Citrix Endpoint Management TLS Version Deprecation


Article ID: CTX247095


Description

To improve the security of connections to Citrix Endpoint Management, Citrix will block any communication over Transport Layer Security (TLS) 1.0 and 1.1 as of March 15, 2019.
NOTE: On-premises CEM customers can also follow the same instructions for their MDM (443 and 8443) and MAM (443) services or service groups.


Instructions

All connections from on-premises resources will need to be able to communicate with the Citrix Endpoint Management (CEM) Service over TLS 1.2 as of March 15th, 2019. This includes on-premises NetScaler (Citrix Gateway) used for Mobile Application Management (MAM) as well as any servers needed for ActiveSync filtering. Below you will find the explanations for what needs to be done to support TLS 1.2 for the technologies that communicate with CEM from your datacenter.

NetScaler

Via GUI:

1. Log in to the NetScaler Administrative Web Page.

2. Click on Traffic Management -> Load Balancing -> Services



3. Locate the service used for Endpoint Management communication.
NOTE: The service will be communicating with the IP of your CEM environment over port 8443.



4. Select the service and click Edit


5. Click the pencil in the SSL Parameters section. 


Check the box labeled TLSv12 to enable TLS 1.2, click OK, followed by Done.


NOTE: Be sure to save the configuration of the NetScaler when completed by clicking the disk on the top right-hand corner.

 
Via shell (Recommended for advanced users): 

1. Log in to the NetScaler command prompt.

2. You will need to find the service name of the service communicating to the Cloud.   

NOTE: This can be done by reviewing your running config and searching for the service name that is communicating to your cloud address. In this case we used the following command to identify the Endpoint Management Service. 
 
show run | grep 8443

3. Once the service is identified, use the following command, replacing <SERVICE_NAME> with the actual service name, to enable TLS 1.2.

 
set ssl service <SERVICE_NAME> -tls12 ENABLED
 
Example: if the service name is “_XM_CLOUD_mysite.xm.cloud.com_8443”, the command would be as follows:
 
set ssl service _XM_CLOUD_mysite.xm.cloud.com_8443 -tls12 ENABLED

4. Once the command has been run, save your NetScaler configuration by typing the following command.

save ns config
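
An offline check for steps 2 and 3 of the shell procedure, added here as an example and not Citrix code: it reads configuration text, lists every service on port 8443 with its stated TLS 1.2 setting, and prints the set ssl service commands still needed. The function names, the sample configuration and the assumed "add service <name> <IP> <type> <port>" line layout are assumptions of this example; service groups are not covered.

```python
import shlex

# Constructed sample of NetScaler configuration lines (names and IPs are made up).
SAMPLE_CONFIG = """\
add service _XM_CLOUD_mysite.xm.cloud.com_8443 192.0.2.10 SSL 8443
add service _XM_CLOUD_other.xm.cloud.com_8443 192.0.2.11 SSL 8443
add service cem_backup_8443 192.0.2.12 SSL 8443
add service intranet_web 198.51.100.5 HTTP 80
set ssl service _XM_CLOUD_mysite.xm.cloud.com_8443 -tls11 DISABLED -tls12 ENABLED
set ssl service _XM_CLOUD_other.xm.cloud.com_8443 -tls12 DISABLED
"""


def tls12_status(config_text, port="8443"):
    """Map each service on `port` to ENABLED, DISABLED or UNSET.

    UNSET means the text has no -tls12 setting for the service, so the
    effective value is whatever default applies and must be checked on the box.
    """
    on_port, stated = [], {}
    for line in config_text.splitlines():
        try:
            tok = shlex.split(line)          # keeps quoted names together
        except ValueError:
            continue                         # unbalanced quotes: skip the line
        low = [t.lower() for t in tok]       # tolerate keyword case differences
        if low[:2] == ["add", "service"] and len(tok) >= 6 and tok[5] == port:
            on_port.append(tok[2])
        elif low[:3] == ["set", "ssl", "service"] and "-tls12" in low[4:-1]:
            stated[tok[3]] = tok[low.index("-tls12", 4) + 1].upper()
    return {name: stated.get(name, "UNSET") for name in on_port}


def remediation_commands(config_text, port="8443"):
    """Step 3 and step 4 commands for every service not explicitly ENABLED."""
    todo = [n for n, s in tls12_status(config_text, port).items() if s != "ENABLED"]
    quoted = [f'"{n}"' if " " in n else n for n in todo]
    cmds = [f"set ssl service {n} -tls12 ENABLED" for n in quoted]
    return cmds + ["save ns config"] if cmds else []


if __name__ == "__main__":
    for name, state in tls12_status(SAMPLE_CONFIG).items():
        print(f"{state:8} {name}")
    print("\n".join(remediation_commands(SAMPLE_CONFIG)))
```

Review the generated commands before pasting them into the NetScaler command prompt.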