Citrix DaaS

Virtual channel allow list

The virtual channel allow list is a feature that controls which non-Citrix virtual channels can be opened in your environment, and by which processes on the VDA. By default, the feature is enabled: only Citrix virtual channels are allowed to open in Citrix Virtual Apps and Desktops sessions, and any other virtual channel is blocked. If you need to use custom virtual channels, whether homegrown or from a third party, you must add each one to the allow list explicitly, together with the VDA process that is permitted to open it.

Configuration

The virtual channel allow list is enabled by default. You can configure this feature using the following settings in the Citrix policy:

  • Virtual channel allow list: to enable or disable the feature and to add virtual channels to the list.
  • Virtual channel allow list log throttling: sets the throttling period for the virtual channel allow list event logging.
  • Virtual channel allow list logging: sets the logging level for the virtual channel allow list.

Adding virtual channels to the allow list

To add a virtual channel to the allow list, you need the following information:

  1. The virtual channel name as defined in the code, which can be up to seven characters long. For example, CTXCVC1.

  2. The paths to the processes that open the virtual channel on the VDA machine. For example, C:\Program Files\Application\run.exe.

Once you have this information, add the virtual channel to the allow list using the Virtual channel allow list policy setting. Each entry consists of the virtual channel name, a comma, and the path to the process that opens the virtual channel on the VDA. If several processes open the same channel, list each path in the same entry, separated by commas.

For single processes

Using the previous examples, add the following entry to the list:

CTXCVC1,C:\Program Files\Application\run.exe

For multiple processes

If there are multiple processes, add the following entry to the list:

CTXCVC1,C:\Program Files\Application\run.exe,C:\Program Files\Application\run2.exe

Using wildcards

The use of wildcards (*) is supported. You can use wildcards when the names of directories or executables change with the version of the application, or when the third-party component is installed in the users’ profiles. Keep in mind that an entry authorizes any process whose path matches it, so keep each wildcard as narrow as the version scheme requires; a wildcard that reaches into a directory users can write to lets any executable a user places there under a matching name open the channel.

You can use wildcards in the following scenarios:

  • To replace the full directory name. For example: C:\Program Files\Application\*\run1.exe
  • To replace part of the directory name. For example: C:\Program Files\Application\v*\run1.exe
  • To replace the executable’s name. For example: C:\Program Files\Application\v1.2\*.exe
  • To replace part of the executable’s name. For example: C:\Program Files\Application\v1.2\run*.exe

The following restrictions apply:

  • A wildcard replaces a single directory level only; it does not match across several levels. For example, if the executable is located in C:\Program Files\Application\v1.2\run1.exe
    • Allowed: C:\Program Files\Application\*\run1.exe
    • Not allowed: C:\Program Files\*\run1.exe
  • Entries must contain the file name extension.
    • Allowed: C:\Program Files\Application\v1.2\*.exe
    • Not allowed: C:\Program Files\Application\v1.2\*
  • All paths must be local.

Note:

  • Network paths are not allowed.
  • Wildcard support is available from Citrix Virtual Apps and Desktops 2206.
  • Wildcard support is available in Citrix Virtual Apps and Desktops 2203 LTSR from CU2.

Using system environment variables

You can use system environment variables to simplify the definition of the trusted processes in your allow list. You can use any of the out-of-box variables, such as %programfiles%, %programfiles(x86)%, %systemdrive%, and %systemroot%.

You can also use custom environment variables as long as they are defined at the system level.

The following examples depict out-of-box environment variables:

  • %programfiles%\Application\v1.2\run.exe
  • %programfiles%\Application\*\run.exe
  • %programfiles(x86)%\Application\v1.*\run.exe

The following example depicts a custom system environment variable:

  • Custom variable name: app
  • Custom variable value: %programfiles%\Application\
  • Allow list entry: CTXCVC1,%app%\run.exe

Note:

User environment variables are not supported.

Environment variable support is available from Citrix Virtual Apps and Desktops version 2209.
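The entry syntax and the wildcard and environment-variable rules above are easy to get wrong in a large policy, and a wrong entry either fails to admit the intended process or admits more than intended. The following Python is an added example, not Citrix code or part of this page. It parses entries in the NAME,path[,path...] form, flags the violations the page lists (a channel name longer than seven characters, a network path, a missing file name extension, a user-level or unknown environment variable) and evaluates whether a given VDA process path would match an entry, treating * as matching within a single directory level. The environment variable values (taken already expanded, as Windows delivers them in a process environment), the case-insensitive matching, and the rejection of a wildcard inside the extension itself are assumptions of this checker; the sample policy lines are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Out-of-box system variables named on the page, with values assumed for this offline
# demo (on a real VDA read os.environ). User-level variables such as %userprofile% are
# deliberately absent, because the page says they are not supported.
SYSTEM_ENV = {
    "programfiles": r"C:\Program Files",
    "programfiles(x86)": r"C:\Program Files (x86)",
    "systemdrive": "C:",
    "systemroot": r"C:\Windows",
}

@dataclass
class Entry:
    name: str        # virtual channel name, e.g. CTXCVC1
    processes: list  # one or more process path patterns

def parse_entry(line: str) -> Entry:
    """'NAME,path[,path...]' -> Entry. The comma is the separator, so a path cannot contain one."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"expected 'NAME,path[,path...]': {line!r}")
    return Entry(parts[0], parts[1:])

def expand_env(path: str, env=None) -> str:
    """Expand %var% references using system-level variables only (unknown ones are an error)."""
    env = {k.lower(): v for k, v in (SYSTEM_ENV if env is None else env).items()}
    def repl(m):
        if m.group(1).lower() not in env:
            raise ValueError(f"%{m.group(1)}% is not a system environment variable")
        return env[m.group(1).lower()]
    path = re.sub(r"%([^%]+)%", repl, path)
    # A value ending in '\' followed by '\run.exe' yields '\\' mid-path: collapse it, but keep
    # a leading '\\' intact so UNC paths are still recognised by validate_entry.
    return re.sub(r"(?<=.)\\{2,}", r"\\", path)

def validate_entry(entry: Entry, env=None) -> list:
    """Return the rule violations for one entry; an empty list means it is acceptable."""
    problems = []
    if not 1 <= len(entry.name) <= 7:
        problems.append(f"{entry.name}: channel name must be 1 to 7 characters")
    for raw in entry.processes:
        try:
            path = expand_env(raw, env)
        except ValueError as e:
            problems.append(f"{raw}: {e}")
            continue
        if path.startswith("\\\\"):
            problems.append(f"{raw}: network paths are not allowed")
            continue
        if not re.match(r"^[A-Za-z]:\\", path):
            problems.append(f"{raw}: path must be a local drive-letter path")
            continue
        _, dot, ext = path.rsplit("\\", 1)[-1].rpartition(".")
        # Extension must be present; rejecting a wildcard in the extension itself is our assumption.
        if not dot or not ext or "*" in ext:
            problems.append(f"{raw}: executable must carry its file name extension")
    return problems

def pattern_to_regex(pattern: str, env=None) -> re.Pattern:
    """'*' matches any run of characters inside one path segment; it never crosses a '\\'."""
    parts = [re.escape(p) for p in expand_env(pattern, env).split("*")]
    return re.compile("^" + r"[^\\]*".join(parts) + "$", re.IGNORECASE)

def is_allowed(entries, vc_name: str, process_path: str, env=None) -> bool:
    """True if an entry names this channel and one of its patterns matches the process path."""
    return any(
        e.name.upper() == vc_name.upper()
        and any(pattern_to_regex(p, env).match(process_path) for p in e.processes)
        for e in entries
    )

def lint_policy(lines, env=None) -> dict:
    """Map each raw policy line to its violations; a line that does not parse is a violation too."""
    report = {}
    for line in lines:
        try:
            report[line] = validate_entry(parse_entry(line), env)
        except ValueError as e:
            report[line] = [str(e)]
    return report

# Constructed policy lines for the demo: the page's examples plus three deliberately bad ones.
POLICY = [
    r"CTXCVC1,C:\Program Files\Application\run.exe,C:\Program Files\Application\run2.exe",
    r"CTXCVC1,%programfiles(x86)%\Application\v1.*\run.exe",
    r"CTXMM,C:\Program Files (x86)\Windows Media Player\wmplayer.exe",
    r"CTXCVC2,C:\Program Files\Application\v1.2\*",   # no file name extension
    r"CTXCVC3,\\fileserver\tools\run.exe",            # network path
    r"CTXCVC4,%userprofile%\Application\run.exe",     # user-level variable
]

if __name__ == "__main__":
    for line, problems in lint_policy(POLICY).items():
        print("OK " if not problems else "BAD", line, *problems)
```

Run it against the lines exported from the policy setting before you push them. An entry that lints clean but still fails to match the real process path is usually a wildcard that would have to span more than one directory level, which the page does not allow; the fix is to name the intermediate directory explicitly or add a second path to the entry.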

Obtain virtual channel names and processes

The easiest way to obtain the name of the virtual channel and the process that opens it on the VDA machine is to get the information from the developer or a third-party vendor that provided the virtual channel.

Alternatively, you can obtain the information from the feature’s own event logging by following these steps:

  1. Once the client and server components of the custom virtual channel are in place, launch a virtual application or virtual desktop.
  2. In the VDA machine’s System event log, look for the custom virtual channel’s name and the process that tried to open it. For more information on available events, see Event logs.
  3. Log out from the session.
  4. Add an entry in the virtual channel allow list policy settings for the identified virtual channel and process.
  5. Restart the machine.
  6. Once the VDA is registered, run the virtual application or virtual desktop to validate that the custom virtual channels open successfully.

Considerations for Citrix virtual channels

All built-in Citrix virtual channels are trusted and allowed to open without further configuration. However, the following two features require explicit entries in the allow list because of external dependencies:

  • Multimedia Redirection
  • HDX RealTime Optimization Pack for Skype for Business

Multimedia Redirection

If you use a media player other than Windows Media Player as the system media player on the VDA, add it to the allow list as a trusted process for the CTXMM virtual channel. The following information is required for the allow list entry (the example uses the Windows Media Player path to illustrate the format):

  • Virtual channel name: CTXMM
  • Process: Path to the media player used in your VDA machine. For example, C:\Program Files (x86)\Windows Media Player\wmplayer.exe.
  • Allow list entry: CTXMM,C:\Program Files (x86)\Windows Media Player\wmplayer.exe

HDX RealTime Optimization Pack for Skype for Business

The following information is required for the allow list entry:

  • Virtual channel name: CTXRMEP
  • Process: Path to the Skype for Business executable in your VDA machine, which can vary based on the version of Skype for Business or if you used a custom installation path. For example, C:\Program Files\Microsoft Office\root\Office16\lync.exe.
  • Allow list entry: CTXRMEP,C:\Program Files\Microsoft Office\root\Office16\lync.exe