Citrix Virtual Apps and Desktops

Bidirectional content redirection policy settings

The Bidirectional Content Redirection section contains policy settings that enable or disable client-to-VDA and VDA-to-client URL redirection.

Server policies are set in Web Studio. Starting with the Citrix Workspace app version 2311, this setting replaces the following three legacy settings in Web Studio, which are deprecated:

  • Allow bidirectional content redirection
  • Allowed URLs to be redirected to VDA
  • Allowed URLs to be redirected to Client

It also replaces the following three local Group Policy Object (GPO) settings on Windows clients:

  • Bidirectional content redirection
  • Bidirectional content redirection overrides
  • OAuth redirection

If this setting is enabled, the client-to-VDA settings are sent to the client upon connecting to a published app or desktop to configure bidirectional content redirection.

Configuration

If this setting is configured, it takes precedence over the legacy settings in Web Studio and on the client. Citrix recommends using only the new policy settings and deleting any legacy settings to avoid unexpected behavior.

Client policies must not be set if the VDA and DDC are running version 2311 or later. Otherwise, client policies are set from the Citrix Workspace app Group Policy Object administration template.

Citrix offers host-to-client redirection and Local App Access for client-to-URL redirection. However, Citrix recommends that you use bidirectional content redirection for domain-joined Windows clients.

Citrix recommends using the new UI in Web Studio to configure the feature instead of the Desktop Studio.

Wildcard redirection

Bidirectional content redirection supports the use of wildcards when defining the URLs to be redirected. For more details and to configure bidirectional content redirection, see the Configuration instructions. In Web Studio, set the wildcard URL by editing the JSON string as a value in the url key in the hostToClientUrls array or the clientToHostUrls array.

Note:

  • To avoid infinite redirection loops, don’t set the same URL in both hostToClientUrls and clientToHostUrls.
  • Wildcards in the top-level domain are not supported. For example, https://www.citrix.* or http://www.citrix.co* is not redirected.

Bidirectional content redirection configuration

Set this policy to Enabled to start configuring the feature, and then click Manage URLs. Set the following configurations:

  • VDA-to-client redirection
  • Client-to-VDA redirection

VDA-to-client redirection

To redirect URLs from VDA to the client, enter one URL per line. Wildcards are allowed. OAuth redirection enables you to use the browser on the client endpoint to perform authentication and send the token back to the VDA.

Benefits:

  • You can avoid storing these credentials in the hosted environment.
  • You can use biometric capabilities that are available on the endpoint and not on the VDA.

Configurations:

To configure VDA-to-client redirection for the URL, specify the following:

  • URL: (Required) Add the URL that must be redirected from the VDA to open on the client. For OAuth redirection, set the authentication scheme and pattern on the client to redirect the session back to the host.
  • Pattern: (Optional) A URL regular expression. A URL that matches it and is redirected to the client through VDA-to-client URL redirection is tracked as the start of an OAuth authentication flow. When the flow completes (detected by the resulting scheme or redirect URL pattern being opened), the resulting URL is redirected back into the host VDA that initiated the flow.
  • Scheme: (Optional) If Scheme is specified, the terminating URL is expected to be of the form <scheme>://<something>. If Scheme is not specified (empty), the original resulting URL pattern is extracted from the Pattern through a regular expression capture group (which must be specified in the Pattern), and the original URL is rewritten to use a citrix-oauth-redir:// redirect URL. When the flow completes, the original redirect URL is then redirected back into the host (VDA). In this case, any OAuth authorization server must be configured to allow citrix-oauth-redir://byIndex/1 (2, 3, ... N) redirect URLs.

Note:

Though both Pattern and Scheme are optional, if Pattern is specified, you must also specify Scheme.

Client-to-VDA redirection

To redirect URLs from the client to VDA, complete the following steps:

  1. Configure the destination for client URLs.
  2. Select either Published Application or Published Desktop.
  3. Specify the name of that resource.
  4. Add all URLs that must be redirected to that resource. You can override this default resource by adding a new application or desktop and then specifying the URLs to redirect to that resource.

Desktop Studio

Note:

Citrix recommends using Web Studio to configure this feature from Citrix Virtual Apps and Desktops version 2402 onwards.

To configure bidirectional content redirection for 2311, create a JSON string with the following format:

{
  "version": 1,
  "hostToClientConfig": [
    {
      "hostToClientUrls": [
        {
          "url": "http://www.citrix.com/*"
        },
        {
          "url": "www.example.com"
        },
        {
          "url": "https://login.example.org/*",
          "oAuthRedirectionPattern": "https://login.example.org/oauth2?.*",
          "oAuthScheme": "idm.desktop-authentication"
        }
      ]
    }
  ],
  "clientToHostConfig": [
    {
      "publishedAppOrDesktopNameType": "Desktop",
      "publishedAppOrDesktopName": "Win11Desktop",
      "clientToHostUrls": [
        "https://www.example.net",
        "https://*.citrix.example"
      ]
    },
    {
      "publishedAppOrDesktopNameType": "Application",
      "publishedAppOrDesktopName": "Chrome",
      "clientToHostUrls": [
        "https://tibco.example"
      ]
    }
  ]
}

The following parameters must be set:

  • version: (Required) Set to 1.

  • For VDA-to-client URL redirection, create a single hostToClientConfig.

  • hostToClientUrls: (Required) List of URLs to be redirected from host (VDA) to client. Wildcards are allowed.

OAuth redirection

OAuth redirection enables you to use the client endpoint browser to authenticate and send the token back to the VDA.

Benefits:

  • You can avoid storing these credentials in the hosted environment.
  • You can use biometric capabilities that are available on the endpoint and not on the VDA.

To configure OAuth redirection for the URL, specify the following parameters:

  • oAuthRedirectionPattern: (Optional) A URL regular expression. A URL that matches it and is redirected to the client via VDA-to-client URL redirection is tracked as the start of an OAuth authentication flow. When the flow completes (detected by the resulting scheme or redirect URL pattern being opened), the resulting URL is redirected back into the host VDA that initiated the flow.
  • oAuthScheme: (Optional) If a Scheme is specified, the terminating URL is expected to be in the form <scheme>://<something>. If Scheme is not specified (empty), the original resulting URL pattern is extracted from the Pattern through a regular expression capture group (which must be specified in the Pattern), and the original URL is rewritten to use a citrix-oauth-redir:// redirect URL. When the flow completes, the original redirect URL is then redirected back into the host (VDA). In this case, any OAuth authorization server must be configured to allow citrix-oauth-redir://byIndex/1 (2, 3, ... N) redirect URLs.

For a client-to-VDA redirection, create clientToHostConfig for each resource to redirect. For each resource, include the following parameters:

  • publishedAppOrDesktopNameType: (Required) Either a published desktop (“Desktop”) or a published application (“Application”) configured in Web Studio. If the resource is not valid, redirection does not function correctly.
  • publishedAppOrDesktopName: (Required) Resource name as configured in Web Studio.
  • clientToHostUrls: (Required) List of URLs to be redirected from client to host (VDA). Wildcards are allowed.
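
The rules stated in this article can be checked before a JSON string is pasted into the policy. The following linter is an added example, not Citrix code: the function names, finding texts, and the SAMPLE policy are constructed for illustration, and it applies only the constraints given above (version, a single hostToClientConfig, resource type, Pattern with Scheme, no top-level-domain wildcard, no URL in both directions).

```python
import json
from urllib.parse import urlsplit

def _host(url):
    # Entries may omit the scheme ("www.example.com"); prefix "//" so urlsplit sees a host.
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()

def lint_bcr_policy(text):
    """Return findings for a policy JSON string, using only rules stated in the article."""
    cfg, findings = json.loads(text), []
    if cfg.get("version") != 1:
        findings.append("version must be 1")
    h2c_cfgs = cfg.get("hostToClientConfig", [])
    if len(h2c_cfgs) > 1:
        findings.append("more than one hostToClientConfig")
    h2c = [e for c in h2c_cfgs for e in c.get("hostToClientUrls", [])]
    c2h = []
    for c in cfg.get("clientToHostConfig", []):
        if c.get("publishedAppOrDesktopNameType") not in ("Desktop", "Application"):
            name = c.get("publishedAppOrDesktopName")
            findings.append(f"{name}: type must be Desktop or Application")
        c2h += c.get("clientToHostUrls", [])
    for e in h2c:  # the article's note: a Pattern must be accompanied by a Scheme
        if e.get("oAuthRedirectionPattern") and not e.get("oAuthScheme"):
            findings.append(f"{e['url']}: oAuthRedirectionPattern without oAuthScheme")
    h2c_urls = [e["url"] for e in h2c]
    for url in h2c_urls + c2h:  # wildcard in the last host label: citrix.* or citrix.co*
        if "*" in _host(url).rsplit(".", 1)[-1]:
            findings.append(f"{url}: wildcard in top-level domain")
    # Exact string match only; overlapping wildcard entries still need manual review.
    for url in sorted({u.lower() for u in h2c_urls} & {u.lower() for u in c2h}):
        findings.append(f"{url}: in both directions (redirect loop)")
    return findings

# Constructed sample policy with four deliberate mistakes (not from the Citrix article).
SAMPLE = json.dumps({
    "version": 1,
    "hostToClientConfig": [{"hostToClientUrls": [
        {"url": "https://www.citrix.*"},
        {"url": "https://portal.example.net/*"},
        {"url": "https://login.example.org/*",
         "oAuthRedirectionPattern": "https://login.example.org/oauth2?.*"},
    ]}],
    "clientToHostConfig": [{
        "publishedAppOrDesktopNameType": "Browser",
        "publishedAppOrDesktopName": "Chrome",
        "clientToHostUrls": ["https://portal.example.net/*"]}],
})

if __name__ == "__main__":
    print("\n".join(lint_bcr_policy(SAMPLE)))
```
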

Known limitation

When you launch a browser using PowerShell with a custom URL scheme (not HTTP or HTTPS), the custom URLs are not redirected to the client.
