Browser Content Redirection: whitelisting websites

Browser Content Redirection is a technology built around a URL whitelisting mechanism. Two policies are exposed in Studio for that purpose:

i. Browser content redirection Access Control List (ACL) policy settings (a.k.a. the ACL policy)

ii. Browser content redirection authentication sites (a.k.a. the authentication sites policy)

While the description in edocs tries to cover the general cases, there are some websites using intrinsic redirection mechanisms that make the whitelisting process more difficult.

As an example we will look into Microsoft Teams.

It is essential to use the browser's Developer Tools to understand the website's behavior before configuring any policy.

The 'Preserve Log' check-box should be ticked, otherwise the captured entries are cleared automatically.


Microsoft Teams

A user typing http://teams.microsoft.com will get an HTTP 307 response from the webserver, repointing the browser to https://teams.microsoft.com

(Hence it is critical that the right syntax is used when whitelisting a website, like http or https, with or without www, etc – otherwise redirection might fail).

From that URL, the resource https://teams.microsoft.com/auth/prelogin is contacted by the browser, which eventually ends up being redirected to:

https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=xxxxxxxxxxxxxxxxxxxxxxxxx&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fgo&state=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&&client-request-id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&x-client-SKU=Js&x-client-Ver=1.0.9&nonce=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1&domain_hint=


Once the browser loads this page, it 'rests' and waits for user input. These redirections occurred very fast, and the injection of HdxVideo.js that the Browser Content Redirection Chrome Extension must perform did not complete in time.

In this case, the url https://login.microsoftonline.com/* needs to be whitelisted in the ACL policy in Studio.

Since the Admin might not want to redirect the entire domain, better granularity can be achieved by leveraging a common OAuth 2.0 parameter, redirect_uri, which carries the application's URL and therefore embeds the App name in the login URL.

Whitelisting the following URL in the ACL policy in Studio will achieve the objective, thanks to wildcards:

https://login.microsoftonline.com/*teams*

The Chrome Extension can now inject HdxVideo.js, and redirection takes place. The user ends up on an Office 365 authentication website linked to Teams (see screenshot above), but this time the website runs locally in the endpoint's overlay browser, which is part of Workspace app (HdxBrowserCef.exe).

After a successful authentication, the overlay browser HdxBrowserCef.exe is pointed back to https://teams.microsoft.com

This URL (https://teams.microsoft.com/*) should now be whitelisted also in the ‘Authentication Sites’ policy in Studio.

Note: This might seem somewhat counterintuitive, as the authentication site is login.microsoftonline.com, not teams.microsoft.com – yet the problem with Teams is that the Chrome Extension is not loaded quickly enough by the browser, so injection fails on teams.microsoft.com.

Browser Content Redirection treats websites whitelisted under the Authentication sites policy as child websites that must remain redirected if the parent website was in the ACL whitelist policy. In the Teams case, teams.microsoft.com is therefore the child website of the parent login.microsoftonline.com.


GoToMeeting

The first thing to notice is that navigating to https://gotomeet.me/mymeetingID redirects to https://www.gotomeet.me/mymeetingID

Whitelisting without the 'www' will therefore fail; whitelisting https://www.gotomeet.me/* (in the ACL policy) is the solution.

Note the use of the wildcard ‘*’ – this allows you to whitelist any path for that URL.

After the webpage is redirected, the user can click ‘Join meeting in browser’, which points to:

https://app.gotomeeting.com/index.html?meetingId=xxxxxxxxxx


Note that this is a different FQDN, so if the user clicks on that link the session falls back to server-side rendering.

The solution is to whitelist https://app.gotomeeting.com/*

You can either add this to the ACL policy or to the Authentication Sites policy (or both).

The difference is that if you add it only to the ACL policy, clicking the link triggers a re-processing of the URL by the VDA (a lookup of that URL in the ACL entries), resulting in a few extra redirection steps.

If you add it to the Authentication Sites policy, then since the parent website is https://www.gotomeet.me/* and that is already whitelisted in the ACL policy, a re-processing of the URL by the VDA is not required and the experience is smoother (see last paragraph under the Teams section).

Of course there could be a scenario where the user types https://app.gotomeeting.com/index.html?meetingId=xxxxxxxxxx directly as the first URL in Chrome’s navigation bar. Browser Content Redirection will only kick-in if that URL is on the ACL policy (that is because the Authentication Sites policy is only processed after an ACL match). So in order to prevent this exact scenario from failing, you can add the URL to the ACL and Authentication Sites policies (and hence the reference to ‘both’ in the paragraph above).
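The following JavaScript is an added example, not part of the original article and not Citrix's BCR implementation: it models the decision process described above (the first URL must match the ACL or BCR never starts; while redirected, a URL on the Authentication Sites list stays redirected; a URL that matches only the ACL is re-processed by the VDA; anything else falls back to server-side) and walks the Teams and GoToMeeting sequences through it. It assumes that '*' in a whitelist entry matches any run of characters and that the comparison is otherwise exact; the real matching rules are not stated on the page, and the login URL below is a shortened, constructed version of the one shown earlier.

```javascript
// Added example (not Citrix code): a model of the ACL / Authentication Sites
// decision described in the article. Assumed matching rule: '*' in a whitelist
// entry matches any run of characters; everything else must match exactly.

// Turn a whitelist entry such as "https://www.gotomeet.me/*" into a RegExp.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*");                  // '*' wildcard
  return new RegExp("^" + escaped + "$");
}

function matchesAny(url, patterns) {
  return patterns.some((p) => patternToRegExp(p).test(url));
}

// Walk the URLs a session visits in order (typed URL, then each HTTP redirect
// or click) and record what the article says happens at every step:
//  - the first URL must match the ACL or BCR never starts
//  - while redirected, a URL on the Authentication Sites list stays redirected
//    without the VDA re-processing it
//  - a URL that matches only the ACL is re-processed by the VDA (extra steps)
//  - a URL on neither list falls back to server-side rendering
function evaluateNavigation(urls, acl, authSites) {
  const steps = [];
  let redirected = false;
  urls.forEach((url) => {
    const inAcl = matchesAny(url, acl);
    const inAuth = matchesAny(url, authSites);
    let outcome;
    if (!redirected) {
      // Not (or no longer) redirected: only an ACL match can start redirection.
      outcome = inAcl ? "redirected" : "not redirected (no ACL match)";
      redirected = inAcl;
    } else if (inAuth) {
      outcome = "stays redirected (authentication site)";
    } else if (inAcl) {
      outcome = "redirected (reprocessed by VDA)";
    } else {
      outcome = "fallback to server-side";
      redirected = false;
    }
    steps.push({ url, outcome });
  });
  return steps;
}

// Teams, as configured in the article: login.microsoftonline.com in the ACL,
// wildcarded on "teams" in redirect_uri, and teams.microsoft.com as an
// authentication site. The login URL is a shortened, constructed sample.
const teamsAcl = ["https://login.microsoftonline.com/*teams*"];
const teamsAuth = ["https://teams.microsoft.com/*"];
const teamsFlow = [
  "https://teams.microsoft.com/",
  "https://login.microsoftonline.com/common/oauth2/authorize?redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fgo",
  "https://teams.microsoft.com/",
];

for (const step of evaluateNavigation(teamsFlow, teamsAcl, teamsAuth)) {
  console.log(step.outcome.padEnd(40), step.url);
}
```

Running the GoToMeeting sequence through the same function reproduces the three outcomes the article contrasts: with only https://www.gotomeet.me/* in the ACL the click on app.gotomeeting.com falls back to server-side, with that URL added to the ACL it is re-processed by the VDA, and with it on the Authentication Sites list it simply stays redirected.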


Configuring Store on Workspace app/Receiver using Group Policy

Automatic translation

This article was translated by an automatic translation system and has not been reviewed by a person. Citrix provides automatic translation to widen access to support content; however, automatically translated articles may contain errors. Citrix is not responsible for inconsistencies, errors or damage arising from the use of automatically translated articles.


How to Troubleshoot Browser Content Redirection

Browser Content Redirection feature description and details

Browser content redirection (BCR) allows VDA-side browser viewports to be redirected to and rendered on the client side. BCR offloads network utilization, page processing and graphics rendering to the endpoint, improving the end-user experience when browsing demanding webpages, especially those incorporating HTML5 or WebRTC video.

Currently there are two browsers supported:

  • Internet Explorer 11: The VDA-side IE11 browser viewport is redirected and rendered on the client-side using the client-side installed IE11 and the Citrix Workspace app for Windows process HdxBrowser.exe.
  • Google Chrome: The VDA-side Chrome browser viewport is redirected and rendered on the client-side using the Citrix Workspace app for Windows embedded Chrome engine and the HdxBrowserCef.exe process. Note that the Browser Content Redirection Extension must be installed and enabled on the VDA before using BCR with Chrome. The Browser Content Redirection Extension is available from the Chrome Web Store.


For further information, including BCR system requirements, please read the Browser content redirection section of the Citrix Virtual Apps and Desktops 7 Product Documentation.

Browser Content Redirection configuration for specific use cases

Server fetch and server render

No VDA-side viewport redirection to the client takes place. This may be the intended behavior, as configured through the BCR policies, or the result of an unintended server fallback caused by a client-side redirection failure.

To configure for this use case:

Browser content redirection policy: If set to Prohibited, BCR is disabled.

Alternatively, if “server fetch and server render” is to be applied for some websites, while permitting BCR for others, use the Browser content redirection Access Control List (ACL) policy settings policy to whitelist sites and/or the Browser content redirection blacklist setting policy to blacklist sites.

In this alternative scenario, the Browser content redirection policy needs to be unconfigured or set to Allowed. [Default value Allowed]

Server fetch and client render

This scenario is useful when the client does not have direct access to the internet.

To configure for this use case:

When the Browser content redirection proxy setting policy has been configured with a proxy server IP:Port address, the client connects to the proxy server on the VDA’s network over the Port Forwarding virtual channel and renders the content locally.

TCPView running on the endpoint will show that HdxBrowser attempts to connect to a few localhost TCP ports (the aforementioned client-side Port Forwarding virtual channel):


The TCP Port Forwarding service on the VDA is called CtxSvcHost.exe, and is the one making the final outbound connection to the Proxy Server (in the screenshot below it is 10.108.7.8:8888). This is how it looks on TCPView:


If CtxSvcHost.exe is not seen in TCPView, please restart the service “Citrix HDX Port Forwarding Service” on the VDA.

Client fetch and client render

This use case affords the maximum benefits for bandwidth efficiency and VDA resource usage.

To configure for this use case:

Browser content redirection policy: No need to configure but Allowed can be set. [Default value Allowed]

Browser content redirection Access Control List (ACL) policy settings policy: Acts as whitelist. Add any websites (wildcard * can be used) that you want to be redirected.

[Default value: https://www.youtube.com/*]

Other BCR configuration options

To support whitelisted websites that navigate away to a 3rd-party site for authentication before redirecting back to the whitelisted site, configure the Browser content redirection authentication sites policy.

We’ll use YouTube as an example:

The Browser content redirection policy will include the value: https://www.youtube.com/* [note that this entry exists by default in the policy]

The Sign In button on the YouTube site navigates to https://accounts.google.com/… (the protocol/domain part will be consistent but the full path will vary).

To support the authentication-related navigation from https://www.youtube.com/ to https://accounts.google.com/ and back to https://www.youtube.com/, configure as follows:

In the Browser content redirection authentication sites policy, add the entry: https://accounts.google.com/* (note the wildcard * to accommodate variations in URL sub-folder values).

More info can be found in CTX238236.

Browser Content Redirection feature limitations

  • For websites with media content, only a limited set of codecs is supported when the site is redirected (the supported codec list was provided as an image that is not reproduced here).
  • Due to a limitation of CEF (Chromium Embedded Framework), GPU acceleration on the client endpoint must be disabled when the DPI scaling factor is set to anything other than 100%, otherwise the BCR feature does not work. To disable it, set the following registry value:

      HKLM\SOFTWARE\Citrix\HdxMediastream

      For 64-bit:

      HKLM\SOFTWARE\Wow6432Node\Citrix\HdxMediastream

      Key: GPU (DWORD)

      Value: 0
  • Currently, copying text from redirected webpages is only possible with Chrome browser content redirection. Use Ctrl-C / Ctrl-V to copy and paste.
  • Currently printing from redirected webpages is not possible from Internet Explorer 11 and Chrome.
  • Currently downloads are not enabled on redirected websites when using Chrome browser on the VDA (therefore files cannot be saved to the endpoint).

Browser Content Redirection Troubleshooting

Before proceeding, please review the “Browser Content Redirection feature limitations” section.

General troubleshooting steps

Step | May clear problem in
Close the browser, re-open, and navigate to a whitelisted site. | Browser Add-On and HdxVideo.js file
Disconnect and reconnect the session. | Citrix Workspace app, HdxBrowser.exe, HdxBrowserCef.exe, WebsocketAgent, and services
Logoff and logon to a new session. | Citrix Workspace app, HdxBrowser.exe, HdxBrowserCef.exe, WebsocketAgent, and services
Stop the services: 1. Browser redirection service, 2. HTML5 redirection service, and 3. Port forwarding service. Restart them in the reverse order listed. Logoff and logon the session. | All components


Data to collect for troubleshooting

CDF modules to trace:

VDA side:

  • HDX_Multimedia_BrowserService
  • HDX_Multimedia_HdxjsInjector
  • HDX_Multimedia_PortForwardLibrary
  • HDX_Multimedia_PortForwardService
  • HDX_Multimedia_WebSocketAgent
  • HDX_Multimedia_WebSocketPipe
  • HDX_Multimedia_WebSocketService
  • PE_Library_GvchBase

Citrix Workspace app (client) side:

  • IcaClient_Multimedia_HdxBrowser_CtlGuid
  • IcaClient_DriversVd_BrowserRedir_CtlGuid
  • IcaClient_DriversVd_PortForward_CtlGuid

For Internet Explorer 11, ensure HdxBrowser.exe is running with Citrix Workspace app (use Task Manager) while you are on a whitelisted site.

For Google Chrome, ensure HdxBrowserCef.exe is running with Citrix Workspace app (use Task Manager) while you are on a whitelisted site.

This is how it looks on Process Explorer:


Browser JavaScript log live debugging in IE11:

  1. Open %programfiles%\Citrix\HdxVideo.js

    (or, depending on your VDA version, the JavaScript may be located inside a folder called %programfiles%\Citrix\ICASERVICE)

    You might need to do this running Notepad as an Admin and opening the .js file from the Open menu

  2. Change the line var DEBUG_ONLY = false; to var DEBUG_ONLY = true;

    Save the file and close your Editor.

  3. Close Internet Explorer and reopen it, hit F12, and go to the Console tab in Developer tools. Browse to a whitelisted site, e.g. https://www.youtube.com

  4. You should see traces from [HdxVideo.js] (example below). Collect the entire log.

    Key messages to look for carry additional comments inside brackets [ ]:

    [HdxVideo.js] OnUnload (window): [object Window]

    [HdxVideo.js] DocumentBodySuppressor.start()

    [HdxVideo.js Events] interceptEventListeners()

    [HdxVideo.js] DocumentBodySuppressor.trySetBodyStyle(): stopping observer

    [HdxVideo.js] OnLoad (window): [object HTMLDocument]

    [HdxVideo.js] Unredirected video count: 0

    [HdxVideo.js] HDX_DO_PAGE_REDIRECTION: true [if false, redirection is not even attempted. Problem with policies or browser Extension?]

    [HdxVideo.js] infallback: undefined

    [HdxVideo.js] Installing event listeners.

    [HdxVideo.js] msexitFullscreen – Found!

    [HdxVideo.js] onWSOpen: [Websocket opening to WebsocketAgent.exe 127.0.0.1:9001 succeeded. If failed, check your IE Security Settings]

    [HdxVideo.js] >>> {"v":"pageurl","url":"https://www.google.de/"}

    [HdxVideo.js] onVisibilityChange:

    [HdxVideo.js] >>> {"v":"vis","vis":true}

    [HdxVideo.js] onResize:

    [HdxVideo.js] >>> {"v":"pageredir"}

    [HdxVideo.js] sendClientSize: w: 1316 h: 755

    [HdxVideo.js] >>> {"v":"clisz","w":1316,"h":755}

    CSI/tbsd_: 15.599,072ms

    CSI/_tbnd: 15.658,128ms

    [HdxVideo.js] <<< {"v":"winid","title":"CitrixVideo:{1b83a2dc-39ae-4455-ad7d-d56e71fbb45d}"}

    [HdxVideo.js] onWSMessage: winid: CitrixVideo:{1b83a2dc-39ae-4455-ad7d-d56e71fbb45d}

    [HdxVideo.js] setWindowTitle: CitrixVideo:{1b83a2dc-39ae-4455-ad7d-d56e71fbb45d}

    [HdxVideo.js] documentTitleMutator.start()

    [HdxVideo.js] >>> {"v":"winid"}

    [HdxVideo.js] <<< {"v":"pageredir"} [VDA is instructing Receiver to start the redirection process]

    [HdxVideo.js] onWSMessage: pageredir

    [HdxVideo.js] Redirecting page — 화이팅! https://www.google.de/ [the Korean characters mean the redirection was successful]

A common error is:

[HdxVideo.js] OnUnload (window): [object Window]

Navigation Event Separator HTML1300: Navigation occurred.
www.youtube.com

[HdxVideo.js] DocumentBodySuppressor.start()

[HdxVideo.js Events] interceptEventListeners()

[HdxVideo.js] DocumentBodySuppressor.trySetBodyStyle(): stopping observer

[HdxVideo.js] OnLoad (window): [object HTMLDocument]

[HdxVideo.js] Installing event listeners.

[HdxVideo.js] msexitFullscreen – Found!


[HdxVideo.js] doRedirection(): exception connecting to WebSocket: SecurityError

[HdxVideo.js] onWSError:

[HdxVideo.js] Showing content — suspendRedirection.

In the Developer Tools console this can be seen as:


This is caused by security configurations in IE11’s Security Zones.

Internet Explorer automatically assigns all websites to a security zone: Internet, Local intranet, Trusted sites, or Restricted sites. Each zone has a different default security level that determines what kind of content might be blocked for that site. Depending on the security level of a site, some content might be blocked until you choose to allow it.

Please add the following entry to the Trusted sites zone in IE11 (Internet Options -> Security):

  • wss://127.0.0.1:9001

You can verify whether the WebSocket can be opened by going to Developer Tools -> Console and typing:

var exampleSocket = new WebSocket('wss://127.0.0.1:9001'); exampleSocket.onmessage = function (messageEvent) { console.log(JSON.stringify(messageEvent)); };

wait a few seconds and then type:

exampleSocket.readyState

The expected output from the second command is 1, which indicates that the WebSocket connection was successfully established. The possible readyState values are:

  • 0 (CONNECTING): the connection is not yet open
  • 1 (OPEN): the connection is open and ready to communicate
  • 2 (CLOSING): the connection is in the process of closing
  • 3 (CLOSED): the connection is closed or could not be opened



Pac files

If you are using pac files with IE11, make sure your script returns DIRECT for 127.0.0.1:9001 because that connection is intended for WebSocketService.exe which is running locally on the VDA itself.

In addition, you must configure Internet Properties –> Security –> Local Intranet –> Sites, and uncheck “Include all sites that bypass the proxy server”
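As an added example (not from the Citrix article), the following PAC script shows the rule described above: the BCR WebSocket endpoint on the VDA's loopback address is returned as DIRECT, everything else goes to a proxy. The proxy address proxy.example.com:8080 is a placeholder, and only FindProxyForURL belongs in the .pac file; routeFor is a helper for checking the script outside a browser.

```javascript
// Added example (not Citrix code): a minimal PAC script for IE11 on the VDA.
// proxy.example.com:8080 is a placeholder for the real proxy address.
var BCR_WEBSOCKET = "127.0.0.1:9001";

function FindProxyForURL(url, host) {
  // WebSocketService.exe listens on the VDA's own loopback interface. A proxy
  // cannot reach it, so this one connection must bypass the proxy entirely.
  if (host === "127.0.0.1" && url.indexOf("://" + BCR_WEBSOCKET) !== -1) {
    return "DIRECT";
  }
  // Everything else (including other loopback ports) follows the site's normal rule.
  return "PROXY proxy.example.com:8080";
}

// Helper for checking the script outside a browser (e.g. in Node): derives the
// host argument from the URL the way the browser does before calling the PAC.
function routeFor(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

console.log(routeFor("wss://127.0.0.1:9001"));              // DIRECT
console.log(routeFor("https://www.youtube.com/watch?v=x"));  // PROXY proxy.example.com:8080
```

The host check and the port check are both kept so that only the 127.0.0.1:9001 endpoint is exempted, which is exactly what the paragraph above asks for; whether other loopback traffic should also bypass the proxy is a separate site decision.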


The equivalent configuration can be made by setting these regkeys:

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect – REG_DWORD value 0

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName – REG_DWORD value 1

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet – REG_DWORD value 1


Content Security Policy

Another possible error is that some websites use CSP (Content Security Policy), which prevents any outside resource (such as the JavaScript used by BCR) from being executed in the trusted webpage context. The browser therefore blocks the injection of HdxVideo.js and BCR fails, falling back to server-side rendering.


This can be overcome if you have a proxy server in your network (such as Bluecoat) that is able to apply HTTP header rewrites: wss://127.0.0.1:9001 needs to be added to the connect-src directive of the site's Content-Security-Policy header.
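As an added example, not part of the original article or of Citrix's tooling, the following JavaScript shows the header-level change such a proxy rewrite has to make: it parses a constructed Content-Security-Policy header, checks whether its connect-src (or, failing that, default-src) already permits wss://127.0.0.1:9001, and otherwise appends that source to connect-src while keeping every other source the site declared. Only the subset of CSP source matching needed here ('*', scheme-only sources and exact origins) is implemented. Widening connect-src changes the site's security policy, so it belongs with whoever owns that policy rather than being applied silently for every site.

```javascript
// Added example (not Citrix code): inspect a Content-Security-Policy header and
// produce the rewrite a proxy would apply so that the BCR WebSocket is allowed.
// The sample headers are constructed for this example.
const BCR_WS_SOURCE = "wss://127.0.0.1:9001";

// Parse "name src src; name src" into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives].map(([name, sources]) => [name, ...sources].join(" ")).join("; ");
}

// Subset of CSP source matching sufficient for this check: '*', a scheme-only
// source such as "wss:", or an exact origin. 'self' is treated as not matching,
// because the VDA-local WebSocket is never same-origin with a remote website.
function sourceMatches(token, source) {
  const t = token.toLowerCase().replace(/\/$/, "");
  const s = source.toLowerCase().replace(/\/$/, "");
  if (t === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(t)) return s.startsWith(t);
  return t === s;
}

// connect-src governs WebSocket connections; if it is absent, default-src
// applies; if neither is present, connections are unrestricted.
function allowsConnection(directives, source) {
  const sources = directives.get("connect-src") || directives.get("default-src");
  if (sources === undefined) return true;
  return sources.some((token) => sourceMatches(token, source));
}

// Return the header unchanged when it already permits `source`; otherwise add
// `source` to connect-src, seeding connect-src from default-src when it did not
// exist so nothing the policy previously allowed is lost. A 'none' token is
// dropped because it is invalid alongside other sources.
function rewriteCsp(header, source = BCR_WS_SOURCE) {
  const directives = parseCsp(header);
  if (allowsConnection(directives, source)) return header;
  const base = (directives.get("connect-src") || directives.get("default-src") || [])
    .filter((token) => token.toLowerCase() !== "'none'");
  directives.set("connect-src", [...base, source]);
  return serializeCsp(directives);
}

// Constructed sample header from a site that does not allow the BCR WebSocket.
const SAMPLE_HEADER =
  "default-src 'self'; script-src 'self' https://cdn.example.com; connect-src 'self' https://api.example.com";

console.log("before:", SAMPLE_HEADER);
console.log("after: ", rewriteCsp(SAMPLE_HEADER));
```

Run against SAMPLE_HEADER the rewrite leaves default-src and script-src untouched and only extends connect-src; a header that already allows the wss: scheme, or one with no connect-src and no default-src at all, is returned unchanged.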


Browser Helper Object (BHO for IE11)

The BHO is explicitly enabled at install time. If you want to disable it, check the registry key created for the CLSID of the extension under the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID

There should be a key created with the CLSID of the extension, i.e. {CA076BDE-8E41-44EE-B775-E791F26D0483}

The value of the key is set to 1. This means the extension is enabled and users cannot change it.

If changed to 0, the extension is disabled and users cannot change it.

If changed to 2, the extension is enabled and users can enable or disable it in the browser's "Manage add-ons".


How to verify the webpage is redirected

Method #1: Drag the IE11 window quickly. You will notice a ‘delay’ or ‘out of frame’ between the viewport and the User Interface.

You will also notice a quick change of the tab title (CitrixVideoId) before the original title is put back.



Method #2: When the right mouse button is clicked on window area, a customized context menu is displayed. Back/Forward menu items are currently disabled for the initial releases. The remaining menu items perform the following tasks:

  • Refresh: refreshes current client side web page.
  • Open: if the mouse point is focused on a hyper link, the link will be opened; otherwise, nothing will happen.
  • Open in New Tab: if the mouse point is focused on a hyper link, the link will be opened in a new Tab; otherwise, nothing will happen. (Note: for the initial release, this works only when pop-up is enabled on VDA side IE instance.)
  • Open in New Window: if the mouse point is focused on a hyper link, the link will be opened in a new Tab; otherwise, nothing will happen. (Note: for the initial release, this works only when pop-up is enabled on VDA side IE instance and the link is opened in a new Tab rather than in a new Window)
  • About HDX Browser Redirection: Browse to Citrix support site in a new Tab


Known issues:

1. In IE11, after starting a YouTube video using the YouTube HTML5 video player, full-screen mode might not work. You click the icon in the lower-right corner of the video, and the video doesn’t resize leaving the black background in the full area of the page. As a workaround, click the full screen button, and then select theater mode.

This issue is not seen on Chrome.


When refreshing the WEM Agent, existing Start Menu items not defined through a WEM application assignment are not being deleted automatically.

Automatic translation

This article was translated by an automatic translation system and has not been reviewed by a person. Citrix provides automatic translation to widen access to support content; however, automatically translated articles may contain errors. Citrix is not responsible for inconsistencies, errors or damage arising from the use of automatically translated articles.


Unable to launch applications/Desktop – Disappearing immediately after launch

When launching published resources, the Receiver progress bar completes, but the resource either does not launch or disappears immediately.

In Event Viewer, the following events can be found:

CitrixCseEngine Event ID 8,9;

Citrix Desktop Service Event ID 1027, 1030;

Winlogon Event ID 6005, 6006.

The event log will also show the message "Citrix Desktop Service detected that a user session has ended."



Updates to Management Agent – For XenServer 7.0 and later


Who Should Read This Article?

This information is for customers using XenServer 7.0 and later who have the Management Agent installed on their Windows VMs.

Latest version

The following version of Management Agent is the latest that is available:

Version | Release Date | Applicable Windows versions | Contains the following driver versions
7.1.0.1305 | 16 Oct 2018 | All supported Windows VMs |

For information about how to update the Management Agent on your Windows VM, see the XenServer Product Documentation.

Version history

Note: History is only available for versions released since the start of 2018.

Version | Release Date | Applicable Windows versions | Contains the following driver versions
7.0.1.1270 | 06 Sep 2018 | All supported Windows VMs | xenbus 8.2.1.124, xeniface 8.2.1.110, xennet 8.2.1.102, xenvbd 8.2.1.203, xenvif 8.2.1.170
7.0.1.272 | 21 Jun 2018 | All supported Windows VMs | xenbus 8.2.1.124, xeniface 8.2.1.102, xennet 8.2.1.102, xenvbd 8.2.1.203, xenvif 8.2.1.155
7.0.1.261 | 04 Apr 2018 | All supported Windows VMs | xenbus 8.2.1.117, xeniface 8.2.1.102, xennet 8.2.1.102, xenvbd 8.2.1.203, xenvif 8.2.1.155


Updates to XenIface Windows I/O driver – For XenServer 7.0 and later


Who Should Read This Article?

This information is for customers using XenServer 7.0 and later who are entitled to receive automatic Windows I/O driver updates on their Windows VMs.

Latest version

The following version of XenIface is the latest that is available through Windows Automatic Updates:

For information about how to install these drivers on your Windows VM, see How to get Windows I/O driver updates on XenServer 7.0 and later.

Version | Release Date | Applicable Windows versions | Catalogue Link | Fixed Issues | Included in
8.2.1.111 | 16 Oct 2018 | All supported Windows VMs | XenIface 8.2.1.111 in Microsoft Update Catalog | General improvements | N/A

Version history

Note: History is only available for versions available since October 2017.

Version | Release Date | Applicable Windows versions | Catalogue Link | Fixed Issues | Included in
8.2.1.110 | 06 Sep 2018 | All supported Windows VMs | XenIface 8.2.1.110 in Microsoft Update Catalog | General improvements |
8.2.1.102 | 03 Oct 2017 | All supported Windows VMs | XenIface 8.2.1.102 in Microsoft Update Catalog | General improvements |


Upgrading Workload Balancing with Internet Access

Upgrading with the Internet requires that you download GNU wget, an HTTP retrieval utility. You also need to download a Python script that configures a repository (add-repo.py) on your virtual appliance.

To upgrade Workload Balancing in environments with Internet access

1. If you have not done so already, log in to the Workload Balancing appliance you want to upgrade as described in Section 8.1.1, “Logging in to the Workload Balancing Virtual Appliance”

2. Install GNU wget so you can retrieve the upgrade repository installation script using HTTP:

a. From the bash prompt, run the following command:

yum install wget

b. During installation, wget Setup asks you to accept various prompts, such as the size of the download package and the CentOS key. Type y when prompted.

3. When the wget installation is complete, download “add-repo” script by running the following command:

wget http://updates.xensource.com/XenServer/WLB/6.5/add-repo.py

When this command finishes running, a message appears stating the ‘add-repo.py’ script is saved.

4. At the bash prompt, run the following command to create the upgrade repository on the Workload Balancing appliance:

python add-repo.py

After the script finishes, the output states “Done.”

5. Do one of the following to upgrade your Workload Balancing virtual appliance:

• To upgrade both CentOS and Workload Balancing, run:

yum update

• To upgrade Workload Balancing only, run:

yum update citrix-wlb

• To upgrade CentOS only, run:

yum update --disablerepo=citrix-wlb

6. After upgrading either CentOS or Workload Balancing or both, restart the Workload Balancing virtual appliance.

Note:

After upgrading CentOS, the operating-system time changes from Coordinated Universal Time (UTC) to the local time zone. One side effect of this change is that the timestamps in the Workload Balancing log file (LogFile.log) also change from UTC time to local time. If you want to change the system time back to UTC time, run the following command in the Workload Balancing virtual appliance: rm -rf /etc/localtime.
