Gateway

NetScaler Gateway Windows VPN client registry keys

The VPN client registry keys are available under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client. The following table lists the NetScaler Gateway Windows VPN client registry keys, values, and a brief description of each value.

Registry key Registry type Values and description
addedRoutes/modifiedRoutes REG_SZ Created for internal plug-in communication. Users must not modify this key.
AlwaysOnService REG_DWORD 1 => Establish machine level tunnel but not user level tunnel. 2 => Establish machine level tunnel and user level tunnel.
AlwaysOnURL REG_SZ URL of the NetScaler Gateway virtual server the user wants to connect to. Example: https://xyz.companyDomain.com
AlwaysOn REG_DWORD 1 => Allow network access on VPN failure. 2=> Block network access on VPN failure.
AlwaysOnAllowlist REG_SZ Semicolon separated list of IP addresses or FQDNs allowed by the driver in Always On strict mode.
ClientControl REG_DWORD 1 => Allows users to log out or connect to other gateways. 0 => Blocks users to log out or connect to other gateways.
ConfigSize REG_DWORD Windows client supports 64 KB configuration file size, by default. Use this registry to increase configuration file size. If the configuration file size is larger than the default value (64 KB), then the ConfigSize registry value must be set to 5 x 64 KB (after converting to bytes) for every addition of 64 KB. For example, if you are adding additional 64 KB, then you must set the registry value to 64 x 1024 x 5 = 327680. Similarly, if you are adding 128 KB, then you must set the registry value to 64 x 1024 x (5+5) = 655360.
Connected REG_DWORD On successful connection this key is set to 1 and else set to 0. This key is used internally. Users must not modify this key.
DisableGA REG_DWORD Set to 1 to disable Google analytics.
DisableCredProv REG_DWORD When Always On before user logon is enabled, the Windows VPN plug-in adds the credential provider to display the tunnel status on the logon screen. If you do not need this additional functionality, create and set this registry to 1.
DisableIconHide REG_DWORD 1 => The Citrix Workspace app and the gateway plug-in are displayed on the taskbar. 0 => The gateway plug-in icon is integrated with Citrix Workspace app for Windows. The gateway plug-in is not visible on the taskbar when running a full VPN session.
DisableDNSRoutes REG_DWORD Default value 0 => VPN plug-in adds routes for DNS servers if they are different from the default gateway for a physical interface. However, based on the Windows client machine topology, DNS server routes might not be always required. If set to 1, the VPN plug-in does not add explicit routes for the DNS servers.
DisallowCaptivePortals REG_DWORD 1 => VPN plug-in checks for captive portals by trying to connect to the Microsoft Connect test page before starting a VPN session. 0 => VPN plug-in skips the captive portals check.
DisableIntuneDeviceEnrollment REG_DWORD If set to 1, Intune device enrollment is not performed.
EnableAutoUpdate REG_DWORD Used to control plug-in update functionality from the client side. Set to 0 to disable auto-update functionality. Set to 1 to respect ADC configuration.
EnableKerberosAuth REG_DWORD 0 => Default value. 1 => VPN client uses the Kerberos authentication method for auto-logon.
EnableVA REG_DWORD If Citrix Virtual adapter must be enabled when IIP is present. This key is used internally. Users must not modify this key.
EnableWFP REG_DWORD Default value 0 => By default, DNE is enabled. 1 => VPN plug-in uses WFP. 0 => VPN plug-in uses DNE.
ForcedLogging REG_DWORD Set this key to 1 to enable debug logging.
HttpTimeout REG_DWORD HTTP timeout is configured in seconds. If timeout is not configured, the default timeout is used. The default timeout value is 100 seconds, based on Windows standards.
InstallDir REG_SZ Location where the Citrix Secure Access client is installed.
locationDetection REG_DWORD 1 => To enable location detection. 0 => To disable location detection.
NoDHCPRoute REG_DWORD If set to 1, the DHCP server route is not added.
overrideIPV6DnsDrop REG_DWORD 1 => Allow IPv6 DNS traffic to flow over VPN. 0 => Restrict IPv6 DNS traffic flow.
OverrideSpoofIPRange Need Eng inputs Detects if there are conflicts in the default or admin-configured spoof IP address range and applies a new spoof IP address range.
ProductVersion REG_SZ Current Citrix Secure Access client installed version.
ProductCode REG_SZ This key is used internally. Users must not modify this key.
secureDNSUpdate REG_DWORD 0 => The VPN plug-in tries the unsecure DNS update only. 1 => The VPN plug-in tries the unsecure DNS update first. If the unsecure DNS update fails, the VPN plug-in then tries the secure DNS update. This is the default behavior starting from the 21.3.1.2 Windows plug-in build. 2 => The VPN plug-in tries only the secure DNS update.
SecureChannelResetTimeoutSeconds REG_DWORD By default, this registry value is not set or added. When the value of “SecureChannelResetTimeoutSeconds” is 0xFFFFFFFF or not present in the registry, the VPN plug-in waits for the SecureChannelReset() API call to complete before starting to tunnel data traffic. This is the default behavior. Admin must set this registry on the client for the VPN plug-in to start tunneling data traffic after waiting the specified time for the API call to complete.
SecureAccessLogInScript REG_SZ Citrix Secure Access service accesses the login script configuration using this registry key when it connects to Citrix Secure Private Access service. For details, see Login and logout script configuration registries.
SecureAccessLogOutScript REG_SZ Citrix Secure Access service accesses the logout script configuration using this registry key when it connects to Citrix Secure Private Access service. For details, see Login and logout script configuration registries.
suffixList REG_SZ Semicolon list of intranet domains. Used when location detection is enabled.
SicBeginPort REG_DWORD Avoids conflicts that might arise when you use ports to create sockets between Citrix Secure Access client and third party apps on the client machines. The allowed range is 49152 to 64535 (C000 to FC17 in hexadecimal format). The VPN client uses up to 1000 ports starting from SicBeginPort only if EnableWFP is also set to 1.
userCertCAList REG_SZ Used in the context of the Always On service where a customer can specify the list of CAs to choose the client certificate from.

Important:

  • You can apply registry keys based on your deployments. For example, the AlwaysOnService registry key is applicable only to the Always on service whereas the ClientControl registry key is not applicable to the Always on service. Refer to the individual deployment documentation for more details.

  • secureDNSUpdate is applicable only for domain joined client devices.

  • For Citrix Secure Access client for Windows 23.1.1.8 and later versions, the registry key name is overrideIPV6DnsDrop. For Citrix Secure Access client for Windows 22.10.1.9 and prior versions, the registry key name is overrideIP6DnsDrop.

NetScaler Gateway Windows VPN client registry keys

In this article