Securing StoreFront with HTTPS
Citrix strongly recommends securing communications between StoreFront and users’ devices using HTTPS. This ensures that passwords and other data sent between the client and StoreFront are encrypted. Furthermore, plain HTTP connections can be compromised by various attacks, such as man-in-the-middle attacks, particularly when connections are made from insecure locations such as public Wi-Fi hotspots. In the absence of the appropriate IIS configuration, StoreFront uses HTTP for communications.
Depending on your configuration, users may access StoreFront via a gateway or load balancer. You can terminate the HTTPS connection at the gateway or load balancer. However, in this case Citrix still recommends that you secure connections between the gateway and StoreFront using HTTPS.
If StoreFront is not configured for HTTPS it displays the following warning:
Creating Certificates
- Ensure that the FQDN(s) used to access StoreFront are included in the DNS field as Subject Alternative Names (SANs). If you are using a load balancer, include both the individual server’s FQDN and the load balancer FQDN.
- Sign the certificate using a third party CA such as Verisign or an enterprise root CA for your organization.
- Export the certificate in PFX format including the private key.
Configure IIS for HTTPS
To configure Microsoft Internet Information Services (IIS) for HTTPS on the StoreFront server:
- Open the Internet Information Services (IIS) Manager console.
- In the tree view on the left, select the server.
- In the right-hand pane, double click Server Certificates.
- From the Server Certificates screen you can import an existing certificate or create a new certificate.
- In the tree view on the left, select Default Web Site (or the appropriate website).
- In the Actions pane, click Bindings…
- In the bindings window, click Add…
- In the Type drop down, select https.
- On Windows Server 2022 or above, click Disable Legacy TLS to disable TLS versions older than 1.2.
  On older Windows Server versions, you can disable legacy TLS versions using Windows registry settings; see the Windows Server documentation.
- Select the certificate previously imported. Press OK.
- To remove HTTP access, select HTTP and click Remove.
Change StoreFront server base URL from HTTP to HTTPS
If you install and configure Citrix StoreFront without first installing and configuring an SSL certificate, StoreFront uses HTTP for communications.
If you install and configure an SSL certificate at some time later, use the following procedure to ensure StoreFront and its services use HTTPS connections.
- In the Citrix StoreFront management console, in the left pane select Server Group.
- In the Actions pane, select Change Base URL.
- Update the base URL to start with https: and click OK.
HSTS
The user’s client device is vulnerable even after you enable HTTPS on the server side. For example, a man-in-the-middle attacker could spoof the StoreFront server and trick the user into connecting to the spoofed server over plain HTTP. They could then get access to sensitive information such as the user’s credentials. The solution is to ensure that the user’s browser doesn’t attempt to access the RfWeb server over HTTP. You can achieve this with HTTP Strict Transport Security (HSTS).
When HSTS is enabled, the server indicates to web browsers that requests to the web site should only ever be made over HTTPS. If a user attempts to access the URL using HTTP, the browser will automatically switch to using HTTPS instead. This ensures client-side validation of a secure connection as well as the server-side validation in IIS. The web browser maintains this validation for a configured period.
On Windows Server 2019 and above:
- Open Internet Information Services (IIS) Manager.
- Select Default Web Site (or the appropriate website).
- In the Actions pane on the right-hand side, click HSTS…
- Tick Enable, enter a max age (e.g. 31536000 for one year), and tick Redirect HTTP to HTTPS.
- Press OK.
Note:
Enabling HSTS affects all web sites on the same domain. For example, if the website is accessible at https://www.company.com/Citrix/StoreWeb, then the HSTS policy will apply to all web sites under https://www.company.com, which may not be desired.
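The IIS HTTPS binding and HSTS steps above, scripted for one StoreFront server as an added PowerShell example (not Citrix's or Microsoft's own code). The site name, PFX path and FQDN are placeholders to replace with your own values, and the HSTS part assumes IIS 10 on Windows Server 2019 or later; Disable Legacy TLS is left to the GUI or registry steps the page describes.

```powershell
#Requires -RunAsAdministrator
# Added example: scripts the certificate import, HTTPS binding and HSTS steps.
Import-Module WebAdministration
Import-Module IISAdministration

$siteName = 'Default Web Site'          # assumption: StoreFront lives under the default site
$fqdn     = 'storefront.example.com'    # assumption: FQDN users type; must be a DNS SAN in the cert
$pfxPath  = 'C:\certs\storefront.pfx'   # assumption: PFX exported together with its private key

# 1. Import the PFX (prompting for its export password) into the machine store.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# Check the Subject Alternative Name extension (OID 2.5.29.17) lists the FQDN;
# a binding with a certificate that lacks it still fails validation in browsers.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($fqdn)) {
    throw "Certificate does not list $fqdn as a Subject Alternative Name"
}

# 2. Add the HTTPS binding (SslFlags 1 = SNI) and attach the certificate to it.
if (-not (Get-WebBinding -Name $siteName -Protocol https -HostHeader $fqdn)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $fqdn -SslFlags 1
}
$binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $fqdn
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. HSTS at site level: one-year max-age and redirect HTTP to HTTPS.
#    The policy applies to every application under this host name, not just
#    /Citrix/StoreWeb, which is the caveat from the note above.
Reset-IISServerManager -Confirm:$false
Start-IISCommitDelay
$sites = Get-IISConfigSection -SectionPath 'system.applicationHost/sites' | Get-IISConfigCollection
$site  = Get-IISConfigCollectionElement -ConfigCollection $sites -ConfigAttribute @{ name = $siteName }
$hsts  = Get-IISConfigElement -ConfigElement $site -ChildElementName 'hsts'
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled' -AttributeValue $true
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'max-age' -AttributeValue 31536000
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'redirectHttpToHttps' -AttributeValue $true
Stop-IISCommitDelay

Get-WebBinding -Name $siteName | Format-Table protocol, bindingInformation, sslFlags
```

If you rely on Redirect HTTP to HTTPS, keep the port-80 binding rather than removing it as in the earlier step, since with no HTTP binding there is nothing listening to issue the redirect.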