Proxy PAC File Support

PAC files are commonly used to manage employee proxies in many large corporate groups.

Our product also supports reading PAC files to retrieve proxy settings.

Our PAC proxy is primarily applied in the following four business areas:

  • Enrollment
  • VDA Registration
  • NGS Registration
  • Rendezvous

Conventionally, traffic between the VDA and the Citrix Cloud control plane is called control traffic, and traffic between the VDA and CWA is called HDX traffic.

Enrollment, VDA Registration, and NGS Registration are control traffic, while Rendezvous is HDX traffic.

Proxy Configuration

The VDA supports connecting through proxies for both control traffic and HDX traffic when using Rendezvous.

The requirements and considerations for both types of traffic are different, so review them carefully.

Control traffic proxy considerations

  • Only HTTP proxies are supported.

  • Packet decryption and inspection are not supported. Configure an exception so the control traffic between the VDA and the Citrix Cloud control plane is not intercepted, decrypted, or inspected. Otherwise, the connection fails.

  • Proxy authentication is not supported.

  • To configure a proxy for control traffic, edit the registry as follows:

    /opt/Citrix/VDA/bin/ctxreg create -k "HKLM\Software\Citrix\VirtualDesktopAgent" -t "REG_SZ" -v "ProxySettings" -d "<Proxy address or PAC file>" --force

  • Proxy address: http://<URL or IP>:<port>
  • PAC file: http://<URL or IP>/<path>/<filename>.pac

HDX traffic proxy considerations

  • HTTP and SOCKS5 proxies are supported.

  • EDT can only be used with SOCKS5 proxies.

  • To configure a proxy for HDX traffic, use the Rendezvous proxy configuration policy setting.

  • Packet decryption and inspection are not supported. Configure an exception so the HDX traffic between the VDA and CWA is not intercepted, decrypted, or inspected. Otherwise, the connection fails.

  • Authentication with a SOCKS5 proxy is not currently supported. If using a SOCKS5 proxy, you must configure an exception so that traffic destined to Gateway Service addresses (specified in the requirements) can bypass authentication.

  • Only SOCKS5 proxies support data transport through EDT. For an HTTP proxy, use TCP as the transport protocol for ICA.

If no proxy is configured through Group Policy or the ctxreg utility, we also support reading the proxy configuration from the macOS system where the VDA is located and parsing PAC files to obtain the final proxy configuration.

Traffic is then sent according to that proxy configuration. However, we only support HTTP/HTTPS proxies for the first three business scenarios, while SOCKS proxies will be supported later. Rendezvous supports both HTTP/HTTPS proxies and unauthenticated SOCKS proxies.


With proxy PAC file support, our VDA can access https://*.nssvc.net, enabling VDA enrollment and registration to DDC and Gateway. Rendezvous is used during session initiation to allow CWA and VDA to communicate using the Rendezvous protocol.
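The following is an added example, not Citrix code: a constructed PAC file for hosts under nssvc.net, plus a pre-deployment check that applies the proxy-type rules above to what the PAC returns. The proxy host names, the `example.nssvc.net` host, the helper names, and the rejection of bare `SOCKS` entries are assumptions; the VDA's own PAC selection logic is not described on this page.

```javascript
// Constructed sample PAC file plus a check of what it returns.
// Proxy host names and ports are placeholders.

// PAC runtimes provide dnsDomainIs(); shimmed here so the file runs under Node.
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}

// The PAC file itself: SOCKS5 first, HTTP proxy as fallback for *.nssvc.net.
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, ".nssvc.net")) {
    return "SOCKS5 socks.corp.example:1080; PROXY proxy.corp.example:8080";
  }
  return "DIRECT";
}

// Proxy types each traffic class can use, following the text above.
// Assumption: a bare "SOCKS" entry is rejected because the page names SOCKS5.
const HTTP_TYPES = ["PROXY", "HTTP", "HTTPS"];
const SUPPORTED = {
  control: new Set(HTTP_TYPES),             // enrollment, VDA/NGS registration
  hdx: new Set([...HTTP_TYPES, "SOCKS5"]),  // Rendezvous
};

// Split "SOCKS5 a:1080; PROXY b:8080; DIRECT" into {type, hostPort} entries.
function parsePacResult(result) {
  return result.split(";").map((s) => s.trim()).filter(Boolean).map((entry) => {
    const [type, hostPort = ""] = entry.split(/\s+/);
    return { type: type.toUpperCase(), hostPort };
  });
}

// First entry the traffic class can use, or null when the PAC offers none.
function firstUsable(pacResult, trafficClass) {
  const allowed = SUPPORTED[trafficClass];
  return parsePacResult(pacResult).find(
    (e) => e.type === "DIRECT" || (allowed.has(e.type) && /:\d+$/.test(e.hostPort))
  ) || null;
}

// EDT is only possible through SOCKS5; an HTTP proxy means TCP for ICA.
function edtAllowed(entry) {
  if (!entry || entry.type === "DIRECT") return null; // no proxy rule applies
  return entry.type === "SOCKS5";
}

// Constructed host under the *.nssvc.net pattern named above.
const answer = FindProxyForURL("https://example.nssvc.net/", "example.nssvc.net");
console.log("control:", firstUsable(answer, "control"));
console.log("hdx:", firstUsable(answer, "hdx"), "EDT:", edtAllowed(firstUsable(answer, "hdx")));
```

With this PAC, control traffic skips the SOCKS5 entry and falls through to the HTTP proxy, while Rendezvous takes the SOCKS5 entry; a PAC that offers only SOCKS5 for nssvc.net would leave control traffic with no usable proxy.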
