Objective
本文概述了浏览器的content redirection (BCR) feature and use cases before providing general troubleshooting guidelines. It is highly recommended that you first read through theBrowser content redirectionandBrowser content redirection policy settingssections of theCitrix Virtual Apps and Desktops 7 Product Documentationbefore using this troubleshooting article.
Instructions
Browser content redirection (BCR) allows the redirection of VDA-side browser viewports to the client-side. The benefits of BCR are achieved when offloading network utilization, page processing, graphics rendering to the endpoint, and improving end-user experience when browsing demanding webpages; especially those incorporating HTML5 or WebRTC video.
For BCR to work, the VDA must have access to the website you are trying to redirect - in other words, a navigation event must occur in the browser for BCR code to kick in. The webpage would then be uninstantiated , and immediately redirected.
Currently there are two browsers supported:
- Internet Explorer 11: The VDA-side IE11 browser viewport is redirected and rendered on the client-side using the client-side installed IE11 and the Citrix Workspace app for Windows process HdxBrowser.exe. A BHO (Browser Helper Object) called CitrixHDXJsInjector is added by the VDA installer to IE11 on the VDA. This BHO injects HdxVideo.js into whitelisted webpages. This Javascript's main goal is to connect via secure web sockets to a service called WebsocketService.exe running on the VDA.
- Google Chrome/Microsoft Edge: The VDA-side Chrome browser viewport is redirected and rendered on the client-side using the Citrix Workspace app for Windows embedded Chromium engine and the HdxBrowserCef.exe process. Note that theBrowser Content Redirection Extension(which injects HdxVideo.js) must be installed and enabled on the VDA before using BCR with Chrome. The Browser Content Redirection Extension is available from theChrome Web Store.
- Please note that Chrome support requires CWA 1809 or higher and VDA 1808 or higher.
- HTML5 video redirection policy must be disabled when Browser Content Redirection is in use.
For further information, including BCR system requirements, please read theBrowser content redirectionsection of theCitrix Virtual Apps and Desktops 7 Product Documentation.
2. Browser Content Redirection configuration for specific use cases
2.1 Server fetch and server render
Default behavior when BCR is disabled. No VDA-side viewport redirection to the client occurs. This could be due to the desired behavior as configured through BCR policies, or server fallback may have occurred unintentionally due to a client redirection failure. To configure for this use case:
Browser content redirectionpolicy: If set toProhibited, BCR is disabled.
Alternatively, if “server fetch and server render” is to be applied for some websites, while permitting BCR for others, use theBrowser content redirection Access Control List (ACL) policy settingspolicy to whitelist sites and/or theBrowser content redirection blacklist settingpolicy to blacklist sites.
In this alternative scenario, theBrowser content redirectionpolicy needs to be unconfigured [since the default value isAllowed] or set explicitely toAllowed.
Note that in this mode, server-side rendering uses ICA Thinwire to remote the graphics to Workspace app, the same way it is done for any application running in the virtual desktop.
2.2 Server fetch and client render
This mode allows endpoints with no direct access to the website (e.g. Intranet) to be able to proxy the HTTP traffic through the VDA, which then relays to the web server. A service in the VDA called "Citrix Port Forwarding" is in charge of this.
To configure for this use case:
When theBrowser content redirection proxy settingpolicy has been configured with a proxy server IP:Port address, the client connects to the proxy server on the VDA’s network over the Port Forwarding virtual channel and renders the content locally.
Proxies that require explicit authentication are supported with CWA for Windows 1907 or higher.
TCPView running on the endpoint will show thatHdxBrowserattempts to connect to a few localhost TCP ports (the aforementioned client-side Port Forwarding virtual channel):
For Linux endpoints, running netstat will showWebKitNetworkProcessestablishing connections to localhost:
On a Linux client, also check if vdbrowser.dll and vdportfoward.dll (used for server fetch client render) have been loaded.
If they are not loaded, the redirection will fail and fallback to server-side rendering.
You can use the following command "cat /proc/
The TCP Port Forwarding service on the VDA is called CtxSvcHost.exe, and is the one making the final outbound connection to your Proxy Server (in the screenshot below it is 10.108.7.8:8888). This is how it looks on Process Explorer:
Be aware that there are many Citrix Virtual Channels that can run under CtxSvcHost (Smart Card, Audio, Flash, etc).
一个使用的服务器获取Client Render in Browser Content Redirection uses the "PortFwdSvcs" flag, as seen above.
You can also use TCPView - but make sure you are tracking the right CtxSvcHost. You can use the PID value from Process Explorer (9196 in the screenshot above) to correctly identify it, or look at the Remote Address and identify your Proxy.
If CtxSvcHost.exe is not seen, please restart the service "Citrix HDX Port Forwarding Service" on the VDA.
2.3客户端获取和客户端渲染
这个用例提供了最大的以ts for bandwidth efficiency and VDA resource usage.
To configure for this use case:
Browser content redirectionpolicy: No need to configure butAllowedcan be set. [Default valueAllowed]
Browser content redirection Access Control List (ACL) policy settingspolicy: Acts as whitelist. Add any websites (wildcard * can be used) that you want to be redirected.
[Default value: https://www.youtube.com/*]
When this mode is configured, HdxBrowserCef.exe (Windows) or WebKitNetworkProcess (Linux) will contact a website directly:
2.4 Other BCR configuration options
To support whitelisted websites that navigate away to a 3rd-party site for authentication before redirecting back to the whitelisted site, configure theBrowser content redirection authentication sitespolicy.
We'll use YouTube as an example:
TheBrowser content redirectionpolicy will include the value: https://www.youtube.com/* [note that this entry exists by default in the policy]
The Sign In button on the YouTube site navigates to https://accounts.google.com/... (the protocol/domain part will be consistent but the full path will vary).
To support the authentication-related navigation from https://www.youtube.com/ to https://accounts.google.com/ and back to https://www.youtube.com/, configure as follows:
In theBrowser content redirection authentication sitespolicy, add the entry: https://accounts.google.com/* (note the wildcard * to accommodate variations in URL sub-folder values).
More info can be found inCTX238236.
3. Browser Content Redirection feature limitations
- For websites with media content, only the following list of codecs are supported when the site is redirected:
| Container | Audio Codecs | Video Codecs |
| MP4 (QuickTime / MOV / MPEG4) Ogg WebM WAV |
FLAC MP3 Opus PCM |
VP8 VP9 Theora H264 |
- In CWA 1905 for Windows or older versions, or with CWA for Linux, Websites that use Integrated Windows Authentication (IWA) might break BCR. Currently BCR is not able to handle and display the pop-up "Windows Security" dialog box (or any dialog box), and the user might end up in a blank page. Keep in mind that since now the endpoint is loading the website, the endpoint and website (running on IIS for example) might not be in the same domain (while VDA and IIS might). Hence IWA fails, a pop-up window should be displayed prompting the user for credentials but it is not, because of the aforementioned limitation in BCR. This issue has been fixed in CWA for Windows 1907 or higher.
- When using Server Fetch Client Render (thispolicy in Studio), only a single Proxy FQDN / IP is supported. PAC files (for automatic proxy configuration) are now supported with Server Fetch Client Render when the VDAs are 2003 or higher (seehere), or 1912 CU1 (seehere).
- When freshly installing CVAD 1811 (only), there is a known issue with BCR_x64.msi where it is not installed on the VM if the Admin selected "Enable brokered connections to a server" or "Enable Remote PC Access". The workaround is to mount the .iso of CVAD, find the BCR_x64.msi in Image-Full\x64\Virtual Desktop Components and run it. SeeCTX240182.
- The Desktop OS Core Services Virtual Delivery Agent stand alone .exe (VDAWorkstationCoreSetup) does not include BCR_x64.msi. Same workaroundCTX240182fixes this.
- Due to the limitation of CEF(Chromium Embedded Framework), client endpoint GPU needs to be disabled if DPI scaling factor is set to a number other than 100% in order for BCR feature to work. Otherwise BCR displays the website in a corrupted fashion (like zoomed in and cropped). To disable, configure on the Client:
- HKLM \ SOFTWARE \ Citrix\HdxMediastream\
For 64-bit:
HKLM\SOFTWARE\Wow6432Node\Citrix\HdxMediastream\
Key: GPU (DWORD)
Value: 0
- HKLM \ SOFTWARE \ Citrix\HdxMediastream\
- Currently, with Windows CWA, copying text from redirected webpages is only possible with Chrome browser content redirection. Use Ctrl-C / Crtl-V to copy and paste. Linux CWA support copy/paste for both IE11 and Chrome.
- Currently printing from redirected webpages is not possible from Internet Explorer 11 and Chrome.
- Currently, screensharing functionality will not work if the BCR user tries to initiate screensharing. Incoming sreensharing does work (HDX-16273).
- Upgrades to Receiver 4.11 or 4.10 from any version might break BCR virtual channels. See CTX235183.
- If Local App Access is Allowed then BCR will not work. You must set LAA to Prohibited (Default) for BCR to work.
- Currently downloads aren't enabled on redirected websites when using Chrome on the VDA (therefore files cannot be saved to the endpoint).
- In IE11, after starting a YouTube video using the YouTube HTML5 video player, full-screen mode might not work. You click the icon in the lower-right corner of the video, and the video doesn’t resize leaving the black background in the full area of the page. As a workaround, click the full screen button, and then select theater mode.
This issue is not seen on Chrome.
4. Browser Content Redirection Troubleshooting
Before proceeding, please review the “Browser Content Redirection feature limitations” section.4.1 General troubleshooting steps
| Step | May clear problem in |
| Close the browser, re-open, and navigate to a whitelisted site. | Browser Add-On and HdxVideo.js file |
| Disconnect and reconnect the session. | Citrix Workspace app, HdxBrowser.exe, HdxBrowserCef.exe, WebSocketAgent.exe, and services |
| Logoff and logon to a new session. | Citrix Workspace app, HdxBrowser.exe, HdxBrowserCef.exe, WebsocketAgent.exe, and services |
| Stop the services: 1. Browser redirection service, 2. HTML5 redirection service, and 3. Port forwarding service. Restart them in reverse order listed. Logoff and logon the session. | All components |
4.2 Data to collect for troubleshooting
CDF modules to trace:
| VDA Side | Citrix Workspace app (client) Side | ||||||||||||
|
|
4.3 HdxBrowser and Webcontainer (a.k.a Overlay Browser)
When using BCR with Internet Explorer 11, ensureHdxBrowser.exeis running with Citrix Workspace app for Windows (use Task Manager) while you are on a whitelisted site.
When using Google Chrome, the process is calledHdxBrowserCef.exe.
Note: Chrome support requires CWA 1809 or higher, and VDA 1808 or higher.
This is how it looks on Process Explorer on the endpoint:
ForLinux endpoints(Fat Clients, or Thin Client minimum versions: Unicon eLux RP 6.2.3 CR, HP ThinPro 7.1 or higher only, iGEL OS 10.05 or higher) the process used iswebcontainer(placed in ICAROOT /util folder. ICAROOT generally is /opt/Citrix/ICAClient for root user).
Dell Wyse ThinOS Version 9.0supports BCR.
i. Please check ifwebcontainerprocess is starting in your Linux client by running:
Sample output:
ii. If it fails then you have to install WebKitGTK+ version greater than2.16.6for Browser Content redirection to work.
WebKitGTK +是一个功能齐全的港口的WebKit rendering engine (WebKit2 API with GTK3).
(This is not part of Citrix Receiver / Workspace app, so you will need to download the proper package for your Linux distribution and processor architecture, or contact your Thin Client vendor).
Therefore,libwebkit2gtk-4.0.so.37system library will be required forwebcontainerto link against:
Note that glibcxx 3.4.20 or later isalso required for BCR(#locate libstdc++.so.6and then run#strings /
iii. You can then check ifwebcontainerprocess can render the video content locally by running:
./webcontainer --urlhttps://www.youtube.com/html5
./webcontainer --urlhttps://www.youtube.com
This test verifies if the endpoint has the proper codecs available (specially the 'ugly' ones like H264). The test does not invoke any Citrix VDA components, it is a purely local test. Webcontainer (WebKitWebProcess) will in turn make calls to GStreamer1.x- if H264 is not loaded, VP8 will be used instead (if the website supports WebM).
In order to check your GStreamer version, run 'dpkg -l | grep gstreamer'.
More info on GStreamer requirements inCTX224988.
Note: Currently, if WebKitGTK+ version is below 2.22.3, then Media Source Extensions (MSE) arenotsupported so YouTube videos will only play up to 720p (with H264).
If H264 is not available or licensed, YouTube will attempt to use WebM container format (VP8/VP9 video codecs fromgst-plugins-goodand Opus audio codec fromgst-plugins-base).
YouTube now requires MSE to play videos in WebM format, so a proper WebKitGTK+ version has to be present.
WebKitGTK+ version 2.22.5 or higher and GStreamer 1.14.4 or higher are recommended for YouTube.
iv. Running the top command while BCR is active will show:
Whilewebcontaineris in use, there are 2 associated WebKit processes that run:WebKitNetworkProcessandWebKitWebProcess. The actual network outbound connections are made byWebKitNetworkProcess).
4.4 Browser JavaScript log live debugging in IE11 and Chrome:
If you want to debug in IE11, Open%programfiles%\Citrix\HdxVideo.js
(or depending on your VDA version, the Javascript can also be located inside a folder called %programfiles%\Citrix\ICASERVICE)
You might need to do this running Notepad as an Admin and opening the .js file from the Open menu
Change the linevar DEBUG_ONLY = false;tovar DEBUG_ONLY = true;
Save the file and close your Editor.If you want to debug on Chrome, skip step #1. Make sure your Extension is at version 2.0. Right click on the icon, select Options and tick "Activate debug logging'.
Close Internet Explorer / Chrome and reopen it, hitF12 or Ctrl+Shift+I, and go to theConsoletab in Developer tools.Browse to a whitelisted site, e.g. https://www.youtube.com
You should see traces from [HdxVideo.js] (example below). Collect the entire log.
Key messages to look for are highlighted in bold, with additional comments inside brackets [ ]:[HdxVideo.js] OnUnload (window): [object Window]
[HdxVideo.js] DocumentBodySuppressor.start()
[HdxVideo.js Events] interceptEventListeners()
[HdxVideo.js] DocumentBodySuppressor.trySetBodyStyle(): stopping observer
[HdxVideo.js] OnLoad (window): [object HTMLDocument]
[HdxVideo.js] Unredirected video count: 0
[HdxVideo.js] HDX_DO_PAGE_REDIRECTION: true[if false, redirection is not even attempted. Problem with policies or browser Extension?]
[HdxVideo.js] infallback: undefined
[HdxVideo.js] Installing event listeners.
[HdxVideo.js] msexitFullscreen - Found!
[HdxVideo.js] onWSOpen:[Websocket opening to WebsocketAgent.exe 127.0.0.1:9001 succeeded. If failed, check your IE Security Settings]
[HdxVideo.js] >>> {"v":"pageurl","url":"https://www.google.de/"}
[HdxVideo.js] onVisibilityChange:
[HdxVideo.js] >>> {"v":"vis","vis":true}
[HdxVideo.js] onResize:
[HdxVideo.js] >>> {"v":"pageredir"}
[HdxVideo.js] sendClientSize: w: 1316 h: 755
[HdxVideo.js] >>> {"v":"clisz","w":1316,"h":755}
CSI/tbsd_: 15.599,072ms
CSI/_tbnd: 15.658,128ms
[HdxVideo.js] <<< {"v":"winid","title":"CitrixVideo:{1b83a2dc-39ae-4455-ad7d-d56e71fbb45d}"}
[HdxVideo.js] onWSMessage: winid: CitrixVideo:{1b83a2dc-39ae-4455-ad7d-d56e71fbb45d}
[HdxVideo.js] setWindowTitle: CitrixVideo:{1b83a2dc-39ae-4455-ad7d-d56e71fbb45d}
[HdxVideo.js] documentTitleMutator.start()
[HdxVideo.js] >>> {"v":"winid"}
[HdxVideo.js] <<< {"v":"pageredir"}[VDA is instructing Receiver to start the redirection process]
[HdxVideo.js] onWSMessage: pageredir
[HdxVideo.js] Redirecting page -- 화이팅!https://www.google.de/[Korean characters means the redirection was successful]
A common error is:
| [HdxVideo.js] OnUnload (window): [object Window] Navigation Event Separator HTML1300: Navigation occurred.www.youtube.com [HdxVideo.js] DocumentBodySuppressor.start() [HdxVideo.js Events] interceptEventListeners() [HdxVideo.js] DocumentBodySuppressor.trySetBodyStyle(): stopping observer [HdxVideo.js] OnLoad (window): [object HTMLDocument] [HdxVideo.js] Installing event listeners. [HdxVideo.js] msexitFullscreen - Found! [HdxVideo.js] doRedirection(): exception connecting to WebSocket: SecurityError [HdxVideo.js] onWSError: [HdxVideo.js] Showing content -- suspendRedirection. |
In the Developer Tools console this can be seen as:
This is caused by security configurations in IE11’sSecurity Zones, and the root of the issue is127.0.0.1 being classified under theintranet zonewhile the redirected whitelisted site is in theinternet zone.
重定向可能在Chrome (sinc正常运行e it has no concept of Zones).
Internet Explorer automatically assigns all websites to a security zone: Internet, Local intranet, Trusted sites, or Restricted sites.
Important: 127.0.0.1 will be classified as either Intranet or Internet zone, depending on your IE11 Proxy configuration in Tools > Internet Options > Connections > LAN Settings (eitherPAC files - WPAD Proxy Script-,orExplicit Proxy -manual-). More infohere.
If 127.0.0.1 ends up being classified as Intranet, then Zone elevation restrictions prevent connections fromInternet zoneto本地内部网区, and BCR will fail.
TheLocal intranetoption"Include all sites that bypass the proxy server"should be unchecked (disabled).
Rationale : If"Include all sites that bypass the proxy server" isenabled, 127.0.0.1 connections are considered to be in the Intranet zone.Zone elevation restrictions prevent connections fromInternet zoneto 本地内部网区.Most of the external redirected sites like Youtube will be in theInternet zoneand the injected script HdxVideo.js will attempt a connection to 127.0.0.1:9001 in theIntranet zonewhich will be blocked. So,"Include all sites that bypass the proxy server" should be unchecked.Internet Properties --> Security --> Local Intranet --> Sites, and uncheck "Include all sites that bypass the proxy server"
The equivalent configuration can be made by setting these regkeys via GPOs (ADM Computer template):
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect [REG_DWORDvalue 0]
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ IntranetName [REG_DWORDvalue 1]
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass [REG_DWORDvalue 0]
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ UNCAsIntranet [REG_DWORDvalue 1]
Each zone has a different default security level that determines what kind of content might be blocked for that site.
| Zone | Description | Default Setting |
| Internet | Contains all websites that are not assigned to any other zone | Medium-high |
| Local intranet | Contains all websites and content that is stored on a corporate intranet and don't require a Proxy Server | Medium-low |
| Trusted Sites | Contains all Internet sites that you have specifically indicated to be ones that you trust not to damage your computer or information | Medium |
| Restricted Sites | Contains all the sites that might potentially damage your computer or your information | High |
(Depending on the security level of a site, some content might be blocked until you choose to allow it).
You can check the Zone a website is assigned to by navigating to it and then right clicking --> Properties
 |
If the website you are trying to redirect is in your Internet Zone (see example above), then please try to add the following entry to the Trusted Zone Sites in IE11 (Internet Options -> Security)
|
You can verify if websockets are opened by going to Developer Tools -> Console and type:
| var exampleSocket = new WebSocket('wss://127.0.0.1:9001'); exampleSocket.onmessage = function(messageEvent) { console.log(JSON.stringify(messageEvent)); }; |
wait a few seconds and then type: exampleSocket.readyState |
| The expected output from the 2nd line, is '1', which indicates that the WebSocket connection was successfully formed. 0 ( CONNECTING) The connection is not yet open | 1 (OPEN) The connection is open and ready to communicate.2 ( CLOSING)The connection is in the process of closing | 3 (CLOSED) The connection is closed or couldn't be opened |
 |
4.5 Pac files
The PAC file does not need to return DIRECT for 127.0.0.1:9001 (WebSocketService.exe on the VDA), IE11 makes direct connections for localhost/127.0.0.1 by default.
Zone elevations restrictions might, again, prevent HdxVideo.js to connect to 127.0.0.1:9001, so make sure it is classified as Internet Zone (see 4.4).
4.6 Content Security Policy
Another possible error is that some websites use a technology called CSP (Content Security Policy) which prevents any outside resource (like the Javascript used in BCR) from being executed in the trusted webpage context. Therefore Browsers prevent the injection of HdxVideo.js and BCR fails, falling back to server-side rendering.
This can be overcome if you have a Proxy server in your network (like Bluecoat) and you are able to apply HTTP Rewrites.
wss://127.0.0.1:9001 needs to be added toconnect-src
4.7 Browser Helper Object (BHO for IE11)
The BHO is not currently compatible with Enhanced Protected Mode in IE11.
BHO is explicitly enabled upon install time of Citrix Virtual Apps and Desktops. If you want to disable it, please check the registry key created for the CLSID of the extension in the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
There should be a key created with the CLSID of the extension ie {CA076BDE-8E41-44EE-B775-E791F26D0483}
The value of the key is set to 1. This means the extension is enabled and users cannot change it.
If changed to 0 , the extension will be disabled and users cannot change it.
If changed to 2 , the extension will be enabled and users can enable or disable it in the browser's "Manage add-ons".
4.8 How to verify the webpage is redirected
Method #1: Drag the IE11 or Chrome window quickly. You will notice a ‘delay’ or ‘out of frame’ between the viewport and the User Interface.
Also you will notice a quick change in the title on the Tab (CitrixVideoId) before the original title is placed back
Method #2: When the right mouse button is clicked on window area, a customized context menu is displayed. Back/Forward menu items are currently disabled for the initial releases. The remaining menu items perform the following tasks:
- Refresh: refreshes current client side web page.
- Open: if the mouse point is focused on a hyper link, the link will be opened; otherwise, nothing will happen.
- Open in New Tab: if the mouse point is focused on a hyper link, the link will be opened in a new Tab; otherwise, nothing will happen. (Note: for the initial release, this works only when pop-up is enabled on VDA side IE instance.)
- Open in New Window: if the mouse point is focused on a hyper link, the link will be opened in a new Tab; otherwise, nothing will happen. (Note: for the initial release, this works only when pop-up is enabled on VDA side IE instance and the link is opened in a new Tab rather than in a new Window)
- About HDX Browser Redirection: Browse to Citrix support site in a new Tab
Event Viewer:
Troubleshooting: If you end up on a different page, or the Authentication flow seems to be not working and the HdxBrowserCef.exe gets stuck in an authentication loop or falls back to the VDA-side browser, it means you missed some URLs in your Organization's authentication flow, and an intermediate page was not added to the Authentication Sites Studio policy.
In such cases, the VDA-side Event Viewer will have an entry that tells you exactly what website URL caused BCR to fail. Add it to the Authentication Sites Studio policy and re-test.
