Citrix Browser Content Redirection – Part 2

RodyKossen's Blog


In Part 2 of this series (Part 1 can be found here) we dig deeper into BCR and look at how to configure it for more complex scenarios such as Microsoft Teams or Microsoft Stream.

Before we begin we need a few things:

  • Basic knowledge of how to use the Developer tools in your browser
  • Set your Developer Tools to preserve data on redirect
  • (Optional) Install Fiddler, which can be used to debug BCR

Authentication workflows

To understand how to configure BCR later on, we must first understand how authentication works on the website you want to redirect. This can simply be done with the Developer Tools of the most common browsers, like Chrome or Firefox.

Let’s first take a look at Microsoft Teams. Activate your Developer Tools by pressing F12 and browse to https://teams.microsoft.com/

First steps of Microsoft Teams flow

You can see that you first hit the Teams website but are then immediately redirected to the Microsoft login page. If you look closer at the login URL, you will notice that it also contains the URL we were redirected from (the redirect_uri parameter). This is essential information we will use later on.

https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fgo&state=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&&client-request-id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&x-client-SKU=Js&x-client-Ver=1.0.9&nonce=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&domain_hint=

After you fill in your e-mail address, one of two things happens:

  • You will be authenticated by Microsoft
  • You will be redirected to your ADFS server (like https://adfs.company.com)

After successful authentication you will be redirected back to the Teams website.

The full flow of https://teams.microsoft.com

Now it’s all about the policies

To get Microsoft Teams working correctly we must set some BCR policies to tell BCR which website to redirect. For Microsoft Teams this is a bit different from other websites, as Microsoft Teams immediately redirects us to the Microsoft login page. This redirect happens so fast (within milliseconds) that the BCR extension can't inject HdxVideo.js in time. Because of this it is best to start BCR on the login page, which is done by adding the following website to the BCR whitelist:

https://login.microsoftonline.com/*

The issue with adding this website to the BCR whitelist is that ALL Microsoft login pages will then be redirected with BCR. It is better to redirect only the Teams login, which brings us back to the original login URL that contained redirect_uri=https%3A%2F%2Fteams.microsoft.com. To match BCR only on the Teams login page, we simply change the BCR whitelist URL to:

https://login.microsoftonline.com/*teams*

The next step is to add your ADFS server to the policies as an Authentication Site. With this policy you tell BCR to remain active (redirected to the client) for the redirect to your ADFS server. In general, an Authentication Site must always be a child site (a redirect target) of a whitelisted URL.

The last part of our flow is the redirect back to https://teams.microsoft.com/. Because this is also a separate website, it must be added to the Authentication Sites policy as well.

This results in the following Policies:

Policy name                                        Values
Browser Content Redirection                        Allow
Browser Content Redirection ACL Configuration      https://login.microsoftonline.com/*teams*
Browser Content Redirection Authentication Sites   https://adfs.company.com/*
                                                   https://teams.microsoft.com/*

Redirecting Microsoft Stream

As I mentioned in Part 1 of this series, I recently had a customer who used a lot of local media. Due to the lack of GPU power the playback experience was terrible. As this customer had an Office 365 subscription, an alternative for them was to switch to Microsoft Stream, which is included in most O365 subscriptions (source). Microsoft Stream gave the customer 500 GB of storage + 0.5 GB per user. So with 500 users they could store 750 GB of video content, which was more than sufficient. The only remaining task was to configure BCR to redirect Stream to the local endpoint.

Following the same steps as for Teams, we see the following flow:

  1. User browses to: https://stream.microsoft.com
  2. User clicks login
  3. Redirected to: https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&redirect_uri=https%3A%2F%2Fstream.microsoft.com%2Fgo&state=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&&client-request-id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&x-client-SKU=Js&x-client-Ver=1.0.9&nonce=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&domain_hint=
  4. Redirected to: https://adfs.company.com
  5. After Authentication redirected to: https://web.microsoftstream.com/

This results in the following Policies:

Policy name                                        Values
Browser Content Redirection                        Allow
Browser Content Redirection ACL Configuration      https://stream.microsoft.com/*
Browser Content Redirection Authentication Sites   https://login.microsoftonline.com/*stream*
                                                   https://adfs.company.com/*
                                                   https://web.microsoftstream.com/*
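To make the reasoning behind both the Teams and the Stream policy tables concrete, here is an added Python example (not part of this post or of Citrix's tooling) that turns a captured redirect chain into the ACL and Authentication Sites entries: the first page BCR can hook becomes the ACL entry, the login page is narrowed to the app named in its redirect_uri, and every later hop becomes an Authentication Site. The redirect chains are constructed from the two flows described above, and BCR's wildcard matching is approximated with fnmatch, which is an assumption.

```python
"""Turn a captured sign-in redirect chain into BCR policy values (added example,
not from the post or from Citrix). Assumes BCR matches ACL / Authentication Site
entries with a plain '*' wildcard, approximated with fnmatch; chains are constructed."""
from fnmatch import fnmatchcase
from urllib.parse import parse_qs, urlsplit

LOGIN = "https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=xxxx"
TEAMS_FLOW = [  # constructed: the Teams page bounces to the login page immediately
    "https://teams.microsoft.com/",
    LOGIN + "&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fgo&state=xxxx",
    "https://adfs.company.com/adfs/ls/",
    "https://teams.microsoft.com/go",
]
STREAM_FLOW = [  # constructed: the Stream page renders first, the user clicks login
    "https://stream.microsoft.com/",
    LOGIN + "&redirect_uri=https%3A%2F%2Fstream.microsoft.com%2Fgo&state=xxxx",
    "https://adfs.company.com/adfs/ls/",
    "https://web.microsoftstream.com/",
]

def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def pattern_for(url):
    """Whole-site pattern ('https://host/*'), except for a login page that carries
    a redirect_uri: there the pattern is narrowed to the target app's host label
    so that other apps using the same login page are not redirected as well."""
    query = parse_qs(urlsplit(url).query)
    if "redirect_uri" in query:
        app = urlsplit(query["redirect_uri"][0]).hostname.split(".")[0]  # e.g. "teams"
        return f"{origin(url)}/*{app}*"
    return f"{origin(url)}/*"

def derive_policies(flow, first_catchable):
    """flow[first_catchable] is the first page BCR can hook: index 0 normally, index 1
    when the app page redirects before HdxVideo.js is injected (the Teams case).
    It becomes the ACL entry; every later hop becomes an Authentication Site."""
    acl = pattern_for(flow[first_catchable])
    auth_sites = []
    for url in flow[first_catchable + 1:]:
        p = pattern_for(url)
        if p != acl and p not in auth_sites:
            auth_sites.append(p)
    return {"acl": acl, "authentication_sites": auth_sites}

def matches_policy(url, policies):
    """Is this URL covered by the ACL entry or one of the Authentication Sites?"""
    return any(fnmatchcase(url, p) for p in [policies["acl"], *policies["authentication_sites"]])
```

Running derive_policies(TEAMS_FLOW, 1) and derive_policies(STREAM_FLOW, 0) reproduces the two tables above, and matches_policy shows that the narrowed pattern catches the Teams login URL but not a login URL for another Microsoft app.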

Tips & Tricks

With BCR you can redirect almost any website you can think of to the local endpoint. The only trick is finding the correct flow, especially the authentication steps and redirects, and setting the corresponding BCR policies.
Sometimes the built-in developer tools of your browser are not enough to find the correct flow; in those cases use a tool like Fiddler to capture all web traffic (and even inspect HTTPS streams).

Current Limitations

Currently, with Citrix Virtual Apps and Desktops 1811, there are a few limitations with BCR:

  • No support (yet?) for Firefox or Microsoft Edge.
  • Different DPI scaling on the endpoint and the VDA (for example, endpoint at 100% and VDA at 200%) can lead to bad scaling of the redirected content. To fix this you must set the following registry value on the endpoint:
        HKLM\SOFTWARE\Citrix\HdxMediastream\
        For 64-bit:
        HKLM\SOFTWARE\Wow6432Node\Citrix\HdxMediastream\
        Key: GPU (DWORD)
        Value: 0
  • 401 authentication (the browser's authentication popup) is not supported. This results in a completely white page, as BCR is unable to capture the authentication popup. (I lost quite some time on this issue before finding out why I got a "blank" page.)
  • Copying & Pasting text on redirected pages is only supported on Chrome and can only be done with CTRL+C / CTRL+V.
  • Printing on redirected pages is not possible.
  • Downloads are disabled on redirected pages.
  • True full-screen is not easily achieved; it requires pressing F11 in Chrome.
  • In IE11, YouTube full-screen might not work while redirected. Use Theater mode instead (or use Chrome).
  • For media content only the following containers and codecs are supported:
Containers and Codecs supported

Conclusion

Browser Content Redirection is not a very complex product, but it requires some basic knowledge to determine which policies must be set. After having done a few websites you will get the hang of it.

Citrix does a good job of keeping a support article up to date with the most commonly redirected websites, so if you want to start with BCR it is a smart starting point. The article can be found here.

I want to thank Fernando Klurfan (Product Manager @ Citrix) for reaching out to me (through a support case) and helping with my BCR journey (like Microsoft Stream). I hope Citrix will make BCR an even greater tool in the (near) future by resolving some of the known limitations and adding support for all 4 major browsers (Chrome / Firefox / IE11 / Edge).

Used sources & images:

https://support.citrix.com/article/CTX238236


Comments: 5

  1. Ricky says:

    Does this definitely work on 7.15 LTSR CU3? I can’t get this to work at all. Here’s what I know:

    – Citrix HDX Browser Redirection Service running
    – Citrix HDX HTML5 Video Redirection Service running
    – VDA was on 7.15 LTSR CU1. Upgraded to CU3 via the command prompt parameters.
    – Citrix Browser Content Redirection addon installed on the VDA.
    – Endpoint device running the latest Citrix Workspace.
    – ADMX loaded into Central Store, GPO created:
    a) Browser Content Redirection = enabled
    b) Browser Content Redirection ACL Configuration enabled and set to * (also tried setting to https://youtube.com/*)

    – Also tried adding the following reg keys:
    a) (REG_DWORD) – WebBrowserRedirection = 1
    b) (REG_MULTI_SZ) – WebBrowserRedirectionACL = *

    Restarted VDA and still can’t get the redirection to work. What am I missing?

    • Ricky says:

      Forgot to mention, but I have already installed the Chrome BCR extension.

      I’ve also tested this in IE and it’s not working for me.

      “Enable Enhanced Protected Mode” is unticked
      “Enable third-party browser extensions” is ticked
      “Citrix HDXJsInjector” addon is enabled in Internet Explorer – confirmed this on both the VDA and also in the Citrix session itself.

      Client device has direct internet access. Can definitely load the same Youtube video.

    • Rody Kossen says:

      Hi Ricky,

      When upgrading the VDA to CU3 you must use the /FEATURE_HTML5_DISABLE flag to remove HTML5 redirection. Afterwards you need to install the BCR.MSI (which brings back the newer HTML5 redirection feature with BCR).

      See https://www.citrix.com/blogs/2018/12/12/browser-content-redirection-2-0-will-help-you-maximize-your-multimedia/ for more details.

  2. Kai says:

    @Ricky

    Ran into the same issue with 7.15 CU3 and IE 11. I've also enabled all required settings / policies but it would not work.

    But using a wildcard is not allowed: WebBrowserRedirectionACL = * (see https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/browser-content-redirection-policy-settings.html)

  3. Internet says:

    Can you post update for Teams with Chrome? Above does not work.

    Also, show Office 365 Sharepoint example too, we cannot get that to work with BCR at all.
