Citrix Virtual Apps and Desktops

WebSocket communication between VDA and Delivery Controller

This article describes how to set up a WebSocket connection for communication between VDAs and Delivery Controllers as an alternative to WCF communication. The benefit is that only the TLS port 443 is required for communication from the VDA to the Delivery Controller.

How it works

The following sections describe the workflow of the WebSocket connection between a Delivery Controller and a VDA:

During normal brokering operation

  1. Citrix Virtual Apps and Desktops admins initiate the process by provisioning VDAs using the Machine Creation Service (MCS).
  2. During the MCS provisioning process, MCS generates a public-private key pair for each VDA and registers the public keys with the FMA trust service on the Delivery Controller. MCS saves the public-private key pair as a file on the identity disk of the VDA.
  3. When the VDA machine boots up, the MCS agent installed on the VDA machine reads the key pair from the identity disk and writes this information to the VDA registry location.
  4. The broker agent installed on the VDA reads the key pairs from the registry and generates an SSL-enabled WebSocket request to the Delivery Controller with the service key signed by the private key.
  5. The Delivery Controller verifies the signed service key authorization header with the public key from the FMA trust service.
  6. Once the verification is complete, the system establishes the WebSocket connection between the VDA and the Delivery Controller.
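The sign-then-verify pattern behind steps 4 and 5, as an added illustration that is not Citrix code: the VDA signs a value with its private key, and the Controller accepts the connection only if the signature checks out against the public key registered for that VDA. The key algorithm (RSA-2048 with SHA-256), the header layout, the VDA names and the service key value are assumptions made for this example and are not the product's actual wire format.

```powershell
# Added illustration (not Citrix code) of the signed-header verification described above.
# Assumed: RSA-2048/SHA-256 signatures and a header of the form <vda>:<service key>:<base64 signature>.
using namespace System.Security.Cryptography

# "MCS provisioning": create a key pair for one VDA and register only the public half
# with a stand-in for the FMA trust service's store.
$vdaKey = [RSA]::Create()
$vdaKey.KeySize = 2048
$trustService = @{}
$trustService['VDA-01'] = $vdaKey.ExportParameters($false)   # public parameters only

function New-SignedAuthorizationHeader {
    param([RSA]$PrivateKey, [string]$VdaName, [string]$ServiceKey)
    $bytes = [Text.Encoding]::UTF8.GetBytes($ServiceKey)
    $sig = $PrivateKey.SignData($bytes, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    '{0}:{1}:{2}' -f $VdaName, $ServiceKey, [Convert]::ToBase64String($sig)
}

function Test-SignedAuthorizationHeader {
    param([string]$Header, [hashtable]$PublicKeys)
    # Reject malformed headers and unknown VDAs before doing any cryptography.
    $parts = $Header -split ':', 3
    if ($parts.Count -ne 3 -or -not $PublicKeys.ContainsKey($parts[0])) { return $false }
    $verifier = [RSA]::Create()
    $verifier.ImportParameters($PublicKeys[$parts[0]])
    $bytes = [Text.Encoding]::UTF8.GetBytes($parts[1])
    $sig = [Convert]::FromBase64String($parts[2])
    $verifier.VerifyData($bytes, $sig, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
}

# A genuine header from the registered VDA is accepted.
$header = New-SignedAuthorizationHeader -PrivateKey $vdaKey -VdaName 'VDA-01' -ServiceKey 'svc-key-sample'
Test-SignedAuthorizationHeader -Header $header -PublicKeys $trustService

# A header whose service key was altered after signing is rejected.
$tampered = $header -replace 'svc-key-sample', 'svc-key-changed'
Test-SignedAuthorizationHeader -Header $tampered -PublicKeys $trustService

# A header naming a VDA with no registered public key is rejected.
Test-SignedAuthorizationHeader -Header ($header -replace '^VDA-01', 'VDA-99') -PublicKeys $trustService
```

The point of the design is that the Controller never needs a shared secret with the VDA: it only needs the public key that MCS registered at provisioning time, which is also why the LHC section below can authenticate the same header from a local copy of those public keys.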

When LHC mode becomes active

If you enable WebSocket support for LHC, then while LHC mode is active, when a VDA tries to establish a WebSocket connection with the High Availability Service, the High Availability Service verifies the signed service key authorization header with the public key from the local database. This authenticates the WebSocket connection, so the WebSocket connection between the VDA and the Delivery Controller succeeds even in LHC mode.

WebSocket support

Before you begin

  1. Configure your site. For more information, see Create a site.
  2. Install TLS certificates on the Delivery Controllers. For more information, see Install TLS server certificates on Controllers.
  3. Install root CA and intermediate CA on VDA to trust the Delivery Controller.

Procedure

Follow the instructions to set up a WebSocket connection:

  1. Enable the WebSocket connection on the Delivery Controller. Run the following PowerShell command on each Delivery Controller in your site:

    New-ItemProperty "HKLM:\SOFTWARE\Citrix\DesktopServer\WorkerProxy" -Name "WebSocket_Enabled" -PropertyType "DWord" -Value 1 -Force

  2. Restart the Broker Service after enabling WebSocket.
  3. Enable WebSocket support for LHC mode. Run the following command on each Delivery Controller in your site:

    New-ItemProperty "HKLM:\SOFTWARE\Citrix\DesktopServer\LHC" -Name "WebSocketEnabledLhc" -PropertyType "DWord" -Value 1 -Force

  4. Create a machine catalog for AD-joined VDAs with MCS provisioning. For more information, see Create machine catalog.
  5. Create a delivery group and add your VDA to it. For more information, see Create delivery groups.
  6. Enable the WebSocket connection on the VDA. Run the following PowerShell command on the VDA (the registry path must use the HKLM: PowerShell drive, not the HKEY_LOCAL_MACHINE prefix, or New-ItemProperty cannot resolve it):

    New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CitrixBrokerAgent\WebSocket" -Name "Enabled" -PropertyType "DWord" -Value 1 -Force

    • To check whether WebSocket is enabled, check the following registry value. The value of Enabled must be 1.

      Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CitrixBrokerAgent\WebSocket

      Name: Enabled

      Type: REG_DWORD

      Value: 1
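The procedure above as one script, added here as an example and not Citrix's own tooling: it applies the three registry values from steps 1, 3 and 6, restarts the Broker Service (step 2) and reports each value so the check at the end of step 6 can be run on every machine. Two assumptions are made: the Windows service name of the Broker Service is taken to be CitrixBrokerService, and a missing parent key is created before the value is written, because New-ItemProperty on its own fails when the key does not exist. Run it in an elevated PowerShell session.

```powershell
# Added example, not Citrix's own script. Assumptions: the Broker Service's Windows
# service name is 'CitrixBrokerService'; parent keys are created if absent.

$ControllerSettings = @(
    @{ Path = 'HKLM:\SOFTWARE\Citrix\DesktopServer\WorkerProxy'; Name = 'WebSocket_Enabled' },   # step 1
    @{ Path = 'HKLM:\SOFTWARE\Citrix\DesktopServer\LHC';         Name = 'WebSocketEnabledLhc' }   # step 3
)
$VdaSetting = @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\CitrixBrokerAgent\WebSocket'; Name = 'Enabled' }  # step 6

function Set-WebSocketRegistryValue {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Name)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null          # create the key tree if it does not exist yet
    }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-WebSocketRegistryState {
    # Read-only: returns the current value and whether it meets the documented check (REG_DWORD = 1).
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$Name } else { $null }
    [pscustomobject]@{
        Path    = $Path
        Name    = $Name
        Value   = $value
        Enabled = ($value -eq 1)
    }
}

function Enable-ControllerWebSocket {
    # Steps 1 to 3 on a Delivery Controller; -IncludeLhc also sets the LHC value.
    param([switch]$IncludeLhc)
    $settings = if ($IncludeLhc) { $ControllerSettings } else { @($ControllerSettings[0]) }
    foreach ($s in $settings) { Set-WebSocketRegistryValue @s }
    # Step 2: the Broker Service must be restarted for the setting to take effect.
    Restart-Service -Name 'CitrixBrokerService' -Force   # assumed service name
    foreach ($s in $settings) { Get-WebSocketRegistryState @s }
}

function Enable-VdaWebSocket {
    # Step 6 on a VDA, followed by the documented check.
    Set-WebSocketRegistryValue @VdaSetting
    Get-WebSocketRegistryState @VdaSetting
}

# Usage: run the first command on each Delivery Controller and the second on each VDA.
#   Enable-ControllerWebSocket -IncludeLhc
#   Enable-VdaWebSocket
# Read-only check of the VDA value, without changing anything:
#   Get-WebSocketRegistryState @VdaSetting
```

Get-WebSocketRegistryState is deliberately separate from the setter so it can be run on its own, for instance from a configuration audit, to confirm that every Controller and VDA still carries the expected value.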
