Enable TLS on Delivery Controllers
To enable TLS on a Delivery Controller, you must:
- Obtain, install, and register a server certificate on all Delivery Controllers. For details, see Requesting and installing a certificate.
- Configure a port with the TLS certificate. For details, see Configuring SSL/TLS listener port.
- Enforce HTTPS traffic by disabling HTTP. For details, see Enforce HTTPS traffic only.
- Optionally, change the ports the Controller uses to listen for HTTP and HTTPS traffic. For details, see Change HTTP or HTTPS ports.
Requesting and installing a certificate
To use TLS, you must install a certificate whose Subject Alternative Name includes the FQDN of the Delivery Controller (DDC). You must create a suitable certificate; this can be done using a Microsoft Certificate Authority or another internal or external certificate authority.
Create certificate using Microsoft Certificate Authority
If the Microsoft Certificate Authority is integrated into the Active Directory domain, or into a trusted forest, that the Delivery Controllers are joined to, you can acquire a certificate from the Certificate Enrollment wizard in the Certificates MMC snap-in. The Microsoft Certificate Authority must have a published certificate template suitable for use by web servers. If you are using a Citrix Gateway or a StoreFront server in a different domain, you need to export the root Certification Authority certificate and import it into the Citrix Gateway and StoreFront.
- On the Delivery Controller, open the MMC console and add the Certificates snap-in. When prompted, select Computer account.
- Expand Personal > Certificates, then use the All Tasks > Request New Certificate context menu command.
- Click Next to begin, and Next again to confirm that you are acquiring the certificate from Active Directory enrollment.
- Select a suitable template such as Web Server Exportable. If the template has been set up to provide the Subject values automatically, you can click Enroll without providing more details.
- To provide more details for the certificate template, click the Details arrow button and configure the following:
  Subject name: select Common Name and add the FQDN of the Delivery Controller.
  Alternative name: select DNS and add the FQDN of the Delivery Controller.
- Press OK.
- Press Enroll to create and install the certificate.
Install existing certificate file
If you have an existing certificate as a file, you can install it:
- On the Delivery Controller, open the MMC console and add the Certificates snap-in. When prompted, select Computer account.
- Expand Personal > Certificates, then use the All Tasks > Import context menu command.
- Browse for the certificate file.
Configuring SSL/TLS listener port
- Open a PowerShell command window as an administrator of the machine.
- Run the following commands to get the Broker Service Application GUID:
    # Expose HKEY_CLASSES_ROOT as a drive and locate the installer product named "Citrix Broker Service"
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
    $Service_Guid = Get-ChildItem HKCR:\Installer\Products -Recurse -Ea 0 | Where-Object { $key = $_; $_.GetValueNames() | ForEach-Object { $key.GetValue($_) } | Where-Object { $_ -like 'Citrix Broker Service' } } | Select-Object Name
    # The product key name ends in a 32-character hex string; format it as a GUID
    $Service_Guid.Name -match "[A-Z0-9]*$"
    $Guid = $Matches[0]
    [GUID]$Formatted_Guid = $Guid
    Remove-PSDrive -Name HKCR
    Write-Host "Broker Service Application GUID: $($Formatted_Guid)" -ForegroundColor Yellow
- Run the following commands in the same PowerShell window to get the thumbprint of the certificate you installed previously:
    $HostName = ([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname
    # Select the certificate in the machine store whose Subject contains the Controller's FQDN
    $Thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match ("CN=" + $HostName)}).Thumbprint -join ';'
    Write-Host -Object "Certificate Thumbprint for $($HostName): $($Thumbprint)" -Foreground Yellow
- Run the following commands in the same PowerShell window to configure the Broker Service TLS port to use the certificate for encryption:
    $IPV4_Address = Test-Connection -ComputerName $HostName -Count 1 | Select-Object -ExpandProperty IPV4Address
    $IPPort = "$($IPV4_Address):443"
    # Bind the certificate to the HTTPS listener and tag the binding with the Broker Service application ID
    $SSLxml = "http add sslcert ipport=$IPPort certhash=$Thumbprint appid={$Formatted_Guid}"
    $SSLxml | netsh
    netsh http show sslcert
When correctly configured, the output from the last command, netsh http show sslcert, shows that the listener is using the correct IP:port and that the Application ID matches the Broker Service Application GUID. For more information, see the Microsoft documentation.
Provided that the StoreFront servers and Citrix Gateway trust the certificate installed on the Delivery Controllers, you can now configure the StoreFront Delivery Controller and Citrix Gateway STA bindings to use HTTPS instead of HTTP.
Configure cipher suites
The cipher suite order list must include the TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 or TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher suite (or both), and these cipher suites must precede any TLS_DHE_ cipher suites.
- Using the Microsoft Group Policy Editor, browse to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
- Edit the policy "SSL Cipher Suite Order". By default, this policy is set to "Not Configured". Set this policy to Enabled.
- Arrange the suites in the correct order and remove any cipher suites you do not want to use. Ensure that TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 or TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 precedes any TLS_DHE_ cipher suites.
On Microsoft Learn, see also Configuring TLS Cipher Suite Order.
Enforce HTTPS traffic only
It is recommended that you configure the XML Service to ignore HTTP traffic.
- Run regedit.
- Open HKLM\Software\Citrix\DesktopServer\
- Create a new DWORD value named XmlServicesEnableNonSsl and set it to 0.
- Restart the Broker Service.
There is a corresponding registry DWORD value, XmlServicesEnableSsl, which you can create to ignore HTTPS traffic. Ensure that it is not set to 0.
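As an added example that is not part of the Citrix documentation, the following PowerShell script checks the outcome of the listener-port, cipher-suite and HTTP-disable steps above on a Delivery Controller. It assumes it runs elevated on the Controller, that the Broker Service Application GUID obtained earlier is passed as -BrokerAppId, and that the TLS port is 443 unless overridden; Get-TlsCipherSuite is used to read the effective cipher order.

```powershell
# Added verification script, not part of the Citrix documentation.
# Assumes: run elevated on the Delivery Controller; -BrokerAppId is the
# Broker Service Application GUID obtained in the listener-port steps.
param(
    [Parameter(Mandatory)][guid]$BrokerAppId,
    [int]$TlsPort = 443
)
$findings = @()
$hostName = ([System.Net.Dns]::GetHostByName($env:COMPUTERNAME)).HostName
$ipv4     = (Test-Connection -ComputerName $hostName -Count 1).IPV4Address.IPAddressToString
$ipPort   = "${ipv4}:$TlsPort"

# 1. The HTTPS binding exists, is owned by the Broker Service, and its certificate
#    is in the machine store, unexpired, and carries the DDC FQDN as a SAN.
$out = (netsh http show sslcert ipport=$ipPort) -join "`n"
if ($out -notmatch 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
    $findings += "No sslcert binding on $ipPort"
} else {
    $hash = $Matches[1]
    if ($out -match 'Application ID\s*:\s*\{([0-9A-Fa-f-]+)\}' -and [guid]$Matches[1] -ne $BrokerAppId) {
        $findings += "Binding on $ipPort has appid {$($Matches[1])}, not the Broker Service GUID"
    }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $hash
    if (-not $cert) { $findings += "Bound certificate $hash is not in Cert:\LocalMachine\My" }
    elseif ($cert.DnsNameList.Unicode -notcontains $hostName) {
        $findings += "Certificate SAN lacks $hostName (has: $($cert.DnsNameList.Unicode -join ', '))"
    }
    elseif ($cert.NotAfter -lt (Get-Date)) { $findings += "Certificate expired on $($cert.NotAfter)" }
}

# 2. The XML Service ignores HTTP (XmlServicesEnableNonSsl = 0) but still serves HTTPS.
$ds = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Citrix\DesktopServer' -ErrorAction SilentlyContinue
if ($ds.XmlServicesEnableNonSsl -ne 0) { $findings += 'XmlServicesEnableNonSsl is not 0: plain HTTP is still accepted' }
if ($null -ne $ds.XmlServicesEnableSsl -and $ds.XmlServicesEnableSsl -eq 0) { $findings += 'XmlServicesEnableSsl is 0: HTTPS is disabled' }

# 3. Effective cipher order: a required ECDHE_RSA suite precedes every TLS_DHE_ suite.
$names    = @((Get-TlsCipherSuite).Name)
$required = 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
$firstEcdhe = $names | Where-Object { $_ -in $required } | Select-Object -First 1
$firstDhe   = $names -like 'TLS_DHE_*' | Select-Object -First 1
if (-not $firstEcdhe) { $findings += 'Neither required TLS_ECDHE_RSA suite is enabled' }
elseif ($firstDhe -and $names.IndexOf($firstDhe) -lt $names.IndexOf($firstEcdhe)) {
    $findings += "$firstDhe is ordered before $firstEcdhe"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "OK: Broker Service TLS configuration on $ipPort passes all checks" -ForegroundColor Green }
```

Each failed check is reported as a warning, so the script can be re-run after each corrective step until it prints OK.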
Change HTTP or HTTPS ports
By default, the XML Service on the Controller listens on port 80 for HTTP traffic and port 443 for HTTPS traffic. Although you can use non-default ports, be aware of the security risks of exposing a Controller to untrusted networks. Deploying a standalone StoreFront server is preferable to changing the defaults.
To change the default HTTP or HTTPS ports used by the Controller, run the following command from Studio:
    BrokerService.exe -StoreFrontPort <http-port> -StoreFrontTlsPort <https-port>
where <http-port> is the port number for HTTP traffic and <https-port> is the port number for HTTPS traffic.
Note:
After changing a port, Studio might display a message about license compatibility and upgrading. To resolve the issue, re-register service instances using the following PowerShell cmdlet sequence:
    Get-ConfigRegisteredServiceInstance -ServiceType Broker -Binding XML_HTTPS |
    Unregister-ConfigRegisteredServiceInstance
    Get-BrokerServiceInstance | where Binding -eq "XML_HTTPS" |
    Register-ConfigServiceInstance