
Specifying Trusted Servers for Streamed Services and Profiles

Mar 15, 2011
To ensure that unsigned profiles and services stream only from approved locations, edit the registry on user devices to enable a whitelist of trusted servers:
  • For unsigned profiles that include services, you must create a whitelist of approved server locations on the user device. If a profile attempts to stream a service from a location that is not on the whitelist, the service launch is denied and an event is written to the event log.
  • Optionally, to extend the whitelist requirement to unsigned profiles without services, create an additional registry setting.

Signed profiles are always trusted, whether or not they include services, so no whitelist entry is required for them.

Warning

Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Creating a Whitelist of Locations for Unsigned Profiles with Services

To ensure that user devices run only approved services, edit the registry on user devices to enable a whitelist of approved server locations.

  1. On the user device, create the following registry location:

    64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Rade

    32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Rade

    Value: AppHubWhiteList

    Type: REG_SZ

  2. Set the value to the approved locations, separated by semicolons (;) or commas (,); spaces before or after the separator are ignored. Each entry is a server name, a UNC share path, or a local file system folder that holds the App Hub (the profile location). Each entry authorizes everything beneath it, so make entries as specific as the deployment allows.
    For example:
    • \\server\sharename
    • \\server.example.net\sharename\directory
    • \\server.example.net\profiles

    If the application is streamed from a web location (also called HTTP streaming), the entry in AppHubWhiteList must carry the http:// or https:// prefix. The two schemes are distinct: an https profile location is matched only by an https entry, and an http location only by an http entry.

    That is, if the profile location is https://12.0.0.1/profiles/office/office.profile, then AppHubWhiteList must contain https://12.0.0.1 or https://12.0.0.1/profiles.

    The following examples are valid entries:
    • http://streamauto;https://12.0.0.1
    • http://webshare.example.com/sharename
    • 12.0.0.1;streamauto;webshare.example.com
    • 12.0.0.1;c:\profiles;c:\folder with spaces;webshare.example.com
    • 12.0.0.1; c:\profiles; webshare.example.com

After you create the registry entry and whitelist on user devices, unsigned profiles with services can load only from the locations on the whitelist. Signed profiles are always allowed.

Extending the Whitelist to Unsigned Profiles without Services

Optionally, to require all profiles, even those without services, to stream only from locations on the whitelist, after creating the registry entry and whitelist in the previous steps, create an additional registry entry:
  1. On the user device, create the following registry location:

    64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Rade

    32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Rade

    Value: AppHubWhiteListRequired

    Type: REG_DWORD

  2. Set the value:
    • 1 - Applies the whitelist requirement to unsigned profiles without services
    • 0 - Does not apply the whitelist requirement to unsigned profiles without services

After you create the registry entry and whitelist in the previous steps and then create and enable this registry entry on the user device, all unsigned profiles, with or without services, can load only from the locations on the whitelist. Signed profiles are always allowed.

Disabling Backward Compatibility

By default, an AppHubWhiteList entry can be either a bare server name (the form accepted by the 6.0 release) or a share path (added in 6.5). A share path is the better protected form: it authorizes only that share, whereas a bare server name authorizes every share on that host. No registry change is needed for the default behavior.

To disable backward compatibility with the 6.0 release and allow only share names, create the following registry setting:
  1. On the user device, create the following registry location:

    64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Rade\

    32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Rade\

    Value: AppHubBackWardCompatible

    Type: REG_DWORD

  2. Set the value:
    • 0 - Disables backward compatibility
    • 1 - Enables backward compatibility
Note: To re-enable backward compatibility, either change the registry value or delete the registry entry.
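The three procedures above (creating AppHubWhiteList, setting AppHubWhiteListRequired, and disabling backward compatibility) can be applied in one step. The following PowerShell script is an added example, not Citrix's code. It assumes Windows PowerShell 3.0 or later run as an administrator in a native session (64-bit PowerShell on 64-bit Windows, so that registry redirection does not move the values), that the Citrix streaming client is installed, and that the server and URL names in $Locations are placeholders to be replaced with your own. It rejects bare server names before writing, because the script also sets AppHubBackWardCompatible to 0, under which such entries would no longer match.

```powershell
# Added example (not Citrix code): configure the App Hub whitelist on a user device.
# Requires an elevated, native PowerShell session; the values live under HKLM.

# Approved locations. These names are placeholders; use share paths and https URLs.
$Locations = @(
    '\\fileserver.example.net\profiles',
    'https://apphub.example.net/profiles'
)

# A 32-bit PowerShell on 64-bit Windows would write to a redirected key; refuse that.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    throw 'Run this script from a 64-bit PowerShell session.'
}

# The streaming client settings sit under Wow6432Node on 64-bit Windows.
$KeyPath = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\Citrix\Rade'
} else {
    'HKLM:\SOFTWARE\Citrix\Rade'
}

# Sanity-check the entry forms before touching the registry.
foreach ($loc in $Locations) {
    if ($loc -match '^http://') {
        # Plaintext HTTP is accepted by the client but is not protected in transit.
        Write-Warning "Plaintext http entry: $loc"
    }
    elseif ($loc -notmatch '^(https?://|\\\\[^\\]+\\[^\\]+|[A-Za-z]:\\)') {
        # Not a URL, UNC share path or local folder: a 6.0-style bare server name,
        # which allows any share on the host and will not match once
        # AppHubBackWardCompatible is 0.
        throw "Bare server name not allowed with backward compatibility disabled: $loc"
    }
}

# Create the Rade key if it is not present.
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Whitelist of approved locations (REG_SZ, semicolon-delimited).
New-ItemProperty -Path $KeyPath -Name 'AppHubWhiteList' -PropertyType String `
    -Value ($Locations -join ';') -Force | Out-Null

# Extend the whitelist requirement to unsigned profiles without services.
New-ItemProperty -Path $KeyPath -Name 'AppHubWhiteListRequired' -PropertyType DWord `
    -Value 1 -Force | Out-Null

# Accept share paths only; reject 6.0-style bare server names.
New-ItemProperty -Path $KeyPath -Name 'AppHubBackWardCompatible' -PropertyType DWord `
    -Value 0 -Force | Out-Null

# Read back what was written so the result can be confirmed on the device.
Get-ItemProperty -Path $KeyPath |
    Select-Object AppHubWhiteList, AppHubWhiteListRequired, AppHubBackWardCompatible
```

Because these values live under HKEY_LOCAL_MACHINE, standard users cannot change them, but a local administrator can; on managed devices, deploy the same settings through Group Policy Preferences or a startup script so that a modified or deleted whitelist is restored at the next policy refresh.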