Citrix Virtual Apps and Desktops

Enable TLS on Delivery Controllers

To enable TLS on a delivery controller, you must:

Requesting and installing a certificate

To use TLS, you must install a certificate whose Alternative Name includes the DDC’s FQDN. You must create a suitable certificate. This can be done using a Microsoft Certificate Authority or other internal or external certificate authorities.

Create certificate using Microsoft Certificate Authority

If the Microsoft Certificate Authority is integrated into an Active Directory domain or into the trusted forest the Delivery Controllers are joined to, you can acquire a certificate from the Certificates MMC snap-in Certificate Enrollment wizard. The Microsoft Certificate Authority needs to have a certificate template published suitable for use by web servers. If you are using a Citrix Gateway or a StoreFront server on a different domain then you need to export the Root Certification Authority Certificate and import it into the Citrix Gateway and StoreFront.

  1. On the Delivery Controller, open the MMC console and add the Certificates snap-in. When prompted select Computer account.

  2. Expand Personal > Certificates, then use the All Tasks > Request New Certificate context menu command.

    MMC Certificates snap-in

  3. Click Next to begin, and Next to confirm that you are acquiring the certificate from Active Directory enrollment.

  4. Select a suitable template such as Web Server Exportable. If the template has been set up to automatically provide the values for Subject you can click Enroll without providing more details.

    Request certificates dialog

  5. To provide more details for the certificate template, click the Details arrow button and configure the following:

    Subject name: select Common Name and add the FQDN of the Delivery Controller.

    Alternative name: select DNS and add the FQDN of the Delivery Controller.

    Certificate properties

  6. Press OK.

  7. Press Enroll to create an install the certificate

Install existing certificate file

If you have an existing certificate as a file then you can install it:

  1. On the Delivery Controller, open the MMC console and add the Certificates snap-in. When prompted select Computer account.

  2. Expand Personal > Certificates, then use the All Tasks > Import context menu command.

  3. Browse for the certificate file.

Configuring SSL/TLS listener port

  1. Open a PowerShell command window as an administrator of the machine.
  2. Run the following commands to get Broker Service Application GUID:

    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
    $Service_Guid = Get-ChildItem HKCR:\Installer\Products -Recurse -Ea 0 | Where-Object { $key = $_; $_.GetValueNames() | ForEach-Object { $key.GetValue($_) } | Where-Object { $_ -like 'Citrix Broker Service' } } | Select-Object Name
    $Service_Guid.Name -match "[A-Z0-9]*$"
    $Guid = $Matches[0]
    [GUID]$Formatted_Guid = $Guid
    Remove-PSDrive -Name HKCR
    Write-Host "Broker Service Application GUID: $($Formatted_Guid)" -ForegroundColor Yellow
    <!--NeedCopy-->
    
  3. Run the following commands on the same PowerShell window to get the Thumbprint of the certificate you installed previously:

    $HostName = ([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname
    $Thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match ("CN=" + $HostName)}).Thumbprint -join ';'
    Write-Host -Object "Certificate Thumbprint for $($HostName): $($Thumbprint)" -Foreground Yellow
    <!--NeedCopy-->
    
  4. Run the following commands on the same PowerShell window to configure the Broker Service TLS port to use the certificate for encryption:

    $IPV4_Address = Test-Connection -ComputerName $HostName -Count 1  | Select-Object -ExpandProperty IPV4Address
    $IPPort = "$($IPV4_Address):443"
    $SSLxml = "http add sslcert ipport=$IPPort certhash=$Thumbprint appid={$Formatted_Guid}"
    $SSLxml | netsh
    . netsh http show sslcert
    <!--NeedCopy-->
    

When correctly configured, the output from the last command .netsh http show sslcert shows that the listener is using the correct IP:port, and that Application ID matches the Broker Service Application GUID. For more information, see Microsoft documentation.

Providing the servers trust the certificate installed on the Delivery Controllers, you can now configure StoreFront Delivery Controllers and Citrix Gateway STA bindings to use HTTPS instead of HTTP.

Configure cipher suites

The cipher suite order list must include the TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, or TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher suites (or both); and these cipher suites must precede any TLS_DHE_ cipher suites.

  1. Using the Microsoft Group Policy Editor, browse to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
  2. Edit the policy “SSL Cipher Suite Order”. By default, this policy is set to “Not Configured”. Set this policy to Enabled.
  3. Arrange suites in the correct order; remove any cipher suites suites you do not want to use.

Ensure that either TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, or TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 precedes any TLS_DHE_ cipher suites.

On Microsoft Learn, see also Configuring TLS Cipher Suite Order.

Enforce HTTPS traffic only

It is recommended that you configure the XML Service to ignore HTTP traffic.

  1. Run regedit
  2. Open HKLM\Software\Citrix\DesktopServer\
  3. Create a new DWORD value with name XmlServicesEnableNonSsl and set it to 0.
  4. Restart the Broker Service.

There is a corresponding registry DWORD value XmlServicesEnableSsl you can create to ignore HTTPS traffic. Ensure that it is not set to 0.

Change HTTP or HTTPS ports

By default, the XML Service on the Controller listens on port 80 for HTTP traffic and port 443 for HTTPS traffic. Although you can use non-default ports, be aware of the security risks of exposing a Controller to untrusted networks. Deploying a standalone StoreFront server is preferable to changing the defaults.

To change the default HTTP or HTTPS ports used by the Controller, run the following command from Studio:

BrokerService.exe -StoreFrontPort <http-port> -StoreFrontTlsPort <https-port>

where <http-port> is the port number for HTTP traffic and <https-port> is the port number for HTTPS traffic.

Note:

After changing a port, Studio might display a message about license compatibility and upgrading. To resolve the issue, re-register service instances using the following PowerShell cmdlet sequence:

Get-ConfigRegisteredServiceInstance -ServiceType Broker -Binding XML_HTTPS |
Unregister-ConfigRegisteredServiceInstance
Get-BrokerServiceInstance | where Binding -eq "XML_HTTPS" |
Register-ConfigServiceInstance
<!--NeedCopy-->
Enable TLS on Delivery Controllers