Transport Layer Security (TLS)

Citrix Virtual Apps and Desktops support the Transport Layer Security (TLS) protocol for TCP-based connections between components. Citrix Virtual Apps and Desktops also support the Datagram Transport Layer Security (DTLS) protocol for UDP-based ICA/HDX connections, using adaptive transport.

TLS and DTLS are similar, and support the same digital certificates. Configuring a Citrix Virtual Apps or Citrix Virtual Desktops Site to use TLS also configures it to use DTLS. Use the following procedures; the steps are common to both TLS and DTLS except where noted:

  • Obtain, install, and register a server certificate on all Delivery Controllers, and configure a port with the TLS certificate. For details, see Install TLS server certificates on Controllers.

    Optionally, you can change the ports the Controller uses to listen for HTTP and HTTPS traffic.

  • Enable TLS connections between Citrix Workspace app and Virtual Delivery Agents (VDAs) by completing the following tasks:

    • Configure TLS on the machines where the VDAs are installed. (For convenience, further references to machines where VDAs are installed are simply called “VDAs.”) For general information, see TLS settings on VDAs. It is highly recommended that you use the Citrix supplied PowerShell script to configure TLS/DTLS. For details, see Configure TLS on a VDA using the PowerShell script. However, if you want to configure TLS/DTLS manually, see Manually configure TLS on a VDA.
    • Configure TLS in the Delivery Groups containing the VDAs by running a set of PowerShell cmdlets in Studio. For details, see Configure TLS on Delivery Groups.

      Requirements and considerations:

      • Enabling TLS connections between users and VDAs is valid only for XenApp 7.6 and XenDesktop 7.6 Sites, plus later supported releases.
      • Configure TLS in the Delivery Groups and on the VDAs after you install components, create a Site, create machine catalogs, and create Delivery Groups.
      • To configure TLS in the Delivery Groups, you must have permission to change Controller access rules. A Full Administrator has this permission.
      • To configure TLS on the VDAs, you must be a Windows administrator on the machine where the VDA is installed.
      • On pooled VDAs that are provisioned by Machine Creation Services or Provisioning Services, the VDA machine image is reset on restart, causing previous TLS settings to be lost. Run the PowerShell script each time the VDA is restarted to reconfigure the TLS settings.

Warning:

For tasks that include working in the Windows registry—editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

For information about enabling TLS to the Site database, see CTX137556.

Install TLS server certificates on Controllers

For HTTPS, the XML Service supports TLS features by using server certificates, not client certificates. This section describes acquiring and installing TLS certificates on Delivery Controllers. The same steps can be applied to Cloud Connectors to encrypt STA and XML traffic.

Although there are various types of certificate authorities and methods of requesting certificates from them, this article describes the Microsoft Certificate Authority. The Microsoft Certificate Authority must have a certificate template published with the purpose of Server Authentication.

If the Microsoft Certificate Authority is integrated into an Active Directory domain or into the trusted forest the Delivery Controllers are joined to, you can acquire a certificate from the Certificates MMC snap-in Certificate Enrollment wizard.

Requesting and installing a certificate

  1. On the Delivery Controller, open the MMC console and add the Certificates snap-in. When prompted select Computer account.
  2. Expand Personal > Certificates, then use the All Tasks > Request New Certificate context menu command.

    MMC Certificates snap-in

  3. Click Next to begin, and Next to confirm that you are acquiring the certificate from Active Directory enrollment.
  4. Select the template for the Server Authentication certificate. If the template has been set up to provide the Subject values automatically, you can click Enroll without providing more details.

    Request certificates dialog

  5. To provide more details for the certificate template, click the Details arrow button and configure the following:

    Subject name: select Common Name and add the FQDN of the Delivery Controller.

    Alternative name: select DNS and add the FQDN of the Delivery Controller.

    Certificate properties
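As an added example (not part of the Citrix documentation), the following PowerShell function checks that a certificate installed in the Controller's Personal store has the properties requested above: the FQDN as Common Name and as a DNS Subject Alternative Name, the Server Authentication purpose, a private key, and a current validity period. It assumes the Controller's FQDN is the machine's DNS host name; pass `-Fqdn` to override that.

```powershell
# Added example, not from the Citrix documentation: verify a Controller certificate
# before binding it to the HTTPS port. Assumes the FQDN is the host's DNS name.
function Test-ControllerTlsCertificate {
    param(
        [string]$Fqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $escaped = [regex]::Escape($Fqdn)
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Subject must carry the Controller FQDN as the Common Name
        $cnOk = $cert.Subject -match "CN=$escaped(,|$)"
        # Subject Alternative Name (OID 2.5.29.17) must list the FQDN as a DNS name
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanOk = $false
        if ($sanExt) { $sanOk = $sanExt.Format($false) -match "DNS Name=$escaped(,|$)" }
        # Enhanced Key Usage must include Server Authentication
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekuOk = $false
        if ($ekuExt) {
            $ekuOk = @($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0
        }
        # The private key must be present on this machine and the certificate must be in date
        $keyOk  = $cert.HasPrivateKey
        $now    = Get-Date
        $dateOk = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            CommonName = $cnOk
            SanDns     = $sanOk
            ServerAuth = $ekuOk
            PrivateKey = $keyOk
            InDate     = $dateOk
            Usable     = ($cnOk -and $sanOk -and $ekuOk -and $keyOk -and $dateOk)
        }
    }
}

# One row per certificate in the store; only rows with Usable = True meet the requirements
Test-ControllerTlsCertificate | Format-Table -AutoSize
```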

Configuring the SSL/TLS listener port

  1. Open a PowerShell command window as an administrator of the machine.
  2. Run the following commands to get Broker Service Application GUID:

    # Expose HKEY_CLASSES_ROOT as a PowerShell drive so the Installer product keys can be searched
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT

    # Find the Installer product key whose values include the product name "Citrix Broker Service"
    $Service_Guid = Get-ChildItem HKCR:\Installer\Products -Recurse -Ea 0 | Where-Object { $key = $_; $_.GetValueNames() | ForEach-Object { $key.GetValue($_) } | Where-Object { $_ -like 'Citrix Broker Service' } } | Select-Object Name

    # The product code is the trailing run of hexadecimal characters in the key name
    $Service_Guid.Name -match "[A-Z0-9]*$"

    $Guid = $Matches[0]

    # Cast the matched string to a GUID so it is printed in the standard 8-4-4-4-12 form
    [GUID]$Formatted_Guid = $Guid

    # Remove the temporary registry drive
    Remove-PSDrive -Name HKCR

    Write-Host "Broker Service Application GUID: $($Formatted_Guid)" -ForegroundColor Yellow

