Product Documentation

Sample Deployment with SSL Relay

Sep 15, 2015

This deployment uses the SSL Relay to provide end-to-end SSL/TLS encryption between the XenApp server and the Receiver running on the user devices.

This diagram shows the deployment that uses the SSL Relay.


The following table lists the components of the deployment and the operating systems required for the servers and user devices.

|  | Components | Operating systems |
| --- | --- | --- |
| XenApp farm | XenApp 6.5 for Microsoft Windows Server 2008 R2; SSL Relay enabled; Secure Ticket Authority installed on XenApp server | Windows Server 2008 R2 |
| User devices | Receiver for Windows 3.0; TLS-enabled Web browser | Windows 7; Windows Vista; Windows XP Professional |

How the Components Interact

The network protocol SSL/TLS secures connections between user devices and XenApp servers. To do this, deploy SSL/TLS-enabled plug-ins to users and configure SSL Relay on the XenApp servers.

This deployment provides end-to-end encryption of the communication between the user device and the XenApp servers. Both the SSL Relay and the appropriate server certificate must be installed and configured on each server in the farm.

The SSL Relay operates as an intermediary in communication between user devices and the XML Service on each server. Each user device authenticates the SSL Relay by checking the SSL Relay’s server certificate against a list of trusted certificate authorities. After this authentication, the user device and the SSL Relay negotiate requests in encrypted form. The SSL Relay decrypts the requests and passes them to the XenApp servers. All information sent from the servers to the user device passes through the SSL Relay, which encrypts the data and forwards it to the user device to be decrypted. Message integrity checks verify that each communication has not been tampered with.

This diagram shows a detailed view of this deployment.


Security Considerations for This Deployment

FIPS 140 Validation in This Deployment

In this deployment, the SSL Relay uses the Microsoft cryptographic service providers (CSPs) and associated cryptographic algorithms available in the Microsoft Windows CryptoAPI to encrypt and decrypt communication between user devices and servers. For more information about the FIPS 140 validation of the CSPs, see the Microsoft documentation.

SSL/TLS support and the supported ciphersuites can also be controlled using the Microsoft security option "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" for the following configurations:

| XenApp farm | Operating System |
| --- | --- |
| XenApp 6.5 | Windows 7, Windows Vista, Windows XP, Windows Server 2008 R2 |
| XenApp 6.0 | Windows 7, Windows Vista, Windows XP, Windows Server 2008 R2 |
| XenApp 5.0 | Windows Server 2008, Windows Server 2003 |

For more information, see the documentation for your operating system.

SSL/TLS Support

You can configure XenApp to use either the Secure Sockets Layer 3.0 protocol or the Transport Layer Security 1.0 protocol. In sample deployment A, the components are configured for TLS. When using the SSL Relay Configuration Tool, ensure that TLS is selected on the Connection tab.

Supported Ciphersuites

In this deployment, XenApp can be configured to use government-approved cryptography, such as the ciphersuite RSA_WITH_3DES_EDE_CBC_SHA, to protect “sensitive but unclassified” data. When using the SSL Relay Configuration Tool, ensure that only GOV is selected on the Ciphersuite tab.

For TLS connections, you can choose other Government Ciphersuites that employ RSA key exchange and the Advanced Encryption Standard (AES).
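
The following check is an added example, not Citrix code: it parses a captured ServerHello record and reports whether the SSL Relay negotiated TLS 1.0 and a GOV ciphersuite, matching the Connection and Ciphersuite tab settings described above. The function names, the constructed sample records, and the choice of the two RSA/AES suites as the additional government ciphersuites are assumptions.

```python
import struct

# Wire values from the SSL 3.0 / TLS 1.0 specifications.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0"}
SUITES = {0x0005: "RSA_WITH_RC4_128_SHA", 0x000A: "RSA_WITH_3DES_EDE_CBC_SHA",
          0x002F: "RSA_WITH_AES_128_CBC_SHA", 0x0035: "RSA_WITH_AES_256_CBC_SHA"}
# Assumption: the page's "other Government Ciphersuites" are the two RSA/AES suites.
GOV_SUITES = {0x000A, 0x002F, 0x0035}

def parse_server_hello(record: bytes):
    """Return (version, cipher_suite) from one record holding a ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or rec_len < 4:
        raise ValueError("not a complete handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if body[0] != 0x02 or len(hello) != hs_len or hs_len < 35:
        raise ValueError("not a complete ServerHello")
    version = int.from_bytes(hello[0:2], "big")
    end = 35 + hello[34]  # 2-byte version, 32-byte random, 1-byte session-id length
    if len(hello) < end + 3:  # ciphersuite (2) + compression method (1)
        raise ValueError("ServerHello too short for its session id")
    return version, int.from_bytes(hello[end:end + 2], "big")

def audit(record: bytes):
    """List deviations from the TLS + GOV-only settings; empty means none."""
    version, suite = parse_server_hello(record)
    findings = []
    if version != 0x0301:
        findings.append("protocol %s, expected TLS 1.0" % VERSIONS.get(version, hex(version)))
    if suite not in GOV_SUITES:
        findings.append("ciphersuite %s is not GOV" % SUITES.get(suite, hex(suite)))
    return findings

def build_hello(version, suite, session_id=b""):
    """Constructed sample input: minimal ServerHello record with a zeroed random."""
    hello = struct.pack("!H", version) + bytes(32) + bytes([len(session_id)]) + session_id
    hello += struct.pack("!HB", suite, 0)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs

if __name__ == "__main__":
    for v, s in [(0x0301, 0x000A), (0x0300, 0x000A), (0x0301, 0x0005)]:
        print(hex(v), hex(s), audit(build_hello(v, s)) or "compliant")
```
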

Certificates and Certificate Authorities

Citrix products use standard Public Key Infrastructure (PKI) as a framework and trust infrastructure. In sample deployment A, a separate server certificate is configured for each XenApp server on which the SSL Relay is used. A root certificate is required for each user device. For information on the root certificate source for your user devices, see Citrix Receiver and Plug-ins.

Smart Card Support

In this deployment, you can configure XenApp to provide smart card authentication. To do this, you must configure authentication with Microsoft Active Directory and use the Microsoft Certificate Authority.

Plug-ins Used in This Deployment

In this deployment, users access their applications by using the Receiver. For more information about the security features and capabilities of the Receiver, see Citrix Receiver and Plug-ins Security.