April 2016 Documentation Update:
Software updates to XenApp 6.5 and to Secure Gateway 3.3 are available that introduce support for Versions 1.1 and 1.2 of the Transport Layer Security (TLS) protocol. To upgrade your XenApp and/or Secure Gateway deployments, download and apply the following software updates:
For XenApp 6.5: Update XA650R06W2K8R2X64021
The SSL Relay relays packets only to the target computers listed on the Connection tab of the Citrix SSL Relay Configuration Tool. By default, the SSL Relay is configured to relay packets only to the target computer on which the SSL Relay is installed. You can add other computers in the same server farm for redundancy.
Use the Connection tab to configure the listener port and allowed destinations for the SSL Relay. The SSL Relay relays packets only to the target computers listed on the Connection tab. The target server and port specified on your server running the Web Interface or Citrix Receiver must be listed on this tab. By default, no servers are listed.
See Configuring TCP ports for a list of ports used in a server farm.
| Communication | Default port | Configuration |
|---|---|---|
| Citrix AppCenter | 135 | Not configurable |
| Citrix SSL Relay | 443 | See Using the SSL Relay with the Microsoft Internet Information Service (IIS) |
| Citrix XML Service | 80 | See Install and Configure |
| Client-to-server (directed UDP) | 1604 | Not configurable |
| ICA sessions (clients to servers) | 1494 | See ICAPORT |
| Citrix Vendor Daemon | 7279 | See the licensing documentation |
| License Management Console | 8082 | See the licensing documentation |
| Server to license server | 27000 | In the console, open the farm or server properties page, and select License Server |
| Server to Microsoft SQL Server or Oracle server | 139, 1433, or 443 for MS-SQL | See the documentation for the database software |
| Server to server | 2512 | See IMAPORT |
| Remote AppCenter to server | 2513 | See IMAPORT |
| Session reliability | 2598 | See Maintaining Session Activity |
A proxy server accepts connection requests from user devices and redirects those requests to the appropriate XenApp servers. Using a proxy server, much like using a firewall, gives you more control over access to the XenApp servers and provides a heightened level of security for your network. A proxy server, as opposed to a firewall, uses a different port from that used by the XenApp servers.
For information about using proxy servers with the Citrix Receiver, see the Citrix Receiver documentation.
Supported proxy servers are:
If users log on using smart cards or pass-through authentication, you must set up a trust relationship between the server running the Web Interface and any server in the farm that the Web Interface accesses for published applications. Without the trust relationship, the Disconnect, Reconnect, and Log Off (“Workspace Control”) commands fail for those users logging on with smart card or pass-through authentication. For more information about Workspace Control, see Ensuring Session Continuity for Mobile Workers.
You do not need to set up a trust relationship if your users authenticate to the Web Interface or Citrix Receiver by typing in their credentials.
To set up the trust relationship, configure the Citrix Computer policy Trust XML requests setting. The Citrix XML Service communicates information about published applications among servers running the Web Interface and servers running XenApp.
The SSL Relay takes port 443 before IIS does, including when the server is restarted.
Use the Citrix SSL Relay Configuration Tool to configure which combinations of ciphersuites the SSL Relay will accept from the client (a server running the Web Interface or Citrix Receiver). The Ciphersuites dialog box lists the available and allowed ciphersuites. The SSL Relay accepts connections only from clients that support at least one of the allowed ciphersuites. Installing additional ciphersuites is not supported.
Note: TLS v1.2 is not supported for Web Interface XML transport type SSL Relay.
Available ciphersuites are grouped into GOV (Government) or COM (Commercial). Note that GOV ciphersuites are normally used when TLS is specified. However, any combination of ciphersuite and security protocol can be used. Contact your organization’s security expert for guidance about which ciphersuites to use.
Descriptions of ciphersuites are found in Appendix C of the Internet Society RFC 2246, available online at http://www.rfc-editor.org.
By default, connections using any of the supported ciphersuites are allowed.