ICA policy settings

Jan 10, 2017

The ICA section contains policy settings related to ICA listener connections and mapping to the clipboard. 

Client clipboard redirection

This setting allows or prevents the clipboard on the user device from being mapped to the clipboard on the server.

By default, clipboard redirection is allowed.

To prevent cut-and-paste data transfer between a session and the local clipboard, select Prohibit. Users can still cut and paste data between applications running in sessions.

After allowing this setting, configure the maximum allowed bandwidth the clipboard can consume in a client connection using the Clipboard redirection bandwidth limit or the Clipboard redirection bandwidth limit percent settings.

Client clipboard write allowed formats

When the Restrict client clipboard write setting is Enabled, host clipboard data cannot be shared with the client endpoint, but you can use this setting to allow specific data formats to be shared with the client endpoint clipboard. To use this setting, enable it and add the specific formats to be allowed.

The following clipboard formats are system defined:
  • CF_TEXT
  • CF_BITMAP
  • CF_METAFILEPICT
  • CF_SYLK
  • CF_DIF
  • CF_TIFF
  • CF_OEMTEXT
  • CF_DIB
  • CF_PALETTE
  • CF_PENDATA
  • CF_RIFF
  • CF_WAVE
  • CF_UNICODETEXT
  • CF_ENHMETAFILE
  • CF_HDROP
  • CF_LOCALE
  • CF_DIBV5
  • CF_OWNERDISPLAY
  • CF_DSPTEXT
  • CF_DSPBITMAP
  • CF_DSPMETAFILEPICT
  • CF_DISPENHMETAFILE

The following custom formats are predefined in XenApp and XenDesktop:
  • CFX_RICHTEXT
  • CFX_OfficeDrawingShape
  • CFX_BIFF8
  • HTML Format

HTML Format is disabled by default. To enable this feature:

  • Make sure Client clipboard redirection is set to Allowed.
  • Make sure Restrict client clipboard write is set to Enabled.
  • Add an entry for HTML Format (and any other formats you want supported) in Client clipboard write allowed formats.

Note: Enabling HTML format clipboard copy support (HTML Format) will copy any scripts (if they exist) from the source of the copied content to the destination. Check that you trust the source before proceeding to copy. If you do copy content containing scripts, they will only be live if you save the destination file as an HTML file and execute it.

Additional custom formats can be added. The custom format name must match the formats to be registered with the system. Format names are case-sensitive.

This setting does not apply if either Client clipboard redirection or Restrict client clipboard write is set to Prohibited.

Desktop launches

This setting allows or prevents non-administrative users in a VDA's Direct Access Users group from connecting to a session on that VDA using an ICA connection.

By default, non-administrative users cannot connect to these sessions.

This setting has no effect on non-administrative users in a VDA's Direct Access Users group who are using an RDP connection; these users can connect to the VDA whether this setting is enabled or disabled. This setting has no effect on non-administrative users not in a VDA's Direct Access Users group; these users cannot connect to the VDA whether this setting is enabled or disabled.

ICA listener connection timeout

Note: This setting applies only to Virtual Delivery Agents 5.0, 5.5, and 5.6 Feature Pack 1.

This setting specifies the maximum wait time for a connection using the ICA protocol to be completed.

By default, the maximum wait time is 120000 milliseconds, or two minutes.

ICA listener port number

This setting specifies the TCP/IP port number used by the ICA protocol on the server.

By default, the port number is set to 1494.

Valid port numbers must be in the range of 0-65535 and must not conflict with other well-known port numbers. If you change the port number, restart the server for the new value to take effect. If you change the port number on the server, you must also change it on every Citrix Receiver or plug-in that connects to the server.

Launching of non-published programs during client connection

This setting specifies whether to allow launching initial applications through RDP on the server.

By default, launching initial applications through RDP on the server is not allowed.

Restrict client clipboard write

If this setting is Allowed, host clipboard data cannot be shared with the client endpoint. You can allow specific formats by enabling the Client clipboard write allowed formats setting.

By default, this is set to Prohibited.

Restrict session clipboard write

When this setting is Allowed, client clipboard data cannot be shared within the user session. You can allow specific formats by enabling the Session clipboard write allowed formats setting.

By default, this is set to Prohibited.

Session clipboard write allowed formats

When the Restrict session clipboard write setting is Allowed, client clipboard data cannot be shared with session applications, but you can use this setting to allow specific data formats to be shared with the session clipboard.

The following clipboard formats are system defined:
  • CF_TEXT
  • CF_BITMAP
  • CF_METAFILEPICT
  • CF_SYLK
  • CF_DIF
  • CF_TIFF
  • CF_OEMTEXT
  • CF_DIB
  • CF_PALETTE
  • CF_PENDATA
  • CF_RIFF
  • CF_WAVE
  • CF_UNICODETEXT
  • CF_ENHMETAFILE
  • CF_HDROP
  • CF_LOCALE
  • CF_DIBV5
  • CF_OWNERDISPLAY
  • CF_DSPTEXT
  • CF_DSPBITMAP
  • CF_DSPMETAFILEPICT
  • CF_DISPENHMETAFILE

The following custom formats are predefined in XenApp and XenDesktop:
  • CFX_RICHTEXT
  • CFX_OfficeDrawingShape
  • CFX_BIFF8
  • HTML Format

HTML Format is disabled by default. To enable this feature:

  • Make sure Client clipboard redirection is set to Allowed.
  • Make sure Restrict session clipboard write is set to Enabled.
  • Add an entry for HTML Format (and any other formats you want supported) in Session clipboard write allowed formats.

Note: Enabling HTML Format clipboard copy support (HTML Format) will copy any scripts (if they exist) from the source of the copied content to the destination. Check that you trust the source before proceeding to copy. If you do copy content containing scripts, they will only be live if you save the destination file as an HTML file and execute it.

Additional custom formats can be added. The custom format name must match the formats to be registered with the system. Format names are case-sensitive.

This setting does not apply if either the Client clipboard redirection setting or Restrict session clipboard write setting is set to Prohibited.
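
Because format names are case-sensitive and HTML Format carries scripts with the copied content, it helps to check a proposed list before entering it in either the Client or the Session clipboard write allowed formats setting. The following PowerShell is an added example, not Citrix tooling; the function name Test-ClipboardFormatList and the sample list are hypothetical, and the known names are copied from the lists on this page.

```powershell
# Added example (not Citrix tooling): lint an allowed-formats list before entering it in policy.
# Test-ClipboardFormatList is a hypothetical name; the known names are copied from this page.
$KnownFormats = @(
    'CF_TEXT', 'CF_BITMAP', 'CF_METAFILEPICT', 'CF_SYLK', 'CF_DIF', 'CF_TIFF',
    'CF_OEMTEXT', 'CF_DIB', 'CF_PALETTE', 'CF_PENDATA', 'CF_RIFF', 'CF_WAVE',
    'CF_UNICODETEXT', 'CF_ENHMETAFILE', 'CF_HDROP', 'CF_LOCALE', 'CF_DIBV5',
    'CF_OWNERDISPLAY', 'CF_DSPTEXT', 'CF_DSPBITMAP', 'CF_DSPMETAFILEPICT',
    'CF_DISPENHMETAFILE',   # spelled as listed on this page
    'CFX_RICHTEXT', 'CFX_OfficeDrawingShape', 'CFX_BIFF8', 'HTML Format'
)

function Test-ClipboardFormatList {
    param([Parameter(Mandatory)][string[]]$AllowedFormats)

    foreach ($name in $AllowedFormats) {
        # Case-insensitive lookup finds the documented spelling of a near miss.
        $canonical = $KnownFormats | Where-Object { $_ -ieq $name } | Select-Object -First 1

        if ($KnownFormats -ccontains $name) {
            # Exact, case-sensitive match with a name on the page.
            $status = 'Listed'
            $note   = if ($name -ceq 'HTML Format') {
                'Copies any scripts in the source; confirm the source is trusted.'
            } else { '' }
        } elseif ($canonical) {
            $status = 'CaseMismatch'
            $note   = "Names are case-sensitive; the page lists '$canonical'."
        } else {
            $status = 'Custom'
            $note   = 'Must match the format name registered with the system.'
        }
        [pscustomobject]@{ Format = $name; Status = $status; Note = $note }
    }
}

# Constructed sample list, including two case errors and one custom name.
Test-ClipboardFormatList 'CF_UNICODETEXT', 'cf_text', 'HTML Format', 'Html format', 'MyApp.Custom' |
    Format-Table -AutoSize
```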

HDX Enlightened Data Transport (for evaluation only)

Important

HDX Enlightened Data Transport is currently for evaluation purposes only and is not supported for production use. Refer to the End User Licensing Agreement for terms and conditions.

Use HDX Enlightened Data Transport to evaluate HDX virtual channel performance in challenging WAN conditions (high latency and some packet loss).

When set to Preferred, data transport over UDP is used when possible, with fallback to TCP. 

By default, Enlightened Data Transport is disabled (Off) and TCP is always used.

When set to Diagnostic mode, fallback to TCP is disabled.

Evaluation

Use the evaluation phase of this feature to test the impact of the new data transport protocol on the user experience of the display remoting technologies (Thinwire), printing, file transfer (Client Drive Mapping), multimedia redirection and any other virtual channels in use in your XenApp and XenDesktop deployment (non-production only).

The primary environment for this feature in this release is challenging WAN and internet conditions with high latency and moderate packet loss. Example conditions tested by Citrix include transoceanic WAN:

  • High latency: 250 ms round-trip time
  • Packet loss: 1% each way

You can share feedback in the Citrix discussion forum http://discussions.citrix.com/forum/1663-hdx-edt/.

Requirements

  • XenApp and XenDesktop 7.12 or higher (required to enable the feature using Studio)
  • VDA for Desktop OS 7.12 or higher
  • VDA for Server OS 7.12 or higher
  • StoreFront 3.8
  • Citrix Receiver for Windows 4.6
  • Citrix Receiver for Mac 12.4
  • Add firewall rules to allow inbound traffic on UDP ports 1494 and 2598 of the VDA.
    • Note: TCP ports 1494 and 2598 are also required; however, they are opened during the installation of the VDA. In this release, 1494 and 2598 must be manually enabled for UDP.
  • IPv4 VDAs only. IPv6 and mixed IPv6 and IPv4 configurations are not supported.
  • NetScaler 11.1-51.21. For more information on NetScaler configuration, see Configuring NetScaler Gateway to support Enlightened Data Transport.

Configuration

To configure a non-production deployment for the evaluation of the new data transport layer:

  1. Install XenApp and XenDesktop 7.12.
  2. Install StoreFront 3.8.
  3. Install the 7.12 VDA (for Desktop OS or Server OS).
  4. Add firewall rules to allow traffic on UDP ports 1494 and 2598 on the VDA.
  5. Install Citrix Receiver for Windows 4.6 (or Citrix Receiver for Mac 12.4).
  6. In Studio, enable the policy setting, HDX Enlightened Data Transport (it is disabled by default). It is also recommended that you do not enable this feature as a universal policy for all objects in the Site.
    • To enable the policy setting, set the value to Preferred (or Diagnostic mode), then click OK.
      • Preferred. Enlightened Data Transport over UDP is used when possible, with fallback to TCP. No additional configuration is required to optimize for LAN and WAN conditions.
      • Diagnostic mode. Enlightened Data Transport over UDP is forced on. Fallback to TCP is disabled.
      • Off. TCP is used. Setting to Off does not impact other features which use UDP (for example, real-time audio transport or Framehawk).
  7. Click Next, and complete the steps in the wizard.
  8. The policy will take effect when the user reconnects to the server. Alternatively, run gpupdate /force to make the policy setting change take immediate effect.
  9. Launch a session from Citrix Receiver for Windows or Citrix Receiver for Mac.

To confirm that the policy setting has taken effect:

  • Check that the ICA UDP services are enabled on a VDA using netstat -a.
  • Check that the virtual channels are running over EDT: use the CtxSession.exe command line utility available on the VDA.

For example:

C:\Program Files\Citrix\System32>CtxSession

Session 2 Transport Protocols: UDP -> CGP -> ICA

To see verbose statistics, use the -v switch:

>CtxSession -v

Additional configuration

The following are optional configuration steps to customize your environment for the evaluation of this feature. For example, you may choose to disable the feature for a particular client for security reasons.

They also provide configuration options for evaluation of the feature if you are working with earlier versions of the Delivery Controller or StoreFront.

Configuration of Citrix Receiver for Windows through Group Policy (optional)

The new data transport layer ("EDT") is allowed by default in Citrix Receiver for Windows. However, by default, Receiver attempts to use EDT only if the HDXoverUDP setting in the ICA file is Preferred or On.

If you want Citrix Receiver for Windows to override the HDXoverUDP setting in the ICA file and either permanently enable or permanently disable EDT, then follow these steps to set Group Policy:

  1. Add the receiver.admx file from the C:\Program Files (x86)\Citrix\Ica Client\Configuration folder to C:\Windows\PolicyDefinitions.
  2. Add the receiver.adml file from the C:\Program Files (x86)\Citrix\Ica Client\Configuration\en-US folder to C:\Windows\PolicyDefinitions\en-US.
  3. Restart the client machine.
  4. Open the group policy editor on the client and go to Computer Configuration > Administrative Templates > Citrix Receiver > Network Routing > Transport Protocol for Receiver.
  5. Set the policy as needed: Enabled (EDT first with fallback to TCP) or Off (TCP). 
  6. Select the Communication Protocol for Citrix Receiver for Windows as Preferred, On or Off.

The HDXoverUDP setting is also integrated with the Windows Receiver Client Selective Trust regions, but there are no specified values by default.

The order of precedence for the HDXoverUDP setting is:

  1. Group Policy (highest priority)
  2. Client Selective Trust
  3. ICA file (lowest priority)

Disable EDT in Citrix Receiver for Mac (optional)

The new data transport layer ("EDT") is allowed by default in Citrix Receiver for Mac. However, Receiver attempts to use EDT only if the HDXoverUDP setting in the ICA file is Preferred or On. If you do not want Citrix Receiver for Mac to use EDT, even if specified in the ICA file, run the following command in Terminal:

defaults write com.citrix.receiver.nomas HDXOverUDPAllowed -bool NO

Enable the new data transport layer with a registry setting (Delivery Controller version earlier than 7.12)

This configuration step is required only if your Delivery Controller is a version earlier than 7.12. Note that this feature requires the 7.12 VDA.

On the VDA image or machine, navigate to HKLM\Software\Citrix\ICAPolicies, add a new registry key value for the new data transport layer (HDX Enlightened Data Transport), and enable or disable the feature:

Name: HDXoverUDP

Type: REG_DWORD

Data: 0 = Off, 2 = Preferred, 1 = Diagnostic mode

Either 2 (Preferred) or 1 (Diagnostic mode) enables the ICA UDP listeners on the VDA. This is required for Citrix Receiver to make a successful connection over EDT to the VDA.

Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
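
The registry value, the ICA UDP listeners and the firewall rules for UDP ports 1494 and 2598 should agree with each other, and Diagnostic mode is worth flagging because it disables fallback to TCP. The following read-only PowerShell check is an added example, not Citrix tooling; the function name Get-EdtAuditReport is hypothetical, and it assumes the built-in Get-NetUDPEndpoint and Get-NetFirewallRule cmdlets are available and that Windows Firewall is the host firewall on the VDA.

```powershell
# Added example (not Citrix tooling): read-only audit of EDT state on a VDA.
# Get-EdtAuditReport is a hypothetical name; the key, value name, data values
# and ports come from this page.
function Get-EdtAuditReport {
    $key   = 'HKLM:\Software\Citrix\ICAPolicies'
    $ports = '1494', '2598'
    $modes = @{ 0 = 'Off'; 1 = 'Diagnostic mode'; 2 = 'Preferred' }

    # 1. HDXoverUDP registry value (absent if it was never written to this key).
    $raw  = (Get-ItemProperty -Path $key -Name HDXoverUDP -ErrorAction SilentlyContinue).HDXoverUDP
    $mode = 'Not set'
    if ($null -ne $raw) {
        $mode = if ($modes.ContainsKey([int]$raw)) { $modes[[int]$raw] } else { "Unexpected value $raw" }
    }

    # 2. Which of the two ICA ports currently have a UDP endpoint bound.
    $listening = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        ForEach-Object { [string]$_.LocalPort } |
        Where-Object { $_ -in $ports } |
        Sort-Object -Unique)

    # 3. Ports named explicitly by an enabled inbound Allow rule for UDP.
    #    Port ranges and 'Any' rules are not expanded in this example.
    $ruled = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'UDP' } |
        ForEach-Object { $_.LocalPort } |
        Where-Object { $_ -in $ports } |
        Sort-Object -Unique)

    $findings = @()
    if ($raw -eq 1) { $findings += 'Diagnostic mode: fallback to TCP is disabled.' }
    if ($raw -in 1, 2) {
        foreach ($p in $ports) {
            if ($p -notin $listening) { $findings += "No UDP listener on port $p." }
            if ($p -notin $ruled)     { $findings += "No explicit inbound UDP allow rule for port $p." }
        }
    } elseif ($listening) {
        $findings += "UDP bound on $($listening -join ', ') although HDXoverUDP at this key is '$mode'; check the Studio policy."
    }

    [pscustomobject]@{
        HDXoverUDP   = $mode
        UdpListening = $listening
        UdpFirewall  = $ruled
        Findings     = $findings
    }
}

Get-EdtAuditReport | Format-List
```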

Enable or disable the new data transport layer in Citrix Receiver with StoreFront versions earlier than 3.8

If you have not installed the latest version of StoreFront specified in the Requirements section, you can enable the new data transport layer in Citrix Receiver by updating the default.ica file in StoreFront to include HDXoverUDP=Preferred or HDXoverUDP=On.

Parameter=default value: HDXoverUDP=Off

Options (comma separated): Preferred, On, Off

Description:

  • Preferred. Try UDP first, fallback to TCP.
  • On. Force UDP, no fallback to TCP. (Diagnostic mode)
  • Off. Use TCP only.

Notes:

  • The HDXoverUDP setting in the ICA file is enforced by Citrix Receivers as the lowest priority.
  • Citrix Receiver for Windows enforces Group Policy and Client Selective Trust as higher priorities, but neither is set by default.
  • Citrix Receiver for Mac enforces an application property to allow use of EDT as a higher priority, but it is On by default.
  • By default, the ICA file setting controls Citrix Receivers.
  • For Citrix Receivers to successfully connect over EDT, the ICA listeners for UDP must be enabled on the VDA.