Citrix Virtual Apps and Desktops

WebSocket communication between VDA and Delivery Controller

This article describes how to set up a WebSocket connection for communication between VDAs and Delivery Controllers as an alternative to using WCF communication. It provides the benefit that only the TLS port 443 for communication from the VDA to the Delivery Controller.

Currently this is only available for MCS provisioned machines. Manually provisioned machines is in tech preview, see Enroll non-MCS provisioned VDAs using tokens (Preview).

How it works

The following section describes the workflow for the WebSocket connection between a Delivery Controller and a VDA:

  1. Citrix Virtual Apps and Desktops admins initiate the process by provisioning VDAs using the Machine Creation Service (MCS).
  2. During the MCS provisioning process, MCS generates public-private key pairs for each VDAs and registers the public keys with the FMA trust service on the Delivery Controller. MCS saves the public-private key pair as a file under the identity disk on the VDAs.
  3. When the VDA machine boots up, the MCS agent installed on the VDA machine reads the key pair from the identity disk and writes this information to the VDA registry location.
  4. The broker agent installed on the VDA reads the key pairs from the registry and generates an SSL-enabled WebSocket request to the Delivery Controller with the service key signed by the private key.
  5. The Delivery Controller verifies the signed service key authorization header with the public key from the FMA trust service.
  6. Once the verification is complete, the system establishes the WebSocket connection between the VDA and the Delivery Controller.

WebSocket support

Before you begin

  1. Configure your site. For more information, see Create a site.
  2. Install TLS certificates on the Delivery Controllers. For more information, see Install TLS server certificates on Controllers.
  3. Install root CA and intermediate CA on VDA to trust the Delivery Controller.

Procedure

Follow the instructions to set up a WebSocket connection:

  1. Enable WebSocket connection on the Delivery Controller. Run the following command on each Delivery Controller present on your site:

    New-ItemProperty "HKLM:\SOFTWARE\Citrix\DesktopServer\WorkerProxy" -Name "WebSocket_Enabled" -PropertyType "DWord" -Value 1 -Force

    Note:

    Ensure that you restart the Delivery Controllers after enabling the WebSocket.

  2. Create a machine catalog for AD-joined VDAs with MCS provisioning. For more information, see Create machine catalog.
  3. Create a delivery group and add your VDA to it. For more information, see Create delivery groups.
  4. Enable WebSocket connection on the VDA. Run the following PowerShell command on the VDA:

    New-ItemProperty "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CitrixBrokerAgent\WebSocket" -Name "Enabled" -PropertyType "DWord" -Value 1 -Force
    <!--NeedCopy-->
    
    • To check if WebSocket is enabled, check the following registry key value. The value of Enabled must be 1.

      Key:

       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CitrixBrokerAgent\WebSocket
       <!--NeedCopy-->
      

      Name: Enabled

      Type: REG_DWORD

      Value: 1

WebSocket communication between VDA and Delivery Controller