Citrix For Chrome Web Store

Posted on  by admin

Citrix Workspace app is here to replace Citrix Receiver with a new UI and capabilities (primarily for Citrix Cloud customers). Here’s how to deploy it across various supported platforms in a modern management capacity with Microsoft Intune.

Windows 10

Office 365 Webmail Remote/Citrix (VDIs and Web Enabled Applications) Click HERE to download Citrix Receiver for mobile devices, download via App Store, Blackberry World, Chrome Web Store, Google Play. Users install Citrix Workspace app for Chrome OS from the Chrome Web Store by searching for Citrix Workspace and clicking Add to Chrome. Once installed, Citrix Workspace app for Chrome OS must be configured with connection details for Citrix Gateway and the Citrix Receiver for Web site providing that provides users’ desktops and apps. The Citrix Receiver Tech Preview for Chrome OS, available on the Chrome Web Store, is a free client app for businesses that use Citrix virtualization to host desktops and applications in the data. Subject: Using Citrix on a Chromebook The SRS Citrix team does not officially support Chromebooks but we will try to help you if we can. We only officially support Windows 10 because other non-Microsoft Operating Systems can be very fussy and online documentation and support is limited. Chromebooks should function but they are a buyer.

There are multiple deployment options for Workspace app on Windows via Microsoft Intune:

  • Workspace app from the Microsoft Store. This version has some feature limitations but requires the least amount of effort to deploy
  • The full Workspace app that provides the best compatibility, but doesn’t ship as a Windows Installer file and therefore requires custom solutions to deploy

Microsoft Store

Adding the Workspace app from the Microsoft Store is well documented and should take only 5 minutes to get the app from the Store, synchronise to Intune and assign the app to your users. How’s that for done and dusted? - I’m sure you’ve got better things to do than package and maintain applications.

Citrix Workspace in the Microsoft Store

The Workspace app can be assigned as available for end-users to install via the Intune Company Portal or required for automatic deployment. Once deployed, the Store will take care of updates, thus there is no further action required by the administrator.

Citrix Workspace app in the Microsoft Intune Company Portal

If you have already deployed Citrix Receiver from the Microsoft Store via Intune, it should be automatically updated to Citrix Workspace. One they key feature limitations of the Microsoft Store version is pass-through authentication, so you might need to consider alternative deployment options


The Workspace app installer is a single executable just it has been with Citrix Receiver. This presents a challenge to deploy Workspace app as a line-of-business application with Intune which requires Win32 applications to be packaged as a single Windows Installer file. PowerShell scripts are a simple alternative, but deploying applications via PowerShell has two key considerations:

  • PowerShell scripts can’t be applied to computer groups
  • PowerShell scripts are executed on devices only when an Azure Active Directory user is signed in to the device

Deploying this way also means that the Workspace app will be deployed regardless of user choice and of course does not support deployment via the Intune Company Portal.

Like we’ve done previously with Citrix Receiver, the Workspace app can be deployed to Windows 10 machines via Intune with PowerShell without requiring custom packaging. We need a consistent URL that will always download the latest version of Workspace app and a command line to perform a silent installation. Your command line options might differ depending on your target environment, but the example script below will download and install the Workspace app.

Once deployed, devices must then rely on auto-updates to ensure that Workspace app is kept up-to-date.

Re-package Citrix Workspace app for Windows Installer

With the right tools and a bit of effort, Citrix Workspace app can be re-packaged into a single Windows Installer file. Once you’ve packaged the app with this method you’ll need to maintain the package and update it regularly. As with the PowerShell method though, auto-updates will keep Workspace app up-to-date once deployed.

Is this approach right for you? This requires maintaining and deploying a custom package and is dependent on how the environment is managed and available skillsets. Only you can answer that for your projects or environments. A custom package isn’t ideal and I recommend using the Microsoft Store version as the default approach instead.

Citrix Workspace app extracted Windows Installer files

HDX RealTime Media Engine

The Citrix HDX RealTime Media Engine - required for optimising Skype for Business under XenApp and XenDesktop, does come as a single Windows Installer file. This makes it easy then to deploy the engine to Windows PCs as a Required line-of-business application without modification or custom packaging. This will ensure that no user interaction is required to install the engine since most users are unlikely to know what it does anyway.

Bonus: Citrix Workspace app for Chrome

If you have Google Chrome deployed in your environment and you’d like to deploy the Citrix Workspace app for Chrome, this can be achieved with a PowerShell script that will either deploy it as a preference that users must approve or as a policy that will be automatically pushed out and users will be unable to remove from Chrome.

Google provides detailed documentation on deploying Chrome extensions on Windows.

Here’s a basic script to deploy Workspace app for Chrome via PowerShell that uses the app’s Chrome Web Store identifier (haiffjcadagjlijoggckpgfnoeiflnem) to tell Chrome to install the app on next launch. This shows both approaches - deploy as a preference or enforced.

Add the script to the Intune portal and assign to a user group to deploy. Ensure the script runs in the system context because it needs to write to HKLM.


The Citrix Workspace app can be deployed as a line-of-business application with Microsoft Intune. The Workspace app download comes as an Installer package (inside an Apple Disk Image) that can be converted into suitable file format with the Microsoft Intune App Wrapping Tool, ready to deploy with Intune.

The Citrix Workspace app disk image

Convert the Installer

Instructions for converting a .pkg file to a .intunemac file are outlined in the documentation, and the basic process I have followed to convert the Citrix Workspace app installer file is:

  1. Download the Intune App Wrapping Tool for Mac executable - IntuneAppUtil - to a local folder. I’ve downloaded it to ~/bin.
  2. Mark the file as executable. In my example, I’ve done this with:
  1. Optionally copy the Install Citrix Workspace.pkg file to a local folder. You should also be able to run the converter against the copy stored in the disk image. In my example, I’ve copied the installer to ~/Projects/Intune-Apps. Rename the installer to remove spaces, so rename the file to InstallCitrixWorkspace.pkg.

Note: Removing the spaces from the installer name before converting is important, otherwise when installing the application, macOS will report the following error and the installing will fail to download and install:

  1. Convert the .pkg file into the required .intunemac format with a command similar to the following example - note that the -o switch should include a directory path only.

If successful the command line will look similar to the following screenshot:

Converting the Citrix Workspace app with IntuneAppUtil

The Workspace app installer will have been converted into a .intunemac format ready to import into the Intune portal for distributing to users.

The converted Citrix Workspace app

Distribute with Intune

Citrix For Chrome Web Store

With the prepared package, create a new line-of-business app in the Intune portal, select the .intunemac file and enter application information as follows:

  • Name - Citrix Workspace
  • Description - copy and paste the description from Workspace app on the Microsoft Store
  • Publisher - Citrix
  • Ignore app version - Yes
  • Category - Business or Productivity
  • Information URL -
  • Privacy URL -
  • Logo - download the Workspace app icon in PNG format here
Citrix receiver chrome web store

Once the details have been added, click OK to create the application. I initially had issues with uploading the application on Chrome on macOS. I was successful on Internet Explorer.

Adding the Citrix Workspace app as a line-of-business app in Microsoft Intune

Once the application has been created and assigned to users, it will be available for install in the Intune Company Portal. The application can also be set to required for automatic deployment.

Citrix Workspace available in the Intune Company Portal on macOS*

Just as on Windows, updates to the Citrix Workspace app can be managed with the inbuilt updater, post-deployment.

HDX RealTime Media Engine

The Citrix HDX RealTime Media Engine is also available as an installer package that can be converted and deployed the same way as Workspace itself. Citrix Workspace app is now a 64-bit macOS application and will, therefore, require a 64-bit version of the HDX RealTime Media Engine. Right now, a 64-bit HDX RealTime Media Engine is in tech preview that can be downloaded, packaged, uploaded as a line-of-business application and assigned.


As at the time of writing, Citrix Receiver is still available on the iOS App Store and we should see it updated to Citrix Workspace app soon. Adding an iOS application in Microsoft Intune is, fortunately, a simple process:

  1. Add an application and choose ‘Store app - iOS’, then search the app store
  2. Search for ‘Citrix’, ‘Citrix Receiver’ or ‘Citrix Workspace’
  3. Choose ‘Citrix Receiver’ or ‘Citrix Workspace’ depending on what is returned
  4. Save the change and Add the application
  5. Assign the application as required

The application will be available in the Intune Company Portal:

Citrix Workspace for iOS available in the Intune Company Portal

For existing deployments of Citrix Receiver, they should be updated to Citrix Workspace app automatically.


Android Store app

At the time of writing, the Workspace app for Android is not available in the Google Play Store, but a tech preview is available for download as an APK. I would recommend deploying Citrix Receiver via the Google Play Store, but with access to an APK file, you can deploy Android applications directly to enrolled devices as a line-of-business application with Intune.

The process for deploying Citrix Workspace app or Citrix Receiver on Android follows the standard Android store app deployment steps:

  1. Add an application and choose ‘Store app - Android’, then search the app store
  2. Name - ‘Citrix Workspace’ or ‘Citrix Receiver’
  3. Description - copy and paste the description from Workspace app on the Microsoft Store
  4. Publisher - Citrix
  5. Appstore URL -
  6. Minimum operating system - Android 4.4 (Kitkat)
  7. Category - Business or Productivity
  8. Privacy URL -
  9. Logo - download the Workspace app icon in PNG format here

Assign the application and it will be available to users in the Intune Company Portal.

Android Work Profile app

Citrix For Chrome Web Storefront

In the future, it’s more likely that organisations will leverage the Android enterprise capabilities, previously known as Android for Work. This also simplifies Android app deployment with a connection between Microsoft Intune and the Google Play store. Once configured, browse the Google Play store, approve a list of desired apps and these will then appear for assignment in the Mobile Apps node in Intune.

Here’s Citrix Receiver in the Google Play store.

Approving Citrix Receiver in the Google Play store*

Once approved, you must choose how new permissions will be approved:

  • Keep approved when app requests new permissions - Users will be able to install the updated app. (Default)
  • Revoke app approval when this app requests new permissions - App will be removed from the store until it is reapproved.

You can approve and deploy Citrix Receiver today, which should be automatically updated to Citrix Workspace app once it is released.


In this article, I’ve covered the high-level steps required for deployment of the Citrix Workspace app across the various major platforms supported by Microsoft Intune. Mobile platforms, including the Microsoft Store on Windows 10, will require the least amount of administrative effort to configure, deploy and update. For most organisations supporting Windows as their primary platform, even with Microsoft Intune, the choice of deployment solution will depend on Workpace app feature requirements.

downloadWhy can't I download this file?
  • Google Chrome: The VDA-side Chrome browser viewport is redirected and rendered on the client-side using the Citrix Workspace app for Windows embedded Chromium engine and the HdxBrowserCef.exe process. Note that the Browser Content Redirection Extension (which injects HdxVideo.js) must be installed and enabled on the VDA before using BCR with Chrome. The Browser Content Redirection Extension is available from the Chrome Web Store.
  • Please note that Chrome support requires CWA 1809 or higher and VDA 1808 or higher.

  • For further information, including BCR system requirements, please read the Browser content redirection section of the Citrix Virtual Apps and Desktops 7 Product Documentation.
    2. Browser Content Redirection configuration for specific use cases
    2.1 Server fetch and server render
    Default behavior when BCR is disabled. No VDA-side viewport redirection to the client occurs. This could be due to the desired behavior as configured through BCR policies, or server fallback may have occurred unintentionally due to a client redirection failure. To configure for this use case:
    Browser content redirection policy: If set to Prohibited, BCR is disabled.
    Alternatively, if “server fetch and server render” is to be applied for some websites, while permitting BCR for others, use the Browser content redirection Access Control List (ACL) policy settings policy to whitelist sites and/or the Browser content redirection blacklist setting policy to blacklist sites.
    In this alternative scenario, the Browser content redirection policy needs to be unconfigured [since the default value is Allowed] or set explicitely to Allowed.
    Note that in this mode, server-side rendering uses ICA Thinwire to remote the graphics to Workspace app, the same way it is done for any application running in the virtual desktop.
    2.2 Server fetch and client render
    This mode allows endpoints with no direct access to the website (e.g. Intranet) to be able to proxy the HTTP traffic through the VDA, which then relays to the web server. A service in the VDA called 'Citrix Port Forwarding' is in charge of this.
    To configure for this use case:
    When the Browser content redirection proxy setting policy has been configured with a proxy server IP:Port address, the client connects to the proxy server on the VDA’s network over the Port Forwarding virtual channel and renders the content locally.
    Proxies that require explicit authentication are supported with CWA for Windows 1907 or higher.
    TCPView running on the endpoint will show that HdxBrowser attempts to connect to a few localhost TCP ports (the aforementioned client-side Port Forwarding virtual channel):
    For Linux endpoints, running netstat will show WebKitNetworkProcess establishing connections to localhost:
    On a Linux client, also check if vdbrowser.dll and vdportfoward.dll (used for server fetch client render) have been loaded.
    If they are not loaded, the redirection will fail and fallback to server-side rendering.
    You can use the following command 'cat /proc/<PID of wfica>/maps' to check:
    The TCP Port Forwarding service on the VDA is called CtxSvcHost.exe, and is the one making the final outbound connection to your Proxy Server (in the screenshot below it is This is how it looks on Process Explorer:

    Be aware that there are many Citrix Virtual Channels that can run under CtxSvcHost (Smart Card, Audio, Flash, etc).
    The one used by Server Fetch Client Render in Browser Content Redirection uses the 'PortFwdSvcs' flag, as seen above.
    You can also use TCPView - but make sure you are tracking the right CtxSvcHost. You can use the PID value from Process Explorer (9196 in the screenshot above) to correctly identify it, or look at the Remote Address and identify your Proxy.
    If CtxSvcHost.exe is not seen, please restart the service 'Citrix HDX Port Forwarding Service' on the VDA.
    2.3 Client fetch and client render
    This use case affords the maximum benefits for bandwidth efficiency and VDA resource usage.
    To configure for this use case:
    Browser content redirection policy: No need to configure but Allowed can be set. [Default value Allowed]
    Browser content redirection Access Control List (ACL) policy settings policy: Acts as whitelist. Add any websites (wildcard * can be used) that you want to be redirected.
    [Default value:*]
    When this mode is configured, HdxBrowser.exe (Windows) or WebKitNetworkProcess (Linux) will contact a website directly:
    2.4 Other BCR configuration options
    To support whitelisted websites that navigate away to a 3rd-party site for authentication before redirecting back to the whitelisted site, configure the Browser content redirection authentication sites policy.
    We'll use YouTube as an example:
    The Browser content redirection policy will include the value:* [note that this entry exists by default in the policy]
    The Sign In button on the YouTube site navigates to (the protocol/domain part will be consistent but the full path will vary).
    To support the authentication-related navigation from to and back to, configure as follows:
    In the Browser content redirection authentication sites policy, add the entry:* (note the wildcard * to accommodate variations in URL sub-folder values).
    More info can be found in CTX238236.
    3. Browser Content Redirection feature limitations

    • For websites with media content, only the following list of codecs are supported when the site is redirected:
    ContainerAudio CodecsVideo Codecs
    MP4 (QuickTime / MOV / MPEG4)
    • In CWA 1905 for Windows or older versions, or with CWA for Linux, Websites that use Integrated Windows Authentication (IWA) might break BCR. Currently BCR is not able to handle and display the pop-up 'Windows Security' dialog box (or any dialog box), and the user might end up in a blank page. Keep in mind that since now the endpoint is loading the website, the endpoint and website (running on IIS for example) might not be in the same domain (while VDA and IIS might). Hence IWA fails, a pop-up window should be displayed prompting the user for credentials but it is not, because of the aforementioned limitation in BCR. This issue has been fixed in CWA for Windows 1907 or higher.
    • When using Server Fetch Client Render (this policy in Studio), only a single Proxy FQDN / IP is supported. PAC files (for automatic proxy configuration) are now supported with Server Fetch Client Render when the VDAs are 2003 or higher (see here), or 1912 CU1 (see here).
    • When freshly installing CVAD 1811 (only), there is a known issue with BCR_x64.msi where it is not installed on the VM if the Admin selected 'Enable brokered connections to a server' or 'Enable Remote PC Access'. The workaround is to mount the .iso of CVAD, find the BCR_x64.msi in Image-Fullx64Virtual Desktop Components and run it. See CTX240182.
    • The Desktop OS Core Services Virtual Delivery Agent stand alone .exe (VDAWorkstationCoreSetup) does not include BCR_x64.msi. Same workaround CTX240182 fixes this.
    • Due to the limitation of CEF(Chromium Embedded Framework), client endpoint GPU needs to be disabled if DPI scaling factor is set to a number other than 100% in order for BCR feature to work. Otherwise BCR displays the website in a corrupted fashion (like zoomed in and cropped). To disable, configure on the Client:
      • HKLMSOFTWARECitrixHdxMediastream
        For 64-bit:
        Key: GPU (DWORD)
        Value: 0
    • Currently, with Windows CWA, copying text from redirected webpages is only possible with Chrome browser content redirection. Use Ctrl-C / Crtl-V to copy and paste. Linux CWA support copy/paste for both IE11 and Chrome.
    • Currently printing from redirected webpages is not possible from Internet Explorer 11 and Chrome.
    • Currently, screensharing functionality will not work if the BCR user tries to initiate screensharing. Incoming sreensharing does work (HDX-16273).
    • Upgrades to Receiver 4.11 or 4.10 from any version might break BCR virtual channels. See CTX235183.
    • If Local App Access is Allowed then BCR will not work. You must set LAA to Prohibited (Default) for BCR to work.
    • Currently downloads aren't enabled on redirected websites when using Chrome on the VDA (therefore files cannot be saved to the endpoint).
    • In IE11, after starting a YouTube video using the YouTube HTML5 video player, full-screen mode might not work. You click the icon in the lower-right corner of the video, and the video doesn’t resize leaving the black background in the full area of the page. As a workaround, click the full screen button, and then select theater mode.
      This issue is not seen on Chrome.

    4. Browser Content Redirection Troubleshooting

    Before proceeding, please review the “Browser Content Redirection feature limitations” section.

    4.1 General troubleshooting steps

    StepMay clear problem in
    Close the browser, re-open, and navigate to a whitelisted site.Browser Add-On and HdxVideo.js file
    Disconnect and reconnect the session.Citrix Workspace app, HdxBrowser.exe, HdxBrowserCef.exe, WebSocketAgent.exe, and services
    Logoff and logon to a new session.Citrix Workspace app, HdxBrowser.exe, HdxBrowserCef.exe, WebsocketAgent.exe, and services
    Stop the services: 1. Browser redirection service, 2. HTML5 redirection service, and 3. Port forwarding service. Restart them in reverse order listed. Logoff and logon the session.All components

    4.2 Data to collect for troubleshooting

    CDF modules to trace:

    VDA SideCitrix Workspace app (client) Side

    4.3 HdxBrowser and Webcontainer (a.k.a Overlay Browser)
    When using BCR with Internet Explorer 11, ensure HdxBrowser.exe is running with Citrix Workspace app for Windows (use Task Manager) while you are on a whitelisted site.
    When using Google Chrome, the process is called HdxBrowserCef.exe.
    Note: Chrome support requires CWA 1809 or higher, and VDA 1808 or higher.
    This is how it looks on Process Explorer on the endpoint:
    For Linux endpoints (Fat Clients, or Thin Client minimum versions: Unicon eLux RP 6.2.3 CR, HP ThinPro 7.1 or higher only, iGEL OS 10.05 or higher) the process used is webcontainer (placed in ICAROOT /util folder. ICAROOT generally is /opt/Citrix/ICAClient for root user).
    Dell Wyse ThinOS Version 9.0 supports BCR.
    i. Please check if webcontainer process is starting in your Linux client by running:
    <ICAROOT>/util/webcontainer --version.
    Sample output:

    ii. If it fails then you have to install WebKitGTK+ version greater than 2.16.6 for Browser Content redirection to work.
    WebKitGTK+ is a full-featured port of the WebKit rendering engine (WebKit2 API with GTK3).
    (This is not part of Citrix Receiver / Workspace app, so you will need to download the proper package for your Linux distribution and processor architecture, or contact your Thin Client vendor).
    Therefore, system library will be required for webcontainer to link against:
    Note that glibcxx 3.4.20 or later is also required for BCR (#locate and then run #strings /<add the found location>/ grep GLIBCXX):

    iii. You can then check if webcontainer process can render the video content locally by running:
    ./webcontainer --url
    ./webcontainer --url
    This test verifies if the endpoint has the proper codecs available (specially the 'ugly' ones like H264). The test does not invoke any Citrix VDA components, it is a purely local test. Webcontainer (WebKitWebProcess) will in turn make calls to GStreamer 1.x - if H264 is not loaded, VP8 will be used instead (if the website supports WebM).
    In order to check your GStreamer version, run 'dpkg -l grep gstreamer'.
    More info on GStreamer requirements in CTX224988.
    Note: Currently, if WebKitGTK+ version is below 2.22.3, then Media Source Extensions (MSE) are not supported so YouTube videos will only play up to 720p (with H264).
    If H264 is not available or licensed, YouTube will attempt to use WebM container format (VP8/VP9 video codecs from gst-plugins-good and Opus audio codec from gst-plugins-base).
    YouTube now requires MSE to play videos in WebM format, so a proper WebKitGTK+ version has to be present.
    WebKitGTK+ version 2.22.5 or higher and GStreamer 1.14.4 or higher are recommended for YouTube.
    iv. Running the top command while BCR is active will show:
    While webcontainer is in use, there are 2 associated WebKit processes that run: WebKitNetworkProcess and WebKitWebProcess. The actual network outbound connections are made by WebKitNetworkProcess).
    4.4 Browser JavaScript log live debugging in IE11 and Chrome:

    1. If you want to debug in IE11, Open %programfiles%CitrixHdxVideo.js
      (or depending on your VDA version, the Javascript can also be located inside a folder called %programfiles%CitrixICASERVICE)
      You might need to do this running Notepad as an Admin and opening the .js file from the Open menu
      Change the line var DEBUG_ONLY = false; to var DEBUG_ONLY = true;
      Save the file and close your Editor.

    2. If you want to debug on Chrome, skip step #1. Make sure your Extension is at version 2.0. Right click on the icon, select Options and tick 'Activate debug logging'.

    3. Close Internet Explorer / Chrome and reopen it, hit F12 or Ctrl+Shift+I, and go to the Console tab in Developer tools. Browse to a whitelisted site, e.g.

    4. You should see traces from [HdxVideo.js] (example below). Collect the entire log.
      Key messages to look for are highlighted in bold, with additional comments inside brackets [ ]:

      [HdxVideo.js] OnUnload (window): [object Window]
      [HdxVideo.js] DocumentBodySuppressor.start()
      [HdxVideo.js Events] interceptEventListeners()
      [HdxVideo.js] DocumentBodySuppressor.trySetBodyStyle(): stopping observer
      [HdxVideo.js] OnLoad (window): [object HTMLDocument]
      [HdxVideo.js] Unredirected video count: 0
      [HdxVideo.js] HDX_DO_PAGE_REDIRECTION: true [if false, redirection is not even attempted. Problem with policies or browser Extension?]
      [HdxVideo.js] infallback: undefined
      [HdxVideo.js] Installing event listeners.
      [HdxVideo.js] msexitFullscreen - Found!
      [HdxVideo.js] onWSOpen: [Websocket opening to WebsocketAgent.exe succeeded. If failed, check your IE Security Settings]
      [HdxVideo.js] >>> {'v':'pageurl','url':''}
      [HdxVideo.js] onVisibilityChange:
      [HdxVideo.js] >>> {'v':'vis','vis':true}
      [HdxVideo.js] onResize:
      [HdxVideo.js] >>> {'v':'pageredir'}
      [HdxVideo.js] sendClientSize: w: 1316 h: 755
      [HdxVideo.js] >>> {'v':'clisz','w':1316,'h':755}
      CSI/tbsd_: 15.599,072ms
      CSI/_tbnd: 15.658,128ms
      [HdxVideo.js] <<< {'v':'winid','title':'CitrixVideo:{1b83a2dc-39ae-4455-ad7d-d56e71fbb45d}'}
      [HdxVideo.js] onWSMessage: winid: CitrixVideo:{1b83a2dc-39ae-4455-ad7d-d56e71fbb45d}
      [HdxVideo.js] setWindowTitle: CitrixVideo:{1b83a2dc-39ae-4455-ad7d-d56e71fbb45d}
      [HdxVideo.js] documentTitleMutator.start()
      [HdxVideo.js] >>> {'v':'winid'}
      [HdxVideo.js] <<< {'v':'pageredir'} [VDA is instructing Receiver to start the redirection process]
      [HdxVideo.js] onWSMessage: pageredir
      [HdxVideo.js] Redirecting page -- 화이팅! [Korean characters means the redirection was successful]

      A common error is:

    [HdxVideo.js] OnUnload (window): [object Window]
    Navigation Event Separator HTML1300: Navigation occurred.
    [HdxVideo.js] DocumentBodySuppressor.start()
    [HdxVideo.js Events] interceptEventListeners()
    [HdxVideo.js] DocumentBodySuppressor.trySetBodyStyle(): stopping observer
    [HdxVideo.js] OnLoad (window): [object HTMLDocument]
    [HdxVideo.js] Installing event listeners.
    [HdxVideo.js] msexitFullscreen - Found!

    [HdxVideo.js] doRedirection(): exception connecting to WebSocket: SecurityError
    [HdxVideo.js] onWSError:
    [HdxVideo.js] Showing content -- suspendRedirection.

    In the Developer Tools console this can be seen as:

    This is caused by security configurations in IE11’s Security Zones, and the root of the issue is being classified under the intranet zonewhile the redirected whitelisted site is in the internet zone.
    Redirection might work as intended on Chrome (since it has no concept of Zones).
    Internet Explorer automatically assigns all websites to a security zone: Internet, Local intranet, Trusted sites, or Restricted sites.
    Important: will be classified as either Intranet or Internet zone, depending on your IE11 Proxy configuration in Tools > Internet Options > Connections > LAN Settings (either PAC files - WPAD Proxy Script-, or Explicit Proxy -manual-). More info here.

    If ends up being classified as Intranet, then Zone elevation restrictions prevent connections from Internet zone to Local intranet zone, and BCR will fail.

    The Local intranet option 'Include all sites that bypass the proxy server' should be unchecked (disabled).

    Rationale : If 'Include all sites that bypass the proxy server' is enabled, connections are considered to be in the Intranet zone. Zone elevation restrictions prevent connections from Internet zone to Local intranet zone. Most of the external redirected sites like Youtube will be in the Internet zone and the injected script HdxVideo.js will attempt a connection to in the Intranet zone which will be blocked. So, 'Include all sites that bypass the proxy server' should be unchecked.

    Internet Properties --> Security --> Local Intranet --> Sites, and uncheck 'Include all sites that bypass the proxy server'
    The equivalent configuration can be made by setting these regkeys via GPOs (ADM Computer template):
    HKLMSoftwarePoliciesMicrosoftWindowsCurrentVersionInternet SettingsZoneMapAutoDetect [REG_DWORD value 0]
    HKLMSoftwarePoliciesMicrosoftWindowsCurrentVersionInternet SettingsZoneMap IntranetName [
    REG_DWORD value 1]
    HKLMSoftwarePoliciesMicrosoftWindowsCurrentVersionInternet SettingsZoneMapProxyByPass [
    REG_DWORD value 0]
    HKLMSoftwarePoliciesMicrosoftWindowsCurrentVersionInternet SettingsZoneMap UNCAsIntranet [
    REG_DWORD value 1]

    Each zone has a different default security level that determines what kind of content might be blocked for that site.

    ZoneDescriptionDefault Setting
    InternetContains all websites that are not assigned to any other zoneMedium-high
    Local intranet Contains all websites and content that is stored on a corporate intranet and don't require a Proxy ServerMedium-low
    Trusted SitesContains all Internet sites that you have specifically indicated to be ones that you trust not to damage your computer or informationMedium
    Restricted SitesContains all the sites that might potentially damage your computer or your informationHigh

    Citrix Workspace App For Chrome


    (Depending on the security level of a site, some content might be blocked until you choose to allow it).
    You can check the Zone a website is assigned to by navigating to it and then right clicking --> Properties

    If the website you are trying to redirect is in your Internet Zone (see example above), then please try to add the following entry to the Trusted Zone Sites in IE11

    (Internet Options -> Security)


    You can verify if websockets are opened by going to Developer Tools -> Console and type:

    var exampleSocket = new WebSocket('wss://'); exampleSocket.onmessage = function(messageEvent) { console.log(JSON.stringify(messageEvent)); };

    wait a few seconds and then type:


    The expected output from the 2nd line, is '1', which indicates that the WebSocket connection was successfully formed.
    0 (CONNECTING) The connection is not yet open 1 (OPEN) The connection is open and ready to communicate.
    2 (CLOSING) The connection is in the process of closing 3 (CLOSED) The connection is closed or couldn't be opened
    Citrix receiver for chrome

    4.5 Pac files
    The PAC file does not need to return DIRECT for (WebSocketService.exe on the VDA), IE11 makes direct connections for localhost/ by default.
    Zone elevations restrictions might, again, prevent HdxVideo.js to connect to, so make sure it is classified as Internet Zone (see 4.4).
    4.6 Content Security Policy
    Another possible error is that some websites use a technology called CSP (Content Security Policy) which prevents any outside resource (like the Javascript used in BCR) from being executed in the trusted webpage context. Therefore Browsers prevent the injection of HdxVideo.js and BCR fails, falling back to server-side rendering.
    This can be overcome if you have a Proxy server in your network (like Bluecoat) and you are able to apply HTTP Rewrites.
    wss:// needs to be added to connect-src
    4.7 Browser Helper Object (BHO for IE11)
    The BHO is not currently compatible with Enhanced Protected Mode in IE11.
    BHO is explicitly enabled upon install time of Citrix Virtual Apps and Desktops. If you want to disable it, please check the registry key created for the CLSID of the extension in the following path:
    There should be a key created with the CLSID of the extension ie {CA076BDE-8E41-44EE-B775-E791F26D0483}
    The value of the key is set to 1. This means the extension is enabled and users cannot change it.
    If changed to 0 , the extension will be disabled and users cannot change it.
    If changed to 2 , the extension will be enabled and users can enable or disable it in the browser's 'Manage add-ons'.

    4.8 How to verify the webpage is redirected
    Method #1: Drag the IE11 or Chrome window quickly. You will notice a ‘delay’ or ‘out of frame’ between the viewport and the User Interface.

    Also you will notice a quick change in the title on the Tab (CitrixVideoId) before the original title is placed back
    Method #2: When the right mouse button is clicked on window area, a customized context menu is displayed. Back/Forward menu items are currently disabled for the initial releases. The remaining menu items perform the following tasks:

    Citrix For Chrome Web Store

    • Refresh: refreshes current client side web page.
    • Open: if the mouse point is focused on a hyper link, the link will be opened; otherwise, nothing will happen.
    • Open in New Tab: if the mouse point is focused on a hyper link, the link will be opened in a new Tab; otherwise, nothing will happen. (Note: for the initial release, this works only when pop-up is enabled on VDA side IE instance.)
    • Open in New Window: if the mouse point is focused on a hyper link, the link will be opened in a new Tab; otherwise, nothing will happen. (Note: for the initial release, this works only when pop-up is enabled on VDA side IE instance and the link is opened in a new Tab rather than in a new Window)
    • About HDX Browser Redirection: Browse to Citrix support site in a new Tab

    Additional Resources

    Browser Content Redirection: whitelisting websites​
    Browser Content Redirection Not Working
    Citrix Blogs: HTML5 Multimedia Redirection: State of the Union
    Citrix Blogs: Citrix and Microsoft are teaming up for Teams
    Dell Wyse ThinOS Version 9.0

    Citrix Receiver Chrome Web Store


    Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.