A topic that pops open quite frequently in our support tickets is USB Redirection, when and how to use it. Even for many seasoned VDI/EUC professionals the area is somewhat a grey area, so I decided to write down some words to shed some light on this.
Before I go into the weeds, let me say: Calm down – it is way simpler than you think.
Do you really need USB redirection?
Ok, let’s kick this off! First of all, for many devices, like USB drives, smart cards, printers headsets, and dictation devices, you don’t need and shouldn’t use USB redirection. These devices normally have their own virtual channels developed for them, either by Citrix or the device vendor. These optimized virtual channels function and perform better than the generic USB forwarding virtual channel. This generic channel only currently supports the USB 2.0 protocol, which is quite slow, especially over longer distances. So please check this option first before resorting to USB forwarding.
Step 1: Check your server-side policies
By default, Citrix policies only allow a subset of device types to be forwarded. Thus, checking your Citrix policies controlling USB redirection is worthwhile to ensure that the type of device you want to forward is allowed from the server side. Below you see the most commonly used rules to control USB device types.
In this case, I will use for this article, I configured the last policy to be like the below:
This will allow a certain device to be forwarded that I will use as an example. For more information on how to configure this server-side policy, please check the CTX119722 kb article from Citrix.
Step 2: Find out the specifics of your device
Next, we need to find out the Vendor and Product ID (VID and PID) of your device that you would like to forward. There are a ton of different ways to do this, but I’ll share with you my way to get this done. In this example I’ll use my Polar Vantage 2 -sports watch as a USB device that I want to forward to the VDI session, so I can synch it up with the Polar Flow app.
If I try to just connect my watch and look for it in my VDI session using the Device Manager in the Desktop Viewer Toolbar I can see the watch, but it Redirect is greyed out and says Policy Restricted.
As it is allowed on the server side, we now need to configure the client. Open up a terminal on your NoTouch OS device, either directly in the console or through an SSH session. Connect the USB device and then issue the following command:
lsusb
You will get similar output as below:
My Polar Vantage 2 watch shows up in the 3rd last line. The ID is in the format VID:PID, so for my watch, the VID is 0da4 and the PID 0014. Now you can see why I configured the server-side policy in step 1.
It can sometimes be a challenge to figure out which device matches what you want to redirect as the names don’t necessarily match the brand name of your device. In that case, plug the device out and do lsusb, plug in the device and issue lsusb again. That way you can see what line was added.
Next, we take the VID and PID values to NoTouch Center and to the settings of a device (yes, device and not group settings as long as you test the configuration). Go to Services and scroll down until you see Citrix USB|Allow Devices: and enter the values you just found using the following syntax:
vid=xxxx pid=yyyy
In my case, it will be:
vid=0da4 pid=0014
like below:
Wait for the announcement to take effect (screen flicker) and reboot. After the reboot, you can see that the device shows up in the Devices list and can be redirected.
Step 3: Auto redirect
So, now I could redirect my Polar Vantage 2 to the VDI session to synch up, but this would require me to always manually redirect the device from the Device Manager. Additionally, in normal scenarios you don’t want users to fiddle around with the settings, so the best thing would be to automate this. To do this you need could either configure a CONNECT -rule that matches the ALLOW rule. Or to simplify things, you can just enable Citrix USB|Use ALLOW rules as CONNECT rules in NoTouch Center.
In addition, you need to enable the Desktop Appliance Mode for USB Devices option under the Citrix Workspace App settings in NoTouch Center.
After an announcement and a reboot my Polar Vantage 2 watch is automatically redirected to the VDI session and I can use Polar’s Flow app installed on the VDA to synch up my latest training sessions.
Next level: Composite USB Devices
The previous example was a simple scenario where the complete device was forwarded to the VDI session. But there are times when you want to forward just a few functions of the device to the session.
USB devices that have multiple functions are called composite USB devices, i.e., they consist of multiple USB devices. In these scenarios, part of the devices has their own optimized virtual channels whereas other devices/functions aren’t by default forwarded at all. One example of a very typical composite device is the modern headset. In my example below I will use my Jabra Evolve2 65 -headset.
By default, all audio devices (input and output) are forwarded using their own optimized virtual channels, so I get the headset shows up ok in my VDI session without any special configuration as can be seen below.
However, if I install the Jabra Direct tool on my VDI to control the settings of my headset, it cannot detect the headset. This is because only the audio functions of the device are forwarded, not the complete device.
As we learned previously in the simple scenario, I could use USB forwarding to change that. So I plug the device into my NoTouch OS machine, open up a console, and issue:
lsusb
to locate my device:
As mentioned previously, here the names don’t match the brand names, so I had to do a bit of unplug and re-plug to find out what device matched my Jabra headset. In my case it is the GN Netcom, so I take the vid=0b0e pid=24c7 to NoTouch Center as below:
After an announcement and reboot, I can see and redirect the headset in my VDI session and use Jabra Direct to manage it.
All good? Nope, as I can no longer use my headset as an audio device. If I look in my VDI session for audio devices, I only see the built-in speakers of my device.
This is because the complete headset is forwarded to the VDI session and the Citrix Workspace app for Linux (CWAL) no longer sees it as an audio device that is locally available on the client. So what we would like to do is to forward the control functions, while keeping the audio functions locally on the device so they could be forwarded with the optimized audio virtual channel.
To do this, return to the console in NoTouch OS and issue
lsusb -t
which will produce the following output:
In the previous lsusb output, you could see that my headset was plugged into USB Bus 3 and listed as Device 4. So, you can see that device actually exists of 4 devices – one Human Interface Device (HID) on interface 3 and 3 audio devices (interfaces 0, 1 and 2). So what we want to do is to keep the audio devices locally and only forward the HID function.
To do this we can use the composite USB support for the CWAL and amend the USB rule. We need to tell CWAL to split the USB device and only forward interface number 3. This can be achieved by adding the following to our USB rule:
split=01 intf=03
So our complete rule is now as below
Again, after an announcement and reboot I can both use Jabra Direct to configure my headset while using it as a headset in my VDI session.
Perfect? Nearly – to reach perfect we could disallow the user to redirect the audio functions and by doing that get the headset to malfunction. To that we could configure a DENY -rule, and also enable Use ALLOW rules as CONNECT rules as follows:
From our previous example, please remember to also check the Desktop Appliance Mode -setting.
Combining the rules
To add the simple USB forwarding rule together with the composite USB one, we just need to append the Allow Devices rule with the values of the Polar Vantage 2 sports watch. By doing that we get the following result:
To help you get the right syntax, I’ve added the rules here as well in the text so you can copy, paste and modify them to fit your needs.
Allow rule: vid=0b0e pid=24c7 split=01 intf=03, vid=0da4 pid=0014
Deny Rule: vid=0b0e pid=24c7 split=01 intf=00,01,02
The following versions were used:
NoTouch Center, 4.5.425
NoTouch OS, 3.4.407-EEs-k515-x64-230201
Citrix Workspace app for Linux, 23.02
There you go – it wasn’t harder than that. Happy forwarding!