Virtual channel security

By default, the Virtual channel allow list feature is disabled. When enabled, only Citrix's own virtual channels can open in virtual app and desktop sessions; any other channel is blocked until it is explicitly added to the allow list. If you need a custom virtual channel, whether homegrown or from a third-party vendor, you must add it to the list yourself.

Adding virtual channels to the allow list

To add a virtual channel to the allow list, you need:

  1. The virtual channel name as defined in the code, which can be up to seven characters long. For example, CTXCVC1.

  2. The paths to the processes that open the virtual channel on the VDA machine. For example, C:\Program Files\Application\run.exe.

Once you have the required information, you must add the virtual channel to the allow list using the Virtual channel allow list policy setting. To add a virtual channel to the list, enter the virtual channel name followed by a comma, and then the path to the process that accesses the virtual channel. If there are multiple processes, these can be added separated by commas.

Note:

After making changes to the policy, reboot the VDA to ensure the changes take effect.

Using the previous examples, you would add the following to the list:

CTXCVC1,C:\Program Files\Application\run.exe

If there are multiple processes, you would add the following to the list:

CTXCVC1,C:\Program Files\Application\run.exe,C:\Program Files\Application\run2.exe
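The entry format shown above, as an added example that is not part of the Citrix documentation: a PowerShell function that assembles and sanity-checks one allow-list line before you paste it into the Virtual channel allow list policy setting. The seven-character limit on the channel name comes from the text; rejecting commas inside a process path is an assumption drawn from the fact that the value is comma-delimited and no escaping is documented, and the existence check is only a warning because the entry is often authored on a machine other than the VDA.

```powershell
# Added example (not Citrix code): build and sanity-check a Virtual channel allow list
# entry of the form <vcName>,<path1>[,<path2>...].
function New-VcAllowListEntry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $ChannelName,
        [Parameter(Mandatory)] [string[]] $ProcessPath
    )

    # Channel names are at most seven characters (CTXCVC1, CTXMM, CTXRMEP ...).
    if ($ChannelName.Length -lt 1 -or $ChannelName.Length -gt 7) {
        throw "Invalid virtual channel name '$ChannelName': 1 to 7 characters expected."
    }
    # A comma would be read as the field separator of the policy value.
    if ($ChannelName -match '[,\s]') {
        throw "Virtual channel name '$ChannelName' must not contain commas or whitespace."
    }

    foreach ($p in $ProcessPath) {
        # Assumption: the value is purely comma-delimited, so a path containing a comma
        # cannot be represented unambiguously.
        if ($p -match ',') {
            throw "Process path '$p' contains a comma and cannot be placed in the allow list."
        }
        if (-not [System.IO.Path]::IsPathRooted($p)) {
            throw "Process path '$p' must be an absolute path on the VDA."
        }
        # Warn rather than fail: this script may run on an admin workstation, not the VDA.
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            Write-Warning "Process '$p' was not found on this machine; verify the path on the VDA."
        }
    }

    # Flatten name + paths into one comma-separated line.
    return ((@($ChannelName) + $ProcessPath) -join ',')
}

# Usage (the two paths from the text above):
New-VcAllowListEntry -ChannelName 'CTXCVC1' -ProcessPath @(
    'C:\Program Files\Application\run.exe',
    'C:\Program Files\Application\run2.exe'
)
```

The function only produces the text of the entry; applying it still goes through the policy setting, followed by the VDA reboot the note above requires.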

Citrix virtual channel considerations

All built-in Citrix virtual channels are trusted and allowed to open without further configuration. However, two features require explicit allow list entries because their channel is opened by a non-Citrix process on the VDA:

  • Multimedia Redirection
  • HDX RealTime Optimization Pack for Skype for Business

Multimedia Redirection

This information is required for the allow list entry:

  • Virtual channel name: CTXMM
  • Process: Path to the media player used on your VDA machine. For example, C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  • Allow list entry: CTXMM,C:\Program Files (x86)\Windows Media Player\wmplayer.exe

HDX RealTime Optimization Pack for Skype for Business

This information is required for the allow list entry:

  • Virtual channel name: CTXRMEP
  • Process: Path to the Skype for Business executable on your VDA machine, which varies with the Skype for Business version and with any custom installation path. For example, C:\Program Files\Microsoft Office\root\Office16\lync.exe.
  • Allow list entry: CTXRMEP,C:\Program Files\Microsoft Office\root\Office16\lync.exe

Obtaining virtual channel names and processes

The easiest way to obtain the name of the virtual channel and the process that opens it on the VDA machine is to get the information from the developer or third-party vendor that provided the virtual channel.

Alternatively, you can recover both pieces of information from the events the feature writes to the VDA's System event log, by following these steps:

  1. Once the client and server components of the custom virtual channel are in place, launch a virtual application or virtual desktop.
  2. In the VDA machine’s System event log, look for the custom virtual channel’s name in the following event:
    • In a single-session VDA, event ID 2004 from source Picadd.
    • In a multi-session VDA, event ID 16 from source Rpm.
  3. Log off from the session.
  4. Add an entry in the Virtual channel allow list policy setting for the identified virtual channel, with just the virtual channel name.
  5. Reboot the VDA.
  6. Launch the virtual application or virtual desktop again.
  7. In the VDA machine’s System event log, look for the process that tried to open the virtual channel in the following event:
    • In a single-session VDA, event ID 2002 from source Picadd.
    • In a multi-session VDA, event ID 14 from source Rpm.
  8. Log off from the session.
  9. Edit the entry in the Virtual channel allow list policy setting to include the identified process.
  10. Reboot the VDA.
  11. Launch the virtual application or virtual desktop to validate that the custom virtual channel opens successfully.

Virtual channel allow list logging

The following events are logged in the System event log of a single-session VDA machine (source: Picadd):

  Id    Level        Description
  2001  Information  Custom virtual channel <vcName> has been opened by process <processName>
  2002  Warning      Custom virtual channel <vcName> cannot be opened by process <processName>
  2003  Information  <username> opened custom virtual channel <vcName>
  2004  Warning      <username> tried to open custom virtual channel <vcName>

The following events are logged in the System event log of a multi-session VDA machine (source: Rpm):

  Id    Level        Description
  13    Information  Custom virtual channel <vcName> has been opened by process <processName>
  14    Warning      Custom virtual channel <vcName> cannot be opened by process <processName>
  15    Information  <username> opened custom virtual channel <vcName>
  16    Warning      <username> tried to open custom virtual channel <vcName>

The Warning events (2002 and 2004, or 14 and 16) indicate an open that the allow list blocked; the Information events confirm a successful open.
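The log-driven procedure in "Obtaining virtual channel names and processes" and the event tables above, as an added example that is not part of the Citrix documentation: a PowerShell script that queries the VDA's System log for the allow-list events, parses the channel name, process and user out of each message, and turns blocked process opens (2002 / 14) into draft allow-list lines. It assumes the event message text is exactly as the tables document it, and the -MultiSession switch is a hypothetical parameter used here to choose between the Picadd and Rpm sources.

```powershell
# Added example (not Citrix code): read Virtual channel allow list events from the
# System log of a VDA and derive draft allow-list entries from the blocked opens.
function Get-VcAllowListEvent {
    [CmdletBinding()]
    param(
        # Multi-session VDAs log under source Rpm (IDs 13-16); single-session VDAs
        # under source Picadd (IDs 2001-2004).
        [switch]   $MultiSession,
        [datetime] $Since = (Get-Date).AddDays(-1)
    )

    $filter = if ($MultiSession) {
        @{ LogName = 'System'; ProviderName = 'Rpm';    Id = 13, 14, 15, 16;           StartTime = $Since }
    } else {
        @{ LogName = 'System'; ProviderName = 'Picadd'; Id = 2001, 2002, 2003, 2004;   StartTime = $Since }
    }

    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $vc = $null; $proc = $null; $user = $null
        # Assumption: message wording matches the documented descriptions verbatim.
        if ($e.Message -match 'Custom virtual channel (\S+) (?:has been|cannot be) opened by process (.+?)\s*$') {
            $vc = $Matches[1]; $proc = $Matches[2]
        }
        elseif ($e.Message -match '^(.+?) (?:opened|tried to open) custom virtual channel (\S+)') {
            $user = $Matches[1]; $vc = $Matches[2]
        }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Blocked = $e.Id -in @(2002, 2004, 14, 16)   # Warning events = blocked opens
            Channel = $vc
            Process = $proc
            User    = $user
        }
    }
}

function Get-VcAllowListDraft {
    param([switch] $MultiSession)
    # Only the "cannot be opened by process" events (2002 / 14) carry both the channel
    # name and the process path, which is exactly the pair an allow-list entry needs.
    Get-VcAllowListEvent -MultiSession:$MultiSession |
        Where-Object { $_.Blocked -and $_.Process } |
        Group-Object Channel |
        ForEach-Object {
            $paths = @($_.Group.Process | Sort-Object -Unique)
            '{0},{1}' -f $_.Name, ($paths -join ',')
        }
}

# Usage on the VDA, after the session in step 6 has been launched and logged off:
#   Get-VcAllowListEvent | Format-Table Time, Id, Blocked, Channel, Process, User
#   Get-VcAllowListDraft                  # single-session VDA
#   Get-VcAllowListDraft -MultiSession    # multi-session VDA
```

Run the draft query on the VDA itself (or against it with -ComputerName added to Get-WinEvent), review each suggested path before adding it, reboot the VDA as the procedure requires, and then confirm that subsequent launches log 2001 / 13 rather than the Warning events.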

Known third-party virtual channels

The following are known third-party solutions that use custom Citrix virtual channels. This list does not include every solution that uses a custom Citrix virtual channel.

  • Cerner
  • Cisco WebEx Teams
  • Cisco WebEx Meetings Virtual Desktop Software
  • Epic Warp Drive
  • Midmark IQPath Client Extensions
  • Nuance PowerMic Client Extensions
  • Nuance Dragon Medical Network Edition 360 vSync
  • Zoom Meetings for VDI

To obtain details for adding the associated virtual channels to the allow list, reach out to the solutions’ vendors. Alternatively, follow the steps outlined in the Obtaining virtual channel names and processes section.
