Session Recording is designed to be deployed within a secure network and accessed by administrators and, as such, is secure. Out-of-the-box deployment is designed to be simple, and security features such as digital signing and encryption can be configured optionally.
Communication between Session Recording components is achieved through Internet Information Services (IIS) and Microsoft Message Queuing (MSMQ). IIS provides the web services communication link between each Session Recording component. MSMQ provides a reliable data transport mechanism for sending recorded session data from the Session Recording Agent to the Session Recording Server.
Consider these security recommendations when planning your deployment:
For information about configuring Session Recording features, see http://support.citrix.com/article/CTX200868.
When the Session Recording Agent, Session Recording Player, or Session Recording Policy Console establishes a TLS connection to the computer on which the Session Recording Server is installed, the IIS Web server sends its server certificate to the client. On receiving the server certificate, the Session Recording Agent, Session Recording Player, or Policy Console determines which Certificate Authority (CA) issued the certificate and whether the client trusts that CA. If the CA is not trusted, the certificate is declined, and either an error is logged in the Application Event log (for the Session Recording Agent) or an error message appears to the user (in the Session Recording Player or Policy Console).
A server certificate is installed by gathering information about the server and requesting a CA to issue a certificate for that server. You must specify the correct information when requesting a server certificate and ensure the server name is specified correctly. If clients (Session Recording Agent, Session Recording Player, and Policy Console) connect using the fully qualified domain name (FQDN), the certificate information specified to the CA must use the FQDN of the server rather than the NetBIOS name. If you specify NetBIOS names, do not specify the FQDN when requesting a server certificate. Install the server certificate into the local server’s certificate store. Install the issuing CA certificate on each connecting client.
Your organization may have a private CA that issues server certificates that you can use with Session Recording. If you are using a private CA, ensure each client device has the issuing CA certificate installed. Refer to Microsoft documentation about using certificates and certificate authorities. Alternatively, some companies and organizations currently act as CAs, including VeriSign, Baltimore, Entrust, and their respective affiliates.
All certificates have an expiration date defined by the CA. To find the expiration date, check the properties of the certificate. Ensure certificates are renewed before the expiration date to prevent any errors occurring in Session Recording.
The Session Recording installation is configured to use HTTPS by default and requires that you configure the default Web site with a server certificate issued from a CA. If you need instructions for installing server certificates in IIS, consult your IIS documentation.
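The name and expiration requirements above can be checked on the Session Recording Server with a short PowerShell function. This is an added example, not Citrix code; the function name, the 30-day warning window and the host name `srserver.example.local` are assumptions made for illustration.

```powershell
# Added example, not Citrix code. Run on the Session Recording Server.
function Test-ServerCertForName {
    param(
        # Assumption: the exact name (FQDN or NetBIOS) that the Agent,
        # Player and Policy Console use to reach the server.
        [Parameter(Mandatory)] [string] $ConnectName,
        # Assumption: how many days before expiry you want to be warned.
        [int] $WarnDays = 30
    )
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            # DNS names the certificate was issued for (subject name and SAN entries).
            $names = @($_.DnsNameList | ForEach-Object { $_.Unicode })
            # Validates the chain to a trusted root, the server authentication
            # usage and the name, using the Windows SSL policy.
            $sslOk = Test-Certificate -Cert $_ -Policy SSL -DNSName $ConnectName `
                -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
            $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
            [pscustomobject]@{
                Thumbprint  = $_.Thumbprint
                IssuedTo    = $names -join ', '
                Issuer      = $_.Issuer
                # -contains is case-insensitive; wildcard names are left to Test-Certificate.
                NameListed  = $names -contains $ConnectName
                ValidForSsl = [bool]$sslOk
                NotAfter    = $_.NotAfter
                DaysLeft    = $daysLeft
                RenewNow    = $daysLeft -le $WarnDays
            }
        }
}

# Constructed host name; replace with the name your clients connect to.
Test-ServerCertForName -ConnectName 'srserver.example.local' | Format-List
```

`ValidForSsl` reflects the trust store of the machine the function runs on; each connecting client still needs the issuing CA certificate in its own store, as described above.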