Securing Citrix Receiver for Mac communications

Sep 25, 2017

This section describes how to secure communications in Citrix Receiver for Mac.

To secure the communication between your server farm and Citrix Receiver for Mac, you can integrate your connections to the server farm with a range of security technologies, including Citrix NetScaler Gateway and the technologies listed below. For information about configuring this with Citrix StoreFront, see the StoreFront documentation.

Note

Citrix recommends using NetScaler Gateway to secure communications between StoreFront servers and users' devices.

  • A SOCKS proxy server or secure proxy server (also known as security proxy server, HTTPS proxy server). You can use proxy servers to limit access to and from your network and to handle connections between Citrix Receiver and servers. Citrix Receiver for Mac supports SOCKS and secure proxy protocols.
  • Secure Gateway. You can use Secure Gateway with the Web Interface to provide a single, secure, encrypted point of access through the Internet to servers on internal corporate networks.
  • SSL Relay solutions with Transport Layer Security (TLS) protocols
  • A firewall. Network firewalls can allow or block packets based on the destination address and port. If you are using Citrix Receiver for Mac through a network firewall that maps the server's internal network IP address to an external Internet address (that is, network address translation, or NAT), configure the external address.

About certificates

Private (Self-signed) certificates

If a private certificate is installed on the remote gateway, the root certificate for the organization's certificate authority must be installed on the user device to successfully access Citrix resources using Citrix Receiver for Mac.

Note

If the remote gateway's certificate cannot be verified upon connection (because the root certificate is not included in the local keystore), an untrusted certificate warning appears. If a user chooses to continue through the warning, a list of applications is displayed; however, applications fail to launch.

Importing root certificates on Receiver for Mac devices

Obtain the certificate issuer's root certificate and email it to an account configured on your device. When you click the attachment, you are prompted to import the root certificate.

Wildcard certificates

Wildcard certificates are used in place of individual server certificates for any server within the same domain. Citrix Receiver for Mac supports wildcard certificates.

Intermediate certificates with NetScaler Gateway

If your certificate chain includes an intermediate certificate, the intermediate certificate must be mapped to the NetScaler Gateway server certificate. For information on this task, see the NetScaler Gateway documentation. For more information about installing and linking an intermediate certificate with the primary CA on a NetScaler Gateway appliance, refer to the article How to Install and Link Intermediate Certificate with Primary CA on NetScaler Gateway.

Joint Server Certificate Validation Policy

Citrix Receiver for Mac has a stricter validation policy for server certificates.

Important

Before installing this version of Citrix Receiver for Mac, confirm that the certificates at the server or gateway are correctly configured as described here. Connections may fail if:

- the server or gateway configuration includes a wrong root certificate
- the server or gateway configuration does not include all intermediate certificates
- the server or gateway configuration includes an expired or otherwise invalid intermediate certificate
- the server or gateway configuration includes a cross-signed intermediate certificate

When validating a server certificate, Citrix Receiver for Mac now uses all the certificates supplied by the server (or gateway). As in previous Citrix Receiver for Mac releases, it then also checks that the certificates are trusted. If the certificates are not all trusted, the connection fails.

This policy is stricter than the certificate policy in web browsers. Many web browsers include a large set of root certificates that they trust.

The server (or gateway) must be configured with the correct set of certificates. An incorrect set of certificates might cause Citrix Receiver for Mac's connection to fail.

Suppose a gateway is configured with these valid certificates. This configuration is recommended for customers who require stricter validation, because it determines exactly which root certificate Citrix Receiver for Mac uses:

- "Example Server Certificate"
- "Example Intermediate Certificate"
- "Example Root Certificate"

Then, Citrix Receiver for Mac will check that all these certificates are valid. Citrix Receiver for Mac will also check that it already trusts "Example Root Certificate". If Citrix Receiver for Mac does not trust "Example Root Certificate", the connection fails.

Important

Some certificate authorities have more than one root certificate. If you require this stricter validation, make sure that your configuration uses the appropriate root certificate. For example, there are currently two certificates ("DigiCert"/"GTE CyberTrust Global Root", and "DigiCert Baltimore Root"/"Baltimore CyberTrust Root") that can validate the same server certificates. On some user devices, both root certificates are available. On other devices, only one is available ("DigiCert Baltimore Root"/"Baltimore CyberTrust Root"). If you configure "GTE CyberTrust Global Root" at the gateway, Citrix Receiver for Mac connections on those user devices will fail. Consult the certificate authority's documentation to determine which root certificate should be used. Also note that root certificates eventually expire, as do all certificates.

Note

Some servers and gateways never send the root certificate, even if configured. Stricter validation is then not possible.

Now suppose a gateway is configured with these valid certificates. This configuration, omitting the root certificate, is normally recommended:

- "Example Server Certificate"
- "Example Intermediate Certificate"

Then, Citrix Receiver for Mac will use these two certificates. It will then search for a root certificate on the user device. If it finds one that validates correctly and is also trusted (such as "Example Root Certificate"), the connection succeeds. Otherwise, the connection fails. Note that this configuration supplies the intermediate certificate that Citrix Receiver for Mac needs, but also allows Citrix Receiver for Mac to choose any valid, trusted root certificate.

Now suppose a gateway is configured with these certificates:

- "Example Server Certificate"
- "Example Intermediate Certificate"
- "Wrong Root Certificate"

A web browser may ignore the wrong root certificate. However, Citrix Receiver for Mac will not ignore the wrong root certificate, and the connection will fail.

Some certificate authorities use more than one intermediate certificate. In this case, the gateway is normally configured with all the intermediate certificates (but not the root certificate), such as:

- "Example Server Certificate"
- "Example Intermediate Certificate 1"
- "Example Intermediate Certificate 2"

Important

Some certificate authorities use a cross-signed intermediate certificate. This is intended for situations where there is more than one root certificate, and an earlier root certificate is still in use at the same time as a later root certificate. In this case, there will be at least two intermediate certificates. For example, the earlier root certificate "Class 3 Public Primary Certification Authority" has the corresponding cross-signed intermediate certificate "VeriSign Class 3 Public Primary Certification Authority - G5". However, a corresponding later root certificate "VeriSign Class 3 Public Primary Certification Authority - G5" is also available, which replaces "Class 3 Public Primary Certification Authority". The later root certificate does not use a cross-signed intermediate certificate.

Note

The cross-signed intermediate certificate and the root certificate have the same Subject name (Issued To), but the cross-signed intermediate certificate has a different Issuer name (Issued By). This distinguishes the cross-signed intermediate certificate from an ordinary intermediate certificate (such as "Example Intermediate Certificate 2").

This configuration, omitting the root certificate and the cross-signed intermediate certificate, is normally recommended:

- "Example Server Certificate"
- "Example Intermediate Certificate"

Avoid configuring the gateway to use the cross-signed intermediate certificate, as it will select the earlier root certificate:

- "Example Server Certificate"
- "Example Intermediate Certificate"
- "Example Cross-signed Intermediate Certificate" [not recommended]

It is not recommended to configure the gateway with only the server certificate:

- "Example Server Certificate"

In this case, if Citrix Receiver for Mac cannot locate all the intermediate certificates, the connection will fail.
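As an added example (not Citrix code), the following Python model applies the policy described in this section to the gateway configurations listed above: every supplied certificate must be valid and take part in the chain, a supplied root is never ignored, and a supplied cross-signed intermediate is used in preference to a root of the same name on the device. Certificate names, serials and dates are constructed stand-ins; no signatures are verified.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: only names, a serial and an expiry date."""
    subject: str
    issuer: str                       # equal to subject for a self-signed root
    serial: str = "1"                 # tells a cross-signed intermediate from the root it mirrors
    expires: date = date(2030, 1, 1)

    def self_signed(self):
        return self.subject == self.issuer

def validate(supplied, local_store, today=date(2017, 9, 25)):
    """Apply the stricter policy. supplied: certificates sent by the gateway, server
    certificate first. local_store: certificates in the device keystore. Returns (ok, reason)."""
    roots = [c for c in local_store if c.self_signed()]
    for c in supplied:                                 # every supplied certificate must be valid
        if c.expires <= today:
            return False, f"expired: {c.subject}"
    for c in supplied[1:]:                             # a supplied root is not ignored; it must be trusted
        if c.self_signed() and c not in roots:
            return False, f"untrusted root supplied: {c.subject}"
    by_subject = {c.subject: c for c in supplied[1:]}  # supplied certificates win over local copies
    current, used = supplied[0], [supplied[0]]
    while not current.self_signed():                   # walk server -> intermediates -> root
        nxt = by_subject.get(current.issuer)
        if nxt is None:
            nxt = next((c for c in local_store if c.subject == current.issuer), None)
        if nxt is None or nxt in used:
            return False, f"cannot find issuer: {current.issuer}"
        used.append(nxt)
        current = nxt
    if current not in roots:
        return False, f"root not trusted: {current.subject}"
    extra = [c.subject for c in supplied if c not in used]
    if extra:                                          # every supplied certificate must be part of the chain
        return False, f"certificate not part of chain: {extra[0]}"
    return True, f"trusted root: {current.subject} (serial {current.serial})"

# Constructed certificates mirroring the configurations discussed above.
ROOT = Cert("Example Root", "Example Root", serial="root")
OLD_ROOT = Cert("Earlier Root", "Earlier Root", serial="old")
INTER = Cert("Example Intermediate", "Example Root")
CROSS = Cert("Example Root", "Earlier Root", serial="cross")   # same subject as ROOT, different issuer
WRONG_ROOT = Cert("Wrong Root", "Wrong Root", serial="wrong")
SERVER = Cert("gateway.example.com", "Example Intermediate")

def scenarios(local_store):
    """Run the gateway configurations from the text against one device keystore."""
    return {
        "server+intermediate+root": validate([SERVER, INTER, ROOT], local_store),
        "server+intermediate": validate([SERVER, INTER], local_store),
        "server+intermediate+wrong root": validate([SERVER, INTER, WRONG_ROOT], local_store),
        "server+intermediate+cross-signed": validate([SERVER, INTER, CROSS], local_store),
        "server only": validate([SERVER], local_store),
    }

if __name__ == "__main__":
    for name, (ok, why) in scenarios([ROOT, OLD_ROOT]).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {why}")
```

Running it with only the later root on the device (`scenarios([ROOT])`) shows the cross-signed configuration failing, which is the reason the text advises against supplying that certificate.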

Connecting with NetScaler Gateway

To enable remote users to connect to your XenMobile deployment through NetScaler Gateway, you can configure NetScaler Gateway to work with StoreFront. The method for enabling access depends on the edition of XenMobile in your deployment.

If you deploy XenMobile in your network, allow connections from internal or remote users to StoreFront through NetScaler Gateway by integrating NetScaler Gateway with StoreFront. This deployment allows users to connect to StoreFront to access published applications from XenApp and virtual desktops from XenDesktop. Users connect through Citrix Receiver.

For information on configuring these connections with NetScaler Gateway, see the Integrating with NetScaler Gateway and NetScaler documentation.

Connecting with the Secure Gateway

This topic applies only to deployments using the Web Interface.

You can use the Secure Gateway in either Normal mode or Relay mode to provide a secure channel for communication between Citrix Receiver for Mac and the server. No configuration of Citrix Receiver for Mac is required if you are using the Secure Gateway in Normal mode and users are connecting through the Web Interface.

Citrix Receiver for Mac uses settings that are configured remotely on the Web Interface server to connect to servers running the Secure Gateway. For more information about configuring proxy server settings for Citrix Receiver for Mac, see the Web Interface documentation.

If the Secure Gateway Proxy is installed on a server in the secure network, you can use the Secure Gateway Proxy in Relay mode. For more information about Relay mode, see the XenApp and Secure Gateway documentation.

If you are using Relay mode, the Secure Gateway server functions as a proxy and you must configure Citrix Receiver for Mac to use:
  • The fully qualified domain name (FQDN) of the Secure Gateway server.
  • The port number of the Secure Gateway server. Note that Relay mode is not supported by Secure Gateway Version 2.0.

The FQDN must list, in sequence, the following three components:
  • Host name
  • Intermediate domain
  • Top-level domain

For example, my_computer.example.com is an FQDN, because it lists, in sequence, a host name (my_computer), an intermediate domain (example), and a top-level domain (com). The combination of intermediate and top-level domain (example.com) is generally referred to as the domain name.

Connecting through a proxy server

Proxy servers are used to limit access to and from your network, and to handle connections between Citrix Receiver for Mac and servers. Citrix Receiver for Mac supports both SOCKS and secure proxy protocols.

When communicating with the XenApp or XenDesktop server, Citrix Receiver for Mac uses proxy server settings that are configured remotely on the Web Interface server. For information about configuring proxy server settings for Receiver, see the Web Interface documentation.

When communicating with the Web server, Citrix Receiver for Mac uses the proxy server settings that are configured for the default Web browser on the user device. You must configure the proxy server settings for the default Web browser on the user device accordingly.

Connecting through a firewall

Network firewalls can allow or block packets based on the destination address and port. If you are using a firewall in your deployment, Citrix Receiver for Mac must be able to communicate through the firewall with both the Web server and the Citrix server. For user device to Web server communication, the firewall must permit HTTP traffic (typically on the standard HTTP port 80, or port 443 if a secure Web server is in use). For Receiver to Citrix server communication, the firewall must permit inbound ICA traffic on ports 1494 and 2598.

If the firewall is configured for Network Address Translation (NAT), you can use the Web Interface to define mappings from internal addresses to external addresses and ports. For example, if your XenApp or XenDesktop server is not configured with an alternate address, you can configure the Web Interface to provide an alternate address to Citrix Receiver for Mac. Citrix Receiver for Mac then connects to the server using the external address and port number. For more information, see the Web Interface documentation.

Connecting using TLS

Citrix Receiver for Mac 12.3 supports TLS 1.0, 1.1 and 1.2 with the following cipher suites for TLS connections to XenApp/XenDesktop:

  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

Note: Citrix Receiver for Mac running on Mac OS Sierra does not support the following TLS cipher suites:

  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_RC4_128_MD5

Transport Layer Security (TLS) is the standardized successor of the SSL protocol. The Internet Engineering Task Force (IETF) renamed it TLS when it took over responsibility for the development of SSL as an open standard.

TLS secures data communications by providing server authentication, encryption of the data stream, and message integrity checks. Some organizations, including U.S. government organizations, require the use of TLS to secure data communications. These organizations may also require the use of validated cryptography, such as Federal Information Processing Standard (FIPS) 140. FIPS 140 is a standard for cryptography.

Citrix Receiver for Mac supports RSA keys of 1024, 2048, and 3072-bit lengths. Root certificates with RSA keys of 4096-bit length are also supported.

For information about configuring and using SSL Relay to secure your installation, see the XenDesktop and StoreFront documentation.

Note

Citrix Receiver for Mac uses platform (OS X) crypto for connections between Citrix Receiver for Mac and StoreFront. 

Configuring and enabling Citrix Receiver for Mac for TLS

There are two main steps involved in setting up TLS:

  1. Set up SSL Relay on your XenApp or XenDesktop server and your Web Interface server and obtain and install the necessary server certificate. For more information, see the XenApp and Web Interface documentation.
  2. Install the equivalent root certificate on the user device.

Installing root certificates on user devices

To use TLS to secure communications between TLS-enabled Citrix Receiver for Mac and the server farm, you need a root certificate on the user device that can verify the signature of the Certificate Authority on the server certificate.

Mac OS X comes with about 100 commercial root certificates already installed, but if you want to use another certificate, you can obtain one from the Certificate Authority and install it on each user device.

Depending on your organization’s policies and procedures, you may want to install the root certificate on each user device instead of directing users to install it. The easiest and safest way is to add root certificates to the Mac OS X keychain.

To add a root certificate to the keychain

  1. Double-click the file containing the certificate. This automatically starts the Keychain Access application.
  2. In the Add Certificates dialog box, choose one of the following from the Keychain pop-up menu:
    • login (The certificate applies only to the current user.)
    • System (The certificate applies to all users of a device.)
  3. Click OK.
  4. Type your password in the Authenticate dialog box and then click OK.

The root certificate is installed and can be used by TLS-enabled clients and by any other application using TLS.

About TLS policies

This section provides information for configuring security policies for ICA sessions over TLS in Citrix Receiver for Mac. You can configure certain TLS settings used for ICA connections in Citrix Receiver for Mac. These settings are not exposed in the user interface; changing them requires running a command on the device running Citrix Receiver for Mac.

Note

TLS policies can be managed in other ways, such as when devices are controlled by OS X server or another mobile device management solution.

TLS policies include the following settings:

SecurityComplianceMode. Sets the security compliance mode for the policy. If you don’t configure SecurityComplianceMode, FIPS is used as the default value. Applicable values for this setting include:

  • None. No compliance mode is enforced
  • FIPS. FIPS cryptographic modules are used
  • SP800-52. NIST SP800-52r1 compliance is enforced

Setting SecurityComplianceMode to SP800-52:

defaults write com.citrix.receiver.nomas SecurityComplianceMode SP800-52

SecurityAllowedTLSVersions. This setting specifies the TLS protocol versions that should be accepted during protocol negotiation. This information is represented as an array and any combination of the possible values is supported. When this setting is not configured, the values TLS10, TLS11 and TLS12 are used as the default values. Applicable values for this setting include:

  • TLS10. Specifies that the TLS 1.0 protocol is allowed.
  • TLS11. Specifies that the TLS 1.1 protocol is allowed.
  • TLS12. Specifies that the TLS 1.2 protocol is allowed.

Setting SecurityAllowedTLSVersions to TLS 1.1 and TLS 1.2:

defaults write com.citrix.receiver.nomas SecurityAllowedTLSVersions -array TLS11 TLS12

SSLCertificateRevocationCheckPolicy. This feature improves the cryptographic authentication of the Citrix server and improves the overall security of the SSL/TLS connections between a client and a server. This setting governs how a given trusted root certificate authority is treated during an attempt to open a remote session through SSL when using the client for OS X.

When you enable this setting, the client checks whether the server's certificate has been revoked. There are several levels of certificate revocation list checking. For example, the client can be configured to check only its local certificate list, or to check the local and network certificate lists. In addition, certificate checking can be configured to allow users to log on only if all Certificate Revocation Lists are verified.

Certificate Revocation List (CRL) checking is an advanced feature supported by some certificate issuers. It allows an administrator to revoke a certificate (invalidating it before its expiry date) when the certificate's private key is compromised, or simply when its DNS name changes unexpectedly.

Applicable values for this setting include:

  • NoCheck. No Certificate Revocation List check is performed.
  • CheckWithNoNetworkAccess. Certificate revocation list check is performed. Only local certificate revocation list stores are used. All distribution points are ignored. Finding a Certificate Revocation List is not critical for verification of the server certificate presented by the target SSL Relay/Secure Gateway server.
  • FullAccessCheck. Certificate Revocation List check is performed. Local Certificate Revocation List stores and all distribution points are used. Finding a Certificate Revocation List is not critical for verification of the server certificate presented by the target SSL Relay/Secure Gateway server.
  • FullAccessCheckAndCRLRequired. Certificate Revocation List check is performed, excluding the root CA. Local Certificate Revocation List stores and all distribution points are used. Finding all required Certificate Revocation Lists is critical for verification.
  • FullAccessCheckAndCRLRequiredAll. Certificate Revocation List check is performed, including the root CA. Local Certificate Revocation List stores and all distribution points are used. Finding all required Certificate Revocation Lists is critical for verification.

Note

If you don’t set SSLCertificateRevocationCheckPolicy, FullAccessCheck is used as the default value.

Setting SSLCertificateRevocationCheckPolicy to FullAccessCheckAndCRLRequired:

defaults write com.citrix.receiver.nomas SSLCertificateRevocationCheckPolicy FullAccessCheckAndCRLRequired

Configuring TLS policies

To configure TLS settings on an unmanaged computer, run the defaults command in Terminal.app.

defaults is a command line application that you can use to add, edit, and delete app settings in an OS X preferences plist file.

To change settings:

1. Open Applications > Utilities > Terminal.

2. In Terminal, run the command:

defaults write com.citrix.receiver.nomas <name> <type> <value>

Where:

<name>: The name of the setting as described above.

<type>: A switch identifying the type of the setting, either -string or -array. If the setting type is a string, this can be omitted.

<value>: The value for the setting. If the value is an array and you are specifying multiple values, the values must be separated by a space.

For example:

defaults write com.citrix.receiver.nomas SecurityAllowedTLSVersions -array TLS11 TLS12

Reverting to the default configuration

To reset a setting back to its default:

1. Open Applications > Utilities > Terminal.

2. In Terminal, run the command:

defaults delete com.citrix.receiver.nomas <name>

Where:

<name>: The name of the setting as described above.

For example:

defaults delete com.citrix.receiver.nomas SecurityAllowedTLSVersions
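As an added example (not Citrix code), the following Python handles the three TLS policy settings described above as one policy: it validates the values against the applicable ones, audits the effective policy including the documented defaults, emits the equivalent defaults write commands, and serialises the policy as a plist. It assumes that a plist delivered by a management tool uses the same keys as the com.citrix.receiver.nomas preferences domain.

```python
import plistlib
import shlex

DOMAIN = "com.citrix.receiver.nomas"          # preferences domain used by the defaults commands above

# Values the text lists as applicable for each setting.
ALLOWED = {
    "SecurityComplianceMode": {"None", "FIPS", "SP800-52"},
    "SecurityAllowedTLSVersions": {"TLS10", "TLS11", "TLS12"},
    "SSLCertificateRevocationCheckPolicy": {
        "NoCheck", "CheckWithNoNetworkAccess", "FullAccessCheck",
        "FullAccessCheckAndCRLRequired", "FullAccessCheckAndCRLRequiredAll"},
}
# Values the text says apply when a setting is not configured.
DEFAULTS = {
    "SecurityComplianceMode": "FIPS",
    "SecurityAllowedTLSVersions": ["TLS10", "TLS11", "TLS12"],
    "SSLCertificateRevocationCheckPolicy": "FullAccessCheck",
}
# A hardened policy: SP800-52 mode, TLS 1.2 only, a missing CRL fails verification.
HARDENED = {
    "SecurityComplianceMode": "SP800-52",
    "SecurityAllowedTLSVersions": ["TLS12"],
    "SSLCertificateRevocationCheckPolicy": "FullAccessCheckAndCRLRequired",
}

def effective(settings):
    """Validate the configured keys and merge them over the documented defaults."""
    merged = dict(DEFAULTS)
    for key, value in settings.items():
        if key not in ALLOWED:
            raise ValueError(f"unknown setting: {key}")
        values = value if isinstance(value, list) else [value]
        if not values or any(v not in ALLOWED[key] for v in values):
            raise ValueError(f"invalid value for {key}: {value!r}")
        merged[key] = value
    return merged

def audit(settings):
    """Findings against the effective policy, i.e. what the device would actually enforce."""
    eff, findings = effective(settings), []
    if {"TLS10", "TLS11"} & set(eff["SecurityAllowedTLSVersions"]):
        findings.append("TLS 1.0/1.1 accepted during negotiation; restrict to TLS12")
    if eff["SecurityComplianceMode"] == "None":
        findings.append("no compliance mode enforced")
    crl = eff["SSLCertificateRevocationCheckPolicy"]
    if crl in {"NoCheck", "CheckWithNoNetworkAccess"}:
        findings.append("revocation is not checked at the CRL distribution points")
    elif crl == "FullAccessCheck":
        findings.append("a missing CRL does not fail verification; consider FullAccessCheckAndCRLRequired")
    return findings

def defaults_commands(settings):
    """defaults write lines for the configured keys: arrays take -array, strings omit the type."""
    effective(settings)                          # reject bad values before emitting anything
    lines = []
    for key, value in settings.items():
        if isinstance(value, list):
            lines.append(f"defaults write {DOMAIN} {key} -array " + " ".join(map(shlex.quote, value)))
        else:
            lines.append(f"defaults write {DOMAIN} {key} {shlex.quote(value)}")
    return lines

def to_plist(settings):
    """Serialise the effective policy as an XML plist (bytes) for a management tool to deliver."""
    return plistlib.dumps(effective(settings))

def from_plist(data):
    """Parse a delivered plist back into an effective policy."""
    return effective(plistlib.loads(data))

if __name__ == "__main__":
    print("\n".join(defaults_commands(HARDENED)))
    print("findings for the defaults:", audit({}))
```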

Using the UI to configure security settings

Numerous security improvements and enhancements were introduced with Citrix Receiver for Mac version 12.3, including:

  • Improved security configuration user interface. In previous releases, the command line was the preferred method to make security-related changes; configuration settings related to session security are now simple and accessible from the UI, which improves the user experience while creating a seamless method for the adoption of security-related preferences.
  • View TLS connections. Citrix Receiver for Mac allows you to verify connections made to servers that are using a specific TLS version, with additional information including the encryption algorithm used for the connection, mode, key size and whether SecureICA is enabled. In addition, you can view the server certificate for TLS connections.

The improved Security and Privacy screen includes the following new options in the TLS tab:

  • Set the compliance mode
  • Configure the crypto module
  • Select the appropriate TLS version
  • Select the certificate revocation list
  • Enable settings for all TLS connections

The image below illustrates the Security and Privacy settings accessible from the UI: