Securing On-Premises Monitor OData API Access

IMPORTANT: This section is NOT applicable for cloud customers.

If you choose to use TLS, you must configure TLS on all Delivery Controllers in the Site; you cannot use a mixture of TLS and non-TLS. To improve the security of the Citrix Virtual Apps and Desktops, Citrix will block any communication over Transport Layer Security (TLS) 1.0 and 1.1 as of March 15, 2019, allowing only TLS 1.2 communications.

To enforce the use of TLS 1.2, update the registry as described in the Knowledge Center article CTX245765.

To secure Monitor Service endpoints using TLS, you must perform the following configuration. Some steps need to be done only once per Site, others must be run from every machine hosting the Monitor Service in the Site. The steps are described below.

Part 1: Certificate registration with the system

  1. Create a certificate using a trusted certificate manager. The certificate must be associated with the port on the machine that you wish to use for OData TLS.
  2. Configure the Monitor Service to use this port for TLS communication. The exact steps depend on your environment and on how certificates are managed in it. The following example shows how to configure port 443:
  3. Associate the certificate with a port:

netsh http add sslcert ipport=0.0.0.0:443 certhash=97bb629e50d556c80528f4991721ad4f28fb74e9
appid='{00000000-0000-0000-0000-000000000000}'

Tip: In a PowerShell command window, ensure you put single quotes around the GUID in the appID, as shown above, or the command will not work. Note that a line break has been added to this example for readability only.

Part 2.1: Modify the Monitor Service configuration settings (applicable for OData V1 to V3 only)

  1. From any Delivery Controller in the Site, run the following PowerShell commands once. This removes the Monitor Service registration with the Configuration Service.

     asnp citrix.*
     $serviceGroup = get-configregisteredserviceinstance -servicetype Monitor | Select -First 1 ServiceGroupUid
     remove-configserviceGroup -ServiceGroupUid $serviceGroup.ServiceGroupUid

  2. Do the following on all Controllers in the Site:

    • Using a cmd prompt, locate the installed Citrix Monitor directory (typically C:\Program Files\Citrix\Monitor\Service). Within that directory run:

      Citrix.Monitor.Exe -CONFIGUREFIREWALL -ODataPort 443 -RequireODataSsl

    • Run the following PowerShell commands:

      asnp citrix.*   (if not already run within this window)
      get-MonitorServiceInstance | register-ConfigServiceInstance
      Get-ConfigRegisteredServiceInstance -ServiceType Config | Reset-MonitorServiceGroupMembership

Part 2.2: Modify the Monitor Service configuration settings (applicable for OData V4 only)

  1. Open the Citrix.Monitor.exe.Config file and modify the element given below (change http to https):

     <add key="owin:baseAddress" value="https://localhost/citrix/monitor/odata/v4" />

  2. From any Delivery Controller in the Site, run the following PowerShell commands once. This removes the Monitor Service registration with the Configuration Service.

     asnp citrix.*
     $serviceGroup = get-configregisteredserviceinstance -servicetype Monitor | Select -First 1 ServiceGroupUid
     remove-configserviceGroup -ServiceGroupUid $serviceGroup.ServiceGroupUid

  3. Do the following on all Controllers in the Site:
    • Using a cmd prompt, locate the installed Citrix Monitor directory (typically C:\Program Files\Citrix\Monitor\Service). Within that directory run:

      Citrix.Monitor.Exe -ConfigureFirewall -ODataPort 443 -RequireODataTls -ODataSdkPort 443 -RequireODataSdkTls

    • Run the following PowerShell commands:

      asnp citrix.*   (if not already run within this window)
      get-MonitorServiceInstance | register-ConfigServiceInstance
      Get-ConfigRegisteredServiceInstance -ServiceType Config | Reset-MonitorServiceGroupMembership
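After completing Part 1 and Part 2 on a Controller, the following script checks the result: the certificate binding on the port, the https base address in the V4 config file, the registered Monitor instance addresses, and that only TLS 1.2 is negotiable (TLS 1.0 and 1.1 blocked, as required above). It is an added verification example, not Citrix code or part of the documented procedure. It assumes port 443, the default install path, the `appSettings` section holding the `owin:baseAddress` key, and an `Address` property on the objects returned by `Get-ConfigRegisteredServiceInstance`.

```powershell
# Added post-configuration check (not from the Citrix article). Assumptions:
# port 443, default Monitor install path, owin:baseAddress under <appSettings>,
# and an Address property on Get-ConfigRegisteredServiceInstance output.
param(
    [int]    $Port       = 443,
    [string] $ConfigPath = 'C:\Program Files\Citrix\Monitor\Service\Citrix.Monitor.exe.config'
)
$failures = @()

# 1. A certificate must be bound to the port (Part 1).
$binding = netsh http show sslcert ipport="0.0.0.0:$Port"
if (-not ($binding -match 'Certificate Hash')) {
    $failures += "No TLS certificate bound to 0.0.0.0:$Port"
}

# 2. For OData V4 the OWIN base address must be https (Part 2.2, step 1).
if (Test-Path $ConfigPath) {
    [xml]$cfg = Get-Content $ConfigPath
    $base = ($cfg.configuration.appSettings.add | Where-Object key -eq 'owin:baseAddress').value
    if ($base -and $base -notlike 'https://*') { $failures += "owin:baseAddress is not https: $base" }
}

# 3. Re-registered Monitor instances should advertise https addresses (Part 2, last step).
asnp citrix.* -ErrorAction SilentlyContinue
Get-ConfigRegisteredServiceInstance -ServiceType Monitor |
    Where-Object { $_.Address -notlike 'https://*' } |
    ForEach-Object { $failures += "Monitor instance still registered over http: $($_.Address)" }

# 4. Only TLS 1.2 should be negotiable on the port (CTX245765 registry change applied).
function Test-TlsHandshake([string]$Target, [int]$Port, [System.Security.Authentication.SslProtocols]$Proto) {
    $tcp = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    # Trust callback accepts any chain here: this test is about the protocol, the cert is checked in step 1.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try   { $ssl.AuthenticateAsClient($Target, $null, $Proto, $false); return $true }
    catch { return $false }
    finally { $ssl.Dispose(); $tcp.Close() }
}
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if (-not (Test-TlsHandshake $fqdn $Port 'Tls12')) { $failures += "TLS 1.2 handshake to $fqdn failed" }
foreach ($old in 'Tls', 'Tls11') {
    if (Test-TlsHandshake $fqdn $Port $old) { $failures += "$old is still accepted on port $Port" }
}

if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "Monitor OData TLS configuration checks passed on port $Port"
```

Run it in an elevated PowerShell window on each Controller after the restart of the Monitor Service; a non-zero exit code lists every check that failed.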
Resources
Citrix Monitor Service API OpenAPI Specification