Securing DDC XML Broker communication over HTTPS

For Citrix StoreFront and Delivery Controller communication, you specify whether XML Service broker traffic travels over HTTP or HTTPS, and on which port (for example 80 or 443). The XML Service is used for application and desktop resource enumeration, including handling user name and password data passed from StoreFront to the DDCs.

This is configured within the StoreFront management console under Stores -> Manage Delivery Controllers, against one or more of your stores. The Citrix Broker Service participates in authenticating users, brokering a user connection to the least busy server and collecting the application information presented to the user connecting to StoreFront, either via Receiver self-service or Receiver for Web.

By default, little to no extra configuration is needed when you have configured StoreFront and your Delivery Controllers to communicate over HTTP on port 80.

If you want to secure communication by using HTTPS on port 443 (or another port), notice what happens when I specify HTTPS/443 and then try to connect to Receiver for Web to retrieve my list of published applications.

I get the message "There are no apps or desktops available to you at this time."

Having a look in Event Viewer -> Applications and Services Logs -> Citrix Delivery Services on the StoreFront server, errors are recorded by the Citrix Store Service.

I already know the Citrix XML Service is running on my Delivery Controller because I checked. IIS is also not installed on my Delivery Controller virtual machine, so there is no port clash. What needs to happen is that the port and the application (the Citrix Broker Service) are bound to a certificate so that HTTPS communication can work. If IIS were installed on the Delivery Controller I would simply bind the certificate to the HTTPS binding in IIS, but most of the time in the enterprise the Delivery Controller does not run IIS.

In my case, my Delivery Controller’s FQDN is ddc.citrixpro.co.uk, and I want to secure communication over port 443. This means, for me, I need to install a computer certificate on my Delivery Controller with Server Authentication capabilities, issued to ddc.citrixpro.co.uk and then tied to port 443 and the Citrix Broker Service.


First, ensure you have the correct certificate issued to your Delivery Controller(s). If you are using a load-balanced address, for example, make sure the certificate matches the FQDN of the load-balanced address and is installed on all Delivery Controller servers. Also make sure this load-balanced address is the one configured within StoreFront under Edit Delivery Controllers. You can request a certificate via certreq, ADCS Web Enrolment, Group Policy or the Certificates MMC snap-in, for example. I have used Group Policy to auto-enrol the Computer certificate template to all domain computers in my domain, which results in the Delivery Controller machine receiving a computer certificate.

At this stage I can move on to using NETSH to bind the port and application to my certificate. First we need to collect two pieces of information: the certificate thumbprint and the Citrix Broker Service Application ID.

To obtain the certificate thumbprint, open the computer certificate and navigate to the Details tab -> Thumbprint. Copy the whole thumbprint string, then remove any spaces so that all the letters and numbers run together, using a text editor such as Notepad.

To obtain the Application ID of the Citrix Broker Service, open CMD and type wmic product where "name like 'Citrix Broker Service'". Look for the Citrix Broker Service row and copy the App ID (the IdentifyingNumber column), including the {} braces.

Now, with all the required information collected, we can run the NETSH command (as an administrator). This binds the certificate to our desired port and to the Citrix Broker Service. Ensure the IPPORT field contains the IP of your own Delivery Controller server (not a load-balanced IP) followed by the port you want to use for HTTPS communication, which will most likely be 443. If you have both an IPv4 and an IPv6 address configured on your Delivery Controller(s), use 0.0.0.0 for the IP address.

You can then view the certificate binding by running netsh http show sslcert.

If you want to remove an SSL binding, run netsh http delete sslcert ipport=192.168.0.102:443 (substituting your own IP address and port).

Back on Receiver for Web, after logging on again, the applications are showing.

It is also good practice to disable non-SSL XML brokering on each DDC. To do this, start RegEdit.

Navigate to HKLM -> Software -> Citrix -> DesktopServer.

Create a DWORD value named XMLServicesEnableNonSSL and set it to 0.
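The whole procedure above (thumbprint, Broker Service App ID, NETSH binding, verification and the non-SSL registry value) as one PowerShell script. This is an added example, not code from the original post or from Citrix; it assumes it is run elevated on the Delivery Controller itself, that a Server Authentication certificate for ddc.citrixpro.co.uk is already in the machine store, and it uses 192.168.0.102:443 as the ipport (use 0.0.0.0:443 on a dual-stack host). The Win32_Product query returns the same IdentifyingNumber that wmic product shows.

```powershell
# Added example: bind the DDC's computer certificate to the Citrix Broker Service
# over HTTPS and disable non-SSL XML brokering. Re-run after certificate renewal,
# because the thumbprint changes and the old binding points at the old certificate.
param(
    [string]$CertFqdn = 'ddc.citrixpro.co.uk',   # FQDN the certificate was issued to
    [string]$IpPort   = '192.168.0.102:443'      # this DDC's own IP:port, not a load-balanced VIP
)

# 1. Thumbprint: newest machine certificate for the FQDN with a private key and the
#    Server Authentication EKU (1.3.6.1.5.5.7.3.1). Thumbprint has no spaces already.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$CertFqdn*" -and $_.HasPrivateKey -and
                   $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No Server Authentication certificate for $CertFqdn in LocalMachine\My" }

# 2. Application ID: the Broker Service product GUID, already in {GUID} form
$product = Get-CimInstance Win32_Product -Filter "Name='Citrix Broker Service'"
if (-not $product) { throw 'Citrix Broker Service is not installed on this host' }
$appId = $product.IdentifyingNumber

# 3. Remove any stale binding on the port (e.g. a renewed certificate), then bind
$existing = netsh http show sslcert "ipport=$IpPort"
if ($existing -match 'Certificate Hash') {
    netsh http delete sslcert "ipport=$IpPort" | Out-Null
}
netsh http add sslcert "ipport=$IpPort" "certhash=$($cert.Thumbprint)" "appid=$appId"
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# 4. Verify the binding reports the thumbprint we intended (netsh prints it in lowercase;
#    -notmatch is case-insensitive)
$bound = (netsh http show sslcert "ipport=$IpPort" | Select-String 'Certificate Hash').Line
if ($bound -notmatch $cert.Thumbprint) { throw "Binding verification failed: $bound" }

# 5. Disable non-SSL XML brokering: HKLM\Software\Citrix\DesktopServer\XMLServicesEnableNonSSL = 0
$key = 'HKLM:\SOFTWARE\Citrix\DesktopServer'
New-ItemProperty -Path $key -Name XMLServicesEnableNonSSL -Value 0 -PropertyType DWord -Force | Out-Null

Write-Host "Bound $($cert.Thumbprint) to $IpPort for app $appId; non-SSL XML brokering disabled."
```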


Additional notes:

  • Certificates expire and are renewed, meaning the thumbprint changes; as a result NETSH has to be run again to bind the new thumbprint to the Citrix Broker Service.

8 Comments

  • Phil

    February 9, 2017

    If you’ve set up the DDC with IIS is it easy to change?

    Is it simply a case of unbinding the cert, remove IIS then use this method?

    Great website BTW..

  • George Spiers

    February 9, 2017

    Yes absolutely, your Delivery Controllers do not depend on IIS. If you are load balancing DDCs, take one offline and change one at a time etc.

  • Jason

    August 14, 2017

    If we have 2 DDCs that are not behind a load balanced VIP, do we need an SSL cert for each DDC and bind the Certificate for each to the broker service? If so would that work, or would it be preferred to set them up behind a VIP and request a Cert for the VIP? I was under the impression that when you list the Delivery controllers in StoreFront it was load balancing them.

    • George Spiers

      August 14, 2017

      You are correct in that when you specify multiple Controllers in the Edit Delivery Controller list, they are Load Balanced. However if you have a NetScaler, you are best to set up a VIP because it provides both Load Balancing and monitoring using health probes for failure detection. With a VIP, you enrol a certificate against the VIP FQDN and bind that certificate to your two DDCs. If you don’t use a VIP then yes enrol a certificate for each DDC FQDN and bind the correct certificate to each broker service.

      • Tom

        September 26, 2017

        What is the max Key Size for the Certificate? Does a 4096 Cert work or is it limited to 2048 like Netscaler VPX? We receive an Error with 4096 (The TLS protocol defined fatal alert code is 43.)

        • George Spiers

          September 26, 2017

          What version of StoreFront? I have StoreFront 3.12/DDC 7.15 working with 4K certificates.

  • SaaJ

    October 13, 2017

    Are any further changes required on Netscaler gateway to get this working externally?

    • George Spiers

      October 13, 2017

      No as NetScaler talks to StoreFront, and StoreFront does the talking to your DDCs.
