For XenApp to accept connections encrypted with SSL or TLS, you must use SSL Relay to configure support on each XenApp server.
Citrix SSL Relay can secure communications between clients, servers running the Web Interface, and XenApp servers that are using SSL or TLS. Data sent by the client to the XenApp server is decrypted by the SSL Relay and then redirected using SOCKSv5 to the Citrix XML Service.
SSL Relay operates as an intermediary in the communications between the plug-in and the Citrix XML Service running on each server. Each plug-in authenticates the SSL Relay by checking the relay’s server certificate against a list of trusted certificate authorities. After this authentication, the plug-in and SSL Relay negotiate requests in encrypted form. SSL Relay decrypts the requests and passes them to the server.
When returning the information to the plug-in, the server sends all information through SSL Relay, which encrypts the data and forwards it to the client to be decrypted. Message integrity checks verify that each communication is not tampered with.
Configure SSL Relay and the appropriate server certificate on each XenApp server in the server farm. By default, SSL Relay is installed with XenApp in C:\Program Files (x86)\Citrix\SSLRelay, where C is the drive where you installed XenApp.
The Citrix XML Service provides an HTTP interface for enumerating applications available on the server. It uses TCP packets instead of UDP, which allows connections to work across most firewalls. The Citrix XML Service is included in the server. The default port for the Citrix XML Service is 80.
A separate server certificate is required for each XenApp server on which you want to configure SSL or TLS. The server certificate identifies a specific computer, so you must know the fully qualified domain name (FQDN) of each server. Certificates must be signed by a trusted entity called a Certificate Authority (CA). In addition to installing a server certificate on each server, you must install the root certificate from the same CA on each client device that will communicate with SSL Relay.
Root certificates are available from the same CAs that issue the server certificates. You can install server and client certificates from a CA that is bundled with your operating system, an enterprise CA (a CA that your organization makes accessible to you), or a CA not bundled with your operating system. Consult your organization’s security team to find out which of the following methods they require for obtaining certificates.
Install the server certificate on each server. SSL Relay uses the same registry-based certificate store as IIS, so you can install certificates using IIS or the Microsoft Management Console (MMC) Certificates snap-in. When you receive a certificate from the CA, you can restart the Web Server Certificate wizard in IIS and the wizard will install the certificate. Alternatively, you can view and import certificates on the computer using the MMC with the Certificates snap-in added as a stand-alone snap-in.
You can obtain and install certificates for your servers and client devices in the following ways:
After acquiring the signed certificate and password from your CA, install the certificates on each server and client in your configuration using the appropriate method.
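The two requirements above, that the server certificate identify the server's FQDN and that it be issued by a CA whose root is installed on every client device, are what a client enforces when it authenticates the SSL Relay. The following is an added example, not Citrix code: it applies those two checks to a certificate in the dict layout that Python's ssl.SSLSocket.getpeercert() returns. The hostname rules follow RFC 2818 / RFC 6125 (subjectAltName dNSName entries first, subject commonName only as a fallback); the sample certificate, the name xenapp1.example.com and the trusted-root set are constructed data, and treating "issuer CN is a trusted root" as the trust check is a simplification of full chain building.

```python
"""Check that a server certificate identifies the XenApp server's FQDN and was
issued by a CA whose root the client device trusts.

Added example, not Citrix code. Certificate dicts use the layout returned by
ssl.SSLSocket.getpeercert(); the sample certificate and trusted-root set below
are constructed data."""


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname. A wildcard is accepted
    only as the whole left-most label and must not swallow a bare domain
    (*.example.com matches host.example.com, not example.com or a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict) -> list:
    """DNS names the certificate claims to identify: SAN dNSName entries, or,
    only when there are none, the subject commonName."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def certificate_matches_fqdn(cert: dict, fqdn: str) -> bool:
    return any(_name_matches(name, fqdn) for name in certificate_names(cert))


def issuer_common_name(cert: dict):
    return next((value for rdn in cert.get("issuer", ()) for key, value in rdn if key == "commonName"), None)


def check_server_certificate(cert: dict, fqdn: str, trusted_root_cns: set) -> list:
    """Return the problems found; an empty list means the certificate is usable
    for an SSL Relay on `fqdn` by a client that trusts `trusted_root_cns`.
    Only the FQDN binding and the issuing CA name are checked here; signature
    and validity-period checks are left to the TLS library."""
    problems = []
    if not certificate_matches_fqdn(cert, fqdn):
        problems.append("certificate names %s do not match %s" % (certificate_names(cert), fqdn))
    issuer = issuer_common_name(cert)
    if issuer not in trusted_root_cns:
        problems.append("issuer %r is not a root CA installed on the client device" % issuer)
    return problems


# Constructed sample: a certificate for one XenApp server, issued by an enterprise CA.
SAMPLE_CERT = {
    "subject": ((("commonName", "xenapp1.example.com"),),),
    "issuer": ((("commonName", "Example Enterprise Root CA"),),),
    "subjectAltName": (("DNS", "xenapp1.example.com"),),
}
CLIENT_TRUSTED_ROOTS = {"Example Enterprise Root CA"}

if __name__ == "__main__":
    print(check_server_certificate(SAMPLE_CERT, "xenapp1.example.com", CLIENT_TRUSTED_ROOTS))  # []
    print(check_server_certificate(SAMPLE_CERT, "xenapp2.example.com", set()))                 # two problems
```

A real client gets the same two checks from the TLS library (in Python, ssl.create_default_context(cafile=root_ca_pem) with check_hostname left enabled); the functions above spell them out so it is clear why a certificate issued to the wrong name, or by a CA the client device does not have a root for, makes the plug-in refuse the relay.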
The Display Friendly Name check box determines which information from the certificate appears in the Server Certificate list. Some certificates contain an additional friendly name field. If you check this box and no friendly name exists, the certificate’s subject common name is used (which is typically the server name). If Display Friendly Name is not checked, the entire subject name is used.
To use the SSL Relay and Microsoft Internet Information Services (IIS) on the same server, for example, if you install the Web Interface and XenApp on the same server, you must change the port number that either IIS or the SSL Relay uses. SSL Relay uses TCP port 443, the standard port for SSL connections. Most firewalls open this port by default. Optionally, you can configure the SSL Relay to use another port. Be sure that the port you choose is open on any firewalls between the client devices and the server running the SSL Relay.
Microsoft IIS is installed by default on Windows Server 2003 and allocates port 443 for SSL connections. It is not installed by default on Windows Server 2008. To run SSL Relay on a server running Windows Server 2003 or 2008 (with Web Server IIS installed and enabled), you must:
To change the SSL port for Internet Information Services, see the relevant Microsoft documentation.
The SSL Relay relays packets only to the target computers listed on the Connection tab of the Citrix SSL Relay Configuration Tool. By default, the SSL Relay is configured to relay packets only to the target computer on which the SSL Relay is installed. You can add other computers in the same server farm for redundancy.
Use the Connection tab to configure the listener port and allowed destinations for the SSL Relay. The SSL Relay relays packets only to the target computers listed on the Connection tab. The target server and port specified on your server running the Web Interface or XenApp plug-in must be listed on this tab. By default, no servers are listed.
See Configuring TCP ports for a list of ports used in a server farm.
Use the Citrix SSL Relay Configuration Tool to configure which combinations of ciphersuites the SSL Relay will accept from the client (a server running the Web Interface or Citrix online plug-in). The Ciphersuites dialog box lists the available and allowed ciphersuites. The SSL Relay accepts connections only from clients that support at least one of the allowed ciphersuites. Installing additional ciphersuites is not supported.
Available ciphersuites are grouped into GOV (Government) or COM (Commercial). Note that GOV ciphersuites are normally used when TLS is specified. However, any combination of ciphersuite and security protocol can be used. Contact your organization’s security expert for guidance about which ciphersuites to use.
Descriptions of ciphersuites are found in Appendix C of the Internet Society RFC 2246, available online at http://www.rfc-editor.org.
By default, connections using any of the supported ciphersuites are allowed.
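The acceptance rule described above (a connection is accepted only when the client offers at least one suite on the relay's allowed list, and every supported suite is allowed by default) is decided from the cipher_suites vector of the client's ClientHello. The following is an added example, not Citrix code or the SSL Relay's implementation: it parses that vector from a TLS 1.0 record as laid out in RFC 2246 section 7.4.1.2, names the suites using the Appendix C codes, and applies the rule against two allowed lists. The sample ClientHello is constructed inline, the two allowed lists are illustrative (the page does not say which suites are GOV or COM), and selecting the first allowed suite in the relay's own order is an assumption about preference, not documented relay behaviour.

```python
"""Parse the cipher_suites vector of a TLS 1.0 ClientHello and apply the
SSL Relay acceptance rule: accept only if the client offers at least one
allowed suite. Added example, not Citrix code."""
import struct

# Cipher suite codes from RFC 2246 Appendix C (subset).
RFC2246_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Illustrative allowed lists (constructed, not the relay's GOV/COM groups):
# the default allows everything supported; the strict list drops the
# NULL-cipher and 40-bit export suites.
ALLOWED_DEFAULT = list(RFC2246_SUITES)
ALLOWED_STRICT = [0x000A, 0x0005, 0x0004]


def parse_client_hello_suites(record: bytes) -> list:
    """Return the suite codes offered in a ClientHello, in the client's order."""
    # TLS record header: content type (22 = handshake), version, length.
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    # Handshake header: msg_type (1 = client_hello), 24-bit length.
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                      # skip client_version and random
    sid_len = hello[pos]
    pos += 1 + sid_len                # skip session_id
    suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(hello):
        raise ValueError("bad cipher_suites vector")
    return [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]


def suite_names(codes: list) -> list:
    return [RFC2246_SUITES.get(c, "unknown(0x%04x)" % c) for c in codes]


def select_suite(offered: list, allowed: list):
    """First suite in the relay's allowed order that the client offered, or
    None, meaning the handshake is refused. Preferring the relay's order over
    the client's is an assumption for this example."""
    offered_set = set(offered)
    for code in allowed:
        if code in offered_set:
            return code
    return None


def build_client_hello(suites: list) -> bytes:
    """Construct a minimal TLS 1.0 ClientHello record offering `suites`
    (sample input only; random is all zeros, session_id is empty)."""
    version = b"\x03\x01"
    body = version + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"               # compression_methods: one entry, null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    hello = build_client_hello([0x0004, 0x000A, 0x0003])
    offered = parse_client_hello_suites(hello)
    print(suite_names(offered))
    print(select_suite(offered, ALLOWED_STRICT))   # 10 (TLS_RSA_WITH_3DES_EDE_CBC_SHA)
    print(select_suite([0x0001, 0x0003], ALLOWED_STRICT))   # None: client offers only NULL/export suites
```

Running the same offered list against ALLOWED_DEFAULT shows the cost of the default setting: a client that offers only TLS_RSA_WITH_NULL_MD5 and the 40-bit export suite is accepted, whereas the strict list refuses it, which is why the page directs you to your organisation's security expert for the allowed set rather than leaving the default.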