Product Documentation

Securing endpoints using TLS

Jun 13, 2017

This document explains how to use TLS to secure the Monitor Service OData API endpoints. If you choose to use TLS, you must configure TLS on all Delivery Controllers in the site; you cannot use a mixture of TLS and non-TLS.

To secure Monitor Service endpoints using TLS, you must perform the following configuration. Some steps need to be done only once per site; others must be run on every machine hosting the Monitor Service in the site. The steps are described below.

Part 1: Certificate registration with the system

  1. Create a certificate using a trusted certificate manager. The certificate must be associated with the port on the machine that you wish to use for OData TLS.
  2. Configure the Monitor Service to use this port for TLS communication. The exact steps depend on your environment and on how certificates are managed there. The following example shows how to configure port 449:
  • Associate the certificate with a port:
    netsh http add sslcert ipport=0.0.0.0:449 certhash=97bb629e50d556c80528f4991721ad4f28fb74e9
        appid='{00000000-0000-0000-0000-000000000000}'
    Tip: In a PowerShell command window, put single quotes around the GUID in appid, as shown above, or the command will not work. The line break in this example was added for readability only; enter the command on a single line.
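The following script is an added example of the certificate binding step, not Citrix's own code. It runs on one Controller and assumes port 449, a certificate in Cert:\LocalMachine\My, and a placeholder subject name ($Subject) that you replace with your controller certificate's subject. It picks a usable certificate (private key present, not expired), warns if it is self-signed, skips the netsh add when the port is already bound to that thumbprint, and re-reads the binding afterwards to confirm it took effect.

```powershell
# Added example, not Citrix's own code: bind a certificate to the OData TLS port on
# this Controller and confirm the binding. Assumptions: port 449, the certificate is
# in Cert:\LocalMachine\My, and $Subject is a placeholder for your cert's subject.
$Subject = 'CN=controller01.example.local'             # placeholder subject, replace it
$Port    = 449
$AppId   = '{00000000-0000-0000-0000-000000000000}'    # appid used in the doc's command

# Choose the newest unexpired certificate that has a private key (netsh requires one).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No usable certificate for '$Subject' in Cert:\LocalMachine\My" }

# A self-signed certificate binds fine but OData clients will not trust it
# unless its issuer is in their trusted root store.
if ($cert.Issuer -eq $cert.Subject) {
    Write-Warning "Certificate $($cert.Thumbprint) is self-signed; clients must explicitly trust it"
}

$ipport = "0.0.0.0:$Port"

# netsh refuses to add a duplicate binding, so check the current state first.
$existing = (netsh http show sslcert "ipport=$ipport") -join "`n"
if ($existing -match "Certificate Hash\s*:\s*$($cert.Thumbprint)") {
    Write-Host "Port $Port is already bound to $($cert.Thumbprint)"
}
else {
    # Quoting each argument as a whole string keeps PowerShell from interpreting the
    # braces in the GUID, the same problem the single quotes in the doc's command avoid.
    netsh http add sslcert "ipport=$ipport" "certhash=$($cert.Thumbprint)" "appid=$AppId"
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }
}

# Re-read the binding and fail loudly if http.sys does not report our thumbprint.
$bound = (netsh http show sslcert "ipport=$ipport") -join "`n"
if ($bound -notmatch "Certificate Hash\s*:\s*$($cert.Thumbprint)") {
    throw "Binding on $ipport does not show thumbprint $($cert.Thumbprint)"
}
Write-Host "OK: $ipport is bound to $($cert.Subject) ($($cert.Thumbprint)), expires $($cert.NotAfter)"
```

Run it in an elevated PowerShell window on each Controller after importing the certificate. The binding alone does not open the port; nothing listens on 449 until the Monitor Service is reconfigured in Part 2, so a connection test belongs after that step.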

Part 2: Modify the Monitor Service configuration settings

  1. From any Delivery Controller in the site, run the following PowerShell commands once. This removes the Monitor Service registration with the Configuration Service.
    asnp citrix.*

    $serviceGroup = Get-ConfigRegisteredServiceInstance -ServiceType Monitor | Select-Object -First 1 ServiceGroupUid

    Remove-ConfigServiceGroup -ServiceGroupUid $serviceGroup.ServiceGroupUid
    
  2. Do the following on all Controllers in the site:
    • Using a cmd prompt, locate the installed Citrix Monitor directory (typically C:\Program Files\Citrix\Monitor\Service). Within that directory run:
      Citrix.Monitor.Exe -CONFIGUREFIREWALL -ODataPort 449 -RequireODataSsl
    • Run the following PowerShell commands:
      asnp citrix.*   # if not already run in this window

      Get-MonitorServiceInstance | Register-ConfigServiceInstance

      Get-ConfigRegisteredServiceInstance -ServiceType Config | Reset-MonitorServiceGroupMembership
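Because a mixture of TLS and non-TLS Controllers is not supported, the useful check after Part 2 is site-wide: every Monitor OData registration should point at https on the TLS port, and every Controller should complete a TLS handshake with a certificate the client trusts. The script below is an added example, not Citrix's own code. It assumes the Citrix snap-ins are installed on the machine it runs on, port 449, and that OData registration addresses contain '/OData/' (an assumption about the URL shape, not taken from the doc). It uses the default SslStream validation, so an untrusted, expired or misnamed certificate surfaces as an error the same way it would for an OData client.

```powershell
# Added example, not Citrix's own code: verify the Monitor OData registrations of
# every Controller in the site after Part 2. Assumptions: port 449, Citrix snap-ins
# available, and OData addresses containing '/OData/' (assumed URL shape).
asnp citrix.*

$ExpectedPort = 449

function Test-ControllerTls {
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # No custom validation callback: default chain and hostname checks apply, so an
        # untrusted or misnamed certificate makes AuthenticateAsClient throw.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($ComputerName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol   = $ssl.SslProtocol
            Thumbprint = $served.Thumbprint
            Expires    = $served.NotAfter
            Error      = $null
        }
    }
    catch {
        [pscustomobject]@{
            Protocol   = $null
            Thumbprint = $null
            Expires    = $null
            Error      = $_.Exception.Message
        }
    }
    finally {
        $client.Close()
    }
}

# Only the OData registrations matter here; the other Monitor interfaces are not the TLS endpoint.
$odata = Get-ConfigRegisteredServiceInstance -ServiceType Monitor |
    Where-Object { $_.Address -like '*/OData/*' }
if (-not $odata) { throw "No Monitor OData registrations found; re-run Part 2 on each Controller" }

$report = foreach ($instance in $odata) {
    $uri = [Uri]$instance.Address
    $tls = Test-ControllerTls -ComputerName $uri.Host -Port $uri.Port
    [pscustomobject]@{
        Controller = $uri.Host
        Address    = $instance.Address
        UsesTls    = ($uri.Scheme -eq 'https' -and $uri.Port -eq $ExpectedPort)
        Protocol   = $tls.Protocol
        Thumbprint = $tls.Thumbprint
        Expires    = $tls.Expires
        Error      = $tls.Error
    }
}
$report | Format-Table -AutoSize

# Any Controller still registered without TLS, or failing the handshake, breaks the
# all-or-nothing requirement for the whole site.
$broken = $report | Where-Object { -not $_.UsesTls -or $_.Error }
if ($broken) {
    Write-Warning ("Controllers not serving OData over TLS on port {0}: {1}" -f $ExpectedPort, ($broken.Controller -join ', '))
    exit 1
}
Write-Host "All $(@($report).Count) Monitor OData registrations use https on port $ExpectedPort and complete a TLS handshake"
```

A Controller that still shows an http address has not had the commands in step 2 run on it; a Controller with an https address but a handshake error usually has a binding problem from Part 1 or a certificate the querying machine does not trust.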