Citrix Virtual Apps and Desktops

Secure HDX™

Secure HDX is an Application Level Encryption (ALE) solution that prevents any network elements in the traffic path from being able to inspect the HDX traffic. It does this by providing true End-to-End Encryption (E2EE) at the application level between the Citrix Workspace™ app (client) and the VDA (session host) using AES-256-GCM encryption.

System requirements

The following list depicts the system requirements for using Secure HDX.

  • Control plane
    • Citrix DaaS™
    • Citrix Virtual Apps and Desktops™ 2503 or later
  • Session host
    • Operating System
      • Windows 10 22H2
      • Windows 11 22H2 or later
      • Windows Server 2019 or later
    • Virtual Delivery Agent (VDA)
      • Windows: version 2503 or later
      • Linux: version 2407 or later
  • Workspace app
    • Windows: version 2503 or later
    • Linux: version 2408 or later
    • Mac: version 2409 or later
    • Chrome OS: version 2409 or later
    • HTML5: version 2408 or later
  • Access tier
    • Citrix Workspace
    • Citrix StoreFront™ 2402 or later

NOTE:

For details on configuring Secure HDX with Linux VDA, refer to the Linux VDA documentation.

Configuration

Secure HDX is disabled by default. You can configure this feature using the Secure HDX setting in Citrix policy:

Secure HDX: Defines whether to enable or disable the feature.

IMPORTANT:

If you have Secure ICA® enabled on the delivery groups that you want to enable Secure HDX on, you must first disable Secure ICA (Edit delivery group > User Settings).

HDX Insight and Smart Control

The following are the requirements to use HDX Insight and SmartControl with NetScaler Gateway when Secure HDX is enabled:

  • NetScaler 14.1 Build 47.46 or newer.
  • Network telemetry must be enabled in Citrix policy.
  • Session Reliability must be enabled. This setting is enabled by default, so ensure there are no policies disabling it.

Note:

HDX Insight and SmartControl with Secure HDX is available only in the following scenarios:

  • Connections using TCP as transport protocol
  • Connections using IPv4
  • Clients using the following Workspace app versions:

    • Windows: 2503 or newer
    • Mac: 2505 or newer
    • Linux: 2508 or newer

Considerations

The following are considerations for using Secure HDX:

  • If a user tries to connect to a session host with Secure HDX enabled using a client that does not support the feature, the connection will be denied.

  • Only Service Continuity for connector-less workloads is supported with Secure HDX. If you are using the standard version of Service Continuity, you will not be able to connect to any session hosts that have Secure HDX enabled if there is a Cloud service outage.

  • Multi-Stream ICA is not supported when Secure HDX is enabled.

  • If you use any third-party solutions that rely on inspecting HDX traffic, they would no longer work if you enable Secure HDX since HDX traffic is encrypted.

Troubleshooting

To confirm that Secure HDX is active, you can use the ctxsession.exe utility on the VDA machine.

To use the CtxSession.exe utility, open a Command Prompt or PowerShell within the session and run ctxsession.exe -v. If Secure HDX is in use, ICA Encryption displays SecureHDX AES-256 GCM.

Secure HDX

When Secure HDX does not get enabled in the session

  • Ensure the VDA version in use supports the feature per the system requirements.

  • Confirm that you have a policy applied to the VDA that enables Secure HDX and that there are no other policies with higher priority disabling the feature.

  • If the session host was already running when you configured Secure HDX, restart the machine to ensure changes take effect.

Secure HDX™