When using the Citrix Gateway service, the Rendezvous protocol allows traffic to bypass the Citrix Cloud Connectors and connect directly and securely with the Citrix Cloud control plane.
There are two types of traffic to consider: 1) control traffic for VDA registration and session brokering; 2) HDX session traffic.
Rendezvous V1 allows for HDX session traffic to bypass Cloud Connectors, but it still requires Cloud Connectors to proxy all control traffic for VDA registration and session brokering.
Standard AD domain joined machines and non-domain joined machines are supported for using Rendezvous V2 with single-session and multi-session Linux VDAs. With non-domain joined machines, Rendezvous V2 allows for both HDX traffic and control traffic to bypass the Cloud Connectors.
The requirements for using Rendezvous V2 are:
- Access to the environment using Citrix Workspace and Citrix Gateway service.
- Control Plane: Citrix DaaS (formerly Citrix Virtual Apps and Desktops service).
- VDA version 2201 or later.
- Version 2204 is the minimum required for HTTP and SOCKS5 proxies.
- Enable the Rendezvous protocol in the Citrix policy. For more information, see Rendezvous protocol policy setting.
The VDAs must have access to:
TCP 443. If you can’t allow all subdomains in that manner, you can use
<customer_ID>is your Citrix Cloud customer ID as shown in the Citrix Cloud administrator portal.
https://*.nssvc.net, including all subdomains. If you cannot whitelist all subdomains in that manner, use
https://*.g.nssvc.netinstead. For more information, see the Internet Connectivity Requirements section of the Citrix Cloud documentation (under Virtual Apps and Desktop service) and the Knowledge Center article CTX270584.
- The VDAs must be able to connect to the addresses mentioned previously:
- On TCP 443, for TCP Rendezvous.
- On UDP 443, for EDT Rendezvous.
The VDA supports connecting through proxies for both control traffic and HDX session traffic when using Rendezvous. The requirements and considerations for both types of traffic are different, so review them carefully.
- Only HTTP proxies are supported.
- Packet decryption and inspection are not supported. Configure an exception so the control traffic between the VDA and the Citrix Cloud control plane is not intercepted, decrypted, or inspected. Otherwise, the connection fails.
- Proxy authentication is not supported.
To configure a proxy for control traffic, edit the registry as follows:
/opt/Citrix/VDA/bin/ctxreg create -k "HKLM\Software\Citrix\VirtualDesktopAgent" -t "REG_SZ" -v "ProxySettings" -d "http://<URL or IP>:<port>" --force <!--NeedCopy-->
- HTTP and SOCKS5 proxies are supported.
- EDT can only be used with SOCKS5 proxies.
- To configure a proxy for HDX traffic, use the Rendezvous proxy configuration policy setting.
- Packet decryption and inspection are not supported. Configure an exception so the HDX traffic between the VDA and the Citrix Cloud control plane is not intercepted, decrypted, or inspected. Otherwise, the connection fails.
HTTP proxies support machine-based authentication by using the Negotiate and Kerberos authentication protocols. When you connect to the proxy server, the Negotiate authentication scheme automatically selects the Kerberos protocol. Kerberos is the only scheme that the Linux VDA supports.
To use Kerberos, you must create the service principal name (SPN) for the proxy server and associate it with the proxy’s Active Directory account. The VDA generates the SPN in the format
HTTP/<proxyURL>when establishing a session, where the proxy URL is retrieved from the Rendezvous proxy policy setting. If you don’t create an SPN, authentication fails.
- Authentication with a SOCKS5 proxy is not currently supported. If using a SOCKS5 proxy, you must configure an exception so that traffic destined to Gateway Service addresses (specified in the requirements) can bypass authentication.
- Only SOCKS5 proxies support data transport through EDT. For an HTTP proxy, use TCP as the transport protocol for ICA.
Transparent HTTP proxy is supported for Rendezvous. If using a transparent proxy in your network, no additional configuration is required on the VDA.
How to configure Rendezvous V2
Following are the steps for configuring Rendezvous in your environment:
- Make sure that all requirements are met.
After the VDA is installed, run the following command to set the required registry key:
/opt/Citrix/VDA/bin/ctxreg create -k "HKLM\Software\Citrix\VirtualDesktopAgent" -t "REG_DWORD" -v "GctRegistration" -d "0x00000001" --force <!--NeedCopy-->
- Restart the VDA machine.
- Create a Citrix policy, or edit an existing one:
- Set the Rendezvous Protocol setting to Allowed.
- Ensure that the Citrix policy filters are set properly. The policy applies to the machines that need Rendezvous to be enabled.
- Ensure that the Citrix policy has the correct priority so that it does not overwrite another one.
To check whether a session is using the Rendezvous protocol, run the
/opt/Citrix/VDA/bin/ctxquery -f iP command in the terminal.
The transport protocols displayed indicate the type of connection:
- TCP Rendezvous: TCP - TLS - CGP - ICA
- EDT Rendezvous: UDP - DTLS - CGP - ICA
- Proxy through Cloud Connector: TCP - PROXY - SSL - CGP - ICA or UDP - PROXY - DTLS - CGP - ICA
If Rendezvous V2 is in use, the protocol version shows 2.0.
If the VDA cannot reach the Citrix Gateway service directly with Rendezvous enabled, the VDA falls back to proxy the HDX session through the Cloud Connector.