This article explains how to configure the encryption level for ICA connections on the ICA listener, on published applications, or both.
In XenApp 4.0, the Citrix Configuration Tool was used to configure the encryption level on the ICA listener. In XenApp 4.5, this tool no longer exists, and the encryption section on the ICA listener is disabled.
Notes:
To secure connections for users who are opening published applications from Program Neighborhood, encryption must be enabled at least on the properties of the published application(s) in the console, and in the Default Options tab in application set settings.
To secure connections for users who are opening published applications using a saved .ica file, encryption must be enabled at least on the properties of the published application(s) in the console, and within the ICA file.
Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.
Complete the following steps to enable encryption for all connections:
Open the Registry, and browse to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-Tcp\
Find the following registry value:
MinEncryptionLevel
If this value does not exist, create it (MinEncryptionLevel – REG_DWORD).
Open the Access Management Console or Delivery Services Console.
Select the Properties of your published application.
Under the Advanced section, select Client options.
Click the drop-down menu in the Connection encryption section, and select the same encryption level you specified for the ICA listener.
If users are connecting through Program Neighborhood Client or QuickLaunch, the encryption level must be set.
Right-click your application set or the application you want to launch while in Program Neighborhood Client.
Select Application Set Settings.
Click the Default Options tab, and clear the Encryption Server Default check box.
Expand the drop-down, and select the appropriate Encryption Level.
Expand the drop-down in the Citrix QuickLaunch Tool dialogue, and in the ICA Options section, choose the appropriate encryption level. Then create the ICA file.
The encryption can also be enabled using a Microsoft GPO.
Note: This only works for 128-bit encryption.
Run the command gpedit.msc to open the local group policy console.
Browse to Computer Configuration, and then go to Administrative Tools > Windows Components > Terminal Services > Encryption and Security.
Set Client connection encryption level. Setting this value to High is the equivalent of 128-bit encryption on the ICA listener.
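To confirm that the listener value described above is actually in place on a server, the following check reads MinEncryptionLevel from the ICA-Tcp key and reports a missing value, a wrong value type, or a mismatch. It is an added example, not part of the original Citrix article; the function name Test-IcaListenerEncryption and the ExpectedLevel parameter are assumptions, and the expected number must come from your own deployment standard.

```powershell
# Added example: audit the ICA listener's MinEncryptionLevel registry value.
# Function name and -ExpectedLevel are assumptions, not Citrix tooling.
function Test-IcaListenerEncryption {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [int]$ExpectedLevel,
        [string]$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-Tcp'
    )

    $result = [ordered]@{
        ListenerKey   = $ListenerKey
        ValuePresent  = $false
        ValueKind     = $null
        CurrentLevel  = $null
        ExpectedLevel = $ExpectedLevel
        Compliant     = $false
        Finding       = $null
    }

    # The key is absent on servers without an ICA-Tcp listener.
    if (-not (Test-Path -LiteralPath $ListenerKey)) {
        $result.Finding = 'Listener key not found.'
        return [pscustomobject]$result
    }

    $key = Get-Item -LiteralPath $ListenerKey
    if ($key.GetValueNames() -notcontains 'MinEncryptionLevel') {
        $result.Finding = 'MinEncryptionLevel is missing; create it as a REG_DWORD.'
        return [pscustomobject]$result
    }

    $result.ValuePresent = $true
    $result.ValueKind    = $key.GetValueKind('MinEncryptionLevel')
    $result.CurrentLevel = $key.GetValue('MinEncryptionLevel')

    if ($result.ValueKind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.Finding = "Value exists but is $($result.ValueKind), not REG_DWORD."
    }
    elseif ($result.CurrentLevel -ne $ExpectedLevel) {
        $result.Finding = "Listener is set to $($result.CurrentLevel), expected $ExpectedLevel."
    }
    else {
        $result.Compliant = $true
        $result.Finding   = 'Listener matches the expected encryption level.'
    }
    return [pscustomobject]$result
}
```

Run it from an elevated PowerShell session on each XenApp server with -ExpectedLevel set to the number you wrote to the registry. It checks the listener only; the published application and client settings described above still have to be verified separately.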