Transport Layer Security (TLS) on Universal Print Server

The Transport Layer Security (TLS) protocol is supported for TCP-based connections between the Virtual Delivery Agent (VDA) and the Universal Print Server.

Warning:

For tasks that include working in the Windows registry—editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Types of printing connections between the VDA and Universal Print Server

Cleartext connections

The following connections related to printing originate from the VDA and connect to ports on the Universal Print Server. These connections are made only when the SSL enabled policy setting is set to Disabled (the default).

  • Cleartext print web service connections (TCP port 8080)
  • Cleartext print data stream (CGP) connections (TCP port 7229)

The Microsoft support article Service overview and network port requirements for Windows describes the ports used by the Microsoft Windows Print Spooler Service. The SSL/TLS settings in this document do not apply to the NETBIOS and RPC connections made by the Windows Print Spooler service. The VDA uses the Windows Network Print Provider (win32spl.dll) as a fallback if the Universal Print Server enable policy setting is set to Enabled with fallback to Windows’ native remote printing.

universal print server secure

Encrypted connections

These SSL/TLS connections related to printing originate from the VDA and connect to ports on the Universal Print Server. These connections are made only when the SSL enabled policy setting is set to Enabled.

  • Encrypted print web service connections (TCP port 8443)
  • Encrypted print data stream (CGP) connections (TCP port 443)

universal print server secure 2

SSL/TLS client configuration

The VDA functions as the SSL/TLS client.

Use Microsoft Group Policy and the registry to configure Microsoft SCHANNEL SSP for encrypted print web service connections (TCP port 8443). The Microsoft support article TLS Registry Settings describes the registry settings for Microsoft SCHANNEL SSP.

Using the Group Policy Editor on the VDA (Windows Server 2016 or Windows 10), go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order. Select the following order:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256

Note:

When this Group Policy setting is configured, the VDA selects a cipher suite for encrypted print web service connections (default port: 8443) only if the connections appears in both SSL cipher suite lists:

  • Group Policy SSL cipher suite order list
  • List corresponding to the selected SSL Cipher Suite policy setting (COM, GOV, or ALL)

This Group Policy configuration also affects other TLS applications and services on the VDA. If your applications require specific cipher suites, you might need to add them to this Group Policy Cipher Suite Order list.

Important:

Group Policy changes for TLS configuration take effect only after an operating system restart.

Use a Citrix policy to configure SSL/TLS settings for encrypted print data stream (CGP) connections (TCP port 443).

SSL/TLS server configuration

The Universal Print Server functions as the SSL/TLS server.

Use the Enable-UpsSsl.ps1 PowerShell script to configure SSL/TLS settings.

Install the TLS server certificate on the Universal Print Server

For HTTPS, the Universal Print Server supports TLS features by using server certificates. Client certificates are not used. Use Microsoft Active Directory Certificate Services or another certification authority to request a certificate for the Universal Print Server.

Keep in mind the following considerations when enrolling/requesting a certificate using Microsoft Active Directory Certificate Services:

  1. Place the certificate in the Local Computer Personal certificate store.
  2. Set the Common Name attribute of the Subject Distinguished Name (Subject DN) of the certificate to the fully qualified domain name (FQDN) of the Universal Print Server. Specify this in the certificate template.
  3. Set the Cryptographic Service Provider (CSP) used to generate the certificate request and private key to Microsoft Enhanced RSA and AES Cryptographic Provider (Encryption). Specify this in the certificate template.
  4. Set the Key Size to at least 2048 bits. Specify this in the certificate template.

Configuring SSL on the Universal Print Server

The XTE Service on the Universal Print Server listens for incoming connections. It functions as an SSL server when SSL is enabled. The incoming connections have two types: print web service connections, which contain printing commands, and print data stream connections, which contain print jobs. SSL can be enabled on these connections. SSL protects the confidentiality and integrity of these connections. By default, SSL is disabled.

The PowerShell script used to configure SSL is on the installation media and has this file name: \Support\Tools\SslSupport\Enable-UpsSsl.ps1.

Configuring listening port numbers on the Universal Print Server

These are default ports for the XTE Service:

  • Cleartext print web service (HTTP) TCP port: 8080
  • Cleartext print data stream (CGP) TCP port: 7229
  • Encrypted print web service (HTTPS) TCP port: 8443
  • Encrypted print data stream (CGP) TCP port: 443

To change the ports used by the XTE Service on the Universal Print Server, run the following commands in PowerShell as administrator (see the later section for notes on the usage of the Enable-UpsSsl.ps1 PowerShell script):

  1. Stop-Service CitrixXTEServer, UpSvc
  2. Enable-UpsSsl.ps1 -Enable -HTTPSPort <port> -CGPSSLPort <port> or Enable-UpsSsl.ps1 -Disable -HTTPPort <port> -CGPPort <port>
  3. Start-Service CitrixXTEServer

TLS settings on Universal Print Server

If you have multiple Universal Print Servers in a load-balanced configuration, ensure that the TLS settings are configured consistently across all Universal Print Servers.

When you configure TLS on Universal Print Server, permissions on the installed TLS certificate are changed, giving the Universal Printing Service read access to the certificate’s private key, and informing the Universal Printing Service of the following:

  • Which certificate in the certificate store to use for TLS.
  • Which TCP port numbers to use for TLS connections.

The Windows Firewall (if enabled) must be configured to allow incoming connections on these TCP ports. This configuration is done for you when you use the Enable-UpsSsl.ps1 PowerShell script.

  • Which versions of the TLS protocol to allow.

Universal Print Server supports TLS protocol versions 1.2, 1.1 and 1.0. Specify the minimum allowed version.

The default TLS protocol version is 1.2.

  • Which TLS cipher suites to allow.

A cipher suite selects the cryptographic algorithms that are used for a connection. VDAs and Universal Print Server can support different sets of cipher suites. When a VDA connects and sends a list of supported TLS cipher suites, the Universal Print Server matches one of the client’s cipher suites with one of the cipher suites in its own list of configured cipher suites, and accepts the connection. If there is no matching cipher suite, the Universal Print Server rejects the connection.

The Universal Print Server supports the following sets of cipher suites named GOV(ernment), COM(mercial), and ALL for the OPEN, FIPS and SP800-52 native Crypto Kit modes. The acceptable cipher suites also depend on the SSL FIPS Mode policy setting and on the Windows FIPS Mode. See this Microsoft support article for information about Windows FIPS mode.

Cipher suite (in decreasing priority order) OPEN ALL OPEN COM OPEN GOV FIPS ALL FIPS COM FIPS GOV SP800-52 ALL SP800-52 COM SP800-52 GOV
TLS_ECDHE_RSA_ AES256_GCM_SHA384 X   X X   X X   X
TLS_ECDHE_RSA_ AES256_CBC_SHA384 X   X X   X X   X
TLS_ECDHE_RSA_ AES256_CBC_SHA X X   X X   X X  

Configure TLS on a Universal Print Server using the PowerShell script

Install the TLS Certificate in the Local Computer > Personal > Certificates area of the certificate store. If more than one certificate resides in that location, supply the thumbprint of the certificate to the Enable-UpsSsl.ps1 PowerShell script.

Note:

The PowerShell script finds the correct certificate based on the FQDN of the Universal Print Server. You do not need to supply the certificate thumbprint when only a single certificate is present for the Universal Print Server FQDN.

The Enable-UpsSsl.ps1 script enables or disables TLS connections originating from the VDA to the Universal Print Server. This script is available in the Support > Tools > SslSupport folder on the installation media.

When you enable TLS, the script disables all existing Windows Firewall rules for the Universal Print Server’s TCP ports. It then adds new rules that allow the XTE Service to accept incoming connections only on the TLS TCP and UDP ports. It also disables the Windows Firewall rules for:

  • Cleartext print web service connections (default: 8080)
  • Cleartext print data stream (CGP) connections (default: 7229)

The effect is that the VDA can make these connections only when using TLS.

Note:

Enabling TLS does not affect Windows Print Spooler RPC/SMB connections originating from the VDA and going to the Universal Print Server.

Important:

Specify either Enable or Disable as the first parameter. The CertificateThumbprint parameter is optional if only one certificate in the Local Computer Personal certificate store has the Universal Print Server’s FQDN. The other parameters are optional.

Syntax

Enable-UpsSSL.ps1 -Enable [-HTTPPort <port>] [-CGPPort <port>] [–HTTPSPort <port>] [-CGPSSLPort <port>] [-SSLMinVersion <version>] [-SSLCipherSuite <name>] [-CertificateThumbprint <thumbprint>] [-FIPSMode <Boolean>] [-ComplianceMode <mode>]
Enable-UpsSSL.ps1 -Disable [-HTTPPort <portnum>] [-CGPPort <portnum>]
Parameter Description
Enable Enables SSL/TLS on the XTE Server. Either this parameter or the Disable parameter is required.
Disable Disables SSL/TLS on the XTE Server. Either this parameter or the Enable parameter is required.
CertificateThumbprint "<thumbprint>" Thumbprint of the TLS certificate in the Local Computer Personal certificate store, enclosed in quotation marks. The script uses the specified thumbprint to select the certificate you want to use.
HTTPPort <port> Cleartext print web service (HTTP/SOAP) port. Default: 8080
CGPPort <port> Cleartext print data stream (CGP) port. Default: 7229
HTTPSPort <port> Encrypted print web service (HTTPS/SOAP) port. Default: 8443
CGPSSLPort <port> Encrypted print data stream (CGP) port. Default: 443
SSLMinVersion "<version>" Minimum TLS protocol version, enclosed in quotation marks. Valid values: “TLS_1.0”, “TLS_1.1”, and “TLS_1.2”. Default: TLS_1.2.
SSLCipherSuite “<name>” Name of TLS cipher suite package, enclosed in quotation marks. Valid values: “GOV”, “COM”, and “ALL” (default).
FIPSMode <Boolean> Enables or disables FIPS 140 mode in the XTE Server. Valid values: $true to enable FIPS 140 mode, $false to disable FIPS 140 mode.

Examples

The following script enables TLS. The thumbprint (represented as “12345678987654321” in this example) is used to select the certificate to use.

Enable-UpsSsl.ps1 –Enable -CertificateThumbprint "12345678987654321"

The following script disables TLS.

Enable-UpsSsl.ps1 –Disable

Configuring FIPS mode

Enabling US Federal Information Processing Standards (FIPS) mode ensures that only FIPS 140 compliant cryptography is used for Universal Print Server encrypted connections.

Configure FIPS mode on the server before configuring FIPS mode on the client.

Consult Microsoft’s documentation site for enabling/disabling Windows FIPS mode.

Enabling FIPS mode on the client

On the Delivery Controller, run Citrix Studio and set the SSL FIPS Mode Citrix policy setting to Enabled. Enable the Citrix policy.

Do this on each VDA:

  1. Enable Windows FIPS mode.
  2. Restart the VDA.

Enabling FIPS mode on the server

Do this on each Universal Print Server:

  1. Enable Windows FIPS mode.
  2. Run this PowerShell command as Administrator: stop-service CitrixXTEServer, UpSvc
  3. Run the Enable-UpsSsl.ps1 script with the -Enable -FIPSMode $true parameters.
  4. Restart the Universal Print Server.

Disabling FIPS mode on the client

On the Delivery Controller, run Citrix Studio and set the SSL FIPS Mode Citrix policy setting to Disabled. Enable the Citrix policy. You can also delete the SSL FIPS Mode Citrix policy setting.

Do this on each VDA:

  1. Disable Windows FIPS mode.
  2. Restart the VDA.

Disabling FIPS mode on the server

Do this on each Universal Print Server:

  1. Disable Windows FIPS mode.
  2. Run this PowerShell command as Administrator: stop-service CitrixXTEServer, UpSvc
  3. Run the Enable-UpsSsl.ps1 script with the -Enable -FIPSMode $false parameters.
  4. Restart the Universal Print Server.

Configuring SSL/TLS protocol version

The default SSL/TLS protocol version is TLS 1.2. TLS 1.2 is the only recommended SSL/TLS protocol version for production use. For troubleshooting, it might be necessary to temporarily change the SSL/TLS protocol version in a non-production environment.

SSL 2.0 and SSL 3.0 are not supported on the Universal Print Server.

Setting SSL/TLS protocol version on the server

Do this on each Universal Print Server:

  1. Run this PowerShell command as Administrator: stop-service CitrixXTEServer, UpSvc
  2. Run the Enable-UpsSsl.ps1 script with the -Enable -SSLMinVersion version parameters. Remember to set this back to TLS 1.2 when you are done testing.
  3. Restart the Universal Print Server.

Setting SSL/TLS protocol version on the client

Do this on each VDA:

1. On the Delivery Controller, set the SSL Protocol Version policy setting to the desired protocol version and enable the policy.

2. The Microsoft support article TLS Registry Settings describes the registry settings for Microsoft SCHANNEL SSP. Enable the client-side TLS 1.0, TLS 1.1 or TLS 1.2 using the registry settings.

Important:

Remember to restore the registry settings to their original values when you are done testing.

3. Restart the VDA.

Troubleshooting

If a connection error occurs, check the C:\Program Files (x86)\Citrix\XTE\logs\error.log log file on the Universal Print Server.

The error message SSL handshake from client failed appears in this log file if the SSL/TLS handshake fails. Such failures can occur if the SSL/TLS protocol version on the VDA and the Universal Print Server do not match.

Use the Universal Print Server FQDN in the following policy settings that contain Universal Print Server host names:

  • Session printers
  • Printer assignments
  • Universal Print Servers for load balancing

Ensure that the system clock (date, time, and time zone) are correct on the Universal Print Servers and the VDAs.