Deploy DLP Endpoint Prevent in a Citrix Environment
search cancel

Deploy DLP Endpoint Prevent in a Citrix Environment


Article ID: 174312


Updated On:


Data Loss Prevention Endpoint Prevent Data Loss Prevention


You want to deploy Symantec Data Loss Prevention (DLP) Endpoint Prevent in a Citrix environment.
You need the steps involved, best practice recommendations, or version support information.


Citrix XenApp or XenDesktop


About Citrix support with Endpoint Prevent

Note: To ensure that you have the most up-to-date support information for Citrix with DLP Endpoint Prevent, refer to the on-line help page About Citrix XenDesktop and Citrix XenApp support and Symantec Data Loss Prevention System Requirements and Compatibility Guide. (Select the version deployed in your environment from the version drop-down menu.)

DLP Endpoint Prevent can monitor virtual desktops that are hosted by Citrix XenDesktop and Citrix XenApp/Application servers. Prevent also prevents remote users from copying any sensitive data that is accessible through a virtual desktop. A DLP Agent can be installed in each virtual desktop. By running a DLP Agent in the virtual host, you can prevent a user from copying any confidential data that is accessible from the hosted virtual desktop to a remote computer or device that may not be secure. You can configure the DLP Agent to monitor storage volumes, print and fax requests, clipboards, and network activity on the virtual desktop.

The DLP Agent is installed on Citrix XenDesktop and Citrix XenApp/Application servers, where it can detect confidential data that is sent to a Citrix client computer.

Refer to the Symantec Data Loss Prevention System Requirements and Compatibility Guide for supported versions.

Citrix virtualized endpoint monitor coverage

The DLP Agent monitors the following locations and activities on the Citrix virtualized endpoint:

  • Volumes
  • Print/fax requests
  • Clipboard
  • Network
  • Scanning Microsoft Office files
  • Restoring files on Citrix client drives
  • Monitoring application file access and files that are uploaded to browsers

Incidents logged from Citrix virtualized endpoints

All incidents that are generated on Citrix drives by the DLP Agent display as Removable Storage Device incidents. In the Enforce Server administration console, you cannot deselect the Removable Storage event for Citrix drives. The Removable Storage event always gets monitored by the agents that are deployed to Citrix servers. Note: The IP addresses in incident snapshots contain the IP address of the XenDesktop virtual machine or XenApp server and not a Citrix client. 

Citrix XenApp

  • You must install the DLP Agent software on each XenApp server host and on any individual application servers that publish applications through XenApp.
  • All detection on Citrix XenApp is performed in a single thread (all user activities are analyzed sequentially).
  • Symantec tests indicate that the DLP Agent software can support a maximum of 40 simultaneous clients per Citrix server. However, detection performance varies depending on the server hardware, the type of applications that are used, and the activities that Citrix clients perform. You must verify the DLP Agent performance characteristics for your environment.
  • Note: If XenApp streams an application directly to an endpoint computer, the Symantec DLP Agent that is deployed to the XenApp server cannot monitor the streamed application.
  • Refer to the help topics for more information and additional recommendations.

Detection server restriction for Symantec DLP Agents on Citrix XenApp

Symantec does not recommend using a single Endpoint Prevent detection server with both physical endpoint computers and Citrix XenApp servers. When you use the Enforce Server administration console to configure endpoint events to monitor, you must deselect CD/DVD and Local Drive events for Citrix XenApp agents. (These items are present on the Agent Configuration screen, but they are not supported for Citrix XenApp.) Using the same Endpoint Server for non-Citrix agents limits the functionality of those agents. You must disable Local Drive and CD/DVD events for the server as a whole. To support the DLP Agent on both Citrix XenApp servers and physical endpoint computers, Symantec recommends that you deploy two Endpoint Servers. Ensure that each server is reserved for either Citrix XenApp agents or physical endpoint agent installations.

Citrix XenDesktop

  • You must install the DLP Agent software on each virtual machine on the XenDesktop server.
  • The DLP Agent software can connect either to a dedicated Endpoint Prevent server or to an Endpoint Prevent server that is shared with non-Citrix agents. You cannot connect to an Endpoint Prevent server that is reserved for Citrix XenApp.
  • Note: If you use the same server for both Citrix and non-Citrix agents, you cannot configure events independently for each environment.


Additional Information

You may also want to review Article ID: 206132 Managing the DLP Agent in a VDI environment