NetScaler Gateway Windows VPN client registry keys

The VPN client registry keys are available under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client. The following table lists the NetScaler Gateway VPN client registry keys, values, and a brief description of each value.

| Registry key | Registry type | Registry control | Values and description | Default value |
|---|---|---|---|---|
| addedRoutes/modifiedRoutes | REG_SZ | Managed by Citrix Secure Access client. | Created for internal plug-in communication. Users must not modify this key. | No default value. |
| AlwaysOnService | REG_DWORD | Admin can deploy this registry through Group Policy Object (GPO) using Group Policy Management Console (GPMC) or System Center Configuration Manager (SCCM) push. | 1 => Establish a machine level tunnel but not a user level tunnel. 2 => Establish either a machine level tunnel or a user level tunnel at any given time. 3 => Establish both a machine level tunnel and a user level tunnel to enable multi-session OS in Citrix Secure Private Access for domain joined machines. Note: Multi-session OS feature support is in preview. | No default value. |
| AlwaysOnURL | REG_SZ | Either deploy through GPO using GPMC or SCCM push, or set using the CLI (see note*). | URL of the NetScaler Gateway virtual server the user wants to connect to. Example: https://xyz.companyDomain.com | No default value; configured for a custom solution. |
| AlwaysOn | REG_DWORD | Using CLI. For more information, see note*. | 1 => Allow network access on VPN failure. 2 => Block network access on VPN failure. | No default value. |
| AlwaysOnAllowlist | REG_SZ | Admin can deploy this registry through GPO using GPMC or SCCM push. | Semicolon separated list of FQDNs, IP address ranges, or IP addresses allowed by the driver in Always On strict mode. Examples: example.citrix.com;192.0.2.0;192.0.2.100-192.0.2.255 | Empty or NULL. |
| ClientControl | REG_DWORD | Using CLI. For more information, see note*. | 1 => Allows users to log out or connect to other gateways. 0 => Blocks users from logging out or connecting to other gateways. | 1 |
| ConfigSize | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. This registry is used only for Citrix Secure Private Access. | The Windows client supports a 64 KB configuration file size by default; use this registry to increase it. If the configuration file size exceeds the default 64 KB, set ConfigSize to 5 times 64 KB (in bytes) for each additional 64 KB. For example, for an additional 64 KB set the value to 64 x 1024 x 5 = 327680; for an additional 128 KB set it to 64 x 1024 x (5+5) = 655360. | 64 KB |
| Connected | REG_DWORD | Managed by Citrix Secure Access client. | Set to 1 on successful connection, otherwise 0. This key is used internally. Users must not modify this key. | No default value. |
| DisableCredProv | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | When AlwaysOn VPN before Windows Logon is enabled, the Windows VPN plug-in adds a credential provider to display the tunnel status on the logon screen. If you do not need this additional functionality, create this registry and set it to 1. | 0 |
| DisableIconHide | REG_DWORD | Using CLI: set vpn parameter iconWithReceiver ON | 1 => The Citrix Workspace app and the NetScaler Gateway plug-in are both displayed on the taskbar. 0 => The NetScaler Gateway plug-in icon is integrated with Citrix Workspace app for Windows and is not visible on the taskbar while the full VPN session is running. | 0 |
| DisableDNSRoutes | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | 0 => Default value. The VPN plug-in adds routes for DNS servers if they differ from the default gateway of a physical interface; depending on the Windows client machine network topology, these routes are not always required. 1 => The VPN plug-in does not add explicit routes for the DNS servers. | 0 |
| DisallowCaptivePortals | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | 1 => The VPN plug-in checks for captive portals by trying to connect to the Microsoft Connect test page before starting a VPN session. 0 => The VPN plug-in skips the captive portal check. | 0 |
| DisableIntuneDeviceEnrollment | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | If set to 1, Intune device enrollment is not performed. | 0 |
| EnableAutoUpdate | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | Controls the plug-in update functionality from the client side. 0 => Disable auto-update. 1 => Enable auto-update. Note: this registry key is located under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\AutoUpdate. | 1 |
| EnableEdgeWebview | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | 0 => Disable Microsoft Edge WebView. 1 => Enable Microsoft Edge WebView. | 1 |
| EnableKerberosAuth | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | 0 => Default value. 1 => The VPN client uses the Kerberos authentication method for auto-logon. | 0 |
| EnableMultiSessionFlow | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | 0 => Disable access to multi-session OS in Citrix Secure Private Access. 1 => Enable access to multi-session OS in Citrix Secure Private Access. | No default value; configured for a custom solution. |
| EnableTCPDNS | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | 0 => Disables split DNS support for TCP based DNS requests. 1 => Enables split DNS support for TCP based DNS requests. | 1 |
| EnableVA | REG_DWORD | Managed by Citrix Secure Access client. | Used internally to decide whether the Citrix Virtual Adapter must be enabled when IIP is present. Users must not modify this key. | 1 |
| EnableWFP | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push, or through a feature flag. | 1 => The VPN plug-in uses WFP. Starting from Citrix Secure Access client for Windows release 25.1.1.27, WFP is enabled by default. 0 => The VPN plug-in uses DNE. | 1 |
| ExcludeDomainsFromRemoteDns | REG_SZ | Admin can deploy this registry through GPO using GPMC or SCCM push. | Excludes DNS resolution from being performed by Citrix Secure Access client through a remote DNS server. If example.com is an intranet domain and you want to exclude specific hosts such as sshhost.example.com, rdphost.example.com, or `*.ftphost.example.com`, use this registry; `*.ftphost.example.com` is a wildcard pattern that matches any subdomain under ftphost.example.com. Adjust the domain names and patterns to your requirements, then restart Citrix Secure Access or the system for the settings to take effect. | No default value; configured for a custom solution. |
| ExcludeDomainsFromTunnel (Preview) | REG_SZ | Admin can deploy this registry through GPO using GPMC or SCCM push. | Excludes traffic of specific domains from being tunneled via the Citrix Secure Access client. If example.com is an intranet domain and you want to exclude specific hosts such as sshhost.example.com, rdphost.example.com, or `*.ftphost.example.com`, use this registry. Set the value to a comma-separated list of domain names or patterns. | No default value; configured for a custom solution. |
| HttpTimeout | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | HTTP timeout in seconds. If no timeout is configured, the default of 100 seconds (based on Windows standards) is used. | 100 seconds |
| InstallDir | REG_SZ | Managed by Citrix Secure Access client. | Location where the Citrix Secure Access client is installed. | "C:\Program Files\Citrix\Secure Access Client" |
| locationDetection | REG_DWORD | Using CLI. For more information, see note*. | 1 => Enable location detection. 0 => Disable location detection. | No default value; configured only when Always On mode is enabled. |
| NoDHCPRoute | REG_DWORD | 1. On the NetScaler appliance, create a file named pluginCustomization.json containing { "NoDHCPRoute" : true }. 2. Place pluginCustomization.json in the folders /netscaler/ns_gui/vpn and /var/netscaler/gui/vpn. | If set to 1, the DHCP server route is not added. | No default value; customized based on the network topology. |
| overrideIPV6DnsDrop | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | 1 => Allow IPv6 DNS traffic to flow over the VPN. 0 => Restrict IPv6 DNS traffic flow. | No default value; customized based on the network topology. |
| ProductVersion | REG_SZ | Managed by Citrix Secure Access client. | Currently installed version of Citrix Secure Access client. | Product version information |
| ProductCode | REG_SZ | Managed by Citrix Secure Access client. | This key is used internally. Users must not modify this key. | {B04137FF-B5C9-4058-ACEB-04118790118D} |
| secureDNSUpdate | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | 0 => The VPN plug-in tries only the unsecure DNS update. 1 => The VPN plug-in tries the unsecure DNS update first and, if it fails, then tries the secure DNS update; this is the default behavior starting from the 21.3.1.2 Windows plug-in build. 2 => The VPN plug-in tries only the secure DNS update. | 1 |
| SecureChannelResetTimeoutSeconds | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | By default this value is not set. When the value is 0xFFFFFFFF or the value is not present, the VPN plug-in waits for the SecureChannelReset() API call to complete before it starts tunneling data traffic (the default behavior). Set this value on the client to make the VPN plug-in start tunneling data traffic after waiting the specified number of seconds for the API call to complete. | No default value; configured for a custom solution. |
| SecureAccessLogInScript | REG_SZ | Admin can deploy this registry through GPO using GPMC or SCCM push. | Citrix Secure Access service reads the login script configuration from this registry key when it connects to the Citrix Secure Private Access service. For details, see Login and logout script configuration registries. | No default value; configured for a custom solution. |
| SecureAccessLogOutScript | REG_SZ | Admin can deploy this registry through GPO using GPMC or SCCM push. | Citrix Secure Access service reads the logout script configuration from this registry key when it connects to the Citrix Secure Private Access service. For details, see Login and logout script configuration registries. | No default value; configured for a custom solution. |
| suffixList | REG_SZ | Using CLI: add dns suffix | Semicolon separated list of intranet domains. Used when location detection is enabled. | Retrieved from the DNS suffix configured on the server. |
| SicBeginPort | REG_DWORD | 1. On the NetScaler appliance, create a file named pluginCustomization.json containing {"SicBeginPort" : 51000}. 2. Place pluginCustomization.json in the folders /netscaler/ns_gui/vpn and /var/netscaler/gui/vpn. | Avoids conflicts that can arise when ports are used to create sockets between the Citrix Secure Access client and third party apps on the client machine. The allowed range is 49152–64535 (C000 to FC17 in hexadecimal). The VPN client uses up to 1000 ports starting from SicBeginPort, and only if EnableWFP is also set to 1. | No default value; configured for a custom solution. |
| userCertCAList | REG_SZ | Admin can deploy this registry through GPO using GPMC or SCCM push. | Used with the Always On service; specifies the list of CAs from which the client certificate is chosen. | No default value; configured for a custom solution. |

    Note:

    *Use the following command to apply AlwaysOnURL, AlwaysOn, ClientControl, and locationDetection registry keys using CLI:

    add alwaysONProfile <alwaysONProfileName> -clientControl ( ALLOW | DENY ) -locationBasedVPN ( Remote | Everywhere ) -networkAccessOnVPNFailure ( onlyToGateway | fullAccess )

    Important:

    • You can apply registry keys based on your deployments. For example, the AlwaysOnService registry key is applicable only to the Always on service whereas the ClientControl registry key is not applicable to the Always on service. Refer to the individual deployment documentation for more details.

    • secureDNSUpdate is applicable only for domain joined client devices.

    • For Citrix Secure Access client for Windows 23.1.1.8 and later versions, the registry key name is overrideIPV6DnsDrop. For Citrix Secure Access client for Windows 22.10.1.9 and prior versions, the registry key name is overrideIP6DnsDrop.

    • From Citrix Secure Access client for Windows 24.8.1.15, the registry keys DisableGA, ForcedLogging, and OverrideSpoofIPRange are deprecated.

    • From Citrix Secure Access client for Windows 24.8.1.19, admin can enable cloud-hosted multi-session VDI in Secure Private Access using the EnableMultiSessionFlow registry for contextual access to resources based on their location, device, and other factors. For domain-joined machines, use both EnableMultiSessionFlow and AlwaysOnService registries.

    • For the Citrix Secure Access client for Windows versions prior to 24.8.1.19, admin can enable Microsoft Edge WebView using the EnableEdgeWebview registry.
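The following PowerShell script is an added example and is not part of the Citrix documentation or product: it reads the keys listed in the table above from the HKEY_LOCAL_MACHINE path the page gives and reports settings that weaken Always On enforcement or contradict each other (for example SicBeginPort without EnableWFP). The allowlist check assumes IPv4 addresses and dotted FQDNs, which is an assumption, not a rule stated on the page.

```powershell
# Added audit example, not Citrix code. Reads the Secure Access Client keys
# described above and reports weak or inconsistent values. Read-only.
$base = 'HKLM:\SOFTWARE\Citrix\Secure Access Client'   # path from the documentation
$findings = @()

function Get-SacValue([string]$Name, [string]$Path = $base) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent
    return $item.$Name
}

# AlwaysOn: 1 allows network access when the VPN fails, 2 blocks it.
if ((Get-SacValue 'AlwaysOn') -eq 1) {
    $findings += 'AlwaysOn=1: network access is allowed on VPN failure'
}

# AlwaysOnAllowlist: semicolon separated FQDNs, IP addresses or IP ranges.
# Assumption: IPv4 only; anything else is reported for manual review.
$ipv4  = '(\d{1,3}\.){3}\d{1,3}'
$allow = Get-SacValue 'AlwaysOnAllowlist'
if ($allow) {
    foreach ($entry in ($allow -split ';' | Where-Object { $_ })) {
        if ($entry -notmatch "^$ipv4(-$ipv4)?$" -and
            $entry -notmatch '^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$') {
            $findings += "AlwaysOnAllowlist entry not recognised as FQDN/IP/range: $entry"
        }
    }
}

# ClientControl=1 lets users log out or connect to other gateways.
if ((Get-SacValue 'ClientControl') -eq 1) {
    $findings += 'ClientControl=1: users can log out or switch gateways'
}

# SicBeginPort must lie in 49152-64535 and is only honoured when EnableWFP=1.
$sic = Get-SacValue 'SicBeginPort'
if ($null -ne $sic) {
    if ($sic -lt 49152 -or $sic -gt 64535) { $findings += "SicBeginPort=$sic is outside 49152-64535" }
    if ((Get-SacValue 'EnableWFP') -ne 1) { $findings += 'SicBeginPort is set but EnableWFP is not 1, so it is ignored' }
}

# ConfigSize grows in steps of 5 x 64 KB = 327680 bytes per additional 64 KB.
$cfg = Get-SacValue 'ConfigSize'
if ($null -ne $cfg -and ($cfg % 327680) -ne 0) {
    $findings += "ConfigSize=$cfg is not a multiple of 327680"
}

# EnableAutoUpdate lives in the AutoUpdate subkey, not in the base key.
if ((Get-SacValue 'EnableAutoUpdate' "$base\AutoUpdate") -eq 0) {
    $findings += 'EnableAutoUpdate=0: plug-in auto-update is disabled'
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```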