Citrix Gateway

Citrix Gateway VPN client registry keys

The VPN client registry keys are available under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client. The following table lists the Citrix Gateway VPN client registry keys, values, and a brief description of each value.

Registry key Registry type Values and description
AlwaysOnService REG_DWORD 1 => Establish machine level tunnel but not user level tunnel. 2 => Establish machine level tunnel and user level tunnel.
AlwaysOnURL REG_SZ URL of the Citrix Gateway virtual server the user wants to connect to. Example:
AlwaysOn REG_DWORD 1 => Allow network access on VPN failure. 2=> Block network access on VPN failure.
locationDetection REG_DWORD 1 => To enable location detection. 0 => To disable location detection.
suffixList REG_SZ Comma separated list of intranet domains. Used when location detection is enabled.
AlwaysOnWhitelist REG_SZ Semicolon separated list of IP addresses or FQDNs to be whitelisted by the driver in Always On strict mode.
ProductVersion REG_SZ Current Citrix Gateway plug-in installed version.
InstallDir REG_SZ Location where the Citrix Gateway plug-in is installed.
userCertCAList REG_SZ Used in the context of the Always On service where a customer can specify the list of CAs to choose the client certificate from.
addedRoutes/modifiedRoutes REG_SZ Created for internal plug-in communication. Users must not modify this key.
ProductCode REG_SZ This key is used internally. Users must not modify this key
EnableAutoUpdate REG_DWORD Used to control plug-in update functionality from the client side. Set to 0 to disable auto-update functionality. Set to 1 to respect ADC configuration.
Connected REG_DWORD On successful connection this key is set to 1 and else set to 0. This key is used internally. Users must not modify this key.
EnableVA REG_DWORD If Citrix Virtual adapter must be enabled when IIP is present. This key is used internally. Users must not modify this key.
DisableGA REG_DWORD Set to 1 to disable Google analytics.
DisableCredProv REG_DWORD When Always On before user logon is enabled, the Windows VPN plug-in adds the credential provider to display the tunnel status on the logon screen. If you do not need this additional functionality, create and set this registry to 1.
ClientControl REG_DWORD 1 => Allows users to log out or connect to other gateways. 0 => Blocks users to log out or connect to other gateways.
ForcedLogging REG_DWORD Set this key to 1 to enable debug logging.
NoDHCPRoute REG_DWORD If set to 1, the DHCP server route is not added.
DisableIntuneDeviceEnrollment REG_DWORD If set to 1, Intune device enrollment is not performed.
HttpTimeout REG_DWORD HTTP timeout is configured in seconds. If timeout is not configured, the default timeout is used. The default timeout value is 100 seconds, based on Windows standards.
DisableIconHide REG_DWORD 1 => The Citrix Workspace app and the gateway plug-in are displayed on the taskbar. 0 => The gateway plug-in icon is integrated with Citrix Workspace app for Windows. The gateway plug-in is not visible on the taskbar when running a full VPN session.


You can apply registry keys based on your deployments. For example, the AlwaysOnService registry is applicable only for Always on service whereas the ClientControl registry is not applicable for Always on service. Check the individual deployment documentation for more details.

Citrix Gateway VPN client registry keys

In this article