Configure proxy authentication
Supported on: All Citrix Workspace supported platforms
Description
Use this policy to control the authentication mechanisms that the client uses when connecting to a proxy server. Authenticating proxy servers can be used to monitor data traffic in large network deployments. In general, authentication is handled by the operating system but in some scenarios, the user may be provided with a specific user name and password. To prevent the user from being specifically prompted for these credentials, clear the "Prompt user for credentials" check box. This will force the client to attempt an anonymous connection. Alternatively, you can configure the client to connect using credentials passed to it by the Web Interface server, or these can be explicitly specified via Group Policy using the "Explicit user name" and "Explicit password" options. Troubleshooting: In general NTLM proxy authentication will be performed under the control of the Domain Controller, and cannot be controlled by the client. Both client and proxy will need to be configured with the appropriate domain level trust relations. Proxy authentication cannot be linked to the pass-through authentication feature of the client. In general, the proxy password will be unrelated to user's passwords.
Registry
Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\Proxy REG Builder
BETAConfigure the state and elements to generate .reg, PowerShell, Intune, and SCCM outputs.
These exports replicate the policy's registry effect. Editing the registry directly is not the same as applying the GPO through the management console (no gpupdate, no central reporting). Test before production; HKLM changes require administrator rights.
.reg file
Windows Registry Editor Version 5.00
; Exported from gporais.com
; Policy: Configure proxy authentication
; State: Enabled
; Supported on: All Citrix Workspace supported platforms
[HKEY_LOCAL_MACHINE\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\Proxy]
"ProxyAuthenticationPrompt"=dword:00000001
"ProxyAuthenticationBasic"=dword:00000001
"ProxyAuthenticationNTLM"=dword:00000001
"ProxyUsername"=""
"ProxyPassword"="" PowerShell
# Exported from gporais.com
# Policy: Configure proxy authentication
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\Proxy'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'ProxyAuthenticationPrompt' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'ProxyAuthenticationBasic' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'ProxyAuthenticationNTLM' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'ProxyUsername' -Value '' -Type String
Set-ItemProperty -Path $path -Name 'ProxyPassword' -Value '' -Type String Intune XML
No direct Policy CSP / OMA-URI mapping for this policy. Use the Intune Remediation tab, or ingest the ADMX in Intune. Intune Remediation
# === Detection script ===
# Exported from gporais.com
# Policy: Configure proxy authentication
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
function Test-RegistryValue {
param(
[Parameter(Mandatory = $true)][string]$Path,
[Parameter(Mandatory = $true)][string]$Name,
[object]$Expected,
[ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
[switch]$Absent
)
try {
$item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
} catch {
return $Absent.IsPresent
}
if ($Absent.IsPresent) { return $false }
$actual = $item.$Name
if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
if ($Kind -eq 'MultiString') {
$actualValues = @($actual)
$expectedValues = @($Expected)
if ($actualValues.Count -ne $expectedValues.Count) { return $false }
for ($i = 0; $i -lt $expectedValues.Count; $i++) {
if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
}
return $true
}
return [string]$actual -eq [string]$Expected
}
$checks = @(
(Test-RegistryValue -Path 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\Proxy' -Name 'ProxyAuthenticationPrompt' -Expected 1 -Kind DWord)
(Test-RegistryValue -Path 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\Proxy' -Name 'ProxyAuthenticationBasic' -Expected 1 -Kind DWord)
(Test-RegistryValue -Path 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\Proxy' -Name 'ProxyAuthenticationNTLM' -Expected 1 -Kind DWord)
(Test-RegistryValue -Path 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\Proxy' -Name 'ProxyUsername' -Expected '' -Kind String)
(Test-RegistryValue -Path 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\Proxy' -Name 'ProxyPassword' -Expected '' -Kind String)
)
if ($checks -notcontains $false) {
Write-Output 'Compliant'
exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Configure proxy authentication
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\Proxy'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'ProxyAuthenticationPrompt' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'ProxyAuthenticationBasic' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'ProxyAuthenticationNTLM' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'ProxyUsername' -Value '' -Type String
Set-ItemProperty -Path $path -Name 'ProxyPassword' -Value '' -Type String SCCM CI
# Exported from gporais.com
# Policy: Configure proxy authentication
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
# SCCM Configuration Item guidance:
# Create a Configuration Item of type "Setting: Script".
# Discovery script: use the Detection script below.
# Remediation script: use the Remediation script below.
# Compliance rule: the Discovery script output equals 'Compliant'.
# === Detection script ===
# Exported from gporais.com
# Policy: Configure proxy authentication
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
function Test-RegistryValue {
param(
[Parameter(Mandatory = $true)][string]$Path,
[Parameter(Mandatory = $true)][string]$Name,
[object]$Expected,
[ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
[switch]$Absent
)
try {
$item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
} catch {
return $Absent.IsPresent
}
if ($Absent.IsPresent) { return $false }
$actual = $item.$Name
if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
if ($Kind -eq 'MultiString') {
$actualValues = @($actual)
$expectedValues = @($Expected)
if ($actualValues.Count -ne $expectedValues.Count) { return $false }
for ($i = 0; $i -lt $expectedValues.Count; $i++) {
if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
}
return $true
}
return [string]$actual -eq [string]$Expected
}
$checks = @(
(Test-RegistryValue -Path 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\Proxy' -Name 'ProxyAuthenticationPrompt' -Expected 1 -Kind DWord)
(Test-RegistryValue -Path 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\Proxy' -Name 'ProxyAuthenticationBasic' -Expected 1 -Kind DWord)
(Test-RegistryValue -Path 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\Proxy' -Name 'ProxyAuthenticationNTLM' -Expected 1 -Kind DWord)
(Test-RegistryValue -Path 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\Proxy' -Name 'ProxyUsername' -Expected '' -Kind String)
(Test-RegistryValue -Path 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\Proxy' -Name 'ProxyPassword' -Expected '' -Kind String)
)
if ($checks -notcontains $false) {
Write-Output 'Compliant'
exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Configure proxy authentication
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKLM:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Network\Proxy'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'ProxyAuthenticationPrompt' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'ProxyAuthenticationBasic' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'ProxyAuthenticationNTLM' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'ProxyUsername' -Value '' -Type String
Set-ItemProperty -Path $path -Name 'ProxyPassword' -Value '' -Type String