Citrix Virtual Apps and Desktops

Generic USB redirection and client drive considerations

HDX technology provides optimized support for most popular USB devices. Optimized support offers an improved user experience with better performance and bandwidth efficiency over a WAN. Optimized support is usually the best option, especially in high latency or security-sensitive environments.

HDX technology provides generic USB redirection for specialty devices that don’t have optimized support or where it is unsuitable, for example:

  • The USB device has more advanced features that are not part of optimized support, such as a mouse or webcam having more buttons.
  • Users need functions which are not part of optimized support.
  • The USB device is a specialized device, such as test and measurement equipment or an industrial controller.
  • An application requires direct access to the device as a USB device.
  • The USB device only has a Windows driver available. For example, a smart card reader might not have a driver available for the Citrix Workspace app for Android.
  • The version of the Citrix Workspace app does not provide any optimized support for this type of USB device.

With generic USB redirection:

  • Users do not need to install device drivers on the user device.
  • USB client drivers are installed on the VDA machine.

Important:

  • Generic USB redirection can be used together with optimized support. If you enable generic USB redirection, configure Citrix USB devices policy settings for both generic USB redirection and optimized support.
  • The Citrix policy setting in Client USB device optimization rules is a specific setting for generic USB redirection, for a particular USB device. It doesn’t apply to optimized support as described here.

Performance considerations for USB devices

Network latency and bandwidth can affect user experience and USB device operation when using generic USB redirection for some types of USB devices. For example, timing-sensitive devices might not operate correctly over high-latency low-bandwidth links. Use optimized support instead where possible.

Some USB devices require high bandwidth to be usable, for example a 3D mouse (used with 3D apps that also typically require high bandwidth). If bandwidth cannot be increased, you might be able to mitigate the issue by tuning bandwidth usage of other components using the bandwidth policy settings. For more information, see Bandwidth policy settings for Client USB device redirection, and Multi-stream connection policy settings.

Security considerations for USB devices

Some USB devices are security-sensitive by nature, for example, smart card readers, fingerprint readers, and signature pads. Other USB devices such as USB storage devices can be used to transmit data that might be sensitive.

USB devices are often used to distribute malware. Configuration of Citrix Workspace app and Citrix Virtual Apps and Desktops can reduce, but not eliminate, risk from these USB devices. This situation applies whether generic USB redirection or optimized support is used.

Important:

For security-sensitive devices and data, always secure the HDX connection, see Communication between client and VDA.

Only enable support for the USB devices that you need. Configure both generic USB redirection and optimized support to meet this need.

Provide guidance to users for safe use of USB devices:

  • Use only USB devices that have been obtained from a trustworthy source.
  • Don’t leave USB devices unattended in open environments - for example, a flash drive in an internet cafe.
  • Explain the risks of using a USB device on more than one computer.

Security controls for USB mass storage devices

Optimized support is provided for USB mass storage devices. This support is part of Citrix Virtual Apps and Desktops client drive mapping. Drives on the user device are automatically mapped to drive letters on the virtual desktop when users log on. The drives are displayed as shared folders that have mapped drive letters. To configure client drive mapping, use the Client removable drives setting. This setting is in the File Redirection policy settings section of the ICA policy settings.

With USB mass storage devices you can use either Client drive mapping or generic USB redirection, or both. Control them using Citrix policies. The main differences are:

Feature Client drive mapping Generic USB redirection
Enabled by default Yes No
Read-only access configurable Yes No

Note:

USB redirection is supported over lower bandwidth connections, for example 50 Kbps. However, copying large files doesn’t work.

Generic USB redirection and client drive considerations