HDX Direct not working

[Mike_B]

Has anyone had any success with the new (and admittedly in tech preview) feature 'HDX Direct'?    The idea is that if the Workspace app can see the VDA, then it connects directly to it rather than via the Cloud Gateway - much like Direct Workload Connection, but without having to specify which are your internal networks.

 

I've followed the docs but the Citrix certificate service on the VDAs isn't being started, despite the policy being in place to allow HDX Direct.   And if I start it manually on the VDA before connecting, it still doesn't seem to work anyway, it connects OK, but seems to be via the Cloud gateway rather than direct.

[jochen]

Same here. The Citrix Certificate Service is running in my case, but I cannot find a generated certificate in the Windows certificate store. We have Direct Workload Connection configured in Citrix Cloud. Maybe this breaks it?

[Yevhen Shepetukhin1709162827]

Same problem - connection always goes via the gateway and never tries direct path.  Direct Workload Connection is enabled...

[Mike_B]

I had an hour long call with a Citrix engineering guy on this last week, so both of us could try and understand what was going on in a real-life environment.

 

Regarding the certificate service, it turns out that it relies on the VDA being told that HDX Direct is enabled by the Cloud Connector, ie that the policy applies to it.  Because the machine has to first register in the delivery group before the policy applies, you can get a timing error - the service has started up and turned itself off again before the policy applies and sets the necessary reg key.  So, I tried setting the service to Automatic (Delayed) - which solved that problem at least.  I do also get a certificate showing up, which I can see above some people aren't, so I guess that must be a separate issue.

 

He also explained a bit more about how it works, something which isn't mentioned in the docs.   The actual process is the initial connection is always established via the Gateway, and only once the session is running does it try and negotiate an HDX Direct connection.  So, when testing, you may need to give it a couple of minutes before running the 'ctxsession -v' command, to give that process time to complete.

 

We took some CDF traces from both the endpoint and the VDA, which are now with Engineering for analysis.  Hopefully they'll spot something

[Yevhen Shepetukhin1709162827]

According to my testing HDX Direct starts working after successful authentication to the VDA which means Gateway Connection must be successful in the first place. That prevents HDX Direct from working when Citrix Gateway normally is not accessible (on-prem)

[Mike_B]

On 5/29/2023 at 11:15 AM, Yevhen Shepetukhin1709162827 said:

According to my testing HDX Direct starts working after successful authentication to the VDA which means Gateway Connection must be successful in the first place. That prevents HDX Direct from working when Citrix Gateway normally is not accessible (on-prem)

 

You're correct in that HDX should start working after the initial connection is made, but I don't follow the bit about 'prevents HDX Direct from working when Citrix Gateway normally is not accessible'.   The Citrix Gateway is accessible from on-prem, and is how the sessions are being launched initially.  The problem we are having isn't that sessions don't connect, but that they remain hairpinned via the cloud gateway instead of changing to use HDX Direct.

 

I tried upgrading the VDA on the test catalog to the newer 2305 today, but still no luck.

[Mike_B]

Minor update to this - I have found that with 2305 (and 2305.1) VDAs, HDX Direct will work OK if your Citrix Workspace app is new enough.  I'm using 2307 Workspace now and it seems to always connect OK.   However, I tested with a set of 2019 Server OS machines, running published desktops, and unfortunately if the HDX Direct policy is enabled then I get several failures a week across the catalog - not good at all as we are losing dozens of active sessions a week.   After setting the policy for HDX Direct to Disabled, that behaviour stops and all 30 servers make it through the week without any failures.

 

I have also found that if I update the VDA to 2308, it then doesn't work at all.   There has obviously been some work done for HDX Direct in the latest VDA, because when you run ctxsession -v command to check the status, it is specifically mentioned in the resulting output as being in use or not - you don't have to check the local and remote IP addresses match.  Unfortunately, it never is!

 

Good that Citrix are still working on this, but definitely a long way short of 'ready' still.  I guess the feature is still in preview though, so can't complain too much.

[jochen]

Working now with VDA 2308. Older CWA versions seem to randomly disconnect but 2309 looks good.

 

EDIT: Seems like there are still problems when using the HTML5 Client. Disabled for now. Let's try with the next release ?

Edited December 11, 2023 by jochen