Gateway

NetScaler Gateway Windows VPN client registry keys

August 1, 2025

Contributed by:

C H

The VPN client registry keys are available under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client. The following table lists the NetScaler Gateway VPN client registry keys, values, and a brief description of each value.

Registry key	Registry type	Registry control	Values and description	Default value
addedRoutes/modifiedRoutes	REG_SZ	Managed by Citrix Secure Access client.	Created for internal plug-in communication. Users must not modify this key.	This registry does not have a default value.
AlwaysOnService	REG_DWORD	Admin can deploy this registry through Group Policy Object (GPO) using Group Policy Management Console (GPMC) or System Center Configuration Manager (SCCM) push.	1 => Establish a machine level tunnel but not a user level tunnel. 2 => Establish either a machine level tunnel or user level tunnel at any given time. 3 => Establish both machine level tunnel and user level tunnel to enable multi-session OS in Citrix Secure Private Access for domain joined machines. Note: Multi-session OS feature support is in preview.	This registry does not have a default value.



AlwaysOnURL	REG_SZ	You can control this registry by one of the following two ways. Admin can deploy this registry through GPO using GPMC or SCCM push (or) Using CLI. For more information, see note*.	URL of the NetScaler Gateway virtual server the user wants to connect to. Example: `https://xyz.companyDomain.com`	This registry does not have a default value as it is configured for a custom solution.


AlwaysOn	REG_DWORD	Using CLI. For more information, see note*.	1 => Allow network access on VPN failure. 2=> Block network access on VPN failure.	This registry does not have a default value.
AlwaysOn	REG_DWORD	Using CLI. For more information, see note*.		This registry does not have a default value.
AlwaysOnAllowlist	REG_SZ	Admin can deploy this registry through GPO using GPMC or SCCM push.	Semicolon separated list of FQDNs, IP address ranges, or IP addresses allowed by the driver in Always On strict mode. Examples: `example.citrix.com;192.0.2.0;192.0.2.100-192.0.2.255`	empty or NULL
ClientControl	REG_DWORD	Using CLI. For more information, see note*.	1 => Allows users to log out or connect to other gateways. 0 => Blocks users to log out or connect to other gateways.	1
ClientControl	REG_DWORD	Using CLI. For more information, see note*.		1
ConfigSize	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push. This registry is used only for Citrix Secure Private Access.	Windows client supports 64 KB configuration file size by default. Use this registry to increase configuration file size. If the configuration file size exceeds the default value of 64 KB, set the `ConfigSize` registry value to 5 times 64 KB (in bytes) for each additional 64 KB. For example, if you are adding an additional 64 KB, then you must set the registry value to 64 x 1024 x 5 = 327680. Similarly, if you are adding 128 KB, then you must set the registry value to 64 x 1024 x (5+5) = 655360.	64 KB


Connected	REG_DWORD	Managed by Citrix Secure Access client.	On successful connection this key is set to 1, if not, it is set to 0. This key is used internally. Users must not modify this key.	This registry does not have a default value.
DisableCredProv	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	When AlwaysOn VPN before Windows Logon is enabled, the Windows VPN plug-in adds the credential provider to display the tunnel status on the logon screen. If you do not need this additional functionality, create and set this registry to 1.	0
DisableIconHide	REG_DWORD	Using CLI: `set vpn parameter iconWithReceiver ON`	1 => The Citrix Workspace app and the NetScaler Gateway plug-in are displayed on the taskbar. 0 => The NetScaler Gateway plug-in icon is integrated with Citrix Workspace app for Windows. The NetScaler Gateway plug-in is not visible on the taskbar when the full VPN session is running.	0
DisableIconHide	REG_DWORD	Using CLI: `set vpn parameter iconWithReceiver ON`		0
DisableDNSRoutes	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	0 => Default value. The VPN plug-in adds routes for DNS servers if they are different from the default gateway for a physical interface. However, based on the Windows client machine network topology, DNS server routes might not be always required. 1 => The VPN plug-in does not add explicit routes for the DNS servers.	0
DisableDNSRoutes	REG_DWORD			0
DisallowCaptivePortals	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	1 => VPN plug-in checks for captive portals by trying to connect to the Microsoft Connect test page before starting a VPN session. 0 => VPN plug-in skips the captive portals check.	0
DisallowCaptivePortals	REG_DWORD			0
DisableIntuneDeviceEnrollment	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	If set to 1, Intune device enrollment is not performed.	0
EnableAutoUpdate	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	Used to control plug-in update functionality from the client side. 0 => Disable auto-update functionality. 1 => Enable auto-update functionality. Note: This registry key is available under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\AutoUpdate.	1




EnableEdgeWebview	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	0 => Disable Microsoft Edge WebView. 1 => Enable Microsoft Edge WebView.	1
EnableEdgeWebview	REG_DWORD			1
EnableKerberosAuth	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	0 => Default value. 1 => VPN client uses the Kerberos authentication method for auto-logon.	0
EnableKerberosAuth	REG_DWORD			0
EnableMultiSessionFlow	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	0 => Disable access to multi-session OS in Citrix Secure Private Access 1 => Enable access to multi-session OS in Citrix Secure Private Access	This registry does not have a default value as it is configured for a custom solution.
EnableMultiSessionFlow	REG_DWORD
EnableTCPDNS	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	0 => Disables split DNS support for TCP based DNS requests. 1 => Enables split DNS support for TCP based DNS requests.	1
EnableTCPDNS	REG_DWORD			1
EnableVA	REG_DWORD	Managed by Citrix Secure Access client.	This key is used internally, if the Citrix Virtual adapter must be enabled when IIP is present. Users must not modify this key.	1
EnableWFP	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push or through feature flag.	1 => VPN plug-in uses WFP. Starting from the Citrix Secure Access client for Windows release 25.1.1.27, WFP is enabled by default. 0 => VPN plug-in uses DNE.	1
EnableWFP	REG_DWORD			1
ExcludeDomainsFromRemoteDns	REG_SZ	Admin can deploy this registry through GPO using GPMC or SCCM push.	Excludes DNS resolution from being performed by Citrix Secure Access client through a remote DNS server. If `example.com` is an intranet domain and you want to exclude specific applications like `sshhost.example.com`, `rdphost.example.com`, or `.ftphost.example.com`, use this registry. `.ftphost.example.com` is a wildcard pattern that matches any subdomain under `ftphost.example.com`. Ensure to adjust the domain names and patterns according to your requirements. Once you have made the changes, restart Citrix Secure Access or the system for the settings to take effect.	This registry does not have a default value as it is configured for a custom solution.


ExcludeDomainsFromTunnel (Preview)	REG_SZ	Admin can deploy this registry through GPO using GPMC or SCCM push.	Excludes traffic of specific domains from being tunneled via the Citrix Secure Access client. If `example.com` is an intranet domain and you want to exclude specific applications like `sshhost.example.com`, `rdphost.example.com`, or `*.ftphost.example.com`, use this registry. Ensure to set the registry value to a comma-separated list of domain names or patterns.	This registry does not have a default value as it is configured for a custom solution.
HttpTimeout	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	HTTP timeout is configured in seconds. If timeout is not configured, the default timeout is used. The default timeout value is 100 seconds, based on Windows standards.	100 seconds
InstallDir	REG_SZ	Managed by Citrix Secure Access client.	Location where the Citrix Secure Access client is installed.	“C:\Program Files\Citrix\Secure Access Client”
locationDetection	REG_DWORD	Using CLI. For more information, see note*.	1 => To enable location detection. 0 => To disable location detection.	This registry does not have a default value and is configured only when Always On mode is enabled.
locationDetection	REG_DWORD	Using CLI. For more information, see note*.
NoDHCPRoute	REG_DWORD	From the NetScaler appliance, create a new file named `pluginCustomization.json` with the value `\{ "NoDHCPRoute" : true }`. Place the `pluginCustomization.json` file in the folders /netscaler/ns_gui/vpn and /var/netscaler/gui/vpn.	If set to 1, the DHCP server route is not added.	This registry has no default value as it is customized based on the network topology.
NoDHCPRoute	REG_DWORD		If set to 1, the DHCP server route is not added.
overrideIPV6DnsDrop	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	1 => Allow IPv6 DNS traffic to flow over VPN. 0 => Restrict IPv6 DNS traffic flow.	This registry has no default value as it is customized based on the network topology.
overrideIPV6DnsDrop	REG_DWORD
ProductVersion	REG_SZ	Managed by Citrix Secure Access client.	Currently installed version of Citrix Secure Access client.	Product version information
ProductCode	REG_SZ	Managed by Citrix Secure Access client.	This key is used internally. Users must not modify this key.	{B04137FF-B5C9-4058-ACEB-04118790118D}
secureDNSUpdate	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	0 => The VPN plug-in tries only the unsecure DNS update. 1 => The VPN plug-in tries the unsecure DNS update first. If the unsecure DNS update fails, the VPN plug-in then tries the secure DNS update. This is the default behavior starting from the 21.3.1.2 Windows plug-in build. 2 => The VPN plug-in tries only the secure DNS update.	1


SecureChannelResetTimeoutSeconds	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	By default, this registry value is not set or added. When the value of `SecureChannelResetTimeoutSeconds` is `0xFFFFFFFF` or not present in the registry, the VPN plug-in waits for the `SecureChannelReset()` API call to complete before starting to tunnel data traffic. This is the default behavior. Admin must set this registry on the client for the VPN plug-in to start tunneling data traffic after waiting the specified time for the API call to complete.	This registry does not have a default value as it is configured for a custom solution.
SecureAccessLogInScript	REG_SZ	Admin can deploy this registry through GPO using GPMC or SCCM push.	Citrix Secure Access service accesses the login script configuration using this registry key when it connects to Citrix Secure Private Access service. For details, see Login and logout script configuration registries.	This registry does not have a default value as it is configured for a custom solution.
SecureAccessLogOutScript	REG_SZ	Admin can deploy this registry through GPO using GPMC or SCCM push.	Citrix Secure Access service accesses the logout script configuration using this registry key when it connects to Citrix Secure Private Access service. For details, see Login and logout script configuration registries.	This registry does not have a default value as it is configured for a custom solution.
suffixList	REG_SZ	Using CLI: `add dns suffix`	Semicolon list of intranet domains. Used when location detection is enabled.	Retrieves the value from the DNS suffix configured on the server.
SicBeginPort	REG_DWORD	From the NetScaler appliance, create a new file named `pluginCustomization.json` with the value `\{"SicBeginPort" : 51000}`. Place the `pluginCustomization.json` file in the folders /netscaler/ns_gui/vpn and /var/netscaler/gui/vpn.	Avoids conflicts that might arise when you use ports to create sockets between Citrix Secure Access client and third party apps on the client machines. The allowed range is 49152–64535 (C000 to FC17 in hexadecimal format). The VPN client uses up to 1000 ports starting from `SicBeginPort` only if `EnableWFP` is also set to `1`.	This registry does not have a default value as it is configured for a custom solution.
SicBeginPort	REG_DWORD
userCertCAList	REG_SZ	Admin can deploy this registry through GPO using GPMC or SCCM push.	Used in the context of the Always On service where a customer can specify the list of CAs to choose the client certificate from.	This registry does not have a default value as it is configured for a custom solution.

Note:

*Use the following command to apply AlwaysOnURL, AlwaysOn, ClientControl, and locationDetection registry keys using CLI:

add alwaysONProfile <alwaysONProfileName>-clientControl ( ALLOW | DENY )-locationBasedVPN ( Remote | Everywhere )-networkAccessOnVPNFailure ( onlyToGateway | fullAccess )

Important:

You can apply registry keys based on your deployments. For example, the AlwaysOnService registry key is applicable only to the Always on service whereas the ClientControl registry key is not applicable to the Always on service. Refer to the individual deployment documentation for more details.
secureDNSUpdate is applicable only for domain joined client devices.
For Citrix Secure Access client for Windows 23.1.1.8 and later versions, the registry key name is overrideIPV6DnsDrop. For Citrix Secure Access client for Windows 22.10.1.9 and prior versions, the registry key name is overrideIP6DnsDrop.
From Citrix Secure Access client for Windows 24.8.1.15, the registry keys DisableGA, ForcedLogging, and OverrideSpoofIPRange are deprecated.
From Citrix Secure Access client for Windows 24.8.1.19, admin can enable cloud-hosted multi-session VDI in Secure Private Access using the EnableMultiSessionFlow registry for contextual access to resources based on their location, device, and other factors. For domain-joined machines, use both EnableMultiSessionFlow and AlwaysOnService registries.
For the Citrix Secure Access client for Windows versions prior to 24.8.1.19, admin can enable Microsoft Edge WebView using the EnableEdgeWebview registry.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

NetScaler Secure Deployment Guide

NetScaler Gateway Windows VPN client registry keys

August 1, 2025

Contributed by:

C H

August 1, 2025

Contributed by:

C H

NetScaler Gateway Windows VPN client registry keys

In this article