
USB and client drive considerations

Sep 29, 2015

Using HDX USB device redirection, a user can connect a flash drive to a local computer and access it remotely from within a virtual desktop or a desktop hosted application. During a session, users can use plug and play devices, including Picture Transfer Protocol (PTP) devices such as digital cameras, Media Transfer Protocol (MTP) devices such as digital audio players or portable media players, and point-of-sale (POS) devices.

Double-hop USB is not supported for desktop hosted application sessions.

USB redirection is available for the Receiver for Windows and the Receiver for Linux.

By default, USB redirection is allowed for certain classes of USB devices, and denied for others; see the Receiver documentation for details. You can restrict the types of USB devices made available to a virtual desktop by updating the list of USB devices supported for redirection.

Important

In environments where security separation between the user device and server is needed, provide guidance to users about the types of USB devices to avoid.

Optimized virtual channels are available to redirect most popular USB devices, and provide performance and bandwidth efficiency over a WAN. The level of support provided depends on the Receiver installed on the user device. Optimized virtual channels are usually the best option, especially in high latency environments.

For USB redirection purposes, the product handles a SMART board the same as a mouse.

The product supports optimized virtual channels with USB 3.0 devices and USB 3.0 ports (such as a CDM virtual channel used to view files on a camera or to provide audio to a headset). The product also supports Generic USB Redirection of USB 3.0 devices connected to a USB 2.0 port.

Specialty devices for which there is no optimized virtual channel are supported by falling back to a Generic USB virtual channel that provides raw USB redirection. For information on USB devices tested with XenDesktop, see CTX123569.

Some advanced device-specific features, such as Human Interface Device (HID) buttons on a webcam, may not work as expected with the optimized virtual channel; if this is an issue, use the Generic USB virtual channel.

Certain devices are not redirected by default, and are available only to the local session. For example, it would not be appropriate to redirect a network interface card that is attached to the user device's system board by internal USB.

The following Citrix policy settings control USB support:
  • Client USB device optimization rules. Available in 7.6 FP3 using GPMC. The optimization mode is supported for input devices for class=03, for example, signature devices and drawing tablets. If no rule is specified, then the device is handled as Interactive mode (02). Capture mode (04) is the recommended mode for signature devices.
  • Client USB device redirection. The default is Prohibited.
  • Client USB device redirection rules. Rules only apply to devices using Generic USB redirection; therefore, the rules do not apply to devices using specialized or optimized redirection, such as CDM.
  • Client USB Plug and Play device redirection. The default is Allowed, to permit plug-and-play of PTP, MTP, and POS devices in a user session.
  • Client USB device redirection bandwidth limit. The default is 0 (no maximum).
  • Client USB device redirection bandwidth limit percent. The default is 0 (no maximum).

About USB Generic Redirection

Generic USB Redirection is for specialty USB devices for which there is no optimized virtual channel. This functionality redirects arbitrary USB devices from client machines to virtual desktops; with this feature, end users have the ability to interact with a wide selection of generic USB devices in the desktop session as if the devices were physically attached.

With Generic USB Redirection:

  • users do not need to install device drivers on the user device
  • USB client drivers are installed on the VDA machine

This feature is supported for desktop sessions from VDA for Desktop OS 7.6.

This feature is also supported for desktop sessions from VDA for Server OS 7.6, with these restrictions:

  • The VDA machine must be running Windows Server 2012 R2
  • Only single-hop scenarios are supported
  • The USB client drivers must be compatible with RDSH for Windows 2012 R2
  • USB storage devices, audio devices, smartcard readers, and devices that are not fully virtualized are not supported

For more information on configuring Generic USB Redirection, see CTX137939.

Enable USB support

  1. Add the Client USB device redirection setting to a policy and set its value to Allowed.
  2. (Optional) To update the list of USB devices available for remoting, add the Client USB device redirection rules setting to a policy and specify the USB policy rules.
  3. Enable USB support when you install Receiver on user devices. If you specified USB policy rules for the Virtual Delivery Agent in the previous step, specify those same policy rules for Receiver. For thin clients, consult the manufacturer for details of USB support and any required configuration.

Update the list of USB devices available for remoting (Receiver for Windows 4.2)

USB devices are automatically redirected when USB support is enabled and the USB user preference settings are set to automatically connect USB devices. USB devices are also automatically redirected when operating in Desktop Appliance mode and the connection bar is not present. In some instances, however, you might not want to automatically redirect all USB devices. For more information, see CTX123015.

Users can explicitly redirect devices that are not automatically redirected by selecting them from the USB device list. To prevent USB devices from ever being listed or redirected, you can specify device rules on the client and the VDA, as explained below.

You can update the range of USB devices available for remoting by specifying USB device redirection rules for both Receiver and the VDA to override the default USB policy rules.
  • Edit the user device registry. An Administrative template (ADM file) is included on the installation media so you can change the user device through Active Directory Group Policy: dvd root \os\lang\Support\Configuration\icaclient_usb.adm.
  • Edit the administrator override rules for the Server OS machines through group policy rules. The Group Policy Management Console is included on the installation media:
    • For x64: dvd root \os\lang\x64\Citrix Policy\ CitrixGroupPolicyManagement_x64.msi
    • For x86: dvd root \os\lang\x86\Citrix Policy\ CitrixGroupPolicyManagement_x86.msi

Warning

Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

The product default rules are stored in HKLM\SOFTWARE\Citrix\PortICA\GenericUSB\DeviceRules. Do not edit these product default rules. Instead, use them as a guide for creating administrator override rules as explained below. The GPO overrides are evaluated before the product default rules.

The administrator override rules are stored in HKLM\SOFTWARE\Policies\Citrix\PortICA\GenericUSB\DeviceRules. GPO policy rules take the format {Allow:|Deny:} followed by a set of tag=value expressions separated by white space. The following tags are supported:

| Tag | Description |
| --- | --- |
| VID | Vendor ID from the device descriptor |
| PID | Product ID from the device descriptor |
| REL | Release ID from the device descriptor |
| Class | Class from either the device descriptor or an interface descriptor; see the USB Web site at http://www.usb.org/ for available USB Class Codes |
| SubClass | Subclass from either the device descriptor or an interface descriptor |
| Prot | Protocol from either the device descriptor or an interface descriptor |

When creating new policy rules, note the following:
  • Rules are case-insensitive.
  • Rules may have an optional comment at the end, introduced by #. A delimiter is not required, and the comment is ignored for matching purposes.
  • Blank and pure comment lines are ignored.
  • White space is used as a separator, but cannot appear in the middle of a number or identifier. For example, Deny: Class = 08 SubClass=05 is a valid rule, but Deny: Class=0 Sub Class=05 is not.
  • Tags must use the matching operator =. For example, VID=1230.
  • Each rule must start on a new line or form part of a semicolon-separated list.

Important

If you are using the ADM template file, you must create rules on a single line, as a semicolon-separated list.

When working with optimized devices such as mass storage, you usually redirect the device using the specialized CDM channel rather than with policy rules. However, you can override this behavior in one of the following ways:

  • To manually redirect an optimized device using Generic USB redirection, choose Switch to Generic from the Devices tab of the Preferences dialog box.
  • To automatically redirect an optimized device using Generic USB redirection, set auto-redirection for the storage device (for example, AutoRedirectStorage = 1) and set the USB user preference settings to automatically connect USB devices; for more information, see CTX123015.

Examples:
  • The following example shows an administrator-defined USB policy rule for vendor and product identifiers:
    Allow: VID=046D PID=C626 # Allow Logitech SpaceNavigator 3D Mouse
    Deny: VID=046D # Deny all Logitech products

  • The following example shows an administrator-defined USB policy rule for a defined class, sub-class, and protocol:
    Deny: Class=EF SubClass=01 Prot=01 # Deny MS Active Sync devices
    Allow: Class=EF SubClass=01 # Allow Sync devices
    Allow: Class=EF # Allow all USB-Miscellaneous devices
           
    

Update the list of USB devices available for remoting

By default, USB devices are automatically redirected when USB support is enabled and the USB user preference settings are set to automatically connect USB devices. USB devices are also automatically redirected for Desktop Appliance sites or desktop hosted applications. In some instances, however, you might not want to automatically redirect all USB devices. For more information, see CTX123015.

Desktop Viewer users can redirect devices that are not automatically redirected by selecting them from the USB device list. To prevent USB devices from being listed or redirected, specify device rules on the user device and the VDA.

You can update the range of USB devices available for remoting by specifying USB device redirection rules for both Receiver and the VDA to override the default USB policy rules. Device rules are enforced for both Receiver and the VDA. Be sure to change both so that device remoting works as you intend.
  • Edit the user device registry (or the .ini files in the case of the Receiver for Linux). An Administrative template (ADM file) is included on the installation media so you can change the user device through Active Directory Group Policy: dvd root \os\lang\Support\Configuration\icaclient_usb.adm.
  • Edit the administrator override rules in the VDA registry on the Server OS machines. An ADM file is included on the installation media so you can change the VDA through Active Directory Group Policy: dvd root \os\lang\Support\Configuration\vda_usb.adm.

Warning

Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

The product default rules are stored in HKLM\SOFTWARE\Citrix\PortICA\GenericUSB\DeviceRules. Do not edit these product default rules. Instead, use them as a guide for creating administrator override rules as explained below. The GPO overrides are evaluated before the product default rules.

The administrator override rules are stored in HKLM\SOFTWARE\Policies\Citrix\PortICA\GenericUSB\DeviceRules. GPO policy rules take the format {Allow:|Deny:} followed by a set of tag=value expressions separated by white space. The following tags are supported:

| Tag | Description |
| --- | --- |
| VID | Vendor ID from the device descriptor |
| PID | Product ID from the device descriptor |
| REL | Release ID from the device descriptor |
| Class | Class from either the device descriptor or an interface descriptor; see the USB Web site at http://www.usb.org/ for available USB Class Codes |
| SubClass | Subclass from either the device descriptor or an interface descriptor |
| Prot | Protocol from either the device descriptor or an interface descriptor |

When creating new policy rules, note the following:
  • Rules are case-insensitive.
  • Rules may have an optional comment at the end, introduced by #. A delimiter is not required, and the comment is ignored for matching purposes.
  • Blank and pure comment lines are ignored.
  • White space is used as a separator, but cannot appear in the middle of a number or identifier. For example, Deny: Class = 08 SubClass=05 is a valid rule, but Deny: Class=0 Sub Class=05 is not.
  • Tags must use the matching operator =. For example, VID=1230.
  • Each rule must start on a new line or form part of a semicolon-separated list.

Important

If you are using the ADM template file, you must create rules on a single line, as a semicolon-separated list.

When working with optimized devices such as mass storage, you usually redirect the device using the specialized CDM channel rather than with policy rules. However, you can override this behavior in one of the following ways:

  • To manually redirect an optimized device using Generic USB redirection, choose Switch to Generic from the Devices tab of the Preferences dialog box.
  • To automatically redirect an optimized device using Generic USB redirection, set auto-redirection for the storage device (for example, AutoRedirectStorage = 1) and set the USB user preference settings to automatically connect USB devices; for more information, see CTX123015.

Examples:
  • The following example shows an administrator-defined USB policy rule for vendor and product identifiers:
    Allow: VID=046D PID=C626 # Allow Logitech SpaceNavigator 3D Mouse
    Deny: VID=046D # Deny all Logitech products

  • The following example shows an administrator-defined USB policy rule for a defined class, sub-class, and protocol:
    Deny: Class=EF SubClass=01 Prot=01 # Deny MS Active Sync devices
    Allow: Class=EF SubClass=01 # Allow Sync devices
    Allow: Class=EF # Allow all USB-Miscellaneous devices
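
The rule syntax described in both "Update the list of USB devices" sections can be linted before it is pushed through Group Policy. The following is an added example, not Citrix code: it parses the rule format and evaluates it against constructed devices. It assumes that tag values are hexadecimal and that rules are evaluated top-down with the first match deciding, as the ordering of the examples above implies; `parse_rules`, `decide`, `device` and the device layout are hypothetical names.

```python
import re

ID_TAGS, CLASS_TAGS = ("vid", "pid", "rel"), ("class", "subclass", "prot")
EXPR = re.compile(r"^(%s)=([0-9a-f]+)$" % "|".join(ID_TAGS + CLASS_TAGS))

def parse_rules(text):
    """Parse newline- or semicolon-separated rules into [(action, {tag: int})]."""
    rules = []
    for raw in re.split(r"[;\r\n]", text):
        line = raw.split("#", 1)[0].strip().lower()  # drop comment; case-insensitive
        if not line:
            continue                                 # blank or pure comment line
        m = re.match(r"^(allow|deny):(.*)$", line)
        if not m:
            raise ValueError("rule must start with Allow: or Deny: (got %r)" % raw)
        conds = {}
        # 'Class = 08' is valid, so collapse white space around '=' before splitting.
        for tok in re.sub(r"\s*=\s*", "=", m.group(2)).split():
            e = EXPR.match(tok)
            if not e:                                # e.g. the 'Sub' in 'Sub Class=05'
                raise ValueError("invalid expression %r in %r" % (tok, raw))
            conds[e.group(1)] = int(e.group(2), 16)  # assumption: values are hex
        rules.append((m.group(1), conds))
    return rules

def decide(rules, device):
    """First matching rule wins (assumption); None when no rule matches."""
    for action, conds in rules:
        ids_ok = all(device[t] == v for t, v in conds.items() if t in ID_TAGS)
        cls = {t: v for t, v in conds.items() if t in CLASS_TAGS}
        # Class/SubClass/Prot may come from the device or any interface descriptor.
        cls_ok = any(all(d[t] == v for t, v in cls.items()) for d in device["descriptors"])
        if ids_ok and cls_ok:
            return action
    return None

# The page's two example rule sets, evaluated against constructed devices.
VENDOR_RULES = parse_rules("""
Allow: VID=046D PID=C626 # Allow Logitech SpaceNavigator 3D Mouse
Deny: VID=046D # Deny all Logitech products
""")
CLASS_RULES = parse_rules("Deny: Class=EF SubClass=01 Prot=01; Allow: Class=EF SubClass=01; Allow: Class=EF")

def device(vid, pid, *descriptors):
    """Constructed device: descriptors are (class, subclass, prot) triples."""
    keys = ("class", "subclass", "prot")
    return {"vid": vid, "pid": pid, "rel": 0x0100, "descriptors": [dict(zip(keys, d)) for d in descriptors]}

print(decide(VENDOR_RULES, device(0x046D, 0xC626, (0, 0, 0), (3, 0, 0))))
```

Under the first-match assumption, swapping the two vendor rules makes the broad Deny shadow the specific Allow, so ordering is worth checking whenever an override list is edited.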
           
    

Use and remove USB devices

Users can connect a USB device before or after starting a virtual session.

When using Receiver for Windows, the following apply:
  • Devices connected after a session starts appear immediately in the USB menu of the Desktop Viewer.
  • If a USB device is not redirecting properly, you can try to resolve the problem by waiting to connect the device until after the virtual session starts.
  • To avoid data loss, use the Windows "Safely Remove Hardware" icon before removing the USB device.

USB mass storage devices

For mass storage devices only, remote access is also available through client drive mapping, where the drives on the user device are automatically mapped to drive letters on the virtual desktop when users log on. The drives are displayed as shared folders with mapped drive letters. To configure client drive mapping, use the Client removable drives setting in the File Redirection Policy Settings section of the ICA Policy Settings.

The main differences between the two types of remoting policy are:
| Feature | Client drive mapping | Generic USB redirection |
| --- | --- | --- |
| Enabled by default | Yes | No |
| Read-only access configurable | Yes | No |
| Safe to remove device during a session | No | Yes, provided users follow operating system recommendations for safe removal |

If both Generic USB and the client drive mapping policies are enabled and a mass storage device is inserted either before or after a session starts, it will be redirected using client drive mapping. When both Generic USB and the client drive mapping policies are enabled and a device is configured for automatic redirection (see http://support.citrix.com/article/CTX123015) and a mass storage device is inserted either before or after a session starts, it will be redirected using Generic USB.

Note

USB redirection is supported over lower bandwidth connections, for example 50 Kbps; however, copying large files will not work.

File access for mapped client drives

You can control whether users can copy files from their virtual environments to their user devices. By default, files and folders on mapped client drives are available in read/write mode from within the session.

To prevent users from adding or modifying files and folders on mapped client devices, enable the Read-only client drive access policy setting. When adding this setting to a policy, make sure the Client drive redirection setting is set to Allowed and is also added to the policy.