From what I can find, SSL v3 support is already there in just about every recent Citrix product.

http://support.citrix.com/proddocs/topic/xenapp65-sec/ps-sec-tls-ssl-protocols-xa6.html
http://support.citrix.com/proddocs/topic/xenapp65-sec/ps-sec-considerations-xa-deployment-xa6.html

When you publish a resource, on the Client Options screen, you can "Enable SSL and TLS". This will use SSL v3 OR TLS 1.0. Both will use the same server certificate.

Citrix Secure Gateway also allows the use of TLS v1 or SSL v3 and TLS v1.

I am surprised that security audits for a Citrix XenApp environment never catch that SSLRelay is not in use to secure traffic between the various servers.

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: Carl Webster <[email protected]>
Reply-To: NT Issues <[email protected]>
Date: Tue, 10 Jan 2012 17:38:12 +0000
To: NT Issues <[email protected]>
Subject: Re: IIS 6.0 Security

I am checking. Please hold for the next available Citrix support person.

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: Michael Smith <[email protected]>
Reply-To: NT Issues <[email protected]>
Date: Tue, 10 Jan 2012 16:49:40 +0000
To: NT Issues <[email protected]>
Subject: RE: IIS 6.0 Security

Just gotta know the right search string.

http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx
http://geekswithblogs.net/dchristiansen/archive/2009/03/24/pcidss-disablessl2andweakciphersoniis6.aspx

Now: Citrix/XenApp support for SSL 3.0 – I don’t know anything about that. Carl Webster needs to speak to that! :)

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Richard McClary [mailto:[email protected]]
Sent: Tuesday, January 10, 2012 10:06 AM
To: NT System Admin Issues
Subject: IIS 6.0 Security

Hopefully, the subject line is not a complete oxymoron…

Yes, I am continuing to search Google as well as the MS TechNet pages (that Google returns) concerning IIS 6.0.

We failed a PCI compliance audit on our Citrix server (Presentation Server 4.5, and yes, a new Citrix system is in the works, but this one needs to pass a scan test.) The system does have a VeriSign SSL certificate.

--
Here are the issues found by the scan:

Disable TLS Renegotiation
Fix Microsoft IIS Content Location Internal IP Address Leak (Note – the server is accessed via web through a MIP’s IP address)
Upgrade to the latest version of OpenSSL
Disable SSL support for weak ciphers
Disable SSL v2 protocol support
--

Anyway, we need assistance in dealing with those security issues without hosing the Citrix services (which our clients are paying for).

Thank you; back to Google and Technet…

- richard

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
