Product documentation
Session Recording
Current Release 2411 2407 2402 LTSR 2311 2308 2305 2303 2212 2210 2209 2207 2206 2204 2203 LTSR 2201 2112 2110 2109 2107 2106 2104 2103 1912 LTSR 7.15 Service
View PDF

Session Recording for Endpoint Devices (preview)

June 9, 2025
Contributed by: 
C

In addition to recording activities within virtual app and desktop sessions (VDI), Citrix Session Recording also captures user actions on endpoint devices accessing Citrix-delivered web apps.

Citrix session recording for web apps relies on web apps being delivered through a Citrix infrastructure. The following are the fundamental on-premises Citrix components required for delivering web apps and using session recording for endpoint devices, ensuring that end users can see and launch the configured web apps successfully through Citrix Workspace app through NetScaler Gateway.

  • Citrix Workspace app for Windows: To use session recording for endpoint devices, ensure that Citrix Workspace app for Windows is installed, version 2503 or later.
  • Secure Private Access: Secure Private Access enables secure delivery of web apps. Installing this component is a foundational step for making web apps available for recording.
  • StoreFront: The application store that users access to launch their web and SaaS apps.
  • NetScaler (ADC/Gateway): This component provides secure remote access, load balancing, and traffic management for StoreFront and the web apps.

  • StoreFront and NetScaler (ADC/Gateway) integration: The integration is key for session recording for endpoint devices to capture remote web app sessions. If the integration is misconfigured or not set up, users can’t launch web apps remotely, leaving no session to record. Refer to the following documentation for integration:

The procedure for configuring the session recording for endpoint devices feature involves the following steps.

Step 1: Generate scripts for integration with StoreFront and NetScaler

On the Session Recording server, generate configuration scripts for integrating the Session Recording server with StoreFront and NetScaler. To achieve this purpose, use the SsRecUtils.exe command-line tool in the Session Recording server installation folder. By default, the Session Recording server is installed under C:\Program Files\Citrix\SessionRecording\Server\Bin.

  • For integration with StoreFront

    • To generate a configuration script for integrating the Session Recording server with StoreFront, run SsRecUtils.exe -AddEndpointStorefront [StoreFront store URL] [Session Recording server address] in the Session Recording server installation folder. This command adds the specified StoreFront configuration to the Session Recording server database. The Session Recording server address must be the load balancer address if multiple Session Recording servers are deployed.

    • To delete a StoreFront configuration from the Session Recording server database, run SsRecUtils.exe -DeleteEndpointStorefront. This command lists all existing StoreFront configurations in the Session Recording server database. You will then be prompted to select the configuration you want to delete.

  • For integration with Netscaler

    • To generate a configuration script for integrating the Session Recording server with NetScaler, run SsRecUtils.exe -AddEndpointGateway [gateway_url] in the Session Recording server installation folder. This command adds the specified gateway configuration to the Session Recording server database.

    • To delete a NetScaler configuration from the Session Recording server database, run SsRecUtils.exe -DeleteEndpointGateway. This command lists all existing gateway configurations in the Session Recording server database. You will then be prompted to select the configuration you want to delete.

    Note

    To change the Session Recording server addresses (FQDNs), run the following commands in the Session Recording server installation folder. Changing the Session Recording server address requires re-performing the integration procedures.

    • SsRecUtils.exe -AddServerConfigure [Session Recording server address]: This command lists all Session Recording server configurations. You will then be prompted to select the configuration you want to add.

    • SsRecUtils.exe -DeleteServerConfigure: This command lists all existing Session Recording server configurations in the Session Recording server database. You will then be prompted to select the configuration you want to delete.

Step 2: Integrate the Session Recording server with StoreFront

  1. On the Session Recording server, run the following command in the Session Recording server installation folder to download the generated scripts from the Session Recording server.

    SsRecUtils.exe -DownloadEndpointStorefrontScript [Output path]
<!--NeedCopy-->

    This command downloads a ZIP file containing two scripts:

    • A configuration script (ConfigureStorefront.ps1).
    • A configuration cleanup script. This cleanup script can be used to remove the integration between StoreFront and the Session Recording server.

  2. On the StoreFront machine, run the configuration script as an administrator in a PowerShell 64-bit instance by using the command ./ConfigureStorefront.ps1 without other parameters.

Step 3: Integrate the Session Recording server with NetScaler

  1. On the Session Recording server, run the SsRecUtils.exe -DownloadEndpointGateway [Output Path] command in the Session Recording server installation folder to download the generated NetScaler configuration script from the Session Recording server.

  2. Upload the script to the NetScaler appliance. You can use tools such as WinSCP or a scp command similar to the following:

    scp ns_gateway_sessionrecording.sh root@NetScaler:/var/tmp
<!--NeedCopy-->

    (Replace NetScaler with the actual host name or IP address.)

    Ensure that the script is saved with LF (Line Feed) line endings. FreeBSD (which NetScaler OS is based on) does not support CRLF (Carriage Return Line Feed) line endings. If you encounter the error -bash: /var/tmp/ns_gateway_sessionrecording.sh: /bin/sh^M: bad interpreter: No such file or directory, it indicates incorrect line endings. Convert the script using a text editor such as Notepad++ and ensure that it’s saved with LF line endings.

  3. Connect to the NetScaler appliance through SSH and switch to the NetScaler shell by typing shell in the NetScaler CLI.

  4. Make the uploaded script executable using the chmod command:

    Chmod +x  /var/tmp/ns_gateway_sessionrecording.sh
<!--NeedCopy-->

  5. Run the uploaded script in the NetScaler shell.

    Run the integration script in NetScaler shell

  6. Provide the required parameters. The script prompts you for the following:

    • The name of the virtual server in NetScaler Gateway, which can be found in the NetScaler console.
    • The Fully Qualified Domain Name (FQDN) of the Session Recording server (or load balancer if applicable).

    • The script generates a new file, /var/tmp/ns_gateway_sessionrecording, containing multiple NetScaler commands. You can review the input parameters using the cat /var/tmp/ns_gateway_sessionrecording command.

      Use the cat command to review NetScaler command parameters

  7. Return to the NetScaler CLI and run the generated commands using a batch command similar to the following:

    batch -fileName /var/tmp/ns_gateway_sessionrecording -outfile /var/tmp/ns_gateway_sessionrecording_output
<!--NeedCopy-->

    NetScaler executes the commands sequentially. If a command fails, it proceeds to the next.

  8. Ensure that all commands were successfully completed.

    Ensure that NetScaler executed all the commands successfully

Step 4: Configure endpoint recording policies

System-defined endpoint recording policy

Session Recording provides a system-defined endpoint recording policy:

System-defined endpoint recording policy

  • Do not record endpoint sessions. The default policy. When it’s active, Session Recording does not capture user actions on endpoint devices accessing Citrix-delivered web apps.

You can’t modify or delete the system-defined endpoint recording policy.

Create a custom endpoint recording policy

You can enable endpoint recording for specific users or groups. A wizard within the Session Recording policy console helps you create rules. For each rule you create, you specify a recording action and rule criteria. The recording action applies to sessions that meet the rule criteria.

For each rule, choose one recording action:

Action for an endpoint recording policy

  • Enable endpoint recording with notification. This option records user actions on endpoint devices accessing Citrix-delivered web apps. Users receive recording notifications in advance.
  • Enable endpoint recording without notification. This option records user actions on endpoint devices accessing Citrix-delivered web apps. Users do not receive recording notifications.
  • Disable endpoint recording. This option means that no user actions on endpoint devices are recorded.
  • Citrix Delivered Web Apps. This option lets you specify particular Citrix-delivered web apps for recording user actions on endpoint devices accessing these apps.
  • Extend to full-screen recording. This option lets you record the entire screen space, including any extended displays, of the endpoint devices accessing the specified Citrix-delivered web apps.

For each rule, create a list of users or groups to which the action of the rule applies:

Rule criteria for an endpoint recording policy

When you create more than one rule in an endpoint recording policy, some sessions might match the criteria for more than one rule. In these cases, the rule with the highest priority is applied to the sessions.

The recording action of a rule determines its priority:

  • Rules with the Disable endpoint recording action have the highest priority.
  • Rules with the Enable endpoint recording with notification action have the second-to-highest priority.
  • Rules with the Enable endpoint recording without notification action have the lowest priority.

Some sessions might not meet any rule criteria in an endpoint recording policy. For these sessions, the action of the policy fallback rule applies. The action of the fallback rule is always Disable endpoint recording. You can’t modify or delete the fallback rule.

Step 5: Install the Citrix session recording for endpoint devices agent

To enable session recording for endpoint devices, install the session recording agent for endpoint devices on each client where you install the Citrix Workspace app. To install the session recording agent for endpoint devices, follow these steps:

  1. Ensure that Citrix Workspace app for Windows is installed, version 2503 or later.

  2. Install the session recording agent for endpoint devices using either the GUI or the command prompt.

    Install the Citrix endpoint recording agent

  3. Exit Citrix Workspace app for Windows from the system tray, and then reopen it.

Note:

Session Recording for Endpoint Devices (preview)
June 9, 2025
Contributed by: 
C
June 9, 2025
Contributed by: 
C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.