Connect with Secure Sockets Layer Relay

May 08, 2015

This topic does not apply to XenDesktop 7.

You can integrate Receiver with the Secure Sockets Layer (SSL) Relay service. Receiver supports both SSL and TLS protocols.

  • SSL provides strong encryption to increase the privacy of your ICA connections and certificate-based server authentication to ensure the server you are connecting to is a genuine server.
  • TLS (Transport Layer Security) is the latest, standardized version of the SSL protocol. The Internet Engineering Task Force (IETF) renamed it TLS when it took over responsibility for the development of SSL as an open standard. TLS secures data communications by providing server authentication, encryption of the data stream, and message integrity checks. Because there are only minor technical differences between SSL Version 3.0 and TLS Version 1.0, the certificates you use for SSL in your software installation will also work with TLS. Some organizations, including U.S. government organizations, require the use of TLS to secure data communications. These organizations may also require the use of validated cryptography, such as FIPS 140 (Federal Information Processing Standard 140), a standard for cryptographic modules.

By default, Citrix SSL Relay uses TCP port 443 on the XenApp server for SSL/TLS-secured communication. When the SSL Relay receives an SSL/TLS connection, it decrypts the data before redirecting it to the server, or, if the user selects SSL/TLS+HTTPS browsing, to the Citrix XML Service.

If you configure SSL Relay to listen on a port other than 443, you must specify the nonstandard listening port number to the plug-in.

You can use Citrix SSL Relay to secure communications:

  • Between an SSL/TLS-enabled client and a server. Connections using SSL/TLS encryption are marked with a padlock icon in the Citrix Connection Center.
  • With a server running the Web Interface, between the XenApp server and the Web server.

For information about configuring SSL Relay to secure your installation, refer to Configuring SSL/TLS Between Servers and Clients in the XenApp documentation.

User device requirements

In addition to the System Requirements, you also must ensure that:

  • The user device supports 128-bit encryption
  • The user device has a root certificate installed that can verify the signature of the Certificate Authority on the server certificate
  • Receiver is aware of the TCP listening port number used by the SSL Relay service in the server farm
  • Any service packs or upgrades that Microsoft recommends are applied

If you are using Internet Explorer and you are not certain about the encryption level of your system, visit the Microsoft Web site at http://www.microsoft.com to install a service pack that provides 128-bit encryption.

Important: Receiver supports certificate key lengths of up to 4096 bits. Ensure that the bit lengths of your Certificate Authority root and intermediate certificates, and those of your server certificates, do not exceed the bit length your Receiver supports, or connections might fail.

To apply a different listening port number for all connections

If you are changing this on a local computer, close all Receiver components, including the Connection Center.

  1. As an administrator, open the Group Policy Editor, either by running gpedit.msc locally from the Start menu when applying policies to a single computer, or by using the Group Policy Management Console when applying domain policies.
    Note: If you already imported the icaclient template into the Group Policy Editor, you can omit Steps 2 to 5.
  2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
  3. From the Action menu, choose Add/Remove Templates.
  4. Choose Add and browse to the plug-in Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.
  5. Select Open to add the template and then Close to return to the Group Policy Editor.
  6. In the Group Policy Editor, go to Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification.
  7. From the Action menu, choose Properties, select Enabled, and type a new port number in the Allowed SSL servers text box in the following format:

    server:SSL relay port number

    where SSL relay port number is the number of the listening port. You can use a wildcard to specify multiple servers. For example, *.Test.com:SSL relay port number matches all connections to Test.com through the specified port.

To apply a different listening port number to particular connections only

If you are changing this on a local computer, close all Receiver components, including the Connection Center.

  1. As an administrator, open the Group Policy Editor, either by running gpedit.msc locally from the Start menu when applying policies to a single computer, or by using the Group Policy Management Console when applying domain policies.
    Note: If you already added the icaclient template to the Group Policy Editor, you can omit Steps 2 to 5.
  2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
  3. From the Action menu, choose Add/Remove Templates.
  4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.
  5. Select Open to add the template and then Close to return to the Group Policy Editor.
  6. In the Group Policy Editor, go to Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification.
  7. From the Action menu, choose Properties, select Enabled, and type a comma-separated list of trusted servers and the new port number in the Allowed SSL servers text box in the following format:

    servername:SSL relay port number,servername:SSL relay port number

    where SSL relay port number is the number of the listening port. You can specify a comma-separated list of specific trusted SSL servers similar to this example:

    csghq.Test.com:443,fred.Test.com:443,csghq.Test.com:444

    which translates into the following in an example appsrv.ini file:

    [Word]
    SSLProxyHost=csghq.Test.com:443

    [Excel]
    SSLProxyHost=csghq.Test.com:444

    [Notepad]
    SSLProxyHost=fred.Test.com:443
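As an added example (not Citrix code and not part of this documentation), the following Python validates an Allowed SSL servers value in the server:SSL relay port number format used in both procedures above and checks whether a given SSL Relay host and port is covered by it, including the *.Test.com wildcard form. The matching rules it applies (case-insensitive host names, a wildcard only as a leading "*." label that covers hosts under the domain but not the bare domain, ports 1 to 65535) and the sample values are assumptions constructed for the example.

```python
from typing import List, Tuple

# Constructed sample value, mirroring the format shown in the procedure above.
SAMPLE_ALLOWED_SSL_SERVERS = "csghq.Test.com:443,fred.Test.com:443,*.lab.Test.com:444"


def parse_allowed_ssl_servers(value: str) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Parse a comma-separated 'server:port' list into (entries, errors).

    Entries are returned as (lower-cased host pattern, port). Malformed items are
    reported in errors rather than silently dropped, so a policy typo (such as a
    missing port) is caught before it is pushed out by Group Policy.
    """
    entries: List[Tuple[str, int]] = []
    errors: List[str] = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate a trailing comma or doubled separator
        host, sep, port = item.rpartition(":")
        if not sep or not host or not port.isdigit():
            errors.append(f"malformed entry {item!r}: expected server:SSL relay port number")
            continue
        port_num = int(port)
        if not 1 <= port_num <= 65535:  # assumption: plain TCP port range
            errors.append(f"entry {item!r}: port {port_num} is out of range")
            continue
        entries.append((host.lower(), port_num))
    return entries, errors


def host_matches(pattern: str, host: str) -> bool:
    """Match a host against one pattern; '*.domain' covers hosts under domain (assumed)."""
    host = host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".lab.test.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def is_allowed(value: str, host: str, port: int) -> bool:
    """True if host:port is covered by some entry of the Allowed SSL servers value."""
    entries, errors = parse_allowed_ssl_servers(value)
    if errors:
        return False  # fail closed: a policy with errors should be fixed, not guessed at
    return any(host_matches(pattern, host) and port == p for pattern, p in entries)
```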