Transport Layer Security (TLS) 编辑

Configuring a XenApp or XenDesktop Site to use the Transport Layer Security (TLS) protocol includes the following procedures:

• Obtain, install, and register a server certificate on all Delivery Controllers, and configure a port with the TLS certificate. For details, see Install TLS server certificates on Controllers.

  Optionally, you can change the ports the Controller uses to listen for HTTP and HTTPS traffic.

• Enable TLS connections between users and Virtual Delivery Agents (VDAs) by completing the following tasks:

  • Configure TLS on the machines where the VDAs are installed. (For convenience, further references to machines where VDAs are installed are simply called “VDAs.”) You can use a PowerShell script supplied by Citrix, or configure it manually. For general information, see About TLS settings on VDAs. For details, see Configure TLS on a VDA using the PowerShell script and Manually configure TLS on a VDA.
  • Configure TLS in the Delivery Groups containing the VDAs by running a set of PowerShell cmdlets in Studio. For details, see Configure TLS on Delivery Groups.

  Requirements and considerations:

  • Enabling TLS connections between users and VDAs is valid only for XenApp 7.6 and XenDesktop 7.6 Sites, plus later supported releases.
  • Configure TLS in the Delivery Groups and on the VDAs after you install components, create a Site, create Machine Catalogs, and create Delivery Groups.
  • To configure TLS in the Delivery Groups, you must have permission to change Controller access rules; a Full Administrator has this permission.
  • To configure TLS on the VDAs, you must be a Windows administrator on the machine where the VDA is installed.
  • If you intend to configure TLS on VDAs that have been upgraded from earlier versions, uninstall any SSL relay software on those machines before upgrading them.
  • The PowerShell script configures TLS on static VDAs; it does not configure TLS on pooled VDAs that are provisioned by Machine Creation Services or Provisioning Services, where the machine image resets on each restart.

Warning:

For tasks that include working in the Windows registry—editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

For information about enabling TLS to the Site database, see CTX137556.

Note:

If both TLS and UDT are enabled at the VDA:

• For direct access to the VDA, Citrix Receiver always uses TLS over TCP (not UDP and UDT).
• For indirect access to the VDA using NetScaler Gateway, Citrix Receiver uses DTLS over UDP for communication with NetScaler Gateway. The communication between NetScaler Gateway and the VDA uses UDP without DTLS. UDT is used.

Install TLS server certificates on Controllers

For HTTPS, the XML Service supports TLS features by using server certificates, not client certificates. This section describes acquiring and installing TLS certificates in Delivery Controllers. The same steps can be applied to Cloud Connectors to encrypt STA and XML traffic.

Although there are various different types of certificate authorities and methods of requesting certificate from them, this article describes the Microsoft Certificate Authority. The Microsoft Certificate Authority needs to have a certificate template published with a purpose of Server Authentication.

If the Microsoft Certificate Authority is integrated into an Active Directory domain or into the trusted forest the Delivery Controllers are joined to, you can acquire a certificate from the Certificates MMC snap-in Certificate Enrollment wizard.

Requesting and installing a certificate

1. On the Delivery Controller, open the MMC console and add the Certificates snap-in. When prompted select Computer account.

2. Expand Personal > Certificates, then use the All Tasks > Request New Certificate context menu command.

   

3. Click Next to begin, and Next to confirm that you are acquiring the certificate from Active Directory enrollment.

4. Select the template for Server Authentication certificate. If the template has been set up to automatically provide the values for Subject you can click Enroll without providing more details.

   

5. To provide more details for the certificate template, click the Details arrow button and configure the following:

   Subject name: select Common Name and add the FQDN of the Delivery Controller.

   Alternative name: select DNS and add the FQDN of the Delivery Controller.

   

Configuring SSL/TLS listener port

1. Open a PowerShell command window as an administrator of the machine.

2. Run the following commands to get Broker Service Application GUID:

   New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
   
   $Service_Guid = Get-ChildItem HKCR:\Installer\Products -Recurse -Ea 0 | Where-Object { $key = $_; $_.GetValueNames() | ForEach-Object { $key.GetValue($_) } | Where-Object { $_ -like 'Citrix Broker Service' } } | Select-Object Name
   
   $Service_Guid.Name -match "[A-Z0-9]*$"
   
   $Guid = $Matches[0]
   
   [GUID]$Formatted_Guid = $Guid
   
   Remove-PSDrive -Name HKCR
   
   Write-Host "Broker Service Application GUID: $($Formatted_Guid)" -ForegroundColor Yellow
   <!--NeedCopy-->