Citrix Virtual Apps and Desktops service

Manage security keys

June 4, 2021

Contributed by:

Note:

You must use this feature in combination with StoreFront 1912 LTSR CU2 or later.

This feature lets you allow only approved StoreFront and Citrix Gateway machines to communicate with Citrix Cloud. After you enable this feature, any requests that do not contain the key are blocked. Use this feature to add an extra layer of security to protect against attacks originating from the internal network.

A general workflow to use this feature is as follows:

Enable the feature in Studio by using the PowerShell SDK.
Configure settings in Studio. (Use the Studio console or PowerShell).
Configure settings in StoreFront. (Use PowerShell).

Enable the security key feature

By default, the feature is disabled. To enable it, use the Remote PowerShell SDK. For more information about the Remote PowerShell SDK, see SDKs and APIs.

To enable the feature, perform these steps:

Run the Citrix Virtual Apps and Desktops Remote PowerShell SDK.
In a command window, run the following commands:
- Add-PSSnapIn Citrix*. This command adds the Citrix snap-ins.
- Set-ConfigSiteMetadata -Name "Citrix_DesktopStudio_SecurityKeyManagementEnabled" -Value "True"

Configure settings in Studio

You can configure settings in Studio by using the Studio console or PowerShell.

Use the Studio console

After enabling the feature, navigate to Studio > Settings > Manage security key and click Edit. The Manage Security Key window appears. Click Save to apply your changes and to exit the window.

Manage Security Key wizard

Important:

There are two keys available for use. You can use the same key or different keys for communications over the XML and STA ports. We recommend that you use only one key at a time. The unused key is used only for key rotation.

Do not click the refresh icon to update the key already in use. If you do, service interruption will occur.

Click the refresh icon to generate new keys.

Require key for communications over XML port (StoreFront only). If selected, require a key to authenticate communications over the XML port. StoreFront communicates with Citrix Cloud over this port. For information about changing the XML port, see Knowledge Center article CTX127945.

Require key for communications over STA port. If selected, require a key to authenticate communications over the STA port. Citrix Gateway and StoreFront communicate with Citrix Cloud over this port. For information about changing the STA port, see Knowledge Center article CTX101988.

After applying your changes, click Close to exit the Manage Security Key window.

Use PowerShell

The following are PowerShell steps equivalent to Studio operations.

Run the Citrix Virtual Apps and Desktops Remote PowerShell SDK.
In a command window, run the following command:
- Add-PSSnapIn Citrix*
Run the following commands to generate a key and set up Key1:
- New-BrokerXmlServiceKey
- Set-BrokerSite -XmlServiceKey1 <the key you generated>
Run the following commands to generate a key and set up Key2:
- New-BrokerXmlServiceKey
- Set-BrokerSite -XmlServiceKey2 <the key you generated>
Run one or both of the following commands to enable the use of a key in authenticating communications:
- To authenticate communications over the XML port:
  - Set-BrokerSite -RequireXmlServiceKeyForNFuse $true
- To authenticate communications over the STA port:
  - Set-BrokerSite -RequireXmlServiceKeyForSta $true

See the PowerShell command help for guidance and syntax.

Configure settings in StoreFront

After completing the configuration in Studio, you need to configure relevant settings in StoreFront by using PowerShell.

On the StoreFront server, run the following PowerShell commands:

To configure the key for communications over the XML port, use the Get-STFStoreServie and Set-STFStoreService commands. For example:
- PS C:\> Set-STFStoreFarm $farm -Farmtype XenDesktop -Port 80 -TransportType HTTP -Servers <domain name1, domain name2> -XMLValidationEnabled $true -XMLValidationSecret <the key you generated in Studio>
To configure the key for communications over the STA port, use the New-STFSecureTicketAuthority command. For example:
- PS C:\> $sta = New-STFSecureTicketAuthority –StaUrl <STA URL> -StaValidationEnabled $true -StavalidationSecret <the key you generated in Studio>

See the PowerShell command help for guidance and syntax.

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Manage security keys

June 4, 2021

Contributed by:

June 4, 2021

Contributed by:

Manage security keys

Enable the security key feature

Configure settings in Studio

Use the Studio console

Use PowerShell

Configure settings in StoreFront

In this article