TLS and Compliance Mode Configuration

This policy enables Citrix Receiver to identify secure connections and encrypt communication with the server.

Note: Citrix recommends using TLS for secure connections.

Citrix supports the following TLS versions for secure connections between Citrix Receiver and XenApp/XenDesktop (XA/XD):
1. TLS 1.0
2. TLS 1.1
3. TLS 1.2

Select "Require TLS for all connections" to ensure that Citrix Receiver uses TLS for all connection types.
The Security Compliance Mode values are:
- None - No compliance mode is enforced
- SP800-52 - NIST SP800-52r1 compliance is enforced

When you select SP800-52 from the Security Compliance Mode drop-down menu, the Certificate Revocation Check Policy (CRCP) is restricted to the following values:
- Full Access Check And CRL Required. This is the default option.
- Full Access Check And CRL Required All

You can restrict Citrix Receiver to connect only to specified servers by entering a comma-separated list in the "Allowed TLS servers" option. Wildcards and port numbers can be specified here; for example, *.citrix.com:4433 allows connection to any server whose common name ends with .citrix.com on port 4433. The accuracy of the information in a security certificate is asserted by the certificate's issuer. If Citrix Receiver does not recognize and trust a certificate's issuer, the connection is rejected.
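The matching rule above (wildcard prefix, suffix including the leading dot, explicit port) is easy to get wrong when building an allow list, so here is an added example that models it. This is the editor's illustration, not Citrix Receiver's own matching code: the function name, the constructed inputs, and the treatment of an entry that carries no port (assumed here to match any port) are assumptions; only the *.citrix.com:4433 semantics come from the page.

```powershell
# Added example, not Citrix code: models the "Allowed TLS servers" matching rule
# described on this page. Entries without a port are assumed to match any port.
function Test-AllowedTlsServer {
    param(
        [Parameter(Mandatory)][string]$AllowedList,  # comma-separated policy value
        [Parameter(Mandatory)][string]$CommonName,   # CN from the server's certificate
        [Parameter(Mandatory)][int]$Port             # port the connection is made to
    )
    $entries = $AllowedList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        $pattern   = $entry
        $entryPort = $null
        if ($entry -match '^(.+):(\d+)$') {
            $pattern   = $Matches[1]
            $entryPort = [int]$Matches[2]
        }
        # A port given in the entry must match exactly (assumption: no port = any port).
        if ($null -ne $entryPort -and $entryPort -ne $Port) { continue }
        if ($pattern.StartsWith('*.')) {
            # Wildcard: the CN must end with the suffix *including* its leading dot,
            # so *.citrix.com matches apps.citrix.com but not notcitrix.com.
            $suffix = $pattern.Substring(1)
            if ($CommonName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                return $true
            }
        } elseif ($CommonName -eq $pattern) {   # -eq is case-insensitive in PowerShell
            return $true
        }
    }
    return $false
}

# Constructed checks; the policy value and host names are made up for the example.
$allowed = '*.citrix.com:4433, gateway.example.internal'
Test-AllowedTlsServer $allowed 'apps.citrix.com' 4433
Test-AllowedTlsServer $allowed 'apps.citrix.com' 443
Test-AllowedTlsServer $allowed 'notcitrix.com' 4433
Test-AllowedTlsServer $allowed 'gateway.example.internal' 443
```

Of the four constructed checks, the first and last are accepted; the second fails because the entry pins port 4433, and the third fails because the wildcard suffix is ".citrix.com" with the dot, so a common name that merely ends in "citrix.com" does not qualify.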
The TLS version can be restricted to any combination of:

- TLS 1.0, TLS 1.1 or TLS 1.2
- TLS 1.1 or TLS 1.2
- TLS 1.2 only

The TLS cipher suite can be configured to one of the following:

- Any: When "Any" is set, the policy is unconfigured and the following cipher suites are allowed:

> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> TLS_RSA_WITH_AES_256_GCM_SHA384
> TLS_RSA_WITH_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_256_CBC_SHA256
> TLS_RSA_WITH_AES_256_CBC_SHA
> TLS_RSA_WITH_AES_128_CBC_SHA
> TLS_RSA_WITH_RC4_128_SHA
> TLS_RSA_WITH_RC4_128_MD5
> TLS_RSA_WITH_3DES_EDE_CBC_SHA


- Commercial: When "Commercial" is set only the following cipher suites are allowed:
> TLS_RSA_WITH_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_128_CBC_SHA
> TLS_RSA_WITH_RC4_128_SHA
> TLS_RSA_WITH_RC4_128_MD5


- Government: When "Government" is set only the following cipher suites are allowed:
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> TLS_RSA_WITH_AES_256_GCM_SHA384
> TLS_RSA_WITH_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_256_CBC_SHA256
> TLS_RSA_WITH_AES_256_CBC_SHA
> TLS_RSA_WITH_3DES_EDE_CBC_SHA


The Certificate Revocation Check Policy strengthens the cryptographic authentication of the Citrix server and improves the overall security of the TLS connections between a client and a server.

When you enable this setting, the client checks whether the server's certificate has been revoked. There are several levels of certificate revocation list checking. For example, the client can be configured to check only its local certificate list, or to check both the local and network certificate lists. In addition, certificate checking can be configured to allow users to log on only if all Certificate Revocation Lists are verified.

Certificate Revocation Check Policy is an advanced feature supported by some certificate issuers. It allows an administrator to revoke security certificates (invalidating them before their expiry date) when the certificate's private key is compromised.

Applicable values for this setting include:

- NoCheck - No Certificate Revocation List check is performed.
- Check With No Network Access - Certificate revocation list check is performed. Only local certificate revocation list stores are used. All distribution points are ignored. Finding a Certificate Revocation List is not critical for verification of the server certificate presented by the target SSL Relay/Secure Gateway server.
- Full Access Check - Certificate Revocation List check is performed. Local Certificate Revocation List stores and all distribution points are used. If revocation information for a certificate is found, the connection will be rejected. Finding a Certificate Revocation List is not critical for verification of the server certificate presented by the target server.
- Full Access Check And CRL Required - Certificate Revocation List check is performed, excluding the root CA. Local Certificate Revocation List stores and all distribution points are used. If revocation information for a certificate is found, the connection will be rejected. Finding all required Certificate Revocation Lists is critical for verification.
- Full Access Check And CRL Required All - Certificate Revocation List check is performed, including the root CA. Local Certificate Revocation List stores and all distribution points are used. If revocation information for a certificate is found, the connection will be rejected. Finding all required Certificate Revocation Lists is critical for verification.

Organizations that configure TLS for a range of products can choose to identify servers intended for Citrix Receiver by specifying a Certificate Policy OID as part of the security certificate. If a Policy OID is configured here, Citrix Receiver accepts only certificates that declare a compatible Policy.

When connecting by TLS, the server may be configured to require Citrix Receiver to provide a security certificate identifying itself. Use the "Client Authentication" setting to configure whether identification is provided automatically or whether the user is prompted. Options include:

- Disabled - Client Authentication is disabled
- Display certificate selector - Always prompt the user to select a certificate
- Select automatically if possible - Prompt the user only if there is a choice of certificate to supply
never supply identification
- Use specified certificate - Use the Client Certificate specified in the setting below

Use the "Client Certificate" setting to specify the identifying certificate's thumbprint to avoid prompting the user unnecessarily.

Supported on: All Receiver supported platforms

Require TLS for all connections
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
Value Name: SSLEnable
Value Type: REG_SZ
Default Value: true
True Value: true
False Value: *
Security Compliance Mode


  1. NONE
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SSLSecurityComplianceMode
    Value Type: REG_SZ
    Value: NONE
  2. SP800-52
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SSLSecurityComplianceMode
    Value Type: REG_SZ
    Value: SP800-52
  3. FIPS
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SSLSecurityComplianceMode
    Value Type: REG_SZ
    Value: FIPS

TLS version


  1. TLS1.2
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SecureChannelProtocol
    Value Type: REG_SZ
    Value: TLS12
  2. TLS1.1 | TLS1.2
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SecureChannelProtocol
    Value Type: REG_SZ
    Value: TLS11_TLS12
  3. TLS1.0 | TLS1.1 | TLS1.2
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SecureChannelProtocol
    Value Type: REG_SZ
    Value: TLS11_TLS12_TLS13

TLS cipher suite


  1. Any
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SSLCiphers
    Value Type: REG_SZ
    Value: (empty)
  2. Government
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SSLCiphers
    Value Type: REG_SZ
    Value: GOV
  3. Commercial
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SSLCiphers
    Value Type: REG_SZ
    Value: COM

Certificate Revocation Check Policy


  1. NoCheck
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SSLCertificateRevocationCheckPolicy
    Value Type: REG_SZ
    Value: NoCheck
  2. Check with no network access
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SSLCertificateRevocationCheckPolicy
    Value Type: REG_SZ
    Value: CheckNoNetworkAccess
  3. Full Access Check
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SSLCertificateRevocationCheckPolicy
    Value Type: REG_SZ
    Value: FullAccessCheck
  4. Full access check and CRL required
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SSLCertificateRevocationCheckPolicy
    Value Type: REG_SZ
    Value: FullAccessCheckAndCrlRequired
  5. Full access check and CRL required All
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SSLCertificateRevocationCheckPolicy
    Value Type: REG_SZ
    Value: FullAccessCheckAndCrlRequiredAll

Client Authentication


  1. Not Configured
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SSLClientAuthentication
    Value Type: REG_SZ
    Value: (empty)
  2. Display certificate selector
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SSLClientAuthentication
    Value Type: REG_SZ
    Value: AlwaysPromptUser
  3. Disabled
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SSLClientAuthentication
    Value Type: REG_SZ
    Value: Off
  4. Use specified certificate
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SSLClientAuthentication
    Value Type: REG_SZ
    Value: On
  5. Select automatically if possible
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value Name: SSLClientAuthentication
    Value Type: REG_SZ
    Value: PromptUser
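The registry tables above give everything needed to audit a deployed Receiver for the weak end of each setting (TLS 1.0/1.1 still enabled, the "Any" or "Commercial" cipher sets that include RC4, revocation checking that tolerates a missing CRL). The following is an added example written for this page, not Citrix's own tooling: it reads the documented value names from the documented policy key, reports findings, and can write the strictest values the page lists. It assumes an elevated PowerShell session on a Windows machine; the classification of RC4, MD5 and 3DES suites as weak is the editor's, not a Citrix statement, and the cipher lists per policy value are copied from the lists earlier on this page.

```powershell
# Added example, not Citrix code: audit and (optionally) harden the Receiver TLS lockdown
# values documented on this page. Assumes an elevated session on Windows. The registry
# path and value names come from the tables above; the "weak suite" rule is the editor's.

$PolicyPath = 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL'

# Cipher suites each SSLCiphers value permits, copied from the lists on this page.
# 'Any' stands for the unconfigured (empty) value.
$SuitesByPolicy = @{
    'Any' = @('TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
              'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_128_GCM_SHA256',
              'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA',
              'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_RC4_128_SHA',
              'TLS_RSA_WITH_RC4_128_MD5', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA')
    'COM' = @('TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA',
              'TLS_RSA_WITH_RC4_128_SHA', 'TLS_RSA_WITH_RC4_128_MD5')
    'GOV' = @('TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
              'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_128_GCM_SHA256',
              'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA',
              'TLS_RSA_WITH_3DES_EDE_CBC_SHA')
}

function Get-WeakCipherSuites {
    param([string[]]$Suites)
    # RC4 and MD5 are broken; 3DES has a 64-bit block size (Sweet32). Editor's rule.
    $Suites | Where-Object { $_ -match '_RC4_|_MD5$|_3DES_' }
}

function Test-ReceiverTlsPolicy {
    param([string]$Path = $PolicyPath)
    $findings = @()
    if (-not (Test-Path -Path $Path)) {
        return @("Policy key not present: $Path (no TLS lockdown applied)")
    }
    $p = Get-ItemProperty -Path $Path

    if ($p.SSLEnable -ne 'true') {
        $findings += "SSLEnable is '$($p.SSLEnable)': TLS is not required for all connections"
    }
    if ($p.SSLSecurityComplianceMode -notin @('SP800-52', 'FIPS')) {
        $findings += "SSLSecurityComplianceMode is '$($p.SSLSecurityComplianceMode)': no compliance profile enforced"
    }
    if ($p.SecureChannelProtocol -ne 'TLS12') {
        $findings += "SecureChannelProtocol is '$($p.SecureChannelProtocol)': only 'TLS12' excludes TLS 1.0 and 1.1"
    }
    $cipherPolicy = [string]$p.SSLCiphers
    $key  = if ($cipherPolicy) { $cipherPolicy } else { 'Any' }
    $weak = Get-WeakCipherSuites -Suites $SuitesByPolicy[$key]
    if ($weak) {
        $findings += "SSLCiphers '$key' permits weak suites: $($weak -join ', ')"
    }
    if ([string]$p.SSLCertificateRevocationCheckPolicy -notmatch '^FullAccessCheckAndCrlRequired') {
        $findings += "SSLCertificateRevocationCheckPolicy is '$($p.SSLCertificateRevocationCheckPolicy)': revocation is not checked, or a missing CRL is tolerated"
    }
    return $findings
}

function Set-ReceiverTlsLockdown {
    # Writes the strictest values this page documents. In production these keys are
    # normally delivered by Group Policy from receiver.admx; writing them directly is
    # for a test machine.
    param([string]$Path = $PolicyPath)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $hardened = [ordered]@{
        SSLEnable                           = 'true'
        SSLSecurityComplianceMode           = 'SP800-52'
        SecureChannelProtocol               = 'TLS12'
        SSLCiphers                          = 'GOV'
        SSLCertificateRevocationCheckPolicy = 'FullAccessCheckAndCrlRequiredAll'
    }
    foreach ($name in $hardened.Keys) {
        Set-ItemProperty -Path $Path -Name $name -Value $hardened[$name] -Type String
    }
}

# Usage: Test-ReceiverTlsPolicy prints one line per finding (no output means nothing
# was flagged); Set-ReceiverTlsLockdown followed by Test-ReceiverTlsPolicy shows what remains.
```

Two things to expect from the audit. First, `SSLSecurityComplianceMode` of SP800-52 only admits the two "CRL Required" revocation policies, so a key that mixes SP800-52 with `NoCheck` is inconsistent and both findings will appear. Second, even after `Set-ReceiverTlsLockdown`, the GOV finding persists because the Government list on this page still contains TLS_RSA_WITH_3DES_EDE_CBC_SHA and none of the three documented `SSLCiphers` values excludes it; removing 3DES from negotiation therefore has to happen in the server's cipher configuration rather than in this client policy.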


ADMX file: receiver.admx

Available under: Administrative Templates (Computers), Administrative Templates (Users)