Security – restrict Citrix Xenapp users to viewing only certain sites or domains in their browser


I'd like to allow certain users access to our network via Citrix. We're using XenApp 5.0 and we will allow Internet Explorer, but want to restrict what sites they can visit. For instance, I'd like to allow browsing Intranet site A, but not sites B or C, or any external sites.

Can this sort of thing be controlled via Citrix?

Best Answer

You could force these users to use a proxy script using a GPO.

The proxy script is a simple piece of JavaScript that lets you send connections through different proxies or directly.

Create the script so that allowed sites are sent DIRECT or through the proxy used on your network (if any), but any undefined sites are sent to a bogus proxy address.

It could be something like this:

var local_ip = myIpAddress();   // client's own address; unused below, but handy for per-subnet rules

function FindProxyForURL(url, host)
{
    // Resolve host to IP address. If the lookup fails this is null/empty,
    // so none of the IP checks below match and the request falls through
    // to the dead-end proxy at the bottom.
    var resolved_ip = dnsResolve(host);

    // --- BEGIN ALLOWED DESTINATIONS ---

    // Hosts and domains
    // Note: localHostOrDomainIs() matches the exact name (or a bare hostname
    // against the first label of the pattern); "www.serverfault.com" does NOT
    // match "serverfault.com". Use dnsDomainIs(host, ".serverfault.com") to
    // allow a whole domain.
    if (localHostOrDomainIs(host, "intranet")        ||
        localHostOrDomainIs(host, "servicedesk")     ||
        localHostOrDomainIs(host, "serverfault.com"))
        return "DIRECT";

    // IP addresses
    if ((resolved_ip == "10.11.12.13") ||
        (resolved_ip == "60.61.62.63") ||
        (resolved_ip == "80.81.82.83"))
        return "DIRECT";

    // IP ranges
    if (isInNet(resolved_ip, "10.0.0.0",    "255.0.0.0")     ||
        isInNet(resolved_ip, "172.16.0.0",  "255.240.0.0")   ||
        isInNet(resolved_ip, "192.168.0.0", "255.255.0.0")   ||
        isInNet(resolved_ip, "127.0.0.0",   "255.255.255.0"))
        return "DIRECT";

    // --- END ALLOWED DESTINATIONS ---

    // Default: bogus proxy server on the same subnet as the client,
    // so every undefined destination dead-ends on the LAN.
    return "PROXY 10.10.10.10:9999";
}

Replace "DIRECT" with "PROXY ProxyIP:ProxyPort" if a proxy is used. Replace the bogus proxy "PROXY 10.10.10.10:9999" with an IP address on the same site as your Citrix servers, to keep the dead-end traffic on the LAN.

If you wish, you can add more sophisticated conditions, e.g. regex matching on either the "url" or "host" variable.

Test your own script with http://code.google.com/p/pactester/.

Put the script on an internal web server with a .pac extension and put the URL in the GPO. Make sure to add the .pac file extension to the web server's MIME type list as "text/javascript".

I have never used PAC files for this purpose, so you probably want to ensure that Internet Explorer doesn't somehow fall back on DIRECT when it fails to use the bogus proxy server.

Just an idea.
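The allow-list approach from the answer can be exercised offline before the PAC is pushed out by GPO. The following harness is an added example, not code from the answer or from Citrix: it emulates the PAC helper functions a browser provides (dnsResolve, isInNet, localHostOrDomainIs, dnsDomainIs), and runs an allow-list FindProxyForURL over constructed hostnames; the DNS table, the hostnames, and the 10.10.10.10:9999 dead-end address are all assumptions.

```javascript
// Added example: offline harness emulating the PAC helper functions so an
// allow-list PAC can be checked before deployment. Everything here is constructed
// (DNS table, hostnames, dead-end proxy address); it is not the answer's own code.
var FAKE_DNS = {                            // assumption: stands in for real dnsResolve()
  "intranet":                 "10.11.12.13",
  "servicedesk.corp.example": "10.20.30.40",
  "www.example.com":          "93.184.216.34"
};
function dnsResolve(host) { return FAKE_DNS[host] || null; }   // null = lookup failed

function ipToInt(ip) {                      // dotted quad -> unsigned 32-bit integer
  var p = ip.split(".");
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0)) >>> 0;
}
function isInNet(ip, net, mask) {           // PAC isInNet(): false when resolution failed
  if (!ip) return false;
  var m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}
function localHostOrDomainIs(host, hostdom) {   // exact FQDN, or bare name == first label
  return host === hostdom || (host.indexOf(".") === -1 && hostdom.indexOf(host + ".") === 0);
}
function dnsDomainIs(host, domain) {        // suffix match, e.g. ".corp.example"
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

// The allow-list PAC under test, same structure as the one in the answer.
var DEAD_END = "PROXY 10.10.10.10:9999";    // constructed unreachable proxy address
function FindProxyForURL(url, host) {
  var ip = dnsResolve(host);
  if (localHostOrDomainIs(host, "intranet") ||
      dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (isInNet(ip, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  return DEAD_END;                          // everything else, including unresolvable hosts
}

// Evaluate a list of [url, host] pairs and return the decision per host for checking.
function evaluate(cases) {
  var out = {};
  for (var i = 0; i < cases.length; i++) {
    out[cases[i][1]] = FindProxyForURL(cases[i][0], cases[i][1]);
  }
  return out;
}
```

Because the harness uses only ES3-era syntax (var, function), the FindProxyForURL body can be pasted unchanged into the real .pac file once it behaves as expected here.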