Citrix Gateway Windows VPN client registry keys
The VPN client registry keys are available under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client. The following table lists the Citrix Gateway VPN client registry keys, values, and a brief description of each value.
Registry key | Registry type | Registry control | Values and description |
---|---|---|---|
addedRoutes/modifiedRoutes | REG_SZ | Managed by Citrix Secure Access client. | Created for internal plug-in communication. Users must not modify this key. |
AlwaysOnService | REG_DWORD | Admin can deploy this registry through Group Policy Object (GPO) using Group Policy Management Console (GPMC) or System Center Configuration Manager (SCCM) push. | |
AlwaysOnURL | REG_SZ | You can control this registry in one of the following two ways. | URL of the NetScaler Gateway virtual server the user wants to connect to. Example: https://xyz.companyDomain.com |
AlwaysOn | REG_DWORD | Using CLI. For more information, see note*. | |
AlwaysOnAllowlist | REG_SZ | Admin can deploy this registry through GPO using GPMC or SCCM push. | Semicolon-separated list of IP addresses or FQDNs allowed by the driver in Always On strict mode. Examples: *.microsoft.com, groupinfra.com |
ClientControl | REG_DWORD | Using CLI. For more information, see note*. | |
ConfigSize | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. This registry is used only for Citrix Secure Private Access (SPA). | The Windows client supports a 64 KB configuration file size by default. Use this registry to increase the configuration file size. If the configuration file size exceeds the default value of 64 KB, set the ConfigSize registry value to 5 times 64 KB (in bytes) for each additional 64 KB. For example, if you are adding an additional 64 KB, you must set the registry value to 64 x 1024 x 5 = 327680. Similarly, if you are adding 128 KB, you must set the registry value to 64 x 1024 x (5+5) = 655360. |
Connected | REG_DWORD | Managed by Citrix Secure Access client. | On successful connection this key is set to 1; otherwise it is set to 0. This key is used internally. Users must not modify this key. |
DisableCredProv | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | When AlwaysOn VPN before Windows Logon is enabled, the Windows VPN plug-in adds the credential provider to display the tunnel status on the logon screen. If you do not need this additional functionality, create and set this registry to 1. |
DisableIconHide | REG_DWORD | Using CLI: set vpn parameter iconWithReceiver ON | |
DisableDNSRoutes | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | |
DisallowCaptivePortals | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | |
DisableIntuneDeviceEnrollment | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | If set to 1, Intune device enrollment is not performed. |
EnableAutoUpdate | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | Used to control plug-in update functionality from the client side. |
EnableKerberosAuth | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | |
EnableMultiSessionFlow | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | |
EnableTCPDNS | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | |
EnableVA | REG_DWORD | Managed by Citrix Secure Access client. | This key is used internally to indicate whether the Citrix Virtual Adapter must be enabled when IIP is present. Users must not modify this key. |
EnableWFP | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push, or through a feature flag. | The default value is 0, and by default DNE is enabled. |
ExcludeDomainsFromRemoteDns | REG_SZ | Admin can deploy this registry through GPO using GPMC or SCCM push. | Excludes DNS resolution from being performed by Citrix Secure Access client through a remote DNS server. If example.com is an intranet domain and you want to exclude specific applications such as sshhost.example.com, rdphost.example.com, or *.ftphost.example.com, use this registry. *.ftphost.example.com is a wildcard pattern that matches any subdomain under ftphost.example.com. Adjust the domain names and patterns according to your requirements. Once you have made the changes, restart Citrix Secure Access or the system for the settings to take effect. |
ExcludeDomainsFromTunnel (Preview) | REG_SZ | Admin can deploy this registry through GPO using GPMC or SCCM push. | Excludes traffic of specific domains from being tunneled via the Citrix Secure Access client. If example.com is an intranet domain and you want to exclude specific applications such as sshhost.example.com, rdphost.example.com, or *.ftphost.example.com, use this registry. Set the registry value to a comma-separated list of domain names or patterns. |
HttpTimeout | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | HTTP timeout is configured in seconds. If the timeout is not configured, the default timeout is used. The default timeout value is 100 seconds, based on Windows standards. |
InstallDir | REG_SZ | Managed by Citrix Secure Access client. | Location where the Citrix Secure Access client is installed. |
locationDetection | REG_DWORD | Using CLI. For more information, see note*. | |
NoDHCPRoute | REG_DWORD | | If set to 1, the DHCP server route is not added. |
overrideIPV6DnsDrop | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | |
ProductVersion | REG_SZ | Managed by Citrix Secure Access client. | Currently installed version of Citrix Secure Access client. |
ProductCode | REG_SZ | Managed by Citrix Secure Access client. | This key is used internally. Users must not modify this key. |
secureDNSUpdate | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | |
SecureChannelResetTimeoutSeconds | REG_DWORD | Admin can deploy this registry through GPO using GPMC or SCCM push. | By default, this registry value is not set or added. When the value of SecureChannelResetTimeoutSeconds is 0xFFFFFFFF or not present in the registry, the VPN plug-in waits for the SecureChannelReset() API call to complete before starting to tunnel data traffic. This is the default behavior. Admin must set this registry on the client for the VPN plug-in to start tunneling data traffic after waiting the specified time for the API call to complete. |
SecureAccessLogInScript | REG_SZ | Admin can deploy this registry through GPO using GPMC or SCCM push. | Citrix Secure Access service accesses the login script configuration using this registry key when it connects to Citrix Secure Private Access service. For details, see Login and logout script configuration registries. |
SecureAccessLogOutScript | REG_SZ | Admin can deploy this registry through GPO using GPMC or SCCM push. | Citrix Secure Access service accesses the logout script configuration using this registry key when it connects to Citrix Secure Private Access service. For details, see Login and logout script configuration registries. |
suffixList | REG_SZ | Using CLI: add dns suffix | Semicolon-separated list of intranet domains. Used when location detection is enabled. |
SicBeginPort | REG_DWORD | | Avoids conflicts that might arise when you use ports to create sockets between Citrix Secure Access client and third-party apps on the client machines. The allowed range is 49152–64535 (C000 to FC17 in hexadecimal format). The VPN client uses up to 1000 ports starting from SicBeginPort only if EnableWFP is also set to 1. |
userCertCAList | REG_SZ | Admin can deploy this registry through GPO using GPMC or SCCM push. | Used in the context of the Always On service, where a customer can specify the list of CAs to choose the client certificate from. |
Note:

*Use the following command to apply the AlwaysOnURL, AlwaysOn, ClientControl, and locationDetection registry keys using the CLI:

```
add alwaysONProfile <alwaysONProfileName> -clientControl ( ALLOW | DENY ) -locationBasedVPN ( Remote | Everywhere ) -networkAccessOnVPNFailure ( onlyToGateway | fullAccess )
```

Important:

- You can apply registry keys based on your deployments. For example, the AlwaysOnService registry key is applicable only to the Always On service, whereas the ClientControl registry key is not applicable to the Always On service. Refer to the individual deployment documentation for more details.
- secureDNSUpdate is applicable only for domain-joined client devices.
- For Citrix Secure Access client for Windows 23.1.1.8 and later versions, the registry key name is overrideIPV6DnsDrop. For Citrix Secure Access client for Windows 22.10.1.9 and prior versions, the registry key name is overrideIP6DnsDrop.
- From Citrix Secure Access client for Windows 24.8.1.15, the registry keys DisableGA, ForcedLogging, and OverrideSpoofIPRange are deprecated.
- From Citrix Secure Access client for Windows 24.8.1.19, an admin can enable cloud-hosted multi-session VDI in Secure Private Access using the EnableMultiSessionFlow registry for contextual access to resources based on their location, device, and other factors. For domain-joined machines, use both the EnableMultiSessionFlow and AlwaysOnService registries.
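The ConfigSize and SicBeginPort rows above each carry a rule an admin has to apply by hand (5 x 64 KB per additional 64 KB; a port in 49152–64535 that only takes effect with EnableWFP set to 1). The following PowerShell, added here as an example and not Citrix's own code, derives ConfigSize from a configuration file size, validates SicBeginPort, and writes the DWORDs under the key path from this page; it assumes that a partial additional 64 KB block is rounded up to a whole block, and the function and parameter names are hypothetical.

```powershell
# Added example (not Citrix code). Key path is the one documented on this page;
# rounding a partial extra 64 KB block up to a full block is an assumption.
$ClientKey = 'HKLM:\SOFTWARE\Citrix\Secure Access Client'
$Block     = 64 * 1024                       # 64 KB default configuration file size

function Get-ConfigSizeValue {
    param([Parameter(Mandatory)][long]$ConfigFileBytes)
    # Within the 64 KB default: return $null so the caller leaves ConfigSize unset.
    if ($ConfigFileBytes -le $Block) { return $null }
    # Assumption: a partial additional block counts as a whole 64 KB block.
    $extraBlocks = [math]::Ceiling(($ConfigFileBytes - $Block) / $Block)
    # 5 x 64 KB (in bytes) per additional 64 KB: 128 KB file -> 327680, 192 KB file -> 655360
    return [int64]($Block * 5 * $extraBlocks)
}

function Test-SicBeginPort {
    param([Parameter(Mandatory)][int]$Port, [Parameter(Mandatory)][int]$EnableWFP)
    # The client only uses the SicBeginPort range when EnableWFP is also 1.
    if ($EnableWFP -ne 1) { throw 'SicBeginPort has no effect unless EnableWFP is set to 1' }
    # Allowed range 49152-64535 (0xC000-0xFC17); up to 1000 ports are used from here.
    if ($Port -lt 0xC000 -or $Port -gt 0xFC17) { throw "SicBeginPort $Port is outside 49152-64535" }
    return $true
}

function Set-SecureAccessClientKeys {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][long]$ConfigFileBytes,
        [Parameter(Mandatory)][int]$SicBeginPort,
        [int]$EnableWFP = 1
    )
    Test-SicBeginPort -Port $SicBeginPort -EnableWFP $EnableWFP | Out-Null
    if (-not (Test-Path $ClientKey)) { New-Item -Path $ClientKey -Force | Out-Null }

    $values = [ordered]@{ EnableWFP = $EnableWFP; SicBeginPort = $SicBeginPort }
    $size = Get-ConfigSizeValue -ConfigFileBytes $ConfigFileBytes
    if ($null -ne $size) { $values['ConfigSize'] = $size }

    foreach ($name in $values.Keys) {
        # -WhatIf on the caller previews each write without touching the registry.
        if ($PSCmdlet.ShouldProcess("$ClientKey\$name", "Set DWORD to $($values[$name])")) {
            New-ItemProperty -Path $ClientKey -Name $name -PropertyType DWord `
                -Value $values[$name] -Force | Out-Null
        }
    }
}

# Preview for a 128 KB SPA configuration file and a port block starting at 50000
# (writing for real needs an elevated prompt; drop -WhatIf to apply).
Set-SecureAccessClientKeys -ConfigFileBytes (128 * 1024) -SicBeginPort 50000 -WhatIf
```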