Rendezvous V2

When using the Citrix Gateway Service, the Rendezvous protocol allows VDAs to bypass the Citrix Cloud Connectors to connect directly and securely with the Citrix Cloud control plane.

Rendezvous V2 is supported with standard domain joined machines, Azure AD joined machines, and non-domain joined machines.

Note:

Currently, connectorless deployments are possible with Azure AD joined and non-domain joined machines only. Standard AD domain joined machines still require Cloud Connectors for VDA registration and session brokering. In either case, unlike Rendezvous V1, there are no DNS requirements for using Rendezvous V2.

Cloud Connector requirements for functions not related to VDA communication, such as connecting to your on-premises AD domain or MCS provisioning to on-premises hypervisors, remain the same.

Requirements

The requirements for using Rendezvous V2 are:

  • Access to the environment using Citrix Workspace and Citrix Gateway Service
  • Control plane: Citrix DaaS
  • VDA version 2203
  • Enable the Rendezvous protocol in the Citrix policy. For more information, see Rendezvous protocol policy setting.
  • Session Reliability must be enabled on the VDAs
  • The VDA machines must have access to:
    • https://*.xendesktop.net on TCP 443. If you can’t allow all subdomains in that manner, you can use https://<customerID>.xendesktop.net, where <customerID> is your Citrix Cloud customer ID as shown in the Citrix Cloud administrator portal.
    • https://*.*.nssvc.net on TCP 443 for the control connection with Gateway Service.
    • https://*.*.nssvc.net on TCP 443 and UDP 443 for HDX sessions over TCP and EDT, respectively.

    Note:

    If you can’t allow all subdomains using https://*.*.nssvc.net, you can use https://*.c.nssvc.net and https://*.g.nssvc.net instead. For more information, see Knowledge Center article CTX270584.

Proxy configuration

The VDA supports connecting through proxies for both control traffic and HDX session traffic when using Rendezvous. The requirements and considerations for both types of traffic are different, so review them carefully.

Control traffic proxy considerations

  • Only HTTP proxies are supported.
  • Packet decryption and inspection are not supported. Configure an exception so the control traffic between the VDA and the Citrix Cloud control plane is not intercepted, decrypted, or inspected. Otherwise, the connection fails.
  • Proxy authentication is not supported.

HDX traffic proxy considerations

  • HTTP and SOCKS5 proxies are supported.
  • EDT can only be used with SOCKS5 proxies.
  • By default, HDX traffic uses the proxy defined for control traffic. If you must use a different proxy for HDX traffic, whether a different HTTP proxy or a SOCKS5 proxy, use the Rendezvous proxy configuration policy setting.
  • Packet decryption and inspection are not supported. Configure an exception so the HDX traffic between the VDA and the Gateway Service is not intercepted, decrypted, or inspected. Otherwise, the connection fails.
  • Machine-based authentication is supported only with HTTP proxies and if the VDA machine is AD domain joined. It can use Negotiate/Kerberos or NTLM authentication.

    Note:

    To use Kerberos, create the service principal name (SPN) for the proxy server and associate it with the proxy’s Active Directory account. The VDA generates the SPN in the format HTTP/<proxyURL> when establishing a session, where the proxy URL is retrieved from the Rendezvous proxy configuration policy setting. If you don’t create an SPN, authentication falls back to NTLM. In both cases, the VDA machine’s identity is used for authentication.

  • Authentication with a SOCKS5 proxy is not currently supported. If using a SOCKS5 proxy, configure an exception so that traffic destined to Gateway Service addresses (specified in the requirements) can bypass authentication.
  • Only SOCKS5 proxies support data transport through EDT. For an HTTP proxy, use TCP as the transport protocol for ICA.

Transparent proxy

If using a transparent proxy in your network, no additional configuration is required on the VDA.

Non-transparent proxy

If using a non-transparent proxy in your network, specify the proxy during the VDA installation so that control traffic can reach the Citrix Cloud control plane. Make sure to review the control traffic proxy considerations before proceeding with the installation and configuration.

In the VDA installation wizard, select Rendezvous Proxy Configuration in the Additional Components page. This option makes the Rendezvous Proxy Configuration page available later in the installation wizard. On that page, enter the proxy address or the path to the PAC file so the VDA knows which proxy to use. For example:

  • Proxy address: http://<proxy-address>:<port>
  • PAC file: http://<server>/<file>.pac

As stated in the HDX traffic proxy considerations, HDX traffic uses the proxy defined during the VDA installation by default. If you must use a different proxy for HDX traffic, whether a different HTTP proxy or a SOCKS5 proxy, use the Rendezvous proxy configuration policy setting. When the setting is enabled, specify the HTTP or SOCKS5 proxy address. You can also enter the path to the PAC file so the VDA knows which proxy to use. For example:

  • Proxy address: http://<proxy-address>:<port> or socks5://<proxy-address>:<port>
  • PAC file: http://<server>/<file>.pac

If you use a PAC file to configure the proxy, define the proxy using the syntax required by the Windows HTTP service: PROXY [<scheme>=]<host>:<port>. For example, PROXY socks5=<proxy-address>:<port>.

How to configure Rendezvous

Following are the steps for configuring Rendezvous in your environment:

  1. Make sure that all requirements are met.
  2. If you must use a non-transparent HTTP proxy in your environment, configure it during the VDA installation. Refer to the proxy configuration section for details.
  3. After the VDA is installed, add the following registry value:

    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent
    Value type: DWORD
    Value name: GctRegistration
    Value data: 1
  4. Reboot the VDA machine.
  5. Create a Citrix policy, or edit an existing one:
    • Set the Rendezvous Protocol setting to Allowed.
    • If you must configure an HTTP or SOCKS5 proxy for HDX traffic, configure the Rendezvous proxy configuration setting.
    • Ensure that the Citrix policy filters are set properly, so that the policy applies to the machines that need Rendezvous enabled.
  6. Ensure that the Citrix policy has the correct priority so that it is not overridden by another one.
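The following script is an added example and not Citrix's own code. It applies the VDA-side settings from the proxy configuration section and from steps 2 to 4 above (the ProxySettings and GctRegistration registry values), rejects a SOCKS5 address for control traffic because only HTTP proxies are supported there, checks whether the HTTP/<proxy host> SPN needed for Kerberos exists, and generates an HDX PAC file in the Windows HTTP service syntax. The proxy host proxy.example.local and the ports 3128 and 1080 are hypothetical placeholders; the setspn.exe output strings it matches are assumed. Run it elevated on the VDA.

```powershell
# Added example (not Citrix code). Assumes an elevated session on an installed VDA.
$VdaKey = 'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent'

function Enable-RendezvousRegistration {
    # Step 3: GctRegistration = 1 (DWORD). Takes effect after the reboot in step 4.
    param([string]$Key = $VdaKey)
    if (-not (Test-Path $Key)) { throw "VDA registry key not found: $Key (is the VDA installed?)" }
    New-ItemProperty -Path $Key -Name 'GctRegistration' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Set-RendezvousControlProxy {
    # ProxySettings (String) is the control-traffic proxy, the same value the installer writes
    # (see the known issue about the 2203 installer). Control traffic supports HTTP proxies only,
    # so socks5:// is refused here; SOCKS5 belongs in the Rendezvous proxy configuration policy.
    param([Parameter(Mandatory)][string]$Proxy, [string]$Key = $VdaKey)
    $uri = $null
    if (-not [Uri]::TryCreate($Proxy, [UriKind]::Absolute, [ref]$uri)) {
        throw "Expected an absolute URL such as http://proxy.example.local:3128 or http://host/proxy.pac, got '$Proxy'"
    }
    if ($uri.Scheme -eq 'socks5') {
        throw 'SOCKS5 is not supported for control traffic; use an HTTP proxy here and configure SOCKS5 for HDX in policy'
    }
    if ($uri.Scheme -ne 'http') {
        throw "Unsupported scheme '$($uri.Scheme)'; documented forms are http://<proxy>:<port> and http://<server>/<file>.pac"
    }
    New-ItemProperty -Path $Key -Name 'ProxySettings' -PropertyType String -Value $Proxy -Force | Out-Null
}

function Test-ProxySpn {
    # Kerberos to an HTTP proxy needs an HTTP/<proxy host> SPN on the proxy's AD account; without
    # it the VDA falls back to NTLM. Assumes setspn.exe -Q prints "Existing SPN found!" on success.
    param([Parameter(Mandatory)][string]$ProxyHost)
    $out = & setspn.exe -Q "HTTP/$ProxyHost" 2>&1 | Out-String
    if ($out -match 'Existing SPN found') { return $true }
    Write-Warning "No HTTP/$ProxyHost SPN registered; proxy authentication will fall back to NTLM"
    return $false
}

function New-RendezvousHdxPac {
    # PAC for the Rendezvous proxy configuration policy (HDX traffic): Gateway Service hosts go
    # through SOCKS5 (required for EDT), everything else direct. Uses the Windows HTTP service
    # syntax "PROXY socks5=<host>:<port>" described in the proxy configuration section.
    param([Parameter(Mandatory)][string]$Socks5Host, [int]$Port = 1080)
    @"
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.nssvc.net")) {
        return "PROXY socks5=${Socks5Host}:${Port}";
    }
    return "DIRECT";
}
"@
}

function Get-RendezvousVdaConfig {
    param([string]$Key = $VdaKey)
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    [pscustomobject]@{ GctRegistration = $p.GctRegistration; ProxySettings = $p.ProxySettings }
}

# Usage:
Enable-RendezvousRegistration
Set-RendezvousControlProxy -Proxy 'http://proxy.example.local:3128'
Test-ProxySpn -ProxyHost 'proxy.example.local' | Out-Null
New-RendezvousHdxPac -Socks5Host 'proxy.example.local' | Set-Content -Path "$env:TEMP\hdx-proxy.pac"
Get-RendezvousVdaConfig   # GctRegistration should read 1; reboot the VDA next (step 4)
```

The generated PAC must be published on an HTTP server and its URL entered in the Rendezvous proxy configuration policy; the script only writes it locally.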

Rendezvous validation

If you meet all requirements and have completed the configuration, follow these steps to validate if Rendezvous is in use:

  1. Within the virtual desktop, open a command prompt or PowerShell.
  2. Run ctxsession.exe -v.
  3. The transport protocols displayed indicate the type of connection:
    • TCP Rendezvous: TCP > SSL > CGP > ICA
    • EDT Rendezvous: UDP > DTLS > CGP > ICA
    • Not Rendezvous: TCP > CGP > ICA
  4. The Rendezvous version reported indicates the version in use.
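The following function is an added example, not part of the Citrix page. It runs the check above inside the virtual desktop and classifies the session from the protocol chain that ctxsession.exe -v prints. Only the chains the page lists are matched; the surrounding text of the ctxsession output is not documented here, and the sample string at the end is constructed for illustration.

```powershell
# Added example (not Citrix code). Run inside the HDX session on the VDA.
function Get-RendezvousTransport {
    param([Parameter(Mandatory)][string]$CtxSessionOutput)
    # Chains as documented; whitespace around '>' is tolerated. Rendezvous chains are tested first.
    $chains = [ordered]@{
        'EDT Rendezvous' = 'UDP\s*>\s*DTLS\s*>\s*CGP\s*>\s*ICA'
        'TCP Rendezvous' = 'TCP\s*>\s*SSL\s*>\s*CGP\s*>\s*ICA'
        'Not Rendezvous' = 'TCP\s*>\s*CGP\s*>\s*ICA'
    }
    foreach ($name in $chains.Keys) {
        if ($CtxSessionOutput -match $chains[$name]) { return $name }
    }
    return 'Unknown (no CGP chain found; is Session Reliability enabled?)'
}

function Test-RendezvousSession {
    # Executes ctxsession.exe -v for the current session and warns when Rendezvous is not in use.
    $out  = & ctxsession.exe -v 2>&1 | Out-String
    $kind = Get-RendezvousTransport -CtxSessionOutput $out
    if ($kind -notin 'EDT Rendezvous', 'TCP Rendezvous') {
        Write-Warning "Session is not using Rendezvous: $kind"
    }
    return $kind
}

# Constructed sample (not real ctxsession output) showing the classifier on a TCP Rendezvous chain:
$sample = "Transport Protocols: TCP > SSL > CGP > ICA`r`nRendezvous version: 2"
Get-RendezvousTransport -CtxSessionOutput $sample   # TCP Rendezvous

# Live check:
Test-RendezvousSession
```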

Other considerations

Windows cipher suite order

If the cipher suite order has been modified in the VDA machines, make sure that you include the VDA-supported cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

If the custom cipher suite order does not contain these cipher suites, the Rendezvous connection fails.
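The following check is an added example and not Citrix's own code. It verifies on a VDA that the three cipher suites listed above are still enabled after a custom cipher suite order has been applied, using the built-in TLS module cmdlets Get-TlsCipherSuite and Enable-TlsCipherSuite (Windows Server 2016, Windows 10 and later). It also reads the registry value that the "SSL Cipher Suite Order" Group Policy writes, because a policy-defined order overrides local changes.

```powershell
# Added example (not Citrix code). Run elevated on the VDA.
$VdaRequiredSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA'
)

function Get-PolicyCipherSuiteOrder {
    # The "SSL Cipher Suite Order" GPO stores a comma-separated list in this value; $null if unset.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $v = (Get-ItemProperty -Path $path -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($v) { return @($v -split ',' | ForEach-Object { $_.Trim() }) }
    return $null
}

function Test-VdaCipherSuites {
    param([string[]]$Required = $VdaRequiredSuites, [switch]$Repair)
    $policy  = Get-PolicyCipherSuiteOrder
    $enabled = if ($policy) { $policy } else { (Get-TlsCipherSuite).Name }
    $missing = @($Required | Where-Object { $_ -notin $enabled })
    if ($missing.Count -eq 0) {
        Write-Host 'OK: all VDA-required cipher suites are enabled'
        return $true
    }
    Write-Warning ('Missing cipher suites (Rendezvous will fail): ' + ($missing -join ', '))
    if ($policy) {
        # A local Enable-TlsCipherSuite would be overridden at the next policy refresh.
        Write-Warning 'Cipher suite order is set by Group Policy; add the suites to the GPO instead'
        return $false
    }
    if ($Repair) {
        foreach ($s in $missing) { Enable-TlsCipherSuite -Name $s }
        return (Test-VdaCipherSuites -Required $Required)
    }
    return $false
}

Test-VdaCipherSuites -Repair
```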

Zscaler Private Access

If using Zscaler Private Access (ZPA), it is recommended that you configure bypass settings for the Gateway Service to avoid increased latency and the associated performance impact. To do so, you must define application segments for the Gateway Service addresses (specified in the requirements) and set them to always bypass. For information on configuring application segments to bypass ZPA, see the Zscaler documentation.

Known Issues

Rendezvous V2 does not work if Rendezvous V1 was previously in use

If you enabled the DNS resolution setting in your DaaS site to use Rendezvous V1, Rendezvous V2 connections fail. To use Rendezvous V2, you must disable DNS resolution in your DaaS site using one of the following options:

  • Navigate to Full Configuration > Settings and turn off the Enable DNS resolution setting
  • Use the Citrix DaaS Remote PowerShell SDK and run the command Set-BrokerSite -DnsResolutionEnabled $false

VDA 2203 installer does not allow entering a slash ( / ) for the proxy address

As a workaround, you can configure the proxy in the registry after the VDA is installed:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent
Value type: String
Value name: ProxySettings
Value data: Proxy address or path to the PAC file. For example:
  Proxy address: http://squidk.test.local:3128
  PAC file: http://file.test.com/config/proxy.pac

Rendezvous traffic flow

The following diagram illustrates the sequence of steps in the Rendezvous traffic flow.

[Figure: Rendezvous traffic flow]

  1. The VDA establishes a WebSocket connection with Citrix Cloud and registers.
  2. The VDA registers with Citrix Gateway Service and obtains a dedicated token.
  3. The VDA establishes a persistent control connection with the Gateway Service.
  4. The user navigates to Citrix Workspace.
  5. Workspace evaluates authentication configuration and redirects users to the appropriate IdP for authentication.
  6. The user enters their credentials.
  7. After successfully validating the user credentials, the user is redirected to Workspace.
  8. Workspace enumerates the resources available to the user and displays them.
  9. The user selects a desktop or application from Workspace. Workspace sends the request to Citrix DaaS, which brokers the connection and instructs the VDA to prepare for the session.
  10. The VDA responds with the Rendezvous capability and its identity.
  11. Citrix DaaS generates a launch ticket and sends it to the user device through Workspace.
  12. The user’s endpoint connects to the Gateway Service and presents the launch ticket to authenticate and identify the resource to connect to.
  13. The Gateway Service sends the connection information to the VDA.
  14. The VDA establishes a direct connection for the session with the Gateway Service.
  15. The Gateway Service completes the connection between the endpoint and the VDA.
  16. The VDA verifies licensing for the session.
  17. Citrix DaaS sends applicable policies to the VDA.