Citrix Cloud is updating the method used for traffic ingress to improve resiliency, which requires inserting a new service in the path used to communicate with Citrix’s services. We are targeting the full rollout of this new ingress method for the Cloud Connector by 28th February 2022.

While most users will not be affected, users who have configured their operating system’s usable ciphers may need to review and possibly update this configuration to ensure that the ciphers available include those supported by the new traffic ingress method.

In particular, a previous iteration of the Citrix Cloud Secure Deployment guide included a recommendation for Windows Server 2012 to use a cipher that is not supported by the new ingress method. The secure deployment guide has already been updated with the cipher suites supported by the new ingress method.

Supported Cipher suites

For TLS 1.2, the following cipher suites are supported by the new ingress method:

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

If accessing the Citrix Cloud control plane from Windows Server 2016, Windows Server 2019, or Windows Server 2022, the following strong ciphers are recommended:

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

If accessing the Citrix Cloud control plane from Windows Server 2012 R2, the strong ciphers are not available, so the following ciphers must be added to retain connectivity as services are transitioned to the new ingress method:

• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

The following ciphers must still be enabled Windows Server 2012 R2 to access services that are not using the new ingress method:

• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Recommended action

If the above cipher suites are not available for use by the Cloud Connector before 28th February 2022 you may experience a service outage for your users. As such, Citrix strongly recommends reviewing both methods of restricting Cipher suites – an allow list via GPO and a deny list via registry entries. Check both methods to ensure that you do not have restrictions that would prevent the specific cipher suites above from being usable.

• Verify the certificates usable with SSL Labs Client test: https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
• Ensure either no policy is defined, or the ciphers above are permitted in the group policy https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls
• Ensure either no restrictions are in place, or that the restrictions do not prevent the usage of the supported ciphers (e.g. on Windows Server 2012, ensure that Diffie-Hellman is not disabled) https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

Citrix Cloud: Changes to Cipher suites for Federated Authentication Service