Citrix 1912

The document outlines a comprehensive course on Citrix XenApp and XenDesktop, structured into multiple modules covering topics such as architecture, installation, configuration, and management. Each module includes specific subtopics that address various aspects of deploying and managing Citrix environments, including policies, application management, printing, and security considerations. Additionally, it provides key notes and resources for further learning and practical application.

Uploaded by

prabhakar prabha

Table of Contents

Module 0 - Course Overview
Module 1 - Architecture Overview
  Introduction to XenApp and XenDesktop
  Architecture Overview
  FlexCast Models
  Connection Flow Process
  Layered Approach Methodology
  Hosting Platform Considerations
Module 2 - Initial Requirements and Lab
  Citrix Consulting Methodology
  Supporting Infrastructure Requirements
  Supporting Infrastructure Licensing Considerations
  Preparing for Windows 10 and Server 2016 with AppDNA
  Lab Environment
Module 3 - Installing and Configuring a XenApp and XenDesktop Site
  Licensing Considerations
  Installation and Management
  Basic License Server Review
  Delivery Controller Role
  XenApp and XenDesktop Site
  Databases and Local Host Cache
Module 4 - Provision and Deliver App and Desktops Resources
  Virtual Delivery Agent (VDA)
  Machine Catalogs and Delivery Groups
  Provisioning Methods and Considerations
  Provisioning Methods: MCS in Detail
  MCS Environment Considerations
  Three Core Steps To Create Resources
Module 5 - Providing Access with StoreFront and Receiver
  StoreFront Architecture
  Define the Self Service Password Reset feature
  Receiver
  Receiver Configuration
Module 6 - Understanding and Configuring Citrix Policies
  Policies Introduction
  Policies for Session Management
Module 7 - Application Presentation and Management
  Application Properties
  File-type Association (FTA)
  Application Presentation
  Application groups
Module 8 - Printing with XenApp and XenDesktop
  Printing Introduction
  Print job routing
  Print drivers
Module 9 - Citrix Profile Management
  User Profiles
  Configuring Citrix Profile Management
Module 10 - Managing the XenApp and XenDesktop Site
  Delegated Administration
  Logging and Reporting
  Introduction to Zones
  Introduction to PowerShell
  Reboot Schedules for Server VDA
Module 11 - XenApp and XenDesktop Site Redundancy Considerations
  Preface to Redundancy
  Methods of Redundancy
Module 12 - XenApp and XenDesktop Basic Security Considerations
  Citrix Admin Security Considerations
  Certificate Authority
  XML Service Security Considerations
  XML Traffic Security
  External HDX Connection Security
Module 13 - Monitoring the XenApp and XenDesktop Site
  Introduction to Citrix Director
  Navigating Director
  Using Director to Monitor a Session
  Using Director to Interact with a session
  Using Director and HDX Insight to Proactively Monitor the Site
  Integrating SCOM & Director to Monitor and Troubleshoot the Site
Module 14 - Introduction to Supporting and Troubleshooting XenApp and XenDesktop
  Introduction to Supporting XenApp and XenDesktop Site
  Known Issue Awareness
  XenApp and XenDesktop Hotfixes & LTSR
  A List of Common Tools
Not for resale or distribution

1 © 2017 Citrix Authorized Content



Key Notes:
The Remote Desktop Connection Manager is the primary method of connecting to and interacting with the lab environment virtual machines.

Key Notes:
XenCenter is used to manage the lab environment virtual machines, specifically to perform tasks such as mounting/un-mounting an ISO and managing the power state.
Although XenCenter can be used to connect to the console of a virtual machine and log in, this method of access should take priority over the Remote Desktop Connection Manager only when the lab guide exercise says to do so.

Key Notes:
This access requires software on the user device called the Citrix Receiver.
Citrix Receiver can be downloaded from www.citrix.com/receiver and from mobile app stores.
Receiver uses the Citrix connection protocol called HDX to access these apps and desktops.

Key Notes:
Layer Presentation:
• External users connect through NetScaler Gateway, located in a DMZ, and then are directed to StoreFront (explain that NetScaler is not covered in this course, but is covered in CNS-222 “Citrix NetScaler Essentials and Unified Gateway”).
• Internal users connect directly to StoreFront.
• StoreFront presents the resources that are available to users.
• Resources include the desktops and apps made available through the different FlexCast models:
  • Hosted Shared Desktop/Published Apps – Server OS
  • Assigned Desktop OS – Hosted VDI (static/persistent)
  • Random Desktop OS – Hosted VDI (random/non-persistent)
• Delivery Controller brokers connections to desktop and app resources.
• Receiver must be installed on endpoint to supply connection to resource.
• Hypervisor – optional component.

Key Notes:
The User Layer groups the endpoint devices that users use to make connections to the XenApp and XenDesktop environment.
In this layer the endpoint choices can range from small mobile devices to specialized thin clients and multifunctional devices like notebooks or PCs.
For devices where admins/users are unable to install Receiver, Receiver for HTML5 can be leveraged. Remember that Receiver for HTML5 provides a connection through an HTML5-compatible Web browser; however, it does not have all the functionality that Receiver has.

Additional Resources:
Receiver download - https://www.citrix.com/go/receiver.html
Receiver Client Feature Matrix - http://support.citrix.com/article/CTX104182
Citrix Virtual Desktop Handbook 7.x Page 27 - http://support.citrix.com/article/CTX139331

Key Notes:
The Access Layer presents the technical components that act as the middle-man between the users with their endpoints and the XenApp and XenDesktop Site with its apps and desktops.
Typical deployments require external users to make secure encrypted connections through an SSL VPN that supports the HDX protocol, such as a NetScaler Gateway.
Internal users may bypass the NetScaler Gateway to directly access the StoreFront server.
These two access methods are typically determined by several factors, such as the location of the users, the types of devices and company policy.

Additional Resources:
Citrix Virtual Desktop Handbook 7.x Page 34 - http://support.citrix.com/article/CTX139331

Key Notes:
The Control Layer is used to group and present the core components of the XenApp and XenDesktop implementation.
The Delivery Controller is the central broker that handles all requests for all user sessions, both apps and desktops, across Server OS and Desktop OS.
The Delivery Controller also performs load balancing on user requests for apps and desktops on Server OS.
The XenApp and XenDesktop deployment relies on the SQL platform to host the Site database.
The Citrix License Server centrally manages and disburses licenses for user connections.

Additional Resources:
Citrix Virtual Desktop Handbook 7.x Page 91 - http://support.citrix.com/article/CTX139331

Key Notes:
The Resource Layer is a presentation of all resources that authorized users can gain access to, such as:
• Apps
• Desktops
• User data, like Profiles and documents
The Resource Layer is also where administrators consider how best to manage and control these resources, for example by creating policies to grant or restrict features.

Additional Resources:
Citrix Virtual Desktop Handbook 7.x Page 55 - http://support.citrix.com/article/CTX139331

Key Notes:
The Compute Layer is where the Access, Control and Resource Layers pool their virtual computing from.
It is no accident that the Compute Layer is presented beneath those three layers, as the Compute Layer is the “supply channel” for the environment.
We will expand upon the Compute Layer in a later lesson in this module.

Additional Resources:
Citrix Virtual Desktop Handbook 7.x Page 140 - http://support.citrix.com/article/CTX139331

Key Notes:
• What is the role of StoreFront?
  • Enumerating, Aggregating, and Presenting Desktops and Applications
• Which Citrix infrastructure component brokers end user connections to application and desktop resources?
  • Delivery Controller

Key Notes:
XenApp and XenDesktop share a unified architecture called FlexCast Management Architecture (FMA).
FMA's key features are the ability to run multiple versions of XenApp or XenDesktop from a single Site and integrated provisioning.
The FMA architecture underlying the 7.x platform enables the administrator to deliver desktops/applications to users (Server OS and Desktop OS) from a single console.
The various delivery methods are referred to as FlexCast models, such as those depicted above. Although not a comprehensive list, they are the most common.
One of the advantages of using this FMA platform is that it enables administrators to tailor the delivery method to the business and technical requirements of the end user.

Additional Resources:
FlexCast Concepts and Components - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview.html#par_anchortitle_a32c
Technical overview - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview.html#par_anchortitle_2039

Key Notes:
Server OS machines can run multiple desktop or application sessions from a single machine. It is considered an inexpensive server-based delivery mechanism that minimizes the cost of delivering applications to a large number of users, while providing a secure, high-definition user experience.

Additional Resources:
XenApp published apps and desktops: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview/delivery-methods/published-apps-desktops.html

Key Notes:
Published applications are managed centrally and users cannot modify the application, providing a user experience that is consistent, safe, and reliable.
Benefits and Considerations:
• Manageable and scalable solution within your datacenter.
• Most cost effective application delivery solution.
• Users must be online to access their applications.

Additional Resources:
XenApp published apps and desktops: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview/delivery-methods/published-apps-desktops.html

Key Notes:
Use Desktop OS machines to deliver VDI desktops.
VDI desktops are hosted on virtual machines and provide each user with a desktop operating system.
VDI desktops require more resources than XenApp published desktops, but do not require that applications installed on them support server-based operating systems.
In addition, depending on the type of VDI desktop you choose, these desktops can be assigned to individual users and allow these users a high degree of personalization.
Considerations:
• 1:1 ratio of users to desktop; at logon, user is randomly assigned a desktop. After logging off, changes are discarded and VM returns to pool for another user.
• A user’s resource consumption or action is less likely to affect other users, making it a good use case for those who require a higher level of performance due to resource intensive application work.
• The overhead of running a complete operating system per user requires more resources on hypervisors.
• Hosted VDI models also offer the option of dramatically accelerating graphic intensive applications by providing GPUs (or vGPUs) to the VM.

Additional Resources:
VDI Desktops - http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview/delivery-methods/vdi-desktops.html

Key Notes:
The first time a user logs on to use one of these desktops, the user is assigned a desktop from a pool of desktops based on a single master image. After the first use, each time a user logs in to use one of these desktops, the user connects to the same desktop they were assigned on first use. Changes to the desktop are not lost when the machine reboots.
Considerations:
• 1:1 ratio of users to desktop; user is assigned the same desktop on each subsequent logon; changes persist and are not discarded on logoff.
• A user’s resource consumption or actions are less likely to affect other users, making it a good use case for those who require a higher level of performance due to resource intensive application work.

Additional Resources:
VDI Desktops - http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview/delivery-methods/vdi-desktops.html

Key Notes:
Remote PC Access allows an end user to log on remotely from virtually anywhere to the physical Windows PC in the office. The Virtual Delivery Agent (VDA) is installed on the office PC; it registers with the Delivery Controller and manages the HDX connection between the PC and the end user client devices.
Remote PC Access supports a self-service model; after you set up the whitelist of machines that users are permitted to access, those users can join their office PCs to a Site themselves, without administrator intervention. The Citrix Receiver running on their client device enables access to the applications and data on the office PC from the Remote PC Access desktop session.
Remote PC is a great solution for customers that have a great workstation design with a backup solution already in place. These customers would not need to build out additional server infrastructure to get many of the same benefits.
Remote PC can be a great stop-gap where customers can get benefits quickly while the XenApp and XenDesktop solution is being developed.

Additional Resources:
Remote PC Access - http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/remote-pc-access.html

Key Notes:
Applications and desktops on the master image are securely managed, hosted, and run on machines within your datacenter, providing a more cost effective application delivery solution.
Considerations:
• 1:1 ratio of users to desktop for user to access a hosted Desktop OS application.
• It is not highly scalable as it requires a desktop for each user for a single application.

Additional Resources:
VM Hosted Applications - http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview/delivery-methods/vm-hosted-apps.html

Key Notes:
The diagram depicts the assessment and segmentation of users into groups based on the following criteria: graphic intensive apps, CPU-intensive application work, high security requirements, and printing requirements.
It is important to the success of the deployment to understand the user requirements and tailor the solution to their specific needs, as this can impact user acceptance and project costs.
You need to define user groups based on shared common characteristics in order to assign the FlexCast model that effectively addresses the requirements of the user group.
Mobility – understand where user is connecting from (network speeds, network security, etc.) and how frequently the user is roaming.
Personalization – assess if user requires additional personalization that cannot be provided by roaming profiles. Determine if user needs the ability to install apps themselves, or if the admin should install any additional apps required by user.
Security – lockdown, audit requirements.
Application set/application usage – common applications required; how resource intensive the application work is that users are doing.
• Have to have an understanding of how users are using applications; not always a clear mapping between app and workload.
• E.g. Excel for one user may be a light workload, but may have another user who is running reports with thousands of data sets and who therefore is a heavy workload.
Desktop loss criticality – understand impact to revenue, projects, and product if user is unable to access resources.
User segmentation is also important for understanding policies that may need to be applied.

Additional Resources:
Citrix Project Accelerator - http://project.citrix.com/

Key Notes:
As with physical desktops, it is not possible to meet every user requirement with a single virtual desktop type. Different types of users need different types of desktops. Some users may require simplicity and standardization, while others may require high levels of performance and personalization. Implementing a single desktop virtualization model across an entire organization will inevitably lead to user frustration and reduced productivity.
Citrix FlexCast offers a complete set of application and desktop virtualization technologies that have been combined into a single integrated solution. Because each FlexCast model has different advantages and disadvantages, it is important that the right model is chosen for each user group within the organization.
There are five FlexCast models available; the advantages and disadvantages of each model are described below:
• Hosted shared – With the hosted shared FlexCast model, multiple user desktops are hosted on a single server-based operating system and provisioned using Machine Creation Services or Provisioning Services. The hosted shared desktop model provides a low-cost, high-density solution; however, applications must be compatible with a multi-user server-based operating system. In addition, because multiple users are sharing a single operating system, users are restricted from performing actions that negatively affect other users, for example installing applications, changing system settings and restarting the operating system. There is also the potential that a single user could consume an unfair share of resources, which may negatively affect other users. The hosted shared FlexCast model is provided by Citrix XenDesktop in combination with Microsoft Remote Desktop Services (RDS).
• Hosted VDI – The hosted VDI FlexCast model provides each user with a desktop operating system. Hosted VDI desktops are less scalable than hosted shared desktops because each user requires their own operating system. However, hosted VDI desktops remove the requirement that applications must be multi-user aware and support server-based operating systems. In addition, the hosted VDI model provides administrators with a granular level of control over the number of virtual processors and memory assigned to each desktop. The hosted VDI model is provided by Citrix XenDesktop, and offers the following sub categories:
  • Random / Non-Persistent – Desktops are based on a single master image and provisioned using Machine Creation Services or Provisioning Services. Users are dynamically connected to one of the desktops in the pool each time they log on. Changes to the desktop image are lost upon reboot.
  • Static / Non-Persistent – Desktops are based on a single master image and provisioned using Machine Creation Services or Provisioning Services. Users are allocated a virtual desktop on first access. Once assigned, users will always be connected to the same virtual desktop. Changes to the desktop image are lost upon reboot.
  • Static Persistent – Desktops are based on a single master image and provisioned using Machine Creation Services or Provisioning Services. Users are allocated a virtual desktop on first access. Once assigned, users will always be connected to the same virtual desktop. Changes to the desktop are stored in a personal vDisk and retained between reboots. Desktops with a personal vDisk cannot be shared between multiple users; each user requires their own desktop. If high availability is required, the personal vDisk must be stored on shared storage.
• Remote PC – Physical desktops that have already been deployed. These desktops must be managed manually or with 3rd party desktop management tools.
• Streamed VHD – Desktops are based on a single master image.

Additional Resources:
Citrix Virtual Desktop Handbook 7.x - http://support.citrix.com/article/CTX139331

Key Notes:
The previous few slides presented the architecture using a layer-by-layer approach.
The next few slides will target specific components from all of those layers and
group them together.
This grouping is used to present the basic concepts in one of 4 Flow Processes:
• Connection
• Authentication
• Enumeration
• Session Launch

Additional Resources:
XenDesktop Connection Process and Communication Flow -
http://support.citrix.com/article/CTX128909
Citrix Virtual Desktop Handbook 7.x Page 34 -
http://support.citrix.com/article/CTX139331
Technical Overview -
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview.html#par_anchortitle_2039


Key Notes:
Authentication is the process in which user identity is verified.
There are two methods for authentication with StoreFront:
• Direct: StoreFront validates credentials against Active Directory. Direct
authentication is the default behavior of StoreFront.
• XML service-based authentication: StoreFront passes credentials to
Delivery Controller, which validates credentials against Active Directory.
Both methods are acceptable, and may simply be a choice of preference.
However, some companies don’t have the choice. For example, if the StoreFront
server is not in the same domain as XenApp and XenDesktop, or if it is not possible
to put an Active Directory trust in place, then the only method you can configure is to
require the Delivery Controller to authenticate to Active Directory on behalf of
StoreFront.
• In order to support this, you have to delegate authentication to the XML
server using PowerShell.

Additional Resources:
Configuring XML Service based authentication -
http://docs.citrix.com/en-us/storefront/3-8/configure-authentication-and-delegation/xml-authentication.html
Configure authentication and delegation:
http://docs.citrix.com/en-us/storefront/3-8/configure-authentication-and-delegation.html

Key Notes:
The authentication type for a user group is often determined based on security
requirements as well as the authentication point used.
To start a XenApp or XenDesktop session, the user connects either via Citrix
Receiver, which is installed on the user's device, or via Receiver for Web (RFW).
Within Receiver, the user selects the physical or virtual desktop or virtual application
that is needed.
The user's credentials move through this pathway to access the Controller, which
determines what resources are needed by communicating with a Broker Service. It
is recommended that administrators put an SSL certificate on StoreFront to encrypt
the credentials coming from Receiver.

Additional Resources:
XenDesktop Connection Process and Communication Flow -
http://support.citrix.com/article/CTX128909
Citrix Virtual Desktop Handbook 7.x Page 34 -
http://support.citrix.com/article/CTX139331
Technical Overview -
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview.html#par_anchortitle_2039


Key Notes:
The Broker Service determines which desktops and applications the user is allowed
to access.
Once the credentials are verified, the information about available apps or desktops
is sent back to the user through the StoreFront-Receiver pathway. When the user
selects applications or desktops from this list, that information goes back down the
pathway to the Controller, which determines the proper VDA to host the specific
applications or desktop.

Additional Resources:
XenDesktop Connection Process and Communication Flow -
http://support.citrix.com/article/CTX128909
Technical Overview -
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview.html#par_anchortitle_2039


Key Notes:
When the user selects applications or desktops from this list, that information goes
back down the pathway to the Controller, which determines the proper VDA to host
the specific applications or desktop.
The Controller sends a message to the VDA with the user's credentials and sends
all the data about the user and the connection to the VDA. The VDA accepts the
connection and sends the information back through the same pathways all the way
to Receiver. Receiver bundles up all the information that has been generated in the
session to create an Independent Computing Architecture (ICA) file on the user's
device if Receiver is installed locally, or on RFW if accessed through the web. As
long as the Site was properly set up, the credentials remain encrypted throughout
this process.
The ICA file is copied to the user's device and establishes a direct connection
between the device and the ICA stack running on the VDA. This connection
bypasses the management infrastructure: Receiver, StoreFront, and Controller.
The connection between Receiver and the VDA uses the Citrix Gateway Protocol
(CGP). If a connection is lost, the Session Reliability feature enables the user to
reconnect to the VDA rather than having to re-launch through the management
infrastructure. Session Reliability can be enabled or disabled in Studio.
Once the client connects to the VDA, the VDA notifies the Controller that the user is
logged on, and the Controller sends this information to the Site database and starts
logging data in the Monitoring database.

Additional Resources:
XenDesktop Connection Process and Communication Flow -
http://support.citrix.com/article/CTX128909
Technical Overview -
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview.html#par_anchortitle_2039

Key Notes:
In this diagram, the differences between IMA and FMA are apparent. For example,
under IMA architecture, each worker was responsible for obtaining the license file.
In FMA architecture, this is now centralized and the Delivery Controller checks out
the licenses.
This provides greater flexibility in segmenting the network and also means that the
redirection of the license cache on non-persistent machines is no longer needed.

Additional Resources:
XenDesktop Connection Process and Communication Flow -
http://support.citrix.com/article/CTX128909


Key Notes:
Direct: StoreFront validates credentials against Active Directory.
XML service-based authentication: StoreFront passes credentials to Delivery
Controller, which validates credentials against Active Directory. This is the method
depicted in the diagram (explicit credentials).
What software should be installed on an endpoint device to enable user access to
their applications and desktops?
• Citrix Receiver


Key Notes:
The Layered Approach Methodology was created by Citrix Consulting to provide a
standardized approach for assessments, designs and builds for Citrix
environments.
This approach is structured, organized and consistent, and can be flexibly adapted
for various scenarios.
Citrix recommends this approach because it helps to minimize the chance of
missing a component or requirement for consideration.
This approach is flexible because, as you can see above, users/user groups can
have different or shared access to resources on one central compute layer.

User Layer – what are the user groups and their specific requirements?
• The top layer of the design methodology is the user layer, which is defined
for each unique user group.
• The user layer appropriately sets the overall direction for each user
group’s virtualized environment. This layer incorporates the assessment
criteria for business priorities and user group requirements in order to define
effective strategies for endpoints and Citrix Receiver. These design
decisions impact the flexibility and functionality for each user group.
Access Layer – how will users access their resources?
• The second layer of the design methodology is the access layer, which is
defined for each user group.
• Creating an appropriate design for the access layer is an important part of
the desktop virtualization process. This layer handles user validation
through authentication and orchestrates access to all components
necessary to establish a secure virtual desktop connection.
• The access layer design decisions are based on the mobility requirements
of each user group as well as the endpoint devices used.
Resource Layer – what is being delivered to users?
• The Resource Layer contains not only the desktops and applications provided
to the users, but also their data, such as user profiles, emails and documents,
and the policies granting or restricting use of features.
• The resource layer is the third layer of the design methodology and the final
layer focused specifically on the user groups.
• The overall user acceptance of the solution is defined by the decisions
made within the resource layer. Personalization, applications and overall
desktop image design play a pivotal role in how well the desktop is aligned
with the user group’s requirements, which were identified within the user
data capture and application data capture sections of the assess phase.
Control Layer – what are the components/configurations necessary to manage the
solution?
• The control layer is the fourth layer of the design methodology.
• All major design decisions made for all user groups in the upper three
layers are used as a whole to help design the control components of the
overall solution.
• The design decisions for each user group are met by incorporating the
correct control layer components, which include access controllers,
desktop controllers and infrastructure controllers.
• Determining capacity, configuration, topology and redundancy for the
respective components creates a control environment capable of supporting
the user requirements.
Compute Layer – what is needed to support the above layers?
• The hardware layer is responsible for the physical devices required to
support the entire solution including servers, processors, memory and
storage devices.
• This layer is broken into three groups focused on providing the necessary
resources for specific parts of the entire solution. One group of servers will
support the XenApp (shared) components (if applicable). A second group of
servers will support the XenDesktop (VDI) components (if applicable). A final
group of servers will support the underlying infrastructure for the entire
environment, which is identified as the Control Layer.

Key Notes:
User Layer – Receiver version, Receiver deployment method, endpoint devices,
peripherals, use cases, business priorities.
Access Layer – authentication point (StoreFront, NetScaler), authentication policy,
security point, resource presentation, access controllers.
Resource Layer – personalization (user profile solution, folder redirection, policies,
printing), applications, desktop image design (OS, delivery, resource allocation).
Control Layer – delivery controllers, infrastructure controllers, Active Directory,
databases, image controllers, licensing (Citrix and Microsoft).
Compute Layer – hardware or cloud deployment infrastructure required to support
solution (sizing), host configuration, CPU, RAM, storage, hypervisor, networking.
The following layers are defined for each user group: User, Access, and Resource
layers.


Key Notes:
In the 1990s and up to the mid-2000s, Citrix was typically deployed on hardware.
In the mid-2000s, the focus shifted towards virtual Citrix environments.
Today the focus is on cloud deployments, either full or hybrid.



Key Notes:
Citrix Workspace Cloud simplifies the management of virtual applications, desktops,
mobile devices, and data sharing with its cloud-based management platform. You
can choose whether you put your resources (hypervisors, VDAs, and StoreFront
servers, for example) on premises or in a private or public cloud.
The biggest drivers for moving to the cloud are flexibility, redundancy and scalability.
XenApp and XenDesktop support on-premises, hybrid cloud and full
cloud deployments.

Additional Resources:
Citrix Workspace Cloud Apps and Desktop Services for New Customers Reference
Architecture -
http://docs.citrix.com/content/dam/docs/en-us/workspace-cloud/downloads/workspace-cloud-apps-desktop-services-for-new-customers-reference-architecture.pdf


Key Notes:
This model offers complete control over every aspect of the deployment, including
choice of hardware manufacturer. It also comes with complete responsibility for
designing and operating security, climate control, backup, maintenance and
updates.
A typical on-premises configuration consists of one or more XD broker systems. For
customers looking to use Citrix Workspace Cloud and have Citrix host the XD
broker, consider the following needs:
• All current XD broker systems that are on premises need to use the “ListOfDDCs”
option for those VDAs to remain on premises. Otherwise, move the VDAs you want
to use with Workspace Cloud into a different OU and change the “ListOfDDCs”
option. Currently, there is no support for adding both an on-premises XD broker and
Workspace Cloud Connector system to the “ListOfDDCs” in the same OU.
• You need to configure one or more systems with Internet access to host the
Workspace Cloud Connector, which gets installed on these systems to host
multiple services.
• Workspace Cloud Connector requires Windows Server 2012 R2 or newer.
• Port 443 outbound is required to be open and used by the Workspace Cloud
Connector system. The Workspace Cloud Connector system will also support the use
of IE proxy settings configured for outbound connections. For proxy support, see
http://docs.citrix.com/en-us/workspace-cloud/what-is-a-workspace-cloud-connector-/workspace-cloud-connector-technical-details.html
The Workspace Cloud Connector enables access to:
• On premises Active Directory and provides Protocol Proxy for all STA\NFuse
connectivity.
• Other services such as XenMobile, ShareFile, Networking, Monitoring, and
Lifecycle Management, which can be added at a later time.
• The Workspace Cloud Connector supports multiple AD forests. Windows 2003 and
later are supported for AD forest.

Additional Resources:
Citrix Workspace Cloud Apps and Desktop Service with an on-Premises Resource
Reference Architecture -
http://docs.citrix.com/content/dam/docs/en-us/workspace-cloud/downloads/workspace-cloud-apps-desktop-service-on-premises-resource-reference-architecture.pdf

Key Notes:
Simplify cloud adoption:
• Ensure a smooth and secure transition when migrating environments to
the public cloud.
• Expand capacity quickly and with less capital cost.
Manage hybrid and multi-cloud environments:
• Leverage a common management plane across all Citrix environments.
• Use multiple disaster recovery locations or manage multiple sites and/or
clouds.
Speed time-to-value:
• Quickly establish new sites and offices.
• Rapidly set up test environments and proof-of-concepts.
Starting with version 7.11, Azure ARM is supported.

Additional Resources:
Citrix Cloud Overview - https://www.citrix.com/products/citrix-cloud/


Key Notes:
Explain that new versions of the software in use will automatically be provided for
Citrix-managed machines, while on-premises machines need to be maintained and
updated manually.
Choice - Host your apps and data on any cloud or virtualization platform as well as
across multiple locations.
Security - Citrix Cloud doesn’t handle your apps and data – you control where they
reside.
Experience - An intuitive admin experience keeps management simple, while
award-winning Citrix HDX technology delights end users.

Additional Resources:
Citrix Cloud Overview - https://www.citrix.com/products/citrix-cloud/


Additional Resources:
How to Prevent Browser-Borne Malware -
https://www.citrix.com/blogs/2016/07/19/how-to-prevent-browser-borne-malware/

Key Notes:
With years of successful project implementation experience, Citrix Consulting can
help you achieve the highest levels of efficiency, manageability and agility for all of
your strategic IT services – from enabling mobile workstyles to delivering cloud
services.

Additional Resources:
Consulting Service - https://www.citrix.com/support/consulting/


Key Notes:
First step: define the objectives and determine the business goals.
Develop roadmap and strategic plan to fulfill objectives.
Citrix Consulting can assist in the definition of the strategy that will help your
business take full advantage of these technologies, including solution development,
roadmap initiatives and strategic planning, hardware and storage estimation and
prioritization.

Additional Resources:
Consulting Service - https://www.citrix.com/support/consulting/


Key Notes:
After objectives are defined, assess the existing environment to understand
requirements.
Prioritize business objectives and work streams accordingly.
Determine use cases and requirements.
During the Assess phase, Citrix Consulting reviews your current environment,
identifies use cases and gathers detailed requirements for the project. This
information allows us to define the project success criteria and set the direction for
your proposed Citrix deployment, upgrade, or expansion.

Additional Resources:
Consulting Service - https://www.citrix.com/support/consulting/


Key Notes:
Design in accordance with leading practices and take into account environment
scalability, redundancy, and high availability.
The design phase defines the architecture and operational processes required to
implement and maintain the production environment that will satisfy your success
criteria. Topics such as environment scalability, redundancy and high availability are
addressed. Citrix Consulting will apply best practices for performance tuning to help
your environment perform at its best.

Additional Resources:
Consulting Service - https://www.citrix.com/support/consulting/


Key Notes:
Build the virtualization environment or integrate components/use cases into the
existing virtualization environment.
Integrate testing steps into the deploy stage to verify the build.
Stress the importance of having a completely separate test environment, where the
deployment can be tested prior to production implementation. However, it is still
important to integrate testing into the production build as well.
During the Deploy phase, Citrix Consulting creates and configures the environment
to meet the specifications from the Design phase. This includes supporting the
integration of any applications that have been identified in the design and
performing thorough testing of all infrastructure components. Citrix Consulting will
also guide you through a phased rollout approach to mitigate risk and ensure a
successful deployment.

Additional Resources:
Consulting Service - https://www.citrix.com/support/consulting/


Key Notes:
Implement monitoring processes and maintenance tasks to maintain and stabilize
the production environment.
For the long-term health of your Citrix environment, Citrix Consulting can be
engaged to perform the continued monitoring and administrative tasks in several
different capacities. With onsite and remote delivery capabilities, Citrix Consulting
has the experience to keep your environment stable and your users happy.

Additional Resources:
Consulting Service - https://www.citrix.com/support/consulting/


Key Notes:
Realize that the assess -> design -> deploy phases are iterative. For example,
these phases can be completed to roll out prioritized user groups to production first
(most impact to business and/or quick wins), and the administrator can then
begin the assess -> design -> deploy phases for the next user groups/FlexCast
models at a later point in time.



Key Notes:
Hypervisor is an optional component, as the environment could be entirely physical
if only using Remote PC or PVS in certain cases. If leveraging MCS, then a
hypervisor will be required.
• Deployments are also supported in Azure, Amazon Web Services (AWS)
and Citrix CloudPlatform.
Active Directory is required for XenApp and XenDesktop.
• Kerberos infrastructure ensures authentication of Delivery Controller
communication and time synchronization between servers.
• Time synchronization is particularly important for VDA registration.
Create a DHCP scope for VMs provisioned via PVS or MCS; DNS dynamic updates
are required for VMs that receive addresses dynamically via DHCP (including
provisioned VMs).
Infrastructure servers should be assigned static IP addresses.

Additional Resources:
Supported Hypervisors for XenDesktop and Provisioning Services:
http://support.citrix.com/article/CTX131239


Key Notes:
RDS licensing is required for hosted shared desktops and published apps, so
admins will need to verify that the number of RDS licenses is sufficient for the
Server OS workloads delivered.

Additional Resources:
Supported Databases for Citrix Products:
http://support.citrix.com/article/CTX114501


Key Notes:
When you create a Site, a corresponding Organizational Unit (OU) must be created
in Active Directory if you want desktops to discover the Controllers in the Site
through Active Directory. The OU can be created in any domain in the forest that
contains your computers. As best practice, the OU should also contain the
Controllers in the Site, but this is not enforced or required. A domain administrator
with appropriate privileges can create the OU as an empty container, then delegate
administrative authority over the OU to a Citrix administrator.
During normal operations, Controllers and VDAs need read rights to all objects in
the OU and below. VDAs access the OU as their own machine identity; that
machine identity needs at least read rights in the OU to be able to discover
Controllers. A Controller also needs the rights to set properties on its own SCP
object in the container.
Consider the following:
• Separate Citrix OUs to block inheritance for the Citrix OU and thereby
prevent other policies from affecting the Citrix environment.
• Separate infrastructure servers from resources delivered (VDAs) to
prevent VDA policies from affecting infrastructure servers.
• Further separate out VDAs according to OS, application set, delivery type,
etc. where necessary in order to apply more granular group policies to
specific machines based on their role in the environment:
• E.g. Optimization policies based on OS.
• E.g. Security restrictions for particular resources.
• If there is a separate AD infrastructure for the test environment, the test OU
in the production environment can be leveraged for user acceptance testing
(pre-production).
• If there is no separate AD infrastructure for the test environment, then the
test OU can be used to enable administrators to test policies without
affecting the production XenApp and XenDesktop deployment.
• The test OU should mimic the production OU as closely as possible.

Additional Resources:
Active Directory OU-based Controller discovery -
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-controller-intro/xad-controller-ou-dscvr.html

Key Notes:
DNS is a critical component in Microsoft Windows Domains and should be given
extra consideration to guarantee availability of the service.
Most Citrix components need name resolution to function properly. In particular, the
VDA registration process can fail if duplicate entries or stale records exist in DNS,
so consider enabling “aging and scavenging” on related DNS zones.
For added security, the HDX connection between Receiver and VDA can be
encrypted using SSL. This requires certificates to be present on VDAs, and since
certificates are normally issued to names rather than IP addresses, the “XML DNS
Address resolution” needs to be turned on.
A reverse DNS Lookup Zone might also be required, especially if the DNS
namespace differs from Active Directory Domain names.
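
One way to check a zone for the duplicate and stale records described above, as an added example that is not part of the course material. The record objects are constructed sample data, the function name Find-SuspectDnsRecord is hypothetical, and the 14-day threshold assumes the Windows DNS default no-refresh and refresh intervals of 7 days each.

```powershell
# Added example (not from the course material): flag DNS A records that can
# interfere with VDA registration. All records below are constructed samples.
# On a DNS server, objects of the same shape can be produced with:
#   Get-DnsServerResourceRecord -ZoneName <zone> -RRType A |
#     Select-Object HostName,
#       @{ n = 'IPv4Address'; e = { $_.RecordData.IPv4Address.IPAddressToString } },
#       Timestamp

function Find-SuspectDnsRecord {
    [CmdletBinding()]
    param(
        # Objects with HostName, IPv4Address and Timestamp ($null = static record).
        [Parameter(Mandatory)] [object[]] $Record,
        [datetime] $Now = (Get-Date),
        # Assumption: 7-day no-refresh + 7-day refresh interval (Windows DNS defaults).
        [int] $MaxAgeDays = 14
    )

    # One host name resolving to several addresses.
    foreach ($g in ($Record | Group-Object -Property HostName)) {
        $ips = @($g.Group.IPv4Address | Sort-Object -Unique)
        if ($ips.Count -gt 1) {
            [pscustomobject]@{ Issue = 'DuplicateName'; Key = $g.Name; Detail = $ips -join ', ' }
        }
    }

    # Several names on one address: usually a leftover record from a machine
    # that previously held the DHCP lease.
    foreach ($g in ($Record | Group-Object -Property IPv4Address)) {
        $names = @($g.Group.HostName | Sort-Object -Unique)
        if ($names.Count -gt 1) {
            [pscustomobject]@{ Issue = 'DuplicateAddress'; Key = $g.Name; Detail = $names -join ', ' }
        }
    }

    # Dynamic records that were not refreshed within the aging window.
    # Static records carry no timestamp and are never scavenged, so skip them.
    foreach ($r in $Record) {
        if ($null -ne $r.Timestamp) {
            $age = [math]::Floor(($Now - $r.Timestamp).TotalDays)
            if ($age -gt $MaxAgeDays) {
                [pscustomobject]@{
                    Issue  = 'Stale'
                    Key    = $r.HostName
                    Detail = "$($r.IPv4Address), last refreshed $age days ago"
                }
            }
        }
    }
}

# Constructed sample zone contents (host names and addresses are invented).
$now = [datetime]'2017-03-01T09:00:00'
$sample = @(
    [pscustomobject]@{ HostName = 'VDA-W10-001'; IPv4Address = '10.0.20.11'; Timestamp = $now.AddDays(-1) }
    [pscustomobject]@{ HostName = 'VDA-W10-002'; IPv4Address = '10.0.20.12'; Timestamp = $now.AddDays(-2) }
    [pscustomobject]@{ HostName = 'VDA-W10-007'; IPv4Address = '10.0.20.12'; Timestamp = $now.AddDays(-30) } # old lease holder
    [pscustomobject]@{ HostName = 'VDA-W10-003'; IPv4Address = '10.0.20.13'; Timestamp = $now.AddDays(-3) }
    [pscustomobject]@{ HostName = 'VDA-W10-003'; IPv4Address = '10.0.20.44'; Timestamp = $now.AddDays(-20) } # re-provisioned VM
    [pscustomobject]@{ HostName = 'DDC-01';      IPv4Address = '10.0.10.5';  Timestamp = $null }             # static record
)

Find-SuspectDnsRecord -Record $sample -Now $now | Format-Table -AutoSize
```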

Additional Resources:
XD Ping Tool - http://support.citrix.com/article/CTX123278
How to Enable DNS Address Resolution in XenDesktop -
http://support.citrix.com/article/CTX135250
Understanding Aging and Scavenging -
https://technet.microsoft.com/en-us/library/cc771677(v=ws.11).aspx


Key Notes:
DHCP is a service responsible for issuing unique IP addresses (and other
information like gateway servers, routing information, DNS server location etc.) to
devices within a local network. DHCP allocates these IP addresses from a
specified range of addresses for a limited time (before these addresses are either
returned to the pool or their return date is extended). Sometimes these ranges
(scopes) are not large enough, or allocated addresses are not returned fast
enough to be available to others.
The two main components that depend on DHCP are Machine Creation Services
(MCS) and Provisioning Services (PVS). While MCS will be covered in an upcoming
module, PVS is explained in a different course.
DHCP normally does not fall within the responsibilities of the Citrix Administration
Team, but it needs to be monitored and checked because of these dependencies.
Manually built servers often use static IP addresses.
DHCP as a central service can become a single point of failure if no high availability
solution is set up.
Many deployments install the role of DHCP server on their domain controllers.


Key Notes:
Leading practice: have a database service account for each Citrix product/each
purpose.
A proper password management procedure should be implemented for service
accounts.
Consider the following:
• Service accounts reduce impact if there is an issue with an individual
administrator’s account.
• Using service accounts increases security because it limits the privileges of
individual administrator accounts. If an account is compromised, then it will not
provide access to the entire environment. It is important to note that the service
account should not have domain admin privileges, in accordance with the
principle of least privilege.
• The service account permissions for the XA/XD SQL account are required
during the initial setup of the database, removing/adding controllers, and
updating database schema. During the initial setup, the correct security
roles are configured for the services (read, write, and execute only) for
runtime. The FMA services utilize the controller's AD machine account for
accessing SQL during runtime, so user accounts are not leveraged.
• Studio is the XenDesktop management console for students who may not
know.
• If you want to configure the database automatically during site creation through
Studio, then sysadmin privileges for the service account are required during
the initial configuration. However, these can be removed after the initial
setup/configuration if dictated by security. More specifics are covered during
Module 3.
• Exact permissions required for the hypervisor account vary according to
hypervisor. Refer to vSphere link below for vSphere permissions and
SCVMM link below for SCVMM permissions.

Additional Resources:
vSphere:
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/install-prepare/vmware.html
SCVMM:
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/install-prepare/msscvmm.html
Azure:
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/install-prepare/azure.html
ARM:
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/install-prepare/azure-resource-manager.html
st
ri bu
tio
n

Key Notes:
Consider:
• Avoid giving components that will eventually be moved into production names such as POC, test, etc. This avoids confusion and minimizes potential issues with changing names, or situations where the name cannot be changed.
• The naming convention should convey important information so that admins can quickly identify components (this helps streamline management).
• When creating a naming convention, take into account future expansion. Make sure the naming convention is something that can be built upon so that it can continue to be used if the environment grows.
Remember that renaming components can cause issues, so it is important to delineate naming conventions during the design phase.
You could include special characters (a hyphen or a dot) that can be used for filtering / tokenizing in scripts later, like “Site-Function-Name-Number”. If special characters cannot be used, a fixed number of characters and abbreviations can serve the same purpose, like “SitFunNamNum”.
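
The tokenizing idea above, as an added example that is not part of the course material: a Python sketch that splits names written in either form into their four fields and flags names that carry temporary markers such as POC or test. The three-character field width, the marker list and the sample names are assumptions constructed for illustration.

```python
"""Tokenize component names that follow a "Site-Function-Name-Number" convention."""
import re
from typing import NamedTuple, Optional

FIELD_COUNT = 4                                # Site, Function, Name, Number
FIXED_WIDTH = 3                                # assumption: 3 characters per field, as in "SitFunNamNum"
TEMP_MARKERS = {"POC", "TEST", "TMP", "DEMO"}  # assumption: tokens treated as temporary


class Component(NamedTuple):
    site: str
    function: str
    name: str
    number: str


def parse_name(raw: str) -> Optional[Component]:
    """Return the four fields of a name, or None if it does not follow the convention."""
    text = raw.strip()
    if re.search(r"[-.]", text):
        # Delimited form: a hyphen or a dot separates the fields.
        parts = re.split(r"[-.]", text)
        if len(parts) != FIELD_COUNT or not all(parts):
            return None
    elif len(text) == FIXED_WIDTH * FIELD_COUNT:
        # Fixed-width form: no delimiter, every field has the same length.
        parts = [text[i:i + FIXED_WIDTH] for i in range(0, len(text), FIXED_WIDTH)]
    else:
        return None
    if not parts[-1].isdigit():                # the last field is a sequence number
        return None
    return Component(*(p.upper() for p in parts))


def has_temp_marker(raw: str, comp: Optional[Component]) -> bool:
    """True if any token of the name is a temporary marker such as POC or TEST."""
    tokens = set(re.split(r"[-.]", raw.strip().upper()))
    if comp is not None:
        tokens.update(comp)                    # covers the fixed-width form
    return bool(tokens & TEMP_MARKERS)


def audit(names):
    """Sort names into parsed components, non-conforming names and temporary-marker hits."""
    report = {"ok": {}, "nonconforming": [], "temporary": []}
    for raw in names:
        comp = parse_name(raw)
        if comp is None:
            report["nonconforming"].append(raw)
        else:
            report["ok"][raw] = comp
        if has_temp_marker(raw, comp):
            report["temporary"].append(raw)
    return report


def by_function(report, function):
    """Filter conforming names by their Function field, as a script would."""
    return sorted(n for n, c in report["ok"].items() if c.function == function.upper())


# Constructed sample inventory (not names from the course lab)
SAMPLE_NAMES = [
    "NYC-SQL-SITEDB-001",
    "LON.STF.STORE.002",
    "NYCXDCBRK001",
    "NYC-POC-CTRL-001",
    "test-server",
    "NYC-SQL-SITEDB",
    "NYC-XDC-BRK-01A",
]

if __name__ == "__main__":
    result = audit(SAMPLE_NAMES)
    print("non-conforming:", result["nonconforming"])
    print("temporary markers:", result["temporary"])
    print("SQL components:", by_function(result, "sql"))
```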

Additional Resources:
Naming conventions in Active Directory for computers, domains, sites, and OUs - https://support.microsoft.com/en-us/kb/909264

Key Notes:
Configuring a XenApp or XenDesktop Site to use the Secure Sockets Layer (SSL) security protocol includes the following procedures: obtain, install, and register a server certificate on all Delivery Controllers, and configure a port with the SSL certificate. Optionally, you can change the ports the Controller uses to listen for HTTP and HTTPS traffic.

Additional Resources:
SSL - http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6-long-term-service-release/xad-security-article/xad-ssl.html

Key Notes:
The leading practice is to install certificates to secure communication for the connections (#1-3) outlined in the diagram.
Administrators should be aware that they may need to request these in advance or work with the security team beforehand so they can be provided with the certificates when needed for building.
Consider:
• If using the native Receiver to connect directly to StoreFront using the manual configuration of the StoreFront store or email-based account discovery, SSL encryption is required.
We will have several hands-on lab exercises in this course addressing certificates.

Key Notes:
This certificate is optional, but consider:
• It is recommended, in order to prevent XML data from being sent in clear text (passwords obfuscated).
• It is also less of a security risk because the components are typically on the internal network.

Additional Resources:
How to Enable SSL on XenDesktop 7.x Controllers to Secure XML Traffic: http://support.citrix.com/article/CTX200415

Key Notes:
Installing a certificate is not required for Hyper-V because XenDesktop leverages WCF to automatically secure communications.

Additional Resources:
Prepare the virtualization environment: VMware - http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/install-prepare/vmware.html
How to Use IIS to Acquire SSL Certificates for XenServer - http://support.citrix.com/article/CTX128617

Key Notes:
In some companies the Citrix Admin has no permissions to manage group policies.
It is a leading practice to separate all Citrix components into OUs underneath a common Citrix-OU.
• This OU can then be delegated for management to the Citrix Admin team.

Key Notes:
This is a succinct overview of the ports required for XenDesktop; the full list of required ports can be found in the article under Additional Resources.
You may need to work with your security or firewall team to determine how the ports will be opened (manually vs. automatically). These decisions should be made during the design phase to prevent impact to build timelines.
Port 1494 is for the HDX connection, whereas port 2598 is used if Session Reliability is enabled.
Whether port 80 or 443 is used depends on whether the communication has been secured.
VDA stands for Virtual Delivery Agent, and refers to the application and desktop resources being made available to users.
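
One way to turn the port notes above into a firewall review, as an added example that is not Citrix code: a Python sketch that derives the expected flows from two deployment settings and evaluates an ordered rule list against them. The rule format, the zone names, first-match/default-deny evaluation, treating 1494 as always required, and placing the 80/443 flow between StoreFront and the Controller are assumptions made for illustration.

```python
"""Review an ordered firewall rule list against the ports named in the notes above."""
from typing import NamedTuple

HDX, SESSION_RELIABILITY, HTTP, HTTPS = 1494, 2598, 80, 443


class Rule(NamedTuple):
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    port: int     # 0 means any port
    action: str   # "allow" or "deny"


def permitted(rules, src, dst, port):
    """First matching rule wins; no match means deny (assumed firewall behaviour)."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, 0):
            return r.action == "allow"
    return False


def expected_flows(session_reliability, secured):
    """Map each candidate flow to True (required) or False (should stay closed)."""
    return {
        ("clients", "vda", HDX): True,                       # assumption: always required
        ("clients", "vda", SESSION_RELIABILITY): session_reliability,
        ("storefront", "controller", HTTP): not secured,     # assumed zone pair
        ("storefront", "controller", HTTPS): secured,
    }


def review(rules, session_reliability, secured):
    """Return findings for required flows that are blocked and unneeded flows left open."""
    findings = []
    for (src, dst, port), needed in expected_flows(session_reliability, secured).items():
        is_open = permitted(rules, src, dst, port)
        if needed and not is_open:
            findings.append(("blocked-but-required", src, dst, port))
        elif is_open and not needed:
            findings.append(("open-but-not-required", src, dst, port))
    return findings


# Constructed rule set for illustration: HTTP was left open after securing the
# Controller, and the Session Reliability port was never opened.
SAMPLE_RULES = [
    Rule("clients", "vda", 1494, "allow"),
    Rule("storefront", "controller", 80, "allow"),
    Rule("storefront", "controller", 443, "allow"),
    Rule("any", "controller", 0, "deny"),
    Rule("clients", "vda", 2598, "deny"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_RULES, session_reliability=True, secured=True):
        print(finding)
```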

Additional Resources:
Communication Ports Used by Citrix Technologies -
http://support.citrix.com/article/CTX101810

Key Notes:
Keep all machines in your environment up to date with security patches. One advantage is that you can use thin clients as terminals, which simplifies this task.
Protect all machines in your environment with antivirus software.
Protect all machines in your environment with perimeter firewalls, including at enclave boundaries as appropriate.
If you are migrating a conventional environment to this release, you may need to reposition an existing perimeter firewall or add new perimeter firewalls. For example, suppose there is a perimeter firewall between a conventional client and database server in the data center. When this release is used, that perimeter firewall must instead be placed so that the virtual desktop and user device are on one side, and the database servers and Delivery Controllers in the data center are on the other side. You should therefore consider creating an enclave within your data center to contain the database servers and Controllers. You should also consider having protection between the user device and the virtual desktop.
All machines in your environment should be protected by a personal firewall. When you install core components and Virtual Delivery Agents (VDAs), you can choose to have the ports required for component and feature communication opened automatically if the Windows Firewall Service is detected (even if the firewall is not enabled). You can also choose to configure those firewall ports manually. If you use a different firewall, you must configure the firewall manually.

Additional Resources:
Security Best Practices - http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/best-practices.html

Key Notes:
Some XenApp and XenDesktop management tasks performed within Citrix Studio may require several different steps performed on the hypervisor (like creating machines). Such complex tasks are normally combined into a single workflow that Citrix Studio will track and monitor during execution.
Each hypervisor needs different commands to perform similar tasks. Using the abstraction layer from Citrix Studio, the three industry-standard hypervisors can be managed using common commands from the same GUI.
Hypervisors in this context can also be cloud vendors such as Azure and AWS.
Explain that, for the purpose of running VDAs, XenApp and XenDesktop do not require special abilities from the hypervisor.
While differences may exist in performance, cost, scalability or personal interest, the administrative team can freely choose amongst several hypervisors.

Key Notes:
Misconception: enterprise companies should use only shared storage.
• Reality: Enterprise XA\XD implementations are also using local storage.
• Local storage is typically cheaper and allows for decentralized execution, which makes it easier to guarantee a certain level of performance. Very large environments are aiming for centralized configuration and management with decentralized execution. Local storage based on SSD drives can outperform cheaper SAN and cost only a fraction.
• Requirements should be reviewed (as well as the existing infrastructure) and a storage solution should be selected based on those needs.
There are additional storage considerations when determining the supporting storage solution:
• RAID levels
• Disk type and tiered storage
• IOPS requirements
• Storage bandwidth
Consider: Local Storage versus Shared Storage:
• Local storage – stored on the machine and only accessible from a single machine.
• DAS – block-level storage sub-system directly attached to the server via cable.
• Shared storage – stored on a separate storage system that is accessible from multiple machines.
• NAS – file-level storage connected via Ethernet or network file sharing protocol.
• SAN – dedicated storage network for block-level storage connected via HBA.
For local storage, you will have to copy master images and updates to each server if using MCS (will be covered in a later module).
There is no one-size-fits-all solution; the choice of storage type depends on the design of the solution.

Additional Resources:
Connections and resources - http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/manage-deployment/connections.html#par_anchortitle_f4be
Information about connection types: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/manage-deployment/connections.html#par_anchortitle_ba4

Key Notes:
VLANs can reduce broadcast traffic, enhance security, and enable complex network configurations.

Key Notes:
There are different Citrix components that use databases for different purposes – each one may have different requirements for the version or features of its database.
In previous versions of XenApp and XenDesktop, the database required for XenApp and XenDesktop would be created as one database by the installer; after install the admin could split it into different databases to enhance performance or comply with backup/security guidelines.
With the later releases of the product the installer now suggests deploying 3 separate databases. It is still possible to deploy using a single database; however, this is not recommended. This will be covered in detail in a later module.

Additional Resources:
Supported Databases for XenApp and XenDesktop Components - http://support.citrix.com/article/CTX114501

Key Notes:
This table serves as a reference and ONLY contains data for the Site Database. The Monitoring and Logging databases are not included. Refer below to the XenDesktop 7.x Database Sizing guide for more information.
Most databases grow but normally do not shrink. So, it is best to plan ahead in terms of free space on the volume that the database resides on.
Log files, depending on the database setting, can fill up the disk of the database system if they are not truncated (which usually happens after a backup of the database).
Solid Microsoft SQL knowledge is recommended in order to change settings concerning the database server.

Additional Resources:
XenDesktop 7.x Database Sizing - http://support.citrix.com/article/CTX139508
Database Sizing Tool for XenDesktop 7 - http://support.citrix.com/article/CTX209080


Key Notes:
An Enterprise-level product license to XenServer is included with XenApp and XenDesktop, including unlimited CPU sockets (XenServer 6.5 onwards is licensed based on the number of CPU sockets, if bought separately).
Explain that the in-memory read caching feature is available only if XenApp or XenDesktop Platinum edition is licensed.

Additional Resources:
XenServer 7.0: Licensing FAQ - https://docs.citrix.com/content/dam/docs/en-us/xenserver/xenserver-7-0/downloads/xenserver-7-0-licensing-faq.pdf

Key Notes:
Microsoft licenses exist in many flavors, and a professional consultation on the different license models (OEM, Retail, Volume) and editions should be done during the conception phase.
A Key Management Server is a special role that can be added to most Microsoft Windows servers to serve the activation requests for other servers, but it requires a volume license model.

Additional Resources:
Windows Server 2012 R2 Licensing Datasheet: http://download.microsoft.com/download/F/3/9/F39124F7-0177-463C-8A08-582463F96C9D/Windows_Server_2012_R2_Licensing_Datasheet.pdf
Windows Server 2016 Licensing Datasheet: http://download.microsoft.com/download/7/2/9/7290EA05-DC56-4BED-9400-138C5701F174/WS2016LicensingDatasheet.pdf
Licensing brief: Licensing Windows Server 2012 R2 for use with virtualization technologies: https://www.microsoft.com/en-us/Licensing/learn-more/brief-windows-server-virtualization.aspx

Key Notes:
The VDA install on a Windows Server adds the role of Remote Desktop Services (RDS).
• An RDS server requires connecting to a separate Microsoft license server that needs to be activated, configured and holding appropriate RDS licenses to issue.
• Each client/user connection to an RDS host requires a separate license to be checked out from the RDS license server to connect.
• RDS licenses are based on client OR user.
• Mention that, as an additional benefit, the RDS license covers the use of App-V.
The VDA on a Windows Desktop OS does not require contact with the RDS license server.

Additional Resources:
RDS Licensing Configuration on Windows Server 2012 - https://blogs.technet.microsoft.com/askperf/2013/09/20/rd-licensing-configuration-on-windows-server-2012/
Remote Desktop Services Client Access Licenses (RDS CALs) - https://technet.microsoft.com/en-us/library/cc753650(v=ws.11).aspx
Specify a License Server for an RD Session Host Server to Use - https://technet.microsoft.com/en-us/library/cc770585(v=ws.11).aspx

Key Notes:
When accessing Windows Server systems, the RDS license is used, while Client/Desktop systems require different licensing.
Depending on Software Assurance (a Microsoft license model) status, access to virtualized client systems may already be covered without the need to buy additional VDA licenses from Microsoft. The same can apply to existing Windows InTune licenses.

Additional Resources:
Using Microsoft VDI to Enable New Workstyles - https://channel9.msdn.com/series/using-microsoft-vdi-to-enable-new-workstyles/using-microsoft-vdi-to-enable-new-workstyles-07-microsoft-vdi-licensing

Key Notes:
Most software requires a license per device it is installed on (for example Microsoft Office).
Some software requires extra licensing to run on multi-user systems or prohibits concurrent use altogether.
Some software uses hardware components (dongle) to verify license compliance – which can pose problems in virtualized deployments.
Some software requires its own license server in the backend, but may fail if multiple users access the license server with the same IP (from the same system).
License requirements are mostly specific to the software, and license terms as well as technical aspects should be clarified before going into production.


Key Notes:
AppDNA 7.12 helps accelerate application migrations to Windows 10 and Windows Server 2016 by predicting potential issues and showing a clear path to application compatibility on the new operating system.
AppDNA can be used to analyze application DNA against an image from the specific OS family you are migrating from, and the one you are migrating to. The resulting analysis shows the effects of changes when applications are migrated between OS platforms.
AppDNA provides a set of default Operating System images for each relevant OS family. You can also import your own custom OS images.

Key Notes:
AppDNA is included with XenApp and XenDesktop Platinum edition.
AppDNA provides insight into the effect of application issues and proposed implementations on users, workgroups and devices, to help make more informed decisions about their environment.
AppDNA can help an organization complete application deployment or migration projects more quickly, saving enterprises time, labor and cost while reducing risk.
AppDNA application management software provides administrators with ongoing application evolution, long after platform migration has been completed. Administrators can use AppDNA to help reduce the risk of deploying new applications, patches and service packs to their enterprise infrastructure. Administrators can also automate application remediation and packaging processes to help manage ongoing change.
Customers have reported that using AppDNA cuts their application testing, remediation and migration time by as much as 90%.


Key Notes:
Application analysis is a dedicated SQL Server database process that combines all of the information AppDNA has about the application, analyzes it against each selected target technology, and generates the report data.
Import - When applications are imported they are analyzed by AppDNA and each application's files, registry entries, and API usage are exposed, revealing their application "DNA". This data is then loaded into the SQL Server database.
Analyze - When AppDNA starts the analysis process, it uses the reports that correspond to the platforms against which the application is being tested. AppDNA combines all of the information it has about the application portfolio and runs the report algorithms against the application DNA. It then produces and stores the reporting data.
Report - After the import and analysis process completes, AppDNA presents the results of the analysis in a set of report views. This information can then be used to help plan, fix, and test your application portfolio.

Additional Resources:
Importing Apps - https://docs.citrix.com/en-us/dna/7-12/importing-apps.html
Analyzing Apps - https://docs.citrix.com/en-us/dna/7-12/analyzing-apps.html
Reports - https://docs.citrix.com/en-us/dna/7-12/reporting.html

Key Notes:
RAG icons can sometimes display 2 outputs: one from the default AppDNA RAG (displayed on the lower right side of the icon), and one from an external data source (displayed on the upper left side). The external source is gathered from compatibility lists provided by Microsoft and other IT professionals.
Red output indicates that some substantial issues were found from the application analysis, and thus the application may experience severe limitations (or not work at all) within the new platform it was tested for.
Amber output indicates a stronger potential for application capability issues within the new platform it was tested for, and additional application testing may be required.
Green output indicates that the application is most likely to be fine within the new platform it was tested for. However, it does not mean all is perfect with a given application, and some minor issues could be encountered.

Key Notes:
The Overview Summary report view
• is a dashboard that provides a high-level view of the state of your application portfolio. For each of the selected applications, it shows the overall RAG (red, amber, green) status for each of the active reports. You can click the RAG icons to go to the Remediation report views for that application. These give the full details of the remediation required along with an MST fix where applicable.
The Estate View
• available for evaluation and trial installations only, provides a high-level overview of the consolidated status of the entire application portfolio for a target technology. This report is useful when you are evaluating AppDNA, because it does not rely on individual application licenses. The Estate View starts with a pie chart summary of the standard, custom, and after action RAG status of the applications in the portfolio. (AppDNA does not show the custom RAG pie chart if the custom RAGs are the same as the standard RAGs for all of the report's algorithms.)
The Application Issues report view
• provides a summary of the issues found in the selected applications. The view starts with pie chart summaries of the standard and custom RAG status of the items included in the report.
The Application Actions report view
• starts with a pie chart summary of the RAG status of the selected applications before and after the remediation actions.
The Issue View
• provides a breakdown of the number of applications that triggered each algorithm within the report. This view starts with a pie chart summary of the standard, custom, and after action RAG status of the applications included in the report. (AppDNA does not show the custom RAG pie chart if the custom RAGs are the same as the standard RAGs for all of the report's algorithms.) Below the pie charts there is a bar chart that shows the number of applications that have triggered one or more algorithms in each algorithm group. The number of applications is shown as a count and a percentage of the portfolio (which here means the applications included in the report).
The Action View
• provides a breakdown of the prevalence of the actions required to remediate the applications in your portfolio. This view starts with a pie chart summary of the standard, custom, and after action RAG status of the applications included in the report. (AppDNA does not show the custom RAG pie chart if the custom RAGs are the same as the standard RAGs for all of the report's algorithms.) Below the pie charts there is a bar chart that shows the number of applications that require each type of remediation. The number of applications is shown as a count and a percentage of the portfolio (which here means the applications included in the report).
Use the AppDNA Effort Calculator
• to estimate the time, cost, and effort associated with migrating a portfolio to a new platform – for example, that it will take five people six months and cost $500,000. Effort Calculator uses a number of variables that define, for example, the cost of a tester per day, the number of working hours in the day, and the time to test an application of a given complexity. You can configure the variables to reflect the specifics of your organization. AppDNA produces a detailed breakdown of the cost and how much time it will take to remediate the applications as well as the potential savings that AppDNA can provide.

Key Notes:
The Overview Summary report view is a dashboard that provides a high-level view of the state of your application portfolio. For each of the selected applications, it shows the overall RAG (red, amber, green) status for each of the active reports. You can click the RAG icons to go to the Remediation report views for that application. These give the full details of the remediation required along with an MST fix where applicable.

Additional Resources:
Understanding RAG Icons - https://docs.citrix.com/en-us/dna/7-12/reporting/rag-icons.html


Key Notes:
NYC-POC-PC1 is the virtual machine that is used as the endpoint device for our testing in this POC Deployment.
NYC-W10-MST is the virtual machine that is used as a Master for a Desktop OS Catalog.
NYC-DVDA-001 is the virtual machine that will be created in a Desktop OS Catalog.
NYC-DSGN-001 is a simulated (virtual) machine used to create a Remote PC Catalog.

Key Notes:
NYC-STF-001 is the virtual machine that is used to install the Citrix StoreFront component and host the Store for access to the XenApp and XenDesktop resources.
NYC-XDC-001 is the virtual machine that is used to install the Citrix XenApp and XenDesktop Delivery Controller component and, from this machine, create the Site.
NYC-AD-001 is the virtual machine that is a Domain Controller and hosts Active Directory for this environment.
NYC-SQL-001 is the virtual machine running Microsoft SQL and will be used to host the XenApp and XenDesktop Site Databases.
NYC-FSR-001 is the virtual machine that is a shared-roles server:
• Hosting the file shares used in the environment, such as User Profiles
• The location where the Citrix License Server is installed and configured
• The location where Citrix Director is installed and configured
• The Citrix Universal Print Server component
NYC-SVDA-MST is the virtual machine that is used as a Master for a Server OS Catalog.
NYC-SVDA-001 is the virtual machine that will be created in a Server OS Catalog.

Key Notes:
The VDA for Desktop OS will be installed on NYC-W10-MST as the final step in turning this machine into a Master for a Desktop OS Catalog.
The VDA for Desktop OS will be running on NYC-DVDA-001 because this machine will be created in a Desktop OS Catalog using NYC-W10-MST as the master.
The VDA for Server OS will be installed on NYC-SVDA-MST as the final step in turning this machine into a Master for a Server OS Catalog.
The VDA for Server OS will be running on NYC-SVDA-001 because this machine will be created in a Server OS Catalog using NYC-SVDA-MST as the master.
The VDA for Desktop OS will be installed on NYC-DSGN-001 as the final step in configuring a Remote PC Catalog.


Key Notes:
Which console do you use within the lab to power on VMs?
• The XenCenter console.

Additional Resources:
Create a XenApp and XenDesktop Site - http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/site-create.html


Key Notes:
User Licensing – the license is assigned to a user ID, so the user can launch their resources from multiple devices and consume only one license. The license is assigned to the user ID and cannot be re-assigned until 90 days of inactivity have lapsed.
Device Licensing – the license is assigned to a device ID, so multiple users can launch their resources from one device and consume only one license. The license is assigned to the device ID and cannot be re-assigned until 90 days of inactivity have lapsed.
• Use case: shared workstations in classrooms and hospitals.
Concurrent Licensing – a license is assigned to an anonymous user and is assigned to each established connection. On disconnection / logoff the license is returned to the pool and is available for another user.
It is the customer that chooses either (1) User/Device or (2) Concurrent when purchasing licenses; for User/Device, the License Server assigns either a user or a device license optimally based on usage.
XenDesktop – user/device or concurrent model is available.
XenApp – only concurrent model is available, except for Secure Browser edition (user/device).
You can release a license assigned to a user ID or device ID using the “udadmin” utility if a user or device is no longer part of a customer’s organization/environment.
License Overdraft feature – only available with user/device licensed deployments. It automatically provides 10% user/device overdraft licenses on allocation of licenses, so the customer can leverage those licenses if the number of licenses utilized exceeds the license count. You can see overdraft usage in Studio or the License Administration Console, but there are currently no alerts configured. Overdraft licenses are subject to the 90-day assignment period.
If you exceed the license count with concurrent licenses, there is a 15-day grace period.
Formula to determine the number of user/device licenses to buy:
• (Number of total users) – (number of users that only access via shared devices) + (number of shared devices) = total number of licenses to buy

Additional Resources:
FAQ: XenApp and XenDesktop 7.x Licensing - http://support.citrix.com/article/CTX128013

Key Notes:
Concurrent licenses are not tied to a specific user. When a user launches a product, the product requests the license and it is checked out to the specific computer or device that the user is using. When the user logs off or disconnects from the session, the license is checked back in and is available for another user.
Per user licenses: A licensed user requires a unique user ID, such as an Active Directory entry. When assigned to a user, the license allows the user to connect to their desktops and applications with multiple devices, such as a desktop computer, laptop, netbook, smartphone, or thin client. A licensed user can connect to multiple instances of a product concurrently. When users connect to an application or desktop, they consume a license for the 90-day license assignment period.
Per device licenses: A licensed device requires a unique device ID and is authorized for use by any individual to access instances of a product. Use this type of license for shared devices, such as in a classroom or hospital. It allows an unlimited number of users per device. When devices connect to an application or desktop, they consume a license for the 90-day license assignment period. The assignment period begins when a connection is made, is renewed to the full 90 days during the life of the connection, and expires (allowing reassignment) 90 days after the last connection terminates (logs off or disconnects).
Explain that for some companies it might be advisable to upgrade existing XenApp licenses to a XenDesktop edition just to benefit from the user/device licensing model available for XenDesktop.
Note that it does not matter which or how many VDAs a user is connecting to (sequentially or concurrently) as long as they use the same license server in the backend.

Additional Resources:
Types of Licenses - https://docs.citrix.com/en-us/licensing/11-12-1/lic-license-types.html

‹#› © 2017 Citrix Authorized Content


N
ot
fo
rr
es
al
e
or

Key Notes:
Always verify that the desired features are part of the edition of XenDesktop (XD) or
XenApp (XA) being deployed. Licensing restricts/enables available features.
The arrows indicate that all of the features in the preceding edition are also
available in the higher edition.
Some key features by product/edition:
• XenDesktop Platinum: AppDNA, SmartAccess, SCOM Bundle, Citrix
Connector for SCCM, Enhanced Director Monitoring.
• XenDesktop Enterprise: Remote PC, Linux Dedicated VDI Desktops, PVS
for Desktops and Servers, DesktopPlayer, support for 16-, 32-, 64-bit apps,
Microsoft App-V integration.
• XenDesktop VDI: VDI desktops, PVS available for all XD desktops (except
physical desktop).
• XenApp Platinum: AppDNA, SCOM Bundle, SmartAccess, PVS available
for all XenApp servers, Enhanced Director Monitoring, Citrix Connector for
SCCM.
• XenApp Enterprise: Linux hosted shared desktop, VM hosted apps, HDX
RealTime Optimization, PVS only for VM hosted app instances, Microsoft
System Center integration, and Hybrid cloud provisioning.
• XenApp Advanced: hosted shared desktops, Unified Communications
optimization, support for 16-, 32-, 64-bit apps, FIPS compliant, Microsoft
App-V integration.
One license server can contain licenses for multiple editions of a Citrix product. The
type of license checked out corresponds to the edition that is configured on the
product server. A product server is configured to consume an edition of a license and
therefore will check out that edition of a license.
For example:
• ProductServerA is configured to check out Enterprise licenses.
• ProductServerB is configured to check out Platinum licenses.
• LicenseServer1 contains both Enterprise and Platinum licenses.
• Users who connect to LicenseServer1 from ProductServerA will check out
Enterprise licenses only. Once the number of Enterprise licenses on
LicenseServer1 is exceeded, new requests from ProductServerA users
will be denied until existing Enterprise connection licenses are released.
• Users who connect to LicenseServer1 from ProductServerB will check out
Platinum licenses only. Once again, if the number of Platinum licenses on
LicenseServer1 is exceeded, new requests from ProductServerB users
will be denied until Platinum connection licenses are released.

Additional Resources:
XenApp and XenDesktop Features:
https://www.citrix.com/go/products/xendesktop/feature-matrix.html
Frequently Asked Questions for Licensing - http://docs.citrix.com/en-us/licensing/11-14/frequently-asked-questions.html

Key Notes:
XenDesktop offers two license models (concurrent / user-device) while XenApp
uses the concurrent model.
Server VDI refers to using Windows Server OS VDAs without Remote Desktop
Session host capability, as mere 1-user-1-server VDAs.
Linux Desktops are supported for RedHat and SUSE Distributions in multi-user
mode (much like Remote Desktop Session host) only.
The Citrix License Server manages the following features of XenDesktop: Delivery
Controller, Provisioning Services, on-demand application delivery, SCOM Bundle,
AppDNA, Session Recording, and enhanced Director monitoring.
The Citrix License Server manages the following features of XenApp: Delivery
Controller, Provisioning Services, on-demand application delivery, SCOM Bundle,
AppDNA, Session Recording, and enhanced Director monitoring.
Secure access (NetScaler Gateway), WAN optimization features (CloudBridge) and
Desktop Player are licensed individually because licenses can be deployed on an
integrated license server on the appliance or on a shared license server in a
datacenter.

Additional Resources:
XenApp and XenDesktop Features -
https://www.citrix.com/go/products/xendesktop/feature-matrix.html
FAQ: XenApp and XenDesktop 7.x Licensing -
http://support.citrix.com/article/CTX128013

Key Notes:
Leading practice: install/upgrade to the latest version of the license server when
implementing a new product, because new products typically need the latest license
server in order to correctly check out licenses. License servers are backwards
compatible. If the latest version is not being installed, then it is imperative to verify
the minimum supported version for the product.
Determine whether to use Citrix License Server for Windows or License Server
VPX. VPX does not offer the same functionality, so review the applicable features
prior to making a design decision.
Licensing components can either be installed on a separate, dedicated server or on
a server they share with another application. Alternatively, you can use a Web or
application server; however, the locations mentioned below are less resource
intensive. If you are running fewer than 50 servers or 10,000 licenses, you can
install the License Server on the same server as your product. You can monitor
CPU and Memory load using Performance Monitor to determine if you should
relocate the License Server to another system.

Additional Resources:
Licensing 11.13.1 Technical overview: http://docs.citrix.com/en-us/licensing/11-13-1/lic-architecture.html
Licensing 11.13.1 Get started: http://docs.citrix.com/en-us/licensing/11-13-1/lic-getting-started.html

Key Notes:
Citrix recommends that you upgrade the license server to the latest version when
you upgrade or install new Citrix products. New license servers are backward
compatible and work with older products and license files. New products often
require the newest license server to check out licenses correctly.
Citrix does not provide hotfixes for license server components and does not support
older license servers with newer products. The latest versions of the license server
often contain resolutions to issues appearing in earlier versions.
Citrix also recommends the following security considerations when you configure
your environment or use the Licensing Administration Console:
• Configure the license server environment so that only authorized
administrators on a trusted network are permitted to access the Licensing
Administration Console port. You achieve this with an appropriately
configured network or host-based firewall.
• When using the Licensing Administration Console, avoid visiting untrusted
websites or clicking on untrusted URLs.
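
One way to apply the first recommendation with the built-in Windows Firewall cmdlets, as an added example rather than Citrix's own tooling. It assumes the console listens on its default port 8082; the admin subnet, rule name and function name are placeholders.

```powershell
# Added example, not from the Citrix course material.
# Assumptions: console on its default port 8082; 10.10.50.0/24 is a constructed
# admin subnet; the rule name and function name are hypothetical.
#Requires -RunAsAdministrator

$ConsolePort = 8082
$AdminSubnet = '10.10.50.0/24'

function Find-BroadInboundRule {
    # Lists enabled inbound allow rules that open $Port over TCP to any remote
    # address. Rules that cover the port only through a range (for example
    # 8000-8100) are not expanded here and need a manual look.
    param([Parameter(Mandatory)][int]$Port)

    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule       = $_
            $portFilter = $rule | Get-NetFirewallPortFilter
            $addrFilter = $rule | Get-NetFirewallAddressFilter

            $protocolOk = $portFilter.Protocol -in 'TCP', 'Any'
            $portOk     = (@($portFilter.LocalPort) -contains "$Port") -or
                          (@($portFilter.LocalPort) -contains 'Any')
            $anyRemote  = @($addrFilter.RemoteAddress) -contains 'Any'

            if ($protocolOk -and $portOk -and $anyRemote) {
                [pscustomobject]@{
                    DisplayName   = $rule.DisplayName
                    Profile       = $rule.Profile
                    LocalPort     = $portFilter.LocalPort -join ','
                    RemoteAddress = $addrFilter.RemoteAddress -join ','
                }
            }
        }
}

# 1. Review which rules currently expose the console port to every source.
$broad = @(Find-BroadInboundRule -Port $ConsolePort)
$broad | Format-Table -AutoSize

# 2. Allow the console only from the admin subnet.
New-NetFirewallRule -DisplayName 'Citrix License Admin Console (admin subnet only)' `
    -Direction Inbound -Protocol TCP -LocalPort $ConsolePort `
    -RemoteAddress $AdminSubnet -Action Allow -Profile Domain | Out-Null

# 3. The broad rules from step 1 still admit everyone until they are scoped or
#    disabled. -WhatIf only previews the change; remove it after review. A rule
#    that also serves the licensing ports used by product servers should be
#    split into separate rules instead of being scoped to the admin subnet.
foreach ($r in $broad) {
    Set-NetFirewallRule -DisplayName $r.DisplayName -RemoteAddress $AdminSubnet -WhatIf
}
```

The new allow rule has no effect on its own while a broader rule for the same port remains enabled, which is why the review in step 1 comes first.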

Additional Resources:
Frequently Asked Questions for Licensing - https://docs.citrix.com/pt-br/licensing/11-13-1/lic-faq.html
Get started - http://docs.citrix.com/en-us/licensing/11-13-1/lic-getting-started.html


Key Notes:
Determine if you need to place a firewall between the license server and any
product servers. Citrix recommends that you determine if your products will
communicate with the license server through a firewall before installing licensing.
Where you install the license server can be impacted by firewall considerations.
Licensing installation sets several port numbers for communications. After
installation you can use the License Administration Console to change port
numbers.
• Console Web Server Port: The HTTPS TCP/IP port that the Web server
uses to listen for communication with clients connecting to the License
Administration Console. By default, the port is set to 8082. If you are
already using that port number for another application, you can change it
to any value between 1 and 65535. If you are upgrading, you will maintain
your previous configuration and might not get HTTPS by default. If you
change the port, you must stop and restart the Citrix Licensing service.
• License Server Manager Port: This port number is used by the license
server manager, which handles the initial communication between the
products, starts the vendor daemon, and relays check out and check in
requests to the vendor daemon. By default, this port number is 27000. Tip:
You can verify which port number is being used from the System Information
tab in the Administration area.
• Vendor Daemon Port: This port number is used by the Citrix vendor
daemon, which is responsible for the core operations of the license server,
including license allocation. By default, this port number is 7279; however,
you may need to change it if you have a firewall or if the number is already
in use.
• PowerShell: port 8083 is used to programmatically access the license
server from PowerShell, Studio and Director.
• You can verify which port number is being used from the Vendor Daemon
Configuration tab in the Administration area.

Additional Resources:
Technical Overview - https://docs.citrix.com/en-us/licensing/11-13-1/lic-architecture.html
Get started - http://docs.citrix.com/en-us/licensing/11-13-1/lic-getting-started.html
Change port numbers - http://docs.citrix.com/en-us/licensing/11-13-1/lic-lmadmin-overview/lic-lmadmin-ports-change.html

Key Notes:
The main service is “Citrix Licensing” (lmadmin.exe) which launches the vendor
daemon (citrix.exe).

Key Notes:
A customer’s license pool can be issued to a single file or split to multiple license
files.
• Each license file must be issued to the actual license server’s hostname.
Citrix stores the licenses & license files in a database system so they can be
downloaded again if needed.

Key Notes:
Remember that the License Administration Console is accessible using a browser
via port 8082 by default.
The default administrator with permissions to log in to the Administration page is the
account that performed the Citrix License Server installation.
The traffic to the License Administration Console can be secured manually using a
certificate (SSL), which is generally considered a leading practice since credentials
are exchanged over this connection.

Key Notes:
The thresholds for Warnings and Alerts can be configured on the administration
page; for example, when evaluation licenses or subscription advantage periods
expire.
An expired subscription advantage date does not invalidate the license, just the
option to use newer products/features.
The Dashboard page is accessible without authentication by default, but can be
made to require a logon first using a setting from the administration page.

Key Notes:
Users and groups can be added from Active Directory to delegate administration
permission to the license server. Only two permissions exist: “read only” and “full
administration”.
The thresholds for Warnings and Alerts can be configured on the administration
page; for example, when evaluation licenses or subscription advantage periods
expire.
The license import is essentially an upload of the license file to a specific directory
monitored by the license server.
The License Administration Console can use License Administration users, local
Windows users and groups, and Active Directory users and groups. The Citrix
Licensing Manager can use local Windows users and groups and Active Directory
users and groups. The License Administration Console manages them all. These
users are not connected to the computer's local users.
The Active Directory users and groups are part of an Active Directory/network
authentication system. To support Active Directory users and groups, the Windows
license server must be a member of a Microsoft Active Directory domain and must
be running the License Administration Console. Windows NT domains are not
supported.
You can view system information about the license server and the system running the
license server. Administration information is available by clicking the Administration
option in the top right corner of the License Administration Console, followed by the
System Information tab.

Additional Resources:
Configure console users - http://docs.citrix.com/en-us/licensing/11-13-1/lic-lmadmin-overview/lic-lmadmin-users.html
View System Info - http://docs.citrix.com/en-us/licensing/11-13-1/lic-lmadmin-overview/lic-lmadmin-systeminfo.html

Key Notes:
If multiple license files need to be applied (after restoring a license server etc.) it
might be easier to copy them to the license directory (“C:\Program Files
(x86)\Citrix\licensing\myfiles” by default) and trigger a reread of the licenses
manually by restarting the license server service.
Adding licenses, viewing licenses in use, and delegating permissions can also be
done from the Licensing node in Citrix Studio.
After you have imported your license files, they are administered by the Citrix
vendor daemon (CITRIX). The Citrix vendor daemon is responsible for the core
operations of the license server, such as tracking how many licenses are checked
out and who has them. The vendor daemon can manage all of your Citrix license
files and is fully backward compatible with any license files you have. Set properties
for the vendor daemon on the Vendor Daemon Configuration page of the console.
The Vendor Daemon Configuration page allows you to import license files, configure
the vendor daemon, and view logs about license activity. Only users with
Administrator privileges can view this page.

Additional Resources:
License Administration - http://docs.citrix.com/en-us/licensing/11-13-1/lic-lmadmin-overview/lic-lmadmin-vendor-daemon.html

Key Notes:
Will any license file function on every license server?
• No. The license file is allocated to the hostname of the license server.
• The hostname specified in the license file needs to be identical, including
capitalization (cApiTAlizaTiON), to the hostname of the license server (not FQDN).
• Some license files use newer attributes that cannot be interpreted by older
license server versions, so the newest license server should be used.

Key Notes:
Log files are stored in:
• C:\Program Files\Citrix\Licensing\LS\Logs on a 32-bit server
• C:\Program Files (x86)\Citrix\Licensing\LS\Logs on a 64-bit server
• C:\Program Files (x86)\Citrix\Licensing\WebServicesForLicensing\Logs on
a 64-bit server
• /opt/citrix/licensing/LS/logs for VPX

Additional Resources:
Logs - http://docs.citrix.com/en-us/licensing/11-13-1/lic-lmadmin-overview/lic-lmadmin-logging.html

Key Notes:
There are many different options to obtain the computer name / hostname of the
license server, including PowerShell (gci Env:\COMPUTERNAME) and several GUI and
registry related options. Be careful: the hostname within the license file is
matched case-sensitively against the hostname of the license server.
The license files are protected against manipulation by a checksum, so, to prevent
license file corruption, they should not be edited.

Key Notes:
Most license files contain multiple INCREMENT-blocks and the translation of the
“product_edition_licensemodel-tag” is given in several languages. The screenshot
has been modified for instructional purposes.

Key Notes:
nslookup.exe can be used to validate that the Delivery Controller can resolve the
hostname of the license server to a valid IP address.
netstat -bano can be used on the license server to find listening ports and their
corresponding processes.
It’s a good idea to check the Windows Firewall settings on the Delivery Controller
(outbound) and on the license server (inbound) as well as any external firewall
system that might be blocking traffic.
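
The same three checks scripted with built-in cmdlets, as an added example that is not part of the course material. It assumes the default licensing ports given in these notes and Windows Server 2012 R2 or later; the hostname `ctxlic01` and the function names are placeholders.

```powershell
# Added example, not from the Citrix course material.
# Assumptions: default ports from the course notes; 'ctxlic01' is a constructed
# hostname; function names are hypothetical. Test-NetConnection requires
# Windows Server 2012 R2 or later.

$DefaultLicensePorts = [ordered]@{
    'License Server Manager' = 27000
    'Vendor Daemon'          = 7279
    'Console Web Server'     = 8082
    'PowerShell interface'   = 8083
}

function Test-LicenseServerPath {
    # Run on the Delivery Controller: name resolution first (the nslookup step),
    # then one TCP connect per licensing port (the firewall step).
    param(
        [Parameter(Mandatory)][string]$LicenseServer,
        [System.Collections.IDictionary]$Ports = $DefaultLicensePorts
    )

    try {
        $addresses = @(Resolve-DnsName -Name $LicenseServer -ErrorAction Stop |
            Where-Object { $_.IPAddress } |
            ForEach-Object { $_.IPAddress })
    } catch {
        Write-Warning "Cannot resolve '$LicenseServer': $($_.Exception.Message)"
        return
    }
    if ($addresses.Count -eq 0) {
        Write-Warning "'$LicenseServer' resolved, but returned no A/AAAA record."
        return
    }

    foreach ($entry in $Ports.GetEnumerator()) {
        $probe = Test-NetConnection -ComputerName $LicenseServer -Port $entry.Value `
            -WarningAction SilentlyContinue
        [pscustomobject]@{
            Service   = $entry.Key
            Port      = $entry.Value
            Address   = $probe.RemoteAddress
            Reachable = $probe.TcpTestSucceeded
        }
    }
}

function Get-LicenseListener {
    # Run on the license server: which process owns each listening licensing
    # port (the netstat -bano step).
    param([int[]]$Port = @(27000, 7279, 8082, 8083))

    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $Port } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                Process      = $proc.ProcessName
            }
        }
}

# On the Delivery Controller. Name resolution succeeding while 27000 or 7279
# shows Reachable = False points at a firewall or a stopped service. 8082 may
# be closed to the controller on purpose when the console is restricted to
# administrator hosts.
Test-LicenseServerPath -LicenseServer 'ctxlic01' | Format-Table -AutoSize

# On the license server. A port in the list that is missing from the output
# has no listener behind it.
Get-LicenseListener | Sort-Object LocalPort | Format-Table -AutoSize
```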


Key Notes:
On a Delivery Controller the PowerShell cmdlet “Get-BrokerSite” returns the
currently configured license server and product edition & license model. The
PowerShell cmdlet “Test-BrokerLicenseServer” can be used to check accessibility
and compatibility of a license server.
The Citrix product documentation specifies the required version of the license
server; it is considered a leading practice to use the latest license server
whenever possible.

Key Notes:
Scenario: The administrator imported the license file using the License
Administration Console. Switching to the Dashboard Page does not show the new
licenses. What should the administrator do?
• Reboot the license server (might conflict with shared use of the license
server or monitoring systems causing alerts).
• Restart the “Citrix Licensing” service (might also conflict with monitoring
systems).
• Logon to the administration page of the License server Administration
Console and click “Vendor Daemon Configuration”. Then click the Vendor
Daemon named “Citrix” and click the button labeled “Reread license files”.

Key Notes:
Unless otherwise noted, the component installer deploys software prerequisites
automatically (such as .NET and C++ packages) if they are not detected on the
machine. The Citrix installation media also contains some of this prerequisite
software.
The installation media contains several third-party components. Before using the
Citrix software, check for security updates from the third party, and install them.
The disk space values are estimates only, and are in addition to space needed for
the product image, operating system, and other software.
Standard, Enterprise and Datacenter editions are supported where applicable.

Additional Resources:
System Requirements - http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/system-requirements.html#par_anchortitle_42d4
Install using the command line – http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/install-command.html

Key Notes:
The Delivery Controller is the core component of a XenApp and XenDesktop
deployment; describe the functions it performs.
The Delivery Controller only manages the power state of the machines for
virtualized environments, as it needs to communicate with the hypervisor.
In a deployment, the Delivery Controller is the server-side component that is
responsible for managing user access, plus brokering and optimizing connections.
Controllers also provide the Machine Creation Services that create desktop and
server images.
A Site must have at least one Delivery Controller. After you install the initial
Controller and create a Site, you can add additional Controllers. There are two
primary benefits from having more than one Controller in a Site.
• Redundancy — As best practice, a production Site should always have at
least two Controllers on different physical servers. If one Controller fails,
the others can manage connections and administer the Site.
• Scalability — As Site activity grows, so does CPU utilization on the
Controller and SQL Server database activity. Additional Controllers provide
the ability to handle more users and more applications and desktop
requests, and can improve overall responsiveness.
Supported operating systems:
• Windows Server 2016, Standard and Datacenter Editions
• Windows Server 2012 R2, Standard and Datacenter Editions
• Windows Server 2012, Standard and Datacenter Editions
• Windows Server 2008 R2 SP1, Standard, Enterprise, and Datacenter
Editions
Requirements:
• Disk space: 100 MB. Connection leasing (which is enabled by default) and
Local Host Cache (not enabled by default) add to this requirement; sizing
depends on the number of users, applications, and mode (RDS or VDI). For
example, 100,000 RDS users with 100 recently-used applications require
approximately 3 GB of space for connection leases; deployments with more
applications may require more space. For dedicated VDI desktops, 40,000
desktops require at least 400-500 MB. In any instance, providing several
GBs of additional space is suggested.
• Microsoft .NET Framework 3.5.1 (Windows Server 2008 R2 only).
• Microsoft .NET Framework 4.5.2, 4.6, 4.6.1
• Windows PowerShell 2.0 (included with Windows Server 2008 R2) or 3.0
(included with Windows Server 2012 R2 and Windows Server 2012).
• Visual C++ 2005, 2008 SP1, and 2010 Redistributable packages.

Additional Resources:
Delivery Controller environment - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/manage-deployment/delivery-controllers.html
System Requirements - http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/system-requirements.html#par_anchortitle_42d4

Key Notes:
The Delivery Controller is comprised of FMA 20 services that are responsible for
authenticating users, querying for a user’s assigned apps/desktops, brokering
connections between end users and their resources, optimizing and load-balancing
the connections, and communicating with hypervisor to determine and manage the
power state of the desktops.
These FMA Services (Controller) are – Broker Service, Machine Creation Service,
Configuration Service, AD Identity Service, Hosting Service, Delegated
Administration Service, Monitoring Service, Environment Test Service, Configuration
Logging Service, Analytics Service, App Library, Configuration Synchronizer
Service, High Availability Service, Orchestration Service, Remote Broker Provider,
Telemetry Service, Trust Service, StoreFront Privileged Service and StoreFront
Service.
Each of these services has an independent connection to the site database.
Whether the administrator selects XenApp or XenDesktop during the installation
process for the Delivery Controller, the same binaries are installed, because
XenApp and XenDesktop now share an architecture, FlexCast Management
Architecture (FMA). The licenses purchased restrict the FlexCast methods and
features that can be leveraged.
Leading practice: install the Delivery Controller role on a dedicated server so that
resources are not dedicated to other tasks, as this could impact brokering times,
thereby decreasing performance/end user experience.
• This minimizes the risk of a scenario where the other role of server causes a
failure, which could cause end users to be unable to access their resources.
• This installation will also install Studio (unless deselected), which is the
management console for XenApp and XenDesktop deployments, on the
Delivery Controller.

Key Notes:
Supported Microsoft SQL Server versions for the Site Configuration Database
(which initially includes the Configuration Logging Database and the Monitoring
Database):
• SQL Server 2016, Express, Standard, and Enterprise Editions.
• SQL Server 2014 through SP2, Express, Standard, and Enterprise
Editions.
• SQL Server 2012 through SP3, Express, Standard, and Enterprise
Editions. By default, SQL Server 2012 SP1 Express is installed when
installing the Controller, if an existing supported SQL Server installation is
not detected.
• SQL Server 2008 R2 SP2 and SP3, Express, Standard, Enterprise, and
Datacenter Editions.
The following database features are supported (except for SQL Server Express,
which supports only standalone mode):
• SQL Server Clustered Instances
• SQL Server Mirroring
• SQL Server AlwaysOn Availability Groups
• Windows authentication is required for connections between the Controller
and the SQL Server database.

Additional Resources:
Database - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/system-requirements.html#par_anchortitle_384a

Key Notes:
Site is the name given to a XenApp and XenDesktop deployment that can be
managed as a single architectural entity.
Typically maps to a datacenter/geographical location, but not necessarily.
After install, the first Delivery Controller can then create a Site.
A Site is the name you give to a product deployment. It comprises the Delivery
Controllers and the other core components, VDAs, virtual resource connections (if
used), plus the Machine Catalogs and Delivery Groups you create and manage. A
Site does not necessarily correspond to a geographical location, although it can.
You create the Site after you install the components and before creating Machine
Catalogs and Delivery Groups.
Site creation includes creating the Site Configuration databases. Make sure the
SQL Server software is installed before you create a Site.

Additional Resources:
Create a site - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/site-create.html

Key Notes:
If required, explain FMA stands for the FlexCast Management Architecture, which is
the architecture of XenApp and XenDesktop 7.x.
Data for the Site from the FMA services is stored in the site databases – explain this
is part of the SQL server requirement covered in Module 2.
Leveraging the Delivery Controller’s computer AD account for authentication to SQL
enhances security by preventing the service account password from being stored
and by having the machine password change every 30 days.
If you chose during Controller installation to have the default SQL Server Express
database installed, some information is already provided. If you use a database
server that is installed on a different server, enter the database server and name

Additional Resources:
Create a site - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/site-create.html

Key Notes:
There are two options for configuring the connection to the databases during Site
creation to address the fact that not every database team will allow Citrix
administrators to have elevated rights to the SQL server.
• Option 1: the user account requires sysadmin privileges to enable Studio to
create the databases automatically. The elevated SQL permissions are not
required during runtime, and can be removed after
installation/configuration if required by the security team.
• Option 2: in cases where the security team prohibits the service account from
having elevated SQL privileges, during Site creation you can click Generate
database script and provide the scripts to the SQL team/appropriate
contact to create the databases manually (generates two scripts – the second
one is for a mirrored database instance). Create the databases, make
sure that the collation is correct, and run the script with SQLCMD. After the
databases are created, select Test Connection to validate that the Delivery
Controller can connect to them.
If you do not have permission to edit the SQL databases, use the Generate
database script option. The scripts must be run before you can finish creating the
Site.

Additional Resources:
Create a site - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/site-create.html

Key Notes:
Site Database stores the running Site configuration, plus the current session state and connection information.
Configuration Logging Database stores information about Site configuration changes and administrative activities. This database is used when the Configuration Logging feature is enabled.
The Monitoring Database is used by Director, a monitoring tool included with XenApp and XenDesktop that displays metrics regarding sessions and enables admins/help desk to perform basic troubleshooting steps (end processes, reset profile, etc.).

Additional Resources:
Manage Configuration Logging - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/monitor/configuration-logging.html


Key Notes:
XenApp and XenDesktop 7.12 introduces a feature called Local Host Cache. This feature allows users to continue to launch and run most resources even during a database failure. However, it is still recommended to have SQL fault tolerance in place for production environments.
The failure impact is different for each database. The Site database is the most critical, as its failure can cause a production outage because users would not be able to start new sessions to access their resources (connection leasing mitigates some of the impact, but certain new sessions cannot be launched).
• Logging/Monitoring – primarily affects administrative activities, and does not have an immediate/direct impact on production users.
Citrix recommends that you back up the databases regularly so that you can restore from the backup if the database server fails. In addition, there are several high availability solutions to consider for ensuring automatic failover:
• SQL Mirroring — This is the recommended solution. Mirroring the database makes sure that, should you lose the active database server, the automatic failover process happens in a matter of seconds, so that users are generally unaffected. This method, however, is more expensive than other solutions because full SQL Server licenses are required on each database server; you cannot use SQL Server Express edition for a mirrored environment.
• Using the hypervisor's high availability features — With this method, you deploy the database as a virtual machine and use your hypervisor's high availability features. This solution is less expensive than mirroring as it uses your existing hypervisor software and you can also use SQL Express. However, the automatic failover process is slower, as it can take time for a new machine to start for the database, which may interrupt the service to users.
• SQL Clustering — The Microsoft SQL clustering technology can be used to automatically allow one server to take over the tasks and responsibilities of another server that has failed. However, setting up this solution is more complicated, and the automatic failover process is typically slower than with alternatives such as SQL Mirroring.
• AlwaysOn Availability Groups is an enterprise-level high-availability and disaster recovery solution introduced in SQL Server 2012 to enable you to maximize availability for one or more user databases. AlwaysOn Availability Groups requires that the SQL Server instances reside on Windows Server Failover Clustering (WSFC) nodes.

Additional Resources:
High availability - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview/databases.html

Key Notes:
With the release of 7.12 we have two options to support a Site during a database outage: Local Host Cache and Connection Leasing. These two solutions cannot be used at the same time.
To enable Local Host Cache, enter: Set-BrokerSite -LocalHostCacheEnabled $true -ConnectionLeasingEnabled $false; this cmdlet also disables the connection leasing feature. Do not enable both Local Host Cache and Connection Leasing.
Local Host Cache retains a copy of the site data in a local SQLExpress on every Delivery Controller and relies on this data during a database outage, to continuously support VDA registrations and session brokering requests.
Connection Leasing was a feature released with 7.6 and is enabled by default. To disable it, run the PowerShell command: Set-BrokerSite -ConnectionLeasingEnabled $false.
Connection Leasing retains the local data in an XML file while periodically updating the Site database with information for synchronization amongst Delivery Controllers.
Delivery Controllers check for new leases every 10 seconds and sync that information into the XML file, if a new lease exists.
The lease expiration period can be changed via PowerShell or the registry, but you need to factor in increased storage requirements for longer time periods.
With connection leasing, a Controller will cache user connections to resources to its local disk (default location: C:\Program Data\Citrix\Broker\Cache), and the lease generated for the connection is valid for 2 weeks.
It is still a best practice to require a highly available SQL solution, as Connection Leasing has limitations.

Additional Resources:
FAQ: Connection Leasing in XenApp and XenDesktop 7.6: http://support.citrix.com/article/CTX205169

Key Notes:
What is unavailable or changes during an outage:
• You cannot use Studio or run PowerShell cmdlets.
• Hypervisor credentials cannot be obtained from the Host Service. All machines are in the unknown power state, and no power operations can be issued. However, VMs on the host that are powered-on can be used for connection requests.
• Machines with VDAs in pooled Delivery Groups that are configured with "Shut down after use" are placed into maintenance mode.
• Anonymous session launch requests are rejected.
• An assigned machine can be used only if the assignment occurred during normal operations. New assignments cannot be made during an outage.
• Automatic enrollment and configuration of Remote PC Access machines is not possible. However, machines that were enrolled and configured during normal operation are usable.
• Server-hosted applications and desktop users may use more sessions than their configured session limits, if the resources are in different zones.
New install: After a new XenApp or XenDesktop installation, Local Host Cache is disabled and Connection Leasing is enabled by default.
Upgrade: The number of VDAs in a Site affects the default Local Host Cache setting after an upgrade. The Connection Leasing setting does not change because of the upgrade.
If your Site has fewer than 5,000 VDAs:
• Local Host Cache is enabled if Connection Leasing was disabled before the upgrade. Connection Leasing remains disabled.
• Local Host Cache is disabled if Connection Leasing was enabled before the upgrade. Connection Leasing remains enabled.
If your Site has 5,000 or more VDAs:
• Local Host Cache is disabled (regardless of the Connection Leasing setting), and Connection Leasing retains the same setting it had before the upgrade.

Additional Resources:
Local Host Cache: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/manage-deployment/local-host-cache.html
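
The rule that Local Host Cache and Connection Leasing must not both be enabled, and the install/upgrade defaults listed above, can be audited with a short script. This is an added example, not Citrix code or part of the course material; the function names and the sample Site object are hypothetical and constructed for illustration.

```powershell
# Added example, not Citrix code. Get-ExpectedLhcDefault and
# Test-OutageModeSettings are hypothetical helper names.

function Get-ExpectedLhcDefault {
    # Default outage-mode settings as stated in the notes above.
    param(
        [Parameter(Mandatory)] [ValidateSet('NewInstall', 'Upgrade')] [string] $Scenario,
        [int]  $VdaCount = 0,                    # only used for upgrades
        [bool] $ConnectionLeasingBefore = $true  # setting before the upgrade
    )
    if ($Scenario -eq 'NewInstall') {
        return [pscustomobject]@{ LocalHostCacheEnabled = $false; ConnectionLeasingEnabled = $true }
    }
    # Upgrade: Connection Leasing keeps its old value. Local Host Cache is only
    # switched on below 5,000 VDAs and only if Connection Leasing was already off.
    $lhc = ($VdaCount -lt 5000) -and (-not $ConnectionLeasingBefore)
    [pscustomobject]@{ LocalHostCacheEnabled = $lhc; ConnectionLeasingEnabled = $ConnectionLeasingBefore }
}

function Test-OutageModeSettings {
    # $Site: any object exposing LocalHostCacheEnabled and ConnectionLeasingEnabled,
    # for example the output of Get-BrokerSite on a Delivery Controller.
    param(
        [Parameter(Mandatory)] $Site,
        $Expected = $null
    )
    $issues = @()
    if ($Site.LocalHostCacheEnabled -and $Site.ConnectionLeasingEnabled) {
        $issues += 'Both Local Host Cache and Connection Leasing are enabled. ' +
                   'Run: Set-BrokerSite -LocalHostCacheEnabled $true -ConnectionLeasingEnabled $false'
    }
    if ((-not $Site.LocalHostCacheEnabled) -and (-not $Site.ConnectionLeasingEnabled)) {
        $issues += 'Neither feature is enabled; a Site database outage will block new sessions.'
    }
    if ($null -ne $Expected) {
        # Report drift from the documented default so the change can be reviewed.
        foreach ($name in 'LocalHostCacheEnabled', 'ConnectionLeasingEnabled') {
            if ([bool]$Site.$name -ne [bool]$Expected.$name) {
                $issues += "$name is $($Site.$name); the default for this Site would be $($Expected.$name)."
            }
        }
    }
    $issues
}

# Constructed sample: Site upgraded with 1,200 VDAs, Connection Leasing was off
# before the upgrade, but it was switched back on afterwards.
$expected = Get-ExpectedLhcDefault -Scenario Upgrade -VdaCount 1200 -ConnectionLeasingBefore $false
$actual   = [pscustomobject]@{ LocalHostCacheEnabled = $true; ConnectionLeasingEnabled = $true }
Test-OutageModeSettings -Site $actual -Expected $expected

# On a Delivery Controller with the Broker snap-in loaded, audit the live Site:
# Test-OutageModeSettings -Site (Get-BrokerSite)
```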

Key Notes:
The principal broker (Citrix Broker Service) on a Controller accepts connection requests from StoreFront, and communicates with the Site database to connect users with VDAs that are registered with the Controller.
A check is made every two minutes to determine whether changes have been made to the principal broker's configuration. Those changes could have been initiated by PowerShell/Studio actions (such as changing a Delivery Group property) or system actions (such as machine assignments).
If a change has been made since the last check, the principal broker uses the Citrix Config Synchronizer Service (CSS) to synchronize (copy) information to a secondary broker (Citrix High Availability Service) on the Controller. All broker configuration data is copied, not just items that have changed since the previous check. The secondary broker imports the data into a Microsoft SQL Server Express LocalDB database on the Controller. The CSS ensures that the information in the secondary broker's LocalDB database matches the information in the Site database. The LocalDB database is re-created each time synchronization occurs.
If no changes have occurred since the last check, no data is copied.
To ensure that the Site database is always available, Citrix recommends starting with a fault-tolerant SQL Server deployment by following high availability best practices from Microsoft. However, network issues and interruptions may prevent Delivery Controllers from accessing the database, resulting in users not being able to connect to their applications or desktop.
The Local Host Cache feature supplements the SQL Server high availability best practices by enabling users to connect and reconnect to their applications and assigned desktops, even when the Site database is not available.

Additional Resources:
Local Host Cache: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/manage-deployment/local-host-cache.html
Fault tolerance: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview/databases.html

Key Notes:
When an outage begins:
The principal broker can no longer communicate with the Site database, and stops listening for StoreFront and VDA information (marked X in the graphic). The principal broker then instructs the secondary broker (High Availability Service) to start listening for and processing connection requests (marked with a red dashed line in the graphic).
When the outage begins, the secondary broker has no current VDA registration data, but as soon as a VDA communicates with it, a re-registration process is triggered. During that process, the secondary broker also gets current session information about that VDA.
While the secondary broker is handling connections, the principal broker continues to monitor the connection to the Site database. When the connection is restored, the principal broker instructs the secondary broker to stop listening for connection information, and the principal broker resumes brokering operations. The next time a VDA communicates with the principal broker, a re-registration process is triggered. The secondary broker removes any remaining VDA registrations from the previous outage, and resumes updating the LocalDB database with configuration changes received from the CSS.
In the unlikely event that an outage begins during a synchronization, the current import is discarded and the last known configuration is used.
Among its other tasks, the CSS routinely provides the secondary broker with information about all Controllers in the zone. (If your deployment does not contain multiple zones, this action affects all Controllers in the Site.) Having that information, each secondary broker knows about all peer secondary brokers.
The secondary brokers communicate with each other on a separate channel. They use an alphabetical list of FQDN names of the machines they're running on to determine (elect) which secondary broker will be in charge of brokering operations in the zone if an outage occurs. During the outage, all VDAs re-register with the elected secondary broker. The non-elected secondary brokers in the zone will actively reject incoming connection and VDA registration requests.
If an elected secondary broker fails during an outage, another secondary broker is elected to take over, and VDAs will re-register with the newly-elected secondary broker.

Additional Resources:
Local Host Cache: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/manage-deployment/local-host-cache.html

Key Notes:
Communication flow between Delivery Controllers, resource with VDA installed, and endpoint device.
The VDA is the intermediary between the Delivery Controller and the user’s device (Receiver, specifically), as the Delivery Controller will send information regarding the connection to the VDA, and the VDA will send the information to Receiver.
Note that delivered resources may be referred to as VDA or the VDA machine going forward.
VDA is an agent that is installed on machines running Windows Server or Windows desktop operating systems that allows these machines and the resources they host to be made available to users. The VDA-installed machines running Windows Server OS allow the machine to host multiple connections for multiple users and are connected to users on one of the following ports:
• TCP port 80 or port 443 if SSL is enabled
• TCP port 2598, if Citrix Gateway Protocol (CGP) is enabled, which enables session reliability
• TCP port 1494 if CGP is disabled or if the user is connecting with a legacy client

Additional Resources:
Technical overview - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview.html

Key Notes:
The VDA software is required to be installed on each resource (virtual or physical) that will be delivered to users; otherwise the Delivery Controller cannot communicate with or direct connections to the resource. If a VDA does not register, it cannot be used.
Desktop Service: Handles the registration process and the communication with the Controller. Also handles the exchange of pre-logon ticket data and user credentials during the authentication verification process.
PortICA Service: Handles accepting the initial connection and locking the workstation. Also manages the communication with the display manager for Thinwire display mode changes and manages the communication with the Desktop Service.
On a Server OS we do not utilize PortICA but leverage the RDS subsystem instead.


Key Notes:
The configuration options are in order of priority and the Delivery Controller checks each applicable location for the options in order until it locates the Delivery Controller.

Key Notes:
If a VDA fails to register with the Delivery Controller, the Delivery Controller is unable to broker any connection to this resource.
• In other words, if the VDA on a machine fails, then none of the resources on that machine can be accessed.
VDA registration failure is the most common issue in XenApp and XenDesktop deployments, therefore it is important to note some basic troubleshooting steps:
• Make sure that the VDA is attempting to register with the correct controller (spelling, etc.).
• Verify that the firewall is not blocking the registration communication by telnetting over the registration port (Delivery Controller -> VDA and VDA -> Delivery Controller).
• Compare time between the Controllers and the VDAs (max acceptable difference is 5 minutes).
• Check the domain membership of the VDA and test removing and rejoining the VDA to the domain.
• Check forward DNS lookups for Delivery Controllers and VDAs. Reverse DNS lookups are only required in specific scenarios with multiple trusted forests.
• Inspect the VDA’s computer account to verify that the servicePrincipalName attribute includes the computer’s fully qualified domain name.
• If the virtual machine has multiple network adapters, you can also test disabling additional network adapters (do not disable the adapter used to communicate with the Controller).

Additional Resources:
Virtual Desktop Agent Registration with Controllers in XenDesktop: http://support.citrix.com/article/CTX126992
Virtual Delivery Agent (VDA) Registration Troubleshooting Tips and Flowchart: http://support.citrix.com/article/CTX136668
Troubleshooting XenDesktop brokering process: https://www.citrix.com/blogs/2012/07/23/troubleshooting-xendesktop-brokering-process-2/
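
The troubleshooting steps listed above can be scripted so that every VDA is checked the same way. This is an added example, not Citrix code or part of the course material; the function names are hypothetical, the host names in the sample are constructed, and the registration port default of 80 is an assumption to override if the port was changed.

```powershell
# Added example, not Citrix code. Run on the VDA. Function names are hypothetical.

function Get-VdaRegistrationFacts {
    # Collects the facts the checklist asks about. Only the VDA -> Controller
    # direction is tested here; repeat the port test from the Controller side.
    param(
        [Parameter(Mandatory)] [string[]] $ControllerFqdn,
        [int] $RegistrationPort = 80   # assumed default; pass the custom port if changed
    )
    $vdaFqdn = "$env:COMPUTERNAME.$((Get-CimInstance Win32_ComputerSystem).Domain)"

    $controllers = foreach ($c in $ControllerFqdn) {
        $resolves = $true
        try { [void][System.Net.Dns]::GetHostAddresses($c) } catch { $resolves = $false }
        $portOpen = $false
        $skew = $null
        if ($resolves) {
            $portOpen = (Test-NetConnection -ComputerName $c -Port $RegistrationPort `
                         -WarningAction SilentlyContinue).TcpTestSucceeded
            # Clock offset in seconds, parsed from the last w32tm sample line
            $line = w32tm /stripchart /computer:$c /samples:1 /dataonly | Select-Object -Last 1
            if ($line -match '([+-]\d+\.\d+)s') { $skew = [math]::Abs([double]$Matches[1]) }
        }
        [pscustomobject]@{ Name = $c; Resolves = $resolves; PortOpen = $portOpen; SkewSeconds = $skew }
    }

    $vdaResolves = $true
    try { [void][System.Net.Dns]::GetHostAddresses($vdaFqdn) } catch { $vdaResolves = $false }
    $channelOk = $false
    try { $channelOk = Test-ComputerSecureChannel -ErrorAction Stop } catch { $channelOk = $false }

    # servicePrincipalName values of this computer account, read over LDAP
    $result = ([adsisearcher]"(&(objectCategory=computer)(name=$env:COMPUTERNAME))").FindOne()
    $spns = if ($result) { @($result.Properties['serviceprincipalname']) } else { @() }

    [pscustomobject]@{
        VdaFqdn         = $vdaFqdn
        VdaResolves     = $vdaResolves
        SecureChannelOk = $channelOk
        Spns            = $spns
        ActiveAdapters  = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }).Count
        Controllers     = @($controllers)
    }
}

function Test-VdaRegistrationFacts {
    # Pure evaluation of collected facts; returns one string per finding.
    param([Parameter(Mandatory)] $Facts, [int] $MaxSkewSeconds = 300)  # 5 minutes
    $findings = @()
    foreach ($c in $Facts.Controllers) {
        if (-not $c.Resolves) {
            $findings += "DNS: $($c.Name) does not resolve; check the spelling and the forward lookup."
            continue
        }
        if (-not $c.PortOpen) { $findings += "Firewall: registration port is not reachable on $($c.Name)." }
        if ($null -eq $c.SkewSeconds) {
            $findings += "Time: offset to $($c.Name) could not be measured."
        } elseif ($c.SkewSeconds -gt $MaxSkewSeconds) {
            $findings += "Time: offset to $($c.Name) is $($c.SkewSeconds) s, above $MaxSkewSeconds s."
        }
    }
    if (-not $Facts.VdaResolves)     { $findings += "DNS: $($Facts.VdaFqdn) does not resolve." }
    if (-not $Facts.SecureChannelOk) { $findings += 'Domain: secure channel to the domain is broken.' }
    # Host part of each SPN (after the service class, without any port suffix)
    $spnHosts = $Facts.Spns | ForEach-Object { (($_ -split '/')[1]) -replace ':\d+$' }
    if ($spnHosts -notcontains $Facts.VdaFqdn) {
        $findings += "SPN: no servicePrincipalName entry contains $($Facts.VdaFqdn)."
    }
    if ($Facts.ActiveAdapters -gt 1) {
        $findings += "Network: $($Facts.ActiveAdapters) active adapters; test with the extra ones disabled."
    }
    $findings
}

# Constructed sample facts (not from a real Site): second Controller is
# firewalled and about 7 minutes off, and the VDA has two active adapters.
$sample = [pscustomobject]@{
    VdaFqdn = 'vda01.corp.example'; VdaResolves = $true; SecureChannelOk = $true
    Spns = @('HOST/VDA01', 'HOST/vda01.corp.example'); ActiveAdapters = 2
    Controllers = @(
        [pscustomobject]@{ Name = 'ddc01.corp.example'; Resolves = $true; PortOpen = $true;  SkewSeconds = 0.4 },
        [pscustomobject]@{ Name = 'ddc02.corp.example'; Resolves = $true; PortOpen = $false; SkewSeconds = 421.0 }
    )
}
Test-VdaRegistrationFacts -Facts $sample

# Live use on a VDA:
# Test-VdaRegistrationFacts -Facts (Get-VdaRegistrationFacts -ControllerFqdn 'ddc01.corp.example')
```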

Key Notes:
This port can be changed to a custom port if needed.
This can be done either through a Citrix computer policy using the “control registration port” setting or through the command line using Program Files\Citrix\Broker\Service\BrokerService.exe /VDAPort <port>

Additional Resources:
Change VDA Registration port - https://support.citrix.com/article/CTX130002


Key Notes:
The machine type maps to the different FlexCast delivery methods described in Module 1 (e.g. Windows Server OS could be for hosted shared desktops and/or Server OS published apps).
All VMs in a catalog will have the same VDA version and the same apps/desktops. Typically, there is a master image that is used to create all VMs in a machine catalog.
The existing machines option is for machines that have already been prepared using a non-Citrix technology.
Since machine catalogs can span hypervisor hosts, it is important to make sure that, where applicable, master images are accessible from all hosts.
During machine catalog creation, you will also specify:
• (1) power management of machines (power managed only permitted if a hypervisor or cloud connection has already been configured)
• (2) desktop experience if you select Desktop OS as machine type (connect to same or random desktop). If users will connect to the same desktop, select if changes will persist.
For catalogs containing physical machines or existing machines, select or import existing accounts and assign each machine to both an Active Directory computer account and to a user account.
For machines created with Provisioning Services, computer accounts for target devices are managed differently; see the Provisioning Services documentation.

Additional Resources:
Create a machine catalog - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/machine-catalogs-create.html

Key Notes:
Windows Server OS and Windows Desktop OS can serve as Master Image for a catalog, but each catalog can only be based on one image at a time.
Depending on the catalog type, it is possible to update all machines from time to time in order to reflect changes done to a Master Image (like updates, added/removed applications).
The amount of generalization necessary depends on the application being deployed. While some applications do not require any modification, other applications might need custom settings to avoid conflicts caused by identical settings.
If you will use Citrix tools (Machine Creation Services or Provisioning Services) to create VMs for your deployment, prepare a master image or template on your host hypervisor. Then, create the machine catalog.
Make sure the host has sufficient processors, memory, and storage to accommodate the number of machines you will create.
The master image contains the operating system, non-virtualized applications, VDA, and other software. VMs are created in a machine catalog, based on a master image you created earlier and specify when you create the catalog.

Additional Resources:
Create a machine catalog - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/machine-catalogs-create.html


Key Notes:
The only necessary differences are usually settings that would otherwise lead to a conflict (like name, AD computer account, SID and IP Address). Machine Creation Services and Provisioning Services take care of this; the Master Image does not need to be “sysprepped”.
If you are using Provisioning Services or Machine Creation Services, do not run Sysprep on master images.
Master image is also known as clone image, golden image, or base image.
When using Provisioning Services, you can use a master image or a physical computer as the master target device.
Update a master image to apply changes to all the desktops and applications in a machine catalog that were created with that master image. Managing common aspects through a single master image lets you deploy system-wide changes such as Windows updates or configuration changes to a large number of machines quickly.

Additional Resources:
Create a machine catalog - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/machine-catalogs-create.html
Manage Machine catalogs - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/machine-catalogs-manage.html


Key Notes:
Remote PC Access allows an end user to log on remotely from virtually anywhere to the physical Windows PC in the office. The Virtual Delivery Agent (VDA) is installed on the office PC; it registers with the Delivery Controller and manages the HDX connection between the PC and the end user client devices. Remote PC Access supports a self-service model; after you set up the whitelist of machines that users are permitted to access, those users can join their office PCs to a Site themselves, without administrator intervention. The Citrix Receiver running on their client device enables access to the applications and data on the office PC from the Remote PC Access desktop session.
Remote PC Access is a feature of XenDesktop and can be used as an interim stage during migration of physical office PCs to virtual machines.
Remote PC Access can be a solution for employees to access their documents and applications during roadblocks, quarantine or bad weather.

Additional Resources:
Create a machine catalog - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/machine-catalogs-create.html
Remote PC Access - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/remote-pc-access.html


Key Notes:
The value in Remote PC is the access by the HDX protocol.
The following XenDesktop features are not supported for Remote PC Access deployments:
• Creating master images and virtual machines
• Delivering hosted applications
• Personal vDisks
• Client folder redirection

Additional Resources:
Remote Access Design Guide - https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/remote-access-to-enterprise-pc-xendesktop-75-desktop-guide.pdf (this content is based on 7.5 but the design guidelines are still relevant)
Remote PC Access - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/remote-pc-access.html


Key Notes:
A Delivery group is a collection of machines selected from one or more machine catalogs. The Delivery group specifies which users can use those machines, and the applications available to those users.
A machine can only be in one delivery group.
The Desktops and applications option for delivery type is not available with static Desktop OS desktops.
Leading practice: assign Active Directory groups (rather than individual AD accounts) to delivery groups because it can be easier to add a user to the appropriate AD groups to gain access to the necessary resources when onboarding a user to the environment. This can also reduce the operational complexity involved with removing user access.
For Delivery Groups containing Server OS machines, you can select a check box that will allow users to access applications and desktops without presenting credentials to StoreFront or Citrix Receiver. For example, when users access applications through kiosks, the application might require credentials, but the Citrix access portal and tools do not. An Anonymous Users Group is created when you install the VDA.

Additional Resources:
Delivery Groups - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/delivery-groups-create.html


Key Notes:
A list displays the applications that were discovered on a machine created from the master image, a template in the machine catalog, or on the App-V management server. Choose one or more applications to add to the Delivery group.
You can also add (create) applications manually. You’ll need to provide the path to the executable, working directory, optional command line arguments, and display names for administrators and users.
There are more options for publishing applications that can be accessed by clicking Application properties, including command line parameters, application names, and limiting the visibility of apps. You can also change the application folder that the application is displayed in by clicking Change under the Place the selected application in folder title. More detail regarding this will be discussed in a later module.
Application Groups will be covered in Module 7.
Application Groups let you manage collections of applications. You can create Application Groups for applications shared across different Delivery Groups or used by a subset of users within Delivery Groups. Application Groups are optional; they offer an alternative to adding the same applications to multiple Delivery Groups. Delivery Groups can be associated with more than one Application Group, and an Application Group can be associated with more than one Delivery Group.

Additional Resources:
Delivery Groups - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/delivery-groups-create.html

Key Notes:
Select a Machine Catalog and specify the number of machines you want to use
from the catalog.
• At least one machine must remain unused in the selected Machine
Catalog.
• A Machine Catalog can be specified in more than one Delivery Group;
however, a machine can be used in only one Delivery Group.
• A Delivery Group can use more than one Machine Catalog; however, those
catalogs must contain the same machine types (Server OS, Desktop OS,
or Remote PC Access). In other words, you cannot mix machine types in a
Delivery Group or in a Machine Catalog.
• Similarly, you cannot create a Delivery Group containing Desktop OS
machines from a Machine Catalog configured for static desktops and
machines from a Machine Catalog configured for random desktops.
• Each machine in a Remote PC Access machine catalog is automatically
associated with a Delivery Group.
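
The catalog rules above can be checked before a Delivery Group is created. The following is an added example, not part of the course material or of any Citrix tooling: it models the rules over a constructed inventory, and every catalog, machine and group name in it is made up. It treats a catalog as selectable only while it still has unused machines, which is this example's reading of the first rule.

```python
from dataclasses import dataclass, field


@dataclass
class Catalog:
    name: str
    machine_type: str   # "Server OS", "Desktop OS" or "Remote PC Access"
    allocation: str     # "static" or "random"
    # machine name -> Delivery Group it belongs to, or None while unused
    machines: dict = field(default_factory=dict)

    def unused(self):
        return [m for m, group in self.machines.items() if group is None]


def sample_catalogs():
    """Constructed inventory; every name here is made up for the example."""
    return {
        "Win10-Random": Catalog("Win10-Random", "Desktop OS", "random",
                                {"VDI-01": None, "VDI-02": None,
                                 "VDI-03": "HR-Desktops"}),
        "Win10-Static": Catalog("Win10-Static", "Desktop OS", "static",
                                {"DEV-01": None, "DEV-02": None}),
        "RDS-2016": Catalog("RDS-2016", "Server OS", "random",
                            {"SRV-01": None, "SRV-02": None}),
    }


def validate_delivery_group(requests, catalogs):
    """requests maps catalog name -> machines wanted. Returns rule violations."""
    errors, chosen = [], []
    for cat_name, wanted in requests.items():
        cat = catalogs.get(cat_name)
        if cat is None:
            errors.append(f"{cat_name}: no such Machine Catalog")
            continue
        chosen.append(cat)
        free = len(cat.unused())
        if wanted < 1:
            errors.append(f"{cat_name}: request at least one machine")
        elif free == 0:
            # A machine can be used in only one Delivery Group, so a catalog
            # whose machines are all taken has nothing left to offer.
            errors.append(f"{cat_name}: no unused machine left")
        elif wanted > free:
            errors.append(f"{cat_name}: {wanted} requested, only {free} unused")
    # All catalogs in one Delivery Group must hold the same machine type.
    types = sorted({c.machine_type for c in chosen})
    if len(types) > 1:
        errors.append("mixed machine types: " + ", ".join(types))
    # Desktop OS catalogs for static and random desktops cannot be combined.
    modes = {c.allocation for c in chosen if c.machine_type == "Desktop OS"}
    if len(modes) > 1:
        errors.append("static and random Desktop OS catalogs cannot be combined")
    return errors


def create_delivery_group(name, requests, catalogs):
    """Assign unused machines to the group if, and only if, the rules hold."""
    errors = validate_delivery_group(requests, catalogs)
    if errors:
        raise ValueError("; ".join(errors))
    members = []
    for cat_name, wanted in requests.items():
        for machine in catalogs[cat_name].unused()[:wanted]:
            catalogs[cat_name].machines[machine] = name
            members.append(machine)
    return members


def groups_using(catalog):
    """A catalog may serve several Delivery Groups; list them."""
    return sorted({g for g in catalog.machines.values() if g is not None})


if __name__ == "__main__":
    cats = sample_catalogs()
    print(validate_delivery_group({"Win10-Random": 1, "RDS-2016": 1}, cats))
    print(create_delivery_group("Sales-Desktops", {"Win10-Random": 2}, cats))
    print(groups_using(cats["Win10-Random"]))
```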

Application Groups are optional; they offer an alternative to adding the same
applications to multiple Delivery Groups. Delivery Groups can be associated with
more than one Application Group, and an Application Group can be associated with
more than one Delivery Group. Application Groups will be covered in detail in Module
7.

Additional Resources:
Delivery Groups - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/delivery-groups-create.html

Key Notes:
The VDA needs to be installed on the resource so that it can register with the
Delivery Controller and accept user connections.
A machine catalog needs to be created and the machines added so that the resources
are defined and are ready to be allocated.
A delivery group needs to be created and desktops added/users assigned so that users
have permission to access the resources.

Key Notes:
Machine Creation Services is a very simple way of enabling single image
management.
MCS will allow you to create a number of unique machines from one single master
machine by utilizing storage level cloning and a number of mechanisms that will
individualize these machines after cloning.

Key Notes:
Provisioning Services is a little more complex to install and configure.
It will, like MCS, allow you to deploy a number of VDAs all from a single image.
PVS is typically for larger and more complex environments.
• Remember our deployment in this course for WW Labs addresses a simpler
Proof of Concept.
• The focus of our deployment is MCS.
Provisioning Services is an optional component of XenApp and XenDesktop
available with some editions. It provides an alternative to MCS for provisioning
virtual machines. Whereas MCS creates copies of a master image, Provisioning
Services streams the master image to the user device. Provisioning Services doesn’t
require a hypervisor to do this, so you can use it to host physical machines. When
Provisioning Services is included in a Site, it communicates with the Controller to
provide users with resources.

Additional Resources:
Concepts and components - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview.html#par_anchortitle_a32c

Key Notes:
There are two Citrix technologies for provisioning virtual machines that will be
discussed in this module.
This course only covers MCS in depth.

Key Notes:
A vDisk consists of a VHD base image file, a properties file (.pvp), and may also
contain a chain of referenced VHD differencing disks (.avhd). Every time a vDisk is
updated using the Provisioning Services versioning method, a new differencing disk
file is created.
You can manually adjust the automatic resizing algorithm that determines the size of
the VHD relative to the P: drive, by setting the initial size of the VHD. This can be
useful if, for example, you know users will install a number of applications that are
too big to fit on the VHD even after it is resized by the algorithm. In this case, you
can increase the initial size of the application space to accommodate the
user-installed applications.
Note that the machines that the PVS server streams the vDisk to are referred to as
target devices.
Brief PVS Explanation:
• Administrator creates a master VM that contains the OS, applications, and
other configurations desired.
• The OS/applications are then captured to a vDisk via the Imaging Wizard.
• The vDisk is stored in a vDisk store to which the PVS server has access.
• The PVS server streams the vDisk to the target devices (typically virtual
machines), streaming only the bits and bytes necessary for the machine’s
operation.
• The vDisk provides the OS for the machine (represented in the diagram by
the fact that the vDisk provides the C:\ contents for the target device).
• Because the vDisk is in read-only mode when available to multiple devices,
it is necessary for each target device to have a write cache that handles the
writes for the machine (represented in this diagram by a disk attached to the
target device).

Additional Resources:
PVS 7.11 overview - http://docs.citrix.com/en-us/provisioning/7-11/overview.html

Key Notes:
In previous versions it was easier to choose between MCS and PVS, but the feature
gap is much smaller today.
MCS does not require administrators to build out additional infrastructure or to learn
another product, decreasing time and build requirements.
MCS provides administrators with a quick way to deploy multiple VMs from a single
shared image, decreasing time to production rollout.
MCS has added RAM based caching to put performance on par with PVS.
MCS can now utilize full clones to accommodate backup and storage replication of
virtual machines.
PVS has a unique versioning feature that allows for fast and easy update and roll
back of updates.
PVS can work with physical machines as well as virtual machines.
PVS can host the images on local storage, reducing the need to plan for SAN
capacity.
PVS maintains the image in a VHDx file, so if we have multiple datacenters, we can
simply copy the image between them using any preferred file sharing mechanism.

Additional Resources:
Provisioning Services or Machine Creation Services 2016 Edition - https://www.citrix.com/blogs/2016/06/28/provisioning-services-or-machine-creation-services-2016-edition/

Key Notes:
MCS:
• A copy of the master image needs to be stored in each storage repository
configured for the host connection for MCS, increasing storage
requirements.
• MCS does not include a versioning feature that enables the same steady
promotion from maintenance -> test -> production as PVS does.
• MCS cannot be used with physical machines.
PVS:
• PVS relies on the networking infrastructure in place, as it streams the
image over the network.
• PVS requires additional infrastructure to be installed and configured for
high availability and redundancy. Also, administrators will need to learn
how to build, configure, and manage the technology.
• PVS does not have built-in cloud deployment features; to use PVS on AWS
or Azure, a separate PVS environment has to be created in the cloud.

Additional Resources:
Provisioning Services or Machine Creation Services 2016 Edition - https://www.citrix.com/blogs/2016/06/28/provisioning-services-or-machine-creation-services-2016-edition/

Key Notes:
The diagram shows MCS with PvD; explain the flow, as well as the fact that
PvD can be leveraged with PVS too. In the case of PVS, the PvDs would be
attached to the target devices.
With PvD, users can install applications and have all their changes persist.
PvD is not the same as a differencing disk, as differencing disks store changes as
block-based differences. PvD stores changes at the object level, enabling files,
folders, and registry settings to persist.
The Personal vDisk has a P:\, which stores the user profile (user data, documents,
and user profile) and a UserDatav2.vhd that stores all apps installed on C:\Program
Files, etc.
A PvD is assigned to a pooled static virtual machine (desktop in a machine catalog),
which is then assigned to a user on first login. Explain the pooled, static machine
catalog.
The lab will not be covering PvD since it is a limited use case.
You can manually adjust the automatic resizing algorithm that determines the size of
the VHD relative to the P: drive, by setting the initial size of the VHD. This can be
useful if, for example, you know users will install a number of applications that are too
big to fit on the VHD even after it is resized by the algorithm. In this case, you can
increase the initial size of the application space to accommodate the user-installed
applications.
Preferably, adjust the initial size of the VHD on a master image. Alternatively, you can
adjust the size of the VHD on a virtual desktop when a user does not have sufficient
space to install an application. However, you must repeat that operation on each
affected virtual desktop; you cannot adjust the VHD initial size in a catalog that is
already created.
Ensure the VHD is big enough to store antivirus definition files, which are typically
large.

Additional Resources:
Personal vDisk intro - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/personal-vdisk.html

Key Notes:
PvD is not a solution for every user; it is for a particular niche use case.
• An example use case would be when a roaming profile does not provide
the necessary personalization for a user group and the users require the
ability to install applications that administrators do not want to be part of
the base image or do not want to install/publish.
You need to determine the applications that have to be installed on the base image
due to the fact that they will conflict with the reconciliation process if installed on the
PvD. Applications that need to be installed on the master image include applications
that modify the Windows network stack or early-boot drivers, agents and clients,
and VM tools.
An administrator uninstalling/updating an application on the base image could cause
an issue if a user has installed an add-on for the application onto the PvD or an
application that has a dependency on the previous application.
Because each Personal vDisk is different, administering and managing the solution
requires additional time/processes.
PvD is excluded from LTSR Support because it is still a feature in development.
Some software might conflict with the way that PvD composites the user's
environment, so you must install it on the master image (rather than on the individual
machine) to avoid these conflicts. In addition, although some other software might not
conflict with the operation of PvD, Citrix recommends installing it on the master
image.
PvD is excluded from extended LTSR Support.
Applications that must be installed on the master image:
• Agents and clients (for example, System Center Configuration Manager
Agent, App-V client, Citrix Receiver)
• Applications that install or modify early-boot drivers
• Applications that install printer or scanner software or drivers
• Applications that modify the Windows network stack
• VM tools such as VMware Tools and XenServer Tools

Additional Resources:
Personal vDisk 7.x Tools - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/personal-vdisk/personal-vdisk-tools.html
Configuration and management - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/personal-vdisk/personal-vdisk-configure-manage.html
Personal vDisk intro - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/personal-vdisk.html

Key Notes:
The graphic demonstrates one server (blue) being inconsistent because it is
provisioned manually.
Manual Provisioning is not the Citrix preferred method.
Some customers are forced to provision VDAs manually, for example:
• The Citrix Admin Team does not have appropriate permissions to use MCS
on the Hypervisor or Storage.
• Some applications may need special installation procedures and cannot be
installed and cloned via MCS.
Currently 55% of Citrix Customers are using Manual Creation methods. Although
fully supported, manual provisioning has some potential drawbacks:
• Does not create a central place for updates
• Does not address and minimize the storage footprint of a catalog
• Does not address any storage I/O optimization
• Takes far longer to create larger catalogs
• Creates potential inconsistencies for the machines within a catalog

Additional Resources:
XenApp and XenDesktop MCS Full Clone Support - https://www.citrix.com/blogs/2016/10/12/xenapp-and-xendesktop-7-11-mcs-full-clone-support/

Key Notes:
MCS relies on snapshots, and the whole catalog must be updated at once. PVS has
the ability to move a vDisk between 3 stages (Maintenance, Test and Production),
and its versioning feature allows a single machine to boot on any version
without updating the whole catalog.

Key Notes:
MCS leverages a linked-clone approach to provisioning, with virtual machines
reading from a read-only master image that has been de-personalized. Each virtual
machine is assigned an identity disk that gives the machine a unique identity and a
differencing disk that handles the writes for the virtual machine.

Key Notes:
In this step, the administrator is creating a virtual machine that has the necessary
configurations and applications required for the targeted use case.
Note that deleting, moving, or renaming master images will prevent administrators
from being able to revert a machine catalog if necessary.

Key Notes:
There are two options:
• Manual: the administrator takes a snapshot of the master VM. This option
is considered leading practice because it enables the administrator to
determine a desired, meaningful naming convention.
• Automatic: if a snapshot is not taken, when the administrator selects the
master VM in the MCS wizard, Studio will automatically take a thin
snapshot of the VM using an automatic naming scheme and will provide
that snapshot to MCS.

Key Notes:
MCS is creating a full copy of the snapshot that was provided so that all machines
that will be provisioned will have the same desired properties and configurations
from the master VM.
MCS creates a full copy of the snapshot and stores it so that it can be updated in
order to provision multiple VMs, and so that there is no impact if the administrator
deletes the original snapshot.

Key Notes:
A temporary virtual machine is created from the snapshot so that an image
preparation process can be run to depersonalize the VM.
The Preparation VM is created with the network disconnected to prevent any issues
with the operation of the original master image.

Key Notes:
The Instruction Disk will tell the Preparation VM the steps that need to be run in
order to depersonalize the VM.

Key Notes:
The PvD inventory step is only applicable if the Personal vDisk feature is being
used, which will be discussed later in the module.
The image preparation process is where the Preparation VM runs through the list of
instructions that it obtained from the Instruction Disk. It is depersonalizing the copy
of the snapshot to change the base OS so that it can be used to provision multiple
machines. This is why sysprep does not need to be run manually when creating a
master image with MCS, because the image preparation process automatically
performs the necessary de-personalization.

Additional Resources:
Machine Creation Service: Image Preparation Overview and Fault-Finding - https://www.citrix.com/blogs/2016/04/04/machine-creation-service-image-preparation-overview-and-fault-finding/

Key Notes:
The preparation VM updates the copy of the snapshot following the image update
process, represented in the diagram by the copy of the snapshot being updated
from A’ to A’’.

Key Notes:
The instruction disk reports the success/failure of the steps run during the image
preparation process and only moves on with the MCS process if the steps were
successfully completed. After reading the report back to MCS, the instruction disk is
then deleted.

Additional Resources:
Machine Creation Service: Image Preparation Overview and Fault-Finding - https://www.citrix.com/blogs/2016/04/04/machine-creation-service-image-preparation-overview-and-fault-finding/

Key Notes:
Now that the copy of the snapshot has been updated and prepared for use with
multiple VMs, the copy can be replicated to each storage repository configured for
the host connection. The copy of the snapshot is read-only, and the virtual machines
will reference the copy of the snapshot in the applicable storage repository.
It is important to note that because the snapshot copy needs to be placed in each
storage repository, the number of storage repositories will affect storage
requirements.

Key Notes:
The identity disks for each VM are created in memory.

Key Notes:
MCS creates each VM by attaching the identity disk and creating and attaching a
differencing disk. This is done for each VM that needs to be created.
Since each virtual machine is pointing to the read-only snapshot copy, the virtual
machines need a unique identity (provided by the identity disk) and a disk to handle
its writes (provided by the differencing disk).

Key Notes:
With the release of versions 7.9 through 7.12 we have 3 new features that bring the
performance of MCS on par with Provisioning Services.
• We can specify several Storage Repositories per hosting connection,
allowing administrators to utilize less expensive local storage, rather than
expensive SAN solutions.
• We can configure a Machine Catalog to use RAM to optimize the temporary
writes (similar to the PVS option “write cache in memory with offload to disk”).
• We can configure the latest release of XenServer to cache the common
Shared OS disk in memory to further minimize central I/O load. (This
feature is not supported on any other hypervisor.)

Additional Resources:
• Introducing MCS Storage Optimization - https://www.citrix.com/blogs/2016/08/03/introducing-mcs-storage-optimisation/
• IntelliCache and In-memory Read Caching - https://support.citrix.com/article/CTX201887

Key Notes:
MCS will generate an Identity Disk for each cloned VM; this disk is always 16 MB.
MCS will also generate a Difference Disk for each VM; the size of this depends on
the size of the Master VM disk.

Key Notes:
The differencing disks are discarded because the user changes do not persist for
random/non-persistent desktops.
Since the differencing disks are queued for deletion, this increases the storage
consumption and should be taken into account when determining the storage
requirements.
Hypervisors supporting clone on boot include:
• VMware hypervisors
• XenServer 6.1 and up
• Pre XenServer 6.1 supported for local and iSCSI storage repositories, but
not for NFS storage repositories
• Pre XenServer 5.6 not supported

Key Notes:
The differencing disk is not deleted following reboot as user changes are required to
persist for the static/persistent desktop.

Key Notes:
When the administrator updates the master VM and goes into the machine catalog
and selects the Update Catalog option, this creates a new full copy of the snapshot,
which is then updated via the image preparation process.
The VMs are then instructed on reboot to point to the latest updated image. VMs
that have not been rebooted will continue to point to the original image snapshot.
A2 indicates the new version of the master VM.
It is leading practice to take snapshots or copies of the master image for rollback
purposes in the event there is an issue with the update.
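
The storage effects described in the MCS notes above (one image copy per storage repository, a 16 MB identity disk and a differencing disk per VM, differencing disks queued for deletion, and a second image copy while a catalog update rolls out) can be combined into a rough per-repository estimate. This is an added example, not part of the course material or a Citrix sizing tool. The `diff_fill` and `pending_delete` fractions are assumptions to be replaced with figures measured in your own environment, and the repository names and sizes are constructed.

```python
IDENTITY_DISK_MB = 16  # from the notes: the identity disk is always 16 MB


def repository_usage_mb(master_mb, vm_count, diff_fill, persistent=False,
                        pending_delete=0.0, updating=False):
    """Estimate the space one storage repository needs for an MCS catalog.

    master_mb      size of the master VM disk (and of each image copy)
    diff_fill      ASSUMPTION: fraction of the master disk size that each
                   differencing disk is expected to grow to
    pending_delete ASSUMPTION: fraction of differencing disks that sit in the
                   deletion queue at the same time (non-persistent only)
    updating       True while an Update Catalog rollout is in progress, when
                   the new image copy and the original coexist
    """
    image = master_mb * (2 if updating else 1)
    identity = IDENTITY_DISK_MB * vm_count
    differencing = int(master_mb * diff_fill) * vm_count
    # Persistent desktops keep their differencing disk across reboots, so
    # nothing is queued for deletion.
    queued = 0 if persistent else int(differencing * pending_delete)
    return {
        "image": image,
        "identity": identity,
        "differencing": differencing,
        "queued_for_deletion": queued,
        "total": image + identity + differencing + queued,
    }


def catalog_usage_mb(master_mb, vms_per_repository, **options):
    """vms_per_repository maps repository name -> VMs placed there.

    Every repository holds its own copy of the image, so spreading the same
    VMs over more repositories raises the total.
    """
    per_repo = {repo: repository_usage_mb(master_mb, count, **options)
                for repo, count in vms_per_repository.items()}
    return per_repo, sum(usage["total"] for usage in per_repo.values())


if __name__ == "__main__":
    # Constructed scenario: 40 GB master disk, 100 non-persistent desktops.
    for layout in ({"SR1": 100}, {"SR1": 50, "SR2": 50}):
        per_repo, total = catalog_usage_mb(40960, layout, diff_fill=0.25,
                                           pending_delete=0.5)
        print(layout, "->", total, "MB")
```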

Key Notes:
Static/persistent desktops cannot be instructed to read from an updated master
image on reboot due to the fact that the persistent differencing disks are tied to the
original master image.
Only newly created Catalogs can be instructed to read from an updated master
image.
Updates for existing machines can be done either manually on an individual basis,
or collectively through the use of third-party software distribution tools.
Adding Personal vDisk to the Catalog will enable you to deploy image updates using
MCS; however, this approach should be tested as it may incur performance and
management overhead.

Key Notes:
There are three high level concepts involved in making a resource available to end
users that will be covered in this module:
(1) the machine needs to be defined (this involves the process of determining user
experience, sizing and available resources such as GPU, CPU and RAM, as well as
creating the Master Image).
(2) the correct number of machines need to be provisioned into a Catalog from a
master image (typically done through Machine Creation Services or Provisioning
Services).
(3) the resource needs to be assigned to the right users (done through a Delivery
Group).

Key Notes:
Step 1 starts with research and documentation.
Each group of users has its own requirements in terms of mobility, security, updates
& flexibility, provided applications, resource impact, level of personalization,
high-availability and other factors. Grouping users with common requirements together
enables them to share a FlexCast model, an image or even a VDA and allows for
more accurate planning.
Once the research is done, a master image must be defined.

Additional Resources:
User Assessment for Desktop Transformation - https://www.citrix.com/static/dta/project-accelerator-guide-define-user-groups-master.pdf

Key Notes:
During Step 2 the actual resources (and maybe their infrastructure) will be created.
The resources can be grouped into Machine Catalogs at this time.
Choosing the “best” delivery model refers to the “most appropriate” for any given
company or resource group. Some companies benefit largely by choosing just one
single model to address all requirements, while others prefer to have two different
models within the same company for different purposes.

Key Notes:
During Step 3 the actual Delivery Groups are created, providing access for users
and groups to their desktops and applications.

Key Notes:
Can a user access resources from more than one delivery group?
• Yes, one user can have access to resources from several delivery groups
and catalogs.
• It is common to have different Delivery Groups for a single user group,
based on different machine catalogs. While one Delivery Group provides
access to generic applications like MS Office, another Delivery Group adds
applications specific to the department (financial, marketing etc.).
Applications from both (or more) Delivery Groups are visually aggregated
in StoreFront / Receiver.
• Another question: Can a Delivery Group consist of machines from different
machine catalogs? Yes – but the type of machine catalog has to be the
same.
• Another one: Can machines from a single machine catalog be part of
different Delivery Groups? Yes, given that each machine can only be
associated with one Delivery Group at a time.

Key Notes:
The Learning Objectives explain what the students can expect to learn and how to
learn the concepts presented in this module.

Key Notes:
The function of StoreFront is to authenticate users, then enumerate and aggregate
resources for them and provide them with access to these resources.
StoreFront can be used in parallel to existing Web Interface installations, but both
products should not be installed on the same server. NetScaler can be used to
divert clients to the appropriate product if necessary.
StoreFront is the interface that authenticates users, manages applications and
desktops, and hosts the application store. StoreFront communicates with the
Delivery Controller using XML.

Additional Resources:
Technical Overview - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview.html

Key Notes:
The respective Datacenter, Enterprise and Standard Editions are supported for the
OS.
The StoreFront installer will install and enable required Windows Roles and Features
automatically.
StoreFront can be set up without a Certificate, but doing so puts user credentials at
risk and requires additional configuration in Receiver.
Most deployments are set up using two StoreFront servers and two Load Balancers
(e.g. NetScaler) to provide high availability. Special procedures apply and will be
taught in a different Citrix Training.
Depending on the size and load of the deployment, up to five StoreFront servers
can be grouped together.

Additional Resources:
StoreFront System Requirements - https://docs.citrix.com/en-us/storefront/3-8/system-requirements.html

Key Notes:
Stores are used to retrieve published resources for the user from one or more
Controllers via their XML Service.
Several settings, like authentication methods or XML Services, are
configured per store.
Receiver for Web Sites are normally used to provide a GUI for the store in the
user’s browser, while the “native” Receiver can use its own GUI and access stores
directly to query for published resources or to authenticate.
Receiver for Web Sites can deliver the HTML5 Receiver (embedded into the
webpage) and are therefore called “Receiver for Web”.
Multiple stores are often used during migration of sites / farms in the backend, or to
separate externally accessible stores from internal-only accessible stores. Different
websites might be used to incorporate different visual guidelines for users, maybe
belonging to different companies within an organization.
StoreFront stores aggregate desktops and applications, making them available to
users. Store names appear in Citrix Receiver under users' accounts, so choose a
name that gives users information about the content of the store.
You can configure stores to provide resources from any mixture of XenDesktop,
XenApp, App Controller, and VDI-in-a-Box deployments.
If you require both authenticated and un-authenticated users to log in, then you have
to create two separate Stores.

Additional Resources:
Create new deployment - https://docs.citrix.com/en-us/storefront/3-8/install-standard/create-new-deployment.html


Additional Resources:
Configure and manage stores - https://docs.citrix.com/en-us/storefront/3-8/configure-
manage-stores.html

Key Notes:
Authentication: the process in which user identity is verified.
Two methods for authentication with StoreFront:
• Direct: StoreFront validates credentials against Active Directory.
• XML service-based authentication: explained on the next slide.
Explain that two Windows services are responsible for performing authentication
tasks:
• Default Domain Services = provides AD based account operations
(password change, authentication etc.)
• Credential Wallet Service = stores encrypted passwords in memory
Use the Create Authentication Service task to configure the StoreFront
authentication service. The authentication service authenticates users to Microsoft
Active Directory, ensuring that users do not need to log on again to access their
desktops and applications.
You can only configure one authentication service per StoreFront deployment. This
task is only available when the authentication service has not yet been configured.

Additional Resources:
XML service-based authentication - https://docs.citrix.com/en-us/storefront/3-8/configure-authentication-and-delegation/xml-authentication.html


Key Notes:
Authentication: the process in which user identity is verified.
Two methods for authentication with StoreFront:
• Direct: StoreFront validates credentials against Active Directory.
• Indirect: explained on the next slide.
Explain that two Windows services are responsible for performing authentication
tasks:
• Default Domain Services = provides AD based account operations
(password change, authentication etc.)
• Credential Wallet Service = stores encrypted passwords in memory
Use the Create Authentication Service task to configure the StoreFront
authentication service. The authentication service authenticates users to Microsoft
Active Directory, ensuring that users do not need to log on again to access their
desktops and applications.
You can only configure one authentication service per StoreFront deployment. This
task is only available when the authentication service has not yet been configured.

Additional Resources:
XML service-based authentication - https://docs.citrix.com/en-us/storefront/3-8/configure-authentication-and-delegation/xml-authentication.html


Key Notes:
• Indirect: StoreFront passes credentials to Delivery Controller, which
validates credentials against Active Directory.
The authentication service authenticates users to Microsoft Active Directory,
ensuring that users do not need to log on again to access their desktops and
applications. You can only configure one authentication service per StoreFront
deployment.
You can enable or disable user authentication methods set up when the
authentication service was created by selecting an authentication method in the
results pane of the Citrix StoreFront management console and, in the Actions pane,
clicking Enable Method or Disable Method, as appropriate. To remove an
authentication method from the authentication service or to add a new one, use the
Add/Remove Methods task.

Additional Resources:
Create and configure the authentication service - https://docs.citrix.com/en-us/storefront/3-8/configure-authentication-and-delegation/configure-authentication-service.html
XML service-based authentication - http://docs.citrix.com/en-us/storefront/3/configure-authentication-and-delegation/sf-configure-auth-service.html


• Key Notes:
With the Store Centric paradigm, each store can be configured to have a separate
authentication service.
When upgrading a StoreFront deployment, where multiple stores are configured, all
migrated stores will be configured to share the same authentication service located
at /Citrix/Authentication.
If you would like to configure a separate authentication service per store, select the
Advanced option to access the shared authentication service settings.
This will open a dialog box where you can clear the check box to use the shared
authentication service. An information message is displayed explaining what steps
will be performed, and a new authentication service will be created for the store.

• Additional Resources:
• Create and configure the authentication service -
https://docs.citrix.com/en-us/storefront/3-8/configure-authentication-and-delegation/configure-authentication-service.html


• Key Notes:
If you enable Citrix Receiver for Web site users to change their passwords at any
time, local users whose passwords are about to expire are shown a warning when
they log on.
By default, the notification period for a user is determined by the applicable
Windows policy setting.
To set a custom notification period for all users, you edit the configuration file for the
authentication service.
StoreFront does not support Fine Grained Password Policies in Active Directory.
• If you enable Citrix Receiver for Web site users to change their passwords
at any time, ensure that there is sufficient disk space on your StoreFront
servers to store profiles for all your users. To check whether a user's
password is about to expire, StoreFront creates a local profile for that user
on the server. StoreFront must be able to contact the domain controller to
change users' passwords.

• Additional Resources:
• Disable Desktop Auto-launch - https://docs.citrix.com/en-us/storefront/3-8/configure-authentication-and-delegation/configure-authentication-service.html#par_richtext_5


• Key Notes:
Prior to StoreFront 3.6, you could install StoreFront only on servers that were joined
to an Active Directory domain.
StoreFront 3.6 and later supports installation and configuration of StoreFront on
non-domain joined servers.
Note that in a non-domain joined server deployment, you must delegate
authentication to Delivery Controllers, and server groups are not supported.



Key Notes:
Microsoft Extensible Storage Engine (ESE) is used as the database backend.
The database is located in
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore\<#_Store Name>\PersistentDictionary.edb
The database should be backed up routinely to save the users’ subscriptions.
“Add to Favorites” is used to subscribe to an application.
The entries in the database are not lost if an administrator temporarily disables the
subscription feature of the store.
Keywords like “auto” or “mandatory” can be used to put published applications
automatically in the users’ favorite apps.
The database should be included in a backup routine – otherwise all users might
lose their subscribed apps and have to subscribe to them again. Also, make sure
your antivirus solution does not interfere with database operations on the EDB file.
The subscription data for each Store is located in:
• C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore\1__Citrix_<StoreName>
For two stores to share a subscription datastore, you need only point one store to the
subscription service end point of the other store. In the case of a server group
deployment, all servers have identical pairs of stores defined and identical copies of
the shared datastore they both share.
The XenApp, XenDesktop and AppC controllers configured on each store must match
exactly; otherwise, an inconsistent set of resource subscriptions on one store
compared to another might occur. Sharing a datastore is supported only when the
two stores reside on the same StoreFront server or server group deployment.

Additional Resources:
Backup / Restore the database: http://support.citrix.com/article/CTX139343
Configure two StoreFront stores to share a common subscription datastore -
https://docs.citrix.com/en-us/storefront/3-8/configure-manage-stores/configure-two-stores-share-datastore.html

Key Notes:
The main reason for grouping StoreFront servers is to provide high availability.
Port 808 is used to keep the database containing the user subscriptions in sync
between the StoreFront servers of a group.
Remember each store usually has its own database.
Propagating servers means “adding” as well as “deleting” objects like stores &
Receiver for Web sites from other servers of a group.
Although not a technical limit, StoreFront performs best when the number of
participating servers in a group is kept to or below five.
To manage a multiple-server deployment, use only one server at a time to make
changes to the configuration of the server group. Ensure that the Citrix StoreFront
management console is not running on any of the other servers in the deployment.
Any configuration changes you make must be propagated to the other servers in the
group to ensure a consistent configuration across the deployment.

Additional Resources:
StoreFront Scalability: https://www.citrix.com/blogs/2015/06/30/storefront-scalability-update/
Configure server groups - https://docs.citrix.com/en-us/storefront/3-8/configure-server-group.html

Key Notes:
For internal addresses like “training.lab” or “somewhat.local” only certificates from
local / private Certificate Authorities can be used since these domain addresses
cannot be validated.
For external access, two-factor authentication raises security even more.
Certificates are prone to expire (depending on their setting 1-10 years, shorter
validity periods mean more security).
Authentication services and stores each require certificates for token management.
StoreFront generates a self-signed certificate when an authentication service or
store is created. Self-signed certificates generated by StoreFront should not be
used for any other purpose.
If your users configure their accounts by entering store URLs directly into Citrix
Receiver and do not use email-based account discovery, the certificate on the
StoreFront server need only be valid for that server and have a valid chain to the
root certificate.
Citrix recommends securing communications between StoreFront and users'
devices using NetScaler Gateway and HTTPS. To use HTTPS, StoreFront requires
that the Microsoft Internet Information Services (IIS) instance hosting the
authentication service and associated stores is configured for HTTPS. In the absence
of the appropriate IIS configuration, StoreFront uses HTTP for communications. Citrix
strongly recommends that you do not enable unsecured user connections to
StoreFront in a production environment.
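One way to audit the points above on a StoreFront server, as an added example that is not Citrix code: it flags IIS sites with no HTTPS binding or with HTTP still bound, and bound certificates that are expired, close to expiry, or self-signed. The function names, the `Site` field, the 30-day warning window and all sample bindings and certificates are constructed assumptions.

```powershell
# Added example, not Citrix code. The findings logic is separate from data
# collection so it runs on the constructed sample objects below.
# Assumption: each binding object carries Site, protocol, bindingInformation and
# certificateHash; each certificate carries Thumbprint, Subject, Issuer, NotAfter.
# On a real server these can be read from IIS (for example Get-WebBinding in the
# WebAdministration module) and from Cert:\LocalMachine\My; filling in Site is
# left to the caller.

function New-Finding {
    param([string]$Site, [string]$Issue, [string]$Detail)
    [pscustomobject]@{ Site = $Site; Issue = $Issue; Detail = $Detail }
}

function Get-BindingFinding {
    param(
        [Parameter(Mandatory)][object[]]$Bindings,
        [Parameter(Mandatory)][object[]]$Certificates,
        [datetime]$Now = (Get-Date),
        [int]$WarnDays = 30    # assumed warning window before expiry
    )

    # Index certificates by thumbprint so a binding's hash can be looked up.
    $byThumbprint = @{}
    foreach ($cert in $Certificates) {
        $byThumbprint[$cert.Thumbprint.ToUpperInvariant()] = $cert
    }

    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($group in ($Bindings | Group-Object -Property Site)) {
        $site  = $group.Name
        $https = @($group.Group | Where-Object { $_.protocol -eq 'https' })
        $http  = @($group.Group | Where-Object { $_.protocol -eq 'http' })

        if ($https.Count -eq 0) {
            # Without an HTTPS binding StoreFront falls back to HTTP.
            $findings.Add((New-Finding $site 'NoHttpsBinding' 'Only HTTP is bound'))
            continue
        }
        if ($http.Count -gt 0) {
            $findings.Add((New-Finding $site 'HttpStillBound' ($http.bindingInformation -join ', ')))
        }

        foreach ($binding in $https) {
            $hash = ([string]$binding.certificateHash).ToUpperInvariant()
            $cert = $byThumbprint[$hash]
            if ($null -eq $cert) {
                $findings.Add((New-Finding $site 'CertificateNotFound' "Hash '$hash' is not in the supplied store"))
                continue
            }
            if ($cert.NotAfter -le $Now) {
                $findings.Add((New-Finding $site 'CertificateExpired' $cert.NotAfter.ToString('yyyy-MM-dd')))
            } elseif ($cert.NotAfter -le $Now.AddDays($WarnDays)) {
                $findings.Add((New-Finding $site 'CertificateExpiresSoon' $cert.NotAfter.ToString('yyyy-MM-dd')))
            }
            # Subject equal to Issuer marks a self-signed certificate.
            if ($cert.Subject -eq $cert.Issuer) {
                $findings.Add((New-Finding $site 'SelfSignedCertificate' $cert.Subject))
            }
        }
    }
    return $findings
}

# --- Constructed sample data (not taken from a real server) -------------------
$sampleNow = [datetime]'2017-06-01'
$sampleBindings = @(
    [pscustomobject]@{ Site = 'Default Web Site'; protocol = 'https'; bindingInformation = '*:443:'; certificateHash = 'AAAA1111' }
    [pscustomobject]@{ Site = 'Default Web Site'; protocol = 'http';  bindingInformation = '*:80:';  certificateHash = $null }
    [pscustomobject]@{ Site = 'Lab Site';         protocol = 'http';  bindingInformation = '*:8080:'; certificateHash = $null }
)
$sampleCertificates = @(
    [pscustomobject]@{
        Thumbprint = 'AAAA1111'
        Subject    = 'CN=storefront.training.lab'
        Issuer     = 'CN=storefront.training.lab'
        NotAfter   = [datetime]'2017-06-20'
    }
)

Get-BindingFinding -Bindings $sampleBindings -Certificates $sampleCertificates -Now $sampleNow |
    Format-Table -AutoSize
```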

Additional Resources:
Secure your StoreFront deployment - https://docs.citrix.com/en-us/storefront/3-8/secure.html

Key Notes:
Most options can be configured in the StoreFront Console starting with version 3.5.
Direct interested students to CXD-230 covering the current release versions of
XenDesktop.
Use caution when editing these files – a single missing character can render the
complete website unusable!
Citrix recommends backing up every file before editing it.
It is advisable to use a syntax highlighting editor like Notepad++ to manage the
XML structure of the file.
Remember that edited files need to be propagated, just like configuration changes.
When you edit the files, be sure to close the StoreFront Management Console.
• …\Store\web.config contains the primary Store functional settings
  • List of Controllers
  • Advanced XML settings (socket pooling, failure timeouts, etc.)
  • Authentication settings
  • Gateway settings
• …\StoreWeb\web.config contains website settings
  • Admin-defined shortcut URL settings
  • Plugin assistant and Receiver download settings
  • App vs Desktop views
  • Desktop auto-launch, workspace control, auto-reconnect
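The backup-then-validate routine these notes call for, as an added example that is not Citrix code: it refuses to deploy an edited web.config that is not well-formed XML, reports the line and position of the error, and keeps a timestamped backup of the live file. The function names, file names and sample XML are constructed; the real web.config paths depend on the store and are passed in as parameters.

```powershell
# Added example, not Citrix code. Function names are hypothetical.
# Close the StoreFront management console before editing, and propagate the
# change to the other servers of the group afterwards.

function Test-ConfigXml {
    param([Parameter(Mandatory)][string]$Path)
    $result = [pscustomobject]@{ Path = $Path; Valid = $false; Error = $null }
    try {
        # Resolve to a full path: .NET does not follow PowerShell's current location.
        $fullPath = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($fullPath)
        # An ASP.NET web.config always has <configuration> as its root element.
        if ($doc.DocumentElement.Name -eq 'configuration') {
            $result.Valid = $true
        } else {
            $result.Error = 'Root element is <{0}>, expected <configuration>' -f $doc.DocumentElement.Name
        }
    } catch {
        $ex = $_.Exception.GetBaseException()
        if ($ex -is [System.Xml.XmlException]) {
            # Pinpoint the "single missing character" for the administrator.
            $result.Error = 'Line {0}, position {1}: {2}' -f $ex.LineNumber, $ex.LinePosition, $ex.Message
        } else {
            $result.Error = $ex.Message
        }
    }
    $result
}

function Publish-EditedConfig {
    param(
        [Parameter(Mandatory)][string]$LivePath,
        [Parameter(Mandatory)][string]$EditedPath,
        [Parameter(Mandatory)][string]$BackupDir
    )
    # Validate the edited copy first; the live file is untouched on failure.
    $check = Test-ConfigXml -Path $EditedPath
    if (-not $check.Valid) {
        throw ('Not deployed, {0} is not usable: {1}' -f $EditedPath, $check.Error)
    }

    # Timestamped backup of the live file, then replace it with the edited copy.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir ('{0}.{1}.bak' -f (Split-Path $LivePath -Leaf), $stamp)
    Copy-Item -LiteralPath $LivePath   -Destination $backup   -ErrorAction Stop
    Copy-Item -LiteralPath $EditedPath -Destination $LivePath -Force -ErrorAction Stop

    # Hashes make it easy to confirm later which version is live on each server.
    [pscustomobject]@{
        Backup     = $backup
        BackupHash = (Get-FileHash -LiteralPath $backup   -Algorithm SHA256).Hash
        LiveHash   = (Get-FileHash -LiteralPath $LivePath -Algorithm SHA256).Hash
    }
}

# --- Demo on constructed files in a temporary folder --------------------------
$work = Join-Path ([System.IO.Path]::GetTempPath()) ('sf-config-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$live   = Join-Path $work 'web.config'
$edited = Join-Path $work 'web.edited.config'
$broken = Join-Path $work 'web.broken.config'

# Constructed content; the key names are placeholders, not StoreFront settings.
Set-Content -LiteralPath $live   -Value '<configuration><appSettings><add key="demo" value="1" /></appSettings></configuration>'
Set-Content -LiteralPath $edited -Value '<configuration><appSettings><add key="demo" value="2" /></appSettings></configuration>'
# One missing character: the closing quote after value="2
Set-Content -LiteralPath $broken -Value '<configuration><appSettings><add key="demo" value="2 /></appSettings></configuration>'

try {
    Publish-EditedConfig -LivePath $live -EditedPath $broken -BackupDir $work
} catch {
    Write-Output ('Rejected: ' + $_.Exception.Message)
}

Publish-EditedConfig -LivePath $live -EditedPath $edited -BackupDir $work | Format-List
Remove-Item -LiteralPath $work -Recurse -Force
```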

Additional Resources:
How to Disable Desktop Auto Launch in StoreFront:
http://support.citrix.com/article/CTX139058
How to Enable/Disable Workspace Control in StoreFront:
http://support.citrix.com/article/CTX200828
Advanced store settings: https://docs.citrix.com/en-us/storefront/3-8/configure-manage-stores/advanced-store-settings.html
Configure using configuration files: https://docs.citrix.com/en-us/storefront/3-8/configure-using-configuration-files.html

• Key Notes:
• Self-Service Password Reset enables end users to have greater control
over their user accounts. Once Self-Service Password Reset is configured,
if end users have problems logging on to their systems, they can unlock
their accounts or reset their passwords to something new by correctly
answering several security questions.
• Resetting user passwords is an inherently security sensitive process. We
recommend that you refer to the Secure configuration article to ensure that
your deployment is correctly configured.
• Self-Service Password Reset contains three components:
  • Self-Service Password Reset configuration console
  • Self-Service Password Reset Service
  • Security question enrollment in StoreFront
The feature is not supported via NetScaler Gateway.
SSPR does not support UPN logons, for example username@domain.com.
The feature is only available for Receiver for Web with unified experience enabled.
The feature works only with secure websites (using HTTPS).

• Additional Resources:
• About Self-Service Password Reset: http://docs.citrix.com/en-us/self-service-password-reset/1-1/about.html
• SSPR System requirements: http://docs.citrix.com/en-us/self-service-password-reset/1-1/system-requirements.html

• Key Notes:
Until version 3.5 of StoreFront, SSPR was supported only up to XA 6.5. Version 3.7 and
later of StoreFront extend this feature to all versions of XA 7.x.
Users can change their passwords from the StoreFront site. This is supported by all
versions.
Functions of each component:
• SSPR Configuration Console
  • Configures the IIS based SSPR service to read from the central store
    using the data proxy account.
  • Configures the IIS based SSPR service to communicate with Active
    Directory using the self-service account.
  • Configures which users can use SSPR and points the service to
    validate license server version and edition.
• SSPR Service
  • IIS based service
  • Talks to AD for unlocking / resetting user account passwords.
  • End users’ requests are sent to this service via StoreFront.
• Security Questions
  • StoreFront provides an enrollment mechanism allowing users to answer
    their security questions.
Before you install the Self-Service Password Reset Service, ensure that the
appropriate accounts and components are available to support the service. Also,
because the service uses secure HTTP (HTTPS), it requires a server authentication
certificate for Transport Layer Security (TLS) communication with StoreFront.
• Server Authentication Requirement:
  • Before you install the service, obtain a server authentication certificate for
    TLS communication from a Certificate Authority (CA) or your internal
    Public Key Infrastructure (PKI), if available.
• Accounts Required for Service Modules:
  • Note: Ensure both accounts do not expire in Active Directory.
  • The Self-Service Password Reset Service requires these account types to
    read and write data as it operates in your environment:
    • Data proxy account
    • Self-service account
  • When different modules require the same type of account, you can use the
    same account for multiple modules, or you can specify different customized
    accounts for each module.
• Data proxy account
  • Requires read and write access to the central store. For more
    information, see Create a central store.
• Self-service account
  • Requires sufficient privileges to unlock and reset the password of the
    relevant users in User Configuration. For more information, see Secure
    configuration.

• Additional Resources:
Configure Self-Service Password Reset: http://docs.citrix.com/en-us/self-service-password-reset/1-1/install-configure.html
About Self-Service Password Reset: http://docs.citrix.com/en-us/self-service-password-reset/1-1/about.html
Configure StoreFront 3.8 for SSPR: http://docs.citrix.com/en-us/storefront/3-8/configure-authentication-and-delegation/configure-authentication-service.html#par_anchortitle_719b


• Additional Resources:
• XenApp and XenDesktop Features by edition:
https://www.citrix.com/go/products/xendesktop/feature-matrix.html

Key Notes:
Receiver exists for all major OS platforms. It can be used to launch a
connection to a VDA after the user has used a browser to enumerate the published
resources, but also as a standalone program that authenticates the user,
enumerates the resources and launches them.

Additional Resources:
Citrix Receiver Client Feature Matrix: http://support.citrix.com/article/CTX104182


Key Notes:
Citrix Receiver for Web sites enable users to access stores through a webpage. The
tasks below enable you to modify settings for your Citrix Receiver for Web sites.
Some advanced settings can only be changed by editing the site configuration files.
Use the Deploy Citrix Receiver task to configure the behavior of a Citrix Receiver
for Web site when a Windows or Mac OS X user without Citrix Receiver installed
accesses the site. By default, Citrix Receiver for Web sites automatically attempt to
determine whether Citrix Receiver is installed when accessed from computers
running Windows or Mac OS X.
If Citrix Receiver cannot be detected, the user is prompted to download and install
the appropriate Citrix Receiver for their platform. The default download location is
the Citrix website, but you can also copy the installation files to the StoreFront
server and provide users with these local files instead.
Connecting via Receiver for Web is comparable to the former WebInterface
technology.
This way of connecting can also apply to mobile devices, where a Receiver app is
installed, but the user starts application enumeration with the installed browser (for
example Safari on iOS devices) and chooses to open the downloaded launch.ica file
with the Receiver app.
This setup can be used to deploy the Receiver application.
A benefit of this setup is that almost any device can be used, since it requires no
configuration – the launch.ica file transmits most session relevant parameters to the
client.
Requirement for clients:
• User needs to enter the URL manually & authenticate
Single sign-on / password pass-through can be established between domain-joined
clients and StoreFront websites.
Prelaunch sessions are not supported.

Additional Resources:
Configure Citrix Receiver for Web sites - http://docs.citrix.com/en-us/storefront/3-8/manage-citrix-receiver-for-web-site/configure-receiver-for-web-sites.html
Citrix Receiver Client Feature Matrix -
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-receiver-feature-matrix.pdf

Key Notes:
The native Receiver setup requires the user to install the Receiver or to have the
Receiver pre-installed.
The native Receiver requires configuration, either manually by the user or by the IT
staff.
This setup can be used together with single sign-on and prelaunch session support;
it offers the richest feature set available.
Citrix Receiver attempts to contact beacon points and uses the responses to
determine whether users are connected to local or public networks. When a user
accesses a desktop or application, the location information is passed to the server
providing the resource so that appropriate connection details can be returned to
Citrix Receiver. This ensures that users are not prompted to log on again when they
access a desktop or application.
The CitrixReceiver.exe installation package can be installed using the following
methods:
• By a user from Citrix.com or your own download site
  • A first-time Receiver user who obtains Receiver from Citrix.com or your
    own download site can set up an account by entering an email address
    instead of a server URL. Receiver determines the NetScaler Gateway (or
    Access Gateway) or StoreFront Server associated with the email address
    and then prompts the user to log on and continue the installation. This
    feature is referred to as "email-based account discovery." Note: A first-time
    user is one who does not have Receiver installed on the device.
  • Email-based account discovery for a first-time user does not apply if
    Receiver is downloaded from a location other than Citrix.com (such as a
    Receiver for Web site).
  • If your site requires configuration of Receiver, use an alternate
    deployment method.
• Automatically from Receiver for Web or from a Web Interface logon screen.
  • A first-time Receiver user can set up an account by entering a server URL
    or downloading a provisioning (CR) file.
• Using an Electronic Software Distribution (ESD) tool
  • A first-time Receiver user must enter a server URL or open a provisioning
    file to set up an account.
• Receiver does not require administrator rights to install unless it will use
pass-through authentication.

Additional Resources:
Citrix Receiver Client Feature Matrix -
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-receiver-feature-matrix.pdf
Create a single Fully Qualified Domain Name (FQDN) to access a store internally and
externally - https://docs.citrix.com/en-us/storefront/3-8/advanced-configurations/configure-single-fqdn.html
Receiver Install - http://docs.citrix.com/en-us/receiver/windows/4-5/install.html


Key Notes:
This setup does not require installing anything on the client device, since the HTML5
Receiver is downloaded to the client as part of the website, much like an image
or Flash plugin.
The HTML5 Receiver lacks many features compared to the native Receiver (no file
redirection, no bi-directional audio), and other features are implemented using
“workarounds” due to platform limitations (clipboard sync, printing).
The HTML5 Receiver only supports SSL/TLS connections.
This setup can also be used to provide additional security, but comes with loss of
functionality. Also, if incompatible versions of Receiver are installed on the client
side, a website can be configured to override the client detection and instead always
use the HTML5 Receiver.

Additional Resources:
Citrix Receiver Client Feature Matrix -
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-receiver-feature-matrix.pdf
Receiver Internals: How Receiver for HTML5 & Chrome Connections Work -
https://www.citrix.com/blogs/2015/07/08/receiver-internals-how-receiver-for-html5-chrome-connections-work/


Key Notes:
Consider the implications of domain pass-through: it requires domain-joined
computers, does not work with the HTML5 Receiver, and requires IE if a browser is
to be used.
The trusted domains setting also restricts other logon methods to adhere to the
provided list of trusted domains.
In short, the different authentication methods:
• Unauthenticated: Useful for providing access to resources that use their
own authentication system or where authentication is generally not
required.
• Username and Password: Users log on by entering their domain username
and password. This method is enabled by default.
• Passthrough from NetScaler Gateway: If NetScaler Gateway is used,
StoreFront just validates that the user has been authenticated and does not
authenticate the user itself.
• Domain Passthrough: Seamlessly passes through the users’
authentication from a domain-joined Windows computer.
• SmartCard: Enables the use of SmartCards together with the appropriate
PKI infrastructure in the backend. Users need to provide the SmartCard and
their PIN to log on.
• HTTP Basic: Provides an interface for 3rd party applications to single-sign-
on to StoreFront using the underlying IIS. Useful when integrating StoreFront
into portal solutions.
There are also two options relevant to the authentication methods:
• Trusted Domains: Restricting all logons to a list of known domains raises
security – can also be used to provide a list of domains to choose from to
users.
• Change Password: Provide users the option to electively change a
password or change a password on expiry.

Additional Resources:
StoreFront 3.8 User Authentication - https://docs.citrix.com/en-us/storefront/3-8/plan/user-authentication.html
Manage authentication methods - https://docs.citrix.com/en-us/storefront/3-8/configure-authentication-and-delegation/configure-authentication-service.html#par_richtext_3

Key Notes:
When delivering applications with XenDesktop or XenApp, consider the following
options to enhance the experience for users when they access their applications:
• Web Access Mode - Without any configuration, Citrix Receiver for
Windows provides browser-based access to applications and desktops.
Users simply open a browser to a Receiver for Web or Web Interface site
to select and use the applications that they want. In this mode, no
shortcuts are placed on the user's desktop.
• Self Service Mode - By simply adding a StoreFront account to Citrix
Receiver for Windows or configuring Citrix Receiver for Windows to point
to a StoreFront site, you can configure self-service mode, which allows
users to subscribe to applications from the Citrix Receiver for Windows
user interface. This enhanced user experience is similar to that of a mobile
app store. In self-service mode you can configure mandatory, auto-
provisioned and featured app keyword settings as needed.
By default, Citrix Receiver for Windows allows users to select the applications they
want to display in their Start menu.
Include meaningful descriptions for applications in a Delivery Group. Descriptions are
visible to Citrix Receiver for Windows users when using Web access or self-service
mode.
Hiding a store does not prevent access to it.
Use the screenshot showing a provisioning file from StoreFront to explain that the
most important part is the address section pointing to a store on a StoreFront server.
Most other options pertain to remote access.
Receiver can access up to 10 different stores.

Additional Resources:
Configuring application delivery - http://docs.citrix.com/en-us/receiver/windows/4-5/configure/receiver-windows-configure-app-delivery-wrapper.html

Key Notes:
Citrix recommends using the Group Policy Object and provides the template file
receiver.adm or receiver.admx\receiver.adml (depending on OS) to configure
settings related to Citrix Receiver for Windows.

Additional Resources:
Configuring Citrix Receiver for Windows with the Group Policy Object template -
http://docs.citrix.com/en-us/receiver/windows/4-5/configure/ica-import-icaclient-template-v2.html


Key Notes:
If Citrix Receiver for Windows is configured via VDA installation, the admx/adml files
are found in the Citrix Receiver for Windows installation directory. For example:
<installation directory>\online plugin\Configuration.
You can use adm template files to configure Local GPO and/or Domain-Based GPO.
Citrix recommends that you use the template files provided with the latest Citrix
Receiver for Windows. While importing the latest files, the previous settings are
retained.
One of the main benefits of using the new ADMX files is the central store. This
option is available to you when you are administering domain-based GPOs,
although the central store is not used by default. Unlike the case we discussed
earlier with ADM files, the Group Policy Object Editor will not copy ADMX files to
each edited GPO but will provide the ability to read from either a single domain-level
location on the domain controller sysvol (not user configurable) or from the local
administrative workstation when the central store is unavailable. You can share a
custom ADMX file by copying the file to the central store, which makes it available
automatically to all Group Policy administrators in a domain. This capability
simplifies policy administration and improves storage optimization for GPO files.
ADMX files are divided into language-neutral (ADMX) and language-specific (ADML)
resources, available to all Group Policy administrators. These factors allow Group
Policy tools to adjust their UI according to the administrator's configured language.
ADMX files should be used for all managed endpoints. It is the fastest and easiest way
of configuring multiple machines in a consistent manner.

Additional Resources:
Configure Receiver with the Group Policy Object Template -
http://docs.citrix.com/en-us/receiver/windows/4-5/configure/ica-import-icaclient-template-v2.html

Key Notes:
You can configure NetScaler Gateway to accept user connections by using an email
address to discover the StoreFront or NetScaler Gateway URL. The process for
user connections is:
• When users connect from inside your network or a remote location and
install Receiver for the first time, they enter their email address or the
StoreFront URL.
• Receiver then queries the appropriate DNS server, which responds with
the StoreFront or NetScaler Gateway URL. The URL depends on whether
users connect from the internal network or they connect from a remote
location.
• Users then log on to Receiver with their user name, password, and
domain.
• If users connect from a remote location, NetScaler Gateway provides the
StoreFront URL to Receiver.
• Receiver gets the account information from StoreFront. If users connect
through NetScaler Gateway, the appliance performs SSO to StoreFront. If
more than one account is available, users receive a list of accounts from
which to choose.
• When users log on to an account, a list of applications appears in Receiver.
Users can then select an app to open.
End users cannot be expected to know the load balanced address of the StoreFront
server and the site path. The only way they will know this is if they read onboarding
documentation or somebody walks them through the process.
All users know their email address. This provides a much better user experience.

Additional resources:
Configuring Email-Based Account Discovery for Receiver -
http://blogs.citrix.com/2013/04/01/configuring-email-based-account-discovery-for-citrix-receiver/
Connecting to StoreFront by Using Email-Based Discovery -
http://docs.citrix.com/en-us/netscaler-gateway/11/storefront-integration/ng-clg-session-policies-overview-con/ng-clg-storefront-policies-con/ng-clg-storefront-email-discovery-tsk.html

Key Notes:
User logs on to StoreFront and uses the Activate feature to configure Receiver.
This method is not very intuitive. End users may miss this feature altogether. They
are more likely to find it after using the system for a while.
Recommended as another option for configuring unmanaged endpoints. Email-based
discovery provides a better end-user experience.

Additional Resources:
Overview of StoreFront’s provisioning file -
http://support.citrix.com/article/CTX135919


Key Notes:
Advanced users can use command-line parameters during installation of Receiver.
Also used when deploying Receiver with a script (which is how an ESD works too).
• Essentially pre-configuring Receiver as part of the installation process.

Additional resources:
Configure and Install Receiver for Windows Using Command Line Parameters -
http://docs.citrix.com/en-us/receiver/windows/4-5/install/receiver-windows-cfg-command-line-42.html


Key Notes:
Citrix Receiver attempts to contact beacon points and uses the responses to
determine whether users are connected to local or public networks. When a user
accesses a desktop or application, the location information is passed to the server
providing the resource so that appropriate connection details can be returned to
Citrix Receiver. This ensures that users are not prompted to log on again when they
access a desktop or application.

Additional Resources:
Documentation on Beacon Points -
https://docs.citrix.com/en-us/storefront/3-8/integrate-with-netscaler-and-netscaler-gateway/configure-beacon.html


Key Notes:
Since StoreFront 2.6, using the same internal and external logon point URL is
supported, but this is out of scope for this class.

Additional Resources:
Configure StoreFront Beacons:
https://docs.citrix.com/en-us/storefront/3-8/integrate-with-netscaler-and-netscaler-gateway/configure-beacon.html

Key Notes:
Internal beacons: You can configure one internal beacon and zero to many external
beacons. The default setting for the internal beacon is to use the StoreFront. To use
your own beacon, you clear the default setting and then enter the URL in the text
box. The internal beacon accepts a valid URL format only. You can use one URL
and it allows a maximum of 256 characters.

Key Notes:
External beacons: The default setting for external beacons uses the web address
you configure on the Deployment tab, which is typically the NetScaler Gateway
FQDN. To use your own beacon, you clear the default setting and enter the URL in
the text box. The external beacon accepts comma-separated URLs without spaces
after the comma. For example, you can enter
https://ng1.company.com,https://ng2.company.com,https://ng3.company.com. The
maximum length allowed is 1,024 characters.

Key Notes:
Use the Manage Beacons task to specify URLs inside and outside your internal
network to be used as beacon points. Beacons are web addresses, typically to
StoreFront, XenMobile, or NetScaler Gateway. You can configure the following:
• Internal beacons. You can configure one internal beacon and zero to many
external beacons. The default setting for the internal beacon is to use the
StoreFront or XenMobile FQDN. If you have earlier editions of XenMobile,
use the App Controller FQDN. If you keep the default setting for the
internal beacon, XenMobile disables the text box. To use your own
beacon, you clear the default setting and then enter the URL in the text
box. The internal beacon accepts a valid URL format only. You can use
one URL and it allows a maximum of 256 characters.
• External beacons. The default setting for external beacons uses the web
address you configure on the Deployment tab, which is typically the
NetScaler Gateway FQDN. To use your own beacon, you clear the default
setting and enter the URL in the text box. The external beacon accepts
comma-separated URLs without spaces after the comma. For example,
you can enter https://ng1.com,https://ng2.com,https://ng3.com. The
maximum length allowed is 1,024 characters.
There is even an additional conclusion for Receiver: If all beacons resolve to the
same content, Receiver assumes that it is behind a paywall (catchall-portal / captive
portal / a proxy solution commonly found in public / guest Wi-Fi networks redirecting all
requests to the same website – either to acknowledge terms of service or to buy
internet access).
StoreFront sets the default internal beacon to the configured SF address – which
should NOT be resolvable outside the LAN.

Additional Resources:
How to Successfully Test Citrix StoreFront Beacons Inside a Remote Desktop
Session - http://support.citrix.com/article/CTX132037
StoreFront Planning Guide - http://support.citrix.com/article/CTX136547
Configure beacon points -
https://docs.citrix.com/en-us/storefront/3-8/integrate-with-netscaler-and-netscaler-gateway/configure-beacon.html

Key Notes:
Scenario: You are the Citrix Admin and you have recently configured Beacons on the
StoreFront servers. When testing this from the outside network you are unable to
log on with Receiver. What could be wrong?
• The internal Beacon could be registered on the external DNS server,
causing external Receivers to attempt direct connections to StoreFront.
• The internal Beacon is resolved first and if this can be resolved in DNS,
Receiver will assume that it is internal.
• Beacons will only do DNS lookup and not actually verify that the service
behind the name works.
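
The beacon rules from the Manage Beacons notes and the failure in the scenario above can be checked mechanically. The following Python sketch is an added example, not Citrix code: it validates the two beacon text boxes against the limits stated in these notes and models the location decision as the notes describe it. The internal host name, the public DNS snapshot, the `probe` callback and the `"offline"` result are constructed assumptions.

```python
from urllib.parse import urlsplit

INTERNAL_MAX_LEN = 256    # limit stated in the notes for the internal beacon
EXTERNAL_MAX_LEN = 1024   # limit stated in the notes for the external beacon list


def is_valid_url(url):
    """Accept only absolute http(s) URLs that carry a host name."""
    if " " in url or url != url.strip():
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def validate_beacons(internal, external):
    """Return a list of rule violations for the two beacon text boxes."""
    problems = []
    if len(internal) > INTERNAL_MAX_LEN:
        problems.append("internal beacon exceeds 256 characters")
    if "," in internal:
        problems.append("internal beacon must be exactly one URL")
    elif not is_valid_url(internal):
        problems.append("internal beacon is not a valid URL")
    if len(external) > EXTERNAL_MAX_LEN:
        problems.append("external beacon list exceeds 1,024 characters")
    # An empty external box is allowed: "zero to many external beacons".
    for item in (external.split(",") if external else []):
        if item != item.strip():
            problems.append("space around comma near %r" % item.strip())
        elif not is_valid_url(item):
            problems.append("external beacon %r is not a valid URL" % item)
    return problems


def classify_location(internal, externals, probe):
    """Model of the decision described in the notes.

    probe(url) returns what the beacon resolved to, or None if it does not resolve.
    """
    internal_answer = probe(internal)
    external_answers = [probe(url) for url in externals]
    answers = [internal_answer] + external_answers
    # Every beacon answering with identical content points to a captive portal.
    if len(answers) > 1 and None not in answers and len(set(answers)) == 1:
        return "captive-portal"
    if internal_answer is not None:
        return "internal"          # the internal beacon is evaluated first
    if any(answer is not None for answer in external_answers):
        return "external"
    return "offline"               # assumption: the notes do not name this case


def internal_beacon_leaks(internal, public_dns):
    """True if the internal beacon host resolves in the public DNS view,
    which is the misconfiguration from the scenario."""
    return urlsplit(internal).hostname in public_dns


def probe_from_dns(dns):
    """Build a probe that answers from a DNS snapshot (host -> address)."""
    return lambda url: dns.get(urlsplit(url).hostname)


# Constructed sample values, not taken from a real deployment.
INTERNAL = "https://storefront.corp.example/Citrix/Store"
EXTERNALS = "https://ng1.company.com,https://ng2.company.com"
PUBLIC_DNS = {"ng1.company.com": "203.0.113.10", "ng2.company.com": "203.0.113.11"}

if __name__ == "__main__":
    print("config problems:", validate_beacons(INTERNAL, EXTERNALS))
    print("remote client sees:",
          classify_location(INTERNAL, EXTERNALS.split(","), probe_from_dns(PUBLIC_DNS)))
    print("internal beacon in public DNS:", internal_beacon_leaks(INTERNAL, PUBLIC_DNS))
```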


Key Notes:
Policies are a collection of settings that define how sessions, bandwidth, and
security are managed for a group of users, devices, or connection types.
You can apply policy settings to physical and virtual machines, or to users. You can
apply settings to individual users at the local level or in security groups in Active
Directory. The configurations define specific criteria and rules, and if you do not
specifically assign the policies, the settings are applied to all connections.

Additional Resources:
Policies - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies.html


Key Notes:
All Citrix Local Policies are created and managed in the Citrix Studio console and
stored in the Site Database; whereas, Group Policies are created and managed with
the Microsoft Group Policy Management Console (GPMC) and stored in Active
Directory. Microsoft Local Policies are created in the Windows Operating System
and are stored in the registry.
Studio uses a Modeling Wizard to help administrators compare configuration
settings within templates and policies to help eliminate conflicting and redundant
settings. Administrators can set GPOs using the GPMC to configure settings and
apply them to a target set of users at different levels of the network.
These GPOs are saved in Active Directory, and access to the management of these
settings is generally restricted for most of IT for security.
Settings are merged according to priority and their condition. Any disabled setting
overrides a lower-ranked enabled setting. Un-configured policy settings are ignored
and do not override lower-ranked settings.
Local policies can also have conflicts with group policies in the Active Directory,
which could override each other depending on the situation.



Additional Resources:
Policies - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies.html
Group Policy Loopback mode explanation -
https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback/

Key Notes:
Consider that the permissions to create / modify GPOs are required for Site,
Domain and OU based policies. Therefore, Site Database policies can be used by
Citrix Administrators that have no such permissions to still be able to configure all
VDAs.

Key Notes:
According to leading practices, policies should be created either in Active Directory
or the Site Database, but not both at the same time.
The Citrix Group Policy management extension is required to actually see and edit
the Citrix policies “inside” the Microsoft GPOs.
These extensions can be installed silently together with Citrix Studio or explicitly from
a directory on the XA/XD installation media – both x64/x86 versions exist in
separate directories.
These extensions are only needed on systems that will be used to create or modify
the Citrix policies.


Key Notes:
Group policy settings are processed in the following order:
• Local GPO
• XenApp or XenDesktop Site GPO (stored in the Site database)
• Site-level GPOs
• Domain-level GPOs
• Organizational Units
However, if a conflict occurs, policy settings that are processed last can overwrite
those that are processed earlier. This means that policy settings take precedence in
the following order:
• Organizational Units
• Domain-level GPOs
• Site-level GPOs
• XenApp or XenDesktop Site GPO (stored in the Site database)
• Local GPO
Explain that policies from the Site database are transferred to the VDA and written to
the registry upon registration of the VDA and on logon of a user.
Explain that Site database policies cannot modify settings on VDAs that have not
(yet) registered to the Site or register to a different Site.

Additional Resources:
Work with Policies - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies.html
Group Policy processing and precedence -
https://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx

Key Notes:
Because it’s possible (and even likely) that you may have multiple GPOs to apply,
there is always the possibility that these GPOs will have conflicting settings. In this
case, how do we know which GPO will win and have its settings applied? The
simple rule to remember is that the last GPO applied will overwrite any settings
applied earlier. And the GPOs closest to the client location in the directory structure
will be applied last. The order goes as follows:
• Local
• Site
• Domain
• Organizational Unit
In both Citrix and Microsoft Policies, lower number means higher precedence. Still
the Local, Site, Domain, OU order applies – the link order system is used only for
conflict resolution inside a single OU, while the Priority system is used for conflict
resolution inside a GPO.
New Citrix Policies are added to the priority list with a higher number – so they would
not have much effect and need to be repositioned to their correct rank.
The priority numbers will be re-numbered automatically, if needed, so no gaps will
exist.

Additional Resources:
Group Policy Basics – Part 2: Understanding Which GPOs to Apply -
https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/15/group-policy-basics-part-2-understanding-which-gpos-to-apply/

Key Notes:
Group Policy loopback is a computer configuration setting that enables different
Group Policy user settings to apply based upon the computer from which logon
occurs.
Administrators use loopback processing in kiosk, lab, and Terminal Server
environments to provide a consistent user experience across all computers,
regardless of the GPOs linked to the user’s OU.
Loopback mode has to be enabled for a machine; it is a computer setting.
The screenshot explains the order of policy application and how the computer
“loops back” to re-evaluate all User settings from the GPOs that apply to the
computer object.
Loopback mode is useful when permissions restrict attaching a GPO to the users’
OU, or more often specific settings for users are required depending on the
machine they log on to.

Additional Resources:
Group Policy Loopback mode explanation -
https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback

Key Notes:
When you enable loopback processing, you also have to select the desired
mode. There are two modes for loopback processing: Merge or Replace.
During loopback processing in Merge mode, user GPOs process first (exactly as
they do during normal policy processing), but with an additional step. Following
normal user policy processing the Group Policy engine applies user settings from
GPOs linked to the computer’s OU. The result: the user receives all user settings
from GPOs applied to the user and all user settings from GPOs applied to the
computer. The user settings from the computer’s GPOs win any conflicts since they
apply last.
During loopback processing in Replace mode, the user settings applied to the
computer “replace” those applied to the user. In actuality, the Group Policy service
skips the GPOs linked to the user’s OU. Group Policy effectively processes as if
the user object was in the OU of the computer rather than its current OU.
“Replace” might mean that necessary settings from other GPOs for the user will be
missing, like Folder Redirection etc.
“Merge wins conflicts (1 vs A), but settings without conflict will apply. Replace
eliminates conflicts by discarding ABC completely.”
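
The processing order and the two loopback modes described above can be traced with a small model. This Python sketch is an added example, not Microsoft or Citrix code; the GPO names, the setting names and the values A/B/C and 1/2 are constructed, following the "1 vs A" shorthand in the notes, and the two input lists are assumed to already contain the GPOs in scope for the user object and for the computer object.

```python
# Processing order from the notes; later levels overwrite earlier ones.
LEVELS = ("local", "citrix_site_db", "ad_site", "domain", "ou")


def process(gpos):
    """Apply the user settings of each GPO in processing order.

    gpos: list of dicts with 'name', 'level', 'link_order' and 'user_settings'.
    Within one level a lower link_order has higher precedence, so it is
    applied last. Returns {setting: (value, name of the winning GPO)}.
    """
    ordered = sorted(gpos, key=lambda g: (LEVELS.index(g["level"]), -g["link_order"]))
    effective = {}
    for gpo in ordered:
        for setting, value in gpo["user_settings"].items():
            effective[setting] = (value, gpo["name"])   # last writer wins
    return effective


def effective_user_settings(user_gpos, computer_gpos, loopback=None):
    """Resolve the user settings for one logon.

    user_gpos:     GPOs in scope because of where the user object lives.
    computer_gpos: GPOs in scope because of where the computer object lives.
    loopback:      None (normal processing), 'merge' or 'replace'.
    """
    if loopback is None:
        return process(user_gpos)
    if loopback == "replace":
        # GPOs linked to the user's OU are skipped entirely.
        return process(computer_gpos)
    if loopback == "merge":
        merged = process(user_gpos)
        # The computer-side GPOs apply last, so they win every conflict.
        merged.update(process(computer_gpos))
        return merged
    raise ValueError("unknown loopback mode: %r" % loopback)


# Constructed sample: A/B/C come from the user's side, 1/2 from the computer's.
USER_GPOS = [
    {"name": "Staff defaults", "level": "ou", "link_order": 2,
     "user_settings": {"Screen saver timeout": "X", "Folder Redirection": "B"}},
    {"name": "Staff overrides", "level": "ou", "link_order": 1,
     "user_settings": {"Screen saver timeout": "A", "Drive mapping": "C"}},
]
COMPUTER_GPOS = [
    {"name": "VDA OU lockdown", "level": "ou", "link_order": 1,
     "user_settings": {"Screen saver timeout": "1", "Start menu layout": "2"}},
]

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, effective_user_settings(USER_GPOS, COMPUTER_GPOS, mode))
```

In Replace mode the result no longer contains Folder Redirection, which is the missing-settings caveat the notes raise.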

Additional Resources:
Group Policy Loopback mode explanation -
https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback/

Key Notes:
In Studio, policies and templates are displayed in a single list regardless of whether
they contain user, computer or both types of settings and can be applied using both
user and computer filters.
Studio Policy Filters summary overview:
• Access Control – use NetScaler EPA scans to detect client scenarios
• Citrix CloudBridge – detect the presence of the bandwidth saving
appliance
• Client IP address – filter on ranges or specific addresses
• Client name – filter on client names
• Delivery Group – apply policies to named Delivery Groups
• Delivery Group type – apply policies to certain types of Delivery Groups
(like shared or private VDAs)
• Tag – filter policies based on tags from Citrix Studio
• User or Group – apply the policy to specific domain users or groups
• Organizational Unit (only within Studio) – filter the policy on the OU of the
VDAs
If multiple Filters are set, they will be AND-combined. Only if each Filter result is true,
the policy will apply. (Think of “the more you filter, the less you target”). Example:
Filter A set to domain\nurse-group, Filter B set to 192.168.10.20 would only match for
specific nurses logging on from a specific address.
The right screenshot shows a combination of two Filter expressions: While all
members of the nurse-group are allowed to apply the settings in the policy (it does
not matter if the actual setting is a restriction or allowance), Nurse2 is denied access
to the policy. Human-readable expression would be “all nurses except nurse2”.
• Another way to reach the same result would be to create two policies: one for
nurse-group, another one for Nurse2 specifically, but ranked higher than the
generic nurse-group policy.


Additional Resources:
Work with Policies -
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/policies-processes.html

Key Notes:
Assign policies to groups rather than individual users. If you assign policies to
groups, assignments are updated automatically when you add or remove users from
the group.
Do not enable conflicting or overlapping settings in Remote Desktop Session Host
Configuration. In some cases, Remote Desktop Session Host Configuration
provides similar functionality to Citrix Policy settings. When possible, keep all
settings consistent (enabled or disabled) for ease of troubleshooting.
Disable unused policies. Policies with no settings added create unnecessary
processing.
An unfiltered, lowest-ranking policy with custom settings is basically “a new system
default” more suitable for the company.
Exceptions from the baseline can be defined on a per user / per scenario basis in
higher ranking policies that are filtered to specific needs.

Additional Resources:
Create Policies -
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/policies-create.html

Key Notes:
“Not configured” enables lower ranking policies to get applied for that specific
setting.
Some features have dependencies – Audio quality will be meaningless if the Audio
channel is disabled altogether.
Policy Example:
• A Marketing User (Jimmy) works from home today – the policy system
uses the filters to find policies that apply, in addition to the System default
settings, that always apply at a fixed lowest rank but can be modified with
higher ranking policies. For Jimmy, the “Marketing homeoffice” and
“Baseline” Policy apply (Jimmy is not a member of the accounting group,
Jimmy does not connect from an external IP address).
Next, setting by setting is processed, where conflicts will be resolved by
taking the respective setting’s value from the highest ranking (lowest
number) policy.
So for “Audio channel” this means “enabled” (since Prio 1 wins over Prio
4), for “Audio quality” this means “High quality” (since the highest ranking
policy is not configured, the lower ranking policies are also not configured,
the system default applies). Note that audio quality could be degraded if a
future policy introduces a setting of “low quality” for marketing users.
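
The filter matching and the setting-by-setting resolution from the Jimmy walk-through, together with the AND-combined allow/deny filters from the Studio filter notes, can be expressed in a few lines. This Python sketch is an added example, not Citrix code; the policy table, group names, IP range, the nurse policy's setting and the default for "Audio channel" are constructed so that the result matches the outcome stated above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Filter:
    kind: str            # "group", "user" or "client_ip"
    value: str
    allow: bool = True   # False models a filter entry set to Deny

    def holds(self, conn):
        if self.kind == "group":
            hit = self.value in conn["groups"]
        elif self.kind == "user":
            hit = conn["user"] == self.value
        elif self.kind == "client_ip":
            hit = ip_address(conn["client_ip"]) in ip_network(self.value)
        else:
            raise ValueError("unknown filter kind: %r" % self.kind)
        return hit if self.allow else not hit


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int        # 1 is the highest rank
    settings: dict       # configured settings only; "Not configured" is absent
    filters: tuple = ()  # no filters: the policy applies to every connection
    enabled: bool = True


def applicable(policies, conn):
    """Enabled policies whose filters all hold (AND), highest rank first."""
    hits = [p for p in policies
            if p.enabled and all(f.holds(conn) for f in p.filters)]
    return sorted(hits, key=lambda p: p.priority)


def resultant(policies, conn, defaults):
    """Resolve setting by setting. Returns {setting: (value, source)}."""
    result = {name: (value, "system default") for name, value in defaults.items()}
    # Walk from lowest to highest rank so the highest-ranking value is written last.
    for policy in reversed(applicable(policies, conn)):
        for name, value in policy.settings.items():
            result[name] = (value, policy.name)
    return result


# Constructed policy table; only the names "Marketing homeoffice" and
# "Baseline" and the priorities 1 and 4 come from the notes.
DEFAULTS = {"Audio channel": "enabled", "Audio quality": "High quality"}
POLICIES = [
    Policy("Marketing homeoffice", 1, {"Audio channel": "enabled"},
           (Filter("group", "marketing"),)),
    Policy("Accounting", 2, {"Audio quality": "Low quality"},
           (Filter("group", "accounting"),)),
    Policy("External access", 3, {"Audio quality": "Low quality"},
           (Filter("client_ip", "203.0.113.0/24"),)),
    Policy("Baseline", 4, {"Audio channel": "disabled"}),
]
JIMMY = {"user": "Jimmy", "groups": {"marketing"}, "client_ip": "10.20.30.40"}

# "All nurses except Nurse2": an Allow filter and a Deny filter, AND-combined.
NURSE_POLICY = Policy("Nurse clipboard", 1, {"Client clipboard redirection": "prohibited"},
                      (Filter("group", "nurse-group"), Filter("user", "Nurse2", allow=False)))

if __name__ == "__main__":
    print([p.name for p in applicable(POLICIES, JIMMY)])
    for setting, (value, source) in resultant(POLICIES, JIMMY, DEFAULTS).items():
        print("%s = %s (from %s)" % (setting, value, source))
```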
Use the Citrix Group Policy Modeling Wizard to simulate a connection scenario and
discern how Citrix policies might be applied. You can specify conditions for a
connection scenario such as Domain Controller, users, Citrix policy assignment
evidence values, and simulated environment settings, such as slow network
connection. The report that the wizard produces lists the Citrix Policies that would
likely take effect in the scenario. If you are logged on to the Controller as a domain
user, the wizard calculates the Resultant Set of Policy using both Site policy settings
and Active Directory Group Policy Objects (GPOs).
Use Group Policy Results to produce a report describing the Citrix Policies in effect
for a given user and controller. The Group Policy Results tool helps you evaluate the
current state of GPOs in your environment and generates a report that describes how
these objects, including Citrix Policies, are currently being applied to a particular user
and Controller.

Additional Resources:
Compare, prioritize, model, and troubleshoot policies -
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/policies-compare-model.html

Key Notes:
You can launch the Citrix Group Policy Modeling Wizard from the Actions pane in
Studio. You can launch either tool from the Group Policy Management Console in
Windows.
If you run the Citrix Group Policy Modeling Wizard or Group Policy Results tool from
the Group Policy Management Console, Site policy settings created using Studio
are not included in the Resultant Set of Policy.
To ensure you obtain the most comprehensive Resultant Set of Policy, Citrix
recommends launching the Citrix Group Policy Modeling wizard from Studio, unless
you create policies using only the Group Policy Management Console.
The same Wizard can be started from AD based GPMC or Citrix Studio (a tab in the
policies node).
Policies created in Studio cannot be reported on with the AD based GPMC – but the
Citrix Studio based Wizard will include policies created or stored in GPOs within AD.
The reports can be viewed, printed or saved as HTML files.

Additional Resources:
Compare, prioritize, model, and troubleshoot policies -
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/policies-compare-model.html

Key Notes:
Templates are a source for creating policies from a pre-defined starting point. Built-in
Citrix templates, optimized for specific environments or network conditions, can
be used as:
• A source for creating your own policies and templates to share between
Sites.
• A reference for easier comparison of results between deployments as you
will be able to quote the results, for example, "..when using Citrix template
x or y..".
• A method for communicating policies with Citrix Support or trusted third
parties by importing or exporting templates.
The import / export function uses Microsoft Group policy template (GPT) as file
format.
The template functionality exists in the GPMC add-on as well as in Citrix Studio.
To transfer policies from AD to Site Database (or vice versa), transform the policy to
a template which can then be exported / imported.
Remember that templates do not have Filters – so saving (copying) a policy as
template means that the Filters will get lost for the template (the policy itself keeps
the Filters).

Additional Resources:
Policy Templates - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/policies-templates.html
Group Policy Management Template Updates for XenApp and XenDesktop - http://support.citrix.com/article/CTX202000
Whitepaper: HDX Policy Templates - http://support.citrix.com/article/CTX202330

Key Notes:
You can compare settings in a policy or template with those in other policies or
templates. For example, you might need to verify setting values to ensure
compliance with best practices. You might also want to compare settings in a policy
or template with the default settings provided by Citrix.
• Select Policies in the Studio navigation pane.
• Click the Comparison tab, and then click Select.
• Choose the policies or templates to compare. To include default values in
the comparison, select the Compare to default settings check box.
• After you click Compare, the configured settings are displayed in columns.
• To see all settings, select Show All Settings. To return to the default view,
select Show Common Settings.

Additional Resources:
Compare, prioritize, model, and troubleshoot policies - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/policies-compare-model.html

Key Notes:
Answer 1: No, since only three policies are applied: Prio 3, Prio 4, System default.
Since Prio 3 Policy does not configure the Drive Mapping setting, the next Baseline
policy’s setting is used (any value ranks higher than system default).
Answer 2: The following unwanted situation could emerge: Accounting users will
have access to their local drives. Reason: A change in the baseline policy or a new
policy that is also mapped to the Accounting users, but ranks higher than the
Baseline policy enables Drive Mapping.

Key Notes:
Any value higher than 10000 is usually some warning or error message within the
load balancing system (like 20000 = feature not licensed).
Multiple criteria can be combined to evaluate load on VDAs (memory, CPU etc.), but
only the highest value will be reported as load value for this server.
For example:
• A machine is running a task that is consuming 100% of the CPU capacity
and reports a load value of 10000. After the administrator ends the task,
the load drops to 7000 although the CPU is only 20% loaded. The reason
might be that now a different configured value (memory?) is the “highest
value” and thus gets reported as load value.
Load balancing normally only applies to NEW sessions, so it is best practice to have
some spare resources for existing sessions left on the VDA.
The counters that can be used to report load values:
• Concurrent logons tolerance
• CPU usage
• CPU usage excluded process priority
• Disk usage
• Maximum number of sessions (default value of 250)
• Memory usage
• Memory usage base load

Use PowerShell Command “Get-BrokerMachine -SessionSupport Multisession | select machinename,loadindex” to get an overview of the load values.
Use “select columns” in Studio within the search pane to display “Load index”.
Use the Load Evaluator Index tab within the Trends section of Citrix Director to
display the load values for specific delivery groups. In contrast to PowerShell and
Studio, Director can display recorded load values from the past.

Concurrent logon tolerance:
• This setting specifies the maximum number of concurrent logons a server
can accept.
• By default, this is set to 2.
CPU usage:
• This setting specifies the level of CPU usage, as a percentage, at which the
server reports a full load. When enabled, the default value at which the
server reports a full load is 90%.
• By default, this setting is disabled and CPU usage is excluded from load
calculations.
CPU usage excluded process priority:
• This setting specifies the priority level at which a process' CPU usage is
excluded from the CPU Usage load index.
• By default, this is set to Below Normal or Low.
Disk usage:
• This setting specifies the disk queue length at which the server reports a
75% full load. When enabled, the default value for disk queue length is 8.
• By default, this setting is disabled and disk usage is excluded from load
calculations.
Maximum number of sessions:
• This setting specifies the maximum number of sessions a server can host.
When enabled, the default setting for maximum number of sessions a
server can host is 250.
• By default, this setting is enabled.
Memory usage:
• This setting specifies the level of memory usage, as a percentage, at which
the server reports a full load. When enabled, the default value at which the
server reports a full load is 90%.
• By default, this setting is disabled and memory usage is excluded from load
calculations.
Memory usage base load:
• This setting specifies an approximation of the base operating system's
memory usage and defines, in MB, the memory usage below which a server
is considered to have zero load.
• By default, this is set to 768 MB.

Additional Resources:
How to Calculate the Load Evaluator Index on XDC - http://support.citrix.com/article/CTX202150
Load Management settings - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/reference/load-management-policy-settings.html

Key Notes:
By default, Session Reliability is allowed.
Session Reliability keeps sessions active and on the user's screen when network
connectivity is interrupted. Users continue to see the application they are using until
network connectivity resumes.
With Session Reliability, the session remains active on the server. To indicate that
connectivity is lost, the user's display freezes and the cursor changes to a spinning
hourglass until connectivity is restored. The user continues to access the display
during the interruption and can resume interacting with the application when the
network connection is restored. Session Reliability re-connects users without
re-authentication prompts. If you do not want users to be able to re-connect to
interrupted sessions without having to re-authenticate, configure the Auto client
re-connect authentication setting to require authentication. Users are then prompted to
re-authenticate when reconnecting to interrupted sessions.
The default of 180 seconds is configurable (it should not be set too high, which would
compromise security, because re-connects do not require re-authentication).
Seeing a spinning hourglass icon attached to the mouse pointer within a session is
normally an indicator that the session is currently being reconnected in the background.
Users often describe this behavior as “the session being stuck for a moment”, which
might be better than having to start a new session again. If this happens a lot, the
underlying network connection should be checked.
This feature is most useful for connections that drop packets frequently or disconnect
often (mobile networks, roaming Wi-Fi).
Session Reliability takes precedence over the Auto Client Reconnect feature (explained
some slides later).
Some users MUST NOT have still images of their sessions displayed (monitoring
systems, healthcare, intraday trading & brokerage), since their decisions would rely
on outdated information. This feature can be disabled in a Computer based GPO, but
doing so disables Session Reliability for the complete machine (not for a user or group).

Additional Resources:
Session reliability policy settings - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/reference/ica-policy-settings/session-reliability-policy-settings.html

Key Notes:
If you use both Session Reliability and auto client reconnect, the two features work
in sequence. Session Reliability closes (or disconnects) the user session after the
amount of time specified in the Session Reliability timeout setting. After that, the
auto client reconnect settings take effect, attempting to reconnect the user to the
disconnected session.

Additional Resources:
Session Reliability policy settings - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/reference/ica-policy-settings/auto-client-reconnect-policy-settings.html

Key Notes:
ICA Keep-Alive is not used for Sessions running CGP / Session Reliability (Port
2598), but only for “plain” ICA Sessions (Port 1494) since Session Reliability uses a
similar mechanism by itself.
• ICA keep-alive does not work if you are using Session Reliability.
Configure ICA keep-alive only for connections that are not using Session
Reliability.
By default, the interval between keep-alive messages is 60 seconds.
Specify an interval between 1-3600 seconds in which to send ICA keep-alive
messages. Do not configure this setting if your network monitoring software is
responsible for closing inactive connections.
Normally the server does not send packets to the client (to save bandwidth). If the
clock is visible in a desktop session, you already have a keep-alive because the
updated bitmap needs to be sent to the client every minute.
If the server does not send packets to the client, network disruptions can go
unnoticed – the server might keep the session of the client open and reconnection
might fail (the client would have to wait for the session to become disconnected to
reconnect again).
Normally most clients today support automatic reconnection even to sessions that are
not (yet) marked as disconnected.
Ultimately, if Session Reliability is configured, ICA Keep-Alive is ignored; remember
that Session Reliability is configured by default.

Additional Resources:
Keep alive policy settings - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/reference/ica-policy-settings/keep-alive-policy-settings.html

Key Notes:
If a task consumes 100% of all CPUs on a VDA - when will the server report “full
load”?
• This counter is evaluated every 30 seconds but the last 10 samples (300
seconds worth of data) are used to build a mean value.
• Only if a task consumes 100% CPU resources for long enough the VDA
will report full load.
• This inertia is built in to avoid having servers reporting full load whenever a
task “spikes”.
• For example, when starting Excel or Word 100% CPU resources are
consumed, but for a very short amount of time.
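
The rolling CPU mean described here and the "only the highest value is reported" rule from the earlier load-value notes can be modelled together. This is an added example, not Citrix code: the linear scaling of each rule to 0-10000, the function names and all sample values are assumptions made for illustration.

```powershell
# Simplified model of the load evaluator behaviour described in the notes.
# Assumption: every enabled rule scales linearly from 0 to 10000 ("full load").

function Get-RuleLoad {
    param(
        [double]$Value,       # measured value (percent, session count, ...)
        [double]$FullLoadAt   # threshold at which the rule reports full load
    )
    $load = [math]::Round(($Value / $FullLoadAt) * 10000)
    return [int][math]::Min([math]::Max($load, 0), 10000)
}

function Get-CpuMean {
    # Mean of the last $Window samples (notes: sampled every 30 seconds, last 10 used).
    param([double[]]$Samples, [int]$Window = 10)
    $recent = $Samples | Select-Object -Last $Window
    return ($recent | Measure-Object -Average).Average
}

function Get-LoadIndex {
    # Only the highest rule value is reported as the machine's load index.
    param([hashtable]$RuleLoads)
    $top = $RuleLoads.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 1
    return [pscustomobject]@{ LoadIndex = [int]$top.Value; DrivenBy = $top.Key }
}

function Get-LoadStatus {
    # Interpretation from the notes: 10000 = full load, above 10000 = warning or error code.
    param([int]$LoadIndex)
    if ($LoadIndex -gt 10000) { return 'warning or error code, not a load measurement' }
    if ($LoadIndex -eq 10000) { return 'full load' }
    return 'accepting new sessions'
}

# Constructed CPU samples (percent), one per 30-second interval.
$scenarios = [ordered]@{
    'Short spike (2 samples at 100%)' = @(10, 12, 8, 11, 9, 10, 100, 100, 12, 10)
    'Sustained 100% for 300 seconds'  = @(100) * 10
}
foreach ($name in $scenarios.Keys) {
    $mean = Get-CpuMean -Samples $scenarios[$name]
    $load = Get-RuleLoad -Value $mean -FullLoadAt 90   # 90% = default CPU full-load value
    '{0}: mean CPU {1:N1}% -> CPU rule {2} ({3})' -f $name, $mean, $load, (Get-LoadStatus $load)
}

# The situation from the notes: CPU is back at 20%, yet the load index stays at 7000
# because another rule (here: memory, constructed at 63% of a 90% threshold) is highest.
$rules = @{
    CPU      = (Get-RuleLoad -Value 20 -FullLoadAt 90)
    Memory   = (Get-RuleLoad -Value 63 -FullLoadAt 90)
    Sessions = (Get-RuleLoad -Value 50 -FullLoadAt 250)  # 250 = default maximum sessions
}
$result = Get-LoadIndex -RuleLoads $rules
'Reported load index {0}, driven by {1} ({2})' -f $result.LoadIndex, $result.DrivenBy, (Get-LoadStatus $result.LoadIndex)

# A value above 10000, such as the 20000 mentioned in the notes, is not a load figure.
'Load index 20000: {0}' -f (Get-LoadStatus 20000)
```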


Key Notes:
• From version 7.8 the Applications node has been exposed directly in
Studio; previously the applications were hidden under the Delivery Group
portion of Studio.

Key Notes:
Each app can use two different names (for user / Admin) – this makes it possible to
offer a program with the same name but different command line parameters or
originating from different Delivery Groups to users.
Within each application folder, the Application Name (for administrator) must be
unique.
To change the properties of an application:
• Select Delivery Groups in the Studio navigation pane.
• Select the Applications tab in the middle pane and then select the
application.
• Select Properties in the Actions pane.

Additional Resources:
Applications - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/manage-deployment/applications-manage.html

Key Notes:
What are Keywords? Keywords are a method that the Citrix administrator can use
to control or direct how an application is displayed to the user when that user
connects to the StoreFront store. The specific Keywords, as mentioned above, are
used to provide this level of control.
A description and multiple Keywords can be combined in the single field; the
screenshot shows this usage. Everything after “KEYWORDS:” is considered to
be a Keyword.
Multiple Keywords are separated using blanks.
Using Auto or Mandatory does not really subscribe users to applications (no
database entry will be made in the StoreFront-based subscription store). Using these
Keywords just makes it look as if the user was subscribed to an app. As soon as the
Keyword is removed, the user will no longer see the app icon within his favorites in
StoreFront & Receiver (or the start menu).
Append Keywords to the descriptions you provide for delivery group applications:
• To make an individual app mandatory, so that it cannot be removed from
Citrix Receiver for Windows, append the string KEYWORDS:Mandatory to
the application description. There is no Remove option for users to
unsubscribe to mandatory apps.
• To automatically subscribe all users of a store to an application, append the
string KEYWORDS:Auto to the description. When users log on to the store,
the application is automatically provisioned without users needing to
manually subscribe to the application.
• To advertise applications to users or to make commonly used applications
easier to find by listing them in the Citrix Receiver Featured list, append the
string KEYWORDS:Featured to the application description.
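
A parser for the description-field convention described above, used to report which applications carry Auto, Mandatory or Featured. This is an added example, not Citrix code: the function name and the sample applications are constructed, and it assumes the KEYWORDS: marker is matched exactly as written in these notes.

```powershell
function Get-AppKeyword {
    # Splits a description into free text and Keywords: everything after
    # "KEYWORDS:" is Keyword text, and individual Keywords are separated by blanks.
    param([string]$Description)
    $marker = 'KEYWORDS:'
    $pos = $Description.IndexOf($marker, [System.StringComparison]::Ordinal)
    if ($pos -lt 0) {
        # No marker: the whole field is plain description text.
        return [pscustomobject]@{ Text = $Description.Trim(); Keywords = @() }
    }
    $text     = $Description.Substring(0, $pos).Trim()
    $keywords = @($Description.Substring($pos + $marker.Length) -split '\s+' | Where-Object { $_ })
    return [pscustomobject]@{ Text = $text; Keywords = $keywords }
}

# Constructed sample data: application names and description fields.
$apps = @(
    [pscustomobject]@{ Name = 'Outlook'; Description = 'Mail client KEYWORDS:Auto Featured' }
    [pscustomobject]@{ Name = 'Word';    Description = 'KEYWORDS:Mandatory' }
    [pscustomobject]@{ Name = 'Notepad'; Description = 'Plain text editor' }
    [pscustomobject]@{ Name = 'Excel';   Description = 'Spreadsheets KEYWORDS:Finance  Auto' }
)

# Keywords named in the notes that change what users see in Receiver and StoreFront.
$control = 'Auto', 'Mandatory', 'Featured'

$report = foreach ($app in $apps) {
    $parsed = Get-AppKeyword -Description $app.Description
    [pscustomobject]@{
        Application = $app.Name
        Description = $parsed.Text
        Controls    = ($parsed.Keywords | Where-Object { $control -contains $_ }) -join ', '
        Other       = ($parsed.Keywords | Where-Object { $control -notcontains $_ }) -join ', '
    }
}

# Applications that appear subscribed for every store user without a subscription entry.
$report | Where-Object { $_.Controls } | Format-Table -AutoSize
```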

Additional Resources:
Configuring application delivery - https://docs.citrix.com/en-us/receiver/windows/4-5/configure/receiver-windows-configure-app-delivery-wrapper.html

Key Notes:
Doctor A is using an old PC in the counselling room and Citrix Receiver will start a
remote session for Word, Excel and Outlook since the software is not installed on
the old PC due to memory limitations.
When using his new laptop, Citrix Receiver starts the locally installed version of Word,
Excel and Outlook, because the preference was set using a Keyword for these
three applications.

Key Notes:
In the Application category field, optionally specify the category in Receiver where
the application appears. For example, if you are adding shortcuts to Microsoft Office
applications, enter Microsoft Office.
If you want applications displayed in specific folders use the following options:
• If you want the application shortcuts Citrix Receiver places in the start
menu to be shown in their associated category (folder), configure Citrix
Receiver with UseCategoryAsStartMenuPath=True.
• Note: Windows 8/8.1 does not allow the creation of nested folders within
the Start Menu. Applications will be displayed individually or under the
root folder but not within Category sub folders defined with XenApp.
• If you want the applications that Citrix Receiver puts in the Start menu to
be in a specific folder, configure Citrix Receiver with StartMenuDir=the
name of the Start Menu folder.
• Backslash serves as delimiter to create a hierarchical structure.

Additional Resources:
Configuring application delivery - https://docs.citrix.com/en-us/receiver/windows/4-5/configure/receiver-windows-configure-app-delivery-wrapper.html

Key Notes:
Mapped drive letters are mapped on a per user basis and might not be available to
the FMA subsystem upon launch of the app. It is therefore leading practice to use
UNC paths instead.
Most programs do not evaluate the working directory any more but instead use
different directories for specific functions, usually configurable in the program's menu
or via policies.
The screenshot shows Internet Explorer being called with two command line
arguments: the first argument (-k) instructs the browser to operate in kiosk mode
(fullscreen, reduced GUI), the second argument opens the specified web page.

Additional Resources:
Applications - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/manage-deployment/applications-manage.html

Key Notes:
This feature functions like a whitelist.
Every group (or member of the group) needs to be able to access the Delivery
Group itself, so allowing access on the delivery group to “doctors” and later
specifying the “nurses” group for access to an application hosted from this Delivery
Group does not enable the nurses to start the program.
By default, all applications are accessible to anyone having permissions to access
the Delivery Group.
Starting with XenDesktop 7.7, permissions to access the desktop of a Delivery
Group can also be set in Studio (prior to this version, PowerShell had to be used).
This does not prevent access to the app in general for other users – they might still
be able to access the app from another app that they are able to launch (for
example, starting WinZip by clicking the ZIP-File-Attachment from within Outlook).

Key Notes:
We had this in XenApp version 6.5 and earlier, within both the Publishing wizard
and the Application Properties Advanced settings.

Key Notes:
Workspace Control lets desktops and applications follow a user from one device to
another. This ability to roam enables a user to access all desktops or open
applications from anywhere simply by logging on, without having to restart the
desktops or applications on each device. For example, Workspace Control can
assist health-care workers in a hospital who need to move quickly among different
workstations and access the same set of applications each time they log on. If you
configure Workspace Control options to allow it, these workers can disconnect from
multiple applications at one client device and then reconnect to open the same
applications at a different client device.
Workspace Control affects the following activities:
• Logging on – By default, Workspace Control enables users to reconnect
automatically to all running desktops and applications when logging on,
bypassing the need to re-open them manually. Through Workspace Control,
users can open disconnected desktops or applications, as well as any that
are active on another client device. Disconnecting from a desktop or
application leaves it running on the server. If you have roaming users who
need to keep some desktops or applications running on one client device
while they reconnect to a subset of their desktops or applications on another
client device, you can configure the logon reconnection behavior to open
only the desktops or applications that the user disconnected from
previously.
• Reconnecting – After logging on to the server, users can reconnect to all of
their desktops or applications at any time by clicking Reconnect. By default,
Reconnect opens desktops or applications that are disconnected, plus any
that are currently running on another client device. You can configure
Reconnect to open only those desktops or applications that the user
disconnected from previously.
• Logging off – For users opening desktops or applications through
StoreFront, you can configure the Log Off command to log the user off from
StoreFront and all active sessions together, or log off from StoreFront only.
• Disconnecting – Users can disconnect from all running desktops and
applications at once, without needing to disconnect from each individually.

Additional Resources:
• Workspace control - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/manage-deployment/sessions.html#par_anchortitle_24f8
• Session roaming - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/manage-deployment/sessions.html#par_anchortitle_d65d

Key Notes:
The session pre-launch and Session Linger features help specified users access
applications quickly, by starting sessions before they are requested (session
pre-launch) and keeping application sessions active after a user closes all
applications (Session Linger).
By default, session pre-launch and Session Linger are not used: a session starts
(launches) when a user starts an application, and remains active until the last open
application in the session closes.
Session pre-launch requires Windows Receiver on the endpoint system.
Sessions can only be pre-launched for published applications, not published
desktops.
The launch of the session itself is not faster; it just happens in the background
before the user actually requests a session. When the user requests a session
to run a certain application, this application is started almost instantly within the
existing session without the need to wait for the session to be fully negotiated
between the endpoint and the VDA.
Administrators can specify an idle time after which unused blank sessions are
terminated to conserve resources on the VDA. Mention that pre-launched sessions
consume a license.
Session pre-launch only works with server hosted applications, not desktop sessions
or applications hosted on Workstation OS VDAs.

Additional Resources:
Configure session prelaunch and session linger in a Delivery Group - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/delivery-groups-manage.html#par_anchortitle_e049

Key Notes:
The Delivery Group must support applications, and the machines must be running a
VDA for Server OS, minimum version 7.6.
Session pre-launch is supported only when using Citrix Receiver for Windows.
Session Linger is supported when using Citrix Receiver for Windows and Receiver
for Web. Additional Receiver configuration is required.
Note: Receiver for HTML5 is not supported.
When using session pre-launch:
• Regardless of the admin-side settings, if an end user’s machine is put into
"suspend" or "hibernate" mode, pre-launch will not work.
• Pre-launch will work as long as the end user locks their machine/session,
but if the end user logs off from Citrix Receiver, the session is ended and
pre-launch no longer applies.
Pre-launched and lingering sessions consume a license, but only when connected.
Unused pre-launched and lingering sessions disconnect after 15 minutes by default.
This value can be configured in PowerShell (New/Set-BrokerSessionPreLaunch
cmdlet).
Careful planning and monitoring of your users’ activity patterns are essential to
tailoring these features to complement each other. Optimal configuration balances the
benefits of earlier application availability for users against the cost of keeping licenses
in use and resources allocated.
You can also configure session pre-launch for a scheduled time of day in Receiver.
Roaming of profiles is delayed until the lingering session is finally closed.
A session can linger both connected and disconnected, and an administrator can set
timers to terminate lingering sessions that are not being used.
Session Linger is only supported with server hosted applications.

Additional Resources:
Configure session pre-launch and Session Linger in a Delivery Group - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/delivery-groups-manage.html#par_anchortitle_e049

Key Notes:
Will a member of the Accounting-Group have access to Excel? If not, why?
• The Accounting-Group will not have access to Excel since it has no access
to the Delivery Group itself.
What will happen if a new Group is given access to the Delivery Group “Office”?
What applications will they see?
• If the Accounting-Group (or any other group) were added to the
Delivery Group, they would instantly see all applications that are not
currently restricted (Outlook, Word) in addition to any App they are entitled
to use (Excel).
In the above example, Nurses and Doctors cannot start Excel, even though the
Accounting-Group does not have access to the program either. This is because they
are not explicitly included in the Limit Visibility setting.
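
The two-stage check behind these answers (Delivery Group access first, then the per-application Limit Visibility list) can be modelled and audited as follows. This is an added example, not Citrix code: the group and application names follow the slide scenario, while the function names, the data layout and the data itself are constructed for illustration.

```powershell
# Constructed model of the slide scenario for the Delivery Group "Office".
$deliveryGroupAccess = @('Doctors', 'Nurses')   # groups allowed to use the Delivery Group
$applications = @(
    [pscustomobject]@{ Name = 'Outlook'; LimitVisibility = @() }               # not restricted
    [pscustomobject]@{ Name = 'Word';    LimitVisibility = @() }               # not restricted
    [pscustomobject]@{ Name = 'Excel';   LimitVisibility = @('Accounting') }   # restricted
)

function Test-AppAccess {
    # A group can start a published app only if it has Delivery Group access AND
    # (the app is unrestricted OR the group is listed in Limit Visibility).
    param([string]$Group, $App, [string[]]$GroupAccess)
    if ($GroupAccess -notcontains $Group) { return $false }
    if ($App.LimitVisibility.Count -eq 0) { return $true }
    return ($App.LimitVisibility -contains $Group)
}

function Get-VisibleApp {
    # Names of all apps the group can start under the given Delivery Group access list.
    param([string]$Group, [object[]]$Apps, [string[]]$GroupAccess)
    @($Apps |
        Where-Object { Test-AppAccess -Group $Group -App $_ -GroupAccess $GroupAccess } |
        ForEach-Object { $_.Name })
}

function Get-OrphanedVisibilityEntry {
    # Audit check: groups named in Limit Visibility that lack Delivery Group access.
    # They grant nothing today but take effect as soon as the group is added.
    param([object[]]$Apps, [string[]]$GroupAccess)
    foreach ($app in $Apps) {
        foreach ($g in $app.LimitVisibility) {
            if ($GroupAccess -notcontains $g) {
                [pscustomobject]@{ Application = $app.Name; Group = $g }
            }
        }
    }
}

function Show-Access {
    param([string]$Title, [string[]]$GroupAccess)
    $Title
    foreach ($g in 'Doctors', 'Nurses', 'Accounting') {
        $visible = Get-VisibleApp -Group $g -Apps $applications -GroupAccess $GroupAccess
        '  {0,-10} can start: {1}' -f $g, ($(if ($visible) { $visible -join ', ' } else { '(nothing)' }))
    }
}

Show-Access -Title 'Current configuration:' -GroupAccess $deliveryGroupAccess
Get-OrphanedVisibilityEntry -Apps $applications -GroupAccess $deliveryGroupAccess |
    ForEach-Object { '  Audit: {0} is limited to {1}, which has no Delivery Group access' -f $_.Application, $_.Group }

# Second question from the notes: Accounting is added to the Delivery Group.
Show-Access -Title 'After adding Accounting to the Delivery Group:' -GroupAccess ($deliveryGroupAccess + 'Accounting')

# Scope: this models only what users can start as published applications. As the notes
# point out, an app can still be started from inside another app in the same session.
```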


Key Notes:
Although application folders are technically not a part of application properties it is
very helpful to know about the feature.
These Folders are only visible inside the administrative Console – not on the client
side. They are meant as a means for the administrator to structure the delivered
applications for simpler management.
These folders often get confused with the “Categories” which are defined in the
Application properties (upcoming slide). Categories can be made visible on the
client side in the web GUI, native receiver or Start Menu of the endpoint.
Each application can only be in one application folder at a time.
By default, applications you add are placed in a folder named Applications. You can:
• Create additional folders and then move applications into those new
folders.
• Folders can be nested up to five levels.
• Folders do not have to contain applications; empty folders are allowed.
• Folders are listed alphabetically unless you move them or specify a
different location when you create them.
• You can have more than one folder with the same name, as long as each
has a different parent folder. Similarly, you can have more than one
application with the same name, as long as each is in a different folder.
• Move a folder to the same or a different level. Moving is easiest using
drag-and-drop.
• You cannot rename or delete the Applications folder, but you can move all
the applications it contains to other folders you create.

Additional Resources:
Applications - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/manage-deployment/applications-manage.html
Citrix XenApp and XenDesktop 7.6 - Studio Application folders - https://www.youtube.com/watch?v=9ktLbPAoT7k&feature=youtu.be

Key Notes:
Example: If a user who is connected to Outlook as a delivered application receives an email with a Publisher document attached, opening this document would cause the server to launch Publisher inside the session, disregarding the Limit Visibility setting.

Key Notes:
FTA launches local applications when a file is encountered in the session. If the local app is launched, it must have access to the file to open it. Therefore, you can only open files that reside on network shares or on client drives (using client drive mapping) using local applications. For example, when opening a PDF file, if a PDF reader is a local app, then the file opens using that PDF reader. Because the local app can access the file directly, there is no network transfer of the file through ICA to open the file.

Additional Resources:
Local App Access and URL redirection - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/laa-url-redirect.html
Host to client redirection - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/hdx/host-to-client-redirection.html


Key Notes:
This feature is also known as FTA (abbreviation) and “Client to Server Content redirection”.
This feature is currently available in Windows (native Receiver) and Chrome OS according to the Receiver client feature matrix.

Additional Resources:
Receiver Client Feature Matrix - https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-receiver-feature-matrix.pdf?_ga=1.117297542.1892301207.1409852248


Key Notes:
Content redirection allows you to control whether users access information with applications published on servers or with applications running locally on user devices.
Receiver saves the original File-Type Association and restores it if the user de-favorites the program.
The files can be on local media or a network share (local or accessible to both VDA and endpoint system).
Host to client redirection is one kind of content redirection. It is supported only on server OS VDAs (not desktop OS VDAs).
• When host to client redirection is enabled, URLs are intercepted at the server VDA and sent to the user device. The web browser or multimedia player on the user device opens these URLs.
• If you enable Host to Client redirection and the user device fails to connect to a URL, the URL is redirected back to the server VDA.
• When Host to Client redirection is disabled, users open the URLs with web browsers or multimedia players located on the server VDA.
• When Host to Client redirection is enabled, users cannot disable it.
Host to Client redirection was previously known as Server to Client redirection.

Additional Resources:
Host to Client redirection - http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6-long-term-service-release/xad-hdx-landing/host-to-client-redirection.html

Key Notes:
The client drive mapping virtual channel is necessary to open local files on the endpoint. The VDA can only access the file on the endpoint if this channel has not been restricted (via policy).
With this feature, it is not necessary to have applications installed on the endpoint in order to open the file. If an application supporting the file type is installed, Receiver can override the default File-Type Association for this program, since it is usually loaded later (last writer wins).

Key Notes:
This is essentially the same situation as the previous slide; however, in this case the user opens a file saved on a network share that is reachable from the session. Instead of opening the file through Client Drive Mapping, the session will pick up the file from a network share.
You can use host to client redirection for performance, so that whenever an application is installed on the user device, it is used in preference to an application on the VDA.
Keep in mind that Host to Client redirection will improve performance only under specific conditions, because the VDA already optimizes Adobe Flash and other types of multimedia content. First, consider using the other approaches (policy settings) noted in the tables below, rather than Host to Client redirection; they offer more flexibility and usually give a better user experience, particularly for less-powerful user devices.

Additional Resources:
Host to client redirection - http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6-long-term-service-release/xad-hdx-landing/host-to-client-redirection.html


Key Notes:
What would happen if a user in a remote location opened a large document from their local desktop using FTA?
• The file will be uploaded to the server through client drive mapping, so if bandwidth is limited it may fail.
• This is why FTA is normally only used:
  a) in managed environments, and
  b) where ample bandwidth is available.


Key Notes:
Featured App Groups are a visual emphasis and a grouping mechanism in addition to the categories.
Each app can be part of multiple Featured App Groups.
All applications of a Featured App Group can be favorited / subscribed to at once.

Additional Resources:
How to display the Featured apps group under the "Category" view than the "All" view on storefront website - http://support.citrix.com/article/CTX217236


Key Notes:
Start menu integration and desktop shortcut only mode lets you bring published application shortcuts into the Windows Start menu and onto the desktop. In this way, users do not have to subscribe to applications from the Receiver user interface. Start menu integration and desktop shortcut management provides a seamless desktop experience for groups of users who need access to a core set of applications in a consistent way.
As a Receiver administrator, you use command-line install flags, GPOs, account services, or registry settings to disable the usual "self service" Receiver interface and replace it with a pre-configured Start Menu. The flag is called SelfServiceMode and is set to true by default. When the administrator sets the SelfServiceMode flag to false, the user no longer has access to the self service Receiver user interface. Instead, they can access subscribed apps from the Start Menu and via desktop shortcuts - referred to here as shortcut-only mode.

Additional Resources:
Configuring application delivery - http://docs.citrix.com/en-us/receiver/windows/4-5/configure/receiver-windows-configure-app-delivery-wrapper.html
How to Customize App Shortcuts with Receiver for Windows - http://support.citrix.com/article/CTX200924


Key Notes:
The screenshot shows the different settings available in the Receiver Group Policy Template to manage the shortcut integration for native Receiver.
If no folder is specified and Desktop Shortcut creation is enabled, the icons are placed directly on the desktop.
Web access mode - Without any configuration, Citrix Receiver for Windows provides web access mode: browser-based access to applications and desktops. Users simply open a browser to a Receiver for Web or Web Interface site and select and use the applications that they want. In web access mode, no app shortcuts are placed in the App Folder on your user's device.
Self-service mode - By adding a StoreFront or a Web Interface Services Site account to Receiver for Windows, you can configure self-service mode, which enables your users to subscribe to applications through Receiver. This enhanced user experience is similar to that of a mobile app store. In self-service mode you can configure mandatory, auto-provisioned, and featured app keyword settings as needed. When one of your users selects an application, a shortcut to that application is placed in the App Folder on the user device.

Additional Resources:
How to Customize App Shortcuts with Receiver for Windows - http://support.citrix.com/article/CTX200924
App Shortcuts Where You Want Them - https://www.citrix.com/blogs/2015/04/29/app-shortcuts-where-you-want-them/
Configure Receiver with the Group Policy Object template - http://docs.citrix.com/en-us/receiver/windows/4-5/configure/ica-import-icaclient-template-v2.html
Configure Receiver for Windows - http://docs.citrix.com/en-us/receiver/windows/4-5/configure.html

Key Notes:
Self-Service Mode can be configured using Registry, GPO or the Web.Config file on StoreFront.
By adding a StoreFront account to Receiver or configuring Receiver to point to a site, you can configure self-service mode, which allows users to subscribe to applications from the Receiver user interface. This enhanced user experience is similar to that of a mobile app store.
In self-service mode you can configure mandatory, auto-provisioned and featured app keyword settings as needed:
• To automatically subscribe all users of a store to an application, append the string KEYWORDS:Auto to the description you provide when you publish the application in XenApp. When users log on to the store, the application is automatically provisioned without the need for users to manually subscribe to the application.
• To advertise applications to users or make commonly used applications easier to find by listing them in the Receiver Featured list, append the string KEYWORDS:Featured to the application description.
Disabling subscriptions on a StoreFront store has a similar effect, but will also affect the WebGUI and other variants of Receiver accessing the store.

Additional Resources:
How to Customize App Shortcuts with Receiver for Windows - http://support.citrix.com/article/CTX200924
Configure Receiver for Windows - http://docs.citrix.com/en-us/receiver/windows/4-5/configure.html

Key Notes:
There is a difference between the Receiver policies and the policies covered in the previous module.
Receiver policies do not use the Citrix Policy engine.
Receiver policies rely on traditional MS policy templates.



Key Notes:
Application Groups is a 7.9 feature that allows admins to group all or some applications from several Delivery Groups to manage and configure them as a single entity.
Citrix recommends adding applications to either Application Groups or Delivery Groups, but not both at the same time.
By default, application session sharing between Application Groups is enabled.
• If needed, explain Session Sharing: subsequent application launches on the same server OS launch within the existing session.
Access for unauthenticated users is available only in Delivery Groups, not in Application Groups.

Additional Resources:
Introducing Application Groups in XenApp - https://www.citrix.com/blogs/2016/07/20/xenapp-xendesktop-7-9-introducing-application-groups/
Create Application Groups - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/application-groups-create.html


Key Notes:
Using both Application Groups and Delivery Groups at the same time will work, but the administrator will potentially lose track of where applications are configured as the environment grows.

Additional Resources:
Create Application Groups - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/application-groups-create.html

Key Notes:
A tag restriction involves several steps:
• Create the tag and then add (apply) it to machines.
• Create or edit a group with the tag restriction (in other words, "restrict launches to machines with tag x").
A tag restriction extends the broker's machine selection process. The broker selects a machine from an associated Delivery Group subject to access policy, configured user lists, zone preference, and launch readiness, plus the tag restriction (if present). For applications, the broker falls back to other Delivery Groups in priority order, applying the same machine selection rules for each considered Delivery Group.

Additional Resources:
Tag restrictions for a desktop or an Application Group - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/manage-deployment/tags.html


Key Notes:
Use the diagram to learn the different ways of printing. To understand the different printing topologies, the following descriptive names will be used throughout the slide deck:
• Printer A: External Endpoint attached printer
• Printer B: External Endpoint mapped local printer
• Printer C: Internal Endpoint attached printer
• Printer D: Internal Endpoint mapped printer
Every “attached” printer has to use a driver (OS- or manufacturer-provided) in order to be able to print.
All shown printers can be used from within the session (e.g. Word 2013 hosted app).

Additional Resources:
Printing - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/printing.html


Key Notes:
Using this mapping method, the print job does not flow inside the HDX protocol; instead, it is sent directly from the VDA to the print server.
• Printer B: accessed by VDA through site-to-site VPN or MPLS: VDA mapped remote printer
• Printer C: VDA attached printer (uncommon) (can be used to enable a PDF printer for all sessions)
• Printer D: VDA mapped local printer

Additional Resources:
XenDesktop Printing chapter - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/printing.html


Key Notes:
This scenario does not require a print server. For this printer type it is assumed that Endpoints are connected to the printer either with a cable or over the network, but without a print server.
Usually the Endpoint has the model-specific printer driver installed to print on this printer.
Some printers have network interfaces (cable / wireless) and can be addressed via TCP/IP directly. Although these printers are often advertised as network printers by their manufacturers, they are directly attached to an endpoint, just using a different method.


Key Notes:
A direct connection from the endpoint to the printer is not necessary. The endpoint hands over the print job to the print server, which transfers the print job to the printer or queues it if the printer is busy.
Print servers offer central management of printing devices and can also enforce permissions on printers.
Print servers are typically used when users need to share a printer.

Key Notes:
Avoid using this method on a large scale with server VDAs. Attaching several printer objects to every VDA is difficult to manage and can cause extra resource usage, essentially turning the VDA into a print server.
Use mapped printers instead; these can be controlled through policies and login scripts and will cause less resource usage because they offload the print processing to the print server.



Key Notes:
Network Printers (or session printers) usually are connected from the VDA by using a print server.
These types of printers can be mapped via a logon script, using policies or manually by the user.

Key Notes:
The process that makes printers available in a session is known as provisioning. Printer provisioning is typically handled dynamically. That is, the printers that appear in a session are not predetermined and stored. Instead, the printers are assembled, based on policies, as the session is built during log on and re-connection. As a result, the printers can change according to policy, user location, and network changes, provided they are reflected in policies. Thus, users who roam to a different location might see changes to their workspace.
The system also monitors client-side printers and dynamically adjusts in-session auto-created printers based on additions, deletions, and changes to the client-side printers. This dynamic printer discovery benefits mobile users as they connect from various devices.
Creating all printers is time consuming and induces load for the VDA.
Different options are available to select the printers made available:
• Create all printers per default.
• Create only default printer.
• All directly attached printers, but no print server based printers.
• No automatic creation.
“Do not create client printers” does not block users from manually creating printers in their session. To effectively prevent this, the “Client Printer Redirection” policy has to be set to “Prohibited”, as this will prevent the printing virtual channel within the HDX protocol from being created.

Additional Resources:
Printing - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/printing.html
Provision printers - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/printing/printing-provision-printers.html
Auto-created client printers - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/printing/printing-provision-printers.html#par_anchortitle_179f

Key Notes:
All session printer policies for a connection will add up to a resultant set of printers that will be mapped into the session. Example: User A is given access to a printer depending on the name of the endpoint device, and in another policy which is filtered on AD-group membership, the user is given access to a different printer. Both printers would be added to the user's session in this case. Note that this is an exception to policy processing, since normally only one policy can set a result (like audio on or audio off).
Unless you use the Citrix Universal Print Server, an appropriate printer driver for each mapped printer has to be installed on the VDA.
Instead of creating multiple session printer policies for different user groups, a single “Printer assignments” policy can be used. If “Printer assignment” and “session printer” policies are used, settings from both policies will be merged.
Normally the endpoint’s main printer is the default printer within the session – which might not always be ideal. Use the Default Printer Policy to set the endpoint’s main printer, a session printer or a different printer as the default. The last writing policy with the highest priority effectively sets the default printer.
A similar function exists within MS AD GPOs – although lacking some of the filtering options that Citrix policies provide.
“Proximity printing” refers to a state of printer provisioning management that always provides users the printer closest to their current location. Example: User A is travelling to two remote offices today. In office A a policy filtered on the local subnet address maps a local shared printer and sets it as default for the session. In the next office (B), a different printer is mapped and declared default. Independent of the current location, a printer in the main office where User A normally works is mapped in addition to the respective printers in each location.
Proximity printing can also be used in a single location that has multiple buildings (campus) or floors – but only if a criterion exists that the policies can be filtered on. A DHCP scope/IP address range that spans an entire building or multiple floors might need to be split first (although a filter based on endpoint names could be used for stationary endpoints).
Note that policies are only applied on logon or re-connection of a session, so a user that seamlessly roams from one floor to the next floor might not have the policies re-evaluated.
Universal Print Server - The Citrix Universal Print Server provides universal printing support for network printers. The Universal Print Server uses the Universal print driver. This solution enables you to use a single driver on a Server OS machine to allow network printing from any device. Citrix recommends the Citrix Universal Print Server for remote print server scenarios. The Universal Print Server transfers the print job over the network in an optimized and compressed format, thus minimizing network use and improving the user experience.

Additional Resources:
Assign network printers to users - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/printing/printing-provision-printers.html#par_anchortitle_aea0
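
The additive session printer behaviour and the single-winner default printer described in these notes can be modelled as follows. This is an added example, not Citrix code: the class names, policy names, printer paths and addresses are constructed for illustration, and priority 1 is assumed to be the highest priority.

```python
"""Simplified model of how session printer policies combine (not Citrix code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed printer paths used by the sample policies below.
HQ = r"\\PRINT-HQ\HQ-Floor2"
RECEPTION = r"\\PRINT-HQ\Reception"
OFFICE_A = r"\\PRINT-A\A-Lobby"
OFFICE_B = r"\\PRINT-B\B-Lobby"


@dataclass
class Connection:
    user: str
    groups: set               # AD groups the user belongs to
    client_name: str          # endpoint device name
    client_ip: str            # endpoint IP address
    client_main_printer: str  # default printer on the endpoint


@dataclass
class PrinterPolicy:
    name: str
    priority: int                          # assumption: 1 = highest priority
    session_printers: list = field(default_factory=list)
    default_printer: Optional[str] = None  # None: policy does not set a default
    # Filters; a filter left as None is not evaluated.
    client_subnet: Optional[str] = None
    client_name_glob: Optional[str] = None
    ad_group: Optional[str] = None

    def applies_to(self, conn):
        """True when every configured filter matches the connection."""
        if self.client_subnet and ip_address(conn.client_ip) not in ip_network(self.client_subnet):
            return False
        if self.client_name_glob and not fnmatch(conn.client_name.upper(), self.client_name_glob.upper()):
            return False
        if self.ad_group and self.ad_group not in conn.groups:
            return False
        return True


def resolve_printers(policies, conn):
    """Return (session printers, default printer) as evaluated at logon or reconnect."""
    matching = sorted((p for p in policies if p.applies_to(conn)), key=lambda p: p.priority)
    # Session printers are additive: every matching policy contributes its printers.
    printers = sorted({prn for p in matching for prn in p.session_printers})
    # The default printer is a normal setting: the highest-priority policy that
    # sets it wins; otherwise the endpoint's main printer stays the default.
    default = next((p.default_printer for p in matching if p.default_printer),
                   conn.client_main_printer)
    return printers, default


# Constructed policies mirroring the proximity printing example in the notes.
POLICIES = [
    PrinterPolicy("Main office printer", 3, [HQ], ad_group="Sales"),
    PrinterPolicy("Reception desks", 4, [RECEPTION], client_name_glob="RECEPTION-*"),
    PrinterPolicy("Office A proximity", 1, [OFFICE_A], OFFICE_A, client_subnet="10.10.0.0/24"),
    PrinterPolicy("Office B proximity", 2, [OFFICE_B], OFFICE_B, client_subnet="10.20.0.0/24"),
]


def user_a(client_ip, client_name="LAPTOP-0042"):
    """User A connecting from a given address (constructed sample data)."""
    return Connection("UserA", {"Sales"}, client_name, client_ip, "Home-Inkjet")


if __name__ == "__main__":
    for ip in ("10.10.0.57", "10.20.0.9", "192.168.1.5"):
        print(ip, resolve_printers(POLICIES, user_a(ip)))
```

Because the function is evaluated once per logon or reconnect, a user who moves between subnets inside a running session keeps the earlier result, which is the roaming caveat noted above.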

Key Notes:
Although the same printers could be mapped via policies, the spool data sent to the branch file server could potentially consume all bandwidth and cause the user experience to suffer.
Mapping printers through the HDX session allows for more granular control of QoS and compression of the print data.
Special software has been installed on one of the company's VDAs. This software installs a print driver which can directly output print jobs as PDF documents.
What would be the correct name or description for this type of printer?
• VDA attached printer


Key Notes:
Internal Endpoint connects to VDA, negotiates Printer-C and Printer-D. While Printer-C can only be used from the VDA by sending pre-spooled print jobs over the HDX protocol to the Endpoint, Printer-D is mapped to the Endpoint from PrintServer-002. If the same print server can be reached from the VDA and if the user's permissions grant access to Printer-D, then per default the VDA would just map the printer in the session (if a suitable driver can be installed / has been installed). Otherwise, Printer-D is treated like Printer-C, so the print job would be sent over the HDX protocol to the Endpoint, which in turn passes the print job on to PrintServer-002 but has to reprocess the print job.
The term printing pathway encompasses both the path by which print jobs are routed and the location where print jobs are spooled. Both aspects of this concept are important. Routing affects network traffic. Spooling affects utilization of local resources on the device that processes the job.
Locally attached printers - The system routes jobs to locally attached printers from the Server OS machine, through the client, and then to the print device. The ICA protocol optimizes and compresses the print job traffic. When a printing device is attached locally to the user device, print jobs are routed over the ICA virtual channel.
Network-based printers - By default, all print jobs destined for network printers route from the Server OS machine, across the network, and directly to the print server. However, print jobs are automatically routed over the ICA connection in the following situations:
• If the virtual desktop or application cannot contact the print server.
• If the native printer driver is not available on the Server OS machine.

Additional Resources:
Printing configuration example - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/printing/printing-configuration-example.html

Key Notes:
Scenario: An external endpoint has Printer-B mapped from PrintServer-001 and connects to a VDA. Per default, the VDA tries to connect to PrintServer-001 to map Printer-B in the session of the user, but this time the print server is located on the remote side of a VPN. So if the printer was mapped into the session, the print job would lose all benefits like compression and bandwidth management or caching. Depending on the WAN load, the print job might also be blocking other traffic, causing performance issues. In this case it is recommended to set the “Direct connections to print server” policy to Prohibited, so the VDA connects to the printer only via the Endpoint – every print job will now be sent over the HDX protocol and can be further managed with other policies to gain performance and control.
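
The routing rules from the printing pathway notes and this scenario can be written down as a small decision model. This is an added example, not Citrix code: the class and field names are assumptions, the printer inventory is constructed, and every network printer is assumed to be mapped on the endpoint as well, so a path over ICA exists for it.

```python
"""Simplified model of print job routing (not Citrix code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Route(Enum):
    DIRECT = "VDA to print server, outside the HDX session"
    ICA = "VDA to endpoint over the ICA printing channel"
    BLOCKED = "no printing virtual channel available"


@dataclass
class Printer:
    name: str
    print_server: Optional[str] = None  # None: attached directly to the endpoint
    vda_reaches_server: bool = False    # can the VDA contact the print server?
    native_driver_on_vda: bool = False  # is the native driver available on the VDA?
    server_across_wan: bool = False     # VDA-to-print-server path crosses VPN/MPLS


@dataclass
class PrintPolicy:
    direct_connections: bool = True          # "Direct connections to print server"
    client_printer_redirection: bool = True  # "Client Printer Redirection"


def route(printer, policy):
    """Decide how a print job for this printer leaves the VDA."""
    # Prohibiting client printer redirection removes the printing virtual channel.
    over_ica = Route.ICA if policy.client_printer_redirection else Route.BLOCKED
    if printer.print_server is None:
        return over_ica  # locally attached printers always go through the client
    if policy.direct_connections and printer.vda_reaches_server and printer.native_driver_on_vda:
        return Route.DIRECT  # default path for network printers
    # Print server unreachable, native driver missing, or direct connections prohibited.
    return over_ica


def wan_spooling(printers, policy):
    """Printers whose jobs would be sent directly across a WAN link,
    without the compression and bandwidth management of the HDX session."""
    return [p.name for p in printers
            if route(p, policy) == Route.DIRECT and p.server_across_wan]


# Constructed inventory using the printer names from the slides.
PRINTERS = [
    Printer("Printer-B", "PrintServer-001", True, True, server_across_wan=True),
    Printer("Printer-C"),
    Printer("Printer-D", "PrintServer-002", True, True),
]

if __name__ == "__main__":
    for policy in (PrintPolicy(), PrintPolicy(direct_connections=False)):
        print(policy)
        for p in PRINTERS:
            print("  ", p.name, "->", route(p, policy).value)
        print("   direct over WAN:", wan_spooling(PRINTERS, policy))
```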


Key Notes:
The automatically installed drivers come from a repository which is part of the OS – these are mainly stripped-down drivers from different manufacturers covering a broad range of common printers. They are supported by Microsoft.
There is a policy to allow or prohibit the automatic installation of printer drivers on the VDA.
During logon peaks, installation of drivers can cause slowness/instability. Also, note that VDAs might be provisioned to lose every change on reboot, including the print drivers, so they would have to be automatically re-installed over and over again.
Having multiple printer drivers on one system can slow down the logon or logoff process, or cause printing system issues/system instability. Also, drivers can conflict with each other. Having the least amount of printer drivers necessary is therefore recommended.
Most printer manufacturers offer universal drivers covering multiple printer models with a single driver – this is a good approach to limit the number of drivers to test, implement and maintain.
Leading practice: Minimize the number of printer drivers installed on Server OS machines.
Leading practice: Use driver mapping to native drivers.
Leading practice: Never install untested printer drivers on a production site.
Leading practice: Avoid updating a driver. Always attempt to uninstall a driver, restart the print server, and then install the replacement driver.
Leading practice: Uninstall unused drivers or use the Printer driver mapping and compatibility policy to prevent printers from being created with the driver.
Leading practice: Try to avoid using version 2 kernel-mode drivers.

Additional Resources:
Printing - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/printing.html

Key Notes:
Mapping several printers to a single driver can reduce the number of required printer drivers.
Mapping can create cross-vendor relationships (mapping Brother Laser printers to HP LaserJet drivers) – if device and driver are compatible.
The driver mapping table can also be used to prevent the installation of specific drivers while allowing the automatic installation of printer drivers globally.
The mapping table will be consulted by the system upon session initialization first before resorting to other mechanisms.
Map client printer drivers - Each client provides information about client-side printers during logon, including the printer driver name. During client printer auto-creation, Windows server printer driver names are selected that correspond to the printer model names provided by the client. The auto-creation process then uses the identified, available printer drivers to construct redirected client print queues.

Additional Resources:
Maintain the printing environment - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/printing/printing-maintain-environment.html
If the Citrix Universal print driver is not an option for all scenarios, map printer drivers to minimize the number of drivers installed on Server OS machines.


Key Notes:
UPD can be configured to produce EMF, XPS, PCL or PostScript files.
UPD is only compatible with Windows-based Endpoints where a Receiver has been
installed.
UPD offers a consistent user experience across VDA platforms, but might not offer
all options of a dedicated manufacturer’s printer driver. Special functions like stapling,
cutting, punching etc. might require the original driver to be installed instead.
By default, UPD is used as a fallback in sessions whenever no suitable driver for a
printer can be found.
UPD consists of two components: a driver on the VDA and a driver on the endpoint
which forwards the print job to the local printing system.
EMF is short for Enhanced Metafile Format and is a newer version of the Windows
metafile (WMF) format.
The EMF format is device-independent, meaning that the dimensions of graphics in
the print job are maintained on the printed copy, no matter which resolution the printer
uses.


When determining the best print solution for your environment, consider the following:
• The Universal Print Server provides features not available for the Windows
Print Provider: Image and font caching, advanced compression,
optimization, and QoS support.
• The Universal print driver supports the public device-independent settings
defined by Microsoft. If users need access to device settings that are
specific to a print driver manufacturer, the Universal Print Server paired with
a Windows-native driver might be the best solution. With that configuration,
you retain the benefits of the Universal Print Server while providing users
access to specialized printer functionality. A trade-off to consider is that
Windows-native drivers require maintenance.
• The Citrix Universal Print Server provides universal printing support for
network printers. The Universal Print Server uses the Universal print driver,
a single driver on the Server OS machine that allows local or network
printing from any device, including thin clients and tablets.
To use the Universal Print Server with a Windows-native driver, enable the Universal
Print Server. By default, if the Windows-native driver is available, it is used.
Otherwise, the Universal print driver is used. To specify changes to that behavior,
such as to use only the Windows-native driver or only the Universal print driver,
update the Universal print driver usage policy setting.

Additional Resources:
Provision printers - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/printing/printing-provision-printers.html



Key Notes:
Server load can be reduced when only one printer object needs to be created on
session launch.
The Universal Printer is a generic front-end for the Universal Print Driver, so users
will not see all their printers created in the session, but only the CUP. When they
print to the CUP, by default, they will be asked on the endpoint machine which
printer the output should be sent to. This can be configured with policies to omit the
dialog and just print to the endpoint’s main printer.
The Citrix Universal Printer requires a Windows environment.
The Citrix Universal Printer is an auto-created printer object that uses the Citrix
Universal Print Driver and is not linked to any specific printer defined on the client.
Once implemented, Citrix Universal Printer is available in all sessions that use the
32-bit Windows client. Citrix Universal Printer is independent of any printing policies
defined in the management console, hence it is possible to implement the Citrix
Universal Printer with other auto-created printers, session printers, and/or non-Citrix
defined printers. Citrix Universal Printer auto-creates with the standard name “Citrix
UNIVERSAL Printer”.


Additional Resources:
How to Auto-Create the Generic Citrix Universal Printer in User Sessions -
http://support.citrix.com/article/CTX106812


Key Notes:
Universal Print Server needs to be installed on (all) print servers that VDAs map
printers from. The UPD can then be used to transfer EMF files to the print server,
essentially in the same way that UPD is used for endpoint side printing.
Citrix Universal Print Server consists of two services that use Port 8080
(HTTP/SOAP) and 7229 (CGP) (not to be confused with License Vendor Daemon
7279!) for management and data transfer. A necessary VDA side component is
installed with the VDA but can be (or needs to be) updated independently.
Citrix Universal Print Server functionality is disabled by default and has to be
enabled explicitly using a policy for the VDAs.
Some options are missing in comparison with endpoint side printing (local settings)
and only basic settings of the printer are exposed.
To use the Universal Print Server with a Windows-native driver, enable the
Universal Print Server. By default, if the Windows-native driver is available, it is
used. Otherwise, the Universal print driver is used. To specify changes to that
behavior, such as to use only the Windows-native driver or only the Universal print
driver, update the Universal print driver usage policy setting.


A new policy called “Universal Print Servers for load balancing” was added in 7.12.
This setting lists the Universal Print Servers to be used to load balance printer
connections established at session launch, after evaluating other Citrix printing policy
settings. To optimize printer creation time, Citrix recommends that all print servers
have the same set of shared printers.

Additional Resources:
Citrix Universal Print Server - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/printing/printing-provision-printers.html

Key Notes:
This tool can be used to simulate multiple sessions auto-creating printers using the
same printer driver.
It can also be used to compare the following among various drivers:
• CPU load incurred while creating a printer using a particular driver
• Time required to successfully create a printer using a particular driver

Additional Resources:
StressPrinters 1.3.2 for 32-bit and 64-bit Platforms - http://support.citrix.com/article/CTX109374
How to Use the Stress Printer Tool - http://support.citrix.com/article/CTX129574
Print Detective Tool - http://support.citrix.com/article/CTX116474



Key Notes:
Print Detective is a tool that can enumerate all printer drivers, including version
information.
It can query local or remote computers.
The output can be saved to a log file for comparison.
It can be used from the command line (i.e., for scripting or documentation purposes).
To install Print Detective, copy the PrintDetective.exe executable file to the desired
location, for the appropriate platform. For example, on a 32-bit system, use the
PrintDetective.exe from the x86 directory and on a 64-bit system use the one from
the x64 directory. There is no installer required as the application is contained in a
standalone executable file.
The Print Detective package includes the PrintDetective.exe file for the 32-bit and
64-bit versions of Windows (located in the x86 and x64 folders respectively), and
the PrintDetective.chm user guide.

Additional Resources:
Print Detective v1.2.1.5 - http://support.citrix.com/article/CTX116474


Key Notes:
Steps to run a test and view results:
• Launch UpsCertTool.exe
• Configure test users
• Select printer model to test
• Click Start to begin testing the print driver
• Test status is displayed by the tool, including Pass or Fail.
• To view a summary of the test results, click on Details.
• To save the test results, click on Save.

The Citrix UPS Print Driver Certification Tool can be used to test the compatibility of
a print driver with the Citrix Universal Print Server. The tool checks for compatibility
by using the print driver to simulate load, allowing a network administrator or print
driver manufacturer to determine the following:
• Print driver is capable of handling the load normally seen with a Citrix
Universal Print Server.
• Print driver meets the Citrix Universal Print Server performance
requirement.
• Identifies potential print driver issues, allowing a network administrator or
print driver manufacturer to further troubleshoot problem areas.

Additional Resources:
Citrix UPS Print Driver Certification Tool - http://support.citrix.com/article/CTX142119

Key Notes:
Answers:
Fewer specific drivers needed on VDA:
• Resulting in speedier, more stable print system and logon
• Less maintenance (updates of drivers, test of drivers)
Print job compression (adjustable by policy):
• Faster output on slow lines
• Less volume on metered connections
Bandwidth management:
• HDX built-in priority system slows down print jobs when concurrent usage
(sound, graphics) exists.
• Throttle/cap can be configured to keep sessions responsive while printing
on saturated connections.
Caching of fonts and images on the endpoint (or universal print server):
• Faster output and less transferred volume for repetitive print jobs (even if
only parts are identical, like printing the same letter to different recipients).


Key Notes:
A profile is a set of files, including a part of the registry, that together contain all
system and application settings for a user.
Roaming profiles are the main type of profile currently in use.
The benefit of roaming profiles:
• Consistent user experience on different VDAs
• Settings follow the user (printer settings, app specific settings, desktop
wallpaper etc.)

Additional Resources:
About User Profiles - https://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx



Key Notes:
Since the release of the FMA, the Citrix Profile Management components have been
included in the VDA installer.
The only two steps required to enable Citrix Profile Management are to create the
profile store and enable CPM through policies or by editing
UPMPolicyDefaults_all.ini on the VDA.
By default, Citrix Profile Management is installed silently on master images when
you install the Virtual Delivery Agent, but you do not have to use Profile
Management as a profile solution.



Key Notes:
By default (if Profile Management is enabled) all users are managed and all files &
registry settings are included to roam.
Profile Management can be used on VDA as well as on Clients.



Key Notes:
UPM is installed together with the VDA software, but might need to be updated
separately if a newer version of UPM is to be used.
By default, UPM does not process user profiles until it is enabled by administrators.



Key Notes:
Profile Management offers a smooth transition from MS roaming profiles to UPM
based profiles.
The structure in which the profile contents are saved can even be used to migrate
back again.
Profile Management can migrate existing profiles "on the fly" during logon if a user
has no profile in the user store. After this, the user store profile is used by Profile
Management in both the current session and any other session configured with the
path to the same user store.
• By default, both local and roaming profiles are migrated to the user store
during logon.
To specify the types of profile migrated to the user store during logon, choose one
of the following options:
• Local and roaming profiles
• Local
• Roaming
• None (Disabled)
If you select None, the system uses the existing Windows mechanism to create new
profiles, as if in an environment where Profile Management is not installed.

Additional Resources:
Profile handling policy settings - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/reference/profile-management/profile-handling-policy-settings.html

Key Notes:
Variables can be used to separate users’ profile folders per platform (OS, bitness,
language, purpose).
Profile Management variables can only be used by UPM, while system and AD
variables are accessible to other programs as well. AD variables are a good choice
to separate profiles by country or department, provided the corresponding fields on the
user object in AD have been filled in.
For redundancy, a clustered share or DFS-R can be used.
Normally administrators should not have access to the files saved in user profiles.
Path to user store specifies the path to the directory (user store) in which user
settings, such as registry settings and synchronized files, are saved.
By default, the Windows directory on the home drive is used.
If this setting is disabled, user settings are saved in the Windows subdirectory of the
home directory.
The path can be:
• A relative path. This must be relative to the home directory, typically
configured as the #homeDirectory# attribute for a user in Active Directory.
• An absolute UNC path. This typically specifies a server share or a DFS
namespace.
• Disabled or un-configured. In this case, a value of
#homeDirectory#\Windows is assumed.
Use the following types of variables when configuring this policy setting:
• System environment variables enclosed in percent signs (for example,
%ProfVer%). Note that system environment variables generally require
additional setup.
• Attributes of the Active Directory user object enclosed in hashes (for
example, #sAMAccountName#).
• Profile Management variables. For more information, see the Profile
Management documentation.
You can also use the %username% and %userdomain% user environment variables
and create custom attributes to fully define organizational variables such as location
or users. Attributes are case-sensitive.

Additional Resources:
Basic policy settings - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/reference/profile-management/basic-policy-settings.html
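The path rules above can be checked before rollout with a small model. This is an added example, not Citrix code: it resolves a "Path to user store" value the way the notes describe and reports settings that would put one user's profiles from different platforms in the same folder. The server names, users and the `ProfVer` values are constructed, and treating a drive-letter path as absolute is an assumption of the model.

```python
import re

# Value the notes say is assumed when the policy is disabled or unconfigured.
DEFAULT_SETTING = r"#homeDirectory#\Windows"
# %NAME% = system environment variable, #name# = Active Directory attribute.
TOKEN = re.compile(r"%([^%\\]+)%|#([^#\\]+)#")


class UnresolvedVariable(ValueError):
    """A variable had no value; fail rather than use a literal folder name."""


def expand(text, ad_attrs, env):
    """Replace %env% and #attribute# tokens in a path setting."""
    env_ci = {name.lower(): value for name, value in env.items()}

    def substitute(match):
        env_name, attr_name = match.group(1), match.group(2)
        if env_name is not None:
            value = env_ci.get(env_name.lower())  # Windows env names ignore case
        else:
            value = ad_attrs.get(attr_name)       # attributes are case-sensitive
        if not value:
            raise UnresolvedVariable(match.group(0))
        return value

    return TOKEN.sub(substitute, text)


def is_absolute(path):
    # UNC path, or (model assumption) a drive-letter path such as H:\
    return path.startswith("\\\\") or re.match(r"^[A-Za-z]:\\", path) is not None


def resolve_user_store(setting, ad_attrs, env):
    """Return the folder a session would use for the given policy value."""
    path = expand(setting or DEFAULT_SETTING, ad_attrs, env)
    if not is_absolute(path):
        # A relative path is relative to the user's home directory.
        home = ad_attrs.get("homeDirectory")
        if not home:
            raise UnresolvedVariable("#homeDirectory#")
        path = home.rstrip("\\") + "\\" + path.lstrip("\\")
    return path


def find_collisions(setting, sessions):
    """Return resolved paths shared by more than one (user, platform) pair."""
    seen = {}
    for ad_attrs, env in sessions:
        key = resolve_user_store(setting, ad_attrs, env).lower()
        ident = (ad_attrs.get("sAMAccountName"), env.get("ProfVer"))
        seen.setdefault(key, set()).add(ident)
    return sorted(path for path, who in seen.items() if len(who) > 1)


# Constructed sample data: two users, two platforms.
ALICE = {"sAMAccountName": "alice", "homeDirectory": r"\\fs01\home\alice"}
BOB = {"sAMAccountName": "bob", "homeDirectory": r"\\fs01\home\bob"}
SESSIONS = [
    (ALICE, {"ProfVer": "Win10x64"}),
    (ALICE, {"ProfVer": "Win2016"}),
    (BOB, {"ProfVer": "Win10x64"}),
]

if __name__ == "__main__":
    for setting in (r"\\fs01\profiles$\#sAMAccountName#",
                    r"\\fs01\profiles$\#sAMAccountName#\%ProfVer%"):
        print(setting, "->", find_collisions(setting, SESSIONS) or "no collisions")
```

A setting without a platform variable is reported because both of alice's sessions resolve to one folder; a misspelled attribute name raises instead of silently producing a shared path.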

Key Notes:
Folder redirection is an excellent addition to most Profile Management solutions.
Redirected folders do not roam as part of the profile and therefore speed up the
logon and logoff process.
Redirected folders normally require a file share different from the profile share.
Accessing large files from redirected folders can take more time since they are
opened over the network, depending on topology.
Folder redirection lets you store user data on network shares other than the location
where the profiles are stored. This reduces profile size and load time, but it might
impact network bandwidth. Folder redirection does not require that Citrix user
profiles are employed. You can choose to manage user profiles on your own, and
still redirect folders.
Configure folder redirection using Citrix policies in Studio.
• Ensure that the network locations used to store the contents of redirected
folders are available and have the correct permissions. The location
properties are validated.
• Redirected folders are set up on the network and their contents populated
from users' virtual desktops at logon.
Note: Configure folder redirection using only Citrix Policies or Active Directory Group
Policy Objects, not both. Configuring folder redirection using both policy engines may
result in unpredictable behavior.
In Citrix Profile Management (but not in Studio), a performance enhancement allows
you to prevent folders from being processed using exclusions. If you use this feature,
do not exclude any redirected folders. The folder redirection and exclusion features
work together, so ensuring no redirected folders are excluded allows Profile
Management to move them back into the profile folder structure again, while
preserving data integrity, if you later decide not to redirect them.
Grant administrator access: This setting enables an administrator to access the
contents of a user's redirected folders.
By default, this setting is disabled and users are granted exclusive access to the
contents of their redirected folders.

Additional Resources:
Folder redirection policy settings - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/reference/profile-management/folder-redirection-policy-settings.html

Key Notes:
Answer: Expect one profile per user per platform (and additionally per “silo”).

Key Notes:
Although CPM can be configured using a local .ini file, it is recommended to secure
the configuration using a policy.
In the next learning objective we will focus on the different policy settings available.



Key Notes:
By default, all users are managed.
• If only two groups are specified within the processed group policy setting,
then only these two groups are managed.
• If a single group is specified in the excluded groups policy setting, then all
groups except this one are managed.
• If both settings are used, the resulting set is merged.
Management of profiles can fail if groups are used for restricting Profile
Management and these groups are renamed in Active Directory since they are
matched by their name only.
On hosted personal (persistent) desktops users are possibly given local
administrator permission (sometimes to solve some software restrictions). Normally
Profile Management would not manage these users, unless the corresponding policy is
set.



Key Notes:
If a single entry exists in the Registry-Include-Setting (e.g.
HKCU\SOFTWARE\Adobe) then this will be the **only** registry key that roams. All
other keys are implicitly considered to be black-listed and will be excluded from
roaming.
By default, the complete HKCU hive roams and nothing needs to be included.
• This can be beneficial if designing profiles for an environment (silo) that
hosts a single, specialized application. Defining only the printers key and
the application keys to be included could result in a fast loading profile that
can hardly be corrupted.
In case exclusion and inclusion are defined, the most specific match wins (in the above
example, the hive “BadlyCoded” would not roam, but its sub-key “important” would).
Exclusions are processed at logoff. This will not block entries to the registry or
filesystem during the session.
The Exclusions section contains policy settings for configuring which files and
directories in a user's profile are excluded from the synchronization process.
Exclusion list – directories specifies a list of folders in the user profile that are
ignored during synchronization.
Specify folder names as paths relative to the user profile (%USERPROFILE%).
By default, this setting is disabled and all folders in the user profile are synchronized.

Additional Resources:
Exclusions policy settings - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/reference/profile-management/file-system/exclusions-policy-settings.html
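The registry inclusion and exclusion rules in these notes can be modelled to predict which keys a policy would roam. This is an added example, not Citrix code: the key paths are constructed (the slide's "BadlyCoded" example is placed under `Software` as an assumption), and letting the exclusion win when the same key appears in both lists is an assumption of the model.

```python
def normalize(key):
    """Split a registry path into lower-case parts, relative to HKCU."""
    parts = [p for p in key.replace("/", "\\").split("\\") if p]
    if parts and parts[0].upper() in ("HKCU", "HKEY_CURRENT_USER"):
        parts = parts[1:]
    return tuple(p.lower() for p in parts)  # registry key names ignore case


def longest_match(key_parts, entries):
    """Depth of the most specific list entry covering the key, or -1."""
    best = -1
    for entry in entries:
        entry_parts = normalize(entry)
        if key_parts[:len(entry_parts)] == entry_parts:
            best = max(best, len(entry_parts))
    return best


def roams(key, include=(), exclude=()):
    """Decide whether a key is written to the user store at logoff."""
    key_parts = normalize(key)
    inc = longest_match(key_parts, include)
    exc = longest_match(key_parts, exclude)
    if include and inc < 0:
        return False          # an inclusion list exists and the key is outside it
    if exc < 0:
        return True           # not excluded: default is that HKCU roams
    return inc > exc          # both match: most specific wins (tie: excluded)


def lost_at_logoff(written_keys, include=(), exclude=()):
    """Keys an application wrote during the session that will not roam.

    Exclusions are processed at logoff, so the writes succeed in-session.
    """
    return [k for k in written_keys if not roams(k, include, exclude)]


# Constructed sample policy and session activity.
INCLUDE = [r"HKCU\Software\BadlyCoded\important"]
EXCLUDE = [r"HKCU\Software\BadlyCoded"]
WRITTEN = [
    r"HKCU\Software\BadlyCoded\cache\blob",
    r"HKCU\SOFTWARE\BadlyCoded\Important\license",
]

if __name__ == "__main__":
    print("dropped at logoff:", lost_at_logoff(WRITTEN, INCLUDE, EXCLUDE))
```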

Key Notes:
In previous versions of Profile Management these settings were either controlled by
an .ini configuration file or through manual entry in a policy setting. The pre-defined
settings in the .ini file have now been migrated into the policy objects to make
configuration and adjustments easier.
Exclusion list – files: List of files that are ignored during synchronization. File
names must be paths relative to the user profile (%USERPROFILE%). Wildcards
are allowed and are applied recursively.
Examples:
• Desktop\Desktop.ini ignores the file Desktop.ini in the Desktop folder.
• %USERPROFILE%\*.tmp ignores all files with the extension .tmp in the
entire profile.
• AppData\Roaming\MyApp\*.tmp ignores all files with the extension .tmp in
one part of the profile.
If this policy is disabled, no files are excluded. If this policy is not configured here,
the value from the .ini file is used. If this policy is not configured here or in the .ini
file, no files are excluded.
Exclusion list – directories: List of folders that are ignored during synchronization.
Folder names must be specified as paths relative to the user profile
(%USERPROFILE%).
Example:
Desktop ignores the Desktop folder in the user profile.
If this policy is disabled, no folders are excluded. If this policy is not configured here,
the value from the .ini file is used. If this policy is not configured here or in the .ini file,
no folders are excluded.
Enable Default Exclusion List - directories - Profile Management 5.5: Default list of
directories ignored during synchronization. Use this policy to specify GPO exclusion
directories without having to fill them in manually.
If you disable this policy, Profile Management does not exclude any directories by
default. If you do not configure this policy here, Profile Management uses the value
from the .ini file. If you do not configure this policy here or in the .ini file, Profile
Management does not exclude any directories by default.

Additional Resources:
What's New in Profile Management 5.x - https://docs.citrix.com/en-us/profile-management/5/upm-intro-wrapper-den/upm-new-features-den.html

Key Notes:
Stale profiles could accumulate on Hosted Shared environments where multiple
users log on during the day, depending on when the servers are rebooted and if they
are set to discard changes on reboot.
In non-persistent Hosted Shared environments where servers are rebooted every
night, this action will clean up the cached profiles.
Caching the profile and reusing it can speed up the logon process dramatically, but
makes sense only on machines where users are expected to return.
There is also a policy to delay the deletion. This will save storage IO load,
especially on pooled desktops where the machine will be shut down after the user
logs off, discarding any change to the machine anyway.

Additional Resources:
Blog: to cache or not to cache - https://www.citrix.com/blogs/2012/11/30/to-cache-or-not-to-cache-that-is-the-question/?_ga=1.62125868.1497454651.1430656272



Key Notes:
A user might work on a document which is saved in a local folder on his VDA. When
the VDA crashes (or the user does not log off, but just disconnects…) the profile
changes (including the document) have not been saved on the file server and are lost.
With Active Write Back, every 5 minutes the latest copy of each changed file is
copied back to the file server. When a user logs on again (after a crash or from a
different machine), the saved version of the document will be included in the profile.
For some applications a certain registry entry must match a certain file, so only
saving the files might cause this application’s configuration to break.
Active Write Back enables modified files and folders (but not registry settings) to be
synchronized to the user store during a session, before logoff.
By default, synchronization to the user store during a session is disabled.
Support for Active Write Back for registry entries - registry entries that are modified
on the local computer can be backed up to the user store in the middle of a session,
before logoff.

Additional Resources:
Basic policy settings - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/reference/profile-management/basic-policy-settings.html


Key Notes:
Profile Streaming typically allows for a much faster logon as the amount of data
copied from the file servers will be minimized.
Profile Streaming can be restricted to a group. So this feature can be
tested/enabled only for specific users.
Creating placeholder files (each 4 KB in size) might be a lot faster than downloading
larger files or many files from the profile share, especially if the user just logged on
to check emails and logs back out afterwards.
Profile Streaming will automatically be disabled if used together with the Citrix Personal
vDisk feature.
Profile Streaming enables and disables the Citrix streamed user profiles feature.
When enabled, files and folders contained in a profile are fetched from the user
store to the local computer only when they are accessed by users after they have
logged on. Registry entries and files in the pending area are fetched immediately.

Additional Resources:
Streamed user profiles policy settings - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/reference/profile-management/streamed-user-profiles-policy-settings.html


Key Notes:
A special filter driver is used to intercept the access to the placeholder files (reparse
points, a special function of NTFS).
Enabling the “Always Cache” policy but setting the value to “0” enables background
downloading of **all** files from the user profile.
Streamed user profile groups specifies which user profiles within an OU are
streamed, based on Windows user groups.
When enabled, only user profiles within the specified user groups are streamed. All
other user profiles are processed normally.

Additional Resources:
Streamed user profiles policy settings - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/policies/reference/profile-management/streamed-user-profiles-policy-settings.html



Key Notes:
Enables a backup of the last known good copy of NTUSER.DAT and rollback in
case of corruption.
If you do not configure this policy here, Profile Management uses the value from the
.ini file. If you do not configure this policy here or in the .ini file, Profile Management
does not back up NTUSER.DAT.

Additional Resources:
What's New in Profile Management 5.x - https://docs.citrix.com/en-us/profile-management/5/upm-intro-wrapper-den/upm-new-features-den.html



Key Notes:
Answer: less traffic, faster logon times

Key Notes:
Delegated Administration now consists of 3 elements (who gets which permissions
on which objects).
For example, we can give the Junior Admin full admin on the test Delivery Group
and the test Catalog while he only has limited permissions on the production
resources.
The Delegated Administration model offers the flexibility to match how your
organization wants to delegate administration activities, using Role and object-based
control. Delegated Administration accommodates deployments of all sizes,
and allows you to configure more permission granularity as your deployment grows
in complexity. Delegated Administration uses three concepts: administrators, Roles,
and Scopes.

Additional Resources:
Delegated Administration - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/delegated-administration.html



Key Notes:
In this example we have 3 different types of administrators, each requiring individual
privileges on the same objects.
We use Roles to create the permission levels.



Key Notes:
Using the helpdesk example, explain that we can control the privileges the Helpdesk
group has on specific objects or all objects in the database.
In this example the helpdesk can only view the Delivery Group and 3 Catalogs that
appear in the Scope.
Highlight that during install Citrix will create an “All” Scope and 6 different predefined
Roles.
Administrators: An administrator represents an individual person or a group of
people identified by their Active Directory account. Each administrator is associated
with one or more Role and Scope pairs.
Roles: A Role represents a job function, and has defined permissions associated
with it. For example, the Delivery Group Administrator Role has permissions such
as 'Create Delivery Group' and 'Remove Desktop from Delivery Group.' An
administrator can have multiple Roles for a Site, so a person could be a Delivery
Group Administrator and a Machine Catalog Administrator. Roles can be built-in or
custom.
Scopes: A Scope represents a collection of objects. Scopes are used to group
objects in a way that is relevant to your organization (for example, the set of Delivery
Groups used by the Sales team). Objects can be in more than one Scope; you can
think of objects being labeled with one or more Scopes. There is one built-in Scope:
'All,' which contains all objects. The Full Administrator Role is always paired with the
All Scope.

Additional Resources:
Delegated Administration - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/delegated-administration.html
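The administrator, Role and Scope concepts above can be expressed as a small access-check model for reviewing a delegation design. This is an added example, not Citrix code or the Studio API: the Scope names "Test" and "Production", the account name, the object names and the 'View Delivery Group' permission are constructed, while the two Delivery Group Administrator permissions are the ones quoted in the notes.

```python
from dataclasses import dataclass, field

ALL_SCOPE = "All"  # built-in Scope that contains every object


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset


@dataclass(frozen=True)
class SiteObject:
    name: str
    scopes: frozenset  # an object can be labeled with several Scopes


@dataclass
class Administrator:
    account: str                                 # AD user or group
    rights: list = field(default_factory=list)   # (Role, Scope name) pairs

    def grant(self, role, scope):
        if role.name == "Full Administrator" and scope != ALL_SCOPE:
            raise ValueError("Full Administrator is always paired with the All Scope")
        self.rights.append((role, scope))


def in_scope(obj, scope):
    return scope == ALL_SCOPE or scope in obj.scopes


def is_allowed(admin, permission, obj):
    """True if any Role/Scope pair grants the permission on this object."""
    return any(permission in role.permissions and in_scope(obj, scope)
               for role, scope in admin.rights)


def effective_permissions(admin, obj):
    """Union of permissions from every pair whose Scope contains the object."""
    perms = set()
    for role, scope in admin.rights:
        if in_scope(obj, scope):
            perms |= role.permissions
    return perms


def excess_rights(admin, obj, needed):
    """Least-privilege check: permissions held on obj beyond those needed."""
    return effective_permissions(admin, obj) - set(needed)


# Constructed sample: the Junior Admin from the notes.
FULL_ADMIN = Role("Full Administrator", frozenset({"*"}))
DG_ADMIN = Role("Delivery Group Administrator", frozenset({
    "Create Delivery Group",
    "Remove Desktop from Delivery Group",
    "View Delivery Group",          # constructed permission name
}))
READ_ONLY = Role("Read Only Administrator", frozenset({"View Delivery Group"}))

TEST_DG = SiteObject("DG-Test", frozenset({"Test"}))
PROD_DG = SiteObject("DG-Prod", frozenset({"Production"}))
SHARED_DG = SiteObject("DG-Pilot", frozenset({"Test", "Production"}))

JUNIOR = Administrator(r"CORP\junior-admins")
JUNIOR.grant(DG_ADMIN, "Test")
JUNIOR.grant(READ_ONLY, "Production")

if __name__ == "__main__":
    for obj in (TEST_DG, PROD_DG, SHARED_DG):
        print(obj.name, sorted(effective_permissions(JUNIOR, obj)))
```

The pilot object shows the effect of labeling one object with two Scopes: the junior administrator's change permissions from the Test Scope apply to it even though it also carries the Production label.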

Key Notes:
Citrix Studio cannot be run using local credentials – a domain account is required!
Using domain groups is a leading practice for delegating administrative permissions
within a site.



Key Notes:
You can create custom Roles to match the requirements of your organization, and delegate permissions with more detail. You can use custom Roles to allocate permissions at the granularity of an action or task in a console.

Additional Resources:
Delegated Administration - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/delegated-administration.html

Key Notes:
The account that is used to create the Site is added to the Full Administrator Role automatically.

The Full Administrator Role only applies to the All Scope.

Understand the function of the Roles and how they relate to typical job Roles:
• Full Administrator
Can perform all tasks and operations.
• Read Only Administrator
Can see all objects in specified Scopes as well as global information, but cannot change anything.
• Host Administrator
Can manage host connections and their associated resource settings.
• Machine Catalog Administrator
Can create and manage Machine Catalogs and provision machines.
• Delivery Group Administrator
Can deliver applications, desktops, and machines; can also manage the associated sessions.
• Help Desk Administrator
Can view Delivery Groups, and manage the sessions and machines associated with those groups.
Full Administrator - Can perform all tasks and operations. A Full Administrator is
always combined with the All Scope.
Read Only Administrator - Can see all objects in specified Scopes as well as global
information, but cannot change anything. For example, a Read Only Administrator
with Scope=London can see all global objects (such as Configuration Logging) and
any London-Scoped objects (for example, London Delivery Groups). However, that
administrator cannot see objects in the New York Scope (assuming that the London
and New York Scopes do not overlap).
Help Desk Administrator - Can view Delivery Groups, and manage the sessions and
machines associated with those groups. Can see the Machine Catalog and host
information for the Delivery Groups being monitored; and can also perform session
management and machine power management operations for the machines in those
Delivery Groups.
Machine Catalog Administrator - Can create and manage Machine Catalogs and
provision the machines into them. Can build Machine Catalogs from the virtualization
infrastructure, Provisioning Services, and physical machines. This Role can manage
base images and install software, but cannot assign applications or desktops to
users.
Delivery Group Administrator - Can deliver applications, desktops, and machines; can
also manage the associated sessions. Can also manage application and desktop
configurations such as policies and power management settings.
Host Administrator - Can manage host connections and their associated resource
settings. Cannot deliver machines, applications, or desktops to users.

Additional Resources:
Delegated Administration - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/delegated-administration.html

Key Notes:
Creating a custom Role is very useful since the built-in Roles might not meet a customer's specific needs.

It can be helpful to copy an existing Role instead of creating one from scratch.

Role names can contain up to 64 Unicode characters; they cannot contain the
following characters: \ (backslash), / (forward slash), ; (semicolon), : (colon), #
(pound sign) , (comma), * (asterisk), ? (question mark), = (equal sign), < (left arrow),
> (right arrow), | (pipe), [ ] (left or right bracket), ( ) (left or right parenthesis), "
(quotation marks), and ' (apostrophe). Descriptions can contain up to 256 Unicode
characters.
You cannot edit or delete a built-in Role. You cannot delete a custom Role if any
administrator is using it.
Note: Only certain product editions support custom Roles. Editions that do not
support custom Roles do not have related entries in the Actions pane.

Additional Resources:
Delegated Administration - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/delegated-administration.html


Key Notes:
A Scope is essentially just a partition inside the database that allows for grouping of multiple objects into one single administrative unit.

Not all objects can be added to a Scope.

When you create a Site, the only available Scope is the 'All' Scope, which cannot be deleted.
You can also create Scopes when you create an administrator; each administrator
must be associated with at least one Role and Scope pair. When you are creating or
editing desktops, machine catalogs, applications, or hosts, you can add them to an
existing Scope. If you do not add them to a Scope, they remain part of the 'All'
Scope.

Additional Resources:
Delegated Administration - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/delegated-administration.html

Key Notes:
You cannot change the All Scope.

Each new object created in the database will be added to the All Scope.

Site creation cannot be scoped, nor can Delegated Administration objects (Scopes and Roles). However, objects you cannot scope are included in the 'All' Scope. (Full Administrators always have the All Scope.) Machines, power actions, desktops, and sessions are not directly scoped; administrators can be allocated permissions over these objects through the associated machine catalogs or Delivery Groups.

Additional Resources:
Delegated Administration - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/delegated-administration.html

Key Notes:
Only scopeable objects that have already been created show up.

A new Site contains no scopeable objects.

Newer versions of XenDesktop have more scopeable objects.

Scope names can contain up to 64 Unicode characters; they cannot include the
following characters: \ (backslash), / (forward slash), ; (semicolon), : (colon), #
(pound sign) , (comma), * (asterisk), ? (question mark), = (equal sign), < (left arrow),
> (right arrow), | (pipe), [ ] (left or right bracket), ( ) (left or right parenthesis), "
(quotation marks), and ' (apostrophe). Descriptions can contain up to 256 Unicode
characters.

Additional Resources:
Delegated Administration - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/delegated-administration.html

Key Notes:
When you create a Site as a local administrator, your user account automatically becomes a Full Administrator with full permissions over all objects. After a Site is created, local administrators have no special privileges.

The Full Administrator Role always has the All Scope; you cannot change this.
By default, an administrator is enabled. Disabling an administrator might be
necessary if you are creating the new administrator now, but that person will not
begin administration duties until later. For existing enabled administrators, you might
want to disable several of them while you are reorganizing your object/Scopes, then
re-enable them when you are ready to go live with the updated configuration. You
cannot disable a Full Administrator if it will result in there being no enabled Full
Administrator. The enable/disable check box is available when you create, copy, or
edit an administrator.
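
The Role and Scope pairing described in these notes can be reviewed from PowerShell. The function below is an added example, not part of the course material: it lists every Role/Scope pair per administrator and marks the broad ones. It assumes input objects shaped like the output of Get-AdminAdministrator (Name, Enabled, Rights with RoleName and ScopeName); the CONTOSO accounts are constructed sample data.

```powershell
# Added example: review Role/Scope pairs for least privilege.
# Assumption: each input object has the shape of Get-AdminAdministrator output:
# Name, Enabled, and Rights (a list whose items carry RoleName and ScopeName).
function Get-DelegatedAdminFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]$Administrator
    )
    begin { $rows = New-Object System.Collections.ArrayList }
    process {
        foreach ($right in $Administrator.Rights) {
            $finding = 'Limited to a named Scope'
            if ($right.RoleName -eq 'Full Administrator') {
                # Full Administrator is always paired with the All Scope.
                $finding = 'Full control of every object in the Site'
            }
            elseif ($right.ScopeName -eq 'All') {
                $finding = 'Role applies to every object; consider a narrower Scope'
            }
            [void]$rows.Add([pscustomobject]@{
                Administrator = $Administrator.Name
                Enabled       = [bool]$Administrator.Enabled
                Role          = $right.RoleName
                Scope         = $right.ScopeName
                Finding       = $finding
            })
        }
    }
    end {
        # The last enabled Full Administrator cannot be disabled, so a single
        # entry here means there is no fallback account for that Role.
        $enabledFull = @($rows | Where-Object { $_.Enabled -and $_.Role -eq 'Full Administrator' })
        if ($enabledFull.Count -eq 1) {
            Write-Warning "Only one enabled Full Administrator: $($enabledFull[0].Administrator)"
        }
        $rows
    }
}

# Constructed sample data (not taken from a real Site).
$sampleAdministrators = @(
    [pscustomobject]@{ Name = 'CONTOSO\Citrix-FullAdmins'; Enabled = $true
        Rights = @([pscustomobject]@{ RoleName = 'Full Administrator'; ScopeName = 'All' }) },
    [pscustomobject]@{ Name = 'CONTOSO\Helpdesk-London'; Enabled = $true
        Rights = @([pscustomobject]@{ RoleName = 'Help Desk Administrator'; ScopeName = 'London' }) },
    [pscustomobject]@{ Name = 'CONTOSO\Catalog-Ops'; Enabled = $true
        Rights = @([pscustomobject]@{ RoleName = 'Machine Catalog Administrator'; ScopeName = 'All' }) },
    [pscustomobject]@{ Name = 'CONTOSO\Sales-Delivery'; Enabled = $false
        Rights = @([pscustomobject]@{ RoleName = 'Delivery Group Administrator'; ScopeName = 'Sales' }) }
)

$sampleAdministrators | Get-DelegatedAdminFinding | Format-Table -AutoSize

# On a Delivery Controller the same function can take live data:
#   Add-PSSnapin Citrix.DelegatedAdmin.Admin.V1
#   Get-AdminAdministrator | Get-DelegatedAdminFinding
```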

Additional Resources:
Delegated Administration - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/delegated-administration.html

Key Notes:
Full Administrator: Can perform all tasks and operations. A Full Administrator is always combined with the All Scope.

Key Notes:
You can create two types of Delegated Administration reports:
• An HTML report that lists the Role/Scope pairs associated with an administrator, plus the individual permissions for each type of object (for example, Delivery Groups and Machine Catalogs). You generate this report from Studio. To create this report, click Configuration > Administrators in the navigation pane. Select an administrator in the middle pane and then click Create Report in the Actions pane. You can also request this report when creating, copying, or editing an administrator.
• An HTML or CSV report that maps all built-in and custom Roles to permissions. You generate this report by running a PowerShell script named OutputPermissionMapping.ps1. To run this script, you must be a Full Administrator, a Read Only Administrator, or a custom administrator with permission to read Roles. The script is located in: Program Files\Citrix\DelegatedAdmin\SnapIn\Citrix.DelegatedAdmin.Admin.V1\Scripts\.

Additional Resources:
Delegated Administration - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/delegated-administration.html

Key Notes:
The script to generate the Role to permission mapping can normally be found at the following location where Citrix Studio is installed: “C:\Program Files\Citrix\DelegatedAdmin\SnapIn\Citrix.DelegatedAdmin.Admin.V1\Scripts\OutputPermissionMapping.ps1”

The following example writes an HTML table to a file named Roles.html and opens the table in a web browser.

& "$env:ProgramFiles\Citrix\DelegatedAdmin\SnapIn\Citrix.DelegatedAdmin.Admin.V1\Scripts\OutputPermissionMapping.ps1" -Path Roles.html -Show


Key Notes:
This report will only cover changes that are saved in the database.

Changes made from both Studio and PowerShell are tracked.

Changes to VDA images, such as application installations and Windows updates, are not tracked.

Policy changes in GPMC are not tracked; however, Studio policies are saved in the database and thus tracked.

You can generate CSV and HTML reports containing configuration log data.
• The CSV report contains all the logging data from a specified time interval.
The hierarchical data in the database is flattened into a single CSV table.
No aspect of the data has precedence in the file. No formatting is used and
no human readability is assumed. The file (named MyReport) simply
contains the data in a universally consumable format. CSV files are often
used for archiving data or as a data source for a reporting or data
manipulation tool such as Microsoft Excel.
• The HTML report provides a human-readable form of the logging data for a
specified time interval. It provides a structured, navigable view for reviewing
changes. An HTML report comprises two files, named Summary and
Details. Summary lists high level operations: when each operation occurred,
by whom, and the outcome. Clicking a Details link next to each operation
takes you to the low level operations in the Details file, which provides
additional information.
To generate a configuration log report, select Logging in the Studio navigation pane,
and then select Create custom report in the Actions pane.
• Select the date range for the report.
• Select the report format: CSV, HTML, or both.
• Browse to the location where the report should be saved.

Additional Resources:
Manage Configuration Logging - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/monitor/configuration-logging.html

Key Notes:
CSV is often used for archiving purposes or further processing using data manipulation tools like MS Excel, while HTML output can be included in project documentation and reports.

To create Configuration Logging reports using PowerShell, leverage the Export-LogReportHTML and Export-LogReportCSV cmdlets.

Additional Resources:
Generate reports - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/monitor/configuration-logging.html

Key Notes:
What output formats does Configuration Logging support?
• CSV and HTML

Key Notes:
A Site always has one Primary Zone. It can also optionally have one or more Satellite Zones. Satellite Zones can be used for disaster recovery, geographically-distant datacenters, branch offices, a cloud, or an availability Zone in a cloud.

Primary Zone:
• The Primary Zone has the default name "Primary," which contains the SQL Server Site database (and high availability SQL servers, if used), Studio, Director, Citrix StoreFront, Citrix License Server, and NetScaler Gateway. The Site database should always be in the Primary Zone.
• The Primary Zone should also have at least two Controllers for
redundancy, and may have one or more VDAs with applications that are
tightly-coupled with the database and infrastructure.
Satellite Zone:
• A Satellite Zone contains one or more VDAs, Controllers, StoreFront
servers, and NetScaler Gateway servers. Under normal operations,
Controllers in a Satellite Zone communicate directly with the database in
the Primary Zone.

• A Satellite Zone, particularly a large one, might also contain a hypervisor
that is used to provision and/or store machines for that Zone. When you
configure a satellite Zone, you can associate a hypervisor or cloud service
connection with it. (Be sure any Machine Catalogs that use that connection
are in the same Zone.)
• A Site can have different types of Satellite Zones, based on your unique
needs and environment.

Additional Resources:
Zones - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/manage-deployment/Zones.html

Key Notes:
From version 7.7 we can now span a single XenApp and XenDesktop Site across multiple datacenters and geographical locations.

The Site database should always be in the Primary Zone.

For optimal performance, install Studio and Director only in the Primary Zone.

While it is possible to have Satellite Zones without any controllers, it is recommended to configure at least one controller for each Satellite Zone to ensure fast and reliable VDA registration, and to ensure registration during WAN outages.

Additional Resources:
XenApp and XenDesktop 7.7: Intro to Zones within FMA - https://www.citrix.com/blogs/2015/12/29/xenapp-xendesktop-7-7-intro-to-Zones-within-fma/
Zones - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/manage-deployment/Zones.html
Deep Dive: XenApp and XenDesktop 7.7 Zones - https://www.citrix.com/blogs/2016/01/12/deep-dive-xenapp-and-xendesktop-7-7-Zones/


Key Notes:
You might not need Zones; be aware that Zones are only relevant for certain customers. Use the bullets to figure out whether Zones are right for you.

In a multi-Zone Site, the Zone Preference feature offers the administrator more flexibility to control which VDA is used to launch an application or desktop.

How Zone Preference works:
• There are three forms of Zone Preference. You might prefer to use a VDA in a particular Zone, based on:


• Where the application's data is stored. This is referred to as the
application home.
• The location of the user's home data, such as a profile or home share.
This is referred to as the user home.
• The user's current location (where the Citrix Receiver is running). This is
referred to as the user location.

Additional Resources:
Zones - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/manage-deployment/Zones.html

Key Notes:
PowerShell is object oriented, so almost every command returns not just plain text or tables, but objects with properties that can easily be filtered and manipulated.

Additional Resources:
PowerShell cmdlet help - http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/cds-sdk-wrapper-rho/xad-commands.html

Key Notes:
Each of the FMA services has a corresponding PowerShell snap-in (DLL) that contains the interfaces and objects that can be controlled from the SDK.

Individual service .MSI Snap-in install files can be found on the installation media:
• x86\Citrix Desktop Delivery Controller
• x64\Citrix Desktop Delivery Controller

Additional Resources:
TechEdge Orlando 2015 - Advanced Configuration of XenApp and XenDesktop 7.6
using the PowerShell SDK - http://support.citrix.com/article/CTX142511


Key Notes:
During troubleshooting it is recommended to have a look at the command that is failing, since most tasks consist of several necessary cmdlets that are started in a specific order. Often only one of these commands fails and the reason might be visible in the PowerShell pane inside Studio.

Key Notes:
While typing on the PowerShell command line, commands are often abbreviated. You might have seen the above command before in a shorter version like: “asnp cit*”. Many cmdlets have shorter aliases that can be used instead (get-childitem => gci, add-pssnapin => asnp).

Depending on manufacturer, Snap-ins or Modules are used to extend the management capabilities of PowerShell. XenDesktop uses mostly Snap-ins.

To list all available Snap-ins, issue the following command: get-pssnapin -registered
To list all available modules, issue the following command: get-module -listavailable

Additional Resources:
TechEdge Orlando 2015 - Automation and troubleshooting of Citrix Group Policy for
XenApp and XenDesktop 7.x using PowerShell -
http://support.citrix.com/article/CTX142512


Key Notes:
To demonstrate how many cmdlets are contained inside each PowerShell Snap-in, use the following statement:

Get-PSSnapin -Registered -name Citrix* | ForEach-Object {write-host $_.name -NoNewline; write-host " contains "(get-command -module $_.name).count "cmdlets."}

Additional Resources:
http://support.citrix.com/article/CTX139415 - XenDesktop 7.x Services Overview


Key Notes:
Get-Command and Get-Help are very important to understand if you are new to PowerShell.

Get-Command allows you to find commands if you only remember part of the name, and allows you to use wildcards.

Get-Help shows you more details about a specific command once you know the name.

If the command line is too advanced, the PowerShell ISE can be a bit easier to use, as it can show inline help and formatting hints.


Key Notes:
The first part (get-brokersession) lists all current sessions regardless of user or state.

The next cmdlet (where-object) filters all sessions with the criteria (both criteria have to apply, they are joined by “-and”) and passes the result to the cmdlet which will terminate these sessions (stop-brokersession).

Scenario: You are the Citrix Admin and the Junior Admin asks you for help running the get-brokersession cmdlet. He reports that PowerShell will not accept the command. What did he likely forget?
• To load the Citrix PS SnapIns.
• There are 3 ways of getting Citrix functionality in PowerShell:
• Asnp citrix*
• Add-PSSnapin -Name Citrix.*
• Start a PowerShell Session from Citrix Studio (Top node, PowerShell
Tab, Button: “Launch PowerShell”)


Key Notes:
Only Server OS VDAs can be scheduled to reboot; Desktop OS VDAs can be controlled through the logoff behavior to either shut down, reboot or suspend. This is configured on the Delivery Group properties and depends on the Catalog type.

Key Notes:
A restart schedule specifies when to periodically restart all the machines in a Delivery Group.
Select Delivery Groups in the Studio navigation pane.
Select a group and then select Edit Delivery Group in the Actions pane.
On the Restart Schedule page, if you do not want to restart machines in the
Delivery Group automatically, select the No radio button and skip to the last step in
this procedure. No restart schedule or rollout strategy will be configured. If a
schedule was previously configured, this selection cancels it.
If you do want to restart machines in the Delivery Group automatically, select
the Yes radio button.
For Restart frequency, choose either Daily or the day of the week the restarts will
occur.
For Begin restart at, using a 24-hour clock, specify the time of day to begin the
restart.
For Restart duration, choose whether all machines should be started at the same
time, or the total length of time to begin restarting all machines in the Delivery Group.
An internal algorithm determines when each machine is restarted during that interval.
In the left Notification drop-down, choose whether to display a notification message
on the affected machines before a restart begins. By default, no message is
displayed. If you choose to display a message 15 minutes before the restart begins,
you can choose (in the Repeat notification dropdown) to repeat the message every
five minutes after the initial message. By default, the message is not repeated.
Enter the notification text in the Notification message box; there is no default text. If
you want the message to include the number of minutes before restart, include the
variable %m% (for example: Warning: Your computer will be automatically restarted
in %m% minutes.) If you select a repeat notification interval and your message
includes the %m% placeholder, the value decrements by five minutes in each
repeated message. Unless you chose to restart all machines at the same time, the
notification message displays on each machine in the Delivery Group at the
appropriate time before the restart, calculated by the internal algorithm.
Click Apply to apply any changes you made and keep the window open, or
click OK to apply changes and close the window.
You cannot perform an automated power-on or shutdown from Studio, only a restart.

Additional Resources:
Create a restart schedule for machines in a Delivery Group - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/delivery-groups-manage.html#par_anchortitle_4612

Key Notes:
You can use PowerShell cmdlets to create multiple restart schedules for machines
in a Delivery Group. Each schedule can be configured to affect only those machines
in the group that have a specified tag. This tag restriction functionality allows you to
easily create different restart schedules for different subsets of machines in one
Delivery Group.
For example, let's say you use one Delivery Group for all machines in the company.
You want to restart every machine at least once every week (on Sunday night), but
the machines used by the accounting team should be restarted daily. You can set up
a weekly schedule for all machines, and a daily schedule for just the machines used
by the accounting team.
Schedule overlap.
Multiple schedules might overlap. In the example above, the machines used by
accounting are affected by both schedules, and might be restarted twice on Sunday.
The scheduling code is designed to avoid restarting the same machine more often
than needed, but it cannot be guaranteed. If both schedules coincide precisely in
start and duration times, it is more likely that the machines will be restarted only
once. However, the more the schedules differ in start and/or duration times, the
more likely two restarts will occur. Also, the number of machines affected by the
schedules can also influence the chances of an overlap. In the example, the weekly
schedule that restarts all machines could initiate restarts significantly faster than the
daily schedule (depending on the configured duration for each).
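
The overlap described above can be checked before a second schedule is created. The function below is an added example, not part of the course material: for each machine it finds pairs of schedules that both apply (by tag) on the same day and reports whether their windows coincide. It assumes schedule objects shaped like Get-BrokerRebootScheduleV2 output (Name, Frequency, Day, StartTime, RebootDuration, RestrictToTag) and machine objects shaped like Get-BrokerMachine output (MachineName, Tags); the schedules and machines shown are constructed sample data.

```powershell
# Added example: report machines that two restart schedules can both restart.
# Assumption: property names follow Get-BrokerRebootScheduleV2 and Get-BrokerMachine.

# True when the schedule runs on the given day of the week.
function Test-ScheduleRunsOn {
    param($Schedule, [string]$Day)
    return ($Schedule.Frequency -eq 'Daily') -or ($Schedule.Day -eq $Day)
}

function Get-RestartScheduleOverlap {
    param(
        [Parameter(Mandatory = $true)] [object[]]$Schedule,
        [Parameter(Mandatory = $true)] [object[]]$Machine
    )
    $days = 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'
    foreach ($m in $Machine) {
        # A schedule without RestrictToTag applies to every machine in the group.
        $applies = @($Schedule | Where-Object {
            -not $_.RestrictToTag -or ($m.Tags -contains $_.RestrictToTag)
        })
        for ($i = 0; $i -lt $applies.Count; $i++) {
            for ($j = $i + 1; $j -lt $applies.Count; $j++) {
                $a = $applies[$i]
                $b = $applies[$j]
                $shared = @($days | Where-Object {
                    (Test-ScheduleRunsOn $a $_) -and (Test-ScheduleRunsOn $b $_)
                })
                if ($shared.Count -eq 0) { continue }
                # Identical start and duration make a single restart more likely.
                $coincide = ($a.StartTime -eq $b.StartTime) -and
                            ($a.RebootDuration -eq $b.RebootDuration)
                [pscustomobject]@{
                    Machine         = $m.MachineName
                    Schedules       = "$($a.Name) + $($b.Name)"
                    SharedDays      = $shared -join ', '
                    WindowsCoincide = $coincide
                    Assessment      = if ($coincide) { 'Single restart more likely' }
                                      else { 'Two restarts more likely' }
                }
            }
        }
    }
}

# Constructed sample data modelled on the accounting example.
$schedules = @(
    [pscustomobject]@{ Name = 'Weekly-All-Machines'; Frequency = 'Weekly'; Day = 'Sunday'
        StartTime = [TimeSpan]'23:00'; RebootDuration = 60; RestrictToTag = $null },
    [pscustomobject]@{ Name = 'NYC-DG-ServerOS-DailyReboot'; Frequency = 'Daily'; Day = $null
        StartTime = [TimeSpan]'03:00'; RebootDuration = 120; RestrictToTag = 'Daily Reboot' }
)
$machines = @(
    [pscustomobject]@{ MachineName = 'CONTOSO\NYC-SRV-001'; Tags = @('Daily Reboot') },
    [pscustomobject]@{ MachineName = 'CONTOSO\NYC-SRV-002'; Tags = @() }
)

Get-RestartScheduleOverlap -Schedule $schedules -Machine $machines | Format-List

# With the Citrix snap-ins loaded, live objects can be passed instead, for example
# the output of Get-BrokerRebootScheduleV2 and Get-BrokerMachine for one Delivery Group.
```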

Additional Resources:
Create multiple restart schedules for machines in a Delivery Group - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/delivery-groups-manage.html#par_anchortitle_ceb9

Key Notes:
New-BrokerRebootScheduleV2 -Name NYC-DG-ServerOS-DailyReboot -DesktopGroupName NYC-DG-ServerOS-Apps-Desktops -Frequency Daily -StartTime "03:00" -Enabled $true -RebootDuration 120 -WarningMessage "Rebooting in %m% minutes." -WarningDuration 15 -WarningRepeatInterval 5 -RestrictToTag 'Daily Reboot'

Additional Resources:
Create multiple restart schedules for machines in a Delivery Group - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/install-configure/delivery-groups-manage.html#par_anchortitle_ceb9

Key Notes:
Other licensing components could also fail: Microsoft KMS Server, Microsoft Remote Desktop Licensing Server, AV solution license system etc.

Failure of the license server can have different reasons:
• The license server machine or the software crashed / is broken.
• The license server machine is unable to communicate on the network.
• All licenses of the requested type are already checked out – in certain scenarios a supplemental grace period can apply, check https://docs.citrix.com/en-us/licensing/11-12-1/lic-architecture.html
• The licenses have not been updated to reflect a new subscription advantage date before the Site was updated – and the Site now requires a newer SA date.
Customers are granted a grace period of 90 calendar days post transaction to
remove rescinded license file(s) from their license server in order to remain in
compliance with Citrix licensing terms and conditions. Please note, at the point of
version upgrade, edition upgrade, or Trade-up transaction access to licenses
identified for rescission is immediately removed from the secure My Account portal
via www.citrix.com. Customers are advised to make a backup copy in case of license
server failure during the 90 day grace period.

Additional Resources:
XenDesktop Licensing: Frequently Asked Questions - https://support.citrix.com/servlet/KbServlet/download/26153-102-649709/XenDesktop%20FAQ.pdf
Citrix License Check Utility - http://support.citrix.com/article/CTX123935
Citrix Director 7.6 Deep Dive Part 1: License Monitoring - https://www.citrix.com/blogs/2014/10/10/citrix-director-7-6-deep-dive-part-1-license-monitoring/
License Server Technical overview - https://docs.citrix.com/en-us/licensing/11-14/technical-overview.html

Key Notes:
Customers who virtualize the Citrix License Server are provided with a redundant solution that allows for mobility between multiple physical servers without the need for down time.

Key Notes:
All information is stored in the Site configuration database; Delivery Controllers communicate only with the database and not with each other. A Controller can be unplugged or turned off without affecting other Controllers in the Site. This means, however, that the Site configuration database forms a single point of failure. If the database server fails, existing connections to virtual desktops will continue to function until a user either logs off or disconnects from a virtual desktop. New connections can only be established if connection leasing or Local Host Cache is enabled.
The Local Host Cache (LHC) feature allows connection brokering operations in a XenApp or XenDesktop Site to continue when an outage occurs. An outage occurs when:
• The connection between a Delivery Controller and the Site database fails in an on-premises Citrix environment.
• The WAN link between the Site and the Citrix control plane fails in a Citrix Cloud environment.
Local Host Cache is the most comprehensive high availability feature in XenApp and XenDesktop. It is a more powerful alternative to the connection leasing feature that was introduced in XenApp 7.6.
Local Host Cache has certain limitations when active, when the site database is inaccessible or otherwise in a failed state:
• You cannot use Studio or run PowerShell cmdlets.
• Hypervisor credentials cannot be obtained from the Host Service. All machines are in the unknown power state, and no power operations can be issued. However, VMs on the host that are powered-on can be used for connection requests.
• Machines with VDAs in pooled Delivery Groups that are configured with "Shut down after use" are placed into maintenance mode.
• Anonymous session launch requests are rejected.
• An assigned machine can be used only if the assignment occurred during normal operations. New assignments cannot be made during an outage.
• Automatic enrollment and configuration of Remote PC Access machines is not possible. However, machines that were enrolled and configured during normal operation are usable.
• Server-hosted applications and desktop users may use more sessions than their configured session limits, if the resources are in different zones.
Connection Leasing has certain limitations when active, when the site database is inaccessible or otherwise in a failed state:
• Desktop Studio and Desktop Director operations are unavailable.
• Citrix PowerShell cmdlets requiring database access will not work.
• No VDA load balancing will occur.
• Users can only connect to the last host they connected to when the site database was available.
• There is a small window (2 minutes) during which no sessions will be brokered when the site database becomes unavailable or is restored. This is to allow for environments with SQL HA enabled to fail over, such that leasing does not become enabled when there is only a short window where site database connectivity is interrupted.
• Users must have logged on to the resources within the default 14 day period. This can be configured via a registry setting.
• Anonymous users are not supported by Connection Leasing.

Additional Resources:
High availability - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview/databases.html

Key Notes:
Citrix recommends that you back up the database regularly so that you can restore from the backup if the database server fails. In addition, there are several high availability solutions to consider for ensuring automatic failover:
• SQL Mirroring — This is the recommended solution. Mirroring the database makes sure that, should you lose the active database server, the automatic failover process happens in a matter of seconds, so that users are generally unaffected. This method, however, is more expensive than other solutions because full SQL Server licenses are required on each database server; you cannot use SQL Server Express edition for a mirrored environment.
• Using the hypervisor's high availability features — With this method, you deploy the database as a virtual machine and use your hypervisor's high availability features. This solution is less expensive than mirroring as it uses your existing hypervisor software and you can also use SQL Express. However, the automatic failover process is slower, as it can take time for a new machine to start for the database, which may interrupt the service to users.
• SQL Clustering — The Microsoft SQL clustering technology can be used to automatically allow one server to take over the tasks and responsibilities of another server that has failed. However, setting up this solution is more complicated, and the automatic failover process is typically slower than with alternatives such as SQL Mirroring.
• AlwaysOn Availability Groups is an enterprise-level high-availability and disaster recovery solution introduced in SQL Server 2012 to enable you to maximize availability for one or more user databases. AlwaysOn Availability Groups requires that the SQL Server instances reside on Windows Server Failover Clustering (WSFC) nodes. For more information, see AlwaysOn Availability Groups (SQL Server).

Additional Resources:
High Availability - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview/databases.html

Key Notes:
When the last Delivery Controller in a site fails, no new user connections or reconnections can be made.

Additional Resources:
High Availability - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/technical-overview/databases.html
How to Implement Disaster Recovery in XenDesktop and XenApp - https://docs.citrix.com/content/dam/docs/en-us/solutions/assess/downloads/XAXD_Disaster_Recovery.pdf

Key Notes:
When no operational Delivery Controllers are left in the site, the only way to recover the site is to manually add a Delivery Controller through PowerShell.

Key Notes:
Although it is likely that a single StoreFront instance could support your XenApp and XenDesktop workload, failover and redundancy are still crucial to maintaining on-demand access. If XenApp/XenDesktop session traffic is routing through a single StoreFront server that suddenly fails, any new connections to the XenApp/XenDesktop applications and desktops will be unavailable. However, it should be mentioned that a StoreFront failure will not impact any existing active XenApp/XenDesktop sessions. Thus, Citrix highly recommends deploying two StoreFront servers, either Windows 2008 R2, Server 2012 or Server 2016, to eliminate any possibilities of a single point of failure that may disrupt productivity and configuring the IP address or DNS name of one controller in each farm. To streamline the management of multiple StoreFront servers, Citrix has provided a single admin interface from which you can manage all the servers in your StoreFront cluster.
To make the implementation even more robust, a Citrix NetScaler appliance can be configured to load balance user requests between the multiple StoreFront instances as well as monitor their availability.

Additional Resources:
Design considerations for Citrix StoreFront: Responding to challenges in the mobile age - https://www.citrix.com/content/dam/citrix/en_us/documents/oth/design-considerations-for-citrix-storefront.pdf

Key Notes:
Redundancy can come in different forms, but mostly means duplicated systems, connections etc. so that the loss of a single component can be compensated without threatening the performance of the complete site.

Key Notes:
Most Load Balancing systems (like Citrix NetScaler) offer many different load balancing mechanisms as well as some performance gains by eliminating overhead, caching requests etc.
The diagram shows only one Load Balancer, which is a single point of failure. This is done to keep the diagram focused on a certain message.
Adding even more redundant systems can offer even more speed, but each additional machine adds less value to redundancy.

Key Notes:
The controllers will either enter Connection Leasing mode or fail over to Local Host Cache, depending on what is configured.
For Connection Leasing: Only users that have previously launched resources within the last 14 days can successfully be brokered. Pooled VDI is not supported.
For Local Host Cache: All brokering will be handled by one single Delivery Controller.
For both: Studio and Director cannot start and the PowerShell API cannot be used.

Key Notes:
StoreFront has scalability built in to the architecture and does not rely on clustering technologies.
However, StoreFront is relying on NetScaler to distribute the incoming client connections and mitigate in case of failures.

Additional Resources:
Clustered license servers: https://docs.citrix.com/en-us/licensing/11-12-1/lic-cl-citrix-environment-c.html

Key Notes:
This might cause problems with the AD account of the “cloned” server. The first server might have changed the AD computer account password in the meantime.
Two machines claiming the same name or ID will cause a conflict and have to be separated at all times. So, additional caution needs to be applied to ensure the failed machine does not try to resume its original role.

Key Notes:
Both license servers must not be issuing licenses at the same time because of EULA restrictions.

Additional Resources:
Making the Citrix License Server (Truly) Highly Available - https://www.citrix.com/blogs/2015/02/12/making-the-citrix-license-server-truly-highly-available/

Key Notes:
This slide is to show all 3 database redundancy options side by side; the next three slides will go into detail about each solution.

Additional Resources:
Supported Databases for XenApp and XenDesktop Components - http://support.citrix.com/article/CTX114501

Key Notes:
Replica servers have been called mirror servers – some administrators might be more familiar with this term.
The replica servers can be used to speed up read access to the database, while all write actions have to be performed on the

Additional Resources:
Always On Availability Groups (SQL Server) - https://msdn.microsoft.com/en-us/library/hh510230.aspx

Key Notes:
The Witness server can be a different SQL Server edition than the principal and mirror server.
SQL Server 2016 and the next version still officially support this feature, but since Microsoft deemed the technology deprecated, it will most likely be removed in a future SQL Server version.

Additional Resources:
Deprecated Database Engine Features in SQL Server 2016: https://msdn.microsoft.com/en-us/library/ms143729.aspx

Key Notes:
The shared storage architecture requires management and redundancy as well – which might make this solution more costly than others.

Key Notes:
Citrix recommends NetScaler as the load balancing solution for StoreFront.

Additional Resources:
StoreFront high availability - https://docs.citrix.com/en-us/storefront/3-8/plan/high-availability-and-multi-site-configuration.html
Configure server groups - https://docs.citrix.com/en-us/storefront/3-8/configure-server-group.html
Load balancing with NetScaler - https://docs.citrix.com/en-us/storefront/3-8/integrate-with-netscaler-and-netscaler-gateway/load-balancing-with-netscaler.html

Key Notes:
Whenever a configuration change has been made on a StoreFront server within a server group, the changes must be propagated to the other servers in the group.
It is recommended to designate one server for making changes and keep the rest of the StoreFront servers as “passive partners”.
Synchronizing changes back and forth might corrupt the configuration.

Additional Resources:
StoreFront high availability - https://docs.citrix.com/en-us/storefront/3-8/plan/high-availability-and-multi-site-configuration.html
Configure server groups - https://docs.citrix.com/en-us/storefront/3-8/configure-server-group.html

Key Notes:
Based on simulated activity where users log on, enumerate 100 published applications, and start one resource, expect a single StoreFront server with the minimum recommended specification of two virtual CPUs running on an underlying dual Intel Xeon L5520 2.27 GHz processor server to enable up to 30,000 user connections per hour.

Expect a server group with two similarly configured servers in the group to enable up to 60,000 user connections per hour; three nodes up to 90,000 connections per hour; four nodes up to 120,000 connections per hour; five nodes up to 150,000 connections per hour; six nodes up to 175,000 connections per hour.

Additional Resources:
StoreFront high availability - https://docs.citrix.com/en-us/storefront/3-8/plan/high-availability-and-multi-site-configuration.html
Configure server groups - https://docs.citrix.com/en-us/storefront/3-8/configure-server-group.html
Load balancing with NetScaler - https://docs.citrix.com/en-us/storefront/3-8/integrate-with-netscaler-and-netscaler-gateway/load-balancing-with-netscaler.html

Key Notes:
Mail System, File server (profiles), telephony, web gateway, remote access, proxy, AV controller, storage, hypervisor, domain controller, backend databases used for line of business applications, print server, etc.

Key Notes:
XenApp and XenDesktop offers to install SQL Express during installation.
This version does not support any form of SQL HA.

Key Notes:
While large organizations have a dedicated security team in charge of all security concerns, smaller companies might leave some of these concerns with the individual Citrix Admin.
As a Citrix Admin it is important to be aware of the expectations from the organization as well as being aware of the different security mechanisms that can be implemented in the Citrix environment.

Key Notes:
The diagram serves as a high level overview; use it to investigate all the possibilities of creating an insecure solution.
Some companies allow internal access only, so securing internal components also requires blocking external access.
Some companies require security for all external facing components while only using basic security for internal components.

Key Notes:
This slide presents the same view as the previous one, but with security measures implemented.

Key Notes:
Typically in larger organizations the Citrix Admin does not have permission to create and obtain certificates needed to secure a deployment.

Key Notes:
Using certificates from public CAs often does not require additional management on client devices, since the public CAs are already included in their built-in list of trusted certificate authorities.

Key Notes:
Private (or internal) CAs are often used for domains that cannot be verified (company.local or company.intranet) and can reduce the cost compared to certificates from public CAs.
An additional benefit of hosting a private CA is the complete control over certificate management – but this also comes with the responsibility for protecting the CA against attacks or compromise.
Self-signed certificates do not require a CA. In fact, the certificate is signed using its own private key. By design, such certificates cannot be revoked if compromised, which is a large drawback. For use in larger enterprises, self-signed certificates also lack the required central management.

Key Notes:
The most common parts of the solution have been assigned certificates within the lab.
More components could be secured in a production environment.

Key Notes:
Domain-joined PCs will trust a domain CA by their membership of the domain.
Mac computers will need to trust the CA manually or by use of a management system.
Using a public signed certificate for StoreFront may be a better solution in order to support various device types.

Key Notes:
The BrokerService also hosts the Secure Ticket Authority (STA) required for remote access.

Additional Resources:
Securing the XenApp/XenDesktop XML Service: https://www.citrix.com/blogs/2016/11/03/securing-the-xenappxendesktop-xml-service-important-steps-to-prevent-theft-of-user-passwords/

Key Notes:
The slide only covers the first part of the Pass-through authentication process.
At this point we are only presenting the feature and how it ties in to the XML trust feature.

Additional Resources:
How to Configure Desktop Pass-Through with Storefront and Receiver: http://support.citrix.com/article/CTX133855
A Comprehensive Guide to Enabling Pass-Through Authentication with XenDesktop: https://www.citrix.com/blogs/2014/04/11/a-comprehensive-guide-to-enabling-pass-through-authentication-with-xendesktop-7-5/

Key Notes:
Prior to entering the command, the appropriate Citrix PowerShell Snap-In needs to be loaded.
Use IPsec, firewalls, or any technology that ensures that only trusted services communicate with the XML Service.
Enable this setting only on servers that are contacted by the StoreFront.
Restrict access to the XML Service to only the servers running the StoreFront.

Key Notes:
Using the XML trust policy with FMA will not work.
XML Trust must be configured with the use of PowerShell in FMA.
What is the purpose of configuring an XML Service Trust?
• To enable Pass-through authentication, Smart Card Authentication or SmartAccess.

Key Notes:
By using HTTP as the transport type, information is sent in clear text, with passwords obfuscated, posing a security risk.
By default, the XML Service on the Controller listens on port 80 for HTTP traffic and port 443 for HTTPS traffic. Although you can use non-default ports, be aware of the security risks of exposing a Controller to untrusted networks.
To change the default HTTP or HTTPS ports used by the Controller, run the following command from Studio: BrokerService.exe -WIPORT <http-port> -WISSLPORT <https-port>, where <http-port> is the port number for HTTP traffic and <https-port> is the port number for HTTPS traffic.

Additional Resources:
SSL - http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6-long-term-service-release/xad-security-article/xad-ssl.html
How to Enable SSL on XenDesktop 7.x Controllers to Secure XML Traffic: http://support.citrix.com/article/CTX200415

Key Notes:
While it is leading practice to secure XML traffic, unsecured XML traffic does not present the same security risk as an unsecured connection to StoreFront, because the XML traffic between StoreFront and Delivery Controller is typically internal with both servers on the same VLAN, unlike a browser connection to StoreFront where the user could be coming in from untrusted/public Wi-Fi connections.
Steps for configuring SSL/TLS for XML traffic:
• Install a server certificate on each Delivery Controller (a private certificate should be used because it is only accessed by StoreFront).
• Configure the correct port (default: 443) with the SSL certificate created in the step above.
• Disable the port 80 listener on the Delivery Controller.
• Later, you will also have to configure StoreFront to leverage https as the transport type for the Delivery Controller.

On top of securing the XML traffic, the VDA registration traffic and HDX traffic can also be secured by using the following procedures:
• Obtain, install, and register a server certificate on all Delivery Controllers, and configure a port with the SSL certificate. For details, see Install SSL/TLS server certificates on Controllers. Optionally, you can change the ports the Controller uses to listen for HTTP and HTTPS traffic.
Enable SSL/TLS connections between users and Virtual Delivery Agents (VDAs) by completing the following tasks:
• Configure SSL/TLS on the machines where the VDAs are installed. (For convenience, further references to machines where VDAs are installed are simply called "VDAs.") You can use a PowerShell script supplied by Citrix, or configure it manually. For general information, see About SSL settings on VDAs. For details, see Configure SSL on a VDA using the PowerShell script and Manually configure SSL/TLS on a VDA.
• Configure SSL/TLS in the Delivery Groups containing the VDAs by running a set of PowerShell cmdlets in Studio. For details, see Configure SSL/TLS on Delivery Groups.
Requirements and considerations:
• Enabling SSL/TLS connections between users and VDAs is valid only for XenApp 7.6 and XenDesktop 7.6 Sites, plus later supported releases.
• Configure SSL/TLS in the Delivery Groups and on the VDAs after you install components, create a Site, create Machine Catalogs, and create Delivery Groups.
• To configure SSL/TLS in the Delivery Groups, you must have permission to change Controller access rules; a Full Administrator has this permission.
• To configure SSL/TLS on the VDAs, you must be a Windows administrator on the machine where the VDA is installed.
• If you intend to configure SSL/TLS on VDAs that have been upgraded from earlier versions, uninstall any SSL relay software on those machines before upgrading them.
• The PowerShell script configures SSL/TLS on static VDAs; it does not configure SSL/TLS on pooled VDAs that are provisioned by Machine Creation Services or Provisioning Services, where the machine image resets on each restart.
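
The XML Service points in the notes above (XML trust, a certificate bound to the HTTPS port, the port 80 listener disabled) and the Delivery Group TLS setting can be checked with a read-only script. This is an added example, not Citrix-supplied code: it assumes an elevated session on a Delivery Controller with English `netsh` output, and the `XmlServicesEnableNonSsl` registry value and `HdxSslEnabled` rule property come from Citrix product documentation, not from these notes.

```powershell
# Added example: read-only audit of a Delivery Controller. It changes nothing.
# Assumption: $HttpsPort is the HTTPS port of the XML Service (443 by default).
param([int]$HttpsPort = 443)

Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# 1. XML Service trust: when enabled, the Controller trusts what the caller
#    asserts, so the XML port must only be reachable from StoreFront.
$site = Get-BrokerSite
if ($site.TrustRequestsSentToTheXmlServicePort) {
    Add-Finding 'XML trust' 'REVIEW' 'Enabled: confirm IPsec/firewall rules admit only StoreFront servers.'
} else {
    Add-Finding 'XML trust' 'INFO' 'Disabled: pass-through, smart card and SmartAccess need it enabled.'
}

# 2. Plain HTTP: the Broker Service ignores HTTP only when this DWORD is 0.
$key    = 'HKLM:\SOFTWARE\Citrix\DesktopServer'
$nonSsl = (Get-ItemProperty -Path $key -Name 'XmlServicesEnableNonSsl' `
           -ErrorAction SilentlyContinue).XmlServicesEnableNonSsl
if ($nonSsl -eq 0) {
    Add-Finding 'HTTP listener' 'OK' 'XmlServicesEnableNonSsl = 0 (HTTP ignored).'
} else {
    Add-Finding 'HTTP listener' 'WARN' 'HTTP is still accepted; XML traffic can travel in clear text.'
}

# 3. Certificate bound to the HTTPS port in HTTP.SYS, and its health.
$netsh = (& netsh http show sslcert) -join "`n"
$rx    = "IP:port\s*:\s*(\S+:$HttpsPort)\s+Certificate Hash\s*:\s*([0-9A-Fa-f]+)"
$match = [regex]::Match($netsh, $rx)
if (-not $match.Success) {
    Add-Finding 'TLS binding' 'WARN' "No certificate is bound to port $HttpsPort."
} else {
    $thumb = $match.Groups[2].Value.ToUpper()
    $cert  = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Add-Finding 'TLS binding' 'WARN' "Bound thumbprint $thumb is not in LocalMachine\My."
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        Add-Finding 'TLS binding' 'WARN' "Certificate expired on $($cert.NotAfter)."
    } elseif (-not $cert.HasPrivateKey) {
        Add-Finding 'TLS binding' 'WARN' 'Certificate has no private key on this machine.'
    } else {
        Add-Finding 'TLS binding' 'OK' "$($cert.Subject), valid until $($cert.NotAfter)."
    }
}

# 4. Delivery Group access rules that do not yet require TLS to the VDA.
$plain = @(Get-BrokerAccessPolicyRule | Where-Object { -not $_.HdxSslEnabled })
if ($plain.Count -gt 0) {
    Add-Finding 'HDX TLS' 'REVIEW' ("Rules without TLS: " + (($plain | ForEach-Object Name) -join ', '))
} else {
    Add-Finding 'HDX TLS' 'OK' 'All access policy rules have HdxSslEnabled set.'
}

$findings | Format-Table -AutoSize -Wrap
```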

Additional Resources:
Transport Layer Security (TLS) - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/tls.html
How to Enable SSL on XenDesktop 7.x Controllers to Secure XML Traffic: http://support.citrix.com/article/CTX200415
Securing the XenApp/XenDesktop XML Service: https://www.citrix.com/blogs/2016/11/03/securing-the-xenappxendesktop-xml-service-important-steps-to-prevent-theft-of-user-passwords/

Key Notes:
What are the high level steps for configuring a XenApp and XenDesktop Site?
• Answers:
• Step 1: Install Delivery Controller Role
• Step 2: Create XenApp and XenDesktop Site
• Step 3: Secure XML traffic

Key Notes:
HDX is the name used for ICA and CGP “Common Gateway Protocol” connections.
While this module focuses on enabling secure access from external networks using the NetScaler, the HDX protocol can also be encrypted internally using SSL/TLS.
For more information on internal encryption refer to the links below.

Additional Resources:
HDX technologies for optimizing application and desktop delivery - https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-hdx-technologies.pdf
TLS settings on VDAs - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/tls.html#par_anchortitle_53b7
Configure TLS on a VDA using the PowerShell script - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/tls.html#par_richtext_5

Key Notes:
NetScaler has a huge feature set; this is just a small percentage of what NetScaler can do.
A proxy server is typically hosted internally to allow users to browse externally hosted websites without actually having a TCP session to the web servers.
A reverse web proxy uses the same idea in the other direction: it allows external users to browse internal resources without enabling TCP access to the web servers themselves (many customers may be familiar with Microsoft ISA or TMG servers, which have similar functionality).
HDX proxy is similar to a reverse web proxy; however, instead of protecting web servers, it protects the internal VDAs and converts port 1494 and 2598 data to encrypted SSL data in real time.

Key Notes:
The STA service is, like the XML service, a sub-service within BrokerService.
The STA is, like XML, reachable on port 80 by default.
This service should be secured using SSL and certificates.
Think of the STA like a parking valet desk: you turn in your car and receive a randomized number, and this number can be used to authorize you to pick up your car later without presenting your credentials. The problem with this, much like the STA, is that you don’t want anyone to intercept your randomized number and pick up your car.

Key Notes:
At the point where this analogy starts, authentication, application browsing, the request to start an application and load balancing decisions have already taken place.
The next step would be NetScaler launching the session on the user’s behalf.

Additional Resources:
Establishing a Secure Connection to the Server Farm - https://docs.citrix.com/en-us/netscaler-gateway/11-1/integrate-web-interface-apps/ng-wi-integrate-apps-secure-connection.html (this document talks about Web Interface but the STA exchange is similar for StoreFront).

Key Notes:
While there are other products on the market that can do “HDX proxy”, NetScaler Gateway is the only product supported by Citrix.
When new features are added to the HDX protocol, they are immediately supported on NetScaler Gateway.
Competition does not have the same knowledge about the HDX protocol as Citrix does.

Additional Resources:
How to Configure NetScaler Gateway Session Policies for StoreFront - https://support.citrix.com/article/CTX139963

Key Notes:
The next slides will highlight the connection flow step by step in more detail; this slide serves only as an introduction and overview of the connection process as such.
All ports can be changed but this might complicate troubleshooting and monitoring; deviating from default ports should only be done with careful planning.

Key Notes:
Possible Answers:
• Only one port needs to be opened on the firewall (443). Single vendor to address for support (Citrix). Scalability options (more bandwidth, HA, more processing power, more features (SmartAccess, VPN etc.)).



Key Notes:
StoreFront has scalability built in to the architecture and does not rely on clustering technologies.
However, StoreFront relies on NetScaler to distribute the incoming client connections and to mitigate failures.
StoreFront checks out a Secure Ticket for the user's session and passes this information back through the NetScaler to the user’s device in the form of an ICA launch file. When the Receiver opens the ICA launch file, the Secure Ticket is presented to the NetScaler. The NetScaler will then attempt to validate this ticket with the STA; if this operation fails, resources cannot be launched.
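
The ticket exchange described above, modeled as an added example (this is not Citrix code and not part of the course material). The class and function names, the launch-file keys, the single-use rule, the 100-second lifetime and all addresses are assumptions of this model; it shows why the launch file never carries the internal VDA address and three ways validation at the gateway can fail.

```python
import secrets
import time


class LaunchDenied(Exception):
    """Raised by the gateway when a presented ticket cannot be validated."""


class SecureTicketAuthority:
    """In-memory model of an STA: swaps an internal VDA address for an opaque ticket."""

    def __init__(self, sta_id, ttl_seconds=100.0, clock=time.monotonic):
        self.sta_id = sta_id
        self._ttl = ttl_seconds  # assumed ticket lifetime for this model
        self._clock = clock
        self._tickets = {}  # ticket -> (vda_address, expiry time)

    def request_ticket(self, vda_address):
        """Called by StoreFront: store the address, hand back a random ticket."""
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (vda_address, self._clock() + self._ttl)
        return ticket

    def redeem(self, ticket):
        """Called by the gateway: return the address once, or None."""
        # pop() makes every ticket single-use: a replayed launch file finds nothing.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        vda_address, expiry = entry
        return vda_address if self._clock() <= expiry else None


def storefront_build_launch_file(sta, gateway_fqdn, vda_address):
    """StoreFront checks out a ticket; the launch file names only the gateway."""
    return {
        "gateway": f"{gateway_fqdn}:443",
        "sta_id": sta.sta_id,
        "ticket": sta.request_ticket(vda_address),
    }


class Gateway:
    """Validates tickets only against the STAs it has been bound to."""

    def __init__(self, bound_stas):
        self._stas = {sta.sta_id: sta for sta in bound_stas}

    def launch(self, launch_file):
        sta = self._stas.get(launch_file.get("sta_id"))
        if sta is None:
            raise LaunchDenied("ticket issued by an STA this gateway is not bound to")
        vda_address = sta.redeem(launch_file.get("ticket", ""))
        if vda_address is None:
            raise LaunchDenied("ticket unknown, expired or already used")
        return vda_address  # the gateway would now proxy the session to this address


class FakeClock:
    """Controllable clock so expiry can be shown without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def attempt(gateway, launch_file):
    try:
        return gateway.launch(launch_file)
    except LaunchDenied as exc:
        return f"DENIED: {exc}"


def demo():
    clock = FakeClock()
    sta_a = SecureTicketAuthority("STA-A", clock=clock)
    sta_b = SecureTicketAuthority("STA-B", clock=clock)
    gateway = Gateway([sta_a])  # gateway is bound to STA-A only
    vda = "10.0.0.25:1494"  # constructed internal address

    results = {}
    good = storefront_build_launch_file(sta_a, "gw.example.test", vda)
    results["leaks_vda"] = vda in str(good)       # internal address never leaves
    results["first"] = attempt(gateway, good)     # valid launch
    results["replay"] = attempt(gateway, good)    # same launch file used twice

    stale = storefront_build_launch_file(sta_a, "gw.example.test", vda)
    clock.now += 101                              # user opens the file too late
    results["expired"] = attempt(gateway, stale)

    # StoreFront and the gateway configured with different STAs
    foreign = storefront_build_launch_file(sta_b, "gw.example.test", vda)
    results["foreign_sta"] = attempt(gateway, foreign)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

The last case is the one to check first when launches fail for every user: StoreFront and the gateway must refer to the same STA servers.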


Key Notes:
Director can access:
Real-time data from the Broker Agent using a unified console integrated with Analytics, Performance Manager, and Network Inspector.
• Analytics includes performance management for health and capacity assurance, and historical trending and network analysis, powered by NetScaler Insight Center or NetScaler MAS, to identify bottlenecks due to the network in your XenApp or XenDesktop environment.
Historical data stored in the Monitor database to access the Configuration Logging database.
ICA data from the NetScaler Gateway using NetScaler Insight Center or NetScaler
MAS.
• Gain visibility into end-user experience for virtual applications, desktops,
and users for XenApp or XenDesktop.
• Correlate network data with application data and real-time metrics for
effective troubleshooting.



• Integrate with XenDesktop 7 Director monitoring tool.
Personal vDisk data that allows for runtime monitoring showing base allocation and
gives help-desk IT the ability to reset the Personal vDisk (to be used only as a last
resort).
Director is an on-premise component, typically hosted on Delivery Controllers or
separate servers depending on scale and use case.
HDX insight is an appliance that can deliver data from the ICA sessions flowing
through NetScaler like latency, bandwidth consumption and packet loss.

Additional Resources:
About Director - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/director.html
HDX Insight at a glance - https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/hdx-insight-powered-by-citrix-netscaler-insight-center.pdf

Key Notes:
By default, Citrix Director is installed on a Delivery Controller.
Install Director using the installer, which checks for prerequisites, installs any missing components, sets up the Director website and performs basic configuration.
The installer handles typical deployments. If Director was not included during installation, use the installer to add Director. To add any additional components, re-run the installer and select the components to install.


For information on using the installer, see the Installation documentation. Citrix
recommends that you install using the product installer only, not the .MSI file.

Additional Resources:
Citrix Director Documentation: About Director - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/director.html
Citrix Director Requirements: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/system-requirements.html#par_anchortitle_5d4a


Key Notes:
In smaller environments the Delivery Controller should have capacity to run Director.
However, as load starts to increase, Director can take away resources from the Delivery Controller.
To ensure optimal performance inside Director, and to ensure proper session brokering performance, separate the Director role from the Delivery Controller.
To ensure a highly available Director solution, and to spread load between Director servers, use NetScaler to load balance between multiple servers.

Additional Resources:
Load Balancing Director with NetScaler:
https://www.citrix.com/blogs/2016/09/06/using-netscaler-to-load-balance-director/


Key Notes:
The Delivery Controller's ability to process XML queries from StoreFront has a significant impact on the perceived performance of StoreFront.
The StoreFront servers might have plenty of available resources, but if the delay is down the stack, then StoreFront performance will suffer.



Key Notes:
The default view when logging on to Director as an administrator is the dashboard.
The dashboard contains alerts and a number of clickable graphs. If there are active alerts, the alerts pane will drop down.



Key Notes:
The lower part of the dashboard contains operational status for hypervisors, databases and the License Server.



Key Notes:
• Dashboard – overview of performance and failures for the last hour – This self-updating view can be left open, so Citrix administrators can quickly see a change in performance of their site and react accordingly.
• Trends – provides access to recorded site metrics for up to a year – Administrators can create historical reports on how many users have used resources from the site and which applications are used the most.
• Filters – function much like database queries to find specific information about machines, sessions or connections – Administrators can produce a filtered list of all users with a specific Receiver version or running a certain application from specific networks.
• Alerts – interface to define rules for alert conditions – Administrators of specified delivery groups can be notified via email when logon performance drops or a predefined load threshold is exceeded.
• Search – search for sessions by specifying username, VDA name or endpoint – HelpDesk users can interactively search for sessions to offer remote assistance or begin troubleshooting.


Key Notes:
Administrators can report on recorded performance metrics of a site reaching up to a year in the past (depending on the product edition).
The data can also be exported in PDF, CSV or XLSX format for later processing or archival.
The different reports available include:
• Sessions: shows the number of peak concurrent sessions for any delivery group. Also displays session start times and duration for selected users.
• Failures: displays errors relating to VDAs and connections in association with administrative changes made to the site database.
• Logon Performance: provides an overview of the duration of each logon for specific delivery groups in a set timespan with a breakdown of how much time is spent in different phases of the logon process, like group policy application or running logon scripts.
• Load Evaluator Index: shows the load management values used to determine session placement on server OS VDAs and breaks them down.



• Capacity Management: reveals how many concurrent instances of any
published application were running in a set time period.
• Machine Usage: shows how many VDAs are available and which delivery
groups they are assigned to.
• Resource Utilization: Graphs show data for Average CPU, Average Memory,
and Peak Concurrent Sessions. The administrator can drill down to the
machine, and view data and charts for the top 10 processes consuming
CPU.
• Customized reports: The Custom Reports tab provides a user interface to
generate Custom Reports containing real-time and historical data from the
Monitoring database in tabular format.
• Network: provides deeper insight into HDX performance metrics, like how many times a client automatically reconnected, or what latency applied to what session (and when).


Additional Resources:
Citrix Director: Trends explained - https://www.citrix.com/blogs/2014/09/22/citrix-director-trends-explained/

Key Notes:
The filtered views can be filtered by many different criteria. These filters can also be saved for easier access.
• Example: I want to find all sessions that are connected from a Receiver version lower than 4.0.
Pre-defined filters cannot be edited, but you can save a pre-defined filter as a custom filter and then modify it. Additionally, you can create custom filtered views of machines, connections, and sessions across all Delivery Groups.

Additional Resources
Citrix Director 7.6: Filters explained - https://www.citrix.com/blogs/2014/12/17/citrix-director-7-6-filters-explained/
Filter data to troubleshoot failures - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/director/monitor-deployments.html#par_anchortitle


Key Notes:
• Citrix alerts are alerts monitored in Director that originate from Citrix components. You can configure Citrix alerts within Director in Alerts > Citrix Alerts Policy. As part of the configuration, you can set notifications to be sent by email to individuals and groups when alerts exceed the thresholds you have set up. Configure the notification as emails to individuals and groups, Octoblu webhooks, and SNMP traps.

Additional Resources:
• Alerts and notifications - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/director/alerts-notifications.html
• Configure alerts policies with SNMP traps - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/director/alerts-notifications.html#par_anchortitle_6b0f


Key Notes:
SCOM integration with Director lets you view alert information from Microsoft System Center 2012 Operations Manager (SCOM) on the Dashboard and in other high level views in Director.
SCOM alerts are displayed on-screen alongside Citrix alerts. You can access and drill down into SCOM alerts from the SCOM tab in the side bar.
You can view historical alerts up to one month old, sort, filter, and export the filtered information to CSV, Excel, and PDF report formats.


The requirements for SCOM integration are:
• Windows Server 2012 R2
• System Center 2012 R2 Operations Manager
• PowerShell 3.0 or higher (PowerShell version on Director and the SCOM
server must match)
• Quad Core CPU with 16 GB RAM (recommended)
• A primary Management Server for SCOM must be configured in the
Director web.config file. You can do this using the DirectorConfig tool.



• Citrix recommends that the Director administrator account is configured as a
SCOM Operator role so that they can retrieve full alert information in
Director. If this is not possible, a SCOM administrator account can be
configured in the web.config file using the DirectorConfig tool, however, it is
not recommended.
• Citrix recommends that you do not configure more than 10 Director
administrators per SCOM Management Server. This is to ensure that the
SCOM Management Server is moderately loaded for optimal performance.

Key Notes:
Filters work almost like a SQL “Select * from”.
Can be utilized to quickly find the relevant resources or sessions.
Can be saved for later usage.



Key Notes:
Using the Trends section of Director will give you access to a vast amount of historical data hosted in the Site Database.



Key Notes:
For every administrator that has access to the Dashboard view, the Search-View is located in the upper right corner.



Key Notes:
For all administrators that do not have access to the Dashboard view (or Trends and Filters), but have access to certain Director functions (view Client/Machine/User details page), the Search-View automatically becomes the homepage.



Key Notes:
The beginning of given name, last name or logon name can be used to query Active Directory while typing. So the first few characters of a user’s name are sometimes sufficient to receive suggestions from Active Directory.
Suggestions while typing are also available for the machine and endpoint search.
Matching is always done from left to right, so entering “Tata” would match “Tatarinov”, but “tari” would not.



Key Notes:
Applications are normally running visible in the session of a user, while processes contain tasks running in the background (normally not visible to the user).

Key Notes:
The Session view and Detailed Session view are self-updating, but can be updated on demand as well to reflect recent changes to a user’s session.
Meaningful names can help a lot while troubleshooting an issue, as the full name of a policy is displayed in the session details windows.



Key Notes:
Desktop sessions each require their own session, while published applications might run in the same session (depending on configuration). Also mention that in some deployments users start off with a single desktop session and start multiple sessions from there to access their published applications.
Selecting the correct session is key in troubleshooting performance issues, for example when an application performs poorly while other applications from different sessions show no issues.

Key Notes:
To change this behavior, the full admin could copy the helpdesk role and change the permissions accordingly.
What are the parameters I can use to search for a session?
• Possible Answer:
• Username (any of the following: given name, last name, logon name)
• Machine name
• Name of the endpoint device


Key Notes:
During log off and closure of applications, depending on the OS & application setting, unsaved content might get lost.
Tasks currently consuming CPU and memory will continue to do so when a session is disconnected.

Key Notes:
Depending on local data and privacy laws, using this feature requires consent of the user.
Some companies consider shadowing a security vulnerability or an invasion of privacy.
Shadowing uses Microsoft’s Remote Control feature.
Shadowing requires some configuration before it can be used:
• The VDA needs to be accessible from the HelpDesk Agent’s machine via the Remote Control port (default: 3389).
• The person or group accessing a session needs the appropriate permission to do so.
• The remote control feature needs to be enabled during setup of Director.


Key Notes:
The VDA needs to be running, but the user will be logged out during the reset procedure.
Personal vDisks are a very special solution to some problems/scenarios and add an additional layer of management and overhead to the system. Therefore they should be used only where appropriate requirements exist.
Any data on the Personal vDisk will be lost if it is not saved elsewhere or backed up. This function should be used with caution.


If a Delegated Admin does not have permissions to reset the Personal vDisk, the
menu item will be gray in Director. This administrative permission can be found in
the delegated role under Director.
Caution: When you reset the disk, the settings revert back to their factory default
values and all data on it is deleted, including applications. The profile data is
retained unless you modified the Personal vDisk default (of redirecting profiles from
the C: drive), or you are not using a third-party profile solution.

Additional Resources

FAQ: Personal vDisk in XenDesktop - http://support.citrix.com/article/CTX131553
Reset Personal vDisk: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-monitor-article/xad-monitor-director-wrapper/xad-help-desk-wrapper/xad-help-reset-pvd.html


Key Notes:
The profile reset function is available only for user profiles managed by Citrix User Profile Management or Microsoft roaming profiles.
It is a leading practice to separate user application settings from user generated data by using folder redirection.
Citrix Profile Management retains and copies folders like My Documents or Pictures to the user profile after resetting the application settings in the profile. In addition, the original profile is not deleted but just renamed, so data from this profile can be recovered if needed.
Folder Redirection is important when resetting a Microsoft roaming profile; without folder redirection enabled the user will lose access to My Documents, Pictures, Download etc., and it will be a manual process of copying them from the renamed profile into the new profile.

Additional Resources
Reset a user Profile - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-monitor-article/xad-monitor-director-wrapper/xad-help-desk-wrapper/xad-help-reset-user-profile.html


Key Notes:
The option to kill processes is not new, but it is much more accessible since the feature has been exposed to Director.
Ensure that all Delegated Admins that have access to Director are aware of the consequences of killing a process.

Additional Resources
Restore sessions - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/director/troubleshoot/restore-session.html
Resolve application failures - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/director/troubleshoot/application-failures.html


Key Notes:
Sending a message to users is extremely helpful when doing maintenance on Citrix environments; it allows us to quickly notify active users of pending actions.

Additional Resources
Send messages to users - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/director/troubleshoot/send-messages.html

Key Notes:
We are integrating with remote assist to do shadowing.
Remote assist must be allowed in firewall rules and GPOs.
Which types of profiles can be reset using Citrix Director?
• Only profiles managed by User Profile Management or Microsoft Roaming profiles can be reset using Director.



Key Notes:
HDX Insight is part of the NetScaler Insight Center™ and is based on the popular industry standard AppFlow™. NetScaler Insight Center leverages the NetScaler Application Delivery Controller (ADC) and the CloudBridge WAN optimization solution that are uniquely situated in the application ‘line of sight’ both in the data center and the branch to provide a 360-degree view for applications, including virtual desktop traffic.
Fast Failure Analysis: HDX Insight allows administrators to dissect the network data from various angles including desktop, application, user groups and at the individual user level. This results in a fast root-cause-analysis for customer issues.
Real-time Client/Server Latency Measurements: In addition to TCP level jitter and
latency information, HDX Insight provides detailed breakdown of ICA Session
latency by client, ICA RTT, and by server. These are viewed in real-time or
historically on simple dashboards.
Powerful data correlation between application and network data enables reporting
and analysis on applications, the network and users.
When deployed in-line, NetScaler and CloudBridge detect and dissect ICA connections to provide complete visibility into the protocol.
HDX Insight provides the ability to drill down to provide visibility and troubleshooting
at the user level. Moreover, HDX Insight can sort issues by a specific application or
server that might be impacting a group of users.

Additional Resources
HDX Insight at a glance - https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/hdx-insight-powered-by-citrix-netscaler-insight-center.pdf

Key Notes:
Remember HDX/CGP/ICA is a proprietary protocol, based on virtual channels.
Part of the virtual appliance is a database to store performance data.
The appliance can be hosted on XenServer, VMware ESX, Microsoft Hyper-V and KVM.
The blue line between the Director Server and the NetScaler Insight Center is the Director querying the NetScaler Insight Server.

Key Notes:
In the lab, a preconfigured appliance will be used.
Step 1 encompasses assigning an IP, subnet mask, gateway and DNS address to the appliance.
Step 2 can be performed in the Web GUI of the HDX Insight appliance.
Step 3 requires execution of “C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /confignetscaler” on the Director server.
Without step 3, admins would need to pull reports directly from NetScaler Insight Center, and this would not offer the same flexibility as integrating with Director.


Key Notes:
AppFlow is a UDP-based protocol (similar to NetFlow) for transmitting monitoring data to so-called Collectors. The HDX Insight Box is such a collector.

Additional Resources
How AppFlow works - https://docs.citrix.com/en-us/netscaler/11-1/ns-ag-appflow-intro-wrapper-con.html

Key Notes:
In addition to Director, most statistics are also available from the dashboard within the WebGUI of HDX Insight.

Additional Resources
HDX Insight Reports - http://docs.citrix.com/en-us/netscaler-insight/11-0/viewing-reports/ni-viewing-hdx-reports-ref.html

Key Notes:
Management packs are available for XenApp and XenDesktop (for 7.x versions with FMA architecture), XenApp 6.x, XenServer, StoreFront, Web Interface, Provisioning Services, License Server, NetScaler and CloudBridge.
SCOM management packs are only available with Platinum licenses.

Additional Resources
Citrix SCOM Management Bundle Now Available for Platinum Customers: https://www.citrix.com/blogs/2016/03/17/citrix-scom-management-bundle-now-available-for-platinum-customers/
Reference SCOM Packs: http://docs.citrix.com/en-us/scom-management-packs/scom-management-pack-for-xenapp-and-xendesktop.html


Additional Resources
Citrix SCOM Management Bundle Now Available for Platinum Customers - https://www.citrix.com/blogs/2016/03/17/citrix-scom-management-bundle-now-available-for-platinum-customers/

Key Notes:
Citrix SCOM Management Packs do not ship with a specific release of XenApp and XenDesktop.
Citrix SCOM Management Packs are backwards compatible, so you can deploy the latest version even if you want to monitor an older XenApp and XenDesktop environment.
The SCOM Management Packs can be updated to the latest supported release while retaining LTSR status.

Additional Resources
Citrix SCOM Management Pack for XenApp and XenDesktop version 3.9 - https://docs.citrix.com/en-us/scom-management-packs/xenapp-xendesktop/3-9/whats-new.html


Key Notes:
Testing with 10,000 users has proven the following:
• Increasing the session count does not impact the CPU usage of MPXAXDAgent
• Increasing the session count does not impact the CPU usage of HealthService
• Average CPU usage of MPXAXDAgent was ~ 24%
• Average CPU usage of HealthService was ~ 0.2%


• Average Memory usage of MPXAXDAgent was ~ 2 GB
• Average Memory usage of HealthService was ~ 100 MB
Computers that will host Citrix SCOM Management Pack Machine Agent for
XenApp and XenDesktop must meet the following minimum hardware requirements:
• One physical CPU with two cores (for physical systems), two virtual CPUs
(for virtual systems); CPU clock speed of 2.3 GHz
• 4 GB of RAM (excluding the paging file size)



• 1 GB of free local storage space

Additional Resources:
XenApp & XenDesktop Management Packs for SCOM Explained - https://www.citrix.com/blogs/2016/07/11/scale-and-performance-of-citrix-xenapp-and-xendesktops-management-packs-for-scom-explained-tadej-razborsek/
Citrix SCOM Management Pack for XenApp and XenDesktop Performance Overview - http://docs.citrix.com/content/dam/docs/en-us/scom-management-pack/xenapp-and-xendesktop-management-pack/3-8/downloads/Citrix_MPXAXD_PerformanceOverview.pdf

Key Notes:
CXD-302 XenApp and XenDesktop Advanced Concepts – Troubleshooting is a two-day course that focuses on troubleshooting.



Key Notes:
Most IT companies have a troubleshooting methodology in place even if it’s not formally defined.
Issue identification is the first step in the troubleshooting methodology. Issues are typically reported through either helpdesk tickets, monitoring tools or observations by admins.
Understanding the problem is all about understanding the symptoms. This is especially important if you cannot easily reproduce the problem and you need to understand the circumstances under which the problem appears. It is important to determine the difference between the expected behavior and the actual behavior.
Recovering the service can potentially be one of the first steps in the troubleshooting methodology. Sometimes, one part of the team can work on the recovery while the other part of the team tries to identify and fix the issue.
Isolation of the problem is helpful to narrow the number of components to troubleshoot. Is the problem related to specific servers or components? Specific times of day? Specific networks? etc.
The methodology that is commonly used (even if not defined formally) is called DTAP (Development -> Test -> Acceptable -> Production). In most environments, this is spread across two environments, test and production; but some environments can include even more environments.
After resolving a problem it is a good practice to ensure the problem does not happen again; this can be done using monitoring tools, by implementing scheduled maintenance or by revisiting the HA and Disaster Recovery plan.

Key Notes:
Taking pro-active steps is more important than troubleshooting.
If the admin had taken pro-active steps in the first place, he would never have faced the issue in the example.

Additional Resources:
XenApp and XenDesktop 7.12 Fixed issues - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/whats-new/fixed-issues.html
XenApp and XenDesktop 7.12 Known issues - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/whats-new/known-issues.html

Key Notes:
All Citrix webpages are fully indexed by Google, which makes it a great search tool
for Citrix resources.
Use site:citrix.com followed by what you are searching for to get Citrix-only hits.

Additional Resources:
Support Knowledge Center: http://support.citrix.com/en/products/xendesktop


Additional Resources:
XenApp and XenDesktop 7.12 Fixed issues - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/whats-new/fixed-issues.html

Key Notes:
Hotfixes on the FMA platform are typically prefixed with a name to identify which
component they are designed for; following is a list of some of the names being
used and what they are designed for:
• ICATS - For Server VDA Core Services
• ICAWS - For Workstation VDA Core Services
• XDPoshModule - For XenApp & XenDesktop PowerShell Module
• GPMx - For Group Policy Management Console for Windows
• DStudio - For Citrix Studio
• HDXWMIPROV - For HDX WMI Provider
• UpsServer - For Universal Print Server
• MISA - For Machine Identity Service Agent
• GPCSExt - For Group Policy Client-Side Extension
• DDirector - For Citrix Director


Key Notes:
Installing a hotfix that is in general release is typically “safer” since it has gone
through a stricter release process.
When installing any type of hotfix you should always read the release notes, as they
contain important information on any adverse effects the hotfix may have, or if the
hotfix has any requirements.

Additional Resources:
Lifecycle Maintenance Hotfixes - Definitions and Examples
http://support.citrix.com/article/CTX130337


Key Notes:
A Limited Release hotfix should only be installed if you experience the exact same
issue that the hotfix mitigates.
A Limited Release hotfix should never be part of routine patch management of the
Citrix environment; it should always be tested separately in a test environment
before it is released to the production environment.
Implementing a Limited Release may have unforeseen side effects.
Be sure to read the release notes.


Key Notes:
Some MyCitrix accounts may not have permission to download all limited hotfixes;
typically, partner accounts have more extensive download permissions.

Additional Resources:
Citrix Knowledge Center - http://support.citrix.com/



Key Notes:
LTSR was created to allow customers to stay on a specific Citrix platform for an
extended period of time.
The support entitlements of the Current Release program state that to be
compliant you must continuously keep your platform updated to the latest product
release.
Issue example: Pharma CustomerA has regulations that state that any new
environment must undergo regression testing for 18 months before the environment
can go into production. After 4 months of testing XenApp & XenDesktop 7.9, Citrix
releases a new version, thus effectively forcing CustomerA to update the
environment and reset the test phase.
Long Term Service Releases (LTSR) of XenApp and XenDesktop are ideal for large
enterprise production environments where you would prefer to retain the same base
version for an extended period. With LTSR, you will have regular access to fixes
typically void of new functionality for predictable on-going maintenance. With each
LTSR comes new extended support timelines that let you plan ahead for upgrades
at a pace that’s right for you and your organization.
Extended Lifecycle with support for 10 years. Citrix typically announces a five year
mainstream support lifecycle for each major release, but with LTSR the clock restarts.
For a Long Term Service Release, you will have 5 years of mainstream support and 5
years of extended support (separate contract required).
Predictable maintenance thanks to scheduled cumulative updates. Citrix will regularly
release LTSR cumulative updates – typically containing only fixes devoid of new
features – making it easier to schedule on-going site maintenance and lowering risk
to your deployments.
Reduced IT costs with simplified management. Opting to implement a Long Term
Service Release of XenApp or XenDesktop will give you access to the highest quality
product releases with the most predictable maintenance schedule to streamline your
management efforts, reduce uncertainties and mitigate risks, thereby lowering your
total cost of ownership.

Additional Resources:
Explanation of LTSR: https://www.citrix.com/support/programs/software-maintenance/xenapp-and-xendesktop-servicing-options.html

Key Notes:
Current Releases (CR) of XenApp and XenDesktop deliver the latest, most
innovative app and desktop virtualization features and functionality allowing you to
stay on the cutting edge of technology and ahead of your competition. Ideal for
agile environments where you can rapidly deliver the newest app and desktop
virtualization features, including both production and test environments. On-going
support and maintenance for Current Releases is aligned with the frequent release
cycles. Instead of managing new releases and patches independently, with Current
Releases you can simply upgrade to the latest release which includes fixes and new
functionality side-by-side.

Additional Resources:
Explanation of CR - https://www.citrix.com/support/programs/software-maintenance/xenapp-and-xendesktop-servicing-options.html


Key Notes:
LTSR is currently in extended support until January 2026.

Additional Resources:
Lifecycle Product Matrix table - https://www.citrix.com/support/product-lifecycle/product-matrix.html

Key Notes:
Many problems can be addressed by utilizing the StoreFront event log.

Key Notes:
Director has a built-in feature to address profile resets.

Key Notes:
The Citrix Supportability Pack is downloaded as a zip file; the zip file contains an
updater function and a web view to get an overview of all the tools. Each section
has a link to the online product documentation.
A sub-folder for each tool is available under the tools folder.
The Supportability Pack is a collection of popular tools (53 in total as of v1.2.4)
written by Citrix engineers to help diagnose and troubleshoot XenDesktop/XenApp
products. The tools are cataloged by features and components to make them easier to
find and use, and the addition of Supportability Pack Updater since v1.2.0 makes
the Pack self-updatable. Early versions of the Pack serve as a launch pad for
efforts to raise awareness, improve accessibility, and promote use of internal
troubleshooting tools. In subsequent updates of this pack the spotlight will shift to
creation of new tools based on prevalent customer scenarios and your feedback.

Additional Resources:
Citrix Supportability Pack v1.2.4 - http://support.citrix.com/article/CTX203082


Key Notes:
Installing Supportability Pack
1. If you have an older version of Supportability Pack on your system, e.g. v1.1.x,
we recommend you completely remove the existing Supportability Pack including all
tools and files before downloading the new v1.2.x version. Since v1.2.x provides a
new Updater utility, you can use it to keep all tools up to date in the future.
2. Unzip the Supportability Pack v1.2.x zip package into a local folder of your
choice.
3. Open the README.HTML file with any web browser and begin exploring the
tools catalog.
4. Each tool is in its individual folder inside the local directory Tools.
5. The Updater SupportabilityPackUpdater.exe is in the same directory as
README.HTML. Use "SupportabilityPackUpdater.exe /help" to get more info about
how to use it.


Key Notes:
The VDA Clean-Up Utility can be run in unattended mode if desired using the /silent
command line option.
C:\> VDACleanupUtility.exe /silent
In silent mode, the tool will reboot the system automatically. After the reboot, log on to
the machine with the same admin user; the tool will run again automatically.
Automatic reboot of the system can be suppressed by using the /NoReboot command
line option, though it is highly recommended to reboot the machine before
attempting to re-install the VDA.
C:\> VDACleanupUtility.exe /noreboot
C:\> VDACleanupUtility.exe /silent /noreboot
Log files for the VDA Cleanup Utility are created in the %TEMP%\Citrix\VdaCleanup folder
and can be used to track all uninstall actions and results.

Additional Resources:
VDA Cleanup Utility - https://support.citrix.com/article/CTX209255


Key Notes:
HDX Monitor is a free tool provided for download on the Citrix Insight Services
Website. Users can run the tool inside a session or admins can use the tool to
monitor a session remotely within the domain.
Explain that HDX Monitor does not change the properties of a session and cannot
interfere with the session (disconnect, logoff etc.).
HDX Monitor can export the data to an XML file for later processing.
Citrix HDX includes a broad set of technologies that provide a high-definition user
experience.
HDX provides a superior graphics and video experience for most users by default,
with no configuration required. Citrix policy settings that provide the best out-of-the-
box experience for the majority of use cases are enabled by default.
Use the HDX Monitor tool (which replaces the Health Check tool) to validate the
operation and configuration of HDX visualization technologies and to diagnose and
troubleshoot HDX issues.

Additional Resources:
HDX Monitor Tool - https://cis.citrix.com/hdx/download/
HDX - https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/hdx.html
HDX 3D Pro - http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-7/hdx/hdx-3d-pro.html
HDX Monitor 3.x - https://support.citrix.com/article/CTX135817

Key Notes:
Print Detective is a support tool that can scan a local or remote computer for
installed print drivers; the tool can list details either in the console or output the data
to a log file.
The tool can be very helpful in analyzing driver versions across different VDAs.
Example: UserA can print when he is logged on to ServerA, but not when he is
logged on to ServerB; use the tool to get a list of print drivers on both servers and
compare these.
Also, it has the ability to delete specific drivers, but this requires admin rights on the
specific computer.
Print Detective is an information gathering utility that can be used for
troubleshooting problems related to print drivers. It enumerates all printer drivers
from the specified Windows machine, including driver specific information. It can
also be used to delete specified print drivers. It allows for log file capabilities and
provides a command-line interface as well.

Additional Resources:
Print Detective v1.2.1.5: http://support.citrix.com/article/CTX116474
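
The ServerA/ServerB comparison from the notes above, as an added PowerShell example (not part of the course material and not Print Detective's own code). The function name, the field names and the two driver inventories are constructed for illustration.

```powershell
# Added example: compare print driver inventories from two servers.
# The inventories below are constructed sample data. On live servers a similar
# list could be built with the PrintManagement module, for example
#   Get-PrinterDriver -ComputerName ServerA
# and mapped to the Name / Environment / Version fields used here (assumption).

function Compare-DriverInventory {
    param(
        [Parameter(Mandatory)] [object[]] $Reference,
        [Parameter(Mandatory)] [object[]] $Difference,
        [string] $ReferenceName  = 'ServerA',
        [string] $DifferenceName = 'ServerB'
    )

    # Index both inventories by driver name plus environment, because the same
    # driver name can be installed for more than one environment (x64, x86).
    $index = @{}
    foreach ($d in $Reference) {
        $index["$($d.Name)|$($d.Environment)"] = @{ Ref = $d; Diff = $null }
    }
    foreach ($d in $Difference) {
        $key = "$($d.Name)|$($d.Environment)"
        if ($index.ContainsKey($key)) { $index[$key].Diff = $d }
        else { $index[$key] = @{ Ref = $null; Diff = $d } }
    }

    # Report only the drivers that differ between the two servers.
    foreach ($key in ($index.Keys | Sort-Object)) {
        $pair = $index[$key]
        if     (-not $pair.Diff) { $status = "Missing on $DifferenceName" }
        elseif (-not $pair.Ref)  { $status = "Missing on $ReferenceName" }
        elseif ($pair.Ref.Version -ne $pair.Diff.Version) { $status = 'Version mismatch' }
        else   { continue }   # identical on both servers, nothing to report

        $driver = if ($pair.Ref) { $pair.Ref } else { $pair.Diff }
        [pscustomobject]@{
            Driver           = $driver.Name
            Environment      = $driver.Environment
            ReferenceVersion = if ($pair.Ref)  { $pair.Ref.Version }  else { $null }
            DifferenceVersion = if ($pair.Diff) { $pair.Diff.Version } else { $null }
            Status           = $status
        }
    }
}

# Constructed inventories: driver names and versions are made up.
$serverA = @(
    [pscustomobject]@{ Name = 'Contoso Laser PCL6';   Environment = 'Windows x64'; Version = '3.1.0.0' }
    [pscustomobject]@{ Name = 'Fabrikam Inkjet PS';   Environment = 'Windows x64'; Version = '1.4.2.0' }
    [pscustomobject]@{ Name = 'Contoso Label Writer'; Environment = 'Windows x64'; Version = '2.0.0.0' }
)
$serverB = @(
    [pscustomobject]@{ Name = 'Contoso Laser PCL6';   Environment = 'Windows x64'; Version = '2.9.5.0' }
    [pscustomobject]@{ Name = 'Fabrikam Inkjet PS';   Environment = 'Windows x64'; Version = '1.4.2.0' }
    [pscustomobject]@{ Name = 'Contoso Laser PCL6';   Environment = 'Windows NT x86'; Version = '2.9.5.0' }
)

Compare-DriverInventory -Reference $serverA -Difference $serverB |
    Format-Table -AutoSize
```

Drivers that are identical on both servers are left out of the report, so what remains is the short list to check against the user's failing printer.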


Key Notes:
The Receiver Clean-Up Utility can be run in unattended mode if desired using the
/silent command line option.
C:\> ReceiverCleanupUtility.exe /silent
A ReceiverLogs folder is created in the location where the utility is run and tracks all
uninstall actions and results.
Although the Receiver Clean-Up Utility will back up Receiver registry keys before
deleting them, it is recommended to back up the registry before running this tool.

Additional Resources:
Receiver Clean-Up Utility - http://support.citrix.com/article/CTX137494


Key Notes:
Most print driver issues are related to mapping and deleting the printer multiple
times in a shared environment.
StressPrinters will simulate this action; use the drop-down selectors to choose how
many tests to run.
This should never be performed on a production environment, as it may cause
performance degradation or stability issues.
Many printer driver problems in Terminal Services/Remote Desktop Services
environments revolve around poor multi-threaded performance, which in turn can
cause print spooler instability. Problematic multi-threaded performance is usually
exposed when multiple users connect to a Terminal Server simultaneously using the
same printer driver. Symptoms include the failure to auto-create client printers,
increased thread count of the printer spooler and/or Citrix Print Manager services,
and possibly the unresponsiveness and/or unexpected termination of these services
(stop responding).
This tool can be used to simulate multiple sessions auto-creating printers using the
same printer driver.

Additional Resources:
StressPrinters Version 1.3.2 - http://support.citrix.com/article/CTX109374


Key Notes:
XDPing is an essential tool to troubleshoot registration and brokering issues in
XenApp & XenDesktop.
It will verify network settings, DNS lookup, time sync, user information, firewall
information etc.
The XDPing tool is a command-line based application which automates the process
of checking for the causes of common configuration issues in a XenDesktop
environment. The tool can be used to verify configuration settings on both the
XenDesktop Broker and VDA machines, both from the console and remotely.
Depending on how the tool is run, and from where, the following checks and
information can be displayed:
• Information and status of Network Interfaces and Network settings.
(Console Only)
• Performs DNS lookup and reverse lookup on the IP address of the device.
• Information on Time synchronization and time check for Kerberos
Authentication. (Console Only)
• User information for login User. (Console Only)
• Including User details, Authentication type used, Group Membership.
• Machine information. (Console Only)
• Environment information. (Computer Name, operating system version,
Domain)
• Domain membership verification (Membership = Verified, SID:S-X-X-XX-
XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX [OK]).
• Information on XenDesktop Services (Windows Communication Foundation
Endpoints) installed and confirms if each installed service is responsive.
(Console Only)
• Displays information on the Windows Firewall installed on the VDA and
checks if the important ports are configured correctly.
• Queries the local event log to check for known events that are related to
XenDesktop.
• Provides client bandwidth and response time information from the VDA to
the client.

Additional Resources:
XDPing Tool - http://support.citrix.com/article/CTX123278
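
What the DNS lookup and reverse lookup check in the list above verifies, as an added PowerShell example (not XDPing's own code and not part of the course material). The function name, host names and addresses are constructed; the resolvers are passed in as parameters so the check can be shown against sample data, and by default they query DNS through the .NET resolver.

```powershell
# Added example: forward and reverse DNS consistency for a machine name.
# A VDA whose name resolves to an address that maps back to a different
# name is a common cause of registration problems.

function Test-DnsRoundTrip {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        # Resolvers are parameters so the check can run against constructed
        # data; the defaults query DNS through the .NET resolver.
        [scriptblock] $Forward = {
            param($name)
            [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.ToString() }
        },
        [scriptblock] $Reverse = {
            param($ip)
            [System.Net.Dns]::GetHostEntry($ip).HostName
        }
    )

    # Forward lookup: a failed lookup is treated the same as an empty answer.
    $addresses = @()
    try { $addresses = @(& $Forward $HostName | Where-Object { $_ }) } catch { }
    if ($addresses.Count -eq 0) {
        return [pscustomobject]@{
            HostName = $HostName; Address = $null; ReverseName = $null
            Status   = 'No forward record'
        }
    }

    # Reverse lookup for every address the name resolved to.
    foreach ($ip in $addresses) {
        $reverseName = $null
        try { $reverseName = & $Reverse $ip } catch { }

        if     (-not $reverseName)           { $status = 'No reverse record' }
        elseif ($reverseName -ieq $HostName) { $status = 'OK' }
        else                                 { $status = 'Reverse mismatch' }

        [pscustomobject]@{
            HostName = $HostName; Address = $ip; ReverseName = $reverseName
            Status   = $status
        }
    }
}

# Constructed zone data: vda02 points at an address whose PTR record still
# names another machine, and vda03 has no forward record at all.
$forwardTable = @{ 'vda01.lab.example' = '10.0.0.21'; 'vda02.lab.example' = '10.0.0.22' }
$reverseTable = @{ '10.0.0.21' = 'vda01.lab.example'; '10.0.0.22' = 'vda07.lab.example' }
$sampleForward = { param($name) $forwardTable[$name] }
$sampleReverse = { param($ip)   $reverseTable[$ip] }

'vda01.lab.example', 'vda02.lab.example', 'vda03.lab.example' | ForEach-Object {
    Test-DnsRoundTrip -HostName $_ -Forward $sampleForward -Reverse $sampleReverse
} | Format-Table -AutoSize
```

Calling the function with only -HostName uses the default resolvers and checks the live DNS records for that machine.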



Key Notes:
Various Citrix components contain built-in debug trace statements, which leverage
the Microsoft Event Tracing for Windows (ETW) technology. This means that these
components are registered as ETW providers, and can be configured by ETW
controllers to start logging their trace statements to a log file.
CDFControl has been crafted to gather critical troubleshooting data (such as CDF
trace and performance data) that should help when troubleshooting complex Citrix
related issues. This guide will help you become familiar with all the new features
and techniques available to help you maximize your use of this application.

Additional Resources:
CDFControl v3.2.1.8 - http://support.citrix.com/article/CTX111961


Key Notes:
Scout is a data collection tool that can be used to capture environment data and
CDF traces from environments running XenDesktop 5.x, XenApp 6.x and XenApp
and XenDesktop 7.x.
Scout is pre-installed on all controllers running 7.5 upwards, and can be found in the
Citrix Folder on the start menu.
Scout must run on a Citrix Delivery Controller machine when capturing product
information.

Additional Resources:
Scout v2.23.0.0s - https://support.citrix.com/article/CTX130147


Key Notes:
Citrix Insight Services (formerly known as TaaS) is an initiative from Citrix focused
on making the support of Citrix environment as easy as possible. Citrix has
developed tools and online analysis capabilities to help collect environment
information, analyze that information and receive tailored recommendations based
on Citrix environment and configuration. The tools are focused on a single mission
(data collection), and their impact

Additional Resources:
Citrix Insight Services - https://cis.citrix.com/
Citrix Insight Services FAQ - http://support.citrix.com/article/CTX131233


Key Notes:
Call Home is optional and can be turned off using PowerShell if enabled during
install.

Additional Resources:
About Call Home - https://www.citrix.com/community/cx/call-home.html
Call Home - https://www.citrix.com/blogs/2015/12/15/citrix-call-home-technology/


Additional Resources:
Sysinternals Suite - https://technet.microsoft.com/en-us/sysinternals/bb842062

Key Notes:
Process Explorer can be used to analyze processes and applications.
Especially helpful for tracking down DLL version issues and handle leaks.
Example: You have an application running in your environment that you suspect of
leaking memory; use Process Explorer to compare a freshly started application
against the same application that has been running for a while; compare the number
of handles and memory consumed by the process.

Additional Resources:
Process Explorer v16.12 - https://technet.microsoft.com/en-us/sysinternals/processexplorer
The Case of the Unexplained, 2010: Troubleshooting with Mark Russinovich -
https://channel9.msdn.com/events/teched/northamerica/2010/wcl315


Key Notes:
Process Monitor is the combination of two older tools from Sysinternals, Regmon
and Filemon.
Process Monitor will monitor and trace any I/O or registry based activity and allow
the admin to search for session ID or username, using filters.
Example: An application is reporting a file system permission issue for a user, and
you want to find out where the application is trying to write and which write operation
gets denied.
Process Monitor is an advanced monitoring tool for Windows that shows real-time
file system, Registry and process/thread activity. It combines the features of two
legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of
enhancements, including rich and non-destructive filtering, comprehensive event
properties such as session IDs and user names, reliable process information, full
thread stacks with integrated symbol support for each operation, simultaneous
logging to a file, and much more. Its uniquely powerful features will make Process
Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Additional Resources:
Process Monitor v3.31 - https://technet.microsoft.com/en-us/sysinternals/processmonitor


Key Notes:
Example: You have implemented a new application that spikes to 100% CPU
resources every 15 minutes.
Use ProcDump to create an automated rule for crash dumping the process when it
goes to 100%, then analyze the dump with the developers to determine the root cause of
the CPU spike.
Write up to 3 mini dumps of a process named 'consume' when it exceeds 20% CPU
usage for five seconds:
• C:\>procdump -c 20 -s 5 -n 3 consume

Additional Resources:
ProcDump v8.0 - https://technet.microsoft.com/en-us/sysinternals/dd996900


Key Notes:
Example: Users on a specific network get randomly disconnected from their
sessions; use Wireshark to trace the network traffic and apply a filter to look for dropped
packets or reset connections.

Additional Resources:
Wireshark webpage - https://www.wireshark.org/

