Citrix DaaS

HDX Direct (Tech preview)

When accessing Citrix-delivered resources, HDX Direct allows client devices to establish a secure direct connection with the VDA if there is a direct line of sight.


HDX Direct is currently in tech preview. To submit feedback or report issues, use this form.


The following are the requirements for using HDX Direct:

  • Control plane

    • Citrix DaaS
    • Citrix Virtual Apps and Desktops 2303 or later
  • Virtual Delivery Agent (VDA)

    • Windows: version 2303 or later
  • Workspace app

    • Windows: version 2303 or later
  • Access tier

    • Citrix Workspace
    • Citrix Gateway Service
    • NetScaler Gateway
  • Firewall

    • VDA machine

      • TCP 443 inbound (ICA over TCP)
      • UDP 443 inbound (ICA over EDT)
    • Network

      Protocol Port Source Destination
      TCP 443 Client VDA
      UDP 443 Client VDA


HDX Direct is disabled by default. You can configure this feature using the HDX Direct setting in Citrix policy.

  • Allowed: HDX Direct is enabled and attempts to establish a direct connection to the session host when a session is connected.
  • Prohibited: The default setting. HDX Direct is disabled and prevents the client from attempting to connect directly to the session host when connected through a Gateway.

To confirm that HDX Direct successfully established a direct connection, use the CtxSession.exe utility on the VDA machine.

To use the CtxSession.exe utility, launch a Command Prompt or PowerShell within the session and run ctxsession.exe -v. If an HDX Direct connection was successfully established, you will see the following:

  • Transport protocol

    • UDP > DTLS > CGP > ICA (if using EDT)
    • TCP > SSL > CGP > ICA (if using TCP)
  • Remote Address and Client Address are the same

    HDX Direct remote and client address


The following are considerations for using HDX Direct:

  • When using non-persistent machines for your virtual apps and desktops, do not enable HDX Direct in the master/template image to avoid generating certificates for the master virtual machine (VM).

How it works

HDX Direct allows clients to establish a direct connection to the session host when direct communication is available. When direct connections are made using HDX Direct, network-level encryption (TLS/DTLS) is used to secure them, leveraging self-signed certificates.

There are three stages that cover different parts of the feature: pre-launch, launch, and post-launch.

Pre-launch stage

This is the initial stage, which covers certificate creation and management. These tasks are handled by the following services on the VDA machine, both of which are set to run automatically at machine startup:

  • Citrix ClxMtp Service: responsible for CA certificate generation and rotation.
  • Citrix Certificate Manager Service: responsible for generating and managing the self-signed root CA certificate, the machine certificates’ keys, and the machine certificates.

The following is an overview of the certificate management process:

  1. The services start at machine startup.
  2. Citrix ClxMtp Service creates keys if none have been created already.
  3. Citrix Certificate Manager Service checks if HDX Direct is enabled. If not, the service stops itself.
  4. If HDX Direct is enabled, Citrix Certificate Manager Service checks if a self-signed root CA certificate exists. If not, a self-signed root certificate is created.
  5. Once a root CA certificate is available, the Citrix Certificate Manager Service checks if a self-signed machine certificate exists. If not, the service generates keys and creates a new certificate using the machine’s FQDN.
  6. If there is an existing machine certificate created by the Citrix Certificate Manager Service and the subject name does not match the machine’s FQDN, a new certificate is generated.


The Citrix Certificate Manager Service generates RSA certificates that leverage 2048-bit keys.

Launch stage

To successfully establish a secure HDX Direct connection, the client must trust the certificates used to secure the session. To facilitate this, the VDA sends the Broker its certificate information when a session is being brokered. Subsequently, the Broker sends this information to Workspace to include in the ICA file that is sent to the client to launch the session.

Post-launch stage

Once a session is brokered successfully, the session is launched. The following is an overview of the HDX Direct connection process:

HDX Direct connection process

  1. The client establishes a connection with the VDA through the Gateway Service.
  2. Upon a successful connection, the VDA sends the VDA machine’s FQDN and a list of its IP addresses to the client.
  3. The client probes the IP addresses to see if it can reach the VDA directly.
  4. If the client is able to reach the VDA directly with any of the shared IP addresses, the client establishes a secure direct connection with the VDA.
  5. Once the direct connection is successfully established, the session transfers to the new connection and the connection to the Gateway Service ends.

Known issues

The following are known issues with HDX Direct:

  • The HDX Direct connection may fail when Rendezvous is disabled.
  • The HDX Direct connection may fail when launching sessions from an on-prem Citrix Virtual Apps and Desktops 2303 site.
  • Workspace app may crash if the VDA is running on Windows 11.
HDX Direct (Tech preview)