Transport Layer Security (TLS) 编辑

Configuring a XenApp or XenDesktop Site to use the Transport Layer Security (TLS) protocol includes the following procedures:

  • Obtain, install, and register a server certificate on all Delivery Controllers, and configure a port with the TLS certificate. For details, see Install TLS server certificates on Controllers.

    Optionally, you can change the ports the Controller uses to listen for HTTP and HTTPS traffic.

  • Enable TLS connections between users and Virtual Delivery Agents (VDAs) by completing the following tasks:

    Requirements and considerations:

    • Enabling TLS connections between users and VDAs is valid only for XenApp 7.6 and XenDesktop 7.6 Sites, plus later supported releases.
    • Configure TLS in the Delivery Groups and on the VDAs after you install components, create a Site, create Machine Catalogs, and create Delivery Groups.
    • To configure TLS in the Delivery Groups, you must have permission to change Controller access rules; a Full Administrator has this permission.
    • To configure TLS on the VDAs, you must be a Windows administrator on the machine where the VDA is installed.
    • If you intend to configure TLS on VDAs that have been upgraded from earlier versions, uninstall any SSL relay software on those machines before upgrading them.
    • The PowerShell script configures TLS on static VDAs; it does not configure TLS on pooled VDAs that are provisioned by Machine Creation Services or Provisioning Services, where the machine image resets on each restart.

Warning:

For tasks that include working in the Windows registry—editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

For information about enabling TLS to the Site database, see CTX137556.

Note:

If both TLS and UDT are enabled at the VDA:

  • For direct access to the VDA, Citrix Receiver always uses TLS over TCP (not UDP and UDT).
  • For indirect access to the VDA using NetScaler Gateway, Citrix Receiver uses DTLS over UDP for communication with NetScaler Gateway. The communication between NetScaler Gateway and the VDA uses UDP without DTLS. UDT is used.

Install TLS server certificates on Controllers

For HTTPS, the XML Service supports TLS features by using server certificates, not client certificates. This section describes acquiring and installing TLS certificates in Delivery Controllers. The same steps can be applied to Cloud Connectors to encrypt STA and XML traffic.

Although there are various different types of certificate authorities and methods of requesting certificate from them, this article describes the Microsoft Certificate Authority. The Microsoft Certificate Authority needs to have a certificate template published with a purpose of Server Authentication.

If the Microsoft Certificate Authority is integrated into an Active Directory domain or into the trusted forest the Delivery Controllers are joined to, you can acquire a certificate from the Certificates MMC snap-in Certificate Enrollment wizard.

Requesting and installing a certificate

  1. On the Delivery Controller, open the MMC console and add the Certificates snap-in. When prompted select Computer account.
  2. Expand Personal > Certificates, then use the All Tasks > Request New Certificate context menu command.

    MMC Certificates snap-in

  3. Click Next to begin, and Next to confirm that you are acquiring the certificate from Active Directory enrollment.
  4. Select the template for Server Authentication certificate. If the template has been set up to automatically provide the values for Subject you can click Enroll without providing more details.

    Request certificates dialog

  5. To provide more details for the certificate template, click the Details arrow button and configure the following:

    Subject name: select Common Name and add the FQDN of the Delivery Controller.

    Alternative name: select DNS and add the FQDN of the Delivery Controller.

    Certificate properties

Configuring SSL/TLS listener port

  1. Open a PowerShell command window as an administrator of the machine.
  2. Run the following commands to get Broker Service Application GUID:

    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
    
    $Service_Guid = Get-ChildItem HKCR:\Installer\Products -Recurse -Ea 0 | Where-Object { $key = $_; $_.GetValueNames() | ForEach-Object { $key.GetValue($_) } | Where-Object { $_ -like 'Citrix Broker Service' } } | Select-Object Name
    
    $Service_Guid.Name -match "[A-Z0-9]*$"
    
    $Guid = $Matches[0]
    
    [GUID]$Formatted_Guid = $Guid
    
    Remove-PSDrive -Name HKCR
    
    Write-Host "Broker Service Application GUID: $($Formatted_Guid)" -ForegroundColor Yellow
    <!--NeedCopy-->
    

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据

词条统计

浏览:15 次

字数:7137

最后编辑:6 年前

编辑次数:0 次

    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文