Citrix DaaS

Manage security keys

Note:

  • You must use this feature in combination with StoreFront 1912 LTSR CU2 or later.

  • The Secure XML feature is supported only on Citrix ADC and Citrix Gateway release 12.1 and later.

This feature lets you allow only approved StoreFront and Citrix Gateway machines to communicate with Citrix Delivery Controllers. After you enable this feature, any requests that do not contain the key are blocked. Use this feature to add an extra layer of security to protect against attacks originating from the internal network.

A general workflow to use this feature is as follows:

  1. Display security key settings in the Full Configuration interface. (Use the Remote PowerShell SDK.)

  2. Configure settings for your deployment. (Use the Full Configuration interface or the Remote PowerShell SDK.)

  3. Configure settings in StoreFront. (Use PowerShell.)

  4. Configure settings in Citrix ADC.

Display security key settings in the Full Configuration interface

By default, settings for security keys are hidden from the Full Configuration interface. To display them in that interface, use the Remote PowerShell SDK. For more information about the Remote PowerShell SDK, see SDKs and APIs.

Detailed steps are as follows:

  1. Run the Remote PowerShell SDK.
  2. In a command window, run the following commands:
    • Add-PSSnapIn Citrix*. This command adds the Citrix snap-ins.
    • Set-ConfigSiteMetadata -Name "Citrix_DesktopStudio_SecurityKeyManagementEnabled" -Value "True". This command makes the security key settings visible in the Full Configuration interface.

Configure settings for your deployment

You can configure settings for your deployment by using Full Configuration or PowerShell.

Use the Full Configuration interface

After enabling the feature, navigate to Full Configuration > Settings > Manage security key and click Edit. The Manage Security Key blade appears. Click Save to apply your changes and to exit the blade.

Manage Security Key wizard

Important:

  • There are two keys available for use. You can use the same key or different keys for communications over the XML and STA ports. We recommend that you use only one key at a time. The unused key is used only for key rotation.
  • Do not click the refresh icon to update the key already in use. If you do, service interruption will occur.

Click the refresh icon to generate new keys.

Require key for communications over XML port (StoreFront only). If selected, require a key to authenticate communications over the XML port. StoreFront communicates with Citrix Cloud over this port. For information about changing the XML port, see Knowledge Center article CTX127945.

Require key for communications over STA port. If selected, require a key to authenticate communications over the STA port. Citrix Gateway and StoreFront communicate with Citrix Cloud over this port. For information about changing the STA port, see Knowledge Center article CTX101988.

After applying your changes, click Close to exit the Manage Security Key blade.

Use the Remote PowerShell SDK

The following are PowerShell steps equivalent to the operations performed in the Full Configuration interface.

  1. Run the Remote PowerShell SDK.

  2. In a command window, run the following command:
    • Add-PSSnapIn Citrix*
  3. Run the following commands to generate a key and set up Key1:
    • New-BrokerXmlServiceKey
    • Set-BrokerSite -XmlServiceKey1 <key generated by the previous command>
  4. Run the following commands to generate a key and set up Key2:
    • New-BrokerXmlServiceKey
    • Set-BrokerSite -XmlServiceKey2 <key generated by the previous command>
  5. Run one or both of the following commands to enable the use of a key in authenticating communications:
    • To authenticate communications over the XML port:
      • Set-BrokerSite -RequireXmlServiceKeyForNFuse $true
    • To authenticate communications over the STA port:
      • Set-BrokerSite -RequireXmlServiceKeyForSta $true

See the PowerShell command help for guidance and syntax.
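The following script is an added example (not from the Citrix documentation) that wraps the Controller-side steps above and shows a rotation order that respects the warning never to regenerate the key that StoreFront and Citrix ADC are currently sending. It assumes the Remote PowerShell SDK is already authenticated and that New-BrokerXmlServiceKey returns the generated key as a string; the function names are the author's own.

```powershell
# Added example: first-time setup and rotation-safe handling of the two XML service key slots.
# Assumption: New-BrokerXmlServiceKey outputs the new key as a string.
Add-PSSnapIn Citrix*

function Enable-XmlServiceKeys {
    # Fill both slots, then require the key on the XML (StoreFront) and STA ports.
    $key1 = New-BrokerXmlServiceKey
    $key2 = New-BrokerXmlServiceKey
    Set-BrokerSite -XmlServiceKey1 $key1
    Set-BrokerSite -XmlServiceKey2 $key2
    Set-BrokerSite -RequireXmlServiceKeyForNFuse $true   # XML port
    Set-BrokerSite -RequireXmlServiceKeyForSta $true     # STA port
    # Key1 is the value to configure in StoreFront and in the ADC rewrite action.
    return $key1
}

function Start-XmlServiceKeyRotation {
    param([ValidateSet(1, 2)][int] $InUseSlot)
    # Never overwrite the slot StoreFront/ADC are sending: requests would be rejected at once.
    # Put the new key in the unused slot instead; the Controller accepts either key, so
    # StoreFront and ADC can be moved to the new value without a service interruption.
    $newKey = New-BrokerXmlServiceKey
    if ($InUseSlot -eq 1) { Set-BrokerSite -XmlServiceKey2 $newKey }
    else                  { Set-BrokerSite -XmlServiceKey1 $newKey }
    # Configure this value in StoreFront (Set-STFStoreFarm / New-STFSecureTicketAuthority)
    # and in the ADC rewrite action before calling Complete-XmlServiceKeyRotation.
    return $newKey
}

function Complete-XmlServiceKeyRotation {
    param([ValidateSet(1, 2)][int] $RetiredSlot)
    # Only after every StoreFront server and ADC rewrite action sends the new key:
    # replace the retired slot so the old key is no longer accepted anywhere.
    $spare = New-BrokerXmlServiceKey
    if ($RetiredSlot -eq 1) { Set-BrokerSite -XmlServiceKey1 $spare }
    else                    { Set-BrokerSite -XmlServiceKey2 $spare }
}
```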

Configure settings in StoreFront

After you complete the settings for your deployment, you need to configure the relevant settings in StoreFront by using PowerShell.

On the StoreFront server, run the following PowerShell commands:

  • To configure the key for communications over the XML port, use the Get-STFStoreService and Set-STFStoreService commands. For example:
    • PS C:\> Set-STFStoreFarm $farm -Farmtype XenDesktop -Port 80 -TransportType HTTP -Servers <Delivery Controller address> -XMLValidationEnabled $true -XMLValidationSecret <XmlServiceKey1 value>
  • To configure the key for communications over the STA port, use the New-STFSecureTicketAuthority command. For example:
    • PS C:\> $sta = New-STFSecureTicketAuthority -StaUrl <STA URL> -StaValidationEnabled $true -StaValidationSecret <XmlServiceKey1 value>

See the PowerShell command help for guidance and syntax.
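The script below is an added example (not part of the Citrix documentation) that runs the two StoreFront commands above end to end on the StoreFront server, taking the key copied from the Controller as a parameter. It assumes a store at the virtual path /Citrix/Store, a single Delivery Controller ddc01.example.local with its STA at the usual /scripts/ctxsta.dll path, and a gateway named "Gateway"; Get-STFStoreFarm and the -SecureTicketAuthorityObjs parameter of Set-STFRoamingGateway are assumed to be available in StoreFront 1912 LTSR CU2.

```powershell
# Added example: push the XML service key into an existing StoreFront store farm and STA.
# All names below are assumptions for illustration; replace them with your own.
param(
    [Parameter(Mandatory)][string] $XmlServiceKey,          # value from the Controller
    [string] $StoreVirtualPath = "/Citrix/Store",
    [string] $DdcFqdn          = "ddc01.example.local",
    [string] $GatewayName      = "Gateway"
)

Import-Module Citrix.StoreFront

$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$farm  = Get-STFStoreFarm -StoreService $store          # existing XenDesktop farm definition

# XML port: StoreFront now adds the key to every XML request it sends to the Controller.
Set-STFStoreFarm $farm -FarmType XenDesktop -Port 80 -TransportType HTTP `
    -Servers $DdcFqdn -XMLValidationEnabled $true -XMLValidationSecret $XmlServiceKey

# STA port: the STA object carries the same key for ticket validation requests.
$sta = New-STFSecureTicketAuthority -StaUrl "http://$DdcFqdn/scripts/ctxsta.dll" `
    -StaValidationEnabled $true -StaValidationSecret $XmlServiceKey

# Attach the key-aware STA to the gateway so Gateway-launched sessions are validated
# with the key as well (assumed parameter; check Get-Help Set-STFRoamingGateway).
$gateway = Get-STFRoamingGateway -Name $GatewayName
Set-STFRoamingGateway -Gateway $gateway -SecureTicketAuthorityObjs $sta
```

Run the script once per StoreFront server group member if the servers are not propagating configuration, and verify with Get-STFStoreFarm that XMLValidationEnabled is now True.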

Configure settings in Citrix ADC

Note:

Configuring this feature in Citrix ADC is not required unless you use Citrix ADC as your gateway. If you use Citrix ADC, follow the steps below.

  1. Ensure that the following prerequisite configuration is already in place:

    • The following Citrix ADC related IP addresses are configured:

      ADC management IP address

      • Subnet IP (SNIP) address for enabling communication between the Citrix ADC appliance and the back-end servers. For details, see Configuring Subnet IP Addresses.
      • Citrix Gateway virtual IP address and load balancer virtual IP address to log in to the ADC appliance for session launch. For details, see Create a virtual server.

      Subnet IP address

    • The required modes and features in the Citrix ADC appliance are enabled.
      • To enable the modes, in the Citrix ADC GUI navigate to System > Settings > Configure Mode.
      • To enable the features, in the Citrix ADC GUI navigate to System > Settings > Configure Basic Features.
    • Certificate-related configurations are complete.

      Create a CSR certificate

      Install server certificate

      Install CA certificate

    • A Citrix Gateway has been created for Citrix DaaS (formerly Citrix Virtual Apps and Desktops service). Test the connectivity by clicking the Test STA Connectivity button to confirm that the virtual servers are online. For details, see Setting up Citrix ADC for Citrix Virtual Apps and Desktops.

      Gateway for virtual desktops

  2. Add a rewrite action. For details, see Configuring a Rewrite Action.

    1. Navigate to AppExpert > Rewrite > Actions.
    2. Click Add to add a new rewrite action. You can name the action as "set Type to INSERT_HTTP_HEADER".

    Add rewrite action

    3. In Type, select INSERT_HTTP_HEADER.
    4. In Header Name, enter X-Citrix-XmlServiceKey.
    5. In Expression, enter the key value enclosed in double quotes, for example "<XmlServiceKey1 value>". You can copy the XmlServiceKey1 value from your Desktop Delivery Controller configuration.

    XML service key value

  3. Add a rewrite policy. For details, see Configuring a Rewrite Policy.
    1. Navigate to AppExpert > Rewrite > Policies.

    2. Click Add to add a new policy.

    Add rewrite policy

    3. In Action, select the action created in the earlier step.
    4. In Expression, add HTTP.REQ.IS_VALID.
    5. Click OK.
  4. Set up load balancing. You must configure one load balancing virtual server per STA server. If you do not, the sessions fail to launch.

    For details, see Set up basic load balancing.

    1. Create a load balancing virtual server.
      • Navigate to Traffic Management > Load Balancing > Servers.
      • In the Virtual Servers page, click Add.

      Add a load balancing server

      • In Protocol, select HTTP.
      • Add the load balancing virtual IP address and in Port select 80.
      • Click OK.
    2. Create a load balancing service.
      • Navigate to Traffic Management > Load Balancing > Services.

      Add a load balancing service

      • In Existing Server, select the virtual server created in the previous step.
      • In Protocol, select HTTP and in Port select 80.
      • Click OK, and then click Done.
    3. Bind the service to the virtual server.
      • Select the virtual server created earlier and click Edit.
      • In Services and Service Groups, click No Load Balancing Virtual Server Service Binding.

      Bind service to a virtual server

      • In Service Binding, select the Citrix DaaS service created earlier.
      • Click Bind.
    4. Bind the rewrite policy created earlier to the virtual server.
      • Select the virtual server created earlier and click Edit.
      • In Advanced Settings, click Policies, and then in the Policies section click +.

      Bind rewrite policy

      • In Choose Policy, select Rewrite and in Choose Type, select Request.
      • Click Continue.
      • In Select Policy, select the rewrite policy created earlier.
      • Click Bind.
      • Click Done.
    5. Set up persistence for the virtual server, if necessary.
      • Select the virtual server created earlier and click Edit.
      • In Advanced Settings, click Persistence.

      Set persistence

      • Select the persistence type Others.
      • Select DESTIP to create persistence sessions based on the IP address of the service selected by the virtual server (the destination IP address).
      • In IPv4 Netmask, enter the same network mask as that of the DDC.
      • Click OK.
    6. Repeat these steps for the other virtual server as well.

Configuration changes if the Citrix ADC appliance is already configured with Citrix DaaS

If you have already configured the Citrix ADC appliance with Citrix DaaS, then to use the Secure XML feature, you must make the following configuration changes.

  • Before the session launch, change the Security Ticket Authority URL of the gateway to use the FQDNs of the load balancing virtual servers.
  • Ensure that the TrustRequestsSentToTheXmlServicePort parameter is set to False. By default, the TrustRequestsSentToTheXmlServicePort parameter is set to False. However, if the customer has already configured the Citrix ADC for Citrix DaaS, then TrustRequestsSentToTheXmlServicePort is set to True.
  1. In the Citrix ADC GUI, navigate to Configuration > Integrate with Citrix Products and click XenApp and XenDesktop.
  2. Select the gateway instance and click the edit icon.

    Edit existing gateway configuration

  3. In the StoreFront pane, click the edit icon.

    Edit StoreFront details

  4. Add the Secure Ticket Authority URL.
    • If the Secure XML feature is enabled, then the STA URL must be the URL of the load balancing service.
    • If the Secure XML feature is disabled, then the STA URL must be the URL of the STA (the DDC's address) and the TrustRequestsSentToTheXmlServicePort parameter on the DDC must be set to True.

    Add STA urls
