This article provides details of the design, functionality, and usage of the Citrix ICA Virtual Channels and focuses on the Citrix XenApp Plug-ins/Receiver for Windows

Target Audience

Application developers, Citrix server administrators, and help desk personnel.

What are ICA Virtual Channels?

A large portion of the functionality and communication between the XenApp Plugin/Receiver and XenApp Server takes place over virtual channels. Whether for graphics, disks, COM ports, LPT ports, printers, audio, video, smart card or even third-party custom virtual channels, virtual channels are an integral part of the Remote Computing experience with XenApp Server.

From time to time, new virtual channels are released with a new version of the XenApp Server and Receiver products to provide additional functionality.

A virtual channel consists of a client-side virtual driver that communicates with a server-side application. XenApp products ship with various included virtual channels and are designed to allow customers and third-party vendors to create their own virtual channels by using one of the provided Software Development Kits (SDKs).

Virtual channels provide a secure way to accomplish a variety of tasks, for example, an application running on a XenApp Server communicating with a client-side device or an application communicating with the client-side environment.

Description of ICA Virtual Channels

On the client side, virtual channels correspond to virtual drivers; each providing a specific function. Some are required for normal operation, and others are optional.
Virtual drivers operate at the presentation layer protocol level. There can be a number of these protocols active at any given time by multiplexing channels that are provided by the WinStation protocol layer.

Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

The list of functions below are contained in the VirtualDriver Registry Key under the following Registry Path:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA
Client\Engine\Configuration\Advanced\Modules\ICA 3.0

• Thinwire3.0, (Required)
• ClientDrive, 
• ClientPrinterQueue, 
• ClientPrinterPort, 
• Clipboard, 
• ClientComm, 
• ClientAudio, 
• LicenseHandler, (Required)
• TWI, (Required)
• SmartCard,
• Multimedia,
• ICACTL, (Required)
• SSPI,
• TwainRdr,
• UserExperience,
• Vd3d

Note: It is possible to disable specific client functionality by removing one or more of these values. For example, if you wanted to remove Client Clipboard functionality, edit the above registry key, and remove the word, Clipboard.

The following lists the client virtual driver files and their respective function as used by the XenApp Plugins/Receiver for Windows. They are in the form of Dynamic Link Libraries (user mode) and not Windows drivers (Kernel Mode) except for Generic USB as described below.

vd3dn.dll – Direct3D Virtual Channel used for Desktop Composition Redirection
vdcamN.dll – Bi-directional Audio
vdcdm30n.dll – Client Drive Mapping
vdcom30N.dll - Client COM Port Mapping
vdcpm30N.dll – Client Printer Mapping
vdctln.dll – ICA Controls Channel
vddvc0n.dll – Dynamic virtual channel
vdeuemn.dll - End User Experience Monitoring
vdflash2.dll (vdflash.dll) – Flash virtual channel
vdgusbn.dll – Generic USB Virtual channel
vdkbhook.dll – Transparent Key Pass-Through
vdlfpn.dll – Framehawk Display channel over UDP like transport
vdmmn.dll – Multimedia Support
vdmrvc.dll – Mobile Receiver Virtual channel
vdmtchn.dll - Multi-Touch support
vdscardn.dll – Smartcard support
vdsens.dll – Sensors virtual channel
vdspl30n.dll – Client UPD
vdsspin.dll – Kerberos
vdtuin.dll – Transparent UI
vdtw30n.dll – Client ThinWire
vdtwin.dll – Seamless
vdtwn.dll – Twain

Note: Some virtual channels are compiled into other files, for example Clipboard Mapping is available in wfica32.exe.

64-bit Compatibility

XenApp Plugin/Receiver for Windows is 64-bit compatible. With most of the binaries compiled for 32 bit, following client files have 64-bit compiled equivalents:

brapi64.dll
confmgr.dll
ctxlogging.dll
ctxmui.dll
icaconf.exe
icaconfs.dll
icafile.dll
pnipcn64.dll
pnsson.dll
ssoncom.exe
ssonstub.dll
vdkbhook64.dll

Generic USB virtual channel

Generic USB virtual channel implementation uses 2 kernel mode drivers: ctxusbm.sys and ctxusbr.sys along with virtual channel driver vdgusbn.dll.

How ICA Virtual Channels Work

The user mode virtual channel support on the server side is loaded by Wfshell.exe, for example: EUEM, Twain, Time Zone, Clipboard, Multimedia and Seamless Session Sharing.

Others are loaded as Kernel mode, for example:

CtxDvcs.sys – Dynamic Virtual Channel
Icausbb.sys – Generic USB Redirection
Icardd.dll (vdtw30.dll legacy) – Graphics redirection driver for Terminal Sever based session
Picadm.sys – client drive mapping
Vd3dk.sys – Direct 3D Virtual channel and WDD Display driver for workstation based session
Picaser.sys – COM port redirection
Picapar.sys – LPT port redirection

Graphics Virtual Channel on Server side

Starting with XA 7.0 and XD7.0 Graphics virtual channel is hosted in ctxgfx.exe for both workstation and terminal server based sessions. Ctxgfx hosts platform specific modules which interact with corresponding driver (Icardd.dll for RDSH and vd3dk.sys for Workstation).

For XenDesktop 3D Pro deployments an OEM graphics driver is installed for the corresponding GPU on the VDA. Ctxgfx loads specialized adaptor modules to interact with the OEM graphics driver.

Hosting specialized channels in windows Service

On XenApp/XenDesktop server variety of channels are hosted as Windows service. Such hosting provide one-to-many semantics for multiple applications in a session as well as multiple sessions on the server. Examples of such services include:

• Citrix Device Redirector Service
• Citrix Dynamic Virtual Channel Service
• Citrix End User Experience Monitoring Service
• Citrix HDX Media Stream for Flash Service
• Citrix Location and Sensor Virtual Channel Service
• Citrix MultiTouch Redirection Service
• Citrix Print Manager Service
• Citrix Smartcard Service
• Citrix Audio Redirection Service (XenDesktop only)

Audio virtual channel on XenApp is hosted via Windows Audio service.

All client virtual channels are routed through the WinStation Driver, Wdica.sys on the server side and are polled on the client side by the corresponding WinStation Driver, built into wfica32.exe. The following image illustrates the virtual channel client-server connection.

Following is an overview of client-server data exchange using a virtual channel.

1. The client connects to the XenApp/XenDesktop Server. The client passes information about the virtual channels it supports to the server.
2. The server-side application starts, obtains a handle to the virtual channel, and optionally queries for additional information about the channel.
3. The client virtual driver and server-side application pass data using the following two methods:

• If the server application has data to send to the client, the data is sent to the client immediately. When the data is received by the client, the WinStation driver de-multiplexes the virtual channel data from the ICA stream and immediately passes it to the client virtual driver.
• If the client virtual driver has data to send to the server, the data is sent the next time the WinStation driver polls it. When the data is received by the server, it is queued until the virtual channel application reads it. There is no way to alert the server virtual channel application that data was received.

1. When the server virtual channel application is completed, it closes the virtual channel and frees any allocated resources.

Creating your own Virtual Channel using the Virtual Channel SDK

Creating a virtual channel using the Virtual Channel SDK requires intermediate programming knowledge.
It is best to use this method when it is necessary to provide a major communication path between the client and the server. For example, if you are implementing usage of a device on the client side, such as a scanner, to be used with a process in the session.

Note 1: The Virtual Channel SDK requires the WFAPI SDK to write the server side of the virtual channel.

Note 2: Because of enhanced security for XenApp Plugin/Receiver for Windows, it is necessary to take an additional step when installing a custom virtual channel.

See “Installing a Virtual Driver on a Client”. For more information, see ICA Virtual Channel SDK.

Creating your own Virtual Channel using the ICO SDK

Creating a virtual channel using the ICA Client Object (ICO) is simpler than using the Virtual Channel SDK, and can be done by creating a named object in your program using the CreateChannels method.

Note: Because of enhanced security starting with the 10.00 version of the XenApp Plug-in/Receiver for Windows and later, it is necessary to take an additional step when creating an ICO Virtual Channel.

See CTX113279 - How to Allow Custom Virtual Channels Created with ICO in Version 10.00 of the Windows Client for more details.

For more information, see Client Object API Specification Programmer’s Guide 

Pass-through Functionality of Virtual Channels

While the majority of Citrix provided Virtual Channels operate unmodified when the XenApp Plug-in/Receiver for Windows is used within an ICA session, or more commonly known as a Pass-through session, there are some items to be aware of when using the client in additional hops.

The following functions operate the same way in single or multiple hops:

Client Drive Mapping, Client COM Port Mapping, Client Printer Mapping, Smartcard support, Kerberos, Twain, Transparent Key Pass-Through, Multimedia Support, Client UPD, Generic USB and End User Experience Monitoring.

As the inherent nature of latency and other factors such as compression and decompression and rendering being performed at each hop, some areas of functionality might be affected slightly in terms of performance with each additional hop that the client undergoes. These areas are:

Seamless, ThinWire, Bi-directional Audio, Generic USB Redirection and File Transfers.

Note: By default, the client drives mapped by an instance of the client running in a Pass-through session are restricted to Client drives of the connecting client.

For more information see CTX113756 - Pass-through Client for Cannot Launch Application on Network Drive Through DesktopSession

Pass-through Functionality of Virtual Channels between a XenDesktop Session and a XenApp Hosted Session

Although some specific scenarios have not been tested, the majority of Citrix provided Virtual Channels operate unmodified when the XenApp Plug-in/Receiver for Windows is used within an ICA session on a XenDesktop server, or more commonly known as a Pass-through session.

Specifically, on the XenDesktop server, there is a VDA Hook that runs, named, picaPassthruHook, whose sole purpose is to make the client believe it is running on a CPS server, thus placing the client into its traditional Pass-through mode.

The following traditional Virtual Channels and their functionality are supported:

SSON, Client Drive Mapping, Client COM Port Mapping, Client Printer Mapping, Smartcard support, Kerberos, Transparent Key Pass-Through, Multimedia Support, Client UPD and Generic USB (limited due to performance).

Security and ICA Virtual Channels

Securing usage is an important part of planning, developing and implementing virtual channels. There are several references to specific areas of security located throughout this document.

Best Practices

The following are some pointers to keep in mind when using virtual channels:

Virtual Channels should be opened at Connect and Reconnect time, and closed at logoff and Disconnect time.

Keep the following guidelines in mind when you create scripts that use virtual channel functions:

Naming the Virtual Channels

You can create a maximum of 32 virtual channels. Seventeen of these are reserved for special purposes.

• Virtual channel names must not be more than seven characters in length.
• The first three characters are reserved for the vendor name, and the next four for the channel type. For example, CTXAUD represents the Citrix audio virtual channel.

Virtual channels are referred to by a seven-character (or shorter) ASCII name. In some previous versions of the ICA protocol, virtual channels were numbered; the numbers are now assigned dynamically based on the ASCII name, making implementation easier. Users developing virtual channel code for internal use only can use any seven-character name that does not conflict with existing virtual channels. You can use only upper and lowercase ASCII letters and numbers. Follow the existing naming convention when adding your own virtual channels. There are several predefined channels. All begin with the OEM identifier CTX and are for use only by Citrix.

Double-Hop Support

• ICA Virtual Channel SDK Guide

• The Citrix Developer Network is the home for all technical resources and discussions involving the use of Citrix SDKs. In this network, you can find access to SDKs, sample code and scripts, extensions and plug-ins, and SDK documentation. Also included are the Citrix Developer Network forums, where technical discussions take place around each of the Citrix SDKs.

• CTX202153 - How to Disable Citrix Virtual Channels in XenApp 6.x
• Refer the following article for updated changes - Virtual Chanel allow list policy settings