Citrix Virtual Apps and Desktops

Enable TLS on Delivery Controllers

By default, both HTTP and HTTPS are enabled. HTTPS uses a self-signed certificate using the sever’s FQDN as the common name, which is not trusted by StoreFront or web browsers.

To enable TLS on a delivery controller, you must:

Requesting and installing a certificate

To use TLS, you must install a certificate whose Common Name or Subject Alternative Name matches the server’s FQDN. If you are using a load balancer in front of the delivery controllers then include both the server and the load balancer’s FQDNs as Subject Alternative Names. For more information, see Certificates. For StoreFront to connect to the delivery controller you must use a RSA digital signature algorithm. StoreFront does not support certificates using the ECDSA algorithm.

Configuring SSL/TLS listener port

If the IIS Windows component is installed on the same server, which is installed as part of Web Studio and Director, you can configure TLS using IIS. For more information, see Enable TLS on Web Studio and Director. Otherwise, to configure the certificate using PowerShell:

  1. To check if there is an existing certificate bound, open an command prompt and run netsh http show sslcert:

    netsh http show sslcert
  2. If there is an existing binding then delete it.

    netsh http delete sslcert ipport=0.0.0.0:443

    Replacing 0.0.0.0:443 with a specific IP address and port if there was one specified in the existing binding.

  3. Find the thumbprint of the certificate you installed previously. To view the thumbprint, open Manage computer certificates, browse to the certificate and open it and go to the Details tab.

    Screenshot of certificate properties showing thumbprint

    Alternatively you can use PowerShell. For example the following script looks for a certificate whose common name matches the server’s host name and prints the thumbnail:

    $HostName = ([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname $Thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match ("CN=" + $HostName)}).Thumbprint -join ';' Write-Host -Object "Certificate Thumbprint for $($HostName): $($Thumbprint)" -Foreground Yellow

    If the certificate common name does not match the host names then this will fail. If there are multiple certificates for the host name then this returns multiple thumbprints concatenated together and you must choose the appropriate thumbprint.

    The following example looks for a certificate by friendly name:

    $friendlyName = "My certificate name" $Thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.FriendlyName -eq $friendlyNam}).Thumbprint -join ';' Write-Host -Object "Certificate Thumbprint for $friendlyName: $($Thumbprint)" -Foreground Yellow

    If there are multiple certificates with the specified friendly name then this returns multiple thumbprints concatenated together and you must choose the appropriate thumbprint.

  4. To bind the certificate to the port, use the netsh http add sslcert command:

    netsh http add sslcert ipport=[IP address]:443 certhash=[certificate hash] appid=[application GUID] disablelegacytls=enable
    • ipport specifies the IP address and port. Using 0.0.0.0:443 applies this to all IP addresses. You can instead specify a specific IP address.

    • appid - an arbitrary GUID used to identify the application that added the binding. You can use any valid GUID, for example {91fe7386-e0c2-471b-a252-1e0a805febac}.

    • disablelegacytls=enable - disables legacy versions of TLS. This parameter is available on Windows 2022 and higher. Windows 2022 it disables TLS 1.0 and 1.1. On Windows 2025 this is unnecessary as TLS 1.0 and 1.1 are disabled by default.

    For example, run the following command to bind the certificate with thumbprint bc96f958848639fd101a793b87915d5f2829b0b6 to port 443 on all IP addresses:

    netsh http add sslcert ipport=0.0.0.0:443 certhash=bc96f958848639fd101a793b87915d5f2829b0b6 appid={91fe7386-e0c2-471b-a252-1e0a805febac} disablelegacytls=enable

Once HTTPS is enabled, you should configure any StoreFront deployments and Netscaler Gateways to use HTTPS instead of HTTP to connect to the delivery controller.

Configure Monitor Service OData API for HTTPS

The monitor service provides OData v3 and v4 APIs to allow Citrix and third party applications to query data. Director connects to the monitoring service using the OData API V3. To configure the monitor OData APIs for HTTPS complete the following steps:

  1. Run the following PowerShell:

    $serviceGroup = Get-ConfigRegisteredServiceInstance -ServiceType Monitor | Select -First 1 ServiceGroupUid Remove-ConfigServiceGroup -ServiceGroupUid $serviceGroup.ServiceGroupUid & 'C:\Program Files\Citrix\Monitor\Service\citrix.monitor.exe' -ConfigureFirewall -RequireODataTls –OdataPort 443 -RequireODataSdkTls –OdataSdkPort 443 get-MonitorServiceInstance | register-ConfigServiceInstance Get-ConfigRegisteredServiceInstance -ServiceType Config | Reset-MonitorServiceGroupMembership
  2. Open file C:\Program Files\Citrix\Monitor\Service\Citrix.Monitor.exe.Config with a text editor. Find the element <add key="owin:baseAddress" value="http://localhost/citrix/monitor/odata/v4" /> and change it to <add key="owin:baseAddress" value="https://localhost/citrix/monitor/odata/v4" />.

Configure cipher suites

The cipher suite order list must include the TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, or TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher suites (or both); and these cipher suites must precede any TLS_DHE_ cipher suites.

  1. Using the Microsoft Group Policy Editor, browse to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
  2. Edit the policy “SSL Cipher Suite Order”. By default, this policy is set to “Not Configured”. Set this policy to Enabled.
  3. Arrange suites in the correct order; remove any cipher suites suites you do not want to use.

Ensure that either TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, or TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 precedes any TLS_DHE_ cipher suites.

On Microsoft Learn, see also Configuring TLS Cipher Suite Order.

Enforce HTTPS traffic only

It is recommended that you configure the XML Service to ignore HTTP traffic.

  1. Run regedit
  2. Open HKLM\Software\Citrix\DesktopServer\
  3. Create a new DWORD value with name XmlServicesEnableNonSsl and set it to 0.
  4. Restart the Broker Service.

There is a corresponding registry DWORD value XmlServicesEnableSsl you can create to ignore HTTPS traffic. Ensure that it is not set to 0.

Change HTTP or HTTPS ports

By default, the XML Service on the Controller listens on port 80 for HTTP traffic and port 443 for HTTPS traffic. Although you can use non-default ports, be aware of the security risks of exposing a Controller to untrusted networks. Deploying a standalone StoreFront server is preferable to changing the defaults.

To change the default HTTP or HTTPS ports used by the Controller, run the following command from Studio:

BrokerService.exe -StoreFrontPort <http-port> -StoreFrontTlsPort <https-port>

where <http-port> is the port number for HTTP traffic and <https-port> is the port number for HTTPS traffic.

Note:

After changing a port, Studio might display a message about license compatibility and upgrading. To resolve the issue, re-register service instances using the following PowerShell cmdlet sequence:

Get-ConfigRegisteredServiceInstance -ServiceType Broker -Binding XML_HTTPS | Unregister-ConfigRegisteredServiceInstance Get-BrokerServiceInstance | where Binding -eq "XML_HTTPS" | Register-ConfigServiceInstance
Enable TLS on Delivery Controllers