Managing Internet requests from Citrix server users

Applies to:
  • Forcepoint URL Filtering, v8.5.x

When Forcepoint URL Filtering is integrated with Citrix:

  • A recommended maximum of 10 Citrix servers can be connected to one Filtering Service instance. This number can be configured and depends on the user load.

    Multiple Filtering Service instances are needed if more than 15 Citrix servers are used, with each Citrix server handling about 20 to 30 Citrix users.

  • The Filtering Service and Network Agent monitoring Citrix traffic should be installed on a dedicated machine, and not on a Citrix server.
  • Separate Filtering Service and Network Agent instances must be used to monitor non-Citrix traffic.
  • The Filtering Service and Network Agent instances monitoring Citrix traffic use the same Policy Broker, Policy Server, User Service, and other components as the Filtering Service and Network Agent instances used to monitor non-Citrix traffic.
  • Do not configure a separate integration product to filter HTTP, HTTPS, FTP, or SSL requests from Citrix servers.

    If you want to use Network Agent to manage other protocol traffic from the Citrix servers:

    • Network Agent must be located where it can see all of the traffic between the Citrix servers and Filtering Service instances. For example, the machine running Network Agent could be connected to a span port on the same network switch as the machines running Filtering Service.
    • If the Citrix server is configured to use virtual IP addresses, configure Network Agent to monitor the entire range of the IP addresses. Also, a single policy should be set for this range. See the “Network Configuration” topic in the Administrator Help for instructions on configuring IP address ranges for Network Agent.
    • If you have standalone instances of Filtering Service (not configured to integrate with Citrix or any other integration product), use a dedicated instance of Network Agent to monitor users of the Citrix servers. Do not monitor non-Citrix traffic with this Network Agent.

      While Network Agent can be used to manage protocols for Citrix, user-based and group-based policies cannot be applied. Policies can be applied to individual computers and network ranges, identified by IP address or range. Otherwise, the Default policy is applied to all users.

This diagram shows a typical deployment to manage requests from users who access the Internet through a Citrix server. To simplify the diagram, not all components are shown.

The main web policy enforcement components are installed on a separate, dedicated machine that can communicate with all of the Citrix server machines, and non-Citrix users, if applicable. The Citrix Integration Service must be installed on each Citrix server to allow it to communicate with Filtering Service. No other web protection components should be installed on the Citrix server machines.

Managing Internet requests for both Citrix and non-Citrix users

If your network includes some users who access the Internet via a Citrix server, and others who access the Internet through another gateway (firewall, caching appliance, or proxy server), the integrations can be configured to work together.

  • To install the Citrix Integration Service on a Citrix Server, see Citrix Integration Service installation overview.
  • If you have Citrix users and non-Citrix users in your network, the same web protection components, except for Network Agent, can be used for both sets of users. A separate installation of Network Agent is needed for the Citrix users. See Install Filtering Service and Network Agent to integrate with Citrix for instructions.
  • To configure the web protection components installed with the non-Citrix integration to communicate with Citrix, refer to the section pertaining to your integration under Combining Citrix with another integration, in Initial Setup of Citrix integration.