Digi-Sign, The Certificate Corporation
Published on Digi-Sign, The Certificate Corporation (https://www.digi-sign.com)


By Digi-Sign
Created Feb 19 2008 - 13:22

Advanced Edition

Access Gateway Advanced Edition

The Access Gateway and the servers running Advanced Edition can both be required to use secure client certificates. Use the following guidelines when configuring for client certificate use:

  • The Secure Access Client can read certificates from the Windows user’s profile, from a smart card, or from a hardware token that supports the Microsoft Crypto API.
  • The client certificate does not authenticate the user; it serves only as an additional client requirement, similar to an endpoint scan. Users still have to type in their password or token code.
  • When set to require client certificates, the Access Gateway can no longer make direct connections to Citrix Presentation Server using Citrix Presentation Server Clients. The Secure Access Client is required to make ICA connections through the Access Gateway.

2.3 Selecting an Encryption Type for Client Connections

All communications between the Secure Access Client and the Access Gateway are encrypted with SSL. The SSL protocol allows two computers to negotiate encryption ciphers to accomplish the symmetric encryption of data over a secure connection.
You can select the specific cipher that the Access Gateway uses for the symmetric data encryption on an SSL connection. Selecting a strong cipher reduces the possibility of a malicious attack. The security policies of your organization may also require you to select a specific symmetric encryption cipher for secure connections.

Note: If you are using the Access Gateway to provide access to Citrix Presentation Server, ICA traffic transmitted to the Access Gateway is also encrypted using these ciphers.

You can select RC4, 3DES, or AES encryption ciphers for SSL connections. The default setting is RC4 128-bit. The MD5 or SHA hash algorithm is negotiated between the client and the server.

The Access Gateway uses RSA for public key encryption in a secure connection. The encryption ciphers and hash algorithms that you can select for symmetric encryption are listed below:

    - RC4 128-bit, MD5/SHA
    - 3DES, SHA
    - AES 128/256-bit, SHA

To select an encryption type for client connections:

    1. Click the Global Cluster Policies tab.
    2. Under Select security options, in Select encryption type for client connections, select the bulk encryption cipher you want to use for secure connections. Click Submit.
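After submitting the change, you can check that each gateway negotiates what was selected. The following Python sketch is an added example, not Citrix or Digi-Sign code: it maps the suites listed above to their OpenSSL names and audits observed suites against the selected option and a local policy. The gateway names, the sample observations and the policy parameters (min_bits, allowed_hashes) are assumptions.

```python
import socket
import ssl

# OpenSSL names for the RSA key-exchange suites the page lists:
# name -> (console option, nominal key bits, hash)
PAGE_SUITES = {
    "RC4-MD5": ("RC4", 128, "MD5"),
    "RC4-SHA": ("RC4", 128, "SHA"),
    "DES-CBC3-SHA": ("3DES", 168, "SHA"),
    "AES128-SHA": ("AES", 128, "SHA"),
    "AES256-SHA": ("AES", 256, "SHA"),
}

def negotiated_cipher(host, port=443, timeout=5.0):
    """Return the suite name a live gateway negotiates with this client.

    Raises ssl.SSLError if the local OpenSSL build shares no suite with the
    gateway (many current builds do not offer RC4 or 3DES by default).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()[0]  # cipher() -> (name, protocol, secret bits)

def audit(selected, observed, min_bits=128, allowed_hashes=("SHA",)):
    """Compare observed suites with the console selection and local policy.

    selected: "RC4", "3DES" or "AES"; observed: {gateway: suite name}.
    Returns sorted (gateway, finding) tuples; an empty list means consistent.
    """
    findings = []
    for gateway, suite in observed.items():
        info = PAGE_SUITES.get(suite.upper())
        if info is None:
            findings.append((gateway, f"{suite}: not a suite the page lists"))
            continue
        option, bits, digest = info
        if option != selected:
            findings.append((gateway, f"{suite}: uses {option}, but {selected} is selected"))
        if bits < min_bits:
            findings.append((gateway, f"{suite}: {bits}-bit key is below the {min_bits}-bit minimum"))
        if digest not in allowed_hashes:
            findings.append((gateway, f"{suite}: {digest} hash is not allowed by policy"))
    return sorted(findings)

# Constructed observations; the gateway names are hypothetical.
SAMPLE = {
    "gw1.example.test": "AES256-SHA",
    "gw2.example.test": "RC4-MD5",
    "gw3.example.test": "ECDHE-RSA-AES128-GCM-SHA256",
}
```

Calling audit("AES", SAMPLE) reports the RC4-MD5 gateway twice (wrong cipher, disallowed hash) and flags the third suite as outside the page's list.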



Source URL: https://www.digi-sign.com/support/digi-access/citrix-section2.2