
NetScaler Gateway Windows VPN client registry keys

The VPN client registry keys are available under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client. The following table lists the NetScaler Gateway VPN client registry keys, values, and a brief description of each value.

Each entry lists the registry key, its registry type, the registry control (how the key is set), and its values and description.

addedRoutes/modifiedRoutes
  Registry type: REG_SZ
  Registry control: Managed by Citrix Secure Access client.
  Values and description: Created for internal plug-in communication. Users must not modify this key.

AlwaysOnService
  Registry type: REG_DWORD
  Registry control: Admin can deploy this registry through Group Policy Object (GPO) using Group Policy Management Console (GPMC) or System Center Configuration Manager (SCCM) push.
  Values and description:
  • 1 => Establish a machine level tunnel but not a user level tunnel.
  • 2 => Establish either a machine level tunnel or a user level tunnel at any given time.
  • 3 => Establish both a machine level tunnel and a user level tunnel to enable multi-session OS in Secure Private Access for domain-joined machines.
    Note: Multi-session OS feature support is in preview.

AlwaysOnURL
  Registry type: REG_SZ
  Registry control: You can control this registry in one of the following two ways.
  • Admin can deploy this registry through GPO using GPMC or SCCM push, or
  • Using CLI. For more information, see note*.
  Values and description: URL of the NetScaler Gateway virtual server the user wants to connect to. Example: https://xyz.companyDomain.com

AlwaysOn
  Registry type: REG_DWORD
  Registry control: Using CLI. For more information, see note*.
  Values and description:
  • 1 => Allow network access on VPN failure.
  • 2 => Block network access on VPN failure.

AlwaysOnAllowlist
  Registry type: REG_SZ
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description: Semicolon-separated list of IP addresses or FQDNs allowed by the driver in Always On strict mode. Examples: *.microsoft.com, groupinfra.com

ClientControl
  Registry type: REG_DWORD
  Registry control: Using CLI. For more information, see note*.
  Values and description:
  • 1 => Allows users to log out or connect to other gateways.
  • 0 => Blocks users from logging out or connecting to other gateways.

ConfigSize
  Registry type: REG_DWORD
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push. This registry is used only for Citrix Secure Private Access (SPA).
  Values and description: The Windows client supports a 64 KB configuration file size by default. Use this registry to increase the configuration file size.
    If the configuration file size exceeds the default value of 64 KB, set the ConfigSize registry value to 5 times 64 KB (in bytes) for each additional 64 KB.
    For example, if you are adding an additional 64 KB, set the registry value to 64 x 1024 x 5 = 327680. Similarly, if you are adding 128 KB, set the registry value to 64 x 1024 x (5+5) = 655360.

Connected
  Registry type: REG_DWORD
  Registry control: Managed by Citrix Secure Access client.
  Values and description: On successful connection this key is set to 1; otherwise it is set to 0. This key is used internally. Users must not modify this key.

DisableCredProv
  Registry type: REG_DWORD
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description: When AlwaysOn VPN before Windows Logon is enabled, the Windows VPN plug-in adds the credential provider to display the tunnel status on the logon screen. If you do not need this additional functionality, create this registry and set it to 1.

DisableIconHide
  Registry type: REG_DWORD
  Registry control: Using CLI: set vpn parameter iconWithReceiver ON
  Values and description:
  • 1 => The Citrix Workspace app and the NetScaler Gateway plug-in are displayed on the taskbar.
  • 0 => The NetScaler Gateway plug-in icon is integrated with Citrix Workspace app for Windows. The NetScaler Gateway plug-in is not visible on the taskbar while the full VPN session is running.

DisableDNSRoutes
  Registry type: REG_DWORD
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description:
  • 0 => Default value. The VPN plug-in adds routes for DNS servers if they are different from the default gateway for a physical interface. However, depending on the Windows client machine topology, DNS server routes might not always be required.
  • 1 => The VPN plug-in does not add explicit routes for the DNS servers.

DisallowCaptivePortals
  Registry type: REG_DWORD
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description:
  • 1 => The VPN plug-in checks for captive portals by trying to connect to the Microsoft Connect test page before starting a VPN session.
  • 0 => The VPN plug-in skips the captive portal check.

DisableIntuneDeviceEnrollment
  Registry type: REG_DWORD
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description: If set to 1, Intune device enrollment is not performed.

EnableAutoUpdate
  Registry type: REG_DWORD
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description: Used to control the plug-in update functionality from the client side.
  • 0 => Disable the auto-update functionality.
  • 1 => Respect the ADC configuration.

EnableKerberosAuth
  Registry type: REG_DWORD
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description:
  • 0 => Default value.
  • 1 => The VPN client uses the Kerberos authentication method for auto-logon.

EnableMultiSessionFlow
  Registry type: REG_DWORD
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description:
  • 0 => Disable access to multi-session OS in Secure Private Access.
  • 1 => Enable access to multi-session OS in Secure Private Access.

EnableTCPDNS
  Registry type: REG_DWORD
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description:
  • 0 => Disables split DNS support for TCP-based DNS requests.
  • 1 => Enables split DNS support for TCP-based DNS requests.

EnableVA
  Registry type: REG_DWORD
  Registry control: Managed by Citrix Secure Access client.
  Values and description: This key is used internally to record whether the Citrix Virtual Adapter must be enabled when IIP is present. Users must not modify this key.

EnableWFP
  Registry type: REG_DWORD
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push, or through a feature flag.
  Values and description: The default value is 0, so DNE is enabled by default.
  • 1 => The VPN plug-in uses WFP.
  • 0 => The VPN plug-in uses DNE.

ExcludeDomainsFromRemoteDns
  Registry type: REG_SZ
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description: Excludes DNS resolution from being performed by Citrix Secure Access client through a remote DNS server.
    If example.com is an intranet domain and you want to exclude specific applications such as sshhost.example.com, rdphost.example.com, or *.ftphost.example.com, use this registry. *.ftphost.example.com is a wildcard pattern that matches any subdomain under ftphost.example.com.
    Adjust the domain names and patterns according to your requirements. After making the changes, restart Citrix Secure Access or the system for the settings to take effect.

ExcludeDomainsFromTunnel (Preview)
  Registry type: REG_SZ
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description: Excludes traffic for specific domains from being tunneled through the Citrix Secure Access client. If example.com is an intranet domain and you want to exclude specific applications such as sshhost.example.com, rdphost.example.com, or *.ftphost.example.com, use this registry. Set the registry value to a comma-separated list of domain names or patterns.

HttpTimeout
  Registry type: REG_DWORD
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description: HTTP timeout, in seconds. If no timeout is configured, the default timeout is used. The default timeout value is 100 seconds, based on Windows standards.

InstallDir
  Registry type: REG_SZ
  Registry control: Managed by Citrix Secure Access client.
  Values and description: Location where the Citrix Secure Access client is installed.

locationDetection
  Registry type: REG_DWORD
  Registry control: Using CLI. For more information, see note*.
  Values and description:
  • 1 => Enable location detection.
  • 0 => Disable location detection.

NoDHCPRoute
  Registry type: REG_DWORD
  Registry control:
  1. On the NetScaler appliance, create a new file named pluginCustomization.json with the content { "NoDHCPRoute" : true }.
  2. Place the pluginCustomization.json file in the folders /netscaler/ns_gui/vpn and /var/netscaler/gui/vpn.
  Values and description: If set to 1, the DHCP server route is not added.

overrideIPV6DnsDrop
  Registry type: REG_DWORD
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description:
  • 1 => Allow IPv6 DNS traffic to flow over the VPN.
  • 0 => Restrict IPv6 DNS traffic flow.

ProductVersion
  Registry type: REG_SZ
  Registry control: Managed by Citrix Secure Access client.
  Values and description: Currently installed version of Citrix Secure Access client.

ProductCode
  Registry type: REG_SZ
  Registry control: Managed by Citrix Secure Access client.
  Values and description: This key is used internally. Users must not modify this key.

secureDNSUpdate
  Registry type: REG_DWORD
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description:
  • 0 => The VPN plug-in tries only the unsecure DNS update.
  • 1 => The VPN plug-in tries the unsecure DNS update first. If the unsecure DNS update fails, the VPN plug-in then tries the secure DNS update. This is the default behavior starting from the 21.3.1.2 Windows plug-in build.
  • 2 => The VPN plug-in tries only the secure DNS update.

SecureChannelResetTimeoutSeconds
  Registry type: REG_DWORD
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description: By default, this registry value is not set or added. When the value of SecureChannelResetTimeoutSeconds is 0xFFFFFFFF or not present in the registry, the VPN plug-in waits for the SecureChannelReset() API call to complete before starting to tunnel data traffic. This is the default behavior. Admin must set this registry on the client for the VPN plug-in to start tunneling data traffic after waiting the specified time for the API call to complete.

SecureAccessLogInScript
  Registry type: REG_SZ
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description: Citrix Secure Access service reads the login script configuration from this registry key when it connects to Citrix Secure Private Access service. For details, see Login and logout script configuration registries.

SecureAccessLogOutScript
  Registry type: REG_SZ
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description: Citrix Secure Access service reads the logout script configuration from this registry key when it connects to Citrix Secure Private Access service. For details, see Login and logout script configuration registries.

suffixList
  Registry type: REG_SZ
  Registry control: Using CLI: add dns suffix
  Values and description: Semicolon-separated list of intranet domains. Used when location detection is enabled.

SicBeginPort
  Registry type: REG_DWORD
  Registry control:
  1. On the NetScaler appliance, create a new file named pluginCustomization.json with the content { "SicBeginPort" : 51000 }.
  2. Place the pluginCustomization.json file in the folders /netscaler/ns_gui/vpn and /var/netscaler/gui/vpn.
  Values and description: Avoids conflicts that might arise when ports are used to create sockets between Citrix Secure Access client and third-party apps on the client machines. The allowed range is 49152–64535 (C000 to FC17 in hexadecimal). The VPN client uses up to 1000 ports starting from SicBeginPort, and only if EnableWFP is also set to 1.

userCertCAList
  Registry type: REG_SZ
  Registry control: Admin can deploy this registry through GPO using GPMC or SCCM push.
  Values and description: Used in the context of the Always On service, where a customer can specify the list of CAs from which the client certificate is chosen.

Note:

*Use the following command to apply the AlwaysOnURL, AlwaysOn, ClientControl, and locationDetection registry keys using the CLI:

    add alwaysONProfile <alwaysONProfileName> -clientControl ( ALLOW | DENY ) -locationBasedVPN ( Remote | Everywhere ) -networkAccessOnVPNFailure ( onlyToGateway | fullAccess )

    Important:

• Apply registry keys according to your deployment. For example, the AlwaysOnService registry key applies only to the Always On service, whereas the ClientControl registry key does not apply to the Always On service. Refer to the individual deployment documentation for more details.

    • secureDNSUpdate is applicable only for domain joined client devices.

    • For Citrix Secure Access client for Windows 23.1.1.8 and later versions, the registry key name is overrideIPV6DnsDrop. For Citrix Secure Access client for Windows 22.10.1.9 and prior versions, the registry key name is overrideIP6DnsDrop.

    • From Citrix Secure Access client for Windows 24.8.1.15, the registry keys DisableGA, ForcedLogging, and OverrideSpoofIPRange are deprecated.

    • From Citrix Secure Access client for Windows 24.8.1.19, admin can enable cloud-hosted multi-session VDI in Secure Private Access using the EnableMultiSessionFlow registry for contextual access to resources based on their location, device, and other factors. For domain-joined machines, use both EnableMultiSessionFlow and AlwaysOnService registries.
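The following PowerShell script is an added example, not Citrix code: it audits the keys listed above under HKLM\SOFTWARE\Citrix\Secure Access Client against a baseline and reports keys that are missing or have drifted, so a deployed GPO or SCCM configuration can be verified on a client. The baseline values, the ConfigSize helper, and the SicBeginPort range check are this example's own assumptions drawn from the table; adjust the baseline to your deployment.

```powershell
# Added example (not Citrix code): audit Secure Access Client registry keys against a baseline.
$KeyPath = 'HKLM:\SOFTWARE\Citrix\Secure Access Client'

# Assumed baseline for a strict Always On deployment; values are taken from the table above.
$Baseline = @{
    AlwaysOn               = 2   # block network access on VPN failure
    ClientControl          = 0   # users cannot log out or connect to other gateways
    DisallowCaptivePortals = 1   # check for captive portals before starting a session
    EnableAutoUpdate       = 1   # respect the ADC configuration
    secureDNSUpdate        = 1   # unsecure DNS update first, then secure (default since 21.3.1.2)
    EnableWFP              = 1   # use WFP rather than DNE
}

function Get-ConfigSizeValue {
    # ConfigSize in bytes for N additional 64 KB blocks, per the table: 64 x 1024 x (5 x N).
    # N = 1 gives 327680, N = 2 gives 655360.
    param([int]$AdditionalBlocksOf64KB)
    return 64 * 1024 * (5 * $AdditionalBlocksOf64KB)
}

function Test-SicBeginPort {
    # SicBeginPort must fall within the allowed range 49152-64535 (0xC000-0xFC17).
    param([int]$Port)
    return ($Port -ge 49152 -and $Port -le 64535)
}

function Test-SecureAccessBaseline {
    param([string]$Path = $KeyPath, [hashtable]$Expected = $Baseline)
    if (-not (Test-Path $Path)) { throw "Registry key not found: $Path" }
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        # A missing value produces a non-terminating error; suppress it and treat as $null.
        $item   = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.$name } else { $null }
        $status = if ($null -eq $actual)               { 'MISSING' }
                  elseif ($actual -eq $Expected[$name]) { 'OK' }
                  else                                  { 'DRIFT' }
        [pscustomobject]@{ Key = $name; Expected = $Expected[$name]; Actual = $actual; Status = $status }
    }
}

# Run elevated on a managed client; any row not marked OK needs attention.
Test-SecureAccessBaseline | Format-Table -AutoSize
```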
