitrixWebFE-All", "CitrixWebFE-XD", and "CitrixWebFE-XA" applications under Applications, assuming both XenDesktop and XenApp is present in the traffic.
5. As a performance optimization, consider assigning triggers more narrowly to Citrix web front end web servers and assiging the "CitrixWebFE Detail" custom page only to the applications listed above.
6. If troubleshooting is required, enable Debug Mode on the triggers and look at the Runtime Logs for more information - it is possible that correlation is not present on all versions (see Compatibility Notes section).