Configuring Citrix Virtual Channel Security

With Citrix Virtual Apps and Desktops, the Virtual Channel Allow List must be configured to allow the deviceTRUST virtual channel.

Citrix Virtual Apps and Desktops contains a policy titled Virtual channel allow list which controls the processes which are able to open a virtual channel. When enabled, all processes except the Citrix internal virtual channels must be declared. Additional entries are required for the deviceTRUST Agent to be able to connect to the deviceTRUST Client Extension.

  • With Citrix Virtual Apps and Desktops 2109 or later, the Virtual channel allow list is enabled by default. These default settings will deny access to the deviceTRUST virtual channel as the allow list does not include the deviceTRUST process names.
  • With Citrix Virtual Apps and Desktops 1912 LTSR to 2106, the Virtual channel allow list is disabled by default. These default settings will allow access to the deviceTRUST virtual channel.
  • With previous releases of Citrix Virtual Apps and Desktops, the Virtual channel allow list is unavailable.

Configuration

There are two options to configure the virtual channel allow list for enabling deviceTRUST in a Citrix Virtual Apps and Desktops environment:

  • Allowing all Citrix virtual channels plus the deviceTRUST virtual channel
  • Allowing all virtual channels

The first is the recommended solution, as it complies with Citrix’s concept of virtual channel security. However, both approaches are described here.

Both settings need to be set at the VDA level. The required configuration can be found in the Citrix farm policies; the setting is named Virtual channel allow list.

[Screenshot: edit_virtual_channel_allow_list_1]

[Screenshot: edit_virtual_channel_allow_list_2]

Allowing all Citrix virtual channels plus the deviceTRUST virtual channel

We recommend configuring the deviceTRUST virtual channel explicitly. Doing so will comply with Citrix’s concept of securing the virtual channel feature whilst allowing deviceTRUST to establish its connection between the deviceTRUST Agent and Client. Doing so requires the following steps:

  • Explicitly enable the Virtual channel allow list policy setting
  • Add the following deviceTRUST virtual channel and process names to the allow list
    • DEVTRST,C:\Program Files\deviceTRUST\Agent\Bin\dtagent.exe
    • DEVTRST,C:\Program Files\deviceTRUST\Host\Bin\dthost.exe

[Screenshot: edit_virtual_channel_allow_list_3]

Note:
  • If you use additional virtual channels for other functions, these need to be added explicitly as well.
  • If you use only deviceTRUST 21.1 or later, you can remove the entry 'DEVTRST,C:\Program Files\deviceTRUST\Host\Bin\dthost.exe'.
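The following PowerShell function is an added example, not code from deviceTRUST or Citrix. It checks a proposed allow list (as an administrator would paste it into the policy dialog) against the entries required above: each entry must be in the `CHANNEL,full path` form, the dtagent.exe entry must always be present, and the dthost.exe entry is required only for deviceTRUST releases before 21.1. The `-DeviceTrustVersion` parameter, the `-CheckFilesExist` switch, and the sample list are assumptions made for this example; the function does not read or write the Citrix policy itself.

```powershell
# Added example: validate a Virtual channel allow list for deviceTRUST before applying it.
function Test-DeviceTrustAllowList {
    param(
        [Parameter(Mandatory)] [string[]] $AllowListEntries,
        # Assumption: version of the deviceTRUST Agent deployed on the VDAs.
        [version] $DeviceTrustVersion = [version]'21.1',
        # Optional: also verify that each listed executable exists on this VDA.
        [switch] $CheckFilesExist
    )

    # Entries the page requires; dthost.exe is only needed before deviceTRUST 21.1.
    $required = @('DEVTRST,C:\Program Files\deviceTRUST\Agent\Bin\dtagent.exe')
    if ($DeviceTrustVersion -lt [version]'21.1') {
        $required += 'DEVTRST,C:\Program Files\deviceTRUST\Host\Bin\dthost.exe'
    }

    $findings = @()
    foreach ($entry in $AllowListEntries) {
        # Split only on the first comma so the path itself may contain commas.
        $parts = $entry -split ',', 2
        if ($parts.Count -ne 2 -or -not $parts[0].Trim() -or -not $parts[1].Trim()) {
            $findings += "Malformed entry (expected 'CHANNEL,full path'): '$entry'"
            continue
        }
        $channel = $parts[0].Trim()
        $path    = $parts[1].Trim()
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $findings += "Entry for channel '$channel' does not use a full path: '$path'"
        }
        if ($CheckFilesExist -and -not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $findings += "Executable for channel '$channel' not found on this VDA: '$path'"
        }
    }

    # Case-insensitive membership check, matching how Windows treats paths.
    foreach ($req in $required) {
        if ($AllowListEntries -notcontains $req) {
            $findings += "Missing required entry: '$req'"
        }
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample: an allow list that was copied from an older deployment
# and lacks the dthost.exe entry while still running deviceTRUST 20.2.
$sampleAllowList = @(
    'DEVTRST,C:\Program Files\deviceTRUST\Agent\Bin\dtagent.exe'
    'SOMECHAN,relative\path\tool.exe'
)
Test-DeviceTrustAllowList -AllowListEntries $sampleAllowList -DeviceTrustVersion '20.2' |
    Format-List
```

Run the function on each VDA image with `-CheckFilesExist` to catch install paths that differ from the defaults shown above; an entry whose executable does not exist on the VDA grants nothing, but it also does not give the deviceTRUST Agent the channel it needs.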

Allowing all virtual channels

A fallback option would be to simply allow all virtual channels to be established. This works from a technical perspective, but it circumvents the security measures Citrix introduced with the 2109 release, since any process in the session can then open a virtual channel.

[Screenshot: disable_virtual_channel_allow_list]