Receiver
Version
Windows
4.2.1000
Mac
12.0
Linux
13.2
Android
3.7
iOS
7.0
Chrome/HTML5
Latest (Browser must support TLS 1.2)
Citrix recommends upgrading to Citrix Workspace app if your version of Receiver is earlier than those listed above. Download here: https://www.citrix.com/products/receiver.html
Thin Clients with Earlier Receiver Versions
If you are using Thin Clients with earlier versions of Citrix Receiver that cannot be updated, install an on-prem StoreFront in your resource location and have all of the Citrix Receivers point to it.
Retrieving a list of users connecting on older Receiver versions
To retrieve a list of Receivers connecting to your Citrix Cloud environment, log into Citrix Cloud and click the Manage button for the Virtual Apps and Desktops service. The details include user, version, connection date, and endpoint device name.
Virtual Apps and Desktops (Full Edition)
Click Monitor > Trends > Custom Reports > Create Reports.
Select OData Query, provide a report name, and copy/paste the following query (change date range as needed).
Click Save, and then Execute to open the list in Excel.
Sessions?$filter = StartDate ge datetime'2019-02-01’ and StartDate le datetime'2019-03-31'&$select = CurrentConnection/ClientVersion,CurrentConnection/ClientName,User/UserName,StartDate&$expand = CurrentConnection,User
Click Monitor, and then select a catalog.
Click Export to open the list in Excel.
Citrix Cloud Management
To ensure successful connection to the Citrix Cloud management console (citrix.cloud.com), your browser must support TLS 1.2 (latest version of most web browsers).
Citrix Director
TLS 1.2 connection will be required when using OData APIs. To enforce use of TLS 1.2 on the client machine for clients such as MS Excel, PowerShell, LinqPad, refer to the following KB article: https://support.citrix.com/article/CTX245765
Citrix Cloud Connector
All connections to Citrix Cloud services from Citrix Cloud Connectors will require TLS 1.2. Citrix Provisioning and Machine Creation Services will allow TLS 1.0, 1.1, and TLS 1.2 connections by default (no action required) until later this year when it will change to TLS 1.2 only.
Note: If your security policy requires strict enforcement of TLS 1.2 connections, the following registry setting changes are required on each Citrix Cloud Connector.
.NET
Citrix Receiver For Mac Latest Version
SCHANNEL
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Client]
'DisabledByDefault'=dword:00000001
'Enabled'=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Server]
'Enabled'=dword:00000000
'DisabledByDefault'=dword:00000001
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0Client]
'Enabled'=dword:00000000
'DisabledByDefault'=dword:00000001
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0Server]
'Enabled'=dword:00000000
'DisabledByDefault'=dword:00000001
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0Client]
'DisabledByDefault'=dword:00000001
'Enabled'=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0Server]
'DisabledByDefault'=dword:00000001
'Enabled'=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1Client]
'DisabledByDefault'=dword:00000001
'Enabled'=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1Server]
'DisabledByDefault'=dword:00000001
'Enabled'=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Client]
'Enabled'=dword:00000001
'DisabledByDefault'=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Server]
'Enabled'=dword:00000001
'DisabledByDefault'=dword:00000000
For more details, refer to the Microsoft article “Transport Layer Security (TLS) best practices with the .NET Framework”, section “SystemDefaultTlsVersions” https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#systemdefaulttlsversion
Troubleshooting
Since Citrix Cloud supports only TLS 1.2 and above, all clients accessing any data from Citrix Services with TLS versions 1.0 and 1.1 will see one of the following errors:
Director
Error:
System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
Refer to the following article to configure clients for TLS 1.2 communication:
https://support.citrix.com/article/CTX245765
Receiver
Error:
'Unable to launch your app....Cannot connect to the Citrix XenApp server. SSL Error 4... The server rejected the connection.'
Refer to Upgrading to latest Receiver or Citrix Workspace app above.
Connector
Citrix Receiver For Mac Latest Version
If your Citrix Cloud Connector machine is not able to establish a connection with Citrix Cloud after Mar 15, 2019, check the following registry key to ensure TLS 1.2 is not disabled:
HKLM SYSTEMCurrentControlSetControlSecurityProvidersSCHANNEL
More details:
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
https://docs.microsoft.com/en-us/windows/desktop/secauthn/protocols-in-tls-ssl--schannel-ssp-
Note: Internet Explorer group policy settings also control the values found in SCHANNEL registry key; Internet Explorer > Internet Properties can be used to check enabled/disabled protocols.