IGEL adds Citrix Device Posture Service support – Higher security and extended control of access. IGEL + Citrix = Better together!

By Fredrik Brattstig @virtualbrat

22nd November 2023
IGEL has integrated with the Device Posture Service (DPS) team at Citrix to add the functionality of validating that the endpoint fulfills the requirements set for accessing the Citrix Cloud environment.
Device Posture service with IGEL OS offers conditional access control to your Citrix Cloud environment and is a key component of Zero Trust based access.
This is new technology, but the legacy comes from the Citrix Endpoint Analysis (EPA) plugin. Let’s look at the capabilities the Device Posture service and EPA provide to enhance your security (based on the Citrix DPS Documentation and Citrix EPA Documentation):


As you can see in the IGEL tab on the Citrix DPS Documentation, the first version of the DPS integration supports analyzing file existence, name and path. It also includes the option to compute an MD5 checksum of a file.
With this evaluation support, we can check whether the connecting device has a UMS server certificate installed, and whether that file’s MD5 checksum matches your UMS certificate. Running md5sum /path/to/your/file.ext on an IGEL OS endpoint returns the file’s MD5 checksum.

By checking for the UMS certificate in the designated folder on the endpoint, and also validating its MD5 checksum, you gain good confidence that the endpoint trying to access your Citrix Cloud environment is under management and belongs to you. You might think: “yep, but it is only validation against a file; if I just copy that file to the same path on a different endpoint, a rogue endpoint will be allowed access”. While that is true, you as an admin have all the tools you need in IGEL OS and the UMS to protect the file you are evaluating against from unauthorized access.
IGEL OS is easily set to disallow file system access for users, which makes it impossible for a user to reach the file and copy it to external media. And the IGEL OS file system isn’t readable by any other operating system, so even mounting the physical disk in a separate PC will not allow access to the file.

The Citrix EPA plugin is installed and automatically enabled for your browsers in IGEL OS 11.09.114 (private build), so you do not need to do anything other than make sure you have the right firmware. You have to access your Citrix Cloud environment using a web browser. When the web browser connects to your access site, the evaluation triggers the plugin in the browser to validate whether your endpoint is compliant or not. If your endpoint is compliant, you will be granted access; if not, you will be denied, or possibly given limited access, depending on how you set up the Device Posture configuration. When everything is done and you select your published Desktop or App, it will automatically launch the Citrix Workspace App and run the session.

Open your Citrix Cloud console and click “Manage” for your DaaS environment. Open the waffle menu in the top left corner and go to Identity and Access Management. Then select Device Posture, click Manage, then click Linux and start creating your evaluation policies. When you are done, don’t forget to enable the service!

In the picture above you have an example of how to create an MD5 check on the file /wfs/server.crt.
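Before enabling the service, it is worth confirming the hash you pasted into the policy against what the endpoint actually reports, so a typo does not lock out your whole fleet. The script below is an added example (not IGEL’s or Citrix’s code) that reproduces the DPS Linux rule locally: file present at the given path, and its MD5 equal to the policy value; it assumes md5sum from coreutils is available on the endpoint and uses the /wfs/server.crt path from the post.

```shell
#!/bin/sh
# Added example, not part of the IGEL or Citrix integration.
# Mirrors the DPS "file exists AND MD5 matches" rule on the endpoint itself.
# Assumes: md5sum (coreutils) is on PATH, as on IGEL OS 11.

# expected_md5 FILE
# Prints the lowercase MD5 of FILE: the value to paste into the DPS policy.
expected_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# posture_check FILE EXPECTED_MD5
# Exit status: 0 compliant, 1 file missing, 2 checksum mismatch.
# The policy value is normalised to lowercase so a hash copied from a
# tool that prints uppercase hex still compares correctly.
posture_check() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "NON-COMPLIANT: $file not found" >&2
        return 1
    fi
    actual=$(expected_md5 "$file")
    if [ "$actual" != "$expected" ]; then
        echo "NON-COMPLIANT: $file MD5 $actual != policy $expected" >&2
        return 2
    fi
    echo "COMPLIANT: $file MD5 $actual"
    return 0
}

# Typical use on a managed IGEL OS endpoint (hash taken from the policy):
#   posture_check /wfs/server.crt "$(expected_md5 /wfs/server.crt)"
```

Run it on a known-good managed endpoint first; a non-zero exit there means the policy value, not the endpoint, is wrong.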

IGEL OS 11.09.114 Private Build has the new Citrix EPA app integrated and enabled by default. It will also be part of the upcoming rolling release of IGEL OS 11, due on 6th December. For IGEL OS 12, it will be released soon with limited support, and fully supported in Q1/2024.

You will need to sign up for the Citrix tech preview of Device Posture Service for IGEL at: https://podio.com/webforms/29062020/2362942

As said, you will need IGEL firmware 11.09.114, which you can request in the form below the video showing IGEL OS with Device Posture Service; fill it out and I’ll send you a download link. But first, let us check a video of the user experience.
The video starts by accessing the Citrix Cloud access site using the Chromium browser, without the evaluations fulfilled, and gets Access Denied; then I create the file expected by the policy, run another connection attempt, which succeeds, and I’m able to log in and access my Citrix published resources. Watch the video:

That’s it! Fill out the form below to get the link to the 11.09.114 firmware, and/or keep an eye out on the IGEL App Portal for the IGEL OS 12 version, which will be named Citrix Gateway EPA client version 23.10.3 and available shortly!

Best

/Fred