Citrix Cloud TLS Version Deprecation

Receiver

Version

Windows

4.2.1000

Mac

12.0

Linux

13.2

Android

3.7

iOS

7.0

Chrome/HTML5

Latest (Browser must support TLS 1.2)

Citrix recommends upgrading to Citrix Workspace app if your version of Receiver is earlier than those listed above. Download here: https://www.citrix.com/products/receiver.html

Thin Clients with Earlier Receiver Versions

If you are using Thin Clients with earlier versions of Citrix Receiver that cannot be updated, install an on-prem StoreFront in your resource location and have all of the Citrix Receivers point to it.

Retrieving a list of users connecting on older Receiver versions

To retrieve a list of Receivers connecting to your Citrix Cloud environment, log into Citrix Cloud and click the Manage button for the Virtual Apps and Desktops service. The details include user, version, connection date, and endpoint device name.

Virtual Apps and Desktops (Full Edition)

  1. Click Monitor > Trends > Custom Reports > Create Reports.

  2. Select OData Query, provide a report name, and copy/paste the following query (change date range as needed).

  3. Click Save, and then Execute to open the list in Excel.

    Sessions?$filter = StartDate ge datetime’2019-02-01’ and StartDate le datetime’2019-03-31’&$select = CurrentConnection/ClientVersion,CurrentConnection/ClientName,User/UserName,StartDate&$expand = CurrentConnection,User

Virtual Apps/Desktops Essentials

  1. Click Monitor, and then select a catalog.

  2. Click Export to open the list in Excel.

Citrix Cloud Management

To ensure successful connection to the Citrix Cloud management console (citrix.cloud.com), your browser must support TLS 1.2 (latest version of most web browsers).

Citrix Director

TLS 1.2 connection will be required when using OData APIs. To enforce use of TLS 1.2 on the client machine for clients such as MS Excel, PowerShell, LinqPad, refer to the following KB article: https://support.citrix.com/article/CTX245765

Citrix Cloud Connector

All connections to Citrix Cloud services from Citrix Cloud Connectors will require TLS 1.2. Citrix Provisioning and Machine Creation Services will allow TLS 1.0, 1.1, and TLS 1.2 connections by default (no action required) until later this year when it will change to TLS 1.2 only.

Note: If your security policy requires strict enforcement of TLS 1.2 connections, the following registry setting changes are required on each Citrix Cloud Connector.

.NET

[HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeMicrosoft.NETFrameworkv2.0.50727]
“SystemDefaultTlsVersions”=dword:00000001
“SchUseStrongCrypto”=dword:00000001
[HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeMicrosoft.NETFrameworkv4.0.30319]
“SystemDefaultTlsVersions”=dword:00000001
“SchUseStrongCrypto”=dword:00000001
[HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkv2.0.50727]
“SystemDefaultTlsVersions”=dword:00000001
“SchUseStrongCrypto”=dword:00000001
[HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkv4.0.30319]
“SystemDefaultTlsVersions”=dword:00000001
“SchUseStrongCrypto”=dword:00000001

SCHANNEL

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Client]

“DisabledByDefault”=dword:00000001

“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Server]

“Enabled”=dword:00000000

“DisabledByDefault”=dword:00000001

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0Client]

“Enabled”=dword:00000000

“DisabledByDefault”=dword:00000001

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0Server]

“Enabled”=dword:00000000

“DisabledByDefault”=dword:00000001

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0Client]

“DisabledByDefault”=dword:00000001

“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0Server]

“DisabledByDefault”=dword:00000001

“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1Client]

“DisabledByDefault”=dword:00000001

“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1Server]

“DisabledByDefault”=dword:00000001

“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Client]

“Enabled”=dword:00000001

“DisabledByDefault”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Server]

“Enabled”=dword:00000001

“DisabledByDefault”=dword:00000000

For more details, refer to the Microsoft article “Transport Layer Security (TLS) best practices with the .NET Framework”, section “SystemDefaultTlsVersions” https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#systemdefaulttlsversion

Troubleshooting

Since Citrix Cloud supports only TLS 1.2 and above, all clients accessing any data from Citrix Services with TLS versions 1.0 and 1.1 will see one of the following errors:

Director

Error:

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. —> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. —> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

Refer to the following article to configure clients for TLS 1.2 communication:

https://support.citrix.com/article/CTX245765

Receiver

Error:

“Unable to launch your app….Cannot connect to the Citrix XenApp server. SSL Error 4… The server rejected the connection.”

Refer to Upgrading to latest Receiver or Citrix Workspace app above.

Connector

If your Citrix Cloud Connector machine is not able to establish a connection with Citrix Cloud after Mar 15, 2019, check the following registry key to ensure TLS 1.2 is not disabled:

HKLM SYSTEMCurrentControlSetControlSecurityProvidersSCHANNEL

More details:

https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

https://docs.microsoft.com/en-us/windows/desktop/secauthn/protocols-in-tls-ssl–schannel-ssp-

Note: Internet Explorer group policy settings also control the values found in SCHANNEL registry key; Internet Explorer > Internet Properties can be used to check enabled/disabled protocols.

Related:

  • No Related Posts

Leave a Reply