Citrix DaaS

Composite Devices and Device Splitting

A composite USB device is a single device that acts like multiple independent USB devices connected to a computer. It has a single USB connector but can expose multiple interfaces to the computer, each with its own set of functions. When a user plugs in a composite USB device, the host device checks every function (interface) against each policy rule. If the first match for any function (interface) is a Deny rule, that rule is considered definitive for the composite device and the device is denied. If the first match for a function (interface) is an Allow rule, the host device continues to match the rules against the next function (interface). The composite device is allowed if no function (interface) is denied by a policy rule. If the definitive match for the composite device is a Deny rule, the device is available only to the local desktop; otherwise, the device is remoted to the virtual desktop. If no match is found, default rules are used.

We can split the composite device using the appropriate rules in the Device redirection rules (Version 2) policy to allow only specific functionality of a composite device. For instance, we may want to use just the HID functions of a FIDO2 key but not the smartcard functionality. In that case, we would set the rules as illustrated below:

  1. Connect: VID=1050 PID=0407 class=03 split=01 intf=00,01 #Yubikey series 5 allowed FIDO2 HID functions.

  2. Deny: VID=1050 PID=0407 split=01 intf=02 # Yubikey series 5 smartcard function blocked.

Tip:

When creating new policy rules, refer to the USB Class Codes, available on the USB web site.
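The first-match evaluation and the split rules described above, modeled as an added example (not Citrix code). The two rule lines are the ones from this page; the interface classes in `YUBIKEY` and the `Split`/`Default` verdict labels are assumptions made for illustration, and tags other than VID, PID, class, intf and split are not modeled.

```python
import re

# Rule lines copied from this page.
RULES = """\
Connect: VID=1050 PID=0407 class=03 split=01 intf=00,01 #Yubikey series 5 allowed FIDO2 HID functions.
Deny: VID=1050 PID=0407 split=01 intf=02 # Yubikey series 5 smartcard function blocked.
"""
# Constructed device description: interface numbers with assumed USB class codes.
YUBIKEY = {"vid": "1050", "pid": "0407", "interfaces": [
    {"num": "00", "class": "03"}, {"num": "01", "class": "03"}, {"num": "02", "class": "0B"}]}

def parse_rules(text):
    """Turn 'Action: tag=value ... #comment' lines into (action, tags) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop the trailing comment
        if not line:
            continue
        action, _, rest = line.partition(":")
        tags = {k.lower(): v.upper() for k, v in re.findall(r"(\w+)=(\S+)", rest)}
        rules.append((action.strip().capitalize(), tags))
    return rules

def matches(tags, dev, intf):
    """A rule matches when every tag it names agrees with this interface."""
    facts = {"vid": dev["vid"], "pid": dev["pid"], "class": intf["class"]}
    for key, want in tags.items():
        if key == "intf":
            if intf["num"] not in want.split(","):
                return False
        elif key != "split" and facts.get(key) != want:
            return False                          # unmodeled tags never match
    return True

def evaluate(rules, dev):
    """Return (device_verdict, {interface: action}) using first-match-wins."""
    per_intf, split = {}, False
    for intf in dev["interfaces"]:
        hit = next(((a, t) for a, t in rules if matches(t, dev, intf)), None)
        per_intf[intf["num"]] = hit[0] if hit else "Default"
        split = split or bool(hit and hit[1].get("split") == "01")
    verdicts = set(per_intf.values())
    if split:
        return "Split", per_intf                  # each interface decided on its own
    if "Deny" in verdicts:
        return "Deny", per_intf                   # one denied function denies the device
    return ("Default" if verdicts == {"Default"} else "Allow"), per_intf
```

Running `evaluate(parse_rules(RULES), YUBIKEY)` shows interfaces 00 and 01 connected and 02 denied; swapping in rules without `split=01` shows how a single Deny match on the smart card interface keeps the whole key on the local desktop.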

Configuring a signature pad

  1. Install the appropriate device driver on the VDA host.

  2. Turn On the Client USB device redirection policy in Citrix Web Studio.

  3. Edit the Client USB device redirection rules (Version 2) policy.

    1. Set the VID and PID information for the signature pad that needs to be redirected and click Save. For example: Connect: VID=056A PID=00A4 #STU-430

  4. Edit the policy Client USB device optimization rules.

    1. Set the mode along with other device information. For example: Mode=00000004 VID=056A PID=00A4 class=03 #Input device operating in capture mode

  5. Edit the policy Allow existing USB devices to be automatically connected.

  6. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.

  7. Edit the policy Allow newly arrived USB devices to be automatically connected.

  8. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.

Once these policies are set in the Studio console, the device is automatically redirected in subsequent session launches, with no additional end-user action required.

Note:

Replace the VID and PID with the actual VID and PID of the device to be redirected.

Configuring Bloomberg keyboard using USB redirection

  1. Turn On the Client USB device redirection policy in Citrix Web Studio.

  2. Bloomberg 5 keyboards are set by default in the Client USB device redirection rules (Version 2) policy and no additional admin action is needed.

  3. Edit the policy Allow existing USB devices to be automatically connected.

  4. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.

  5. Edit the policy Allow newly arrived USB devices to be automatically connected.

  6. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.

Once these policies are set in the Studio console, Bloomberg keys will automatically be presented in subsequent HDX sessions and will not require any additional end user action.

Configuring a FIDO2 key using USB redirection

Citrix recommends FIDO2 redirection for using FIDO2 keys in your HDX sessions. However, there might be situations in which you must redirect FIDO2 keys using USB redirection instead. These include scenarios where FIDO2 redirection is not available because the feature is not supported by the client, the VDA, or the operating system (e.g. Windows Server 2016).

There can also be situations in which the key has multiple modes enabled, but you only want to allow a subset of those in your HDX sessions. For example, you might want to allow FIDO2 and OTP, but block the smart card.

The following steps illustrate how you can configure a FIDO2 key using USB redirection (Yubikey vid=1050, pid=0407).

  1. Turn On the Client USB device redirection policy in Citrix Web Studio.

  2. Edit the Client USB device redirection rules (Version 2) policy.

    1. Set the VID and PID information as well as the split device configuration for the FIDO2 key to be redirected in the session and click Save.

    2. Connect: VID=1050 PID=0407 class=03 split=01 intf=00,01 #Yubikey series 5 allowed FIDO2 HID functions.

    3. Deny: VID=1050 PID=0407 split=01 intf=02 # Yubikey series 5 smartcard function blocked.

  3. Edit the policy Allow existing USB devices to be automatically connected.

  4. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.

  5. Edit the policy Allow newly arrived USB devices to be automatically connected.

  6. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.

Once these policies are set in the Studio console, FIDO2 keys will automatically be presented in subsequent HDX sessions and will not require any additional end-user action.

Configuring a 3D mouse using USB redirection

Today, the 3Dconnexion SpaceMouse drivers are only supported on workstation OSes (Windows 10 and Windows 11). They do not work on server OSes. The following are the steps to configure a SpaceMouse Enterprise on a workstation OS (vid=046D, pid=C016).

  1. Install the latest Windows driver on the VDA host.

  2. From Studio, turn on Client USB device redirection policy.

  3. Edit the Client USB device redirection rules (Version 2) policy.

    1. Set the VID and PID information for the 3D mouse that needs to be redirected and click Save. For example: Connect: VID=046D PID=C016 #SpaceMouse Enterprise

  4. Edit the policy Client USB device optimization rules.

    1. Set the mode along with other device information. For example: Mode=00000004 VID=046D PID=C016 class=03 #Input device operating in capture mode

  5. Edit the policy Allow existing USB devices to be automatically connected.

  6. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.

  7. Edit the policy Allow newly arrived USB devices to be automatically connected.

  8. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.
