This article covers how to secure an ICA session between the user endpoint and the VDA.
Typically, security is only considered between the endpoint and the NetScaler Gateway when a connection is established from outside the corporate network (internet). The connection that NetScaler Gateway then establishes to the VDA is usually not protected by TLS. If Receiver for HTML5 is used for internal connections, secure ICA connections to the VDA are mandatory. Additionally, some companies require end-to-end encryption of the communication to meet specific security compliance policies.
Below is a diagram that depicts the communication flow when the connection between the NetScaler and the VDA is not encrypted:
Requirements:
- Enable-VdaSSL.ps1 PowerShell script, which is located on the XenApp and XenDesktop installation media (Support\Tools\SslSupport)
- A machine certificate installed on each VDA
- SSL enabled on the Delivery Group(s)
- DNS resolution enabled in the site. This is important because the connection to the VDA must be established using the machine name (the name the certificate was issued for) instead of the IP address.
For a persistent VDA, a machine certificate must be installed first. Copy the Enable-VdaSSL.ps1 PowerShell script to the VDA and run the following command from an elevated PowerShell prompt: .\Enable-VdaSSL.ps1 -Enable -Confirm:$false. A message saying "SSL to VDA enabled" is displayed.
Once that has been completed, go to any of the Delivery Controllers configured in the site and run these PowerShell commands:
- Start by loading the Citrix snap-ins:
  Asnp Citrix*
- To enable SSL on the selected Delivery Group:
  Get-BrokerAccessPolicyRule -DesktopGroupName '<delivery-group-name>' | Set-BrokerAccessPolicyRule -HdxSslEnabled $true
- To enable DNS resolution on the XenApp/XenDesktop site:
  Set-BrokerSite -DnsResolutionEnabled $true
Keep in mind that the script accepts other optional parameters:
Enable-VdaSSL {-Enable | -Disable} [-SSLPort <port>] [-SSLMinVersion "<min-ssl-version>"] [-SSLCipherSuite "<suite>"] [-CertificateThumbPrint "<thumbprint>"]
Further information regarding the parameters mentioned above can be found in this article: https://support.citrix.com/article/CTX220062
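The controller-side steps above are only safe to apply once every VDA in the group actually answers a TLS handshake, because after HdxSslEnabled is set the broker hands out launch tickets that point at the SSL port. The following script is an added example (not code from the original article or from Citrix): it enumerates the machines in a Delivery Group, performs a TLS handshake against each one and reports the protocol and certificate presented, and only then enables DNS resolution and HdxSslEnabled. It assumes it is run on a Delivery Controller with the Citrix snap-ins installed, that the VDAs listen on the default SSL port 443 (adjust -SslPort if you used -SSLPort on the VDA), and that the controller trusts the CA that issued the VDA certificates.

```powershell
# Added example: enable TLS for a Delivery Group only after confirming every VDA in it
# completes a TLS handshake. Assumptions: Citrix snap-ins present, VDAs on TLS port 443,
# controller trusts the issuing CA. Not part of the original article.
param(
    [Parameter(Mandatory = $true)][string]$DeliveryGroup,
    [int]$SslPort = 443,
    [switch]$Force   # enable even if some VDAs fail the handshake (not recommended)
)

Add-PSSnapin Citrix* -ErrorAction Stop
$script:chainErrors = $null

# Perform a TLS handshake against one VDA and report what it presented.
function Test-VdaTls {
    param([string]$HostName, [int]$Port)
    $result = [ordered]@{ Host = $HostName; Ok = $false; Protocol = $null; Subject = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept the handshake so we can inspect the certificate, but remember any
        # chain or name mismatch errors instead of silently swallowing them.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:chainErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # Offer TLS 1.2 explicitly; the .NET default on older frameworks may not.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]'Tls12', $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Protocol = $ssl.SslProtocol
        $result.Subject  = $cert.Subject
        $result.Ok       = ($script:chainErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        if (-not $result.Ok) { $result.Error = "certificate validation: $($script:chainErrors)" }
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

# DNSName is the FQDN the broker will put in the launch ticket once DNS resolution is on,
# so it is also the name the certificate must match.
$vdas = Get-BrokerMachine -DesktopGroupName $DeliveryGroup -MaxRecordCount 10000
if (-not $vdas) { throw "No machines found in Delivery Group '$DeliveryGroup'" }

$results = foreach ($m in $vdas) { Test-VdaTls -HostName $m.DNSName -Port $SslPort }
$results | Format-Table Host, Ok, Protocol, Subject, Error -AutoSize

$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0 -and -not $Force) {
    throw "$($failed.Count) VDA(s) did not complete a TLS handshake; fix them first or re-run with -Force."
}

# DNS resolution first, so launch tickets carry the machine name rather than the IP.
Set-BrokerSite -DnsResolutionEnabled $true
Get-BrokerAccessPolicyRule -DesktopGroupName $DeliveryGroup |
    Set-BrokerAccessPolicyRule -HdxSslEnabled $true

# Read back what was actually set.
Get-BrokerAccessPolicyRule -DesktopGroupName $DeliveryGroup | Select-Object Name, HdxSslEnabled
Get-BrokerSite | Select-Object DnsResolutionEnabled
```

Machines that are powered off show up as failed with a connection error, so run the check while the VDAs in the group are up, and treat "certificate validation" errors as a wrong or untrusted certificate rather than a missing one: the VDA is listening but would be rejected by clients that verify the chain.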
For non-persistent VDAs (PVS or MCS), an enterprise CA is required in order to provide a machine certificate each time these VDAs are rebooted. A wildcard certificate is a valid option, but it implies a security risk: the same private key is then present on every VDA, so the compromise of any one machine or image exposes the key that protects all of them.
An enterprise CA can distribute certificates to the machines by configuring a Group Policy Object (GPO) with the following settings:
- Auto-Enrollment Settings: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies
- Automatic Certificate Request: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Automatic Certificate Request Settings -> New -> Automatic Certificate Request.
Once a machine certificate is installed, Windows logs event ID 1006 in the Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational log. This event is used as the trigger for a scheduled task that runs the Enable-VdaSSL.ps1 PowerShell script.
On the master image or vDisk, copy the Enable-VdaSSL.ps1 PowerShell script. Then, create a scheduled task with the following settings:
- In the General tab, run the task as SYSTEM (or another local administrator) with "Run with highest privileges" checked, because the script changes the private key permissions, registry settings and firewall rules on the VDA.
- In the Triggers tab, select "On an event" in the "Begin the task" drop down list. Select "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational" in the "Log" drop down list. Then, select "CertificateServicesClient-Lifecycle-System" in the "Source" drop down list. Finally, type 1006 in the Event ID field.
- In the Actions tab, select "Start a program" in the "Action" drop down list. Then, type "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" in the "Program/script" field. Finally, in the "Add arguments" field type "Enable-VdaSsl.ps1 -Enable -Confirm:$False", and either use the full path to the script or set the "Start in" field to the folder that contains it, otherwise powershell.exe will not find the script.
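The same scheduled task can be set up from PowerShell on the master image, which is easier to keep identical across images than clicking through the Task Scheduler. The script below is an added example (not from the original article or from Citrix). It writes a small wrapper that selects the certificate issued for the machine's own FQDN, rejects certificates without a usable private key, and calls Enable-VdaSSL.ps1 with that thumbprint (so it also covers the case of several certificates in the Personal store), and then registers the event-triggered task to run as SYSTEM. It assumes Enable-VdaSSL.ps1 was copied to C:\Scripts (a hypothetical path) and that the event provider name used in the XPath filter is Microsoft-Windows-CertificateServicesClient-Lifecycle-System; the last lines print what the image actually reports so that assumption can be checked.

```powershell
# Added example: install a certificate-selecting wrapper around Enable-VdaSSL.ps1 and
# register the event 1006 scheduled task that runs it. Assumptions: script folder
# C:\Scripts (hypothetical), task runs as SYSTEM, provider name as in $query below.
# Not part of the original article.
$ScriptDir = 'C:\Scripts'
$Wrapper   = Join-Path $ScriptDir 'Invoke-VdaSsl.ps1'

# 1. Wrapper script: pick the certificate for this machine's FQDN (subject or SAN),
#    require a private key and a valid period, prefer the newest, then enable TLS.
@'
$ErrorActionPreference = 'Stop'
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$log  = 'C:\Scripts\Invoke-VdaSsl.log'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -like "CN=$fqdn*" -or $_.DnsNameList.Unicode -contains $fqdn)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Add-Content $log "$(Get-Date -Format s) no usable certificate for $fqdn; TLS not enabled"
    exit 1
}
Add-Content $log "$(Get-Date -Format s) using $($cert.Thumbprint) ($($cert.Subject))"
& 'C:\Scripts\Enable-VdaSSL.ps1' -Enable -CertificateThumbPrint $cert.Thumbprint -Confirm:$false *>> $log
'@ | Set-Content -Path $Wrapper -Encoding ASCII

# 2. Event trigger: certificate installed (event 1006) in the lifecycle log.
$query = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational">
    <Select Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational">
      *[System[Provider[@Name='Microsoft-Windows-CertificateServicesClient-Lifecycle-System'] and EventID=1006]]
    </Select>
  </Query>
</QueryList>
"@
$trigger = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler |
    New-CimInstance -ClientOnly -Property @{ Enabled = $true; Subscription = $query }

# 3. Action and principal: SYSTEM with highest privileges, since the script edits
#    private key ACLs, registry and firewall settings.
$action = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$Wrapper`"" -WorkingDirectory $ScriptDir
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName 'Enable VDA TLS' -Trigger $trigger -Action $action `
    -Principal $principal -Force | Out-Null

# 4. Checks: confirm the provider name the filter relies on, and that the task exists.
Get-WinEvent -ListProvider 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System' |
    Select-Object Name, LogLinks
(Get-ScheduledTask -TaskName 'Enable VDA TLS').Triggers | Select-Object Subscription
```

Seal the image after running this; on each boot the auto-enrolled certificate fires event 1006, the wrapper logs which thumbprint it chose, and a VDA that did not receive a matching certificate exits without enabling TLS instead of binding to a stale or wrong certificate.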
At this point the configuration is ready to be tested. Once the VDA has received a machine certificate, the Enable-VdaSSL.ps1 PowerShell script has run successfully and SSL is enabled on the selected Delivery Groups, open a session and verify that the connection to the VDA is encrypted by running the following command on the VDA: ctxsession.exe -v.
This can also be verified from the client side by opening the connection status (Connection Center) in Citrix Workspace app.
Some considerations:
- If there is more than one machine certificate in the Personal store, the thumbprint of the certificate that is going to be used must be specified as a parameter in the command. For example: Enable-VdaSSL.ps1 -Enable -CertificateThumbPrint (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$myFQDN*" } | Select-Object -ExpandProperty Thumbprint), where $myFQDN is a variable that stores the FQDN of the VDA, which is also the name of the machine certificate that will be used to secure the ICA connection. Make sure the filter matches exactly one certificate; if several match, narrow it down so that a single thumbprint is passed to the script.
- All VDAs in the selected Delivery Group must have TLS enabled, so machine certificates must be deployed on all of them.