Product Documentation

Configuring the Relay Port and Server Connection Settings

May 03, 2016

April 2016 Documentation Update:

Software updates to XenApp 6.5 and to Secure Gateway 3.3 are available that introduce support for Versions 1.1 and 1.2 of the Transport Layer Security (TLS) protocol. To upgrade your XenApp and/or Secure Gateway deployments, download and apply the following software updates:

For XenApp 6.5: Update XA650R06W2K8R2X64021

For Secure Gateway 3.3: Update 4 (English: SGE330W004; JA: SGJ330W004)

The SSL Relay relays packets only to the target computers listed on the Connection tab of the Citrix SSL Relay Configuration Tool. Until a server certificate is configured, no target computers are listed; once a certificate is added, the computer on which the SSL Relay is installed is listed automatically, so by default the SSL Relay relays only to itself. You can add other computers in the same server farm for redundancy.

Use the Connection tab to configure the listener port and the allowed destinations for the SSL Relay. The target server and port that you specify on the server running the Web Interface or on the Citrix Receiver must appear in this list; connections to a destination that is not listed are not relayed.

See Configuring TCP ports for a list of ports used in a server farm.

Once a certificate is added, the default ICA and Citrix XML Service ports are added for the local computer.
  • Relay Listening Port. The TCP port where SSL clients connect to the SSL Relay. The default port number is 443. If your server has multiple IP addresses, this port is used on all of them. If you change this value, you must make the same change on the client device. You may also need to open the port on any firewalls between the client device and the SSL Relay.
  • Encryption Standard. SSL Relay can be configured to use either SSL or TLS. The protocol that is required is configured using the SSL Relay configuration tool.
    Important: The latest version of TLS (v1.2) is recommended. SSL v3.0 and TLS v1.0/v1.1 are less secure and should only be used while transitioning Citrix Receiver to the latest versions that support TLS v1.2.
  • Server Name. The fully qualified domain name (FQDN) of the server to which to relay the decrypted packets. If certificates are not configured, no servers are listed. If certificates are configured, the FQDN of the server on which the SSL Relay is running appears here.
  • Ports. The TCP ports where ICA and the Citrix XML Service are listening.
Important: If you change the default Citrix SSL Relay port, you must set SSLProxyHost to the new port number in the Citrix Receiver icaclient.adm file. For more information, see the Receiver administrator documentation.

To modify the destination server list

  1. On the server where you installed Citrix SSL Relay, click All Programs > Citrix > Administration Tools > Citrix SSL Relay Configuration Tool.
  2. Click the Connection tab.
    • To add a server to the destination server list:
      1. Click New.
      2. Type the FQDN of the computer in the Server Name box. (This additional server must also be specified in the configuration of servers running the Web Interface.)
      3. Type the port number of the Citrix XML Service in the Destination ports box and click Add.
    • To change the port for a server listed in the destination server list:
      1. Select the server entry and click Edit.
      2. In the Target Server Properties dialog box, select a destination port to remove and click Delete.
      3. In the field below Destination ports, type the number of the new destination port and click Add.

Configuring TCP Ports

This table lists the TCP/IP ports that the servers, Citrix Receiver, IMA Service, and other Citrix services use in a server farm. This information can help you configure firewalls and troubleshoot port conflicts with other software.
Communication                                   Default port                   Configuration
Citrix AppCenter                                135                            Not configurable
Citrix SSL Relay                                443                            See Using the SSL Relay with the Microsoft Internet Information Service (IIS)
Citrix XML Service                              80                             See Install and Configure
Client-to-server (directed UDP)                 1604                           Not configurable
ICA sessions (clients to servers)               1494                           See ICAPORT
Citrix Vendor Daemon                            7279                           See the licensing documentation
License Management Console                      8082                           See the licensing documentation
Server to license server                        27000                          In the console, open the farm or server properties page, and select License Server
Server to Microsoft SQL Server or Oracle server 139, 1433, or 443 for MS-SQL   See the documentation for the database software
Server to server                                2512                           See IMAPORT
Remote AppCenter to server                      2513                           See IMAPORT
Session reliability                             2598                           See Maintaining Session Activity
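As an added example (not from the Citrix documentation), the following PowerShell script probes the TCP ports from the table on a XenApp server from the machine where you run it, for example a Web Interface server, and reports each port as open, closed (actively refused) or filtered (no reply). The server name and the port values are assumptions; substitute your own, including any port you changed with ICAPORT or IMAPORT.

```powershell
# Added example, not Citrix code. Probes the TCP ports from the table above on a
# XenApp server. Host name and port values are assumptions; adjust to your farm.
# 1604 is UDP and cannot be checked with a TCP connect, so it is left out.
$XenAppServer = 'xenapp01.example.com'     # assumed FQDN of a farm server
$Ports = @{
    'Citrix SSL Relay'    = 443
    'Citrix XML Service'  = 80
    'ICA sessions'        = 1494
    'Server to server'    = 2512
    'Session reliability' = 2598
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Bounded wait: a firewall that silently drops the SYN would otherwise
        # hang the probe for the full TCP connect timeout.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'filtered (no reply within timeout)'
        }
        $client.EndConnect($async)   # throws SocketException on an active refusal (RST)
        return 'open'
    } catch {
        $e = $_.Exception
        if ($e.InnerException) { $e = $e.InnerException }
        return 'closed (' + $e.Message + ')'
    } finally {
        $client.Close()
    }
}

foreach ($entry in ($Ports.GetEnumerator() | Sort-Object Value)) {
    $state = Test-TcpPort -ComputerName $XenAppServer -Port $entry.Value
    '{0,-22} {1,5}/tcp  {2}' -f $entry.Key, $entry.Value, $state
}
```

A port reported as filtered from the Web Interface server but open from the XenApp server itself points at a firewall between the two; a port reported as closed on the server itself usually means the service is not listening or another product has taken the port.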

Adding Proxy Servers

A proxy server accepts connection requests from user devices and redirects those requests to the appropriate XenApp servers. Like a firewall, a proxy server gives you more control over access to the XenApp servers and raises the level of security of your network. Unlike a firewall, however, a proxy server listens on a port of its own, distinct from the ports used by the XenApp servers, so user devices connect to the proxy rather than directly to the servers.

For information about using proxy servers with the Citrix Receiver, see the Citrix Receiver documentation.

Supported proxy servers are:

  • Microsoft Internet Security and Acceleration (ISA) Server 2004 and 2006
  • iPlanet Web Proxy Server 3.6
  • Squid 2.6 STABLE 4
  • Microsoft Proxy Server 2.0

Configuring Authentication for Workspace Control

If users log on using smart cards or pass-through authentication, you must set up a trust relationship between the server running the Web Interface and any server in the farm that the Web Interface accesses for published applications. Without the trust relationship, the Disconnect, Reconnect, and Log Off (“Workspace Control”) commands fail for those users logging on with smart card or pass-through authentication. For more information about Workspace Control, see Ensuring Session Continuity for Mobile Workers.

You do not need to set up a trust relationship if your users authenticate to the Web Interface or Citrix Receiver by typing in their credentials.

To set up the trust relationship, configure the Citrix Computer policy Trust XML requests setting. The Citrix XML Service communicates information about published applications among servers running the Web Interface and servers running XenApp.

If you configure a server to trust requests sent to the Citrix XML Service, consider these factors:
  • The trust relationship is not necessary unless you want to implement Workspace Control and your users log on using smart cards or pass-through authentication.
  • Enable the trust relationship only on servers directly contacted by the Web Interface. These servers are listed in the Web Interface Console.
  • When you set up the trust relationship, the Citrix XML Service acts on the user identity asserted in the request without checking credentials, so you depend entirely on the Web Interface server to have authenticated the user. To avoid security risks, use SSL Relay, IPSec, firewalls, or any technology that ensures that only trusted services can communicate with the Citrix XML Service. If you enable the trust relationship without such controls, any device that can reach the Citrix XML Service port can issue Workspace Control requests for any user and disconnect or terminate that user's sessions.
  • Configure SSL Relay, IPSec, firewalls, or other technology that you use to secure the environment so that they restrict access to the Citrix XML Service to only the Web Interface servers. For example, if the Citrix XML Service is sharing a port with IIS, you can use the IP address restriction capability in IIS to restrict access to the Citrix XML Service.
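As an added example of the last two points (not from the Citrix documentation), the following PowerShell commands use netsh advfirewall on a XenApp server to restrict inbound access to the Citrix XML Service port to the Web Interface servers. The addresses 10.0.0.10 and 10.0.0.11 and the use of the default port 80 are assumptions; run the commands in an elevated prompt on each XenApp server that has Trust XML requests enabled.

```powershell
# Added example, not Citrix code: scope the Citrix XML Service port to the Web
# Interface servers with Windows Firewall with Advanced Security. Run elevated on
# the XenApp server. Web Interface addresses and the XML port are assumptions.
$XmlPort = 80                                   # default; use your value if changed
$WebInterfaceServers = '10.0.0.10,10.0.0.11'    # assumed addresses of the WI servers

# 1. Make sure unsolicited inbound traffic is blocked by default on every profile;
#    otherwise a scoped allow rule restricts nothing.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Allow the XML port only from the Web Interface servers. With the default
#    inbound action set to block, no separate "block others" rule is needed, and an
#    explicit block rule on the port would override this allow rule for the WI
#    servers as well, because block rules win over allow rules.
netsh advfirewall firewall add rule name="Citrix XML Service - Web Interface only" `
    dir=in action=allow protocol=TCP localport=$XmlPort remoteip=$WebInterfaceServers

# 3. Show every other inbound rule that also opens this port. A broader rule (for
#    example a generic HTTP rule when the XML Service shares port 80 with IIS)
#    would silently re-open the port to everyone and must be disabled or scoped too.
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern "LocalPort:\s+$XmlPort\b" -Context 10,4
```

If the Citrix XML Service shares port 80 with IIS, this rule also limits who can reach IIS on that port; where IIS must stay reachable more widely, use the IIS IP address restriction mentioned above instead so that only the XML Service path is restricted. Remember to extend the remoteip list whenever a Web Interface server is added.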

To run the SSL Relay on port 443 without using HTTPS

  1. Stop the Microsoft Internet Information Service.
  2. Configure and start the SSL Relay service.
  3. Restart the Microsoft Internet Information Service.

Because the SSL Relay service now starts and binds port 443 before IIS does, IIS cannot claim the port, including after a server restart.

Note: When you configure XenApp, members of the local Users group are permitted to edit the values under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Secure\Citrix\Citrix SSL Relay (HKEY_LOCAL_MACHINE\SOFTWARE\Secure\Citrix\Citrix SSL Relay on XenApp, 32-bit Edition). Any member of that group who can log on to the server can therefore change the SSL Relay settings stored there. Use the Microsoft Security Configuration and Analysis tool to remove write access to this key for the Users group.
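As an added example (not from the Citrix documentation), the following PowerShell script does the same check and fix without the Security Configuration and Analysis tool: it reports whether BUILTIN\Users holds any right on the key that allows modification and, if so, breaks inheritance and replaces the Users entries with read-only access. It assumes the 64-bit edition key path shown in the note; run it elevated.

```powershell
# Added example, not Citrix code: audit the ACL on the SSL Relay configuration key
# and reduce BUILTIN\Users to read-only if it can modify the key. Run elevated.
# Assumes the 64-bit edition path; for the 32-bit edition use
# HKLM:\SOFTWARE\Secure\Citrix\Citrix SSL Relay.
$KeyPath = 'HKLM:\SOFTWARE\Wow6432Node\Secure\Citrix\Citrix SSL Relay'
$Users   = 'BUILTIN\Users'

# Rights that let a principal change the relay settings or the key's protection
$WriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::Delete -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Get-UsersWriteAccess {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Users -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]($_.RegistryRights) -band [int]$WriteMask) -ne 0)
    }
}

$bad = @(Get-UsersWriteAccess -Path $KeyPath)
if ($bad.Count -eq 0) {
    "OK: $Users cannot modify $KeyPath"
    return
}
$bad | ForEach-Object {
    Write-Warning ("{0} can modify the key: rights={1} inherited={2}" -f $Users, $_.RegistryRights, $_.IsInherited)
}

# Pass 1: stop inheriting from HKLM\SOFTWARE, keeping the inherited entries as
# explicit ones. Inherited ACEs cannot be removed directly, so this has to be
# written back before the Users entries can be edited.
$acl = Get-Acl -Path $KeyPath
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $KeyPath -AclObject $acl

# Pass 2: drop every Allow entry for Users and grant read-only access instead.
$acl = Get-Acl -Path $KeyPath
foreach ($rule in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Users -and $_.AccessControlType -eq 'Allow' })) {
    $acl.RemoveAccessRuleAll($rule)
}
$readOnly = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Users,
    [System.Security.AccessControl.RegistryRights]::ReadKey,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($readOnly)
Set-Acl -Path $KeyPath -AclObject $acl

if (@(Get-UsersWriteAccess -Path $KeyPath).Count -eq 0) {
    "Fixed: $Users is now read-only on $KeyPath"
} else {
    Write-Error "Users still has write access; inspect the ACL manually (regedit > Permissions)."
}
```

Breaking inheritance is what makes the change stick: an entry that is merely removed from an inheriting key reappears the next time permissions propagate from HKLM\SOFTWARE. Re-run the script after applying XenApp updates, since an update can restore the original permissions.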

Configuring the Ciphersuites Allowed by the SSL Relay

Use the Citrix SSL Relay Configuration Tool to configure which combinations of ciphersuites the SSL Relay will accept from the client (a server running the Web Interface or Citrix Receiver). The Ciphersuites dialog box lists the available and allowed ciphersuites. The SSL Relay accepts connections only from clients that support at least one of the allowed ciphersuites. Installing additional ciphersuites is not supported.

Note: TLS v1.2 is not supported for Web Interface XML transport type SSL Relay.

Available ciphersuites are grouped into GOV (Government) or COM (Commercial). Note that GOV ciphersuites are normally used when TLS is specified. However, any combination of ciphersuite and security protocol can be used. Contact your organization’s security expert for guidance about which ciphersuites to use.

Descriptions of ciphersuites are found in Appendix C of the Internet Society RFC 2246, available online at http://www.rfc-editor.org.

By default, connections using any of the supported ciphersuites are allowed.

To add or remove ciphersuites

  1. On the server where you installed Citrix SSL Relay, click All Programs > Citrix > Administration Tools > Citrix SSL Relay Configuration Tool. Click the Ciphersuites tab.
  2. Select a ciphersuite from the left column. To allow it, click Add. To disallow it, from the right column, click Remove.
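As an added example (not from the Citrix documentation), the following PowerShell script offers each protocol version in turn to the SSL Relay listener and reports what is negotiated. Use it after changing the Encryption Standard or the allowed ciphersuites to confirm that SSL 3.0 and TLS 1.0/1.1 are refused and that TLS 1.2 succeeds with an expected ciphersuite. The relay name is an assumption, and the test machine needs .NET 4.5 or later for the Tls11 and Tls12 values.

```powershell
# Added example, not Citrix code: try each protocol version against the SSL Relay
# listener and report the negotiated protocol and ciphersuite components.
# Host name is an assumption; it must match the name in the relay's certificate.
$RelayHost = 'relay.example.com'   # assumed FQDN of the SSL Relay server
$RelayPort = 443                   # Relay Listening Port from the Connection tab

function Test-RelayProtocol {
    param([string]$ComputerName, [int]$Port,
          [System.Security.Authentication.SslProtocols]$Protocol)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    # Default (strict) certificate validation is kept on purpose, so an untrusted
    # or mismatched relay certificate is reported rather than silently accepted.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $true)
        '{0,-6} accepted: negotiated {1}, cipher {2}/{3} bits, hash {4}, key exchange {5}' -f `
            $Protocol, $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.CipherStrength, `
            $ssl.HashAlgorithm, $ssl.KeyExchangeAlgorithm
    } catch {
        $e = $_.Exception
        while ($e.InnerException) { $e = $e.InnerException }
        '{0,-6} rejected: {1}' -f $Protocol, $e.Message
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

foreach ($p in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    Test-RelayProtocol -ComputerName $RelayHost -Port $RelayPort -Protocol $p
}
```

A rejection can also come from the test machine's own SCHANNEL configuration (for example when SSL 3.0 is disabled client-side), so a version that the relay is expected to refuse should be confirmed from a client that still supports it. Only TLS 1.2 being accepted is the result to aim for once the Receiver transition described under Encryption Standard is complete.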