Citrix XenDesktop provides OData interface, which can be used to get the reports for XenDesktop environment (for extra help, refer this blog for more information).
Citrix Director uses this interface extensively to query and display various historical trends. By default, this interface works on HTTP protocol, which makes the data viewable by third party on the network during the transaction between director and monitoring service. This issue can be solved by securing the transaction with TLS.
In this post, we will discuss about how we can configure Monitor OData port to work on TLS. Here are 4 simple steps to secure OData channel with TLS.
Step 1: Enable TLS on DDC machine.
In order to support TLS for OData channel, TLS communication should be enabled on machine. This can be done by adding TLS registry keys on DDC machine and restarting the machine. To make this task simple we have provided PowerShell commandlets below. Execute them on PowerShell with administrative privilege.
New-Item -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2’ -Force
New-Item -Path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client” -Force
New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client” -Name “DisabledByDefault” -PropertyType DWord -Value 0
New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client” -Name “Enabled” -PropertyType DWord -Value 1
New-Item -Path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server” -Force
New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server” -Name “DisabledByDefault” -PropertyType DWord -Value 0
New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server” -Name “Enabled” -PropertyType DWord -Value 1
Now restart DDC.
Step 2: Binding Certificate to 443 port
TLS uses certificates to encrypt the network packets. You can use verified third party certificate. Incase certificate is not available, We have to create a self-signed certificate on IIS in DDC machine.
Once the certificate is created it has to be binded to 443 port.
Step 3: install the certificate on Director server.
Once the certificate is binded to the 443 port, we need to install the certificate on Director Machine. This is make sure director trusts the certificate that is used to encrypt OData Channel and requests can fetch the required data smoothly. Following steps will help you to install the certificate.
- Open IE browser on Director server
- Open any website on DDC machine (storefront) with https
- You get the certificate error with certificate on the top
- Click on the certificate and install it into trusted root folder
- Restart IE and open the same webpage, make sure no error is shown now
Step 4 : Setting Up monitoring service to communicate on TLS
This is the important part and should be performed carefully. In this step we change the monitoring service OData interface to listen the request on 443 port. We have provided the PowerShell commandlets, Run the following commands on DDC PowerShell with administrator privilege :
asnp citrix.*
$serviceGroup = get-configregisteredserviceinstance -servicetype Monitor | Select -First 1 ServiceGroupUid
remove-configserviceGroup -ServiceGroupUid $serviceGroup.ServiceGroupUid
,\’C:\Program Files\Citrix\Monitor\Service.\citrix.monitor.exe -RequireODataSdkTls -RequireODataTls –OdataPort 443 –OdataSdkPort 443
asnp citrix.* (if not already run within this window)
get-MonitorServiceInstance | register-ConfigServiceInstance
Executing these steps carefully will enable director OData calls to go through 443 port and make it more secure. It can be verified using Wireshark.