Citrix Virtual Apps and Desktops

Bidirectional content redirection policy settings

The Bidirectional Content Redirection section has policy settings to enable or disable the client-to-VDA and VDA-to-client URL redirection.

Server policies are set in Studio. Starting with the Citrix Workspace app version 2311, this setting replaces the following three legacy settings in Studio which are deprecated:

  • Allow bidirectional content redirection
  • Allowed URLs to be redirected to VDA
  • Allowed URLs to be redirected to client

It also replaces the following three local GPO settings on Windows clients:

  • Bidirectional content redirection
  • Bidirectional content redirection overrides
  • OAuth redirection

If this setting is enabled, the client-to-VDA settings are sent to the client upon connecting to a published app or desktop to configure bidirectional content redirection.

If this setting is configured, it takes precedence over the legacy settings in Studio and on the client.

Client policies must not be set if the VDA and DDC are running version 2311 or later. Otherwise, client policies are set from the Citrix Workspace app Group Policy Object administration template.

Citrix offers host-to-client redirection and Local App Access for client-to-URL redirection. However, Citrix recommends that you use bidirectional content redirection for domain-joined Windows clients.

Citrix recommends using the new UI in Web Studio to configure the feature instead of the Desktop Studio.

Wildcard redirection

Bidirectional content redirection supports the use of wildcards when defining the URLs to be redirected. For more details and to configure bidirectional content redirection, see the Configuration instructions. In Web Studio, set the wildcard URL by editing the JSON string as a value in the url key in the hostToClientUrls array or the clientToHostUrls array.

Note:

  • To avoid infinite loops, don’t set the same URL in both hostToClientUrls and clientToHostUrls.
  • Wildcards in top-level domains are not supported. For example, https://www.citrix.* or http://www.citrix.co* is not redirected.

Bidirectional content redirection configuration

To configure bidirectional content redirection, create a JSON string with the following format:

{
  "version": 1,
  "hostToClientConfig": [
    {
      "hostToClientUrls": [
        {
          "url": "http://www.citrix.com/*"
        },
        {
          "url": "www.example.com"
        },
        {
          "url": "https://login.example.org/*",
          "oAuthRedirectionPattern": "https://login.example.org/oauth2?.*",
          "oAuthScheme": "idm.desktop-authentication"
        }
      ]
    }
  ],
  "clientToHostConfig": [
    {
      "publishedAppOrDesktopNameType": "Desktop",
      "publishedAppOrDesktopName": "Win11Desktop",
      "clientToHostUrls": [
        "https://www.example.net",
        "https://*.citrix.example"
      ]
    },
    {
      "publishedAppOrDesktopNameType": "Application",
      "publishedAppOrDesktopName": "Chrome",
      "clientToHostUrls": [
        "https://tibco.example"
      ]
    }
  ]
}

Edit setting

The following parameters must be set:

  • version: (Required) Set to 1.

  • For VDA-to-client URL redirection, create a single hostToClientConfig.

  • hostToClientUrls: (Required) List of URLs to be redirected from host (VDA) to client. Wildcards are allowed. If * is specified, then clientToHostConfig must be specified with publishedAppOrDesktopNameType, an empty publishedAppOrDesktopName, and an empty clientToHostUrls.

OAuth redirection

OAuth redirection enables you to use the client endpoint browser to authenticate and send the token back to the VDA.

Benefits:

  • You can avoid storing these credentials in the hosted environment.
  • You can use biometric capabilities that are available on the endpoint and not on the VDA.

To configure OAuth redirection for the URL, specify the following parameters:

  • oAuthRedirectionPattern: (Optional) URL regular expression. When a URL that matches it is redirected to the client via VDA-to-client URL redirection, it is tracked as the start of an OAuth authentication flow. When the flow completes (detected by the resulting scheme or redirect URL pattern being opened), the resulting URL is redirected back into the host VDA that initiated the flow.
  • oAuthScheme: (Optional) If a scheme is specified, the terminating URL is expected to be in the form <scheme>://<something>. If the scheme is not specified (empty), the original resulting URL pattern is extracted from the pattern through a regular expression capture group (which must be specified in the pattern), and the original URL is rewritten to use a citrix-oauth-redir:// redirect URL. When the flow completes, the original redirect URL is then redirected back into the host (VDA). In this case, any OAuth authorization server must be configured to allow citrix-oauth-redir://byIndex/1 (2, 3, ... N) redirect URLs.

For a client-to-VDA redirection, create clientToHostConfig for each resource to redirect. For each resource, include the following parameters:

  • publishedAppOrDesktopNameType: (Required) Either a published desktop (“Desktop”) or a published application (“Application”) configured in Studio. If the resource is not valid, redirection does not function correctly.
  • publishedAppOrDesktopName: (Required) Resource name as configured in Studio.
  • clientToHostUrls: (Required) List of URLs to be redirected from client to host (VDA). Wildcards are allowed.
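
A lint pass to run over the JSON string before pasting it into the policy, checking the rules stated on this page: the version value, the same URL set in both directions, wildcards in the top-level domain, the * case, and the capture group needed when oAuthScheme is empty. This is an added example, not Citrix code; the function names and messages are hypothetical, and it assumes Python's re module parses the pattern closely enough to count capture groups.

```python
import json
import re

ALLOWED_TYPES = {"Desktop", "Application"}

def _url(entry):
    # The page's sample uses {"url": ...} objects in one array, bare strings in the other.
    return (entry["url"] if isinstance(entry, dict) else entry).lower()

def _tld_wildcard(url):
    # True for www.citrix.* or www.citrix.co*: a wildcard in the last host label.
    host = url.split("://", 1)[-1].split("/", 1)[0]
    return "." in host and "*" in host.rsplit(".", 1)[-1]

def lint(config_text):
    """Return findings for a bidirectional content redirection JSON string."""
    cfg, out = json.loads(config_text), []
    if cfg.get("version") != 1:
        out.append("version must be 1")
    c2h_cfgs = cfg.get("clientToHostConfig", [])
    entries = [e for c in cfg.get("hostToClientConfig", []) for e in c.get("hostToClientUrls", [])]
    h2c = {_url(e) for e in entries}
    c2h = {_url(u) for c in c2h_cfgs for u in c.get("clientToHostUrls", [])}
    out += [f"{u}: set in both directions (loop)" for u in sorted(h2c & c2h)]
    out += [f"{u}: top-level domain wildcard" for u in sorted(h2c | c2h) if _tld_wildcard(u)]
    out += [f"{c.get('publishedAppOrDesktopName')!r}: invalid name type" for c in c2h_cfgs
            if c.get("publishedAppOrDesktopNameType") not in ALLOWED_TYPES]
    if "*" in h2c and not any(
        c.get("publishedAppOrDesktopName") == "" and c.get("clientToHostUrls") == []
        for c in c2h_cfgs
    ):
        out.append("*: needs a clientToHostConfig with empty name and empty URL list")
    for e in entries:
        pattern = e.get("oAuthRedirectionPattern") if isinstance(e, dict) else None
        # Assumption: Python's re dialect is close enough to count capture groups.
        if pattern and not e.get("oAuthScheme") and re.compile(pattern).groups == 0:
            out.append(f"{_url(e)}: empty oAuthScheme needs a capture group")
    return out

# Constructed sample with three deliberate mistakes.
SAMPLE = json.dumps({"version": 1, "hostToClientConfig": [{"hostToClientUrls": [
    {"url": "https://www.example.net"}, {"url": "https://www.citrix.*"},
    {"url": "https://login.example.org/*",
     "oAuthRedirectionPattern": "https://login.example.org/oauth2?.*"}]}],
    "clientToHostConfig": [{"publishedAppOrDesktopNameType": "Desktop",
        "publishedAppOrDesktopName": "Win11Desktop", "clientToHostUrls": ["https://www.example.net"]}]})

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

An empty result means none of these rules were violated; it does not confirm that the published resource names exist in Studio.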