15. October 2021

Citrix Virtual Apps and Desktops – Virtual channel security configuration for deviceTRUST

Applies to

  • Virtual Apps and Desktops (VAAD) CR 2109
  • Virtual Apps and Desktops (VAAD) LTSR 1912 CU4

With Citrix Virtual Apps and Desktops CR 2109 and LTSR 1912 CU4, Citrix sets the so-called “Virtual channel allow list” policy to its default value of “enabled”. With this default setting, only the Citrix-internal virtual channels are allowed inside the ICA/HDX protocol.

deviceTRUST relies on a virtual channel for communication between Host and Client. With this default setting in these latest Citrix releases, deviceTRUST will become non-functional.

This blog post shows how to configure the virtual channel allow list so that deviceTRUST works as designed.

Configuration

There are two options for configuring the virtual channel allow list to enable deviceTRUST in a Citrix Virtual Apps and Desktops 2109 environment: allowing all Citrix channels plus the channel deviceTRUST needs, or allowing all channels. The first is the suggested solution, as it complies with Citrix’s idea of virtual channel security. Both approaches are described here, though.

Both settings need to be set at VDA level. The required configuration can be found in the Citrix farm policies. The setting’s name is “Virtual channel allow list”. In the default configuration it is set to “enabled”, which means only Citrix’s own virtual channels are allowed.


Allowing all Citrix channels plus the desired channel for deviceTRUST

We suggest configuring the deviceTRUST virtual channel explicitly. This complies with Citrix’s concept of securing the virtual channel feature whilst allowing deviceTRUST to establish its connection between Host and Client. It requires the following steps:

  • Explicitly enable the “Virtual channel allow list” policy setting
  • Add the deviceTRUST channel name and host process path to the allow list:
  • “DEVTRST,C:\Program Files\deviceTRUST\Host\Bin\dthost.exe”

Please note: If you use additional virtual channels for other functions, these need to be added explicitly as well!
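The following PowerShell script is an added example and is not part of the original post nor of deviceTRUST’s or Citrix’s own tooling. It checks allow-list entries for the “<CHANNEL>,<host process path>” format used above before they are pasted into the policy in Studio, and it reports whether the named host executable actually exists on the VDA it is run on. It assumes that ICA virtual channel names are at most seven characters long; the two entries with mistakes are constructed for the demonstration.

```powershell
# Added example (not from the original post, deviceTRUST or Citrix): validate
# "Virtual channel allow list" entries before applying the Citrix policy.
# Entry format taken from the post:  <CHANNEL>,<full path to the host-side process>
# Assumptions: ICA virtual channel names are 1 to 7 characters; the host-side
# executable is expected to exist on the VDA on which this script is run.

function Test-VirtualChannelAllowListEntry {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Entry)

    $problems = @()
    $parts = $Entry.Split(',', 2)          # split on the first comma only

    if ($parts.Count -ne 2) {
        $problems += 'expected "<CHANNEL>,<path>" with exactly one comma'
        $name = $parts[0].Trim()
        $path = ''
    } else {
        $name = $parts[0].Trim()
        $path = $parts[1].Trim()
    }

    # Channel name checks (assumption: 1 to 7 characters, no whitespace).
    if ($name.Length -lt 1 -or $name.Length -gt 7) {
        $problems += "channel name '$name' must be 1 to 7 characters"
    }
    if ($name -match '\s') {
        $problems += "channel name '$name' must not contain whitespace"
    }

    # Path checks: the policy expects the full path of the host process.
    if ($path -and -not [System.IO.Path]::IsPathRooted($path)) {
        $problems += "path '$path' is not an absolute path"
    }

    # Presence is reported separately: the file only has to exist on the VDA.
    $present = [bool]($path -and (Test-Path -LiteralPath $path -PathType Leaf))

    [pscustomobject]@{
        Entry    = $Entry
        Channel  = $name
        Valid    = ($problems.Count -eq 0)
        Present  = $present
        Problems = ($problems -join '; ')
    }
}

# Constructed sample list: the deviceTRUST entry from the post plus two
# hypothetical entries with deliberate mistakes.
$entries = @(
    'DEVTRST,C:\Program Files\deviceTRUST\Host\Bin\dthost.exe',
    'EXAMPLECH,C:\Program Files\Example\vendor.exe',   # hypothetical: name longer than 7
    'EXMPL;relative\tool.exe'                          # hypothetical: wrong separator
)

$report = $entries | ForEach-Object { Test-VirtualChannelAllowListEntry -Entry $_ }
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Valid }) {
    Write-Warning 'Fix the entries flagged above before applying the policy.'
}
if ($report | Where-Object { $_.Valid -and -not $_.Present }) {
    Write-Warning 'Some host executables were not found; run this on the VDA to confirm the paths.'
}
```

Run the script on a VDA with the list you intend to apply; only entries that are both Valid and Present should go into the policy. Keeping the list explicit, one entry per channel and host process, is what preserves the protection Citrix introduced, so a warning here is a reason to correct the entry rather than to fall back to allowing all channels.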

Allowing all channels

A fallback option is to simply allow all virtual channels to be established. This works from a technical perspective, but it bypasses the security measure Citrix introduced with the 2109 release.

Conclusion

With the most recent releases of Citrix Virtual Apps and Desktops, Citrix now requires you to take a good look at virtual channel security. deviceTRUST is 100% compatible with Citrix’s virtual channel security. Simply make sure to apply the settings shown here.

Read more on the config change for VAAD CR 2109 at Virtual channel security | Citrix Virtual Apps and Desktops 7 2109

Read more on the config change for VAAD LTSR 1912 CU4 at Virtual channel security | Citrix Virtual Apps and Desktops 7 1912 LTSR

General information on Citrix virtual channels can be found at Citrix ICA virtual channels | Citrix Virtual Apps and Desktops 7 2109.


by Sven Jansen – Pre-Sales Manager DACH