Citrix Browser Content Redirection – Part 1

RodyKossen's Blog

Citrix Browser Content Redirection – Part 1

Recently I worked with a customer, in the education, which had issues with video playback in their Citrix sessions. They used several platforms to watch videos as they use it during their student lessons. The different platforms were :

  • Locally, utilizing VLC player
  • YouTube / Vimeo or other video streaming service

One of their biggest complaints was the low frame rate and the incorrect lip-sync. After taking a quick look at the environment (which was not build by me) I noticed a few things:

  • No GPUs available to offload the decoding of the video playback (and the Encoding of Citrix HDX).
  • High CPU usage during video playback which made the entire session sometimes unresponsive. ICA Latency would be around 1,5 seconds at those times. This introduced the Lip-Sync issues as the video was rendered to slow to get in sync.
  • Low clock speed CPUs (2.1 – 2.4 Ghz) which made the lack of GPU power even more visible.

To give the users a good User Experience we had to come up with a solution. Luckily for us the customer had quite new endpoints (Intel i3 & Windows 10, managed with Citrix UEM ) so the idea to offload the videos directly came in to our minds. Offloading resource intensive task to local hardware is one of the oldest tricks you can use in a Citrix environment. In the past several years many different type of offloading options came and went:

  • DirectX Command Remoting (DCR) ( Depricated in 7.12 )
  • HDX Flash redirection ( Depricated in 7.15 LTSR )
  • Windows Media redirection
  • HTML5 multimedia redirection
  • Browser Content Redirection

As we see more and more usage of online video platforms like YouTube and Vimeo the option to offload HTML5 multimedia is a very interesting one. There is only one big caveat to this solution, it needs a custom JavaScript injection to work and it doesn’t work with Adaptive Bitrate Streaming. So long story short, it only works internally ( where you have control of the websites hosted ) and it doesn’t even support YouTube due to the Adaptive Bitrate Streaming.

Browser Content Redirection

Citrix found a way around this issue and introduced Browser Content Redirection ( further referenced to as BCR ) with XenDesktop 7.16 which solves the issues described above. With BCR you can redirect the complete Browser viewport to the local endpoint without the need of custom JavaScript injections.

viewport example
The browser Viewport

In the initial release of BCR only Internet Explorer 11 redirection was supported, but with the release of Citrix Virtual Apps and Desktops 1808 support for Chrome was also added. Here are some facts for BCR:

  • Support Internet Explorer 11, no plugin needed, since 7.16
  • Supports Google Chrome (V66 or higher), with a plugin, since CVAD 1808
  • Needs the Citrix Workspace App 1808 or higher
  • Works on Windows and Linux endpoints
  • Redirected websites are controlled by User Policies
  • Enabled by default for YouTube

BCR is a relative easy feature to configure, it only contains of a few policies:

Policy NameValueDescription
Browser Content Redirection
Allow / Prohibited
Enables / Disables the BCR feature
Browser Content Redirection ACL Configuration
List of URLs
Defines which websites should be redirected to the local client. Wildcards are permitted but not in the protocol or domain part. So only https://www.test.com/* or https://www.test.com/*videos*
Browser Content Redirection Authentication Sites
List of URLs
Defines which websites can be used to authenticate the users on the websites listed in the ACL Configuration policy
Browser Content Redirection Blacklist Configuration
List of URLs
Defines which websites are not allowed to be redirected to the local client.
Browser Content Redirection Proxy Configuration
Enabled / Disabled + Proxy URL
Enables or Disables the Proxy Configuration for BCR server side fetching.

Content Fetching and Rendering scenarios

With BCR enabled, there are 3 ways to fetch the content. It depends on the situation or security policy which scenario suits the best.

Overview of the different fetching and rendering scenarios
  1. Server Fetch & Server Render, in this scenario there is no redirection. This can happen due to different reasons:
    • BCR is not enabled
    • The website is not whitelisted or is on the blacklist
    • An error occurred while trying to perform BCR
  2. Server Fetch & Client Render, in this scenario the server fetches the webpage but the rendering is redirected to the client. The data is transported from the VDA to the endpoint through a virtual channel (CTXPFWD). This scenario is usefull when you use ThinClients that don’t have internet access. It is simply activated by setting the Proxy Configuration Policy.
  3. Client Fetch & Client Render, in this scenario the client utilizes the built-in Chromium browser in the Workspace App to contact the website directly. This means no CPU usage or network traffic on the VDA.

When option 2 or 3 fails it automatically falls back to option 1, where it will fetch and render on the VDA. In some scenarios this could be unwanted, luckily there is a policy to disable this fallback behavior. To disable the fallback you should configure the “Windows media fallback prevention” policy and set it to “Play all content only on client” or “Play only client-accessible content” on client.

Redirection workflow

As stated earlier you don’t need to create manual JavaScript injections on your websites like it was the case with HTLM5 Video redirection. When the Chrome extension or Internet Explorer BHO (Browser Helper Object) detects a whitelisted BCR website it injects the HdxVideo.js file. This file is used to redirect the DOM to the Client. On the VDA side it just “simply” blanks out the page and on the Client side the Workspace App places an overlay on top of the blanked DOM and renders the website with the HDXBrowser engine. This gives the user the perception that the website is displayed in the VDA. This workflow can be visualized in the following diagram:

BCR Workflow

Simple test configuration of BCR

To test BCR it is best to start simple by configuring it for YouTube and Vimeo. To do this we can create a simple user policy with only 2 settings:

  • BCR set to Allowed
  • BCR ACL Configuration with the following URLs:
    • https://vimeo.com/*
    • https://youtube.com/*
    • https://youtube.nl/*

As you can see I also added youtube.nl to the list as I’m living in The Netherlands and so I’m redirected to this website and it is very likely a user uses this domain to connect to YouTube instead of using the .com domain.

The next step is to install the Chrome Plugin if utilizing the Chrome Browser:

  • Go to: https://chrome.google.com/webstore/category/extensions
  • Search for Citrix
  • Select the Browser Content Redirection plugin and click Add to Chrome
The Chrome Web Store

If the extension is installed and loaded you will notice a small green dot in the upper right corner of your Chrome browser:

The loaded BCR extension

For Enterprise scenarios you might want to push this automatically to the users by utilizing Group Policies. This is described in the Citrix Docs.

To check if our policy applies correctly and BCR is engaged we can simply start our WebBrowser and browse to the configured URLs. After the website has loaded just right-click somewhere in the DOM. If the redirection is working correctly you should see the following menu

Simple check to see if BCR is working

If you open the Task Manager in the VDA you should also see no CPU usage by the browser when accessing these websites. On the Client side you will see a HDX Browser Overlay( HDXBrowserCEF.exe) process. Also when moving the browser around on the screen in the VDA you will see a slight delay.

Conclusion

In my opinion the “new” Browser Content Redirection feature is a big step in enhancing the User eXperience in scenarios where you don’t have the luxury of high powered hardware on the VDA side. With the different options to fetch the content you can even make sure that your security policies on the content are still applied and no web-data is fetched by the client, even in a remote scenario.

I hope to write a Part 2 soon where I will dig deeper in BCR and give some examples how to configure it for websites like Office 365 or Microsoft Stream.

Used sources & images:

  • https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/browser-content-redirection.html
  • https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/browser-content-redirection-policy-settings.html


 

Comments: 2

  1. Ferry Stelte says:

    Hi Rody,

    Great piece of information contained in this blog! Thanks for the write up!

    Ferry

  2. Ray says:

    Good stuff man.

Add your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.