Citrix Gateway VPN client registry keys
The VPN client registry keys are available under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client. The following table lists the Citrix Gateway VPN client registry keys, values, and a brief description of each value.
Registry key | Registry type | Values and description |
---|---|---|
AlwaysOnService | REG_DWORD | 1 => Establish machine level tunnel but not user level tunnel. 2 => Establish machine level tunnel and user level tunnel. |
AlwaysOnURL | REG_SZ | URL of the Citrix Gateway virtual server the user wants to connect to. Example: https://xyz.companyDomain.com |
AlwaysOn | REG_DWORD | 1 => Allow network access on VPN failure. 2 => Block network access on VPN failure. |
locationDetection | REG_DWORD | 1 => To enable location detection. 0 => To disable location detection. |
suffixList | REG_SZ | Semicolon list of intranet domains. Used when location detection is enabled. |
AlwaysOnAllowlist | REG_SZ | Semicolon separated list of IP addresses or FQDNs allowed by the driver in Always On strict mode. |
ProductVersion | REG_SZ | Current Citrix Secure Access agent installed version. |
InstallDir | REG_SZ | Location where the Citrix Secure Access agent is installed. |
userCertCAList | REG_SZ | Used in the context of the Always On service where a customer can specify the list of CAs to choose the client certificate from. |
addedRoutes/modifiedRoutes | REG_SZ | Created for internal plug-in communication. Users must not modify this key. |
ProductCode | REG_SZ | This key is used internally. Users must not modify this key. |
EnableAutoUpdate | REG_DWORD | Used to control plug-in update functionality from the client side. Set to 0 to disable auto-update functionality. Set to 1 to respect ADC configuration. |
Connected | REG_DWORD | On successful connection this key is set to 1 and else set to 0. This key is used internally. Users must not modify this key. |
EnableVA | REG_DWORD | If Citrix Virtual adapter must be enabled when IIP is present. This key is used internally. Users must not modify this key. |
DisableGA | REG_DWORD | Set to 1 to disable Google analytics. |
DisableCredProv | REG_DWORD | When Always On before user logon is enabled, the Windows VPN plug-in adds the credential provider to display the tunnel status on the logon screen. If you do not need this additional functionality, create and set this registry to 1. |
ClientControl | REG_DWORD | 1 => Allows users to log out or connect to other gateways. 0 => Blocks users from logging out or connecting to other gateways. |
ForcedLogging | REG_DWORD | Set this key to 1 to enable debug logging. |
NoDHCPRoute | REG_DWORD | If set to 1, the DHCP server route is not added. |
DisableIntuneDeviceEnrollment | REG_DWORD | If set to 1, Intune device enrollment is not performed. |
HttpTimeout | REG_DWORD | HTTP timeout is configured in seconds. If timeout is not configured, the default timeout is used. The default timeout value is 100 seconds, based on Windows standards. |
secureDNSUpdate | REG_DWORD | 0 => The VPN plug-in tries the unsecure DNS update only. 1 => The VPN plug-in tries the unsecure DNS update first. If the unsecure DNS update fails, the VPN plug-in then tries the secure DNS update. This is the default behavior starting from the 21.3.1.2 Windows plug-in build. 2 => The VPN plug-in tries only the secure DNS update. |
DisableIconHide | REG_DWORD | 1 => The Citrix Workspace app and the gateway plug-in are displayed on the taskbar. 0 => The gateway plug-in icon is integrated with Citrix Workspace app for Windows. The gateway plug-in is not visible on the taskbar when running a full VPN session. |
SecureChannelResetTimeoutSeconds | REG_DWORD | By default, this registry value is not set or added. When the value of “SecureChannelResetTimeoutSeconds” is 0xFFFFFFFF or not present in the registry, the VPN plug-in waits for the SecureChannelReset() API call to complete before starting to tunnel data traffic. This is the default behavior. Admin must set this registry on the client for the VPN plug-in to start tunneling data traffic after waiting the specified time for the API call to complete. |
DisableDNSRoutes | REG_DWORD | Default value 0 => VPN plug-in adds routes for DNS servers if they are different from the default gateway for a physical interface. However, based on the Windows client machine topology, DNS server routes might not be always required. If set to 1, the VPN plug-in does not add explicit routes for the DNS servers. |
overrideIP6DnsDrop | REG_DWORD | 1 => Allow IPv6 DNS traffic to flow over VPN. 0 => Restrict IPv6 DNS traffic flow. |
DisallowCaptivePortals | REG_DWORD | 1 => VPN plug-in checks for captive portals by trying to connect to the Microsoft Connect test page before starting a VPN session. 0 => VPN plug-in skips the captive portals check. |
EnableWFP | REG_DWORD | Default value 0 => By default, DNE is enabled. 1 => VPN plug-in uses WFP. 0 => VPN plug-in uses DNE. |
ConfigSize | REG_DWORD | Windows client supports 64 KB configuration file size, by default. Use this registry to increase configuration file size. If the configuration file size is larger than the default value (64 KB), then the ConfigSize registry value must be set to 5 x 64 KB (after converting to bytes) for every addition of 64 KB. For example, if you are adding additional 64 KB, then you must set the registry value to 64 x 1024 x 5 = 327680. Similarly, if you are adding 128 KB, then you must set the registry value to 64 x 1024 x (5+5) = 655360. |
SecureAccessLogInScript | REG_SZ | Citrix Secure Access service accesses the login script configuration using this registry key when it connects to Citrix Secure Private Access service. For details, see Login and logout script configuration registries. |
SecureAccessLogOutScript | REG_SZ | Citrix Secure Access service accesses the logout script configuration using this registry key when it connects to Citrix Secure Private Access service. For details, see Login and logout script configuration registries. |
Important:
You can apply registry keys based on your deployments. For example, the AlwaysOnService registry key is applicable only to the Always On service, whereas the ClientControl registry key is not applicable to the Always On service. Refer to the individual deployment documentation for more details.
secureDNSUpdate is applicable only for domain joined client devices and is not common for other OS types.
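
The following PowerShell audit is an added example, not part of the Citrix documentation. It reads the values under the key described above, compares a few of them against a baseline, and lists the AlwaysOnAllowlist entries for review. The baseline values and the function name Test-SecureAccessBaseline are assumptions chosen for illustration; use the values that match your deployment.

```powershell
# Added example: audit Citrix Secure Access client registry values.
$Path = 'HKLM:\SOFTWARE\Citrix\Secure Access Client'

# Assumed baseline (illustrative). Meanings are taken from the table above.
$Baseline = [ordered]@{
    AlwaysOn         = @{ Expected = 2; Meaning = 'Block network access on VPN failure' }
    secureDNSUpdate  = @{ Expected = 2; Meaning = 'Try only the secure DNS update' }
    EnableAutoUpdate = @{ Expected = 1; Meaning = 'Respect ADC auto-update configuration' }
    ClientControl    = @{ Expected = 0; Meaning = 'Users cannot log out or switch gateways' }
}

function Test-SecureAccessBaseline {
    param(
        [string]$KeyPath = $Path,
        [System.Collections.IDictionary]$Policy = $Baseline
    )
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        Write-Warning "Registry key not found: $KeyPath"
        return
    }
    $props = Get-ItemProperty -LiteralPath $KeyPath

    foreach ($name in $Policy.Keys) {
        # A value that was never created is reported as NotSet, not as a mismatch,
        # because the client then falls back to its default behavior.
        $prop   = $props.PSObject.Properties[$name]
        $actual = if ($prop) { $prop.Value } else { $null }
        $status = if ($null -eq $actual) { 'NotSet' } elseif ($actual -eq $Policy[$name].Expected) { 'OK' } else { 'Mismatch' }
        [pscustomobject]@{
            Name     = $name
            Actual   = $actual
            Expected = $Policy[$name].Expected
            Status   = $status
            Meaning  = $Policy[$name].Meaning
        }
    }

    # AlwaysOnAllowlist is a semicolon separated list; emit one row per entry
    # so each destination allowed in Always On strict mode can be reviewed.
    $allow = $props.PSObject.Properties['AlwaysOnAllowlist']
    if ($allow -and $allow.Value) {
        foreach ($entry in ($allow.Value -split ';' | Where-Object { $_.Trim() })) {
            [pscustomobject]@{
                Name = 'AlwaysOnAllowlist'; Actual = $entry.Trim(); Expected = $null
                Status = 'Review'; Meaning = 'Allowed by the driver in Always On strict mode'
            }
        }
    }
}

Test-SecureAccessBaseline | Format-Table -AutoSize
```

The script only reads the registry, so it can run as a standard user on most clients.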