Secure XML Traffic on Cloud Connector

Securing your XML traffic is crucial: most organizations require encryption in transit, and the XML traffic between the Cloud Connector and the components that talk to it should be no exception.

Best practice for any deployments in recent years is to secure the traffic between components, and Cloud Connector is no exception.

There is a Citrix KB article for this (CTX221671), but it requires more manual interaction.

Note: VDA registration still uses port 80 (bidirectional), but the traffic is secured by WCF. If you consider port 80 insecure regardless of the protocol behind it, the VDA port can be changed to a custom one. My advice is to leave it at the default, because changing it adds complexity to your environment. Citrix environments are already complex, so do yourself and your colleagues a favor.


The original script was developed by Bjoern Mueller and adapted by me during my recent projects. Kudos to Bjoern – give his blog a visit 🙂

Key changes include better readability (at least for me), improved certificate selection (showing Friendly Name, Thumbprint, and Common Name), and the automatic removal of previous bindings. These improvements help when managing multiple machine certificates on a local machine.

The script also disables non-SSL XML requests by setting XmlServicesEnableNonSsl to 0.

Step-by-step guideline

I assume you have an internal PKI and a custom web server certificate template. I'm using RSA 4096 keys with SHA-512 signatures; this works well, although the Citrix documentation is unclear on supported key sizes and hash algorithms. The Enhanced Key Usage should be Server Authentication only; Client Authentication is not required.

Side note: certificates with a key size > 4096 bits are not supported on NetScaler!
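Before binding a certificate to port 443 it is worth checking that it actually meets the requirements just listed. The following function is an added example, not part of the original post or of the script below; the function and parameter names are my own, and it assumes the certificate lives in Cert:\LocalMachine\My and that the Cloud Connector is reached under the local machine's FQDN. It checks for a private key, an RSA key size between 2048 and 4096 bits (the upper bound is the NetScaler limit from the side note), a non-SHA-1 signature, the Server Authentication EKU, the validity window, a matching host name in CN or SAN, and a chain that builds to a trusted root on this machine.

```powershell
# Added example (not from the original post): validate a machine certificate
# against the requirements for the Cloud Connector XML service binding.
#Requires -Version 5.1

function Test-XmlServiceCertificate {
    [CmdletBinding()]
    param(
        # Thumbprint of a certificate in Cert:\LocalMachine\My
        [Parameter(Mandatory)]
        [string]$Thumbprint,

        # Host name clients use to reach the Cloud Connector (assumed: local FQDN)
        [string]$HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,

        # Keys larger than 4096 bits are not supported on NetScaler (side note above)
        [int]$MaxKeySize = 4096,
        [int]$MinKeySize = 2048
    )

    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. A private key must be present, otherwise HTTP.sys cannot use the certificate
    if (-not $cert.HasPrivateKey) { $findings.Add('No private key in the machine store') }

    # 2. RSA key size must lie within the supported window
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $rsa) {
        $findings.Add("Public key is not RSA ($($cert.PublicKey.Oid.FriendlyName))")
    } elseif ($rsa.KeySize -lt $MinKeySize -or $rsa.KeySize -gt $MaxKeySize) {
        $findings.Add("RSA key size $($rsa.KeySize) is outside $MinKeySize..$MaxKeySize")
    }

    # 3. SHA-1 or MD5 signed certificates are rejected by current clients
    if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1|md5') {
        $findings.Add("Weak signature algorithm $($cert.SignatureAlgorithm.FriendlyName)")
    }

    # 4. EKU must contain Server Authentication (OID 1.3.6.1.5.5.7.3.1); Client Authentication is not needed
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }
    if (-not $serverAuth) { $findings.Add('EKU does not include Server Authentication') }

    # 5. Validity window
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $findings.Add("Not valid at $now (valid from $($cert.NotBefore) to $($cert.NotAfter))")
    }

    # 6. The host name must appear in the CN or in the SAN extension (OID 2.5.29.17),
    #    or clients fail name validation even though the handshake itself succeeds
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = if ($san) { $san.Format($false) } else { '' }
    $cn = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1] } else { '' }
    if ($cn -ne $HostName -and $sanNames -notmatch [regex]::Escape($HostName)) {
        $findings.Add("Host name $HostName not found in CN '$cn' or SAN '$sanNames'")
    }

    # 7. The chain must build to a root trusted by this machine (revocation is checked online by default)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $findings.Add("Chain validation failed: $status")
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Suitable   = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage: Test-XmlServiceCertificate -Thumbprint '<thumbprint from the script's certificate list>'
```

An empty Findings list and Suitable = True means the certificate can be passed to the script; each finding otherwise names the requirement that is not met, which is quicker than reading the certificate dialog by hand on every Cloud Connector.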

1. Request a new certificate.
2. Adjust and select your template.
3. Add the required information.
4. Specify a friendly name; this is always useful.
5. Review the result.

Script execution

Script

<#
.SYNOPSIS
    Configures Citrix XML traffic on a Cloud Connector to use SSL, ensuring secure communication.
.DESCRIPTION
    This script automates the configuration of SSL for Citrix XML services by:
    - Retrieving the Citrix Broker Service GUID from the registry.
    - Displaying installed certificates for user selection.
    - Binding the selected SSL certificate to port 443.
    - Disabling non-SSL communication for XML services by updating the Citrix registry key.
.PARAMETER None
    No parameters are required to execute this script.
.EXAMPLE
    .\secure_xml_cc.ps1
    Prompts for a certificate selection, reconfigures SSL bindings, and enforces secure XML traffic.
.NOTES
    - Created by Björn Müller (v0.1).
    - Updated by Balint Oberrauch (v0.2): Enhanced error handling, added certificate selection by Friendly Name, CN, and Thumbprint, and automated removal of existing bindings.
    - Followed Citrix guidelines as per CTX221671.
    Ensure you run this script with administrative privileges.
.LINK
    https://support.citrix.com/article/CTX221671
#>
#Requires -RunAsAdministrator

# Retrieve the Citrix Broker Service GUID from the registry.
# The uninstall key of "Citrix Remote Broker Provider - x64" is named after the product GUID,
# which netsh needs as the application ID of the SSL binding.
$CtxBrokerServiceValues = $null
$keys = Get-ChildItem -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
foreach ($key in $keys) {
    if ((Get-ItemProperty -Path $key.PSPath).DisplayName -eq 'Citrix Remote Broker Provider - x64') {
        # PSChildName is the last path segment, i.e. the "{GUID}" part of the key name
        $CtxBrokerServiceValues = $key.PSChildName
    }
}
if (-not $CtxBrokerServiceValues) {
    Write-Host "Citrix Remote Broker Provider not found in the registry. Is this a Cloud Connector?" -ForegroundColor Red
    return
}

# Display installed certificates and prompt user to select one
# Certificates are fetched from the Local Machine certificate store.
$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My)
Write-Host "=================================================" -ForegroundColor Cyan
Write-Host "              Installed Certificates" -ForegroundColor Green
Write-Host "=================================================" -ForegroundColor Cyan
$i = 0
foreach ($cert in $certs) {
    $i++
    # Extract the CN only; [^,]+ stops at the next RDN instead of swallowing the rest of the subject
    $cn = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1] } else { $cert.Subject }
    Write-Host "[$i]" -ForegroundColor Yellow -NoNewline
    Write-Host " Friendly Name: " -ForegroundColor White -NoNewline
    Write-Host "$($cert.FriendlyName)" -ForegroundColor Magenta
    Write-Host "     Common Name: $cn" -ForegroundColor Cyan
    Write-Host "     Thumbprint: $($cert.Thumbprint)" -ForegroundColor DarkGray
    Write-Host "-------------------------------------------------" -ForegroundColor Cyan
}

# Prompt the user to select a certificate
# Non-numeric or out-of-range input ends the script instead of throwing a cast error.
$answer = Read-Host "Enter the number of the certificate you want to select"
[int]$selectedCertIndex = 0
if (-not [int]::TryParse($answer, [ref]$selectedCertIndex) -or $selectedCertIndex -lt 1 -or $selectedCertIndex -gt $i) {
    Write-Host "Certificate not found." -ForegroundColor Yellow
    return # Exit if no valid certificate is selected ('break' outside a loop would also stop a calling script)
}
$selectedCert = $certs[$selectedCertIndex - 1]
$selectedCert

# Remove previous SSL binding on port 443
# This ensures no conflicting bindings exist before adding the new certificate binding.
# netsh reports an error if no binding exists yet; that is harmless here.
netsh http delete sslcert ipport=0.0.0.0:443

# Add the new SSL binding using the selected certificate thumbprint and Citrix Broker Service GUID
$certhash = $selectedCert.Thumbprint
netsh http add sslcert ipport=0.0.0.0:443 certhash=$certhash "appid=$CtxBrokerServiceValues"
if ($LASTEXITCODE -ne 0) {
    Write-Host "netsh failed to add the SSL binding on 0.0.0.0:443." -ForegroundColor Red
    return
}

# Update Citrix XML Service registry key to enforce SSL-only traffic
$registryPath = "HKLM:\Software\Citrix\DesktopServer"
$name = "XmlServicesEnableNonSsl"
$value = 0
# Create or update the registry value (DWORD 0 = non-SSL XML requests are rejected)
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
Write-Host "SSL binding configured with $certhash and non-SSL XML traffic disabled." -ForegroundColor Green
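After running the script it is useful to confirm all three results on the machine rather than trusting the console output: the HTTP.sys binding on 0.0.0.0:443, the XmlServicesEnableNonSsl value, and an actual TLS handshake against the Cloud Connector. The two functions below are an added example, not part of the original post or of the script; the function names are my own, the paths and values are the ones the script writes, and the handshake defaults to the local FQDN and TLS 1.2. The netsh parser assumes the English "Key : Value" output format.

```powershell
# Added example (not from the original post): verify the binding, the registry
# value and the TLS handshake after the script has run.
#Requires -Version 5.1

function Get-XmlServiceSslState {
    param(
        [string]$IpPort = '0.0.0.0:443',
        [string]$RegistryPath = 'HKLM:\Software\Citrix\DesktopServer',
        [string]$ValueName = 'XmlServicesEnableNonSsl'
    )

    # netsh prints the binding as "Key : Value" lines; collect them into a hashtable
    $raw = & netsh http show sslcert ipport=$IpPort 2>&1
    $binding = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(.+?)\s+:\s+(.+?)\s*$') { $binding[$Matches[1]] = $Matches[2] }
    }

    # A missing registry value means the Citrix default, i.e. non-SSL XML requests are still accepted
    $nonSsl = (Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    [pscustomobject]@{
        IpPort          = $IpPort
        BoundThumbprint = $binding['Certificate Hash']
        ApplicationId   = $binding['Application ID']
        NonSslEnabled   = if ($null -eq $nonSsl) { 'not set (default)' } else { $nonSsl }
        SslOnlyEnforced = ($nonSsl -eq 0)
    }
}

function Test-XmlServiceTls {
    param(
        [string]$HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # The callback records the validation result instead of aborting, so an untrusted
        # or mismatched certificate is reported rather than hidden behind an exception.
        $script:tlsValidationErrors = 'None'
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
            { param($sender, $cert, $chain, $errors) $script:tlsValidationErrors = $errors; $true })
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            HostName         = $HostName
            Protocol         = $ssl.SslProtocol
            CipherAlgorithm  = $ssl.CipherAlgorithm
            ServerThumbprint = $remote.Thumbprint
            ValidationErrors = $script:tlsValidationErrors
        }
    } finally {
        $client.Dispose()
    }
}

# Usage:
#   Get-XmlServiceSslState
#   Test-XmlServiceTls
```

BoundThumbprint should equal the thumbprint you selected in the script and ApplicationId the Broker Provider GUID; SslOnlyEnforced must be True. The handshake result shows the certificate the Cloud Connector really presents (ServerThumbprint) and whether a client on this machine trusts it (ValidationErrors = None); a RemoteCertificateNameMismatch here means StoreFront or NetScaler will fail the same way when they connect.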

The script is available on GitHub, and any future maintenance will happen there.

As always, drop your ideas and improvement suggestions as a comment here or open a request on GitHub.
