Citrix Browser Content Redirection – Part 1
Recently I worked with a customer, in the education, which had issues with video playback in their Citrix sessions. They used several platforms to watch videos as they use it during their student lessons. The different platforms were :
- Locally, utilizing VLC player
- YouTube / Vimeo or other video streaming service
One of their biggest complaints was the low frame rate and the incorrect lip-sync. After taking a quick look at the environment (which was not build by me) I noticed a few things:
- No GPUs available to offload the decoding of the video playback (and the Encoding of Citrix HDX).
- High CPU usage during video playback which made the entire session sometimes unresponsive. ICA Latency would be around 1,5 seconds at those times. This introduced the Lip-Sync issues as the video was rendered to slow to get in sync.
- Low clock speed CPUs (2.1 – 2.4 Ghz) which made the lack of GPU power even more visible.
To give the users a good User Experience we had to come up with a solution. Luckily for us the customer had quite new endpoints (Intel i3 & Windows 10, managed with Citrix UEM ) so the idea to offload the videos directly came in to our minds. Offloading resource intensive task to local hardware is one of the oldest tricks you can use in a Citrix environment. In the past several years many different type of offloading options came and went:
- DirectX Command Remoting (DCR) ( Depricated in 7.12 )
- HDX Flash redirection ( Depricated in 7.15 LTSR )
- Windows Media redirection
- HTML5 multimedia redirection
- Browser Content Redirection
Browser Content Redirection
In the initial release of BCR only Internet Explorer 11 redirection was supported, but with the release of Citrix Virtual Apps and Desktops 1808 support for Chrome was also added. Here are some facts for BCR:
- Support Internet Explorer 11, no plugin needed, since 7.16
- Supports Google Chrome (V66 or higher), with a plugin, since CVAD 1808
- Needs the Citrix Workspace App 1808 or higher
- Works on Windows and Linux endpoints
- Redirected websites are controlled by User Policies
- Enabled by default for YouTube
BCR is a relative easy feature to configure, it only contains of a few policies:
|Browser Content Redirection||Allow / Prohibited||Enables / Disables the BCR feature|
|Browser Content Redirection ACL Configuration||List of URLs||Defines which websites should be redirected to the local client. Wildcards are permitted but not in the protocol or domain part. So only https://www.test.com/* or https://www.test.com/*videos*|
|Browser Content Redirection Authentication Sites||List of URLs||Defines which websites can be used to authenticate the users on the websites listed in the ACL Configuration policy|
|Browser Content Redirection Blacklist Configuration||List of URLs||Defines which websites are not allowed to be redirected to the local client.|
|Browser Content Redirection Proxy Configuration||Enabled / Disabled + Proxy URL||Enables or Disables the Proxy Configuration for BCR server side fetching.|
Content Fetching and Rendering scenarios
With BCR enabled, there are 3 ways to fetch the content. It depends on the situation or security policy which scenario suits the best.
- Server Fetch & Server Render, in this scenario there is no redirection. This can happen due to different reasons:
- BCR is not enabled
- The website is not whitelisted or is on the blacklist
- An error occurred while trying to perform BCR
- Server Fetch & Client Render, in this scenario the server fetches the webpage but the rendering is redirected to the client. The data is transported from the VDA to the endpoint through a virtual channel (CTXPFWD). This scenario is usefull when you use ThinClients that don’t have internet access. It is simply activated by setting the Proxy Configuration Policy.
- Client Fetch & Client Render, in this scenario the client utilizes the built-in Chromium browser in the Workspace App to contact the website directly. This means no CPU usage or network traffic on the VDA.
When option 2 or 3 fails it automatically falls back to option 1, where it will fetch and render on the VDA. In some scenarios this could be unwanted, luckily there is a policy to disable this fallback behavior. To disable the fallback you should configure the “Windows media fallback prevention” policy and set it to “Play all content only on client” or “Play only client-accessible content” on client.
Simple test configuration of BCR
To test BCR it is best to start simple by configuring it for YouTube and Vimeo. To do this we can create a simple user policy with only 2 settings:
- BCR set to Allowed
- BCR ACL Configuration with the following URLs:
As you can see I also added youtube.nl to the list as I’m living in The Netherlands and so I’m redirected to this website and it is very likely a user uses this domain to connect to YouTube instead of using the .com domain.
The next step is to install the Chrome Plugin if utilizing the Chrome Browser:
- Go to: https://chrome.google.com/webstore/category/extensions
- Search for Citrix
- Select the Browser Content Redirection plugin and click Add to Chrome
If the extension is installed and loaded you will notice a small green dot in the upper right corner of your Chrome browser:
For Enterprise scenarios you might want to push this automatically to the users by utilizing Group Policies. This is described in the Citrix Docs.
To check if our policy applies correctly and BCR is engaged we can simply start our WebBrowser and browse to the configured URLs. After the website has loaded just right-click somewhere in the DOM. If the redirection is working correctly you should see the following menu
If you open the Task Manager in the VDA you should also see no CPU usage by the browser when accessing these websites. On the Client side you will see a HDX Browser Overlay( HDXBrowserCEF.exe) process. Also when moving the browser around on the screen in the VDA you will see a slight delay.
In my opinion the “new” Browser Content Redirection feature is a big step in enhancing the User eXperience in scenarios where you don’t have the luxury of high powered hardware on the VDA side. With the different options to fetch the content you can even make sure that your security policies on the content are still applied and no web-data is fetched by the client, even in a remote scenario.
I hope to write a Part 2 soon where I will dig deeper in BCR and give some examples how to configure it for websites like Office 365 or Microsoft Stream.
Used sources & images: