Citrix Browser Content Redirection

Browser Content Redirection (BCR) uses Citrix Workspace app to fetch and render web content, massively reducing CPU, GPU, RAM, and network consumption on the Desktop or Server VDA.

Article Contents

Overview

The Internet contains and delivers more multimedia content than ever before, particularly since Covid-19. A real-world example is the car sales industry whereby car dealerships are harnessing social media to sell their stock by way of videos.

Video content itself is also very much part of our daily lives whether it be watching YouTube videos, news clips, training videos, or video conferencing using Microsoft Teams.

Video content is also taxing on CPU first and foremost, so for a Citrix environment that may really impact the overall user experience for video playback amongst all the other activities.

Thankfully there is a solution which allows a business to offload that video to the endpoint itself using what we call Browser Content Redirection, which is available to all Virtual Apps and Desktops licensed customers whether on-premises or using Citrix Cloud. Simply, an extension is installed on to the VDA, and Workspace app as always will be on the client endpoint. When a website is enabled for BCR using an allow list controlled via Studio policies, and the user browses to that website:

  1. A CTXCSB virtual channel informs Workspace app that redirection is required and provides the URL.
  2. The viewport is redirected to the endpoint.
  3. The endpoint fetches the content (optional) and renders it.
  4. Then, the viewport is blended back into the virtual desktop seamlessly. The end-user will not necessarily know that it is their endpoint doing the fetching and rendering of the web content.

The viewport contains the main part of your browser window that shows the web page content itself, as shown below. The address bar etc is not redirected and remains on the VDA.

This is all achieved by the overlay browser (HdxBrowsercef.exe), a Chromium based browser built into Workspace app, and the Browser Content Redirection extension which runs on Chrome or the newer Chromium based Microsoft Edge.

BCR Scenarios

Server fetch and server render

This is basically how things work without BCR, or if you don’t add a site to the allow list. The Citrix VDA fetches and renders the webpage.

This equals to potentially high RAM and CPU consumption on the VDA, as well as network consumption.

Server fetch and client render

In this scenario, the CTXPFWD virtual channel is used by Workspace app to fetch webpage content through the VDA, and then the endpoint renders that content. This can be useful if the endpoint doesn’t have internet access, or if you want to ensure that any security policies/web filtering is still applied to those web resources.

This equals to network consumption on the VDA, but with low RAM and CPU consumption.

Client fetch and client render

Workspace app contacts the web server directly and renders the web content.

This equals to low CPU, RAM, and network consumption on the VDA for a better end-user experience.

Disabling fallback

As mentioned, the option of server fetch and server render is typically what you have whenever BCR is not used at all. However, if you have BCR configured for YouTube for example, and redirection of that URL to the endpoint fails for a reason such as internet not being available on the endpoint, you can disable fallback/prevent the VDA fetching and processing the web content by setting the Windows Media fallback prevention Citrix Studio policy to Play all content only on client or Play only client-accessible content on client.

BCR Requirements

Windows Endpoints

  • Windows 10.
  • Workspace app 1809 for Windows or later. Note that Workspace app 1912 LTSR for Windows does not support BCR.

Linux Endpoints

  • Thin client terminals must include WebKitGTK+.
  • Workspace app 1808 for Linux or later.

Citrix

  • Virtual Apps and Desktops 7 1808 or later for Current Release.
  • XenApp and XenDesktop 7.15 CU3 or later for Long Term Service Release.
  • Desktop OS VDA running Windows 10 1607 or newer.
  • Server OS VDA running 2012 R2, 2016 or 2019.
  • For Google Chrome: v66 or later running on the VDA.
  • For Microsoft Edge: v83.0.478.37 or later running on the VDA.

Citrix Virtual Apps and Desktops 7 2109

Starting with VDA 2109, Citrix have changed the way in which JavaScript is injected into a webpage for BCR, resulting in an enhanced and simplified outcome.

BCR used to inject the HdxVideo.js JavaScript into BCR enabled webpages almost on the fly as it detected the need. This could sometimes cause issues and fail redirection if the JavaScript was not being injected quickly enough. Now, when a user visits a BCR enabled URL, that URL is redirected to blank HTML document that contains the running JavaScript, which then performs redirection. With this new approach, redirection is much more successful and has fixed some issues with redirecting certain resources that were having issues in previous releases.

Enabling and configuring BCR

Browser Content Redirection is enabled for YouTube by default. The main policy that enables BCR is Browser Content Redirection.

Further to this policy, the allow list, known as Browser Content Redirection ACL Configuration, is where you specify the URLs that you wish to be redirected.

As shown in the above screenshot, you can use a wildcard but not in the protocol or the domain address part of the URL.

  • Allowed:
    • http://domain.com/index.html
    • http://domain.com/*
    • http://domani.com/*index*
  • Not allowed:
    • http://*.domain.com

There are some additional policies relating to BCR:

  • Browser Content Redirection Authentication Sites – Not all websites are the same. Some websites redirect you to other URLs, especially when authentication is required. For example, when you visit https://teams.microsoft.com, you are redirected to https://login.microsoftonline.com to authenticate. From there, you could be redirected to an IdP or back to Teams. In such scenarios, we need to tell BCR to remain active (redirected) to allow the authentication (child sites) to be handled correctly by BCR.
  • Browser Content Redirection Blacklist Configuration – The blacklist takes precedence, and the web content will be fetched and rendered on the server, even if the same URL is added to Browser Content Redirection ACL Configuration. You can also use a wildcard here with the same rules as the ACL Configuration policy.
  • Browser Content Redirection Proxy Configuration – I mentioned the BCR scenario server fetch and client render earlier in the article. It is this policy you would use to configure the server fetch piece. With this policy you can specify an explicit proxy address, PAC/WPAD file address, or specify Direct/Transparent.
    • Explicit example: http://proxy.domain.com:8080
    • PAC file example: http://proxy.domain.com/files/proxy.pac
    • WPAD file example: http://proxy.domain.com/files/wpad.dat
    • Direct/Transparent example: Type the word DIRECT into the policy text box.

XenApp and XenDesktop 7.15 Customers

Citrix backported BCR for those running with the 7.15 release of XenApp and XenDesktop. To use BCR, the following steps are required:

  1. Install the VDA software using the command line and switch /FEATURE_DISABLE_HTML5.
    1. This removes the HTML5 video redirection feature, which must be done before installing BCR.msi. BCS.msi adds the feature back during installation, along with adding the browser content redirection services.
  2. Install BCR.msi
    1. Confirm that the Citrix HDX HTML5 Video Redirection Service shows under services.msc.
  3. Citrix Studio does not contain the BCR policies. Download the ADMX template for BCR from the Downloads page over at Citrix.

Installing the BCR extension on Google Chrome – Manual

  1. Browse to https://chrome.google.com/webstore/category/extensions and in the Search box type in Citrix and then click on the Browser Redirection Extension tile.
  1. Click Add to Chrome.
  1. Click Add extension.

To confirm Browser Content Redirection is working, visit a webpage that should be redirected and right-click within the viewport. If working, you will see a menu containing About HDX Browser Redirection.

Installing the BCR extension on Google Chrome – Group Policy

  1. Firstly, download the Google Chrome ADMX files to your environment.
  2. Open Group Policy and within a GPO browse to Computer Configuration > Policies > Administrative Templates > Google > Google Chrome > Extensions and double-click policy Configure the list of force-installed apps and extensions.
  1. Click Enabled > Show and insert the following value, which makes up the BCR extension ID and auto-update URL:
hdppkjifljbdpckfajcmlblbchhledln; https://clients2.google.com/service/update2/crx

Once Group Policy processing completes and the user launches Google Chrome, the extension will be installed. Any updates to the extension are automatically installed using the update URL you specified during Group Policy configuration. Extensions also reside in the user profile under %LocalAppData%\Google\Chrome\User Data\Default\Extensions.

Installing the BCR extension on Microsoft Edge – Manual

  1. Click on the horizontal ellipsis and then Extensions.
  1. Click Allow extensions from other stores followed by Allow.
  1. Click on the Chrome Web Store hyperlink.
  1. In the search box type Citrix, click on the Browser Redirection Extension tile > Add to Chrome > Add extension.

Installing the BCR extension on Microsoft Edge – Group Policy

With the Group Policy method, there is no initial requirement to enable the Allow extensions from other stores setting as required when manually installing the BCR extension.

  1. Firstly, download the Microsoft Edge ADMX files to your environment.
  2. Open Group Policy and within a GPO browse to Computer Configuration > Policies > Administrative Templates > Microsoft Edge > Extensions and double-click policy Control which extensions are installed silently.
  1. Click Enabled > Show and insert the following value, which makes up the BCR extension ID and auto-update URL:
hdppkjifljbdpckfajcmlblbchhledln; https://clients2.google.com/service/update2/crx

Once Group Policy processing completes the extension will be installed and will appear under installed extensions within Edge. Any updates to the extension are automatically installed using the update URL you specified during Group Policy configuration.

Extensions also reside in the user profile under %LocalAppData%\Microsoft\Edge\User Data\Default\Extensions.

Google Chrome Demo

Before

Very high CPU consumption on the VDA whilst playing a 4k video.

After

Low CPU and lower RAM consumption on the VDA whilst playing a 4k video.

On the client, CPU and RAM is being used instead by the Overlay Browser.

The Overlay Browser runs under the HdxBrowserCef.exe process.

Microsoft Edge Demo

Before

Very high CPU consumption on the VDA whilst playing a 4k video.

After

Low CPU and lower RAM consumption on the VDA whilst playing a 4k video.

On the client, CPU and RAM is being used instead by the Overlay Browser.

Final Thoughts

  • Since you are offloading media now to the endpoint, BCR is dependent on the endpoint being able to fetch (optional) and render that content efficiently.
  • You cannot turn BCR on for everything, there is no policy option for that.
  • Some websites will redirect you to other places and you may have to use Debugging Tools (F12) to understand what other URLs you need to configure in the ACL Configuration and Authentication Sites policies.
  • There are some limitations with BCR. See here.
  • DPI scaling mismatch e.g. the VDA is set to 100% and endpoint set to 125%, causes the redirected browser screen to display incorrectly. If you can’t match DPI then there is a DWORD you can create on the endpoint which resolves this:
    • Key: HKLM\SOFTWARE\WOW6432Node\Citrix\HdxMediaStream
    • Value name: GPU
    • Value type: DWORD
    • Value data: 0

12 Comments

  • WH

    October 6, 2021

    Is this supported and tested with the linux workspace app connecting to a windows VDA?

    Reply
  • Bojan Salaj

    October 6, 2021

    Are all 1912 LTSR not supporting BCR? Or do any of the CU versions support it (ie: CU3)?

    Reply
  • Karsten

    October 25, 2021

    BCR is related to the Workspace App, not CVAD. WSA LTSR is generally not supporting BCR and never will (becuase the needed Chromium Engine would need regular security fixes wich a LTSR does not get).

    Also refer to the WSA Feature matrix here for details: https://www.citrix.com/content/dam/citrix/en_us/documents/data-sheet/citrix-workspace-app-feature-matrix.pdf

    Reply
  • Roger G.

    November 23, 2021

    We’ve got high cpu load in our Citrix farm after Google updated BCR extension in Chrome at 19.Nov.2021. We use CVAD 1912 CU3 and Chrome 94/95.

    Reply
    • Patrick

      November 25, 2021

      We have got the exact same issue. No solution yet….

      Reply
  • Roger Gil

    December 2, 2021

    With version 5.3 (back to 5.1) is it gone…
    https://chrome.google.com/webstore/detail/browser-redirection-exten/hdppkjifljbdpckfajcmlblbchhledln?
    What’s new in version 5.3
    1) Revert to v5.1 extension codebase due to reports of high CPU usage with v5.2 extension in some configurations

    Reply
  • Roland

    December 16, 2021

    We use Edge 93.0.961.38 as standard browser.
    The browser redirection extension doesn’t work with the Edge, but it does on the same client with Chrome. So everything have to be configured correctly.
    When I log out and log back in, the extension is obviously changed. A message appears that it needs to be repaired and the following entry is made in the event log:

    [7468:9620:1213/144439.751:WARNING:chrome_content_verifier_delegate.cc(227)] Corruption detected in extension hdppkjifljbdpckfajcmlblbchhledln installed at: C:\Users\Username.Domain\AppData\Roaming\Edge\UserData\Default\Extensions\hdppkjifljbdpckfajcmlblbchhledln\5.3_0, from webstore: 1, corruption reason: 4, should be repaired: 0, extension location: kInternal

    Reply
  • berks

    January 27, 2022

    Hi George, thanks for the concise article and all your articles as always! One issue i’ve noticed with this is that this tech does not honour ad blocking. So if you have ad blocking extension added on the end point browser and/or VDA browser, youtube still displays ads. Obviously it’s running the overlay using HdxBrowserCef.exe, which i’m sure does not have any adblock inside of it. This is a show stopper for us as our users are used to not seeing any ads. Are there plans to add this functionality or do you know a way around this?

    Reply
    • Anonymous

      September 21, 2022

      Hi George, have you encountered this?

      Reply
      • Anonymous

        September 21, 2022

        Hi George, have you encountered this? re the ad blocker stuff.

        Reply
  • Anonymous

    December 20, 2022

    Unfortunate that citrix have not thought about ad blocking. One of the main reasons for using this is for youtube, but no point if the user is constantly plagued by ads that we otherwise block using native youtube without BCR. Needs work.

    Reply

Leave a Reply