Director Version Matrix – Install or Upgrade compatibility of Director with Delivery Controller, VDA

Important: All new features of Director will be available and work as expected only in combination with the required minimum versions of the Delivery Controller (DC) and the VDA listed below.

Note: This article is applicable to XenApp 6.5 and later, XenDesktop 7 and later.

Director Version Features Dependency

(Min Version required)


Edition
1906 Session Auto Reconnect DC 7 1906 and VDA 1906 All
Session startup duration DC 7 1906 and VDA 1903 All
Desktop probing DC 7 1906 and Citrix Probe Agent 1903 Premium
7.9 and later Citrix Profile Management Duration in Profile Load VDA 1903 All
1811 Profile load DC 7 1811 and VDA 1811 All
Hypervisor Alerts Monitoring DC 7 1811 Premium
Application probing DC 7 1811 and Probe Agent 1811 Premium
Microsoft RDS license health DC 7 1811 and VDA 7.16 All
Key RTOP Data display DC 7 1811 and VDA 1808 Premium
1808 Export of Filters data DC 7 1808 and VDA 1808 All
Interactive Session drill down DC 7 1808 and VDA 1808
GPO drill down DC 7 1808 and VDA 1808
Machine historical data available using OData API DC 7 1808
7.18 Application probing DC 7.18 Platinum
Built-in alert policies
Health Assistant link None All
Interactive Session drill-down
7.17 PIV smart card authentication None All
7.16 Application Analytics DC 7.16 || VDA 7.15 All
OData API V.4 DC 7.16 All
Shadow Linux VDA users VDA 7.16 All
Domain local group support None All
Machine console access DC 7.16 All
7.15 Application Failure Monitoring DC 7.15 || VDA 7.15 All
7.14 Application-centric troubleshooting DC 7.13 || VDA 7.13 All
Disk Monitoring DC 7.14 || VDA 7.14 All
GPU Monitoring DC 7.14 || VDA 7.14 All
7.13 Application-centric troubleshooting DC 7.13 || VDA 7.13 Platinum
Transport protocol on Session Details panel DC 7.x || VDA 7.13 All
7.12 User-friendly Connection and Machine failure descriptions DC 7.12 || VDA 7.x All
Increased historical data availability in Enterprise edition Enterprise
Custom Reporting Platinum
Automate Director notifications with SNMP traps Platinum
7.11 Resource utilization reporting DC 7.11 || VDA 7.11 All
Alerting extended for CPU, Memory and ICA RTT conditions DC 7.11 || VDA 7.11 Platinum
Export report improvements DC 7.11 || VDA 7.x All
Automate Director notifications with Citrix Octoblu DC 7.11 || VDA 7.x Platinum
Integration with NetScaler MAS DC 7.11 || VDA 7.x

MAS version 11.1 Build 49.16
Platinum
7.9 Logon Duration Breakdown DC 7.9 || VDA 7.x All
7.7 Proactive monitoring and alerting DC 7.7 || VDA 7.x Platinum
SCOM integration DC 7.7 || VDA 7.x || SCOM 2012 R2 || PowerShell 3.0 or later* Platinum
Windows Authentication Integration DC 7.x || VDA 7.x All
Desktop and Server OS Usage DC 7.7 || VDA 7.x Platinum

* Director and SCOM server must have the same PowerShell version

Upgrade sequence – XenApp and XenDesktop Components

Illustration of the upgrade sequence is as below. To upgrade all the installed components, run the installer on all the machines containing respective components.

User-added image

Note: Once DC is updated successfully, the Studio will prompt you to upgrade the Site. Complete this step for the new features to be available in Director.

How Do I Articles

Related:

  • No Related Posts

Citrix UPS Printers are not visible via Control Panel, Devices And Printers


This is an known issue with printers provided by Citrix Universal Printer server on windows operating systems Windows Server 2019, Windows Server 2016, Windows 10, Windows Server 2012r2, Windows Server 2012.

Citrix is working with Microsoft to correct this interaction between Microsoft operating systems and Citrix universal print server print provider.


Citrix Documentation:

This issue has been documented in our XenApp/XenDesktop documentation since 7.5

  • Universal Print Server printers selected in the virtual desktop do not appear in the Devices and Printers window in Windows Control Panel. However, when users are working in applications, they can print using those printers. This issue occurs only on Windows Server 2012, Windows 2012 R2 , Windows 10 and Windows 8 platforms. [#335153]

Microsoft Documentation:

The Device Setup Manager service is discussed in the following article from Microsoft it applies to both Windows 8 and Windows 2012.

Device setup user experience in Windows 8

Microsoft released a hotfix for server 2012r2 which partially addressed some issues with 3rd party print provider visibility in newer windows releases.

However this was not a complete solution, and printers provided by Citrix Universal Print Server remained not visible.​

https://support.microsoft.com/en-us/help/2966038/printer-managed-by-custom-print-providers-is-not-visible-in-devices-an

Related:

  • No Related Posts

Citrix Webcam not supported in x64 application like Google Chrome or Microsoft Teams

Webcam redirection is not supported in 64-bit applications with XenApp / XenDesktop 7.16 or older. This was fixed on 7.17 and Receiver 4.11 for Windows.

Also, note downloading Google Chrome and installing – you may note that the application appears in the folder:

C:Program Files (x86)GoogleChromeApplication

User-added image
Which would normally indicate that application is 32bit; however, checking Task manager displays as 64bit application:

User-added image
Capturing a CDF trace and observe that similar information is logged on the VDA CDF trace when a 64-bit application attempts to use a webcam (aka Media capture)…

112496 0 2017/04/09 09:44:12:15668 3036 4020 -1 HostMMTransport IcaMMTransport::Connect 9 Error [Id=1] IcaMMTransport::Connect: Media capture is not supported for 64-bit applications.

Install *Google Chrome for business* available now as Chrome MSI 32-bit to resolve the issue.

Related:

  • No Related Posts

Citrix MSI Log Analyzer

Description

The Citrix MSI Log Analyzer is designed to assist with the following scenarios:

  • When failure occurred during install or upgrade or uninstall of XenApp/XenDesktop
  • The Citrix MSI Log Analyzer analyzes the failure and provides helpful info for troubleshooting the issue
  • The Citrix MSI Log Analyzer will also try to point to a knowledge base article helpful to troubleshoot and resolve the issue

What’s New in v1.2.0.9

  • Added support for Storefront logs
  • Added support for uploading experience metrics through TLS 1.2/TLS 1.1.
  • Minor bug fixes and inputs from the feedback

Prerequisites

The user needs to be a Local Administrator on the target machine in order to run the tool.

How to use Citrix MSI Log Analyzer

The Citrix MSI Log Analyzer is a standalone executable file and does not require installation. Just download the tool to a local folder and execute the application.

Citrix MSI Log Analyzer offers various command line to deal with different use cases.

  1. To analyze the failure in the msi log file:

    CitrixMSILogAnalyzer.exe -msilogfile <msi log file path>



    Look for MSI log file under %TEMP%CitrixXenDesktop InstallerMSI Log files” folder and specify the absolute path of the failing msi log file in the above command line.

  2. To analyze the failure from the XenApp/XenDesktop Metainstaller log file::

    CitrixMSILogAnalyzer.exe -metainstallerlogfolder <metainstaller log folder path>

    Example: CitrixMSILogAnalyzer.exe -metainstallerlogfolder “C:UsersxxxxAppDataLocalTempCitrixXenDesktop Installer” where xxxx is the admin user name specific to the user environment

  3. To analyze Citrix XenApp/XenDesktop failure log file under temp folder

    CitrixMSILogAnalyzer.exe

    This option is useful to run the tool on the target machine where the MSI installation failure happened and one is not sure on where to look for msi failure log file.

  4. To view help:

    CitrixMSILogAnalyzer.exe -help

Note: In order to improve Citrix XenApp/XenDesktop and Citrix MSI Log Analyzer, the troubleshooting data not containing any identifiable information from the tool is uploaded to Citrix. This can be controlled using –upload [Yes | No]

Output from the tool

The output of the tool on the console provides:

1. Troubleshooting info of the actual error

2. CTX article to troubleshoot or resolve the issue

3. Log file saved under %TEMP% with prefix mLog_*.txt. The exact name and path is displayed in the output.

Delete Citrix MSI Log Analyzer

Delete the downloaded executable from the current directory. One may also cleanup mLog_*.txt files under %TEMP% directory

Contact Information:

Questions? Concerns? Send any feedback to:

https://podio.com/webforms/18778954/1263577

Disclaimer

These software applications are provided to you as is with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the code be used to support of ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the code.

Related:

How to Configure Multiple License Types within a Single XenApp and XenDesktop Site

NOTE:

  • This feature does not allow you to use a mix of licenses for different Product Editions. For example, you can’t combine XenApp Platinum and XenApp Advanced licenses in the same site. You’d still need two sites for that.
  • Choice of Product Code and Edition combination can depend on the features you want to enable for your deployment’s sessions. There are some differences between XenApp and XenDesktop enabled features for the same Product Edition.
  • Changes to the Site licensing type could invalidate your custom licensing Delivery Group due to XenApp User/Device not being an accepted combination

Reference:

https://www.citrix.com/blogs/2017/07/07/introducing-multi-type-licensing-in-xenapp-xendesktop-7-14/

https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/manage-deployment/licensing/multi-type-licensing.html

https://www.citrix.com/products/citrix-virtual-apps-and-desktops/feature-matrix.html%20to

Related:

  • No Related Posts

Receiver for HTML5 – Unable to Launch Apps Using HTTPS URL

When Receiver for HTML5 is hosted on a https site (default and recommended), non SSL/TLS websocket connections are prohibited by browsers.

In explaining the technical reason behind this it is important to understand the following two principles:

1. As opposed to existing as a separate process, Citrix Receiver for HTML5 operates within the frame and process space of the browser itself. As such the browser has the ability to enforce certain security parameters.

2. Additionally, when any Receiver (or Workspace App for newer versions) makes a connection to a VDA for either a published desktop or app, the underlying connection is made to the VDA and not the Storefront server as any kind of intermediate proxy.


This second point is less obvious in the case of Citrix Receiver for HTML5 because the published desktop or app displays within the browser frame and “appears” to be connected via the Storefront server. Despite this appearance though, the underlying TCP/UDP connection is still between the client and the VDA. If the Storefront base URL is SSL enabled (where it begins with https as is best practice) and the VDA is not SSL enabled (which it is not by default) the browser in this case will prevent the connection due to what it sees as an underlying inconsistency. The inconsistency is that while the URL shown in the browser frame is prefixed with https, the actual underlying connection is not https even though it is not obvious to the user.

There are two solutions for this.

Solution 1 is to enable SSL on the VDA using one of these guides:

https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/secure/tls.html#configure-tls-on-a-vda-using-the-powershell-script

https://www.citrix.com/blogs/2014/12/11/how-to-secure-ica-connections-in-xenapp-and-xendesktop-7-6-using-ssl/

This will ensure that the connection path is SSL enabled between the internal client and the VDA.

Solution 2 is to have your connections from the clients first go through a Netscaler Gateway. Netscaler Gateway will proxy the connections and perform a SSL handshake between the client and the Netscaler. In this scenario there is no inconsistency and connections via HTML5 Receiver will succeed.

Related:

Bluefin (Ingenico) IPP320 failing to communicate with Sage Exchange Desktop via ICA Channel Serial COM Port

Configuration consists of 3 parts, Citrix Policies, VDA registry keys and client registry keys.

To configure Citrix Polices:

  1. Navigate to any of the Delivery Controllers in the Site and open Citrix Studio;
  2. In Citrix Studio navigate to the Policies console;
  3. In the Polices console, create new polices or add to existing policy following settings:

3.1 Select Enabled for “Auto Connect client COM ports”

User-added image

3.2 Select Allowed for “Client COM port redirection”

User-added image

3.3 If the policies shows “Disabled”, make sure you enable the policy.

User-added image

On the VDA, using the information from the following Citrix document https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-8/policies/policies-settings-reference/xad-policies-settings-deprecated.html, create following registry keys:

“AllowComPortRedirection”, and

“AutoConnectClientComPorts”.

On the client machines, please create following registry keys:

HKEY_LOCAL_MACHINESOFTWARECitrixICA Client

Name: CommBufferSize

Type: REG_DWORD

Data: 2048 (maximum value)

As per https://support.citrix.com/article/CTX138197.

HKEY_LOCAL_MACHINESOFTWARE{Wow6432Node}CitrixICAClientEngineConfigurationAdvancedModulesClientComm

Name: WindowSize

Type: REG_SZ

Data: 2048 (maximum value)

Related:

How to Troubleshoot XenApp and XenDesktop MSI Installation or Upgrade Errors

Table of Contents

Pre-requisites

You need Administrator rights on your account to perform the steps listed in this article. Check User Accounts to see if you have Administrator rights or contact your Network Administrator to gain permissions.

Back to top

Troubleshooting Steps

Rectify Incomplete Installation which could interrupt any future installations

When an installation does not complete or roll back successfully, some files may remain in the system. Windows Installer considers the incomplete installation to be active and does not install new products or re-install existing products until the installation is resolved. Follow the instructions in this article to resolve this issue: Error: When Trying to Install or Remove XenApp Software, a 1603 Error Message is Displayed

Back to top

Troubleshoot/Resolve issues using Citrix MSI Log Analyzer

Citrix MSI Log Analyzer is a tool that troubleshoots install issues or upgrade issues and enables customers to resolve common issues by pointing them to a specific support article.

Note. You may skip this step if you were pointed to this article by the MSI Log Analyzer tool or the XenApp Xendesktop 7.16 Metainstaller, which has been integrated with the MSI Log Analyzer.

  1. Follow instructions in CTX229734 to download the latest version of the tool on the target machine where the installation failed occurred. Citrix recommends that you obtain the latest version of the tool.

Review these additional troubleshooting steps, in cases where steps above did not resolve the issue

Back to top

Resolve issues which could be due to corruption

Though the exact cause may vary from case to case, there could be a sign of corruption in registry, Performance counters, WMI providers, C++ Runtimes or or .NET Installation.

This guide begins with the least intrusive methods to help troubleshoot these issues. It is not intended to be an exhaustive guide, but it should be able to provide solution for the majority of these issues.

  1. Fix problems that block programs from being installed or removed

    Refer to this article for more information.

  2. Repair Missing or corrupted System files

    Run ‘sfc /scannow’ both in online and offline mode. Refer to this link for more details.

  3. C++ RunTime

Occasionally, the C++ redistributable packages are corrupted or inconsistent which may cause installations and upgrades to fail.

  1. Each XA/XD release comes with the system requirements. For example: 7.15 requirements are available here.

    Note: For your case open the link specific to the XA/XD release version being installed

  2. In the page, refer to the section on Virtual Delivery Agent(VDA) for Desktop OS and Server OS which provides details on the specific Microsoft Visual C++ runtimes.

    User-added image
    For example: As shown above VDA 7.15 on Desktop OS needs VC++ 2013 and 2015 runtimes. Depending on the version you are installing the runtime versions for those VDA may be different.

  3. The version mention in the documentation list the year. Follow the below steps to note down the File Versions of the actual msi of the VC++ runtime. Open/Mount the XenApp/Xendesktop ISO layout and browse to the Support folder. For each VC++ runtimes noted in step ii above browse to that sub-folder within the Support folder. For each of those, Right click the vcredist msi file under the respective VCRedist folder, Click Properties and Note down the File Version under Details tab. Make a note of all the 4 parts separated by dot for each vcredist msi file.

    User-added image

  4. Launch Control Panel and under Installed Program list note down all the VC++ runtime versions with the dots. If any of the version noted in step above is missing then one should install the specific version from the support folder under the Layout. On a 64 bit machine, both 32 bit and 64 bit versions are required to be installed. If all versions are present in the control panel then there might be some corruption in which case it is recommended to uninstall and reinstall those specific versions.

Test to install again and see if the problem persists.

  1. .NET Repair

    1. Follow steps here https://support.microsoft.com/en-us/help/2698555/microsoft–net-framework-repair-tool-is-available to repair .NET
    2. Test to install again and see if the problem persists.
  • Performance Counters

    Verify that the Performance Counters can be reloaded by opening an elevated CMD shell and type the following commands ( hit [ENTER] after each line) :

    cd c:windowssystem32

    lodctr /R

    cd c:windowssysWOW64

    lodctr /R

    Resync the counters with Windows Management Instrumentation (WMI):

    WINMGMT.EXE /RESYNCPERF

    Stop and restart the Performance Logs and Alerts service.

    Stop and restart the Windows Management Instrumentation service.

    Check the event viewer for any errors.

  • WMI Repository Corruption

    If failures happen due to WMI corruption, for example, “RegisterEventManifest” or any other failure related to WMI, in the MSI failing log, please see Telemetry or CDF MSI fails to install or upgrade due to WMI repository Corruption.

Test to install again and see if the problem persists.

Back to top

Issues caused due to permissions or access issues

  1. Citrix MSI Log Analyzer output may point to the file/registry location where one should assess the permissions and ensure the administrator installing the VDA has necessary permissions. If not grant permission and try the installer again
  2. Try to temporarily move the VDA out of the OU enabled GPO and try installation once again, then move the VDA back to previous OU post the successful installation.

Back to top

Other causes to check

  1. You may receive this error message if any one of the following conditions is true:
  2. Windows Installer is attempting to install an app that is already installed on your PC.
  3. The folder that you are trying to install the Windows Installer package to is encrypted.
  4. The drive that contains the folder that you are trying to install the Windows Installer package to is accessed as a substitute drive.
  5. The SYSTEM account does not have Full Control permissions on the folder that you are trying to install the Windows Installer package to. You notice the error message because the Windows Installer service uses the SYSTEM account to install software.
  6. Sometimes AntiVirus may interfere with the installations. Disable the anti-virus software and attempt the installation.
  7. In some cases it is observed running in as a domain instead of a local Administrator or vice versa may help resolve the issue.

Back to top

What Next?

This really boils down to an OS based problem in most cases. Here are some solutions that have worked in other support cases.

  1. There is a deeper fix that can rebuild the performance counters from scratch. See links below.
  2. Admins can re-register the Windows installer service and look at other general Windows MSI repair options.
  3. Admins can attempt a repair install of Windows.
  4. If none of these steps delivers a resolution, further data can be captured by collecting MSI logs and running CDF Control on the machine while the installer runs.
  5. Links provided in the Additional Resources section.

Back to top

  1. Use the VDA Cleanup Utility

As a last resort, Download the utility from here and execute it as an administrator on the target machine. Try the installation again to see if it works.

Back to top

Related:

Citrix Cloud TLS Version Deprecation

Receiver

Version

Windows

4.2.1000

Mac

12.0

Linux

13.2

Android

3.7

iOS

7.0

Chrome/HTML5

Latest (Browser must support TLS 1.2)

Citrix recommends upgrading to Citrix Workspace app if your version of Receiver is earlier than those listed above. Download here: https://www.citrix.com/products/receiver.html

Thin Clients with Earlier Receiver Versions

If you are using Thin Clients with earlier versions of Citrix Receiver that cannot be updated, install an on-prem StoreFront in your resource location and have all of the Citrix Receivers point to it.

Retrieving a list of users connecting on older Receiver versions

To retrieve a list of Receivers connecting to your Citrix Cloud environment, log into Citrix Cloud and click the Manage button for the Virtual Apps and Desktops service. The details include user, version, connection date, and endpoint device name.

Virtual Apps and Desktops (Full Edition)

  1. Click Monitor > Trends > Custom Reports > Create Reports.

  2. Select OData Query, provide a report name, and copy/paste the following query (change date range as needed).

  3. Click Save, and then Execute to open the list in Excel.

    Sessions?$filter = StartDate ge datetime’2019-02-01’ and StartDate le datetime’2019-03-31’&$select = CurrentConnection/ClientVersion,CurrentConnection/ClientName,User/UserName,StartDate&$expand = CurrentConnection,User

Virtual Apps/Desktops Essentials

  1. Click Monitor, and then select a catalog.

  2. Click Export to open the list in Excel.

Citrix Cloud Management

To ensure successful connection to the Citrix Cloud management console (citrix.cloud.com), your browser must support TLS 1.2 (latest version of most web browsers).

Citrix Director

TLS 1.2 connection will be required when using OData APIs. To enforce use of TLS 1.2 on the client machine for clients such as MS Excel, PowerShell, LinqPad, refer to the following KB article: https://support.citrix.com/article/CTX245765

Citrix Cloud Connector

All connections to Citrix Cloud services from Citrix Cloud Connectors will require TLS 1.2. Citrix Provisioning and Machine Creation Services will allow TLS 1.0, 1.1, and TLS 1.2 connections by default (no action required) until later this year when it will change to TLS 1.2 only.

Note: If your security policy requires strict enforcement of TLS 1.2 connections, the following registry setting changes are required on each Citrix Cloud Connector.

.NET

[HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeMicrosoft.NETFrameworkv2.0.50727]
“SystemDefaultTlsVersions”=dword:00000001
“SchUseStrongCrypto”=dword:00000001
[HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeMicrosoft.NETFrameworkv4.0.30319]
“SystemDefaultTlsVersions”=dword:00000001
“SchUseStrongCrypto”=dword:00000001
[HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkv2.0.50727]
“SystemDefaultTlsVersions”=dword:00000001
“SchUseStrongCrypto”=dword:00000001
[HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkv4.0.30319]
“SystemDefaultTlsVersions”=dword:00000001
“SchUseStrongCrypto”=dword:00000001

SCHANNEL

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Client]

“DisabledByDefault”=dword:00000001

“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Server]

“Enabled”=dword:00000000

“DisabledByDefault”=dword:00000001

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0Client]

“Enabled”=dword:00000000

“DisabledByDefault”=dword:00000001

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0Server]

“Enabled”=dword:00000000

“DisabledByDefault”=dword:00000001

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0Client]

“DisabledByDefault”=dword:00000001

“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0Server]

“DisabledByDefault”=dword:00000001

“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1Client]

“DisabledByDefault”=dword:00000001

“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1Server]

“DisabledByDefault”=dword:00000001

“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Client]

“Enabled”=dword:00000001

“DisabledByDefault”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Server]

“Enabled”=dword:00000001

“DisabledByDefault”=dword:00000000

For more details, refer to the Microsoft article “Transport Layer Security (TLS) best practices with the .NET Framework”, section “SystemDefaultTlsVersions” https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#systemdefaulttlsversion

Troubleshooting

Since Citrix Cloud supports only TLS 1.2 and above, all clients accessing any data from Citrix Services with TLS versions 1.0 and 1.1 will see one of the following errors:

Director

Error:

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. —> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. —> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

Refer to the following article to configure clients for TLS 1.2 communication:

https://support.citrix.com/article/CTX245765

Receiver

Error:

“Unable to launch your app….Cannot connect to the Citrix XenApp server. SSL Error 4… The server rejected the connection.”

Refer to Upgrading to latest Receiver or Citrix Workspace app above.

Connector

If your Citrix Cloud Connector machine is not able to establish a connection with Citrix Cloud after Mar 15, 2019, check the following registry key to ensure TLS 1.2 is not disabled:

HKLM SYSTEMCurrentControlSetControlSecurityProvidersSCHANNEL

More details:

https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

https://docs.microsoft.com/en-us/windows/desktop/secauthn/protocols-in-tls-ssl–schannel-ssp-

Note: Internet Explorer group policy settings also control the values found in SCHANNEL registry key; Internet Explorer > Internet Properties can be used to check enabled/disabled protocols.

Related:

  • No Related Posts