Citrix Browser Content Redirection – Part 1
Type Citrix Workspace for Chrome in the search box of Google Chrome. Click the search icon. Among the search results, click the URL to the Chrome Web Store where Citrix Workspace app is available. Click Add to Chrome to add Citrix Workspace app to Google Chrome.
The Citrix Files for Gmail Chrome Extension allows you to bypass file size restrictions and add security to your attachments. Today, Citrix Receiver from the Chrome Web Store can be configured using .cr files. The .cr file exported from StoreFront doesn't have an rfweb entry, and the admin needs to add the entry and distribute the file to various users. Receiver for Chrome can be configured using a .cr file using Deploy Receiver for Chrome to your users.
Recently I worked with a customer in the education sector that had issues with video playback in their Citrix sessions. They used several platforms to watch videos during their student lessons. The different platforms were:
- Locally, utilizing VLC player
- YouTube / Vimeo or other video streaming service
One of their biggest complaints was the low frame rate and the incorrect lip-sync. After taking a quick look at the environment (which was not built by me) I noticed a few things:
- No GPUs available to offload the decoding of the video playback (and the Encoding of Citrix HDX).
- High CPU usage during video playback, which sometimes made the entire session unresponsive. ICA latency would be around 1,5 seconds at those times. This introduced the lip-sync issues, as the video was rendered too slowly to stay in sync.
- Low clock speed CPUs (2.1 – 2.4 GHz) which made the lack of GPU power even more visible.
To give the users a good User Experience we had to come up with a solution. Luckily for us, the customer had quite new endpoints (Intel i3 & Windows 10, managed with Citrix UEM) so the idea to offload the videos directly came into our minds. Offloading resource-intensive tasks to local hardware is one of the oldest tricks you can use in a Citrix environment. In the past several years many different types of offloading options came and went:
- DirectX Command Remoting (DCR) (Deprecated in 7.12)
- HDX Flash redirection (Deprecated in 7.15 LTSR)
- Windows Media redirection
- HTML5 multimedia redirection
- Browser Content Redirection
As we see more and more usage of online video platforms like YouTube and Vimeo, the option to offload HTML5 multimedia is a very interesting one. There is only one big caveat to this solution: it needs a custom JavaScript injection to work and it doesn’t work with Adaptive Bitrate Streaming. So long story short, it only works internally (where you have control of the websites hosted) and it doesn’t even support YouTube due to the Adaptive Bitrate Streaming.
Citrix found a way around this issue and introduced Browser Content Redirection (further referred to as BCR) with XenDesktop 7.16, which solves the issues described above. With BCR you can redirect the complete browser viewport to the local endpoint without the need for custom JavaScript injections.
In the initial release of BCR only Internet Explorer 11 redirection was supported, but with the release of Citrix Virtual Apps and Desktops 1808 support for Chrome was also added. Here are some facts for BCR:
- Supports Internet Explorer 11, no plugin needed, since 7.16
- Supports Google Chrome (V66 or higher), with a plugin, since CVAD 1808
- Needs the Citrix Workspace App 1808 or higher
- Works on Windows and Linux endpoints
- Redirected websites are controlled by User Policies
- Enabled by default for YouTube
BCR is a relatively easy feature to configure, it only contains a few policies:
Content Fetching and Rendering scenarios
With BCR enabled, there are 3 ways to fetch the content. It depends on the situation or security policy which scenario suits the best.
- Server Fetch & Server Render, in this scenario there is no redirection. This can happen due to different reasons:
  - BCR is not enabled
  - The website is not whitelisted or is on the blacklist
  - An error occurred while trying to perform BCR
- Server Fetch & Client Render, in this scenario the server fetches the webpage but the rendering is redirected to the client. The data is transported from the VDA to the endpoint through a virtual channel (CTXPFWD). This scenario is useful when you use ThinClients that don’t have internet access. It is simply activated by setting the Proxy Configuration Policy.
- Client Fetch & Client Render, in this scenario the client utilizes the built-in Chromium browser in the Workspace App to contact the website directly. This means no CPU usage or network traffic on the VDA.
When option 2 or 3 fails it automatically falls back to option 1, where it will fetch and render on the VDA. In some scenarios this could be unwanted; luckily there is a policy to disable this fallback behavior. To disable the fallback you should configure the “Windows media fallback prevention” policy and set it to “Play all content only on client” or “Play only client-accessible content on client”.
As stated earlier, you don’t need to create manual JavaScript injections on your websites like it was the case with HTML5 Video redirection. When the Chrome extension or Internet Explorer BHO (Browser Helper Object) detects a whitelisted BCR website it injects the HdxVideo.js file. This file is used to redirect the DOM to the client. On the VDA side it just “simply” blanks out the page, and on the client side the Workspace App places an overlay on top of the blanked DOM and renders the website with the HDXBrowser engine. This gives the user the perception that the website is displayed in the VDA. This workflow can be visualized in the following diagram:
Simple test configuration of BCR
To test BCR it is best to start simple by configuring it for YouTube and Vimeo. To do this we can create a simple user policy with only 2 settings:
- BCR set to Allowed
- BCR ACL Configuration with the following URLs:
  - https://vimeo.com/*
  - https://youtube.com/*
  - https://youtube.nl/*
As you can see I also added youtube.nl to the list as I’m living in The Netherlands and so I’m redirected to this website and it is very likely a user uses this domain to connect to YouTube instead of using the .com domain.
The next step is to install the Chrome Plugin if utilizing the Chrome Browser:
- Go to: https://chrome.google.com/webstore/category/extensions
- Search for Citrix
- Select the Browser Content Redirection plugin and click Add to Chrome
If the extension is installed and loaded you will notice a small green dot in the upper right corner of your Chrome browser:
For Enterprise scenarios, you might want to push this automatically to the users by utilizing Group Policies. This is described in the Citrix Docs.
To check if our policy applies correctly and BCR is engaged we can simply start our web browser and browse to the configured URLs. After the website has loaded just right-click somewhere in the DOM. If the redirection is working correctly you should see the following menu
If you open the Task Manager in the VDA you should also see no CPU usage by the browser when accessing these websites. On the client side, you will see an HDX Browser Overlay (HDXBrowserCEF.exe) process. Also, when moving the browser around on the screen in the VDA you will see a slight delay.
In my opinion the “new” Browser Content Redirection feature is a big step in enhancing the User eXperience in scenarios where you don’t have the luxury of high powered hardware on the VDA side. With the different options to fetch the content you can even make sure that your security policies on the content are still applied and no web-data is fetched by the client, even in a remote scenario.
I hope to write a Part 2 soon where I will dig deeper in BCR and give some examples how to configure it for websites like Office 365 or Microsoft Stream.
- https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/browser-content-redirection.html
- https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/browser-content-redirection-policy-settings.html
- Hi Rody, - Great piece of information contained in this blog! Thanks for the write up! - Ferry 
- Good stuff man. 
- I followed this doc, and everything worked 100%. Thank you.
- Hi Rody,
 Good article about BCR.
 When would Microsoft Edge be supported? - Regards, Piet
- Hi Rody, do you already know when Microsoft Edge will be supported?
We have a new internet browser! Microsoft Edge based on Chromium, available and supported on Windows 7, 8 and 10 and most importantly in Windows Server 2008 R2, 2012/2012 R2, 2016 and 2019. This means that we now have a modern and secure browser that can be managed via Group Policy and is supported by Microsoft in a server operating system.
I have been using this browser for quite some time now and it is awesome. One of the really great features is that you are able to install browser extensions from the Google Chrome Web Store, as Google Chrome has been available for a very long time, there are a lot of available extensions.
However with that said Microsoft now finds themselves in a situation where they offer a browser based on Chromium, which is an open-source project, which then again means that Microsoft does not control the entire code in the Edge browser. I am really excited about how Microsoft will handle this in the future.
Get the Edge Installer
So, how do we get the browser up and running in a Citrix VDA? We’ll start with downloading the enterprise MSI file here:
Edge administrative templates
And while there, we’ll also grab the administrative templates, which enable us to configure around 200 different settings in the browser. Remember to copy the administrative templates to your Central Store.
Edge security baseline GPO
Microsoft has also created a security baseline GPO which can be found here:
With this, we are now ready to install and configure the new Microsoft Edge browser.
Installing the Microsoft Edge browser
Before installing the browser, be aware that you will have to prevent the Citrix API hooks from latching themselves onto the Microsoft Edge process. Citrix has an article on how to disable Citrix API hooks on a per-application basis. Two options are described in the article, I am using the option for XenApp and XenDesktop 7.9 or later. So your UviProcessExcludes value name should look like this:
What you need to do is to add the msedge.exe to any existing value data. This change requires a reboot, so you will have to apply this when installing the browser.
I have created a small PowerShell script which will add the msedge.exe value to any existing value data:
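The author's script is not reproduced on this page. The following is an added example (not the author's code) of an idempotent append that preserves existing exclusions; the registry key is passed as a parameter and must be taken from the Citrix article, and the semicolon delimiter is an assumption.

```powershell
# Added example, not the author's script.
# -KeyPath is deliberately mandatory: use the registry key given in the Citrix
# article on disabling API hooks (XenApp and XenDesktop 7.9 or later option).
function Add-UviProcessExclude {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [string] $ValueName   = 'UviProcessExcludes',
        [string] $ProcessName = 'msedge.exe',
        [string] $Delimiter   = ';'   # assumption: entries are semicolon-separated
    )

    if (-not (Test-Path -Path $KeyPath)) {
        throw "Registry key '$KeyPath' not found. Is the VDA installed?"
    }

    # Read the current value data; a missing value is treated as an empty list.
    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName `
                    -ErrorAction SilentlyContinue).$ValueName
    $entries = @()
    if ($current) {
        $entries = @($current -split [regex]::Escape($Delimiter) |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ })
    }

    # Idempotent: -contains is case-insensitive, so MSEDGE.EXE also counts.
    if ($entries -contains $ProcessName) {
        Write-Verbose "$ProcessName is already listed in $ValueName"
        return $false
    }

    # Append to the existing entries instead of overwriting them.
    $newValue = ($entries + $ProcessName) -join $Delimiter
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set to '$newValue'")) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $newValue
        return $true   # value changed: the reboot mentioned above is required
    }
    return $false
}

# Usage (placeholder path, replace before running; -WhatIf previews the change):
# Add-UviProcessExclude -KeyPath '<key from the Citrix article>' -WhatIf
```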
The Microsoft Edge browser also creates a shortcut on the public desktop (C:\Users\Public\Desktop). I always recommend deleting application shortcuts on the public desktop, as I prefer to control which application shortcuts appear on the user’s desktop. Unfortunately, deleting the shortcut on the public desktop is not enough; a shortcut is also created on the user’s desktop (C:\Users\%username%\Desktop) during first logon, even though we deleted the shortcut on the public desktop.
This behavior is not new to me; it is also seen with the Google Chrome browser.
To prevent the shortcut from being created on the user’s desktop, a “master_preferences” file has to be copied to the C:\Program Files (x86)\Microsoft\Edge\Application folder, overwriting any existing master_preferences file.
UPDATE – 21-04-2020 (April 21st 2020): As of v81.x stable build it is now possible to use an install parameter to prevent the creation of a desktop shortcut during user logon; a desktop shortcut is still created in the Public user desktop folder!
The parameter is: DONOTCREATEDESKTOPSHORTCUT=TRUE
Which means an install string could look like this:
MSIEXEC /I MicrosoftEdgeEnterpriseX64.msi REBOOT=ReallySuppress /qn DONOTCREATEDESKTOPSHORTCUT=TRUE
UPDATE – 22-09-2020 (September 22nd 2020): As of v84.x stable build it is now possible to prevent the pinned Edge shortcut creation during the first launch of Edge. Like the desktop shortcut, this is achieved via an install parameter.
The parameter is: DONOTCREATETASKBARSHORTCUT=TRUE
Which means an install string could look like this:
MSIEXEC /I MicrosoftEdgeEnterpriseX64.msi REBOOT=ReallySuppress /qn DONOTCREATEDESKTOPSHORTCUT=TRUE DONOTCREATETASKBARSHORTCUT=TRUE
The last thing we need to do, is to disable the services and delete the scheduled tasks that are responsible for doing automatic updates of the Edge browser. As with any other application in a non-persistent setup, we will have to disable any auto-update feature.
Here is a small post-install PowerShell script which will do the shortcut cleanup and disable the services and delete the scheduled tasks responsible for the auto-update feature in Edge:
UPDATE – 21-04-2020 (April 21 2020): I have removed the edgeupdatem service from the script below, as it triggered an error in Edge and an accompanying UAC prompt when automatic update is disabled via GPO. The master_preferences file copy is also removed.
If you have an earlier version of the script, please update it with the new information.
The update error received, when the edgeupdatem service is disabled:
UPDATE – 28-05-2020 (May 28 2020): I have added Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" -Force to the install script. This prevents a pinned Edge shortcut in the taskbar from being created. There are other solutions to this issue, which I have described in this article.
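The post-install script itself is not reproduced on this page. The following is an added example (not the author's code) that follows the steps and updates described above and ends by recording the resulting state; the shortcut file name, the edgeupdate service name and the MicrosoftEdgeUpdateTask task-name prefix are assumptions, since the page does not state them.

```powershell
# Added example, not the author's script. Run elevated in the image build,
# after the Edge MSI has been installed.

# 1. Remove the shortcut the installer places on the Public desktop.
$shortcut = Join-Path $env:PUBLIC 'Desktop\Microsoft Edge.lnk'   # assumption: default name
if (Test-Path -LiteralPath $shortcut) {
    Remove-Item -LiteralPath $shortcut -Force
}

# 2. Stop and disable the update service. edgeupdatem is deliberately left
#    alone: the post reports an update error and UAC prompt when it is disabled.
$svc = Get-Service -Name 'edgeupdate' -ErrorAction SilentlyContinue   # assumption: service name
if ($svc) {
    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc.Name -StartupType Disabled
}

# 3. Delete the scheduled tasks that start the updater.
$taskFilter = 'MicrosoftEdgeUpdateTask*'   # assumption: task name prefix
Get-ScheduledTask | Where-Object { $_.TaskName -like $taskFilter } |
    Unregister-ScheduledTask -Confirm:$false

# 4. Remove the Active Setup component (key taken from the post) so no pinned
#    taskbar shortcut is created at first logon.
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\' +
               '{9459C573-B17A-45AE-9F64-1857B5D58CEE}'
if (Test-Path -LiteralPath $activeSetup) {
    Remove-Item -LiteralPath $activeSetup -Recurse -Force
}

# 5. Record the resulting state in the build log. With auto-update off, the
#    version captured here is the one users run until the image is rebuilt.
$edgeExe = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
[pscustomobject]@{
    EdgeVersion        = (Get-Item -LiteralPath $edgeExe -ErrorAction SilentlyContinue).VersionInfo.ProductVersion
    ShortcutPresent    = Test-Path -LiteralPath $shortcut
    UpdateServiceStart = (Get-Service -Name 'edgeupdate' -ErrorAction SilentlyContinue).StartType
    UpdateTasksLeft    = @(Get-ScheduledTask | Where-Object { $_.TaskName -like $taskFilter }).Count
    ActiveSetupPresent = Test-Path -LiteralPath $activeSetup
}
```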
Now with the Edge browser installed we can move on to some basic configuration of the browser.
Group Policy Configuration
As mentioned earlier, Microsoft has a baseline security GPO, and I would recommend importing this into your current environment. Obviously you will have to do some testing, but from what I have seen, the current settings shouldn’t be “destructive”, meaning that nothing is broken in the browser. I will bring one additional group policy setting to the table, which is not found in the security baseline GPO. Any additional configurations should be added to another (new) GPO which should be linked to the same OU as the baseline GPO, but with a higher link order.
So in short, you end up with two GPOs. One GPO with the Microsoft security baseline settings, and one with any additional settings you configure.
Here is what a GPO configuration and link order could look like:
If you are unfamiliar with importing GPO settings, I would recommend looking at this guide:
The benefit of doing it this way is that when Microsoft eventually releases updates to their security baseline GPO, you can safely import these updated settings to the baseline GPO or a new GPO, and still have your own custom settings apply, as they are in another GPO.
The Microsoft Edge v79.x Security Baseline GPO contains the security baseline settings from Microsoft, and as mentioned this GPO shouldn’t be modified, as it will complicate any future updates of the GPO settings.
The Microsoft Edge v79.x Additional Configuration GPO should contain whatever policy configurations apply to your setup. In here I have configured the “Update policy override”; the reason for this is that if the user manually triggers the update of Edge, the user is prompted by UAC asking for an administrative username and password, not good.
This concludes the guide and you are ready to start testing the Microsoft Edge browser in your Citrix environment and eventually releasing it to production.
