When using the Citrix Gateway Service, the Rendezvous protocol allows VDAs to bypass the Citrix Cloud Connectors to connect directly and securely with the Citrix Cloud control plane.
Rendezvous V2 is supported with standard domain joined machines, Azure AD joined machines, and non-domain joined machines.
At this time, connectorless deployments are possible with Azure AD joined and non-domain joined machines only. Standard domain joined machines still require Cloud Connectors for VDA registration and session brokering. However, there are no DNS requirements for using Rendezvous V2.
The requirements for using Rendezvous V2 are:
- Access to the environment using Citrix Workspace and Citrix Gateway Service
- Control plane: Citrix DaaS
- VDA version 2203
- Session Reliability must be enabled on the VDAs
- The VDA machines must have access to
https://*.nssvc.net, including all subdomains. If you can’t allow all subdomains in that manner, you can use
https://*.g.nssvc.netinstead. For more information, see Knowledge Center article CTX270584.
- The VDAs must be able to connect to the addresses mentioned previously:
- On TCP 443, for TCP Rendezvous.
- On UDP 443, for EDT Rendezvous.
The VDA supports connecting through proxies for both control traffic and HDX session traffic when using Rendezvous. The requirements and considerations for both types of traffic are different, so review them carefully.
Control traffic proxy considerations
- Only HTTP proxies are supported.
- Packet decryption and inspection are not supported. Configure an exception so the control traffic between the VDA and the Citrix Cloud control plane is not intercepted, decrypted, or inspected. Otherwise, the connection fails.
- Proxy authentication is not supported.
HDX traffic proxy considerations
- HTTP and SOCKS5 proxies are supported.
- EDT can only be used with SOCKS5 proxies.
- By default, HDX traffic uses the proxy defined for control traffic. If you must use a different proxy for HDX traffic, whether a different HTTP proxy or a SOCKS5 proxy, use the Rendezvous proxy configuration policy setting.
- Packet decryption and inspection are not supported. Configure an exception so the HDX traffic between the VDA and the Citrix Cloud control plane is not intercepted, decrypted, or inspected. Otherwise, the connection fails.
- Machine-based authentication is supported only with HTTP proxies and if the VDA machine is AD domain joined. It can use Negotiate/Kerberos or NTLM authentication.
To use Kerberos, create the service principal name (SPN) for the proxy server and associate it with the proxy’s Active Directory account. The VDA generates the SPN in the format
HTTP/<proxyURL>when establishing a session, where the proxy URL is retrieved from the Rendezvous proxy configuration policy setting. If you don’t create an SPN, authentication falls back to NTLM. In both cases, the VDA machine’s identity is used for authentication.
- Authentication with a SOCKS5 proxy is not currently supported. If using a SOCKS5 proxy, configure an exception so that traffic destined to Gateway Service addresses (specified in the requirements) can bypass authentication.
- Only SOCKS5 proxies support data transport through EDT. For an HTTP proxy, use TCP as the transport protocol for ICA.
If using a transparent proxy in your network, no additional configuration is required on the VDA.
If using a non-transparent proxy in your network, specify the proxy during the VDA installation so that control traffic can reach the Citrix Cloud control plane. Make sure to review the control traffic proxy considerations before proceeding with the installation and configuration.
In the VDA installation wizard, select Rendezvous Proxy Configuration in the Additional Components page. This option makes the Rendezvous Proxy Configuration page available later in the installation wizard. Once here, enter the proxy address or the path to the PAC file for the VDA to know which proxy to use. For example:
- Proxy address:
http://<URL or IP>:<port>
- PAC file:
http://<URL or IP>/<path/<filename>.pac
As stated in the HDX traffic proxy considerations, HDX traffic uses the proxy defined during the VDA installation by default. If you must use a different proxy for HDX traffic, whether a different HTTP proxy or a SOCKS5 proxy, use the Rendezvous proxy configuration policy setting. When the setting is enabled, specify the HTTP or SOCKS5 proxy address. You can also enter the path to the PAC file so the VDA knows which proxy to use. For example:
- Proxy address:
http://<URL or IP>:<port>or
socks5://<URL or IP>:<port>
- PAC file:
http://<URL or IP>/<path/<filename>.pac
If you use the PAC file to configure the proxy, define the proxy using the syntax required by the Windows HTTP service:
PROXY [<scheme>=]<URL or IP>:<port>. For example,
PROXY socks5=<URL or IP>:<port>.
How to configure Rendezvous
Following are the steps for configuring Rendezvous in your environment:
- Make sure that all requirements are met.
- If you must use a non-transparent HTTP proxy in your environment, configure it during the VDA installation. Refer to the proxy configuration section for details.
After the VDA is installed, add the following registry value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent Value type: DWORD Value name: GctRegistration Value data: 1
- Reboot the VDA machine.
- Create a Citrix policy, or edit an existing one:
- Set the Rendezvous Protocol setting to Allowed.
- If you must configure an HTTP or SOCKS5 proxy for HDX traffic, configure the Rendezvous proxy configuration setting.
- Ensure that the Citrix policy filters are set properly. The policy applies to the machines that need Rendezvous enabled.
- Ensure that the Citrix policy has the correct priority so that it does not overwrite another one.
If you meet all requirements and have completed the configuration, follow these steps to validate if Rendezvous is in use:
- Within the virtual desktop, open a command prompt or PowerShell.
- The transport protocols displayed indicate the type of connection:
- TCP Rendezvous: TCP > SSL > CGP > ICA
- EDT Rendezvous: UDP > DTLS > CGP > ICA
- Not Rendezvous: TCP > CGP > ICA
- The Rendezvous version reported indicates the version in use.
Windows cipher suite order
If the cipher suite order has been modified in the VDA machines, make sure that you include the VDA-supported cipher suites:
If the custom cipher suite order does not contain these cipher suites, the Rendezvous connection fails.
Zscaler Private Access
If using Zscaler Private Access (ZPA), it is recommended that you configure bypass settings for the Gateway Service to avoid increased latency and the associated performance impact. To do so, you must define application segments for the Gateway Service addresses – specified in the requirements – and set them to always bypass. For information on configuring application segments to bypass ZPA, see the Zscaler documentation.
VDA installer does not allow entering a slash ( / ) for the proxy address
As a workaround, you can configure the proxy in the registry after the VDA is installed:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent Value type: String Value name: ProxySettings Value data: Proxy address or path to pac file. For example: Proxy address: http://squidk.test.local:3128 Pac file: http://file.test.com/config/proxy.pac