
Configuring Citrix Receiver for Windows with the Group Policy Object template

Dec 22, 2016

Add or specify a store via GPO

Citrix recommends using the Group Policy Object and provides the template file receiver.adm or receiver.admx\receiver.adml (depending on the OS) to configure settings related to Citrix Receiver for Windows.

Note

receiver.admx/receiver.adml is available on Windows Vista / Windows Server 2008 or later. ADM files are available only on Windows XP Embedded platforms.

Note

If Citrix Receiver for Windows is configured via the VDA installation, the admx/adml files are found in the Citrix Receiver for Windows installation directory, for example <installation directory>\online plugin\Configuration.

See the table below for the Citrix Receiver for Windows template files and their respective locations.

File Type         File Location
receiver.adm      <Installation Directory>\ICA Client\Configuration
receiver.admx     <Installation Directory>\ICA Client\Configuration
receiver.adml     <Installation Directory>\ICA Client\Configuration\[MUIculture]

Note

Citrix recommends that you use the template files provided with the latest Citrix Receiver for Windows. When you import the latest files, the previous settings are retained.

To add adm template files to the local GPO

Note: You can use adm template files to configure a Local GPO and/or a Domain-Based GPO.

1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer, or by using the Group Policy Management Console when applying domain policies.
Note: If you have already imported the Citrix Receiver for Windows template into the Group Policy Editor, you can skip steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Select Add and browse to the template file location <Installation Directory>\ICA Client\Configuration\receiver.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
The Citrix Receiver for Windows template is then available in the local GPO under Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver.
After the adm template files are added to the local GPO, the following message is displayed:
“The following entry in the [strings] section is too long and has been truncated:
Click OK to ignore the message.


To add admx/adml template files to the local GPO

Note: You can use admx/adml template files to configure a Local GPO and/or a Domain-Based GPO. Refer to the Microsoft MSDN article on managing ADMX files.
1. After installing Citrix Receiver for Windows, copy the template files.

admx:
From: <Installation Directory>\ICA Client\Configuration\receiver.admx
To: %systemroot%\policyDefinitions

adml:
From: <Installation Directory>\ICA Client\Configuration\[MUIculture]\receiver.adml
To: %systemroot%\policyDefinitions\[MUIculture]

The Citrix Receiver for Windows template is then available in the local GPO under Administrative Templates > Citrix Components > Citrix Receiver.
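The copy step above as a script, added here as an example and not a script shipped by Citrix. It copies receiver.admx and every [MUIculture]\receiver.adml into a PolicyDefinitions folder; the parameter names and the default installation path are assumptions, and -PolicyRoot can point at a domain central store instead of the local folder.

```powershell
# Added example (not Citrix's own script): copy the Receiver admx/adml
# templates into a PolicyDefinitions folder. Defaults are assumptions:
# the 32-bit Program Files Citrix folder and the local policy store.
param(
    [string]$InstallDir = "${env:ProgramFiles(x86)}\Citrix",
    [string]$PolicyRoot = "$env:SystemRoot\PolicyDefinitions"
)

$config = Join-Path $InstallDir 'ICA Client\Configuration'
$admx   = Join-Path $config 'receiver.admx'
if (-not (Test-Path $admx)) {
    throw "receiver.admx not found under $config"
}

# The language-neutral admx file goes directly into PolicyDefinitions.
New-Item -ItemType Directory -Path $PolicyRoot -Force | Out-Null
Copy-Item -Path $admx -Destination $PolicyRoot -Force
Write-Output "Copied $admx -> $PolicyRoot"

# Each culture folder (for example en-US) holds the matching adml file,
# which must land in a folder of the same name under PolicyDefinitions.
Get-ChildItem -Path $config -Directory | ForEach-Object {
    $adml = Join-Path $_.FullName 'receiver.adml'
    if (Test-Path $adml) {
        $target = Join-Path $PolicyRoot $_.Name
        New-Item -ItemType Directory -Path $target -Force | Out-Null
        Copy-Item -Path $adml -Destination $target -Force
        Write-Output "Copied $adml -> $target"
    }
}
```

Run it from an elevated PowerShell session, since writing to %systemroot%\PolicyDefinitions requires administrator rights.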

About TLS and Group Policies

Use this policy to configure the TLS options that ensure Citrix Receiver for Windows securely identifies the server it is connecting to and encrypts all communication with that server. Citrix recommends that connections over untrusted networks use TLS. Citrix supports the TLS 1.0, TLS 1.1 and TLS 1.2 protocols between Citrix Receiver for Windows and XenApp or XenDesktop.

When this policy is enabled, you can force Citrix Receiver for Windows to use TLS for all connections to published applications and desktops by checking the "Require TLS for all connections" checkbox.

Citrix Receiver for Windows identifies the server by the name on the security certificate that the server presents. This has the form of a DNS name (for example, www.citrix.com). You can restrict Citrix Receiver for Windows to connect only to particular servers specified by a comma separated list in the "Allowed TLS servers" setting. Wildcards and port numbers can be specified here; for example, *.citrix.com:4433 allows connection to any server whose common name ends with .citrix.com on port 4433. The accuracy of the information in a security certificate is asserted by the certificate's issuer. If Citrix Receiver for Windows does not recognize and trust a certificate's issuer, the connection is rejected.
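To make the "Allowed TLS servers" matching rule concrete, here is an added example (not Citrix code) that evaluates a certificate common name and port against such a list. Two details are assumptions the page does not state: an entry without a port matches any port, and names are compared case-insensitively.

```powershell
# Added example (not Citrix code): check a server certificate's common name
# and the target port against an "Allowed TLS servers" value such as
# "*.citrix.com:4433,broker.example.com". Assumptions: an entry without a
# port matches any port; name comparison is case-insensitive.
function Test-AllowedTlsServer {
    param(
        [Parameter(Mandatory)][string]$AllowedList,   # the GPO setting value
        [Parameter(Mandatory)][string]$CommonName,    # CN from the server certificate
        [Parameter(Mandatory)][int]$Port              # port the connection targets
    )
    foreach ($raw in ($AllowedList -split ',')) {
        $entry = $raw.Trim()
        if (-not $entry) { continue }                 # ignore empty entries (trailing commas)
        $name, $entryPort = $entry -split ':', 2      # $entryPort is $null when absent
        if ($entryPort -and ([int]$entryPort -ne $Port)) { continue }
        if ($name.StartsWith('*')) {
            # "*.citrix.com" matches any name ending in ".citrix.com",
            # but not "citrix.com" itself, as the setting is documented.
            $suffix = $name.Substring(1)
            if ($CommonName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                return $true
            }
        }
        elseif ([string]::Equals($CommonName, $name, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Constructed sample checks: a host covered by the wildcard on the listed port,
# the same host on an unlisted port, and a host not in the list at all.
$list = '*.citrix.com:4433,broker.example.com'
Test-AllowedTlsServer -AllowedList $list -CommonName 'gw1.citrix.com' -Port 4433
Test-AllowedTlsServer -AllowedList $list -CommonName 'gw1.citrix.com' -Port 443
Test-AllowedTlsServer -AllowedList $list -CommonName 'gw1.example.org' -Port 4433
```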

When connecting by TLS, the server may be configured to require Citrix Receiver for Windows to provide a security certificate identifying itself. Use the "Client Authentication" setting to configure whether identification is provided automatically or the user is prompted. The options are:

  • never supply identification
  • only use the certificate configured here
  • always prompt the user to select a certificate
  • prompt the user only if there is a choice of certificate to supply

Tip

Use the "Client Certificate" setting to specify the identifying certificate's thumbprint to avoid prompting the user unnecessarily.

When verifying the server's security certificate, you can configure the plug-in to contact the certificate's issuer to obtain a Certificate Revocation List (CRL) and confirm that the server certificate has not been revoked. This allows an issuer to invalidate a certificate should a system be compromised. Use the "CRL verification" setting to configure the plug-in to:

  • not check CRLs at all
  • only check CRLs that have been previously obtained from the issuer
  • actively retrieve an up-to-date CRL
  • refuse to connect unless it can obtain an up-to-date CRL

Organizations that configure TLS for a range of products can choose to identify servers intended for Citrix plug-ins by specifying a Certificate Policy OID as part of the security certificate. If a Policy OID is configured here, Citrix Receiver for Windows accepts only certificates that declare a compatible Policy.

Some security policies have requirements related to the cryptographic algorithms used for a connection. You can restrict the plug-in to use only TLS 1.0, TLS 1.1 and TLS 1.2 with the "TLS version" setting. Similarly, you can restrict the plug-in to use only certain cryptographic ciphersuites. These ciphersuites include:

Government Ciphersuites:

  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256

Commercial Ciphersuites:

  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_AES_128_GCM_SHA256

FIPS security standard compliance

Citrix Receiver for Windows 4.5 introduces TLS and compliance mode configuration options to configure FIPS (Federal Information Processing Standards). Use this feature to ensure that only FIPS (Publication 140-2) approved cryptography is used for all ICA connections.

A new security compliance mode provides support for NIST SP 800-52. By default, this mode is disabled (set to NONE). 

Note

For additional information about the compliance required for NIST SP 800-52, see the NIST page describing guidelines for TLS implementations.

This version of Citrix Receiver for Windows also allows you to define the TLS version, which determines the TLS protocol for ICA connections. The highest and mutually available version between the client and server will be selected.

When using these features, in the TLS and Compliance Mode Configuration screen:

  • Use the Enable FIPS checkbox to use the approved cryptography for all ICA sessions.
  • Set the Security Compliance Mode to SP 800-52.
  • Select the TLS version.

The image below illustrates the FIPS options.

[Image: TLS and Compliance Mode Configuration screen showing the FIPS options]

Note

By default, FIPS is disabled (unchecked).

Configuring FIPS

To configure FIPS cryptography for all ICA clients:

  1. Select Computer Configuration > Administrative Templates > Citrix Components > Network Routing > TLS and Compliance Mode Configuration.
  2. In the TLS and Compliance Mode Configuration screen, select Enable FIPS.
  3. In the Security Compliance Mode section, use the drop-down menu to select SP 800-52. When configuring this option:
    • SP 800-52 compliance mode requires FIPS compliance; when SP 800-52 is enabled, FIPS mode is also enabled regardless of the FIPS setting.
    • The Certificate Revocation Check Policy is either Full access check and CRL required, or Full access check and CRL required all.
  4. Select the appropriate TLS protocol version for ICA connections. The highest TLS version mutually available between the client and server will be selected. The options are:
    • TLS 1.0 | TLS 1.1 | TLS 1.2 (the default)
    • TLS 1.1 | TLS 1.2
    • TLS 1.2

Session reliability group policy

When configuring the session reliability group policy, set the transparency level. Using this option, you can control the transparency level applied to a published app (or desktop) during the session reliability reconnection period.

To configure the transparency level, select Computer Configuration > Administrative Templates > Citrix Components > Network Routing > Session reliability and automatic reconnection > Transparency Level.

Note

By default, Transparency Level is set to 80.

[Image: Transparency Level setting in the Session reliability and automatic reconnection policy]