Product Documentation

Configuring SSL/TLS Between Servers and Clients

Oct 09, 2015

For XenApp to accept connections encrypted with SSL or TLS, you must use SSL Relay to configure support on each XenApp server.

Citrix SSL Relay can secure communications between clients, servers running the Web Interface, and XenApp servers that are using SSL or TLS. Data sent between the two computers is decrypted by the SSL Relay and then redirected using SOCKSv5 to the Citrix XML Service.

SSL Relay operates as an intermediary in the communications between the plug-in and the Citrix XML Service running on each server. Each plug-in authenticates the SSL Relay by checking the relay’s server certificate against a list of trusted certificate authorities. After this authentication, the plug-in and SSL Relay negotiate requests in encrypted form. SSL Relay decrypts the requests and passes them to the server.

When returning the information to the plug-in, the server sends all information through SSL Relay, which encrypts the data and forwards it to the client to be decrypted. Message integrity checks verify that each communication is not tampered with.

In general, use SSL Relay for SSL/TLS support when you:
  • Want to secure communications with servers that host the Citrix XML Service.
  • Have a small number of servers to support (five or fewer). To use SSL/TLS to protect against internal threats in larger farms, consider configuring SSL/TLS support with Secure Gateway.
  • Do not need to secure access at a DMZ.
  • Do not need to hide server IP addresses or you are using Network Address Translation (NAT).
  • Need end-to-end encryption of data between clients and servers.

Configure SSL Relay and the appropriate server certificate on each XenApp server in the server farm. By default, SSL Relay is installed with XenApp in C:\Program Files (x86)\Citrix\SSLRelay, where C is the drive where you installed XenApp.

The Citrix XML Service provides an HTTP interface for enumerating applications available on the server. It uses TCP packets instead of UDP, which allows connections to work across most firewalls. The Citrix XML Service is included in the server. The default port for the Citrix XML Service is 80.

Installing and Configuring the SSL Relay Tool

If you configure the SSL Relay tool with the User Account Control (UAC) feature of Microsoft Windows enabled, you might be prompted for administrator credentials. To run the SSL Relay tool, you must have the following privileges and associated permissions:
  • Domain administrator
  • Delegated administrator
  • Administrator group of the local computer where you are installing the tool

Obtaining and Installing Server and Root SSL Certificates

A separate server certificate is required for each XenApp server on which you want to configure SSL or TLS. The server certificate identifies a specific computer, so you must know the fully qualified domain name (FQDN) of each server. Certificates must be signed by a trusted entity called a Certificate Authority (CA). In addition to installing a server certificate on each server, you must install the root certificate from the same CA on each client device that will communicate with SSL Relay.

Root certificates are available from the same CAs that issue the server certificates. You can install server and client certificates from a CA that is bundled with your operating system, an enterprise CA (a CA that your organization makes accessible to you), or a CA not bundled with your operating system. Consult your organization’s security team to find out which of the following methods they require for obtaining certificates.

Install the server certificate on each server. SSL Relay uses the same registry-based certificate store as IIS, so you can install certificates using IIS or the Microsoft Management Console (MMC) Certificate Snap-in. When you receive a certificate from the CA, you can restart the Web Server Certificate wizard in IIS and the wizard will install the certificate. Alternatively, you can view and import certificates on the computer using the MMC and adding the certificate as a stand-alone snap-in.

Choosing an SSL Certificate Authority

You can obtain and install certificates for your servers and client devices in the following ways:

  • Certificates from a CA bundled with the operating system. Some of the newer Windows operating systems include native support for many CAs. If you choose to install the certificate from a bundled CA, double-click the certificate file and the Windows Certificate Store wizard installs the server certificate on your server. For information about which operating systems include native support, see your Microsoft documentation.
  • Certificates from an enterprise CA. If your organization makes a CA accessible to you for use, that CA appears in your list of CAs. Double-click the certificate file and the Windows Certificate Store wizard installs the server certificate on your server. For more information about whether or not your company uses an enterprise CA, consult your security team.
  • Certificates from a CA not bundled with the operating system. Certificates from CAs that are not bundled with your operating system or made accessible to you by your organization must be installed manually on both the server running Citrix SSL Relay and on each client device. For instructions about installing certificates from an external CA, see the documentation for the servers and clients in your configuration. Alternatively, you can install certificates using Active Directory or the IIS snap-in:
    • If your computers belong to an Active Directory server, you can install the certificates using Active Directory. For instructions about how to use Active Directory to install your certificates, see your Microsoft documentation.
    • You can use the Microsoft Web Server Certificate wizard in the IIS snap-in to request and import a certificate. For more information about using this wizard, see your Microsoft documentation.

Acquiring a Signed SSL Certificate and Password

After you choose a Certificate Authority (CA), generate a certificate signing request (CSR) and send it to the CA using the Web server software that is compatible with the CA. For example, if you are using the IIS snap-in to obtain your certificates, you can use Microsoft Enterprise Certificate Services to generate the CSR. The CA processes the request and returns the signed SSL certificate and password to you. For information about what software you can use to generate the CSR, consult the documentation for your chosen CA.
Important: The common name for the certificate must be the exact fully qualified domain name of the server.

After acquiring the signed certificate and password from your CA, install the certificates on each server and client in your configuration using the appropriate method.

To enable the SSL Relay and select the relay credentials

  1. On the server where you installed Citrix SSL Relay, click All Programs > Citrix > Administration Tools > Citrix SSL Relay Configuration Tool.
  2. Click the Relay Credentials tab.
  3. Select the Enable SSL relay check box to enable the relay features.
  4. Select the Display Friendly Name check box to display the certificate’s friendly name, if available.

    This check box determines which information from the certificate appears in the Server Certificate list. Some certificates contain an additional friendly name field. If you check this box and no friendly name exists, the certificate’s subject common name is used (which is typically the server name). If Display Friendly Name is not checked, the entire subject name is used.

  5. Select the server certificate from the Server Certificate drop-down box (used to identify the SSL Relay identity).

Using the SSL Relay with the Microsoft Internet Information Service (IIS)

To use the SSL Relay and Microsoft Internet Information Services (IIS) on the same server, for example, if you install the Web Interface and XenApp on the same server, you must change the port number that IIS or the SSL Relay use. SSL Relay uses TCP port 443, the standard port for SSL connections. Most firewalls open this port by default. Optionally, you can configure the SSL Relay to use another port. Be sure that the port you choose is open on any firewalls between the client devices and the server running the SSL Relay.

Microsoft IIS is installed by default on Windows Server 2003 and allocates port 443 for SSL connections. It is not installed by default on Windows Server 2008. To run SSL Relay on a server running Windows Server 2003 or 2008 (with Web Server IIS installed and enabled), you must:

  • Install a server certificate on IIS before you change the port number. You can use the same server certificate with IIS and the SSL Relay.
  • Configure IIS to use a different port or configure the SSL Relay to use a different port.

To change the SSL port for Internet Information Services, see the relevant Microsoft documentation.

Configuring the Relay Port and Server Connection Settings

The SSL Relay relays packets only to the target computers listed on the Connection tab of the Citrix SSL Relay Configuration Tool. By default, the SSL Relay is configured to relay packets only to the target computer on which the SSL Relay is installed. You can add other computers in the same server farm for redundancy.

Use the Connection tab to configure the listener port and allowed destinations for the SSL Relay. The SSL Relay relays packets only to the target computers listed on the Connection tab. The target server and port specified on your server running the Web Interface or XenApp plug-in must be listed on this tab. By default, no servers are listed.

See Configuring TCP ports for a list of ports used in a server farm.

Once a certificate is added, the default ICA and Citrix XML Service ports are added for the local computer.
  • Relay Listening Port. The TCP port where SSL clients connect to the SSL Relay. The default port number is 443. If your server has multiple IP addresses, this port is used on all of them. If you change this value, you must make the same change on the client device. You may also need to open the port on any firewalls between the client device and the SSL Relay.
  • Encryption Standard. SSL Relay can be configured to use either SSL or TLS. The protocol that is required is configured using the SSL Relay configuration tool.
  • Server Name. The fully qualified domain name (FQDN) of the server to which to relay the decrypted packets. If certificates are not configured, no servers are listed. If certificates are configured, the FQDN of the server on which the SSL Relay is running appears here.
  • Ports. The TCP ports where ICA and the Citrix XML Service are listening.
Important: If you change the default Citrix SSL Relay port, you must set SSLProxyHost to the new port number in the Citrix online plug-in icaclient.adm file. For more information about plug-in settings, see the plug-in administrator documentation.

To modify the destination server list

  1. On the server where you installed Citrix SSL Relay, click All Programs > Citrix > Administration Tools > Citrix SSL Relay Configuration Tool.
  2. Click the Connection tab.
    • To add a server to the destination server list:
      1. Click New.
      2. Type the FQDN of the computer in the Server Name box. (Additional servers must also be specified in the configuration of servers running the Web Interface.)
      3. Type the port number of the Citrix XML Service in the Destination ports box and click Add.
    • To change the port for a server listed in the destination server list:
      1. Select the server entry and click Edit.
      2. In the Target Server Properties dialog box, select a destination port to remove and click Delete.
      3. In the field below Destination ports, type the number of the new destination port and click Add.

To run the SSL Relay on port 443 without using HTTPS

  1. Stop the Microsoft Internet Information Service.
  2. Configure and start the SSL Relay service.
  3. Restart the Microsoft Internet Information Service.
The SSL Relay uses port 443 before IIS, including when the server is restarted.
Note: When you configure XenApp, members of the User group are allowed to edit registry entries in the registry hive HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Secure\Citrix\Citrix SSL Relay, or HKEY_LOCAL_MACHINE\SOFTWARE\Secure\Citrix\Citrix SSL Relay on XenApp, 32-bit Edition. You can use the Microsoft Security Configuration and Analysis tool to prevent members of the User group from editing these registry entries.

Configuring the Ciphersuites Allowed by the SSL Relay

Use the Citrix SSL Relay Configuration Tool to configure which combinations of ciphersuites the SSL Relay will accept from the client (a server running the Web Interface or Citrix online plug-in). The Ciphersuites dialog box lists the available and allowed ciphersuites. The SSL Relay accepts connections only from clients that support at least one of the allowed ciphersuites. Installing additional ciphersuites is not supported.

Available ciphersuites are grouped into GOV (Government) or COM (Commercial). Note that GOV ciphersuites are normally used when TLS is specified. However, any combination of ciphersuite and security protocol can be used. Contact your organization’s security expert for guidance about which ciphersuites to use.

Descriptions of ciphersuites are found in Appendix C of the Internet Society RFC 2246, available online at

By default, connections using any of the supported ciphersuites are allowed.

To add or remove ciphersuites

  1. On the server where you installed Citrix SSL Relay, click All Programs > Citrix > Administration Tools > Citrix SSL Relay Configuration Tool. Click the Ciphersuites tab.
  2. Select a ciphersuite from either the left column and click Add to allow it or from the right column and click Remove to disallow it.