NEW

The True Cost of a Security Breach

Arrow pointing right
ExtraHop Logo
Contact us
Menu iconX icon
  • Productschevron right
  • Solutionschevron right
  • Why ExtraHopchevron right
  • Blogchevron right
  • Resourceschevron right
Sign In
Contact us

Arrow pointing leftBlog

Exposing Citrix Latency Caused by VPN Overload

How one ExtraHop customer used network visibility to ensure availability for remote workers

Celine Rosak

April 16, 2020

With COVID-19 forcing employees out of the office and into remote work, many IT and security teams are feeling the burden of the sudden shift. That was the case for one ExtraHop customer, who, with the increase in remote workers due to COVID-19, had to dramatically increase the number of people using their Citrix VPN.

Within hours on the first day of the COVID "stay at home" mandate in France, large numbers of remote employees reported being unable to start some Citrix applications via the VPN. Clearly the sudden increase in users was causing issues, but it was difficult to tell which assets were being affected or why.

Using ExtraHop Reveal(x), the customer was able to gain visibility into the Citrix storefront servers, XenApp servers, and NetScaler devices running in their AWS environment. ExtraHop's Citrix dashboards showed a significant increase (from a few milliseconds to several seconds) in network latency and aborts.

Citrix latency over time

Upon looking into the detailed metrics of the ICA protocol, the customer was quickly able to identify which Citrix applications were slowing down, the users affected, the client devices initiating the sessions, and the XenApp servers in question.

Citrix latency by program

From there, the customer clicked down to the device TCP level in order to easily identify that the NetScaler devices were being overloaded with connection requests, as indicated by a significant increase in TCP retransmissions and zero windows.

Zero windows in TCP

They also noticed a peak in aborted SSL connections between these Citrix components. Because Reveal(x) decrypts PFS-encrypted TLS traffic in real time, the customer was able to see into their HTTP transactions in order to monitor errors and address long processing times.

Reveal(x) provides the visibility you need to go from detection to answers in a matter of clicks. We invite you to watch this short threat scenario runthrough to see a guided investigation in Reveal(x) in real time:

You can explore the Reveal(x) workflow for yourself in the full product demo, available for free online. Start your demo now!

Discover more

RevealXCybersecurityPerformanceTechCommunity

Explore related articles

Top 3 Considerations for Enterprise IoT Security

February 18, 2020

IoT discovery, behavioral profiling, and advanced threat detection and response are critical for enterprise IoT security. Learn how ExtraHop Reveal(x) secures IoT.

CybersecurityIndustry TrendsTips and HacksLaunchesRevealX
Read articleArrow pointing right

Resources to Help IT & Security Teams Cope with COVID-19

March 23, 2020

This is a growing list of resources we hope will help IT and security teams deal with remote access challenges, IoT security, and other pressures stemming from COVID-19.

RevealXCybersecurity
Read articleArrow pointing right

Remote Access Considerations: How to Ensure Availability and Security for Remote Workers

March 20, 2020

The COVID-19 pandemic is driving people to work from home and straining remote access infrastructure. Here's how IT and Security teams can cope.

RevealXCybersecurityTech
Read articleArrow pointing right

Experience RevealX NDR for Yourself

Schedule a demo
Contact us