To enable IPSec
to secure communication between Secure Gateway and the XenApp server farm, you
must configure IPSec on each server, including the Secure Gateway server.
IPSec is configured using the local security settings (IP security policies) for each
server. In sample deployment E, IPSec is enabled on the requisite servers and
the security method is configured for 3DES encryption and SHA-1 integrity to
meet FIPS 140 requirements.
In this deployment, the SSL Relay uses the Microsoft cryptographic service providers (CSPs)
and associated cryptographic algorithms available in the Microsoft Windows
CryptoAPI to encrypt and decrypt communication between client devices and
servers. For more information about the FIPS 140 validation of the CSPs, see
the Microsoft documentation.
On Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003, TLS/SSL
support and the supported ciphersuites can also be controlled using the
following Microsoft security option:
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
For more information, see the documentation for your operating system.
In this deployment, you can configure Secure Gateway and the Web Interface to use the
Transport Layer Security 1.0 protocol.
In this deployment, Secure Gateway and the Web Interface can be configured to use
government-approved cryptography, such as the ciphersuite
RSA_WITH_3DES_EDE_CBC_SHA, to protect “sensitive but unclassified” data.
For TLS connections, you can use AES as defined in FIPS 197. The government
ciphersuites are RSA_WITH_AES_128_CBC_SHA for 128-bit keys and
RSA_WITH_AES_256_CBC_SHA for 256-bit keys. As defined in Internet RFC 3268,
these ciphersuites use RSA key exchange and AES encryption. For more
information about AES, see
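One way to confirm that a gateway really negotiates TLS 1.0 with one of the ciphersuites named above is to parse the ServerHello it returns. The following is an added example, not Citrix code. The function names are hypothetical, the numeric code points are the IANA assignments for the suites on this page, and the sample record is constructed.

```python
import struct

# Protocol version and ciphersuites named on this page, keyed by IANA code point.
TLS_1_0 = 0x0301
APPROVED_SUITES = {
    0x000A: "RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "RSA_WITH_AES_128_CBC_SHA",   # RFC 3268
    0x0035: "RSA_WITH_AES_256_CBC_SHA",   # RFC 3268
}

def parse_server_hello(record: bytes):
    """Return (server_version, cipher_suite) from a TLS record starting with a ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len:
        raise ValueError("not a complete handshake record")
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("first handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # Fixed part: version(2) + random(32) + session_id length(1)
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(hello[0:2], "big")
    sid_len = hello[34]
    off = 35 + sid_len
    if sid_len > 32 or len(hello) < off + 3:
        raise ValueError("bad session_id length")
    suite = int.from_bytes(hello[off:off + 2], "big")
    return version, suite

def check_negotiation(record: bytes):
    """Return a list of findings; an empty list means TLS 1.0 with an approved suite."""
    version, suite = parse_server_hello(record)
    findings = []
    if version != TLS_1_0:
        findings.append(f"protocol 0x{version:04x} is not TLS 1.0")
    if suite not in APPROVED_SUITES:
        findings.append(f"ciphersuite 0x{suite:04x} is not an approved suite")
    return findings

def build_sample(version: int, suite: int) -> bytes:
    """Constructed ServerHello record (zero random, empty session id) for testing."""
    hello = struct.pack("!H32sBHB", version, bytes(32), 0, suite, 0)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs
```

Feed `check_negotiation` the first record captured from the server side of a handshake; a ServerHello split across several records is rejected rather than reassembled.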
and Certificate Authorities
use standard Public Key Infrastructure (PKI) as a framework and trust
infrastructure. In sample deployment E, one server certificate is configured on
Secure Gateway and one on the Web Interface. A certificate is also configured
on each XenApp server and on the server running the Password Manager service.
In this deployment, you can configure XenApp to provide smart card authentication. To
do this, you must configure authentication with Microsoft Active Directory and
use the Microsoft Certificate Authority.
In this deployment, users access their applications using the Citrix plug-in. For more
information about the security features and capabilities of Citrix plug-ins,
see Receiver and Plug-in Security.