
Configure USB support

May 10, 2015

HDX USB device redirection enables redirection of USB devices to and from a user device. For example, a user can connect a flash drive to a local computer and access it remotely from within a virtual desktop or a desktop hosted application. During a session, users can plug and play devices, including Picture Transfer Protocol (PTP) devices such as digital cameras, Media Transfer Protocol (MTP) devices such as digital audio players or portable media players, and point-of-sale (POS) devices.

Double-hop USB is not supported for desktop hosted application sessions.

USB redirection is available for the following Receivers:
  • Receiver for Windows
  • Receiver for Linux
By default, USB redirection is allowed for certain classes of USB devices, and denied for others. See the Receiver documentation for a list. You can restrict the types of USB devices made available to a virtual desktop by updating the list of USB devices supported for redirection, as described later in this topic.
Important: In environments where security separation between the user device and server is needed, provide guidance to users about the types of USB devices to avoid.

Optimized virtual channels are available to redirect most popular USB devices, and provide superior performance and bandwidth efficiency over a WAN. The level of support provided depends on the Receiver installed on the user device; see the Receiver documentation for support information. Optimized virtual channels are usually the best option, especially in high latency environments.

Note: For USB redirection purposes, the product handles a SMART board the same as a mouse.

There is no support for Generic USB Redirection of devices connected to USB 3.0 ports. The product supports optimized virtual channels with USB 3.0 devices and USB 3.0 ports (such as a CDM virtual channel used to view files on a camera or to provide audio to a headset). The product also supports Generic USB Redirection of USB 3.0 devices connected to a USB 2.0 port.

Specialty devices for which there is no optimized virtual channel are supported by falling back to a Generic USB virtual channel that provides raw USB redirection. For information on USB devices tested with XenDesktop, see http://support.citrix.com/article/ctx123569.

Generic USB Redirection is supported for Desktop OS VDAs, but not Server OS VDAs.

Some advanced device-specific features, such as Human Interface Device (HID) buttons on a webcam, may not work as expected with the optimized virtual channel; if this is an issue, use the Generic USB virtual channel.

Certain devices are not redirected by default, and are only available to the local session. For example, it would not be appropriate to redirect a network interface card that is attached to the user device's system board by internal USB.

The following Citrix policy settings control USB support:

  • Client USB device redirection — The default is Prohibited.
  • Client USB device redirection rules — Rules only apply to devices using Generic USB redirection. Therefore, rules do not apply to devices using specialized or optimized redirection, such as CDM.
  • Client USB Plug and Play device redirection — The default is Allowed, to permit plug-and-play of PTP, MTP, and POS devices in a user session.
  • Client USB device redirection bandwidth limit — The default is 0 (zero, which means no maximum).
  • Client USB device redirection bandwidth limit percent — The default is 0 (zero, which means no maximum).

To enable USB support

  1. Add the Client USB device redirection setting to a policy and set its value to Allowed.
  2. (Optional) To update the list of USB devices available for remoting, add the Client USB device redirection rules setting to a policy and specify the USB policy rules, as explained later in this topic.
  3. Enable USB support when you install Receiver on user devices. For configuration information, refer to the Receiver documentation. If you specified USB policy rules for the Virtual Delivery Agent in the previous step, specify those same policy rules for Receiver.
    Note: For thin clients, consult the manufacturer for details of USB support and any required configuration.

Update the list of USB devices available for remoting (Receiver for Windows 4.2)

USB devices are automatically redirected when USB support is enabled and the USB user preference settings are set to automatically connect USB devices. USB devices are also automatically redirected when operating in Desktop Appliance mode and the connection bar is not present. In some instances, however, you might not want to automatically redirect all USB devices. For more information, see CTX123015.

Users can explicitly redirect devices that are not automatically redirected by selecting them from the USB device list. To prevent USB devices from ever being listed or redirected, you can specify device rules on the client and the VDA, as explained below.

You can update the range of USB devices available for remoting by specifying USB device redirection rules for both Receiver and the VDA to override the default USB policy rules.
  • Edit the user device registry. An Administrative template (ADM file) is included on the installation media so you can change the user device through Active Directory Group Policy: dvd root \os\lang\Support\Configuration\icaclient_usb.adm.
  • Edit the administrator override rules in the VDA registry on the Server OS machines. An ADM file is included on the installation media so you can change the VDA through Active Directory Group Policy: dvd root \os\lang\Support\Configuration\vda_usb.adm.
Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

The product default rules are stored in HKLM\SOFTWARE\Citrix\PortICA\GenericUSB\DeviceRules. Do not edit these product default rules. Instead, use them as a guide for creating administrator override rules as explained below. The GPO overrides are evaluated before the product default rules.

The administrator override rules are stored in HKLM\SOFTWARE\Policies\Citrix\PortICA\GenericUSB\DeviceRules. GPO policy rules take the format {Allow:|Deny:} followed by a set of tag=value expressions separated by white space. The following tags are supported:

Tag        Description
VID        Vendor ID from the device descriptor
PID        Product ID from the device descriptor
REL        Release ID from the device descriptor
Class      Class from either the device descriptor or an interface descriptor; see the USB Web site at http://www.usb.org/ for available USB Class Codes
SubClass   Subclass from either the device descriptor or an interface descriptor
Prot       Protocol from either the device descriptor or an interface descriptor

When creating new policy rules, note the following:
  • Rules are case-insensitive.
  • Rules may have an optional comment at the end, introduced by #. A delimiter is not required, and the comment is ignored for matching purposes.
  • Blank and pure comment lines are ignored.
  • White space is used as a separator, but cannot appear in the middle of a number or identifier. For example, Deny: Class = 08 SubClass=05 is a valid rule, but Deny: Class=0 Sub Class=05 is not.
  • Tags must use the matching operator =. For example, VID=1230.
  • Each rule must start on a new line or form part of a semicolon-separated list.
    Important: If you are using the ADM template file, you must create rules on a single line, as a semicolon-separated list.
When working with optimized devices such as mass storage, you usually redirect the device using the specialized CDM channel rather than with policy rules. However, if either of the following conditions exists, the optimized device is available in the device list in the desktop viewer for Generic USB redirection:
  • Auto redirection for storage device is set (for example, AutoRedirectStorage = 1); for more information, see CTX123015.
  • Simplify device connections for me is not selected; for more information, see CTX136716.
Examples:
  • The following example shows an administrator-defined USB policy rule for vendor and product identifiers:
    Allow: VID=046D PID=C626 # Allow Logitech SpaceNavigator 3D Mouse
    Deny: VID=046D # Deny all Logitech products
  • The following example shows an administrator-defined USB policy rule for a defined class, sub-class, and protocol:
    Deny: Class=EF SubClass=01 Prot=01 # Deny MS Active Sync devices
    Allow: Class=EF SubClass=01 # Allow Sync devices
    Allow: Class=EF # Allow all USB-Miscellaneous devices

To update the list of USB devices available for remoting

By default, USB devices are automatically redirected when USB support is enabled and the USB user preference settings are set to automatically connect USB devices. USB devices are also automatically redirected for Desktop Appliance sites or desktop hosted applications. In some instances, however, you may not want to automatically redirect all USB devices. For more information, see http://support.citrix.com/article/CTX123015.

Desktop Viewer users can redirect devices that are not automatically redirected by selecting them from the USB device list. To prevent USB devices from being listed or redirected, you can specify device rules on the user device and the VDA, as explained below.

You can update the range of USB devices available for remoting by specifying USB device redirection rules for both Receiver and the VDA to override the default USB policy rules. Device rules are enforced for both Receiver and the VDA. Be sure to change both so that device remoting works as you intend.
  • Edit the user device registry (or the .ini files in the case of the Receiver for Linux). For information about how to do this, see the Receiver documentation in eDocs. An Administrative template (ADM file) is included on the installation media so you can change the user device through Active Directory Group Policy: dvd root \os\lang\Support\Configuration\icaclient_usb.adm.
  • Edit the administrator override rules in the VDA registry on the Server OS Machine(s). Information about how to do this is included in the rest of this section. An ADM file is included on the installation media so you can change the VDA through Active Directory Group Policy: dvd root \os\lang\Support\Configuration\vda_usb.adm.
Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

The product default rules are stored in HKLM\SOFTWARE\Citrix\PortICA\GenericUSB\DeviceRules.

Note: Do not edit these product default rules. Instead, use them as a guide for creating administrator override rules as explained below. The GPO overrides are evaluated before the product default rules.

The administrator override rules are stored in HKLM\SOFTWARE\Policies\Citrix\PortICA\GenericUSB\DeviceRules.

GPO policy rules take the format {Allow:|Deny:} followed by a set of tag=value expressions separated by white space. The following tags are supported:

Tag        Description
VID        Vendor ID from the device descriptor
PID        Product ID from the device descriptor
REL        Release ID from the device descriptor
Class      Class from either the device descriptor or an interface descriptor; see the USB Web site at http://www.usb.org/ for available USB Class Codes
SubClass   Subclass from either the device descriptor or an interface descriptor
Prot       Protocol from either the device descriptor or an interface descriptor

When creating new policy rules, note the following:
  • Rules are case-insensitive.
  • Rules may have an optional comment at the end, introduced by #. A delimiter is not required, and the comment is ignored for matching purposes.
  • Blank and pure comment lines are ignored.
  • White space is used as a separator, but cannot appear in the middle of a number or identifier. For example, Deny: Class = 08 SubClass=05 is a valid rule, but Deny: Class=0 Sub Class=05 is not.
  • Tags must use the matching operator =. For example, VID=1230.
  • Each rule must start on a new line or form part of a semicolon-separated list.
    Important: If you are using the ADM template file, you must create rules on a single line, as a semicolon-separated list.

Use rules with optimized devices

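When working with optimized devices, such as mass storage, you usually redirect the device using the specialized CDM channel, rather than with policy rules. However, if either of the following conditions exists, the optimized device is available in the device list in the desktop viewer for Generic USB redirection:
  • Auto redirection for storage device is set (for example, AutoRedirectStorage = 1); for more information, see CTX123015.
  • Simplify device connections for me is not selected; for more information, see CTX136716.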

Examples

This example shows an administrator-defined USB policy rule for vendor and product identifiers:

Allow: VID=046D PID=C626 # Allow Logitech SpaceNavigator 3D Mouse
Deny: VID=046D # Deny all Logitech products

This example shows an administrator-defined USB policy rule for a defined class, sub-class, and protocol:

Deny: Class=EF SubClass=01 Prot=01 # Deny MS Active Sync devices
Allow: Class=EF SubClass=01 # Allow Sync devices
Allow: Class=EF # Allow all USB-Miscellaneous devices
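
A small parser and evaluator for the rule format described above, added here as an example (it is not Citrix code). It assumes rules are checked top to bottom with the first match deciding, as the ordering of the examples suggests, and that values are hexadecimal; the `dev` dictionary layout and the `shadowed` check for rules made unreachable by an earlier, broader rule are hypothetical helpers.

```python
import re

TAGS = {"vid", "pid", "rel", "class", "subclass", "prot"}
PAIR = re.compile(r"([A-Za-z]+)\s*=\s*([0-9A-Fa-f]+)")

def parse_rules(text):
    """Parse rule text into [(action, {tag: int})]; ValueError if malformed."""
    rules = []
    for raw in re.split(r"[;\n]", text):         # one rule per line or ';' item
        line = raw.split("#", 1)[0].strip()      # trailing comment is ignored
        if not line:                             # blank or pure comment line
            continue
        m = re.match(r"(allow|deny):(.*)$", line, re.I)
        if not m:
            raise ValueError(f"no Allow:/Deny: prefix: {line!r}")
        pairs = PAIR.findall(m.group(2))
        # Text left after removing tag=value pairs is stray, e.g. the "Sub"
        # in "Sub Class=05" (white space inside an identifier).
        stray = PAIR.sub("", m.group(2)).strip()
        if stray or any(t.lower() not in TAGS for t, _ in pairs):
            raise ValueError(f"malformed rule: {line!r}")
        # Assumption: values are hexadecimal and compared numerically.
        rules.append((m.group(1).capitalize(),
                      {t.lower(): int(v, 16) for t, v in pairs}))
    return rules

def rule_matches(tags, dev):
    if any(k in tags and tags[k] != dev[k] for k in ("vid", "pid", "rel")):
        return False
    want = {k: v for k, v in tags.items() if k in ("class", "subclass", "prot")}
    # Assumption: a single device or interface descriptor must satisfy all
    # of the rule's Class/SubClass/Prot tags.
    return not want or any(all(d[k] == v for k, v in want.items())
                           for d in dev["descriptors"])

def evaluate(rules, dev):
    """Assumed first-match-wins; None means no override rule matched."""
    return next((a for a, tags in rules if rule_matches(tags, dev)), None)

def shadowed(rules):
    """Indexes of rules that can never fire: an earlier rule's tags are a
    subset of theirs, so the earlier rule always matches first."""
    return [j for j, (_, later) in enumerate(rules)
            if any(e.items() <= later.items() for _, e in rules[:j])]

# Constructed sample: the page's first example, then the same rules reversed.
GOOD = "Allow: VID=046D PID=C626 # SpaceNavigator\nDeny: VID=046D # all Logitech"
BAD = "Deny: VID=046D; Allow: VID=046D PID=C626"
# Constructed device: VID/PID from the example; REL and class are made up.
MOUSE = {"vid": 0x046D, "pid": 0xC626, "rel": 0x0100,
         "descriptors": [{"class": 0x03, "subclass": 0x00, "prot": 0x00}]}
```

With the rules reversed (`BAD`), `shadowed` reports the Allow rule as unreachable and the SpaceNavigator is denied, which is why the narrower rule has to come first.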
       

Use and remove USB devices

Users can connect a USB device before or after starting a virtual session.

When using Receiver for Windows, the following apply:
  • Devices connected after a session starts immediately appear in the USB menu of the Desktop Viewer.
  • If a USB device is not redirecting properly, sometimes you can resolve the problem by waiting to connect the device until after the virtual session has started.
  • To avoid data loss, use the Windows Safe removal menu before removing the USB device.

Support for USB mass storage devices

For mass storage devices only, remote access is also available through client drive mapping, where the drives on the user device are automatically mapped to drive letters on the virtual desktop when users log on. The drives are displayed as shared folders with mapped drive letters. To configure client drive mapping, use the Client removable drives setting in the File Redirection Policy Settings section of the ICA Policy Settings.

The main differences between the two types of remoting policy are:

Feature                                  Client drive mapping   Generic USB redirection
Enabled by default                       Yes                    No
Read-only access configurable            Yes                    No
Safe to remove device during a session   No                     Yes, provided users follow operating system recommendations for safe removal

If both Generic USB and the client drive mapping policies are enabled and a mass storage device is inserted either before or after a session starts, it will be redirected using client drive mapping. When both Generic USB and the client drive mapping policies are enabled and a device is configured for automatic redirection (see http://support.citrix.com/article/CTX123015) and a mass storage device is inserted either before or after a session starts, it will be redirected using Generic USB.