Citrix DaaS

Secure HDX (Preview)

Secure HDX is an Application Level Encryption (ALE) solution that prevents any network elements in the traffic path from being able to inspect the HDX traffic. It does this by providing true End-to-End Encryption (E2EE) at the application level between the Citrix Workspace app (client) and the VDA (session host) using AES-256-GCM encryption.


Secure HDX is currently in preview. This feature is provided without support and is not yet recommended for use in production environments. To submit feedback or report issues, use this form.

System requirements

The following list depicts the system requirements for using Secure HDX.

  • Control plane
    • Citrix DaaS
    • Citrix Virtual Apps and Desktops 2402 or later
  • Virtual Delivery Agent (VDA)
    • Windows: version 2402 or later
  • Workspace app
    • Windows: version 2402 or later
  • Access tier
    • Citrix Workspace
    • Citrix StoreFront 2402 or later


Secure HDX is disabled by default. You can configure this feature using the Secure HDX setting in Citrix policy:

Secure HDX: Defines whether to enable the feature for all sessions, only for direct connections, or disable it.


The following are considerations for using Secure HDX:

  • If a user tries to connect to a session host with Secure HDX enabled using a client that does not support the feature, the connection will be denied.

  • If you use HDX Insight, note that using Secure HDX prevents HDX Insight data collection as the NetScaler is not able to inspect the encrypted HDX traffic. If you must use HDX Insight, you can set Secure HDX to be enabled only for direct connections.

  • Service Continuity is not currently supported with Secure HDX. If you have Service Continuity enabled in your Citrix Cloud environment, you might not be able to connect to any session hosts that have Secure HDX enabled if there is a Cloud service outage.

  • If you use SmartControl, note that using Secure HDX prevents SmartControl from working as the NetScaler is unable to inspect the encrypted HDX traffic. If you must use SmartControl, you can set Secure HDX to be enabled only for direct connections.

  • Multi-Stream ICA is not supported when Secure HDX is enabled.

  • If you use any third-party solutions that rely on inspecting HDX traffic, they would no longer work if you enable Secure HDX since HDX traffic is encrypted.


To confirm that Secure HDX is active, you can use the ctxsession.exe utility on the VDA machine.

To use the CtxSession.exe utility, open a Command Prompt or PowerShell within the session and run ctxsession.exe -v. If Secure HDX is in use, ICA Encryption displays SecureHDX AES-256 GCM.

Secure HDX

When Secure HDX does not get enabled in the session

  • Ensure the VDA version in use supports the feature per the system requirements.

  • Confirm that you have a policy applied to the VDA that enables Secure HDX and that there are no other policies with higher priority disabling the feature.

  • If the client device is connecting through NetScaler Gateway or Gateway Service, ensure that Secure HDX is not set to “Direct Connections Only”.

  • If the session host was already running when you configured Secure HDX, restart the machine to ensure changes take effect.

Secure HDX (Preview)