In environments that use the Citrix Gateway service, the Rendezvous protocol allows HDX sessions to bypass the Citrix Cloud Connector and connect directly and securely to the Citrix Gateway service.
- Access to environment using Citrix Workspace and Citrix Gateway service.
- Control Plane: Citrix Virtual Apps and Desktops Service (Citrix Cloud)
- VDA: Version 1912 or later.
- Enable the Rendezvous protocol in the Citrix policy. For more information, see Rendezvous protocol policy setting.
- The VDAs must have access to
https://*.nssvc.net, including all subdomains. If you can’t add all subdomains to the allow list in that manner, use
https://*.g.nssvc.netinstead. For more information, see the Internet Connectivity Requirements section of the Citrix Cloud documentation (under Virtual Apps and Desktop service) and the Knowledge Center article CTX270584.
- Cloud Connectors must obtain the VDAs’ FQDNs when brokering a session. Accomplish this in one of these two ways:
Enable DNS resolution for the site. Using the Citrix Virtual Apps and Desktops Remote PowerShell SDK, run the command
Set-BrokerSite -DnsResolutionEnabled $true. For more information about the Citrix Virtual Apps and Desktops Remote PowerShell SDK, see SDKs and APIs.
- DNS Reverse Lookup Zone with PTR records for the VDAs. If you choose this option, we recommend that you configure VDAs to always attempt to register PTR records. To do so, use the Group Policy Editor or Group Policy Object, navigate to Computer Configuration > Administrative Templates > Network > DNS Client, and set Register PTR Records to Enabled and Register. If the connection’s DNS suffix does not match the domain’s DNS suffix, you must also configure the Connection-specific DNS suffix setting for the machines to register PTR records successfully.
- Enable DNS resolution for the site. Using the Citrix Virtual Apps and Desktops Remote PowerShell SDK, run the command
The VDA supports establishing Rendezvous connections through a proxy.
Consider the following when using proxies with Rendezvous:
- Transparent proxies, non-transparent HTTP proxies, and SOCKS proxies are supported.
- Packet decryption and inspection are not supported. Configure an exception so that the ICA traffic between the VDA and the Gateway Service is not intercepted, decrypted, or inspected. Otherwise, the connection breaks.
- Authentication at the proxy is not supported. Configure an exception so that traffic destined to the Gateway Service addresses – specified in the requirements – can bypass authentication.
- Only Rendezvous with TCP is supported. Rendezvous with EDT is currently not supported with proxies.
If using a transparent proxy in your network, no additional configuration is required on the VDA.
If using a non-transparent proxy in your network, configure the Rendezvous proxy configuration setting. When the setting is enabled, specify the HTTP or SOCKS proxy address for the VDA to know which proxy to use. For example,
“http://<FQDN or IP>:<port>” or
“socks5://<FQDN or IP>:<port>”.
Proxy configuration with PAC files is currently not supported.
If you meet all requirements, follow these steps to validate if Rendezvous is in use:
- Launch PowerShell or a command prompt within the HDX session.
- The transport protocols in use indicate the type of connection:
- TCP Rendezvous: TCP > SSL > CGP > ICA
- EDT Rendezvous: UDP > DTLS > CGP > ICA
- Proxy through Cloud Connector: TCP > CGP > ICA
Windows cipher suite order
For a custom cipher suite order, make sure that you include the VDA-supported cipher suites from the following list:
If the custom cipher suite order does not contain these cipher suites, the Rendezvous connection fails.
Zscaler Private Access
If using Zscaler Private Access (ZPA), it is highly recommended that you configure bypass settings for the Gateway Service to avoid increased latency and the associated performance impact. To do so, you must define application segments for the Gateway Service addresses – specified in the requirements – and set them to always bypass. For information on configuring application segments to bypass ZPA, see Zscaler documentation.
How Rendezvous works
This diagram is an overview of the Rendezvous connection flow.
Follow the steps to understand the flow:
- Navigate to Citrix Workspace.
- Enter credentials in Citrix Workspace.
- If using on-premises Active Directory, the Citrix Virtual Apps and Desktops service authenticates credentials with Active Directory using the Cloud Connector channel.
- Citrix Workspace displays enumerated resources from the Citrix Virtual Apps and Desktop service.
- Select resources from Citrix Workspace. The Citrix Virtual Apps and Desktop service sends a message to the VDA to prepare for an incoming session.
- Citrix Workspace sends an ICA file to the endpoint that contains an STA ticket generated by Citrix Cloud.
- The endpoint connects to the Citrix Gateway service, provides the ticket to connect to the VDA, and Citrix Cloud validates the ticket.
- The Citrix Gateway service sends connection information to the Cloud Connector. The Cloud Connector determines if the connection is supposed to be a Rendezvous connection and sends the information to the VDA.
- The VDA establishes a direct connection to the Citrix Gateway service.
- If a direct connection between the VDA and the Citrix Gateway service isn’t possible, the VDA proxies its connection through the Cloud Connector.
- The Citrix Gateway service establishes a connection between the endpoint device and the VDA.
- The VDA verifies its license with the Citrix Virtual Apps and Desktop service through the Cloud Connector.
- The Citrix Virtual Apps and Desktop service sends and applies the session policies to the VDA through the Cloud Connector.