Citrix Gateway

Citrix Gateway VPN client registry keys

The VPN client registry keys are available under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client. The following table lists the Citrix Gateway VPN client registry keys, values, and a brief description of each value.

Registry key Registry type Values and description
AlwaysOnService REG_DWORD 1 => Establish machine level tunnel but not user level tunnel. 2 => Establish machine level tunnel and user level tunnel.
AlwaysOnURL REG_SZ URL of the Citrix Gateway virtual server the user wants to connect to. Example: https://xyz.companyDomain.com
AlwaysOn REG_DWORD 1 => Allow network access on VPN failure. 2=> Block network access on VPN failure.
locationDetection REG_DWORD 1 => To enable location detection. 0 => To disable location detection.
suffixList REG_SZ Semicolon list of intranet domains. Used when location detection is enabled.
AlwaysOnAllowlist REG_SZ Semicolon separated list of IP addresses or FQDNs allowed by the driver in Always On strict mode.
ProductVersion REG_SZ Current Citrix Secure Access agent installed version.
InstallDir REG_SZ Location where the Citrix Secure Access agent is installed.
userCertCAList REG_SZ Used in the context of the Always On service where a customer can specify the list of CAs to choose the client certificate from.
addedRoutes/modifiedRoutes REG_SZ Created for internal plug-in communication. Users must not modify this key.
ProductCode REG_SZ This key is used internally. Users must not modify this key
EnableAutoUpdate REG_DWORD Used to control plug-in update functionality from the client side. Set to 0 to disable auto-update functionality. Set to 1 to respect ADC configuration.
Connected REG_DWORD On successful connection this key is set to 1 and else set to 0. This key is used internally. Users must not modify this key.
EnableVA REG_DWORD If Citrix Virtual adapter must be enabled when IIP is present. This key is used internally. Users must not modify this key.
DisableGA REG_DWORD Set to 1 to disable Google analytics.
DisableCredProv REG_DWORD When Always On before user logon is enabled, the Windows VPN plug-in adds the credential provider to display the tunnel status on the logon screen. If you do not need this additional functionality, create and set this registry to 1.
ClientControl REG_DWORD 1 => Allows users to log out or connect to other gateways. 0 => Blocks users to log out or connect to other gateways.
ForcedLogging REG_DWORD Set this key to 1 to enable debug logging.
NoDHCPRoute REG_DWORD If set to 1, the DHCP server route is not added.
DisableIntuneDeviceEnrollment REG_DWORD If set to 1, Intune device enrollment is not performed.
HttpTimeout REG_DWORD HTTP timeout is configured in seconds. If timeout is not configured, the default timeout is used. The default timeout value is 100 seconds, based on Windows standards.
secureDNSUpdate REG_DWORD 0 => The VPN plug-in tries the unsecure DNS update only. 1 => The VPN plug-in tries the unsecure DNS update first. If the unsecure DNS update fails, the VPN plug-in then tries the secure DNS update. This is the default behavior starting from the 21.3.1.2 Windows plug-in build. 2 => The VPN plug-in tries only the secure DNS update.
DisableIconHide REG_DWORD 1 => The Citrix Workspace app and the gateway plug-in are displayed on the taskbar. 0 => The gateway plug-in icon is integrated with Citrix Workspace app for Windows. The gateway plug-in is not visible on the taskbar when running a full VPN session.
SecureChannelResetTimeoutSeconds REG_DWORD By default, this registry value is not set or added. When the value of “SecureChannelResetTimeoutSeconds” is 0xFFFFFFFF or not present in the registry, the VPN plug-in waits for the SecureChannelReset() API call to complete before starting to tunnel data traffic. This is the default behavior. Admin must set this registry on the client for the VPN plug-in to start tunneling data traffic after waiting the specified time for the API call to complete.
DisableDNSRoutes REG_DWORD Default value 0 => VPN plug-in adds routes for DNS servers if they are different from the default gateway for a physical interface. However, based on the Windows client machine topology, DNS server routes might not be always required. If set to 1, the VPN plug-in does not add explicit routes for the DNS servers.
overrideIP6DnsDrop REG_DWORD 1 => Allow IPv6 DNS traffic to flow over VPN. 0 => Restrict IPv6 DNS traffic flow.
DisallowCaptivePortals REG_DWORD 1 => VPN plug-in checks for captive portals by trying to connect to the Microsoft Connect test page before starting a VPN session. 0 => VPN plug-in skips the captive portals check.
EnableWFP REG_DWORD Default value 0 => By default, DNE is enabled. 1 => VPN plug-in uses WFP. 0 => VPN plug-in uses DNE.
SecureAccessLogInScript REG_SZ Citrix Secure Access service accesses the login script configuration using this registry key when it connects to Citrix Secure Private Access service. For details, see Login and logout script configuration registries.
SecureAccessLogOutScript REG_SZ Citrix Secure Access service accesses the logout script configuration using this registry key when it connects to Citrix Secure Private Access service. For details, see Login and logout script configuration registries.

Important:

  • You can apply registry keys based on your deployments. For example, the AlwaysOnService registry key is applicable only to the Always on service whereas the ClientControl registry key is not applicable to the Always on service. Refer to the individual deployment documentation for more details.

  • secureDNSUpdate is applicable only for domain joined client devices and is not common for other OS types.

Citrix Gateway VPN client registry keys

In this article