I have clients on an internal untrusted Wifi network (guest) when they try to open citrix it appears that HDX Direct wants to be enabled and send traffic to internal DNS names which failes. Is there a way to tell HDX direct to not apply on a certain IP

I may be totally off-base, since I don't have any experience with HDX Direct, but from reading about HDX Direct this doesn't sound like how it should work. "HDX Direct allows clients to establish a direct connection to the session host when direct communication is available." This sounds to me more like a Beacon issue where the the guest WiFi can access the internal beacons, but aren't allow to make direct connections to VDAs. Could you block access to the beacon addresses from the guest WiFi?

Thanks, it was HDX Directs smaller brother Direct Workload Connection. I had the network IP defined in the trusted locations.