Objective

Jul 02, 2020. Citrix Provisioning and Machine Creation Services will allow TLS 1.0, 1.1, and TLS 1.2 connections by default (no action required) until later this year when it will change to TLS 1.2 only. Note: If your security policy requires strict enforcement of TLS 1.2 connections, the following registry setting changes are required on each Citrix Cloud. TLS Handshake version 1.2. The TLS handshake process involves the following: Both sides exchange hello messages to select the necessary algorithms, exchange random values, and check for session re-use. They exchange crypto algorithms that help in agreeing on a pre-master secret. Certificates are exchanged to authenticate each other. Apr 04, 2018.

To improve the security of connections to Citrix Cloud, Citrix will block any communication over Transport Layer Security (TLS) 1.0 and 1.1 as of March 15, 2019.
Upgrading to latest Receiver or Citrix Workspace App
Retrieving a list of users connecting on older Receiver versions
Citrix Cloud Management
Citrix Director
Citrix Cloud Connector
Troubleshooting
Refer to the following article to configure Citrix Gateway for Citrix Endpoint Management:
Citrix Endpoint Management TLS Version Deprecation

Instructions

Upgrading to latest Receiver or Citrix Workspace App

To ensure successful connection to Citrix Workspace from user endpoint devices, the version of Citrix Receiver installed must be equal to or greater than the versions listed below that support TLS 1.2.

Receiver        Version
Windows         4.2.1000
Mac             12.0
Linux           13.2
Android         3.7
iOS             7.0
Chrome/HTML5    Latest (Browser must support TLS 1.2)

Citrix recommends upgrading to Citrix Workspace app if your version of Receiver is earlier than those listed above. Download here: https://www.citrix.com/products/receiver.html
Thin Clients with Earlier Receiver Versions
If you are using Thin Clients with earlier versions of Citrix Receiver that cannot be updated, install an on-prem StoreFront in your resource location and have all of the Citrix Receivers point to it.

Retrieving a list of users connecting on older Receiver versions

To retrieve a list of Receivers connecting to your Citrix Cloud environment, log into Citrix Cloud and click the Manage button for the Virtual Apps and Desktops service. The details include user, version, connection date, and endpoint device name.

Virtual Apps and Desktops (Full Edition)

  1. Click Monitor > Trends > Custom Reports > Create Reports.

  2. Select OData Query, provide a report name, and copy/paste the following query (change date range as needed).

    Sessions?$filter = StartDate ge datetime'2019-02-01' and StartDate le datetime'2019-03-31'&$select = CurrentConnection/ClientVersion,CurrentConnection/ClientName,User/UserName,StartDate&$expand = CurrentConnection,User

  3. Click Save, and then Execute to open the list in Excel.

  1. Click Monitor, and then select a catalog.

  2. Click Export to open the list in Excel.

Citrix Cloud Management

To ensure successful connection to the Citrix Cloud management console (citrix.cloud.com), your browser must support TLS 1.2 (latest version of most web browsers).

Citrix Director

TLS 1.2 connection will be required when using OData APIs. To enforce use of TLS 1.2 on the client machine for clients such as MS Excel, PowerShell, LinqPad, refer to the following KB article: https://support.citrix.com/article/CTX245765

Citrix Cloud Connector

All connections to Citrix Cloud services from Citrix Cloud Connectors will require TLS 1.2. Citrix Provisioning and Machine Creation Services will allow TLS 1.0, 1.1, and TLS 1.2 connections by default (no action required) until later this year when it will change to TLS 1.2 only.

Note: If your security policy requires strict enforcement of TLS 1.2 connections, the following registry setting changes are required on each Citrix Cloud Connector.

.NET

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

SCHANNEL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

For more details, refer to the Microsoft article “Transport Layer Security (TLS) best practices with the .NET Framework”, section “SystemDefaultTlsVersions” https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#systemdefaulttlsversion

Troubleshooting

Since Citrix Cloud supports only TLS 1.2 and above, all clients accessing any data from Citrix Services with TLS versions 1.0 and 1.1 will see one of the following errors:

Director

Error:
System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
Refer to the following article to configure clients for TLS 1.2 communication:
https://support.citrix.com/article/CTX245765

Receiver

Error:
'Unable to launch your app..Cannot connect to the Citrix XenApp server. SSL Error 4.. The server rejected the connection.'
Refer to Upgrading to latest Receiver or Citrix Workspace app above.

Connector

If your Citrix Cloud Connector machine is not able to establish a connection with Citrix Cloud after Mar 15, 2019, check the following registry key to ensure TLS 1.2 is not disabled:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
More details:
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
https://docs.microsoft.com/en-us/windows/desktop/secauthn/protocols-in-tls-ssl--schannel-ssp-
Note: Internet Explorer group policy settings also control the values found in SCHANNEL registry key; Internet Explorer > Internet Properties can be used to check enabled/disabled protocols.
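
A read-only check of the .NET and SCHANNEL values listed under Citrix Cloud Connector, which also covers the Connector troubleshooting step of confirming that TLS 1.2 is not disabled. This is an added example, not a Citrix script; Get-RegValue and New-Finding are hypothetical helper names, and the expected values are the ones given on this page.

```powershell
# Added example: audit a Cloud Connector against the strict TLS 1.2 values above.
# Read-only; run in an elevated PowerShell session on the connector.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent (the OS default applies).
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding($Path, $Name, $Expected) {
    # Compares one registry value with the value this page prescribes.
    $actual = Get-RegValue $Path $Name
    [pscustomobject]@{
        Key      = $Path -replace '^HKLM:\\', 'HKLM\'
        Value    = $Name
        Expected = $Expected
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Status   = if ($actual -eq $Expected) { 'OK' }
                   elseif ($null -eq $actual) { 'DEFAULT' }
                   else { 'MISMATCH' }
    }
}

# SCHANNEL: only TLS 1.2 is expected to be enabled, for both Client and Server.
$findings = foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $on = [int]($proto -eq 'TLS 1.2')
    foreach ($role in 'Client', 'Server') {
        New-Finding "$base\$proto\$role" 'Enabled' $on
        New-Finding "$base\$proto\$role" 'DisabledByDefault' (1 - $on)
    }
}
# .NET: SchUseStrongCrypto is expected to be 1 in all four framework keys.
$findings += foreach ($k in $netKeys) { New-Finding $k 'SchUseStrongCrypto' 1 }

$findings | Format-Table -AutoSize
# TLS 1.2 explicitly set to a non-prescribed value is the troubleshooting case above.
$findings | Where-Object { $_.Key -like '*TLS 1.2*' -and $_.Status -eq 'MISMATCH' }
```

A status of DEFAULT means the value is not set and the operating system default applies; MISMATCH means the value is set to something other than what this page lists.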

TLS Protocol Version 1.0 is not secure and, as a result, needs to be disabled on servers that offer PCI compliance.

Currently, we only support TLS 1.2.

Goodbye TLS 1.0 and 1.1

The TLS 1.0 and 1.1 protocols are no longer secure and are now disabled. If you try to establish a secure connection using your Apple Mail email client to the GreenGeeks mail server, you will receive an error message similar to the one below:

Unfortunately, it’s difficult to determine exactly what the problem is when this message appears. It could very well be something basic, such as an incorrect setting.

Please ensure all of your settings are correct. If you believe they are, then you have two options:

1. Update OS X

Update the operating system to OS X Sierra (10.12). High Sierra (10.13) seems to have the best support, though. Older versions of OS X prevent Apple Mail from working correctly with newer versions of security protocols.

Many people have had this problem, and the general consensus of the majority was to update to Sierra or later.

Updating OS X is relatively simple.

Open the App Store from your computer system.

Click on the “Updates” tab along the menu bar on the top.

You’ll see the info for the OS X software. Click “Update.”

The OS will then download and install the software needed.

When the installation is complete, the computer will restart.

Once it loads back up, your computer will be running the newest OS.

2. Use a Different Mail Client

I know many of you don’t want to move your mail to a new client, but sometimes it’s easier and cheaper in the long run. For example, Thunderbird has an amazing ability to utilize new security protocols without putting up much of a fight.

Download and install Mozilla Thunderbird.

Keep it Secure

Keeping your systems and security software up to date provides safety. As much of a pain as it can be, it’s far better than the alternative. Don’t underestimate the value of spending some money to keep your computer optimized.

In many instances, updating OS X is worth the investment for peace of mind and a stress-free operating experience.

Author: Kaumil Patel

Kaumil Patel is the Chief Operating Officer of GreenGeeks and has over 13 years of experience in the web hosting industry working for and owning web hosting companies. Kaumil’s expertise is in marketing, business development, operations, acquisitions and mergers.
