Should Citrix allow standalone ICA connections to desktops without a broker?


Last week, Citrix’s Chris Fleck started a conversation over at the Citrix blog site where he asked whether there’s value in Citrix enabling ICA connections (with full HDX capabilities) to desktop OSes directly instead of forcing users to connect through the XenDesktop connection broker. Specifically, Chris wrote:

We have been discussing ways to make HDX more pervasive and useful to IT pros and users. HDX has significant benefits and we want the broader industry to try it out and get a taste of XenDesktop.

This is potentially a huge deal, so I’d like to bring this conversation to the audience since not everyone is probably aware of Chris’s post.

So let’s dig into it. First of all:

What is a standalone connection?

Simply put, a standalone connection means that Citrix would provide a standalone MSI package that could be installed onto Windows XP / Vista / Win7 desktops and that would let ICA clients establish connections directly to the host desktop via the computer name or IP address. From a technical standpoint this would have nothing to do with XenDesktop. It’s just an ICA/HDX connection to a desktop instead of a terminal server.

If you haven’t used Citrix’s XenDesktop product, you might be surprised to learn that this capability actually isn’t possible today! Current versions of XenDesktop require that users first connect to a Citrix Web Interface / desktop broker to be routed to the desktop (physical/virtual/blade) where their ICA/HDX connection is established. So even if you downloaded the Citrix Virtual Desktop Agent (VDA) software and installed it onto a regular desktop, the agent only starts listening for incoming ICA connections after it’s been contacted by the central connection broker, so attempting a connection to 1494 or 2598 to a desktop with the VDA installed but without XenDesktop will just run you into a closed port.

Interestingly, Citrix XenApp has always allowed standalone connections (although in recent versions they’re disabled by default). So this capability would not be new to Citrix, just new to desktops.
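
A defender's check for the listener behaviour described above, as an added example (not code from the article or from Citrix): it classifies ports 1494 and 2598 on each desktop as open, closed or unanswered, which separates "agent not listening" from "blocked on the network path". The function names, the `allow_direct` list and the sample addresses are assumptions made for illustration.

```python
import socket

# Ports named in the article for ICA/HDX sessions.
ICA_PORTS = (1494, 2598)


def probe(host, port, timeout=2.0):
    """Classify one TCP port from this vantage point.

    open        - handshake completed, so a listener is reachable
    closed      - connection refused: typically host up, nothing listening
                  (what the article describes for an agent no broker has contacted)
    no-response - timeout, unreachable host or failed lookup (often a firewall)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "no-response"


def audit(desktops, allow_direct=(), ports=ICA_PORTS, timeout=2.0):
    """Probe every desktop and attach a finding to each (host, port) pair.

    allow_direct lists hosts where a directly reachable listener is approved
    (hypothetical policy input). An open port elsewhere is only a prompt to
    review: it may be a brokered session that is active right now.
    """
    report = []
    for host in desktops:
        for port in ports:
            state = probe(host, port, timeout)
            if state == "open" and host not in allow_direct:
                finding = "review: listener reachable outside the approved list"
            elif state == "open":
                finding = "ok: approved direct listener"
            elif state == "closed":
                finding = "ok: host up, no listener"
            else:
                finding = "unknown: filtered or host unreachable"
            report.append((host, port, state, finding))
    return report


if __name__ == "__main__":
    # Constructed sample inventory (documentation address range, not real hosts).
    for row in audit(["192.0.2.10", "192.0.2.11"], allow_direct=["192.0.2.11"]):
        print(*row, sep="\t")
```

Run it from the network segment the ICA clients sit on, since the result only describes reachability from where the probe runs.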

Why would anyone want a standalone connection?

There are a lot of reasons that people might want to connect via ICA/HDX to a desktop outside of a proper XenDesktop environment. (And by the way, Citrix is interested in knowing your reasons, so feel free to leave a comment here or vote in the poll embedded in Chris’s original post.) Possible use cases include:

  • Creating simple proofs-of-concept. (Show users the concept and experience of connecting to their own images via ICA/HDX without having to go through all the trouble of setting up XenDesktop.)
  • Smaller or simpler VDI deployments where all users would be using private (a.k.a. “one-to-one” or “persistent”) images.
  • Using VDI where you don’t trust the HA capabilities of the connection broker, or where you don’t want to add the complexity of a broker.
  • Using VDI where you want to use another VDI framework (VMware View, Microsoft VDI Suite, etc.) but you still want ICA/HDX.
  • As a method for users to connect to their own corporate desktops. (Kind of like a private in-house GoToMyPC.)
  • Cloud-based desktops where you want ICA/HDX.
  • Dev / testing of remote desktop VMs where you just want full ICA/HDX instead of just RDP.
  • Troubleshooting XenDesktop. e.g. if a user can’t connect to his or her desktop, you could try connecting directly via ICA/HDX to verify that the core components are online, working, and not being blocked by a firewall or policy or something. (Thanks to Shawn Bass for that suggestion.)
  • An easy way to configure multiple "tiers" of users. e.g. Let high value users get their own dedicated machines while the riff-raff share overloaded VMs. (Thanks to App Detective for that suggestion.)

How would Citrix release these standalone ICA connections?

Assuming that Citrix believes this is a good capability to have, how do you think they’ll release it?

  • Will it be built into the XenDesktop product? So when you buy XenDesktop, you also get the capability to connect via ICA/HDX directly to desktops?
  • Will it be released as a standalone product, like for $50 per user you can buy an ICA/HDX standalone license?

My gut reaction would be that Citrix would make this an option for XenDesktop customers. Then again, Chris’s blog post talks about wanting to expose people to the benefits of ICA/HDX, so maybe that’s a hint that they’re thinking about this as a standalone release? On the one hand, that might hurt their XenDesktop sales. But on the other, they’ve always been saying that XenDesktop is more than ICA, so why not make this a standalone capability?

That said, the cheapest XenDesktop is only $75 per concurrent user. (Not counting the free 10-user Express Edition.) Heck, if Citrix added standalone ICA to the $75 edition of XenDesktop, I’ll bet people who are using other VDI products would buy that edition just for ICA and not even use the rest! (Which I think would be fine, right? I mean there’s no reason for Citrix to limit this standalone ICA thing to Platinum or Enterprise editions, is there?)

How likely is this to happen?

So now that we’ve looked into all the details of this ICA/HDX standalone capability, how likely is this to happen? (Because Chris’s blog post makes it clear that they’re just thinking about this—they’re not committed to anything.)

My personal feeling is that this is fairly likely. In addition to all the reasons listed above, Citrix already has a marketing-friendly name picked out: HDX Connect. If this was just some project they were toying around with, it’d have a codename like “Project Flecktacular.”

And from a complexity standpoint, I can’t imagine that there are too many code changes that need to happen to convert the existing VDA software agent into a standalone non-XenDesktop-requiring mode. Really it just depends on how they decide to license it. (And on that note, how cool would it be if Citrix just made this available for free, or super cheap, like $10 a user? Then everyone would use it. Microsoft would love it. And VMware would be caught in their own “we’re protocol agnostic” shtick and be forced to support it, which would make their blood boil since every View project on the planet would be enabled by Citrix. And Citrix would just sit back and look cool, knowing they were the reason that VDI was so popular.)

Join the conversation



I can't think of a reason that they wouldn't (or shouldn't) do this, to be honest.  I wonder if there can even be a free single-use thing, just to get it out there even more.  It would have to include some way to prevent organizations from using it for everything, but I'd imagine they can come up with it.  


But really, why not just open it up for free to the whole world? I mean they do that for XenServer, and they make money with add-ons. Wouldn't free ICA/HDX for all be the ultimate? (Do it for TS and desktops too), and imagine the good will and how they could really drive their brand into every environment.


I think the smart thing would be to make it cheaply available to 'fight' VMware in this space.

I think Citrix will make it part of a 'platinum' version of XenDesktop making you pay top dollar.

Their choice of the two above options would actually reflect their view of themselves in this space. Option 1 would make them underdog in the VDI space. Option 2 would mean they see themselves as almighty.

Reasons to use it are more blended than just one option. For instance:

- As a method for users to connect to their own corporate desktops but without the hassle of providing a full fledged XenApp farm (with app compatibility issues).

Another one would be making use of your desktop investments. No need to toss out those investments anymore in favour of big iron in the MER.


Citrix are retiring the full PN client. At present this is the only client that allows these "direct ICA" connections. How will you make these direct ICA connections in the future?

Without PN, we're left with the Receiver client, PNAgent and the web client. None of these allow direct ICA sessions to be initiated.

I can see a "Receiver plugin for direct connections" being required if this goes ahead.


@Neil: As Brian said, standalone MSI packages that contain bits & information could be useful for distributing this functionality, just like APP-V does today.

My opinion from different perspectives:

User: It's quite interesting to have the capabilities of ICA with a "mstsc-like" more direct approach of using it. However, are there significant advantages? As a user, can I expect better support in case of problems with this solution? Advantages over other solutions should be pointed out better since most IT organizations are driven by "business" (which here may be simplified as "User") demands...

Admin: my first thought: Ok, so far IT organizations struggled to centralize and streamline things as much as possible, gaining control and transparency. I wonder how much those standalone ICA connections will contribute to the manageability of the infrastructure in terms of reducing complexity and overhead... hmmm... does this question matter anyway?

Basically, I think it's important to keep control over the assignment of desktops to users as well as over the usage (apart from licensing) to ensure that support and maintenance don't exceed service levels. Maybe some monitoring capabilities can be built into the agent.

Beyond question, it's logical to discuss this idea now and Citrix has good reasons to do this. However, I think that (must I already say "traditional"? ;-)) broker technology addresses many of Brian's use cases adequately well, too...


Brian, so glad you are giving this one attention on your site, thanks dude. Look if Citrix starts by offering this as an XD feature so enterprise customers can implement XD while connection brokers mature, then I think this would be a fantastic start.

If I were them, I would not give this away for free it makes no sense since there is so much IP here. Sure allow a trial version or something to get it into the hands of admins etc.

I think this is a huge deal. XD team PLEASE PLEASE PLEASE do this, it's really important to drive adoption. I will use your brokers for management in time once it gets there. Today the value is HDX with ICA not the broker.


Brian, thanks for highlighting the topic and the concept elaboration. Also thank you to Gabe, Charlie, Neil, Andreas, Shawn and Appdetective. We do value your feedback and ideas.

So regarding a trial version (aside from an XD feature), how long would it need to be in order to make it useful, but still drive adoption of production XenDesktop?


@Neil, who says that Citrix is retiring the full PN client? Sure, some functionality requires a broker, which means you need the PN Agent or Web Interface clients, but Citrix has been pretty adamant about the fact that they are NOT retiring the traditional PN client.

Even if they did retire it, I'll bet it wouldn't be too hard to modify the command-line parameters for wfica32.exe so that you could specify a host to connect to.


@Brian Full PN Retirement has been officially announced:

"Citrix is announcing the end of support for Program Neighborhood in all future online plug-in releases. The Citrix online plug-in v11.0 is the last version to use Program Neighborhood. Classic Program Neighborhood will be supported through the second quarter of 2010"


Another Comment, now related to the main subject :)

Having such a feature for free would push ICA adoption, demonstrating protocol capabilities and helping ICA go to the mass market.

It'd also be helpful for remote admins on slow links or XenDesktop debug.

However in a real world, either in a datacenter or within a cloud you can't work only with IP addresses or FQDN to connect your desktop, you need a broker and a central management system along with a user friendly interface.

You can also need central secure access with AGE (for example) to control who is connecting to your datacenter (and how).

In that way, making the "limited" functionalities free and leaving the enterprise features within a packaged product really makes sense.


Speaking from experience, I agree with both, there is no reason why a One-to-One connection cannot and doesn't exist, especially from a troubleshooting perspective. However, we have to have the brokering and advanced capabilities as well to scale and manage the product. Have done this before, managing the one-to-one aspect is a nightmare, and if you are going to invest time and money into elaborate VM tracking databases and web front ends then you might as well use a broker.

Great point:

"However in a real world, either in a datacenter or within a cloud you can't work only with IP addresses or FQDN to connect your desktop, you need a broker and a central management system along with a user friendly interface."


I can use AD to make a connection and hold the user to VM information there. For the 1-1 scenario it's that simple is broker is needed. When I want brokers it will be all about single image mgmt which will take time to mature. So this is about implementing now not 2012 when brokers are ready at scale.



Hmm, why do I feel this overwhelming déjà vu?

Anyway, AD huh? I like it! That could be done very easily. Great Idea.

Now what do I do when “I” don’t want to manage that anymore? Do I give the guy who resets passwords this task too? That could work. So then I am hoping that I have delegated his rights in AD correctly and if you are using the built AD Delegation model you had better hope it is clean and working well because you do not want to elevate a guy to Domain Admin just to manipulate an AD Field. But then you could use a proxy rule based authentication product like NetIQ DRA and create custom rules based on role. That could work as well. Could mean extra work but it is doable. Once again, not a bad idea...


One of the issues that hasn't been mentioned is that the model of the VDA only listening for ICA connections from a broker server is that it's inherently secure - by opening up the ICA listener to any port, there's a potential hole to plug.

Not that it's a massive issue, but I guess it's one of the reasons why the VDA doesn't listen on 1494 today.




I think it would be a smart move to get their brand in people's faces but I don't see Citrix giving this away for free to your average user for personal use as it would interfere with GoToMyPC sales.

Using it in the enterprise without a broker for end users does not really enhance the usability from an end to end standpoint.

While this is out of scope of what the original article asked, how great would it be to have ICA connectivity on ALL of your servers for administration?! And this would obviously take a redesign but how fantastic would it be to replace iLO with an ICA connection to the console?!

The ICA protocol is the kid on the block to beat and if they could license it to companies (HP,Dell) who would not compete with their bread and butter (XenApp) I think it would take them to the next level, get their product to be a household name AND bring in revenue.  Or at least create a service to install on any machine for remote administration over the WAN with fantastic performance.

I went way off topic there but I have yet to see a protocol that performs as well as ICA under all circumstances..


I see this from a different perspective. Forget about the business trying to do desktop virtualization. What about the home user? How many PCs do you have in your house for you/family? What happens when they get old? You gotta buy new ones. Just like a business, but our budgets aren't as large. So, let me keep using my desktop that I bought in 2000. But now, I'll pay Amazon a few bucks a month for a virtual machine where I install Windows 7 and all the latest/greatest software. Install the Citrix ICA/HDX thing and bingo, I'm now using Win 7 on my 9 year old PC. If it is only a few bucks, I’ll rent out VMs for all my kids as well and just go buy cheap NetBooks.

Of course this all assumes VECD licensing wasn't an issue :)

Follow me on Twitter @djfeller



>I can see a "Receiver plugin for direct connections" being required if this goes ahead.

It's not as if we haven't made it very clear that this is a huge hole in the current model.  A direct connect plugin is exactly what we need, but I've not had any hints (yet) that the message is getting through.

More on this topic @


Believe it or not, this is not a "New" topic at Citrix. I know that this has been floated repeatedly by various partners of Citrix since their entry into the VDI fray. Initially it was rejected outright because ICA is Citrix's "Crown Jewel" (their words) and it would devalue the protocol. I am just wondering what has "really" moved Citrix to float this publicly. When they have ALWAYS rejected the concept outright in the past, even though their partners used basically all the above arguments.


@Glenda Canfield Perhaps Citrix is finally listening to what partners want as well as customers. It's interesting you say partners are asking for it, do you know if this is a common ask by partners?


I know of at least two partners who have asked. I am sure you have heard the "rumors" that HP is EOLing RGS which is basically a stand alone protocol with no Broker dependency, though it has been qualified to work with HP SAM. Citrix already has the ability to do this. It would not require a significant amount of labor to roll this out as a new product to their VDI audience.


Just curious... Did this ever happen?

I just tried installing Citrix XenDesktop Virtual Desktop Agent (v3.1.x) which installs ~10 Citrix services (including ICA, Desktop Service, CGP Server). Then I tried using a Citrix client like Receiver from a Windows PC & even iPhone but it just won't connect.

So no luck on my end but then again it could just be PEBKAC.


Just happened to stumble across Doug's recent question on this.  In short, you still need a full XenDesktop installation for connections to work.  The agent requires connections to be brokered by an XD DDC in order to turn on the ICA ports.

Still wishing...