Citrix Virtual Apps and Desktops

Browser content redirection policy settings

The browser content redirection section includes policy settings to configure this feature.

Browser content redirection controls and optimizes the way Citrix Virtual Apps and Desktops deliver any web browser content (for example, HTML5) to users. Only the visible area of the browser where content is displayed is redirected.

HTML5 video redirection and browser content redirection are independent features. The HTML5 video redirection policies aren’t needed for this feature to work. However, the Citrix HDX HTML5 Video Redirection Service is used for browser content redirection. For more information, see Browser content redirection.

Note:

Policy settings available in Web Studio can be overridden with registry keys on the VDA, but registry keys are optional.

TLS and browser content redirection

You can use browser content redirection to redirect HTTPS websites. The JavaScript injected into those websites must establish a TLS connection to the Citrix HDX HTML5 Video Redirection Service (WebSocketService.exe) running on the VDA. To achieve this redirection and maintain the TLS integrity of the webpage, the Citrix HDX HTML5 Video Redirection Service generates two custom certificates in the certificate store on the VDA.

HdxVideo.js uses secure WebSockets (WSS) to communicate with WebSocketService.exe running on the VDA. This process runs as Local System, performs TLS termination, and maps each connection to the user session.

WebSocketService.exe listens on 127.0.0.1, port 9001, so the WebSocket connection never leaves the VDA.

Browser content redirection

By default, Citrix Workspace app tries client fetch and client render. Server-side rendering is tried when client fetch and client render fail. If you also enable the browser content redirection proxy configuration policy, Citrix Workspace app tries only server fetch and client render.

By default, this setting is Allowed.

Browser content redirection Integrated Windows Authentication support setting

This setting enables the browser content redirection overlay to use the Negotiate scheme for authentication. It provides single sign-on to a web server configured with Integrated Windows Authentication (IWA) in the same domain as the VDA.

When set to Allowed, the browser content redirection overlay obtains a Negotiate ticket by using the user’s VDA credentials. The user then authenticates to the web server with a single sign-on.

When set to Prohibited, the browser content redirection overlay doesn’t request a Negotiate ticket from the VDA. The user authenticates to a web server using a basic authentication method. This authentication method requires users to enter their VDA credentials each time they access the web server.

By default, this setting is Prohibited.

Browser content redirection server fetch web proxy authentication setting

This setting routes HTTP traffic originating at an overlay through a downstream web proxy. The downstream web proxy authorizes and authenticates HTTP traffic using the VDA user’s domain credentials through the Negotiate authentication scheme.

You must configure browser content redirection for server fetch mode by pointing the Browser content redirection proxy configuration policy at a PAC file. In the PAC script, route the overlay traffic through the downstream web proxy. Then configure that web proxy to authenticate VDA users through the Negotiate authentication scheme.

When set to Allowed and the web proxy responds with a 407 challenge that includes a Proxy-Authenticate: Negotiate header, browser content redirection obtains a Kerberos service ticket by using the VDA user’s domain credentials and includes that service ticket in subsequent requests to the web proxy.

When set to Prohibited, browser content redirection passes all TCP traffic between the overlay and the web proxy through without interfering. The overlay authenticates to the web proxy with basic authentication credentials or any other credentials available to it.

By default, this setting is Prohibited.

Browser content redirection ACL (Access Control List) Configuration policy settings

Use this setting to configure an Access Control List (ACL) of URLs that can use browser content redirection or are denied access to browser content redirection.

Authorized URLs are the URLs in the allow list whose content is redirected to the client.

The wildcard * is permitted, but it isn’t permitted within the protocol or the domain address part of the URL. However, starting from Citrix Virtual Apps and Desktops 7 2206, wildcard * is permitted within the subdomain address part of the URL.

Allowed: http://www.xyz.com/index.html, https://www.xyz.com/*, http://www.xyz.com/*videos*, http://*.xyz.com/

Not allowed: http://*.*.com/

You can achieve better granularity by specifying paths in the URL. For example, if you specify https://www.xyz.com/sports/index.html, only the index.html page is redirected.

By default, this setting is set to https://www.youtube.com/*

For more information, see the Knowledge Center article CTX238236.

Note:

You can configure the ACL so that browser content redirection (BCR) redirects a website to the endpoint, and configure authentication sites so that the identity providers (IdPs) that website uses for authentication, such as Okta and Duo, are redirected as well.

Browser content redirection authentication sites

Use this setting to configure a list of URLs. Sites redirected by using browser content redirection use the list to authenticate a user. The setting specifies the URLs for which browser content redirection remains active (redirected) when navigating away from a URL in the allow list.

A classic scenario is a website that relies on an Identity Provider (IdP) for authentication. For example, the website www.xyz.com must be redirected to the endpoint, but a third-party IdP such as Okta (www.xyz.okta.com) handles the authentication portion. The administrator uses the browser content redirection ACL configuration policy to add www.xyz.com to the allow list, and then uses the browser content redirection authentication sites setting to add www.xyz.okta.com.

For more information, see the Knowledge Center article CTX238236.

Browser content redirection block list setting

This setting works along with the browser content redirection ACL configuration setting. If a URL is present in both the ACL configuration setting and the block list setting, the block list takes precedence and the browser content of that URL isn’t redirected.

Unauthorized URLs: Specifies the URLs in the block list whose browser content isn’t redirected to the client, but rendered on the server.

The wildcard * is permitted, but it isn’t permitted within the protocol or the domain address part of the URL.

Allowed: http://www.xyz.com/index.html, https://www.xyz.com/*, http://www.xyz.com/*videos*

Not allowed: http://*.xyz.com/

You can achieve better granularity by specifying paths in the URL. For example, if you specify https://www.xyz.com/sports/index.html, only index.html is in the block list.
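The following is an added example, not Citrix code, that models how a URL is evaluated against the three settings above: the ACL allow list, the authentication sites list, and the block list, with the block list taking precedence and the wildcard rules the page states (no * in the protocol; in the host only as a whole subdomain label for the ACL and authentication sites, and no host wildcard at all for the block list). Where the page leaves details open, the choices here are assumptions and are marked as such: a * label matches one or more labels, ports are ignored, the last two host labels count as the domain address, and an authentication-site match only keeps redirection active when the navigation came from an already redirected page. The sample policy at the bottom is constructed for the example. The host and path are matched separately on purpose: turning the whole pattern into a single regular expression would let a host wildcard run across the / into the path, so a URL such as http://evil.example/?u=.xyz.com/ could satisfy http://*.xyz.com/.

```javascript
// Added example (not Citrix code): ACL / authentication sites / block list evaluation.
// Assumptions are marked inline; the sample policy below is constructed, not from the page.

const PATTERN_RE = /^([a-z][a-z0-9+.-]*):\/\/([^\/]+)(\/.*)?$/i;

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Parse a policy pattern into scheme, host labels and path, enforcing the wildcard rules.
// allowSubdomainWildcard: true for the ACL and authentication sites (7 2206 and later),
// false for the block list. A '*' in the scheme fails PATTERN_RE and is reported as malformed.
function parsePattern(pattern, allowSubdomainWildcard) {
  const m = PATTERN_RE.exec(pattern.trim());
  if (!m) throw new Error(`malformed pattern (or wildcard in protocol): ${pattern}`);
  const [, scheme, host, path = '/'] = m;
  const labels = host.toLowerCase().split('.');
  labels.forEach((label, i) => {
    if (!label.includes('*')) return;
    // Assumption: '*' must be a whole label and must sit before the last two labels
    // (the domain address), so "*.xyz.com" is accepted and "*.*.com" is rejected.
    const ok = allowSubdomainWildcard && label === '*' && i < labels.length - 2;
    if (!ok) throw new Error(`wildcard not allowed in domain address: ${pattern}`);
  });
  return { scheme: scheme.toLowerCase(), labels, path };
}

function isValidPattern(pattern, allowSubdomainWildcard) {
  try { parsePattern(pattern, allowSubdomainWildcard); return true; } catch { return false; }
}

// Host is matched on its own, label by label; a '*' label matches one or more labels (assumption).
function hostMatches(labels, hostname) {
  const re = labels
    .map(l => (l === '*' ? '[^.]+(?:\\.[^.]+)*' : escapeRe(l)))
    .join('\\.');
  return new RegExp(`^${re}$`).test(hostname);
}

// Path (plus query) is matched on its own; '*' matches any run of characters.
function pathMatches(pathPattern, pathAndQuery) {
  const re = pathPattern.split('*').map(escapeRe).join('.*');
  return new RegExp(`^${re}$`).test(pathAndQuery);
}

function urlMatches(parsed, url) {
  return parsed.scheme === url.protocol.slice(0, -1)
    && hostMatches(parsed.labels, url.hostname)          // assumption: ports are ignored
    && pathMatches(parsed.path, url.pathname + url.search);
}

function compilePolicy(policy) {
  const compile = (list, sub) => (list || []).map(p => parsePattern(p, sub));
  return {
    allow: compile(policy.acl, true),
    authSites: compile(policy.authenticationSites, true),
    block: compile(policy.blockList, false),
  };
}

// Returns 'redirect' (rendered in the client overlay) or 'vda' (rendered on the VDA).
// fromRedirectedPage models "navigating away from a URL in the allow list"; the
// authentication sites list only keeps redirection active in that case (assumption).
function decide(compiled, urlString, fromRedirectedPage = false) {
  const url = new URL(urlString);
  const any = list => list.some(p => urlMatches(p, url));
  if (any(compiled.block)) return 'vda';                       // block list wins over the ACL
  if (any(compiled.allow)) return 'redirect';
  if (fromRedirectedPage && any(compiled.authSites)) return 'redirect';
  return 'vda';
}

// Constructed sample policy in the shape of the three settings.
const samplePolicy = {
  acl: ['https://www.xyz.com/*', 'http://*.xyz.com/', 'https://www.youtube.com/*'],
  authenticationSites: ['https://www.xyz.okta.com/*'],
  blockList: ['https://www.xyz.com/admin/*'],
};
const compiled = compilePolicy(samplePolicy);

for (const u of ['https://www.xyz.com/sports/index.html', 'https://www.xyz.com/admin/users',
                 'http://media.xyz.com/', 'http://evil.example/?u=.xyz.com/']) {
  console.log(u, '->', decide(compiled, u));
}
console.log('IdP after redirect ->', decide(compiled, 'https://www.xyz.okta.com/login', true));
```

Run it with node; the last two lines of output show the IdP page staying redirected only because the user arrived there from a redirected page, and the evil.example URL rendered on the VDA despite containing the string .xyz.com/.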

Browser content redirection proxy setting

This setting provides configuration options for proxy settings on the VDA for browser content redirection. If enabled with a valid proxy address and port number, PAC / WPAD URL, or Direct/Transparent setting, Citrix Workspace app tries only server fetch and client rendering.

If the setting is disabled or not configured (the default), Citrix Workspace app tries client fetch and client rendering.

By default, this setting is Prohibited.

Allowed pattern for an explicit proxy:

http://<hostname/ip address>:<port>

Examples:

http://proxy.example.citrix.com:80
http://10.10.10.10:8080

Allowed patterns for PAC/WPAD files:

http://<hostname/ip address>:<port>/<path>/<Proxy.pac>

Example: http://wpad.myproxy.com:30/configuration/pac/Proxy.pac

https://<hostname/ip address>:<port>/<path>/<wpad.dat>

Example: http://10.10.10.10/configuration/pac/wpad.dat

Allowed patterns for direct or transparent proxies:

Type the word DIRECT in the policy text box.
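The following is an added example, not Citrix code, that checks a value intended for the browser content redirection proxy setting against the three shapes listed above (explicit proxy, PAC/WPAD URL, DIRECT) and derives the fetch/render behaviour the setting description gives for each case. The regular expressions are an assumption about the patterns as the page states them (explicit proxies are http with a mandatory port; PAC/WPAD URLs are http or https with an optional port and a path ending in a .pac file or wpad.dat), and rejecting an invalid value instead of treating it as configured or unconfigured is also an assumption, since the page does not say what happens then.

```javascript
// Added example (not Citrix code): lint a proxy setting value before it is deployed.
// The patterns below are an assumption read off the allowed patterns in the text.

// http://<hostname or IP>:<port>  -- the page lists http only, with a mandatory port.
const EXPLICIT_PROXY_RE = /^http:\/\/(\[[0-9a-f:.]+\]|[^\/:?#\s]+):(\d{1,5})\/?$/i;
// http(s)://<host>[:port]/<path>/<file>.pac  or  .../wpad.dat
const PAC_RE = /^https?:\/\/(\[[0-9a-f:.]+\]|[^\/:?#\s]+)(?::(\d{1,5}))?(\/[^?#\s]*?(?:\.pac|wpad\.dat))$/i;

// Classify a raw setting value. Returns { kind: 'unset' | 'direct' | 'explicit' | 'pac' | 'invalid', ... }.
function classifyProxySetting(value) {
  const v = (value ?? '').trim();
  if (v === '') return { kind: 'unset' };
  if (v.toUpperCase() === 'DIRECT') return { kind: 'direct' };

  let m = EXPLICIT_PROXY_RE.exec(v);
  if (m) {
    const port = Number(m[2]);
    if (port < 1 || port > 65535) return { kind: 'invalid', reason: `port ${m[2]} out of range` };
    return { kind: 'explicit', host: m[1].toLowerCase(), port };
  }
  m = PAC_RE.exec(v);
  if (m) return { kind: 'pac', url: v, host: m[1].toLowerCase(), port: m[2] ? Number(m[2]) : null, path: m[3] };
  return { kind: 'invalid', reason: 'not an explicit proxy, a PAC/WPAD URL, or DIRECT' };
}

// Behaviour from the setting description: enabled with a valid value -> only server fetch
// and client render; disabled or not configured -> client fetch and client render, with
// server-side rendering as the fallback. Invalid values are reported (assumption).
function fetchMode(policyEnabled, value) {
  const setting = classifyProxySetting(value);
  if (!policyEnabled || setting.kind === 'unset') {
    return { mode: 'client fetch, client render', fallback: 'server render', setting };
  }
  if (setting.kind === 'invalid') {
    return { mode: 'rejected', fallback: null, setting };
  }
  return { mode: 'server fetch, client render', fallback: null, setting };
}

// Constructed inputs: the page's own examples plus a few values that must be rejected.
const samples = [
  'http://proxy.example.citrix.com:80',
  'http://10.10.10.10:8080',
  'http://wpad.myproxy.com:30/configuration/pac/Proxy.pac',
  'http://10.10.10.10/configuration/pac/wpad.dat',
  'DIRECT',
  'http://10.10.10.10',          // no port: does not match the explicit pattern
  'http://proxy:99999',          // port out of range
  '',                            // not configured
];
for (const s of samples) {
  const r = fetchMode(true, s);
  console.log(JSON.stringify(s), '->', r.setting.kind, '/', r.mode, r.setting.reason ? `(${r.setting.reason})` : '');
}
```

The point of running such a check at configuration time is that a mistyped value does not fail loudly on the VDA; it changes which side fetches the page, and with that which credentials and which network path the overlay uses.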

Browser content redirection registry key overrides

Warning:

Editing the registry incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix can’t guarantee that problems resulting from the incorrect use of the Registry Editor can be solved. Use the Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Registry override options for policy settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\HdxMediastream

Name                                       Type          Value
WebBrowserRedirection                      DWORD         1 = Allowed, 0 = Prohibited
WebBrowserRedirectionAcl                   REG_MULTI_SZ  List of allow-list URLs (see the ACL configuration setting)
WebBrowserRedirectionAuthenticationSites   REG_MULTI_SZ  List of authentication-site URLs
WebBrowserRedirectionProxyAddress          REG_SZ        http://myproxy.citrix.com:8080 or http://10.10.10.10:8888
WebBrowserRedirectionBlacklist             REG_MULTI_SZ  List of block-list URLs


HDXVideo.js insertion for browser content redirection


HdxVideo.js is injected on the webpage by using the browser content redirection Chrome extension or the Internet Explorer Browser Helper Object (BHO). The BHO is a plug-in model for Internet Explorer. It provides hooks for browser APIs and allows the plug-in to access the Document Object Model (DOM) of the page to control navigation.

The BHO decides whether to inject HdxVideo.js on a given page. The decision is based on the administrative policies shown in the previous flow chart.

After the BHO decides to inject the JavaScript and redirect the browser content to the client, the webpage is blanked in Internet Explorer on the VDA: setting document.body.innerHTML to an empty string removes the entire body of the webpage on the VDA. The page is then ready to be sent to the client and displayed in the overlay browser (Hdxbrowser.exe) on the client.