Citrix Workspace app for Windows
b) From the Security Compliance Mode menu, select the appropriate option:
i. None - No compliance mode is enforced.
ii. SP800-52 – Select SP800-52 for compliance with NIST SP 800-52. Select this option
only if the servers or gateway complies with NIST SP 800-52 recommendations.
Note:
If you select SP800-52, FIPS Approved cryptography is automatically used, even if
Enable FIPS is not selected. You must also enable the Windows security option, System
Cryptography: Use FIPS-compliant algorithms for encryption, hashing, and
signing. Otherwise, Citrix Workspace app might fail to connect to the published
applications and desktops.
If you select SP800-52, set the Certificate Revocation Check Policy setting to Full access
check and CRL required.
When you select SP800-52, Citrix Workspace app verifies that the server certificate
complies with the recommendations in NIST SP 800-52. If the server certificate does not
comply, Citrix Workspace app might fail to connect.
iii. Enable FIPS – Select this option to enforce the use of FIPS approved cryptography.
You must also enable the Windows security option from the operating system group
policy, System Cryptography: Use FIPS-compliant algorithms for encryption,
hashing, and signing. Otherwise, Citrix Workspace app might fail to connect to
published applications and desktops.
c) From the Allowed TLS servers drop-down menu, select the port number. Use a comma-
separated list to ensure that Workspace app connects only to a specified server. You can
specify wildcards and port numbers. For example, *.citrix.com: 4433 allows connections
to any server whose common name ends with .citrix.com on port 4433. The issuer of
the certificate asserts the accuracy of the information in a security certificate. If Citrix
Workspace does not recognize or trust the issuer, the connection is rejected.
d) From the TLS version menu, select one of the following options:
• TLS 1.0, TLS 1.1, or TLS 1.2 - This is the default setting. This option is recommended only
if there is a business requirement for TLS 1.0 for compatibility.
• TLS 1.1 or TLS 1.2 – Use this option to ensure that the connections use either TLS 1.1 or TLS
1.2.
• TLS 1.2 - This option is recommended if TLS 1.2 is a business requirement.
e) TLS cipher set - To enforce use of a specific TLS cipher set, select either Government (GOV),
Commercial (COM), or All (ALL). In certain cases of Citrix Gateway configurations, you might
need to select COM. Citrix Workspace app supports RSA keys of 1024, 2048, and 3072-bit
lengths. Root certificates with RSA keys of 4096-bit length are also supported.
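The Allowed TLS servers rule from step c, modelled in Python as an added example (not Citrix code and not part of the original document). The function names, the sample policy value, the rejection of a bare * entry, and the treatment of an entry without a port as matching any port are assumptions.

```python
# Added example: a model of the "Allowed TLS servers" matching rule.
# Assumptions (not from Citrix): entry syntax checks, bare "*" is rejected,
# and an entry with no port matches any port. IPv6 literals are not handled.

POLICY = "*.citrix.com: 4433, gateway.example.net"  # constructed sample value

def parse_allowed(policy):
    """Split the comma-separated policy value into (pattern, port) pairs."""
    entries = []
    for raw in policy.split(","):
        item = raw.strip().lower()
        if not item:
            continue
        host, sep, port = item.rpartition(":")
        if not sep:                      # no colon, so no port was given
            host, port = item, ""
        host, port = host.strip(), port.strip()
        if port and not (port.isdigit() and 0 < int(port) < 65536):
            raise ValueError(f"bad port in entry {raw!r}")
        # A wildcard is accepted only as a leading "*." label.
        if (not host or "*" in host[1:]
                or (host.startswith("*") and not host.startswith("*."))):
            raise ValueError(f"bad host pattern in entry {raw!r}")
        entries.append((host, int(port) if port else None))
    return entries

def is_allowed(common_name, port, entries):
    """True if the certificate common name and port match any entry."""
    cn = common_name.strip().lower().rstrip(".")
    for pattern, allowed_port in entries:
        if allowed_port is not None and allowed_port != port:
            continue
        if pattern.startswith("*."):
            suffix = pattern[1:]         # ".citrix.com", leading dot kept
            # "ends with .citrix.com": the dot stops look-alike names such
            # as evilcitrix.com from matching, and the bare apex is excluded.
            if cn.endswith(suffix) and len(cn) > len(suffix):
                return True
        elif cn == pattern:
            return True
    return False

if __name__ == "__main__":
    rules = parse_allowed(POLICY)
    for name, p in [("vda1.citrix.com", 4433), ("vda1.citrix.com", 443),
                    ("evilcitrix.com", 4433), ("gateway.example.net", 443)]:
        print(name, p, is_allowed(name, p, rules))
```

Matching a name against this list is only the first gate; as step c states, the connection is still rejected if the certificate issuer is not recognized or trusted.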
© 1999-2021 Citrix Systems, Inc. All rights reserved.