TLS/SSL data encryption and server identification

Use this policy to configure the TLS options that ensure Citrix Receiver securely identifies the server that it is connecting to and to encrypt all communication with the server. Citrix recommends that connections over untrusted networks use TLS. Citrix supports TLS 1.0, TLS 1.1 and TLS 1.2 protocols between Receiver and XenApp or XenDesktop.

When this policy is enabled, you can force Receiver to use TLS for all connections to published applications and desktops by checking the "Require SSL for all connections" checkbox.

Receiver identifies the server by the name on the security certificate that the server presents. This has the form of a DNS name (for example, -www.citrix.com). You can restrict Receiver to connect only to particular servers specified by a comma separated list in the "Allowed SSL servers" setting. Wildcards and port numbers can be specified here; for example, *.citrix.com:4433 allows connection to any server whose common name ends with .citrix.com on port 4433. The accuracy of the information in a security certificate is asserted by the certificate's issuer. If Receiver does not recognize and trust a certificate's issuer, the connection is rejected.

When connecting by TLS, the server may be configured to require Receiver to provide a security certificate identifying itself. Use the "Client Authentication" setting to configure whether or not identification is provided automatically or if the user is notified. Options include:

- never supply identification
- only use the certificate configured here
- to always prompt the user to select a certificate
- to prompt the user only if there a choice of certificate to supply
Use the "Client Certificate" setting to specify the identifying certificate's thumbprint to avoid prompting the user unnecessarily.

When verifying the server's security certificate, you can configure the plug-in to contact the certificate's issuer to obtain a Certificate Revocation List (CRL) to ensure that the server certificate has not been revoked. This enables a certificate to be invalidated by its issuer should a system be compromised. Use the "CRL verification setting" to configure the plug-in to:
- not check CRLs at all
- only check CRLs that have been previously obtained from the issuer
- actively retrieve an up-to-date CRL
- to refuse to connect unless it can obtain an up-to-date CRL

Organizations that configure TLS for a range of products can choose to identify servers intended for Citrix plug-ins by specifying a Certificate Policy OID as part of the security certificate. If a Policy OID is configured here, Receiver accepts only certificates that declare a compatible Policy.

Some security policies have requirements related to the cryptographic algorithms used for a connection. You can restrict the plug-in to use only TLS v1.0, TLS 1.1 and TLS 1.2 with the "TLS version" setting. Similarly, you can restrict the plug-in to use only certain cryptographic ciphersuites: These ciphersuite include:

Government Ciphersuites:
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384

Commercial Ciphersuites:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_AES_128_GCM_SHA256

Supported on: All Receiver supported platforms
Require TLS for all connections
Registry HiveHKEY_CURRENT_USER
Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
Value NameSSLEnable
Value TypeREG_SZ
Default Valuetrue
True Valuetrue
False Value*
Security Compliance Mode


  1. NONE
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSSLSecurityComplianceMode
    Value TypeREG_SZ
    ValueNONE
  2. SP800-52
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSSLSecurityComplianceMode
    Value TypeREG_SZ
    ValueSP800-52

Enable FIPS
Registry HiveHKEY_CURRENT_USER
Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
Value NameSSLFIPSEnable
Value TypeREG_SZ
Default Value*
True Valuetrue
False Value*
TLS version


  1. TLS1.2
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSecureChannelProtocol
    Value TypeREG_SZ
    ValueTLS12
  2. TLS1.1 | TLS1.2
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSecureChannelProtocol
    Value TypeREG_SZ
    ValueTLS11_TLS12
  3. TLS1.0 | TLS1.1 | TLS1.2
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSecureChannelProtocol
    Value TypeREG_SZ
    ValueTLS11_TLS12_TLS13

TLS cipher suite


  1. Any
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSSLCiphers
    Value TypeREG_SZ
    Value
  2. Government
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSSLCiphers
    Value TypeREG_SZ
    ValueGOV
  3. Commercial
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSSLCiphers
    Value TypeREG_SZ
    ValueCOM

Certificate Revocation Check Policy


  1. NoCheck
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSSLCertificateRevocationCheckPolicy
    Value TypeREG_SZ
    ValueNoCheck
  2. Check with no network access
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSSLCertificateRevocationCheckPolicy
    Value TypeREG_SZ
    ValueCheckNoNetworkAccess
  3. Full Access Check
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSSLCertificateRevocationCheckPolicy
    Value TypeREG_SZ
    ValueFullAccessCheck
  4. Full access check and CRL required
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSSLCertificateRevocationCheckPolicy
    Value TypeREG_SZ
    ValueFullAccessCheckAndCrlRequired
  5. Full access check and CRL required All
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSSLCertificateRevocationCheckPolicy
    Value TypeREG_SZ
    ValueFullAccessCheckAndCrlRequiredAll

Client Authentication


  1. Not Configured
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSSLClientAuthentication
    Value TypeREG_SZ
    Value
  2. Display certificate selector
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSSLClientAuthentication
    Value TypeREG_SZ
    ValueAlwaysPromptUser
  3. Disabled
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSSLClientAuthentication
    Value TypeREG_SZ
    ValueOff
  4. Use specified certificate
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSSLClientAuthentication
    Value TypeREG_SZ
    ValueOn
  5. Select automatically if possible
    Registry HiveHKEY_CURRENT_USER
    Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\SSL
    Value NameSSLClientAuthentication
    Value TypeREG_SZ
    ValuePromptUser


receiver.admx

Administrative Templates (Computers)