Each XenApp application has the ability to use SSL Relay to secure traffic between the ICA client and the XenApp server. This requires that each XenApp server be issued a certificate exactly as the Fully Qualified Domain Name (FQDN) of the XenApp server where SSL Relay is being activated. This type of setup works well for securing all private ICA traffic, because the XenApp FQDN would easily be known through DNS in the private network.
However, going outside the private network requires that every XenApp server have a public IP address mapped to its FQDN and registered in public DNS, unless you place Secure Gateway in front of all your private SSL Relay-enabled XenApp servers as their gateway.
This article explains how to use SSL Relay to protect private ICA traffic while using Secure Gateway to protect public ICA traffic.
Security-oriented organizations increasingly need to secure data on both the private and the public network. XenApp provides SSL Relay to secure ICA traffic on the private network, while Secure Gateway secures ICA traffic on the public network. By combining Secure Gateway and SSL Relay, the organization can have secure ICA traffic on both the private and the public network.
Web Interface 5.4 was tested but other releases should work.
Secure Gateway 3.1 and later.
XenApp 4.5 and above with SSL Relay enabled and with a local certificate installed. The certificate has to match the Fully Qualified Domain Name (FQDN) of the server.
Although these steps must eventually be performed on every XenApp server in the farm, first confirm that they work on a single XenApp server with one published application enabled for the SSL and TLS protocols.
On each XenApp server in your Domain, install a certificate.
Enable IIS on the box and request the certificate. Example - XAhostname.domain.example
Ensure to use the hostname of the XenApp server for the Fully Qualified Domain Name (FQDN).
Remove IIS if not needed once you have the certificate on the XenApp server.
On the XenApp server, open the Citrix SSL Relay Configuration tool.
Select Enable SSL relay.
Choose the newly installed server certificate.
Navigate to the Connection tab and ensure that the FQDN server name is listed there with the relative ports. Example - XML 80, ICA 1494.
Choose either SSL v3 or TLS v1 as the Encryption Standard. Both should work.
Click OK and restart the XenApp server for the settings to take effect.
On the XenApp server after the restart, check that the Citrix XTE service is started. If it is not started, check the error.log under %programfiles%\Citrix\XTE\logs for clues.
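The steps above hinge on one requirement: the certificate bound to SSL Relay must be issued for the exact FQDN of the XenApp server. The following Python script is an added example, not part of this article or any Citrix tool; it connects to an SSL Relay listener, retrieves the certificate and checks its names against the FQDN. The certificate dictionaries at the top are constructed in the shape that ssl.SSLSocket.getpeercert() returns so the check can be exercised without a live server, and XAhostname.domain.example is the article's placeholder name.

```python
"""Added example: verify that an SSL Relay listener presents a certificate issued
for the XenApp server's exact FQDN (the requirement in the steps above)."""
import socket
import ssl
from typing import Any, Dict, List

# Constructed certificate dicts in the shape ssl.SSLSocket.getpeercert() returns.
# They are not real certificates; the names are the article's placeholder FQDN.
CONSTRUCTED_GOOD_CERT = {
    "subject": ((("commonName", "XAhostname.domain.example"),),),
    "subjectAltName": (("DNS", "XAhostname.domain.example"),),
}
CONSTRUCTED_WILDCARD_CERT = {
    "subject": ((("commonName", "*.domain.example"),),),
    "subjectAltName": (("DNS", "*.domain.example"),),
}


def cert_dns_names(cert: Dict[str, Any]) -> List[str]:
    """Collect the names a certificate was issued for: subjectAltName DNS entries,
    then the subject commonName (subject is a tuple of RDNs, each a tuple of pairs)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def cert_matches_fqdn(cert: Dict[str, Any], fqdn: str) -> bool:
    """True only when one certificate name equals the server FQDN.
    DNS names compare case-insensitively and a trailing dot is ignored. The article
    requires a certificate issued for the exact FQDN, so a wildcard name is rejected
    even though a generic TLS hostname check would accept it."""
    wanted = fqdn.rstrip(".").lower()
    return any(name.rstrip(".").lower() == wanted for name in cert_dns_names(cert))


def check_relay_endpoint(fqdn: str, port: int = 443, timeout: float = 5.0) -> Dict[str, Any]:
    """Connect to the SSL Relay listener and return the peer certificate.
    The CA that issued the relay certificate must be trusted on this host (see the
    article's note on private CAs); a handshake failure here is itself a diagnostic."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    # Placeholder FQDN from the article; pass the real relay FQDN as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "XAhostname.domain.example"
    live_cert = check_relay_endpoint(target)
    print("certificate names:", cert_dns_names(live_cert))
    print("exact FQDN match:", cert_matches_fqdn(live_cert, target))
```

The default SSL context already rejects an untrusted chain or a name mismatch, so the extra cert_matches_fqdn check only adds the article's stricter rule that the name must be the server's own FQDN rather than a wildcard. Note that a current Python and OpenSSL build may refuse to negotiate SSL v3 or TLS v1 at all; a handshake that fails for that reason tells you which Encryption Standard the relay is limited to.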
On the Web Interface site used for this configuration, ensure that under the Secure Access settings a Gateway access method is selected and that Session Reliability is checked in the following section. Ensure that the Secure Gateway and the Web Interface site both list the same STA server.
On the Secure Gateway, add the following two registry entries so that you can verify in the session information that connections are going over SSL Relay. Secure Gateway does not need to be restarted for these entries to take effect; the Secure Gateway management console picks them up when it is reopened.
To show the server and resource columns in the session information:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Citrix Secure Gateway\3.x
Name: ShowServerAndAppForSession
Type: DWORD
Data: 1
To show the time idle column in the session information:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Citrix Secure Gateway\3.x
Name: ShowTimeIdleForSession
Type: DWORD
Data: 1
The following screen shot is an example of what you should be able to see when it is working properly. The highlighted section is the connection over to SSL Relay to that XenApp server:
To troubleshoot this setup in case of problems, note the following:
Ensure that the Citrix XTE service, which handles all SSL Relay connections, is started. Review the error.log under %programfiles%\Citrix\XTE\logs for clues.
On the Secure Gateway, use a text log viewer to review the Secure Gateway error*.log under %programfiles%\Citrix\Secure Gateway\logs for clues. Set the Secure Gateway logging level to "All events including informational" first. For a working connection you should always see a line like the following; if it is absent, some issue exists:
[info] CGP forwarding session started: client IP [172.16.1.1:21973], username [tuser10@w2k8dc1], destination server [Ftlp2k3x64-xa45-1.w2k8dc1.ctx:443], resource [Notepad with TLS]
On the Secure Ticket Authority (STA) server, use a text log viewer to open the sta*.log under %programfiles%\Citrix\logs. Ensure that you have enabled STA logging beforehand.
Refer to the Knowledge Center article CTX120589 - How to Enable STA Logging on the STA Servers only in XenApp Environments for more information.
You must be able to see the SSLRelayAddress keyword in the ticket request. The full FQDN used for SSL Relay should be listed there, and it must match the certificate FQDN of the XenApp server that the connection is going to.
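The two log checks above (the "CGP forwarding session started" line in the Secure Gateway log, and the destination FQDN matching the SSL Relay certificate FQDN) can be automated. The following Python script is an added example, not part of this article or of Secure Gateway; its regular expression is derived from the single log line shown above, so any other field layout is an assumption. The sample lines are constructed, apart from the one copied from the article, and xa-placeholder-2.w2k8dc1.ctx is a placeholder host name, not a real server.

```python
"""Added example: audit Secure Gateway error*.log lines to confirm that CGP
forwarding sessions go to the SSL Relay port on a server whose FQDN has a
matching SSL Relay certificate."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Pattern derived from the one log line shown in the article; other layouts are an assumption.
CGP_START = re.compile(
    r"\[info\] CGP forwarding session started: "
    r"client IP \[(?P<client>[^\]]+)\], "
    r"username \[(?P<user>[^\]]+)\], "
    r"destination server \[(?P<host>[^\]:]+):(?P<port>\d+)\], "
    r"resource \[(?P<resource>[^\]]+)\]"
)

SSL_RELAY_PORT = 443  # SSL Relay listener; 1494 would be plain ICA, bypassing the relay


@dataclass(frozen=True)
class Forward:
    client: str
    user: str
    host: str
    port: int
    resource: str


def parse_forwards(lines: Iterable[str]) -> List[Forward]:
    """Extract every 'CGP forwarding session started' record; other lines are ignored."""
    found = []
    for line in lines:
        m = CGP_START.search(line)
        if m:
            found.append(Forward(m["client"], m["user"], m["host"], int(m["port"]), m["resource"]))
    return found


def audit_forwards(forwards: Iterable[Forward], relay_fqdns: Iterable[str]) -> List[str]:
    """Report forwards that did not use the SSL Relay port, or whose destination FQDN is not
    one of the FQDNs the SSL Relay certificates were issued for (DNS names compare case-insensitively)."""
    expected = {f.rstrip(".").lower() for f in relay_fqdns}
    problems = []
    for fw in forwards:
        if fw.port != SSL_RELAY_PORT:
            problems.append(f"{fw.resource} for {fw.user}: destination port {fw.port}, "
                            f"not SSL Relay port {SSL_RELAY_PORT}")
        if fw.host.rstrip(".").lower() not in expected:
            problems.append(f"{fw.resource} for {fw.user}: destination {fw.host} "
                            "has no matching SSL Relay certificate FQDN")
    return problems


# Constructed sample log, except for the first line, which is copied from the article.
SAMPLE_LOG = [
    "[info] CGP forwarding session started: client IP [172.16.1.1:21973], username [tuser10@w2k8dc1], "
    "destination server [Ftlp2k3x64-xa45-1.w2k8dc1.ctx:443], resource [Notepad with TLS]",
    # constructed: same server reached on the plain ICA port, so SSL Relay was bypassed
    "[info] CGP forwarding session started: client IP [172.16.1.2:40011], username [tuser11@w2k8dc1], "
    "destination server [Ftlp2k3x64-xa45-1.w2k8dc1.ctx:1494], resource [Notepad]",
    # constructed: an unrelated line the parser must skip
    "[info] constructed unrelated log line",
    # constructed: placeholder host that has no SSL Relay certificate
    "[info] CGP forwarding session started: client IP [172.16.1.3:50020], username [tuser12@w2k8dc1], "
    "destination server [xa-placeholder-2.w2k8dc1.ctx:443], resource [Notepad with TLS]",
]
# FQDNs the SSL Relay certificates were issued for (here only the article's server).
RELAY_FQDNS = ["ftlp2k3x64-xa45-1.w2k8dc1.ctx"]


def run_sample():
    """Parse and audit the constructed sample log; returns (forwards, problems)."""
    forwards = parse_forwards(SAMPLE_LOG)
    return forwards, audit_forwards(forwards, RELAY_FQDNS)


if __name__ == "__main__":
    fws, problems = run_sample()
    print(f"{len(fws)} CGP forwarding sessions found")
    for p in problems:
        print("PROBLEM:", p)
```

To run it against a real server, replace SAMPLE_LOG with the lines of error*.log and RELAY_FQDNS with the FQDNs of the XenApp SSL Relay certificates. A session that appears with port 1494 or with a host outside that list is exactly the case the STA check above is meant to catch, since the SSLRelayAddress in the ticket request must carry the same FQDN.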
Note: You can use your private Certificate Authority (CA) to create all the XenApp SSL Relay certificates. The root certificate of this CA must be installed in the Trusted Root store on all XenApp and Secure Gateway servers for this setup to work.
For more information about enabling SSL/TLS protocols, refer to Citrix Documentation - Network and Authentication Protocols. Note that SSL Relay can also be used to secure XML broker connections if that traffic is required to be encrypted. Refer to Citrix Documentation - Sample Deployment with SSL Relay and the Web Interface.