Objective
This article describes how to enable SSL on XenDesktop 5 Controllers to secure the XML traffic from Web Interface or Access Gateway, and how to configure the Web Interface site to use the secured XML service.
Note: For Access Gateway communication, this secures the Secure Ticket Authority (STA) ticket that uses the XML service as well.
For XenDesktop 7.x, refer to CTX218986 - Secure XML traffic between StoreFront and Delivery Controller 7.x
Requirements
- XenDesktop 5
- Web Interface 5.x
Note: For this article, XenDesktop 5 Service Pack 1 was used along with Web Interface 5.4.
Instructions
From XenDesktop Controller
IIS Installed on XenDesktop Controller
In this scenario, the XenDesktop Controller already has IIS installed and serving Web Interface or other web services. To complete this setup, you must request a Server Certificate and install it on IIS.
There are two ways to generate Server Certificates on IIS 7.x:
Create Certificate Request: This generates a CSR file that you submit to a third-party Certification Authority (CA) or to your internal Microsoft CA. For more information, refer to the Microsoft TechNet article Request an Internet Server Certificate (IIS 7).
Create Domain Certificate: This generates a CSR file and submits it directly to your domain-registered Microsoft CA server. For more information, refer to the Microsoft TechNet article Create a Domain Server Certificate on IIS 7.
After the Server Certificate is installed on IIS, enable HTTPS on the IIS site by setting its bindings as follows:
Select the IIS site on which you want to enable HTTPS, and then select Bindings under Edit Site.
Click Add, select https as the Type, enter 443 as the port number, select the SSL Certificate that you installed, and click OK.
Open Registry Editor on the XenDesktop Controller and locate the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\DesktopServer
Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.
Verify that the XmlServicesSslPort registry value exists and holds the correct SSL port. By default, it is set to 443.
To change the XML service port, run the following command on the Controller (for example, from PowerShell):
BrokerService -WiSslPort <port number>
Note: If you change the XML service port number on the XenDesktop Controller, update the IIS port number under Bindings as well so that the two values match.
IIS is not Installed on XenDesktop Controller
In this scenario, the XenDesktop Controller does not have IIS installed. There are two ways to obtain a Server Certificate for the Controller:
Export an existing Server Certificate from another server in PFX format. When exporting the Server Certificate, be sure to include the private key.
Use the Microsoft Certreq utility to generate a Certificate Signing Request and submit it to a third-party CA or your internal Microsoft CA server. For more information, refer to the Microsoft TechNet article Certreq.exe Syntax.
Note: Always import the PFX server certificate into the XenDesktop Controller's Local Computer certificate store, not the current user's (My user account) store; the Broker Service runs as a service and cannot use a user store.
After the Server Certificate is installed on the XenDesktop Controller, register the SSL certificate for HTTPS on the server. Windows 2008 includes the built-in netsh utility, which binds an SSL certificate to an IP address and port. For more information, refer to the Microsoft MSDN article How to: Configure a Port with an SSL Certificate.
The command has the following form:
netsh http add sslcert ipport=0.0.0.0:<port Number> certhash=<hash number> appid={XenDesktop Broker Service GUID}
To obtain the certificate hash of a Server Certificate, open Registry Editor, go to the following key, and locate the Server Certificate that you want to use:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates
Alternatively, open the Server Certificate and, on the Details tab, select Thumbprint.
Obtain the GUID of the Citrix Broker Service on the XenDesktop Controller.
Open Registry Editor and select Find.
Search for the words Broker Service. By default, the entry is located under HKEY_CLASSES_ROOT\Installer\Products\ (see the following example):
To obtain the GUID from the command line instead, run the following command in an elevated command prompt on the DDC; the IdentifyingNumber column of the output is the GUID:
wmic product where "Name like 'Citrix Broker Service'" get Name,identifyingnumber
Now that you have the certificate hash and the Citrix Broker Service GUID, run the netsh command to bind the SSL certificate to port 443 and the Citrix Broker Service. The following example uses the GUID and certificate hash values taken from the preceding screenshots:
C:\ >netsh http add sslcert ipport=10.12.37.231:443 certhash=298B8AB50322A5A601A57D4976875191D85A2949 appid={13C9D851-5D94-7C44-4A2B-218F89A28DC7}
Note: Include the dashes (-) in the GUID; otherwise the command fails. The certhash value is the Thumbprint of the certificate, and the appid value is the IdentifyingNumber returned by the wmic command above.
A successful bind looks as displayed in the following screen shot:
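The following PowerShell script is an added example, not part of the Citrix article: run in an elevated session on the Controller, it collects the thumbprint and Broker Service GUID, checks that XmlServicesSslPort matches the port being bound, and only adds the netsh binding if one with that certificate is not already present. The certificate subject ddc01.example.local and the parameter names are assumptions; change them to your own values.

```powershell
# Added example (not from the Citrix article). Run elevated on the XenDesktop 5 Controller.
param(
    [string]$Subject = 'CN=ddc01.example.local',   # assumed subject of the server certificate
    [int]$Port = 443                               # must equal XmlServicesSslPort
)

# 1. Thumbprint: take the newest certificate with a private key from the Local Computer
#    store, which is the store the Broker Service can read (not the user's My store).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $Subject in Cert:\LocalMachine\My" }
$thumb = $cert.Thumbprint                      # same hex string netsh expects as certhash

# 2. appid: the Windows Installer product GUID of the Citrix Broker Service.
$broker = Get-WmiObject Win32_Product -Filter "Name = 'Citrix Broker Service'"
if (-not $broker) { throw 'Citrix Broker Service was not found by WMI' }
$appid = $broker.IdentifyingNumber             # returned with braces and dashes, e.g. {13C9D851-...}

# 3. The XML SSL port in the DesktopServer key must match the port we bind.
$regPort = (Get-ItemProperty 'HKLM:\SOFTWARE\Citrix\DesktopServer').XmlServicesSslPort
if ($regPort -ne $Port) { Write-Warning "XmlServicesSslPort is $regPort but binding port $Port" }

# 4. Bind on all addresses (0.0.0.0) unless the port already uses this certificate.
$existing = netsh http show sslcert "ipport=0.0.0.0:${Port}"
if ($existing -match [regex]::Escape($thumb)) {
    "0.0.0.0:${Port} is already bound to certificate $thumb"
} else {
    netsh http add sslcert "ipport=0.0.0.0:${Port}" "certhash=$thumb" "appid=$appid"
    netsh http show sslcert "ipport=0.0.0.0:${Port}"   # show the resulting binding
}
```

Querying Win32_Product can take a minute because WMI validates every installed product; the result is the same GUID the wmic command in the article returns.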
From the Web Interface server
Under Server Farms, configure the XenApp Web Site or XenApp Services Site to use HTTPS as the Transport Type and 443 as the XML Service port.
Note: For the SSL connection to the XenDesktop 5 Controller to succeed, the root certificate of the CA that issued the Controller's certificate must be installed in the Web Interface server's Local Computer certificate store (Trusted Root Certification Authorities).
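To confirm the Web Interface side before changing the site settings, the following added PowerShell example (not part of the Citrix article) opens a TLS connection from the Web Interface server to the Controller's XML port using the default .NET certificate validation, so it fails exactly when the chain is not trusted by the Local Computer store or the name does not match. The controller name ddc01.example.local and the parameter names are assumptions.

```powershell
# Added example (not from the Citrix article). Run on the Web Interface server.
param(
    [string]$Controller = 'ddc01.example.local',   # assumed Controller FQDN; must match the certificate name
    [int]$Port = 443                               # the XML Service port configured under Server Farms
)

$client = New-Object System.Net.Sockets.TcpClient($Controller, $Port)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
try {
    # Default validation: throws when the chain is untrusted, the certificate is expired,
    # or the host name does not match, which is what Web Interface would also reject.
    $ssl.AuthenticateAsClient($Controller)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    New-Object PSObject -Property @{
        Controller = $Controller
        Port       = $Port
        Protocol   = $ssl.SslProtocol
        Subject    = $remote.Subject
        Issuer     = $remote.Issuer
        Thumbprint = $remote.Thumbprint    # compare with the certhash bound on the Controller
        NotAfter   = $remote.NotAfter
    }
} catch {
    Write-Warning "TLS handshake to ${Controller}:${Port} failed: $($_.Exception.Message)"
    Write-Warning "If the chain is reported as untrusted, import the issuing CA's root into Cert:\LocalMachine\Root on this server."
} finally {
    $ssl.Dispose()
    $client.Close()
}
```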