Session recording for endpoint devices (preview)
In addition to recording activities within virtual app and desktop sessions (VDI), Citrix Session Recording also captures user actions on endpoint devices accessing Citrix-delivered web apps, virtual apps and desktops.
Citrix session recording for web apps relies on web apps being delivered through a Citrix infrastructure. The following are the fundamental on-premises Citrix components required for delivering web apps and using session recording for endpoint devices, ensuring that end users can see and launch the configured web apps successfully through Citrix Workspace™ app through NetScaler® Gateway.
- Citrix Workspace app for Windows: To use session recording for endpoint devices, ensure that Citrix Workspace app for Windows is installed, version 2503 or later.
- Secure Private Access: Secure Private Access enables secure delivery of web apps. Installing this component is a foundational step for making web apps available for recording.
- StoreFront™: The application store that users access to launch their web and SaaS apps.
- NetScaler (ADC/Gateway): This component provides secure remote access, load balancing, and traffic management for StoreFront and the web apps.
Note:
Use NetScaler firmware version 14.1 or later to use session recording for endpoint devices.
- StoreFront and NetScaler (ADC/Gateway) integration: The integration is key for session recording for endpoint devices to capture remote web app sessions. If the integration is misconfigured or not set up, users can’t launch web apps remotely, leaving no session to record. Refer to the following documentation for integration:
  - Integrate NetScaler Gateway with StoreFront (gateway side): Integrate NetScaler Gateway with StoreFront
  - Configure Citrix Gateways (StoreFront side): Configure Citrix Gateways
Note:
This step can be skipped if you are using Citrix Cloud Workspace (cloud-hosted StoreFront).
The procedure for configuring the session recording for endpoint devices feature involves the following steps.
Step 1: Configure settings in Site Setting
- Open the Session Recording Web Console, navigate to Site Settings, and enter the following details:
  - Session Recording server address: e.g., SRServer.domain.com
  - STA server address: e.g., https://sta.domain.com
  - Gateway URL: e.g., https://gateway.domain.com
  - StoreFront server address: e.g., https://storefront.domain.com/citrix/store
- Test connection for STA/Gateway/StoreFront input.
- Apply changes.

Step 2: Integrate the Session Recording server with StoreFront
Note:
This step can be skipped if you are using Citrix Cloud Workspace (cloud-hosted StoreFront).
Perform the following steps to configure StoreFront manually.
- Download the script from the Session Recording Web Console (Configuration > Site Settings > Endpoint recording > StoreFront area).
  - Click the download icon corresponding to the StoreFront entry for which the configuration changes must be made. The downloaded zip file contains a configuration script, a README file, and a configuration cleanup script. The cleanup script can be used if the integration between StoreFront and the Session Recording Server is to be removed.
  - The download button is enabled when both the Session Recording Server address and the StoreFront address are filled in.
- Run the script as an admin on a PowerShell 64‑bit instance by using the command ./ConfigureStorefront.ps1.
  - No other parameters are required.
  - The PowerShell script execution policy must be set to Unrestricted or Bypass to run the StoreFront script.
  - The script also propagates the configuration to other StoreFront servers if StoreFront is configured as a cluster.
Step 3: Integrate the Session Recording server with Secure Ticket Authority
Note:
This step can be skipped if using On-prem StoreFront.
- STA is an XML web service that exchanges XenApp® server information for randomly generated tickets. It is used to control access for a Citrix Secure Gateway server.
- Use your Citrix account credentials to access the Citrix Virtual Apps and Desktops™ download page and download the product ISO file. Unzip the ISO file or burn a DVD of it.
- Use a local administrator account to log on to the machine in your trusted network that is accessible by the Session Recording Server. Insert the DVD in the drive or mount the ISO file. The installer can be found in x64/Citrix Desktop Delivery Controller/Sta_Service_x64.msi.
- Install the secure ticket authority server. On a trusted machine, mount the CVAD product ISO and install the STA service from x64/Citrix Desktop Delivery Controller/Sta_Service_x64.msi.
- Configure Secure Ticket Authority service.
  - This step is mandatory if the STA service is installed on the same machine as the Session Recording server.
  - Update new ports for STA service: navigate to "C:\Program Files\Citrix\StaService\Service" and run .\StaService.exe -StoreFrontPort 8980 -StoreFrontTlsPort 8443
  - Update Certificate Binding for New HTTPS Port.
  - Restart Citrix Secure Ticketing Authority Service in Windows Services Management.
Step 4: Integrate the Session Recording server with NetScaler
- On the Session Recording server, download the generated NetScaler configuration script from the Session Recording Web Console (Configuration > Site Settings > Endpoint recording > Gateway area).
- Upload the script to the NetScaler appliance. You can use tools such as WinSCP or a scp command similar to the following:
  scp ns_gateway_sessionrecording.sh root@NetScaler:/var/tmp
  (Replace NetScaler with the actual host name or IP address.)
  Ensure that the script is saved with LF (Line Feed) line endings. FreeBSD (which NetScaler OS is based on) does not support CRLF (Carriage Return Line Feed) line endings. If you encounter the error -bash: /var/tmp/ns_gateway_sessionrecording.sh: /bin/sh^M: bad interpreter: No such file or directory, it indicates incorrect line endings. Convert the script using a text editor such as Notepad++ and ensure that it’s saved with LF line endings.
- Connect to the NetScaler appliance through SSH and switch to the NetScaler shell by typing shell in the NetScaler CLI.
- Make the uploaded script executable using the chmod command:
  chmod +x /var/tmp/ns_gateway_sessionrecording.sh
- Run the uploaded script in the NetScaler shell.

- Provide the required parameters. The script prompts you for the following:
  - The name of the virtual server in NetScaler Gateway, which can be found in the NetScaler console.
  - The Fully Qualified Domain Name (FQDN) of the Session Recording server (or load balancer if applicable).
- The script generates a new file, /var/tmp/ns_gateway_sessionrecording, containing multiple NetScaler commands. You can review the input parameters using the cat /var/tmp/ns_gateway_sessionrecording command.

- Return to the NetScaler CLI and run the generated commands using a batch command similar to the following:
  batch -fileName /var/tmp/ns_gateway_sessionrecording -outfile /var/tmp/ns_gateway_sessionrecording_output
  NetScaler executes the commands sequentially. If a command fails, it proceeds to the next.
- Ensure that all commands were successfully completed.

- [Optional] Add Secure Ticket Authority (STA) server address in NetScaler. For more information, see Configure NetScaler Gateway to handle the STA and ICA traffic
Note:
If you are using Citrix Workspace app for Windows version 2503, ensure that ICA® Proxy mode is set to OFF on the Citrix NetScaler Gateway to enable endpoint recording functionality.
For detailed configuration steps, refer to the NetScaler command reference guide.
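The line-ending check before running the script and the review of the batch output file after it can both be scripted in the NetScaler shell. The following is an added example, not part of the Citrix-generated script; it assumes grep, sed and cp are available in that shell and that failed commands appear in the batch output file as lines beginning with ERROR:.

```sh
#!/bin/sh
# Added example (not Citrix's script): checks around the upload and batch steps.
CR=$(printf '\r')

# has_crlf FILE: exit 0 when at least one line ends in a carriage return.
has_crlf() {
    grep -q "${CR}\$" "$1"
}

# to_lf FILE: strip the trailing CR from every line in place, keeping the
# original as FILE.crlf.bak. Redirecting into FILE keeps its owner and mode.
to_lf() {
    cp -p "$1" "$1.crlf.bak" || return 1
    sed "s/${CR}\$//" "$1.crlf.bak" > "$1"
}

# prepare_script FILE: normalise line endings if needed, then mark executable.
prepare_script() {
    if has_crlf "$1"; then
        to_lf "$1" || return 1
    fi
    chmod +x "$1"
}

# count_failures OUTFILE: number of lines in the batch output reporting an error.
# Assumption: failures are logged as lines starting with "ERROR:".
count_failures() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    grep -c '^[[:space:]]*ERROR:' "$1" || true
}

# show_failures OUTFILE: print each error with its line number; exit 1 if any.
show_failures() {
    if grep -n '^[[:space:]]*ERROR:' "$1"; then return 1; fi
    return 0
}
```

Run prepare_script on /var/tmp/ns_gateway_sessionrecording.sh before executing it, and show_failures on /var/tmp/ns_gateway_sessionrecording_output after the batch command, since batch continues past a failed command.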
Step 5: Configure endpoint recording policies
System-defined endpoint recording policy
Session Recording provides a system-defined endpoint recording policy:

- Do not record endpoint sessions. The default policy. When it’s active, Session Recording does not capture user actions on endpoint devices accessing Citrix-delivered web apps.
You can’t modify or delete the system-defined endpoint recording policy.
Create a custom endpoint recording policy
You can enable endpoint recording for specific users or groups. A wizard within the Session Recording policy console helps you create rules. For each rule you create, you specify a recording action and rule criteria. The recording action applies to sessions that meet the rule criteria.
For each rule, choose one recording action:

- Enable endpoint recording with notification. This option records user actions on endpoint devices accessing Citrix-delivered web apps. Users receive recording notifications in advance.
- Enable endpoint recording without notification. This option records user actions on endpoint devices accessing Citrix-delivered web apps. Users do not receive recording notifications.
- Disable endpoint recording. This option means that no user actions on endpoint devices are recorded.
- Citrix Delivered Web Apps. This option lets you specify particular Citrix-delivered web apps for recording user actions on endpoint devices accessing these apps.
- Citrix Delivered Virtual Apps and Desktops. This option lets you specify particular Citrix-delivered virtual apps and desktops for recording user actions on endpoint devices accessing these apps.
- Extend to full-screen recording. This option lets you record the entire screen space, including any extended displays, of the endpoint devices accessing the specified Citrix-delivered web apps.
For each rule, create a list of users or groups to which the action of the rule applies:

When you create more than one rule in an endpoint recording policy, some sessions might match the criteria for more than one rule. In these cases, the rule with the highest priority is applied to the sessions.
The recording action of a rule determines its priority:
- Rules with the Disable endpoint recording action have the highest priority.
- Rules with the Enable endpoint recording with notification action have the second-to-highest priority.
- Rules with the Enable endpoint recording without notification action have the lowest priority.
Some sessions might not meet any rule criteria in an endpoint recording policy. For these sessions, the action of the policy fallback rule applies. The action of the fallback rule is always Disable endpoint recording. You can’t modify or delete the fallback rule.
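The priority ordering and fallback rule described above, worked through as a small shell function that reports which action applies to one user and which rule decided it. This is an added example, not Citrix code; the action|principal rules file and the action names are a constructed format for illustration, and rule criteria other than users and groups are left out.

```sh
#!/bin/sh
# Added example: resolve the effective endpoint recording action for one user.
# Rules file (constructed format): one "action|user-or-group" pair per line.

# rank ACTION: 1 is the highest priority, following the ordering above; 0 = unknown.
rank() {
    case "$1" in
        disable)                     echo 1 ;;
        enable-with-notification)    echo 2 ;;
        enable-without-notification) echo 3 ;;
        *)                           echo 0 ;;
    esac
}

# effective_action RULES_FILE NAME...
# NAME... is the user name plus every group the user belongs to.
# Prints "<action> <origin>", where origin is "rule:<line>" or "fallback".
effective_action() {
    rules_file=$1; shift
    best=disable; best_rank=4; origin=fallback; line=0
    while IFS='|' read -r action principal || [ -n "$action" ]; do
        line=$((line + 1))
        r=$(rank "$action")
        # Skip unknown actions and rules that cannot outrank the current best.
        if [ "$r" -eq 0 ] || [ "$r" -ge "$best_rank" ]; then continue; fi
        for name in "$@"; do
            if [ "$name" = "$principal" ]; then
                best=$action; best_rank=$r; origin="rule:$line"
                break
            fi
        done
    done < "$rules_file"
    # No matching rule leaves the fallback in place: Disable endpoint recording.
    echo "$best $origin"
}
```

A user who is in both an enabled group and a disabled group resolves to disable, which is the case to check when a session that was expected to be recorded is not.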
Step 6: Install the Citrix session recording for endpoint devices agent
To enable session recording for endpoint devices, install the session recording agent for endpoint devices on each client where you install the Citrix Workspace app. To install the session recording agent for endpoint devices, follow these steps:
- Ensure that Citrix Workspace app for Windows is installed, version 2503 or later.
- Install the session recording agent for endpoint devices using either the GUI or the command prompt.

- Exit Citrix Workspace app for Windows from the system tray, and then reopen it.
Note:
- Temporarily disable any anti-screen capture features when installing the session recording agent for endpoint devices.
- If using Citrix Workspace app authentication and the self-service plug-in:
  - Either disable the anti-screen capture feature entirely (see Configure Anti-keylogging and Anti-screen capture for authentication and self-service plug-in).
  - Or add the session recording agent for endpoint devices executable (SRGraphicsEngine.exe) to the screen capture allow list (see Configure Screen Capture Allow List).
- For web and SaaS apps, see Configure Anti-keylogging and Anti-screen capture for Web and SaaS apps for specific anti-keylogging and anti-screen capture configurations.
- For virtual apps and desktops, see Configure Anti-keylogging and Anti-screen capture for anti-screen capture configurations.