Citrix Virtual Apps and Desktops

ICA policy settings

Note:

This page describes the ICA policy settings and their supported configuration values. For more information on working with policies, see the Work with policies section.

Adaptive transport

This setting allows or prevents data transport over EDT as primary and over TCP as fallback.

By default, adaptive transport is enabled (Preferred), and EDT is used when possible, with fallback to TCP. You can change its setting as needed:

  • Preferred. Adaptive transport over EDT is used when possible, with fallback to TCP.

  • Diagnostic mode. EDT is forced on and fallback to TCP is disabled. We recommend this setting only for troubleshooting.

  • Off. TCP is forced on, and EDT is disabled.

For more information, see Adaptive transport.

Drag and drop setting

This setting allows or prevents the dragging of files between the client and virtual applications or desktops. By default, the drag and drop policy is disabled. You can enable this policy if needed.

Application launch wait timeout

This setting specifies the wait timeout value in milliseconds for a session to wait for the first application to start. If the start of the application exceeds this time period, the session ends.

You can choose the default time (10,000 milliseconds) or specify a number in milliseconds.

Client clipboard redirection

This setting allows or prevents the clipboard on the user device being mapped to the clipboard on the server.

By default, clipboard redirection is allowed.

To prevent copy-and-paste data transfer between a session and the local clipboard, select Prohibit. Users can still copy and paste data between applications running in sessions.

After allowing this setting, configure the maximum allowed bandwidth the clipboard can consume in a client connection. Use the Clipboard redirection bandwidth limit or the Clipboard redirection bandwidth limit percent settings.

Client clipboard write allowed formats

When the Restrict client clipboard write setting is Enabled, host clipboard data cannot be shared with the client endpoint. You can use this setting to allow specific data formats to be shared with the client endpoint clipboard. To use this setting, enable it and add the specific formats to be allowed.

The following clipboard formats are system defined:

  • CF_TEXT
  • CF_BITMAP
  • CF_METAFILEPICT
  • CF_SYLK
  • CF_DIF
  • CF_TIFF
  • CF_OEMTEXT
  • CF_DIB
  • CF_PALETTE
  • CF_PENDATA
  • CF_RIFF
  • CF_WAVE
  • CF_UNICODETEXT
  • CF_ENHMETAFILE
  • CF_HDROP
  • CF_LOCALE
  • CF_DIBV5
  • CF_OWNERDISPLAY
  • CF_DSPTEXT
  • CF_DSPBITMAP
  • CF_DSPMETAFILEPICT
  • CF_DISPENHMETAFILE
  • CF_HTML

The following custom formats are predefined in XenApp and XenDesktop and Citrix Virtual Apps and Desktops:

  • CFX_RICHTEXT
  • CFX_OfficeDrawingShape
  • CFX_BIFF8
  • CFX_FILE

HTML format is disabled by default. To enable this feature:

  • Verify that Client clipboard redirection is set to Allowed.
  • Verify that Restrict client clipboard write is set to Enabled.
  • Add an entry for CF_HTML (and any other formats that you want supported) in Client clipboard write allowed formats.

You can add more custom formats. The custom format name must match the formats to be registered with the system. Format names are case-sensitive.

This setting does not apply if the Client clipboard redirection policy is set to Prohibited or the Restrict client clipboard write policy is set to Disabled.

Note:

Enabling HTML format clipboard copy support (CF_HTML) copies any scripts from the source of the copied content to the destination. Check that you trust the source before proceeding to copy. If you do copy content containing scripts, they are live only if you save the destination file as an HTML file and run it.

Limit clipboard client to session transfer size

This setting specifies the maximum size of clipboard data that a user can transfer from a client endpoint to a virtual session during a single copy-and-paste operation.

To limit clipboard transfer size, enable the Limit clipboard client to session transfer size setting. Then, in the Size Limit field, enter a value in kilobytes to define the size of data transfer between the local clipboard and a session.

By default, this setting is disabled and there’s no limit on client to session transfers.

HDX Direct

HDX Direct allows the client to automatically establish a direct connection with the session host when direct communication is available. Connections are established securely using network-level encryption.

HDX Direct mode

HDX Direct can be used to establish direct connections with session hosts for internal and external clients. This setting determines if HDX Direct is available for internal clients only or for both internal and external clients.

When set to Internal only, HDX Direct attempts to establish direct connections for clients in the internal network only.

When set to Internal and external, HDX Direct attempts to establish direct connections for internal and external clients.

By default, HDX Direct is set for internal clients only.

HDX Direct port range

This setting specifies the range of ports that HDX Direct uses for connections from external users. By default, HDX Direct uses the port range 55000–55250.

Limit clipboard session to client transfer size

This setting specifies the maximum size of clipboard data that a user can transfer from a virtual session to a client endpoint during a single copy-and-paste operation.

To limit clipboard transfer size, enable the Limit clipboard session to client transfer size setting. Then, in the Size Limit field, enter a value in kilobytes to define the size of data transfer between a session and the local clipboard.

By default, this setting is disabled and there’s no limit on session to client transfers.

Restrict client clipboard write

If this setting is Enabled, host clipboard data cannot be shared with the client endpoint. You can allow specific formats by enabling the Client clipboard write allowed formats setting.

By default, this setting is Disabled.

Restrict session clipboard write

When this setting is Enabled, client clipboard data cannot be shared within the user session. You can allow specific formats by enabling the Session clipboard write allowed formats setting.

By default, this setting is Disabled.

Session clipboard write allowed formats

When the Restrict session clipboard write setting is Enabled, client clipboard data cannot be shared with session applications. You can use this setting to allow specific data formats to be shared with the session clipboard.

The following clipboard formats are system defined:

  • CF_TEXT
  • CF_BITMAP
  • CF_METAFILEPICT
  • CF_SYLK
  • CF_DIF
  • CF_TIFF
  • CF_OEMTEXT
  • CF_DIB
  • CF_PALETTE
  • CF_PENDATA
  • CF_RIFF
  • CF_WAVE
  • CF_UNICODETEXT
  • CF_ENHMETAFILE
  • CF_HDROP
  • CF_LOCALE
  • CF_DIBV5
  • CF_OWNERDISPLAY
  • CF_DSPTEXT
  • CF_DSPBITMAP
  • CF_DSPMETAFILEPICT
  • CF_DISPENHMETAFILE
  • CF_HTML

The following custom formats are predefined in XenApp and XenDesktop and Citrix Virtual Apps and Desktops:

  • CFX_RICHTEXT
  • CFX_OfficeDrawingShape
  • CFX_BIFF8

HTML format is disabled by default. To enable this feature:

  • Verify that Client clipboard redirection is set to Allowed.
  • Verify that Restrict session clipboard write is set to Enabled.
  • Add an entry for CF_HTML (and any other formats that you want supported) in Session clipboard write allowed formats.

You can add more custom formats. The custom format name must match the formats to be registered with the system. Format names are case-sensitive.

This setting does not apply if the Client clipboard redirection policy is set to Prohibited or the Restrict session clipboard write policy is set to Disabled.

Note:

Enabling HTML format clipboard copy support (CF_HTML) copies any scripts from the source of the copied content to the destination. Check that you trust the source before proceeding to copy. If you do copy content containing scripts, they are live only if you save the destination file as an HTML file and run it.
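The clipboard settings above (Client clipboard redirection, the two Restrict ... clipboard write settings, their allowed formats lists, and the two transfer size limits) combine into one decision per copy-and-paste operation. The following is an added example, not Citrix code: a small model of that decision for reviewing a planned configuration. The class and function names are hypothetical, and treating CF_HTML as blocked unless it is explicitly allow-listed is this example's reading of "HTML format is disabled by default".

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Direction:
    restrict_write: bool = False              # "Restrict ... clipboard write" (default Disabled)
    allowed_formats: frozenset = frozenset()  # "... clipboard write allowed formats"
    size_limit_kb: Optional[int] = None       # "Limit clipboard ... transfer size" (default: none)

@dataclass(frozen=True)
class ClipboardPolicy:
    redirection_allowed: bool = True          # "Client clipboard redirection" (default Allowed)
    to_client: Direction = field(default_factory=Direction)   # session -> client endpoint
    to_session: Direction = field(default_factory=Direction)  # client endpoint -> session

def evaluate(policy, direction, fmt, size_kb):
    """Return (allowed, reason) for one copy-and-paste operation."""
    if direction not in ("to_client", "to_session"):
        raise ValueError("direction must be 'to_client' or 'to_session'")
    if not policy.redirection_allowed:
        return False, "Client clipboard redirection is Prohibited"
    d = getattr(policy, direction)
    if d.restrict_write:
        if fmt not in d.allowed_formats:      # exact match: format names are case-sensitive
            return False, f"{fmt} is not in the allowed formats list"
    elif fmt == "CF_HTML":                    # assumption: HTML stays off unless allow-listed
        return False, "CF_HTML requires restrict write Enabled and an allowed formats entry"
    if d.size_limit_kb is not None and size_kb > d.size_limit_kb:
        return False, f"{size_kb} KB exceeds the {d.size_limit_kb} KB limit"
    return True, "allowed"

def audit(policy):
    """List the settings a reviewer would want justified."""
    findings = []
    if not policy.redirection_allowed:
        return findings
    for name in ("to_client", "to_session"):
        d = getattr(policy, name)
        if not d.restrict_write:
            findings.append(f"{name}: write not restricted, every format except CF_HTML passes")
            if d.allowed_formats:
                findings.append(f"{name}: allowed formats list is ignored while restrict write is Disabled")
        elif "CF_HTML" in d.allowed_formats:
            findings.append(f"{name}: CF_HTML allowed, scripts in copied content are carried along")
        if d.size_limit_kb is None:
            findings.append(f"{name}: no transfer size limit")
    return findings
```

Running `audit(ClipboardPolicy())` on the defaults shows that both directions are unrestricted and unlimited until the restrict and size-limit settings are enabled.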

Desktop starts

This setting allows or prevents connections to a session on the VDA using an ICA connection by non-administrative users in a VDA Direct Access Users group.

By default, non-administrative users can’t connect to these sessions.

This setting doesn’t affect non-administrative users in a VDA Direct Access Users group who are using an RDP connection. These users can connect to the VDA when this setting is enabled or disabled. This setting doesn’t affect non-administrative users who aren’t in a VDA Direct Access Users group. These users can’t connect to the VDA when this setting is enabled or disabled.

FIDO2 redirection

This setting enables or disables FIDO2 redirection. FIDO2 redirection lets users take advantage of the local endpoint FIDO2 components in a virtual machine. Users can authenticate in a virtual session through FIDO2 security keys or integrated biometrics on devices that have TPM 2.0 and Windows Hello.

When this setting is Allowed, users can do FIDO2 authentication by using the local endpoint capabilities. By default, this setting is Allowed.

ICA listener connection timeout

This setting specifies the maximum wait time for a connection using the ICA protocol to be completed.

By default, the maximum wait time is 120,000 milliseconds, or two minutes.

ICA listener port number

This setting specifies the TCP/IP port number used by the ICA protocol on the server.

By default, the port number is set to 1494.

Valid port numbers must be in the range of 0-65535 and must not conflict with other well-known port numbers. If you change the port number, restart the server for the new value to take effect. If you change the port number on the server, you must also change it on every Citrix Workspace app or plug-in that connects to the server.

Keyboard and Input Method Editor (IME)

This setting enables or disables the following:

  • Dynamic keyboard layout synchronization
  • Input Method Editor (IME)
  • Unicode keyboard layout mapping
  • Hiding or showing the keyboard layout switch notification dialog message

To configure these features:

  1. In Web Studio, select Keyboard and IME.
  2. Select Client keyboard layout synchronization and IME improvement to control the dynamic keyboard layout synchronization and generic client Input Method Editor (IME) features in the VDA. You can configure:

    Disabled - disables dynamic keyboard layout synchronization and generic client Input Method Editor (IME).

    Support dynamic client keyboard layout synchronization - enables dynamic keyboard layout synchronization.

    Support dynamic client keyboard layout synchronization and IME improvement - enables both dynamic keyboard layout synchronization and generic client Input Method Editor (IME).

  3. Select Enable Unicode keyboard layout mapping to enable or disable Unicode keyboard mapping.
  4. Select Hide keyboard layout switch pop-up message box to control whether or not a message appears, indicating that the keyboard layout is synchronizing when the user changes the client keyboard layout. If you prevent the message from appearing, the users must wait for a few moments before typing to avoid incorrect character input.

Default settings:

  • Client keyboard layout synchronization and IME improvement
    • Disabled in Windows Server 2016 and Windows Server 2019.
    • Support dynamic client keyboard layout synchronization and IME improvement in Windows Server 2012 and Windows 2010.
  • Disable Unicode keyboard layout mapping
  • Show keyboard layout switch pop-up message box

This policy replaces the registry settings that are listed in the Description section of the policy settings.

Logoff checker startup delay

This setting specifies the duration to delay the logoff checker startup. Use this policy to set the time (in seconds) that a client session waits before disconnecting the session.

This setting also increases the time that it takes for a user to log off from the server.

Loss tolerant mode

Important:

  • The feature requires a minimum of Citrix Workspace app 2002 for Windows. This version of the VDA supports it when it becomes available.

  • Loss tolerant mode is not supported on Citrix Gateway or Citrix Gateway Service. This mode is available only with direct connections.

This setting enables or disables loss tolerant mode.

By default, loss tolerant mode is Allowed.

When allowed, the mode is entered when the packet loss and latency are above a threshold. You can set the thresholds using the loss tolerant thresholds policy.

Loss tolerant thresholds

When the Loss tolerant mode is available, this setting specifies the network metrics thresholds at which the session switches to loss tolerant mode.

The default thresholds are:

  • Packet loss: 5%
  • Latency: 300 ms (RTT)

For more information, see loss tolerant mode.

Rendezvous protocol

This setting changes how HDX sessions are proxied when using the Citrix Gateway Service. When enabled, HDX traffic no longer flows through the Citrix Cloud Connector. Instead, the VDA establishes an outbound connection directly to the Citrix Gateway Service (enhancing Cloud Connector scalability).

Important:

A feature toggle in Citrix Cloud and an HDX policy setting control this feature. The Citrix Cloud feature toggle is enabled by default while the HDX setting is disabled by default. The HDX setting affects only HDX sessions established through the Citrix Gateway Service. This setting does not affect sessions established directly between client and VDA or through an on-premises Citrix Gateway.

For more information, see Rendezvous protocol.

Rendezvous proxy configuration

This setting allows you to configure an explicit proxy for use with the Rendezvous protocol. If using a transparent proxy, this setting does not need to be enabled.

By default, this setting is disabled.

When disabled, the VDA doesn’t route outbound traffic through any non-transparent proxies when trying to establish a Rendezvous connection with the Gateway Service.

When enabled, the VDA attempts to establish a Rendezvous connection with the Gateway Service through the proxy defined in this setting.

The VDA supports using HTTP and SOCKS5 proxies for Rendezvous connections. To configure the VDA to use a proxy for the Rendezvous connection, you must enable this setting. Also, specify either the address of the proxy or the path to the PAC file. For example:

  • Proxy address: http://<URL or IP>:<port> or socks5://<URL or IP>:<port>
  • PAC file: http://<URL or IP>/<path>/<filename>.pac

    VDA version 2103 is the minimum supported version for proxy configuration with a PAC file. For more information on the PAC file schema for SOCKS5 proxies, see Proxy configuration.

Note:

Only SOCKS5 proxies support data transport through EDT. For an HTTP proxy, use TCP as the transport protocol for ICA.

For more information, see Rendezvous protocol.
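The proxy value interacts with the Adaptive transport setting: only SOCKS5 carries EDT, and Diagnostic mode disables the TCP fallback. The following added example (not Citrix code) checks a planned proxy value against the rules stated on this page. The function name, the finding strings and the `example.internal` host names in the test values are hypothetical.

```python
from urllib.parse import urlsplit

PAC_MIN_VDA = 2103  # minimum VDA version for PAC-file configuration, per the page

def lint_rendezvous_proxy(value, adaptive_transport="Preferred", vda_version=None):
    """Return findings for a Rendezvous proxy configuration value (empty list = consistent)."""
    if adaptive_transport not in ("Preferred", "Diagnostic mode", "Off"):
        raise ValueError("unknown adaptive transport value")
    url = urlsplit(value.strip())
    scheme = url.scheme.lower()
    if scheme not in ("http", "socks5") or not url.hostname:
        return ["error: expected http://host:port, socks5://host:port or an http:// URL of a .pac file"]
    findings = []
    if scheme == "http" and url.path.lower().endswith(".pac"):
        if vda_version is not None and vda_version < PAC_MIN_VDA:
            findings.append(f"error: PAC file needs VDA {PAC_MIN_VDA} or later, got {vda_version}")
        return findings  # proxy type is decided by the PAC file, so no transport check here
    try:
        port = url.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        port = None
    if port is None:
        findings.append("error: proxy address has no valid port")
    if url.path not in ("", "/"):
        findings.append("error: path given but it is not a .pac file")
    if scheme == "http":
        if adaptive_transport == "Diagnostic mode":
            findings.append("error: HTTP proxy cannot carry EDT and Diagnostic mode disables TCP fallback")
        elif adaptive_transport == "Preferred":
            findings.append("info: HTTP proxy cannot carry EDT, ICA must use TCP")
    return findings
```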

Starting of non-published programs during client connection

This setting specifies whether to allow starting initial applications through RDP on the server.

By default, starting initial applications through RDP on the server isn’t allowed.

Tablet mode toggle policy settings

Tablet mode toggle optimizes the look and behavior of Store apps, Win32 apps, and the Windows shell on the VDA. It does so by automatically toggling the virtual desktop to Tablet mode when connecting from small form factor devices like phones and tablets, or any touch-enabled device.

If this policy is disabled, the VDA is in the mode the user sets it to and maintains the same mode throughout, regardless of the type of client.