Proxy Configuration Support
Citrix VDA for macOS support proxy configuration in following scope and priorities:
- Control traffic (VDA enrollment, registration): the proxy setting read by VDA then the following order:
- VDA local registry settings regarding proxy
- macOS system proxy setting (from PAC file configuration and so on, entries like BYPASS, WPAD,PAC, HTTP, HTTPS, SOCKS will be parsed)
- HDX session traffic:
- DDC policy (Rendezvous proxy configuration policy, DaaS only)
- VDA local registry settings regarding proxy
- System proxy setting (from PAC configuration and so on)
Proxy using PAC file/URI are commonly used in enterprises IT/security management, we support parsing PAC in VDA enrollment/registration (include Citrix Gateway Service registration), also when Rendezvous V2 is configured
Note:
Conventionally, network communication between VDA and Citrix Control Plane (DaaS or CVAD) is called Control Traffic, and between VDA and Citrix Workspace app (CWA) is called HDX Traffic or Session Traffic. VDA enrollment, registration, and CGS registration are in the category of control traffic while Rendezvous is in the category of HDX traffic.
Proxy Configuration
The VDA supports connecting through proxies for both control traffic and HDX traffic when using Rendezvous. The requirements and considerations are different, please review them accordingly:
Control traffic proxy considerations
- Only HTTP proxies are supported.
- Packet decryption and inspection are not supported. Configure an exception rule in your proxy setting, so the control traffic between the VDA and the Citrix Cloud control plane is not intercepted, decrypted, or inspected. Otherwise, the connection will fail.
- Proxy authentication is not supported.
- To configure a proxy for control traffic, edit the registry as follows:
/opt/Citrix/VDA/bin/ctxreg create -k "HKLM\Software\Citrix\VirtualDesktopAgent" -t "REG_SZ" -v "ProxySettings" -d "<Proxy address or PAC file>" --force
- Proxy address format: (http://(URL or IP):(port))
- PAC file: (http://(URL or IP)/(path/(filename).pac))
HDX traffic proxy considerations
- HTTP and SOCKS5 proxies are supported.
- EDT can only be used with SOCKS5 proxies.
- To configure a proxy for HDX traffic, use the Rendezvous proxy configuration policy setting.
- Packet decryption and inspection are not supported. Configure an exception so the HDX traffic between the VDA and CWA is not intercepted, decrypted, or inspected. Otherwise, the connection fails.
- Authentication with a SOCKS5 proxy is not currently supported. If using a SOCKS5 proxy, you must configure an exception so that traffic destined to Gateway Service addresses (specified in the requirements) can bypass authentication.
- Only SOCKS5 proxies support data transport through EDT. For an HTTP proxy, use TCP as the transport protocol for ICA.
If proxy configurations are not set by DDC policy or presence in VDA local registry, VDA will read proxy configurations from the macOS system and parse PAC files.
If using Zscaler Private Access (ZPA), it is recommended that you configure bypass settings for the Gateway Service to avoid increased latency and the associated performance impact. To do so, you must define application segments for the Gateway Service addresses – specified in the requirements – and set them to always bypass. For information on configuring application segments to bypass ZPA, see the Zscaler documentation.
For more information, see Proxy Configuration.