There are two methods for encrypting the session data transmitted between clients and servers: SecureICA and SSL/TLS encryption.
By default, all ICA communications are set to Basic ICA protocol encryption. The Basic setting obfuscates data but does not provide industry standard encryption. You can increase the level of SecureICA encryption up to 128-bit and/or add SSL/TLS encryption.
The difference between the two types of client-server encryption is as follows:
If you want protection against both internal and external threats, you must enable SSL encryption. Using SecureICA together with SSL or TLS provides end-to-end encryption.
Both protocols are enabled on the server side when you publish an application or resource. The Web Interface and Citrix online plug-in automatically detect and use the settings specified on the server when the resource was published.
The settings you specify for client-server encryption can interact with any other encryption settings in XenApp and your Windows operating system. If a higher priority encryption level is set on either a server or client device, settings you specify for published resources can be overridden. The most secure setting out of any of the settings below is used:
When you set an encryption level, make sure that it is consistent with the encryption settings you specified elsewhere. For example, any encryption setting you specify in the TSCC or connection policies cannot be higher than the application publishing setting.
If the encryption level for an application is lower than what you specified through the TSCC and connection policies, the TSCC settings and the policies override the application settings.
By default, client-server communications are obfuscated at a basic level through the SecureICA feature, which can be used to encrypt the ICA protocol.
Plug-ins use the ICA protocol to encode user input (keystrokes and mouse clicks) and address it to a server farm for processing. Server farms use the ICA protocol to format application output (display and audio) and return it to the client device.
You can increase the level of encryption for the ICA protocol when you publish a resource or after you publish a resource.
In addition to situations when you want to protect against internal security threats, such as eavesdropping, you may want to use ICA encryption in the following situations:
When traversing public networks, Citrix does not recommend SecureICA as your only method of encryption. Citrix recommends using SSL/TLS encryption for traversing public networks. Unlike SSL/TLS encryption, SecureICA used on its own does not provide authentication of the server. Therefore, information could be intercepted as it crosses a public network and then be rerouted to a counterfeit server. Also, SecureICA does not check data integrity.
If client devices in your environment communicate with your farm across the Internet, Citrix recommends enabling SSL/TLS encryption when you publish a resource. If you want to use SSL/TLS encryption, you must use either the SSL Relay feature or the Secure Gateway to relay ICA traffic to the computer running XenApp.
The nature of your environment may determine the way in which you enable SSL:
In larger environments, it may not be convenient to use SSL Relay because doing so requires storing certificates on every server in your farm. In large environments, you may want to use the Secure Gateway with an internal firewall if you are concerned with internal threats.
Regardless of whether you use the Secure Gateway or SSL Relay, if you want to use SSL, you must select the Enable SSL and TLS protocols setting when you publish an application.
If you are using Web Interface with the Secure Gateway, see the information about SSL in the Secure Gateway and Web Interface administrator documentation.
The following procedure explains how to increase the level of encryption by enabling SecureICA (ICA protocol encryption) or SSL/TLS (Secure Sockets Layer and Transport Layer Security) encryption after you publish an application.
If you are using SecureICA and you want to ensure that ICA traffic is always encrypted at a certain level, you can set a policy for encryption. Creating a SecureICA policy prevents you from accidentally publishing a resource at a lower level of encryption. If this policy is enabled and you publish a resource at a lower level of encryption than the policy requires, the server rejects client connections. For plug-ins that take their encryption settings from the server, such as the Web Interface and the Citrix online plug-in, this can be problematic.
Therefore, Citrix recommends as a best practice that, if you enable an encryption policy, you publish new applications (or resources) by replicating an existing published application and editing the copy so that it publishes the new application.
SecureICA does not perform authentication or check data integrity. To provide end-to-end encryption for your server farm, use SecureICA with SSL/TLS encryption. SecureICA does not use FIPS-compliant algorithms. If this is an issue, configure the server and plug-ins to avoid using SecureICA.
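The precedence rule above (the most secure of the published, TSCC and connection-policy settings wins) and the SecureICA policy behaviour (clients negotiating below the policy minimum are rejected) can be modelled as a small audit of published resources. This is an added example, not Citrix code; the level names other than Basic and 128-bit are assumed from the SecureICA option list (RC5 logon-only, 40-, 56- and 128-bit), and the resources are constructed samples.

```python
"""Model of XenApp's encryption precedence and SecureICA policy rules.
Added example, not Citrix code. Level names other than Basic and 128-bit
are assumed from the SecureICA option list; check them against your wizard."""
from dataclasses import dataclass
from typing import List, Optional

# Weakest to strongest; the position in this list is the level's rank.
LEVELS = ["Basic", "RC5-128-logon-only", "RC5-40", "RC5-56", "RC5-128"]


def rank(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"unknown SecureICA level: {level}")
    return LEVELS.index(level)


@dataclass
class PublishedResource:
    name: str
    encryption_level: str   # level selected when the resource was published
    ssl_tls_enabled: bool   # "Enable SSL and TLS protocols" setting


def effective_level(app_level: str, tscc_level: str,
                    policy_level: Optional[str] = None) -> str:
    """The most secure of the published, TSCC and connection-policy levels wins,
    so a weaker publishing setting is overridden by the others."""
    candidates = [app_level, tscc_level] + ([policy_level] if policy_level else [])
    return max(candidates, key=rank)


def audit_resource(res: PublishedResource, policy_minimum: Optional[str],
                   crosses_public_network: bool) -> List[str]:
    """Return the problems the text warns about for one published resource."""
    findings = []
    # A SecureICA policy makes the server reject clients that negotiate below
    # its minimum; Web Interface and the online plug-in negotiate at the
    # published level, so publishing too low breaks their connections.
    if policy_minimum and rank(res.encryption_level) < rank(policy_minimum):
        findings.append(f"{res.name}: published at {res.encryption_level} but policy "
                        f"requires {policy_minimum}; server will reject these clients")
    # SecureICA alone gives no server authentication or integrity check, so it
    # is not recommended as the only protection across a public network.
    if crosses_public_network and not res.ssl_tls_enabled:
        findings.append(f"{res.name}: SecureICA only across a public network; "
                        "enable SSL/TLS via SSL Relay or Secure Gateway")
    return findings


if __name__ == "__main__":
    farm = [PublishedResource("Payroll", "RC5-40", False),          # constructed
            PublishedResource("Intranet Portal", "RC5-128", True)]  # constructed
    for r in farm:
        print(*audit_resource(r, "RC5-128", True), sep="\n")
    print(effective_level("Basic", "RC5-56", "RC5-128"))  # RC5-128
```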