- MetaFrame 1.8 Service Pack 2 and Feature Release 1: Frequently Asked Questions (FAQ), Part 1
Should I Be Utilizing the Strong ICA Encryption Feature of FR1?
The simple answer to this question is a definite "yes." If you are already planning to implement FR1 in your environment, then regardless of whether you are providing MetaFrame access via the Internet or from within your corporate intranet, you should be looking to implement strong ICA encryption.
If you are not implementing FR1, then you should take a serious look at your existing MetaFrame access and decide whether the Basic encryption included with MetaFrame is sufficient for your environment. Although it's better than no encryption at all, Citrix openly states that Basic encryption in no way should be considered secure. If you are providing access via the Internet with only Basic ICA encryption, then you are leaving yourself vulnerable to an attacker sniffing ICA session passwords off the network. Earlier this year, it was announced that the Basic encryption scheme for ICA had been cracked. You can find the full contents of the article describing this by performing a search for "ICA" on the site http://www.securiteam.com/.
To utilize strong encryption, you will need to have either FR1 or SecureICA installed on each MetaFrame server that will be providing secure connections. The users will also have to be running an ICA client that supports strong encryption. I will look at the currently supported clients shortly. The overhead introduced by the strong encryption is minimal and typically will not cause any perceivable performance degradation. Strong encryption is activated simply by setting the desired encryption level for the ICA connections, as shown in Figure 7. Clients will be capable of connecting only if they support the same encryption level.
Figure 7. Setting the encryption level for ICA connections in Terminal Services Configuration.
Although it is not mandatory that you modify this setting, because users can use encryption simply by specifying it on the client side, the only way to ensure that encryption is being enforced is to configure it for all ICA connections.
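Because enforcing a level on the server locks out clients configured for a weaker one, it helps to audit client connection files before changing the server setting. The following Python is an added example, not code from this FAQ or from Citrix; it assumes the `EncryptionLevelSession` key and `EncRC5-*` values of the ICA file format, treats a missing key as Basic, and runs against a constructed sample file.

```python
import configparser

# Levels as written in ICA files, weakest to strongest (names assumed from the
# ICA file format, not from the article). EncRC5-0 protects only the logon.
LEVELS = ["Basic", "EncRC5-0", "EncRC5-40", "EncRC5-56", "EncRC5-128"]

# Constructed sample ICA file; addresses and names are illustrative only.
SAMPLE_ICA = """\
[ApplicationServers]
Payroll=
Intranet Desktop=
Legacy App=

[Payroll]
Address=10.0.0.5
EncryptionLevelSession=EncRC5-128

[Intranet Desktop]
Address=10.0.0.6
encryptionlevelsession=Basic

[Legacy App]
Address=10.0.0.7
"""

def audit_ica(text, required="EncRC5-128"):
    """Return [(connection, level)] for entries below the required level."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep connection names exactly as written
    cp.read_string(text)
    if not cp.has_section("ApplicationServers"):
        return []
    floor = LEVELS.index(required)
    findings = []
    for name in cp["ApplicationServers"]:
        # Key names are matched case-insensitively within the section.
        keys = {k.lower(): v.strip() for k, v in cp[name].items()} if cp.has_section(name) else {}
        # Assumption: a connection with no explicit level is treated as Basic.
        level = keys.get("encryptionlevelsession", "Basic")
        rank = LEVELS.index(level) if level in LEVELS else -1  # unknown value: flag it
        if rank < floor:
            findings.append((name, level))
    return findings

if __name__ == "__main__":
    for name, level in audit_ica(SAMPLE_ICA):
        print(f"{name}: requests {level}, below required level")
```

Connections reported here would either be refused once the server-side level is raised or, if the server setting is left unchanged, continue to run at the weaker level.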
The most current list of ICA clients that support strong encryption can be found in the Citrix download section, at http://download.citrix.com/.