ICA Policy Settings

Oct 09, 2015

The ICA section contains policy settings related to ICA listener connections, mapping to the Clipboard and custom channels, connecting to server desktops, and controlling the launch behavior of non-published programs.

ICA listener connection timeout

This setting specifies the maximum wait time for a connection using the ICA protocol to be completed. By default, the maximum wait time is 120000 milliseconds, or two minutes.

ICA listener port number

This setting specifies the TCP/IP port number used by the ICA protocol on the server.

The default port number is 1494. The port number must be in the range of 0–65535 and must not conflict with other well-known port numbers.

If you change the port number, restart the server for the new value to take effect. If you change the port number on the server, you must also change it on every plug-in that connects to the server.

Client clipboard redirection

This setting allows or prevents the Clipboard on the user device from being mapped to the Clipboard on the server. By default, clipboard redirection is allowed.

To prevent cut-and-paste data transfer between a session and the local Clipboard, select Prohibit. Users can still cut and paste data between applications running in sessions.

After allowing this setting, configure the maximum allowed bandwidth the Clipboard can consume in a client connection using the Clipboard redirection bandwidth limit or the Clipboard redirection bandwidth limit percent settings.

Related Policy Settings
  • Clipboard redirection bandwidth limit
  • Clipboard redirection bandwidth limit percent

Desktop launches

This setting allows or prevents non-administrative users from connecting to a desktop session on the server.

When allowed, non-administrative users can connect. By default, non-administrative users cannot connect to desktop sessions.

Launching of non-published programs during client connection

This setting specifies whether or not to launch initial applications or published applications through ICA or RDP on the server. By default, only published applications are allowed to launch.

OEM Channels

This setting allows or prevents custom (OEM) devices attached to ports on the user device from being mapped to ports on the server. By default, mapping of custom devices is allowed.

After allowing this setting, configure the maximum amount of bandwidth the OEM’s virtual channel can consume in a client connection using the OEM channels bandwidth limit or the OEM channels bandwidth limit percent settings.

Related Policy Settings
  • OEM channels bandwidth limit
  • OEM channels bandwidth limit percent

Audio Policy Settings

The Audio section contains policy settings you can configure to permit user devices to send and receive audio in sessions without reducing performance.

Audio Quality

Use the projected figures for each level of sound quality to calculate the bandwidth potentially consumed in connections to specific servers. For example, if 25 users record at Medium on one server, the bandwidth used in the connections to that server is over 52,500 bytes per second.

Bandwidth is consumed only while audio is recording or playing. If both occur at the same time, the bandwidth consumption is doubled.

To control sound quality, choose one of the following options:
  • Select "Low - for low speed connections" for low-bandwidth connections. Sounds sent to the client are compressed up to 16 Kbps. This compression results in a significant decrease in the quality of the sound but allows reasonable performance for a low-bandwidth connection. With both audio playback and recording, total bandwidth consumption is 22 Kbps at maximum.
  • Select "Medium - optimized for speech" for most LAN-based connections. Sounds sent to the client are compressed up to 64 Kbps. With both audio playback and recording, total bandwidth consumption is 33.6 Kbps at maximum.
  • Select "High - high definition audio" for connections where bandwidth is plentiful and sound quality is important. Clients can play sound at its native rate. Sounds can use up to 1.3 Mbps of bandwidth to play clearly. Transmitting this amount of data can result in increased CPU utilization and network congestion.

Related Policy Settings
  • Audio redirection bandwidth limit
  • Audio redirection bandwidth limit percent

Client audio redirection

This setting allows or prevents applications hosted on the server from playing sounds through a sound device installed on the user device. This setting also allows or prevents users from recording audio input.

After allowing this setting, you can limit the bandwidth consumed by playing or recording audio. Limiting the amount of bandwidth consumed by audio can improve application performance but may also degrade audio quality. Bandwidth is consumed only while audio is recording or playing. If both occur at the same time, the bandwidth consumption doubles.

To specify the maximum amount of bandwidth, configure the Audio redirection bandwidth limit or the Audio redirection bandwidth limit percent settings.

Related Policy Settings
  • Audio redirection bandwidth limit
  • Audio redirection bandwidth limit percent
  • Client microphone redirection

Client microphone redirection

This setting enables or disables client microphone redirection. When enabled, users can use microphones to record audio input in a session.

For security, users are alerted when servers that are not trusted by their devices try to access microphones. Users can choose to accept or not accept access. Users can disable the alert on the Citrix online plug-in.

If the Client audio redirection setting is disabled on the user device, this rule has no effect.

Related Policy Settings
  • Client audio redirection
  • Audio redirection bandwidth limit
  • Audio redirection bandwidth limit percent

Auto Client Reconnect Policy Settings

The Auto Client Reconnect section contains policy settings for controlling automatic reconnection of sessions.

Auto client reconnect

This setting allows or prevents automatic reconnection by the same client after a connection has been interrupted. By default, automatic reconnection is allowed.

Allowing automatic reconnection allows users to resume working where they were interrupted when a connection was broken. Automatic reconnection detects broken connections and then reconnects the users to their sessions.

However, automatic reconnection can result in a new session being launched (instead of reconnecting to an existing session) if a plug-in’s cookie, containing the key to the session ID and credentials, is not used. The cookie is not used if it has expired, for example, because of a delay in reconnection, or if credentials must be reentered. Auto client reconnect is not triggered if users intentionally disconnect.

Auto client reconnect authentication

This setting requires authentication for automatic client reconnections. By default, authentication is not required.

When a user initially logs on to a server farm, XenApp encrypts and stores the user credentials in memory and creates a cookie containing the encryption key which is sent to the plug-in. When this setting is added, cookies are not used. Instead, XenApp displays a dialog box to users requesting credentials when the plug-in attempts to reconnect automatically.

Auto client reconnect logging

This setting enables or disables recording of auto client reconnections in the event log. By default, logging is disabled.

When logging is enabled, the server’s System log captures information about successful and failed automatic reconnection events. The server farm does not provide a combined log of reconnection events for all servers.

Bandwidth Policy Settings

The Bandwidth section contains policy settings you can configure to avoid performance problems related to client session bandwidth use.

Audio redirection bandwidth limit

This setting specifies the maximum allowed bandwidth in kilobits per second for playing or recording audio in a user session. If you enter a value for this setting and a value for the Audio redirection bandwidth limit percent setting, the most restrictive setting (with the lower value) is applied.

Audio redirection bandwidth limit percent

This setting specifies the maximum allowed bandwidth limit for playing or recording audio as a percent of the total session bandwidth. If you enter a value for this setting and a value for the Audio redirection bandwidth limit setting, the most restrictive setting (with the lower value) is applied.

If you configure this setting, you must also configure the Overall session bandwidth limit setting which specifies the total amount of bandwidth available for client sessions.

Clipboard redirection bandwidth limit

This setting specifies the maximum allowed bandwidth in kilobits per second for data transfer between a session and the local Clipboard. If you enter a value for this setting and a value for the Clipboard redirection bandwidth limit percent setting, the most restrictive setting (with the lower value) is applied.

Clipboard redirection bandwidth limit percent

This setting specifies the maximum allowed bandwidth for data transfer between a session and the local Clipboard as a percent of the total session bandwidth. If you enter a value for this setting and a value for the Clipboard redirection bandwidth limit setting, the most restrictive setting (with the lower value) is applied.

If you configure this setting, you must also configure the Overall session bandwidth limit setting which specifies the total amount of bandwidth available for client sessions.

COM port redirection bandwidth limit

This setting specifies the maximum allowed bandwidth in kilobits per second for accessing a COM port in a client connection. If you enter a value for this setting and a value for the COM port redirection bandwidth limit percent setting, the most restrictive setting (with the lower value) is applied.

COM port redirection bandwidth limit percent

This setting specifies the maximum allowed bandwidth for accessing COM ports in a client connection as a percent of the total session bandwidth. If you enter a value for this setting and a value for the COM port redirection bandwidth limit setting, the most restrictive setting (with the lower value) is applied.

If you configure this setting, you must also configure the Overall session bandwidth limit setting which specifies the total amount of bandwidth available for client sessions.

File redirection bandwidth limit

This setting specifies the maximum allowed bandwidth in kilobits per second for accessing a client drive in a user session. If you enter a value for this setting and a value for the File redirection bandwidth limit percent setting, the most restrictive setting (with the lower value) takes effect.

File redirection bandwidth limit percent

This setting specifies the maximum allowed bandwidth limit for accessing client drives as a percent of the total session bandwidth. If you enter a value for this setting and a value for the File redirection bandwidth limit setting, the most restrictive setting (with the lower value) is applied.

If you configure this setting, you must also configure the Overall session bandwidth limit setting which specifies the total amount of bandwidth available for client sessions.

LPT port redirection bandwidth limit

This setting specifies the maximum allowed bandwidth in kilobits per second for print jobs using an LPT port in a single user session. If you enter a value for this setting and a value for the LPT port redirection bandwidth limit percent setting, the most restrictive setting (with the lower value) is applied.

LPT port redirection bandwidth limit percent

This setting specifies the bandwidth limit for print jobs using an LPT port in a single client session as a percent of the total session bandwidth. If you enter a value for this setting and a value for the LPT port redirection bandwidth limit setting, the most restrictive setting (with the lower value) is applied.

If you configure this setting, you must also configure the Overall session bandwidth limit setting which specifies the total amount of bandwidth available for client sessions.

OEM channels bandwidth limit

This setting specifies the maximum allowed bandwidth in kilobits per second for custom (OEM) virtual channels. If you enter a value for this setting and a value for the OEM channels bandwidth limit percent setting, the most restrictive setting (with the lower value) is applied.

OEM channels bandwidth limit percent

This setting specifies the maximum allowed bandwidth for custom (OEM) virtual channels as a percent of the total session bandwidth. If you enter a value for this setting and a value for the OEM channels bandwidth limit setting, the most restrictive setting (with the lower value) is applied.

If you configure this setting, you must also configure the Overall session bandwidth limit setting which specifies the total amount of bandwidth available for client sessions.

Overall session bandwidth limit

This setting specifies the total amount of bandwidth available in kilobits per second for user sessions. Limiting the amount of bandwidth consumed by a client connection can improve performance when other applications outside the client connection are competing for limited bandwidth.

Printer redirection bandwidth limit

This setting specifies the maximum allowed bandwidth in kilobits per second for accessing client printers in a user session. If you enter a value for this setting and a value for the Printer redirection bandwidth limit percent setting, the most restrictive setting (with the lower value) is applied.

Printer redirection bandwidth limit percent

This setting specifies the maximum allowed bandwidth for accessing client printers as a percent of the total session bandwidth. If you enter a value for this setting and a value for the Printer redirection bandwidth limit setting, the most restrictive setting (with the lower value) is applied.

If you configure this setting, you must also configure the Overall session bandwidth limit setting which specifies the total amount of bandwidth available for client sessions.

TWAIN device redirection bandwidth limit

This setting specifies the maximum allowed bandwidth in kilobits per second for controlling TWAIN imaging devices from published applications. If you enter a value for this setting and a value for the TWAIN device redirection bandwidth limit percent setting, the most restrictive setting (with the lower value) is applied.

TWAIN device redirection bandwidth limit percent

This setting specifies the maximum allowed bandwidth for controlling TWAIN imaging devices from published applications as a percent of the total session bandwidth. If you enter a value for this setting and a value for the TWAIN device redirection bandwidth limit setting, the most restrictive setting (with the lower value) is applied.

If you configure this setting, you must also configure the Overall session bandwidth limit setting which specifies the total amount of bandwidth available for client sessions.
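The "most restrictive setting is applied" rule and the dependency of every percent setting on the Overall session bandwidth limit can be checked mechanically. The following is an added example, not Citrix code: it assumes the percent value is converted to kilobits per second against the overall limit before the two are compared, the dictionary keys mirror the setting names on this page, and the sample values are constructed.

```python
from typing import Dict, List, Optional, Tuple

OVERALL = "Overall session bandwidth limit"

# Prefixes of the per-channel setting names documented in this section.
CHANNEL_PREFIXES = (
    "Audio redirection", "Clipboard redirection", "COM port redirection",
    "File redirection", "LPT port redirection", "OEM channels",
    "Printer redirection", "TWAIN device redirection",
)

# (effective limit in kbps, which setting produced it) or (None, None) if uncapped.
Limit = Tuple[Optional[float], Optional[str]]


def effective_limits(policy: Dict[str, float]) -> Tuple[Dict[str, Limit], List[str]]:
    """Resolve the per-channel cap for one policy.

    Returns the effective cap per channel and a list of findings for percent
    settings that cannot be evaluated because the overall limit is missing.
    """
    overall = policy.get(OVERALL)
    limits: Dict[str, Limit] = {}
    findings: List[str] = []

    for prefix in CHANNEL_PREFIXES:
        kbps = policy.get(f"{prefix} bandwidth limit")
        pct = policy.get(f"{prefix} bandwidth limit percent")
        candidates: List[Tuple[float, str]] = []

        if kbps is not None:
            candidates.append((kbps, "kbps"))
        if pct is not None:
            if overall is None:
                # The page requires the overall limit whenever a percent is set.
                findings.append(
                    f"{prefix} bandwidth limit percent is set but "
                    f"{OVERALL} is not configured"
                )
            else:
                # Assumption: percent is taken of the overall session limit.
                candidates.append((overall * pct / 100, "percent"))

        # Most restrictive (lowest) value wins; a tie keeps the kbps setting.
        limits[prefix] = (
            min(candidates, key=lambda c: c[0]) if candidates else (None, None)
        )
    return limits, findings


# Constructed sample policy: values are illustrative only.
SAMPLE_POLICY = {
    OVERALL: 2000,
    "Clipboard redirection bandwidth limit": 100,
    "Clipboard redirection bandwidth limit percent": 10,  # 200 kbps, so 100 wins
    "File redirection bandwidth limit": 800,
    "File redirection bandwidth limit percent": 25,       # 500 kbps wins
    "Printer redirection bandwidth limit percent": 5,     # percent only: 100 kbps
}

# Constructed misconfiguration: a percent without the overall limit.
BROKEN_POLICY = {
    "Audio redirection bandwidth limit": 64,
    "Audio redirection bandwidth limit percent": 20,
}

if __name__ == "__main__":
    for name, pol in (("sample", SAMPLE_POLICY), ("broken", BROKEN_POLICY)):
        caps, problems = effective_limits(pol)
        print(name)
        for channel, (value, source) in caps.items():
            if value is not None:
                print(f"  {channel}: {value:g} kbps (from {source} setting)")
        for problem in problems:
            print(f"  FINDING: {problem}")
```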

Desktop UI Policy Settings

The Desktop UI section contains policy settings that control visual effects, such as desktop wallpaper, menu animations, and drag-and-drop images, to manage the bandwidth used in client connections. You can improve application performance on a WAN by limiting bandwidth usage.

Desktop wallpaper

By default, user sessions can show wallpaper. To turn off desktop wallpaper and reduce the bandwidth required in user sessions, select Prohibited when adding this setting to a policy.

Menu animation

Menu animation is a Microsoft personal preference setting that causes a menu to appear after a short delay, either by scrolling or fading in. When this policy setting is set to Allowed, an arrow icon appears at the bottom of the menu. The menu appears when you mouse over that arrow.

By default, menu animation is allowed.

View window contents while dragging

This policy setting controls the display of window contents when dragging a window across the screen.

When set to Allowed, the entire window appears to move when you drag it. When set to Prohibited, only the window outline appears to move until you drop it. By default, viewing window contents is allowed.

End User Monitoring Policy Settings

The End User Monitoring section contains policy settings for measuring session traffic.

ICA round trip calculation

This setting determines whether or not ICA round trip calculations are performed for active connections. By default, calculations for active connections are enabled.

By default, each ICA roundtrip measurement initiation is delayed until some traffic occurs that indicates user interaction. This delay can be indefinite in length and is designed to prevent the ICA roundtrip measurement being the sole reason for ICA traffic.

ICA round trip calculation interval (Seconds)

This setting specifies the frequency, in seconds, at which ICA round trip calculations are performed. By default, ICA round trip is calculated every 15 seconds.

ICA round trip calculations for idle connections

This setting determines whether or not ICA round trip calculations are performed for idle connections. By default, calculations are not performed for idle connections.

By default, each ICA roundtrip measurement initiation is delayed until some traffic occurs that indicates user interaction. This delay can be indefinite in length and is designed to prevent the ICA roundtrip measurement being the sole reason for ICA traffic.

File Redirection Policy Settings

The File Redirection section contains policy settings relating to client drive mapping and client drive optimization.

Auto connect client drives

This setting allows or prevents automatic connection of client drives when users log on. By default, automatic connection is allowed. When allowing this setting, make sure to enable the settings for the drive types you want automatically connected. For example, to allow automatic connection of users' CD-ROM drives, configure this setting and the Client optical drives setting.

Related Policy Settings
  • Client drive redirection
  • Client floppy drives
  • Client optical drives
  • Client fixed drives
  • Client network drives
  • Client removable drives

Client drive redirection

This setting enables or disables drive redirection to and from the user device. When enabled, users can save files to all their client drives. When disabled, all file redirection is prevented, regardless of the state of the individual file redirection settings such as Client floppy drives and Client network drives. By default, file redirection is enabled.

Related Policy Settings
  • Client floppy drives
  • Client optical drives
  • Client fixed drives
  • Client network drives
  • Client removable drives

Client fixed drives

This setting allows or prevents users from accessing or saving files to fixed drives on the user device. By default, accessing client fixed drives is allowed.

When allowing this setting, make sure the Client drive redirection setting is present and set to Allowed. If these settings are disabled, client fixed drives are not mapped and users cannot access these drives manually, regardless of the state of the Client fixed drives setting.

To ensure fixed drives are automatically connected when users log on, configure the Auto connect client drives setting.

Related Policy Settings
  • Client drive redirection
  • Auto connect client drives

Client floppy drives

This setting allows or prevents users from accessing or saving files to floppy drives on the user device. By default, accessing client floppy drives is allowed.

When allowing this setting, make sure the Client drive redirection setting is present and set to Allowed. If these settings are disabled, client floppy drives are not mapped and users cannot access these drives manually, regardless of the state of the Client floppy drives setting.

To ensure floppy drives are automatically connected when users log on, configure the Auto connect client drives setting.

Related Policy Settings
  • Client drive redirection
  • Auto connect client drives

Client network drives

This setting allows or prevents users from accessing and saving files to network (remote) drives through the user device. By default, accessing client network drives is allowed.

When allowing this setting, make sure the Client drive redirection setting is present and set to Allowed. If these settings are disabled, client network drives are not mapped and users cannot access these drives manually, regardless of the state of the Client network drives setting.

To ensure network drives are automatically connected when users log on, configure the Auto connect client drives setting.

Related Policy Settings
  • Client drive redirection
  • Auto connect client drives

Client optical drives

This setting allows or prevents users from accessing or saving files to CD-ROM, DVD-ROM, and BD-ROM drives on the user device. By default, accessing client optical drives is allowed.

When allowing this setting, make sure the Client drive redirection setting is present and set to Allowed. If these settings are disabled, client optical drives are not mapped and users cannot access these drives manually, regardless of the state of the Client optical drives setting.

To ensure optical drives are automatically connected when users log on, configure the Auto connect client drives setting.

Related Policy Settings
  • Client drive redirection
  • Auto connect client drives

Client removable drives

This setting allows or prevents users from accessing or saving files to USB drives on the user device. By default, accessing client removable drives is allowed.

When allowing this setting, make sure the Client drive redirection setting is present and set to Allowed. If these settings are disabled, client removable drives are not mapped and users cannot access these drives manually, regardless of the state of the Client removable drives setting.

To ensure removable drives are automatically connected when users log on, configure the Auto connect client drives setting.

Related Policy Settings
  • Client drive redirection
  • Auto connect client drives

Host to client redirection

This setting enables or disables file type associations for URLs and some media content to be opened on the user device. When disabled, content opens on the server. By default, file type association is disabled.

These URL types are opened locally when you enable this setting:
  • Hypertext Transfer Protocol (HTTP)
  • Secure Hypertext Transfer Protocol (HTTPS)
  • Real Player and QuickTime (RTSP)
  • Real Player and QuickTime (RTSPU)
  • Legacy Real Player (PNM)
  • Microsoft’s Media Format (MMS)

Special folder redirection

This setting allows or prevents Citrix online plug-in and Web Interface users from seeing their local Documents and Desktop special folders from a session. By default, special folder redirection is allowed.

This setting prevents any objects filtered through a policy from having special folder redirection, regardless of settings that exist elsewhere. When you allow this setting, any related settings specified for the Web Interface or Citrix online plug-in are ignored.

To define which users can have special folder redirection, select Allowed and include this setting in a policy filtered on the users you want to have this feature. This setting overrides all other special folder redirection settings throughout XenApp.

Because special folder redirection must interact with the user device, policy settings that prevent users from accessing or saving files to their local hard drives also prevent special folder redirection from working. If you enable the Special folder redirection setting, make sure the Client fixed drives setting is enabled as well.

For seamless applications and seamless and published desktops, special folder redirection works for Documents and Desktop folders. Citrix does not recommend using special folder redirection with published Windows Explorer.

Related Policy Settings
  • Client fixed drives
  • Auto connect client drives

Use asynchronous writes

This setting enables or disables asynchronous disk writes. By default, asynchronous writes are disabled.

Asynchronous disk writes can improve the speed of file transfers and writing to client disks over WANs, which are typically characterized by relatively high bandwidth and high latency. However, if there is a connection or disk fault, the client file or files being written may end in an undefined state. If this happens, a pop-up window informs the user of the files affected. The user can then take remedial action, such as restarting an interrupted file transfer on reconnection or when the disk fault is corrected.

Citrix recommends enabling asynchronous disk writes only for users who need remote connectivity with good file access speed and who can easily recover files or data lost in the event of connection or disk failure. When enabling this setting, make sure that the Client drive redirection setting is present and set to Allowed. If this setting is disabled, asynchronous writes will not occur.

Related Policy Settings
  • Client drive redirection
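The File Redirection settings interact: Client drive redirection gates every drive-type setting, Auto connect client drives only affects drive types that are themselves allowed, and both Special folder redirection and Use asynchronous writes depend on other settings being allowed. The following added example (not Citrix code) resolves the effective state from a set of configured values, using the defaults documented in this section; the boolean encoding (True for Allowed or Enabled), the function names and the sample policies are assumptions made for illustration.

```python
from typing import Dict, List

# Defaults as documented in this section (True = Allowed/Enabled).
DEFAULTS = {
    "Client drive redirection": True,
    "Auto connect client drives": True,
    "Client fixed drives": True,
    "Client floppy drives": True,
    "Client network drives": True,
    "Client optical drives": True,
    "Client removable drives": True,
    "Special folder redirection": True,
    "Use asynchronous writes": False,
}
DRIVE_TYPES = ("fixed", "floppy", "network", "optical", "removable")


def resolve_file_redirection(configured: Dict[str, bool]) -> dict:
    """Merge configured settings over the defaults and apply the dependencies."""
    unknown = set(configured) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"not a File Redirection setting: {sorted(unknown)}")

    s = {**DEFAULTS, **configured}
    master = s["Client drive redirection"]
    auto = s["Auto connect client drives"]
    drives: Dict[str, Dict[str, bool]] = {}
    findings: List[str] = []

    for kind in DRIVE_TYPES:
        name = f"Client {kind} drives"
        # Disabling Client drive redirection prevents all file redirection.
        accessible = master and s[name]
        drives[kind] = {"accessible": accessible,
                        "auto_connect": accessible and auto}
        if configured.get(name) is True and not master:
            findings.append(
                f"{name} is Allowed but Client drive redirection is disabled"
            )

    # Special folder redirection needs access to the client's fixed drives.
    special = s["Special folder redirection"] and drives["fixed"]["accessible"]
    if s["Special folder redirection"] and not special:
        findings.append(
            "Special folder redirection is Allowed but client fixed drives "
            "are not accessible"
        )

    # Asynchronous writes only occur when Client drive redirection is allowed.
    async_writes = s["Use asynchronous writes"] and master
    if s["Use asynchronous writes"] and not master:
        findings.append(
            "Use asynchronous writes is enabled but Client drive redirection "
            "is disabled"
        )

    return {"drives": drives, "special_folder_redirection": special,
            "asynchronous_writes": async_writes, "findings": findings}


def exposed_drive_types(result: dict) -> List[str]:
    """Drive types through which users can still read or save client files."""
    return [k for k in DRIVE_TYPES if result["drives"][k]["accessible"]]


# Constructed policy: only USB drives are prohibited, everything else default.
USB_ONLY_BLOCK = {"Client removable drives": False}

# Constructed policy: master switch off, with two settings left without effect.
LOCKED_DOWN = {
    "Client drive redirection": False,
    "Client network drives": True,
    "Use asynchronous writes": True,
}

if __name__ == "__main__":
    for label, pol in (("usb-only", USB_ONLY_BLOCK), ("locked-down", LOCKED_DOWN)):
        res = resolve_file_redirection(pol)
        print(label, "still mapped:", exposed_drive_types(res) or "none")
        for finding in res["findings"]:
            print("  FINDING:", finding)
```

Prohibiting only Client removable drives leaves fixed, floppy, network and optical drives mapped, because each of those defaults to allowed.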

Graphics Policy Settings

The Graphics section contains policy settings for controlling how images are handled in user sessions.

Display memory limit

This setting specifies the maximum video buffer size in kilobytes for the session. By default, the display memory limit is 32768 kilobytes.

Specify an amount in kilobytes from 128 to 65536. Using more color depth and higher resolution for connections requires more memory. If the memory limit is reached, the display degrades according to the Display mode degrade preference setting.

Display mode degrade preference

This setting specifies whether color depth or resolution degrades first when the session display memory limit is reached.

When the session memory limit is reached, you can reduce the quality of displayed images by choosing whether color depth or resolution is degraded first. When color depth is degraded first, displayed images use fewer colors. When resolution is degraded first, displayed images use fewer pixels per inch. By default, color depth is degraded first.

To notify users when either color depth or resolution is degraded, configure the Notify user when display mode is degraded setting.

Image caching

This setting enables or disables caching of images in sessions. When needed, the images are retrieved in sections to make scrolling smoother. By default, image caching is enabled.

Maximum allowed color depth

This setting specifies the maximum color depth allowed for a session. By default, the maximum allowed color depth is 32 bits per pixel.

Setting a high color depth requires more memory. To degrade color depth when the memory limit is reached, configure the Display mode degrade preference setting. When color depth is degraded, displayed images use fewer colors.

Notify user when display mode is degraded

This setting displays a brief explanation to the user when the color depth or resolution is degraded. By default, notifying users is disabled.

Queuing and tossing

This setting discards queued images that are replaced by another image. This improves response when graphics are sent to the client. Configuring this setting can cause animations to become choppy due to dropped frames. By default, queuing and tossing is enabled.

Image Compression Policy Settings

The Image compression section contains settings that enable you to remove or alter compression. When client connections are limited in bandwidth, downloading images without compression can be slow.

Lossy compression level

This setting controls the degree of lossy compression used on images delivered over client connections that are limited in bandwidth. In such cases, displaying images without compression can be slow. By default, medium compression is selected.

For improved responsiveness with bandwidth-intensive images, use high compression. Where preserving image data is vital, for example, when displaying X-ray images where no loss of quality is acceptable, you may not want to use lossy compression.

Related Policy Settings
  • Lossy compression threshold value
  • Progressive compression level
  • Progressive heavyweight compression level

Lossy compression threshold value

This setting represents the maximum bandwidth in kilobits per second for a connection to which lossy compression is applied. By default, the threshold value is 2000 kilobits per second.

Adding the Lossy compression level setting to a policy and including no specified threshold can improve the display speed of high-detail bitmaps, such as photographs, over a LAN.

Related Policy Settings
  • Lossy compression level

Progressive compression level

This setting provides a less detailed but faster initial display of images. The more detailed image, defined by the normal lossy compression setting, appears when it becomes available. Use very high or ultra high compression for improved viewing of bandwidth-intensive graphics such as photographs.

For progressive compression to be effective, its compression level must be higher than the Lossy compression level setting. By default, progressive compression is not applied.

Note: The increased level of compression associated with progressive compression also enhances the interactivity of dynamic images over client connections. The quality of a dynamic image, such as a rotating three-dimensional model, is temporarily decreased until the image stops moving, at which time the normal lossy compression setting is applied.

Related Policy Settings
  • Progressive compression threshold value
  • Lossy compression level
  • Progressive heavyweight compression

Progressive compression threshold value

The maximum bandwidth in kilobits per second for a connection to which progressive compression is applied. This is applied only to client connections under this bandwidth. By default, the threshold value is 1440 kilobits per second.

Related Policy Settings
  • Progressive compression level

Progressive heavyweight compression

This setting enables or disables reducing bandwidth beyond progressive compression without losing image quality by using a more advanced, but more CPU-intensive, graphical algorithm. By default, progressive heavyweight compression is disabled.

If enabled, heavyweight compression applies to all lossy compression settings. It is supported on the Citrix online plug-in but has no effect on other plug-ins.

Related Policy Settings
  • Lossy compression level
  • Progressive compression level

Keep Alive Policy Settings

The Keep Alive section contains policy settings for managing ICA keep-alive messages.

ICA keep alive timeout

This setting specifies the number of seconds between successive ICA keep-alive messages. By default, the interval between keep-alive messages is 60 seconds.

Specify an interval from 1 to 3600 seconds in which to send ICA keep-alive messages. Do not configure this setting if your network monitoring software is responsible for closing inactive connections. If using Citrix Access Gateway, set keep-alive intervals on the Access Gateway to match the keep-alive intervals on XenApp.

ICA keep alives

This setting enables or disables sending ICA keep-alive messages periodically. By default, keep-alive messages are not sent.

Enabling this setting prevents broken connections from being disconnected. If XenApp detects no activity, this setting prevents Remote Desktop Services from disconnecting the session. XenApp sends keep-alive messages every few seconds to detect if the session is active. If the session is no longer active, XenApp marks the session as disconnected.

ICA Keep-Alive does not work if you are using Session Reliability. Configure ICA Keep-Alive only for connections that are not using Session Reliability.

Related Policy Settings
Session reliability connections

Multimedia Policy Settings

The Multimedia section contains policy settings for managing streaming audio and video in user sessions.

HDX MediaStream Multimedia Acceleration

This setting controls and optimizes the way XenApp servers deliver streaming audio and video to users. By default, this setting is allowed.

Allowing this setting increases the quality of audio and video rendered from the server to a level that compares with audio and video played locally on a client device. XenApp streams multimedia to the client in the original, compressed form and allows the client device to decompress and render the media.

HDX MediaStream multimedia acceleration optimizes multimedia files that are encoded with codecs that adhere to Microsoft’s DirectShow, DirectX Media Objects (DMO), and Media Foundation standards. To play back a given multimedia file, a codec compatible with the encoding format of the multimedia file must be present on the client device.

By default, audio is disabled on the Citrix online plug-in. To allow users to run multimedia applications in ICA sessions, turn on audio or give the users permission to turn on audio themselves in their plug-in interface.

Select Prohibited only if playing media using multimedia acceleration appears worse than when rendered using basic ICA compression and regular audio. This is rare but can happen under low bandwidth conditions; for example, with media in which there is a very low frequency of key frames.

HDX MediaStream Multimedia Acceleration default buffer size

This setting specifies a buffer size from 1 to 10 seconds for multimedia acceleration. By default, the buffer size is 5 seconds.

HDX MediaStream Multimedia Acceleration default buffer size use

This setting enables or disables using the buffer size specified in the HDX MediaStream Multimedia Acceleration default buffer size setting. By default, the buffer size specified is used.

Multimedia conferencing

This setting allows or prevents support for video conferencing applications. By default, video conferencing support is enabled.

When adding this setting to a policy, make sure the HDX MediaStream Multimedia Acceleration setting is present and set to Allowed.

When using multimedia conferencing, make sure the following conditions are met:
  • Manufacturer-supplied drivers for the web cam used for multimedia conferencing must be installed.
  • The web cam must be connected to the client device before initiating a video conferencing session. XenApp uses only one installed web cam at any given time. If multiple web cams are installed on the client device, XenApp attempts to use each web cam in succession until a video conferencing session is created successfully.
  • An Office Communicator server must be present in your farm environment.
  • The Office Communicator client software must be published on the server.

HDX MediaStream for Flash (client side) Policy Settings

The HDX MediaStream for Flash (client side) section contains policy settings for handling Flash content in user sessions.

Flash acceleration

This setting enables or disables Flash content rendering on user devices instead of the server. By default, client-side Flash content rendering is enabled.

When enabled, this setting reduces network and server load by rendering Flash content on the user device. Additionally, the Flash URL blacklist setting forces Flash content from specific Web sites to be rendered on the server.

When this setting is disabled, Flash content from all Web sites, regardless of URL, is rendered on the server. To allow only certain Web sites to render Flash content on the user device, configure the Flash server-side content fetching whitelist setting.

Flash event logging

This setting allows or prevents Flash events to be recorded in the Windows application event log. By default, logging is allowed.

Flash latency threshold

This setting specifies a threshold between 0-30 milliseconds to determine where Adobe Flash content is rendered. By default, the threshold is 30 milliseconds.

During startup, HDX MediaStream for Flash measures the current latency between the server and user device. If the latency is under the threshold, HDX MediaStream for Flash is used to render Flash content on the user device. If the latency is above the threshold, the network server renders the content if an Adobe Flash player is available there.

Flash server-side content fetching whitelist

This setting specifies Web sites whose Flash content is allowed to be downloaded to the server and then transferred to the user device for rendering. Flash content on unlisted Web sites is downloaded directly to the client.

When adding this setting to a policy, make sure the Flash acceleration setting is present and set to Enabled. Otherwise, Web sites listed in the whitelist are ignored.

Listed URL strings do not need the http:// or https:// prefix. These prefixes are ignored if found. Wildcards (*) are valid at the beginning and end of a URL.

Flash URL blacklist

This setting specifies Web sites whose Flash content is rendered on the server. Flash content on unlisted Web sites is rendered on the user device.

When adding this setting to a policy, make sure the Flash acceleration setting is present and set to Enabled. Otherwise, Web sites listed in the URL blacklist are ignored.

Listed URL strings do not need the http:// or https:// prefix. These prefixes are ignored if found. Wildcards (*) are valid at the beginning and end of a URL.

HDX Multimedia for Flash (server side) Policy Settings

The HDX Multimedia for Flash (server side) section contains policy settings for handling Flash content on session hosts.

Flash quality adjustment

This setting adjusts the quality of Flash content rendered on session hosts to improve performance. By default, Flash content is optimized for low bandwidth connections only.

Ports Policy Settings

The Ports section contains policy settings for client LPT and COM port mapping.

Auto connect client COM ports

This setting enables or disables automatic connection of COM ports on user devices when users log on to the farm. By default, client COM ports are not automatically connected.

Related Policy Settings
Client COM port redirection

Auto connect client LPT ports

This setting enables or disables automatic connection of LPT ports on user devices when users log on to the farm. By default, client LPT ports are not connected automatically.

Related Policy Settings
Client LPT port redirection

Client COM port redirection

This setting allows or prevents access to COM ports on the user device. By default, COM port redirection is allowed.

Related Policy Settings
  • Auto connect client COM ports
  • COM port redirection bandwidth limit
  • COM port redirection bandwidth limit percent

Client LPT port redirection

This setting allows or prevents access to LPT ports on the user device. By default, LPT port redirection is allowed.

LPT ports are used only by legacy applications that send print jobs to the LPT ports and not to the print objects on the client device. Most applications today can send print jobs to printer objects. This policy setting is necessary only for servers that host legacy applications that print to LPT ports.

Related Policy Settings
  • Auto connect client LPT ports
  • LPT port redirection bandwidth limit
  • LPT port redirection bandwidth limit percent

Printing Policy Settings

The Printing section contains policy settings for managing client printing.

Client printer redirection

This setting allows or prevents client printers to be mapped to a server when a user logs on to a session. By default, client printer mapping is allowed.

Related Policy Settings
Auto-create client printers

Default printer

This setting specifies how the default printer on the user device is established in a session. By default, the user's current printer is used as the default printer for the session.

To use the current Remote Desktop Services or Windows user profile setting for the default printer, select Do not adjust the user’s default printer. If you choose this option, the default printer is not saved in the profile and it does not change according to other session or client properties. The default printer in a session will be the first printer autocreated in the session, which is either:
  • The first printer added locally to the Windows server in Control Panel > Printers
  • The first autocreated printer, if there are no printers added locally to the server

You can use this option to present users with the nearest printer through profile settings (known as Proximity Printing).

Printer auto-creation event log preference

This setting specifies the events that are logged during the printer auto-creation process. You can choose to log no errors or warnings, only errors, or errors and warnings. By default, errors and warnings are logged.

An example of a warning is an event in which a printer’s native driver could not be installed and the universal printer driver is installed instead. To allow universal printer drivers to be used in this scenario, configure the Universal printing setting to Use universal printing only or Use universal printing only if requested driver is unavailable.

Related Policy Settings
Universal printing

Session printers

This setting specifies the network printers to be auto-created in a session. You can add printers to the list, edit the settings of a list entry, or remove printers from the list. You can apply customized settings for the current session at every logon.

Wait for printers to be created (desktop)

This setting allows or prevents a delay in connecting to a session so that desktop printers can be auto-created. By default, a connection delay does not occur. This setting does not apply to published applications or published desktops.

Client Printers Policy Settings

Updated: 2013-08-12

The Client Printers section contains policy settings for client printers, including settings to autocreate client printers, use legacy printer names, retain printer properties, and connect to print servers.

Auto-create client printers

This setting specifies the client printers that are auto-created. This setting overrides default client printer auto-creation settings. By default, all client printers are auto-created.

This setting takes effect only if the Client printer redirection setting is present and set to Allowed.

When adding this setting to a policy, select an option:
  • Auto-create all client printers automatically creates all printers on a user device.
  • Auto-create the client’s default printer only automatically creates only the printer selected as the default printer on the user device.
  • Auto-create local (non-network) client printers only automatically creates only printers directly connected to the user device through an LPT, COM, USB, TCP/IP, or other local port.
  • Do not auto-create client printers turns off autocreate for all client printers when users log on. This causes the Remote Desktop Services settings for autocreating client printers to override this setting in lower priority policies.

Related Policy Settings
Client printer redirection

Client printer names

This setting selects the naming convention for auto-created client printers. By default, standard printer names are used.

For most configurations, select Standard printer names which are similar to those created by native Remote Desktop Services, such as “HPLaserJet 4 from clientname in session 3.”

Select Legacy printer names to use old-style client printer names and preserve backward compatibility for users or groups using MetaFrame Presentation Server 3.0 or earlier. An example of a legacy printer name is “Client/clientname#/HPLaserJet 4.” Because this option is less secure, use it only to provide backward compatibility for users or groups using MetaFrame Presentation Server 3.0 or earlier.

Direct connections to print servers

This setting enables or disables direct connections from the host to a print server for client printers hosted on an accessible network share. By default, direct connections are enabled.

Allow direct connections if the network print server is not across a WAN from the host. Direct communication results in faster printing if the network print server and host server are on the same LAN.

If this setting is disabled, print jobs are routed through the user device, where they are redirected to the network print server. Use this option if the network is across a WAN or has substantial latency or limited bandwidth. Data sent to the user device is compressed, so less bandwidth is consumed as the data travels across the WAN.

If two network printers have the same name, the printer on the same network as the user device is used.

Printer properties retention

This setting specifies whether or not to store printer properties and where to store them. By default, the system determines if printer properties are to be stored on the user device, if available, or in the user profile.

When adding this setting to a policy, select an option:
  • Held in profile only if not saved on client allows the system to determine where printer properties are stored. Printer properties are stored either on the client device, if available, or in the user profile. Although this option is the most flexible, it can also slow logon time and use extra bandwidth for system-checking.
  • Saved on the client device only is for user devices that have a mandatory or roaming profile that is not saved. Choose this option only if all the servers in your farm are running XenApp 5 and above and your users are using Citrix XenApp online plug-in versions 9.x and above.
  • Retained in user profile only is for user devices constrained by bandwidth (this option reduces network traffic) and logon speed or for users with legacy plug-ins. This option stores printer properties in the user profile on the server and prevents any properties exchange with the client device. Use this option with MetaFrame Presentation Server 3.0 or earlier and MetaFrame Presentation Server Client 8.x or earlier. Note that this is applicable only if a Remote Desktop Services roaming profile is used.

Retained and restored client printers

This setting enables or disables the retention and re-creation of printers on the user device. By default, client printers are auto-retained and auto-restored.

Retained printers are user-created printers that are created again, or remembered, at the start of the next session. When XenApp recreates a retained printer, it considers all policy settings except the Auto-create client printers setting.

Restored printers are printers fully customized by an administrator, with a saved state that is permanently attached to a client port.

Drivers Policy Settings

The Drivers section contains policy settings related to printer drivers.

Automatic installation of in-box printer drivers

This setting enables or disables the installation of Windows native drivers on the user device as needed. By default, native drivers are installed when users log on.

Printer driver mapping and compatibility

This setting specifies driver substitution rules for auto-created printers. When you define these rules, you can allow or prevent printers to be created with the specified driver. Additionally, you can allow created printers to use only universal printer drivers.

Driver substitution overrides (or maps) printer driver names the client provides, substituting an equivalent driver on the server. This gives server applications access to client printers that have the same drivers as the server but different driver names.

You can add a driver mapping, edit an existing mapping, remove a mapping, or change the order of driver entries in the list. When adding a mapping, enter the client printer driver name and then select the server driver you want to substitute.

Related Policy Settings
  • Universal printing
  • Auto-create client printers

Universal Printing Policy Settings

The Universal Printing section contains policy settings for managing universal printing.

Auto-create generic universal printer

This setting enables or disables auto-creation of the Citrix Universal Printer generic printing object. By default, generic universal printers are not auto-created.

Universal driver priority

This setting specifies the order in which XenApp attempts to use Universal Printer drivers, beginning with the first entry in the list. You can add, edit, or remove drivers, and change the order of drivers in the list.

Universal printing

This setting specifies when to use universal printing. Universal printing consists of a generic printer object (Citrix Universal Printer) and universal printer drivers that work with both Windows and non-Windows clients. By default, universal printing is used only if the requested driver is unavailable.

When adding this setting to a policy, select an option:
  • Use universal printing only if requested driver is unavailable uses native drivers for client printers if they are available. If the driver is not available on the server, the client printer is created automatically with the appropriate universal driver.
  • Use only printer model specific drivers specifies that the client printer use only the native drivers that are auto-created at logon. If the native driver of the printer is unavailable, the client printer cannot be auto-created.
  • Use universal printing only specifies that no native drivers are used.
  • Use printer model specific drivers only if universal printing is unavailable uses the universal printer driver if it is available. If the driver is not available on the server, the client printer is created automatically with the appropriate native printer driver.

Universal printing preview preference

This setting specifies whether or not to use the print preview function for auto-created or generic universal printers. By default, print preview is not used for auto-created or generic universal printers.

Security Policy Settings

The Security section contains policy settings for configuring session encryption and password requirements.

Prompt for password

This setting requires the user to enter a password for all server connections regardless of access scenario. By default, users are prompted for passwords only for specific types of connections.

SecureICA Encryption

This setting specifies the minimum level at which to encrypt session data sent between the server and a user device.

When adding this setting to a policy, select an option:
  • Basic encrypts the client connection using a non-RC5 algorithm. It protects the data stream from being read directly, but it can be decrypted. By default, the server uses Basic encryption for client-server traffic.
  • RC5 (128 bit) logon only encrypts the logon data with RC5 128-bit encryption and the client connection using Basic encryption.
  • RC5 (40 bit) encrypts the client connection with RC5 40-bit encryption.
  • RC5 (56 bit) encrypts the client connection with RC5 56-bit encryption.
  • RC5 (128 bit) encrypts the client connection with RC5 128-bit encryption.

The settings you specify for client-server encryption can interact with any other encryption settings in XenApp and your Windows operating system. If a higher priority encryption level is set on either a server or user device, settings you specify for published resources can be overridden.

You can raise encryption levels to further secure communications and message integrity for certain users. If a policy requires a higher encryption level, plug-ins using a lower encryption level are denied connection.

SecureICA does not perform authentication or check data integrity. To provide end-to-end encryption for your server farm, use SecureICA with SSL/TLS encryption.

SecureICA does not use FIPS-compliant algorithms. If this is an issue, configure the server and plug-ins to avoid using SecureICA.

Server Limits Policy Settings

The Server Limits section contains policy settings for controlling idle connections.

These policy settings are applicable to XenApp only.

Server idle timer interval

This setting determines, in milliseconds, how long an uninterrupted user session will be maintained if there is no input from the user. By default, idle connections are not disconnected (Server idle timer interval = 0). To enable, configure this policy setting.

Session Limits Policy Settings

The Session Limits section contains policy settings you can use to control the number of connections users can make and how long sessions remain connected before they are forced to log off.

Concurrent logon limit

This setting specifies the maximum number of connections a user can make to the server farm at any given time. The user’s active and disconnected sessions are counted for the user’s total number of concurrent connections. This setting reduces the number of client connection licenses in use and conserves resources. By default, there is no limit on concurrent connections.

Related Policy Settings
  • Limits on administrator sessions
  • Limit user sessions

Session Reliability Policy Settings

The Session Reliability section contains policy settings for managing session reliability connections.

Session reliability connections

This setting allows or prevents sessions to remain open during a loss of network connectivity. By default, session reliability is allowed.

Session Reliability keeps sessions active when network connectivity is interrupted. Users continue to see the application they are using until network connectivity resumes.

When connectivity is momentarily lost, the session remains active on the server. The user’s display freezes and the cursor changes to a spinning hourglass until connectivity resumes. The user continues to access the display during the interruption and can resume interacting with the application when the network connection is restored. Session Reliability reconnects users without reauthentication prompts.

If you do not want users to be able to reconnect to interrupted sessions without having to reauthenticate, configure the Auto client reconnect authentication setting to require authentication. Users are then prompted to reauthenticate when reconnecting to interrupted sessions.

If you use both Session Reliability and Auto Client Reconnect, the two features work in sequence. Session Reliability closes, or disconnects, the user session after the amount of time you specify in the Session reliability timeout setting. After that, the settings you configure for Auto Client Reconnect take effect, attempting to reconnect the user to the disconnected session.

Related Policy Settings
  • Auto client reconnect
  • Auto client reconnect authentication

Session reliability port number

This setting specifies the TCP port number for incoming session reliability connections.

Session reliability timeout

This setting specifies the length of time in seconds the session reliability proxy waits for a client to reconnect before allowing the session to be disconnected.

The default length of time is 180 seconds, or three minutes. Though you can extend the amount of time a session is kept open, this feature is designed to be convenient to the user and it does not prompt the user for reauthentication. If you extend the amount of time a session is kept open indiscriminately, chances increase that a user may get distracted and walk away from the client device, potentially leaving the session accessible to unauthorized users.

If you do not want users to be able to reconnect to interrupted sessions without having to reauthenticate, configure the Auto client reconnect authentication setting to require authentication. Users are then prompted to reauthenticate when reconnecting to interrupted sessions.

If you use both Session Reliability and Auto Client Reconnect, the two features work in sequence. Session Reliability closes, or disconnects, the user session after the amount of time you specify in the Session reliability timeout setting. After that, the settings you configure for Auto Client Reconnect take effect, attempting to reconnect the user to the disconnected session.

Related Policy Settings
  • Auto client reconnect
  • Auto client reconnect authentication

Shadowing Policy Settings

The Shadowing section contains policy settings related to user-to-user shadowing. Shadowing is useful for training purposes and for viewing presentations. You can also allow help desk personnel to shadow users so they can troubleshoot user problems.

Input from shadow connections

This setting allows or prevents shadowing users to take control of the keyboard and mouse of the user being shadowed during a shadowing session. By default, the person shadowing can send input to the session being shadowed.

Log shadow attempts

This setting allows or prevents recording of attempted shadowing sessions in the Windows event log. By default, shadowing attempts are logged.

Several different event types are recorded in the Windows Event log. These include user shadowing requests, such as when users stop shadowing, failure to launch shadowing, and access to shadowing denials.

Notify user of pending shadow connections

This setting allows or prevents shadowed users from receiving notification of shadowing requests from other users. When a user receives a shadowing request, the user can accept or deny the request. By default, users are not notified when they are being shadowed.

Shadowing

This setting allows or prevents users from shadowing other users’ sessions. By default, administrators can shadow users’ sessions. When you add this setting to a policy, specify the users allowed to shadow by configuring the Users who can shadow other users and Users who cannot shadow other users policy settings.

Session shadowing monitors and interacts with user sessions. When you shadow a user session, you can view everything that appears on the user’s session display. You can also use your keyboard and mouse to remotely interact with the user session.

Shadowing is protocol-specific. This means you can shadow ICA sessions over ICA and Remote Desktop Protocol (RDP) sessions over RDP only.

Shadowing restrictions are set at install time and are permanent. If you enable or disable shadowing, or certain shadowing features during Setup, you cannot change these restrictions later. You must reinstall XenApp on the server to change shadowing restrictions.

Any user policies you create to enable user-to-user shadowing are subject to the restrictions you place on shadowing during Setup.

Users who can shadow other users

This setting specifies the users who are allowed to shadow other users.

Users who cannot shadow other users

This setting specifies the users who are not allowed to shadow other users.

Time Zone Control Policy Settings

The Time Zone Control section contains policy settings related to using local time in sessions.

Local Time Estimation

This setting enables or disables estimating the local time zone of user devices that send inaccurate time zone information to the server. By default, the server estimates the local time zone when necessary.

Use local time of client

This setting determines the time zone setting of the user session. When enabled, the administrator can choose to default the user session’s time zone settings to that of the user’s time zone settings. By default, the server’s time zone is used for the session.

For this setting to take effect, enable the Allow time zone redirection setting in the Remote Desktop Session Host node of the Group Policy Management Editor (User Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection). For more information about time zone redirection, refer to the Citrix Knowledge Center.

TWAIN Devices Policy Settings

The TWAIN devices section contains policy settings related to mapping client TWAIN devices, such as digital cameras or scanners, and optimizing image transfers from server to client.

Client TWAIN device redirection

This setting allows or prevents users from accessing TWAIN devices on the user device from published image processing applications. By default, TWAIN device redirection is allowed.

Related Policy Settings
  • TWAIN compression level
  • TWAIN device redirection bandwidth limit
  • TWAIN device redirection bandwidth limit percent

TWAIN compression level

This setting specifies the level of compression of image transfers from client to server. Use Low for best image quality, Medium for good image quality, or High for low image quality. By default, no compression is applied.

USB Devices Policy Settings

The USB devices section contains policy settings for managing file redirection for USB devices.

Client USB device redirection

This setting allows or prevents redirection of USB devices to and from the client (workstation hosts only). By default, USB devices are not redirected.

Client USB device redirection rules

This setting specifies redirection rules for USB devices.

When a user plugs in a USB device, the host device checks it against each policy rule in turn until a match is found. The first match for any device is considered definitive. If the first match is an Allow rule, the device is remoted to the virtual desktop. If the first match is a Deny rule, the device is available only to the local desktop. If no match is found, default rules are used. For more information about the default policy configuration for USB devices, refer to CTX119722, “Creating USB Policy Rules,” in the Citrix Knowledge Center.

Policy rules take the format {Allow:|Deny:} followed by a set of tag=value expressions separated by whitespace. The following tags are supported:
  • VID: Vendor ID from the device descriptor
  • PID: Product ID from the device descriptor
  • REL: Release ID from the device descriptor
  • Class: Class from either the device descriptor or an interface descriptor
  • SubClass: Subclass from either the device descriptor or an interface descriptor
  • Prot: Protocol from either the device descriptor or an interface descriptor

When creating new policy rules, be aware of the following:
  • Rules are case-insensitive.
  • Rules may have an optional comment at the end, introduced by #.
  • Blank and pure comment lines are ignored.
  • Tags must use the matching operator =. For example, VID=1230.
  • Each rule must start on a new line or form part of a semicolon-separated list.
  • Refer to the USB class codes available from the USB Implementers Forum, Inc. Web site.

Examples of administrator-defined USB policy rules

Allow: VID=1230 PID=0007 # ANOther Industries, ANOther Flash Drive

Deny: Class=08 subclass=05 # Mass Storage

To create a rule that denies all USB devices, use “DENY:” with no other tags.
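
The first-match behavior described above is what makes rule order security-relevant: a broad Allow placed ahead of a Deny shadows it. The following Python sketch is an added example, not Citrix code, that parses rules in the documented format and reports which rule decides for a device. It assumes tag values are hexadecimal, that Class, SubClass and Prot tags in one rule must all match the same descriptor, that comments are stripped before splitting on semicolons, and it returns "default" where the product would fall back to its default rules (not listed on this page).

```python
"""First-match evaluation of USB redirection rules (illustrative sketch)."""
from dataclasses import dataclass, field

DEVICE_TAGS = ("vid", "pid", "rel")
CLASS_TAGS = ("class", "subclass", "prot")  # same order as descriptor triples
KNOWN_TAGS = set(DEVICE_TAGS) | set(CLASS_TAGS)


@dataclass
class UsbDevice:
    vid: int
    pid: int
    rel: int
    # (class, subclass, protocol) triples: the device descriptor first,
    # then one triple per interface descriptor.
    descriptors: list = field(default_factory=list)


@dataclass
class Rule:
    allow: bool
    tags: dict    # lower-cased tag name -> integer value
    source: str   # rule text with its comment removed


def parse_rules(text):
    """Parse newline- or semicolon-separated rules; ignore blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # assumption: '#' ends the line
        for chunk in line.split(";"):
            chunk = chunk.strip()
            if not chunk:
                continue
            action, sep, rest = chunk.partition(":")
            action = action.strip().lower()   # rules are case-insensitive
            if not sep or action not in ("allow", "deny"):
                raise ValueError(f"rule must start with Allow: or Deny: {chunk!r}")
            tags = {}
            for token in rest.split():
                name, eq, value = token.partition("=")
                name = name.lower()
                if not eq or name not in KNOWN_TAGS:
                    raise ValueError(f"bad tag expression {token!r} in {chunk!r}")
                tags[name] = int(value, 16)   # assumption: hexadecimal values
            rules.append(Rule(action == "allow", tags, chunk))
    return rules


def rule_matches(rule, dev):
    """A rule with no tags matches every device (the 'DENY:' catch-all)."""
    for tag in DEVICE_TAGS:
        if tag in rule.tags and rule.tags[tag] != getattr(dev, tag):
            return False
    wanted = [rule.tags.get(t) for t in CLASS_TAGS]
    if all(w is None for w in wanted):
        return True
    # Class tags may match the device descriptor or any interface descriptor.
    return any(
        all(w is None or w == got for w, got in zip(wanted, triple))
        for triple in dev.descriptors
    )


def decide(rules, dev):
    """Return (decision, deciding rule text); the first matching rule wins."""
    for rule in rules:
        if rule_matches(rule, dev):
            return ("allow" if rule.allow else "deny"), rule.source
    return "default", None


# Constructed sample policy: the page's two example rules plus two more.
SAMPLE_POLICY = """
# constructed sample policy
Allow: VID=1230 PID=0007 # ANOther Industries, ANOther Flash Drive
Deny: Class=08 subclass=05 # Mass Storage
allow: class=03; DENY:
"""

# Constructed sample devices.
SAMPLE_DEVICES = {
    "listed flash drive": UsbDevice(0x1230, 0x0007, 0x0100, [(0, 0, 0), (0x08, 0x05, 0x50)]),
    "other mass storage": UsbDevice(0x0ABC, 0x0001, 0x0100, [(0, 0, 0), (0x08, 0x05, 0x50)]),
    "keyboard": UsbDevice(0x0DEF, 0x0002, 0x0100, [(0, 0, 0), (0x03, 0x01, 0x01)]),
    "vendor-specific": UsbDevice(0x0DEF, 0x0003, 0x0100, [(0xFF, 0, 0)]),
}

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_POLICY)
    for label, device in SAMPLE_DEVICES.items():
        decision, source = decide(parsed, device)
        print(f"{label:20} -> {decision:7} by {source}")
```

Running a proposed rule list through a check like this before deployment shows which rule actually decides for each device class you care about, and whether any device falls through to the default rules.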