Citrix Virtual Apps and Desktops

ICA policy settings

Adaptive transport

This setting allows or prevents data transport over EDT as the primary protocol, with fallback to TCP.

By default, adaptive transport is enabled (Preferred), and EDT is used when possible, with fallback to TCP. If it’s been disabled and you want to enable it, follow this procedure.

  1. In Studio, enable the policy setting HDX adaptive transport. We recommend that you do not enable this feature as a universal policy for all objects in the Site.
  2. To enable the policy setting, set the value to Preferred, then click OK.

Preferred. Adaptive transport over EDT is used when possible, with fallback to TCP.

Diagnostic mode. EDT is forced on and fallback to TCP is disabled. We recommend this setting only for troubleshooting.

Off. TCP is forced on, and EDT is disabled.

For more information, see Adaptive transport.

Application launch wait timeout

This setting specifies the wait timeout value in milliseconds for a session to wait for the first application to start. If the start of the application exceeds this time period, the session ends.

You can choose the default time (10,000 milliseconds) or specify a number in milliseconds.

Client clipboard redirection

This setting allows or prevents the clipboard on the user device being mapped to the clipboard on the server.

By default, clipboard redirection is allowed.

To prevent cut-and-paste data transfer between a session and the local clipboard, select Prohibit. Users can still cut and paste data between applications running in sessions.

After allowing this setting, configure the maximum allowed bandwidth the clipboard can consume in a client connection. Use the Clipboard redirection bandwidth limit or the Clipboard redirection bandwidth limit percent settings.

Client clipboard write allowed formats

When the Restrict client clipboard write setting is Enabled, host clipboard data cannot be shared with the client endpoint. You can use this setting to allow specific data formats to be shared with the client endpoint clipboard. To use this setting, enable it and add the specific formats to be allowed.

The following clipboard formats are system defined:

  • CF_TEXT
  • CF_BITMAP
  • CF_METAFILEPICT
  • CF_SYLK
  • CF_DIF
  • CF_TIFF
  • CF_OEMTEXT
  • CF_DIB
  • CF_PALETTE
  • CF_PENDATA
  • CF_RIFF
  • CF_WAVE
  • CF_UNICODETEXT
  • CF_ENHMETAFILE
  • CF_HDROP
  • CF_LOCALE
  • CF_DIBV5
  • CF_OWNERDISPLAY
  • CF_DSPTEXT
  • CF_DSPBITMAP
  • CF_DSPMETAFILEPICT
  • CF_DISPENHMETAFILE
  • CF_HTML

The following custom formats are predefined in XenApp and XenDesktop and Citrix Virtual Apps and Desktops:

  • CFX_RICHTEXT
  • CFX_OfficeDrawingShape
  • CFX_BIFF8
  • CFX_FILE

HTML format is disabled by default. To enable this feature:

  • Ensure that Client clipboard redirection is set to Allowed.
  • Ensure that Restrict client clipboard write is set to Enabled.
  • Add an entry for CF_HTML (and any other formats you want supported) in Client clipboard write allowed formats.

You can add more custom formats. The custom format name must match the formats to be registered with the system. Format names are case-sensitive.

This setting does not apply if the Client clipboard redirection policy is set to Prohibited or the Restrict client clipboard write policy is set to Disabled.

Note:

Enabling HTML format clipboard copy support (CF_HTML) copies any scripts from the source of the copied content to the destination. Check that you trust the source before proceeding to copy. If you do copy content containing scripts, they are live only if you save the destination file as an HTML file and execute it.

Limit clipboard client to session transfer size

This setting specifies the maximum size of clipboard data a user can transfer from a client endpoint to a virtual session during a single cut-and-paste operation.

To limit clipboard transfer size, enable the Limit clipboard client to session transfer size setting. Then, in the Size Limit field, enter a value in kilobytes to define the size of data transfer between the local clipboard and a session.

By default, this setting is disabled and there is no limit on client to session transfers.

Limit clipboard session to client transfer size

This setting specifies the maximum size of clipboard data a user can transfer from a virtual session to a client endpoint during a single cut-and-paste operation.

To limit clipboard transfer size, enable the Limit clipboard session to client transfer size setting. Then, in the Size Limit field, enter a value in kilobytes to define the size of data transfer between a session and the local clipboard.

By default, this setting is disabled and there is no limit on session to client transfers.

Restrict client clipboard write

If this setting is Enabled, host clipboard data cannot be shared with the client endpoint. You can allow specific formats by enabling the Client clipboard write allowed formats setting.

By default, this setting is Disabled.

Restrict session clipboard write

When this setting is Enabled, client clipboard data cannot be shared within the user session. You can allow specific formats by enabling the Session clipboard write allowed formats setting.

By default, this setting is Disabled.

Session clipboard write allowed formats

When the Restrict session clipboard write setting is Enabled, client clipboard data cannot be shared with session applications. You can use this setting to allow specific data formats to be shared with the session clipboard.

The following clipboard formats are system defined:

  • CF_TEXT
  • CF_BITMAP
  • CF_METAFILEPICT
  • CF_SYLK
  • CF_DIF
  • CF_TIFF
  • CF_OEMTEXT
  • CF_DIB
  • CF_PALETTE
  • CF_PENDATA
  • CF_RIFF
  • CF_WAVE
  • CF_UNICODETEXT
  • CF_ENHMETAFILE
  • CF_HDROP
  • CF_LOCALE
  • CF_DIBV5
  • CF_OWNERDISPLAY
  • CF_DSPTEXT
  • CF_DSPBITMAP
  • CF_DSPMETAFILEPICT
  • CF_DISPENHMETAFILE
  • CF_HTML

The following custom formats are predefined in XenApp and XenDesktop and Citrix Virtual Apps and Desktops:

  • CFX_RICHTEXT
  • CFX_OfficeDrawingShape
  • CFX_BIFF8

HTML format is disabled by default. To enable this feature:

  • Ensure that Client clipboard redirection is set to Allowed.
  • Ensure that Restrict session clipboard write is set to Enabled.
  • Add an entry for CF_HTML (and any other formats you want supported) in Session clipboard write allowed formats.

You can add more custom formats. The custom format name must match the formats to be registered with the system. Format names are case-sensitive.

This setting does not apply if the Client clipboard redirection policy is set to Prohibited or the Restrict session clipboard write policy is set to Disabled.

Note:

Enabling HTML format clipboard copy support (CF_HTML) copies any scripts from the source of the copied content to the destination. Check that you trust the source before proceeding to copy. If you do copy content containing scripts, they are live only if you save the destination file as an HTML file and execute it.
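
The clipboard settings above (redirection, the two Restrict settings, their allowed formats lists, and the two transfer size limits) combine into one decision per cut-and-paste operation. The following is an added example that models that decision as this page describes it; it is not Citrix code, and the class, function, and direction names, plus the choice to refuse oversize transfers, are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional

# Direction labels are names chosen for this example, not Citrix identifiers.
TO_CLIENT, TO_SESSION = "session->client", "client->session"

@dataclass(frozen=True)
class ClipboardPolicy:
    redirection_allowed: bool = True           # Client clipboard redirection
    restrict_client_write: bool = False        # Restrict client clipboard write
    client_formats: frozenset = frozenset()    # Client clipboard write allowed formats
    restrict_session_write: bool = False       # Restrict session clipboard write
    session_formats: frozenset = frozenset()   # Session clipboard write allowed formats
    to_client_limit_kb: Optional[int] = None   # None = limit setting disabled
    to_session_limit_kb: Optional[int] = None

def evaluate(p, direction, fmt, size_kb):
    """Return (allowed, reason) for one cut-and-paste operation."""
    if not p.redirection_allowed:
        return False, "Client clipboard redirection is Prohibited"
    sides = {TO_CLIENT: (p.restrict_client_write, p.client_formats, p.to_client_limit_kb),
             TO_SESSION: (p.restrict_session_write, p.session_formats, p.to_session_limit_kb)}
    restricted, formats, limit = sides[direction]   # KeyError on an unknown direction
    if restricted and fmt not in formats:      # exact match: names are case-sensitive
        return False, f"{fmt} is not in the allowed formats list"
    if not restricted and fmt == "CF_HTML":    # HTML stays off unless explicitly listed
        return False, "CF_HTML needs Restrict = Enabled plus an allow-list entry"
    if limit is not None and size_kb > limit:  # assumption: oversize transfers are refused
        return False, f"{size_kb} KB exceeds the {limit} KB limit"
    return True, "allowed"

def review(p):
    """Return findings worth raising when this policy is reviewed."""
    findings = []
    sides = (("client", p.restrict_client_write, p.client_formats),
             ("session", p.restrict_session_write, p.session_formats))
    for name, restricted, formats in sides:
        if formats and (not restricted or not p.redirection_allowed):
            findings.append(f"{name}: allowed formats list has no effect")
        elif "CF_HTML" in formats:
            findings.append(f"{name}: CF_HTML allowed, scripts in copied content are carried over")
    return findings

# Constructed sample policy: text may leave the session, HTML may enter it.
SAMPLE = ClipboardPolicy(
    restrict_client_write=True, client_formats=frozenset({"CF_TEXT", "CF_UNICODETEXT"}),
    restrict_session_write=True, session_formats=frozenset({"CF_UNICODETEXT", "CF_HTML"}),
    to_client_limit_kb=64)
```
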

Desktop starts

This setting allows or prevents connections to a session on that VDA using an ICA connection by non-administrative users in a VDA Direct Access Users group.

By default, non-administrative users cannot connect to these sessions.

This setting doesn’t affect non-administrative users in a VDA Direct Access Users group who are using an RDP connection. These users can connect to the VDA whether this setting is enabled or disabled. This setting doesn’t affect non-administrative users who are not in a VDA Direct Access Users group. These users cannot connect to the VDA whether this setting is enabled or disabled.

FIDO2 redirection

This setting enables or disables FIDO2 redirection. FIDO2 redirection lets users take advantage of the local endpoint FIDO2 components in a virtual machine. Users can authenticate in their virtual session by using FIDO2 security keys or integrated biometrics on devices that have TPM 2.0 and Windows Hello.

When this setting is Allowed, users can perform FIDO2 authentication by using the local endpoint capabilities. By default, this setting is Allowed.

FIDO2 redirection can also be enabled or disabled on client endpoints by configuring the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\

Name: FIDO2

Type: REG_DWORD

Value: 1

Set the value to 0 to disable the feature and 1 to enable it. By default, the feature is enabled.

Caution:

Editing the registry incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

ICA listener connection timeout

This setting specifies the maximum wait time for a connection using the ICA protocol to be completed.

By default, the maximum wait time is 120,000 milliseconds, or two minutes.

ICA listener port number

This setting specifies the TCP/IP port number used by the ICA protocol on the server.

By default, the port number is set to 1494.

Valid port numbers must be in the range of 0-65535 and must not conflict with other well-known port numbers. If you change the port number, restart the server for the new value to take effect. If you change the port number on the server, you must also change it on every Citrix Workspace app or plug-in that connects to the server.

Keyboard and Input Method Editor (IME)

This setting enables or disables dynamic keyboard layout synchronization, Input Method Editor (IME), and Unicode keyboard layout mapping, and hides or shows the keyboard layout switch notification dialog message.

  1. In Studio, select Keyboard and IME.
  2. Select Client keyboard layout synchronization and IME improvement to control the dynamic keyboard layout synchronization and generic client Input Method Editor (IME) features in the VDA. You can configure:

    Disabled - disables dynamic keyboard layout synchronization and generic client Input Method Editor (IME).

    Support dynamic client keyboard layout synchronization - enables dynamic keyboard layout synchronization.

    Support dynamic client keyboard layout synchronization and IME improvement - enables both dynamic keyboard layout synchronization and generic client Input Method Editor (IME).

  3. Select Enable Unicode keyboard layout mapping to enable or disable Unicode keyboard mapping.
  4. Select Hide keyboard layout switch pop-up message box to control whether or not a message appears, indicating that the keyboard layout is synchronizing when the user changes the client keyboard layout. If you prevent the message from appearing, the users need to wait for a few moments before typing to avoid incorrect character input.

Default settings:

  • Client keyboard layout synchronization and IME improvement
    • Disabled in Windows Server 2016 and Windows Server 2019.
    • Support dynamic client keyboard layout synchronization and IME improvement in Windows Server 2012 and Windows 10.
  • Disable Unicode keyboard layout mapping
  • Show keyboard layout switch pop-up message box

This policy replaces the registry settings that are listed in the Description section of the policy settings.

Logoff checker startup delay

This setting specifies the duration to delay the logoff checker startup. Use this policy to set the time (in seconds) that a client session waits before disconnecting the session.

This setting also increases the time it takes for a user to log off from the server.

Loss tolerant mode

Important:

  • The feature requires a minimum of Citrix Workspace app 2002 for Windows. This version of the VDA will support it when it becomes available.

  • Loss tolerant mode is not supported on Citrix Gateway or Citrix Gateway Service. This mode is available only with direct connections.

This setting enables or disables loss tolerant mode.

By default, loss tolerant mode is Allowed.

When allowed, the mode is entered when the packet loss and latency are above a threshold. You can set the thresholds using the loss tolerant thresholds policy.

For more information, see Loss tolerant mode.

Loss tolerant thresholds

When the loss tolerant mode is available, this setting specifies the network metrics thresholds at which the session switches to loss tolerant mode.

The default thresholds are:

  • Packet loss: 5%
  • Latency: 300 ms (RTT)

For more information, see Loss tolerant mode.

Rendezvous protocol

This setting changes how HDX sessions are proxied when using the Citrix Gateway Service. When enabled, HDX traffic no longer flows through the Citrix Cloud Connector. Instead, the VDA establishes an outbound connection directly to the Citrix Gateway Service (enhancing Cloud Connector scalability).

Important:

This feature is controlled by a feature toggle in Citrix Cloud and an HDX policy setting. The Citrix Cloud feature toggle is enabled by default while the HDX setting is disabled by default. The HDX setting affects only HDX sessions established through the Citrix Gateway Service. This setting does not affect sessions established directly between client and VDA or through an on-premises Citrix Gateway.

For more information, see Rendezvous protocol.

Rendezvous proxy configuration

This setting allows you to configure an explicit proxy for use with the Rendezvous protocol. If using a transparent proxy, this setting does not need to be enabled.

By default, this setting is disabled.

When disabled, the VDA doesn’t route outbound traffic through any non-transparent proxies when trying to establish a Rendezvous connection with the Gateway Service.

When enabled, the VDA attempts to establish a Rendezvous connection with the Gateway Service through the proxy defined in this setting.

The VDA supports using HTTP and SOCKS5 proxies for Rendezvous connections. To configure the VDA to use a proxy for the Rendezvous connection, you must enable this setting and specify either the address of the proxy or the path to the PAC file. For example:

  • Proxy address: http://<URL or IP>:<port> or socks5://<URL or IP>:<port>
  • PAC file: http://<URL or IP>/<path>/<filename>.pac

    VDA version 2103 is the minimum supported version for proxy configuration with a PAC file. For more information on the PAC file schema for SOCKS5 proxies, see Proxy configuration.

Note:

Only SOCKS5 proxies support data transport through EDT. For an HTTP proxy, use TCP as transport protocol for ICA.

For more information, see Rendezvous protocol.
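
A pre-deployment check for the Rendezvous proxy value, written as an added example (not Citrix code) from the forms and constraints listed above. The function names, the YYMM integer encoding of the VDA version, and the sample hosts are assumptions; the Diagnostic mode conflict is an inference from this page's adaptive transport and proxy notes.

```python
from urllib.parse import urlsplit

def check_rendezvous_proxy(value, vda_version, adaptive_transport="Preferred"):
    """Classify a Rendezvous proxy configuration value and list problems.

    vda_version is the YYMM release as an integer (for example 2103); that
    encoding and this function's name are assumptions of the example.
    """
    url = urlsplit(value)
    problems = []
    if url.scheme not in ("http", "socks5"):
        return "invalid", [f"scheme {url.scheme!r} is not http or socks5"]
    try:
        port = url.port
    except ValueError:          # non-numeric or outside 0-65535
        return "invalid", ["port is not a number in 0-65535"]
    if url.scheme == "http" and url.path.endswith(".pac"):
        kind = "pac"
        if vda_version < 2103:
            problems.append("PAC file needs VDA 2103 or later")
    else:
        kind = url.scheme
        if not url.hostname or port is None:
            problems.append("proxy address needs both host and port")
        if url.path not in ("", "/"):
            problems.append("path is not part of the documented proxy address form")
    # Inference from the page: an HTTP proxy carries ICA over TCP only, while
    # Diagnostic mode forces EDT and disables the TCP fallback.
    if kind == "http" and adaptive_transport == "Diagnostic mode":
        problems.append("HTTP proxy cannot carry EDT, and Diagnostic mode has no TCP fallback")
    return kind, problems

def edt_possible(kind):
    """True or False when the page settles it, None when it does not (PAC, invalid)."""
    return {"socks5": True, "http": False}.get(kind)

# Constructed sample values; the host names are placeholders.
SAMPLES = [
    "socks5://proxy.example.internal:1080",
    "http://proxy.example.internal:3128",
    "http://proxy.example.internal/cfg/rendezvous.pac",
]
```
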

Starting of non-published programs during client connection

This setting specifies whether to allow starting initial applications through RDP on the server.

By default, starting initial applications through RDP on the server is not allowed.

Tablet mode toggle policy settings

Tablet mode toggle optimizes the look and behavior of Store apps, Win32 apps, and the Windows shell on the VDA. It does so by automatically toggling the virtual desktop to Tablet mode when connecting from small form factor devices like phones and tablets, or any touch enabled device.

If this policy is disabled, the VDA is in the mode the user sets it to and maintains the same mode throughout, irrespective of the type of client.