Securing Client-Server Communications

Apr 29, 2015

There are two methods for encrypting the session data transmitted between clients and servers: SecureICA and SSL/TLS encryption.

By default, all ICA communications are set to Basic ICA protocol encryption. The Basic setting obfuscates data but does not provide industry standard encryption. You can increase the level of SecureICA encryption up to 128-bit and/or add SSL/TLS encryption.

The difference between the two types of client-server encryption is as follows:

  • SecureICA. The SecureICA feature encrypts the session data sent between a server running XenApp and a client. In general, increase the level of ICA protocol encryption when you want to encrypt internal communication within a LAN or a WAN, or you want to encrypt internal access to an intranet. Increasing the level of ICA protocol encryption prevents session data from being sent in clear text, but it does not perform any authentication.
  • SSL/TLS protocols. SSL/TLS protocols can protect you from internal and external threats, depending on your network configuration. Citrix recommends that you enable SSL/TLS protocols. Enabling SSL/TLS ensures the confidentiality, authentication, and integrity of session data.

If you want protection against both internal and external threats, you must enable SSL/TLS encryption. Using SecureICA together with SSL or TLS provides end-to-end encryption.

Both protocols are enabled on the server side when you publish an application or resource. The Web Interface and Citrix online plug-in automatically detect and use the settings specified on the server at publishing time.

The settings you specify for client-server encryption can interact with any other encryption settings in XenApp and your Windows operating system. If a higher priority encryption level is set on either a server or client device, the settings you specify for published resources can be overridden. The most secure of the following settings is used:

  • The setting in Remote Desktop Server Configuration
  • The XenApp policy setting that applies to the connection
  • The client-server setting (that is, the level you set when you publish a resource)
  • The Microsoft Group Policy

When you set an encryption level, make sure that it is consistent with the encryption settings you specified elsewhere. For example, any encryption setting you specify in the TSCC or connection policies cannot be higher than the application publishing setting.

If the encryption level for an application is lower than what you specified through the TSCC and connection policies, the TSCC settings and the policies override the application settings.

Using SecureICA

Updated: 2015-04-29

By default, client-server communications are obfuscated at a basic level through the SecureICA feature, which can be used to encrypt the ICA protocol.

Plug-ins use the ICA protocol to encode user input (keystrokes and mouse clicks) and address it to a server farm for processing. Server farms use the ICA protocol to format application output (display and audio) and return it to the client device.

You can increase the level of encryption for the ICA protocol when you publish a resource or after you publish a resource.

In addition to situations when you want to protect against internal security threats, such as eavesdropping, you may want to use ICA encryption in the following situations:

  • You need to secure communications from devices that use Microsoft DOS or run on Win16 systems
  • You have older devices running plug-in software that cannot be upgraded to use SSL
  • As an alternative to SSL/TLS encryption, when there is no risk of a “man-in-the-middle” attack

When traversing public networks, Citrix does not recommend SecureICA as your only method of encryption; use SSL/TLS encryption instead. Unlike SSL/TLS encryption, SecureICA used on its own does not authenticate the server. Therefore, information could be intercepted as it crosses a public network and then be rerouted to a counterfeit server. Also, SecureICA does not check data integrity.

Enabling SSL/TLS Protocols

If client devices in your environment communicate with your farm across the Internet, Citrix recommends enabling SSL/TLS encryption when you publish a resource. If you want to use SSL/TLS encryption, you must use either the SSL Relay feature or the Secure Gateway to relay ICA traffic to the computer running XenApp.

The nature of your environment may determine the way in which you enable SSL:

  • For client devices communicating with your farm remotely, Citrix recommends that you use the Secure Gateway to pass client communications to the computer running XenApp. The Secure Gateway can be used with SSL Relay on the computer running XenApp to secure the Secure Gateway to XenApp traffic, depending on your requirements.
  • For client devices communicating with your farm internally, you can do one of the following to pass client communications to the computer running XenApp:
    • Use the Secure Gateway with an internal firewall and place your farm behind the firewall
    • Use the SSL Relay feature to secure the traffic between servers in your farm

In larger environments, SSL Relay may be inconvenient because it requires storing a certificate on every server in your farm. If you are concerned with internal threats in such environments, consider using the Secure Gateway with an internal firewall instead.

Regardless of whether you use the Secure Gateway or SSL Relay, if you want to use SSL, you must select the Enable SSL and TLS protocols setting when you publish an application.

If you are using Web Interface with the Secure Gateway, see the information about SSL in the Secure Gateway and Web Interface administrator documentation.

To configure session data encryption

The following procedure explains how to increase the level of encryption by enabling SecureICA (ICA protocol encryption) or SSL/TLS (Secure Sockets Layer and Transport Layer Security) encryption after you publish an application.

  1. From the Delivery Services Console, select a published application in the left pane.
  2. From the Action menu, select Application properties.
  3. In the Application Properties dialog box, select Advanced > Client options.
  4. In the Connection encryption section, select one or more of the following:
    • Select the Enable SSL and TLS protocols check box. This option requests the use of the SSL and TLS protocols for clients connecting to the published application.
    • In the Encryption section, select a higher level of encryption from the drop-down list box.

If you are using SecureICA and you want to ensure that ICA traffic is always encrypted at a certain level, you can set a policy for encryption. Creating a SecureICA policy prevents you from accidentally publishing a resource at a lower level of encryption. If this policy is enabled and you publish a resource at a lower level of encryption than the policy requires, the server rejects client connections. For plug-ins that take their encryption settings from the server, such as the Web Interface and the Citrix online plug-in, this can be problematic.

Therefore, as a best practice, Citrix recommends that if you enable an encryption policy, you publish new applications (or resources) by replicating an existing published application and editing the copy so that it points to the new application you want to publish.

To set a policy for ICA encryption

The settings you specify for client-server encryption can interact with any other encryption settings in XenApp and your Windows operating system. If a higher priority encryption level is set on either a server or client device, settings you specify for published resources can be overridden.

SecureICA does not perform authentication or check data integrity. To provide end-to-end encryption for your server farm, use SecureICA with SSL/TLS encryption. SecureICA does not use FIPS-compliant algorithms. If this is an issue, configure the server and plug-ins to avoid using SecureICA.

  1. Configure the Citrix User policy SecureICA minimum encryption level setting with one of the following options:
    • Basic. Encrypts the client connection using a non-RC5 algorithm. It protects the data stream from being read directly, but it can be decrypted.
    • RC5 (128 bit) logon only. Encrypts the logon data with RC5 128-bit encryption and the client connection using Basic encryption.
    • RC5 (40 bit). Encrypts the client connection with RC5 40-bit encryption.
    • RC5 (56 bit). Encrypts the client connection with RC5 56-bit encryption.
    • RC5 (128 bit). Encrypts the client connection with RC5 128-bit encryption.
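The precedence rule ("the most secure setting wins") and the policy-versus-publishing conflict that causes the server to reject connections are easy to get wrong when several layers are configured. The following is an added example, not Citrix code or part of the original page: a small Python model of the four setting sources and the SecureICA levels listed above, with a checker that flags a published resource whose level is lower than what the policy requires, and flags SecureICA-only protection on a public network. The field names, the ranking of "RC5 (128 bit) logon only" below "RC5 (40 bit)" (taken from the order of the list above, since only the logon is encrypted at 128 bits), and the warning texts are assumptions of this example.

```python
"""Added example (not Citrix code): model the XenApp encryption-level
precedence and flag publishing/policy conflicts before they reject
client connections."""
from dataclasses import dataclass
from typing import List, Optional

# SecureICA minimum encryption levels, weakest to strongest.
# Assumption: the order follows the policy option list in the document;
# "logon only" leaves the session at Basic, so it ranks below RC5 (40 bit).
LEVELS = [
    "Basic",
    "RC5 (128 bit) logon only",
    "RC5 (40 bit)",
    "RC5 (56 bit)",
    "RC5 (128 bit)",
]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class EncryptionSettings:
    """One value per layer that can set an encryption level (field names are
    hypothetical). None means the layer is not configured."""
    rds_config: Optional[str] = None          # Remote Desktop Server Configuration (TSCC)
    xenapp_policy: Optional[str] = None       # Citrix User policy: SecureICA minimum level
    published_resource: Optional[str] = None  # level chosen when publishing the resource
    group_policy: Optional[str] = None        # Microsoft Group Policy
    ssl_tls_enabled: bool = False             # "Enable SSL and TLS protocols" check box
    crosses_public_network: bool = False      # constructed flag for the checker


def _validate(level: Optional[str]) -> None:
    if level is not None and level not in RANK:
        raise ValueError(f"unknown SecureICA level: {level!r}")


def effective_level(s: EncryptionSettings) -> str:
    """Most secure of the configured layers; Basic when nothing is set."""
    layers = (s.rds_config, s.xenapp_policy, s.published_resource, s.group_policy)
    for lvl in layers:
        _validate(lvl)
    configured = [lvl for lvl in layers if lvl]
    if not configured:
        return "Basic"
    return max(configured, key=lambda lvl: RANK[lvl])


def check(s: EncryptionSettings) -> List[str]:
    """Warnings an administrator would want before publishing a resource."""
    warnings: List[str] = []
    published = s.published_resource or "Basic"
    _validate(published)
    higher_layers = (
        ("SecureICA policy", s.xenapp_policy),
        ("RDS configuration", s.rds_config),
        ("Group Policy", s.group_policy),
    )
    for name, lvl in higher_layers:
        _validate(lvl)
        if lvl and RANK[lvl] > RANK[published]:
            # The document: a resource published below the policy level makes
            # the server reject connections from plug-ins that take the
            # published level (Web Interface, online plug-in).
            warnings.append(
                f"{name} requires {lvl} but the resource is published at "
                f"{published}; the server will reject client connections"
            )
    if s.crosses_public_network and not s.ssl_tls_enabled:
        warnings.append(
            "public network without SSL/TLS: SecureICA alone gives no server "
            "authentication and no integrity check"
        )
    return warnings


if __name__ == "__main__":
    # Constructed scenario: policy demands 128-bit, resource published at 40-bit.
    scenario = EncryptionSettings(
        xenapp_policy="RC5 (128 bit)",
        published_resource="RC5 (40 bit)",
        crosses_public_network=True,
    )
    print("effective level:", effective_level(scenario))
    for w in check(scenario):
        print("WARNING:", w)
```

Run the checker against the levels you intend to configure at each layer before publishing; an empty list from check() means the published level is at least as strong as every policy layer and SSL/TLS is enabled wherever traffic leaves the internal network.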