Configuring the Citrix XML Service Port and Trust

Apr 23, 2015

The Citrix XML Service is used by the Web Interface and by user devices that connect over the TCP/IP + HTTP protocol.

By default, XenApp server role installation configures the Citrix XML Service and Internet Information Service (IIS) to share the same TCP/IP port (80) for communications. In this case, you cannot change the XML Service setting.

During the installation of Citrix XenApp on your server, you configured the XML Service to either share the port with your Microsoft Internet Information Server or to use a particular port. For details about the XenApp and Web Server (IIS) server roles, refer to the System Requirements topic for your version of XenApp.

If you specified a custom XML Service port during installation, you can change the XML port number if necessary.

Note: The port option appears only if you entered a different port number than the default Share with IIS during the Web Interface installation. Use the XML Service policy setting to change the port number.

To change the XML service port

  1. Locate the Citrix Computer policy setting for the XML Service.
  2. Configure the XML service port setting. Citrix recommends using port 8080.

To enable XenApp to trust requests sent to the XML Service

The trust setting is needed only for Smooth Roaming when users authenticate using pass-through or smart-card authentication with Web Interface, or for smart-card authentication with the Citrix Receiver (formerly called the Online Plug-in). Trust is not required for explicit authentication.

  1. Locate the Citrix Computer policy setting for the XML Service.
  2. Configure the Trust XML requests setting (disabled by default).

If you do not trust XML requests, certain features of XenApp are not available. Trusting requests sent to the XML Service means:
  • Smooth Roaming works when connecting with the Web Interface using pass-through or smart card authentication, and when connecting with the Receiver using smart card authentication or the Kerberos pass-through option.

    For example, you can use workspace control to assist health-care workers in a hospital using smart cards, who need to move quickly among workstations and be able to pick up where they left off in published applications.

  • XenApp can use the information passed on from Access Gateway (starting with Version 4.0) to control application access and session policies. This information includes Access Gateway filters that can be used to control access to published applications and to set XenApp session policies. If you do not trust requests sent to the XML Service, this additional information is ignored.

Before enabling the Citrix XML Service to trust requests it receives, use IPsec, firewalls, or another technology to ensure that only trusted services communicate with the Citrix XML Service.

To avoid security risks, enable the setting only under the following conditions:

  • Some users connecting to their sessions using the Web Interface are also using pass-through authentication or smart cards.
  • The same users need to move from one client device to another and still be able to pick up where they left off in published applications.
  • You implemented IPsec, firewalls, or any technology that ensures that only trusted services communicate with the XML Service.
  • You are selecting this setting only on servers that are contacted by the Web Interface.
  • You are restricting access to the XML Service to the servers running the Web Interface. When Internet Information Services (IIS) and the XML Service share a port, you can use IIS to restrict port access to include the IP addresses of servers running the Web Interface only.
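
One way to check the firewall condition above on a XenApp server, as an added example that is not part of the original Citrix documentation: the PowerShell script below lists enabled inbound allow rules in Windows Firewall that cover the XML Service port and admit sources other than your Web Interface servers. Port 8080 and the 192.0.2.x addresses are constructed values; the script assumes Windows Firewall is enabled and blocks unmatched inbound connections by default.

```powershell
# Added example (not Citrix code): find Windows Firewall rules that let
# hosts other than the Web Interface servers reach the XML Service port.
$XmlPort       = 8080                          # port set in the XML Service policy
$WebInterfaces = @('192.0.2.10', '192.0.2.11') # constructed Web Interface IPs

function Test-PortCovered([string]$LocalPorts, [int]$Port) {
    # LocalPorts is '*', a keyword such as RPC, or a comma list of ports/ranges.
    foreach ($item in ($LocalPorts -split ',')) {
        $item = $item.Trim()
        if ($item -eq '*') { return $true }
        if ($item -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($item -match '^\d+$' -and [int]$item -eq $Port) { return $true }
    }
    return $false
}

function Get-UnlistedSources([string]$RemoteAddresses, [string[]]$Allowed) {
    # Anything that is not a single allow-listed host (subnet, range, '*',
    # LocalSubnet, unknown IP) is returned for review.
    foreach ($addr in ($RemoteAddresses -split ',')) {
        $hostOnly = $addr.Trim() -replace '/(32|255\.255\.255\.255)$', ''
        if ($Allowed -notcontains $hostOnly) { $addr.Trim() }
    }
}

# The firewall COM API is used so the script also runs where the
# NetSecurity cmdlets are not available.
$policy   = New-Object -ComObject HNetCfg.FwPolicy2
$findings = @(foreach ($rule in $policy.Rules) {
    if (-not $rule.Enabled) { continue }
    if ($rule.Direction -ne 1 -or $rule.Action -ne 1) { continue }      # inbound, allow
    if ($rule.Protocol -ne 6 -and $rule.Protocol -ne 256) { continue }  # TCP or any
    if ($rule.Protocol -eq 6 -and
        -not (Test-PortCovered $rule.LocalPorts $XmlPort)) { continue }
    $bad = @(Get-UnlistedSources $rule.RemoteAddresses $WebInterfaces)
    if ($bad.Count -gt 0) {
        New-Object PSObject -Property @{
            Rule = $rule.Name; Ports = $rule.LocalPorts; Unlisted = ($bad -join ',')
        }
    }
})

if ($findings.Count -eq 0) {
    "No inbound allow rule exposes TCP $XmlPort beyond the listed Web Interface servers."
} else {
    $findings | Format-Table Rule, Ports, Unlisted -AutoSize
}
```

The check is deliberately conservative: it ignores program and profile scoping, so a listed rule is one to review before enabling Trust XML requests, not proof of exposure.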

To manually change the XML Service port to use a port different from IIS after installation

Note: This setting takes effect only after the XML Service restarts.

The XML Service port that is set by using a Group Policy Object takes precedence over the port you set at the command line with this method.

  1. At a command prompt, stop IIS by typing: net stop w3svc
  2. Delete the following files from the IIS scripts directory on your Web server:
    • ctxadmin.dll
    • CtxConfProxy.dll
    • ctxsta.dll
    • radexml.dll
    • wpnbr.dll
  3. At a command prompt, restart IIS by typing: net start w3svc
    The XML Service no longer shares a port with IIS.
  4. To ensure the XML Service is stopped, at a command prompt, type: net stop ctxhttp
  5. At a command prompt, to unload the XML Service from memory, type: ctxxmlss /u
  6. To install the XML service, type: ctxxmlss /rnn where nn is the number of the port you want to use; for example, ctxxmlss /r88 forces the Citrix XML Service to use TCP/IP port 88.
  7. At a command prompt, start the XML Service by typing: net start ctxhttp

To manually configure Citrix XML Service to share the TCP port with IIS

You must have Administrator privileges to configure the Citrix XML Service.

  1. At a command prompt, stop the XML Service by typing: net stop ctxhttp
  2. At a command prompt, to unregister the Citrix XML Service, type: ctxxmlss /u
  3. Copy the following files to the IIS scripts directory on your Web server:
    • ctxconfproxy.dll
    • ctxsta.config
    • ctxsta.dll
    • ctxxmlss.exe
    • ctxxmlss.txt
    • radexml.dll
    • wpnbr.dll
    These files are installed in \Program Files (x86)\Citrix\System32 during XenApp installation. The default scripts directory is \Inetpub\AdminScripts.
  4. In the IIS scripts directory, create a folder called ctxadmin and copy the file ctxadmin.dll from \Program Files (x86)\Citrix\System32 to \Inetpub\AdminScripts\ctxadmin.
  5. Ensure that you have read and write permission to the files in the IIS scripts directory; for example, use Windows Explorer to view and change the permissions.
  6. At a command prompt, stop and restart the Web server by typing: iisreset
    This setting takes effect after the Web server restarts.