Vulnerability in License Server and Snap-in for Desktop Studio, aka Heartbleed

Secure Configuration of Licensing Heartbleed Update

In response to the recent Heartbleed vulnerability in OpenSSL (CVE-2014-0160), Citrix released a security advisory, CTX140605, advising customers of its potential effects on some Citrix Licensing components. As part of the Citrix response to this vulnerability, a configuration document was published providing manual steps to temporarily mitigate the effects of this vulnerability on the affected components.

Citrix has released new versions of the product that are not affected by this vulnerability and this article provides detailed instructions on ensuring the updated licensing components are securely configured. New product versions are downloadable here.

License Server for Windows

For installations of the License Server for Windows

By default, communication to version 11.11.1 of the License Administration Console is carried out using HTTP on port 8082. Citrix recommends that administrators configure the License Administration Console to use HTTPS using the following steps:

  1. On the License Administration Console go to Administration > Server Configuration > Secure Web Server Configuration. Select Enable HTTPS.

  2. To enable HTTP to HTTPS redirection, select Redirect non-secure web access to secure web access, click Save, and restart the license server. This redirects HTTP traffic over HTTPS.

  3. For systems that previously had the Citrix Simple License Service Windows Service installed, the service has been combined into Citrix Web Services for Licensing that is installed by the Citrix Licensing installer. This service no longer requires a separate installation and is configured by the License Server installer.

Citrix Licensing Administration Snap-in

The Citrix Licensing Administration Snap-in is normally installed on computers with Citrix Desktop Studio. Some installations with custom configurations might also have this Snap-in installed standalone. The Citrix Licensing Administration Snap-in communicates with the Web Services for Licensing component over port 8083. Communication to the License Server over this port was manually blocked in the Windows firewall by the prior suggested Heartbleed mitigation.

Log on to each computer where the Administration Snap-in is installed as an Administrator and open a command prompt. Note that on Windows Server 2008 and later the command prompt might have to run with elevated permission if UAC is enabled. Type the following command:

netsh advfirewall firewall delete rule name="Temporary Block for Licensing Admin PowerShell" dir=out protocol=TCP remoteip=<IP of License Server> remoteport=8083

For additional details on netsh firewall configuration see Netsh AdvFirewall Firewall Commands.

Impact

Citrix Studio and custom installations of the Citrix Licensing Administration Snap-in will now be able to administer licensing.

Citrix Usage Collector

Some customer environments might have the Citrix Usage Collector installed. Servers running the Citrix Usage Collector must have outgoing port 443 re-enabled in the Windows Firewall.

Log on to the Citrix Usage Collector servers as an Administrator and open a command prompt. Note that on Windows Server 2008 and later the command prompt might have to run with elevated permission if UAC is enabled. Type the following commands:

netsh advfirewall firewall delete rule name="Temporary Block Web Services For Licensing" dir=out protocol=TCP program="c:\Program Files (x86)\Citrix\Licensing\UsageCollector\ctxurt.exe" remoteport=443

Note that for 32-bit systems the program path is "c:\Program Files\Citrix\Licensing\UsageCollector\ctxurt.exe".

For additional details on netsh firewall configuration see Netsh AdvFirewall Firewall Commands.

Impact

Now Citrix Usage Collector can safely transmit the usage data over the network.
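As an added illustration that is not part of the Citrix article, the following PowerShell script covers both the Snap-in and the Usage Collector cleanup above: it deletes each temporary rule only where it actually exists, then confirms the License Server ports (8083 for the Snap-in, 8082 for the HTTPS console) are reachable from this host. The rule names are the ones quoted in the article; `$LicenseServer` and the `Test-TcpPort` helper are this example's own assumptions.

```powershell
# Added example (not Citrix's code). Run elevated on each host that received the
# temporary Heartbleed mitigation rules. $LicenseServer is a placeholder you supply.
param(
    [Parameter(Mandatory = $true)][string]$LicenseServer   # hostname or IP of the License Server
)

# Rule names created by the earlier mitigation document, as quoted in the article.
$tempRules = @(
    "Temporary Block for Licensing Admin PowerShell",   # Snap-in: outbound TCP 8083
    "Temporary Block Web Services For Licensing"        # Usage Collector: outbound TCP 443
)

foreach ($name in $tempRules) {
    # 'show rule' reports "No rules match the specified criteria." when the rule is
    # absent, so only delete rules that are really present on this host.
    $out = netsh advfirewall firewall show rule name="$name" dir=out 2>&1
    if ($LASTEXITCODE -eq 0 -and (($out -join "`n") -notmatch 'No rules match')) {
        netsh advfirewall firewall delete rule name="$name" dir=out | Out-Null
        Write-Host "Removed temporary rule: $name"
    } else {
        Write-Host "Rule not present, nothing to do: $name"
    }
}

# Connectivity check using .NET directly, so it also works on Windows Server 2008
# hosts that lack Test-NetConnection. Returns $true when a TCP connect succeeds.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Ports the article expects to be open once the temporary rules are gone.
foreach ($port in 8083, 8082) {
    $ok = Test-TcpPort -ComputerName $LicenseServer -Port $port
    Write-Host ("Port {0} on {1}: {2}" -f $port, $LicenseServer, $(if ($ok) { "reachable" } else { "BLOCKED" }))
}
```

If port 8082 is reported blocked while 8083 is reachable, the HTTPS console step in the License Server section has not yet been completed on the server side.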
