Citrix Director assurance: OData interface by TLS


Citrix XenDesktop offers an OData interface that can be used to obtain reports for the XenDesktop environment (see this blog for more information).

Citrix Director uses this interface extensively to query and display various historical trends. By default, the interface runs over plain HTTP, so the data exchanged between Director and the Monitor Service is visible to third parties on the network. This problem can be solved by securing the channel with TLS.

In this article we discuss how to configure the Monitor OData port for TLS. Here are four simple steps to secure the OData channel with TLS.

Step 1: Enable TLS on the DDC machine

To support TLS on the OData channel, TLS communication must be enabled on the DDC machine. This is done by adding the TLS registry keys on the DDC and rebooting it. To make this task simple, we have put the PowerShell commands below. Run them from PowerShell with administrative privileges:

New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2' -Force

New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -PropertyType DWord -Value 0

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -PropertyType DWord -Value 1

New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -PropertyType DWord -Value 0

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -PropertyType DWord -Value 1

Now restart the DDC.

Step 2: Bind a certificate to port 443

TLS uses certificates to encrypt the network packets. You can use a certificate issued by a trusted third-party CA. If no certificate exists, create a self-signed certificate in IIS on the DDC machine.

After the certificate is created, it must be bound to port 443.

Step 3: Install the certificate on the Director server

After the certificate is bound to port 443, we need to install it on the Director machine. This ensures that Director trusts the certificate used to encrypt the OData channel, so its requests can fetch the required data. The following steps install the certificate:

  • Open the IE browser on the Director server
  • Open any website hosted on the DDC machine over https
  • You will get a certificate error; click on it at the top of the browser to view the certificate
  • Click on the certificate and install it into the Trusted Root Certification Authorities store
  • Restart IE and open the same web page; make sure that no error is shown now

Step 4: Configure the Monitor Service to communicate over TLS

This is the most important part and should be done carefully. In this step, we change the Monitor Service's OData interface to require TLS and listen on port 443. We have put the PowerShell commands below; run them on the DDC from PowerShell with administrator privileges:

asnp citrix*

$serviceGroup = Get-ConfigRegisteredServiceInstance -ServiceType Monitor | Select-Object -First 1 ServiceGroupUid

Remove-ConfigServiceGroup -ServiceGroupUid $serviceGroup.ServiceGroupUid

& 'C:\Program Files\Citrix\Monitor\Service\Citrix.Monitor.exe' -RequireODataSdkTls -RequireODataTls -OdataPort 443 -OdataSdkPort 443

asnp citrix* (if the snap-ins are not already loaded in this window)

Get-MonitorServiceInstance | Register-ConfigServiceInstance

Following these steps carefully makes Director's OData calls go over port 443 with TLS, so they are no longer readable on the wire. This can be verified with Wireshark.
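As a check on the four steps above, here is an added PowerShell script that is not part of the original post. It assumes it runs on the DDC itself (so the registry and netsh checks are local), that the Monitor OData feed is exposed at /Citrix/Monitor/OData/v2/Data (adjust this for the OData version your site uses), and that netsh lists the HTTP.sys certificate binding with a ":443" port; the $DdcHost name and the ODataPath value are assumptions you supply.

```powershell
# Added verification script (not from the original post). Run on the DDC after the
# reboot in Step 1 and the re-registration in Step 4.
param(
    [string]$DdcHost   = $env:COMPUTERNAME,                  # assumption: run on the DDC
    [string]$ODataPath = '/Citrix/Monitor/OData/v2/Data'     # assumption: OData v2 feed path
)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$results  = [ordered]@{}

# Step 1: both Schannel keys must say TLS 1.2 is enabled and not disabled by default.
foreach ($side in 'Client', 'Server') {
    $key = Get-ItemProperty -Path "$schannel\$side" -ErrorAction SilentlyContinue
    $results["TLS 1.2 $side enabled"] =
        ($null -ne $key) -and ($key.Enabled -eq 1) -and ($key.DisabledByDefault -eq 0)
}

# Step 2: HTTP.sys must have a certificate bound to port 443 (assumes netsh prints "IP:port : 0.0.0.0:443").
$sslCert = netsh http show sslcert
$results['Certificate bound to :443'] = (($sslCert -join "`n") -match ':443\s')

# Step 4: port 443 must be open and the OData feed must answer over HTTPS.
$results['Port 443 listening'] = Test-NetConnection -ComputerName $DdcHost -Port 443 -InformationLevel Quiet
try {
    $resp = Invoke-WebRequest -Uri "https://$DdcHost$ODataPath" -UseDefaultCredentials -UseBasicParsing
    $results['OData feed over HTTPS'] = ($resp.StatusCode -eq 200)
} catch {
    # A trust failure here is the same problem Step 3 fixes on the Director side.
    $results['OData feed over HTTPS'] = $false
    Write-Warning "HTTPS request failed: $($_.Exception.Message)"
}

# With -RequireODataTls set, the feed must no longer be served over plain HTTP on port 80.
try {
    $null = Invoke-WebRequest -Uri "http://$DdcHost$ODataPath" -UseDefaultCredentials -UseBasicParsing -TimeoutSec 5
    $results['Plain HTTP refused'] = $false
} catch {
    $results['Plain HTTP refused'] = $true
}

# Print one line per check; any FAIL points at the step to revisit.
$results.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Run the same script from the Director server with -DdcHost set to the DDC name if you want to confirm Step 3 from the client side: the HTTPS request then succeeds only when the DDC certificate is trusted in the Director machine's root store.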
