XenApp and XenDesktop

USB and client drive considerations

HDX technology provides optimized support for most popular USB devices. This includes:

  • Monitors
  • Mice
  • Keyboards
  • VoIP phones
  • Headsets
  • Webcams
  • Scanners
  • Cameras
  • Printers
  • Drives
  • Smart card readers
  • Drawing tablets
  • Signature pads

Optimized support offers an improved user experience with better performance and bandwidth efficiency over a WAN. Optimized support is usually the best option, especially in high latency or security-sensitive environments.

HDX technology provides generic USB redirection for specialty devices that don’t have optimized support or where it is unsuitable, for example:

  • The USB device has additional advanced features that are not part of optimized support, such as a mouse or webcam with additional buttons.
  • Users need functions which are not part of optimized support, such as burning a CD.
  • The USB device is a specialized device, such as test and measurement equipment or an industrial controller.
  • An application requires direct access to the device as a USB device.
  • The USB device only has a Windows driver available. For example, a smart card reader may not have a driver available for Citrix Receiver for Android.
  • The version of Citrix Receiver does not provide optimized support for this type of USB device.

With generic USB redirection:

  • Users do not need to install device drivers on the user device.
  • USB client drivers are installed on the VDA machine.

Note

  • Generic USB redirection can be used together with optimized support. If you enable generic USB redirection, configure Citrix USB devices policy settings for both generic USB redirection and optimized support to avoid inconsistent and unexpected behavior.
  • The Citrix policy setting Client USB device optimization rules is a specific setting for generic USB redirection, for a particular type of USB device. It is not the optimized support described here.
  • Client USB plug and play device redirection is a related feature that provides optimized support for devices such as cameras and media players that use the Picture Transfer Protocol (PTP) or Media Transfer Protocol (MTP). Client USB plug and play redirection is not part of generic USB redirection. For the list of supported VDA versions, see Default policy settings.

Performance considerations for USB devices

With generic USB redirection, for some types of USB devices, network latency and bandwidth can affect user experience and USB device operation. For example, timing-sensitive devices may not operate correctly over high-latency low-bandwidth links. Use optimized support instead where possible.

Some USB devices require high bandwidth to be usable, for example a 3D mouse (used with 3D apps that also typically require high bandwidth). You can avoid performance problems using Citrix policies. For more information, see Bandwidth policy settings for Client USB device redirection, and Multi-stream connection policy settings.

Security considerations for USB devices

Some USB devices are security-sensitive by nature, for example, smart card readers, fingerprint readers, and signature pads. Other USB devices such as USB storage devices can be used to transmit data that may be sensitive.

USB devices are often used to distribute malware. Configuration of Citrix Receiver, XenApp and XenDesktop can reduce, but not eliminate, risk from these USB devices. This applies whether generic USB redirection or optimized support is used.

Important

For security-sensitive devices and data, always secure the HDX connection using either TLS or IPSec.

Only enable support for the USB devices that you need. Configure both generic USB redirection and optimized support to meet this need.

Provide guidance to users on the safe use of USB devices: use only USB devices obtained from a trustworthy source; do not leave USB devices unattended in open environments (for example, a flash drive in an Internet cafe); and explain the risks of using a USB device on more than one computer.

Compatibility with generic USB redirection

Generic USB redirection is supported for USB 2.0 and earlier devices. Generic USB redirection is also supported for USB 3.0 devices connected to a USB 2.0 or USB 3.0 port. Generic USB redirection does not support USB features introduced in USB 3.0, such as super speed.

These Citrix Receivers support generic USB redirection:

For Citrix Receiver versions, see the Citrix Receiver feature matrix.

If you are using earlier versions of Citrix Receiver, refer to Citrix Receiver documentation to confirm that generic USB redirection is supported. Refer to Citrix Receiver documentation for any restrictions on USB device types that are supported.

Generic USB redirection is supported for desktop sessions from VDA for Desktop OS version 7.6 through current.

Generic USB redirection is supported for desktop sessions from VDA for Server OS version 7.6 through current, with these restrictions:

  • The VDA must be running Windows Server 2012 R2 or Windows Server 2016.
  • The USB device drivers must be fully compatible with Remote Desktop Session Host (RDSH) for Windows 2012 R2, including full virtualization support.

Some types of USB devices are not supported for generic USB redirection because it would not be useful to redirect them:

  • USB modems.
  • USB network adapters.
  • USB hubs. The USB devices connected to USB hubs are handled individually.
  • USB virtual COM ports. Use COM port redirection rather than generic USB Redirection.

For information on USB devices that have been tested with generic USB redirection, see CTX123569. Some USB devices do not operate correctly with generic USB redirection.

Configure generic USB redirection

You can control which types of USB devices use generic USB redirection. This is separately configurable:

  • On the VDA, using Citrix policy settings. For more information, see Redirection of client drives and user devices and USB devices policy settings in the Policy settings reference.
  • In Citrix Receiver, using Citrix Receiver-dependent mechanisms. For example, Citrix Receiver for Windows is configured with registry settings that can be controlled by an Administrative Template. By default, USB redirection is allowed for certain classes of USB devices and denied for others; for details, see Configuring USB support in the Citrix Receiver for Windows documentation.

This separate configuration provides flexibility. For example:

  • If two different organizations or departments are responsible for Citrix Receiver and VDA they can enforce control separately. This would apply when a user in one organization accesses an application in another organization.
  • If USB devices should be allowed only for certain users or for users only connecting over LAN (rather than with NetScaler Gateway), this can be controlled with Citrix policy settings.

Enable generic USB redirection

To enable generic USB Redirection, configure both Citrix policy settings and Citrix Receiver.

In Citrix policy settings:

  1. Add the Client USB device redirection to a policy and set its value to Allowed.


  2. (Optional) To update the list of USB devices available for redirection, add the Client USB device redirection rules setting to a policy and specify the USB policy rules.

In Citrix Receiver:

  3. Enable USB support when you install Citrix Receiver on user devices. You can do this using an Administrative template or in Citrix Receiver for Windows > Preferences > Connections.


If you specified USB policy rules for the VDA in the previous step, specify those same policy rules for Citrix Receiver.

For thin clients, consult the manufacturer for details of USB support and any required configuration.

Configuring the types of USB devices available for generic USB redirection

USB devices are automatically redirected when USB support is enabled and the USB user preference settings are set to automatically connect USB devices. USB devices are also automatically redirected when operating in Desktop Appliance mode and the connection bar is not present.

Users can explicitly redirect devices that are not automatically redirected by selecting the devices from the USB device list. Users can get more help on how to do this in the Citrix Receiver for Windows user help article, Display your devices in the Desktop Viewer.


To use generic USB redirection rather than optimized support, you can either:

  • Manually: in Citrix Receiver, select the USB device to use with generic USB redirection and choose Switch to generic from the Devices tab of the Preferences dialog box.
  • Automatically: configure auto-redirection for the USB device type (for example, AutoRedirectStorage=1) and set the USB user preference settings to automatically connect USB devices. For more information, see CTX123015.

Note:

Only configure generic USB redirection for use with a webcam if the webcam is found to be incompatible with HDX multimedia redirection.

To prevent USB devices from ever being listed or redirected, you can specify device rules for Citrix Receiver and the VDA.

For generic USB redirection, you will need to know at least the USB device class and subclass. Not all USB devices use their obvious USB device class and subclass. For example:

  • Pens use the mouse device class.
  • Smart card readers may use the vendor-defined or HID device class.

For more precise control, you will also need to know the Vendor ID, Product ID, and Release ID. You can get this information from the device vendor.

Important

Malicious USB devices may present USB device characteristics that do not match their intended usage. Device rules are not intended to prevent this behavior.

You control the USB devices available for generic USB redirection by specifying USB device redirection rules for both VDA and Citrix Receiver, to override the default USB policy rules.

For the VDA:

  • Edit the administrator override rules for the Server OS machines through group policy rules. The Group Policy Management Console is included on the installation media:
    • For x64: dvd root \os\lang\x64\Citrix Policy\ CitrixGroupPolicyManagement_x64.msi
    • For x86: dvd root \os\lang\x86\Citrix Policy\ CitrixGroupPolicyManagement_x86.msi

At Citrix Receiver for Windows:

  • Edit the user device registry. An Administrative template (ADM file) is included on the installation media so you can change the user device through Active Directory Group Policy: dvd root \os\lang\Support\Configuration\icaclient_usb.adm

Warning

Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

The product default rules are stored in HKLM\SOFTWARE\Citrix\PortICA\GenericUSB\DeviceRules. Do not edit these product default rules. Instead, use them as a guide for creating administrator override rules as explained below. The GPO overrides are evaluated before the product default rules.

The administrator override rules are stored in HKLM\SOFTWARE\Policies\Citrix\PortICA\GenericUSB\DeviceRules. GPO policy rules take the format {Allow:|Deny:} followed by a set of tag=value expressions separated by white space.

The following tags are supported:

Tag      | Description
---------|------------
VID      | Vendor ID from the device descriptor
PID      | Product ID from the device descriptor
REL      | Release ID from the device descriptor
Class    | Class from either the device descriptor or an interface descriptor; see the USB web site at https://www.usb.org/ for available USB class codes
SubClass | Subclass from either the device descriptor or an interface descriptor
Prot     | Protocol from either the device descriptor or an interface descriptor

When creating new policy rules, note the following:

  • Rules are case-insensitive.
  • Rules may have an optional comment at the end, introduced by #. A delimiter is not required, and the comment is ignored for matching purposes.
  • Blank and pure comment lines are ignored.
  • White space is used as a separator, but cannot appear in the middle of a number or identifier. For example, Deny: Class = 08 SubClass=05 is a valid rule, but Deny: Class=0 Sub Class=05 is not.
  • Tags must use the matching operator =. For example, VID=1230.
  • Each rule must start on a new line or form part of a semicolon-separated list.

Note

If you are using the ADM template file, you must create rules on a single line, as a semicolon-separated list.

Examples:

  • The following example shows an administrator-defined USB policy rule for vendor and product identifiers:

      Allow: VID=046D PID=C626 # Allow Logitech SpaceNavigator 3D Mouse
      Deny: VID=046D # Deny all Logitech products

  • The following example shows an administrator-defined USB policy rule for a defined class, subclass, and protocol:

      Deny: Class=EF SubClass=01 Prot=01 # Deny MS Active Sync devices
      Allow: Class=EF SubClass=01 # Allow Sync devices
      Allow: Class=EF # Allow all USB-Miscellaneous devices

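The rule syntax described above (Allow: or Deny: followed by tag=value expressions, case-insensitive, # comments, entries separated by new lines or semicolons, spaces tolerated around = but not inside a tag or number) can be checked with a small parser and evaluator. The following Python is an added example and is not Citrix code. It assumes that rules are evaluated in list order with the first match deciding, that administrator override rules are consulted before product default rules (as stated above), that a device matching no rule is denied, and that a # comment runs to the end of its semicolon-separated entry. The product default rule and the device descriptors it evaluates are constructed stand-ins, not values from this page.

```python
"""Parser and first-match evaluator for generic USB device redirection rules.

Added example, not Citrix code. Assumptions not stated on the page:
- rules are evaluated in list order and the first matching rule decides;
- a device that matches no override or default rule is denied;
- a '#' comment runs to the end of the current semicolon-separated entry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TAGS = {"vid", "pid", "rel", "class", "subclass", "prot"}
_TOKEN = re.compile(r"^([A-Za-z]+)=([0-9A-Fa-f]+)$")


@dataclass
class Rule:
    allow: bool
    match: Dict[str, int]   # lower-cased tag -> value parsed as hex
    comment: str = ""


@dataclass
class UsbDevice:
    """Only descriptor fields are matched; a device that reports false
    descriptors is matched on what it reports, which is why the page says
    device rules do not stop malicious devices."""
    vid: int
    pid: int
    rel: int
    # (class, subclass, protocol) of the device descriptor, then one triple
    # per interface descriptor.
    triples: List[Tuple[int, int, int]]


def parse_rules(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in text.splitlines():
        for entry in line.split(";"):              # newline or ';' ends a rule
            body, _, comment = entry.partition("#")
            body = body.strip()
            if not body:                           # blank or pure-comment entry
                continue
            head, _, rest = body.partition(":")
            action = head.strip().lower()
            if action not in ("allow", "deny"):
                raise ValueError(f"rule must start with Allow: or Deny: {entry!r}")
            # Spaces around '=' are tolerated (Class = 08); a space inside a
            # tag or number (Sub Class=05) leaves a stray token and is rejected.
            rest = re.sub(r"\s*=\s*", "=", rest)
            match: Dict[str, int] = {}
            for tok in rest.split():
                m = _TOKEN.match(tok)
                if not m or m.group(1).lower() not in TAGS:
                    raise ValueError(f"bad expression {tok!r} in {entry!r}")
                match[m.group(1).lower()] = int(m.group(2), 16)
            rules.append(Rule(action == "allow", match, comment.strip()))
    return rules


def rule_matches(rule: Rule, dev: UsbDevice) -> bool:
    m = rule.match
    for tag, value in (("vid", dev.vid), ("pid", dev.pid), ("rel", dev.rel)):
        if tag in m and m[tag] != value:
            return False
    keys = [k for k in ("class", "subclass", "prot") if k in m]
    if not keys:
        return True
    # Class/SubClass/Prot may come from the device descriptor or from any
    # interface descriptor, so one matching triple is enough.
    for cls, sub, prot in dev.triples:
        seen = {"class": cls, "subclass": sub, "prot": prot}
        if all(m[k] == seen[k] for k in keys):
            return True
    return False


def decide(dev: UsbDevice, overrides: List[Rule], defaults: List[Rule]) -> Tuple[bool, Optional[Rule]]:
    """First-match decision; override rules are consulted before product defaults."""
    for rule in overrides + defaults:
        if rule_matches(rule, dev):
            return rule.allow, rule
    return False, None                             # assumption: unmatched -> deny


# Administrator override rules: the two examples from the page, in one list.
OVERRIDES = parse_rules("""
Allow: VID=046D PID=C626 # Allow Logitech SpaceNavigator 3D Mouse
Deny: VID=046D # Deny all Logitech products
Deny: Class=EF SubClass=01 Prot=01 # Deny MS Active Sync devices
Allow: Class=EF SubClass=01 # Allow Sync devices
Allow: Class=EF # Allow all USB-Miscellaneous devices
""")
# Constructed stand-in for a product default rule (the real ones are not on the page).
DEFAULTS = parse_rules("Deny: Class=08 # constructed: mass storage")

# Constructed devices; VID/PID/REL values and descriptor triples are made up.
DEVICES = {
    "spacenav":   UsbDevice(0x046D, 0xC626, 0x0100, [(0, 0, 0), (3, 0, 0)]),
    "other_logi": UsbDevice(0x046D, 0xC52B, 0x0100, [(0, 0, 0), (3, 1, 2)]),
    "activesync": UsbDevice(0x045E, 0x1111, 0x0001, [(0xEF, 1, 1)]),
    "sync_other": UsbDevice(0x045E, 0x2222, 0x0001, [(0xEF, 1, 2)]),
    "misc":       UsbDevice(0x1234, 0x0001, 0x0001, [(0, 0, 0), (0xEF, 5, 7)]),
    "flash":      UsbDevice(0x0781, 0x5567, 0x0100, [(0, 0, 0), (8, 6, 0x50)]),
    "unknown":    UsbDevice(0x1111, 0x2222, 0x0001, [(0, 0, 0), (3, 0, 0)]),
}


def evaluate_all() -> Dict[str, bool]:
    """Map each constructed device name to its allow (True) / deny (False) decision."""
    return {name: decide(dev, OVERRIDES, DEFAULTS)[0] for name, dev in DEVICES.items()}


if __name__ == "__main__":
    for name, dev in DEVICES.items():
        allowed, rule = decide(dev, OVERRIDES, DEFAULTS)
        why = rule.comment if rule else "no rule matched"
        print(f"{name:<11} {'ALLOW' if allowed else 'DENY':5} ({why})")
```

Running the module prints one decision per constructed device; the SpaceNavigator is allowed by the specific Allow rule before the broader Deny for its vendor, the Active Sync device is denied by the most specific class rule, and the flash drive falls through all override rules to the constructed default. A device whose descriptors match nothing is denied only because of the assumption above; the actual product default rules under HKLM\SOFTWARE\Citrix\PortICA\GenericUSB\DeviceRules determine the real fallthrough behaviour.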
Use and remove USB devices

Users can connect a USB device before or after starting a virtual session.

When using Citrix Receiver for Windows, the following apply:

  • Devices connected after a session starts appear immediately in the USB menu of the Desktop Viewer.
  • If a USB device is not redirecting properly, you can try to resolve the problem by waiting to connect the device until after the virtual session starts.
  • To avoid data loss, use the Windows “Safely Remove Hardware” icon before removing the USB device.

Security controls for USB mass storage devices

Optimized support is provided for USB mass storage devices. This is part of XenApp and XenDesktop client drive mapping. Drives on the user device are automatically mapped to drive letters on the virtual desktop when users log on. The drives are displayed as shared folders with mapped drive letters. To configure client drive mapping, use the Client removable drives setting in the File Redirection policy settings section of the ICA policy settings.

With USB mass storage devices you can use either client drive mapping or generic USB redirection, or both, controlled by Citrix policies. The main differences are:

Feature                                | Client drive mapping                                          | Generic USB redirection
---------------------------------------|---------------------------------------------------------------|------------------------
Enabled by default                     | Yes                                                           | No
Read-only access configurable          | Yes                                                           | No
Encrypted device access                | Yes, if encryption is unlocked before the device is accessed | No
Safe to remove device during a session | No                                                            | Yes, provided users follow operating system recommendations for safe removal

If both generic USB redirection and the client drive mapping policies are enabled and a mass storage device is inserted either before or after a session starts, it will be redirected using client drive mapping. When both generic USB redirection and the client drive mapping policies are enabled and a device is configured for automatic redirection (see https://support.citrix.com/article/CTX123015) and a mass storage device is inserted either before or after a session starts, it will be redirected using generic USB redirection.

Note

USB redirection is supported over low-bandwidth connections, for example 50 Kbps; however, copying large files will not work.

Control file access with client drive mapping

You can control whether users can copy files from their virtual environments to their user devices. By default, files and folders on mapped client drives are available in read/write mode from within the session.

To prevent users from adding or modifying files and folders on mapped client drives, enable the Read-only client drive access policy setting. When adding this setting to a policy, make sure the Client drive redirection setting is set to Allowed and is also added to the policy.