XenApp URL Redirection Does Not Work

The multi-string value “ValidSites” when entered into the registry creates a “whitelist” of URLs to be redirected, but when the key is left in blank, with no URLs or values listed, it will prevent any URLs from redirecting to the client device.

As per http://support.citrix.com/article/CTX106094 “…When specifying sites with the valid sites registry key, all the URLs that are not in the list, open in the server….”

Related:

Redirecting Specific URLs and Protocols with Server to Client Content Redirection

To implement this enhancement, make the following value changes to the registry key using regedt32:

Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

  • HKEY_LOCAL_MACHINESOFTWARECitrixSFTA

    Name: DisableServerFTA

    Type: REG_DWORD

    Data: 1

  • Name: NoRedirectClasses

    Type: REG_MULTI_SZ

    Data: Specify any combination of the following values: http, https, rtsp, rtspu, pnm, or mms

Note: The values must be line-delimited, for example:

  • http

  • https

  • rtsp

There is another enhancement that enables you to redirect specific URLs from server to client, without redirecting other URLs. Using the following registry key, you can specify URLs to be redirected from server to client:

HKEY_LOCAL_MACHINE SOFTWARECitrixSFTAValidSites

Note: When using the valid site enhancement, do not use the disableserverfta and noredirectclasses registry keys. These two enhancements do not work together. When specifying sites with the valid sites registry key, all the URLs that are not in the list, open in the server.

To implement this enhancement, make the following value changes in the registry key by using the Registry Editor Window:

HKEY_LOCAL_MACHINESOFTWARECitrixSFTA

Name: ValidSites

Type: REG_MULTI_SZ

Data: <Specify_any_Combination_of_URLs>

Note: The values for the Data field must be line-delimited.

The following is a same value for the Data field:

www.example.com

*.example.com

Note: The asterisk (*) is supported as a wildcard character. Additionally, when adding the ValidSites registry key to redirect specific URLs from server to client, ensure that you specify the URLs without http://, as specified in the preceding example.

Related:

How to Configure and Troubleshoot Browser Content Redirection

Policies

The following policies are available for the Browser Content Redirection feature in Citrix Studio:

User-added image
Note: Editing regkeys will require to close and reopen the Browser on the VDA

2.0 Browser Content Redirection policyBy default, Citrix Receiver tries client fetch and client render. If client fetch and client render fails, server-side rendering is tried. If you also enable the Browser Content Redirection proxy configuration policy, Citrix Receiver tries only server fetch and client render.

By default, the Browser Content Redirection policy is set to Allowed.

Optional Registry override options on the VDA for policy settings (meaning, they are not needed unless you want to override Studio policies)

HKEY_LOCAL_MACHINESOFTWAREWow6432NodeCitrixHdxMediastreamOrHKEY_LOCAL_MACHINESOFTWARECitrixHdxMediastreamName: WebBrowserRedirectionType: DWORD1 = Browser content redirection is Allowed.0 = Browser content redirection is Prohibited

2.1 Browser Content Redirection ACL Configuration policy

Use this policy to configure an Access Control List (ACL) of URLs that can use browser content redirection or are denied access to browser content redirection.

Authorized URLs are the whitelisted URLs whose content is redirected to the client. The wildcard * is permitted, but it isn’t permitted within the protocol or the domain address part of the URL:

  • Allowed: http://www.xyz.com/index.html, https://www.xyz.com/*, http://www.xyz.com/*videos*
  • Not allowed: http://*.xyz.com/

You can achieve better granularity by specifying paths in the URL. For example, if you specify https://www.xyz.com/sports/index.html, only the index.html page is redirected.

By default, this setting is set to https://www.youtube.com/*

Optional Registry override options on the VDA for policy settings (meaning, they are not needed unless you want to override Studio policies)

Close and re-open the Browser for these regkeys to be honored after a change.

HKEY_LOCAL_MACHINESOFTWAREWow6432NodeCitrixHdxMediastreamOrHKEY_LOCAL_MACHINECitrixHdxMediastreamName: WebBrowserRedirectionACLType: REG_MULTI_SZ

2.2 Browser Content Redirection Blacklist Configuration policy (7.17 and higher)

This setting works along with the Browser Content Redirection ACL Configuration policy. If URLs are present in the Browser Content Redirection ACL Configuration policy and the Browser Content Redirection Blacklist Configuration policy, the blacklist configuration takes precedence and the browser content of the URL isn’t redirected.

Policy Settings:

  • Unauthorized URLs: Specifies the blacklisted URLs whose browser content isn’t redirected to the client, but rendered on the server. The wildcard * is permitted, but it isn’t permitted within the protocol or the domain address part of the URL.
  • Allowed: http://www.xyz.com/index.html, https://www.xyz.com/*, http://www.xyz.com/*videos*
  • Not allowed: http://*.xyz.com/

You can achieve better granularity by specifying paths in the URL. For example, if you specify https://www.xyz.com/sports/index.html, only index.html is blacklisted.

By default, this list is empty.

Optional Registry override options on the VDA for policy settings (meaning, they are not needed unless you want to override Studio policies)

HKLMSOFTWAREWow6432NodeCitrixHdxMediastreamOrHKLMSOFTWARECitrixHdxMediastreamName: WebBrowserRedirectionBlacklistType: REG_MULTI_SZ​

2.3 Browser Content Redirection Proxy Configuration policy

This policy provides configuration options for proxy settings on the VDA for Browser Content Redirection feature.

If enabled with a valid proxy address and port number, only Server Fetch Client Rendering is attempted.

Server Fetch Client Render in fact would only be attempted if this policy is enabled.

If disabled or left unconfigured with default value, Client Fetch Client Rendering is attempted.

Allowed pattern: http://<hostname/ip address>:<port>

For example, http://proxy.example.citrix.com:80

By default, this setting is prohibited in Studio.

At the moment, support for PAC files or Exceptions in IE11 LAN Settings is not possible – instead, configuration on the Proxy server itself (e.g. BlueCoat or NetScaler Secure Web Gateway) is necessary to handle the exceptions.

Optional Registry override options on the VDA for policy settings (meaning, they are not needed unless you want to override Studio policies)

(Registry path varies depending on VDA architecture):

HKLMSOFTWAREWow6432NodeCitrixHdxMediastreamOrHKLMSOFTWARECitrixHdxMediastreamName: WebBrowserRedirectionProxyAddressType: REG_SZ

2.4 Browser Content Redirection Authentication Sites policy (7.18 and higher)

This setting allows you to configure a list of URLs that sites redirected via Browser Content Redirection can use to authenticate a user.

In other words, it specifies the URLs for which Browser Content Redirection will remain active (redirected) when navigating away from a whitelisted URL.

A classic scenario is a website that relies on an Identity Provider (IdP) for authentication.

For example, website www.xyz.com needs to be redirected to the endpoint, but the authentication portion is handled by a third party IdP, like Okta (www.xyz.okta.com).

The Admin would need to use the Browser Content Redirection ACL Configuration policy to whitelist www.xyz.com, and use Browser Content Redirection Authentication Sites to whitelist www.xyz.okta.com.


Registry override options on the VDA for policy settings:

HKEY_LOCAL_MACHINESOFTWAREWow6432NodeCitrixHdxMediastreamOrHKEY_LOCAL_MACHINECitrixHdxMediastreamName: WebBrowserRedirectionAuthenticationSitesType: REG_MULTI_SZ

2.5 Client Side Optimization

There is currently a known issue when upgrading to Receivers 4.10 or higher from any version: CTX235183

Fresh installs of those Receivers do not have any known issues.

The following registry key can be set on the Client (Receiver for Windows 4.10 only, in 4.11 is already included by default) in order to enable HdxBrowser.exe (the overlay browser on the endpoint responsible for Client-side rendering) to use the GPU resources on the Client, hence reducing CPU utilization.

HKEY_LOCAL_MACHINE (and in HKEY_CURRENT_USER) SOFTWARE Microsoft Internet Explorer Main FeatureControl FEATURE_GPU_RENDERING (create if not present) HdxBrowser.exe = (DWORD) 00000001___________________________________________________________________________________________________________________________

3.0 Browser Content Redirection Troubleshooting

3.1 General troubleshooting steps

Step May clear problem in
Close Internet Explorer, re-open, and navigate to a whitelisted site. Browser Add-On and HdxVideo.js file
Disconnect and reconnect the session. Receiver, HdxBrowser.exe, WebsocketAgent, and services
Logoff and logon to a new session. Receiver, HdxBrowser.exe, WebsocketAgent, and services
Stop the services: 1. Browser redirection service, 2. HTML5 redirection service, and 3. Port forwarding service. Restart them in reverse order listed. Logoff and logon the session. All components


3.2 Data to collect for troubleshooting

CDF modules to trace:

VDA Side Receiver Side
HDX_Multimedia_BrowserService
HDX_Multimedia_HdxjsInjector
HDX_Multimedia_PortForwardLibrary
HDX_Multimedia_PortForwardService
HDX_Multimedia_WebSocketAgent
HDX_Multimedia_WebSocketPipe
HDX_Multimedia_WebSocketService
PE_Service_CtxEchoSvc
PE_Library_GvchBase
IcaClient_DriversVd_BrowserRedir
IcaClient_DriverVd_PortForward
Ica_Multimedia_HdxBrowser

Ensure HdxBrowser.exe is running on Receiver while you are on a whitelisted site.


4.0Browser JavaScript log live debugging:

  1. Open %programfiles%CitrixHTML5 Video RedirectionHdxVideo.js

    (or depending on your VDA version, the Javascript can also be located inside a folder called %programfiles%CitrixICASERVICE)

    You might need to do this running Notepad as an Admin and opening the .js file from the Open menu

  2. Change the line var DEBUG_ONLY = false; to var DEBUG_ONLY = true;

    Save the file and close your Editor.

  3. Close Internet Explorer and reopen it, hit f12, and go to the Console tab. Browse to a whitelisted site, e.g. https://www.youtube.com

  4. You should see traces from [HdxVideo.js] (example below). Collect the entire log.

    Key messages to look for are highlighted in bold, with additional comments inside brackets [ ]:

    [HdxVideo.js] OnUnload (window): [object Window]

    [HdxVideo.js] DocumentBodySuppressor.start()

    [HdxVideo.js Events] interceptEventListeners()

    [HdxVideo.js] DocumentBodySuppressor.trySetBodyStyle(): stopping observer

    [HdxVideo.js] OnLoad (window): [object HTMLDocument]

    [HdxVideo.js] Unredirected video count: 0

    [HdxVideo.js] HDX_DO_PAGE_REDIRECTION: true [if false, redirection is not even attempted. Problem with policies or browser Extension?]

    [HdxVideo.js] infallback: undefined

    [HdxVideo.js] Installing event listeners.

    [HdxVideo.js] msexitFullscreen – Found!

    [HdxVideo.js] onWSOpen: [Websocket opening to WebsocketAgent.exe 127.0.0.1:9001 succeeded. If failed, check your IE Security Settings]

    [HdxVideo.js] >>> {“v”:”pageurl”,”url”:”https://www.google.de/”}

    [HdxVideo.js] onVisibilityChange:

    [HdxVideo.js] >>> {“v”:”vis”,”vis”:true}

    [HdxVideo.js] onResize:

    [HdxVideo.js] >>> {“v”:”pageredir”}

    [HdxVideo.js] sendClientSize: w: 1316 h: 755

    [HdxVideo.js] >>> {“v”:”clisz”,”w”:1316,”h”:755}

    CSI/tbsd_: 15.599,072ms

    CSI/_tbnd: 15.658,128ms

    [HdxVideo.js] <<< {“v”:”winid”,”title”:”CitrixVideo:{1b83a2dc-39ae-4455-ad7d-d56e71fbb45d}”}

    [HdxVideo.js] onWSMessage: winid: CitrixVideo:{1b83a2dc-39ae-4455-ad7d-d56e71fbb45d}

    [HdxVideo.js] setWindowTitle: CitrixVideo:{1b83a2dc-39ae-4455-ad7d-d56e71fbb45d}

    [HdxVideo.js] documentTitleMutator.start()

    [HdxVideo.js] >>> {“v”:”winid”}

    [HdxVideo.js] <<< {“v”:”pageredir”} [VDA is instructing Receiver to start the redirection process]

    [HdxVideo.js] onWSMessage: pageredir

    [HdxVideo.js] Redirecting page — 화이팅! https://www.google.de/ [Korean characters means the redirection was successful]

A common error is:

[HdxVideo.js] OnUnload (window): [object Window]

Navigation Event Separator HTML1300: Navigation occurred.
www.youtube.com

[HdxVideo.js] DocumentBodySuppressor.start()

[HdxVideo.js Events] interceptEventListeners()

[HdxVideo.js] DocumentBodySuppressor.trySetBodyStyle(): stopping observer

[HdxVideo.js] OnLoad (window): [object HTMLDocument]

[HdxVideo.js] Installing event listeners.

[HdxVideo.js] msexitFullscreen – Found!


[HdxVideo.js] doRedirection(): exception connecting to WebSocket: SecurityError

[HdxVideo.js] onWSError:

[HdxVideo.js] Showing content — suspendRedirection.

In the Developer Tools console this can be seen as:

User-added image

This is caused by some security configurations in IE11’s Security Zones.

Please add the following entries to to the Trusted Zone in IE11 (Internet Options -> Security)


Another possible error is that some websites use a technology called CSP (Content Security Policy) which prevents any outside resource (like the Javascript used in BCR) from being executed in the trusted webpage context. Therefore Browsers prevent the injection of HdxVideo.js and BCR fails.

User-added image


5.0How to verify the webpage is redirected

Method #1: Drag the IE11 window quickly. You will notice a ‘delay’ or ‘out of frame’ between the viewport and the User Interface.

Also you will notice a quick change in the title on the Tab (CitrixVideoId) before the original title is placed back

User-added image


Method #2: When the right mouse button is clicked on window area, a customized context menu is displayed. Back/Forward menu items are currently disabled for the initial releases. The remaining menu items perform the following tasks:

  • Refresh: refreshes current client side web page.
  • Open: if the mouse point is focused on a hyper link, the link will be opened; otherwise, nothing will happen.
  • Open in New Tab: if the mouse point is focused on a hyper link, the link will be opened in a new Tab; otherwise, nothing will happen. (Note: for the initial release, this works only when pop-up is enabled on VDA side IE instance.)
  • Open in New Window: if the mouse point is focused on a hyper link, the link will be opened in a new Tab; otherwise, nothing will happen. (Note: for the initial release, this works only when pop-up is enabled on VDA side IE instance and the link is opened in a new Tab rather than in a new Window)
  • About HDX Browser Redirection: Browse to Citrix support site in a new Tab
User-added image


Known issue: After starting a YouTube video using the YouTube HTML5 video player, full-screen mode might not work. You click the icon in the lower-right corner of the video, and the video doesn’t resize leaving the black background in the full area of the page. As a workaround, click the full screen button, and then select theater mode.

Related:

How to allow block sites in SecureWeb

Allowed or blocked websites

Secure Web normally does not filter web links. You can use this policy to configure a specific list of allowed or blocked sites. You configure URL patterns to restrict the websites the browser can open, formatted as a comma-separated list. Each pattern in the list is preceded by a plus sign (+) or minus sign (-). The browser compared a URL against the patterns in the order listed until a match is found. When a match is found, the action taken is dictated by the prefix as follows:

  • A minus (-) prefix instructs the browser to block the URL. In this case, the URL is treated as if the web server address could not be resolved.
  • A plus (+) prefix allows the URL to be processed normally.
  • If neither + or – is provided with the pattern, + (allow) is assumed.
  • If the URL does not match any pattern in the list, the URL is allowed

To block all other URLs, end the list with a minus sign followed by an asterisk (-*). For example:

  • The policy value +http://*.mycorp.com/*,-http://*,+https://*,+ftp://*,-* permits HTTP URLs within mycorp.com domain, but blocks them elsewhere, permits HTTPS and FTP URLS anywhere, and blocks all other URLs.
  • The policy value +http://*.training.lab/*,+https://*.training.lab/*,-* allows users open any sites in Training.lab domain (intranet) via HTTP or HTTPS, but no public URLs, such as Facebook, Google, Hotmail, and so on, regardless of protocol.

Default value is empty (all URLs allowed).

Related:

ukpolitics

Rules

Reddiquette

Subscribe to participate in voting.

Headline titles should be changed only where it improves clarity. Headline changes that introduce editorialization or rhetoric will be removed. Please express your personal opinion in the comments, not the headline. The subhead or a line from the 1st paragraph are accepted as well, although the headline is preferable.

If you want to discuss a specific point of an article rather than the article itself then please use a self post for this.

Links to long form journalism/analysis that are older than 12 months should be tagged with the month and year of publishing. News articles that are older than 2 months should be submitted as part of a text post detailing why they are relevant today.

All polls submitted should be in the form of a self post, not a link.

Tweets are acceptable, so long as they are from journalists, pollsters, politicians and so forth. Tweets from random members of the public are not.

Submissions or comments complaining about the moderation, biases or users of other subreddits will be removed.

Do not use URL shorteners.

No meme posts

Submitting your own content is perfectly fine, but make it clear that it’s your own content, don’t take the piss, and read the site wide guidance on self promotion written by the admins.

Pointless “DAE hate <party name> scum!?” comments and submissions will be removed.

Flair should not contain links. Links in flair will be deleted without warning, repeat offenders will be banned.

If you see racism, please report it.

Taking issue with immigration or refugee policy is not racist by default.

If you have any questions or concerns about moderation, feel free to ask, we’ll be happy to discuss it even if we can’t reach agreement. Some issues are best handled in modmail however.

If you report something, be descriptive and state what the issue is. If it’s a serious problem, please contact the moderation team and remember to include a link.

Read the rules before reporting a post.

If your post vanishes or never shows up, please contact the moderation team and remember to include a link.

Mime artists are strictly forbidden.

These rules are not exhaustive, moderators reserve the right to moderate (or not) where it is felt to be appropriate.

Related:

The US’ cyber warfare department may be splitting from the NSA

Join the live chat on IRC

Browse categories:

Security Networking
Hardware Software
Robotics Business
Politics Biotech
Transport Space
Energy Wireless
Nanotech AI

Legacy Pure Tech Filter

Hide popular topics:

No Net NeutralityRemove Filter

/r/technology is a place to share and discuss the latest developments, happenings and curiosities in the world of technology; a broad spectrum of conversation as to the innovations, aspirations, applications and machinations that define our age and shape our future.

1. Submissions

  • Guidelines:

  • Submissions must be primarily news and developments relating to technology

  • Self posts must contribute positively to /r/technology and foster reasonable discussion.

  • Submissions relating to business and politics must be sufficiently within the context of technology in that they either view the events from a technological standpoint or analyse the repercussions in the technological world.

  • Please do not submit the following:

  • i) Submissions violating the guidelines.

  • ii) Images, audio or videos: Articles with supporting image and video content are allowed; if the text is only there to explain the media, then it is not suitable. A good rule of thumb is to look at the URL; if it’s a video hosting site, or mentions video in the URL, it’s not suitable.

  • iii) Requests for tech support, questions or help: submit to /r/techsupport, /r/AskTechnology, another relevant community or our weekly Support Saturday threads.

  • iv) Petitions, Surveys or Crowdfunding – submissions of this nature will be removed.

  • v) Submissions discussing the subreddit itself; they should be submitted to /r/TechnologyTalk, or messaged to the moderators of the subreddit.

  • vi) Submissions discussing one or more incidents of customer support.

  • vii) Mobile versions of sites, url shorteners: please directly submit the desktop version of a webpage in all cases.

2. Behaviour

  • Remember the human You are advised to abide by reddiquette; it will be enforced when user behavior is no longer deemed to be suitable for a technology forum. Remember; personal attacks, abusive language, trolling or bigotry in any form are therefore not allowed and will be removed.

3. Titles

  • Submissions must use either the articles title, or a suitable quote, either of which must:

  • adequately describe the content

  • adequately describe the content’s relation to technology

  • be free of user editorialization or alteration of meaning.

4. Flair

5. Reddit-wide rules.


Miscellanea

  • If you see a rule-breaking submission, please report it and message the moderators with your reason.

  • Want to host an AMA? Please message the moderators.

  • Our /u/AutoModerator configuration may be viewed here.

  • Removed threads will either be given a removal reason flair or comment response; please message the moderators if this did not occur.

  • All legitimate, answerable modmail inquiries or suggestions will be answered to the best of our abilities within a reasonable period of time.

  • Rule violators will be warned. Repeat offenders will be temporarily banned from one to seven days. An unheeded final warning will result in a permanent ban. This may be reversed upon evidence of suitable behavior.

Technology

PROGRAMMING

OS’s

SOFTWARE

POPULAR COMPANIES

CRYPTOCURRENCIES

Related: