Optional Configurations
1. Change Log File location and Permissions
If the log file location is changed, make sure that the Session Remote Start service (that is, the identity its application pool runs as) has the permissions needed to create and modify the log file at the new location.
Log file permissions
- Set the anonymous user identity to the Application Pool Identity.
- Open IIS Manager > Sites > Default Web Site > SessionRemoteStart, then open Authentication on the SessionRemoteStart Home page.
- Right-click Anonymous Authentication and click Enable.
- Right-click Anonymous Authentication, select Edit, and select Application pool identity.
- Create a folder at your preferred location and grant the Session Remote Start identity permission to write logs to it.
- For example, after creating the folder C:\SessionRemoteStartLog, right-click it and select Properties. On the Security tab, click Edit under Group or user names, click Add, and set the location to the local computer.
- Enter the Session Remote Start user created in the previous section (if the default identity is used, enter "IIS AppPool\SrsAppPool" instead).
- Grant Modify and Write permissions (if the default identity is used, grant them to SrsAppPool). Grant these rights only to the Session Remote Start identity, not to broad groups such as Users or Everyone.
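The same folder creation and permission grant, scripted. This is an added example and is not part of the Citrix documentation; it assumes the default application pool name SrsAppPool and the folder path used above, and the warning check for broad principals is an extra hardening step not described on this page.

```powershell
# Added example (not from the Citrix documentation): create the log folder, grant the
# application pool identity Modify rights on it, then verify the resulting ACL.
# Assumes the default pool name SrsAppPool; substitute the dedicated service account
# if one was created in the previous section.
$LogFolder = 'C:\SessionRemoteStartLog'
$Identity  = 'IIS AppPool\SrsAppPool'   # virtual account, resolves only if the pool exists

if (-not (Test-Path -LiteralPath $LogFolder)) {
    New-Item -ItemType Directory -Path $LogFolder | Out-Null
}

# Access rule: Modify on the folder, inherited by subfolders and files created later.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -LiteralPath $LogFolder
$acl.SetAccessRule($rule)
Set-Acl -LiteralPath $LogFolder -AclObject $acl

# Verify: the identity must appear with Modify, and no broad principal
# (Everyone, Users, Authenticated Users) should be able to write to the log folder.
$acl = Get-Acl -LiteralPath $LogFolder
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

$broad = $acl.Access | Where-Object {
    $_.IdentityReference.Value -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
}
if ($broad) {
    Write-Warning "Broad principals can write to $LogFolder; remove them or disable inheritance."
}
```

Run it in an elevated PowerShell session on the Session Remote Start server. If the folder inherits write access for Users from its parent (common under C:\), the warning fires; in that case disable inheritance on the folder and keep only the entries you need.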
2. Configure Inbound Firewall Rules
Restricting inbound traffic to the IP addresses and host names of the trusted services and StoreFront ensures that only these sources can reach Session Remote Start and helps prevent DoS and other opportunistic attacks against the Session Remote Start server.
After creating the https binding on port 443, configure inbound firewall rules in the Windows Defender Firewall with Advanced Security console so that only the intended TCP traffic is allowed:
- Disable all inbound rules for port 443 except World Wide Web Services (HTTPS Traffic-In).
Note:
Also check for any enabled rules that allow all inbound traffic (every condition set to Any); such a rule bypasses the restriction below.
- Double-click World Wide Web Services (HTTPS Traffic-In), open Properties, and switch to the Scope tab.
- Add a local IP address restriction: the local endpoint(s) (network interface) on which the third-party authentication service and StoreFront connect to this server.
- Add a remote IP address restriction: the IP addresses of the third-party authentication service and StoreFront.
- Switch to the Advanced tab and apply the rule to the relevant profile(s) only.
Third-party firewall products must be configured separately.
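The same scoping applied with the NetSecurity cmdlets, followed by an audit for other enabled inbound rules that would still admit TCP 443. This is an added example, not part of the Citrix documentation; the addresses and the profile are placeholders to replace with your StoreFront and third-party authentication service addresses and the interface they connect to.

```powershell
# Added example (not from the Citrix documentation): scope the built-in HTTPS rule to the
# trusted peers and list every other enabled inbound allow rule that still admits TCP 443.
# Placeholder values; replace with the real StoreFront / auth service addresses,
# the local interface address, and the firewall profile the server is connected to.
$RuleName   = 'World Wide Web Services (HTTPS Traffic-In)'
$LocalAddr  = '10.0.1.10'                  # local interface the peers connect to
$RemoteAddr = @('10.0.1.20', '10.0.1.21')  # StoreFront and third-party auth service
$FwProfile  = 'Domain'                     # Domain, Private, Public or Any

# 1. Restrict the allowed rule to the listed endpoints and to the chosen profile.
Set-NetFirewallRule -DisplayName $RuleName -Enabled True -Profile $FwProfile `
    -LocalAddress $LocalAddr -RemoteAddress $RemoteAddr

# 2. Find every other enabled inbound allow rule that still admits TCP 443. A rule whose
#    LocalPort is 'Any' (shown as "all" in the UI) bypasses the scope set above.
#    Port ranges such as '440-450' are not expanded here; review those by hand.
$leaks = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        if ($port.Protocol -in @('TCP', 'Any') -and
            ($port.LocalPort -eq 'Any' -or $port.LocalPort -contains '443')) { $_ }
    }

if ($leaks) {
    Write-Warning 'Enabled inbound rules that also admit TCP 443 (disable or scope them):'
    $leaks | Select-Object DisplayName, Profile, Group | Format-Table -AutoSize
}

# 3. Show the effective scope of the HTTPS rule for confirmation.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object LocalAddress, RemoteAddress
```

Step 2 is the scripted form of the Note above: a rule with LocalPort "Any" and RemoteAddress "Any" admits the same traffic the scoped HTTPS rule is meant to block, so every rule it lists needs to be disabled or given the same scope.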
3. App Protection
If App Protection is enabled for a delivery group, the customization described in this Citrix documentation must be applied to the Session Remote Start store:
4. HTTP Proxy Configuration
Session Remote Start supports only unauthenticated HTTP proxies.
- Configure the WinINet HTTP proxy.
- Append the following to web.config:
    <system.net>
      <defaultProxy useDefaultCredentials="true">
        <proxy usesystemdefault="true" />
      </defaultProxy>
    </system.net>
With usesystemdefault="true", .NET reads the WinINet (Internet Options) proxy settings of the account the process runs as, so the proxy must be configured for the application pool identity, not only for the administrator's interactive session.
5. mTLS configuration
The Session Remote Start API does not require end-user authentication, unlike StoreFront. It is therefore crucial to ensure that only trusted services can communicate with the Session Remote Start Service. One way to achieve this is to enforce mutual TLS (mTLS) authentication between the Session Remote Start Service and the trusted services that need access.
- In IIS Manager, select the Session Remote Start site and open SSL Settings.
- On the SSL Settings page, select Require SSL and Accept, and click Apply.
- Edit Web.config and change mTLSEnabled to true.
- To ensure that responses are returned as expected, set the error response to Detailed errors.
Note that the Accept setting makes IIS request a client certificate but still admits clients that present none; it is the mTLSEnabled setting that rejects such callers, so verify after the change that a request without a client certificate is refused. Detailed errors also return stack traces and configuration detail to remote callers, so revert to the default (detailed errors for local requests only) once the setup has been verified.
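The IIS part of the procedure scripted, with a probe that confirms the service refuses certificate-less callers once mTLSEnabled is true. This is an added example and is not Citrix's code; the site path, probe URL and client-certificate thumbprint are placeholders, and the web.config edit itself is left to the step above because this page does not show where the mTLSEnabled setting lives.

```powershell
# Added example (not from the Citrix documentation): set the IIS SSL flags the steps above
# describe, then request the site with and without a client certificate to confirm the
# application rejects callers that present none. Site path, probe URL and thumbprint are
# placeholders; the thumbprint must belong to a client certificate of a trusted service
# installed in the local machine store.
Import-Module WebAdministration

$SiteLocation = 'Default Web Site/SessionRemoteStart'
$ProbeUri     = 'https://srs.example.internal/SessionRemoteStart/'   # placeholder endpoint
$ClientThumb  = '0123456789ABCDEF0123456789ABCDEF01234567'           # placeholder thumbprint

# 'Ssl' = Require SSL; 'SslNegotiateCert' = the UI's "Accept" client certificates.
# Adding 'SslRequireCert' would make IIS itself refuse certificate-less clients,
# independent of the application's mTLSEnabled check.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteLocation `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl,SslNegotiateCert'

function Test-SrsEndpoint {
    # Returns the HTTP status code, or -1 if the TLS handshake or connection failed.
    param(
        [string]$Uri,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    try {
        $params = @{ Uri = $Uri; Method = 'Get'; UseBasicParsing = $true }
        if ($Cert) { $params.Certificate = $Cert }
        $r = Invoke-WebRequest @params
        return [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return -1
    }
}

$cert        = Get-Item "Cert:\LocalMachine\My\$ClientThumb"
$withoutCert = Test-SrsEndpoint -Uri $ProbeUri
$withCert    = Test-SrsEndpoint -Uri $ProbeUri -Cert $cert

"Without client certificate: HTTP $withoutCert"
"With client certificate:    HTTP $withCert"
if ($withoutCert -ge 200 -and $withoutCert -lt 300) {
    Write-Warning 'Endpoint answered a certificate-less request; mTLS is not being enforced.'
}
```

Run the probe from a host that is not on the trusted list as well: with the firewall scoping from section 2 in place, that host should get a connection failure (-1) rather than any HTTP status.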
6. Filter enumerated resource results by Smart Access
Session Remote Start supports the viaAG broker access rules.
Assume an existing access policy such as the following:
Edit Web.config: