Optimizing the Teams web client (and streaming video) on Citrix Virtual Apps and Desktops

Using the Teams web version? Make it perform better by offloading it to the client.

The Teams full-fat installer has some issues for Citrix admins right now, mainly due to its aggressive (and bloated) way of installing into the user profile. You can use the Teams Machine-Wide Installer and even the VDI Installer to mitigate against some of this, but a lot of us (particularly those using Citrix Virtual Apps) are holding out for the server-level installer that integrates with Citrix policies. In the meantime, though, you can use Browser Content Redirection policies to optimize the performance of Teams within the web client.

This subject has already been excellently covered by fellow CTP Rody Kossen over on his blog so I’m just documenting the steps here for my own personal knowledge base, along with some bits of video which may help some of you out there to get it up and running.

The Teams web client is exactly what it says on the tin – a browser-based instance of Microsoft Teams. In my own limited experience, I don’t see an awful lot different from the full-fat application. You can make video and audio calls, and all the other functionality seems to be there, short of the close integration into the notification area. For many the web client has been a decent halfway-house solution until the application comes up to scratch for Citrix deployment.

Obviously, optimizing heavy applications like Teams can be quite important, especially in a Citrix Virtual Apps environment, where a user monopolizing resources can have a heavy knock-on effect on other users on the same RDSH server. As well as looking at Teams, we will also demonstrate redirection of YouTube video so we can see the offloading in action.

I did all of my testing on fat Windows client devices, which are obviously the best candidates for redirection in this way. However, it is also possible on thin clients, depending on the flavour of client you are using.

Setup

So firstly, make sure your VDA version is up-to-date. You can use the 7.15 LTSR (CU3 or higher) version to enable this or 7.16+ (for Internet Explorer only) or 1808+ (for Chrome and IE).

Also your client needs to be on the latest (or 1808+) version of the Workspace App.

The IE redirection relies on a Browser Helper Object (BHO). You will need to make sure that IE Enhanced Protected Mode is turned off and the policy for “Enable third-party browser extensions” is Enabled.

Set Computer Config | Admin Templates | Windows Components | Internet Explorer | Internet Control Panel | Advanced Page – Turn on Enhanced Protected Mode to Disabled
Set Computer Config | Admin Templates | Windows Components | Internet Explorer | Internet Control Panel | Advanced Page – Allow third-party browser extensions to Enabled

Once the IE BHO is loaded, you should be able to see it in the Manage Add-Ons list within Internet Explorer.

For Chrome, you need to also install the required redirection extension on the VDA. It is available at this link.

Policy settings

Next, you need to configure the Citrix policy settings that enable this. Here’s a quick video to show you the settings you need:

Summary of the settings for you cut-and-pasters out there 🙂 (Note there is a slight mistake in the video, I put https://youradfs.domain.com instead of https://youradfs.domain.com/* – the correct syntax is in the summary below!)

Browser content redirection – Allowed

Browser content redirection ACL config –

  • https://www.youtube.com/*
  • https://youtube.com/*
  • others (e.g. https://vimeo.com/*)
  • https://teams.microsoft.com/*
  • https://login.microsoftonline.com/*teams*

Browser content redirection authentication sites

  • https://youradfs.domain.com/* (change to your own address as necessary)
  • https://login.microsoftonline.com/*teams*
  • https://teams.microsoft.com/*
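
The difference between https://youradfs.domain.com and https://youradfs.domain.com/* can be checked before the policy is deployed. The script below is an added example, not code from the original post or from Citrix; it assumes that * matches any run of characters and that an entry must match the whole URL, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Entries from the summary above; the ADFS entry is shown both as typed in
# the video (no trailing /*) and as corrected in the summary.
ACL = [
    "https://www.youtube.com/*",
    "https://youtube.com/*",
    "https://teams.microsoft.com/*",
    "https://login.microsoftonline.com/*teams*",
]
ADFS_AS_IN_VIDEO = ["https://youradfs.domain.com"]
ADFS_CORRECTED = ["https://youradfs.domain.com/*"]


def to_regex(pattern):
    # ASSUMPTION: '*' matches any run of characters, everything else is
    # literal, and the whole URL must match (case-insensitive).
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body + r"\Z", re.IGNORECASE)


def matches(url, patterns):
    """Return the first pattern that matches url, or None."""
    return next((p for p in patterns if to_regex(p).match(url)), None)


def lint(pattern):
    """Flag entries that match nothing useful or far too much."""
    parts = urlsplit(pattern)
    findings = []
    if "*" in parts.netloc:
        findings.append("wildcard in host: redirects every matching site")
    if "*" not in parts.path + parts.query:
        findings.append("no wildcard after host: only this exact URL matches")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs, not captured traffic.
    samples = [
        "https://teams.microsoft.com/_#/conversations",
        "https://teams.microsoft.com.example.net/",
        "https://youradfs.domain.com/adfs/ls/?wa=wsignin1.0",
    ]
    for url in samples:
        print(url, "->", matches(url, ACL + ADFS_AS_IN_VIDEO),
              "|", matches(url, ACL + ADFS_CORRECTED))
    for entry in ACL + ADFS_AS_IN_VIDEO:
        print(entry, lint(entry) or "ok")
```

The second sample shows why the slash before the wildcard matters: with it, a look-alike host that merely starts with teams.microsoft.com does not match the Teams entry.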

Redirection in action (streaming video)

Now, we will do a quick demo to show you the actual offloading in action.

When you run the redirection through Chrome, you will see a number of HdxBrowserCef.exe processes active on the client machine as the redirection is passed back to the client device.

When you run the redirection through Internet Explorer, you will see a single HdxBrowser.exe process active on the client machine.

I have a quick video here showing a streaming video being played on a VDA, both with and without the content redirection (in this instance, I had enabled it for Chrome only – I disabled IE redirection by disabling third-party browser extensions via GPO).

Finalizing Teams web client redirection

Now, the final bit is for us to test the Teams web client redirection. Teams (as pointed out by Aaron Parker) is built on Chromium, but it seems to have some reliance on some IE components in this configuration (even if you run the web client in a different browser, the IE BHO still needs to be allowed to run), so we need to make sure the GPO controlling it is correctly configured in order for the redirection to work.

Once we’ve done that, we can verify if Teams optimization is working in Chrome and IE by doing a quick test (video):-

…and as we can see, it seems to be working as required (Internet Explorer being a non-supported browser for Teams meetings notwithstanding).

Security issues

Now, there are two possible configurations you can run this form of redirection in: “client-side fetch, client-side render” and “server-side fetch, client-side render”. (You can consider “server-side fetch, server-side render” a third configuration, but this is essentially BCR turned off.) The details are covered in much more depth in Rody’s blog posts, but in short: with client-side fetch, client-side render, the client fetches and downloads the content as well as rendering it. With server-side fetch, client-side render, the VDA fetches and downloads the content and then passes it to the client for rendering.

Obviously the client-side fetch would give a performance benefit, but it means that the internal proxy and other web security features are potentially being bypassed. This is not an ideal situation from a security standpoint, so many enterprises may wish to use the “server-side fetch, client-side render” configuration. There is a small impact on performance, but not anything hugely noticeable in my testing. To enable the server-side fetch, configure the Browser Content Redirection Proxy Configuration policy with the path to your proxy server.

Browser content redirection in general needs to be properly assessed and tested from a security standpoint. You are moving traffic (and potentially data) back to an endpoint that may or may not meet security standards for your environment. Obtaining proper security approval and ensuring it meets your regulatory standards is a part of this process that shouldn’t be ignored.

More resources

Some extra reading around this area (including Rody’s excellent posts)

Summary

So that’s how we can configure Teams optimization as a stopgap until the Microsoft and Citrix products come together more dynamically to enable it. Also, as I showed, we can offload video streaming sites (and anything else you may find that gives you performance issues), provided we are not introducing a security vulnerability in our estates. Happy redirection!

4 comments

  1. Hello James,

    Our company is looking to enable the BCR setting with a Dell Wyse Terminal Client 5070 with firmware WTOS 9.1 and Citrix Workspace App Client 20.12.0.12.1. Do you know if a Linux client is compatible with BCR?

    1. Not sure if this helps, but you need Citrix Workspace app 1808 for Linux or later, and thin client terminals must include WebKitGTK+ (whatever that is!) 🙂

  2. I added the exact same URLs, but after filling in the e-mail address on teams.microsoft.com and forwarding to ADFS it is not working with SSO. A different (old-looking) popup appears to fill in the credentials. After I manually fill them in it is working, though. The browser content redirection add-in is green in Google Chrome.
