Configuring Citrix Virtual Apps and Desktops Virtual Channel Security

Citrix Virtual Apps and Desktops contains a policy titled Virtual channel allow list which controls the processes which are able to open a virtual channel. When enabled, all processes except the Citrix internal virtual channels must be declared. Additional entries are required for the deviceTRUST Agent to be able to connect to the deviceTRUST Client.

  • With Citrix Virtual Apps and Desktops CR 2109 or LTSR 1912 CU4 or later, the default value is enabled.
  • With previous releases of Citrix Virtual Apps and Desktops, the default value was disabled.

Configuration

There are two options to configure the virtual channel allow list for enabling deviceTRUST in a Citrix Virtual Apps and Desktops environment:

  • Allowing all Citrix virtual channels plus the deviceTRUST virtual channel
  • Allowing all virtual channels

The first is the recommended solution, as it complies with Citrix’s concept of virtual channel security. However, both approaches are described here.

Both options are configured at the VDA level. The required setting can be found in the Citrix farm policies; its name is Virtual channel allow list.

Figure: The virtual channel allow list policy
Figure: The default virtual channel allow list policy

Allowing all Citrix virtual channels plus the deviceTRUST virtual channel

We recommend configuring the deviceTRUST virtual channel explicitly. Doing so will comply with Citrix’s concept of securing the virtual channel feature whilst allowing deviceTRUST to establish its connection between the deviceTRUST Agent and Client. Doing so requires the following steps:

  • Explicitly enable the Virtual channel allow list policy setting
  • Add the following deviceTRUST virtual channel and process names to the allow list
    • DEVTRST,C:\Program Files\deviceTRUST\Agent\Bin\dtagent.exe
    • DEVTRST,C:\Program Files\deviceTRUST\Host\Bin\dthost.exe
Figure: Adding the deviceTRUST processes to the virtual channel allow list policy
Note:
  • If you use additional virtual channels for other functions, these need to be added explicitly as well.
  • If you are using only deviceTRUST 21.1, then you can remove the entry 'DEVTRST,C:\Program Files\deviceTRUST\Host\Bin\dthost.exe'.
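The following PowerShell function is an added example and is not part of the deviceTRUST or Citrix documentation. It checks allow-list entries in the form shown above before they are entered into the policy: the entry splits into a channel name and a process path, the executable actually exists on the VDA (a mistyped path silently leaves the channel blocked), and the path lies in a location standard users cannot write to. It assumes the "VCNAME,path" entry format used in this article and that ICA virtual channel names are at most seven characters; the trusted roots list is an assumption you can adjust.

```powershell
# Added example (not deviceTRUST or Citrix code): sanity-check Virtual channel allow list entries.
# Assumptions: entries use the "VCNAME,full\path\to\process.exe" form shown in this article,
# and ICA virtual channel names are at most seven upper-case alphanumeric characters.

function Test-VirtualChannelAllowListEntry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Entry,
        # Folders treated as trusted because standard users cannot write to them (assumption).
        [string[]]$TrustedRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")
    )

    $result = [ordered]@{ Entry = $Entry; Valid = $true; Problems = @() }

    # Split only on the first comma; the path itself never contains one in a sane configuration.
    $parts = $Entry -split ',', 2
    if ($parts.Count -ne 2) {
        $result.Valid = $false
        $result.Problems += 'Entry must be "VCNAME,path" with exactly one comma between name and path.'
        return [pscustomobject]$result
    }
    $vcName = $parts[0].Trim()
    $path   = $parts[1].Trim()

    if ($vcName -notmatch '^[A-Z0-9]{1,7}$') {
        $result.Valid = $false
        $result.Problems += "Virtual channel name '$vcName' is not 1-7 upper-case alphanumeric characters."
    }
    if (-not [System.IO.Path]::IsPathRooted($path) -or $path -notlike '*.exe') {
        $result.Valid = $false
        $result.Problems += "Path '$path' must be an absolute path to an .exe."
    }
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        $result.Valid = $false
        $result.Problems += "Process '$path' does not exist on this VDA; the channel would stay blocked."
    }
    $inTrustedRoot = $TrustedRoots | Where-Object { $_ -and $path.StartsWith($_, 'OrdinalIgnoreCase') }
    if (-not $inTrustedRoot) {
        # Not fatal, but worth a look: if users can write to the folder, any binary placed there
        # under that name inherits the allow-list entry.
        $result.Problems += "Path '$path' is outside the trusted roots; confirm standard users cannot write there."
    }
    return [pscustomobject]$result
}

# The two entries from this article; run on a VDA where deviceTRUST is installed.
$entries = @(
    'DEVTRST,C:\Program Files\deviceTRUST\Agent\Bin\dtagent.exe',
    'DEVTRST,C:\Program Files\deviceTRUST\Host\Bin\dthost.exe'
)
$entries | ForEach-Object { Test-VirtualChannelAllowListEntry -Entry $_ } | Format-List
```

Run it on the VDA itself, since the existence check uses the local file system. If you have removed the dthost.exe entry because you run deviceTRUST 21.1 only, drop it from the `$entries` list as well.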

Allowing all virtual channels

A fallback option is to simply allow all virtual channels to be established. This works from a technical perspective. However, it bypasses the security measures Citrix introduced with the 2109 release.

Figure: Disabling the virtual channel allow list policy