Citrix Cloud is updating the method used for traffic ingress to improve resiliency, which requires inserting a new service in the path used to communicate with Citrix’s services. Rollout of this new ingress method for the Federated Authentication Service is in progress and is targeted for completion by the end of July 2022.
Most customers will not be affected. Administrators who have restricted the cipher suites their operating system may use, however, need to review that configuration and confirm that the cipher suites supported by the new traffic ingress method are still permitted.
In particular, a previous iteration of the Citrix Cloud Secure Deployment guide included a recommendation for Windows Server 2012 to use a cipher that is not supported by the new ingress method. The secure deployment guide has already been updated with the cipher suites supported by the new ingress method.
Supported cipher suites
For TLS 1.2, the following cipher suites are supported by the new ingress method:
If accessing the Citrix Cloud control plane from Windows Server 2016, Windows Server 2019, or Windows Server 2022, the following strong ciphers are recommended:
If accessing the Citrix Cloud control plane from Windows Server 2012 R2, the strong ciphers are not available, so the following ciphers must be added to retain connectivity as services are transitioned to the new ingress method:
The following ciphers must still be enabled in Windows Server 2012 R2 to access services that are not using the new ingress method:
If the above cipher suites are not available to the Federated Authentication Service by July 31, 2022, your users may experience a service outage. Citrix therefore strongly recommends reviewing both mechanisms Windows uses to restrict cipher suites: the allow list set by the SSL Cipher Suite Order group policy, and the deny list created by Schannel registry entries. A cipher suite is only usable if it passes both, so a suite listed in the policy is still unavailable when the registry disables an algorithm it depends on. Check both to ensure that no restriction prevents the specific cipher suites above from being used.
- Verify the cipher suites the client offers with the SSL Labs client test: https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html (the result reflects Schannel only when run from a browser that uses Schannel, such as Internet Explorer; Chrome and Firefox use their own TLS stacks.)
- Ensure that the SSL Cipher Suite Order group policy (Computer Configuration > Administrative Templates > Network > SSL Configuration Settings) is either Not Configured or includes the cipher suites above: https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls
- Ensure that no Schannel registry entries disable an algorithm the supported cipher suites rely on (e.g. on Windows Server 2012, ensure that Diffie-Hellman is not disabled under KeyExchangeAlgorithms, since the DHE suites depend on it): https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
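The following PowerShell script is an added example, not Citrix's own tooling and not part of the original advisory. Run it as an administrator on the server hosting the Federated Authentication Service; it walks the three checks above in one pass: the group policy allow list, the Schannel registry deny list, and the effective cipher suite list. The cipher suite names in $RequiredSuites are illustrative placeholders only (the advisory's own list is not reproduced here), so replace them with the suites from the current Citrix Cloud Secure Deployment guide. The registry paths used are the ones documented in the Microsoft TLS registry settings page linked above.

```powershell
# Added example (not Citrix tooling): check whether the cipher suites required by
# the new Citrix Cloud ingress method are usable by Schannel on this server.
# ASSUMPTION: the suite names below are illustrative placeholders; replace them
# with the list from the current Citrix Cloud Secure Deployment guide.
$RequiredSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',  # placeholder
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',  # placeholder
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'     # placeholder; DHE suites need Diffie-Hellman enabled
)

$findings = New-Object System.Collections.Generic.List[string]

# Windows Server 2012 R2 appends the ECC curve to suite names in the registry
# (e.g. ..._SHA384_P384), so match on prefix rather than on the exact name.
function Test-SuiteListed([string[]]$List, [string]$Suite) {
    return [bool]($List | Where-Object { $_ -like "$Suite*" })
}

# --- 1. Allow list: "SSL Cipher Suite Order" group policy ----------------------
# When the policy is Enabled, Windows writes a comma-separated REG_SZ named
# Functions under this key and offers only those suites. No value means no policy.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
if ($policy) {
    $policyList = $policy.Functions -split ',' | ForEach-Object { $_.Trim() }
    foreach ($s in $RequiredSuites) {
        if (-not (Test-SuiteListed $policyList $s)) {
            $findings.Add("GPO cipher suite order is enabled but omits $s")
        }
    }
} else {
    Write-Host 'No SSL Cipher Suite Order policy value found; no GPO allow list in effect.'
}

# --- 2. Deny list: Schannel registry entries -----------------------------------
# Enabled=0 under any of these keys removes every suite that uses the algorithm,
# even if the GPO order lists it. Several key names contain "/", which the
# PowerShell registry provider treats as a path separator, so use the .NET API.
$schannelRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$schannelKeys = @(
    'KeyExchangeAlgorithms\Diffie-Hellman',   # required by TLS_DHE_* suites
    'KeyExchangeAlgorithms\ECDH',             # required by TLS_ECDHE_* suites
    'KeyExchangeAlgorithms\PKCS',             # RSA key exchange
    'Ciphers\AES 128/128',
    'Ciphers\AES 256/256',
    'Hashes\SHA256',
    'Hashes\SHA384',
    'Protocols\TLS 1.2\Client'
)
$hklm = [Microsoft.Win32.Registry]::LocalMachine
foreach ($sub in $schannelKeys) {
    $key = $hklm.OpenSubKey("$schannelRoot\$sub")
    if ($null -eq $key) { continue }   # key absent: the Windows default applies
    $enabled = $key.GetValue('Enabled')
    $disabledByDefault = $key.GetValue('DisabledByDefault')
    if ($null -ne $enabled -and $enabled -eq 0) {
        $findings.Add("Schannel registry disables $sub (Enabled=0)")
    }
    if ($null -ne $disabledByDefault -and $disabledByDefault -eq 1) {
        $findings.Add("Schannel registry sets DisabledByDefault=1 on $sub")
    }
    $key.Close()
}

# --- 3. Effective suite list --------------------------------------------------
# Get-TlsCipherSuite exists on Windows Server 2016 and later. On 2012 R2, fall
# back to the local (non-policy) cipher suite order, a REG_MULTI_SZ named Functions.
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    $effective = (Get-TlsCipherSuite).Name
} else {
    $localKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Configuration\Local\SSL\00010002'
    $effective = (Get-ItemProperty -Path $localKey -Name Functions -ErrorAction SilentlyContinue).Functions
}
foreach ($s in $RequiredSuites) {
    if (-not (Test-SuiteListed $effective $s)) {
        $findings.Add("$s is not in the effective cipher suite list")
    }
}

# --- Report -------------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Host 'OK: all required cipher suites appear usable on this server.'
} else {
    Write-Warning 'Cipher suite restrictions found that may break FAS connectivity:'
    $findings | ForEach-Object { Write-Warning "  $_" }
}
```

A finding from check 2 is the one to fix first: a disabled key exchange algorithm or cipher silently removes suites that the policy order still lists, and Get-TlsCipherSuite on 2016 and later already reflects that removal, whereas the 2012 R2 fallback reads the configured order rather than what Schannel will actually negotiate.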