Citrix Virtual Apps and Desktops

HDX Direct (Tech preview)

When accessing Citrix-delivered resources, HDX Direct allows client devices to establish a secure direct connection with the VDA if there is a direct line of sight.

Important:

HDX Direct is currently in tech preview. To submit feedback or report issues, use this form.

Requirements

The following are the requirements for using HDX Direct:

  • Control plane

    • Citrix DaaS
    • Citrix Virtual Apps and Desktops 2303 or later
  • Virtual Delivery Agent (VDA)

    • Windows: version 2303 or later
  • Workspace app

    • Windows: version 2303 or later
  • Access tier

    • Citrix Workspace
    • Citrix Gateway Service
    • NetScaler Gateway
  • Firewall

    • VDA machine

      • TCP 443 inbound (ICA over TCP)
      • UDP 443 inbound (ICA over EDT)
    • Network

      Protocol   Port   Source   Destination
      TCP        443    Client   VDA
      UDP        443    Client   VDA
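The following PowerShell is an added example, not code from the Citrix documentation: it creates the two inbound rules on a VDA and then lists every enabled rule that actually opens local port 443, together with its remote-address scope. The rule display names and the client subnet in $clientSubnets are assumptions; run it in an elevated session on the VDA.

```powershell
# Added example (not Citrix code): open TCP/UDP 443 inbound on the VDA for HDX Direct.
# Run elevated on the VDA. Rule names and the client subnet are assumptions.

# Least privilege: scope the rules to the subnets your Workspace app clients use
# rather than to any remote address. Replace with your real client ranges.
$clientSubnets = @('10.0.0.0/8')

$rules = @(
    @{ Name = 'HDX Direct - ICA over TCP 443';     Protocol = 'TCP' },
    @{ Name = 'HDX Direct - ICA over EDT UDP 443'; Protocol = 'UDP' }
)

foreach ($r in $rules) {
    # Idempotent: skip creation when a rule with this display name already exists.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound `
            -Protocol $r.Protocol -LocalPort 443 -RemoteAddress $clientSubnets `
            -Action Allow -Profile Domain | Out-Null
        "Created rule: $($r.Name)"
    }
}

# Verification: every enabled inbound allow rule that opens local port 443 on TCP
# or UDP, with its remote-address scope, so an accidental 'Any' scope is visible.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    if (($pf.Protocol -in @('TCP', 'UDP')) -and ($pf.LocalPort -contains '443')) {
        $af = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            DisplayName   = $_.DisplayName
            Protocol      = $pf.Protocol
            LocalPort     = ($pf.LocalPort -join ',')
            RemoteAddress = ($af.RemoteAddress -join ',')
            Profile       = $_.Profile
        }
    }
}
```

The rules are bound to the Domain profile because VDAs are normally domain-joined; widen the -Profile value if your VDAs sit in a different profile. If a third-party rule already opens 443 to any address, it shows up in the verification output and is the one to tighten.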

Configuration

HDX Direct is disabled by default. You can configure this feature using the HDX Direct setting in Citrix policy.

  • Allowed: HDX Direct is enabled and attempts to establish a direct connection to the session host when a session is connected.
  • Prohibited: The default setting. HDX Direct is disabled and prevents the client from attempting to connect directly to the session host when connected through a Gateway.

To confirm that HDX Direct successfully established a direct connection, use the CtxSession.exe utility on the VDA machine.

To use the CtxSession.exe utility, launch a Command Prompt or PowerShell within the session and run ctxsession.exe -v. If an HDX Direct connection was successfully established, you will see the following:

  • Transport protocol

    • UDP > DTLS > CGP > ICA (if using EDT)
    • TCP > SSL > CGP > ICA (if using TCP)
  • Remote Address and Client Address are the same

    [Screenshot: ctxsession.exe -v output showing HDX Direct remote and client address]
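The check above can be scripted. The PowerShell below is an added example, not a Citrix utility: it parses the text that ctxsession.exe -v prints and reports whether the session is on a direct connection by applying the two criteria from this section. The exact line labels ("Transport Protocols", "Remote Address", "Client Address") are assumptions about the utility's output, and the two sample outputs at the end are constructed for illustration; adjust the patterns to what your VDA version prints.

```powershell
# Added example (not Citrix code): decide from ctxsession.exe -v output whether the
# session runs over HDX Direct. Line labels are assumptions; samples are constructed.

function Test-HdxDirectSession {
    param([string[]]$Lines)

    $transport = $Lines | Where-Object { $_ -match '(?i)transport\s+protocol' } | Select-Object -First 1
    $remote    = $Lines | Where-Object { $_ -match '(?i)^\s*remote address'  } | Select-Object -First 1
    $client    = $Lines | Where-Object { $_ -match '(?i)^\s*client address'  } | Select-Object -First 1

    # Pull the IPv4 address out of each line, ignoring any trailing :port.
    $ipPattern = '(\d{1,3}(?:\.\d{1,3}){3})'
    $remoteIp  = if ($remote -match $ipPattern) { $Matches[1] } else { $null }
    $clientIp  = if ($client -match $ipPattern) { $Matches[1] } else { $null }

    # Through a Gateway the Remote Address is the Gateway hop, not the client;
    # HDX Direct is established only when both addresses are the same.
    $direct = [bool]($remoteIp -and $clientIp -and ($remoteIp -eq $clientIp))

    [pscustomobject]@{
        Transport = $transport
        RemoteIp  = $remoteIp
        ClientIp  = $clientIp
        UsesEdt   = [bool]($transport -match '(?i)DTLS')   # UDP > DTLS > CGP > ICA
        HdxDirect = $direct
    }
}

# Live check: run inside the HDX session on the VDA.
if (Get-Command ctxsession.exe -ErrorAction SilentlyContinue) {
    $out = & ctxsession.exe -v 2>&1 | ForEach-Object { [string]$_ }
    Test-HdxDirectSession -Lines $out
}

# Constructed samples (not real utility output): a direct EDT session, and a
# session still relayed through the Gateway where the addresses differ.
$sampleDirect = @(
    'Transport Protocols: UDP > DTLS > CGP > ICA',
    'Remote Address:      192.0.2.25:49250',
    'Client Address:      192.0.2.25'
)
$sampleGateway = @(
    'Transport Protocols: TCP > SSL > CGP > ICA',
    'Remote Address:      198.51.100.10:61234',
    'Client Address:      192.0.2.25'
)
Test-HdxDirectSession -Lines $sampleDirect
Test-HdxDirectSession -Lines $sampleGateway
```

The address comparison is the decisive check: a TLS or DTLS transport on its own does not prove a direct connection, because the relayed path is encrypted as well.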

Considerations

The following are considerations for using HDX Direct:

  • When using non-persistent machines for your virtual apps and desktops, do not enable HDX Direct in the master/template image to avoid generating certificates for the master virtual machine (VM).

How it works

HDX Direct allows clients to establish a direct connection to the session host when direct communication is available. When direct connections are made using HDX Direct, network-level encryption (TLS/DTLS) is used to secure them, leveraging self-signed certificates.

There are three stages that cover different parts of the feature: pre-launch, launch, and post-launch.

Pre-launch stage

This is the initial stage, which covers certificate creation and management. These tasks are handled by the following services on the VDA machine, both of which are set to run automatically at machine startup:

  • Citrix ClxMtp Service: responsible for CA certificate generation and rotation.
  • Citrix Certificate Manager Service: responsible for generating and managing the self-signed root CA certificate, the machine certificates’ keys, and the machine certificates.

The following is an overview of the certificate management process:

  1. The services start at machine startup.
  2. Citrix ClxMtp Service creates keys if none have been created already.
  3. Citrix Certificate Manager Service checks if HDX Direct is enabled. If not, the service stops itself.
  4. If HDX Direct is enabled, Citrix Certificate Manager Service checks if a self-signed root CA certificate exists. If not, a self-signed root certificate is created.
  5. Once a root CA certificate is available, the Citrix Certificate Manager Service checks if a self-signed machine certificate exists. If not, the service generates keys and creates a new certificate using the machine’s FQDN.
  6. If there is an existing machine certificate created by the Citrix Certificate Manager Service and the subject name does not match the machine’s FQDN, a new certificate is generated.

Note:

The Citrix Certificate Manager Service generates RSA certificates that leverage 2048-bit keys.
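To confirm that the pre-launch stage completed on a VDA, the PowerShell below, added here as an example and not part of the Citrix product, reports the state of the two services and looks for the certificate pair this section describes: a self-signed root (Subject equal to Issuer) and a machine certificate issued by that root whose CN is the machine FQDN and whose RSA key is 2048 bits. The certificate stores it reads (Cert:\LocalMachine\Root and Cert:\LocalMachine\My) are assumptions, since the page does not say where the services keep their certificates.

```powershell
# Added example (not Citrix code): inspect HDX Direct pre-launch state on a VDA.
# Store locations are assumptions; the checked relationships follow the page text.

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

foreach ($name in 'Citrix ClxMtp Service', 'Citrix Certificate Manager Service') {
    $s = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    # The Certificate Manager Service stops itself when HDX Direct is not enabled,
    # so Stopped here usually means the policy is still Prohibited.
    $state = if ($s) { "$($s.Status) / $($s.StartType)" } else { 'not installed' }
    '{0,-36} {1}' -f $name, $state
}

function Get-RsaKeySize([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($c)
    if ($rsa) { $rsa.KeySize } else { 0 }   # 0 when the key is not RSA
}

$cnPattern = "CN=$([regex]::Escape($fqdn))(,|$)"

# Self-signed roots: Subject equals Issuer.
$roots = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $_.Issuer }

# Machine certificate: CN is the FQDN and the issuer is one of those self-signed roots.
$machine = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    ($_.Subject -match $cnPattern) -and ($_.Issuer -in @($roots.Subject))
}

foreach ($m in $machine) {
    $size = Get-RsaKeySize $m
    [pscustomobject]@{
        Subject    = $m.Subject
        Issuer     = $m.Issuer
        NotAfter   = $m.NotAfter
        Thumbprint = $m.Thumbprint
        KeySize    = $size
        RsaOk      = ($size -ge 2048)
        FqdnMatch  = [bool]($m.Subject -match $cnPattern)   # step 6: mismatch triggers regeneration
    }
}
if (-not $machine) { "No machine certificate for $fqdn issued by a self-signed root was found." }
```

A machine that also holds a domain-enrolled certificate with the same CN produces more than one row; the Issuer column tells the two apart. On a master image for non-persistent machines the expected result before sealing is no rows at all, which is the condition the Considerations section asks you to preserve.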

Launch stage

To successfully establish a secure HDX Direct connection, the client must trust the certificates used to secure the session. To facilitate this, the VDA sends the Broker its certificate information when a session is being brokered. Subsequently, the Broker sends this information to Workspace to include in the ICA file that is sent to the client to launch the session.

Post-launch stage

Once a session is brokered successfully, the session is launched. The following is an overview of the HDX Direct connection process:

[Diagram: HDX Direct connection process]

  1. The client establishes a connection with the VDA through the Gateway Service.
  2. Upon a successful connection, the VDA sends the VDA machine’s FQDN and a list of its IP addresses to the client.
  3. The client probes the IP addresses to see if it can reach the VDA directly.
  4. If the client is able to reach the VDA directly with any of the shared IP addresses, the client establishes a secure direct connection with the VDA.
  5. Once the direct connection is successfully established, the session transfers to the new connection and the connection to the Gateway Service ends.
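Steps 2 to 4 can be reproduced from the client side when a session stays on the Gateway and you want to know why. The PowerShell below is an added example, not part of Workspace app: given the list of VDA addresses (here a constructed list standing in for what the VDA shares in step 2), it attempts a TCP connection to port 443 on each with a short timeout and reports which addresses have line of sight. Only TCP is probed; a plain socket test cannot exercise EDT over UDP 443, so a reachable TCP port shows line of sight for ICA over TCP only.

```powershell
# Added example (not Citrix code): probe the VDA addresses a client would receive
# and report which one is directly reachable on TCP 443. Address list is constructed.

function Test-VdaLineOfSight {
    param(
        [Parameter(Mandatory)][string[]]$Addresses,
        [int]$Port = 443,
        [int]$TimeoutMs = 2000
    )
    foreach ($ip in $Addresses) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $ok = $false
        try {
            # A bounded wait matters: VDAs often list addresses that are only valid
            # inside the hypervisor network, and those simply never answer.
            $task = $tcp.ConnectAsync($ip, $Port)
            $ok = $task.Wait($TimeoutMs) -and $tcp.Connected
        } catch {
            $ok = $false   # connection refused or reset by a firewall
        } finally {
            $tcp.Dispose()
        }
        [pscustomobject]@{ Address = $ip; Port = $Port; Reachable = [bool]$ok }
    }
}

# Constructed stand-in for the address list the VDA sends in step 2.
$vdaAddresses = @('10.20.30.40', '192.168.56.10', '172.16.5.9')

$results = Test-VdaLineOfSight -Addresses $vdaAddresses
$results | Format-Table -AutoSize

# Step 4: the first reachable address is the one a direct connection would use;
# with none reachable the session stays on the Gateway Service (step 5 never happens).
$first = $results | Where-Object Reachable | Select-Object -First 1
if ($first) { "Direct path available via $($first.Address):$($first.Port)" }
else        { 'No direct path; session would remain on the Gateway.' }
```

When the probe succeeds but ctxsession.exe -v still shows different Remote and Client addresses, check the UDP 443 path and the Rendezvous setting listed under Known issues before looking at the client.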

Known issues

The following are known issues with HDX Direct:

  • The HDX Direct connection may fail when Rendezvous is disabled.
  • The HDX Direct connection may fail when launching sessions from an on-prem Citrix Virtual Apps and Desktops 2303 site.
  • Workspace app may crash if the VDA is running on Windows 11.