Not worth it in my opinion but I’ve seen it. This saves just a little bit of cash on buying another cert and shaves a few minutes off a StoreFront deployment (binding an SSL cert in IIS). In some environments I’ve seen, people like to use the NetScaler Gateway for HTTPS traffic to the clients, but leave the backend to StoreFront on HTTP over port 80. That’s fine, but we’re adding an HTTPS based NetScaler Gateway URL. An attacker gaining a foothold in your datacenter is all too common these days, so make it as hard as possible for them to sniff out traffic.

Citrix doesn’t want you to add an HTTP based StoreFront URL here. In a nutshell, encrypt everything in your datacenter. Anytime I deploy something I always take on a FIPS 140-2 mindset, because even though you may not have to worry about FIPS compliance right now, you may need to do something similar later, even through another regulatory body, so it’s best to start out on the right foot securing your infrastructure anytime you build something, no matter what industry you are in. I always take this approach in Production environments. This is because the best practice is to always use SSL, whether on the front end for clients or for backend communication to your servers.

Please contact your system administrator. HTTP Store requires additional configuration before being added to the Citrix Receiver.

If you add “HTTP” to the URL, it will give you a warning like this:

If you add “HTTPS” to it, it will look fine as well:

If you add your URL like this, it is by default going to go over HTTPS over an encrypted SSL/TLS connection:

Left the crossed out text for anyone needing those instructions for whatever reason, but I recently tested just moving the CRT to the directory and the rehash utility will convert as needed.

The Windows Receiver requires an “HTTPS” URL by default.
If the CA is not a known and trusted one present in the /usr/share/ca-certificates/mozilla directory mentioned above:
Download it using your browser's security info on the site
Convert it to PEM
Move it, and rehash: Step 3 above.

Link it to the Citrix directory and rehash: sudo ln -s NEW_CERT /opt/Citrix/ICAClient/keystore/cacerts/

Convert the desired CRT to PEM: sudo openssl x509 -outform pem -in -out

3. If your installation is in /opt/Citrix/ICAClient and assuming the signing root certificate or CA is an existing one in ca-certificates:

2. Newer versions of the receiver require you to convert the CRT file to PEM, place the CRT in a specific directory, and run a Citrix utility.