Gateway

NetScaler Gateway Windows VPN client registry keys

October 11, 2024

Contributed by:

C H C

The VPN client registry keys are available under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client. The following table lists the NetScaler Gateway VPN client registry keys, values, and a brief description of each value.

Registry key	Registry type	Registry control	Values and description
addedRoutes/modifiedRoutes	REG_SZ	Managed by Citrix Secure Access client.	Created for internal plug-in communication. Users must not modify this key.
AlwaysOnService	REG_DWORD	Admin can deploy this registry through Group Policy Object (GPO) using Group Policy Management Console (GPMC) or System Center Configuration Manager (SCCM) push.	1 => Establish a machine level tunnel but not a user level tunnel. 2 => Establish either a machine level tunnel or user level tunnel at any given time. 3 => Establish both machine level tunnel and user level tunnel to enable multi-session OS in Secure Private Access for domain joined machines. Note: Multi-session OS feature support is in preview.



AlwaysOnURL	REG_SZ	You can control this registry by one of the following two ways. Admin can deploy this registry through GPO using GPMC or SCCM push (or) Using CLI. For more information, see note*.	URL of the NetScaler Gateway virtual server the user wants to connect to. Example: `https://xyz.companyDomain.com`


AlwaysOn	REG_DWORD	Using CLI. For more information, see note*.	1 => Allow network access on VPN failure. 2=> Block network access on VPN failure.
AlwaysOn	REG_DWORD	Using CLI. For more information, see note*.
AlwaysOnAllowlist	REG_SZ	Admin can deploy this registry through GPO using GPMC or SCCM push.	Semicolon separated list of IP addresses or FQDNs allowed by the driver in Always On strict mode. Examples: `*.microsoft.com`, `groupinfra.com`
ClientControl	REG_DWORD	Using CLI. For more information, see note*.	1 => Allows users to log out or connect to other gateways. 0 => Blocks users to log out or connect to other gateways.
ClientControl	REG_DWORD	Using CLI. For more information, see note*.
ConfigSize	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push. This registry is used only for Citrix Secure Private Access (SPA).	Windows client supports 64 KB configuration file size by default. Use this registry to increase configuration file size. If the configuration file size exceeds the default value of 64 KB, set the `ConfigSize` registry value to 5 times 64 KB (in bytes) for each additional 64 KB. For example, if you are adding an additional 64 KB, then you must set the registry value to 64 x 1024 x 5 = 327680. Similarly, if you are adding 128 KB, then you must set the registry value to 64 x 1024 x (5+5) = 655360.


Connected	REG_DWORD	Managed by Citrix Secure Access client.	On successful connection this key is set to 1, if not, it is set to 0. This key is used internally. Users must not modify this key.
DisableCredProv	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	When AlwaysOn VPN before Windows Logon is enabled, the Windows VPN plug-in adds the credential provider to display the tunnel status on the logon screen. If you do not need this additional functionality, create and set this registry to 1.
DisableIconHide	REG_DWORD	Using CLI: `set vpn parameter iconWithReceiver ON`	1 => The Citrix Workspace app and the NetScaler Gateway plug-in are displayed on the taskbar. 0 => The NetScaler Gateway plug-in icon is integrated with Citrix Workspace app for Windows. The NetScaler Gateway plug-in is not visible on the taskbar when the full VPN session is running.
DisableIconHide	REG_DWORD	Using CLI: `set vpn parameter iconWithReceiver ON`
DisableDNSRoutes	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	0 => Default value. The VPN plug-in adds routes for DNS servers if they are different from the default gateway for a physical interface. However, based on the Windows client machine topology, DNS server routes might not be always required. 1 => The VPN plug-in does not add explicit routes for the DNS servers.
DisableDNSRoutes	REG_DWORD
DisallowCaptivePortals	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	1 => VPN plug-in checks for captive portals by trying to connect to the Microsoft Connect test page before starting a VPN session. 0 => VPN plug-in skips the captive portals check.
DisallowCaptivePortals	REG_DWORD
DisableIntuneDeviceEnrollment	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	If set to 1, Intune device enrollment is not performed.
EnableAutoUpdate	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	Used to control plug-in update functionality from the client side. 0 => Disable auto-update functionality. 1 => Respect ADC configuration.


EnableKerberosAuth	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	0 => Default value. 1 => VPN client uses the Kerberos authentication method for auto-logon.
EnableKerberosAuth	REG_DWORD
EnableMultiSessionFlow	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	0 => Disable access to multi-session OS in Secure Private Access 1 => Enable access to multi-session OS in Secure Private Access
EnableMultiSessionFlow	REG_DWORD
EnableTCPDNS	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	0 => Disables split DNS support for TCP based DNS requests. 1 => Enables split DNS support for TCP based DNS requests.
EnableTCPDNS	REG_DWORD
EnableVA	REG_DWORD	Managed by Citrix Secure Access client.	This key is used internally, if the Citrix Virtual adapter must be enabled when IIP is present. Users must not modify this key.
EnableWFP	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push or through feature flag.	The default value is 0 and by default, DNE is enabled. 1 => VPN plug-in uses WFP. 0 => VPN plug-in uses DNE.


ExcludeDomainsFromRemoteDns	REG_SZ	Admin can deploy this registry through GPO using GPMC or SCCM push.	Excludes DNS resolution from being performed by Citrix Secure Access client through a remote DNS server. If `example.com` is an intranet domain and you want to exclude specific applications like `sshhost.example.com`, `rdphost.example.com`, or `.ftphost.example.com`, use this registry. `.ftphost.example.com` is a wildcard pattern that matches any subdomain under `ftphost.example.com`. Ensure to adjust the domain names and patterns according to your requirements. Once you have made the changes, restart Citrix Secure Access or the system for the settings to take effect.


ExcludeDomainsFromTunnel (Preview)	REG_SZ	Admin can deploy this registry through GPO using GPMC or SCCM push.	Excludes traffic of specific domains from being tunneled via the Citrix Secure Access client. If `example.com` is an intranet domain and you want to exclude specific applications like `sshhost.example.com`, `rdphost.example.com`, or `*.ftphost.example.com`, use this registry. Ensure to set the registry value to a comma-separated list of domain names or patterns.
HttpTimeout	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	HTTP timeout is configured in seconds. If timeout is not configured, the default timeout is used. The default timeout value is 100 seconds, based on Windows standards.
InstallDir	REG_SZ	Managed by Citrix Secure Access client.	Location where the Citrix Secure Access client is installed.
locationDetection	REG_DWORD	Using CLI. For more information, see note*.	1 => To enable location detection. 0 => To disable location detection.
locationDetection	REG_DWORD	Using CLI. For more information, see note*.
NoDHCPRoute	REG_DWORD	From the NetScaler appliance, create a new file named `pluginCustomization.json` with the value `\{ "NoDHCPRoute" : true }`. Place the `pluginCustomization.json` file in the folders /netscaler/ns_gui/vpn and /var/netscaler/gui/vpn.	If set to 1, the DHCP server route is not added.
NoDHCPRoute	REG_DWORD		If set to 1, the DHCP server route is not added.
overrideIPV6DnsDrop	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	1 => Allow IPv6 DNS traffic to flow over VPN. 0 => Restrict IPv6 DNS traffic flow.
overrideIPV6DnsDrop	REG_DWORD
ProductVersion	REG_SZ	Managed by Citrix Secure Access client.	Currently installed version of Citrix Secure Access client.
ProductCode	REG_SZ	Managed by Citrix Secure Access client.	This key is used internally. Users must not modify this key.
secureDNSUpdate	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	0 => The VPN plug-in tries only the unsecure DNS update. 1 => The VPN plug-in tries the unsecure DNS update first. If the unsecure DNS update fails, the VPN plug-in then tries the secure DNS update. This is the default behavior starting from the 21.3.1.2 Windows plug-in build. 2 => The VPN plug-in tries only the secure DNS update.


SecureChannelResetTimeoutSeconds	REG_DWORD	Admin can deploy this registry through GPO using GPMC or SCCM push.	By default, this registry value is not set or added. When the value of `SecureChannelResetTimeoutSeconds` is `0xFFFFFFFF` or not present in the registry, the VPN plug-in waits for the `SecureChannelReset()` API call to complete before starting to tunnel data traffic. This is the default behavior. Admin must set this registry on the client for the VPN plug-in to start tunneling data traffic after waiting the specified time for the API call to complete.
SecureAccessLogInScript	REG_SZ	Admin can deploy this registry through GPO using GPMC or SCCM push.	Citrix Secure Access service accesses the login script configuration using this registry key when it connects to Citrix Secure Private Access service. For details, see Login and logout script configuration registries.
SecureAccessLogOutScript	REG_SZ	Admin can deploy this registry through GPO using GPMC or SCCM push.	Citrix Secure Access service accesses the logout script configuration using this registry key when it connects to Citrix Secure Private Access service. For details, see Login and logout script configuration registries.
suffixList	REG_SZ	Using CLI: `add dns suffix`	Semicolon list of intranet domains. Used when location detection is enabled.
SicBeginPort	REG_DWORD	From the NetScaler appliance, create a new file named `pluginCustomization.json` with the value `\{"SicBeginPort" : 51000}`. Place the `pluginCustomization.json` file in the folders /netscaler/ns_gui/vpn and /var/netscaler/gui/vpn.	Avoids conflicts that might arise when you use ports to create sockets between Citrix Secure Access client and third party apps on the client machines. The allowed range is 49152–64535 (C000 to FC17 in hexadecimal format). The VPN client uses up to 1000 ports starting from `SicBeginPort` only if `EnableWFP` is also set to `1`.
SicBeginPort	REG_DWORD
userCertCAList	REG_SZ	Admin can deploy this registry through GPO using GPMC or SCCM push.	Used in the context of the Always On service where a customer can specify the list of CAs to choose the client certificate from.

Note:

*Use the following command to apply AlwaysOnURL, AlwaysOn, ClientControl, and locationDetection registry keys using CLI:

add alwaysONProfile <alwaysONProfileName>-clientControl ( ALLOW | DENY )-locationBasedVPN ( Remote | Everywhere )-networkAccessOnVPNFailure ( onlyToGateway | fullAccess )

Important:

You can apply registry keys based on your deployments. For example, the AlwaysOnService registry key is applicable only to the Always on service whereas the ClientControl registry key is not applicable to the Always on service. Refer to the individual deployment documentation for more details.
secureDNSUpdate is applicable only for domain joined client devices.
For Citrix Secure Access client for Windows 23.1.1.8 and later versions, the registry key name is overrideIPV6DnsDrop. For Citrix Secure Access client for Windows 22.10.1.9 and prior versions, the registry key name is overrideIP6DnsDrop.
From Citrix Secure Access client for Windows 24.8.1.15, the registry keys DisableGA, ForcedLogging, and OverrideSpoofIPRange are deprecated.
From Citrix Secure Access client for Windows 24.8.1.19, admin can enable cloud-hosted multi-session VDI in Secure Private Access using the EnableMultiSessionFlow registry for contextual access to resources based on their location, device, and other factors. For domain-joined machines, use both EnableMultiSessionFlow and AlwaysOnService registries.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

NetScaler Gateway Windows VPN client registry keys

October 11, 2024

Contributed by:

C H C

October 11, 2024

Contributed by:

C H C

NetScaler Gateway Windows VPN client registry keys

In this article