Proxy Configuration Support

Proxy configuration through a PAC file/URI is commonly used in enterprise IT/security management. Citrix VDA for macOS supports PAC proxies.

Citrix VDA for macOS supports proxy configuration in the following scopes:

  • Control traffic (VDA enrollment, registration):
    • VDA local registry settings regarding proxy.
    • macOS system proxy setting including BYPASS, PAC, HTTP, HTTPS proxies.
  • HDX session traffic:
    • Citrix DDC policy (Rendezvous proxy configuration policy, applied to Citrix DaaS only).
    • VDA local registry settings regarding proxy.
    • macOS system proxy setting including BYPASS, PAC, HTTP, HTTPS, SOCKS proxies.

Note:

Conventionally, network communication between VDA and Citrix Control Plane (DaaS or CVAD) is called Control Traffic, and between VDA and Citrix Workspace app (CWA) is called HDX Traffic or Session Traffic. VDA enrollment, registration, and CGS registration are in the category of control traffic while Rendezvous is in the category of HDX traffic.

Proxy Configuration

The VDA supports connecting through proxies for both control traffic and HDX traffic. The requirements and considerations differ for each, so review them accordingly.

Proxy Configuration Methods

  • Citrix DDC policy
    • Admins configure the policy: Rendezvous proxy configuration
    • Works with the Rendezvous Protocol policy and applies to Citrix DaaS with Citrix Gateway Service only
  • VDA local registry setting:
    • Run the command: sudo /opt/Citrix/VDA/bin/ctxreg create -k "HKLM\Software\Citrix\VirtualDesktopAgent" -t "REG_SZ" -v "ProxySettings" -d "<Proxy address or PAC file>" --force
      • Proxy type format: http://<URL or IP>:<port> or socks5://<URL or IP>:<port>
      • PAC file format: http://<URL or IP>/<path>/<filename>.pac

        Note:

        .pac is required as part of the PAC file name.

  • macOS system proxy setting:
    • Configure system proxy through System Settings and then Network.
    • The following system proxy configurations are supported: BYPASS, PAC, HTTP, HTTPS, and SOCKS5 proxies.

Control traffic proxy considerations

  • Only HTTP proxy type is supported through:
    • VDA local registry setting
    • macOS system proxy setting
  • Proxy Configuration Priority:
    • If both proxy configurations are set, VDA local registry setting takes precedence over macOS system proxy setting.
  • Packet decryption and inspection are not supported. Configure an exception rule in your proxy setting, so the control traffic is not intercepted, decrypted, or inspected. Otherwise, the connection will fail.
  • Proxy authentication is not supported.

Refer to network requirements and Proxy Configuration Methods to configure proxy for VDA enrollment and registration.

HDX traffic proxy considerations

Note:

Proxy configuration for HDX traffic is only applied to Citrix DaaS with Citrix Gateway Service.

  • It is NOT recommended to configure a proxy for HDX traffic because HDX connection performance may be affected by increased network latency when using a proxy.
  • HTTP and SOCKS5 proxy types are supported through:
    • Citrix DDC policy
    • VDA local registry setting
    • macOS system proxy setting
  • Proxy Configuration Priority:
    • If the Citrix DDC policy is configured, it has the highest priority. Otherwise, the VDA local registry setting takes precedence over the macOS system proxy setting.
  • HDX Adaptive transport/EDT can only work with SOCKS5 proxies, while TCP will work as the transport protocol for HDX with HTTP and SOCKS5 proxies.
  • Packet decryption and inspection are not supported. Configure an exception so the HDX traffic is not intercepted, decrypted, or inspected. Otherwise, the connection fails.
  • Proxy authentication is not supported.

Refer to network requirements and Proxy Configuration Methods to configure proxy for HDX session outbound traffic.
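
The format, scope, and precedence rules described above can be checked before a value is written to ProxySettings. The following shell script is an added example, not Citrix code; the function names and sample hostnames are hypothetical, and it assumes a PAC URL is acceptable in both scopes without inspecting which proxy type the PAC file returns.

```sh
#!/bin/sh
# Added example (not Citrix code): pre-flight check of a proxy value.

# classify_proxy VALUE -> pac | http | socks5 | invalid
# Accepts only the two formats documented under Proxy Configuration Methods.
classify_proxy() {
  case "$1" in
    http://*/*.pac) echo pac; return 0 ;;
    http://*:*|socks5://*:*) ;;
    *) echo invalid; return 0 ;;
  esac
  hostport=${1#*://}; host=${hostport%:*}; port=${hostport##*:}
  case "$host" in ''|*/*) echo invalid; return 0 ;; esac
  case "$port" in ''|*[!0-9]*) echo invalid; return 0 ;; esac
  echo "${1%%://*}"
}

# effective_source SCOPE DDC REGISTRY SYSTEM -> which configured source wins
# (empty argument = not configured). The DDC policy applies to HDX only.
effective_source() {
  if [ "$1" = hdx ] && [ -n "$2" ]; then echo ddc-policy
  elif [ -n "$3" ]; then echo registry
  elif [ -n "$4" ]; then echo system
  else echo none
  fi
}

# check_proxy SCOPE VALUE -> verdict text; exit status 0 only if usable
check_proxy() {
  kind=$(classify_proxy "$2")
  case "$1:$kind" in
    *:invalid)      echo "invalid format"; return 1 ;;
    control:socks5) echo "unsupported: control traffic is HTTP proxy only"; return 1 ;;
    control:http)   echo "ok" ;;
    hdx:http)       echo "ok: TCP only (EDT needs SOCKS5)" ;;
    hdx:socks5)     echo "ok: TCP and EDT" ;;
    control:pac|hdx:pac) echo "ok: PAC (type of proxy it returns not checked)" ;;
    *)              echo "unknown scope"; return 1 ;;
  esac
}

# Constructed sample values; hostnames are placeholders.
for v in http://proxy.example:8080 socks5://proxy.example:1080 \
         http://pac.example/corp/proxy.pac proxy.example:8080; do
  for s in control hdx; do
    printf '%-8s %-34s %s\n' "$s" "$v" "$(check_proxy "$s" "$v")"
  done
done
```

A SOCKS5 value that passes for HDX is rejected for control traffic, so a single registry value shared by both scopes should be checked against both.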

Zscaler Private Access

Zscaler Private Access (ZPA) acts as a transparent proxy for Citrix VDA for macOS, so the VDA works without the proxy configurations listed above.

However, it is strongly recommended that you configure bypass settings for the Gateway Service to avoid increased latency and the associated performance impact on HDX sessions that go through Citrix Gateway Service.

To do so, you must define ZPA application segments for the Gateway Service addresses which are specified in the network requirements of HDX sessions, and set them to always bypass. For information on configuring application segments to bypass ZPA, see the Zscaler documentation.
