31 July 2012

Configure Citrix XenApp Web site to use HTTPS / SSL

By default the XenApp Web Interface sites do not use HTTPS. To ensure that credentials passed to the interface are not sent in clear text, it is a good recommendation to encrypt the site using SSL.

Step 1 Add the required management console
The Citrix installer does a great job of installing all the prerequisites, but for this procedure you will have to add the IIS 7 management console.


  • Open Server Manager
  • Expand roles
  • Select IIS
  • Add Role Services
  • Check Management Tools so that all the child check boxes are ticked



Step 2 Add the SSL certificate
HTTPS / SSL requires a certificate. Depending on your configuration you would use different certificates, but since the most interoperable option is a certificate from a trusted public third-party CA, I will step through that process.


  • Open the IIS Management Console
  • Select the Web server (not the site)
  • In the Middle Pane Open Server Certificates
  • In the Actions Pane select Create Certificate Request
  • Specify the FQDN from the web site's URL
  • Complete the rest of the details
  • On the next page select a bit length of 2048
  • Complete the wizard


The process will generate a text file that contains the certificate request. This will be required by the third-party CA to generate the certificate for you. Follow their process and they should return a similar text file containing the response.



  • Open the IIS Management Console
  • Select the Web server (not the site)
  • In the Middle Pane Open Server Certificates
  • In the Actions Pane select Complete Certificate Request
  • Specify the file that contains the response
  • Complete the wizard


The certificate should now be installed on the Web server and can be selected when configuring the IIS site.

Step 3 Enable SSL on the XenApp web site
Once we have the site and the certificate, we need to configure the site to use it and always require SSL.



  • Open the IIS Management Console
  • Select the Web Site
  • In the Actions pane select Bindings
  • Click Add
  • Type is HTTPS
  • For SSL Certificate - select the certificate created earlier



  • Select SSL Settings from the middle pane
  • Check Require SSL
  • Client Certificates should be left as Ignore
  • Click Apply in the Actions Pane



Step 4 Redirect HTTP to HTTPS
Once you change the site's SSL setting to Require SSL, a normal HTTP request will fail with a 403 Forbidden Access. To fix this, configure a redirect in the 403 error page.



  • Open the IIS Management Console
  • Select the Web Site
  • In the Actions pane select Error Pages
  • Edit status code 403
  • Select Respond with a 302 Redirect
  • Specify the full URL, e.g. httpS://citrixwebint.company.com
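
A check for the finished configuration, as an added example that is not part of the original post: Windows PowerShell, run from a client, that confirms plain HTTP answers with a redirect to HTTPS (Step 4) and reports the key size and trust status of the certificate the site serves (Step 2). The function names are illustrative, and $SiteHost reuses the example host name from Step 4.

```powershell
# Added example (Windows PowerShell). Verifies the result of Steps 2-4.
# Assumption: $SiteHost is the example FQDN from Step 4; replace it with your own.
$SiteHost = 'citrixwebint.company.com'

function Get-HttpResponseInfo([string]$HostName) {
    $req = [System.Net.WebRequest]::Create("http://$HostName/")
    $req.AllowAutoRedirect = $false   # inspect the redirect itself, do not follow it
    $req.Timeout = 10000
    try { $resp = $req.GetResponse() }
    catch {
        # A 403 (redirect not configured yet) surfaces as a WebException
        $resp = $_.Exception.GetBaseException().Response
        if (-not $resp) { throw }     # connection failure: nothing to inspect
    }
    $info = @{ Status = [int]$resp.StatusCode; Location = $resp.Headers['Location'] }
    $resp.Close()
    $info
}

function Get-ServerCertificate([string]$HostName, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here only so that it can be inspected;
        # trust is evaluated afterwards with Verify().
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

$http = Get-HttpResponseInfo $SiteHost
$cert = Get-ServerCertificate $SiteHost

New-Object PSObject -Property @{
    HttpStatus       = $http.Status                        # Step 4: status returned for plain HTTP
    RedirectsToHttps = ($http.Location -like 'https://*')  # Step 4: redirect target is HTTPS
    CertSubject      = $cert.Subject                       # Step 2: should carry the site's FQDN
    KeyBits          = $cert.PublicKey.Key.KeySize         # Step 2: bit length chosen in the request
    ChainTrusted     = $cert.Verify()                      # chain builds to a CA this client trusts
    Expires          = $cert.NotAfter
}
```

A status of 403 with an empty Location means the Step 4 error page redirect is not in place; ChainTrusted reporting False usually points to a missing intermediate CA certificate on the server.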


That is all there is to it.



