Configure and enable TLS

This topic applies to XenApp and XenDesktop Version 7.6 and later.

To use TLS encryption for all Citrix Receiver for Windows communications, configure the user device, Citrix Receiver for Windows, and, if you use Web Interface, the server running Web Interface. For information about securing Web Interface, see the Secure section of the Web Interface documentation.

Prerequisites

User devices must meet the requirements specified in the System requirements.

Use this policy to configure the TLS options that ensure Citrix Receiver for Windows securely identifies the server it connects to and encrypts all communication with that server.

You can use the options below to:

  • Enforce use of TLS. Citrix recommends that all connections over untrusted networks, including the Internet, use TLS.
  • Enforce use of FIPS (Federal Information Processing Standards) Approved cryptography and help comply with the recommendations in NIST SP 800-52. These options are disabled by default.
  • Enforce use of a specific version of TLS and of specific TLS cipher suites. Citrix supports the TLS 1.0, TLS 1.1 and TLS 1.2 protocols between Citrix Receiver for Windows and XenApp or XenDesktop.
  • Connect only to specific servers.
  • Check for revocation of the server certificate.
  • Check for a specific server certificate issuance policy.
  • Select a particular client certificate, if the server is configured to request one.

Configuring TLS support using Group Policy Object administrative template

  1. As an administrator, open the Citrix Receiver Group Policy Object administrative template by running gpedit.msc.

    • To apply the policy on a single computer, launch the Citrix Receiver Group Policy Object administrative template from the Start menu.
    • To apply the policy on a domain, launch the Citrix Receiver Group Policy Object administrative template using the Group Policy Management Console.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Receiver > Network routing, and select the TLS and Compliance Mode Configuration policy.


  3. Select Enabled to enable secure connections and to encrypt communication with the server. Set the following options:

    Note: Citrix recommends TLS for secure connections.

    1. Select Require TLS for all connections to force Citrix Receiver for Windows to use TLS for all connections to published applications and desktops.
    2. From the Security Compliance Mode drop-down, select the appropriate option:
      1. None - No compliance mode is enforced.
      2. SP800-52 – Select SP800-52 for compliance with NIST SP 800-52. Select this option only if the servers or gateway comply with the NIST SP 800-52 recommendations.

        Note: If you select SP800-52, FIPS Approved cryptography is automatically used, even if Enable FIPS is not selected. You must also enable the Windows security option System Cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing. Otherwise, Citrix Receiver for Windows might fail to connect to published applications and desktops.

        If you select SP800-52, you must also set Certificate Revocation Check Policy to either Full Access Check or Full Access Check and CRL Required.

        If you select SP800-52, Citrix Receiver for Windows verifies that the server certificate complies with the recommendations in NIST SP 800-52. If the server certificate does not comply, Citrix Receiver for Windows might fail to connect.

    3. Enable FIPS – Select this option to enforce the use of FIPS approved cryptography. You must also enable the Windows security option from the operating system group policy, System Cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing. Otherwise, Citrix Receiver for Windows might fail to connect to published applications and desktops.

    4. Use the Allowed TLS servers setting to ensure that Citrix Receiver connects only to the servers in a comma-separated list. You can specify wildcards and port numbers. For example, *.citrix.com:4433 allows connections to any server whose common name ends with .citrix.com on port 4433. The issuer of the certificate asserts the accuracy of the information in a security certificate. If Citrix Receiver does not recognize and trust the issuer, the connection is rejected.

    5. From the TLS version drop-down, select any of the following options:

      • TLS 1.0, TLS 1.1, or TLS 1.2 - This is the default setting. Use it only if there is a business requirement to keep TLS 1.0 for compatibility.

      • TLS 1.1 or TLS 1.2 – Use this option to ensure that ICA connections use either TLS 1.1 or TLS 1.2.

      • TLS 1.2 - This option is recommended if TLS 1.2 is a business requirement.

    6. TLS cipher suite - To enforce the use of specific TLS cipher suites, select Government (GOV), Commercial (COM), or All (ALL). Some NetScaler Gateway configurations require COM. Citrix Receiver for Windows supports RSA keys of 1024, 2048, and 3072-bit lengths. Root certificates with RSA keys of 4096-bit length are also supported.

      Note: Citrix does not recommend using RSA keys of 1024-bit length.

      The following lists show the cipher suites in each set.

      • Any (All): When “Any” is set, no cipher suite restriction is applied and any of the following cipher suites is allowed:

        • TLS_RSA_WITH_RC4_128_MD5
        • TLS_RSA_WITH_RC4_128_SHA
        • TLS_RSA_WITH_3DES_EDE_CBC_SHA
        • TLS_RSA_WITH_AES_128_CBC_SHA
        • TLS_RSA_WITH_AES_256_CBC_SHA
        • TLS_RSA_WITH_AES_128_GCM_SHA256
        • TLS_RSA_WITH_AES_256_GCM_SHA384
      • Commercial: When “Commercial” is set, only the following cipher suites are allowed:
        • TLS_RSA_WITH_RC4_128_MD5
        • TLS_RSA_WITH_RC4_128_SHA
        • TLS_RSA_WITH_AES_128_CBC_SHA
        • TLS_RSA_WITH_AES_128_GCM_SHA256
      • Government: When “Government” is set, only the following cipher suites are allowed:
        • TLS_RSA_WITH_AES_256_CBC_SHA
        • TLS_RSA_WITH_3DES_EDE_CBC_SHA
        • TLS_RSA_WITH_AES_128_GCM_SHA256
        • TLS_RSA_WITH_AES_256_GCM_SHA384
    7. From the Certificate Revocation Check Policy drop-down, select any of the following:

      • Check with No Network Access - Certificate Revocation list check is performed. Only local certificate revocation list stores are used. All distribution points are ignored. Finding the Certificate Revocation List is not mandatory to verify the server certificate that is presented by the target SSL Relay/Secure Gateway server.

      • Full Access Check - Certificate Revocation List check is performed. Local Certificate Revocation List stores and all distribution points are used. If revocation information for a certificate is found, the connection is rejected. Finding a Certificate Revocation List is not critical for verification of the server certificate presented by the target server.

      • Full Access Check and CRL Required - Certificate Revocation List check is performed, excluding the root CA. Local Certificate Revocation List stores and all distribution points are used. If revocation information for a certificate is found, the connection is rejected. Finding all required Certificate Revocation Lists is critical for verification.

      • Full Access Check and CRL Required All - Certificate Revocation List check is performed, including the root CA. Local Certificate Revocation List stores and all distribution points are used. If revocation information for a certificate is found, the connection is rejected. Finding all required Certificate Revocation Lists is critical for verification.

      • No Check - No Certificate Revocation List check is performed.

    8. Using the Policy Extension OID, you can limit Citrix Receiver for Windows to connect only to servers with a specific certificate issuance policy. When you select Policy Extension OID, Citrix Receiver for Windows accepts only server certificates containing that Policy Extension OID.

    9. From the Client Authentication drop-down, select any of the following:

      • Disabled - Client Authentication is disabled.
      • Display certificate selector - Always prompt the user to select a certificate.
      • Select automatically if possible - Prompt the user only if there is more than one certificate to choose from.
      • Not configured – Indicates that client authentication is not configured.
      • Use specified certificate - Use the client certificate as set in the Client Certificate option.
    10. Use the Client Certificate setting to specify the identifying certificate’s thumbprint to avoid prompting the user unnecessarily.
  4. Click Apply and OK to save the policy.
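The settings in steps 1 to 10 interact: SP800-52 implies FIPS cryptography and constrains the revocation mode, the FIPS setting narrows whichever cipher set is selected, the allow-list is matched on the certificate common name and port, and the two "CRL Required" modes fail closed when no CRL can be found. The Python model below is an added example, not Citrix code and not a description of how Receiver implements these checks internally. It evaluates a constructed handshake observation against a policy and returns the reasons a connection would be refused. The hostnames, OID and endpoint values are constructed sample data; treating an empty Allowed TLS servers setting as unrestricted, treating an entry without a port as matching any port, and modelling FIPS as removal of the RC4 and MD5 suites are assumptions, marked as such in the comments.

```python
"""Model of the TLS and Compliance Mode policy on this page (added example, not Citrix
code). Rules the page does not state are marked as assumptions in the comments."""
import fnmatch
from dataclasses import dataclass

# Cipher suite sets as listed in the policy; "Any"/"All" is the union of COM and GOV.
CIPHER_SETS = {
    "COM": {"TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256"},
    "GOV": {"TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384"},
}
CIPHER_SETS["ALL"] = CIPHER_SETS["COM"] | CIPHER_SETS["GOV"]
# RC4 and MD5 are not FIPS Approved; assumption: Enable FIPS (or SP800-52, which
# implies it) removes these suites from whichever set is selected.
NON_FIPS_SUITES = {s for s in CIPHER_SETS["ALL"] if "RC4" in s or "MD5" in s}
TLS_VERSIONS = {"1.0+": {"1.0", "1.1", "1.2"}, "1.1+": {"1.1", "1.2"}, "1.2": {"1.2"}}
# Revocation modes SP800-52 accepts, and the modes that fail closed when no CRL is found.
SP800_52_REVOCATION = {"FullAccessCheck", "FullAccessCheckAndCRLRequired"}
CRL_REQUIRED = {"FullAccessCheckAndCRLRequired", "FullAccessCheckAndCRLRequiredAll"}

@dataclass
class TlsPolicy:
    compliance_mode: str = "None"      # "None" or "SP800-52"
    enable_fips: bool = False
    allowed_servers: str = ""          # comma-separated; wildcards and :port allowed
    tls_version: str = "1.0+"          # page default
    cipher_set: str = "ALL"            # "ALL", "COM" or "GOV"
    revocation_check: str = "NoCheck"
    policy_oid: str = ""               # issuance policy OID the server cert must carry

@dataclass
class Endpoint:                        # what the client sees in the handshake (sample data)
    common_name: str
    port: int
    tls_version: str
    cipher_suite: str
    leaf_rsa_bits: int
    root_rsa_bits: int
    cert_policy_oids: tuple = ()
    revocation: str = "good"           # "good", "revoked" or "unknown" (no CRL found)

def parse_allowed_servers(spec):
    """'*.citrix.com:4433, gw.example.net' -> [('*.citrix.com', 4433), ('gw.example.net', None)]"""
    entries = []
    for item in (x.strip().lower() for x in spec.split(",")):
        if item:
            host, sep, port = item.rpartition(":")
            entries.append((host, int(port)) if sep and port.isdigit() else (item, None))
    return entries

def server_allowed(spec, common_name, port):
    """Wildcard match on the certificate common name plus port. Assumptions: an empty
    setting allows any server; an entry without a port matches any port."""
    entries = parse_allowed_servers(spec)
    cn = common_name.lower()
    return not entries or any(fnmatch.fnmatchcase(cn, pat) and p in (None, port)
                              for pat, p in entries)

def effective_suites(policy):
    suites = set(CIPHER_SETS[policy.cipher_set])
    if policy.enable_fips or policy.compliance_mode == "SP800-52":
        suites -= NON_FIPS_SUITES
    return suites

def evaluate(policy, ep):
    """Reasons the connection would be refused; an empty list means accepted."""
    reasons = []
    if policy.compliance_mode == "SP800-52" and policy.revocation_check not in SP800_52_REVOCATION:
        reasons.append("SP800-52 needs Full Access Check or Full Access Check and CRL Required")
    if not server_allowed(policy.allowed_servers, ep.common_name, ep.port):
        reasons.append(f"{ep.common_name}:{ep.port} is not in Allowed TLS servers")
    if ep.tls_version not in TLS_VERSIONS[policy.tls_version]:
        reasons.append(f"TLS {ep.tls_version} not allowed by TLS version setting {policy.tls_version}")
    if ep.cipher_suite not in effective_suites(policy):
        reasons.append(f"{ep.cipher_suite} not in cipher set {policy.cipher_set}")
    if ep.leaf_rsa_bits not in (1024, 2048, 3072):       # 1024 is supported but not recommended
        reasons.append(f"unsupported server RSA key size {ep.leaf_rsa_bits}")
    if ep.root_rsa_bits not in (1024, 2048, 3072, 4096): # 4096 is accepted for root certs only
        reasons.append(f"unsupported root RSA key size {ep.root_rsa_bits}")
    if policy.policy_oid and policy.policy_oid not in ep.cert_policy_oids:
        reasons.append(f"certificate lacks issuance policy OID {policy.policy_oid}")
    if policy.revocation_check != "NoCheck" and ep.revocation == "revoked":
        reasons.append("server certificate is revoked")
    if policy.revocation_check in CRL_REQUIRED and ep.revocation == "unknown":
        reasons.append("CRL not retrievable and the policy requires it")
    return reasons

if __name__ == "__main__":
    hardened = TlsPolicy(compliance_mode="SP800-52", allowed_servers="*.citrix.com:4433",
                         tls_version="1.2", cipher_set="GOV",
                         revocation_check="FullAccessCheckAndCRLRequired")
    good = Endpoint("apps.citrix.com", 4433, "1.2", "TLS_RSA_WITH_AES_256_GCM_SHA384", 2048, 4096)
    legacy = Endpoint("apps.citrix.com", 443, "1.0", "TLS_RSA_WITH_RC4_128_MD5", 1024, 2048,
                      revocation="unknown")
    print("compliant endpoint:", evaluate(hardened, good) or "accepted")
    print("legacy endpoint:", *evaluate(hardened, legacy), sep="\n  ")
```

Run it as a script to see a hardened SP800-52 policy accept a compliant endpoint and list every reason a legacy TLS 1.0, RC4, wrong-port endpoint is refused. Before rolling a GPO out, feed it the values you intend to set and the TLS parameters your StoreFront, Web Interface or NetScaler Gateway actually negotiates; a non-empty result tells you which setting will break connections rather than leaving users with a generic failure.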

The cipher suites in each set are listed under the TLS cipher suite setting above.
