Secure ICA connection to VDA using SSL

One of the requirements of using Receiver for HTML5 internally with HTTPS StoreFront sites is to encrypt the ICA connection rather than using clear text. This is a requirement since all modern browsers do not support unencrypted Web Socket connections from an HTTPS site which Receiver for HTML5 uses.

When you make a connection to Receiver for HTML5 the ICA/CGP (Session Reliability) protocols are wrapped inside the HTML5 protocol. Browsers do not like the fact you’re making an HTTP Web Sockets connection from an HTTPS StoreFront site. For this reason, we further encapsulate the HTML5 protocol inside SSL/TLS 443. This method ensures that a TLS/SSL connection is made from the end-client Receiver to the VDA and it’s worth noting that this is FIPS 140-2 (Federal Information Processing Standard) compliant.

Note: You must be using XenApp/XenDesktop 7.6 or later.

You can connect to published resources using Receiver for HTML5 from NetScaler or internally using HTTP StoreFront servers however when you want to connect internally using an HTTPS StoreFront server extra configuration is required:

  1. Certificate installed on each VDA.
  2. SSL enabled on the VDA.
  3. HDX SSL connections enabled on the selected Delivery Group.
  4. DNS resolution enabled on the Citrix site.

For your VDA’s to obtain certificates, you’ll need something like Active Directory Certificate Services to automate the enrolment. For persistent machines, this works just fine. For non-persistent machines that reset after reboot, you’ll need to configure a way for the machines to request a new certificate after every reboot.

For those persistent machines, use Group Policy and navigate to Computer Configuration -> Policies -> Windows Settings -> Public Key Policies -> Automatic Certificate Request Settings -> New -> Automatic Certificate Request.

Click Next. Select the Computer template. Next. Finish. At this stage, computer certificates will enrol for every machine that receives this Group Policy. You should also configure the Group Policy setting Certificate Services Client – Auto-Enrollment to configure the renewal of expired certificates and removal of revoked certificates. When machines receive the new Group Policy and restart they will receive a computer certificate. Next copy the Enable-VdaSSL.ps1 script from your XenApp/XenDesktop media’s Support/Tools/SslSupport folder to a central location, accesibly by each VDA. On the VDA, run command Enable-VdaSSL.ps1 – Enable. Followed by A to set ACLs, configure the firewall rules (TCP 443) and enable SSL to VDA. This command disables the ICA (1494), Session Reliability (2598) and WebSocket (8008) firewall rules on the VDA so that TLS connections is only possibly. You should eventually get the message that SSL to VDA has been enabled.

Note: If you have more than one computer certificate on your VDA, you must specify the certificate you want to use for SSL using the certificates thumprint. The command would then be: Enable-VdaSSL.ps1 -Enable -CertificateThumbPrint “thumbprint”

Note: If you want to specify a port other than 443 for TLS, use command Enable-VdaSSL.ps1 -Enable -SSLPort 4443 for example.

Note: You can change the minimum SSL protocol used. By default TLS 1.0 is used. Run command Enable-VdaSSL -Enable -SSLMinVersion TLS_1.2 for example. Valid values are SSL_3.0, TLS_1.0, TLS_1.1, TLS_1.2

Note: You can disable VDA SSL by running command Enable-VdaSSL.ps1 -Disable. This deletes the SSL ICA rule, and re-enables CGP/ICA and WebSocket firewall rules.Now on your Delivery Controller, add the Citrix PowerShell snapins. Run the following commands:

  • Set-BrokerSite -DnsResolutionEnabled $true – This ensures the FQDN of the VDA is passed to the client within the ICA file. The FQDN matches the computer certificate so encryption can take place.
  • Get-BrokerAccessPolicyRue -DesktopGroupName “Delivery Group Name” | Set-BrokerAccessPolicyRule -HdxSslEnabled $true – This command enables SSL on the Delivery Group. You can’t enable SSL on individual machines.

On a side not if you are experiencing issues with connecting to resources using RfHTML5 you can enable logging by browsing to https://yourreceiverforwebsite.domain.com/citrix/storenameweb/clients/HTML5Client/src/ViewLog.html. Now click Start Logging.

Note: Also check the VDA’s Event Log for events generated by the TcIca.Then log on to your Receiver for Web site, start a published application and a log file is generated. It can be downloaded to text file. This is a bad working log file, where the session was unexpectedly terminated before launch. And this is a good working log file where the session was successfully established. Finally after the certificate is enrolled and SSL enabled on the VDA/Delivery Controllers, I can make a successful direct connection.

The session is encrypted using TLS 1.2 and AES 256 bit encryption.


Tags: , , , ,

20 Comments

  • Travis

    November 12, 2017

    How does this work with a NetScaler? I’ve seen several guides but none discuss Secure ICA with a NetScaler.

    Reply

    • George Spiers

      November 13, 2017

      If you have NetScaler in the mix, ICA traffic from an endpoint out on the internet to NetScaler is encryted by default. Then, ICA traffic from NetScaler to back-end VDAs is either unencrypted or encrypted depending on if you have implemented Secure ICA or not.

      Reply

      • Travis

        November 13, 2017

        My question was meant more along the lines of “How does NS know that the VDA is using Secure ICA”. I assume it’s in the ICA file, but I can’t find any details on this or what I should look for in my ICA file to ensure it’s there.

        Reply

        • George Spiers

          November 13, 2017

          Ah so yes, StoreFront ultimately produces the launch.ica file from information gathered from your Delivery Controllers. Such information contains the port on which HDX will connect on. From this NetScaler will know to establish 443 to the end-client but proxy ICA over port 1494 to the back-end for example.

          Reply

      • Mcharm

        March 30, 2023

        my senario is that the back end is previously SSLenable. ADC were deploy afterward. how do i go about encrypting the traffic between ADC and VDA???

        Reply

        • David

          May 7, 2023

          Did you find an answer to this?
          I have a client that is using Big-IP APM as their external gateway. As far as I can see, it re-writes a portion of the ICA file, including the SSLProxyHost parameter which is set to :443. Now that we have Secure ICA enabled on the VDA’s, ICA connections fail, presumably because F5 doesnt know to connect to the VDA over SSL. I was searching for information on how it works with netscaler gateway in case there are similarities in how it can be resolved for F5.

          Reply

  • Pingback: SSL connection between Citrix Delivery Controllers and VDA’s with Receiver for HTML 5 or not | Apttech's Blog

  • Henrik

    March 22, 2018

    I have sessions that sometimes disconnect and they will not reconnect – using session reliability and SSL does not seem to work?

    Reply

    • George Spiers

      March 22, 2018

      What version of XenApp/XenDesktop?
      Do the sessions drop due to a network drop or have they just randomly dropped under good network conditions? Have you ran a WireShark trace to see what could be causing the session disconnects and reconnections to fail?

      Reply

  • SH

    March 4, 2019

    Hey George,
    How we can achive for provisioned read only machines. Having 50 + vDisk in environment and atleast two or more servers are streamed from each vDisk.
    Thanks

    Reply

    • George Spiers

      March 4, 2019

      Hello. For non-persistent machines, each machine needs to request a certificate each time they are restarted. Automatic certificate requests (configured via Group Policy) should help, and a Scheduled Task that runs the Enable-VdaSSL script on system startup.

      Reply

      • Eric Harrison

        October 9, 2022

        With PVS each VDA has a unique Thumbprint, so how can I automate this process using Enable-vdassl? I won’t know the Thumbprint in advance, so I am not sure how this will work? The -CertificateThumbPrint parameter seems to be required for my environment.

        Reply

        • JustJen

          January 17, 2024

          You may have already solved this yourself, but came across this thread and wanted to share how we resolved this without having to use a wild card cert in my environment.

          We created a scheduled task that runs with trigger event windows event log, CertificateServicesClient-Lifecycle-System EventID 1006, which is generated when certificates are enrolled/renewed that then runs a script (we use powershell) to change the permissions on the newly enrolled machine cert because that also needs to be done on new certs, retrieve the thumbprint, and update the registry and set a delay for 1 min.
          We also went a little extra for troubleshooting ease and created a unique event log and send success/fails in both to it so a machine can quickly be looked at to verify if permissions were successfully changed and if thumbprint was updated in registry that we can use for visual inspection and/or have other actions and/or alerts key off of.

          Reply

  • CEM

    September 12, 2019

    Hello George,
    For For non-persistent machines, you know how to request certificate without Group policy ?
    Many thanks.
    Best Regards

    Reply

    • George Spiers

      September 29, 2019

      No, is there a reason why you would not want to use Group Policy?

      Reply

  • Stan

    December 10, 2020

    Hi,
    Do you have to implement VDASSL if you are running all your connections with NSGW in place to have DTLS 1.2 in use? I was looing though the documentation and it’s only states that specific cyphers are required but nothing else.
    I can see that TLS 1.2 is in use but when we are trying to force DTLS 1.2 it’s only DTLS 1.0 in use.

    Reply

  • Al

    February 10, 2021

    Hi George,

    I experience issue whilst loading session with the following error:
    [Sat, 06 Feb 2021 23:00:37 GMT] SESSION:|:ICA:|:TRANSPORT:|:DRIVER:|:close with code=1006
    [Sat, 06 Feb 2021 23:00:37 GMT] ERROR:|:error =error-server,error-local-access

    Would appreciate any guidance n this error

    Reply

    • Amar Honnungar

      April 22, 2022

      Plus one, me too am getting the same error. Were you able to sort this out?

      Reply

  • Tony

    June 20, 2021

    Hi George,

    I’m having problem while trying to let Netscaler Gateway behind Imperva WAF to protect Storefront from internet. The SSL offloading on Imperva WAF is working well. I’m able to authenticate, but when I click Desktop icon, seems like ICA cannot be proxied through Imperva, thus the connection between client (from internet) gets timeout.
    Do you have any idea or solution to let this deployment model work?

    Many thanks

    Reply

  • Khanh

    August 3, 2022

    How would this work for persistence desktop and virtual app when you have more than one cert and can’t use a wildcard for security reason. When the cert expires for each vda, the thumbprint will change and would be a nightmare to manage.

    Reply

Leave a Reply