Citrix Virtual Apps and Desktops

Browser content redirection policy settings

The browser content redirection section contains policy settings to configure this feature.

Browser content redirection controls and optimizes the way Citrix Virtual Apps and Desktops deliver any web browser content (for example, HTML5) to users. Only the visible area of the browser where content is displayed is redirected.

HTML5 video redirection and browser content redirection are independent features. The HTML5 video redirection policies are not needed for this feature to work, but the Citrix HDX HTML5 Video Redirection Service is used for browser content redirection. For more information, see Browser content redirection.

Policy settings:

The following policy settings are available for the browser content redirection feature in Citrix Studio. These policies can be overridden with registry keys on the VDA, but registry keys are optional.


TLS and browser content redirection

You can use browser content redirection to redirect HTTPS websites. The JavaScript injected into those websites must establish a TLS connection to the Citrix HDX HTML5 Video Redirection Service (WebSocketService.exe) running on the VDA. To achieve this redirection and maintain the TLS integrity of the webpage, the Citrix HDX HTML5 Video Redirection Service generates two custom certificates in the certificate store on the VDA.

HdxVideo.js uses Secure WebSockets to communicate with WebSocketService.exe running on the VDA. This process runs under the Local System account and performs SSL termination and user session mapping.

WebSocketService.exe is listening on 127.0.0.1 port 9001.

Browser content redirection

By default, Citrix Workspace app tries client fetch and client render. If client fetch and client render fails, server-side rendering is tried. If you also enable the browser content redirection proxy configuration policy, Citrix Workspace app tries only server fetch and client render.

By default, this setting is Allowed.

Browser content redirection server fetch web proxy authentication setting

Note:

This policy is available only on 1912 CU3 and later.

This setting routes HTTP traffic originating at an overlay through a downstream web proxy. The downstream web proxy authorizes and authenticates HTTP traffic using the VDA user’s domain credentials through the Negotiate authentication scheme.

You must configure browser content redirection for server fetch mode in the PAC file using the Browser content redirection proxy configuration policy. In the PAC script, provide instructions to route the overlay traffic through a downstream web proxy. Then configure the downstream web proxy to authenticate the VDA users through the Negotiate authentication scheme.

When set to Allowed, the web proxy responds with a 407 Negotiate challenge, containing a Proxy-Authenticate: Negotiate header. Browser content redirection then obtains a Kerberos service ticket by using the VDA user’s domain credentials and includes the service ticket in subsequent requests to the web proxy.

When set to Prohibited, browser content redirection proxies all TCP traffic between the overlay and the web proxy without interfering. The overlay uses basic authentication credentials or any other available credentials to authenticate to the web proxy.

By default, this setting is Prohibited.
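
A PAC file of the kind the paragraphs above call for, as an added example that is not Citrix's own. The proxy name and the internal domain are placeholders, and the choice to send internal hosts DIRECT is an assumption about the environment.

```javascript
// Added example PAC file, not from Citrix. All names below are placeholders.
// Use the proxy's host name rather than an IP address: a Kerberos service
// ticket is requested for a service principal tied to that name.
var DOWNSTREAM_PROXY = "PROXY proxy.example.internal:8080";
var DIRECT_DOMAINS = ["corp.example"]; // internal zones that bypass the proxy

// True only when host equals the domain or is a subdomain of it.
// A bare suffix test would also accept "evilcorp.example" for "corp.example"
// and let that host bypass the authenticating proxy.
function inDomain(host, domain) {
  host = host.toLowerCase().replace(/\.$/, ""); // drop a trailing FQDN dot
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

// Entry point that the proxy resolver calls for every request.
function FindProxyForURL(url, host) {
  if (host.indexOf(".") === -1) return "DIRECT"; // plain intranet host name
  for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (inDomain(host, DIRECT_DOMAINS[i])) return "DIRECT";
  }
  // Everything else, including redirected overlay traffic, goes through the
  // downstream proxy that issues the 407 Negotiate challenge.
  return DOWNSTREAM_PROXY;
}
```

The script avoids newer JavaScript syntax so that older PAC engines can evaluate it.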

Browser content redirection Access Control List (ACL) policy settings

Use this setting to configure an Access Control List (ACL) of URLs that can use browser content redirection or are denied access to browser content redirection.

Authorized URLs are the whitelisted URLs whose content is redirected to the client.

The wildcard * is permitted, but it isn’t permitted within the protocol or the domain address part of the URL.

Allowed: http://www.xyz.com/index.html, https://www.xyz.com/*, http://www.xyz.com/*videos*

Not allowed: http://*.xyz.com/

You can achieve better granularity by specifying paths in the URL. For example, if you specify https://www.xyz.com/sports/index.html, only the index.html page is redirected.

By default, this setting is set to https://www.youtube.com/*

For more information, see the Knowledge Center article CTX238236.

Browser content redirection authentication sites

Use this setting to configure a list of URLs. Sites redirected by using browser content redirection use the list to authenticate a user. The setting specifies the URLs for which browser content redirection remains active (redirected) when navigating away from a whitelisted URL.

A classic scenario is a website that relies on an Identity Provider (IdP) for authentication. For example, website www.xyz.com must be redirected to the endpoint, but a third-party IdP, like Okta (www.xyz.okta.com), handles the authentication portion. The administrator uses the browser content redirection ACL configuration policy to whitelist www.xyz.com, and then uses browser content redirection authentication sites to whitelist www.xyz.okta.com.

For more information, see the Knowledge Center article CTX238236.

Browser content redirection blacklist setting

This setting works along with the browser content redirection ACL configuration setting. If URLs are present in the browser content redirection ACL configuration setting and the blacklist configuration setting, the blacklist configuration takes precedence and the browser content of the URL isn’t redirected.

Unauthorized URLs: Specifies the blacklisted URLs whose browser content isn’t redirected to the client, but rendered on the server.

The wildcard * is permitted, but it isn’t permitted within the protocol or the domain address part of the URL.

Allowed: http://www.xyz.com/index.html, https://www.xyz.com/*, http://www.xyz.com/*videos*

Not allowed: http://*.xyz.com/

You can achieve better granularity by specifying paths in the URL. For example, if you specify https://www.xyz.com/sports/index.html, only index.html is blacklisted.
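
The ACL and blacklist rules described above can be checked before a list is deployed. The following is an added example, not Citrix code: it lints entries against the wildcard rule and applies the blacklist-over-ACL precedence. It assumes that `*` matches any run of characters, that a pattern must match the whole URL case-insensitively, and that entries breaking the wildcard rule are ignored; the function names are hypothetical.

```javascript
// Added example, not Citrix code. Assumptions: "*" matches any run of
// characters, a pattern must match the whole URL (case-insensitively), and
// entries that break the wildcard rule are ignored.

// Return null for a usable entry, or the reason the policy text rejects it.
function lintEntry(entry) {
  const m = /^([^:\/]*):\/\/([^\/]*)(\/.*)?$/.exec(entry);
  if (!m) return "not a protocol://domain/path pattern";
  if (m[1].includes("*")) return "wildcard in protocol";
  if (m[2].includes("*")) return "wildcard in domain";
  return null;
}

// Build an anchored RegExp from an entry, escaping everything except "*".
function toRegExp(entry) {
  const body = entry.split("*")
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + body + "$", "i");
}

function matchesAny(url, entries) {
  return entries.some((e) => lintEntry(e) === null && toRegExp(e).test(url));
}

// The blacklist takes precedence over the ACL, as the policy text states.
function decide(url, acl, blacklist) {
  if (matchesAny(url, blacklist)) return "server-render (blacklisted)";
  if (matchesAny(url, acl)) return "redirect-to-client";
  return "server-render (not in ACL)";
}

// Entries taken from the examples on this page; the tested URLs are constructed.
const acl = ["https://www.xyz.com/*", "http://www.xyz.com/*videos*", "http://*.xyz.com/"];
const blacklist = ["https://www.xyz.com/sports/index.html"];

for (const e of acl) console.log(e, "->", lintEntry(e) || "ok");
for (const u of ["https://www.xyz.com/sports/index.html",
                 "https://www.xyz.com/sports/scores.html",
                 "http://cdn.xyz.com/"]) {
  console.log(u, "->", decide(u, acl, blacklist));
}
```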

Browser content redirection proxy setting

Important:

The following settings apply only to 1912 LTSR CU1 or later.

This setting provides configuration options for proxy settings on the VDA for browser content redirection. If enabled with a valid proxy address and port number, PAC / WPAD URL, or Direct/Transparent setting, Citrix Workspace app tries only server fetch and client rendering.

If disabled or not configured and using a default value, Citrix Workspace app tries client fetch and client rendering.

By default, this setting is Prohibited.

Allowed pattern for an explicit proxy:

http://<hostname/ip address>:<port>

Example:

http://proxy.example.citrix.com:80

http://10.10.10.10:8080

Allowed patterns for PAC/WPAD files:

http://<hostname/ip address>:<port>/<path>/<Proxy.pac>

Example: http://wpad.myproxy.com:30/configuration/pac/Proxy.pac

https://<hostname/ip address>:<port>/<path>/<wpad.dat>

Example: http://10.10.10.10/configuration/pac/wpad.dat

Allowed patterns for direct or transparent proxies:

Type the word DIRECT in the policy text box.

Browser content redirection registry key overrides

Warning

Editing the registry incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Registry override options for policy settings:

HKLM\SOFTWARE\Wow6432Node\Citrix\HdxMediastream

Name                                      Type          Value
WebBrowserRedirection                     DWORD         1=Allowed, 0=Prohibited
WebBrowserRedirectionAcl                  REG_MULTI_SZ
WebBrowserRedirectionAuthenticationSites  REG_MULTI_SZ
WebBrowserRedirectionProxyAddress         REG_SZ        http://myproxy.citrix.com:8080 or http://10.10.10.10:8888
WebBrowserRedirectionBlacklist            REG_MULTI_SZ


HDXVideo.js insertion for browser content redirection

[Image: Browser content redirection]

HdxVideo.js is injected on the webpage by using the browser content redirection Chrome extension or the Internet Explorer Browser Helper Object (BHO). The BHO is a plug-in model for Internet Explorer. It provides hooks for browser APIs and allows the plug-in to access the Document Object Model (DOM) of the page to control navigation.

The BHO decides whether to inject HdxVideo.js on a given page. The decision is based on the administrative policies shown in the previous flow chart.

After it decides to inject the JavaScript and redirect browser content to the client, the webpage on the Internet Explorer browser on the VDA is blanked out. Setting the document.body.innerHTML to empty removes the entire body of the webpage on the VDA. The page is ready to be sent to the client to be displayed on the overlay browser (Hdxbrowser.exe) on the client.