How to Secure ICA Connections in XenApp and XenDesktop 7.6 Using SSL


Hi, I'm Andy Cooper from the Citrix Security Team. Joe North has already introduced a new feature in XenDesktop 7.6: SSL security for HDX connections. SSL is now integrated into the core of the VDA, so it is easier to set up than ever before, and the solution scales to large deployments while delivering the level of performance Citrix customers have come to expect. In this follow-on blog I will walk through the essential steps for enabling SSL in a common use-case scenario and point out some potential configuration pitfalls. I will then show how to configure SSL for pooled, non-persistent VDI desktops.

Enabling SSL Step-by-Step

To start, let's walk through the process of adding SSL to a XenApp or XenDesktop deployment for dedicated VDI desktops and persistent RDS servers. It may be easier than you expect:

  1. Obtain and install a certificate on each VDA.
  2. Run the Enable-VdaSsl.ps1 PowerShell script on the VDA.
  3. Enable SSL on the Delivery Controller.

The biggest hurdle to overcome is certificate management: trust and deployment. For an HDX connection to succeed, the Citrix Receiver clients must trust the certification authority (CA) that issued the VDA certificate. A wide range of public (usually commercial) CAs provide certificates that Citrix Receiver trusts without any further configuration, because Receiver uses the same list of trusted CAs that is built into Windows.

In general, this is done on the VDA by creating a request.inf file with the following contents. The exact parameters may vary; this is just one example, so talk to your certification authority for details. The important part is the Subject line, where you should replace the CN (Common Name) with the fully qualified domain name of your VDA:

  [NewRequest]
  ProviderType = 12
  RequesterName = "Administrator"
  RequestType = PKCS10
  Subject = "CN=vda1.mycompany.test"
  ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
  KeyLength = 2048
  KeyAlgorithm = RSA
  HashAlgorithm = sha256
  MachineKeySet = true

Now run the following command on the VDA to create a Certificate Signing Request file, which you submit to the public CA you have chosen so that it can generate a certificate:

  certreq -new request.inf csr.txt

The certification authority will then return a certificate file, which you install on the VDA with the following command:

  certreq -accept testvda1.cer  

Once the certificate is installed on the VDA, the rest of the process is simple. The Enable-VdaSsl.ps1 PowerShell script can be found in the Support folder of the XenApp or XenDesktop 7.6 product media. In most cases, it is as simple as running:

  Enable-VdaSsl.ps1 -Enable

This enables SSL on the VDA by discovering the certificate that is present in the machine certificate store (if more than one certificate is available, this automatic discovery will not work and you must identify the certificate explicitly). The script also takes care of configuring the Windows Firewall to allow SSL connections. Be careful: once this script has been run, non-SSL connections are blocked by the Windows Firewall. Further configuration options are available with this command; check eDocs for the full set of arguments.

To enable SSL on the Delivery Controller, first enable SSL for the delivery group. SSL can only be enabled for an entire delivery group; it is not possible to enable SSL for specific applications, as it was with XenApp 6.5. As a final step, the Delivery Controller must be configured to address VDAs by fully qualified domain name instead of by IP address (the default). This is important because otherwise the endpoint address handed to the client is an IP address, which is unlikely to match the name on the VDA certificate. Here is how to do this as a XenDesktop administrator in a PowerShell window on the Delivery Controller:

  1. asnp Citrix.*
  2. Get-BrokerAccessPolicyRule -DesktopGroupName 'GROUP NAME' | Set-BrokerAccessPolicyRule -HdxSslEnabled $true
  3. Set-BrokerSite -DnsResolutionEnabled $true
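The three commands above change the broker's behaviour but give no feedback on whether the VDAs are actually ready for SSL connections. The following script is an added example (not from the original post or the Citrix product media) to run on the Delivery Controller afterwards: it checks that every access policy rule in the group has HdxSslEnabled set and that DNS resolution is on, then connects to the SSL port of every VDA in the group and reports whether the certificate presented has a name matching the FQDN the broker will now hand to Receiver and whether its chain is trusted on the controller. Assumptions: 'GROUP NAME' is a placeholder for your delivery group, port 443 is the default SSL port used by Enable-VdaSsl.ps1, PowerShell 3.0 or later is available, and the account running it holds a Citrix administrator role.

```powershell
# Added verification script, run on the Delivery Controller (not from the original post).
asnp Citrix.*

$groupName = 'GROUP NAME'   # assumption: replace with your delivery group name
$sslPort   = 443            # assumption: default port configured by Enable-VdaSsl.ps1

function Test-BrokerSslSettings {
    param([string]$DesktopGroupName)
    $rules  = @(Get-BrokerAccessPolicyRule -DesktopGroupName $DesktopGroupName)
    $site   = Get-BrokerSite
    $notSsl = @($rules | Where-Object { -not $_.HdxSslEnabled })
    if ($notSsl.Count -gt 0) {
        Write-Warning ('HdxSslEnabled is off for access policy rule(s): ' +
                       (($notSsl | ForEach-Object { $_.Name }) -join ', '))
    }
    if (-not $site.DnsResolutionEnabled) {
        Write-Warning 'DnsResolutionEnabled is false: Receiver will be given IP addresses, which will not match the VDA certificate names'
    }
    return ($notSsl.Count -eq 0 -and $site.DnsResolutionEnabled)
}

function Test-VdaSslEndpoint {
    param([string]$Fqdn, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Fqdn, $Port)
        # Accept whatever the VDA presents so the checks below can report on it;
        # a real client (Receiver) would reject an untrusted or mismatched certificate.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        # GetNameInfo(DnsName) returns the first SAN DNS entry, or the subject CN if there is no SAN
        $certName = $cert.GetNameInfo('DnsName', $false)
        [pscustomobject]@{
            VDA          = $Fqdn
            Reachable    = $true
            Protocol     = $ssl.SslProtocol
            CertName     = $certName
            NameMatches  = ($certName -eq $Fqdn)
            ChainTrusted = $chainOk
            Issuer       = $cert.Issuer
            Expires      = $cert.NotAfter
            Error        = $null
        }
    } catch {
        # Powered-off machines, a closed firewall port, or a handshake failure all land here
        [pscustomobject]@{
            VDA = $Fqdn; Reachable = $false; Protocol = $null; CertName = $null
            NameMatches = $false; ChainTrusted = $false; Issuer = $null; Expires = $null
            Error = $_.Exception.Message
        }
    } finally {
        $client.Close()
    }
}

$settingsOk = Test-BrokerSslSettings -DesktopGroupName $groupName
$results = foreach ($m in Get-BrokerMachine -DesktopGroupName $groupName) {
    Test-VdaSslEndpoint -Fqdn $m.DNSName -Port $sslPort
}
$results | Format-Table VDA, Reachable, Protocol, CertName, NameMatches, ChainTrusted, Expires, Error -AutoSize

$bad = @($results | Where-Object { -not ($_.Reachable -and $_.NameMatches -and $_.ChainTrusted) })
if ($settingsOk -and $bad.Count -eq 0) {
    'All VDAs in the group present a trusted certificate matching their FQDN.'
} else {
    Write-Warning "$($bad.Count) VDA(s) are not ready for SSL connections; see the table above."
}
```

A NameMatches of False with a CertName such as 10.0.0.5 or a short host name is the symptom of the mismatch described above; ChainTrusted reflects the controller's trust store, so for an internal CA it only tells you the controller trusts the issuer, not that every Receiver device does.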

Enabling SSL for Pooled VDAs

The steps in the previous section will not work for pooled VDAs with non-persistent disks. You could follow them, but every time the VDA restarts for use by another user it would revert to the base image, undoing all the hard work.

One option would be to use the same wildcard certificate for every VDA, where the common name in the certificate contains a value such as *.mycompany.test, so that all VDAs, such as vda1.mycompany.test and vda2.mycompany.test, rely on the same certificate. This is not a secure option. If one VDA is compromised, the private key of that all-powerful certificate would be exposed, which would mean that HDX connections to every VDA are endangered.

A secure alternative is to use Microsoft Active Directory Certificate Services instead. It already provides a mechanism for provisioning certificates automatically via Group Policy. We add a startup script to the VDA that picks up the newly provisioned certificate and enables SSL on the VDA.

Note that this approach only works for desktop VDAs. On server VDAs the ICA listener is brought up too early in the boot process, before a certificate can be provisioned automatically.

Because Active Directory Certificate Services uses an internal enterprise certification authority, it is not automatically trusted by all Windows installations. If the client devices are managed by the company and are part of the domain structure, the trusted CA certificates can be distributed automatically via Group Policy. For BYOD and other non-domain devices, the trusted CA certificates have to be distributed to the user by some other mechanism (such as offering a download link).

The remainder of this blog walks through the steps involved in configuring Active Directory Certificate Services auto-enrollment to provision the VDA certificates, and then enabling SSL on a pooled Windows 7 or Windows 8.x VDA.

Enabling certificate auto-enrollment

First, make sure that the Active Directory Certificate Services role is installed on a server in the forest of your VDA domain and is providing an enterprise CA; otherwise auto-enrollment is not possible.

Note that this may place a much higher load than usual on the enterprise CA, because every pooled VDA will submit a certificate request each time it boots. Ensure that sufficient CPU and memory are allocated to the CA server to cope with the load and, as always, test the scalability of the deployment in a lab environment before moving it into production.

In the Group Policy Management Editor, create a new policy that applies to the OU that will contain the pooled VDAs with SSL enabled, as follows:

  1. Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies
  2. Edit the properties of the 'Certificate Services Client - Auto-Enrollment' policy object
  3. Configure it as shown in the screenshot below
  4. Right-click the Automatic Certificate Request Settings container and select New -> Automatic Certificate Request...
  5. In the Automatic Certificate Request Setup Wizard, click Next
  6. Ensure that the Computer certificate template is selected, then click Next
  7. Click Finish

Preparing the Windows 7 master image

Copy the Enable-VdaSsl.ps1 script (provided on the product installation media in the Support > Tools > SslSupport folder) to the VDA master image, at a location within the system path (e.g. %SystemRoot%\System32). Note that the master image should not contain any certificates that could be used for HDX SSL connections; the certificates are provisioned once the MCS or PVS machine catalog has been created and the machines boot and auto-enroll. Now create a new scheduled task as follows (do not run the scheduled task now):

  1. Enter an appropriate name and description for the scheduled task
  2. Click Change User or Group... and in the Select User or Group dialog enter SYSTEM, then click OK
  3. Select Run whether user is logged on or not
  4. Select the Triggers tab
  5. Click New...
  6. In the New Trigger dialog, select Begin the task: On an event
  7. Select Log: Application
  8. Select Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
  9. Select Event ID: 19
  10. Click OK
  11. Select the Actions tab
  12. Click New...
  13. In the New Action dialog, select Action: Start a program
  14. In the Program/script field, enter 'powershell.exe'
  15. In the Add arguments field, enter '-ExecutionPolicy RemoteSigned Enable-VdaSsl.ps1 -Enable -Confirm:$false'

Here are some screenshots showing what the resulting scheduled task should look like. Note that you should create this scheduled task locally on the master image, not deliver it via Active Directory Group Policy. Now update the machine catalog, and SSL should be enabled on the Windows 7 pooled VDAs.
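Both the dedicated-VDA procedure earlier (where Enable-VdaSsl.ps1 fails if more than one certificate is in the store) and the scheduled task above (which runs the script the moment an enrollment event fires, with no check of what was enrolled) benefit from a small wrapper that chooses and validates the certificate before enabling SSL. The following script is an added example, not from the original post or the Citrix product media. It waits for a usable certificate to appear in the machine store (auto-enrollment is asynchronous), selects it by the VDA's FQDN and optionally by template, refuses to continue unless exactly one certificate qualifies and its chain builds, and only then passes the thumbprint to Enable-VdaSsl.ps1. Assumptions: the file name Enable-VdaSslFromCertStore.ps1 is hypothetical; Enable-VdaSsl.ps1 is on the system path as recommended above and accepts -CertificateThumbPrint as documented in eDocs for 7.6 (check your version's help); 'Machine' is the internal name of the default Computer template, which may differ in your CA.

```powershell
<#
Enable-VdaSslFromCertStore.ps1 (hypothetical name; added example, not Citrix code).
Run on a dedicated VDA instead of a bare "Enable-VdaSsl.ps1 -Enable", or from the
pooled-VDA scheduled task in place of the arguments given above.
#>
param(
    [string]$TemplateName   = '',    # '' = any template; 'Machine' = default Computer template (assumption)
    [int]   $TimeoutSeconds = 120,   # how long to wait for auto-enrollment to deliver the certificate
    [string]$LogPath        = "$env:ProgramData\VdaSsl-enable.log"
)

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogPath -Append -Encoding ascii
}

function Get-CertificateTemplateInfo {
    # V1 templates carry the template name in OID 1.3.6.1.4.1.311.20.2; V2+ templates carry
    # "Template=<name>(<oid>), Major Version ..." in 1.3.6.1.4.1.311.21.7. Format() renders either.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object {
        @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7') -contains $_.Oid.Value
    } | Select-Object -First 1
    if ($ext) { return $ext.Format($false) } else { return '' }
}

function Select-VdaCertificate {
    # Poll the machine store until a matching certificate arrives or the timeout expires
    param([string]$Fqdn, [string]$Template, [int]$Timeout)
    $deadline = (Get-Date).AddSeconds($Timeout)
    do {
        $found = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            $_.GetNameInfo('DnsName', $false) -eq $Fqdn -and      # first SAN DNS name, or CN if no SAN
            ($Template -eq '' -or (Get-CertificateTemplateInfo $_) -like "*$Template*")
        })
        if ($found.Count -gt 0) { return $found }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return @()
}

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Write-Log "Looking for a certificate for $fqdn (template filter: '$TemplateName')"

$candidates = Select-VdaCertificate -Fqdn $fqdn -Template $TemplateName -Timeout $TimeoutSeconds
if ($candidates.Count -ne 1) {
    # Zero: enrollment has not completed, or the name/template filter is wrong.
    # More than one: the post warns that the script's own discovery fails, so stop here.
    Write-Log "Expected exactly one matching certificate, found $($candidates.Count); not enabling SSL"
    exit 1
}
$cert = $candidates[0]

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Log "Certificate $($cert.Thumbprint) does not chain to a trusted root on this VDA ($status); not enabling SSL"
    exit 1
}
# Chaining on the VDA shows the certificate comes from a CA this domain trusts; the Receiver
# clients still need that CA in their own trusted store, as described above.

Write-Log "Enabling SSL with certificate $($cert.Thumbprint) ($($cert.Subject), expires $($cert.NotAfter))"
& Enable-VdaSsl.ps1 -Enable -CertificateThumbPrint $cert.Thumbprint -Confirm:$false
if ($?) { Write-Log 'Enable-VdaSsl.ps1 completed' } else { Write-Log 'Enable-VdaSsl.ps1 reported an error' }
```

For the pooled case, place this file next to Enable-VdaSsl.ps1 in the master image and set the scheduled task's arguments to `-ExecutionPolicy RemoteSigned -File %SystemRoot%\System32\Enable-VdaSslFromCertStore.ps1 -TemplateName Machine` (path and template name are the assumptions stated above). The timeout matters because the CertEnroll event can fire before the private key is fully written; the polling loop covers that gap rather than assuming the store is ready.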

Preparing the Windows 8.x master image

The steps for a Windows 8.x master image are the same as for Windows 7, except that the event trigger of the scheduled task is set as follows:

  1. Select Log: Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
  2. Select Source: Microsoft-Windows-CertificateServicesClient-Lifecycle-System
  3. Select Event ID: 1006

I hope you found this blog useful. Please use the comment box if you have any questions, and let me know if there are any other security-related topics you would like to see covered in the future.
