CTX220062
SSL configuration on VDA

Applicable Products

  • XenDesktop

Information


Install SSL server certificates on Controllers

For HTTPS, the XML Service supports SSL features through the use of server certificates, not client certificates. To obtain, install, and register a certificate on a Controller, and to configure a port with the SSL certificate:


Change HTTP or HTTPS ports

By default, the XML Service on the Controller listens on port 80 for HTTP traffic and port 443 for HTTPS traffic. Although you can use non-default ports, be aware of the security risks of exposing a Controller to untrusted networks. Deploying a standalone StoreFront server is preferable to changing the defaults.

To change the default HTTP or HTTPS ports used by the Controller, run the following command from Studio:

BrokerService.exe -WIPORT <http-port> -WISSLPORT <https-port>

where <http-port> is the port number for HTTP traffic and <https-port> is the port number for HTTPS traffic.

Note: After changing a port, Studio might display a message about license compatibility and upgrading. To resolve the issue, re-register the service instances by running the following two PowerShell pipelines in order (the first unregisters the stale XML_HTTPS binding, the second registers the current one):

Get-ConfigRegisteredServiceInstance -ServiceType Broker -Binding XML_HTTPS | Unregister-ConfigRegisteredServiceInstance
Get-BrokerServiceInstance | where Binding -eq "XML_HTTPS" | Register-ConfigServiceInstance


Enforce HTTPS traffic only

If you want the XML Service to ignore HTTP traffic, set the following registry value in HKLM\Software\Citrix\DesktopServer\ on the Controller and then restart the Broker Service.

To ignore HTTP traffic, set XmlServicesEnableNonSsl to 0.

There is a corresponding registry value to ignore HTTPS traffic: XmlServicesEnableSsl. Ensure that this is not set to 0.
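The HTTPS-only switch described above, as an added example (not code from the Citrix article) that refuses to disable HTTP when HTTPS is already off, so the XML Service cannot be left with no listener at all. It assumes it is run elevated on the Controller, that a certificate is already bound to the HTTPS port, and that the Broker Service's Windows service name is CitrixBrokerService (an assumption; the article only says "restart the Broker Service").

```powershell
# Added example, not part of CTX220062. Enforce HTTPS-only XML Service traffic on a Controller.
$key   = 'HKLM:\Software\Citrix\DesktopServer'
$props = Get-ItemProperty -Path $key

# Lockout guard: the article warns that XmlServicesEnableSsl must not be 0.
# Disabling HTTP while HTTPS is also disabled would leave the XML Service unreachable.
if ($props.PSObject.Properties['XmlServicesEnableSsl'] -and $props.XmlServicesEnableSsl -eq 0) {
    throw 'XmlServicesEnableSsl is 0 on this Controller; re-enable HTTPS before disabling HTTP.'
}

# Make the HTTPS setting explicit (1) and turn off non-SSL (HTTP) traffic (0).
Set-ItemProperty -Path $key -Name XmlServicesEnableSsl    -Value 1 -Type DWord
Set-ItemProperty -Path $key -Name XmlServicesEnableNonSsl -Value 0 -Type DWord

# The change only takes effect after the Broker Service restarts.
# Service name is an assumption; check Get-Service -DisplayName 'Citrix Broker Service' first.
Restart-Service -Name CitrixBrokerService
if ((Get-Service -Name CitrixBrokerService).Status -ne 'Running') {
    throw 'Broker Service did not come back up; check the Application event log before leaving HTTP disabled.'
}
```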


About SSL settings on VDAs

When you configure SSL on VDAs, it changes permissions on the installed SSL certificate, giving the ICA Service read access to the certificate’s private key, and informing the ICA Service of the following:
  • Which certificate in the certificate store to use for SSL.
  • Which TCP port number to use for SSL connections.

    The Windows Firewall (if it is enabled) must be configured to allow incoming connections on this TCP port. This configuration is done for you when you use the PowerShell script.

  • Which versions of the SSL protocol to allow.

    The supported SSL protocol versions follow a hierarchy (lowest to highest): SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. You specify the minimum allowed version; all protocol connections using that version or a higher version are allowed.

    For example, if you specify TLS 1.1 as the minimum version, then TLS 1.1 and TLS 1.2 protocol connections are allowed. If you specify SSL 3.0 as the minimum version, then connections for all the supported versions are allowed. If you specify TLS 1.2 as the minimum version, only TLS 1.2 connections are allowed.

  • Which SSL ciphers to allow.

    A cipher suite is a list of common SSL ciphers. When a client connects and sends a list of supported SSL ciphers, the VDA matches one of the client’s ciphers with one of the ciphers in its configured cipher suite and accepts the connection. If the client sends a cipher that is not in the VDA’s cipher suite, the VDA rejects the connection.

    Three cipher suites are supported: GOV(ernment), COM(mercial), and ALL. The ciphers in those cipher suites depend on the Windows FIPS mode; see http://support.microsoft.com/kb/811833 for information about Windows FIPS mode. The following table lists the ciphers in each supported cipher suite. Columns, left to right: GOV, COM, and ALL with FIPS mode off, then GOV, COM, and ALL with FIPS mode on; an x marks a cipher that the suite includes.
    SSL cipher suite | GOV | COM | ALL | GOV | COM | ALL
    FIPS Mode        | Off | Off | Off | On  | On  | On
    RSA_KEYX x x x x x x
    RSA_SIGN x x x x x x
    3DES x x x x
    RC4 x x
    MD5 x x x
    SHA x x x x x x
    SHA_256 x x x x x x
    SHA_384 x x x x x x
    SHA_512 x x x x x x
    AES x x x x x x

A Delivery Group cannot have a mixture of some VDAs with SSL configured and some VDAs without SSL configured. When you configure SSL for a Delivery Group, you should have already configured SSL for all of the VDAs in that Delivery Group.

Note: VDA registration with the DDC / Cloud Connector works over TCP/HTTP ports only. We do not have support for HTTPS/443 available as of today.

Configure SSL on a VDA using the PowerShell script

The Enable-VdaSSL.ps1 script enables or disables the SSL listener on a VDA. This script is available in the Support > Tools > SslSupport folder on the installation media.

When you enable SSL, the script disables all existing Windows Firewall rules for the specified TCP port before adding a new rule that allows the ICA Service to accept incoming connections only on the SSL TCP port. It also disables the Windows Firewall rules for:
  • Citrix ICA (default: 1494)
  • Citrix CGP (default: 2598)
  • Citrix WebSocket (default: 8008)

The result is that users can connect only over SSL; they cannot use raw ICA, CGP, or WebSocket to connect.

The script contains the following syntax descriptions, plus additional examples; you can use a tool such as Notepad++ to review this information.

You must specify either the -Enable or -Disable parameter; all other parameters are optional.

Syntax

Enable-VdaSSL {-Enable | -Disable} [-SSLPort <port>] [-SSLMinVersion "<version>"] [-SSLCipherSuite "<suite>"] [-CertificateThumbPrint "<thumbprint>"]

Parameter: Description

-Enable: Installs and enables the SSL listener on the VDA. Either this parameter or the -Disable parameter is required.
-Disable: Disables the SSL listener on the VDA. Either this parameter or the -Enable parameter is required. If you specify this parameter, no other parameters are valid.
-SSLPort <port>: SSL port. Default: 443
-SSLMinVersion "<version>": Minimum SSL protocol version, enclosed in quotation marks. Valid values: "SSL_3.0", "TLS_1.0", "TLS_1.1", and "TLS_1.2". Default: "TLS_1.0"
-SSLCipherSuite "<suite>": SSL cipher suite, enclosed in quotation marks. Valid values: "GOV", "COM", and "ALL". Default: "ALL"
-CertificateThumbPrint "<thumbprint>": Thumbprint of the SSL certificate in the certificate store, enclosed in quotation marks. This parameter is generally used when the certificate store has multiple certificates; the script uses the thumbprint to select the certificate you want to use. Default: the first available certificate found in the Local Computer > Personal > Certificates area of the certificate store.

Examples

The following script installs and enables the SSL listener, using default values for all optional parameters.
Enable-VdaSSL –Enable

The following script installs and enables the SSL listener, and specifies SSL port 400, the GOV cipher suite, and a minimum TLS 1.2 SSL protocol value.
Enable-VdaSSL -Enable -SSLPort 400 -SSLMinVersion "TLS_1.2" -SSLCipherSuite "GOV"

The following script installs and enables the SSL listener on a non-persistent machine (MCS catalog). It selects the certificate by thumbprint, looking up the certificate that matches the VDA's own host name and has a private key, and sets a minimum TLS 1.2 SSL protocol version.

Enable-VdaSSL.ps1 -Enable -CertificateThumbPrint ((Get-ChildItem -Path Cert:\LocalMachine\My -DnsName ([System.Net.Dns]::GetHostByName($env:ComputerName)).HostName -SSLServerAuthentication | Where-Object HasPrivateKey -eq $true).Thumbprint) -Confirm:$false -SSLMinVersion "TLS_1.2"

The following script disables the SSL listener on the VDA.

Enable-VdaSSL -Disable

or, equivalently, set the SSLEnabled registry value to 0 (the value that the manual procedure below uses to disable SSL):

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\Wds\icawd" -Name "SSLEnabled" -Value 0 -Type DWORD


Manually configure SSL on a VDA

When configuring SSL on a VDA manually, you grant generic read access to the SSL certificate’s private key for the appropriate service on each VDA: NT SERVICE\PorticaService for a VDA for Windows Desktop OS, or NT SERVICE\TermService for a VDA for Windows Server OS. On the machine where the VDA is installed:
  1. Launch the Microsoft Management Console (MMC): Start > Run > mmc.exe.
  2. Add the Certificates snap-in to the MMC:
    1. Select File > Add/Remove Snap-in.
    2. Select Certificates and then click Add.
    3. When prompted with “This snap-in will always manage certificates for:” choose “Computer account” and then click Next.
    4. When prompted with “Select the computer you want this snap-in to manage” choose “Local computer” and then click Finish.
  3. Under Certificates (Local Computer) > Personal > Certificates, right-click the certificate and then select All Tasks > Manage Private Keys.
  4. The Access Control List Editor displays “Permissions for (FriendlyName) private keys” where (FriendlyName) is the name of your SSL certificate. Add one of the following services and give it Read access:
    • For a VDA for Windows Desktop OS, "PORTICASERVICE"
    • For a VDA for Windows Server OS, "TERMSERVICE"
  5. Double-click the installed SSL certificate. In the certificate dialog, select the Details tab and then scroll to the bottom. Click Thumbprint.
  6. Run regedit and go to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\icawd.
    1. Edit the SSL Thumbprint key and copy the value of the SSL certificate’s thumbprint into this binary value. You can safely ignore unknown items in the Edit Binary Value dialog box (such as '0000' and special characters).
    2. Edit the SSLEnabled key and change the DWORD value to 1. (To disable SSL later, change the DWORD value to 0.)
    3. If you want to change the default settings (optional), use the following in the same registry path:
      • SSLPort DWORD – SSL port number. Default: 443.
      • SSLMinVersion DWORD – 1 = SSL 3.0, 2 = TLS 1.0, 3 = TLS 1.1, 4 = TLS 1.2. Default: 2 (TLS 1.0).
      • SSLCipherSuite DWORD – 1 = GOV, 2 = COM, 3 = ALL. Default: 3 (ALL).
  7. Ensure the SSL TCP port is open in the Windows Firewall if it is not the default 443. (When you create the inbound rule in Windows Firewall, make sure its properties have the "Allow the connection" and "Enabled" entries selected.)
  8. Ensure that no other applications or services (such as IIS) are using the SSL TCP port.
  9. For VDAs for Windows Server OS, restart the machine for the changes to take effect. (You do not need to restart machines containing VDAs for Windows Desktop OS.)
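The manual procedure above, carried out in PowerShell as an added example (this is not the Citrix Enable-VdaSSL.ps1 script nor code from the article). Save it as a .ps1 and run it elevated on the VDA. Assumptions: the thumbprint registry value is named SSLThumbprint (the article calls it "SSL Thumbprint"); the certificate's RSA key lives in the machine key store as a CSP or CNG key; the firewall rule name "Citrix ICA SSL" is a placeholder of my choosing.

```powershell
# Added example, not part of CTX220062. Applies steps 4 and 6 to 8 of the manual VDA SSL procedure.
param(
    [Parameter(Mandatory)][string]$Thumbprint,                          # placeholder: your certificate's thumbprint
    [ValidateSet('Desktop','Server')][string]$OsType = 'Desktop',
    [int]$SslPort = 443,
    [ValidateSet('SSL_3.0','TLS_1.0','TLS_1.1','TLS_1.2')][string]$MinVersion = 'TLS_1.2',
    [ValidateSet('GOV','COM','ALL')][string]$CipherSuite = 'ALL'
)
$ErrorActionPreference = 'Stop'
$Thumbprint = $Thumbprint -replace '[^0-9A-Fa-f]', ''   # drop spaces and hidden characters copied from MMC
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in the Local Computer store" }

# Step 4: read access on the private key for the ICA service (PorticaService on Desktop OS, TermService on Server OS).
$svc = if ($OsType -eq 'Desktop') { 'NT SERVICE\PorticaService' } else { 'NT SERVICE\TermService' }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName                       # CNG key (assumed location)
} else {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # CSP key
}
& icacls.exe $keyFile /grant "$($svc):R" | Out-Null

# Step 6: registry values under icawd. The thumbprint is stored as raw bytes (REG_BINARY), not as a string.
$reg   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\icawd'
$bytes = [byte[]](0..($Thumbprint.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($Thumbprint.Substring($_ * 2, 2), 16) })
$verMap   = @{ 'SSL_3.0' = 1; 'TLS_1.0' = 2; 'TLS_1.1' = 3; 'TLS_1.2' = 4 }   # DWORD encoding from the article
$suiteMap = @{ 'GOV' = 1; 'COM' = 2; 'ALL' = 3 }
Set-ItemProperty -Path $reg -Name SSLThumbprint  -Value $bytes                  -Type Binary   # value name assumed
Set-ItemProperty -Path $reg -Name SSLPort        -Value $SslPort                -Type DWord
Set-ItemProperty -Path $reg -Name SSLMinVersion  -Value $verMap[$MinVersion]    -Type DWord
Set-ItemProperty -Path $reg -Name SSLCipherSuite -Value $suiteMap[$CipherSuite] -Type DWord
Set-ItemProperty -Path $reg -Name SSLEnabled     -Value 1                       -Type DWord

# Step 8: warn if another listener (IIS, for example) already owns the SSL port; the ICA listener would fail to bind.
$owner = Get-NetTCPConnection -LocalPort $SslPort -State Listen -ErrorAction SilentlyContinue
if ($owner) { Write-Warning "TCP $SslPort is already in use by PID $($owner.OwningProcess -join ','); free it before connecting" }

# Step 7: inbound rule for the SSL port, created enabled and with the Allow action.
if (-not (Get-NetFirewallRule -DisplayName 'Citrix ICA SSL' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Citrix ICA SSL' -Direction Inbound -Protocol TCP -LocalPort $SslPort `
                        -Action Allow -Enabled True | Out-Null
}
# Step 9: Server OS VDAs need a restart; Desktop OS VDAs do not.
if ($OsType -eq 'Server') { Write-Host 'Restart this machine for the SSL listener settings to take effect.' }
```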

Configure SSL on Delivery Groups

Complete this procedure for each Delivery Group that contains VDAs you have configured for SSL connections.
  1. From Studio, open the PowerShell console.
  2. Run asnp Citrix.* to load the Citrix product cmdlets.
  3. Run Get-BrokerAccessPolicyRule -DesktopGroupName '<DeliveryGroupName>' | Set-BrokerAccessPolicyRule -HdxSslEnabled $true.

    where <DeliveryGroupName> is the name of the Delivery Group containing the VDAs.

  4. Run Set-BrokerSite –DnsResolutionEnabled $true.

Troubleshooting

If a connection error occurs, check the VDA's system event log.

When using Receiver for Windows, if you receive a connection error (such as 1030) that indicates an SSL error, disable Desktop Viewer and then try connecting again; although the connection will still fail, an explanation of the underlying SSL issue might be provided (for example, you specified an incorrect template when requesting a certificate from the certificate authority).
