
Configuring Citrix Receiver for Windows with the Group Policy Object administrative template

Mar 02, 2017

Citrix recommends using the Windows Group Policy Object Editor to configure Citrix Receiver for Windows. Citrix Receiver for Windows includes administrative template files (receiver.adm, or receiver.admx and receiver.adml, depending on the operating system) in the installation directory.

Note

Starting with Citrix Receiver for Windows Version 4.6, the installation directory includes CitrixBase.admx and CitrixBase.adml files.
Citrix recommends that you use the CitrixBase.admx and CitrixBase.adml files to ensure that the options are correctly organized and displayed within the Group Policy Object Editor.

Note

The .adm file is for use with Windows XP Embedded platforms only. The .admx/.adml files are for use with Windows Vista/Windows Server 2008 and all later versions of Windows.

Note

If Citrix Receiver for Windows is installed with VDA, admx/adml files are found in the Citrix Receiver for Windows installation directory. For example: <installation directory>\Online Plugin\Configuration.

Note

If Citrix Receiver for Windows is installed without VDA, the admx/adml files are typically found in the C:\Program Files\Citrix\ICA Client\Configuration directory.

See the table below for the Citrix Receiver for Windows template files and their respective locations.

File Type          File Location
receiver.adm       <Installation Directory>\ICA Client\Configuration
receiver.admx      <Installation Directory>\ICA Client\Configuration
receiver.adml      <Installation Directory>\ICA Client\Configuration\[MUIculture]
CitrixBase.admx    <Installation Directory>\ICA Client\Configuration
CitrixBase.adml    <Installation Directory>\ICA Client\Configuration\[MUIculture]

To add the receiver.adm template file to the local GPO (Windows XP Embedded Operating System only)

NOTE: You can use .adm template files to configure Local GPO and/or Domain-Based GPO.

1. As an administrator, open the Group Policy Editor, either by running gpedit.msc locally from the Start menu when applying policies to a single computer, or by using the Group Policy Management Console when applying domain policies.
Note: If you have already imported the Citrix Receiver for Windows template into the Group Policy Editor, you can skip steps 2 to 5.
2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
3. From the Action menu, choose Add/Remove Templates.
4. Select Add and browse to the template file location <Installation Directory>\ICA Client\Configuration\receiver.adm.
5. Select Open to add the template and then Close to return to the Group Policy Editor.
The Citrix Receiver for Windows template is then available in the local GPO under Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver.

After the .adm template file is added to the local GPO, the following message is displayed:
“The following entry in the [strings] section is too long and has been truncated:”
Click OK to ignore the message; it refers to a string in the template's [strings] section that exceeds the ADM string length limit.

To add the receiver.admx/adml template files to the local GPO (later versions of Windows Operating System)

NOTE: You can use admx/adml template files to configure the Local GPO and/or a Domain-Based GPO. Refer to the Microsoft MSDN article on managing ADMX files.
1. After installing Citrix Receiver for Windows, copy the template files.

admx:
From: <Installation Directory>\ICA Client\Configuration\receiver.admx
To: %systemroot%\PolicyDefinitions

From: <Installation Directory>\ICA Client\Configuration\CitrixBase.admx
To: %systemroot%\PolicyDefinitions

adml:
From: <Installation Directory>\ICA Client\Configuration\[MUIculture]\receiver.adml
To: %systemroot%\PolicyDefinitions\[MUIculture]

From: <Installation Directory>\ICA Client\Configuration\[MUIculture]\CitrixBase.adml
To: %systemroot%\PolicyDefinitions\[MUIculture]

For a Domain-Based GPO, copy the same files to the domain central store (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions and its [MUIculture] subfolder) instead of the local %systemroot%\PolicyDefinitions folder, so that every administrator editing the GPO sees the same templates.

Note

Citrix Receiver for Windows template files are available in the local GPO under Administrative Templates > Citrix Components > Citrix Receiver only when CitrixBase.admx and CitrixBase.adml have also been added to the PolicyDefinitions folder.
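The copy procedure above, as an added PowerShell example (not a Citrix script): it copies both ADMX files and their culture-specific ADML files into the local store or a domain central store, then checks that every namespace the templates reference is defined by some ADMX file in that store, which is the condition the note above describes. It assumes an en-US MUI culture and the standard central-store path, and must be run from an elevated PowerShell 5.1 (or later) session.

```powershell
# Added example (not a Citrix script): copy the Receiver ADMX/ADML templates into
# the local PolicyDefinitions store, or into a domain central store, then check
# that every namespace the templates reference is defined in that store.
# Assumptions: the MUI culture folder is en-US, and a central store uses the
# standard \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions layout.
[CmdletBinding()]
param(
    [string]$Culture = 'en-US',
    # Set this when Receiver was installed with a VDA and the templates live
    # under <installation directory>\Online Plugin\Configuration instead.
    [string]$SourceDir = '',
    # Empty = local store (%systemroot%\PolicyDefinitions). For a domain GPO pass
    # e.g. \\corp.example.com\SYSVOL\corp.example.com\Policies\PolicyDefinitions
    [string]$CentralStore = ''
)

if (-not $SourceDir) {
    # The 32-bit client lands under Program Files (x86) on 64-bit Windows.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $SourceDir = $roots |
        ForEach-Object { Join-Path $_ 'Citrix\ICA Client\Configuration' } |
        Where-Object { Test-Path (Join-Path $_ 'receiver.admx') } |
        Select-Object -First 1
}
if (-not $SourceDir) { throw 'receiver.admx not found; is Citrix Receiver for Windows installed?' }

$dest        = if ($CentralStore) { $CentralStore } else { Join-Path $env:SystemRoot 'PolicyDefinitions' }
$destCulture = Join-Path $dest $Culture
New-Item -ItemType Directory -Path $destCulture -Force | Out-Null

# Both templates are needed: without CitrixBase.admx the Citrix Components
# folder, under which receiver.admx places its settings, is not shown.
foreach ($name in 'CitrixBase', 'receiver') {
    Copy-Item -Path (Join-Path $SourceDir "$name.admx")          -Destination $dest        -Force
    Copy-Item -Path (Join-Path $SourceDir "$Culture\$name.adml") -Destination $destCulture -Force
    Write-Host "Copied $name.admx and $Culture\$name.adml to $dest"
}

# An ADMX file declares one target namespace and may 'use' others. A 'using'
# that no file in the store declares as its target makes the editor report a
# missing template, so resolve the Citrix files' references against the store.
$docs = @{}
foreach ($f in Get-ChildItem -Path $dest -Filter *.admx) {
    $docs[$f.Name] = [xml](Get-Content -Path $f.FullName -Raw)
}
$targets = $docs.Values | ForEach-Object { $_.policyDefinitions.policyNamespaces.target.namespace }

$issues = 0
foreach ($name in 'CitrixBase.admx', 'receiver.admx') {
    foreach ($u in @($docs[$name].policyDefinitions.policyNamespaces.using)) {
        if ($u -and $targets -notcontains $u.namespace) {
            Write-Warning "$name uses namespace $($u.namespace) but no ADMX in $dest defines it"
            $issues++
        }
    }
    $adml = Join-Path $destCulture ($name -replace '\.admx$', '.adml')
    if (-not (Test-Path $adml)) {
        Write-Warning "$adml is missing; the Group Policy editor cannot load $name without it"
        $issues++
    }
}
if ($issues -eq 0) {
    Write-Host 'Templates verified. Reopen gpedit.msc (or GPMC) and look under Administrative Templates > Citrix Components > Citrix Receiver.'
}
```

Run it with no parameters for the local GPO, or with -CentralStore pointing at the SYSVOL path for a domain GPO. The namespace check is the useful part: if receiver.admx is copied without CitrixBase.admx, its using reference has no matching target and the script warns before the editor does.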

About TLS and Group Policies

Use this policy to configure the TLS options that ensure Citrix Receiver for Windows securely identifies the server that it is connecting to, and encrypts all communication with the server.

You can use these options to:

  • enforce use of TLS. Citrix recommends that all connections over untrusted networks, including the Internet, use TLS.
  • enforce use of FIPS (Federal Information Processing Standards) Approved cryptography and help comply with the recommendations in NIST SP 800-52. These options are disabled by default.
  • enforce use of a specific version of TLS and of specific TLS cipher suites. Citrix supports the TLS 1.0, TLS 1.1 and TLS 1.2 protocols between Citrix Receiver for Windows and XenApp or XenDesktop.
  • connect only to specific servers.
  • check for revocation of the server certificate.
  • check for a specific server certificate issuance policy.
  • select a particular client certificate, if the server is configured to request one.

When this policy is enabled, you can force Citrix Receiver for Windows to use TLS for all connections to published applications and desktops by checking the Require TLS for all connections checkbox.

To enforce use of FIPS Approved cryptography, select Enable FIPS.


Important

If you select Enable FIPS, you must also enable the Windows security option System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing (under Security Settings > Local Policies > Security Options), or Citrix Receiver for Windows may fail to connect to published applications and desktops.

For compliance with NIST SP 800-52 recommendations, select Security Compliance Mode SP800-52. Only do this if all servers or gateways also comply with NIST SP 800-52 recommendations.

Important

If you select Security Compliance Mode SP800-52, FIPS Approved cryptography is automatically used, even if Enable FIPS is not selected. You must also enable the Windows security option System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, or Citrix Receiver for Windows may fail to connect to published applications and desktops.

If you select Security Compliance Mode SP800-52, you must also set the Certificate Revocation Check Policy setting to either Full Access Check or Full access check and CRL required.

If you select Security Compliance Mode SP800-52, Citrix Receiver for Windows verifies that the server certificate complies with the recommendations in NIST SP 800-52. If the server certificate does not comply, Citrix Receiver for Windows fails to connect.

To enforce use of a specific version of TLS, select the TLS version setting.

Some regulations do not permit the use of TLS 1.0 and prefer the use of TLS 1.2. Citrix Receiver for Windows uses the highest version of TLS that is also available at the server or gateway, so this setting determines the lowest version it will accept.

You can choose:

  • TLS 1.0 or TLS 1.1 or TLS 1.2 - This is the default setting. This option is recommended only if there is a business requirement for TLS 1.0 for compatibility.
  • TLS 1.1 or TLS 1.2.
  • TLS 1.2 only - This option is recommended if TLS 1.2 is a business requirement.

To enforce use of specific TLS cipher suites, select either Government (GOV), Commercial (COM) or All (ALL). For certain NetScaler Gateway configurations, you might need to select COM.

The available cipher suites also depend on the Enable FIPS and Security Compliance Mode settings.

The following table lists the cipher suites in each set (X = cipher suite offered, - = not offered):

                                        Enable FIPS: Off          Enable FIPS: On           Enable FIPS: On
                                        SP800-52 mode: Off        SP800-52 mode: Off        SP800-52 mode: On
TLS cipher suite                        GOV   COM   ALL           GOV   COM   ALL           GOV   COM   ALL
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   X     -     X             X     -     X             -     -     -
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   X     -     X             X     -     X             -     -     -
TLS_RSA_WITH_AES_256_GCM_SHA384         X     -     X             X     -     X             X     -     X
TLS_RSA_WITH_AES_128_GCM_SHA256         X     X     X             X     X     X             X     X     X
TLS_RSA_WITH_AES_256_CBC_SHA256         X     -     X             X     -     X             -     -     -
TLS_RSA_WITH_AES_256_CBC_SHA            X     -     X             X     -     X             X     -     X
TLS_RSA_WITH_AES_128_CBC_SHA            -     X     X             -     X     X             -     X     X
TLS_RSA_WITH_RC4_128_SHA                -     X     X             -     -     -             -     -     -
TLS_RSA_WITH_RC4_128_MD5                -     X     X             -     -     -             -     -     -
TLS_RSA_WITH_3DES_EDE_CBC_SHA           X     -     X             X     -     X             X     -     X

Note that with Enable FIPS off, the COM and ALL sets still include the RC4 cipher suites; enabling FIPS (or Security Compliance Mode SP800-52) removes them.

You can restrict Citrix Receiver for Windows to connect only to particular servers. Citrix Receiver for Windows identifies the server by the name in the security certificate that the server presents, which has the form of a DNS name (for example, www.citrix.com). Specify the list of names, separated by commas, in the Allowed TLS servers setting. Wildcards and port numbers can be specified; for example, *.citrix.com:4433 allows connection to any server whose common name ends with .citrix.com on port 4433. The accuracy of the information in a security certificate is asserted by the certificate's issuer: if Citrix Receiver for Windows does not recognize and trust the certificate's issuer, the connection is rejected.

Citrix Receiver for Windows checks whether a server certificate has been revoked, using a Certificate Revocation List (CRL). If the certificate has been revoked, the connection is rejected. The certificate's issuer can revoke a certificate if the server has been compromised.

Select the Certificate Revocation Check Policy setting as follows:

  • No Check - Select this option if you want the connection to proceed with no CRL check.
  • Check with no network access - Select this option if you want the CRL to be checked using only a CRL already held on the client, without retrieving an up-to-date CRL.
  • Full Access Check - Select this option if you want the CRL to be checked, first retrieving an up-to-date CRL if possible. Unlike the next option, the connection is not rejected merely because an up-to-date CRL could not be retrieved.
  • Full access check and CRL required - Select this option if you want the CRL to be checked. The connection is rejected if an up-to-date CRL is not available.

You can restrict Citrix Receiver for Windows to connect only to servers with a specific certificate issuance policy. This is identified by the Policy Extension OID. If selected, Citrix Receiver for Windows accepts only server certificates containing that Policy Extension OID.

When connecting using TLS, the server may be configured to request a client certificate from Citrix Receiver for Windows.
Select the Client Authentication setting as follows:

  • Disabled - Select this option if the server is not configured to request a client certificate. This prevents the information in the client certificate from being disclosed when it is not needed.
  • Select automatically if possible - This is usually the best option if the server is configured to request a client certificate.
  • Display certificate selector - Select this option if Select automatically if possible does not select the correct certificate. The user is prompted to choose one.
  • Use specified certificate - Select this option if Select automatically if possible does not select the correct certificate and you do not want the user to be prompted. You must then specify the certificate's thumbprint.
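Before enforcing Allowed TLS servers, a revocation check policy or a certificate issuance policy OID on every client, it is worth checking a gateway's certificate against the same rules. The following PowerShell (5.1 or later) is an added example, not Citrix Receiver's own validation code. Where the page is silent it assumes: name matching is case-insensitive, an entry with no :port matches any port, the name compared is the certificate Subject common name, and the four revocation options map onto the .NET X509Chain revocation modes as commented in the code. The Allowed TLS servers sample at the end runs offline on constructed input; Get-ServerCertificate needs network access, and the gateway name and OID in the commented live call are placeholders.

```powershell
# Added example, not Citrix Receiver's own validation code: apply the tests the
# TLS policy describes (Allowed TLS servers, certificate revocation check policy,
# certificate issuance policy OID) to a gateway certificate before the settings
# are enforced on clients. Requires PowerShell 5.1 or later.
using namespace System.Security.Cryptography.X509Certificates

function Test-AllowedTlsServer {
    # $AllowedList is the comma-separated "Allowed TLS servers" value, for example
    # '*.citrix.com:4433,gateway.example.net'. Assumed: a leading * matches any
    # prefix, comparison is case-insensitive, and no :port means any port.
    param([string]$AllowedList, [string]$ServerName, [int]$Port)
    foreach ($entry in ($AllowedList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        $namePart, $portPart = $entry -split ':', 2
        if ($portPart -and [int]$portPart -ne $Port) { continue }
        $nameOk = if ($namePart.StartsWith('*')) {
            $ServerName.EndsWith($namePart.Substring(1), [StringComparison]::OrdinalIgnoreCase)
        } else {
            $ServerName -eq $namePart   # -eq on strings is case-insensitive in PowerShell
        }
        if ($nameOk) { return $true }
    }
    return $false
}

function Get-CertificatePolicyOids {
    # Reads the Certificate Policies extension (OID 2.5.29.32). The regex relies
    # on the "Policy Identifier=<oid>" text produced by the Windows formatter.
    param([X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    if (-not $ext) { return @() }
    return @([regex]::Matches($ext.Format($true), 'Policy Identifier=([0-9.]+)') |
             ForEach-Object { $_.Groups[1].Value })
}

function Test-ServerCertificateRevocation {
    # Maps the four Certificate Revocation Check Policy values onto an X509Chain
    # build; returns the chain problems that would make the connection fail
    # under that setting (empty = the certificate passes).
    param([X509Certificate2]$Cert,
          [ValidateSet('No Check', 'Check with no network access', 'Full Access Check',
                       'Full access check and CRL required')][string]$Policy)
    $mode = switch ($Policy) {
        'No Check'                     { 'NoCheck' }  # no CRL consulted
        'Check with no network access' { 'Offline' }  # only CRLs already cached locally
        default                        { 'Online'  }  # fetch a current CRL if possible
    }
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = $mode
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $null = $chain.Build($Cert)

    $crlUnavailable = [int][X509ChainStatusFlags]::RevocationStatusUnknown -bor
                      [int][X509ChainStatusFlags]::OfflineRevocation
    $problems = @()
    foreach ($s in $chain.ChainStatus) {
        $crlMissing = ([int]$s.Status -band $crlUnavailable) -ne 0
        # An unobtainable CRL is tolerated unless "CRL required" was chosen; a
        # revoked, expired or untrusted certificate is always fatal.
        if ($crlMissing -and $Policy -ne 'Full access check and CRL required') { continue }
        $problems += "$($s.Status): $($s.StatusInformation.Trim())"
    }
    return $problems
}

function Get-ServerCertificate {
    # Fetches the certificate a server presents. Validation is switched off for
    # this handshake only, so the certificate can be examined by the checks above.
    param([string]$Server, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($Server)
        return [X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Test-ReceiverTlsPolicy {
    # Runs all three checks against one certificate; returns the reasons the
    # connection would be refused under these settings (empty = OK).
    param([X509Certificate2]$Cert, [int]$Port, [string]$AllowedTlsServers,
          [string]$RevocationCheck = 'Full Access Check', [string]$RequiredPolicyOid = '')
    $problems = @()
    # The policy identifies the server by the certificate's common name.
    $cn = $Cert.GetNameInfo([X509NameType]::SimpleName, $false)
    if ($AllowedTlsServers -and -not (Test-AllowedTlsServer $AllowedTlsServers $cn $Port)) {
        $problems += "'$cn' on port $Port is not in the Allowed TLS servers list"
    }
    if ($RequiredPolicyOid -and (Get-CertificatePolicyOids $Cert) -notcontains $RequiredPolicyOid) {
        $problems += "certificate does not carry issuance policy $RequiredPolicyOid"
    }
    $problems += @(Test-ServerCertificateRevocation -Cert $Cert -Policy $RevocationCheck)
    return $problems
}

# Offline check of the setting's own example pattern (constructed input); the
# second call uses a port the entry does not allow.
Test-AllowedTlsServer -AllowedList '*.citrix.com:4433, ica.example.net' -ServerName 'apps.citrix.com' -Port 4433
Test-AllowedTlsServer -AllowedList '*.citrix.com:4433' -ServerName 'apps.citrix.com' -Port 443

# Live check against a gateway (host name and OID are placeholders):
# $cert = Get-ServerCertificate -Server 'gateway.example.net' -Port 443
# Test-ReceiverTlsPolicy -Cert $cert -Port 443 -AllowedTlsServers '*.example.net' `
#     -RevocationCheck 'Full access check and CRL required' -RequiredPolicyOid '1.3.6.1.4.1.99999.1'
```

The revocation mapping is the part to read carefully: Full Access Check and Full access check and CRL required both build the chain with an online revocation check, and differ only in whether an unobtainable CRL (RevocationStatusUnknown or OfflineRevocation in the chain status) is treated as fatal. Run the live call with the stricter setting before rolling it out; if the gateway's CRL distribution point is unreachable from client networks, this is where it shows up.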

Session reliability group policy

When configuring the session reliability group policy, set the transparency level. This option controls the transparency applied to a published app (or desktop) during the session reliability reconnection period.

To configure the transparency level, select Computer Configuration > Administrative Templates > Citrix Components > Network Routing > Session reliability and automatic reconnection > Transparency Level.

Note

 By default, Transparency Level is set to 80.
