How to encrypt XML Traffic on a Custom Port

Network encryption is a security best practice: it protects the privacy and confidentiality of network
traffic as it travels from source to destination.

In a XenApp or XenDesktop deployment, the services exposed to the end user are mostly encrypted already
(e.g. external traffic to NetScaler Gateway and internal traffic to the StoreFront server),
but it is recommended to protect the traffic between the other Citrix components as well.
This article describes how to enable SSL on XenApp & XenDesktop 7 controllers to secure the XML traffic
from the StoreFront server to the XenApp or XenDesktop controller.
Additionally, since some of our customers are not allowed to run services on standard ports,
we also explain how to change the standard port of the encrypted XML service.

In this scenario, the XenDesktop controller also hosts Citrix Desktop Director,
so IIS is installed on the controller.

Install an SSL certificate on the controller

First things first. Since we are going to encrypt traffic, it will come as no surprise that we need an SSL certificate.

This certificate can be issued by an internal certificate authority; in most cases this will be a Microsoft CA.
You don't have an internal CA?
No worries, we can also provide other methods to issue internal certificates.

Next, the issued certificate is installed in IIS and we create an SSL binding
for the default website on port 443.

Important remark: the certificate must include its private key!

Let's test whether the certificate is installed correctly by browsing to https://srv-xa.labo.tst or https://srv-xa.labo.tst/director.
Since Desktop Director is also installed on the controller, the traffic to that website is now encrypted with the certificate as well!

Your browser will tell you whether the certificate is correctly installed:

Or not:

In the second case the certificate is correctly installed, but it was issued for srv-xa.labo.tst and not for 'localhost', so browsing by the wrong name produces a name-mismatch warning.

Change the XML service SSL port

By default, the SSL port of the XML service (the "WI SSL Port") is 443. This can be checked with the following command:

Important remark: always execute commands from an elevated command prompt!

We change the default XML SSL port with the BrokerService.exe command-line executable. The following screenshot shows that the WI SSL Port is now 7443.

Mission accomplished? Not completely... If you change the XML service SSL port number, update the IIS HTTPS binding to the same port number as well, otherwise nothing is listening on the new port.
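The steps above (pick a certificate with a private key, bind it in IIS on the custom port, move the XML service to that port, and verify the result from the outside) as one added PowerShell example. This is not code from the original article or from Citrix; it assumes an elevated session on the controller, the IIS WebAdministration module, the hostname srv-xa.labo.tst and port 7443 used in the article, an assumed BrokerService.exe install path, and the BrokerService.exe -WiSslPort and -Show switches as documented for XenApp/XenDesktop 7 controllers (check them against your version). The final checks reproduce the name-mismatch observation from the browser test: the same certificate validates when connecting by FQDN and fails when connecting as 'localhost'.

```powershell
# Added example, not part of the original article. Run from an elevated PowerShell prompt.
Import-Module WebAdministration

$fqdn    = 'srv-xa.labo.tst'                      # hostname from the article
$sslPort = 7443                                   # custom XML SSL port from the article
$site    = 'Default Web Site'
$broker  = "$env:ProgramFiles\Citrix\Broker\Service\BrokerService.exe"   # assumed install path

# 1. Select a certificate for the FQDN that has a private key and is not expired.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match "CN=$fqdn" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $fqdn found in LocalMachine\My" }

# 2. Create (or reuse) the HTTPS binding on the custom port and attach the certificate to it.
$binding = Get-WebBinding -Name $site -Protocol https -Port $sslPort
if (-not $binding) {
    New-WebBinding -Name $site -Protocol https -Port $sslPort -IPAddress '*'
    $binding = Get-WebBinding -Name $site -Protocol https -Port $sslPort
}
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. Move the XML service to the same port, then display the resulting port configuration.
& $broker -WiSslPort $sslPort
& $broker -Show

# 4. Verify from the client side: perform a TLS handshake on the new port and record
#    the certificate validation result instead of trusting the browser screenshot.
function Test-XmlSslEndpoint {
    param([string]$HostName, [int]$Port)
    $script:policyErrors = $null
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback only records the validation outcome; it does not weaken anything permanently.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
            { param($sender, $certificate, $chain, $errors) $script:policyErrors = $errors; $true })
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host         = $HostName
            Port         = $Port
            Protocol     = $ssl.SslProtocol
            Subject      = $remote.Subject
            Expires      = $remote.NotAfter
            PolicyErrors = $script:policyErrors      # 'None' means the name and chain check passed
        }
    } finally { $client.Close() }
}

# Connecting by FQDN should report PolicyErrors = None; connecting as 'localhost' reports
# RemoteCertificateNameMismatch, which is exactly the browser warning from the earlier test.
Test-XmlSslEndpoint -HostName $fqdn      -Port $sslPort
Test-XmlSslEndpoint -HostName 'localhost' -Port $sslPort
```

Because StoreFront validates the controller certificate the same way the handshake check does, the controller address configured in StoreFront must be the FQDN on the certificate, never 'localhost' or an IP address.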

Configure StoreFront

In the Citrix StoreFront management console, change the transport type of the controller to HTTPS and update the SSL port number to the new port.

Important remark: if you are using multiple StoreFront servers in a server group, don't forget to replicate the changes to the other servers.

Desktop Director

After making these changes, we try to log in to Desktop Director. After entering the credentials, Desktop Director becomes unresponsive.

This behaviour is caused by the multiple-site-bindings issue in IIS, which is described in a Citrix support article. After changing the required config file, you will be able to use Desktop Director again.
