Citrix Virtual Apps and Desktops service

Optimization for Microsoft Teams

Citrix delivers optimization for desktop-based Microsoft Teams (1.2.00.31357 or higher) using Citrix Virtual Apps and Desktops and Citrix Workspace app. By default, we bundle all the necessary components into the Citrix Workspace app and the Virtual Delivery Agent (VDA).

Our optimization for Microsoft Teams contains VDA-side HDX services and an API to interface with the Microsoft Teams hosted app to receive commands. These components open a control virtual channel (CTXMTOP) to the Citrix Workspace app-side media engine. The endpoint decodes and renders the multimedia locally, moving the Citrix Workspace app window back into the hosted Microsoft Teams app.

Authentication and signaling occur natively on the Microsoft Teams-hosted app, just like the other Microsoft Teams services (for example chat or collaboration). Audio/video redirection doesn’t affect them.

CTXMTOP is a command and control virtual channel. That means that media isn’t exchanged between the Citrix Workspace app and the VDA.

Only client-fetch/client-render is available.

This video demo gives you an idea of how Microsoft Teams works in a Citrix virtual environment.

Optimization for Microsoft Teams demo

Microsoft Teams installation

Note:

We recommend installing the VDA before installing Microsoft Teams in the golden image. This installation order is needed for the ALLUSER=1 flag to take effect. If you installed Microsoft Teams in the virtual machine before installing the VDA, uninstall and reinstall Microsoft Teams. If you’re using App Layering, see For App Layering for more details.

We recommend that you follow the Microsoft Teams machine-wide installation guidelines and avoid using the .exe installer that installs Microsoft Teams in AppData. Instead, install in C:\Program Files (x86)\Microsoft\Teams by using the ALLUSER=1 flag from the command line.

msiexec /i <path_to_msi> /l*v <install_logfile_name> ALLUSER=1 ALLUSERS=1

This example also uses the ALLUSERS=1 parameter. When you set this parameter, the Teams Machine-Wide Installer appears in Programs and Features in the Control Panel and in Apps & features in Windows Settings for all users of the computer. All users can then uninstall Microsoft Teams if they have administrator credentials.

It’s important to understand the difference between ALLUSERS=1 and ALLUSER=1. You can use the ALLUSERS=1 parameter in non-VDI and VDI environments. Use the ALLUSER=1 parameter only in VDI environments to specify a per-machine installation.

In ALLUSER=1 mode, the Microsoft Teams application doesn’t auto-update whenever there’s a new version. We recommend this mode for non-persistent environments, such as hosted shared apps or desktops out of a Windows Server or Windows 10 random/pooled catalogs. For more information, see Install Microsoft Teams using MSI (VDI Installation section).

Suppose you have Windows 10 dedicated persistent VDI environments. You want the Microsoft Teams application to auto-update and prefer Microsoft Teams to install per-user under Appdata/Local. In this case, use the .exe installer or the MSI without ALLUSER=1.

For Remote PC

We recommend that you install Microsoft Teams version 1.4.00.22472 or higher, after installing the VDA. Otherwise, you need to sign out and sign in again for Microsoft Teams to detect the VDA as expected. Version 1.4.00.22472 or higher includes augmented logic executed at Microsoft Teams launch time and sign in time for VDA detection. These versions also include active session type identification (HDX, RDP or locally connected to the client machine). If you are locally connected, previous versions of Microsoft Teams might fail to detect and disable certain features or UI elements. For example, Breakout Rooms, pop out windows for meetings and chat, or meeting reactions.

In some Remote PC scenarios, when you reconnect to a previously non-optimized session from a new endpoint that supports HDX optimization, you might need to relaunch Microsoft Teams to support HDX optimization.

For App Layering

If using Citrix App Layering to manage VDA and Microsoft Teams installations in different layers, deploy this registry key on Windows before installing Microsoft Teams with ALLUSER=1. For information, see Optimization for Microsoft Teams with Citrix App Layering in the list of features managed through the registry.

Profile Management recommendations

We recommend using the machine-wide installer for Windows Server and Pooled VDI Windows 10 environments.

When the ALLUSER=1 flag is passed to the MSI from the command line (the machine-wide installer), the Microsoft Teams app installs under C:\Program Files (x86) (~300 MB). The app uses AppData\Local\Microsoft\TeamsMeetingAddin for logs and AppData\Roaming\Microsoft\Teams (~600–700 MB) for user specific configurations, caching of elements in the user interface, and so forth.

Important:

If you don’t pass the ALLUSER=1 flag, the MSI places the Teams.exe installer and setup.json under C:\Program Files (x86)\Teams Installer. A registry key (TeamsMachineInstaller) is added under: HKEY_LOCAL_MACHINE \SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run

A subsequent user logon triggers the final installation in AppData instead.

Machine-wide installer

The following is an example of folders, desktop shortcuts, and registries created by installing Microsoft Teams machine-wide installer on a Windows Server 2016 64-bit VM:

Folder:

  • C:\Program Files (x86)\Microsoft\Teams
  • C:\Users\<username>\AppData\Roaming\Microsoft\Teams

Desktop Shortcut:

C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe

Registry:

  • HKEY_LOCAL_MACHINE \SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER \SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Name: Teams
  • Type: REG_SZ
  • Value: C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe

Note:

The registry location varies based on the underlying Operating Systems and bitness.

Recommendations

  • We recommend disabling auto-start by deleting the Microsoft Teams registry keys. Doing so prevents many logons that occur at the same time (for example, at the beginning of your work day) from spiking up the VM’s CPU.
  • If the virtual desktop does not have a GPU/vGPU, we recommend setting Disable GPU hardware acceleration in the Microsoft Teams Settings to improve performance. This setting ("disableGpu":true) is stored in %Appdata%\Microsoft\Teams in desktop-config.json. You can use a logon script to edit that file and set the value to true.
  • If using Citrix Workspace Environment Management (WEM), enable CPU Spikes Protection to manage processor consumption for Microsoft Teams.

Per-user installer

When using the .exe installer, the installation process differs. All the files are placed in AppData.

Folder:

  • C:\Users\<username>\AppData\Local\Microsoft\Teams
  • C:\Users\<username>\AppData\Local\Microsoft\TeamsPresenceAddin
  • C:\Users\<username>\AppData\Local\Microsoft\TeamsMeetingAddin
  • C:\Users\<username>\AppData\Local\SquirrelTemp
  • C:\Users\<username>\AppData\Roaming\Microsoft\Teams

Desktop shortcut:

C:\Users\<username>\AppData\Local\Microsoft\Teams\Update.exe --processStart "Teams.exe"

Registry:

HKEY_CURRENT_USER \SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Best Practices

The best practice recommendations are based on the use-case scenarios. Using Microsoft Teams with a non-persistent setup requires a profile caching manager for efficient Microsoft Teams runtime data synchronization. With a profile caching manager, the appropriate user-specific information (for example, user data, profile, and settings) is cached during the user session. Synchronize the data in these two folders:

  • C:\Users\<username>\AppData\Local\Microsoft\IdentityCache
  • C:\Users\<username>\AppData\Roaming\Microsoft\Teams

Microsoft Teams cached content exclusion list for non-persistent setup

Exclude the following items from the Microsoft Teams caching folder, %AppData%/Microsoft/Teams. Excluding these items helps reduce the user caching size to further optimize your non-persistent setup.

Exclusion list – files

  • Roaming\Microsoft\Teams\* .txt

Exclusion list – directories

  • Roaming\Microsoft\Teams\Logs
  • Roaming\Microsoft\Teams\media-stack
  • Roaming\Microsoft\Teams\Service Worker\CacheStorage
  • Roaming\Microsoft\Teams\Application Cache
  • Roaming\Microsoft\Teams\Cache
  • Roaming\Microsoft\Teams\GPUCache
  • Roaming\Microsoft\Teams\meeting-addin\Cache (Critical for issues where the Add-in is missing in Outlook)

Use case: single-session scenario

In this scenario, the end user uses Microsoft Teams in one location at a time. They don’t need to run Microsoft Teams in two Windows sessions at the same time. For instance, in a common virtual desktop deployment, each user is assigned to one desktop, and Microsoft Teams is deployed in the virtual desktop as one application. We recommend enabling the Citrix Profile container and redirecting per-user directories listed in Per-user installer into the container.

  1. Deploy the Microsoft Teams machine-wide installer (ALLUSER=1) in the golden image.
  2. Enable Citrix Profile Management and set up the user profile store with the proper permissions.
  3. Enable the following Profile Management policy setting: File system > Synchronization > Profile container – List of folders to be contained in profile disk.

    Profile container

    List all the per-user directories into this configuration. You can also configure these settings using the Citrix Workspace Environment Management (WEM) service.

  4. Apply the settings to the correct delivery group.
  5. Log in to validate the deployment.

System requirements

If you’re using an earlier version, see Enable optimization of Microsoft Teams:

Supported operating systems:

  • Windows Server 2019, 2016, 2012R2 Standard and Datacenter Editions, and with the Server Core option

Minimum version - Virtual Delivery Agents (VDAs) 1906.2

Supported operating systems:

  • Windows 10 64-bit, versions 1607 and higher. (VM hosted apps aren’t supported).
  • Windows Server 2019, 2016, and 2012 R2 (Standard and Datacenter Editions).

Requirements:

  • BCR_x64.msi - the MSI that contains the Microsoft Teams optimization code and starts automatically from the GUI. If you’re using the command line interface for the VDA installation, don’t exclude it.
  • Windows 8 and 10 (32-bit and 64-bit editions, including Embedded editions) (Support for Windows 7 stopped at Version 2006)
  • Windows 10 IoT Enterprise 2016 LTSB (v1607) and 2019 LTSC (v1809)
  • Processor (CPU) architectures supported: x86 and x64 (ARM is not supported)
  • Endpoint requirement: Approximately 2.2–2.4 GHz dual core CPU that can support 720p HD resolution during a peer-to-peer video conference call.
  • Dual or quad-core CPUs with lower base speeds (~1.5 GHz) equipped with Intel Turbo Boost or AMD Turbo Core that can boost up to at least 2.4 GHz.
  • HP Thin Clients verified: t630/t640, t730/t740, mt44/mt45.
  • Dell Thin Clients verified: 5070, 5470 Mobile TC.
  • 10ZiG Thin Clients verified: 4510 and 5810q.
  • For a complete list of verified endpoints, see Thin Clients.
  • Citrix Workspace app requires at least 600 MB free disk space and 1 GB RAM.
  • Microsoft .NET Framework minimum requirement is version 4.6.2. Citrix Workspace app automatically downloads and installs .NET Framework if it’s not present in the system.

Administrators can enable/disable Microsoft Teams starting in optimized mode by changing the Teams Optimization policy. Users starting in optimized mode in Citrix Workspace app don’t have the option to disable Microsoft Teams.

Minimum version - Citrix Workspace app 2006 for Linux

For more information, see Optimization for Microsoft Teams in What’s new in 2006.

Software:

  • GStreamer 1.0 or later or Cairo 2
  • libc++-9.0 or later
  • libgdk 3.22 or later
  • OpenSSL 1.1.1d
  • x64 Linux distribution

Hardware:

  • Minimum 1.8 GHz dual-core CPU that can support 720p HD resolution during a peer-to-peer video conference call
  • Dual or quad-core CPU with a base speed of 1.8 GHz and a high Intel Turbo Boost speed of at least 2.9 GHz

For a complete list of verified endpoints, see Thin Clients.

For more information, see Prerequisites to install Citrix Workspace app.

You can disable Teams optimization updating the value of field VDWEBRTC to Off in file /opt/Citrix/ICAClient/config/module.ini. The default is VDWEBRTC=On. After performing the update, restart the Session. (Root permission is required).

Minimum version - Citrix Workspace app 2012 for Mac

Supported operating systems:

  • macOS Catalina (10.15).
  • macOS Big Sur 11.0.1 or higher.

Features supported:

  • Audio
  • Video
  • Screen sharing optimization (incoming and outgoing)

Note:

Citrix Viewer app requires access to MacOS Security & Privacy preferences for screen sharing to work. Users configure this preference in Apple menu > System preferences > Security & Privacy > Privacy tab > Screen recording and select Citrix Viewer.

Microsoft Teams optimization works by default if the user has Citrix Workspace app 2012 or later and macOS 10.15.

If you want to disable Microsoft Teams optimization, run this command in a terminal and restart Workspace app:

defaults write com.citrix.receiver.nomas mtopEnabled -bool NO

Minimum version - Citrix Workspace app 2105.5 for ChromeOS

Features supported:

  • Audio
  • Video
  • Screen sharing optimization (incoming and outgoing) - disabled by default. See these settings for instructions on how to turn it on.

Feature matrix and version support

Feature Windows CR Windows 1912 LTSR (and CU1-CU4) Windows 1912 CU5 (or higher) Mac Linux ChromeOS
Audio/Video (P2P and conference) 1907 Yes Yes 2009 2004 2106
Screensharing 1907 Yes Yes 2012 2006 2106 (1)
i. Screen Indicator Red border 2002 Yes Yes 2012 2006 X
ii. Limit capture to Desktop Viewer 2009.5 X Yes 2012 2006 X
iii. Multimonitor 2106 (2) X X 2106 2106 X
DTMF 2102 X Yes 2101 2101 X
Proxy Server support 2012 (3) X Yes (3) 2104 (4) 2101 (4) X
  1. Disabled by default, requires Admin to enable.
  2. CD Viewer in full screen mode only. SHIFT+F2 not supported.
  3. Negotiate/Kerberos, NTLM, Basic, and Digest. Pac files are also supported.
  4. Anonymous only.

Enable optimization of Microsoft Teams

To enable optimization for Microsoft Teams, use the Manage console policy described in Microsoft Teams redirection policy. It’s ON by default. In addition to this policy being enabled, HDX checks to verify that the version of the Citrix Workspace app is at least the minimum required version. If you enabled the policy and the Citrix Workspace app version is supported, the HKEY_CURRENT_USER\Software\Citrix\HDXMediaStream\MSTeamsRedirSupport registry key is set to 1 automatically on the VDA. Microsoft Teams reads the key to load in VDI mode.

Note:

If you’re using version 1906.2 VDAs or higher with older controller versions (for example, version 7.15) that don’t have the policy available in the Manage console (Studio), your VDA can still be optimized. HDX optimization for Microsoft Teams is enabled by default in the VDA.

If you click About > Version, the Citrix HDX Optimized legend displays:

Optimized for Citrix legend

If you see Citrix HDX Not Connected, the Citrix API is loaded in Microsoft Teams. Loading the API is the first step toward redirection. But there’s an error in later parts of the stack. The error is most likely in the VDA services or the Citrix Workspace app.

Not optimized for Citrix legend

If you don’t see any legend, Microsoft Teams failed to load the Citrix API. Exit Microsoft Teams by right-clicking the notification area icon and restarting. Make sure that the Manage console policy isn’t set to Prohibited and that the Citrix Workspace app version is supported.

No Citrix legend

Important: session reconnects

  • You might need to relaunch Microsoft Teams to get an HDX optimized session when your connectivity changes. For example, if you are roaming from an unsupported endpoint (Workspace app for iOS, Android, HTML5, or old versions of Windows/Linux/Mac) to a supported one (Workspace app for Windows/Linux/Mac/ChromeOS), or vice versa.
  • When you roam from a local session to an HDX session, you need to relaunch Microsoft Teams to optimize with HDX. This is a Remote PC Access scenario.

Network requirements

Microsoft Teams relies on Media Processor servers in Office 365 for meetings or multiparty calls. Microsoft Teams relies on Office 365 Transport Relays for these scenarios:

  • Two peers in a point-to-point call do not have direct connectivity
  • A participant does not have direct connectivity to the media processor.

So the network health between the peer and the Office 365 cloud determines the performance of the call.

We recommend evaluating your environment to identify any risks and requirements that can influence your overall cloud voice and video deployment. Use the Skype for Business Network Assessment Tool to test if your network is ready for Microsoft Teams. For support information, see Support.

Summary of key network recommendations for Real Time Protocol (RTP) traffic

  • Connect to the Office 365 network as directly as possible from the branch office.
  • If you must use any of the following at the branch office, make sure that RTP/UDP Teams traffic is unhindered. HdxTeams.exe doesn’t honor explicit proxies configured on the endpoint.
    • Bypass proxy servers
    • Network SSL intercept
    • Deep packet inspection devices
    • VPN hairpins (use split tunneling if possible)
  • Plan for and provide sufficient bandwidth.
  • Check each branch office for network connectivity and quality.

The WebRTC media engine in the Workspace app (HdxTeams.exe or HdxRtcEngine.exe) uses the Secure Real-time Transport Protocol (SRTP) for multimedia streams that are offloaded to the client. SRTP provides confidentiality and authentication to RTP by using symmetric keys (128 bit) to encrypt media and control messages and uses the AES encryption cipher in counter mode.

The following metrics are recommended for a positive user experience:

Metric Endpoint to Office 365
Latency (one way) < 50 msec
Latency (RTT) < 100 msec
Packet Loss <1% during any 15s interval
Packet inter-arrival jitter <30ms during any 15s interval

For more information, see Prepare your organization’s network for Microsoft Teams.

In terms of bandwidth requirements, optimization for Microsoft Teams can use a wide variety of codecs for audio (OPUS/G.722/PCM G711) and video (H264).

The peers negotiate these codecs during the call establishment process using the Session Description Protocol (SDP) Offer/Answer. Citrix minimum recommendations per user are:

Type Bandwidth Codec
Audio (each way) ~ 90 kbps G.722
Audio (each way) ~ 60 kbps Opus*
Video (each way) ~ 700 kbps H264 360p @ 30 fps 16:9
Screen sharing ~ 300 kbps H264 1080p @ 15 fps

* Opus supports constant and variable bitrate encoding from 6 kbps up to 510 kbps.

Opus is the preferred codec for peer-to-peer calls between two optimized VDI users.

G.722 and H264 are the preferred codecs for a VDI user joining a meeting.

Proxy servers

Depending on the location of the proxy, consider the following:

  • Proxy configuration on the VDA:

    If you configure an explicit proxy server in the VDA and route connections to localhost through a proxy, redirection fails. To configure the proxy correctly, you must select the Bypass proxy servers for local address setting in Internet Options > Connections > LAN Settings > Proxy Servers and make sure 127.0.0.1:9002 is bypassed.

    If you use a PAC file, your VDA proxy configuration script from the PAC file must return DIRECT for wss://127.0.0.1:9002. If not, optimization fails. To make sure that the script returns DIRECT, use shExpMatch(url, "wss://127.0.0.1:9002/*").

  • Proxy configuration on Citrix Workspace app:

    If the branch office is configured to access the internet through a proxy, these versions support proxy servers:

    • Citrix Workspace app for Windows version 2012 (Negotiate/Kerberos, NTLM, Basic, and Digest. Pac files are also supported)
    • Citrix Workspace app for Windows version 1912 CU5 (Negotiate/Kerberos, NTLM, Basic, and Digest. Pac files are also supported)
    • Citrix Workspace app for Linux version 2101 (anonymous authentication)
    • Citrix Workspace app for Mac version 2104 (anonymous authentication)

Client devices with earlier releases of Citrix Workspace app can’t read proxy configurations. These devices send traffic directly to Office 365 TURN servers.

Important:

Verify that the client device can connect to the DNS server to perform DNS resolutions. A client device must be able to resolve three Microsoft Teams TURN server’s FQDNs: worldaz.turn.teams.microsoft.com, usaz.turn.teams.microsoft.com, and euaz.turn.teams.microsoft.com.

Call establishment and media flow paths

When possible, the HDX WebRTC media engine in the Citrix Workspace app (HdxTeams.exe or HdxRtcEngine.exe) tries to establish a direct network Secure Real-time Transport Protocol (SRTP) connection over User Datagram Protocol (UDP) in a peer-to-peer call. If the UDP ports are blocked, the media engine falls back to TCP 443.

The HDX media engine supports ICE, Session Traversal Utilities for NAT (STUN), and Traversal Using Relays around NAT (TURN) for candidate discovery and establishing connection.

Note that this means that the endpoint must be able to perform DNS resolutions.

Suppose that there is no direct path between the two peers or between a peer and a conference server, say if the user is joining a multi-party call or meeting. HdxTeams.exe uses a Microsoft Teams transport relay server in Office 365 to reach the other peer or the media processor, where meetings are hosted. The user’s client machine must have access to two Office 365 subnet IP address ranges and 4 UDP ports. For more information, see the Architecture diagram in the Call setup and Office 365 URLs and IP address ranges ID 11

ID Category Addresses Destination Ports
11 Optimize required 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14 UDP: 3478, 3479, 3480, 3481, TCP: 443 (fallback)

These ranges contain both Transport Relays and media processors. The Microsoft Teams Transport Relays provide STUN and TURN functionality, but they are not ICE endpoints. Also, the Microsoft Teams Transport Relays don’t terminate media or perform any transcoding. They can bridge TCP (if HdxTeams.exe uses TCP) to UDP when they forward traffic to other peers or media processors.

Workspace app WebRTC media engine contacts the closest Microsoft Teams Transport Relay in the Office 365 cloud. The media engine uses anycast IP and port 3478–3481 UDP (different UDP ports per workload, though multiplexing can happen) or 443 TCP TLSv1.2 for fallbacks. Call quality depends on the underlying network protocol. Because UDP is always recommended over TCP, we advise you to design your networks to accommodate UDP traffic in the branch office.

If Microsoft Teams loaded in optimized mode and HdxTeams.exe is running on the endpoint, ICE failures might cause a call setup failure or one-way-only audio/video. When a call can’t be completed or media streams aren’t full duplex, check the Wireshark trace on the endpoint first. For more information about the ICE candidate gathering process, see “Collecting logs” in the Support section.

Note:

If the endpoints don’t have internet access, the users might still be able to make a peer-to-peer call if they are both on the same LAN. Meetings fail. In this case, there’s a 30-second timeout before the call setup begins.

Call setup

Use this architecture diagram as a visual reference for the call flow sequence. The corresponding steps are indicated in the diagram.

Architecture

How optimization for Microsoft Teams works

  1. Start Microsoft Teams.
  2. Microsoft Teams authenticates to O365. Tenant policies are pushed down to the Microsoft Teams client, and relevant TURN and signaling channel information is relayed to the app.
  3. Teams detects that it’s running in a VDA and makes API calls to the Citrix JavaScript API.
  4. Citrix JavaScript in Microsoft Teams opens a secure WebSocket connection to WebSocketService.exe running on the VDA, which spawns WebSocketAgent.exe inside the user session.
  5. WebSocketAgent.exe instantiates a generic virtual channel by calling into the Citrix HDX Teams Redirection Service (CtxSvcHost.exe).
  6. Citrix Workspace app’s wfica32.exe (HDX engine) spawns a new process called HdxTeams.exe or HdxRtcEngine.exe, which is the new WebRTC engine used for Microsoft Teams optimization.
  7. Citrix media engine and Teams.exe have a 2-way virtual channel path and can start processing multimedia requests.

    —–User calls——

  8. Peer A clicks the call button. Teams.exe communicates with the Microsoft Teams services in Office 365, establishing an end-to-end signaling path with Peer B. Microsoft Teams asks HdxTeams for a series of supported call parameters (codecs, resolutions, and so forth, which is known as a Session Description Protocol (SDP) offer). These call parameters are then relayed using the signaling path to the Microsoft Teams services in Office 365 and from there to the other peer.
  9. The SDP offer/answer (single-pass negotiation) takes place through the signaling channel, and the ICE connectivity checks (NAT and Firewall traversal using STUN bind requests) complete. Then, Secure Real-time Transport Protocol (SRTP) media flows directly between HdxTeams.exe and the other peer (or Office 365 conference servers if it’s a meeting).

Microsoft Phone System

Phone System is Microsoft’s technology that enables call control and PBX in the Office 365 cloud with Microsoft Teams. Optimization for Microsoft Teams supports Phone System, using Office 365 Calling Plans or Direct Routing. With Direct Routing, you connect your own supported session border controller to the Microsoft Phone System directly without any additional on-premises software. Call queues, transfer, forward, hold, mute, and resume a call are supported.

DTMF:

Dual tone multi frequency (DTMF) is supported with these versions of Citrix Workspace app (or higher):

  • Citrix Workspace app for Windows version 2102
  • Citrix Workspace app for Windows LTSR 1912 CU5
  • Citrix Workspace app for Linux version 2101
  • Citrix Workspace app for Mac version 2101

Firewall considerations

When users start an optimized call using the Microsoft Teams client for the first time, they might notice a warning with the Windows firewall settings. The warning asks for users to allow communication for HdxTeams.exe or HdxRtcEngine.exe (HDX Overlay Teams).

Firewall warning

The following four entries are added under Inbound Rules in the Windows Defender Firewall > Advanced Security console. You can apply more restrictive rules if you want.

Firewall inbound rules

Microsoft Teams and Skype for Business Coexistence

You can deploy Microsoft Teams and Skype for Business side by side as two separate solutions with overlapping capabilities. For more information, see Understand Microsoft Teams and Skype for Business coexistence and interoperability.

Citrix RealTime Optimization Pack and HDX optimization for Microsoft Teams multimedia engines then honor the configuration set in your environment. Examples include island modes, Skype for Business with Microsoft Teams collaboration, and Skype for Business with Microsoft Teams collaboration and meetings.

Peripheral access can be granted only to a single application at the time. For example, webcam access by the RealTime Media Engine during a call locks the imaging device during a call. When the device is released, it becomes available for Microsoft Teams.

Teams and Skype coexistence

Citrix SD-WAN: optimized network connectivity for Microsoft Teams

Optimal audio and video quality require a network connection to the Office 365 cloud that has low latency, low jitter, and low packet loss. Backhauling of Microsoft Teams audio-video RTP traffic from Citrix Workspace app users at branch office locations to a data center before going to the internet can add excessive latency. It might also cause congestion on WAN links. Citrix SD-WAN optimizes connectivity for Microsoft Teams following Microsoft Office 365 network connectivity principles. Citrix SD-WAN uses the Microsoft REST-based Office 365 IP address and web service and proximate DNS to identify, categorize, and steer Microsoft Teams traffic.

Business broadband internet connections in many areas suffer from intermittent packet loss, periods of excessive jitter, and outages.

Citrix SD-WAN offers two solutions to preserve Microsoft Teams audio-video quality when network health is variable or degraded.

  • If you use Microsoft Azure, a Citrix SD-WAN virtual appliance (VPX) deployed in the Azure VNET provides advanced connectivity optimizations. These optimizations include seamless link failover and audio packet racing.
  • Citrix SD-WAN customers can connect to Office 365 through the Citrix Cloud Direct service. This service provides reliable and secure delivery for all internet-bound traffic.

If the quality of the branch office internet connection isn’t a concern, it might be enough to minimize latency by steering Microsoft Teams traffic directly from the Citrix SD-WAN branch appliance to the nearest Office 365 front door. For more information, see Citrix SD-WAN Office 365 optimization.

Citrix SD-WAN

Microsoft Teams supports Gallery, Large gallery, and Together mode layouts.

Microsoft Teams displays a 2x2 grid with video streams of four participants (known as Gallery). In this case, Teams sends four video streams to the client device for decoding. When more than four participants share video, only the last four most active speakers appear on the screen.

Microsoft Teams also provides the large gallery view with a grid up to 7x7. As a result, the Microsoft Teams conference server composites a single video feed and sends it to the client device for decoding, resulting in lower CPU consumption. This single, matrix-style feed might include users’ self-preview video as well.

Lastly, Microsoft Teams supports Together mode, which is part of the new meeting experience. Using AI segmentation technology to digitally place participants in a shared background, Teams puts all participants in the same auditorium.

The user can control these modes during a conference call by selecting Gallery, Large gallery, or Together mode layouts in the ellipses menu.

Video layout

Support for video aspect ratio constraints (CWA for Windows 2102, CWA for Linux 2106, CWA for MAC 2106 or higher):

  • The option Fill to frame is available in Gallery/Large Gallery View. This option crops the video size to fit it in the sub-window. Fit to frame, on the other hand, displays black bars (letterbox) on the sides of the video so there is no cropping.

The following table provides a comparison of Gallery and Large Gallery layouts:

  Gallery view 2x2 (default) Large Gallery view
Layout / Grid Displays a 2x2 grid with video streams of four participants. Only the last four most active speakers appear on the screen and other participants do not appear on the grid. Displays a 7x7 grid with video streams of 49 participants.
Mixing technique A media router forwards individual streams from each participant to every user. A central conference server mixes and transcodes all audio or video to create a tailored composite layout for every participant. This introduces some additional latency.
Active speaker The new active speaker replaces the least active speaker in the grid. Displays all participants irrespective of whether they are active or inactive.
Encoding at the endpoint A single quality video stream. You can set the encoding resolution value on the client. For more information, see Encoder performance estimator and Optimization for Microsoft Teams. Quality is defined as resolution and frames per second. Currently, simulcast video is not supported. A single quality video stream. You can set the encoding resolution value on the client. For more information, see Encoder performance estimator and Optimization for Microsoft Teams.
Decoding at the endpoint Each participant gets up to four individual media streams. This increases CPU consumption at the endpoint by HdxRtcEngine.exe (for decoding/rendering). Each participant gets only a single stream for audio and video. This lowers the CPU consumption at the endpoint.
Maximum resolution 720p. When four participants are sharing video, the maximum resolution is 360p per video feed. If less than four participants are sharing video, then the resolution per video feed might be higher. 720p for the composite layout or mixing. Each sender reduces resolution or upload bitrate because there is no need for a high-quality video stream per participant in a composite layout.
‘Slow-user’ problem Sender modifies each modality’s (audio/video/screenshare) quality to the lowest common network quality among the participants. This multimedia stream is then forwarded to all other participants. As a result, a participant with poor network condition impacts the quality for everyone else in the call. Less susceptible to the lowest common network quality scenario. The conference server provides different qualities based on the network conditions of individual participants.
Self-preview Displays yourself in a small thumbnail in real time. Displays yourself in thumbnail and mixed with the rest of the video feeds. As a result, you might see yourself included in the main video layout with some additional delay.

Screen sharing in Microsoft Teams

Microsoft Teams relies on video-based screen sharing (VBSS), effectively encoding the desktop being shared with video codecs like H264 and creating a high-definition stream. With HDX optimization, incoming screen sharing is treated as a video stream. So if you are in the middle of a video call and the other peer starts to share the desktop, the original camera video feed is paused. Instead, the screen sharing video feed shows. The peer must then manually resume the camera sharing.

Outgoing screen sharing is also optimized and offloaded to Citrix Workspace app. In this case, the media engine captures and transmits only the Citrix Desktop Viewer (CDViewer.exe) window, with a red border drawn around it. Any local application overlapping with Desktop Viewer is not captured.

Note

Set specific permission in Citrix Workspace app for Mac to enable screen sharing. For more information, see System Requirements.

Multimonitor

In cases where Desktop Viewer (CDViewer.exe) is in full-screen mode and spanning across multimonitor setups, Citrix Workspace app 2106 or higher (Windows/Linux/Mac) allows the screen picker to select the monitor to share.

Known limitation:

  • If Desktop Viewer is disabled (either by editing the .ica file template or StoreFront web.config) or if Desktop Lock is being used, multimonitor selection isn’t available in the Microsoft Teams screen picker. SHIFT+F2 hotkey isn’t compatible with multimonitor screen sharing.
  • In Workspace app versions older than 2106, only the primary monitor is shared. You must drag the application in the virtual desktop to the primary monitor for the other peer on the call to see it.
  • Multimonitor screen sharing might not work if you configure Worspace app with the virtual monitor layout feature (logical partition of a single physical monitor). In this case, all virtual monitors are shared as a composite image.
  • Older versions of Workspace app for Windows (1907 up to 2008) also supports sharing of a local application running in the client machine, if it was overlaid on top of Desktop Viewer. This behavior was removed in 2009.6 or higher, and 1912 CU5 or higher.

Screen sharing

Screensharing from seamless application:

If you’re publishing Microsoft Teams as a standalone, seamless application, screen sharing captures the local desktop of your physical endpoint. Citrix Workspace app minimum version 1909 is required.

App sharing

Starting with Citrix Workspace app for Windows 2109 and VDA 2019, Microsoft Teams supports screen sharing of specific apps running in the virtual session. To share a specific app:

  1. Navigate to the Microsoft Teams app within your remote session.
  2. Click Share content in your Microsoft Teams UI.
  3. Select an app to share in the meeting. The red border appears around an app you selected and the peers on the call can see the shared app.

To share a different app, click Share content again and select a new app.

Note:

  • This feature is available only after the roll-out of an update from Microsoft Teams. For information on ETA, see Microsoft page. When the update is rolled-out by Microsoft, you can check CTX253754 for the documentation update and the announcement.

  • If you minimize an app, Microsoft Teams displays the last image from the shared app. You can maximize the window to resume screen sharing.

  • Screen sharing depends on the VDA-side capturing of the window. The content is then relayed at a maximum rate of 30 frames per second to the Workspace app that forwards the content to the peers or conference server.

App sharing for Microsoft Teams

Known limitations with screen sharing of specific app:

  • Mouse pointer is not visible when you are screen sharing an app.
  • HDX 3D Pro is not supported.
  • Restart screen sharing if you resize the virtual desktop screen.
  • If you minimize an app when you are sharing it, only the app icon appears in the screen picker. The thumbnail of the app is not previewed in the screen picker. You cannot share the content and the red border does not appear until you maximize the app.

Compatibility with app protection The screen sharing of a specific app is compatible with the app protection feature in HDX optimized Microsoft Teams. You can screen share a specific app, if you have launched the app or desktop from a delivery group that has app protection enabled.

When you click Share content in the Microsoft Teams UI, the screen picker removes the Desktop option. You can only select the Window option to share any open app.

Peripherals in Microsoft Teams

When optimization for Microsoft Teams is active, the Citrix Workspace app accesses the peripherals (headsets, microphones, cameras, speakers, and so forth). Then the peripherals are properly listed in the Microsoft Teams UI (Settings > Devices).

Optimization mode for Microsoft Teams

Microsoft Teams does not access the devices directly. Instead, it relies on Workspace app WebRTC media engine for acquiring, capturing, and processing the media. Microsoft Teams lists the devices for the user to select.

The peripherals that are inserted while Microsoft Teams is active are not selected by default. You have to manually select the peripherals from the Settings > Devices screen of Microsoft Teams UI. After the peripheral is selected, Microsoft Teams caches the information of the peripherals. As a result, the peripherals are automatically selected when you reconnect to a session from the same endpoint.

Recommendations:

  • Microsoft Teams certified headsets with built-in echo cancellation. In setups with multiple peripherals, where microphone and speakers are on separate devices, there might be an echo. An example is a webcam with a built-in microphone and a monitor with speakers. When using external speakers, place them as far as possible from the microphone and from any surface that might refract the sound into the microphone.
  • Microsoft Teams certified cameras, although Skype for Business certified peripherals are compatible with Microsoft Teams.
  • Citrix Workspace app media engine can’t take advantage of CPU offloading with webcams that perform on-board H.264 encoding -UVC 1.1 and 1.5.

Note:

Workspace app 2009.6 for Windows can now acquire peripherals with audio formats with 24-bit or with frequencies above 96 kHz.

HdxTeams.exe (in Workspace app for Windows 2009 or older) supports only these specific audio device formats (channels, bit depth, and sample rate):

  • Playback Devices: up to 2 channels, 16 bit, frequencies up to 96,000 Hz
  • Recording Devices: up to 4 channels, 16 bit, frequencies up to 96,000 Hz

Even if one speaker or microphone does not match the expected settings, device enumeration in Teams fails and None displays under Settings > Devices.

Webrpc logs in HdxTeams.exe show this type of information:

Mar 27 20:58:22.885 webrtcapi.WebRTCEngine Info: init. initializing...

Mar 27 20:58:23.190 webrtcapi.WebRTCEngine Error: init. couldn't create audio module!

As a workaround, disable the specific device or:

  1. Open the Sound Control Panel (mmsys.cpl).
  2. Select the playback or recording device.
  3. Go to Properties > Advanced and change the settings to a supported mode.

Fallback mode

If Microsoft Teams fails to load in optimized VDI mode (“Citrix HDX Not Connected” in Teams/About/Version), the VDA falls back to legacy HDX technologies like webcam redirection and client audio and microphone redirection. If you are using a Workspace app version/platform OS that does not support Teams optimization, fallback registry keys do not apply. In fallback mode, the peripherals are mapped to the VDA. The peripherals appear to the Microsoft Teams app as if they were locally attached to the virtual desktop.

You can now granularly control the fallback mechanism by setting the registry keys in the VDA. For information, see Microsoft Teams fallback mode in the list of features managed through the registry.

This feature requires Teams version 1.3.0.13565 or later.

To determine if you are in optimized or unoptimized mode when looking at the Settings > Devices tab in Teams, the main difference is the camera name. If Microsoft Teams loaded in unoptimized mode, legacy HDX technologies launch. The webcam name has the Citrix HDX suffix as shown in the following graphic. The speaker and microphone device names might be slightly different (or truncated) when compared to the optimized mode.

Unoptimization mode for Microsoft Teams

When legacy HDX technologies are used, Microsoft Teams doesn’t offload audio, video, and screen sharing processing to the endpoint’s Citrix Workspace app WebRTC media engine. Instead, HDX technologies use server-side rendering. Expect high CPU consumption on the VDA when you turn on video. Real-time audio performance might not be optimal.

Known limitations

Citrix limitations

Limitations on Citrix Workspace app:

  • HID buttons - Answer and end call aren’t supported. Volume up and down are supported.
  • Secondary ringer (Teams > Settings > Devices) isn’t supported.
  • QoS settings in the Admin Center for Microsoft Teams don’t apply for VDI users.
  • App protection add-on feature for the Citrix Workspace app prevents outgoing screen sharing and blocks incoming screenshare and video.

Limitation on the VDA:

  • When you configure the Citrix Workspace app High DPI setting to Yes, the redirected video window appears out of place when the monitor’s DPI scaling factor is set to anything above 100%.

Limitations on Citrix Workspace app and the VDA:

  • Outgoing screen sharing: Application sharing isn’t supported.
  • You can only control the volume of an optimized call using the volume bar on the client machine – not on the VDA.

Microsoft limitations

  • The options to blur or customize the background aren’t supported.
  • A 3x3 gallery view isn’t supported. Microsoft Teams dependency – contact Microsoft for when to expect a 3x3 grid.
  • Interoperability with Skype for Business is limited to audio calls, no video modality.
  • Incoming and outgoing video stream maximum resolution is 720p. Microsoft Teams dependency – contact Microsoft for when to expect 1080p.
  • PSTN call ringback tone isn’t supported.
  • Media bypass for Direct Routing isn’t supported.
  • Only one video stream from an incoming camera or screen share stream is supported. When there’s an incoming screen share, that screen share is shown instead of the video of the dominant speaker.
  • Broadcast and live event producer and presenter roles aren’t supported. Attendee role is supported but not optimized (renders on the VDA instead).
  • The zoom in and zoom out function in Microsoft Teams isn’t supported.

Citrix and Microsoft limitations

  • When doing screen sharing, the option include system audio isn’t available.
  • Pop out chat (also known as multi-window chat or the new meeting experience) isn’t supported.
  • Breakout rooms are supported for VDI participants. Microsoft Teams doesn’t support breakout rooms if the organizer is a VDI user.
  • Give control and take control: Not supported during a desktop screen sharing or application sharing session. Supported only during a PowerPoint sharing session.
  • E911 and Location-Based Routing are not supported.
  • Live captions and live transcriptions are not supported.

Additional information