Rendezvous V2

When using the Citrix Gateway Service, the Rendezvous protocol allows VDAs to bypass the Citrix Cloud Connectors to connect directly and securely with the Citrix Cloud control plane.

Rendezvous V2 is supported with standard domain joined machines, Azure AD joined machines, and non-domain joined machines.

Note:

Currently, connectorless deployments are possible with Azure AD joined and non-domain joined machines only. Standard AD domain joined machines still require Cloud Connectors for VDA registration and session brokering. However, there are no DNS requirements for using Rendezvous V2.

Cloud Connector requirements for other functions not related to VDA communication, such as connecting to your on-prem AD domain, MCS provisioning to on-prem hypervisors, etc., remain the same.

Requirements

The requirements for using Rendezvous V2 are:

  • Access to the environment using Citrix Workspace and Citrix Gateway Service
  • Control plane: Citrix DaaS
  • VDA version 2203
  • Enable the Rendezvous protocol in the Citrix policy. For more information, see Rendezvous protocol policy setting.
  • Session Reliability must be enabled on the VDAs
  • The VDA machines must have access to:
    • https://*.*.nssvc.net on TCP 443 and UDP 443 for HDX sessions over TCP and EDT, respectively. If you can’t allow all subdomains in that manner, you can use https://*.c.nssvc.net and https://*.g.nssvc.net instead. For more information, see Knowledge Center article CTX270584.
    • https://*.xendesktop.net on TCP 443. If you can’t allow all subdomains in that manner, you can use https://<customer_ID>.xendesktop.net, where <customer_ID> is your Citrix Cloud customer ID as shown in the Citrix Cloud administrator portal.

Proxy configuration

The VDA supports connecting through proxies for both control traffic and HDX session traffic when using Rendezvous. The requirements and considerations for both types of traffic are different, so review them carefully.

Control traffic proxy considerations

  • Only HTTP proxies are supported.
  • Packet decryption and inspection are not supported. Configure an exception so the control traffic between the VDA and the Citrix Cloud control plane is not intercepted, decrypted, or inspected. Otherwise, the connection fails.
  • Proxy authentication is not supported.

HDX traffic proxy considerations

  • HTTP and SOCKS5 proxies are supported.
  • EDT can only be used with SOCKS5 proxies.
  • By default, HDX traffic uses the proxy defined for control traffic. If you must use a different proxy for HDX traffic, whether a different HTTP proxy or a SOCKS5 proxy, use the Rendezvous proxy configuration policy setting.
  • Packet decryption and inspection are not supported. Configure an exception so the HDX traffic between the VDA and the Citrix Cloud control plane is not intercepted, decrypted, or inspected. Otherwise, the connection fails.
  • Machine-based authentication is supported only with HTTP proxies and if the VDA machine is AD domain joined. It can use Negotiate/Kerberos or NTLM authentication.

    Note:

    To use Kerberos, create the service principal name (SPN) for the proxy server and associate it with the proxy’s Active Directory account. The VDA generates the SPN in the format HTTP/<proxyURL> when establishing a session, where the proxy URL is retrieved from the Rendezvous proxy configuration policy setting. If you don’t create an SPN, authentication falls back to NTLM. In both cases, the VDA machine’s identity is used for authentication.

  • Authentication with a SOCKS5 proxy is not currently supported. If using a SOCKS5 proxy, configure an exception so that traffic destined to Gateway Service addresses (specified in the requirements) can bypass authentication.
  • Only SOCKS5 proxies support data transport through EDT. For an HTTP proxy, use TCP as the transport protocol for ICA.

Transparent proxy

If using a transparent proxy in your network, no additional configuration is required on the VDA.

Non-transparent proxy

If using a non-transparent proxy in your network, specify the proxy during the VDA installation so that control traffic can reach the Citrix Cloud control plane. Make sure to review the control traffic proxy considerations before proceeding with the installation and configuration.

In the VDA installation wizard, select Rendezvous Proxy Configuration in the Additional Components page. This option makes the Rendezvous Proxy Configuration page available later in the installation wizard. Once here, enter the proxy address or the path to the PAC file for the VDA to know which proxy to use. For example:

  • Proxy address: http://<URL or IP>:<port>
  • PAC file: http://<URL or IP>/<path>/<filename>.pac

As stated in the HDX traffic proxy considerations, HDX traffic uses the proxy defined during the VDA installation by default. If you must use a different proxy for HDX traffic, whether a different HTTP proxy or a SOCKS5 proxy, use the Rendezvous proxy configuration policy setting. When the setting is enabled, specify the HTTP or SOCKS5 proxy address. You can also enter the path to the PAC file so the VDA knows which proxy to use. For example:

  • Proxy address: http://<URL or IP>:<port> or socks5://<URL or IP>:<port>
  • PAC file: http://<URL or IP>/<path>/<filename>.pac

If you use the PAC file to configure the proxy, define the proxy using the syntax required by the Windows HTTP service: PROXY [<scheme>=]<URL or IP>:<port>. For example, PROXY socks5=<URL or IP>:<port>.
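
A PAC file using this syntax, as an added example that is not part of the Citrix documentation: it sends the Gateway Service hosts from the requirements to a SOCKS5 proxy and the control plane hosts to an HTTP proxy, matching domains on a label boundary so look-alike hostnames are not treated as Citrix addresses. The proxy hostnames and ports are placeholders, and returning DIRECT for all other hosts is an assumption about your network.

```javascript
// Constructed PAC file for a Rendezvous V2 VDA (added example, not Citrix code).
// Proxy hosts and ports are placeholders; replace them with your own.
var HTTP_PROXY = "PROXY proxy.example.internal:8080";          // control traffic: HTTP proxies only
var SOCKS5_PROXY = "PROXY socks5=socks.example.internal:1080"; // HDX traffic: SOCKS5 is needed for EDT

// Number of labels in front of `domain`, or -1 when `host` is not inside it.
// The comparison is anchored on ".domain", so "evilnssvc.net" and
// "nssvc.net.example.com" do not match. PAC helpers such as dnsDomainIs are
// avoided so the same file can be exercised under Node before deployment.
function labelsBefore(host, domain) {
  var suffix = "." + domain;
  if (host.length <= suffix.length) { return -1; }
  if (host.substring(host.length - suffix.length) !== suffix) { return -1; }
  return host.substring(0, host.length - suffix.length).split(".").length;
}

function FindProxyForURL(url, host) {
  host = String(host).toLowerCase();
  // Drop the trailing dot of a fully qualified name.
  if (host.charAt(host.length - 1) === ".") {
    host = host.substring(0, host.length - 1);
  }
  // *.*.nssvc.net: Gateway Service addresses carrying HDX sessions.
  if (labelsBefore(host, "nssvc.net") >= 2) { return SOCKS5_PROXY; }
  // *.xendesktop.net: Citrix Cloud control plane.
  if (labelsBefore(host, "xendesktop.net") >= 1) { return HTTP_PROXY; }
  // Assumption: everything else does not need a proxy.
  return "DIRECT";
}
```
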

How to configure Rendezvous

Following are the steps for configuring Rendezvous in your environment:

  1. Make sure that all requirements are met.
  2. If you must use a non-transparent HTTP proxy in your environment, configure it during the VDA installation. Refer to the proxy configuration section for details.
  3. After the VDA is installed, add the following registry value:

            Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent
            Value type: DWORD
            Value name: GctRegistration
            Value data: 1
    
