My CTP fellow James Rankin has written a very good article about the CVAD Clipboard Redirection here; this article shares my findings and research about clipboard redirection based on CVAD 1912 LTSR.
Out-Of-Box Installation and the Security part
If you install CVAD 1912 out of the box, or update it from an earlier release, and you haven't configured clipboard redirection in the past, this feature is enabled by default.
From a security perspective, many companies won't allow client drive mapping if you are connecting to the VDA through an external gateway. But with the default clipboard redirection settings you can copy files directly through the virtual HDX Clipboard channel, via Copy & Paste in Windows Explorer, through any HDX connection.
Clipboard Format Citrix (CFX)
Citrix has created 4 clipboard formats of its own; these are enabled by default.
To copy office formatting like Headers, etc. through the HDX Channel
Clipboard redirection without CFX_RICHTEXT
Specifies the Office Drawing, or OfficeArt, binary file format. This file format exists as part of various Microsoft Office application binary file formats. The OfficeArt data represents the drawing elements and all their associated formatting in those Office applications. Typically these elements are represented as shapes contained within drawings or diagrams, but may include form controls or tables.
Microsoft Office Excel 97-2003 Binary File Format (.xls). Also known as BIFF8.
The Microsoft Excel Binary File format, with the .xls extension and referred to as XLS or MS-XLS, was the default format used for spreadsheets in Excel through Microsoft Office 2003. The format is also referred to as Binary Interchange File Format (BIFF) in Microsoft’s technical documentation. This format description is primarily for version 8 of BIFF (BIFF8), introduced with Excel 97 in 1997. Although it cannot support the latest functionality of the Excel application, BIFF8 has continued to be available as an alternative to the XLSX/OOXML format, standardized as ISO/IEC 29500, for saving spreadsheet files in Excel. As of late 2019, the documentation for File formats that are supported in Excel, from Microsoft, lists two variants of XLS format, distinguishing between “Excel 5.0/95 Binary file format” and “Excel 97-Excel 2003 Binary file format.” These correspond to BIFF5 and BIFF8, respectively.
|Extension|Format|
|.xls|Excel 97 – Excel 2003 Binary file format (BIFF8).|
|.xlt|Excel 97 – Excel 2003 Binary file format (BIFF8) for an Excel template.|
Depending on the environment you are using, it can be necessary to enable it.
The Excel content can be copied without this setting.
Pasting files directly from clipboard to the client or the VDA through the virtual HDX Clipboard Channel.
Note: If you have restricted the policy to text only (CF_TEXT) and added CFX_FILE, all files can be copied, not text only. In my opinion, if you use CFX_FILE, it's not required to restrict the format. The user is able to copy every file in a direct way!!
With CFX_FILE you can copy any file with Copy & Paste without Client Drive Mapping, for example a PowerShell script, as you can see in the following example:
If CFX_FILE is not enabled, you can't paste the document to the local client or the HDX session. If a previous file is in the clipboard, this will be pasted.
Recommended Clipboard Formats
I have created my own recommended list as a good starting point; this will give you the most useful clipboard content with a high level of security.
|System Defined Clipboard Formats||Recommended List|
I don't use HTML format clipboard copy support. This will copy any scripts from the source of the copied content to the destination. Check that you trust the source before proceeding to copy. If you do copy content containing scripts, they are live only if you save the destination file as an HTML file and execute it.
The Clipboard Settings for the User are stored in the following registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\<SessionID>\User\VCPolicies
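To check what a live session actually received, the values under that path can be listed on the VDA. The PowerShell below is an added example, not code from the original article or from Citrix. Because the article does not list the registry value names, it assumes that clipboard-related values either have "Clipboard" in their name or carry one of the format names mentioned in this article in their data.

```powershell
# Added example: audit the per-session Citrix policy keys named in the article.
# Run in an elevated PowerShell session on the VDA.
$base = 'HKLM:\SOFTWARE\Policies\Citrix'

# Format names taken from the article; CFX_FILE is the one that permits file copy.
$formatsOfInterest = 'CFX_FILE', 'CFX_RICHTEXT', 'CF_TEXT'

function Get-ClipboardPolicyValue {
    param([string]$BasePath = $base)

    if (-not (Test-Path -LiteralPath $BasePath)) { return }

    # Each subkey that has User\VCPolicies is treated as one <SessionID> key.
    foreach ($session in Get-ChildItem -LiteralPath $BasePath -ErrorAction SilentlyContinue) {
        $vcPath = Join-Path $session.PSPath 'User\VCPolicies'
        if (-not (Test-Path -LiteralPath $vcPath)) { continue }

        $key = Get-Item -LiteralPath $vcPath
        foreach ($name in $key.GetValueNames()) {
            # Flatten multi-string or binary data into one searchable string.
            $text = @($key.GetValue($name)) -join ';'

            # Assumption: relevant values have "Clipboard" in the name or a
            # known format name in the data; everything else is skipped.
            $hits = $formatsOfInterest | Where-Object { $text -match [regex]::Escape($_) }
            if ($name -notmatch 'Clipboard' -and -not $hits) { continue }

            [pscustomobject]@{
                SessionKey     = $session.PSChildName
                ValueName      = $name
                Data           = $text
                AllowsFileCopy = [bool]($hits -contains 'CFX_FILE')
            }
        }
    }
}

Get-ClipboardPolicyValue |
    Sort-Object SessionKey, ValueName |
    Format-Table -AutoSize -Wrap
```

A row with AllowsFileCopy set to True means the session's allowed formats include CFX_FILE, which is the case the note above describes: files can be copied even when the policy is otherwise restricted to text.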
Trust Computers with 3rd Party deviceTRUST
The best way to trust a computer in a dynamic world is the 3rd party tool deviceTRUST.
Contextualize the corporate enterprise, allowing users the freedom to access their corporate workspace from any location, on any device, over any network, while giving IT departments the information and control they need to meet their governance requirements.
With its patent pending technologies, deviceTRUST delivers more than 200 hardware, software, network, security, performance and location contextual properties into the virtual and physical workspaces. deviceTRUST can easily integrate with any existing workspace management solution and requires no additional infrastructure. The context is always up-to-date and any change triggers a definable action.
Clipboard redirection is a very useful feature and allows you to control the content exchanged between client and VDA in a more secure way. Adjust the out-of-box settings to your requirements.