Secure user sessions using DTLS

Feb 26, 2018

With this release, Citrix is introducing DTLS to all supported Linux platforms as an experimental feature. This feature is disabled by default.

XenApp and XenDesktop support the Transport Layer Security (TLS) protocol for TCP-based connections between components. XenApp and XenDesktop also support the Datagram Transport Layer Security (DTLS) protocol for UDP-based ICA/HDX connections, using adaptive transport. For more information, see Transport Layer Security.

Enable DTLS encryption

Enable SSL encryption on the Linux VDA

On the Linux VDA, use the enable_vdassl.sh tool to enable (or disable) SSL encryption. The tool is located at /opt/Citrix/VDA/sbin. For information about the options available in the tool, run the /opt/Citrix/VDA/sbin/enable_vdassl.sh -h command.

Note

Currently, Citrix Receiver supports DTLS 1.0 only. Using the enable_vdassl.sh tool, set SSLMinVersion to TLS_1.0 and SSLCipherSuite to COM or ALL. Note that SSLMinVersion is the floor for the VDA's TLS listener as well, so this setting also permits TLS 1.0 on TCP-based connections to the VDA; review it again as the Receiver versions in your environment change.

Verify that adaptive transport is enabled

In Citrix Studio, verify that the HDX Adaptive Transport policy is set to Preferred or Diagnostic mode. When the policy is Off, sessions use TCP only and DTLS is never negotiated.

Enable DTLS encryption on the Linux VDA

To enable DTLS encryption, run the following command as a root user on the VDA.

sudo /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\icawd\Tds\udp" -v "fDTLSEnabled" -d "0x00000001"

Set firewall rules to allow DTLS traffic

RHEL 7/CentOS 7

Run the following command as a root user.

firewall-cmd --permanent --zone=public --add-port=443/udp

RHEL 6/CentOS 6

1. Add the following line to the ctxhdx file at /etc/xdl/firewall.

-I INPUT 1 -p udp -m udp --dport 443 -j ACCEPT

2. Run the following command as a root user.

lokkit --custom-rules=ipv4:filter:/etc/xdl/firewall/ctxhdx

SUSE 12

1. Add the following line to the ctxhdx file at /etc/sysconfig/SuSEfirewall2.d/services/.

UDP="443"

2. Run the following command as a root user.

yast2 firewall services add zone=EXT service=service:ctxhdx

Ubuntu 16

Run the following command as a root user.

ufw allow proto udp from any to any port 443

Note

DTLS encryption uses the same port (443 by default) as SSL encryption. If you configure a different port for DTLS encryption, adjust the firewall rules to match. After enabling DTLS encryption, restart the VDA service and then the HDX service, in that order, for the settings to take effect.
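The following script is an added example, not a Citrix tool or anything shipped with the Linux VDA. It carries out the whole procedure above as one step: it sets fDTLSEnabled with ctxreg, emits the firewall commands for the distribution family detected from /etc/os-release, and restarts the services in the order the note requires. The port is a parameter so that a non-default DTLS port gets the matching firewall rule. Assumptions not stated on the page: the service names ctxvda and ctxhdx, that "service <name> restart" works on each distribution, that /etc/os-release exists, and the "firewall-cmd --reload" that firewalld needs after a --permanent rule. The port value is validated before it is spliced into any command.

```shell
#!/bin/sh
# Added example, not Citrix's own tooling: enable DTLS on a Linux VDA, open the
# matching UDP port in the distribution's firewall and restart the services.
# Assumed, not stated on the page: service names ctxvda and ctxhdx, that
# /etc/os-release exists, and that "service <name> restart" works everywhere.
# Usage: sh dtls-enable.sh apply [port]    (DRY_RUN=1 prints commands instead)

CTXREG=/opt/Citrix/VDA/bin/ctxreg
UDP_KEY='HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\icawd\Tds\udp'

# Accept only a decimal port in 1..65535; nothing else is ever spliced into a command.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Map ID and VERSION_ID from /etc/os-release to the families the page covers.
distro_family() {
    case "$1" in
        rhel|centos)
            case "$2" in
                7*) printf 'rhel7\n' ;;
                6*) printf 'rhel6\n' ;;
                *)  printf 'unknown\n' ;;
            esac ;;
        sles|suse|opensuse*) printf 'suse12\n' ;;
        ubuntu)              printf 'ubuntu\n' ;;
        *)                   printf 'unknown\n' ;;
    esac
}

# Print the firewall command lines for a family and UDP port, one per line.
# "firewall-cmd --reload" after a --permanent rule is standard firewalld usage
# and is not shown on the page.
firewall_cmds() {
    port=$2
    case "$1" in
        rhel7)
            printf '%s\n' "firewall-cmd --permanent --zone=public --add-port=${port}/udp"
            printf '%s\n' "firewall-cmd --reload" ;;
        rhel6)
            printf '%s\n' "printf '%s\\n' '-I INPUT 1 -p udp -m udp --dport ${port} -j ACCEPT' >> /etc/xdl/firewall/ctxhdx"
            printf '%s\n' "lokkit --custom-rules=ipv4:filter:/etc/xdl/firewall/ctxhdx" ;;
        suse12)
            printf '%s\n' "printf '%s\\n' 'UDP=\"${port}\"' >> /etc/sysconfig/SuSEfirewall2.d/services/ctxhdx"
            printf '%s\n' "yast2 firewall services add zone=EXT service=service:ctxhdx" ;;
        ubuntu)
            printf '%s\n' "ufw allow proto udp from any to any port ${port}" ;;
        *)
            return 1 ;;
    esac
}

# Execute one command line, or print it when DRY_RUN=1. Every string passed here
# is built only from constants and a port that passed valid_port.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$1"
    else
        eval "$1"
    fi
}

apply() {
    port=${1:-443}
    valid_port "$port" || { printf 'invalid port: %s\n' "$port" >&2; return 1; }
    fam=unknown
    if [ -r /etc/os-release ]; then
        fam=$( . /etc/os-release; distro_family "$ID" "$VERSION_ID" )
    fi
    if ! firewall_cmds "$fam" "$port" >/dev/null; then
        printf 'unsupported distribution; add the UDP %s rule by hand\n' "$port" >&2
        return 1
    fi
    # Step 1: the registry value from the page.
    run "$CTXREG update -k '$UDP_KEY' -v fDTLSEnabled -d 0x00000001"
    # Step 2: firewall rules for this distribution.
    firewall_cmds "$fam" "$port" | while IFS= read -r cmd; do run "$cmd"; done
    # Step 3: restart the VDA service first, then the HDX service.
    run "service ctxvda restart"
    run "service ctxhdx restart"
}

case "${1:-}" in
    apply) apply "${2:-443}" ;;
esac
```

Run it once with DRY_RUN=1 to review the exact commands for the host before applying them as root. The script opens the firewall for the port you pass; it does not change the port the VDA listens on, which remains whatever enable_vdassl.sh configured, so pass the same number. After the real run, confirm the listener with ss -lun (netstat -lun on RHEL 6) and check that the VDA is listening on UDP for that port.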