Citrix Virtual Apps and Desktops

Rendezvous protocol

In environments that use the Citrix Gateway service, the Rendezvous protocol allows HDX sessions to bypass the Citrix Cloud Connector and connect directly and securely to the Citrix Gateway service. Requirements:

  • Access to environment using Citrix Workspace and Citrix Gateway service.
  • Control Plane: Citrix Virtual Apps and Desktops Service (Citrix Cloud)
  • VDA: Version 1912 or later.
  • Enable the Rendezvous protocol in the Citrix policy. For more information, see Rendezvous protocol policy setting.
  • The VDAs must have access to the resources outlined in the Internet Connectivity Requirements section of the Citrix Cloud documentation (under Virtual Apps and Desktop service).
  • DNS Reverse Lookup Zone with PTR records for the VDAs.
  • On the VDA, configure the SSL Cipher Suite Order. Use the Group Policy Editor or Group Policy Object. Under the Computer Configuration node, go to Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order.

    Select this order:

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256

Important:

The Rendezvous protocol doesn’t support transparent or explicit proxies. To use proxies, continue to use the Cloud Connector for ICA traffic.

If you enable Rendezvous and the VDA can’t reach the Citrix Gateway service directly, the VDA falls back to proxy the HDX session through the Cloud Connector.

If you meet all requirements, follow these steps to validate if Rendezvous is in use:

  1. Launch PowerShell or a command prompt within the HDX session.
  2. Run ctxsession.exe -v.
  3. Note the local address. If Rendezvous is in use, the local address is 0.0.0.0 followed by a 5-digit port number (for example, 0.0.0.0:50343).
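The following PowerShell script is an added example, not Citrix code, that automates the checks above on a VDA: it confirms a PTR record exists for each VDA address, compares the configured SSL Cipher Suite Order against the list given in the requirements, flags a configured WinHTTP proxy (which Rendezvous does not support), and, when run inside an HDX session, inspects the ctxsession.exe -v output for a 0.0.0.0:<5-digit port> local address. It assumes the cipher order was applied through the Group Policy setting (so it sits in the policy registry key), that ctxsession.exe is on the PATH inside the session, and an English-locale netsh output.

```powershell
# Added example (not Citrix code): Rendezvous readiness checks for a VDA.
# Run in an elevated PowerShell on the VDA; Test-RendezvousInUse only gives a
# meaningful answer when run from inside an HDX session.

# Cipher suite order required by the page, in the required order.
$ExpectedCipherOrder = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256'
)

function Test-VdaPtrRecords {
    # Requirement: a reverse lookup zone with a PTR record for each VDA address.
    $results = @()
    $addresses = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }
    foreach ($addr in $addresses) {
        try {
            $ptr = Resolve-DnsName -Name $addr.IPAddress -Type PTR -ErrorAction Stop
            $results += [pscustomobject]@{ Address = $addr.IPAddress; Ptr = ($ptr.NameHost -join ','); Ok = $true }
        } catch {
            $results += [pscustomobject]@{ Address = $addr.IPAddress; Ptr = $null; Ok = $false }
        }
    }
    return $results
}

function Test-CipherSuiteOrder {
    # Assumption: the SSL Cipher Suite Order policy is applied via GPO, which
    # stores it as a comma-separated REG_SZ named 'Functions' under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $value = (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions
    if (-not $value) {
        return [pscustomobject]@{ Configured = $false; MatchesExpected = $false; Actual = @() }
    }
    $actual = @($value -split ',' | ForEach-Object { $_.Trim() })
    # The required suites must come first and in the listed order.
    $prefix = @($actual | Select-Object -First $ExpectedCipherOrder.Count)
    $match = ($prefix.Count -eq $ExpectedCipherOrder.Count) -and
             (-not (Compare-Object -ReferenceObject $ExpectedCipherOrder -DifferenceObject $prefix -SyncWindow 0))
    return [pscustomobject]@{ Configured = $true; MatchesExpected = $match; Actual = $actual }
}

function Test-WinHttpProxy {
    # Rendezvous does not support transparent or explicit proxies; a configured
    # WinHTTP proxy means ICA traffic should stay on the Cloud Connector path.
    # Assumption: English-locale netsh output ("Direct access (no proxy server)").
    $out = (& netsh.exe winhttp show proxy) -join "`n"
    return [pscustomobject]@{ DirectAccess = ($out -match 'Direct access'); Raw = $out }
}

function Test-RendezvousInUse {
    # Inside an HDX session, a local address of 0.0.0.0 followed by a 5-digit
    # port in the ctxsession.exe -v output indicates Rendezvous is in use.
    $cmd = Get-Command ctxsession.exe -ErrorAction SilentlyContinue
    if (-not $cmd) {
        return [pscustomobject]@{ Available = $false; Rendezvous = $false; LocalAddress = $null }
    }
    $out = (& $cmd.Source -v 2>&1) -join "`n"
    $m = [regex]::Match($out, '0\.0\.0\.0:\d{5}')
    $local = if ($m.Success) { $m.Value } else { $null }
    return [pscustomobject]@{ Available = $true; Rendezvous = $m.Success; LocalAddress = $local }
}

# Usage: run all checks and print a summary.
$ptr    = Test-VdaPtrRecords
$cipher = Test-CipherSuiteOrder
$proxy  = Test-WinHttpProxy
$rdv    = Test-RendezvousInUse

$ptr | Format-Table -AutoSize
"Cipher order configured: $($cipher.Configured); matches required order: $($cipher.MatchesExpected)"
"WinHTTP direct access (no proxy): $($proxy.DirectAccess)"
"ctxsession.exe available: $($rdv.Available); Rendezvous in use: $($rdv.Rendezvous); local address: $($rdv.LocalAddress)"
```

A VDA that fails the PTR or cipher-order check, or that has a WinHTTP proxy configured, will silently fall back to proxying the HDX session through the Cloud Connector; running these checks before enabling the policy avoids discovering that only from the ctxsession.exe output later.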

This diagram is an overview of the Rendezvous connection flow. Follow the steps to understand the flow.

[Diagram: Rendezvous protocol overview]

  1. Navigate to Citrix Workspace.
  2. Enter credentials in Citrix Workspace.
  3. If using on-premises Active Directory, Citrix Virtual Apps and Desktops service authenticates credentials with Active Directory using the Cloud Connector channel.
  4. Citrix Workspace displays enumerated resources from the Citrix Virtual Apps and Desktop service.
  5. Select resources from Citrix Workspace. The Citrix Virtual Apps and Desktop service sends a message to the VDA to prepare for an incoming session.
  6. Citrix Workspace sends an ICA file to the endpoint that contains an STA ticket generated by Citrix Cloud.
  7. The endpoint connects to the Citrix Gateway service, provides the ticket to connect to the VDA, and Citrix Cloud validates the ticket.
  8. The Citrix Gateway service sends connection information to the Cloud Connector. The Cloud Connector determines if the connection is supposed to be a Rendezvous connection and sends the information to the VDA.
  9. The VDA establishes a direct connection to the Citrix Gateway service.
  10. If a direct connection between the VDA and the Citrix Gateway service isn’t possible, the VDA proxies its connection through the Cloud Connector.
  11. The Citrix Gateway service establishes a connection between the endpoint device and the VDA.
  12. The VDA verifies its license with the Citrix Virtual Apps and Desktop service through the Cloud Connector.
  13. The Citrix Virtual Apps and Desktop service sends session policies to the VDA through the Cloud Connector. Those policies are applied.
