Sample Deployment with SSL Relay and the Web Interface

Oct 09, 2015

This deployment uses the SSL Relay to provide end-to-end TLS/SSL encryption between the XenApp server and the plugin.

This diagram shows sample deployment A, which uses the SSL Relay.


The deployment uses a server farm comprising XenApp 6 servers. Users run the Citrix online plug-in 12.x on their client devices.

How the Components Interact

Use TLS/SSL to secure the connections between client devices and the XenApp servers. To do this, deploy TLS/SSL-enabled plug-ins to users and configure the SSL Relay on the XenApp servers.

This deployment provides end-to-end encryption of the communication between the client device and the XenApp servers. Both the SSL Relay and the appropriate server certificate must be installed and configured on each server in the farm.

The SSL Relay operates as an intermediary in communication between client devices and the XML Service on each server. Each client device authenticates the SSL Relay by checking the SSL Relay’s server certificate against a list of trusted certificate authorities. After this authentication, the client device and the SSL Relay exchange requests in encrypted form. The SSL Relay decrypts the requests and passes them to the XenApp servers. All information sent to the client device from the servers passes through the SSL Relay, which encrypts the data and forwards it to the client device to be decrypted. Message integrity checks verify that each communication has not been tampered with.

This diagram shows a detailed view of sample deployment A.


Security Considerations for This Deployment

FIPS 140 Validation in Sample Deployment A

In this deployment, the SSL Relay uses the Microsoft cryptographic service providers (CSPs) and associated cryptographic algorithms available in the Microsoft Windows CryptoAPI to encrypt and decrypt communication between client devices and servers. For more information about the FIPS 140 validation of the CSPs, see the Microsoft documentation.

For Windows 7, Windows Vista, Windows XP, Windows Server 2008 R2 (in a XenApp 6 farm), Windows Server 2008 (in a XenApp 5 farm), and Windows Server 2003 (in a XenApp 5 farm), TLS/SSL support and the supported ciphersuites can also be controlled using the following Microsoft security option:

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

For more information, see the documentation for your operating system.

TLS/SSL Support in Sample Deployment A

You can configure XenApp to use either the Transport Layer Security 1.0 protocol or the Secure Sockets Layer 3.0 protocol. In sample deployment A, the components are configured for TLS.

When using the SSL Relay Configuration Tool, ensure that TLS is selected on the Connection tab.

Supported Ciphersuites for Sample Deployment A

In this deployment, XenApp can be configured to use government-approved cryptography, such as the ciphersuite RSA_WITH_3DES_EDE_CBC_SHA, to protect “sensitive but unclassified” data.

When using the SSL Relay Configuration Tool, ensure that only GOV is selected on the Ciphersuite tab.

Alternatively, for TLS connections, you can use AES as defined in FIPS 197. The government ciphersuites are RSA_WITH_AES_128_CBC_SHA for 128-bit keys and RSA_WITH_AES_256_CBC_SHA for 256-bit keys. As defined in RFC 3268 (http://www.ietf.org/rfc/rfc3268.txt), these ciphersuites use RSA key exchange and AES encryption. For more information about AES, see csrc.nist.gov.
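A way to verify from a client device that the SSL Relay actually negotiates what the Connection tab (TLS) and Ciphersuite tab (GOV only) were set to, as an added example that is not Citrix code or part of this documentation. It connects the way a plug-in would, verifying the server certificate against a trusted root, then checks the negotiated protocol and ciphersuite against the three GOV suites named above; the host, port and `ca_file` arguments are assumptions, and the client-side relaxations are needed only because a current Python/OpenSSL refuses TLS 1.0 and these legacy suites by default.

```python
import socket
import ssl

# The three GOV ciphersuites named on this page, keyed by the OpenSSL-style
# names that Python's ssl module reports from SSLSocket.cipher().
GOV_CIPHERSUITES = {
    "DES-CBC3-SHA": "RSA_WITH_3DES_EDE_CBC_SHA",
    "AES128-SHA": "RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA": "RSA_WITH_AES_256_CBC_SHA",
}


def assess_handshake(protocol, cipher_name):
    """Judge a negotiated (protocol, cipher) pair against the deployment's
    expectations: TLS 1.0 only, GOV ciphersuites only. Returns (ok, findings)."""
    findings = []
    if protocol != "TLSv1":
        findings.append(f"negotiated {protocol}; SSL Relay should have TLS selected on the Connection tab")
    if cipher_name not in GOV_CIPHERSUITES:
        findings.append(f"negotiated {cipher_name}; not a GOV ciphersuite (check the Ciphersuite tab)")
    return (not findings, findings)


def probe_ssl_relay(host, port=443, ca_file=None):
    """Connect to an SSL Relay as a plug-in would (server certificate verified
    against the trusted root in ca_file, an assumed argument) and return the
    negotiated (protocol, cipher). Needs network access; not part of the offline check."""
    ctx = ssl.create_default_context(cafile=ca_file)
    # Assumption: the local OpenSSL build still permits TLS 1.0 and these
    # legacy suites once the security level is lowered; modern defaults refuse them.
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("DES-CBC3-SHA:AES128-SHA:AES256-SHA:@SECLEVEL=0")
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, _, _ = tls.cipher()
            return tls.version(), cipher_name


if __name__ == "__main__":
    import sys
    relay_host = sys.argv[1]
    root_ca = sys.argv[2] if len(sys.argv) > 2 else None
    proto, cipher = probe_ssl_relay(relay_host, ca_file=root_ca)
    ok, findings = assess_handshake(proto, cipher)
    print(f"{relay_host}: {proto} {cipher} -> {'OK' if ok else 'REVIEW'}")
    for finding in findings:
        print("  -", finding)
```

A handshake failure (certificate rejected, or no common ciphersuite) is itself a finding: it means the client device's trusted root or the Relay's ciphersuite setting does not match the deployment described here.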

Certificates and Certificate Authorities in Sample Deployment A

Citrix products use standard Public Key Infrastructure (PKI) as a framework and trust infrastructure. In sample deployment A, a separate server certificate is configured for each XenApp server on which the SSL Relay is used. A root certificate is required for each client device.

Smart Card Support in Sample Deployment A

In this deployment, you can configure XenApp to provide smart card authentication. To do this, you must configure authentication with Microsoft Active Directory and use the Microsoft Certificate Authority.

Plug-ins Used in Sample Deployment A

In this deployment, users access their applications using the Citrix plug-in. For more information about the security features and capabilities of Citrix plug-ins, see Receiver and Plug-in Security.