Basic Administration for Citrix XenApp 6 Citrix Course CXA-204-1I June 2010

Upload: raghu-saravanan

Post on 22-Oct-2015


Basic Administration for Citrix XenApp™ 6

Citrix Course CXA-204-1I

June 2010

Table of Contents

Module 1: Introduction and Course Overview..............................19

Overview.........................................................................................................................................21

Course Outline................................................................................................................................23

Citrix Education...............................................................................................................................27

Course Evaluation and Completion Certificate.................................................................................30

Module 2: Introducing XenApp.......................................................33

Overview.........................................................................................................................................35

XenApp 6 Editions..........................................................................................................................36

XenApp 6 Features.........................................................................................................................37

XenApp Architecture.......................................................................................................................41

XenApp Components..................................................................................................................42

Single and Multiple Farm Environments.......................................................................................43

Data Store...................................................................................................................................43

Data Store Updates and the Local Host Cache...........................................................................44

Independent Management Architecture.......................................................................................44

Data Collectors............................................................................................................................45

Data Collector Election................................................................................................................45

Zones..........................................................................................................................................46

Additional XenApp Components..................................................................................................47

Delivery Services Console...............................................................................................................49

Practice: XenApp Components.......................................................................................................51

Review............................................................................................................................................52

Module 3: Licensing XenApp..........................................................53

Overview.........................................................................................................................................55

XenApp Licensing...........................................................................................................................56

Licensing Communication...........................................................................................................56

License Communication Process................................................................................................57

License Types.............................................................................................................................57

Citrix License Server....................................................................................................................58

Microsoft Remote Desktop Services............................................................................................58

Additional Licensing Considerations............................................................................................59

License Administration Console......................................................................................................61

Port Configuration.......................................................................................................................62

Delegated Administrators in the License Administration Console.................................................63

Installing Licensing..........................................................................................................................65

Manual Installation and Configuration..........................................................................................65

Uninstalling Licensing..................................................................................................................66

License Server Considerations....................................................................................................66

License File Management................................................................................................................68

Obtaining License Files................................................................................................................68

Importing License Files................................................................................................................68

Subscription Advantage..............................................................................................................69

High Availability Considerations.......................................................................................................71

Additional License Server Processes...........................................................................................71

License Server Clustering............................................................................................................72

Review............................................................................................................................................73

Module 4: Installing XenApp...........................................................75

Overview.........................................................................................................................................77

XenApp Server Role Manager.........................................................................................................78

Unattended Installation and Configuration.......................................................................................79

Hardware Requirements.................................................................................................................80

Software Requirements...................................................................................................................81

Installation Decisions.......................................................................................................................83

XenApp Configuration Options........................................................................................................84

Which Farm or Zones Will Be Used in the Environment?..............................................................84

Which License Server Will Be Used for the Server Farm?............................................................84

Which Database Engine Will Be Used for the Data Store Database?...........................................85

Will Shadowing Be Enabled?.......................................................................................................85

On Which Port Will the Citrix XML Service Run?..........................................................................86

When Will Users Be Added to the Local Remote Desktop Users Group?....................................86

Which Pass-through Client Will Be Used in the Environment?......................................................87

Will Pass-through Authentication Be Used in the Environment?...................................................87

Will Information in the Data Store and Configuration Logging Databases Be Protected with IMA Encryption?.88

Web Interface Installation Decisions................................................................................................89

Review............................................................................................................................................90

Module 5: Configuring XenApp Administration............................91

Overview.........................................................................................................................................93

Worker Groups...............................................................................................................................94

Publishing Applications to Worker Groups...................................................................................94

Prioritizing Worker Groups...........................................................................................................95

Filtering Policies to Worker Groups..............................................................................................95

Administrator Privilege Levels..........................................................................................................96

Creating Administrator Accounts.................................................................................................96

Configuring Administrator Permissions......................................................................................100

Configuring Folder Permissions.................................................................................................101

Delegating Administration..........................................................................................................102

Configuration Logging...................................................................................................................105

Creating the Configuration Logging Database...........................................................................105

Configuration Logging Database Settings..................................................................................106

Enabling Configuration Logging.................................................................................................107

Review..........................................................................................................................................108

Module 6: Installing and Configuring Web Interface..................109

Overview.......................................................................................................................................111

Web Interface Communications....................................................................................................112

Web Interface Communication Process.....................................................................................113

Web Interface Installation..............................................................................................................115

Installing Web Interface.............................................................................................................116

Site Creation.................................................................................................................................117

Creating a Web Interface Site....................................................................................................117

© Copyright 2010 Citrix Systems, Inc.

Site Creation Considerations.....................................................................................................118

XenApp Web Site Configuration Options...................................................................................119

XenApp Services Site Configuration..........................................................................................122

Web Interface Site Modification.....................................................................................................124

Modifying the Web Interface Configuration File..........................................................................124

Using the Web Interface Management Console.........................................................................125

Specifying Citrix Plug-in Backup URLs..........................................................................................126

Site Appearance...........................................................................................................................127

Site Customization Options.......................................................................................................128

Practice: Site Customization......................................................................................................129

Session Preferences..................................................................................................................130

Session Options........................................................................................................................131

User Options.............................................................................................................................133

Workspace Control.......................................................................................................................135

Workspace Control Functionality...............................................................................................135

Workspace Control Configuration Options.................................................................................136

Workspace Control User Customization....................................................................................137

Configuring Workspace Control.................................................................................................138

Citrix Plug-ins and Web Interface..................................................................................................140

Plug-in Deployment Options......................................................................................................140

Automatically Detecting Plug-ins...............................................................................................141

Client Detection.........................................................................................................................141

Client for Java...........................................................................................................................145

Authentication Configuration.........................................................................................................147

Authentication Options..............................................................................................................148

Generic RADIUS Support..........................................................................................................149

Explicit Authentication...............................................................................................................149

Pass-through Authentication.....................................................................................................157

Smart Card Authentication........................................................................................................159

Citrix XML Service Trust Relationships.......................................................................................160

Practice: Authentication Configuration.......................................................................................161

Secure Access Configuration........................................................................................................163

Access Methods.......................................................................................................................163

Network Address Translation.....................................................................................................165

Network Address Translation Access Types..............................................................................166

Client-side Proxy Settings.............................................................................................................167

Configuring Client-side Proxy Settings.......................................................................................168

Server Configuration.....................................................................................................................169

Configuring Multiple Server Farms.............................................................................................169

Adding Farms............................................................................................................................170

Configuring Load Balancing.......................................................................................................171

Enabling Fault Tolerance...........................................................................................................172

Specifying the XML Communication Port...................................................................................172

Ticket Expiration Settings..........................................................................................................174

Web Interface Site Removal..........................................................................................................175

Troubleshooting Web Interface Issues...........................................................................................176

Review..........................................................................................................................................177

Module 7: Delivering Applications and Content.........................179

Overview.......................................................................................................................................181

Publishing Resources....................................................................................................................182

Published Resource Types........................................................................................................183

Resource Name and Location...................................................................................................184

Server Assignment....................................................................................................................185

Configured or Anonymous Accounts.........................................................................................185

Users and Groups.....................................................................................................................186

Resource Publishing Settings....................................................................................................186

Practice: Publishing Resources.................................................................................................187

VM Hosted Apps..........................................................................................................................188

Components of VM Hosted Apps..............................................................................................189

Organizing Published Resources for Users....................................................................................191

Advanced Published Resource Settings........................................................................................193

Access Control..........................................................................................................................193

Content Redirection..................................................................................................................194

Implementing Resource Limits and Client Options.....................................................................200

Configuring Resource Appearance............................................................................................202

Published Resource Configuration................................................................................................204

Managing Connections to Resources........................................................................................204

Disabling or Hiding a Published Resource.................................................................................205

Troubleshooting Application Delivery Issues..................................................................................207

Review..........................................................................................................................................208

Module 8: Streaming Applications...............................................211

Overview.......................................................................................................................................213

Application Streaming...................................................................................................................214

Application Streaming Components..........................................................................................216

Application Streaming Communication Process........................................................................218

Streaming App-V Packages......................................................................................................219

Citrix Offline Plug-in.......................................................................................................................220

Citrix Offline Plug-in Cache........................................................................................................221

Citrix Offline Plug-in Installation..................................................................................................221

Citrix Streaming Profiler.................................................................................................................222

Profiling Process.......................................................................................................................222

Installing the Citrix Streaming Profiler.........................................................................................223

Creating a Profile.......................................................................................................................223

Profile Security Setting..............................................................................................................223

Targets......................................................................................................................................224

Inter-Isolation Communication...................................................................................................229

Profile Preference Settings........................................................................................................232

Profile System Requirements.....................................................................................................232

Profile Installation Types............................................................................................................233

Profile Properties.......................................................................................................................233

Known Limits for Profiling Applications......................................................................................238

Target Properties.......................................................................................................................239

Upgrading an Application in a Target.........................................................................................243

Application Delivery Methods........................................................................................................245

The Benefits of Streaming with Dazzle.......................................................................................246

The Web Delivery Method.............................................................................................................247

Streaming to Servers....................................................................................................................248

Publishing a Streamed Application................................................................................................249

Specifying an Alternate Profile for a Published Application.........................................................250

Enabling the Least-Privileged User Account..............................................................................251

Configuring Sites for Streaming Applications.................................................................................253

Support for Both Remote and Streaming Applications...............................................................254

Offline Access Management..........................................................................................................255

Indirect Membership to the Offline Access List..........................................................................255

Providing Offline Access............................................................................................................256

Offline Access Period................................................................................................................257

Renewing Offline Access Period................................................................................................257

Application Caching..................................................................................................................258

Pre-Deployment of Streaming Applications................................................................................259

Troubleshooting Streaming Issues................................................................................................260

Review..........................................................................................................................................261

Module 9: Configuring Policies....................................................263

Overview.......................................................................................................................................265

Group Policy Integration................................................................................................................266

IMA-based Group Policies.........................................................................................................267

Group Policy Extensions............................................................................................................268

Group Policy Architecture..........................................................................................................269

Policy Evaluation...........................................................................................................................271

Policy Application Process........................................................................................................271

Policy Processing and Precedence............................................................................................272

Policy Rules..................................................................................................................................276

Policy Filtering...............................................................................................................................301

Policy Modeling and Troubleshooting............................................................................................303

Review..........................................................................................................................................304

Module 10: Configuring Load Management...............................305

Overview.......................................................................................................................................307

Load Manager..............................................................................................................................308

Load Balancing.............................................................................................................................309

Load Balancing Process............................................................................................................310

Load Calculation...........................................................................................................................312

Load Calculations......................................................................................................................312

Load Evaluator Configuration........................................................................................................318

Creating Custom Load Evaluators.............................................................................................320

Thresholds for Load Management.............................................................................................321

Assigning Load Evaluators to Servers and Applications.............................................................322

Practice: Load Evaluators..........................................................................................................323

Load Balancing Policies................................................................................................................324

Creating Load Balancing Policies..............................................................................................325

Force Application Streaming......................................................................................................327

Preferential Load Balancing...........................................................................................................329

Preferential Load Balancing Considerations...............................................................................330

Troubleshooting Load Management Issues...................................................................................332

Review..........................................................................................................................................333

Module 11: Optimizing the User Experience...............................335

Overview.......................................................................................................................................337

Optimizing Session Performance

Enabling Display Settings

HDX Broadcast Session Reliability

Enabling HDX Broadcast Session Reliability

Understanding HDX Broadcast Session Reliability Considerations

HDX RealTime

Enabling HDX RealTime

Understanding HDX RealTime Design Considerations

HDX Plug-n-Play

Enabling HDX Plug-n-Play

Understanding HDX Plug-n-Play Design Considerations

HDX MediaStream Multimedia Acceleration

HDX MediaStream Multimedia Acceleration Benefits

Enabling HDX MediaStream Multimedia Acceleration

HDX MediaStream for Flash

Enabling HDX MediaStream for Flash

SpeedScreen Latency Reduction

Enabling SpeedScreen Latency Reduction

HDX 3D Image Acceleration

Enabling HDX 3D Image Acceleration

HDX 3D Progressive Display

Enabling HDX 3D Progressive Display

Practice: Determining the Session Optimization Technology

User Profiles

Differentiating User Profile Types

Redirecting User Data

Managing User Profiles

Enabling Profile Management

Understanding the Profile Management Logon Process

Troubleshooting User Experience Issues

Review

Module 12: Configuring Self-Service Applications

Overview

Citrix Receiver

Citrix Receiver for Windows

Citrix Receiver for Macintosh

Citrix Merchandising Server

Citrix Merchandising Server Architecture

Citrix Dazzle

Citrix Dazzle Communication Process

Plug-ins

Plug-in Delivery

Citrix Online Plug-in for Windows

Citrix Online Plug-in for Mac

Client for Java

Citrix Receiver for Linux

Troubleshooting Self-Service Application Issues

Review


Module 13: Configuring Printing

Overview

Printing Concepts

Printing Definitions

Printer Types

Printing Security

Default Printing Behavior

Altering the Default Printing Behavior

Printer Provisioning

User Self-Provisioning

Printer Auto-Creation

Printing Pathways

Network Printing Pathway

Client Printing Pathway

Printing Pathway Demonstration

Printer Drivers

Printer Driver Types

Practice: Printer Drivers

Citrix Universal Printing

Enhanced MetaFile Format

Print Preview

Citrix Universal Printer

Configuring Citrix Universal Printing

Administrator-Assigned Network Printers

Adding a Network Printer

Editing Network Printer Settings

Specifying the Default Printer

Workspace Control and Proximity Printing

Configuring Proximity Printing

Printing Preferences

Printing Properties

Printing Preference Hierarchy

Configuring Printer Property Retention

Printing Bandwidth

Practice: Printing Definitions

Troubleshooting Printing Issues

Review

Module 14: Securing XenApp

Overview

XenApp Security Solutions

SecureICA

Citrix SSL Relay

SSL Relay Communication

Configuring SSL Relay

Access Gateway

Access Gateway Deployment Scenarios

Access Gateway Communications

Digital Certificates


Securing Access to Hosted Applications

SmartAccess

Practice: Security Solutions

Web Interface Configuration

Access Methods

Access Gateway Settings

Configuring Web Interface for Access Gateway Connections

Security Configuration Best Practices

Troubleshooting Access Gateway with XenApp

Review

Module 15: Monitoring

Overview

Health Monitoring and Recovery

EdgeSight Monitoring

EdgeSight Components

EdgeSight Communication

License Usage Monitoring

Configuring License Alerts

Viewing License Usage

Viewing Historical License Data

Workflow Studio Overview

Workflow Studio Architecture

Workflow Automation Use Cases

Accessing the Server Farm using PowerShell

Administering the Server Farm using Commands

Review

Module 16: Additional Components

Overview

SmartAuditor

SmartAuditor Components

Session Recording Process

Single Sign-on

Single Sign-on Components

Single Sign-on Process

EasyCall Voice Services

EasyCall Components

EasyCall Process

Branch Optimization

Branch Repeater Components

Branch Optimization Process for the Plug-in

Provisioning Services

Provisioning Services Components

Power and Capacity Management

Power Management

Load Consolidation

Power and Capacity Management Components

Power Setpoints

XenServer


XenServer Components

Review

Appendix A: Review Questions and Answers

Module 2 Introducing XenApp: Review Answers

Module 3 Licensing XenApp: Review Answers

Module 4 Installing XenApp: Review Answers

Module 5 Configuring XenApp Administration: Review Answers

Module 6 Installing and Configuring Web Interface: Review Answers

Module 7 Delivering Applications and Content: Review Answers

Module 8 Streaming Applications: Review Answers

Module 9 Configuring Policies: Review Answers

Module 10 Configuring Load Management: Review Answers

Module 11 Optimizing the User Experience: Review Answers

Module 12 Configuring Self-Service Applications: Review Answers

Module 13 Configuring Printing: Review Answers

Module 14 Securing XenApp: Review Answers

Module 15 Monitoring: Review Answers

Module 16 Additional Components: Review Answers

Appendix B: Practice Questions and Answers

Module 2 Introducing XenApp: Practice Answers

Module 5 Administrative Configuration: Practice Answers

Module 6 Installing Web Interface: Practice Answers

Module 7 Delivering Applications and Content: Practice Answers

Module 10 Configuring Load Management: Practice Answers

Module 11 Optimizing the User Experience: Practice Answers

Module 13 Configuring Printing: Practice Answers

Module 14 Securing XenApp: Practice Answers

Glossary


Notices

Citrix Systems, Inc. (Citrix) makes no representations or warranties with respect to the content or use of this publication. Citrix specifically disclaims any expressed or implied warranties, merchantability or fitness for any particular purpose. Citrix reserves the right to make any changes in specifications and other information contained in this publication without prior notice and without obligation to notify any person or entity of such revisions or changes.

© Copyright 2010 Citrix Systems, Inc. All Rights Reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or information storage and retrieval systems, for any purpose other than the purchaser’s personal use, without express written permission of:

Citrix Systems, Inc.

851 West Cypress Creek Road

Fort Lauderdale, FL 33309 USA

http://www.citrix.com

The following marks are service marks, trademarks or registered trademarks of their respective owners in the United States and other countries.

Owner: Mark

Adobe Systems Incorporated: Flash®, Flex®, Reader®

Apple, Inc.: Apple®, iPhone™, Mac®

Avaya, Inc.: Avaya™

Bloomberg Finance L.P.: Bloomberg™

Cisco Systems, Inc.: Cisco®

Citrix Systems, Inc.: Branch Repeater™, Citrix®, Citrix Access Gateway™, Citrix Application Firewall™, Citrix Authorized Learning Center™, Citrix Certified Administrator™, Citrix Certified Enterprise Administrator™, Citrix Certified Integration Architect™, Citrix EasyCall™, Citrix Education™, Citrix Receiver™, Dazzle™, EdgeSight®, FlexCast™, HDX™, ICA®, NetScaler®, MyCitrix™, WANScaler™, XenApp™, XenDesktop®

Google: Android™

Linus Torvalds: Linux®

Microsoft Corporation: Active Directory®, Internet Explorer®, Microsoft®, Microsoft Internet Explorer®, SQL Server®, Windows®, Windows Mobile®, Windows Server®, Win32™, Access®, Excel®, InfoPath®, OneNote®, Outlook®, PowerPoint®, Project®, Publisher®, Visio®

Mozilla Corporation: Firefox®

The Open Group: UNIX®

Oracle Corporation: Oracle®

Pearson Education, Inc.: Pearson VUE®

Research In Motion Limited: Blackberry®

Skype Limited: Skype®

Sun Microsystems, Inc.: Java®

Other product and company names mentioned herein might be the service marks, trademarks or registered trademarks of their respective owners in the United States and other countries.

Course Conventions

This courseware uses the following typographic conventions to emphasize information.

Convention: Usage

UPPERCASE:

• Commands such as DIR and COPY

• Filename extensions such as .COM and .INI

• Drive letters such as A: and C:

Case-sensitive items are the only exception to the usage listed.

lowercase:

• Command line parameters such as /w and -r

• URL addresses such as http://finance.yahoo.com

• Internet addresses such as www.citrix.com

• Domain names such as education.ctx

• Email addresses such as [email protected]

Case-sensitive items are the only exception to the usage listed.

Bold Initial Capitalization:

• Words or terms that are defined

• Interface items that are selected, deselected, clicked, double-clicked or right-clicked such as options and menu items in lab exercises

Case-sensitive items are the only exception to the usage listed.

ITALIC UPPERCASE:

• A variable in a system name such as XenAppX and ClientX

• A variable in a user name such as UserX and AdminX

italic lowercase:

• Variable drive letters such as z: and x:

• Variable directory names such as %systemroot% and dir_name

Case-sensitive items are the only exception to the usage listed.

This courseware uses the following icons.

The Note icon identifies additional relevant information.

The Important icon identifies prerequisite information for a given task.

The Tip icon identifies information that can save time and effort.

The Warning icon identifies information that must be heeded in order to prevent harm to systems or users.

The following table provides a list of updated Citrix product and component names used throughout the course.

Old Name: New Name

Access Management Console: Delivery Services Console

License Management Console: License Administration Console

Citrix XenApp Plugin for Hosted Apps: Citrix online plug-in

Citrix XenApp Plugin for Streamed Apps: Citrix offline plug-in

Credits

Instructional Designers: Jeremy Boehl, Ben Colborn, Lydia Kellman, George Komoto, Brad Moczik, Meghan Myers, Adam Pallesen, Karla Stagray

Lab Developer: Andrew Garfield

Education Media Specialists: Joshua Jack, Nathan Jackson

Education Project Manager: Leah Thompson

Editor: Kathryn Morris

Subject Matter Experts: Neil Alhadeff, Jenny Berger, Rob Blincoe, Ronald Brown, Blaise Cacciola, Victor Cataluna, Dave Coleman, Michael Delaguardia, Dan Feller, Jo Harder, Ann Harmison, James Hsu, Mark Ma, Abhishek Mandhana, Mike Melton, Robert Morris, Sridhar Mullapudi, Joseph Nord, Jan Penovich, Elisabeth Reynolds, Daniel Romig, Andrea Rutherford, Stacy Scott, Mark Simmons, Lenny Soletti, Wayne Stillson, Jay Tomlin, Danny Van Dam, Sharin Yeoh, Andy Zhu

Special Thanks: Rob Blincoe, James Hsu, Mark Simmons


Module 1

Introduction and Course Overview


Overview

This module provides you with an opportunity to become familiar with the facilities, course materials and Citrix offerings, and to meet your fellow students.

Facilities

Use the following space to document details about the facilities, classroom policies and contact information:

• Parking

• Restroom and phone locations

• Class policies

• Break and lunch schedules

• Emergency information

Course Materials

The following materials are included with your student kit:

• Name card. Write your name on both sides of the name card so students in front and behind you will know who you are.


• Student workbook and lab guide. Use the student workbook and lab guide to follow along with the instructor, to document notes and to perform the lab exercises during the class. After the class, take the courseware with you.

• Reference materials. Do not remove reference materials, such as product documentation from the classroom. These materials are for classroom use only.

• Online Student Resources. Access these resources after the class. The courseware includes an eLearning voucher code for accessing the Online Student Resources, which contain materials such as answers to review and practice questions and the slide deck from the manual. For information on accessing the Online Student Resources, see the letter at the back of this book.

Course Prerequisites

To complete this course successfully, you must have the following knowledge:

• Working knowledge of Microsoft Windows Server 2008 with Terminal Services or Microsoft Windows Server 2008 R2 with Remote Desktop Services

• Basic knowledge of installing applications

• Basic network security principles

Student Introductions

When asked by the instructor, introduce yourself to the class. Include the following information in your introduction:

• Name and company

• Job title and responsibility

• Networking experience

• Citrix experience

• Class expectations


Course Outline

Day One

The following table provides an overview of the agenda for the first day of class.

Module: Description

Module 1: Introduction and Course Overview

Provides essential introductory information regarding course materials, prerequisite experience, course content, courseware exercises, Citrix information and the course evaluation and completion certificate

Module 2: Introducing XenApp

Provides an introduction to Citrix XenApp

By the end of this module, you will be able to identify the components included in Citrix XenApp 6, its architecture and communications, features and management consoles.

Module 3: Licensing XenApp

Provides information and requirements about licensing Citrix XenApp

By the end of this module, you will be able to configure Citrix licensing for XenApp 6 in a Windows Server 2008 R2 environment.

Module 4: Installing XenApp

Provides information about the Citrix XenApp hardware and software requirements and the decisions an administrator must make when installing XenApp

By the end of this module, you will be able to install XenApp in a Windows Server 2008 R2 environment.

Module 5: Configuring XenApp Administration

Provides information about configuring administrator accounts for the management of a XenApp 6 environment

By the end of this module, you will be able to add administrators to a server farm, delegate administration through folders and permissions and enable and test configuration logging.

This module concludes on Day Two.


Day Two

The following table provides an overview of the agenda for the second day of class.

| Module | Description |
| --- | --- |
| Module 6: Installing and Configuring Web Interface | Provides information about the Web Interface architecture and communications, site creation and customization. By the end of this module, you will be able to create Web Interface sites, customize the site appearance, workspace control settings, authentication methods, and server settings and remove a Web Interface site. |
| Module 7: Delivering Applications and Content | Provides information about publishing, customizing and managing resources in a server farm. By the end of this module, you will be able to publish applications, content and server desktops, configure content redirection and manage sessions. |
| Module 8: Streaming Applications | Provides information about streaming applications, including creating profiles, target requirements, as well as publishing, updating and troubleshooting streamed applications. By the end of this module, you will be able to install the Streaming Profiler and create a streaming profile for single and multiple target operating systems, link profiles for inter-isolation communication and publish an App-V application. This module concludes on Day Three. |

Day Three

The following table provides an overview of the agenda for the third day of class.

| Module | Description |
| --- | --- |
| Module 9: Configuring Policies | Provides information on the functionality of policies, how and when to configure policies and the results of implementing policies in a XenApp 6 environment. By the end of this module, you will be able to identify the policy rules, configure policies, apply policies using filters, prioritize policies and create a shadow policy. |
| Module 10: Configuring Load Management | Provides information on the administrative processes for managing server load in a XenApp 6.0 environment. By the end of this module, you will be able to create and assign load evaluators, assign CPU resource preference to servers and users and configure session connection failover by using load balancing policies. |

Day Four

The following table provides an overview of the agenda for the fourth day of class.

| Module | Description |
| --- | --- |
| Module 11: Optimizing the User Experience | Provides information on optimizations that XenApp administrators can perform to optimize the user experience in a XenApp 6.0 environment. By the end of this module, you will be able to configure various components that optimize the user experience, including display and HDX technology settings. |
| Module 12: Configuring Self-Service Applications | Provides information about the various plug-ins and the methods used to install and configure them, including enabling self-service application delivery. By the end of this module, you will be able to install the Citrix Receiver and Citrix plug-ins on a client device, and configure self-service application delivery. |
| Module 13: Configuring Printing | Provides information on configuring printers for use in XenApp sessions. By the end of this module, you will be able to install and manage printer drivers, configure printing policies and assign network printers to users. |


Day Five

The following table provides an overview of the agenda for the fifth day of class.

| Module | Description |
| --- | --- |
| Module 14: Securing XenApp | Provides information on configuring a security solution for XenApp 6, including avoiding or resolving common security configuration missteps. By the end of this module, you will be able to secure XenApp using SSL Relay and Citrix Access Gateway, and identify the components of a comprehensive XenApp security solution. |
| Module 15: Monitoring XenApp | Provides information on monitoring XenApp license usage over time. By the end of this module, you will be able to track the usage of XenApp licenses. |
| Module 16: Additional Components | Provides information on additional Citrix components that can be implemented as part of XenApp Platinum Edition and other Citrix products that can be used in conjunction with XenApp. By the end of this module, you will be able to identify the key features of SmartAuditor, Single sign-on, EasyCall, Branch Optimization, Provisioning Services, Power and Capacity Management and XenServer. |


Citrix Education

Citrix Training Benefits

Available as instructor-led training, 24/7 self-paced online training or a combination of both, Citrix training courses provide you with the knowledge you need to exceed your business goals.

Benefits to organizations include:

• Maximum Return on Investment (ROI) for Citrix products through proper implementation and support

• Improved reliability and efficiency of Citrix environments while decreasing downtime

• Increased expertise of in-house staff, reducing implementation and support costs as more problems can be resolved faster by internal staff

• Greater employee job satisfaction, leading to higher levels of customer satisfaction

Benefits to IT professionals include:

• Tools and knowledge that can be directly applied on the job to optimize and maintain Citrix environments

• Enhanced credibility by keeping skills and knowledge current with advances in technology

• Improved work performance, which increases employee value

Citrix training is essential for your organization to ensure successful product implementation and maintenance. Visit www.citrixeducation.com and navigate to the Training section to explore the current Citrix training offerings.

Citrix Certification Benefits

Ranked among the hottest certifications in the industry, Citrix Certified Administrator (CCA) certifications and advanced certifications, including the Citrix Certified Advanced Administrator (CCAA), Citrix Certified Enterprise Engineer (CCEE) and Citrix Certified Integration Architect (CCIA), address the entire Citrix Project Lifecycle and train individuals to deliver the most efficient solutions in the Citrix Delivery Center.

Benefits to organizations include:

• Peace of mind and assurance that certified staff have mastered the skills necessary to do their jobs

• Valuable credentials to offer as incentives to top performers which are sought after in prospective employees


• Competitive business advantage with staff that is trained and certified on a regular basis

Benefits to IT professionals include:

• Demonstrated competency in Citrix products to employers and clients

• The most current skills and knowledge necessary to do your job

• Enhanced marketability and competitive edge by possessing a recognized and respected IT credential

Investing in Citrix certification will help organizations and IT professionals realize their business goals. Get started now by visiting the Certification section of the www.citrixeducation.com web site.

Key Resources

To obtain detailed and up-to-date information on Citrix instructor-led training (ILT), self-paced online training, exams and certifications, visit the www.citrixeducation.com web site.

| Resource | Description |
| --- | --- |
| Instructor-led Training (ILT) courses | To view course descriptions, or to search schedules and register for additional ILT courses in your area, including customized training, visit the Training section of the www.citrixeducation.com web site. You may also contact your Citrix Authorized Learning Center (CALC) representative. |
| Self-paced Online Training Courses | To search, view course descriptions and register for self-paced online training courses, visit the Training section of the www.citrixeducation.com web site. |
| Exams | To download Exam enablement guides, visit the Exam section of the www.citrixeducation.com web site. To register for Citrix exams administered by Pearson VUE, contact the provider directly: Pearson VUE, Web: www.pearsonvue.com, Telephone: 1-800-931-4084 (Americas). For a list of phone numbers by region, visit the http://vue.com/citrix/contact web site. |
| Certification Manager | To track your certification progress and publish your Citrix credentials, visit the www.citrixcertmanager.com web site. |

The following table lists additional resources.


| Resource | Description |
| --- | --- |
| Citrix eDocs | To access product documentation, visit the support.citrix.com/proddocs/index.jsp web site. Citrix eDocs provides access to product documentation along with links to the Citrix Knowledge Center, Citrix communities, blogs and forums. |
| Citrix Community | To access Citrix blogs, labs, partner communities, the Citrix Developer Network, Support Forums and more, visit the community.citrix.com web site. |
| Citrix TV | To view a wide variety of videos that address Citrix products and technology, visit the www.citrix.com/tv web site. |


Course Evaluation and Completion Certificate

Course Evaluation Survey

Course evaluation is integral to developing an Education program that provides an effective learning environment and the skills necessary to improve job performance and enhance the return on investment of Citrix products. Your instructor will carefully guide you through the course evaluation process and ask that you submit an electronic survey at the conclusion of the course. This valuable feedback will assist Citrix Education in expanding our robust curriculum of instructor-led training, self-paced online training courses and challenging certification tracks.

Course Completion Certificate

A course completion certificate is available to those students who complete the course evaluation survey. Carefully review the following steps to ensure that you successfully obtain your course completion certificate.

1. Midway through the final day of class, your instructor will direct you to complete an electronic course evaluation survey. Your candid and objective feedback is essential to the advancement of Citrix Education and allows us to ensure that the training you receive is impactful to your job function.

2. During this time, your instructor will provide you with the URL for the web-based survey. Simply go to the link and complete the requested information. The evaluation will take no more than five minutes to complete.

For classrooms where Internet access is not available, you may access the survey after training by visiting the following link: www.metricsthatmatter.com/citrixeval. Please have your course number available in order to launch the survey.

3. Upon submission of your course evaluation, the system will automatically generate an electronic version of your course completion certificate. Enter your name and select the option to print, email or save to HTML prior to closing the page.

You may select more than one of the options provided to receive your course completion certificate. When printing the certificate, choose "Landscape" in order to format the page properly. If you elect to email the course completion certificate, click the Back button from the email page to return to the certificate and select an alternative method.

If your classroom is not equipped with a printer, we strongly recommend that you email or save to HTML. You will not be able to re-access your course completion certificate after you close the page.


Module 2

Introducing XenApp


Overview

Citrix XenApp 6 for Windows Server 2008 R2 is an on-demand application delivery solution that enables any application to be virtualized, centralized and managed in the datacenter and instantly delivered as a service to users anywhere on any device. XenApp reduces the cost of application management by up to 50 percent, increases IT responsiveness when delivering an application to distributed users and improves application and data security.

XenApp also enables IT to centrally manage a single instance of each application and virtualize them for delivery to users for online and offline use, while providing a high definition experience.

At the end of this module, you will be able to:

• Identify the features of XenApp.

• Identify the basic architecture of XenApp and the server farm components.

• Identify the functionality provided by the Delivery Services Console.


XenApp 6 Editions

Citrix XenApp 6 is available in three editions:

| Edition | Description |
| --- | --- |
| Advanced Edition | Provides the fundamental functionality for delivering applications to client devices in very basic environments |
| Enterprise Edition | Contains all of the features of Advanced Edition and adds capabilities that help manage more complex user and application environments |
| Platinum Edition | Contains all of the features of Enterprise Edition and adds capabilities that enhance security and performance management. Platinum Edition provides a comprehensive, end-to-end application delivery system for instantly providing any application to any user, on any device, over any network. |


XenApp 6 Features

XenApp 6 contains a robust set of features that provides administrators and users with the best functionality possible for an end-to-end application delivery solution.

For a comprehensive list of all features, see the www.citrix.com web site. Features are covered in more depth throughout the course.

The features in the following table are available in all editions of XenApp.

| Feature | Description |
| --- | --- |
| Citrix Receiver | Provides a single client interface that automatically installs on and configures client devices to access applications and resources meant specifically for authenticated users. For more information on Receiver, see the "Configuring Self-Service Applications" module of this course. |
| Citrix Dazzle | Allows users to define a list of favorite or frequently used applications for fast access. IT can configure featured applications for easy access to mission-critical programs. Users can also subscribe to the application required for work using a simple drag and drop interface. For more information on Dazzle, see the "Configuring Self-Service Applications" module of this course. |
| Citrix Streaming | Streams and runs multiple online and offline applications and integrated Windows services on Windows desktops in an isolated environment without system conflicts. For more information on Citrix Streaming, see the "Streaming Applications" module of this course. |
| Support for Microsoft App-V | Delivers applications to Windows devices for offline access with Microsoft App-V application virtualization technology |
| Active Directory Group Policy Integration | Enables IT to configure application availability and delivery using familiar Active Directory Group Policies and Local Group Policies. This enables fine-level control of applications and allows for easy control of thousands of applications delivered to thousands of users on thousands of servers. For more information, see the "Configuring Policies" module of this course. |
| Web Interface | Provides a browser-based interface for accessing applications and offers built-in support for two-factor authentication, simple customization through the management console and multilingual support. Integration with most third-party portals is seamless. For more information on Web Interface, see the "Installing and Configuring Web Interface" module of this course. |
| Citrix HDX Technology | Delivers a high performance, high definition user experience through virtualized applications - even those that are graphic-rich and contain multimedia content. Users have a seamless experience with zero downtime and higher overall productivity. For more information on specific HDX features, see the www.citrix.com web site and the "Optimizing the User Experience" module of this course. |
| EasyCall Voice Services | Uses the corporate telephony system instead of a personal phone to initiate calls from anywhere, and includes call redirection, conference calling, and helpdesk support features |
| Workflow Studio Orchestration | Uses visual scripting to help automate common IT tasks and orchestrate the collaborative function of Citrix XenApp, XenDesktop, XenServer and NetScaler. For more information on Workflow Studio scripts, see the support.citrix.com web site. |

The features in the following table are only available in the Enterprise and Platinum Editions of XenApp.

| Feature | Description |
| --- | --- |
| VM hosted applications | Allows applications to run on a centralized Windows XP, Vista and Windows 7 virtual or physical system (32 or 64-bit) in the datacenter. Session virtualization technology remotely displays the applications to users' desktops and devices, while screen updates, keystrokes and mouse clicks traverse the network. |
| Installation Manager | Enables IT to automatically and remotely install applications across multiple servers simultaneously |
| Profile Management | Auto-detects and stores modified profile settings, prevents unintentional overwriting, and loads user profile settings on-demand. Administrators can specify rules for downloading and caching large profile components to reduce logon time and accelerate application access. For additional profile management information, see the www.citrix.com web site and the "Optimizing the User Experience" module in this course. |
| Power and Capacity Management | Allows for creation of system policies that manage server power consumption and optimize server capacity. Automatically brings capacity online to maintain expected user performance and access and retires capacity when it is no longer needed. |
| Health Monitoring and Recovery | Performs continuous server health checks and automatically initiates recovery procedures, minimizing the need for administrator intervention |

The features in the following table are only available in the Platinum Edition of XenApp.

| Feature | Description |
| --- | --- |
| Provisioning Services | Allows administrators to virtualize the entire XenApp farm of application hosting servers, both physical and virtual, from a single, standardized server image. For more information on Provisioning Services, see the "Additional Components" module of this course. |
| SmartAccess with Citrix Access Gateway | Provides granular access control policies and integrated endpoint analysis for users accessing applications using an SSL VPN. Administrators have a single point of access control for all applications and resources, not just XenApp traffic. |
| HDX Broadcast Branch Optimization | Powered by Citrix Branch Repeater, automatically adapts and tunes WAN communications, TCP flow and data compression for optimal performance. For more information on Citrix Branch Repeater and HDX Broadcast Branch Optimization, see the www.citrix.com web site. |
| Service Monitoring with Citrix EdgeSight | Enables IT to quickly pinpoint and troubleshoot server, network and application performance issues that impact the user experience |
| Preferential Load Balancing | Enables administrators to prioritize a user, group and application based on pre-established requirements. Ensures sessions are properly balanced to provide an enhanced user experience. |
| Single sign-on and Password Management | Secures application logons and enhances the security of all password-protected Windows, web and terminal emulator applications. Additional functionality exists for managing password policies, auto-application password change and self-service reset. |
| SmartAuditor | Provides powerful application session recording for improving regulatory compliance, risk mitigation and accelerated problem resolution |


XenApp Architecture

A XenApp server farm is a logical group of servers that can be managed as a single entity. Applications can be made available by installing or streaming them to a server or client device.

The primary architectural components of a XenApp server farm are:

• XenApp servers

• Data collector

• Data store database

• License server

• Web Interface servers

• Worker groups

• Zones


XenApp Components

XenApp 6 is composed of several components. The primary architectural components include the following:

| Component | Description |
| --- | --- |
| XenApp servers | XenApp servers deliver online and offline (hosted and streamed) applications on demand. |
| Data collector | Data collectors keep track of dynamic data in a zone, such as session and server load information. In farms with more than one zone, data collectors also act as communication gateways between the zones. |
| Data store database | The data store database is a repository of persistent XenApp server farm information, including configuration data for the farm, published applications, servers, administrators and printers. |
| License server | The license server checks out licenses to XenApp, which places the request on behalf of connecting users. The License Administration Console is a browser-based utility that allows administrators to manage licenses. |
| Web Interface servers | Web Interface provides users access to resources published in one or more server farms through a web browser or the Citrix online plug-in. An administrator can configure the Web Interface to download plug-in software to client devices and perform user authentication checks using RSA SecurID, RADIUS or Secure Computing SafeWord. |
| Worker groups | Worker groups, which consist of servers or domain OUs, allow multiple servers to be grouped together to ease administration. They provide the ability to manage published applications and policies on multiple servers at the same time. XenApp servers added to a worker group automatically inherit the group settings. |
| Zones | Zones can enhance performance in farms distributed across WANs by grouping geographically related servers together. Zones collect data from member servers in a hierarchical structure and efficiently distribute changes to all servers in the farm. Each zone contains a server designated as the data collector. |


Single and Multiple Farm Environments

When installing XenApp, an administrator has the option to create a new farm or join an existing farm.

The following list details the characteristics of each environment.

Single Farm

• All XenApp servers use the same data store.

• Servers can be grouped into a single zone or multiple zones.

• Applications can be load-balanced across servers in the farm.

Multiple Farms

• Each farm has its own data store.

• Applications can be load balanced across all servers in a farm but cannot be load balanced across multiple farms.

The business decisions for an organization can help an administrator determine which farm configuration is needed.

Data Store

All XenApp servers in a farm use a single, centralized database called the data store to maintain persistent farm data. This database enables the entire farm and individual server settings to be centrally managed.

The data store may be a Microsoft SQL Server Express database on a XenApp server or an enterprise-level database on a separate server running Microsoft SQL Server or Oracle.

The data store contains static information for the farm such as:

• Farm configuration information

• Published application configurations

• Server configurations

• Farm management security

• Printer configurations

• License server name and port

For more information on installing, maintaining, recovering and migrating a data store, see "Data Store Database Reference" on the http://support.citrix.com web site.


Data Store Updates and the Local Host Cache

A subset of the data contained in the data store is stored in the local host cache on each XenApp server. The local host cache contains information about:

• All servers in the farm and their basic information

• All applications published within the farm and their properties

• All Windows network domain trust relationships within the farm

This information allows the XenApp server to continue to enumerate applications and resolve requests for published resources if the server loses contact with the XenApp data store database.

The Independent Management Architecture (IMA) service polls the data store database every 30 minutes or whenever a configuration change is made to the farm. If a change has been detected, the IMA service sends only the changed information to the XenApp servers to update their local host cache.

Independent Management Architecture

The Independent Management Architecture (IMA) provides the framework for all server-to-server communication that occurs in a XenApp farm. The IMA service is a Windows service and the key communication component of a farm. IMA includes a collection of functional subsystems made up of dynamic link library (.DLL) files.

The IMA service:

• Provides a centralized framework used by administrative tools for XenApp

• Delivers subsystems that collectively provide functionality to current and future Citrix products

• Runs on all servers with XenApp installed and is enabled by default during installation

• Communicates through messages sent over TCP port 2512, by default, for server-to-server communication


Data Collectors

XenApp servers must be load balanced to ensure a quality user experience. Load balancing determines which servers are least busy and can best run an application.

A single XenApp server in each zone, called the data collector, maintains dynamic farm information and communicates this information to data collectors in other zones. The Independent Management Architecture (IMA) provides the framework for all server-to-server communication that occurs in a XenApp farm, including session information.

The data collector is responsible for load balancing decisions based on the following criteria:

• Server load data

• User session status

In a large XenApp farm environment, it is recommended to restrict the data collector from delivering applications, thereby dedicating its function. A dedicated data collector speeds up load balancing decisions and improves session logon time.

Data Collector Election

The data collector maintains dynamic data for servers in the zone. Therefore, each server must be able to contact the data collector for the zone. If the data collector is unavailable, an election occurs and another server in the zone takes over the role of the data collector.

The data collector election process automatically initiates in the event that the existing data collector is unavailable or new servers were added to the farm. By default, XenApp uses the following criteria to determine which server wins the election and becomes the data collector:


1. Highest XenApp version (also referred to as Host Record Version) - Servers with the most recent software, XenApp 6, will have a Host Record of 1, which is the highest.

2. XenApp server ranking - XenApp servers can be configured with the following rankings using the Set Election Preference menu in the Delivery Services Console:

• Most Preferred (1)

• Preferred (2)

• Default Preference (3)

• Not Preferred (4)

The Set Election Preference menu is located in the task pane of the Delivery Services Console under XenApp > Name of Farm > Zones > Name of Zone > Set Election Preference.

When XenApp is installed, the first server in the farm is given a preference setting of Most Preferred. Each additional server added to the farm has a data collector setting of Default Preference.

The first server continues to be the data collector unless an administrator changes its setting from Most Preferred to a lower preference setting, or a server with a newer version of XenApp joins the farm.

Mixed farms are not supported with XenApp 6.

If the primary data collector is down or unavailable, an election is held to designate another server in the zone to act as the data collector. The newly-elected data collector gathers all necessary data within 30 seconds.

As a best practice, configure one server with the Preferred ranking in the event that the server with the Most Preferred ranking becomes unavailable. This will ensure that the proper XenApp server becomes the new data collector should an election occur.

3. Host ID number - Host ID numbers are assigned at random during installation. In the event that all XenApp servers have the same preference setting, the election winner would be determined by the highest Host ID number. An administrator can use the QUERYHR command line utility to view the Host ID numbers for all the servers in the farm.

For more information about the data collector election process, see Citrix Knowledge Base article CTX112525 on the http://support.citrix.com web site.
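The three election criteria above can be modeled to predict which server takes over when the current data collector is lost, and to flag zones where that outcome is left to the random Host ID instead of an administrator's ranking. This is an added Python example, not Citrix code and not part of the course manual; the server names, Host IDs and the integer encoding of Host Record Version (highest value wins) are assumptions.

```python
from dataclasses import dataclass, replace

# Election preference values as numbered on this page (lower number = stronger preference).
MOST_PREFERRED, PREFERRED, DEFAULT_PREFERENCE, NOT_PREFERRED = 1, 2, 3, 4


@dataclass(frozen=True)
class Server:
    name: str                 # hypothetical server name
    host_record_version: int  # modeled so that the highest value wins (assumption)
    preference: int           # 1..4, as set through Set Election Preference
    host_id: int              # assigned at random during installation
    online: bool = True


def election_key(server):
    """Order servers by the three criteria: version, ranking, then Host ID."""
    return (-server.host_record_version, server.preference, -server.host_id)


def elect_data_collector(zone):
    """Return the online server that wins the election, or None if none is online."""
    candidates = [s for s in zone if s.online]
    return min(candidates, key=election_key) if candidates else None


def failover_report(zone):
    """Predict the successor if the current data collector becomes unavailable.

    decided_by is "host_id" when two or more remaining servers tie on version
    and ranking, so the random Host ID picks the successor; otherwise it is
    "version_or_ranking", meaning the configured values decide.
    """
    current = elect_data_collector(zone)
    if current is None:
        return {"current": None, "successor": None, "decided_by": None}
    remaining = [s for s in zone if s.online and s.name != current.name]
    if not remaining:
        return {"current": current.name, "successor": None, "decided_by": None}
    successor = min(remaining, key=election_key)
    tied = [s for s in remaining
            if (s.host_record_version, s.preference)
            == (successor.host_record_version, successor.preference)]
    decided_by = "host_id" if len(tied) > 1 else "version_or_ranking"
    return {"current": current.name, "successor": successor.name,
            "decided_by": decided_by}


def take_offline(zone, name):
    """Return a copy of the zone with the named server marked unavailable."""
    return [replace(s, online=False) if s.name == name else s for s in zone]


# Constructed sample zone with installation defaults: the first server is
# Most Preferred, later servers are Default Preference. Names and IDs are made up.
DEFAULT_ZONE = [
    Server("XA01", 1, MOST_PREFERRED, 1204),
    Server("XA02", 1, DEFAULT_PREFERENCE, 30912),
    Server("XA03", 1, DEFAULT_PREFERENCE, 8841),
    Server("XA04", 1, NOT_PREFERRED, 32001),
]

# Same zone after following the best practice: XA03 is given the Preferred ranking.
HARDENED_ZONE = [replace(s, preference=PREFERRED) if s.name == "XA03" else s
                 for s in DEFAULT_ZONE]

if __name__ == "__main__":
    for label, zone in (("defaults", DEFAULT_ZONE),
                        ("with Preferred backup", HARDENED_ZONE)):
        print(label, failover_report(zone))
        after_loss = elect_data_collector(take_offline(zone, "XA01"))
        print("  data collector after XA01 is lost:", after_loss.name)
```

With the installation defaults the successor is whichever Default Preference server happens to hold the highest Host ID; assigning one Preferred server makes the failover target an explicit choice.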

Zones

A logical group of XenApp servers communicating with a single data collector is called a zone. Zones are typically based on subnets.


During the installation of XenApp on a server, the server must join a zone. The first XenApp server installed in a farm defines the initial zone and becomes the data collector for the zone. The default name of the first zone is Default Zone. After the installation is complete, an administrator can create additional zones and move servers into the different zones. The first XenApp server moved into a zone becomes the data collector for that zone. Zones can be used to designate physical or logical groupings.

If a XenApp server is moved to another zone, a restart of the moved XenApp server is required. The moved XenApp server will not respond to application requests until after the restart.

Sharing Data Across Zones

By default, the data collector for each zone in the farm shares all information. When a plug-in makes a request for a published resource, the data collector identifies the least busy server in the farm.

Sharing data across zones can cause an increase in bandwidth consumption. As a best practice, keep the number of zones to a practical minimum. One zone is optimal.

Additional XenApp Components

XenApp contains additional components that enhance the functionality of the solution, including the following:

Load Manager - Load Manager ensures that each user connects to the server that has the lightest load and can best handle the connection. Load Manager applies load evaluators that consist of rules that govern the way Load Manager determines the resource load.

Resource Manager (powered by EdgeSight) - Resource Manager is based on Citrix EdgeSight functionality and provides an administrator with the ability to monitor, report and collect server resource metrics for all servers in a farm.

Access Gateway VPX - Access Gateway VPX virtual appliance provides secure access for applications and desktops with all of the functionality of a physical appliance on any industry standard server.

For more information about the Access Gateway VPX, see the www.citrix.com web site.

Citrix XenApp Provider - The Citrix XenApp Provider provides support for health information systems, such as Microsoft System Center Operations Manager (SCOM).

For more information about the Citrix XenApp Provider, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.

Delivery Services Console - The Delivery Services Console is a Microsoft Management Console (MMC) snap-in that allows administrators to configure administrative permissions, server and farm properties through policies, published resources and much more. It is the primary administrative utility for XenApp.

License Administration Console - The License Administration Console is a browser-based utility that allows administrators to manage licenses, track license usage and configure licensing alerts.

Citrix Plug-ins - Citrix plug-ins make it possible for users to access published resources regardless of the operating system installed on the client device. The Citrix plug-ins related to XenApp include:

• Citrix online plug-in

• Citrix offline plug-in

• Client for Java

• Citrix Receiver (versions exist for Windows, Mac, Java and Linux)

For more information on specific Citrix plug-ins, navigate to the www.citrix.com web site and select Downloads > Clients.

Delivery Services Console

The Delivery Services Console is the primary administrative utility for XenApp. All tasks in the Delivery Services Console can be automated using PowerShell, which replaces MFCOM. The console is organized around the tasks related to:

Administrators - Add administrators and set permissions

Applications - Publish and organize online and offline applications

Policies - Create and manage policies

Zones - Manage and monitor zones and servers in zones

XenApp 6 seamlessly integrates with Microsoft management tools. Administrators can manage XenApp servers and farms using Active Directory Group Policies.

The Delivery Services Console can also be used for the following tasks:

• Create and assign load evaluators to servers and published applications.

• Set the edition on the XenApp server.

• Connect to a server desktop.

• Configure and view hotfix information for Citrix products.

• View server health information.

If two administrators are using the Delivery Services Console at the same time to change the same information in a farm, only the changes entered last are maintained in the data store database.

Practice: XenApp Components

Match the components of XenApp in the following table with the description that best identifies its function.

Issue

• Worker groups

• Resource Manager

• Load Manager

• Web Interface

• Data collector

• Delivery Services Console

• Citrix Plug-ins

Resolution

a. Stores dynamic farm information

b. Makes it possible for users to access published resources

c. Allows multiple servers to be grouped together to ease administration

d. Provides the ability to monitor, report and collect server resource metrics for all servers in a farm

e. Allows administrators to configure administrative permissions and published resources

f. Ensures that each user connects to the server most capable of handling the connection

g. Provides users access to published resources in one or more server farms through a web browser or the Citrix online plug-in

Review

1. Which are the editions of XenApp?

a. Standard, Enterprise, Custom

b. Advanced, Essential, Platinum

c. Basic, Intermediate, Advanced

d. Advanced, Enterprise, Platinum

2. Which feature of XenApp delivers a high performance, high definition user experience through virtualized applications from any device, on any network?

a. SSL Relay

b. SNMP Monitoring

c. Citrix HDX technology

d. Support for Microsoft App-V

3. Which component is not one of the primary architectural components of XenApp?

a. Data collector

b. License server

c. Data store database

d. Desktop Delivery Controller

4. Which statement about Independent Management Architecture is true?

a. Communicates with XenApp using TCP port 25000

b. Delivers crucial systems that collectively leverage additional Citrix products

c. Runs on designated XenApp servers and is enabled in the Delivery Services Console

d. Provides the framework for all server-to-server communication that occurs in a XenApp farm

Module 3

Licensing XenApp

Overview

Citrix XenApp requires product licenses to function properly. Two major components of the Citrix licensing process are the license server and the License Administration Console. The licensing model applies to several products. This module provides information on the major components as well as additional relevant information for licensing XenApp.

XenApp provides organizations with the ability to install, publish and manage applications and content from one centralized location. These published resources can then be securely accessed by users from anywhere, anytime, using any device over any connection.

At the end of this module, you will be able to:

• Explain XenApp licensing communications and license types.

• Configure License Administration Console ports and administrators.

• Install the Citrix License Server and import license files into the console.

• Explain how the license server can be made highly available.

XenApp Licensing

Citrix XenApp requires licenses for users to connect successfully.

Licensing Process Overview

An administrator can use the following process to ensure that licensing components are set up correctly for implementation:

1. Install licensing components.

2. Obtain a license file from the www.MyCitrix.com web site.

3. Add the license file to the license server.

When a Citrix product is first installed, there is an out-of-box grace period of 96 hours during which two users can run any product before an administrator installs any licenses. After a license server and licenses are installed, servers can lose contact with the license server for up to 30 days without the loss of functionality.

Licensing Communication

The following table outlines the components that an administrator must consider when deploying licensing.

Component - Description

License Server - Stores the licenses

License File:

• Keeps the license information for the product

• Contains vital information such as the product edition, number of users and any expiration dates applicable

• Is stored on the license server

License Administration Console - Allows an administrator to maintain the license server and license files for XenApp servers using a web-based interface

Licensing Communication Overview

Citrix products depend on communication with the license server. An administrator must perform the following tasks for a license server to accept connection and license requests:

• Add a license file to the license server.

• Configure the farm to use a specific license server.

License Communication Process

The following steps describe the licensing communication process for checking out a license for a client device:

1. A user connects to Farm A.

2. A server in Farm A requests a license from License Server 1.

3. License Server 1 grants the request and checks out a license for the client device.

Additional connections from the user on the client device to a different XenApp server in Farm A will only consume the original license if both XenApp servers use the same XenApp product edition.

4. The same user connects to Farm B.

5. A server in Farm B requests a license from License Server 1.

6. License Server 1 grants the request and uses the existing license for the client device.

License Types

XenApp uses concurrent user licenses, which are licenses that are not tied to specific users. When a server requests a license, it is reserved for a specific client device/user combination. When the user logs off from the session, the license is returned to the license pool and made available for another user. Users connecting from multiple devices will consume multiple licenses. In addition, if some servers in a farm are configured to connect to a different license server, users opening applications from both server groups will consume a license from each license server.

Citrix License Server

Citrix XenApp 6 can use any license server version 11.6.1 or above. The version can be verified in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\LicenseServer\Install.

The version number appears in the format: 11.6.1 build 10007.
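
A version string in this format can be checked across several license servers at once. The Python below is an added example, not part of the Citrix course material; it takes version strings already read from the registry key above, and the host names and every version other than 11.6.1 build 10007 are constructed sample values.

```python
import re

# Lowest license server version XenApp 6 accepts, as stated in the text.
MINIMUM_VERSION = (11, 6, 1)

# Matches the documented display format, e.g. "11.6.1 build 10007".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)\s+build\s+(\d+)\s*$", re.IGNORECASE
)


def parse_license_server_version(text):
    """Return ((major, minor, patch), build), or None if the string is malformed."""
    match = _VERSION_RE.match(text or "")
    if match is None:
        return None
    major, minor, patch, build = (int(part) for part in match.groups())
    return (major, minor, patch), build


def audit_license_servers(inventory, minimum=MINIMUM_VERSION):
    """Sort hosts into ok / too_old / unreadable.

    inventory maps a host name to the version string read from that host.
    Versions are compared as integer tuples: comparing the raw strings would
    rank "11.10.0" below "11.6.1" because "1" sorts before "6".
    """
    report = {"ok": [], "too_old": [], "unreadable": []}
    for host in sorted(inventory):
        parsed = parse_license_server_version(inventory[host])
        if parsed is None:
            report["unreadable"].append(host)
        elif parsed[0] >= minimum:
            report["ok"].append(host)
        else:
            report["too_old"].append(host)
    return report


# Constructed inventory (hypothetical host names).
SAMPLE_INVENTORY = {
    "LIC01": "11.6.1 build 10007",   # the format example from the text
    "LIC02": "11.5.0 build 7104",    # constructed: older than the minimum
    "LIC03": "11.10.0 build 12002",  # constructed: newer, but "smaller" as a string
    "LIC04": "",                     # constructed: value could not be read
}

if __name__ == "__main__":
    for status, hosts in audit_license_servers(SAMPLE_INVENTORY).items():
        print(status, hosts)
```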

Any license server, version 11.x and above, can be upgraded. After the upgrade is completed, the License Server configuration tool will launch. Configuration, for settings such as the administrator password and license server ports, is required. Additionally, after the upgrade is completed, the previous report log (REPORTLOG.RL) will be disabled because license reporting is now available only in Citrix EdgeSight.

Microsoft Remote Desktop Services

XenApp extends the functionality of Microsoft Remote Desktop Services (formerly Terminal Services), which is a presentation virtualization platform for Windows Server.

XenApp 6 leverages Windows Server 2008 R2 security enhancements and Remote Desktop Services architecture to add dimensions of flexibility, manageability, security and performance, thereby providing an end-to-end application delivery solution that is cost-effective and secure.

Microsoft requires client access licenses (CALs) and RDS CALs for each system that connects through Remote Desktop Services and provides a grace period of 120 days for an administrator to acquire the proper licenses. Remote Desktop licensing must also be installed. For more information on Microsoft licensing requirements, see the www.microsoft.com web site.

Remote Desktop Licensing

Remote Desktop licensing (formerly Terminal Services licensing) manages the licenses that are required for each device or user to connect to a Remote Desktop Session (RDS) Host server (formerly a Terminal Server).

Administrators must configure a Remote Desktop Licensing server in the environment to distribute Remote Desktop licenses. To avoid adding the Remote Desktop Licensing server to each new Remote Desktop Services server that joins the domain, administrators can configure an Active Directory group policy to automatically assign the Remote Desktop Licensing server to each new server that joins the domain.

Additional updates and considerations include the following:

• Automatic license server discovery is no longer supported. The specific license server or servers must be specified in the RDS Host configuration utility.

• Microsoft does not recommend installing the RDS session host on a domain controller.

• License servers are registered as Service Connection Points in Active Directory to allow them to be displayed during manual configuration.

• Administrators can configure an Active Directory group policy to automatically assign the Remote Desktop Licensing server to new RDS Hosts.

• Remote Desktop Client Access Licenses (RDS CALs) are new licenses introduced with Windows Server 2008 R2. RDS CALs are considered equivalent to Terminal Server Client Access licenses (TS CALs). Both will allow connections to an RDS Host server. However, as of January 2010, only RDS CAL licenses are sold and Windows Server 2008 or later is required. RDS CAL licenses include streaming applications to RDS servers with App-V.

For more information on Remote Desktop licensing, see the www.microsoft.com web site.

Additional Licensing Considerations

Additional licensing considerations include:

• Different connections can consume multiple licenses.

When analyzing the number of licenses required in an environment, an administrator must consider whether users employ various types of clients to connect to product servers. For example, users connecting to XenApp using a Citrix plug-in and Remote Desktop Services connection simultaneously consume multiple licenses. The license server considers Remote Desktop Services connections as separate from the Citrix plug-in connection and even though the connection may be from the same user, XenApp consumes two licenses. Remote Desktop Services connections made to a console, however, do not consume a license.

• Most application manufacturers require user licenses for their products.

An administrator must adhere to these licensing requirements whether users connect directly to the desktop or launch individual published applications. Licensing practices may vary from company to company, as well as in an RDS environment as compared with a traditional networking environment. Citrix recommends that an administrator contact each manufacturer to verify the specifications to ensure compliance with licensing requirements.
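
The checkout rules from the License Types section and from the connection-type consideration above can be combined into a sizing check. The Python below is an added example, not Citrix code: it assumes a license is keyed by license server, user, client device, product edition and connection type, and is held until the last session sharing it logs off. All user, device, farm and server names are constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    device: str
    farm: str
    server: str
    edition: str            # product edition of the XenApp server hosting the session
    license_server: str     # license server that XenApp server points to
    kind: str = "ica"       # "ica" (Citrix plug-in), "rds" or "rds-console"


def checkout_key(session):
    """Identity of the license a session uses, or None if it uses none."""
    if session.kind == "rds-console":
        return None         # console connections do not consume a license
    # Farm and server are deliberately not part of the key: a second farm or
    # server reuses the license when license server and edition are the same.
    return (session.license_server, session.user, session.device,
            session.edition, session.kind)


def peak_license_usage(events):
    """Replay ("logon" | "logoff", Session) events; return peak use per license server."""
    open_sessions = Counter()   # sessions currently sharing each license
    in_use = Counter()          # licenses checked out per license server
    peak = Counter()
    for action, session in events:
        key = checkout_key(session)
        if key is None:
            continue
        pool = session.license_server
        if action == "logon":
            open_sessions[key] += 1
            if open_sessions[key] == 1:          # first session: check out
                in_use[pool] += 1
                peak[pool] = max(peak[pool], in_use[pool])
        elif action == "logoff":
            if open_sessions[key] == 0:
                raise ValueError(f"logoff without logon: {session}")
            open_sessions[key] -= 1
            if open_sessions[key] == 0:          # last session: return to pool
                in_use[pool] -= 1
        else:
            raise ValueError(f"unknown action: {action}")
    return dict(peak)


def shortfall(peak, purchased):
    """Licenses missing per license server at peak (0 when the pool is large enough)."""
    return {ls: max(0, used - purchased.get(ls, 0)) for ls, used in peak.items()}


# Constructed sessions (hypothetical names).
s1 = Session("alice", "PC1", "FarmA", "XA1", "Platinum", "LS1")
s2 = Session("alice", "PC1", "FarmA", "XA2", "Platinum", "LS1")      # same license as s1
s3 = Session("alice", "PC1", "FarmB", "XB1", "Platinum", "LS1")      # other farm, same license
s4 = Session("alice", "PC1", "FarmA", "XA3", "Enterprise", "LS1")    # other edition
s5 = Session("alice", "LAPTOP1", "FarmA", "XA1", "Platinum", "LS1")  # second device
s6 = Session("alice", "PC1", "FarmA", "XA1", "Platinum", "LS1", "rds")
s7 = Session("admin", "PC9", "FarmA", "XA1", "Platinum", "LS1", "rds-console")
s8 = Session("alice", "PC1", "FarmC", "XC1", "Platinum", "LS2")      # other license server
s9 = Session("carol", "PC3", "FarmA", "XA1", "Platinum", "LS1")

SAMPLE_EVENTS = (
    [("logon", s) for s in (s1, s2, s3, s4, s5, s6, s7, s8)]
    + [("logoff", s) for s in (s2, s3, s1)]
    + [("logon", s9)]
)

if __name__ == "__main__":
    peak = peak_license_usage(SAMPLE_EVENTS)
    print(peak, shortfall(peak, {"LS1": 3, "LS2": 5}))
```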

License Administration Console

The License Administration Console is a required, web-based interface that allows an administrator to maintain the license server and manage license files for that license server. The License Administration Console uses an integrated Apache web server that is part of the license server process (LMADMIN.EXE). An administrator cannot install the License Administration Console on a server other than the license server but can launch it through XenApp or over the Internet.

The following table provides a brief description of the features available with licensing using the License Administration Console.

Feature - Description

Tracking License Usage - Tracks concurrent license information

Reporting - Creates reports based on current license usage

Historical reporting on license usage uses Citrix EdgeSight technology (with EdgeSight Server 5.3 and EdgeSight Agent 5.2) and is not part of the License Administration Console. EdgeSight components are available to all customers regardless of XenApp product edition.

Configuring Alerts - Creates and displays alerts based on license usage and expiration dates

Configuring Delegated Administrators - Assigns rights to administrators to limit capabilities and ensure proper license management

To open the License Administration Console from the server on which it is installed, click Start > All Programs > Citrix > Management Consoles > License Administration Console.

To open the License Administration Console using a web browser, type http://servername:webserviceport in the Address field of the web browser. For example, if the server is Server1, type http://Server1:8082.

Additional considerations include the following:

• It is a best practice that administrators install and configure Secure Sockets Layer (SSL) and configure Secure HTTP(S) when accessing the License Administration Console using a browser on a UNIX workstation or in an unsecure environment.

For more information on securing the License Administration Console with SSL, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.

• If the vendor daemon stops running, vendor daemon services can be restarted in the License Administration Console, which is less intrusive than restarting the server.

• It is a best practice to use a Virtual Private Network (VPN) when accessing the License Administration Console from outside the network.

• The license server does not use a Windows Server account.

The console requires authentication except to view the Dashboard. A default "Admin" account is created during installation and a password is configured for the account after the installation. If the password is forgotten, the license server must be reinstalled.

Port Configuration

Port configurations in the license files are no longer supported. The Citrix Licensing Support service searches for existing port configurations in license files and removes them.

The Citrix vendor daemon port (default: 7279), license server manager port (default: 27000) and License Administration Console port (default: 8082) can all be configured using the following methods:

• License Administration Console

Configuring ports in the License Administration Console requires a restart of the Citrix Licensing service.

• License Server Configuration Tool

• MSIEXEC command line argument

Delegated Administrators in the License Administration Console

The original administrator can add delegated administrators to the License Administration Console. These administrators can have full or partial control of the License Administration Console, as designated by the original administrator.

An administrator can also add a domain user within the License Administration Console. When adding the new user, an administrator must choose to allow or deny them certain features. Therefore, an administrator can choose to add users to perform specific tasks in the License Administration Console with no ability to view other areas.

Identifying Delegated Administrator Roles

Two roles are available in the License Administration Console: User and Administrator. The following table describes each right available in the License Administration Console.

Right - Description

Current Usage - The ability to view current license usage, the complete license inventory and any alerts concerning these areas

Configuration - The ability to add new license files, manage files related to the License Administration Console and configure alert thresholds

User Administration - The ability to add new delegated administrators and assign them roles

Installing Licensing

The installation of the license server software automatically installs the licensing prerequisites with the exception of the following items:

• Microsoft Visual C++ 2008 Redistributable

• Microsoft MSI utility version 3.x

Additional considerations for installing licensing include the following:

• It is a best practice to install the license server first. If licensing is installed after XenApp, a policy must be configured to point to the license server.

• Licensing can exist on a separate server or can share a server with another component.

Manual Installation and Configuration

Installation and configuration of the license server is divided into two separate processes. Post-installation configuration is performed using the License Server Configuration tool. This tool is used to configure the console "Admin" password and port numbers and automatically launches after the initial installation or an upgrade is completed.

The tool can only be run once. Multiple attempts to run the tool will produce an error.

Unattended installation is also supported, but only by using MSIEXEC at the command line. The Admin password and port numbers are also configurable using the MSIEXEC command during an unattended installation. Active Directory and transform files are no longer supported for deploying licensing.

For more information about the MSIEXEC command line arguments, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.

Uninstalling Licensing

An administrator may need to uninstall licensing for a variety of reasons, including moving the component to another system or renaming the system. Some of the files that are not deleted during the uninstall process include the following:

• Options file (CITRIX.OPT)

• License file (LICENSE_NAME.LIC)

A new license server with a valid license file must be ready to accept connections from the Citrix product within a 30-day recovery period of removing the original license server. If the server is unable to establish communication within this time frame, users cannot connect.

When the license file is moved to a server with a different name from the current hostname, the license file must be returned to Citrix and exchanged for a license file that indicates the new server name. This process is called reallocating and is completed on the www.MyCitrix.com web site.

License Server Considerations

XenApp does not need to be on the same system as the license server. General guidelines and considerations for license server deployment include the following:

• For fewer than 200 product servers, a shared license server is recommended.

• For between 200 and 5,000 product servers, a dedicated license server is recommended.

• For more than 4,000 product servers, a dedicated license server for each Citrix product is recommended.

• The majority of transactions between the servers, published applications and the license server are very small (less than 1KB); however, in environments that have a large number of license checkouts, these transactions may tax the network bandwidth. In these cases, the license server should reside on the same LAN as the servers.

License File Management

Citrix requires each organization that uses Citrix products to purchase licenses for the product. The licenses allow client devices to connect to the product and use the features enabled in the product version. License files store the company license information in a plain text format with authenticated content. Each license file can store information for one or more licenses; a license server can store one or more license files. The license file is stored on a license server in the %PROGRAMFILES%\CITRIX\LICENSING\MYFILES\ directory.

Examples of different types of license usage include the following:

• A parent company maintains the license server and license files for its child companies. Each child company must submit its own purchase order for its share of the licenses. An administrator can add the licenses for each child company to a single license file.

• An administrator purchases 50 licenses for XenApp. Six months later, an administrator deploys XenApp to two more company branches and purchases an additional 100 licenses. The license server now stores two license files for the same product, one for 50 licenses and the other for 100 licenses.

Obtaining License Files

The www.MyCitrix.com web site issues the license files. An administrator can allocate some or all of the licenses to one or more license servers. Therefore, an administrator is not obligated to allocate all licenses simultaneously and can choose where to use the remainder at a later date. This administration design allows companies to purchase licenses in bulk and then split them up as needed for various license servers, production farms, test farms or other schemas that fit the environment. For example, if an administrator purchases a single 100-count license, the 100-count license could be split into several license files.

To obtain a license file, an administrator must log on to the MyCitrix web site using personalized credentials. To create a new account, simply click on the New User link and follow the instructions.

Importing License Files

The License Administration Console is used to import a license file. Administrators can use the following procedure:

1. Launch the console and click Administration.

2. Log on and click the Vendor Daemon Configuration tab.

3. Click Import License.

4. Browse to the license file.

5. (Optional) Select the Overwrite License File on the License Server check box if the file has the same name as the existing file.

6. Click Import License and then OK.

The import process copies the file from the existing location into the MyFiles directory where it can be read by the license server.

7. Click the Administrator link in the Citrix vendor daemon line.

8. Click Reread License Files to allow the license server to recognize the new file.

Subscription Advantage

Citrix products include a one-year membership to Subscription Advantage. This membership provides major releases, minor releases and product update downloads through the MyCitrix web site. The membership includes email notifications concerning the account and new items available for members. Members can view, update and obtain benefit information and privileges on MyCitrix at any time.

Organizations can renew Subscription Advantage at the end of a one-year membership.

For each major product release, Citrix issues at least one minor release; these releases are available free of charge with a Subscription Advantage membership. Customers who have let their membership lapse prior to the availability of a new product are unable to obtain the minor product releases. The license itself, however, continues to function at its current platform level and does not expire.

The product version date in the license file must be the same as or newer than the product version date of the installed product, whether a major or minor release. Citrix issues new license files with updated Subscription Advantage expiration dates on the MyCitrix web site after membership renewal.

Administrators can obtain and install major and minor releases after the Subscription Advantage membership expires, as long as the products were released while the membership was still valid.

The following table describes several possible scenarios and how they affect product functionality.

Subscription Status - Product Release Date - Product Functionality

Valid - Prior to Subscription Advantage expiration date - Product functions properly

Expired - Prior to Subscription Advantage expiration date - Product functions properly

Expired - After Subscription Advantage expiration date - Product does not function properly

License File Maintenance and Resources

The MyCitrix web site allows an administrator to quickly view Subscription Advantage information for the licenses of their organization, renew the membership and obtain new product releases. Administrators can find help in online documents located on the MyCitrix web site, as well as by contacting Customer Care. Customer Care contact information is located on the www.citrix.com web site.

High Availability Considerations

When working in a production environment, an administrator must always plan for unexpected circumstances that could cause the network or license server to become unavailable. The Citrix licensing design provides several easy-to-use solutions for disaster recovery and high availability.

Duplicate License Server

A duplicate license server is one option for creating a backup license server. The backup license server must duplicate such essential information as the hostname and the server IP address. This is especially important if the farm or servers are pointing to an IP address instead of the server name to resolve to the license server.

Creating a duplicate license server requires planning and resources to build; however, the process can be implemented quickly in the event that a production license server becomes unavailable.

To set up a duplicate license server, an administrator duplicates or images the production license server and stores the backup license server off the network or powers off the server. Storing the backup server off the network or powering it down prevents communication interferences between the farm and the production license server.

When the production license server must be decommissioned or becomes unavailable, administrators can start the backup server or bring it into the network. The servers within the farm will automatically detect the license server and resume normal communication.

Additional License Server Processes

Additional processes for backing up the license server may be necessary. For example, administrators also have the following options:

• Enabling a replacement license server - Administrators shut down or remove the production license server from the network and rename the second license server to the exact name as the original production license server.

• Connecting to a different license server - The farm, or individual servers within the farm, can point to another license server at any time to retrieve licenses. Considerations include the following:

– Configurations: An administrator must configure each farm or server to point to a different license server. When the original license server is available again, the administrator must change the farm or server configurations to point to the original license server.

– Bandwidth: Although bandwidth consumption is minimal, network resources are a consideration when additional servers connect to a license server.

– License availability: License availability is important because it affects financial decisions for the organization and ultimately, user connectivity. The license reserve diminishes faster than it does under normal circumstances when there are additional users making license requests. For this reason, an adequate number of licenses must be available for all users who typically connect to the farm, as well as the new users.

• Replacing the license server - Administrators can rebuild or replace the license server in the event that a backup license server becomes unavailable or when the production license server becomes inoperable prior to setting up a backup license server. The new license server can use the same license file as long as the hostname remains the same.

If the hostname of the replacement license server is different from that of the original license server, administrators must obtain a new license file from the MyCitrix web site.

License files are case sensitive; therefore, if the hostname is spelled the same but the case is different, the license file will need to be replaced.

License Server Clustering

Licensing provides administrators with a 30 day recovery grace period. To ensure high availability of the license server beyond the 30 day recovery grace period, licensing supports Microsoft clustering. Clustering the license server provides users with continuous access to applications in failure situations.

A server cluster is a group of independent servers running as a cluster service and working collectively as a single system. All servers in the cluster have a single identity and the data is consistent across nodes. Licensing supports the two-node Microsoft cluster in Active/Passive configuration.

The Microsoft cluster environment must be fully functional before configuring Licensing for Microsoft Clustering. Also, the license file hostname must reflect the name of the cluster, not the name of the individual nodes in the cluster.

For more information, see Citrix Knowledge Base article CTX104878 or search the www.microsoft.com web site for information about Microsoft Clustering.


Review

1. After a license server is installed and licenses added, servers can lose contact with the license server for up to how many days without the loss of functionality?

a. 5

b. 30

c. 90

d. 96

2. Which type of licensing manages the licenses that are required for each device or user to connect to a Remote Desktop Session (RDS) Host server?

a. Citrix licensing

b. XenApp licensing

c. Microsoft plug-in licensing

d. Remote Desktop licensing

3. Complete the following sentence. When implementing XenApp, it is a best practice to install the license server _______.

a. After installing XenApp

b. Before installing XenApp

c. On the same server as XenApp

d. On the same server as the Web Interface

4. What should an administrator do to obtain a license file?

a. Call Citrix Technical Support

b. Copy a file from a previous XenApp implementation

c. Log on to the MyCitrix web site using personalized credentials

d. Run the License Generation Wizard from the Delivery Services Console


Module 4

Installing XenApp


Overview

Citrix XenApp 6 installation is only supported on Microsoft Windows Server 2008 R2 operating systems. XenApp 6 can be installed using a wizard. When the wizard is used, the prerequisites are automatically installed by the wizard during the installation. When XenApp 6 is installed using a command line or an unattended installation, the administrator must manually install the prerequisites prior to installing XenApp 6.

XenApp 6 is not supported for installation on a domain controller.

At the end of this module, you will be able to:

• Identify the methods that can be used to install XenApp.

• Identify the XenApp hardware and software requirements.

• Make installation decisions appropriate for an environment.


XenApp Server Role Manager

The XenApp Server Role Manager can be used to install and configure XenApp 6. The XenApp Server Role Manager allows the administrator to choose what to install. Administrators can add server roles as needed as the wizard guides the administrator through the installation.

Roles available with XenApp include the following:

• Citrix License server

• XenApp Server

The Citrix online plug-in and Citrix offline plug-in are installed automatically with the XenApp Server role.

• Web Interface Server

• Single sign-on services (Platinum Edition only)

• Power and Capacity Management Administration (Enterprise and Platinum Editions only)

• EdgeSight Server (Platinum Edition only)

• Provisioning Services (Platinum Edition only)


Unattended Installation and Configuration

Administrators have the option of performing an unattended, scripted installation by using the XENAPPSETUPCONSOLE.EXE file at the command line. Administrators can also perform an unattended, scripted configuration using the XENAPPCONFIGCONSOLE.EXE file.

For more information such as specific syntax or help installing or configuring XenApp 6 from the command line, see the XenApp 6 documentation on the http://support.citrix.com/proddocs/index.jsp web site.

Administrators can also enter "\?" in the command line interface to view the available commands.

Provisioning tools and disk imaging can also be leveraged for XenApp installation and configuration. Startup scripts can install, configure or modify a configuration of XenApp.

For more information about provisioning and imaging Citrix products, see the Provisioning Services documentation on the http://support.citrix.com web site.


Hardware Requirements

Most servers running Microsoft Windows Server 2008 R2 meet the hardware requirements for XenApp with ample processing power to host user sessions accessing the published resources. However, additional research may be needed to determine if the current hardware meets the requirements.

The following table details requirements for XenApp 6.

Technology: Requirement

CPU:

• 64-bit architecture with Intel Pentium

• Xeon family with Intel Extended Memory 64 Technology

• AMD Opteron family

• AMD Athlon 64 family

• Compatible processor

Memory: 512MB RAM (minimum)

Disk space: 32GB (minimum)

Web Interface:

• 6MB free disk space without the copied plug-ins

• 120MB free disk space with the copied plug-ins

• 3.5MB for each Web Interface site


Software Requirements

The components of XenApp require specific software in order to function correctly. An administrator can use the information in the following table to determine the software requirements for the installation stages of XenApp.

Installation Stage: Requirements

Delivery Services Console:

• One of the following operating systems:

– Windows Server 2008 R2

– Windows Server 2008 x86 and x64

– Windows Server 2003 (Standard, Datacenter and Enterprise Editions) x86 SP2, x64, R2 x86 and x64 SP2

– Windows XP Professional x86 SP3

– Windows XP Professional x64 SP2

– Windows Vista (Business, Enterprise and Ultimate Editions) x86, x64 SP1

– Windows 7 x86 and x64

• .NET Framework 3.5 SP1 (automatically installed)

• MMC 3.0

• MS Visual C++ 2005\2008 SP1 Redistributable x64 (automatically installed)

• 25MB free disk space

Web Interface:

• One of the following operating systems:

– Windows Server 2008 R2

– Windows Server 2008 x86 and x64

– Windows Server 2003 with SP2

• Internet Information Services (IIS) (automatically installed)

• Windows Authentication

• Client Certificate Mapping Authentication

• ASP.NET 3.5

• Visual J#

• .NET Framework (automatically installed)


The following installation prerequisites are automatically enabled during the XenApp Server Role Manager wizard-based installations:

• Microsoft .NET 3.5 SP1

• Windows Application Server Role

• Group Policy Management Console (GPMC)

The Group Policy Management Console is only installed if the Delivery Services Console is selected for installation. Additionally, the Citrix Group Policy Engine is added as a new service in XenApp 6.

• Microsoft Remote Desktop Services "Session Host" role

The following installation prerequisites are automatically installed during wizard-based installation:

• Microsoft Visual C++ 2005\2008 SP1 Redistributable (and x64 edition)

• Microsoft Primary Interoperability Assemblies 2005


Installation Decisions

As a best practice, an administrator should review the configuration options available during the XenApp installation process prior to installing the product. By reviewing the options, the administrator can determine in advance how to configure XenApp so that it meets the needs of the organization.

Administrators must be members of the Administrators group before installing or configuring XenApp. Individuals cannot elevate their privileges to local administrator through User Account Control to gain membership.

Licensing should not be overlooked during the installation phase. Administrators are required to maintain proper licensing for:

• XenApp

• Operating system

• Remote Desktop Services (RDS)

• All applications

For more information about Windows Server 2008 R2 and RDS licensing, see the www.microsoft.com web site.


XenApp Configuration Options

The questions and answers on the following pages describe some of the decisions that can be made during the configuration of XenApp.

Which Farm or Zones Will Be Used in the Environment?

Farms

A farm is a group of XenApp servers that can be managed as a single entity, can use a single data store database and can balance the load resulting from requests for published resources in the farm.

During XenApp configuration, the administrator must decide whether a new farm will be created, the server will be added to an existing farm, or the server will be removed from a farm. In general, a single farm meets the needs of most environments. However, business reasons sometimes dictate the need for multiple farms.

Zones

A zone is a logical grouping of servers within a farm. Single zones work best when all XenApp servers are located in the same geographic location. Multiple zones work best when XenApp servers are separated geographically. If the administrator does not specify a zone name during installation, "Default Zone" will be used as the name of the zone. The administrator can create a custom zone name by selecting the checkbox and entering the name.

Which License Server Will Be Used for the Server Farm?

The license server component of XenApp can be installed on a dedicated server, or functionality can be shared with another server.

XenApp must be aware of the location of the license server, which is specified during configuration. To use an existing license server, administrators enter the license server name or IP address. Administrators have the option to defer specifying license server information, if necessary.


The following information is required in order for XenApp to connect to the license server:

• License server name or IP address

• License server port number (default is port 27000)

• Server daemon port number (default is port 7279)

If a license server from a previous version of XenApp will be used, it must be upgraded to use the license server software included with XenApp 6 or later.

Which Database Engine Will Be Used for the Data Store Database?

The data store database is used to store static information about the servers and published applications in a farm.

When creating a farm, the Server Configuration Tool installs the Microsoft SQL Server Express database automatically, with the instance name CITRIX_METAFRAME and the database name MF20. This database uses Windows authentication. A Microsoft SQL Server Express data store database can already exist on a XenApp server, but the server must be restarted prior to the installation of XenApp.

Farms can use the following databases as the data store:

• SQL 2008 SP1 (x32, x64 and Express versions)

• SQL 2008 (x32, x64 and Express versions)

• SQL 2005 SP3 (x32 and x64 versions)

• Oracle 11g R2

It is a best practice to install the database software on a non-XenApp server. The account used to install XenApp must have db_owner permissions to the database. Additionally, if XenApp will be configured from the command-line, the Data Source Name (DSN) file for the SQL Server database must be created prior to the XenApp configuration.

Support for Microsoft Access and IBM DB2 has been removed for XenApp 6 on Windows Server 2008 R2. For additional information about supported database software versions, see the XenApp product documentation on the http://support.citrix.com/proddocs/index.jsp web site.

Will Shadowing Be Enabled?

Shadowing allows authorized users to view and interact remotely with user sessions for the purpose of diagnosis, training and technical support. The default shadowing settings which allow shadowing are recommended for most farms.


The following table describes the options available when enabling shadowing.

Option: Description

Prohibit remote control: Prohibits the shadower from remotely controlling a user’s keyboard and mouse during shadowing sessions

Force a shadow acceptance popup: Displays a shadowing acceptance message on the client device

Log all shadow connections: Keeps a log of all shadowed sessions

If shadowing is prohibited during XenApp installation, it can only be enabled at a later time by reinstalling XenApp.

In some regions, shadowing is forbidden by industry or government regulations. If XenApp will be used in such a region, shadowing should be disabled during the installation.

On Which Port Will the Citrix XML Service Run?

The Citrix XML Service can be used to communicate the least busy server in the farm and the names of published resources to client devices running Citrix Plug-ins for Windows. By default, port 80 is used for this communication, but an administrator can specify a different port during or after the installation. If IIS is installed on the server, IIS and the Citrix XML Service can share port 80.

Sharing the default port with IIS requires that XenApp has access to the virtual Scripts directory on the server. If the security settings on the server prevent this access, the administrator can relax the security settings during the installation. If this is not desired, a separate port should be used for the Citrix XML Service.

When Will Users Be Added to the Local Remote Desktop Users Group?

During the installation of XenApp, the existing users and groups and the anonymous user accounts created by XenApp can be added to the local Remote Desktop Users group on the server.

Members of the local Administrators group have a built-in right to shadow. They do not need to be a member of the local Remote Desktop Users group. All others must be added to the group.


The following table describes the options available when adding users to the local Remote Desktop Users group.

Option: Description

Add the Authenticated Users: Adds all authenticated users

Add the list of users from the Users group: Adds groups and users from the Users group

Add Anonymous users: Adds anonymous users

Which Pass-through Client Will Be Used in the Environment?

A pass-through client gives users of older, less feature-rich clients access to the features of the Citrix online plug-in. Users open the pass-through client from a published server desktop or as a published application and then connect to their published applications from within the pass-through client.

If the Citrix online plug-in is selected for installation, it will be used as the pass-through client and the installation program will attempt to locate the web server running the XenApp Services site using "localhost." If the web site is not running on the local system, the administrator must specify the URL of the web server during the installation using the \\servername.domain.name format.

Will Pass-through Authentication Be Used in the Environment?

Pass-through authentication allows XenApp to automatically authenticate the user, based on the credentials used to log on to Windows. When pass-through authentication is enabled, the user does not need to explicitly log on through the plug-in software to access published resources.

Pass-through authentication should not be implemented in organizations with heightened security requirements.

If pass-through authentication is not enabled during the installation and is later desired on the server, the plug-in software must be reinstalled on the server before pass-through authentication can be used.


Will Information in the Data Store and Configuration Logging Databases Be Protected with IMA Encryption?

XenApp can be configured to encrypt the credentials used by IMA to send information to the data store and configuration logging databases. This encryption can add a layer of security to the sensitive data stored in these databases. When IMA encryption is enabled on one server, it must be enabled on each server in the farm.

IMA encryption is no longer part of the XenApp installation and must be manually configured using the CTXKEYTOOL command, following installation.


Web Interface Installation Decisions

The IIS Management Console is not installed during the Web Interface installation. If an administrator wants to configure IIS on the server, it can be installed by navigating to the Server Manager > Web Server (IIS) menu and selecting "Add Role Services."

During the installation, administrators must make decisions about how the Web Interface will be installed. The following questions and answers address some of the decisions that must be made.

Where will the Web Interface components be installed?

An administrator needs to select a destination folder for installation of the Web Interface components. The default folder is C:\PROGRAM FILES\CITRIX\WEB INTERFACE.

Will the Citrix plug-ins be copied to the server?

Citrix plug-ins can be copied to the server for distribution to client devices through the Web Interface. Plug-ins do not need to be copied to the server during the installation of the Web Interface if the administrator does not want to make the plug-ins available for download through the Web Interface.


Review

1. True or False: An individual can elevate their privilege to local administrator through User Account Control to gain membership to the local administrators group.

a. True

b. False

2. Which item is not available as a role in the XenApp Server Role Manager?

a. Data collector

b. XenApp server

c. Web Interface server

d. Provisioning services

3. Complete the following sentence. When configuring XenApp, to use an existing license server, administrators enter the license server name or __________.

a. IP address

b. license key

c. MAC address

d. administrator credentials

4. Complete the following sentence. If pass-through authentication is not enabled during the installation and is later desired on the server, the plug-in software __________.

a. cannot be configured to use pass-through authentication

b. automatically configures upon reboot for pass-through authentication

c. must be reinstalled on the server before pass-through authentication can be used

d. can be copied from another XenApp environment that contains pass-through authentication


Module 5

Configuring XenApp Administration


Overview

Organizations use XenApp to provide users with the resources they need to accomplish their jobs. Because all organizations are different, XenApp must be customized to take full advantage of its capabilities.

By the end of this module, given an environment containing XenApp, you will be able to:

• Add and configure worker groups.

• Add and configure administrative accounts and permissions.

• Identify the components required for configuration logging.

• Log administrative changes made to a XenApp farm environment.


Worker Groups

XenApp servers can be organized and managed as a single unit known as a worker group. Administrators can configure a worker group to contain servers based on OU membership within Active Directory or assign individual farm servers to a worker group. Worker groups can be used to:

• Reduce the time needed to publish an application to several farm servers by organizing servers based on hosted application type

• Prioritize the groups of servers that users can access

• Filter policies to apply settings to a specific group of farm servers

Publishing Applications to Worker Groups

When publishing an application, a worker group can be used to identify the group of servers that will host the application rather than assigning individual farm servers. Servers that are later added to the worker group, or Active Directory OU, are automatically added to the properties of the published applications.

An administrator must ensure that each application published to a worker group is installed on every server in the worker group. If the application is not installed on one or more farm servers in the worker group, the application will not launch and an error is logged to the Application event log on the data collector.

Prioritizing Worker Groups

Administrators can create a worker group preference list to prioritize the groups of servers that users can access. When launching an application, users are first directed to the worker group with a priority setting of 1. If the servers in the highest priority worker group have reached maximum capacity, or are offline, users will be redirected to farm servers in a lower priority worker group.

Users cannot be redirected to a worker group not included in the worker group preference list.

Filtering Policies to Worker Groups

Administrators can filter Citrix policies to worker groups and apply settings to sessions hosted on a specific set of farm servers. Servers that are later added to the worker group, or Active Directory OU, automatically inherit policy settings.

Worker groups are identified as a filter by name only. If the worker group is renamed or deleted, XenApp cannot recognize the filter and the policy is not applied to the sessions.


Administrator Privilege Levels

Administrators are responsible for managing and monitoring XenApp servers and server farms. During the initial installation of XenApp, an administrator account is created. This administrator account has full administration rights and the authority to create new administrator accounts and grant permissions to the accounts. Each administrator account can be assigned one of the following privilege levels:

• Full Administration

• View Only

• Custom

Each administrator should be given a different account with permissions specific to the access needed to perform required tasks. Specifying permissions for each administrator provides greater security and exact data on who made changes within the farm when configuration logging is enabled. Restricting access to areas of farm management may not prevent administrators from running some command line utilities available with XenApp.

Creating Administrator Accounts

Administrator account management considerations include:

• Administrators with View Only and Custom privileges cannot connect to XenApp sessions unless the license server has a valid XenApp license file.

• Groups and individual users can be granted administrator permissions.

• An administrator whose account is disabled will still be able to log on to the Delivery Services Console if a group to which the administrator belongs is granted permissions to it.

• An administrator account can be deleted from the farm by right-clicking the administrator name and clicking Delete.

It is a best practice to add a group with full permissions and a group for local administrators as soon as possible after installing XenApp.
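The disabled-account consideration in the list above can be checked mechanically. The following Python is an added example, not Citrix code: it takes a constructed list of administrator entries and already-flattened group memberships (every account and group name is hypothetical) and reports users whose own entry is disabled but who still gain access through an enabled group entry.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AdminEntry:
    name: str        # user or group listed as a XenApp administrator
    is_group: bool   # True when the entry is a group
    enabled: bool    # False when the administrator entry is disabled
    privilege: str   # "Full Administration", "View Only" or "Custom"


# Constructed sample data; every account and group name is hypothetical.
ENTRIES = [
    AdminEntry("CORP\\adavis", False, True, "Full Administration"),
    AdminEntry("CORP\\jsmith", False, False, "Custom"),   # junior admin in training
    AdminEntry("CORP\\bwong", False, False, "View Only"),
    AdminEntry("CORP\\HelpDesk", True, True, "Custom"),
    AdminEntry("CORP\\Contractors", True, False, "View Only"),
]

# Assumption: memberships are already flattened (nested groups resolved).
GROUP_MEMBERS = {
    "CORP\\HelpDesk": {"CORP\\jsmith", "CORP\\mlee"},
    "CORP\\Contractors": {"CORP\\bwong"},
}


def disabled_but_reachable(entries, group_members):
    """Return (user, group, privilege) for each disabled user entry that
    still gains console access through an enabled group entry."""
    disabled_users = {e.name for e in entries
                      if not e.is_group and not e.enabled}
    findings = []
    for entry in entries:
        if not (entry.is_group and entry.enabled):
            continue
        for member in group_members.get(entry.name, set()):
            if member in disabled_users:
                findings.append((member, entry.name, entry.privilege))
    return sorted(findings)


def access_paths(user, entries, group_members):
    """List every enabled entry (own or group) that grants `user` access."""
    paths = []
    for entry in entries:
        if not entry.enabled:
            continue
        if not entry.is_group and entry.name == user:
            paths.append(entry.name)
        elif entry.is_group and user in group_members.get(entry.name, set()):
            paths.append(entry.name)
    return paths


if __name__ == "__main__":
    for user, group, privilege in disabled_but_reachable(ENTRIES, GROUP_MEMBERS):
        print(f"{user}: entry disabled, still has {privilege} via {group}")
```

A finding means that disabling the individual entry did not remove access; the user must also leave the group, or the group entry must be disabled.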


Administrator Account Selection

An administrator can configure users from the following locations with administrative permissions:

Citrix User Selector: Adds a new administrator from the Windows users and groups within the domain

Operating System User Selector: Adds a new administrator from the local users and groups on the server

A domain administrator can also be selected, but appropriate credentials must be provided before permission to browse the list of Active Directory users is granted.


Administrator Account Creation Settings

An administrator with full permissions can configure additional administrator accounts using the following settings:

View Only: Provides the administrator account permission to view all areas of XenApp using the Delivery Services Console and command line utilities, but the administrator cannot make modifications using these consoles or tools

Full Administration: Provides the administrator account full access to view and modify all areas of XenApp using the Delivery Services Console and command line utilities

The account specified during the XenApp installation becomes the default administrator with full administration privileges. These administrators can also:

• Add and delete administrators.

• Grant permissions to other administrators.

• Create and delete server and application folders.

Custom: Provides the administrator account with limited permissions to view and modify XenApp using the Delivery Services Console and command line utilities

A full administrator must configure the areas of XenApp to which a custom administrator has access.

Disable Citrix Administrator accounts: Disables the selected administrator account

If the logon permission to a console is disabled, the administrator will not be able to perform administrative tasks using the Delivery Services Console.

Disabling an Administrator Account Example

A senior administrator adds an account for a new junior administrator and configures it with custom privileges. Because the new junior administrator will be attending three weeks of training before working at full capacity in the IT staff role, the senior administrator disables the administrator account for the junior administrator. This prevents the junior administrator from making changes to the server farm before being fully trained. After training is complete, the senior administrator can easily enable the account for the junior administrator.


Configuring Administrator Permissions

Creating an administrator account with custom privileges allows an administrator to delegate the administration of one or more particular areas of the farm. During the creation of a custom administrator account, the privilege level and permissions for the administrator account are specified. When the administrator uses the Delivery Services Console, only the console tree nodes and folders to which the administrator has permissions to administer are displayed.

Permissions can be granted to custom administrators:

• During the creation of the custom administrator account

• Through the Administrator properties in the Delivery Services Console

• Through the Permissions option for application and server folders in the Delivery Services Console

Delegated Administration Example

CompanyA has a local IT staff and a help desk. The local IT staff is responsible for managing and maintaining the server farm. The help desk is responsible for providing the first level of support to all users. The IT staff must have full administration privileges, while the help desk needs the following custom privileges and permissions:


View only permissions for:

• Administrators (as well as Log on to the Management Console)

• Farm Management

• Printers and Printer Drivers

• Published Applications and Content

• Server Information

Full administration permissions for:

• Sessions (located in the Servers and Applications nodes)

• Policies

By delegating these administrative permissions for the farm, the help desk personnel are only able to:

• View all areas of the Delivery Services Console.

• Perform session tasks and user policy tasks related to their jobs.

Configuring Folder Permissions

Folders can be created for applications and servers within the Delivery Services Console. Only an administrator account with full administration privileges can create folders.

By creating folders and placing resources into the folders, an administrator can:

• Easily locate the desired objects during routine administration.

• Improve browsing performance of the Delivery Services Console because only the contents of the expanded folders are enumerated and only the folders to which an administrator has access are displayed.

• Support a more granular delegated administration configuration.

Delegated administrators must have view permissions to parent folders in order to access child folders.

The folder structure created in the Delivery Services Console is not related to or reflected in the folder structure displayed to users of self-serviced applications powered by Dazzle, the Citrix Receiver and the Web Interface. The application folder structure displayed to users is dictated in the properties of the published resource.

Folder Use Example

An administrator of a large farm must configure the published applications used by the HR department to meet the following criteria:

• The office users require high color depth, audio and shortcuts to the applications placed seamlessly on their existing client devices.


• The remote users require reduced color depth and no audio support in order to reducebandwidth requirements.

• The application administrator must only be allowed to manage the published applicationsand user sessions connecting to the published applications and must not have permissionsto perform any other administrative tasks in the farm.

To meet these requirements, an administrator with full administration privileges for thefarm:

• Creates folders named “OFFICE_HR” and “REMOTE_HR”

• Publishes the required applications with the appropriate settings so all office users areassigned to the applications, and the applications are placed in the OFFICE_HR folder

• Publishes the same applications with the appropriate settings so all remote users areassigned to the applications, and the applications are placed in the REMOTE_HR folder

• Modifies the permissions for the OFFICE_HR and REMOTE_HR folders to allow theapplication administrator to perform both published application and session-relatedadministrative tasks

Delegating Administration


The administration of application and server folders can be delegated to specific administrators and groups of administrators. This delegated administration is configured through the permissions assigned to the folders. These permissions can be:

• Copied from the parent folder to the child subfolder during the creation of the folder

By default, any permission changes to the parent folder are not automatically copied to the subfolders. A full administrator can select, in the permissions of the parent folder, Copy the permissions of all administrators for this folder to its subfolders to propagate all changes to the subfolders.

• Specified or modified after the folder is created

An administrator should be aware of the following considerations when configuring delegated administration for a folder:

• The administration of the folders can be simplified by assigning groups of administrators instead of individual users. The use of groups allows the administrator to grant or deny permissions by adding administrators to or removing administrators from the groups.

• When granting session management permissions such as Disconnect Users to an application or server folder, remember that disconnecting the session for one application will cause all other applications within the session to disconnect.
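The two folder rules above (permissions are copied only at creation, and a delegate needs view permission on every parent folder) lend themselves to a periodic least-privilege review. The following is an added example, not part of the course material: it models a folder tree in memory and reports both conditions. The group names HelpDesk and HR_AppAdmins, the "View" label and the sample tree are constructed for illustration.

```python
from dataclasses import dataclass, field

VIEW = "View"  # constructed label for the view permission on a folder


@dataclass
class Folder:
    name: str
    perms: dict = field(default_factory=dict)      # administrator or group -> set of permissions
    children: list = field(default_factory=list)

    def add_subfolder(self, name):
        """Create a subfolder with 'copy permissions from the parent folder' chosen.

        The copy is a one-time snapshot: later changes to the parent are not
        reflected in the subfolder.
        """
        child = Folder(name, {who: set(p) for who, p in self.perms.items()})
        self.children.append(child)
        return child


def diff_from_parent(folder, path=""):
    """List (subfolder path, who, missing, extra) where a subfolder's
    permissions differ from those of its parent folder."""
    findings = []
    here = f"{path}/{folder.name}"
    for child in folder.children:
        for who in sorted(set(folder.perms) | set(child.perms)):
            parent_p = folder.perms.get(who, set())
            child_p = child.perms.get(who, set())
            if parent_p != child_p:
                findings.append((f"{here}/{child.name}", who,
                                 sorted(parent_p - child_p),
                                 sorted(child_p - parent_p)))
        findings.extend(diff_from_parent(child, here))
    return findings


def find_unreachable(folder, ancestors=(), path=""):
    """List (folder path, who) where permissions are granted on a folder but
    the holder lacks view permission on at least one parent folder."""
    findings = []
    here = f"{path}/{folder.name}"
    for who, granted in sorted(folder.perms.items()):
        if granted and any(VIEW not in a.perms.get(who, set()) for a in ancestors):
            findings.append((here, who))
    for child in folder.children:
        findings.extend(find_unreachable(child, ancestors + (folder,), here))
    return findings


def build_sample():
    """Constructed tree based on the OFFICE_HR / REMOTE_HR folder example."""
    apps = Folder("Applications", {"HelpDesk": {VIEW}})
    office = apps.add_subfolder("OFFICE_HR")
    remote = apps.add_subfolder("REMOTE_HR")
    # The application administrators are delegated on the two HR folders only.
    hr_tasks = {"Publish Applications and Edit Properties", "Disconnect Users"}
    for f in (office, remote):
        f.perms["HR_AppAdmins"] = set(hr_tasks)
    # Months later the parent is changed; the subfolders keep their old snapshot.
    apps.perms["HelpDesk"].add("Disconnect Users")
    return apps


if __name__ == "__main__":
    tree = build_sample()
    for path, who in find_unreachable(tree):
        print(f"{who} holds permissions on {path} but cannot view a parent folder")
    for path, who, missing, extra in diff_from_parent(tree):
        print(f"{path}: {who} missing={missing} extra={extra}")
```

Differences reported by `diff_from_parent` are not all mistakes: the extra HR_AppAdmins permissions are the intended delegation, while the missing HelpDesk permission is a parent change that was never propagated.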

Practice: Delegating Administration

Use your knowledge of folders and permissions to provide the answers to the following scenarios.

Scenario 1: An administrator with full administration privileges (full administrator) grants an administrator with custom privileges (custom administrator) access to the Applications node in the Delivery Services Console. The custom administrator is given full permissions to the following:

• Publish Applications and Edit Properties

• All Application Sessions tasks

Six months later, the full administrator creates a folder within the Applications node of the Delivery Services Console to better manage the published applications in the farm. When creating the new folder, the full administrator chooses to copy permissions from the parent folder.

Which permissions does the custom administrator have to the new folder?

______________________________________________________

______________________________________________________


Scenario 2: An administrator with full administration privileges (full administrator) grants an administrator with custom privileges (custom administrator) access to the Applications node in the Delivery Services Console. The custom administrator is given full permissions to the following:

• Publish Applications and Edit Properties

• All Application Sessions tasks

Six months later, the full administrator creates a folder within the Applications node of the Delivery Services Console to better manage the published applications in the farm. When creating the new folder, the full administrator chooses not to copy permissions from the parent folder.

Which permissions does the custom administrator have to the new folder?

______________________________________________________

______________________________________________________

______________________________________________________

Scenario 3: CompanyA has a farm that consists of ten servers: five located in Quebec and five located in Hong Kong. The administrators in each location must have permission to manage only the servers in their geographic region. To accomplish this task, the full administrator creates two folders under the Servers node in the Delivery Services Console (QB_Servers and HK_Servers). The full administrator then moves the servers into the respective folders.

What else must the full administrator do to ensure that administrators can only manage the servers in their geographic region?

______________________________________________________

______________________________________________________

______________________________________________________


Configuration Logging

In many organizations, a large number of administrators are responsible for configuring and administering XenApp. It can be beneficial to know which administrators made changes, what the changes were and when the changes were made.

Configuration Logging provides a means for tracking administrative changes made to the XenApp farm environment, including:

• Who performed the change

• The date and time the change was made

• The object to which the change was made

• Details about whether the change was successful or not

An administrator can create configuration log reports using the Get-CtxConfigurationLogReport PowerShell command after Configuration Logging is enabled.

The most useful information is logged when each administrator has a separate account.

Creating the Configuration Logging Database

When Configuration Logging is enabled, all changes made to the farm using the Delivery Services Console, command line utilities and tools custom built with SDKs are recorded to a Configuration Logging database.

The Configuration Logging database can be configured to use one of the following database software versions:

• Microsoft SQL Server 2005 or 2008, with ddl_admin or db_owner permissions

• Oracle Database 11g Release 2 with Connect role, Resource role and Unlimited tablespace system privileges

The roles and privileges listed are necessary for the user account responsible for creating, modifying and clearing the Configuration Logging database.

The Configuration Logging database can be protected using the IMA encryption feature, which encrypts the credentials used to access the database. If IMA encryption will be used with the Configuration Logging database, the database must be configured to use encryption and IMA encryption must be enabled on all servers in the farm. Administrators will be unable to access the IMA-encrypted data if the encryption for the farm is later disabled.

The CTXKEYTOOL command can be used to enable and disable the IMA encryption feature and generate, load, replace, enable, disable and back up farm key files.

Configuration Logging Database Settings

The Delivery Services Console is used to specify the database that XenApp will use to log configuration changes. A Configuration Logging database must be created before Configuration Logging can be enabled.

A Configuration Logging database can only support information for one farm. To store Configuration Logging information for a second farm, a second Configuration Logging database must be created.

The following settings can be used to create the Configuration Logging database:

SQL Server: An administrator should select this setting to choose SQL Server as the Configuration Logging database type. If SQL Server is selected, the administrator must provide the following information before proceeding with the configuration process:

• The name of the database server which is found in the Server name drop-down list

• The authentication mode used with the SQL Server database

Oracle: An administrator should select this setting to choose Oracle as the Configuration Logging database type. If Oracle is selected, the administrator must provide the network service name of the Oracle server.

Enabling Configuration Logging

Administrators with permission to edit Configuration Logging settings can enable and disable Configuration Logging for the farm and customize Configuration Logging settings.

Configuration Logging settings include:

Log administrative tasks to Configuration Logging database: Logs all administrative tasks to the Configuration Logging database

Allow changes to the farm when logging database is disconnected: Allows configuration changes to be made to the farm when the Configuration Logging database is not available

Require administrators to enter database credentials before clearing the log: Requires database credentials when clearing the configuration log

Caution should be taken when determining who has permission to clear the configuration logging database because important information logged to the database might be removed.


Review

1. Which privileges can be granted to a XenApp administrator account?

a. Full, View Only, Guest

b. Read Only, Write Only, Add/Update

c. View Only, Full Administration, Custom

d. Create Accounts, Delete Accounts, Update Accounts

2. Which statement about folders in the Delivery Services Console is true?

a. All administrators can create folders.

b. Permissions can be assigned to individual applications in folders.

c. Folders can be used to delegate the administration of applications and servers.

d. Changes to permissions on a parent folder are automatically copied to all subfolders.

3. If IMA encryption is enabled, which effect will it have on the Configuration Logging database?

a. All data in the Configuration Logging database will be backed up.

b. Credentials to the Configuration Logging database will be encrypted.

c. Only an Oracle database can be used for the Configuration Logging database.

d. Only a SQL Server database can be used for the Configuration Logging database.

4. Which statement about worker groups is true?

a. The first XenApp server moved into a worker group becomes the zone data collector.

b. Farm servers in a worker group with a priority setting of 3 are considered the highest priority.

c. A farm server added to a worker group will automatically inherit the policy configurations for the worker group.

d. A farm server added to a worker group does not need to have an application installed locally to be able to inherit the published application configurations of the worker group and host the application.


Module 6

Installing and Configuring Web Interface

Overview

The Web Interface provides users with access to published resources and content through a standard web browser or through Citrix plug-ins.

The Web Interface employs Java and .NET technology to present users with a dynamically-created HTML depiction of farm resources. An administrator can create standalone web sites for resource access or integrate a web site into a corporate portal. Additionally, an administrator can configure settings for users accessing resources through the Citrix plug-ins.

• Web Interface sites are configured using the Web Interface Management console.

• The Web Interface is not a single point of failure.

• The options and configurations presented in this module pertain to Web Interface 5.3.

By the end of this module, given an environment containing XenApp, you will be able to:

• Describe the Web Interface communication process.

• Install and configure the Web Interface.

• Create and configure XenApp Web and XenApp Services sites.

• Configure client delivery and customizations.

• Configure explicit, pass-through and smart card authentication.

• Configure secure access settings for the Web Interface.

• Configure the Web Interface to communicate with XenApp farms.

• Remove a Web Interface site.


Web Interface Communications

The following table describes the ports that are used in communication with the Web Interface.

Port 80: This port is used by plug-ins using the TCP+HTTP protocol to communicate with servers. This port must be opened on firewalls for inbound packets from plug-ins to locate servers.

Port 443: This port is used by Citrix SSL Relay to secure communications between the Web Interface web server and the farm.

Web Interface Communication Process

The following process provides an overview of how a XenApp Web site communicates with client devices and XenApp servers to initiate a session:

1. A user submits logon credentials through a Web Interface logon page.

2. The Web Interface forwards the logon credentials to the Citrix XML Service on the XenApp server.

3. The credentials are forwarded to a domain controller for authentication.

4. The Citrix XML Service retrieves a list of applications from the IMA subsystem.

5. The Web Interface presents the applications in a web page on the client device. The user clicks an application icon on the web page.

6. The Web Interface contacts the Citrix XML Service to locate the least busy server in the farm. The Citrix XML Service requests a secure ticket for the user from the least busy server.

7. The Citrix XML Service returns the address of the least busy server and the secure ticket for the user to the Web Interface. The Web Interface server dynamically generates a customized ICA file (LAUNCH.ICA) and sends it to the web browser on the client device.

If bookmarking is enabled, a LAUNCHER.HTML file will be created instead of the LAUNCH.ICA file.

8. The client device initiates a connection with the server specified in the connection information of the ICA file.

Web Interface Installation

An administrator can automatically copy the plug-ins from the Citrix XenApp 6 for Windows Server 2008 R2 DVD to the web server during the installation of the Web Interface. Copying the plug-ins from the Citrix Receiver and Plug-ins folder to the web server allows for automatic deployment of the plug-ins to client devices.

Older plug-in versions are compatible with Web Interface 5.3; however, the 12.x version of the plug-in is required in order to take full advantage of the features in Web Interface 5.3.

The following web browsers can be used to log on to the Web Interface:

• Internet Explorer 7.x

• Internet Explorer 8.x

• Safari 3.x

• Mozilla Firefox 3.x

• Mozilla 1.7

Not all features are supported by all browsers. For information about supported features for the plug-ins, see Knowledge Base article CTX104182 on the www.citrix.com web site.

For security and performance, the Web Interface should not be installed on a XenApp server. Client devices accessing XenApp Web sites must have a web browser and supported plug-in to connect to the Web Interface site.

For additional security, the Web Interface can be installed on the internal network. If the Web Interface is placed in the demilitarized zone (DMZ), it is a best practice to use Citrix SSL Relay to secure Citrix XML traffic. This requires the use of a digital certificate.

Installing Web Interface

An administrator can use the XenApp Server Roles Manager to install the Web Interface.

For more information about installing the Web Interface, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.

Site Creation

An administrator can create the following types of Web Interface sites using the Web Interface Management console:

XenApp Web: A XenApp Web site allows users to access remote applications, virtualized applications and content using a web browser.

XenApp Services: A XenApp Services site allows users to access remote applications, virtualized applications and content using a Citrix online plug-in.

The Web Interface Management console guides an administrator through the process of creating each site type and allows an administrator to specify the IIS site, the configuration source location, user authentication settings and server farm settings for the site. After the site is created, it is added to the Web Interface Management console.

Creating a Web Interface Site

An administrator can use the Create Site option in the Web Interface Management console to create a XenApp Web or XenApp Services site.

Site Creation Considerations

The configuration information for a site is stored on the local server. An administrator can configure the site using the Web Interface Management console on the local server or by editing the WEBINTERFACE.CONF file on the local server.

When specifying the point of authentication, an administrator can choose between the following options:

• At Web Interface (default), which enables built-in authentication methods such as explicit, pass-through and smart card authentication

• At Microsoft Active Directory Federation Services account partner, which enables authentication to take place at a client organization that wants to use the applications on the site

• At Access Gateway, which enables authentication to take place at the Access Gateway and pass the credentials through to the web site

• At third party using Kerberos, which uses a third-party federation or single sign-on product to authenticate users and map identities to Active Directory accounts so Kerberos can be used for single sign-on to the web site

• At Web server, which enables the authentication of users using Kerberos

XenApp Web Site Configuration Options

XenApp Web sites are used to display published resources to users through a web browser.

During the configuration of a XenApp Web site, the administrator must specify:

• The farm name, XML servers, XML service port and transport type to use for the site

• Authentication settings and domain restrictions, if any

• The logon screen appearance

• The published resource types to be provided by the site

XenApp Web Site Authentication Settings

When specifying authentication settings for a XenApp Web site, an administrator can choose from the following options:

• Explicit (default), which requires credentials be typed

• Pass-through, which passes the credentials specified at Windows logon to the web site

• Pass-through with smart card, which passes the credentials specified at Windows logon to the web site. If a XenApp Services site is being accessed, the smart card PIN number must be provided

• Smart card, which prompts for the smart card PIN number regardless of the type of web site and for every application request

• Anonymous, which requires no typed credentials

When Explicit, Pass-through or Pass-through with smart card are selected, the configuration wizard allows the administrator to restrict access to the site to users from specific domains.

Active Directory Federation Services

Users can also access published applications using Active Directory Federation Services (ADFS). ADFS extends the existing Active Directory infrastructure to provide access to resources offered by trusted partners across the Internet.

ADFS support for the Web Interface enables the partner of an ADFS deployment to use XenApp in conjunction with the Web Interface. By enabling ADFS, the administrator in the resource partner's domain can create sites for users in the account partner's domain. The users in the account partner's domain will have single sign-on access to published applications in the resource partner’s domain.

Sites configured to use ADFS support authentication using ADFS only. Other methods of authentication are not supported. After a site configured to use ADFS is created, the administrator cannot configure that site to use built-in authentication or access through Access Gateway.

Logon Screen Appearance

During the configuration of the XenApp Web site, an administrator must specify the style to use for the Logon screens. The administrator can set the Logon screens to:

Minimal: Displays only the logon fields

Full: Displays the header area, navigation bar, logon fields, along with the Preferences and Messages tabs

Published Resource Types

Administrators can select the following published resource types for XenApp Web and XenApp Services sites:

• Online, which allows users to access published applications, content and desktops hosted on XenApp servers

• Offline, which allows users to access virtualized applications from their client device and open them locally using the Citrix offline plug-in

• Dual mode, which allows users to access offline virtualized applications and online published applications, content and desktops from the same web site

If Dual mode is selected as the published resource type, XenApp attempts to virtualize the application to the client device first. If it is unable to virtualize the application to the client device, the published resource is accessed from the server.

XenApp Services Site Configuration

A XenApp Services site is used to deliver applications and resources to users through the Start menu, the Windows desktop or through the Citrix online plug-in icon displayed in the Windows notification area on the client device.

The administrator can perform an initial configuration of the XenApp Services site using the Create Site option in the Web Interface Management console to create the CONFIG.XML configuration file in the \INETPUB\WWWROOT\CITRIX\PNAGENT\CONF\ directory on the Web Interface web server.

During the configuration of a XenApp Services site, the administrator must specify:

• The farm name, XML servers, XML service port and transport type to use for the site

• The published resource types to be provided by the site

For more information, see the Published Resource Types topic in this module.


CONFIG.XML File

An administrator can also configure a XenApp Web and XenApp Services site by editing the following parameters in the CONFIG.XML file:

• FolderDisplay, which specifies the location of published resource icons

• DesktopIntegration, which specifies whether or not shortcuts are added to the Start menu, Windows desktop or system tray

• ConfigurationFile, which facilitates moving published resource requests to a different server running the Web Interface

• Request, which specifies where the plug-in should request published application data from and how often to refresh the information

• Failover, which specifies a maximum of five backup server URLs to contact if the primary URL is unavailable

• Logon, which specifies the logon method to use

• UserInterface, which specifies whether to hide or display certain groups of options to the user as part of the online plug-in

• ReconnectOptions, which specifies whether or not workspace control functionality is available to users

• FileCleanup, which specifies whether or not shortcuts are deleted when a user logs off of the online plug-in

• ICA_Options, which specifies the display and sound options for the connections

• AppAccess, which specifies the types of applications available to users

Web Interface Site Modification

An administrator can modify a Web Interface site using one of the following methods:

• Web Interface configuration file, which allows administrators to modify the Web Interface parameters and settings directly in the WEBINTERFACE.CONF file stored on the local web server

Modifying the local configuration file directly is an uncommon method. In order to back up a Web Interface site, the WEBINTERFACE.CONF and the CONFIG.XML files must be copied.

• Citrix Web Interface Management console, which allows administrators to modify the settings stored in the local configuration file

Modifying the Web Interface Configuration File

An administrator can directly modify the Web Interface site parameters and settings by editing the \INETPUB\WWWROOT\CITRIX\XENAPP\CONF\WEBINTERFACE.CONF file on the local web server with a text editor.

The Web Interface uses a .NET Watcher feature that recognizes and automatically re-loads any changes made to the configuration file. The server running the Web Interface does not need to be restarted in order for changes to take effect.
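Because the file is plain text, the farm settings named earlier in this module (XML servers, XML service port and transport type) can be reviewed offline, for example to confirm that a Web Interface server in the DMZ secures Citrix XML traffic as recommended. The following is an added example, not part of the course material: it assumes the Farm<n> line layout used by Web Interface 5.x (a comma-separated server list followed by Name:, XMLPort:, Transport: and SSLRelayPort: attributes), and the host names, farm names and sample file content are constructed.

```python
import re

# Constructed sample in the assumed WEBINTERFACE.CONF farm-line layout.
SAMPLE_CONF = """\
# constructed sample, other settings omitted
Farm1=xa-01.example.internal,xa-02.example.internal,Name:HRFarm,XMLPort:80,Transport:HTTP,SSLRelayPort:443
Farm2=xa-10.example.internal,Name:DevFarm,XMLPort:443,Transport:SSL,SSLRelayPort:443
"""

FARM_KEY = re.compile(r"^Farm\d+$")
ENCRYPTED_TRANSPORTS = {"SSL", "HTTPS"}   # SSL = Citrix SSL Relay


def parse_farms(conf_text):
    """Return one dict per Farm<n> line: key, server list and attributes."""
    farms = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not FARM_KEY.match(key):
            continue
        farm = {"key": key, "servers": [], "attrs": {}}
        for token in (t.strip() for t in value.split(",")):
            if not token:
                continue
            if ":" in token:
                # Tokens of the form Attribute:Value describe the farm.
                name, attr_value = token.split(":", 1)
                farm["attrs"][name] = attr_value
            else:
                # Bare tokens are XML server addresses.
                farm["servers"].append(token)
        farms.append(farm)
    return farms


def audit_xml_transport(conf_text):
    """Report farms whose Citrix XML traffic is not sent over an encrypted transport."""
    findings = []
    for farm in parse_farms(conf_text):
        transport = farm["attrs"].get("Transport", "").upper()
        if transport not in ENCRYPTED_TRANSPORTS:
            findings.append({
                "farm": farm["key"],
                "name": farm["attrs"].get("Name", "(unnamed)"),
                "servers": farm["servers"],
                "xml_port": farm["attrs"].get("XMLPort", "(not set)"),
                "transport": transport or "(not set)",
            })
    return findings


if __name__ == "__main__":
    for f in audit_xml_transport(SAMPLE_CONF):
        print(f"{f['farm']} ({f['name']}): XML traffic to {', '.join(f['servers'])} "
              f"on port {f['xml_port']} uses transport {f['transport']}")
```

A finding matters most where the logon credentials forwarded to the Citrix XML Service cross a network boundary, as they do when the Web Interface server sits in the DMZ.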

Using the Web Interface Management Console

Administrators can use the Web Interface Management console to perform daily Web Interface administration tasks quickly and easily. The right pane of the console contains the actions that can be used to edit the settings of the selected Web Interface site.

New administrators and administrators with limited experience modifying the WEBINTERFACE.CONF file parameters should use the Web Interface Management console to configure the Web Interface.

Specifying Citrix Plug-in Backup URLs

An administrator can specify URLs of backup servers to contact if the online plug-in cannot access the primary XenApp Services web site. A maximum of five backup URLs can be configured for each site.

An administrator can use the Server Settings option in the Web Interface Management console to specify backup URLs for a XenApp Services site.

Site Appearance

Overall site appearance, layout, branding, application windows and the welcome area of a XenApp Web site are options that the administrator can configure through the Web Interface Management console to meet the needs of an organization.

The Web Interface features a breadcrumb trail for navigation through the list of applications. The navigation bar allows users to access different screens within the Web Interface with well-defined labels to enhance the user experience.

Users can add /m or /mobile to the end of the Web Interface URL to access available mobile pages on the site. The mobile pages also feature breadcrumb navigation, user-selectable views, a navigation bar, tabbed view and an application or resource search.

Site Customization Options

An administrator can use the Web Site Appearance option in the Web Interface Management console to customize the appearance of a XenApp Web site.

The following list describes the options available for customizing the appearance of a XenApp Web site, including the pre-logon, logon, applications and messages screens for the site.

Layout: Allows an administrator to specify:

• The overall screen layout

• Display settings

• Whether or not users will be allowed to customize the layout of the site

• The number of application tabs that are displayed in the site

Appearance: Allows an administrator to specify:

• View mode for the logon screen

– Minimal mode is the default view; it removes the header, ability to read messages and ability to change user preferences.

– Full mode provides users with full functionality, including the ability to read messages and change preferences before logon.

• The color used for the background, text and overall branding

• The header image, background image or color

• Navigation bar background image or color

• Content area background image or color

Content: Allows an administrator to specify:

• The default language and additional languages for the local area

– Standard language code allows an administrator to select standard languages from a list.

– User-defined language code allows custom language strings and requires the administrator to type the appropriate language code.

XenApp Web sites change language settings based on the language settings of the browser.

• Custom text for the welcome message, footer, pre-logon message, logon screen text, application screen text, message screen text and footer text on all screens

Practice: Site Customization

Match the scenarios in the following table with the customization option used to address the scenario. Choose from the three customization options to fill in the six blanks in the table.

• Layout

• Appearance

• Content

Scenario | Customization Option

Change the number of tabs displayed in the site.

Change the standard language of the site to Spanish for users in Mexico.

Add the company logo to the header area of the site.

Add the "Welcome to the Marketing Department" welcome message to the site.

Allow users to customize the screen layout on the client device.

Add the company logo.

Session Preferences

An administrator can configure the following session preferences for a XenApp Web site:

• Whether kiosk mode is enabled or disabled

• Whether the Preferences button in the Web Interface site is displayed to users

• The length of time a user session can be inactive before the session is logged off

• Whether browser bookmarks can be used to access resources

• Whether bandwidth control is enabled and users can configure settings to optimize the performance of their remote sessions

• Whether font smoothing can be used and users can control the window size in their remote sessions

• Whether users can customize local resource mappings such as key combinations, PDA settings and special folder redirection

• Whether or not the XenApp Web site should override the user device name


Configuring Session Preferences

An administrator can use the Session Preferences option in the Web Interface Management console to configure the session preferences for a XenApp Web site.

Session preferences are not available for XenApp Services sites.

Session Options

An administrator can configure the following session options for a XenApp Services site:

• The window size

• Whether font smoothing is allowed

• The color quality and sound quality allowed

• Where key combinations can be used

• Whether special folder redirection is provided and whether users are allowed to customize it


• How workspace control is configured for the site

For more information about workspace control, see the Workspace Control topic later in this module.

Configuring Session Options

An administrator can use the Change Session Options menu in the Web Interface Management console to configure the session options for a XenApp Services site.

Session options are not available for XenApp Web sites.


User Options

When connected to a XenApp Web site, users can select the view used to display their applications and resources in the site. The Select view drop-down list in the right corner of the Applications tab allows the user to select from the following views:

• Icons

• Details

• List

• Tree

• Groups

Users are also provided with:

• Hints that appear at the bottom of the Applications tab. These hints appear below the applications in the Applications tab and contain helpful information about using the site more efficiently.

• A low-end graphics mode for users with a hand-held device or bandwidth-challenged connections. This option appears below the Applications tab when it is available for use.

• Inline help to explain possible problem areas. This information is displayed above the Applications tab.


• A search capability to assist in finding applications and resources. The Search field appears in the upper-right corner of the screen and the search results are displayed in the Search Results tab to the right of the Applications tab.


Workspace Control

The workspace control feature allows users to disconnect and reconnect to sessions as they move between different client devices. For example, in a health care environment, as doctors move around the hospital, they may require access to the same sessions from different locations. Using workspace control, the doctors are able to quickly reconnect to application sessions.

The following requirements must be met to use workspace control:

• XenApp must be installed and configured.

• The Web Interface must be installed.

• At least one Web Interface site must be configured.

Workspace control works with both XenApp Web and XenApp Services sites but cannot be used with Remote Desktop Connection software.

Workspace Control Example

Dr. Jones has an active PowerPoint session open on Device #1. When Dr. Jones starts his rounds, he leaves Device #1 and opens a session in the hospital patient data application on Device #2 to record patient data. Both the PowerPoint and patient data applications are opened on Device #2. When he finishes, he clicks the Disconnect button and continues his rounds in another location in the hospital.

Next, Dr. Jones logs on to Device #1 and decides to reconnect to both his active and disconnected sessions. The doctor’s PowerPoint session on Device #1 is automatically disconnected by the Web Interface and reconnected on Device #3. The disconnected session on Device #2 is reconnected on Device #3.

In addition to the applications, workspace control can automatically provide the printers for the sessions based on the client device and policy settings.

Workspace Control Functionality

Workspace control:

• Only reconnects users to existing sessions on XenApp servers. If a session is logged off, workspace control cannot reconnect to it

• Cannot reconnect anonymous users to applications after they disconnect

• Prompts smart card users for their PINs for each reconnected session if pass-through authentication with smart cards is enabled


• Requires that the Web Interface site be set to override the client name setting in the Manage Session Preferences task (default setting)

Workspace control functions are disabled if no trust relationship exists between the Web Interface server and the XenApp servers and pass-through or smart card authentication methods are used. For more information about this trust relationship, see the Citrix XML Service Trust Relationships topic later in this module.

Workspace Control Configuration Options

The following table lists the workspace control options that can be configured for a Web Interface site to allow users to reconnect to active or disconnected sessions.

Option: Automatically reconnect to sessions when users log in

Description: Sets the automatic reconnection of sessions to:

• Reconnect to all sessions, which allows users to automatically reconnect both disconnected and active sessions

• Reconnect only to disconnected sessions, which allows users to automatically reconnect to disconnected sessions

• Allow user to customize, which allows users to change this setting

Option: Enable the Reconnect button

Description: Sets the automatic reconnection of sessions after the user logs on and clicks the Reconnect button to:

• Reconnect to all sessions, which allows users to automatically reconnect both disconnected and active sessions

• Reconnect only to disconnected sessions, which allows users to automatically reconnect to disconnected sessions

• Allow users to customize, which allows users to change this setting

Option: Logoff

Description: Sets the behavior of the logoff activity to:

• Log off active sessions when users log off from the site, which automatically logs off the session when the user logs off the site

• Allow users to customize, which allows users to change this setting

The Logoff options are only available for XenApp Web sites.

If an organization has a strict no-disconnected-sessions policy for the farm, an administrator should disable workspace control.


Workspace Control User Customization

After an administrator configures a XenApp Web site to allow user customizations for the workspace control settings, the Logon options become available in the Preferences tab of the Web Interface site. The Logon options allow a user to change the workspace control settings.


Configuring Workspace Control

An administrator can use the Workspace Control option in the Web Interface Management console to configure workspace control settings for a XenApp Web site.


An administrator can use the Change Session Options menu in the Web Interface Management console to configure the workspace control settings for a XenApp Services site.


Citrix Plug-ins and Web Interface

Access to resources through a Web Interface site requires that a client device has a supported web browser and a plug-in. A plug-in can be installed on the local client device or embedded within the web browser used by the Web Interface site. In addition, the Web Interface site can be used to deploy the required plug-in.

Administrators can configure the Web Interface site to:

• Deploy and install the appropriate plug-in to user devices through installation captions.

• Automatically deploy the native client.

• Specify which plug-ins the users can use to start an application.

• Enable users to choose how their applications are started.

• Specify the packages included in the Client for Java deployment or allow users to select the required packages.

Plug-in Deployment Options

A Web Interface site can be used to distribute plug-ins to users. The following table identifies the plug-ins that can be made available to users.

Option: Native plug-in

Description: By default, published resources are presented in seamless windows that can be resized. If users access applications through a Windows mobile device, the native plug-in must be enabled. The native plug-in may be a Windows, UNIX or Mac OS client. Both seamless and fixed window modes are available for native plug-ins.

Option: Client for Java

Description: This plug-in can be used on client devices with a web browser and Java Runtime Environment installed.

Published resources are presented in seamless windows that can be resized. This plug-in cannot be used to access ADFS integrated sites and cannot be used on Windows CE or Windows mobile devices.

The Client for Java deploys automatically when a user connects from a Macintosh platform using a Safari web browser.

Option: Remote Desktop Connection

Description: This client can be used on 32-bit Windows systems running Internet Explorer to access their resources. If users are unable to use any other clients, the client detection and deployment process checks whether the Remote Desktop Connection software is available and helps users to enable the Remote Desktop ActiveX Control, if necessary.

Automatically Detecting Plug-ins

If the plug-ins are copied to the server during the installation of the Web Interface or later, then a Web Interface site on that server can be configured to automatically detect and deploy the native plug-in to users running a supported web browser. The Web Interface site can also be configured to automatically update the plug-ins on Windows-based client devices. In addition, the Client for Java can be deployed automatically if a plug-in is not installed or cannot be installed on the local client device.

If User Account Control is enabled, Windows Vista and Windows 7 will seek confirmation of the installation and will not install without user intervention.

If users have administrative rights on their client devices, they can select whether to install any or all of the native plug-in components. If users do not have administrative rights, the plug-in automatically installs into the local user profile because it cannot be installed on the client device.

If Prohibit User Installs is enabled in the Windows Installer option in the console tree of the Group Policy Management Console, users will not be able to install a plug-in on their client devices.

Client Detection

The Client Detection option can be configured to check client devices during the logon to the XenApp Web site to determine if an appropriate plug-in is installed. If a plug-in is not detected or a more appropriate plug-in is available, an installation caption can be displayed on the Web Interface screen. The installation caption provides an easy method for users to download and install the required plug-in software.

A display notification message can be configured to display:

• Whenever a plug-in is needed or an upgraded plug-in is available

• Only if resources cannot be accessed

• Never


Configuring Client Detection

An administrator can use the Client Deployment option in the Web Interface Management console to configure the client detection settings for a XenApp Web site.


Fallback Behavior

An administrator can specify which client (plug-in) will be deployed when the native plug-in software is not detected on the client device. An administrator can choose from the following options:

• Deploy a native client to download and deploy the appropriate native plug-in software. This is the default setting.

• Deploy a native client and allow user to choose between this and the Client for Java to allow users without a native plug-in to be offered the Client for Java and only be prompted to download and deploy a native plug-in if they cannot use the Client for Java.

• Automatically fall back to the Client for Java to allow users without a native plug-in to be prompted to download and deploy the Client for Java.


Citrix Offline Plug-in

The Citrix offline plug-in is required on a user's client device in order for an application to be able to stream to client, even if the user is online. The offline plug-in communicates with the server farm through a URL. An administrator can choose from the following offline plug-in configuration options:

Automatically detect session URL: This is the default setting

Specify session URL: In instances in which both HTTP and HTTPS are used to access the site or the domain of the web server cannot be resolved, an administrator may need to specify the URL for use by the offline plug-in in the following format: http://servername:port/Citrix/XenApp/rade.aspx


Client for Java

The Client for Java is a cross-platform compatible applet and can be deployed using a XenApp Web site and any Java-compatible web browser. An administrator can choose to deploy the Client for Java in low-bandwidth networks for greater security or in situations in which the permanent installation of plug-in software is neither desired nor permitted.

An administrator can configure the Client for Java as a smaller download by removing unwanted component packages or by allowing users to control which component packages they require.

The Client for Java:

• Is customizable by administrators and users

• Supports most Citrix Plug-in for Windows functionality including client drive mapping and SSL

• Has a zero footprint

Additional Packages to Include with Client for Java

Several packages can be included with the Client for Java. The size of the Client for Java download to memory is determined by the packages included in the download. The fewer packages selected, the smaller the download.

The following table describes the packages available with the Client for Java.

Package: Audio

Description: Enables server-based applications to play sounds through a client-based sound device

Package: Clipboard

Description: Enables users to copy text and graphics between server-based applications and applications running locally on the client device

Package: Local text echo

Description: Accelerates the display of input text on the client device

Package: SSL/TLS

Description: Secures communication using SSL/TLS

Package: Encryption

Description: Provides strong encryption to increase the privacy of connections

Package: Client drive mapping

Description: Enables users to access their local drives from within a session

Package: Printer mapping

Description: Enables users to print to their local or network printers from within a session

Package: Configuration UI

Description: Enables users to configure the Client for Java

Package: Allow user to select packages

Description: Allows users to control which components are required

Configuring the Client for Java

An administrator can use the Client Deployment option in the Web Interface Management console to configure the Client for Java settings for a XenApp Web site.


Authentication Configuration

Authentication to a Web Interface site takes place when a user logs on using the Web Interface logon page or a Citrix online plug-in. The Web Interface passes the user's credentials to XenApp, which passes the credentials to the appropriate authentication authority. If authentication is successful, the Web Interface displays the application set for the user.

Users can only log on using the authentication methods made available by the administrator. If two authentication methods are made available for the site and one method fails, the user can attempt to log on using the other authentication method.

Web Interface sites can also be configured to use anonymous logon. Anonymous logon allows users to access the site without supplying a user name or password. Anonymous logon should not be widely used because security can be compromised.


Authentication Options

The following list identifies the authentication options that are available for XenApp Web and XenApp Services sites.

Explicit: Authentication to the site requires users to supply a user name and password.

User Principal Names (UPN), Microsoft domain-based authentication and Novell Directory Service (NDS) are available for both XenApp Web and XenApp Services sites.

In addition, RSA SecurID, RADIUS and Secure Computing SafeWord authentication are available for XenApp Web sites.

Pass-through: Authentication to the site occurs using the credentials that users provided when they logged on to their Windows desktop. The users do not need to re-enter credentials to log on to the site and their application set is displayed automatically.

Additionally, Kerberos authentication can be used to connect to servers. If Kerberos authentication is specified and Kerberos fails, pass-through authentication will also fail, and users will not be able to authenticate.

Pass-through with smart card: This option is only available for use with the Citrix online plug-in and requires configuration of smart cards in the environment. Authentication to Windows is accomplished by inserting a smart card into a smart card reader attached to the client device and specifying the PIN. After the initial logon to Windows, authentication to the site is accomplished using the smart card and the cached PIN information.

If a XenApp Services site is also configured to use Kerberos authentication, it can be used to connect to the site. If the Kerberos authentication fails, the pass-through authentication of the cached PIN will also fail.

Kerberos Delegated Authentication or Kerberos Ticketing simplifies user authentication by eliminating the need for client-side configuration to enable pass-through authentication.

Kerberos Ticketing also reduces logon points and ensures the integrity of the logon chain for increased security.

Smart card: Authentication to the site is accomplished by inserting a smart card into a smart card reader attached to the client device. The user is prompted for a PIN. Smart cards must be configured in the environment to select this option.

Anonymous: Anonymous logon allows users to access the site without supplying a user name or password. Anonymous logon should not be widely used, especially if Secure Gateway or Access Gateway is being used, because security can be compromised.

Generic RADIUS Support

The Web Interface supports two-factor authentication using Generic RADIUS.

RADIUS settings include:

• Additional Explicit Authentication

• RADIUS Request Timeout

• RADIUS Servers

• Bypass Failed RADIUS Server Duration

• Enable RADIUS Server Load Balancing

For more information about RADIUS support, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.

Explicit Authentication

When explicit authentication is implemented, users authenticate by specifying a user name, password and domain.

An administrator must take into account the following considerations when enabling explicit authentication for a Web Interface site:

• Whether or not domain restrictions will be specified

• Which authentication type will be used for explicit authentication. Valid authentication types include:

– Microsoft Windows domain-based authentication

– NIS (UNIX) authentication

– Novell Directory Services authentication

• Whether or not two-factor authentication will be implemented

• What the password change and expiry notification settings will be


• Whether or not users will be allowed to reset their passwords for the Web Interface site using Citrix Single sign-on.

Domain Restriction Configuration

An administrator can use the domain list field in the web site properties to specify the domains that are authorized to access a XenApp Web or XenApp Services site.


Windows or NIS (UNIX) Authentication Configuration

An administrator can configure a Web Interface site to use Windows or NIS (UNIX) authentication with one of the following credential formats for user logons:

• Domain user name and UPN

When this credential format is selected, the administrator can specify:

– Whether or not the Domain field in the Logon page is automatically displayed so users can type the domain name into the field

– Whether or not the Domain field is pre-populated with a list of domains from which users can choose

– Which domains are authorized to access the Web Interface site

These domains appear in the Domain field in the Logon page. The domain order can also be specified by an administrator.

– Whether or not all UPN suffixes are permitted

By default, all UPN suffixes are permitted.

– The UPN suffixes that will be accepted and the suffix order


• Domain user name only

When this credential format is selected, the administrator can specify:

– Whether or not the Domain field in the Logon page is automatically displayed so users can type the domain name into the field

– Whether or not the Domain field is pre-populated with a list of domains from which users can choose

– Which domains are authorized to access the Web Interface site

These domains appear in the Domain field in the Logon page. The domain order can also be specified by an administrator.

• UPN only

When this credential format is selected, the administrator can specify:

– Whether or not all UPN suffixes are permitted

By default, all UPN suffixes are permitted.

– The UPN suffixes that will be accepted and the suffix order

A User Principal Name (UPN) is a unique name in Windows Active Directory given to each user. Users are identified by the UPN, which consists of a principal name and a domain name or domain alias that identifies the user. The UPN has an email address format. For example: [email protected]
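How the three credential formats interact with the domain list and the UPN suffix list can be seen in a small model. This is an added example, not part of the course manual and not Citrix code: `SiteLogonPolicy`, `parse_logon_name` and `check_logon` are hypothetical names, the sample values are constructed, and rejecting a domain logon with no domain supplied is an assumption.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class CredentialFormat(Enum):
    DOMAIN_AND_UPN = "Domain user name and UPN"
    DOMAIN_ONLY = "Domain user name only"
    UPN_ONLY = "UPN only"


@dataclass
class SiteLogonPolicy:
    """Hypothetical container for the settings listed above (not a Citrix API)."""
    credential_format: CredentialFormat
    # Domains authorized to access the site; an empty list means no restriction.
    allowed_domains: List[str] = field(default_factory=list)
    # Accepted UPN suffixes; None means all suffixes are permitted (the default).
    allowed_upn_suffixes: Optional[List[str]] = None


def parse_logon_name(user_field: str, domain_field: str = "") -> Tuple[str, str, str]:
    """Classify input as ("upn", user, suffix) or ("domain", user, domain).

    Raises ValueError for empty, malformed or ambiguous input.
    """
    user_field = user_field.strip()
    domain_field = domain_field.strip()
    if not user_field:
        raise ValueError("empty user name")
    has_at = "@" in user_field
    has_slash = "\\" in user_field
    if has_at and has_slash:
        # Mixed forms are refused rather than guessed at.
        raise ValueError("ambiguous: both '@' and '\\' present")
    if has_at:
        user, _, suffix = user_field.rpartition("@")
        if not user or not suffix:
            raise ValueError("malformed UPN")
        return "upn", user, suffix.lower()
    if has_slash:
        domain, _, user = user_field.partition("\\")
        if not domain or not user or "\\" in user:
            raise ValueError("malformed DOMAIN\\user name")
        if domain_field and domain_field.lower() != domain.lower():
            raise ValueError("Domain field conflicts with typed domain")
        return "domain", user, domain.lower()
    return "domain", user_field, domain_field.lower()


def check_logon(policy: SiteLogonPolicy, user_field: str,
                domain_field: str = "") -> Tuple[bool, str]:
    """Return (accepted, reason) for one logon attempt against the site policy."""
    try:
        kind, _user, realm = parse_logon_name(user_field, domain_field)
    except ValueError as exc:
        return False, str(exc)

    fmt = policy.credential_format
    if kind == "upn":
        if fmt is CredentialFormat.DOMAIN_ONLY:
            return False, "UPN logons are not accepted by this site"
        if policy.allowed_upn_suffixes is not None:
            # Exact, case-insensitive match: "notexample.com" must not pass
            # a list that contains only "example.com".
            allowed = {s.lower().lstrip("@") for s in policy.allowed_upn_suffixes}
            if realm not in allowed:
                return False, "UPN suffix is not in the accepted list"
        return True, "ok"

    if fmt is CredentialFormat.UPN_ONLY:
        return False, "domain user names are not accepted by this site"
    if not realm:
        return False, "no domain supplied"  # assumption: no implicit default domain
    if policy.allowed_domains:
        if realm not in {d.lower() for d in policy.allowed_domains}:
            return False, "domain is not authorized for this site"
    return True, "ok"


if __name__ == "__main__":
    # Constructed policy and logon names, for illustration only.
    site = SiteLogonPolicy(CredentialFormat.DOMAIN_AND_UPN,
                           allowed_domains=["CORP"],
                           allowed_upn_suffixes=["example.com"])
    for name in ("CORP\\alice", "alice@example.com", "LAB\\alice",
                 "alice@notexample.com", "CORP\\alice@example.com"):
        print(f"{name!r:32} -> {check_logon(site, name)}")
```
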


Novell Directory Services Configuration

An administrator can configure a Web Interface site to use the Novell Directory Services authentication type for the explicit logon. When Novell Directory Services is selected, an administrator must specify the tree name and context restrictions, if applicable. More than one context name can be supplied. The order in which the names are specified determines the sequential search order.

Two-Factor Authentication Configuration

An administrator can configure a Web Interface site to use two-factor authentication with explicit authentication. The following two-factor authentication methods are available:

RSA SecurID: This two-factor authentication method uses numbers generated by an RSA SecurID token and a PIN number to create a passcode. In addition to providing domain credentials, users must also provide their RSA SecurID passcode during logon.

Prior to enabling RSA SecurID authentication, the RSA ACE/Agent for Windows version 6 or later must be installed, followed by the installation of the Web Interface.

SafeWord: This two-factor authentication method uses alpha-numeric codes generated by a SafeWord token to create a passcode. In addition to providing domain credentials, users must also provide their SafeWord passcode during logon.

Prior to enabling SafeWord authentication, the SafeWord Web Agent must be installed on the web server after the Web Interface has been installed.

RADIUS: This authentication method uses the Remote Authentication Dial-in User Service (RADIUS) authentication protocol, as opposed to proprietary agent software. Both SafeWord and RSA SecurID can be installed and configured to be presented as a RADIUS server. For Web Interface for Java Application Servers, RADIUS authentication is the only two-factor authentication option available.


Password Settings Configuration

When explicit authentication is enabled, an administrator can configure the password settings for a Web Interface site that determine:

• Whether or not users are permitted to change their logon passwords

• When users are permitted to change their logon passwords

• Whether or not a message is sent to users when their password is about to expire and how frequently the message is sent


Account Self-Service Configuration

Account Self-Service allows users to reset their network passwords and unlock their account by answering a series of simple security questions. An administrator can configure the Account Self-Service settings for a Web Interface site when:

• Citrix Single sign-on is installed in the environment (Platinum Edition only).

• The site is configured to use explicit authentication.

• The site is configured to allow users direct access.

Account Self-Service is not available for sites accessed using Access Gateway with Advanced Access Control.

• The site is configured to use only one Single sign-on service.

• The site is configured to allow users to change their password when password reset functionality is enabled.


Configuring Explicit Authentication

An administrator can use the Authentication Methods option in the Web Interface Management console to configure explicit authentication for a XenApp Web or XenApp Services site.

Pass-through Authentication

Pass-through authentication allows users to authenticate to a Web Interface site using the credentials provided during logon to the client device. Users do not need to re-enter their credentials in the Web Interface logon page; their application set is automatically displayed.

The following requirements must be met prior to enabling pass-through authentication:

• All servers and client devices must be part of the same domain, trusted domain or federated trust.


• Client devices must run Internet Explorer 6.0 or later.

Pass-through authentication should only be enabled in environments that are secure or trusted to prevent user credentials from being misrouted to an unauthorized or counterfeit server.

Configuring Pass-through Authentication

An administrator can use the Authentication Methods option in the Web Interface Management console to configure XenApp Web and XenApp Services sites to use pass-through or pass-through with smart card authentication.

The ICACLIENT.ADM administrative template must also be configured to enable pass-through authentication.

XenApp Services sites can also be configured to use Kerberos in conjunction with pass-through authentication.

After the Web Interface site is configured for authentication, the administrator must enable authentication for the plug-ins. An administrator can use the Group Policy Management Console and the ICACLIENT.ADM file to configure plug-ins to use pass-through or pass-through with smart card authentication by configuring the Local user name and password setting.

For more information about using the ICACLIENT.ADM file to configure plug-ins, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.

Smart Card Authentication

Users can authenticate to the Web Interface by inserting a smart card into a smart card reader attached to the client device. Smart card authentication can be configured for use in two ways: smart card only or pass-through with smart card.

Smart card only: This option allows users to authenticate to a Web Interface site using a smart card and a PIN.

Pass-through with smart card: This option allows users to authenticate to Windows using a smart card and a PIN. After the initial logon to Windows, authentication to the Web Interface site and published applications is accomplished using the smart card and the cached PIN information.

The following requirements must be met prior to enabling smart card authentication:

• The web server must have Secure Sockets Layer (SSL) enabled and a valid server certificate.

• Windows Service smart card must be enabled.

• Client devices must run Internet Explorer 5.5 or later and a Windows-based plug-in (version 6.30 or later).

• The ICACLIENT.ADM administrative template must be configured.

• The environment must have a cryptographic service provider.

Smart card authentication is not available on UNIX platforms.

Configuring Pass-through Authentication

An administrator can use the Authentication Methods option in the Web Interface Management console to configure XenApp Web and XenApp Services sites to use pass-through or pass-through with smart card authentication.


After the Web Interface site is configured for authentication, the administrator must enable authentication for the plug-ins. An administrator can use the Group Policy Management Console and the ICACLIENT.ADM file to configure plug-ins to use pass-through or pass-through with smart card authentication by configuring the Local user name and password setting.

For more information about using the ICACLIENT.ADM file to configure plug-ins, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.

Citrix XML Service Trust Relationships

The Citrix XML Service communicates information about published applications between the Web Interface and XenApp servers. When pass-through or smart card authentication methods are used, Web Interface is responsible for authenticating the users.

In order for the Web Interface to authenticate users, there must be a trust relationship between the Web Interface server and the XenApp servers. If pass-through or smart card authentication methods are not used in the environment, a Citrix XML Service trust relationship is not necessary.

The following table lists the authentication methods that require a Citrix XML Service trust relationship.

Authentication Method: Trust Requirement

Pass-through: Trust Required

Smart card: Trust Required

Pass-through with smart card: Trust Required

Explicit: No Trust Required

Anonymous: No Trust Required


Enabling Trust Relationships

An administrator can use the Trust XML requests policy in the Group Policy Management Console to configure a XenApp server to trust the requests sent to the Citrix XML Service from the Web Interface.

Trust relationships must be enabled on the XenApp servers that are running the Citrix XML Service and are directly contacted by the Web Interface. Typically, a server designated as the data collector for the zone would be the server running the Citrix XML Service. An administrator can view the list of the servers running the Citrix XML Service that are contacted by the Web Interface site by selecting Server Farms in the Web Interface Management console.

To avoid security risks when setting up trust relationships, IPSec, firewalls or any other technology that ensures that only trusted services communicate with the Citrix XML Service should be used.

Practice: Authentication Configuration

Fill in the blanks to complete the following sentences.

1. A __________ Name is a unique name in Windows Active Directory given to each user as an identifier and consists of a principal name and a domain name or domain alias.

2. When __________ authentication is implemented, users do not need to enter their credentials to access their application set.

3. A __________ card can be used to authenticate users to a Web Interface site.


4. An administrator can select __________, NDS or NIS authentication for explicit logon to a Web Interface site.

5. When Novell Directory Services is selected for explicit authentication, a __________ name and context name must be specified.

6. Both _________ and __________ two-factor authentication methods use a token and a PIN number to create a passcode.

7. When Single sign-on is integrated with the Web Interface, the __________ feature can be enabled to allow users to reset their network password.


Secure Access Configuration

If a company is using Access Gateway, the Secure Gateway or a firewall in a deployment containing XenApp, an administrator can configure a Web Interface site to include the appropriate security settings. For example, an administrator can configure a Web Interface site to provide an alternate address if the server is configured with an alternate address and the firewall is configured for Network Address Translation.

Access Methods

An administrator must configure the appropriate access method in order for users to access resources through the Web Interface. An administrator can choose from the following access methods if the connection will not be directed through Secure Gateway or Access Gateway:

Direct access: Direct access is typically configured in situations in which internal users connect from trusted environments, such as corporate intranets, and there is no need for address translation or for keeping the address of the XenApp server private. Direct is the default access method and requires no configuration.

Alternate access: Alternate access is configured in situations in which the IP address of the server running XenApp must be kept private from users. A second IP address is required. An administrator must configure XenApp to use an alternate address by using the ALTADDR command on each target XenApp server.

Selecting alternate access signifies that the address translation takes place on the XenApp server.

Translated access: Translated access is configured in situations in which the IP address of the server running XenApp must be kept private from users, and multiple servers in the farm are used to provide application access. With translated access, the firewall is configured to perform the address translation.

Translated access is more commonly selected than direct or alternate. However, when selecting translated access, the configuration must be done in accordance with firewall rules. If firewall rules change, the translated addresses must be maintained. After selecting translated access, administrators should configure the server address translation map.

Administrators should also configure the firewall for Network or Port Address Translation.

If users will access resources in the farm through a Secure Gateway or Access Gateway connection, the Gateway direct, Gateway alternate or Gateway translated access method should be configured for those connections. For more information about these access methods, refer to the Security module in this course.

Secure Access Methods Example

An administrator can configure a XenApp Web site to support external users with alternate addressing and still allow users on the internal subnet to use normal addressing. When configuring address translation, the XenApp Web site must be configured to define mappings from internal server IP addresses to external IP addresses and ports. These mappings allow users to open applications if the address and port of the server are translated at the internal firewall.


Network Address Translation

An administrator should deploy the servers running the Web Interface inside the internal firewall. By default, the Direct access method is used to connect all users to a Web Interface site. An administrator can configure exceptions to the Default access method by providing a specific IP address and subnet mask to ensure that when the user connects from a client device with a matching subnet address the connection is made using the associated access method.

If a firewall is used with XenApp, an administrator can configure the Web Interface site to include the appropriate IP address in the client files. It is important to configure addressing correctly for the Web Interface site so that internal IP addresses are not exposed externally. Exposing internal IP addresses provides a security weakness that can be avoided by implementing alternate addressing or translated addressing with or without Secure Gateway or Citrix Access Gateway.
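The following added example (not part of the course material and not Citrix code) models the subnet exceptions and the server address translation map described above, and audits which server address each client would receive. All addresses, server names and function names are constructed for illustration; it assumes the first matching exception wins, and it covers only the Direct, Alternate and Translated methods.

```python
import ipaddress

# Constructed sample data: every address below is a placeholder, not from the course.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SERVERS = [
    {"name": "XA1", "address": "10.20.1.11", "port": 1494, "alternate": "192.0.2.11"},
    {"name": "XA2", "address": "10.20.1.12", "port": 1494, "alternate": None},
]
# Server address translation map: internal (address, port) -> external (address, port).
TRANSLATION_MAP = {("10.20.1.11", 1494): ("192.0.2.10", 50011)}


def pick_access_method(client_ip, exceptions, default="direct"):
    """Return the method of the first exception whose subnet holds the client.

    exceptions is a list of (address, subnet mask, method) tuples. Taking the
    first match is an assumption of this model. With no match, use the default.
    """
    ip = ipaddress.ip_address(client_ip)
    for address, mask, method in exceptions:
        if ip in ipaddress.ip_network(f"{address}/{mask}", strict=False):
            return method
    return default


def address_for_client(server, method, translation_map):
    """Address and port the client file would carry, or None if nothing is configured."""
    internal = (server["address"], server["port"])
    if method == "direct":
        return internal
    if method == "alternate":        # alternate address set on the server with ALTADDR
        alt = server.get("alternate")
        return (alt, server["port"]) if alt else None
    if method == "translated":       # translation performed at the firewall
        return translation_map.get(internal)
    raise ValueError(f"unknown access method: {method}")


def is_internal(address):
    """True when the address lies inside one of the declared internal networks."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)


def audit(client_ips, exceptions, default="direct"):
    """Return (client, server, method, problem) for each misconfigured pairing."""
    findings = []
    for client in client_ips:
        method = pick_access_method(client, exceptions, default)
        for server in SERVERS:
            result = address_for_client(server, method, TRANSLATION_MAP)
            if result is None:
                findings.append((client, server["name"], method, "no address configured"))
            elif not is_internal(client) and is_internal(result[0]):
                findings.append((client, server["name"], method, "internal address exposed"))
    return findings


if __name__ == "__main__":
    clients = ["10.20.5.14", "203.0.113.40"]
    # Direct for everyone: the external client is handed internal addresses.
    print(audit(clients, exceptions=[]))
    # Translated by default, Direct only for the internal subnet.
    print(audit(clients, [("10.0.0.0", "255.0.0.0", "direct")], default="translated"))
```

With Direct as the only method, the external client is flagged for both servers; with Translated as the default, the remaining finding is the server that has no entry in the translation map.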


Network Address Translation Access Types

An administrator can select the following access types when mapping between an internal address and external address:

User device route translation: The plug-in uses the translated address to connect to the server.

Gateway route translation: The Secure Gateway server or Citrix Access Gateway uses the translated address to connect to the server.

User device and gateway route translation: Both the plug-in and the Secure Gateway server or Citrix Access Gateway use the translated address to connect to the server.


Client-side Proxy Settings

Proxy servers are used to control access into and out of a network and act as an intermediary between the client devices and the XenApp servers. Web Interface sites allow an administrator to configure whether or not users communicate with XenApp servers through a client-side proxy server.

An administrator can define exceptions for controlling proxy behavior by mapping the IP address and subnet mask of the client device. If the web browser connects to the Web Interface through a proxy server or firewall that hides the IP address of the client device, the client subnet address value must specify the address of the client device as the Web Interface sees it. For example, if a web browser connects through a proxy server, an administrator should specify the external address of the proxy server in the IP address field. The following table lists the available proxy settings.

Option: Description

User's browser setting: The plug-in auto-detects the proxy based on the configuration of the client device web browser. Auto proxy detection is typically used in organizations with multiple proxy servers. The details of the proxy server are determined when the plug-in communicates with the local web browser. This is the most common setting.

Web Proxy Auto Detect: The plug-in auto-detects the web proxy using the Web Proxy Auto Discovery protocol.

Client defined: The proxy setting of the plug-in is used by the Web Interface site. This option requires the proxy settings to be configured on the client device.

None: No proxy is used.

SOCKS: No proxy server is explicitly mapped and the administrator must provide a proxy server address (IP address or DNS) and a proxy port.

Secure (HTTPS): The proxy server is explicitly mapped and the administrator must provide a proxy server address (IP address or DNS) and a proxy port.


Configuring Client-side Proxy Settings

An administrator can use the Client Side Proxy option in the Web Interface Management console to configure the client-side proxy settings for a Web Interface site.


Server Configuration

An administrator can configure XenApp Web and XenApp Services sites to communicate with one or more farms. An administrator can add and edit farm names, specify the order in which the farms are used for load balancing, and configure communication settings and ticketing settings.

Enabling multiple farms through the Web Interface is particularly useful during migration to a new farm. The migrated delivery of multiple farms is seamless and transparent to users.

Configuring Multiple Server Farms

The Manage Server Farms screen identifies the farms that communicate with the site. When specifying a farm, the administrator can:

• Add a new farm entry

• Edit an existing farm entry

After a farm has been specified, an administrator can configure the settings for each farm individually.


A Web Interface site acquires application data from all farms before displaying applications. Each farm is contacted in the order that it appears in the Farms field. As a result, a farm that is slow to respond impacts overall responsiveness when obtaining application sets because of the sequential nature of this process. The impact on the response time is compounded as more farms are specified.

Adding Farms

An administrator can use the Server Farms option in the Web Interface Management console to add farms that will provide published resources to the Web Interface site.

If a secure connection (SSL Relay or HTTPS) is planned between the Web Interface and the servers in the farm, the server name must be specified as an FQDN and must match the name on the certificate exactly. The order in which the servers are specified is important for fault tolerance.


Configuring Load Balancing

An administrator can use the Server Farm option in the Web Interface Management console to specify multiple servers to be used to service XML requests for the farm.

When multiple servers are specified for a farm and the Use the server list for load balancing option is enabled, the Web Interface site sends Citrix XML Service requests to the listed servers in a round-robin sequence.

If a listed server cannot be contacted, it is removed from the list for one hour by default or for another period or interval as specified by the administrator.

This load balancing feature has no impact on load balancing connections to the servers in the farm.

All servers specified for a farm must be running the Citrix XML Service and use the same port for that service.


Enabling Fault Tolerance

An administrator can use the Server Farm option in the Web Interface Management console to enable fault tolerance among servers running the Citrix XML Service for each farm defined for the Web Interface site. If an error occurs while communicating with a XenApp server, the failed server is bypassed for a specified time, and communication continues with the remaining servers that are listed in the Servers (in failover order) field.

By default, a failed server is bypassed for one hour; however, this value can be modified by an administrator.

If a server running the Citrix XML Service fails, the Web Interface site will not attempt to communicate with the failed server until the time specified in the "Bypass any failed server for" field has elapsed. If all servers in the list fail to respond, the Web Interface site retries the servers every 10 seconds.
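The following added example (a simplified model written for this page, not Citrix code) walks through the server-list behavior described in the load balancing and fault tolerance sections: the one-hour bypass of a failed server, the 10-second retry when every server has failed, and the round-robin option. The class, function and host names are hypothetical, and it assumes that round-robin mode moves the starting server forward by one on each request.

```python
X1, X2, X3 = "xml1.example.test", "xml2.example.test", "xml3.example.test"  # constructed hosts


class XmlServerList:
    """Model of one farm's "Servers (in failover order)" list."""

    def __init__(self, servers, load_balance=False, bypass_seconds=3600, retry_all_seconds=10):
        self.servers = list(servers)
        self.load_balance = load_balance            # "Use the server list for load balancing"
        self.bypass_seconds = bypass_seconds        # "Bypass any failed server for" (one hour)
        self.retry_all_seconds = retry_all_seconds  # retry interval when every server failed
        self.bypassed_until = {}                    # server -> time it may be contacted again
        self.next_retry_all = 0.0
        self.cursor = 0                             # round-robin position

    def order(self):
        """Failover mode starts at the top; round-robin rotates the start (assumption)."""
        if not self.load_balance:
            return list(self.servers)
        start = self.cursor % len(self.servers)
        self.cursor += 1
        return self.servers[start:] + self.servers[:start]

    def send(self, is_up, now):
        """Try servers until one answers. Returns (server or None, servers attempted)."""
        order = self.order()
        usable = [s for s in order if self.bypassed_until.get(s, 0) <= now]
        if not usable:
            # Every server is bypassed: retry the whole list, at most every retry_all_seconds.
            if now < self.next_retry_all:
                return None, []
            usable = order
        attempted = []
        for server in usable:
            attempted.append(server)
            if is_up(server):
                self.bypassed_until.pop(server, None)
                return server, attempted
            self.bypassed_until[server] = now + self.bypass_seconds
        self.next_retry_all = now + self.retry_all_seconds
        return None, attempted


def failover_scenario():
    """xml1 is down at first, recovers, but stays bypassed until the hour has elapsed."""
    farm, down = XmlServerList([X1, X2, X3]), {X1}
    is_up = lambda server: server not in down
    log = [farm.send(is_up, now=0), farm.send(is_up, now=60)]
    down.clear()                                  # xml1 is healthy again
    log.append(farm.send(is_up, now=1800))        # still bypassed
    log.append(farm.send(is_up, now=3600))        # bypass period over
    return log


def outage_scenario():
    """Every server fails, then xml2 returns; the list is retried on the 10-second mark."""
    farm, down = XmlServerList([X1, X2, X3]), {X1, X2, X3}
    is_up = lambda server: server not in down
    log = [farm.send(is_up, now=0), farm.send(is_up, now=5)]
    down.discard(X2)
    log.append(farm.send(is_up, now=10))
    return log


def round_robin_scenario():
    """All servers healthy with load balancing enabled: requests rotate through the list."""
    farm = XmlServerList([X1, X2, X3], load_balance=True)
    return [farm.send(lambda server: True, now=t)[0] for t in range(4)]


if __name__ == "__main__":
    for scenario in (failover_scenario, outage_scenario, round_robin_scenario):
        print(scenario.__name__, scenario())
```

In the failover scenario the recovered first server receives no requests until its bypass period ends, which is why the order of the list and the bypass value both matter when the first entry is the preferred server.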

Specifying the XML Communication Port

The Web Interface communicates with the Citrix XML Service. The port number used by the Citrix XML Service is specified during the installation of XenApp. By default, that port number is TCP/IP port 80. If Citrix XML Service is configured to port share with IIS, then the administrator must ensure that all servers in the farm have the Citrix XML Service configured to use the same port. An administrator can use the XML service port policy rule in the Group Policy Management Console or the CTXXMLSS command to change the port number for the Citrix XML Service on a server.

Protocol Transport Type

An administrator can use the Server Farm option in the Web Interface Management console to specify the protocol used to transport the Web Interface data between the web server and the XenApp servers. The following table lists the protocols available.

Protocol: Description

HTTP: This protocol sends data over a standard HTTP connection and should only be used when other provisions have been made for the security of the connection or for troubleshooting purposes. After troubleshooting is complete, another protocol should be selected to secure the data.

HTTPS: This protocol sends data over a secure HTTP connection using SSL or TLS. The Citrix XML Service must be set to share its port with IIS, and IIS must be configured to support HTTPS.

SSL Relay: This protocol sends data over a secure connection that uses Citrix SSL Relay to perform host authentication and data encryption. SSL Relay can also secure Citrix XML traffic, which is especially important if the Web Interface is located in the DMZ.


Ticket Expiration Settings

Ticketing provides enhanced authentication security for explicit logons by eliminating user credentials from the client files sent from the web server to the client devices. Each Web Interface ticket has a configurable expiration time which is set to 200 seconds by default.

An administrator can use the Server Farms option in the Web Interface Management console to configure the ticket expiration settings for a farm.


Web Interface Site Removal

An administrator can use the Site Maintenance option in the Web Interface Management console to uninstall a Web Interface site when it is no longer needed. Uninstalling a site completely removes it from the system. Prior to uninstalling a Web Interface site, any custom files used for the site should be backed up if they will be used to create other Web Interface sites. It is also best practice to back up the CONFIG.XML and WEBINTERFACE.CONF files.


Troubleshooting Web Interface Issues

An administrator can use these solutions to address Web Interface issues.

Issue: The ActiveX control required by the Web Interface is not allowed to run with the current Internet Explorer settings.

Resolution: Add the Web Interface site to the Trusted Sites within Internet Explorer using the Default security settings for the zone.

Issue: Pass-through authentication fails after known good credentials are entered from a Windows XP Professional client device.

Resolution: Use the CTX1222207 Knowledge Base article on the www.citrix.com web site to enable NTLMv2 on the client device.

Issue: Pass-through authentication or pass-through with smart card fails with the message "An authentication error has occurred."

Resolution: Use the CTX123836 Knowledge Base article on the www.citrix.com web site to configure the required server roles.

Issue: Server-side ticketing fails in mixed farm environments with XenApp 4 or earlier.

Resolution: Upgrade to newer version of XenApp or downgrade the version of Web Interface.

Issue: An error occurs while trying to access a published resource in the Web Interface.

Resolution: Use the CTX122613 Knowledge Base article on the www.citrix.com web site to change the address resolution type in the WEBINTERFACE.CONF file.


Review

1. Which authentication method is not recommended in secure environments?

a. Smart card

b. Anonymous

c. Single sign-on

d. Novell Directory Services

2. Which feature allows users to disconnect and reconnect to ICA sessions as they move between client devices?

a. Workspace control

b. Explicit authentication

c. Pass-through authentication

d. Pass-through with smart card authentication

3. Which two types of Web Interface sites can an administrator create? (Choose two.)

a. XenApp Web

b. XenApp Plug-in

c. XenApp Services

d. XenApp Advanced Configuration

4. Which three protocols can be used to transport Web Interface data between the web server and XenApp servers? (Choose three.)

a. HTTP

b. HTTPS

c. IPX/SPX

d. SSL Relay

5. Which statement is true when using network address translation in a Web Interface deployment?

a. The alternate IP address of a XenApp server is included in the client files.

b. The alternate IP address of a Secure Gateway server is included in client files.

c. The ALTADDR command is used to change the IP address of the Web Interface server.

d. The internal IP address of a XenApp server is mapped to the external IP address of the Web Interface server.

6. The Client for Java should be used in which two situations? (Choose two.)

a. A web browser does not exist on the client device.

b. Permanent installation of plug-in software is desired.


c. Permanent installation of plug-in software is not permitted.

d. A Java-compatible web browser exists on the client device.

7. When the Citrix online plug-in is used to access published applications, which statement is correct?

a. A XenApp Web site is required.

b. A XenApp Services site is required.

c. Pass-through authentication cannot be used.

d. A web browser is used to communicate with the Web Interface site.


Module 7: Delivering Applications and Content


© Copyright 2010 Citrix Systems, Inc. Module 7: Delivering Applications and Content


Overview

Publishing resources gives administrators the ability to provide users with access to applications, content and desktops.

XenApp offers three complementary options for delivering applications.

Server hosted applications: Server hosted applications are centrally stored on the server and provide the lowest total cost of ownership, the highest level of security and access on any device even across low bandwidth connections.

Local applications: Local applications use application streaming to deliver the application into an isolated environment on the user's client device to eliminate application conflicts and provide users with a seamless experience even when offline.

Application streaming is covered in a separate module.

VM hosted apps: VM hosted apps are delivered from a virtual desktop to provide reduced validation cycles and a faster time to market, even with problem applications.

Administrators manage how resources are delivered to users, the configuration of the applications and the user experience by managing and customizing settings.

At the end of this module, you will be able to:

• Publish applications, content and server desktops for users.

• Identify the components of VM hosted apps.

• Identify advanced published resource settings.

• Organize published resources for users.

• Disable and hide published resources.


Publishing Resources

The administrator can publish resources in two phases using the Publish Application wizard. These two phases include:

Basic: In this phase, the administrator:

• Names the resource

• Identifies the type of resource to be published

• Specifies where the resource is located

• Identifies which servers in the farm will host the resource

• Identifies the users who will be allowed to access the resource

• (Optional) Specifies where to place the shortcut on the client device

When the Basic phase is completed, the administrator has the option to disable the resource temporarily, publish the resource immediately or proceed to the Advanced phase of the resource publishing process.

Advanced: In this phase, the administrator:

• Specifies whether published resources can be used with Citrix Access Gateway

• Associates file types with the published resource

• Specifies the application limits and CPU priority level for the published resource

• Specifies options that control audio, encryption and printer initialization on the client device

• Configures the appearance of the published resource

The configuration of the properties in the Advanced phase of resource publishing is optional.

The properties available in the Basic and Advanced phases of the resource publishing process change depending on the type of resource being published.


Published Resource Types

The following table describes the resource types that can be published in XenApp.

Resource Type: Description

Server Desktop: Provides users access to a desktop of a XenApp server and the resources available on the server.

Published desktops allow users unlimited access to the resources on a server which can result in configurations and settings being changed, causing server vulnerabilities. Administrators should mitigate this risk by setting strict policies through Active Directory.

Application: Provides users access to applications installed on the XenApp server, streamed to the XenApp server or streamed to client devices.

Hosted and streamed applications are both managed from the Delivery Services Console. VM hosted apps are hosted in a separate farm and therefore are managed in a separate console.

Content: Provides users access to data files, such as documents, spreadsheets, media files and other data that users access by means of a published UNC path or URL. The following examples identify the content types that can be published:

• HTML web site

For example: http://www.citrix.com

• File on a web server

For example: https://www.citrix.com/edu/certification.doc

• Directory on an FTP server

For example: ftp://ftp.citrix.com/edu/

• File on an FTP server

For example: ftp://ftp.citrix.com/edu/readme.txt

• Universal Naming Convention (UNC) file path

For example: \\servername\sharename\filename

• UNC directory path

For example: \\servername\sharename

Users can open published content using either:

• An associated local application

• A published application installed on a XenApp server

• A published application streamed to a XenApp server or a client device

Resource Name and Location

During the publishing of a resource, the administrator must provide information in the following fields:

Display name: The display name specifies the name by which users identify the published resource. The display name and the icon are visible to users from within the Web Interface and the shortcuts provided by the Citrix online plug-in.

Special characters cannot be included in the display name of an application.

Application description: The application description specifies additional information about the published resource such as the version number or service pack level.

Command line: The command line identifies the location of the application on the server. If the application will be available from multiple servers in the farm, the application should be located in the same location on each server.

Working directory: The working directory identifies where working files created by the application are stored. The working directory is not used to store users' files created with the published application.

Server Assignment

The administrator must also specify which servers in the farm will host the published application or server desktop. The administrator can select a single server, multiple servers or a worker group and add them to the Selected items list.

If the application is published to multiple servers, XenApp can load balance the application requests across all assigned servers. If the application is published to only one server, all users who open the application will connect to that server.

Configured or Anonymous Accounts

The administrator must decide, based on the needs in the environment, which users will be allowed to access the published resource. Published resources can be made available to the following types of accounts:

Configured account access: This type of account requires that users authenticate with a user name and password before accessing published resources. When the user logs off, the user session ends but the user information is persistent. The desktop settings, security settings and other information from the session are retained in the user profile for use in future sessions.

Anonymous user accounts: This type of account is created on the server during the installation of XenApp. Anonymous account access eliminates the need for users to authenticate before accessing published resources. Anonymous users are configured with guest permissions. When the anonymous user session ends, no user information is retained. The server does not maintain any information that was configured for the session. When anonymous user access is enabled, administrators cannot provide access to configured users.

Anonymous user accounts might be warranted when a resource can be used by anyone and tracking is not necessary. Anonymous user accounts should not be used in a highly secure environment.

Users and Groups

When specifying configured account access for a published resource, an administrator can type a list of names manually, by using the "Add List of Names" option, or by browsing the domains and local server for user accounts and groups to add to the published resource. By default, only groups are displayed for selection. To select individual users within the groups, the administrator can select "Show Users" in the Select Users or Groups screen.

When assigning users and groups to applications, consider the following:

• If a user is added to an existing group, the user automatically receives access to each published resource that is configured for access by the existing group.

• Administrators can grant or revoke user or group access to any published resource at any time by configuring the properties of the published resource. If access is changed, existing connections to published resources are not impacted.

Published resources should be assigned to groups rather than individual users in order to simplify ongoing administrative maintenance.

Resource Publishing Settings

The following table provides a list of settings an administrator can configure when publishing a resource.

Setting: Description

Accessed from a server: Provides users with access to an application installed on or streamed to a server

Streamed if possible, otherwise access from server: Streams the application to the client device whenever possible. When the application cannot be streamed to the client device, the application is accessed from the server.

Streamed-to-client: Streams the application to the client device only

Installed application: Provides access to an application already installed on a server

Streamed-to-server: Streams an application to a server for access by the user

Allow anonymous users: Allows anonymous users to access the published resource

Allow only configured users: Allows specific users and groups to access the published resource

Disable application initially: Disables the application so users cannot access it

Configure advanced application settings now: Configures advanced application settings before publishing the application

Practice: Publishing Resources

Identify which statements are true and which statements are false. Correct the false statements to make them true.

1. ___ The display name for the published resource is auto-generated. The display name is important because it is the name that the plug-in uses to identify the published resource.

2. ___ An administrator can stream an application to XenApp servers and to the desktops of client devices using the application streaming feature in XenApp.

3. ___ After the basic settings have been configured for a published resource, an administrator can publish the resource immediately without configuring the advanced settings.

4. ___ Installing an application on servers in a different directory on each server in the server farm will make accessing published applications easier for the users.

5. ___ The user profile information is persistent for configured user accounts.


VM Hosted Apps

VM hosted apps allows administrators to isolate applications and host them from virtual machines or physical computers, including blade servers, running a Windows desktop operating system. Users access these applications just as they would applications from XenApp servers. VM hosted apps allows administrators to host applications that otherwise must be installed locally or require extensive compatibility testing on XenApp servers.

VM hosted apps uses Citrix XenDesktop technology to deliver applications hosted on desktops, but unlike XenDesktop, gives users no direct access to the desktops themselves.

To use VM hosted apps, administrators create a VM hosted apps farm and populate it with desktop groups configured with applications they want to deliver. Then, users access those applications using the Web Interface. Although VM hosted apps cannot share a farm with XenApp servers, a VM hosted apps farm can share a Web Interface site with XenApp server farms. Applications from both types of farms appear the same to users.


Components of VM Hosted Apps

VM hosted apps require the following components:

Desktop Delivery Controller: The Desktop Delivery Controller authenticates users, manages the assembly of user virtual desktop environments and brokers connections between users and their virtual desktops. It controls the state of the desktops, starting and stopping them based on demand and administrative configuration.

Management Consoles: VM hosted apps includes two management consoles. The following management consoles are installed on the Desktop Delivery Controller:

• VM Hosted Apps Console

• Delivery Services Console

Administrators use this console to create, update and manage desktop groups in VM hosted apps farms.

This Delivery Services Console is separate from the one used to manage the XenApp server farm.

Virtual Desktop Agent: This agent communicates with the Desktop Delivery Controller and the Citrix Receiver on the client device. The Virtual Desktop Agent must be installed on each virtual machine that will host an application.

Organizing Published Resources for Users

An administrator can organize the way published resources are presented to users by changing the default icon, organizing the resource into a folder and deciding where to place the resource shortcuts.

Application Set

An application set contains the permitted user resources that are published in the server farm. The process of publishing a resource automatically adds the resource to the application set for the server farm. The published resources within an application set are available to users through plug-ins.

An administrator can organize the published resources in an application set by placing the published resources in folders during the resource publishing process or afterwards by editing the properties of the published resource.

Folders

By default, all resources are published to the root folder of the application set. An administrator can organize the published resources into folders. This can be useful in helping users quickly locate the applications they need.

For example, Microsoft Word, Excel and PowerPoint are published in a server farm along with many other applications. An administrator can place the Microsoft applications into a folder called Microsoft Office to make it easier for users to locate their published resources.

Application Icon

An application icon identifies the published resource. An administrator can change the icon using the Change Icon button during the resource publishing process or afterwards by editing the properties of the published resource.

An administrator may decide to change an icon to enhance a user's ability to visually differentiate between published resources.

For example, published content typically uses the icon associated with the application that is used to open the content. If several published content resources use the same application, an administrator might decide to change the icons to make it easier for users to differentiate between the resources.


Shortcut Presentation Placement

Users can access published resources by authenticating through the online plug-in. Some plug-ins allow shortcuts to be placed on the client device so that users can easily access the published resources.

The following table provides a list of settings an administrator can configure when organizing a published resource on the client device.

Setting | Description
Change icon | Changes the icon of the published application
Client application folder | Specifies the folder location of the application in the Citrix online plug-in and Web Interface
Add to the client’s Start menu* | Creates a shortcut to the application in the Start menu of the client device
Place under Programs folder* | Creates a shortcut in the Programs folder of the Start menu on the client device
Add shortcut to the client’s desktop* | Creates a shortcut to the application on the desktop of the client device

*Unnecessary if using Dazzle


Advanced Published Resource Settings

During the Advanced phase of the resource publishing process, the administrator can:

• Configure properties that allow the published resource to be used with Citrix Access Gateway.

• Associate file types with the published resource.

• Specify the application limits and CPU priority level for the published resource.

• Specify options that control audio, encryption and printer initialization on the client device.

• Configure the appearance of the published resource.

The configuration of the properties in the Advanced phase of resource publishing is optional. These settings can be configured during the publishing of a resource or by modifying the properties of an existing published resource.

Access Control

Administrators can configure the Access Control settings to further specify which sessions are allowed to connect to published resources through the Citrix Access Gateway.

Citrix Access Gateway provides users with controlled access to enterprise resources. Citrix Access Gateway allows the administrator to control who can access resources, such as websites, file shares, email resources and published resources, and which actions they can perform with these resources.

The following table identifies and describes the settings an administrator can configure using Access Control.

Setting | Description
Any connection | Allows all connections made through the Access Gateway
Any connection that meets any of the following filters | Allows only connections that meet one or more of the selected Access Gateway filters
Allow all other connections | Allows all connections other than those made through Access Gateway


Content Redirection

Content redirection allows an administrator to specify whether users can access published content, applications, browsers and media players from applications that are running locally on the client device or published on a server.

The two types of content redirection are:

Client-to-server content redirection: Occurs when a user accesses local files using a published application

Server-to-client content redirection: Occurs when a user accesses a URL link in a published application using an application installed on the client device

File Type Association

When a user authenticates to the farm using the Citrix online plug-in, the file type associations in the published applications of the application set are copied to the registry of the client device. This allows the user to open files with extensions that are associated with a published application. When the user logs off the Citrix online plug-in, the file type associations in the registry of the client device for hosted published applications are no longer valid because the applications are no longer available. However, the file type associations in the registry for the streamed applications that are configured for offline use are still valid. When the user logs on again to the Citrix online plug-in, the file type associations in the registry are updated for all hosted and streamed published applications.

An administrator can select a subset of the file extensions available for a published application to enable client-to-server redirection for only certain file types.

Content Redirection and Published Content

Content redirection can be used with published content. When content is published, it can be opened using:

• A published application, if a published application is configured with a file type association for the content type and the user is configured to access the published application

• A local application, if no published application is configured with a file type association for the content type or the user is not configured to access the published application

Content redirection with published content generates an ICA session and consumes server resources.

Client-to-Server Content Redirection

The client-to-server content redirection feature allows users of the online plug-in to use a published application to access files residing on the local client device.

If a user double-clicks a file with an extension associated with a published application, the online plug-in starts the published application and opens the selected file in the published application. This functionality is enabled by configuring file type associations.


By default, when a published application is configured with file type associations, all users of the online plug-in who are configured to access the published application can use it for content redirection. Content redirection can be implemented for a limited portion of users who access the published application in two ways.

The administrator can:

• Publish two instances of the same application and enable separate file type associations for each instance.

• Publish a single instance of the application and specify file type associations. Deploy the online plug-in to the users who require the content redirection feature.

Client-to-Server Content Redirection Example

The diagram in this section illustrates the client-to-server content redirection process when file type associations are configured for a published resource.

A user double-clicks an email attachment with a .DOC file extension in an email program that is running locally on the client device. The file opens in Microsoft Word that is published on a XenApp server and is associated with the .DOC file type.

Configuring Client-to-Server Content Redirection

Administrators should perform the following tasks for a XenApp Services site to configure content redirection from client to server.

1. Enable content redirection on the Web Interface site by clicking Server Farms > Advanced > Enable content redirection.

2. Associate file types with the application by clicking Application properties > Content redirection > Show all available file types for this application and then selecting all desired file type extensions.

Client drive mapping must be enabled so that the local content can be accessed by the application on the server. If drive mapping is not enabled, the published application opens and displays an error because the application is unable to access the local content that initially triggered the application to start.


Server-to-Client Content Redirection

Server-to-client content redirection allows embedded URLs in published applications to be resolved using an application installed on the client device. When a user clicks a URL in an application running in a XenApp session, the URL is redirected to the client device to be displayed by a local application. After the embedded URL is opened in the browser on the client device, all links in the browser open on the local client device. There is no way to link back to the XenApp session from the local client browser even though that XenApp session remains open and available for continued use.

Server-to-client content redirection can be configured through policies. By enabling server-to-client content redirection, an administrator can prevent applications that are published on the XenApp servers from processing requests that require access to web browsers or media players. When server-to-client content redirection is enabled, the following URL types are opened locally by the plug-ins:

• HTTP(S)

• RTSP (Real Player and QuickTime)

• RTSPU (Real Player and QuickTime)

• PNM (Legacy Real Player)

• MMS (Microsoft Media Server)

• If server-to-client content redirection is not enabled, Internet Explorer opens in a XenApp session on the server, if available, instead of on the client device.

• Server-to-client content redirection cannot be disabled by users.

Server-to-Client Content Redirection Example

The diagram in this section illustrates how server-to-client content redirection works when a user clicks a URL link in a message from inside a published email application. The URL is opened by Internet Explorer on the local client device.

Configuring Server-to-Client Content Redirection


Administrators should perform the following tasks to configure content redirection from server to client.

1. Create or edit a policy within User Configuration > Citrix Policies of the Group Policy Management Console or the Delivery Services Console.

2. Enable ICA > File Redirection > Host to client redirection.

This setting is disabled by default, which results in content being opened on the server.

3. Apply the policy.

4. Publish the content file in the Delivery Services Console.

Practice: Content Redirection

Match each scenario in the following table with the content redirection method that should be implemented. Each method is used once.

• Server-to-client content redirection

• Client-to-server content redirection

• Published content with client-to-server content redirection

Scenario | Content Redirection Method
Once a month, a published version of a listing of employee events is made available to all employees. Because employees have a range of client devices, HR wants employees to view the document using a published application. | ___
Alisha wants to access a published version of a web-based accounting tool using a web browser installed locally on her client device. | ___
The Operations team wants to view its weekly log reports (.XLS files) using a published version of Excel. | ___


Implementing Resource Limits and Client Options

By default, users can run an unlimited number of instances of published applications and server desktops. Restricting the number of instances is useful for enforcing licensing requirements for a particular published application.

Connection controls in XenApp allow an administrator to restrict the number of instances of a published application or server desktop:

• That are allowed to run at one time

• That specific users are allowed to run at one time

Application Importance

An administrator can improve the performance of a published resource by assigning it additional CPU cycles. By default, all published applications and server desktops are set to use an importance level of Normal. If an administrator sets a published resource to use an importance level of:

High: More CPU cycles are allotted to the resource and the performance of the published resource improves, but fewer CPU cycles are available for other published resources and server processes

Low: Fewer CPU cycles are allotted to the resource, and the performance of the published resource degrades, but more CPU cycles are available for other published resources and server processes

If Preferential Load Balancing is configured, the application importance level together with the session policy importance level determines the resource allotment of the session. The higher the resource allotment of the session, the higher the percentage of CPU cycles allotted to the session.

Connection Controls Example

CompanyA has several applications installed in its environment; one application is resource-intensive. The farm is sized and configured to allow all required groups to connect to at least one instance of the resource-intensive application with satisfactory application performance.

The administrator of this farm faces a challenge: users who have several client devices are opening several copies of the resource-intensive application concurrently. Although the servers are sized to support the load of the application and expected users, many users complain that application performance is extremely slow, not only for the resource-intensive application but for all applications in the farm.


Based on this information, the administrator configures the connection controls for the farm to allow only one instance of the application for each user. As a result, users can no longer open several instances of the resource-intensive application, farm-wide resource consumption returns to expected levels and performance improves.

Resource Limits and Client Options

The following table describes the resource limits and client options that can be configured for a published resource during the Advanced phase of the Publish Application wizard or by modifying the application properties of an existing published resource.

Option | Description
Limit instances allowed to run in server farm | Specifies the maximum number of instances of the resource that can run concurrently in the server farm
Allow only one instance of application for each user | Prevents users from opening or connecting to more than one instance of the resource
Application importance | Changes the number of CPU cycles allotted to the published resource. The application importance is configured by selecting a priority level in the Application importance drop-down list.
Enable legacy audio | Allows audio support for applications to which HDX MediaStream Multimedia Acceleration does not apply. If the "Minimum requirement" option is enabled in the Client audio settings, the client system must have a sound card installed or the published application will fail to launch on the client device.
Enable SSL and TLS protocols | Requests the use of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols for plug-ins connecting to the published resource
Encryption | Controls which plug-ins are allowed to connect based on their encryption level: basic (with a non-RC5 algorithm); RC5 128-bit logon only; RC5 40-bit; RC5 56-bit or RC5 128-bit encryption. The basic encryption level should not be used in a secure environment.
Start this application without waiting for printers to be created | Controls whether published resources wait for client printers to be created before opening or open immediately
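The publishing, Access Control and Encryption settings described in this module can be reviewed together. The following is an added example, not part of the course material or any Citrix tool: it checks a constructed inventory of published resources for the two settings the module advises against (basic encryption, assignment to individual users) and two it describes that merit review (anonymous access, Access Gateway filters combined with "Allow all other connections"). The inventory layout, field names, finding names and the use of the listed encryption order as a ranking are assumptions.

```python
# Added example: review published-resource settings against this module's guidance.
# The inventory layout and field names are assumptions (a constructed export),
# not a Citrix file format or API.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Encryption levels in the order the Encryption option lists them. Treating that
# order as a weakest-to-strongest ranking is an assumption of this example.
ENCRYPTION_LEVELS = [
    "basic",
    "RC5 128-bit logon only",
    "RC5 40-bit",
    "RC5 56-bit",
    "RC5 128-bit",
]


@dataclass
class PublishedResource:
    name: str
    encryption: str
    allow_anonymous: bool = False                                   # "Allow anonymous users"
    accounts: List[Tuple[str, str]] = field(default_factory=list)   # (kind, account)
    gateway_filters: List[str] = field(default_factory=list)        # Access Control filters
    allow_other_connections: bool = True                            # "Allow all other connections"


def audit_resource(res: PublishedResource, min_encryption: str = "RC5 128-bit") -> List[str]:
    """Return the review findings for one published resource."""
    findings = []
    if res.encryption not in ENCRYPTION_LEVELS:
        findings.append("unknown-encryption-level")
    elif res.encryption == "basic":
        # The module states basic should not be used in a secure environment.
        findings.append("basic-encryption")
    elif ENCRYPTION_LEVELS.index(res.encryption) < ENCRYPTION_LEVELS.index(min_encryption):
        findings.append("below-minimum-encryption")
    if res.allow_anonymous:
        findings.append("anonymous-access")
    if any(kind == "user" for kind, _ in res.accounts):
        # The module recommends assigning resources to groups, not individual users.
        findings.append("individual-user-assignment")
    if res.gateway_filters and res.allow_other_connections:
        # Filters constrain Access Gateway sessions only; connections that do
        # not come through Access Gateway are still allowed.
        findings.append("non-gateway-connections-allowed")
    return findings


def audit_farm(resources, min_encryption: str = "RC5 128-bit") -> Dict[str, List[str]]:
    """Map resource name -> findings, listing only resources that have findings."""
    report = {}
    for res in resources:
        findings = audit_resource(res, min_encryption)
        if findings:
            report[res.name] = findings
    return report


# Constructed sample inventory (names, accounts and filters are made up).
SAMPLE_INVENTORY = [
    PublishedResource("Microsoft Word", "RC5 128-bit",
                      accounts=[("group", "EXAMPLE\\Office Users")]),
    PublishedResource("Kiosk Browser", "basic", allow_anonymous=True),
    PublishedResource("Accounting Tool", "RC5 56-bit",
                      accounts=[("user", "EXAMPLE\\jdoe"), ("group", "EXAMPLE\\Finance")],
                      gateway_filters=["FinanceManagedDevices"]),
    PublishedResource("HR Portal", "RC5 128-bit",
                      accounts=[("group", "EXAMPLE\\HR")],
                      gateway_filters=["HRManagedDevices"],
                      allow_other_connections=False),
]

if __name__ == "__main__":
    for name, findings in audit_farm(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```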

Configuring Resource Appearance

Administrators can configure the appearance of a published application or server desktop by configuring the window size, color depth and startup settings during the Advanced phase of the Publish Application wizard or by modifying the application properties.

Resource Appearance Considerations

An administrator can configure the following settings for published applications and server desktops:

Session window size: Specifies the size of the window in which the published resource will be displayed in the XenApp session. An administrator can choose from preset window sizes, a percent of the client desktop, full screen or specify a custom height and width for the window.

Maximum color quality: Identifies the resolution that will be used by the published resource in the XenApp session. If the resolution specified for a published resource exceeds the capabilities of the client device, the highest resolution supported on the client device is used.

Application startup settings: Specifies whether or not the title bar for the published resource is displayed and the resource is maximized to encompass the entire screen at startup. If an administrator hides the title bar and maximizes the published resource on startup, users are prevented from minimizing or closing the application or server desktop because there is no title bar available for them to access the window controls.


Session Sharing

Session sharing is a mode in which more than one hosted application runs on a single connection. Session sharing occurs when a user has an open session and launches another application that is published on the same server; the result is that the two applications run in the same session.

For session sharing to occur, both applications must be hosted on the same server with the same published application settings. Session sharing is configured by default. If a user runs several applications with session sharing, the session counts as one connection.

All applications in a shared session must be published with the same settings. Inconsistent results may occur when applications are configured for different requirements, such as encryption or screen resolution.

Session sharing always takes precedence over load balancing. That is, if users launch an application that is published on the same server as an application they are already using but the server is at capacity, XenApp still opens the second application on the server. Load management does not transfer the user's request to another server where the second application is published.
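The placement rules this section describes, as an added example (not Citrix code): a simplified model in which session sharing is tried before load balancing, so a matching launch lands on an over-capacity server while a launch with different settings opens a second connection elsewhere. The class names, the load metric (running applications per server) and the sample farm are assumptions.

```python
# Added example: simplified model of session sharing versus load balancing.
# Names, the load metric and the sample farm are assumptions, not XenApp internals.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AppSettings:
    encryption: str
    color_quality: str
    window_size: str


@dataclass(frozen=True)
class PublishedApp:
    name: str
    servers: Tuple[str, ...]      # servers on which the application is published
    settings: AppSettings


@dataclass
class Session:
    user: str
    server: str
    settings: AppSettings
    apps: List[str] = field(default_factory=list)


class Farm:
    def __init__(self, servers, capacity: int):
        self.capacity = capacity                       # max running apps per server
        self.load: Dict[str, int] = {s: 0 for s in servers}
        self.sessions: List[Session] = []

    def launch(self, user: str, app: PublishedApp):
        """Return (server, shared, over_capacity) for one application launch."""
        # 1. Session sharing is tried first and ignores server load: same user,
        #    app published on the session's server, identical published settings.
        for s in self.sessions:
            if s.user == user and s.server in app.servers and s.settings == app.settings:
                s.apps.append(app.name)
                self.load[s.server] += 1
                return s.server, True, self.load[s.server] > self.capacity
        # 2. Otherwise load balancing picks the least-loaded server with room
        #    and a new session (a new connection) is created.
        candidates = [srv for srv in app.servers if self.load[srv] < self.capacity]
        if not candidates:
            raise RuntimeError(f"no server has capacity for {app.name}")
        server = min(candidates, key=lambda srv: (self.load[srv], srv))
        self.sessions.append(Session(user, server, app.settings, [app.name]))
        self.load[server] += 1
        return server, False, False

    def connections(self, user: str) -> int:
        """Sessions count as connections; apps sharing a session count once."""
        return sum(1 for s in self.sessions if s.user == user)


def demo():
    """Run a constructed scenario and return (launch results, farm)."""
    servers = ("XA1", "XA2")
    office = AppSettings("RC5 56-bit", "32-bit", "1024x768")
    strict = AppSettings("RC5 128-bit", "32-bit", "1024x768")   # differs in encryption
    word = PublishedApp("Word", servers, office)
    excel = PublishedApp("Excel", servers, office)
    powerpoint = PublishedApp("PowerPoint", servers, office)
    payroll = PublishedApp("Payroll", servers, strict)

    farm = Farm(servers, capacity=2)
    results = [
        farm.launch("bob", word),          # load balanced to XA1
        farm.launch("alice", word),        # load balanced to XA2
        farm.launch("alice", excel),       # shares alice's session on XA2
        farm.launch("alice", powerpoint),  # still XA2, now past capacity
        farm.launch("alice", payroll),     # settings differ: new session on XA1
    ]
    return results, farm


if __name__ == "__main__":
    results, farm = demo()
    for r in results:
        print(r)
    print("alice connections:", farm.connections("alice"), "load:", farm.load)
```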


Published Resource Configuration

After a resource is published and made available to users, an administrator can use the Delivery Services Console to view the following information:

Information: Contains general information about the published resource

Alerts: Contains all alerts related to the published resource

Servers: Contains a list of the servers on which the resource is published

Configured users: Contains a list of users who were granted access to the published resource

Current settings: Contains a list of the configured properties related to the published resource

An administrator can view only information, alerts, configured users and current settings for published content. Connected user information is not available.

Managing Connections to Resources

When an administrator selects a session, different options become available in the Delivery Services Console.

From the Connected Users screen, an administrator can manage each connection to the published resource and perform the following tasks:

• Reset the session

• Log off the session

• Disconnect the session

• Send a message to the user

• Shadow the session, if shadowing is enabled through a policy

Administrators can choose to reset a user's session to terminate all running processes in the case of a session error.


Disabling or Hiding a Published Resource

It may be necessary to temporarily disable a published resource in order to apply updates or address an issue with the resource. In cases in which the resource must be made unavailable (for reconfiguration or troubleshooting), an administrator can use the application properties in the Delivery Services Console to disable or hide the application from users.

An administrator can configure the following options for each published resource by clicking Application properties > Name.

Disable application: Prevents users from opening the published resource even though the published resource continues to appear in the users' application sets. When users attempt to access the disabled application, they receive the following message:

ERROR: The application you have requested is not enabled. For more information, contact your Citrix administrator.

Hide disabled application: Prevents the published resource from appearing in the users' application sets while the application is disabled. The administrator can notify current published resource users prior to disabling it. Any users connected to the resource before it is disabled can continue to use the resource. If the users log off while the resource is disabled, they will no longer be able to access the resource until it is reenabled. If the users disconnect from the resource while it is disabled, they can still access the resource by reconnecting to the disconnected sessions.


Troubleshooting Application Delivery Issues

An administrator can use the solutions provided in the following table to address application delivery issues.

Issue | Resolution
Client-to-server content redirection opens the published application but does not open the local content. | Verify that client drive mapping is enabled.
File types for a published application do not appear in the Delivery Services Console. | Update the file type associations for the farm by clicking Action > Other Tasks > Update file types.
Users cannot find their application after it launches. | Select Maximize application at startup in the Advanced application properties.
The Delivery Services Console fails to enumerate users or sessions when specific Mac clients connect to XenApp servers. | Replace the special apostrophe (and any other special characters) in the computer name. The computer name is found in System Preferences > Internet and Wireless > Sharing > Computer Name.


Review

1. An administrator can manage published content using which node in the Delivery Services Console?

a. Content

b. Applications

c. Published Resources

d. Installation Manager

2. When an application set contains a large number of published applications, server desktops and content, how can an administrator effectively organize the resources for users?

a. Use load-managed groups.

b. Use the Resource Manager.

c. Create client application folders.

d. Create application folders in the console.

3. What are two types of content redirection? (Choose two.)

a. Client-to-server

b. Server-to-client

c. Client-to-content

d. Application-to-server

e. Content-to-application

4. An administrator can configure the importance level of a published application using which option in the properties of the application?

a. Type

b. Limits

c. Client options

d. Access control

5. Which statement is true about published resource properties?

a. Published resource properties cannot be modified.

b. Published resource properties can be modified at any time.

c. Published resource properties can be modified only when the resource is disabled.

d. Published resource properties cannot be modified when users are using the resource.

6. Which two statements about session sharing are true? (Choose two.)

a. Session sharing does not take precedence over load balancing settings.

b. All applications in a shared session must be published with the same settings.


c. Session sharing is a mode in which more than one hosted application runs on a single connection.

d. Session sharing is a mode in which more than one user can access the same hosted application in a single session.


Module 8

Streaming Applications


Overview

Application streaming simplifies how administrators deliver, administer and upgrade applications to users. With application streaming, an administrator can package and configure an application, place it on a file or web server and deliver it to servers or client devices. Upgrading or patching an application is centralized, allowing one update to be delivered to many XenApp servers and client devices.

Application streaming offers the following benefits to enterprises:

• Cost-effective, scalable application delivery to client devices and servers

• Lowered installation and maintenance costs of applications on servers and client devices in large server farms

• Centralized maintenance allowing users to continue using applications during an update

• Anywhere, anytime (including offline) access to any application

• Isolated environments that eliminate application conflicts

There are additional benefits when applications are streamed to the desktops of client devices:

• Optimal utilization of computing resources

• Reduction of application compatibility issues

At the end of this module, given an environment containing XenApp, you will be able to:

• Identify the components required for application streaming.

• Describe the communications that take place during application streaming.

• Install the offline plug-in on a client device.

• Configure applications for streaming to servers and the desktops of Windows client devices.

• Configure linked profiles for inter-isolation communication.

• Publish a streaming profile.

• Configure XenApp Web and XenApp Services sites to stream applications.

• Configure offline access settings.


Application Streaming

Application streaming includes the following capabilities:

Local system resource usage: Runs streamed applications on the client device, consuming local system resources instead of those on the XenApp server

Central application updates: Allows administrators to deliver upgrades or patches efficiently and seamlessly to user devices the next time they access the application

Isolation environments: Runs applications within protected isolation environments on user devices, which reduces conflicts with other applications installed locally

Windows Services isolation: Allows the streaming of applications that require Windows Services

Inter-Isolation communication: Allows administrators to link profiles for applications that need to interact with each other. When streamed, these applications communicate yet run within an isolation environment.

Application caching: Allows administrators to cache files on the user device to allow faster access the next time the application is opened

Dual-mode streaming: Allows administrators to configure a backup method for application delivery in case user devices do not support streaming

Offline access: Allows users to continue running streamed applications after disconnecting from the network

Support for Citrix Receiver: Allows administrators to deploy and update the offline plug-in using Citrix Receiver

Extended App-V integration: Allows administrators to publish and manage Microsoft App-V packages through the Delivery Services Console and allows users to access Citrix and Microsoft streamed applications through the online plug-in and Dazzle

Differential synchronization of updated profiles: Allows profiled applications to be updated with only the modified files and changed content, thus reducing the time and bandwidth needed to complete the update

HTTP and HTTPS protocol support: Allows profiles residing on a file share to be delivered using a secure web protocol

Backward compatibility: Provides limited backward compatibility for Streaming Client 1.1. The newer offline plug-in supports all profiles created by all versions of the Citrix Streaming Profiler. However, previous versions of the plug-in may not support new functionalities released in XenApp 6.


Application Streaming Components

In addition to the standard components of a XenApp 6 farm, application streaming needs the following components:

Citrix Streaming Profiler (Profiler): Used by administrators to package an application and configure its profile for streaming

Citrix Offline Plug-in: Installed on a client device to allow the necessary application files to be streamed to that device for execution. This plug-in is installed on the XenApp server by default, which allows streamed-to-server functionality.

Citrix Online Plug-in: Installed on a client device to allow users to access published hosted and streamed applications. The Citrix online plug-in is required for offline access of streamed applications.

File or Web Server: Used to host the application profiles created by the Profiler. Published applications can be streamed using UNC-based communication from a file server or using the HTTP or HTTPS protocol from a web server. The application profiles must be included in a file share that resides in the environment.

Users must have read access to the file or web server hosting the application profiles.


Application Streaming Communication Process

The following process describes the communication that occurs when a user requests a streamed application from XenApp.

1. A user clicks a published application icon for an application configured for streaming. The application launch request is relayed to the Web Interface.

2. The Web Interface contacts the XenApp server to obtain the information required to run the application.

3. The Web Interface creates a .RAD file based on the information obtained from the XenApp server and provides it to the RadeRun utility (RADERUN.EXE), which is:

• Located on the client device, if the published application is being streamed to the desktop of the client device

• Located on the XenApp server, if the published application is being streamed to a server

4. The RADERUN utility passes the .RAD file to the Citrix Streaming Service (RADESVC), which creates an isolation environment and downloads the application profile from the server.

5. The Citrix Streaming Service opens the application executable according to the instructions included in the application profile and runs the executable inside the isolation space.

6. Additional application files are downloaded from the server as needed during normal application usage.

Streaming App-V Packages

App-V is an application virtualization and application streaming solution from Microsoft. It is available as part of Microsoft Desktop Optimization Pack (MDOP), Microsoft Application Virtualization for Remote Desktop Services and Microsoft Development Network (MSDN).

Administrators can manage and publish App-V applications using the Delivery Services Console, allowing them to support existing infrastructures based on App-V. Therefore, applications already sequenced with App-V do not need to be converted to or profiled as Citrix streaming profile packages.

For more information on:

• App-V, see the http://www.microsoft.com web site

• Publishing App-V applications and distributing the App-V client, see the XenApp 6 Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site


Citrix Offline Plug-in

The Citrix offline plug-in is a component of application streaming that allows applications to be streamed to servers and the desktops of client devices. The offline plug-in is installed on every XenApp server, enabling applications to be streamed to these servers.

Users must have the offline plug-in installed on their Windows devices to stream applications on their devices. To access a streamed application, one of the following combinations must be available:

Citrix offline plug-in and Citrix online plug-in: When the offline plug-in and online plug-in are installed on a client device, applications can be streamed or cached to the client device. Streamed applications are available from the Start menu, desktop shortcuts and the Windows notification area.

Citrix offline plug-in with a web browser: When only the offline plug-in is installed on the client device, published applications can be accessed by the user through a Web Interface site. In this configuration, applications are not available for offline use.

The Citrix offline plug-in provides streamed applications from a profile target on a file server or web server to XenApp servers and the desktops of client devices.

The offline plug-in:

• Is invisible to users except for the posting of error and status messages

• Runs as a service on the client device to invoke applications the user selects using the Citrix online plug-in or the Web Interface site

• Finds the correct profile target for the client device, creates an isolation environment on the client device and streams the files necessary for the application to run

• Manages the cache size of the client device

User accounts must be specified in either the Group Policy Management Console or the Delivery Services Console within the Computer > Offline app users policy to allow access to offline published applications.


Citrix Offline Plug-in Cache

When a user launches a streamed application, the offline plug-in caches application files on the local drive of the client device in the following folder:

%PROGRAMFILES%\CITRIX\RADECACHE\

Before caching files, the plug-in checks the size of this cache. If the cache size reaches the maximum limit, the offline plug-in removes streamed application files from the cache, starting with the least-recently accessed, until the cache size is smaller than the limit. The default cache size limit is 1000MB (1GB) or 5% of the installation disk volume, whichever is larger.

An administrator can change the default cache location and the default maximum cache size stored in the registry using the CLIENTCACHE.EXE tool located in the following folder on a client device with the offline plug-in installed:

%PROGRAMFILES%\CITRIX\STREAMING CLIENT\

For more information about using the CLIENTCACHE.EXE tool, see the XenApp Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site.
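The cache trimming rule above can be previewed against a real folder before disk space becomes a problem. The following Python script is an added example, not Citrix code: it models the rule from the text, assumes that file-system last-access times stand in for the plug-in's own record of access, and assumes the default limit is still in force.

```python
"""Preview a least-recently-accessed trim of a streaming cache folder.

Added example: models the rule described in the text, it is not Citrix code.
"""
import os
import shutil
from pathlib import Path

MB = 1024 * 1024  # assumption: the manual's "MB" is treated as 2**20 bytes


def default_limit_bytes(volume_total_bytes: int) -> int:
    """Default limit: 1000 MB or 5% of the volume, whichever is larger."""
    return max(1000 * MB, volume_total_bytes * 5 // 100)


def scan_cache(root):
    """Return [(last_access_time, size_bytes, path)] for every file under root."""
    entries = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            try:
                st = path.stat()
            except OSError:
                continue  # file vanished or is unreadable: leave it out
            # st_atime is the file system's timestamp; Windows may be
            # configured not to update it on every read.
            entries.append((st.st_atime, st.st_size, path))
    return entries


def eviction_preview(root, limit_bytes):
    """Return (bytes_before, bytes_after, paths_that_would_be_removed)."""
    entries = sorted(scan_cache(root), key=lambda e: e[0])  # oldest access first
    before = sum(size for _atime, size, _path in entries)
    total = before
    evicted = []
    if total >= limit_bytes:            # trimming starts once the limit is reached
        for _atime, size, path in entries:
            if total < limit_bytes:     # stop when the cache is below the limit
                break
            total -= size
            evicted.append(path)
    return before, total, evicted


if __name__ == "__main__":
    import sys
    # Default folder from the text; pass another path as the first argument.
    # A limit changed with CLIENTCACHE.EXE is not read here.
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expandvars(
        r"%PROGRAMFILES%\CITRIX\RADECACHE")
    if not os.path.isdir(root):
        sys.exit(f"cache folder not found: {root}")
    limit = default_limit_bytes(shutil.disk_usage(root).total)
    before, after, evicted = eviction_preview(root, limit)
    print(f"limit {limit // MB} MB, cache {before // MB} MB -> {after // MB} MB")
    for path in evicted:
        print("would remove:", path)
```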

Citrix Offline Plug-in Installation

An administrator can deploy the Citrix offline plug-in to client devices using Citrix Receiver and Merchandising Server, Web Interface, or third-party utilities such as Microsoft System Center Configuration Manager 2007 or Microsoft Active Directory Services. For more information about using these products to deploy an application, see the documentation for the product.

The Citrix offline plug-in can be installed manually on a client device by any user who has local administrator privileges on the client device using the CITRIXOFFLINEPLUGIN.EXE file in the CITRIX RECEIVER AND PLUG-INS\WINDOWS\OFFLINE PLUG-IN folder or the XenApp Installation wizard on the Citrix XenApp 6 DVD.


Citrix Streaming Profiler

The Profiler is an independent application that allows an administrator to prepare commercial and custom Windows applications, web applications, browser plug-ins, files, folders and registry settings for streaming. The only software applications other than the Citrix Streaming Profiler that should be installed on the Profiler system are the operating system software and utilities.

A profile consists of executable content packaged for streaming using the Citrix Streaming Profiler. A profile is created by recording the installation of applications on an independent system using the Profiler application. Prerequisites, such as Java Run-time Environment, can also be profiled with the application.

It is recommended to create a single 32-bit profile for all 32-bit operating systems and test for required functionality. It is possible that a profile created on one operating system will not function properly or will not provide a complete feature set on another operating system. For example, certain application functionality that was programmed for Windows 7 may not be available if an application is profiled on Windows XP. The same principles apply to 64-bit profiles.

In some cases, an administrator might find it necessary to profile certain applications together to ensure functionality among the applications or to apply a range of compatibility settings to ensure profiled applications launch and run successfully.

Profiling Process

The following process describes the communications that occur when an administrator creates an application profile.

1. An administrator starts the Profiler and elects to create a new profile.

2. The administrator identifies the installation program for an application and starts the installation of that application from within the Profiler.

3. The Profiler creates an isolation environment and runs the installation program for the application in the isolation environment.

4. The Profiler records the system changes caused by the installation program.

5. The Profiler stores the application information and the details specified by the administrator during the creation of the profile.

6. The administrator saves the profile to a file or web server so that it can be published and made available for streaming to servers and the desktops of client devices.


Installing the Citrix Streaming Profiler

The Citrix Streaming Profiler is installed on a profiling system. An administrator should configure the profiling system run-time environment to be as close to the environment of the client device as possible. For example:

• If applications are streamed to a XenApp server, the profiler system should also be a XenApp server.

• If applications are streamed to both 32- and 64-bit operating system client devices, there should be two separate profiling systems.

• If standard programs, such as antivirus software, are part of the company image, they should be installed on the profiling system.

To launch the installation wizard to install the Profiler, click Manually Install Components > Common Components > Plug-ins, Streaming Profiler, and Documentation > Streaming Profiler in the Citrix XenApp 6 media.

Creating a Profile

Using the Profiler, an administrator can configure applications to run in one or more target environments. Individual targets in a profile represent one or more user environments. The range of target environments in which an application can be configured to run depends on three factors:

• The type of application being profiled

• The operating system on the profiling system

• The organizational needs

For example, some commercial applications are capable of running on multiple operating systems and languages, while others, such as custom applications, might be capable of running only on a particular operating system and language. Applications that require packaging for a variety of environments can be contained in a single profile.

To open the New Profile Wizard, click Start > All Programs > Citrix > Streaming Profiler > Streaming Profiler and then click New Profile.

Profile Security Setting

When creating a profile, an administrator can configure how restrictive the client isolation environment should be. By default, profiles prevent the running of executable content that users download into the isolation spaces; only files that are streamed from the server can be executed. This setting protects against users running malicious code or spyware.

The profiling wizard allows for a more relaxed security configuration. The Enable User Updates option permits the running of executable content that the user downloads into the isolation space. If this option is selected, the profile allows application files, such as .DLL application plug-ins, to be downloaded to the client device from the Internet. Any updates are stored as part of the user root and are unique to that user.

It is a best practice to keep the default, more restrictive, security setting so that updates can be evaluated by an administrator prior to being downloaded to client devices. This best practice applies to automatic updates as well.

Targets

A target is a collection of files, registry data and other information used to represent an application isolation environment. A target can contain many executables including the applications that normally receive an entry on the Start menu.

An administrator can run the Profiler several times and from different environments to achieve a complete set of targets. By default, a target matches the operating system and configuration of the profiling system.

Target Criteria

The offline plug-in selects a target from the profile based on the following criteria:

• Operating system version installed on the client device

• Service pack level of the operating system installed on the client device

• System drive letter on the client device

• Operating system language on the client device

The criteria associated with each target are stored in a profile manifest file (.PROFILE) that is stored with the other files that make up the profile. Overlapping definitions of targets are not permitted by the Profiler. That is, only one target in a profile can be a correct match for any client device at application launch. An administrator can update a profile and target at any time without affecting already active executions on client devices.

When a target is updated, another version of the target is saved to the profile. The drawback of maintaining old versions of a target is the wasted disk space on the file or web server. The Profiler cannot be used to delete old versions of targets. However, an administrator can manually delete the older versions of a target to reclaim disk space.

It is the administrator's responsibility to ensure that old versions of a target are not in use prior to deleting them from the file or web server.

Target Options

When a user requests access to a streamed application, the Citrix offline plug-in determines which target from the application profile is appropriate for the client device. The target is selected from the profile based on a variety of criteria, including the operating system, service pack level, drive letter and operating system language.

Operating System

An administrator can configure a target for the following client operating systems:

• Windows XP (Home and Professional editions), 32-bit edition with Service Pack 3

• Windows XP (Home and Professional editions), 64-bit edition with Service Pack 2

• Windows 2003, 32- and 64-bit editions

• Windows Vista (Home, Business, Enterprise, and Ultimate editions), 32- and 64-bit editions with Service Pack 1

• Windows 7 (Enterprise, Professional, Ultimate editions), 32- and 64-bit editions

• Windows Server 2008, 32- and 64-bit editions

• Windows Server 2008 R2

If the operating system on the client device is not supported, the streamed application will not run on the client device.

64-bit applications are not supported for streaming; however, 32-bit applications can be profiled on 64-bit systems and configured to be streamed to 64-bit systems.

Service Pack Level

The service pack level is an optional setting that augments the operating system version. The Profiler stores the service pack level criteria for each operating system. An administrator can set the following rules for service pack level selections for each operating system:

Not required: The target runs on a client device regardless of the service pack level installed, even when no service pack is installed.

Minimum Service Pack Level: The target only runs on a client device that has, at a minimum, the service pack specified.

Maximum Service Pack Level: The target only runs on a client device that has a service pack equal to or older than the specified service pack level.

Range of Service Pack Levels: The target only runs on a client device that matches one of the service pack levels specified.

One service pack level: The target only runs on a client device that matches the service pack level specified.

No service packs should be installed: The target only runs on a client device that does not have a service pack installed.

By design, future service packs are not supported. An administrator should take care to specify only the service packs identified as supported or to specify that a service pack is not required.


System Drive Letter

The system drive letter of the profiling system must match the system drive letter of the client device in order for the target to run on the client device. No provision exists for specifying a variable for the system drive letter. To facilitate target matching, an administrator should configure the target to use the primary system drive letter. If recipient devices have different system drive letters, create a target for each drive letter.

Operating System Language

An administrator can create targets for all languages, including those languages not listed below; however, creating a target in a language that is not listed below is not fully supported. When creating a target for a language that is not listed, an administrator should select English as the operating system language to ensure that target matches occur.

The Profiler supports the following languages:

• English

• French

• German

• Japanese

• Spanish

An administrator should use the English version of the Profiler to create targets for the following operating system languages:

• Korean

• Simplified Chinese

• Traditional Chinese

By default, the operating system and language of the profiler system is included in the profile. If necessary, the operating system and language can be deleted in the target.

For additional requirements, including those required when streaming Microsoft Office applications, see the XenApp Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site.
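The target criteria above (operating system, service pack rule, system drive letter and language, with no two targets allowed to match the same device) can be modelled to check a planned set of targets before profiling. The following Python model is an added example, not Citrix code and not the .PROFILE manifest format; the class names, the single service pack rule per target and the sample targets are assumptions constructed for illustration.

```python
"""Model of target selection by the offline plug-in (added example, not Citrix code)."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class SpRule:
    """One of the six service pack rules listed in this section."""
    kind: str            # "any", "min", "max", "range", "exact" or "none"
    levels: tuple = ()   # service pack numbers the rule refers to

    def allows(self, sp: int) -> bool:
        if self.kind == "any":        # Not required
            return True
        if self.kind == "none":       # No service packs should be installed
            return sp == 0
        if self.kind == "min":        # Minimum Service Pack Level
            return sp >= self.levels[0]
        if self.kind == "max":        # Maximum; assumed to include "no service pack"
            return sp <= self.levels[0]
        if self.kind in ("range", "exact"):   # must equal one of the listed levels
            return sp in self.levels
        raise ValueError(f"unknown rule kind: {self.kind}")


@dataclass(frozen=True)
class Client:
    os_version: str
    sp: int              # 0 means no service pack installed
    drive: str           # system drive letter
    language: str


@dataclass(frozen=True)
class Target:
    name: str
    os_versions: frozenset
    sp_rule: SpRule      # assumption: one rule per target, not one per operating system
    drive: str
    languages: frozenset

    def matches(self, c: Client) -> bool:
        return (c.os_version in self.os_versions
                and self.sp_rule.allows(c.sp)
                and c.drive.upper() == self.drive.upper()
                and c.language in self.languages)


def select_target(targets, client):
    """Return the single matching target, or None if the application cannot launch."""
    hits = [t for t in targets if t.matches(client)]
    if len(hits) > 1:
        raise ValueError("overlapping targets: " + ", ".join(t.name for t in hits))
    return hits[0] if hits else None


def find_overlaps(targets, max_sp=6):
    """Name the pairs of targets that one device could match at the same time."""
    clashes = []
    for a, b in combinations(targets, 2):
        shared_sp = any(a.sp_rule.allows(n) and b.sp_rule.allows(n)
                        for n in range(max_sp + 1))
        if (a.os_versions & b.os_versions and a.languages & b.languages
                and a.drive.upper() == b.drive.upper() and shared_sp):
            clashes.append((a.name, b.name))
    return clashes


# Constructed sample profile; names and values are illustrative only.
XP = "Windows XP 32-bit"
WIN7 = "Windows 7 32-bit"
PROFILE = [
    Target("xp-sp3", frozenset({XP}), SpRule("exact", (3,)), "C",
           frozenset({"English", "French"})),
    Target("win7-en", frozenset({WIN7}), SpRule("any"), "C", frozenset({"English"})),
    Target("win7-de", frozenset({WIN7}), SpRule("any"), "C", frozenset({"German"})),
]

if __name__ == "__main__":
    for c in (Client(WIN7, 1, "c", "German"),     # matches win7-de
              Client(XP, 2, "C", "English"),      # wrong service pack: no target
              Client(WIN7, 0, "E", "English")):   # wrong system drive: no target
        t = select_target(PROFILE, c)
        print(c, "->", t.name if t else "no matching target")
    extra = Target("win7-sp1", frozenset({WIN7}), SpRule("min", (1,)), "C",
                   frozenset({"English", "Japanese"}))
    print("overlaps if added:", find_overlaps(PROFILE + [extra]))
```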


Adding a Target to a Profile

An administrator can add a target to a profile to make applications available to client devices that match additional and unique combinations of target criteria.

For example, a profile contains targets for English, French and German language operating systems. A new branch located in Japan has been added to the company. The administrator creates a new target for the Japanese language operating system so the users in the Japan office can also use the streaming applications in the profile.

When an administrator adds a target to a profile, the Profiler ensures that the target is unique from the other targets in the profile and does not permit a target to be saved if conflicts exist.

To add a target to a profile, click Edit > Add New Target.

During the creation of the target, at least one operating system and one language must be selected. Several languages can be included in a single target, but the administrator should not include languages that will be added to a separate target.

Creating a Specific Target for a Different Operating System

An administrator should complete the following tasks when creating a specific target for a different operating system:

1. Configure a target with one specified operating system and save the profile to a file share.

2. Go to a different profiling system whose operating system matches the additional operating system that should be added to the profile.

3. Launch the Profiler and open the target that was saved to the file share.

4. Add a new target to that profile.

5. Repeat Steps 2 through 4 as necessary.

Deleting a Target from a Profile

An administrator may find it necessary to delete targets that are no longer needed. For example, targets for operating systems that are no longer used in the environment can be deleted.

When a target is deleted, the corresponding profile folder is deleted from the file share, and the entries associated with the target are removed from the manifest file (.PROFILE).

To delete a target from a profile, right-click the target in the console tree and click Delete.

Inter-Isolation Communication

Inter-isolation communication allows the individual profiles in a linked profile to communicate. This feature is useful if a streamed application needs to interact with another streamed application but cannot detect it because both applications are running in isolation environments.

For example, when inter-isolation communication is not configured, an administrator profiles Microsoft Outlook and Adobe Reader in two separate profiles; the applications operate independently, and users will not be able to launch a .PDF attachment in Outlook because Outlook cannot detect Adobe Reader.

When an administrator configures a linked profile, the included applications launch on the client device and can interact with each other while remaining isolated from both the system and other streamed applications. By linking the Outlook and Reader profiles for inter-isolation communication, Outlook and Reader can interact as users expect, even though the individual applications were profiled separately.

The advantage of inter-isolation communication is that applications can be maintained separately, and updates are automatically included in all the linked profiles in which the profile is included. This feature saves time for the administration of the profile set.

Inter-Isolation Communication Configuration

Inter-isolation communication can be configured during the profiling process. There are two types of inter-isolation communication configurations:

Associated: Links existing profiles only. Profiled applications are allowed to communicate but their installation is independent of one another. Associated profiles contain only links to profiles and do not contain executable content.

Dependent: Links existing profiles and installs additional executable content. In this profile, the installation of one application requires the presence of another application. Dependent, linked profiles contain application package files, isolation rules, linked profiles and hierarchy.

When a dependent profile is used, the entire target of each linked profile is downloaded to the profiling system to facilitate the installation step of the dependent profile.

Considerations for Inter-Isolation Communication

Additional considerations for configuring inter-isolation communication are as follows:

• The order in which profiles are listed in the Set up Inter-Isolation Communication screen determines the precedence of isolation rules and operations for the applications in the linked profile. An administrator can move the profiles up or down to affect their order. The rules for each profile are merged into a single list of rules, with the rules of highest priority taking precedence. These properties include custom rules, pre-launch or post-exit scripts and pre-launch analysis.

• If an administrator chooses to associate existing profiles only, without installing a new application, then no additional properties can be configured for the linked profiles.

• If an administrator installs an application or content while enabling inter-isolation communication, then additional properties can be configured and the properties added for the application or content are enabled for all the linked profiles. It is useful to install an application while enabling inter-isolation communication when that application is dependent on the other profiles to run.

• All profile directories must be located in a single directory to link profiles together.

• Linked profiles are stored within the .PROFILE file by name rather than by the path. At application launch, the Profiler service searches the INSTALLROOT locations of the linked profiles.

• Each profile must contain the same targets, including a target that matches the profiling system in the linked profile. Client devices must have a target in each of the linked profiles or they cannot launch any applications in any of the linked profiles.

An administrator should be aware of the superset of operating systems, service packs and languages contained in the linked profile and then verify that each profile contains a target for all the operating systems, service packs and languages in the superset.


Windows Services Isolation

Windows Services are applications that typically operate in the background on a system and operate at a higher privilege level than normal user processes. The higher permissions allow services to make requests, such as the initial application start-up requests or requests for additional system resources, on behalf of applications.

Programmers often create services as a means to control permitted use of application software. When a user opens the application, the application contacts the service for permission to execute. A common restriction is licensing; if a license is not available, or has already been checked out by the user or device, then the service will deny application execution. Isolating the services creates a new environment for each instance of the application launch, allowing the application to be opened by several users from the same server while complying with licensing requirements for each device. However, if the application requires unique device MAC addresses, as opposed to Windows Services, the application will not open in a multi-user environment.

To stream services on devices, an administrator must specify the XenApp servers and the specific services within a list on the client device registries called the white list. For more information about creating the white list, see the XenApp Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site.

Viewing Isolated Services

Isolated services can be identified from the:

Profiler: The Services tab in the profiler menu provides a list of isolated services associated with the profile.

Client Device: The Service Control Manager isolates specified streamed services and displays them with unique alpha-numeric prefixes. Users have the ability to stop and restart isolated services from within the Service Control Manager.

Profile Preference Settings

An administrator can save time by setting default preferences for use in future profiles. The preference settings for the Profiler are as follows:

User Profile Security: These settings determine whether or not executable files outside of the target can run on the client device. An administrator can choose whether or not to hide the User Profile Security Settings screen in the New Profile and Target wizards.

Digital Signatures: This setting hides the Sign Profile step in the New Profile and Target wizards. If the majority of future profiles will not contain a digital signature, then an administrator can choose to hide this setting in the profiling wizards.

An administrator can customize security and signing settings for an individual profile after it is created. During profile creation, an administrator can configure profile signing using one of the following certificates:

• A certificate residing on a drive

• The code-signing certificate on the profiling system

Profile System Requirements

The profiling systems that create the targets in the profiles:

• Must match the primary drive letter of the client devices in use in the environment. Forexample, if the users have client devices with a main drive letter of E, the administratormust create targets on a profiling system that also has a main drive letter of E.

• Should match the operating system language of the client devices in use in the environment.For example, if the client devices in the environment have a German language operatingsystem, the profiling system should have a German language operating system.


Profile Installation Types

During the creation of a profile, the administrator must select the type of installation to perform. The administrator can select one of the following installation types:

Quick install: Adds a single application or command line script to a profile. A single application is defined as one that does not require the administrator to add files, folders or registry settings outside the application installation program.

Advanced install: Adds multiple applications or resources, such as Internet Explorer plug-ins, command line scripts, files, folders and registry settings, outside the application installation program. Additional applications and command line parameters can be added to the profile after the initial application has been added.

Command line parameters apply during application launch and can be used to fine tune the application. In addition, placeholders can be specified in the profile and replaced by command line arguments that are specified in the published application.

Profile Properties

An administrator can view and change the properties of a profile by clicking Edit > Profile Properties in the Profiler. The following options are available:

Information

The General section of the Profile properties displays the following information about a profile:

Profile name: The name of the manifest and the location of the profile

Description: The description provided for the profile

Location: The location of the profile

Size: The size of the profile

Created: The creation date of the profile

Last updated: The date of the last update to the profile

Applications

The Applications section in the Profile properties lists all the applications installed in the targets of a profile and indicates whether or not each application is available in all targets. When an application is available, an administrator can use the Delivery Services Console to publish it on XenApp servers.

Application details are available by right-clicking an application and clicking Application Details. The following information about the selected application is available:

Targets: The name of the targets, service pack information, the language and the system drive letter

Availability: Whether or not the application is available in this target or the other targets in the profile

Version: The version number of the application. The version number displayed in this screen is set by the application installation program and is not the same as the target version number.

Path: The simulated path in the isolation environment to the application in the target

Working Directory: The working directory that the application uses in the isolation environment

Command Line Parameters: The command line parameters passed to the application during startup

In addition to viewing application information about the profile from the Applications section, an administrator can delete an application from a profile from this tab.

File Types


The File Types section of the Profile properties displays information about the types of files associated with the application. When a file type is associated with an application during the application publishing process, a user can open a file of the associated file type on the client device, and the offline plug-in will open the streamed application.

The File Types section displays the following information about the associated file types:

Extension: The extension of the associated file type

Type: A description of the file type

Opens with: The application invoked by the file type

Availability: Whether or not the application is currently available to users

Linked Profiles

The Linked Profiles section of the Profile properties displays the profiles available for inter-isolation communication. When profiles are linked to each other they can communicate with each other on the client device.

Enable User Updates

The Enable User Updates section of the Profile properties specifies whether an application can run executable files that are written to its working directory on the client device.

Pre-Launch Analysis

The Pre-Launch Analysis section of the Profile properties identifies the applications and registry entries that are required on the client device before the application is streamed by the profile. An administrator can use the pre-launch analysis to inspect client devices for prerequisites before streaming the profiled application.

The Profiler can search for the following objects during a pre-launch analysis:

• Applications and versions (specific or a range)

• Binary files and versions (specific or a range)

• Registry entries

If the pre-launch analysis determines a client device does not have the prerequisites required for the profiled application to run correctly, the profile execution stops and the user is alerted to the problem. An administrator should determine whether pre-launch analysis is required for an entire profile or for individual targets within the profile by testing the profile on client devices.

The Pre-Launch Analysis section displays the following information about the applications and registry entries associated with the profile:

Enable pre-launch analysis: Whether or not a pre-launch analysis is enabled

Applications and files: The applications and files required on the client device prior to the application being streamed

Registry Entries: The registry entries required on the client device prior to the application being streamed

Pre-launch analysis is also useful when an application in a profile must interact with an application that cannot be profiled. In this scenario, it is a best practice to enable pre-launch analysis for the application that cannot be profiled to ensure that it is installed on the client devices.

In addition to viewing pre-launch analysis information from the Pre-launch Analysis section, an administrator can enable or disable pre-launch analysis and add, delete and modify which applications, files and registry entries are required on the client device before an application is streamed by the profile.

Pre-Launch and Post-Exit Scripts

The pre-launch and post-exit scripts section in the profile properties identifies the scripts that will run prior to and following the execution of the applications in the profile. If an administrator determines through testing that certain operations are required before or after the running of the applications in the profile, the pre-launch and post-exit scripts section can be used to invoke the scripts written by the administrator. Pre-launch and post-exit scripts are typically .CMD files, but can be any file that is executable by Windows, including VBScript and .BAT files.

The pre-launch and post-exit scripts section displays the following information about the scripts associated with the profile:

Pre-launch scripts: The scripts that run prior to the application in the target launching on the client device

Order: The order in which the pre-launch scripts execute

Isolated: Whether or not a pre-launch script is isolated

Post-exit scripts: The scripts that run after the last application in the target closes

Order: The order in which the post-exit scripts execute

Isolated: Whether or not a post-exit script is isolated

In addition to viewing pre-launch and post-exit script information from the pre-launch and post-exit scripts section, an administrator can add and delete scripts and change the order in which the scripts execute.

An administrator should determine whether pre-launch or post-exit scripts are required for an entire profile or for the individual targets in the profile by testing the profile on the client devices.

Known Limits for Profiling Applications

Some applications cannot be profiled, including:

• Applications that contain drivers, such as Adobe Acrobat Professional

• Microsoft Internet Explorer

• 64-bit applications

• Microsoft Data Access Components (MDAC)

• .NET Framework

.NET applications can be profiled and streamed to the client device as long as the client device has .NET Framework installed.

It is best practice that applications that require User Access Control (UAC) rights elevation or administrator rights be published only to users and groups that have the required rights on their client devices.

Not all applications with services will function correctly when profiled. For example, an application that includes a software license service that ties the application execution to a MAC address will not work.


Target Properties

When users experience problems running applications in a profile, an administrator can solve some of them by editing the properties of the targets in the profile. The properties of a target include:

• General

• Applications

• Target Operating System and Language

• Rules

• Pre-launch Analysis

• Pre-launch and Post-exit scripts

To edit the target properties, open the manifest file (.PROFILE) from within the Profiler, select the appropriate target and click Edit > Target Properties.

General Properties

The General section of the Target properties displays the following information about a target:

Target name: The name of the target, service pack information, the language and the system drive letter

Description: The description provided for the target

Information about the target operating system, target language, target boot drive, target version, target location, target creation date and last target update are also provided in the section.

In addition to viewing general information about the target from the General section, an administrator can change the target name and description for the target.

An administrator can also view the general properties of a target by selecting the Information tab in the profile information pane of the Profiler window.

Application Properties

The Applications section of the Target properties lists all applications installed in the targets in the profile and indicates whether or not each application is available in all targets. When an application is available, an administrator can use the Delivery Services Console to publish it on XenApp servers.

The Applications section displays the following information about the applications in the targets in the profile:

Application Name: The name of the application

Availability: Whether or not the application is available in this target or the other targets in the profile

Version: The version number of the application. The version number displayed in this screen is set by the application installation program and is not the same as the target version number.

Path: The simulated path in the isolation environment to the application in the target

Working Directory: The working directory that the application uses in the isolation environment

Command Line Parameters: The command line parameters passed to the application when it starts

In addition to viewing application information about the target from the Applications section, an administrator can add, modify and delete applications from the target and recover all deleted applications in the target from this section.

When an application is deleted from the target, the Profiler removes only the application data from the manifest file (.PROFILE). It does not delete the application files. When an application is added or recovered, data about the application is added to the manifest file (.PROFILE) for the profile. An administrator can also view the application properties of a target by selecting the Application tab in the profile information pane of the Profiler window, right-clicking the target and selecting Application Details.


Target Operating System and Language Properties

The Target Operating System and Language section of the Target properties displays information about the operating systems, service packs and languages supported by the target.

The Target Operating System and Language section displays the following information about the target:

Operating System: The operating systems in the target

Service Pack: The service pack levels associated with the operating systems in the target

Language: The languages supported by the operating systems in the target

In addition to viewing operating system and language information about the profile from the Target Operating System and Language section, an administrator can add operating systems, service pack levels and languages to the target, remove operating systems, service pack levels and languages from the target and check the target for conflicts from this section.

Rules Properties

The Rules section of the Target properties displays information about how the applications in the isolation environment of the target access system objects such as files, registry entries and named objects.

The Rules section displays the following information about the isolation environment rules for the target:

Rules: The name of the rule, the action taken by the rule and the object affected by the rule

Rule description: The command executed by the rule

In addition to viewing the information about the isolation environment rules for the target, an administrator can add, copy, modify and delete isolation environment rules in the target from this section.

Pre-Launch Analysis Properties

The Pre-launch Analysis section identifies the applications and registry entries that are required on the client device before the application is streamed by the profile.

The Pre-launch Analysis section displays the following information about the applications and registry entries associated with the target:

Use profile settings: Whether the pre-launch analysis properties in the target or in the profile are used

Enable pre-launch analysis: Whether or not a pre-launch analysis is conducted

Applications and files: The applications and files required on the client device prior to the application being streamed

Registry entries: The registry entries required on the client device prior to the application being streamed

It is best practice to configure pre-launch analysis to identify client devices that do not have the appropriate software requirements.

Pre-Launch and Post-Exit Properties

The Pre-launch and Post-exit Scripts section displays the following information about the scripts associated with the target:

Use profile settings: Whether the pre-launch and post-exit scripts in the target or in the profile are used

Pre-launch scripts: The scripts that run prior to the application in the target launching on the client device

Order: The order in which the pre-launch scripts execute

Isolated: Whether or not a pre-launch script is isolated

Post-exit scripts: The scripts that run after the last application in the target closes

Order: The order in which the post-exit scripts execute

Isolated: Whether or not a post-exit script is isolated

An administrator can also add and delete scripts and change the order in which the scripts execute for the target from this section.

Upgrading an Application in a Target

An administrator can upgrade an application in a target using the Profiler. A target is stored in the profile as a directory structure. When an administrator upgrades a target, the Profiler saves the target with a new, incremental version number and as a new directory structure in the profile. The version of a directory structure in a profile is identified by a number at the end of the file name. For example, a directory structure named 720EDD68-0972-49E6-AA00-80974EB81D5B_2 is the second version of the target directory structure in the profile and is identified as version two by the _2 at the end.

Because the Profiler can maintain several versions of each target, users can continue to use the applications in the profile while the application is being upgraded. After the upgrade is completed, new users logging on are streamed the upgraded version of the application while logged on users continue to use, uninterruptedly, the older version of the application. When users log off the older version of the application, they can no longer access that version. Instead, they begin using the upgraded version of the application in the target when they next log on.

Differential Synchronization

Differential synchronization is beneficial when targets have been updated. For example, an administrator updates an application with a new service pack that was recently released.

If client devices have a previous version of the target directory structure of the profile stored in the cache, such as applications enabled for offline access, the streaming service will open the cached directory structure on the client device and compare it with the updated directory structure in the profile.

The streaming service updates only the changed files and removes outdated files from the directory structure in the cache. This feature reduces the time and bandwidth needed to update applications on the client device.

After the profile containing the upgraded application is saved, an administrator cannot use the Profiler to delete or modify the previous versions of an upgraded application.

Deleting an Obsolete Version of a Target

To recover disk space on a file share or web server that hosts the streaming application profiles, an administrator can delete an older version of a target that has been updated. As targets are updated, the version number assigned to the directory structure is updated. The directory structure with the lowest version number is the oldest version of the file.

After a target is updated, the prior version of the updated target is no longer available through the Profiler. An administrator can delete the unnecessary directory structure associated with the prior version of the target using an operating system utility.

Prior to deleting a target from a profile, the administrator must ensure that no one is currently using the obsolete target.
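One way to list which version directories are candidates for that cleanup, as an added example that is not part of the course material: it groups directory names by target GUID, compares the version suffixes numerically and reports everything below the highest version, without deleting anything. It assumes every version directory carries the `_N` suffix shown in the naming example; the function name and the sample listing (apart from the GUID quoted in the manual) are constructed.

```python
import re
from collections import defaultdict

# Target directory name: a GUID followed by "_<version>", as in the manual's
# example 720EDD68-0972-49E6-AA00-80974EB81D5B_2. Assumption: every version
# of a target carries this suffix; other names are reported, never guessed at.
TARGET_DIR = re.compile(
    r"^(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})"
    r"_(?P<ver>[0-9]+)$"
)


def classify_target_dirs(names):
    """Split directory names into current, obsolete and unrecognized.

    Returns (current, obsolete, unrecognized):
      current      -- {GUID: highest version number found}
      obsolete     -- names with a lower version, ordered by GUID and then
                      numerically by version (oldest first)
      unrecognized -- names that do not look like a target directory
    """
    versions = defaultdict(dict)  # GUID -> {version number: original name}
    unrecognized = []
    for name in names:
        match = TARGET_DIR.match(name)
        if match is None:
            unrecognized.append(name)
            continue
        guid = match.group("guid").upper()
        versions[guid][int(match.group("ver"))] = name

    current, obsolete = {}, []
    for guid in sorted(versions):
        by_version = versions[guid]
        newest = max(by_version)  # numeric comparison, so _10 is newer than _2
        current[guid] = newest
        obsolete.extend(by_version[v] for v in sorted(by_version) if v < newest)
    return current, obsolete, unrecognized


# Constructed listing of one profile folder on the file share.
SAMPLE_LISTING = [
    "720EDD68-0972-49E6-AA00-80974EB81D5B_1",
    "720EDD68-0972-49E6-AA00-80974EB81D5B_2",
    "720EDD68-0972-49E6-AA00-80974EB81D5B_10",
    "0A1B2C3D-1111-2222-3333-444455556666_1",
    "Office.profile",
    "notes.txt",
]

if __name__ == "__main__":
    current, obsolete, unrecognized = classify_target_dirs(SAMPLE_LISTING)
    for guid, version in current.items():
        print(f"current   {guid} version {version}")
    for name in obsolete:
        print(f"obsolete  {name}")
    for name in unrecognized:
        print(f"skipped   {name}")
```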


Application Delivery Methods

During the publishing task, the administrator must make decisions about the application delivery method to use, the alternate application delivery method to use and whether the application will be configured for offline use. The following delivery methods are available:

Accessed from a server

Uses the method specified in the Server application type field to determine exactly how the published application will be provided to users. The server application types include:

Installed application: Specifies that users will access the published application that is pre-installed on the XenApp server.

Streamed to server: Specifies that the users will access the published application that is streamed to the XenApp server. Users access the application by connecting with either the online plug-in or the Web Interface.

Streamed if possible, otherwise accessed from a server

Specifies a choice of how the published application will be provided to the users. By default, the published application will be streamed to the client device. If the published application cannot be streamed to the client device, the method specified in the Server application type field will be used. The server application types include:

Installed application: Specifies that users will access the published application that is pre-installed on the XenApp server

Streamed to server: Specifies that users will access the published application that is streamed to the XenApp server. This Server application type requires that the offline plug-in be installed on the server.


Streamed to client

Specifies that the published application will be streamed to the client device. This option requires that both the offline plug-in and the online plug-in be installed on the client device.

Clients that do not support application streaming, such as non-Windows clients and client devices that do not meet the aforementioned requirements, will not be able to access the published application.

It is possible to force the delivery of streamed to client published applications with filters. To do this, configure the Load Balancing policy setting located in the Delivery Services Console for Streamed App Delivery. This policy setting overrides the selection in the Publish Application wizard. For more information, see the XenApp Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site.

The Benefits of Streaming with Dazzle

Administrators can allow users to obtain streamed applications through Dazzle. The benefits of doing so include:

Installation Progress Bar: Dazzle shows the progress of currently downloading streamed applications and displays whether the applications are available for offline use.

Add and Remove Programs: The Windows Add and Remove Programs utility differentiates locally-installed and streamed applications in the Publisher field:

• Citrix Systems, Inc. indicates a locally installed application, such as the Citrix Receiver or the Citrix plug-ins.

• Delivered by Citrix indicates a streamed application delivered by Dazzle.

Removed Applications: Dazzle automatically notifies users of any applications that have been removed from the server.

The steps to adding streamed applications to Dazzle are the same as adding other published applications.


The Web Delivery Method

An administrator can configure an application to be streamed using the HTTP or HTTPS protocol delivery method. Using HTTP as a streaming protocol gives an administrator the ability to deploy profiles to an externally accessible web server and then stream applications from those profiles anywhere in the world. Additionally, this protocol is faster than UNC-path-based network communication over the internal network.

To utilize HTTP or HTTPS as a delivery method, an administrator must complete the following tasks:

• Profile the application and save it to a file share using the UNC path. The file share can be configured on a web server or a file server.

• Configure a virtual directory on the web server by adding the following MIME type information to the virtual directory:

– Extension: .PROFILE

– MIME type: text/xml

• Create a virtual web site that points to the file share containing the profile using the UNC path.

– Turn on Directory Browsing on the virtual web site to test the configuration.

– Configure the binding for HTTPS.

• Publish the profiled application and specify the full URL path to the profile using a fully qualified domain name on the Location page in the Publish Application wizard.

For more information about configuring the binding for HTTPS and configuring HTTP or HTTPS as the delivery method, see the XenApp Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site.


Streaming to Servers

An administrator can use application streaming to simplify the deployment of applications to servers in a farm. After an application is streamed to a server, users can launch and use the application through a XenApp session. An administrator can stream an application to a server by completing the following tasks:

• Create an application profile on a Windows Server 2008 R2 operating system.

• Ensure that a XenApp Web or XenApp Services site is configured to run one of the following application types:

– Online: This application type allows users to access applications provided by a server.

– Dual mode: This application type allows users to access applications that are streamed to the client device or provided by a XenApp server.

Both of these application types allow users to access and run applications installed on a server.

• Ensure that the application is not installed on the XenApp server to which the application is being streamed.

• Publish the application to stream to a XenApp server by selecting Accessed from a server as the application type with Streamed to server as the Server application type.

While using the "Streamed if possible, otherwise access from server" delivery method with the "Streamed to server" application type will stream applications to servers, XenApp will first try to stream the application to the client device. If the offline plug-in is installed on the client device and the published application is accessed through a Web Interface site or the plug-in installed on the client device, the application will stream to the client device rather than to the server.


Publishing a Streamed Application

Publishing a streamed application makes profiled applications available to users. An administrator publishes a streamed application using the Delivery Services Console.

Before publishing a streamed application, an administrator must use the Profiler to profile the application.

During the publishing process, an administrator must specify whether the profiled application will be delivered from a file server or a web server. If a web server is utilized, then additional configuration is required.

To start the Publish Application wizard, right-click the Applications node in the Delivery Services Console and click Publish application.

An administrator can change the application type of a published application. To do so, right-click the application, click Other Tasks and click Change application type.

For information on publishing App-V sequenced applications, see the XenApp 6 Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site.


Specifying an Alternate Profile for a Published Application

An administrator can specify an alternate profile for connections that come from specific IP addresses. For example, an administrator could use an alternate profile to direct users on either side of a WAN to stream applications only from the file or web server on their side of the WAN. When an alternate profile is created, a duplicate of the primary profile is created and stored on a different file share, making it more accessible to the client device.

If the alternate profile is different from the primary package, the application may not work properly on the client device.

Alternate Profile Properties

On the Alternate profiles screen of the published application properties, an administrator can view or modify the following:

Primary application profile location: The location of the profile on the network file share. An administrator cannot change this location on this page.

Alternate profile locations: A list of existing alternate profile locations, including their client IP ranges. An administrator can add, modify or remove alternate profile locations. When specifying an alternate profile location, an administrator must specify an IP address range by entering the lowest IP address in the Start IP field and the highest IP address in the End IP address field. Changes take effect the next time the user launches the application.
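A planning check for the Start IP and End IP ranges described above, as an added example that is not part of the course material: it rejects inverted ranges, reports alternate locations whose ranges overlap, and lists which location or locations a given client address falls under. It assumes IPv4 ranges and that clients outside every range use the primary location; the manual does not say which entry applies when ranges overlap, so every match is returned. The function names, UNC paths and addresses are constructed.

```python
import ipaddress


def parse_range(start_ip, end_ip):
    """Return (start, end) as IPv4Address objects; reject inverted ranges."""
    start = ipaddress.IPv4Address(start_ip)
    end = ipaddress.IPv4Address(end_ip)
    if start > end:
        raise ValueError(f"Start IP {start} is higher than End IP {end}")
    return start, end


def find_overlaps(entries):
    """Return pairs of locations whose client IP ranges share an address.

    entries -- list of (location, start_ip, end_ip) tuples
    """
    parsed = [(loc, *parse_range(start, end)) for loc, start, end in entries]
    overlaps = []
    for i, (loc_a, start_a, end_a) in enumerate(parsed):
        for loc_b, start_b, end_b in parsed[i + 1:]:
            # Two closed ranges overlap when each starts before the other ends.
            if start_a <= end_b and start_b <= end_a:
                overlaps.append((loc_a, loc_b))
    return overlaps


def locations_for(client_ip, entries, primary):
    """Return every alternate location whose range contains client_ip.

    Assumption: a client outside all ranges falls back to the primary
    profile location, so [primary] is returned when nothing matches.
    """
    ip = ipaddress.IPv4Address(client_ip)
    hits = []
    for loc, start_ip, end_ip in entries:
        start, end = parse_range(start_ip, end_ip)
        if start <= ip <= end:
            hits.append(loc)
    return hits or [primary]


# Constructed profile locations and client ranges.
PRIMARY = r"\\fs-hq\profiles\Office\Office.profile"
EAST = r"\\fs-east\profiles\Office\Office.profile"
WEST = r"\\fs-west\profiles\Office\Office.profile"
LAB = r"\\fs-lab\profiles\Office\Office.profile"

ALTERNATES = [
    (EAST, "10.1.0.1", "10.1.255.254"),
    (WEST, "10.2.0.1", "10.2.255.254"),
    (LAB, "10.2.200.1", "10.3.0.254"),  # overlaps the WEST range
]

if __name__ == "__main__":
    for loc_a, loc_b in find_overlaps(ALTERNATES):
        print(f"overlap: {loc_a} and {loc_b}")
    for client in ("10.1.4.20", "10.2.210.7", "192.168.5.9"):
        print(client, "->", locations_for(client, ALTERNATES, PRIMARY))
```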

Enabling the Least-Privileged User Account

An administrator can configure applications that are set to stream to client devices only to runwith:

Reduced user privileges: The streamed application runs on the client device using the least-privileged user account available for the user on the client device. This reduces the security risks posed by the application but may cause the application to fail if elevated privileges are required by the application.

An administrator should test the application to determine if it will run correctly for users who have restricted privileges on their client devices before reducing the user privileges for a published application.

For example, User1 has Restricted User privileges on a client device. User2 has Administrator privileges on a client device. Because the application requires at least Standard User privileges to run correctly, the application fails when User1 attempts to use the application. The application runs correctly for User2.

Normal user privileges: The streamed application runs on the client device with User rights, even if the user has administrative privileges on the client device.

These settings are part of the published application properties, not the profile.


Configuring Sites for Streaming Applications

An administrator can configure the following types of Web Interface sites:

XenApp Web: Allows users to access published resources through a web browser

XenApp Services: Allows users to access published resources through the Citrix online plug-in

Published Resource Types

An administrator can make the following types of published resources available for users through a Web Interface site:

Online: Grants users access to published applications installed on or streamed to a server

Offline: Grants users access to applications streamed to client devices

Dual mode: Grants users access to both streaming applications and applications installed on the server


Support for Both Remote and Streaming Applications

An administrator can configure Web Interface sites in the environment to support the delivery of applications installed on the servers and applications streamed to servers or the desktops of client devices in the environment. This can be accomplished in a variety of ways based on the method used to access the applications.

• If the applications will be accessed by users through the Web Interface:

– One XenApp Web site must be configured to use the Dual mode application type, or

– Two XenApp Web sites must be configured. One site should be configured to use the Online application type and the other site should be configured to use the Offline application type.

• If the applications will be accessed by users through the online plug-in:

– One XenApp Services site must be configured to use the Dual mode application type, or

– Two XenApp Services sites must be configured. One site must be configured to use the Online application type and the other site must be configured to use the Offline application type.


Offline Access Management

Applications that are published to stream to the desktop of a client device can be accessed by a user who is disconnected from the network.

An administrator should configure the following properties to enable offline access:

• Configure the application properties for offline access.

– Enable an application for offline access.

– Configure users for streamed applications.

• Configure a XenApp Services site for Offline or Dual mode applications.

• Ensure a license is available for checkout or that the license which is already checked out has not expired.

Indirect Membership to the Offline Access List

An administrator can give users indirect permission for offline access by making them members of groups or subgroups that have offline access.

For example, if an administrator grants Group A permission to use a published application and adds Group A to the offline access list, User 1 who is a member of Group A has offline access to the application.


An administrator can also specify subgroups of larger groups for indirect access. For example:

• Group A contains Subgroups B and C.

• Group A has permission to use the published application.

• Subgroup B has offline access permission.

In this example, only members of Subgroup B can access the application while either online or offline. Members of Subgroup C can use the application while online but not when they are offline.

Providing Offline Access

During the publishing of a streaming application, an administrator can configure streamed applications for offline access. This enables users to log off from the network and continue to run the applications in offline mode for a specified length of time.

When an application is configured for offline access, the offline plug-in downloads the application and caches it on the user’s client device. An administrator can configure the application to be pre-cached at logon or cached during application launch.

Users who have been given offline access permission and permission to use the published application must launch the streaming application using the online plug-in to use the offline access feature. When users launch the streaming application, the offline plug-in caches the streamed application on the hard drive of the client device.

After the streamed application is cached, the user can disconnect from the network and continue to run the application in offline mode for the period of time specified in the license. The offline access feature is available only for published applications configured to use either the 'Streamed to client' or the 'Streamed if possible, otherwise accessed from a server' application type as the application delivery method.

Users and groups can be added for offline access in the properties of the published application. The Operating System User Selector option that is available when adding users has several limitations. An administrator:

• Can browse only account authorities and select users and groups that are accessible from the server running the Delivery Services Console

• Can initially select users and groups outside the trust intersection of the farm, which causes errors later

• Cannot add NDS users and groups or Citrix built-in users


Offline Access Period

Administrators must specify which users can access applications offline. XenApp checks out a license on behalf of each user the first time they connect and stream an application. The license allows the use of the application offline for a specified number of days (21 by default) before the license must be renewed. An administrator can change the length of time permitted for offline use before the license must be renewed by creating a Citrix policy and configuring the Offline app license period setting.

Renewing Offline Access Period

When users with offline access permission log on to XenApp, they automatically either check out a license or renew a license that is already checked out. Licenses are valid for the specified license period set in the Citrix policies.

When the user logs on, the license is renewed, if one is available. If a license nears its expiration date while the user is running the application offline, a message appears reminding the user to log on to XenApp so the license can be renewed.

If the license expires while the user is offline, the user will not be able to launch the application. If no license is available when the user logs on to XenApp, the user will not be able to launch the application while online or offline.

Offline application shortcuts are displayed when users log off of their XenApp sessions. However, the application shortcuts become unavailable if the licenses expire. Users can view information such as the download status of an offline application, the total license period and the number of days before a license expires using the "Offline Applications" option in the Citrix online plug-in.
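The indirect membership rule and the offline license period described above can be checked together when reviewing who is able to run a streamed application off the network. The following Python model is an added example, not Citrix code or part of the original manual; the group data, user names and the treatment of the expiry day are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed directory data mirroring the example above: Group A contains
# Subgroups B and C. The user names are hypothetical.
GROUP_MEMBERS = {
    "Group A": {"Subgroup B", "Subgroup C"},
    "Subgroup B": {"user1"},
    "Subgroup C": {"user2"},
}
DEFAULT_LICENSE_DAYS = 21  # default offline license period stated above


def expand(principals, members=GROUP_MEMBERS):
    """Resolve users and (nested) groups to the set of individual users."""
    users, seen, stack = set(), set(), list(principals)
    while stack:
        name = stack.pop()
        if name in seen:          # tolerate circular group nesting
            continue
        seen.add(name)
        if name in members:
            stack.extend(members[name])
        else:
            users.add(name)
    return users


@dataclass
class PublishedApp:
    configured_users: set         # accounts permitted to use the application
    offline_access_list: set      # accounts on the offline access list
    offline_enabled: bool = True  # application enabled for offline access


@dataclass
class OfflineLicense:
    checked_out: date
    period_days: int = DEFAULT_LICENSE_DAYS

    @property
    def expires(self):
        return self.checked_out + timedelta(days=self.period_days)


def can_launch_online(app, user):
    """Online use only needs permission to use the published application."""
    return user in expand(app.configured_users)


def effective_offline_users(app):
    """Users who hold BOTH the application permission and offline access."""
    if not app.offline_enabled:
        return set()
    return expand(app.configured_users) & expand(app.offline_access_list)


def can_launch_offline(app, user, today, lic):
    """Return (allowed, reason) for an offline launch attempt."""
    if user not in effective_offline_users(app):
        return False, "no offline access permission"
    if lic is None:
        return False, "no license checked out"
    # Assumption: the license counts as expired once period_days have elapsed.
    if today >= lic.expires:
        return False, "offline license expired"
    return True, f"license valid until {lic.expires.isoformat()}"


def renew_at_logon(today, period_days=DEFAULT_LICENSE_DAYS):
    """Assumption: a renewal at logon restarts the offline period from that day."""
    return OfflineLicense(checked_out=today, period_days=period_days)


# Group A may use the application; only Subgroup B is on the offline list.
APP = PublishedApp(configured_users={"Group A"}, offline_access_list={"Subgroup B"})

if __name__ == "__main__":
    lic = OfflineLicense(checked_out=date(2010, 6, 1))
    for user in ("user1", "user2"):
        for day in (date(2010, 6, 10), date(2010, 6, 25)):
            print(user, day, can_launch_offline(APP, user, day, lic))
```

Running `effective_offline_users` against an export of the real group structure gives the list of accounts that can carry the application off the network, which is the list to review when the offline access list is changed.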


Application Caching

When an application is configured for offline access, XenApp caches the application on users' client devices with offline access permission. An administrator can determine when this caching of the application occurs so that its impact on the network and the user experience is minimized. The two caching options are listed below.

• Pre-caching at Logon: When a published application is configured to pre-cache at logon, XenApp streams the application to the client device cache when the user logs on to XenApp. This option is the default setting. A message notifies the user when the download begins and ends. When the download is complete, the user can log off from XenApp and run the cached application while offline until the offline access license expires.

Concurrent logons by users can slow network traffic when this caching option is used.

• Caching at Launch: When a published application is configured to cache at launch, XenApp streams the application to the client device cache when the user launches the published application through XenApp. When the download is complete, the user can log off of XenApp and run the cached application while offline until the offline access license expires.

An administrator should configure a published application to cache the application at launch if the number of users logging on at the same time and, therefore, pre-caching their applications at logon, could overload the network.

Pre-Deployment of Streaming Applications

An administrator can pre-deploy streaming applications to users to avoid the caching of the applications on the client device at logon or at launch time. Pre-deployment pushes new or updated published application files to the client devices before the user attempts to access the application. As a best practice, administrators should pre-deploy the applications used most frequently by users.

RADEDEPLOY.EXE is a command line utility that will advance copy the streaming content onto the target system. It is located in the \PROGRAM FILES\CITRIX folder on the client device after the offline plug-in is installed.

The first time that a user launches a large published application configured for streaming, the server will trigger a massive data transfer. To lessen the impact to the network, an administrator can pre-deploy new or updated published application files to the client devices during off-peak hours to help avoid overloading the file servers or networks. The administrator should use a software management system to control when the utility is executed so that the streaming content gets copied down to the client devices before users arrive in the morning and start running applications.

When offline applications are predeployed using the RADEDEPLOY.EXE utility, the caching method selected in the properties of the published application is bypassed because applications are only cached to the client device once.

For more information about running this utility, see the XenApp 6 Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp website.


Troubleshooting Streaming Issues

An administrator can use the solutions in the following table to address common streaming issues.

Issue: Applications do not stream.

Resolution:

• Verify that the Citrix offline and online plug-ins are installed.

• Verify that the client device matches the profile configuration for:

– Operating system type: 32-bit or 64-bit

– Operating system language

– Service pack level

– System drive letter

• Verify that the white list is configured for applications that require streaming Windows Services.

Issue: Applications do not have full functionality.

Resolution: Verify that the application was streamed on the target operating system; application functionality may vary across operating systems.

Issue: Applications are not automatically updated by vendor web sites.

Resolution: Verify the profile is configured to allow updates. Profiles do not allow application updates, by default. However, if a more relaxed security configuration is required, select the Enable User Updates option for the profile.

Issue: Streamed applications do not recognize each other.

Resolution: Verify that inter-isolation communication is configured.

Issue: Applications are not available offline.

Resolution:

• Verify that the applications are enabled for offline access and that users are specified.

• Verify that the XenApp Services site is configured for the Offline or Dual mode application type.


Review

1. In addition to the standard server farm components of XenApp 6, which Citrix component is needed for application streaming to a desktop?

a. Citrix Receiver

b. Citrix online plug-in

c. Citrix offline plug-in

d. Citrix Access Gateway

2. Which two statements regarding the Citrix offline plug-in are accurate? (Choose two.)

a. The offline plug-in is invisible to the user.

b. The offline plug-in runs as a service on the client device.

c. The offline plug-in determines the application delivery mode.

d. The offline plug-in is displayed in the Windows notification area.

e. The offline plug-in can be used in conjunction with a XenApp Web site to access applications offline.

3. A profile creates a target based on which four criteria? (Choose four.)

a. Applications

b. Operating system

c. Service Pack level

d. System drive letter

e. Operating system language

f. Files, folders and registry settings

4. An administrator is creating a profile for an application and wants to include a specific Internet Explorer plug-in. Which type of installation should the administrator use?

a. Quick

b. Default

c. Standard

d. Advanced

e. Integrated

5. An administrator must publish which file type to make a streaming application available to users?

a. .EXE

b. .MSI

c. .RAD


d. .PROFILE

6. Which two application types can be configured in a Web Interface site so that applications stream to the desktop of a client device? (Choose two.)

a. Online

b. Offline

c. Dual mode

d. Streamed to client

e. Streamed to server

7. An administrator wants users to be able to access applications installed on the XenApp server through the online plug-in and access streaming applications when the users are offline. What must the administrator configure?

a. One XenApp Web site

b. One XenApp Services site

c. One XenApp Web site and one XenApp Services site

d. Two XenApp Web sites and two XenApp Services sites


Module 9: Configuring Policies


Overview

Citrix policies provide a way for administrators to control XenApp server and farm settings as well as the functionality available to users within XenApp sessions. For example, administrators can use Citrix policies to control session security settings, bandwidth limits, printer and device mapping, client drive access and display and graphics settings. In addition, XenApp provides the ability to apply policies to worker groups, users and user groups, client IP addresses, client device names and sessions connecting through Access Gateway.

At the end of this module, given an environment containing XenApp, you will be able to:

• Identify the types of Citrix policies that can be created.

• Identify the methods for creating policies.

• Create and configure policies.

• Apply policies using filters.

• Use policy modeling tools.


Group Policy Integration

Implementing the Citrix policies correctly enables administrators to fine-tune and control how users connect to resources.

XenApp integrates with the Microsoft Group Policy engine, allowing organizations to leverage their Active Directory structure and Group Policy management tools to create and apply Citrix policies. Citrix policies are configured within Group Policy Objects (GPOs) using the Group Policy Management Console (GPMC) and linked to Active Directory domains, organizational units (OUs) and sites. The policy settings within those GPOs will apply to all objects within that OU regardless of XenApp farm membership. Objects added to the OU will have those policy settings applied automatically.

Group Policy integration does not require changes to the Active Directory schema.

Group Policy Integration Benefits

Group policy integration also allows organizations to leverage the Group Policy management features for their XenApp environment. For example, the GPMC allows administrators to:

• Back up and restore policies

• Migrate policies from one domain to another

• View the resultant set of policies for a server, user or session

• Perform modeling by retrieving policy reports for any user connection scenario

• Create Active Directory delegated administration for Citrix settings and policies

Administrators with access to the Advanced Group Policy Manager (AGPM) can perform the following additional tasks:

• Create granular delegated administrators and role-based administration

• Manage the Active Directory Group Policy change control process

• Edit GPOs offline

• Enable audit logging and create policy differencing reports

• Recover deleted GPOs and repair live GPOs

• Enable email notification for GPO changes

• Track version changes, capture history and quickly roll back deployed changes

The AGPM tool is included within the Microsoft Desktop Optimization Pack and is available only to Microsoft Software Assurance customers.


IMA-based Group Policies

Managing Citrix policies through the Group Policy Management Console (GPMC) generally is recommended as it provides greater management flexibility and predictability. However, using Active Directory GPOs may not be possible in the following scenarios:

• Environments using directory services other than Active Directory

• XenApp farms with published applications requiring anonymous (local) accounts

• Organizations that restrict or deny Active Directory delegation to XenApp administrators

To support these environments, XenApp provides an IMA-based global Group Policy Object, which still leverages the Microsoft Group Policy engine within Windows Server, but does not require Active Directory. The IMA-based policies allow administrators to configure farm-specific Citrix policies within the Policies node of the Delivery Services Console. The interface is similar to the interface within the Group Policy Editor; however, the Citrix policies configured in the Delivery Services Console apply to all servers and users within the farm regardless of their Active Directory OU location.

The Local Group Policy Editor (GPEDIT.MSC) can be used to override farm or OU policy settings for a particular server. Changes made to the Local Group Policy Object apply only to the local server and will not affect other servers within the farm or OU. Use of the Local Group Policy Editor generally should be avoided to reduce policy inconsistencies, unexpected session behavior and troubleshooting efforts. Active Directory GPO settings can be used to block the use of Local Group Policy Editor to improve security and ensure that OU policy settings are not overwritten by local server policy settings.

IMA-based Policy Use Case

Having a change control process for all Citrix policy settings, regardless of who configures them or where they are configured, is recommended. However, sometimes XenApp administrators need a quick way to apply Citrix policies. IMA-based policies can serve as a backup method for quickly changing farm policy settings as these policies will bypass all Active Directory synchronization and ownership issues and immediately will apply to all new sessions, regardless of the Active Directory replication configuration. Note that these IMA-based policy settings only apply to XenApp servers and will not affect non-XenApp servers within an OU. For security purposes, the IMA-based global GPO can be disabled within an Active Directory GPO.

Group Policy Extensions

During the XenApp and Delivery Services Console installations, Citrix client-side extensions are installed, which allow Citrix policy integration within the Microsoft Group Policy engine. These extensions add a Citrix Policies node within the existing Computer and User nodes within the Group Policy Object Editor. The Citrix Policies node allows administrators to create Citrix policies as either User or Computer policies within the GPO.

If the Delivery Services Console is not installed as part of the XenApp installation, the client-side extensions are still installed. However, if a system running a non-server version of Windows, such as Windows 7, will be used for policy management, the Group Policy Management Console must be installed on that system in addition to the Delivery Services Console.

Group Policy Architecture

When Citrix policies are created or edited within GPMC and the Group Policy Object Editor, the configuration is stored in the following location: \\domain\SYSVOL\domain\Policies\guid\machine or user\Citrix\GroupPolicy\Policies.GPF. When Citrix policies are created or edited within the Delivery Services Console, the IMA-based policy settings are stored as metadata in the data store database and are propagated to servers as GPF/X files stored in their local SYSVOL directory. In both instances, the settings are written to each server registry.

Each time group policies are evaluated on the XenApp server, the GPF/X files are retrieved from the SYSVOL and farm data store. The client-side extension evaluates the filters and merges the results into a single Resultant Set of Policy within the HKLM\Software\Policy\Citrix registry key. Various software components read the registry values and enforce the settings. The previous figure illustrates the conceptual architecture behind the Citrix policy system.


Policy Evaluation

Policies are evaluated on XenApp servers when one of the following events occurs:

• A user logs on

• The server is rebooted

• The policy refresh interval is reached

• A policy update is forced

By default, the policy refresh interval is 90 minutes for Active Directory GPOs. The interval time can be changed, although reducing it too much may overload domain controllers. The refresh interval applies to servers as well as user sessions that were started before the policy change. New user sessions always capture the latest User configuration settings within GPOs; however, the latest Computer configuration settings will not be applied until one of the above events occurs. Administrators can force a policy update using the GPUPDATE /FORCE command. By default, both User and Computer configuration settings are updated. However, additional switches can be used to force updates to either the User or Computer configuration settings.

IMA-based policies are subject to the same Active Directory policy refresh cycle for Computer configuration settings. However, User configuration settings within IMA-based policies are applied immediately.

Policy Application Process

The following process provides a high-level description of how policies are applied to XenAppsessions:

1. The user logs on to a client device in a company domain using domain credentials.

2. The credentials are sent to the domain controller.

3. Active Directory finds and applies all policies configured for the user, client device, organizational unit and domain.

4. The user logs on to XenApp and launches a published resource.

5. The Microsoft and the Citrix client-side extensions begin processing policies for the user and server.

• The Microsoft client-side extension gathers settings that are stored in Active Directory SYSVOL.

• The Citrix client-side extension gathers directory-level settings within the Active Directory SYSVOL and local server SYSVOL GPF/X files.

Local server settings automatically are propagated by IMA periodically and the Citrix client-side extension assumes those settings are current.

The Citrix client-side extension is inserted into the process because it is a registered .DLL in the XenApp server registry.

6. Active Directory determines precedence for the settings and applies them to the server and user registries.

7. The user logs off of all published resources. Citrix user policies are no longer active for this user or client device.

8. The user logs off of the client device. GPOs are no longer active for this user.

If the client device is still powered on, GPO computer policies continue to apply to it.

Policy settings configured within Active Directory GPOs and IMA-based GPOs are both processed together to create the Resultant Set of Policy. Therefore, organizations can have a mixed configuration of both Active Directory GPOs and IMA-based GPOs.

As a best practice, the number of GPOs should be limited to prevent slow logon performance due to policy processing.

Policy Processing and Precedence

The GPOs and IMA-based policies that apply to a user or computer do not all have the same precedence. If there are no conflicting settings configured within the policies, the settings are merged into the Resultant Set of Policy for the computer or user. However, settings in policies that are applied later can override earlier applied settings. Policies are processed and applied in the following order:

1. Local GPOs

Each server has exactly one Group Policy object that is stored locally. Both Computer and User configuration settings are processed.

2. IMA-based policies

IMA-based policies configured in the Delivery Services Console are processed after local GPOs.

3. Site GPOs

GPOs that have been linked to the site that the user or computer belongs to are processed next. Processing is in the order that is specified by the administrator within the Linked Group Policy Objects tab for the site in Group Policy Management Console. The GPO with the lowest link order is processed last and, therefore, is highest in the order of precedence.

4. Domain GPOs

Multiple domain-linked GPOs are processed in the order specified by the administrator in the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last and, therefore, is highest in the order of precedence.

5. OU GPOs

GPOs linked to the OU highest in the Active Directory hierarchy are processed first followed by GPOs that are linked to its child OU and any OUs beneath that. Finally, the OU that contains the specific user or computer is processed last. Zero, one or many GPOs can be linked to each Organizational Unit level in the Active Directory hierarchy. If several GPOs are linked to an OU, they are processed in the order that is specified by the administrator in the Linked Group Policy Objects tab in the GPMC. The GPO with the lowest link order is processed last and, therefore, is highest in the order of precedence.

Settings in the Citrix ICA Listener Configuration (CTXICACFG.EXE) tool are treated as local GPOs and are overwritten by domain GPOs, if present. The Citrix ICA Listener Configuration tool contains server-specific settings such as network adapter settings, ICA connection limits and session limits. The tool is located in the C:\Program Files (x86)\Citrix\system32 folder on the XenApp server.

XenApp does not process RDP or ICA settings in the Remote Desktop Session Host Configuration tool.

Policy Changes Example

Contractors working for KellCorp are prohibited from mapping their local drives while working in published applications. This setting was accomplished by creating a Citrix policy and applying it to the worker group that contains the Contractors OU.

Three contractors are working on a special project which requires the use of their local drives and have received clearance for this exception. The administrator creates a new OU below the Contractors OU and applies a policy allowing access to local drives for those three contractors. The administrator sends the contractors an email to inform them of the status change.

The contractors immediately attempt to access their local drives from their published applications and report to the administrator that they still are unable to access the drives. The contractors follow the administrator's recommendation to log off of all of their sessions, log back on and try again; this time they are able to see their local drives when the policy takes effect.

Policy Precedence Exceptions

Exceptions to the default policy processing order settings may exist under the following conditions:

• A GPO link is enforced, or disabled, or both.

By default, a GPO link is neither enforced nor disabled.

• User, Computer or all settings are disabled in a GPO.

By default, neither User nor Computer settings are disabled in a GPO.

• Block Inheritance is set on an OU or domain.

By default, Block Inheritance is not set.

• A computer is a member of a workgroup and, therefore, processes only the local GPO.

• Loopback processing is enabled.

If loopback processing is enabled, it only affects Active Directory GPO processing. IMA-based policy settings will not be re-read and re-applied.

Shadowing and Encryption Settings

XenApp does not merge shadowing and encryption settings. Shadowing and encryption settings follow the same processing and precedence order as other GPO settings. For example, if an Active Directory GPO is configured to set the SecureICA minimum encryption level to 128-bit RC5, this setting cannot be overridden with an IMA-based or local server GPO.
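The default processing order from Policy Processing and Precedence, including the SecureICA case just described, can be modelled to see which policy object supplies each value in the Resultant Set of Policy. The following Python sketch is an added example, not Citrix or Microsoft code; the policy names, the "Client drive mapping" setting name and the setting values are constructed, and enforced links, Block Inheritance, loopback processing, filters and Citrix policy priorities are not modelled.

```python
from dataclasses import dataclass

# Default processing order from the text; later levels override earlier ones.
LEVELS = ["local", "ima", "site", "domain", "ou"]


@dataclass
class PolicyObject:
    name: str
    level: str            # one of LEVELS
    settings: dict
    link_order: int = 1   # GPMC link order within one site, domain or OU
    ou_depth: int = 0     # 0 = highest OU; larger = closer to the user/computer


def processing_sequence(objects):
    """Return the objects in the order in which they are processed."""
    def key(obj):
        # Within one container the LOWEST link order is processed LAST.
        return (LEVELS.index(obj.level), obj.ou_depth, -obj.link_order)
    return sorted(objects, key=key)


def resultant_set(objects):
    """Merge settings: {setting: (value, winning object, [(loser, value), ...])}."""
    result = {}
    for obj in processing_sequence(objects):
        for setting, value in obj.settings.items():
            overridden = []
            if setting in result:
                old_value, old_name, old_overridden = result[setting]
                overridden = old_overridden + [(old_name, old_value)]
            result[setting] = (value, obj.name, overridden)
    return result


def weakened_settings(objects, strength):
    """List settings whose winning value is weaker than a value it overrode.

    strength maps setting -> {value: rank}; a higher rank is more restrictive.
    """
    findings = []
    for setting, (value, winner, overridden) in resultant_set(objects).items():
        ranks = strength.get(setting)
        if not ranks:
            continue
        for loser, old_value in overridden:
            if ranks[old_value] > ranks[value]:
                findings.append((setting, winner, value, loser, old_value))
    return findings


# Constructed sample data (setting values are illustrative labels).
SECUREICA = "SecureICA minimum encryption level"
DRIVES = "Client drive mapping"
STRENGTH = {
    SECUREICA: {"Basic": 0, "128-bit RC5": 1},
    DRIVES: {"Allowed": 0, "Prohibited": 1},
}
BASE = [
    PolicyObject("Local GPO", "local", {SECUREICA: "Basic"}),
    PolicyObject("IMA farm policy", "ima", {SECUREICA: "Basic", DRIVES: "Allowed"}),
    PolicyObject("Domain legacy", "domain", {SECUREICA: "Basic"}, link_order=2),
    PolicyObject("Domain baseline", "domain", {SECUREICA: "128-bit RC5"}, link_order=1),
    PolicyObject("Contractors OU policy", "ou", {DRIVES: "Prohibited"}, ou_depth=0),
]
CONTRACTOR = BASE
PROJECT_USER = BASE + [
    PolicyObject("Project exception policy", "ou", {DRIVES: "Allowed"}, ou_depth=1),
]

if __name__ == "__main__":
    for setting, (value, winner, _) in resultant_set(PROJECT_USER).items():
        print(f"{setting}: {value} (from {winner})")
    for finding in weakened_settings(PROJECT_USER, STRENGTH):
        print("weakened:", finding)
```

The `weakened_settings` report surfaces every place where a later policy relaxes an earlier one, such as the approved drive-mapping exception in the KellCorp example, so that each relaxation can be matched to a change record.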


Policy Priorities

When configuring Citrix policies, both GPOs and IMA-based, administrators can assign priority levels for those policies. In the event that policies contain conflicting settings, the setting within the policy with the highest priority is processed. However, this priority level only controls the setting that is processed during policy processing.


Policy Rules

When creating Citrix policies in a GPO or the Delivery Services Console, the policies are designated as either Computer or User policies. These policies contain rules for configuring the desired farm, server and user session settings.

Computer policies contain rules for XenApp server settings and are organized into the following categories:

• ICA

• Licensing

• Server Settings

• Virtual IP

• XML Service

User policies contain rules for all XenApp user session settings. Administrators can use these settings to enable or disable features within user sessions. User policies are organized into the following categories:

• ICA

– Audio


– Bandwidth

– Desktop UI

– File Redirection

– Graphics

– Multimedia

– Ports

– Printing

– Security

– Session Limits

– Shadowing

– Time Zone Control

– TWAIN devices

– USB devices

• Server Session Settings

COMPUTER POLICIES


ICA

• ICA listener connection timeout: Specifies the maximum wait time for a connection to be completed. By default, the maximum wait time is 120,000 milliseconds or two minutes.

• ICA listener port number: Specifies the TCP/IP port number used by the ICA protocol on the server. By default, the port number is 1494.

ICA\Auto Client Reconnect

• Auto client reconnect: Allows or prevents automatic reconnection by the same client after a connection has been interrupted

• Auto client reconnect authentication: Specifies whether authentication is required for automatic client reconnections

• Auto Client Reconnect > Auto client reconnect logging: Records or prevents recording auto client reconnections in the event log. By default, logging is disabled.

ICA\End User Monitoring

• ICA round trip calculation: Enables or disables the calculation of ICA round trip measurements. By default, ICA round trip calculations are allowed.


• ICA round trip calculation interval (Seconds): Specifies the frequency, in seconds, at which ICA round trip calculations are performed

• ICA round trip calculations for idle connections: Determines whether ICA round trip calculations are performed for idle connections. By default, calculations are not performed for idle connections.

ICA\Graphics

• Display memory limit: Specifies the maximum video buffer size in kilobytes for the session. By default, the display memory limit is 32,768 kilobytes.

• Display mode degrade preference: Degrades either color depth or resolution first when the session display memory limit is reached

• Image caching: Specifies whether to cache images to make scrolling smoother

• Maximum allowed color depth: Specifies the maximum color depth allowed for a session. By default, the maximum allowed color depth is 32 bits for each pixel.

• Notify user when display mode is degraded: Specifies whether to display a popup with an explanation to the user when the color depth or resolution is degraded

• Queueing and tossing: Discards queued images that are replaced by another image

279Module 9: Configuring Policies© Copyright 2010 Citrix Systems, Inc.

Page 280: 104876396 XenApp 6 0 Student Manual

ICA\Keep Alive

ICA keep alive timeout: Specifies the number of seconds between successive ICA keep-alive messages. By default, the interval between keep-alive messages is 60 seconds.

ICA keep alives: Sends or prevents sending ICA keep-alive messages periodically. By default, keep-alive messages are not sent.

ICA\Multimedia

HDX MediaStream Multimedia Acceleration: Controls and optimizes the way XenApp servers deliver streaming audio and video to users. By default, this setting is allowed.

HDX MediaStream Multimedia Acceleration default buffer size: Specifies a buffer size from 1 to 10 seconds for HDX MediaStream Multimedia Acceleration.

HDX MediaStream Multimedia Acceleration default buffer size use: Uses the specified buffer size for HDX MediaStream Multimedia Acceleration. By default, the buffer size specified is not used.

Multimedia conferencing: Allows or prevents support for video conferencing applications. By default, video conferencing support is enabled.

ICA\Security

Prompt for password: Requires the user to enter a password for all server connections regardless of access scenario. By default, users are prompted for passwords only for specific types of connections.

ICA\Server Limits

Server idle timer interval: Determines, in milliseconds, how long an uninterrupted user session will be maintained if there is no input from the user. By default, idle connections are not disconnected.

ICA\Session Reliability

Session reliability connections: Allows or prevents session reliability connections.

Session reliability port number: Identifies the TCP port number for incoming session reliability connections. By default, the session reliability TCP port number is 2598.

Session reliability timeout: The length of time in seconds the session reliability proxy waits for a client to reconnect before allowing the session to be disconnected. The default length of time is 180 seconds or three minutes.

ICA\Shadowing

Shadowing: Allows shadowing of ICA sessions. Configure the Users\ICA\Shadowing\Users who can shadow others policy to specify which users can shadow.

Licensing

License server host name: Specifies the name of the server hosting XenApp licenses.

License server port: Specifies the port number of the server hosting XenApp licenses. By default, the license server port number is 27,000.

Server Settings

Connection access control: Specifies whether users can start sessions when connecting through Citrix Access Gateway.

DNS address resolution: Enables or disables the server to return fully qualified domain names to clients using the Citrix XML Service.

Full icon caching: Enables or disables the caching of larger, high resolution published application icons on servers.

XenApp product edition: Specifies the XenApp product edition.

Server Settings\Connection Limits

Limit user sessions: Specifies the maximum number of concurrent connections a user can establish, from none to 8192.

Limits on administrator sessions: Enables or disables connection limit enforcement for Citrix administrators.

Logging of logon limit events: Enables or disables the logging of events to the server event log about connection attempts that were denied because they exceeded logon limits.

Server Settings\Health Monitoring and Recovery

Health monitoring: Allows or prevents running Health Monitoring and Recovery tests on the servers. By default, Health Monitoring and Recovery tests are allowed to run.

Health monitoring tests: Specifies which Health Monitoring tests to run. Test configurations can be edited within this policy.

Maximum percent of offline servers: Specifies the maximum percentage of servers that Health Monitoring and Recovery can exclude from load balancing.

Server Settings\Memory/CPU

CPU management server level: Specifies the level of CPU utilization management on the server.

Memory optimization: Enables or disables memory optimization to improve the ability to manage DLL allocation in both real and overall virtual memory by creating shared DLLs for applications that are open in multiple sessions.

Memory optimization application exclusion list: Specifies the applications that memory optimization should ignore.

Memory optimization interval: Specifies the interval for running memory optimization when memory optimization is enabled.

Memory optimization schedule: day of month: Specifies the day of the month that memory optimization runs, within the range of 1 - 31, when memory optimization is enabled.

Memory optimization schedule: day of week: Specifies the day of the week that memory optimization runs when memory optimization is enabled.

Memory optimization schedule: time: Specifies the time of day that memory optimization runs when memory optimization is enabled and an interval of "Daily," "Weekly" or "Monthly" is specified.

Server Settings\Offline Applications

Offline app client trust: Enables or disables the ability of offline application clients to recreate sessions when reconnecting without authenticating again.

Offline app event logging: Enables or disables logging of offline application events to the event log of the server.

Offline app license period: Specifies the number of days applications can work offline before users must renew the license. By default, the license period is 21 days, but can range from 2 to 365 days.

Offline app users: Specifies the users who have offline access permission.

Server Settings\Reboot Behavior

Reboot custom warning: Enables or disables sending a custom warning message, in addition to the standard restart message, to users before a scheduled server restart.

Reboot custom warning text: Specifies the text in the custom warning message sent to users before a scheduled server restart.

Reboot logon disable time: Specifies the number of minutes before a scheduled server restart that logons to the server are disabled.

Reboot schedule frequency: Specifies the frequency, in days, at which scheduled server restarts occur.

Reboot schedule start date: Specifies the date on which scheduled server restarts begin.

Reboot schedule time: Specifies the time of day at which scheduled server restarts occur.

Reboot warning interval: Specifies how often standard and custom warning messages are sent to users before a scheduled restart.

Reboot warning start time: Specifies the number of minutes before a scheduled server restart to send standard or custom warnings to users.

Reboot warning to users: Enables or disables sending a standard warning message to users before a scheduled server restart.

Scheduled reboots: Enables or disables scheduled server restarts.

Virtual IP

Virtual IP adapter address filtering: Filters the list of addresses returned by the API GetAdaptersAddresses() to only include the session virtual IP address and the loopback address.

Virtual IP compatibility programs list: Adds support to Windows OS Virtual IP so that calls to the gethostbyname() API within a session return the assigned virtual IP address for the session.

Virtual IP enhanced compatibility: Adds support to Windows OS Virtual IP so that calls to the gethostbyname() API within a session return the assigned Virtual IP address for the session.

Virtual IP filter adapter addresses programs list: Specifies the programs for the Virtual IP adapter address filtering rule.

Virtual IP loopback support: Allows each session to have its own virtual loopback address for communication.

Virtual IP loopback programs list: Specifies the programs for the Virtual IP loopback support rule.

XML Service

Trust XML requests: Specifies whether the Citrix XML Service should trust requests it receives.

XML service port: Specifies the port number to use for the Citrix XML Service. By default, the port is disabled. Citrix recommends using port 8080.

USER POLICIES

ICA

Client clipboard redirection: Allows or prevents the clipboard on the client device to be mapped to the clipboard on the server. By default, clipboard redirection is allowed.

Desktop launches: Allows or prevents non-administrative users to connect to a desktop session on the server. By default, non-administrative users cannot connect to desktop sessions.

Launching of non-published programs during client connection: Specifies whether to launch initial applications or published applications on the server. By default, only published applications are allowed to launch.

OEM Channels: Allows or prevents custom (OEM) devices attached to ports on the client device to be mapped to ports on the server. By default, this setting is allowed.

ICA\Audio

Audio quality: Specifies the sound quality as low, medium or high.

Client audio redirection: Allows or prevents applications hosted on the server to play sounds through a sound device installed on the client device and allows or prevents users to record audio input. The amount of bandwidth consumption when playing or recording audio can be configured within this policy.

Client microphone redirection: Enables or disables client microphone redirection.

ICA\Bandwidth

Audio redirection bandwidth limit: Specifies the maximum allowed bandwidth in kilobits per second (kbps) for playing or recording audio in a client session.

Audio redirection bandwidth limit percent: Specifies the maximum allowed bandwidth limit for playing or recording audio as a percent of the total session bandwidth.

Clipboard redirection bandwidth limit: Specifies the maximum allowed bandwidth in kbps for data transfer between a session and the local clipboard.

Clipboard redirection bandwidth limit percent: Specifies the maximum allowed bandwidth limit for data transfer between a session and the local clipboard as a percent of the total session bandwidth.

COM port redirection bandwidth limit: Specifies the maximum allowed bandwidth in kbps for accessing a COM port in a client connection.

COM port redirection bandwidth limit percent: Specifies the maximum allowed bandwidth for accessing COM ports in a client connection as a percent of the total session bandwidth.

File redirection bandwidth limit: Specifies the maximum allowed bandwidth in kbps for accessing a client drive in a client connection.

File redirection bandwidth limit percent: Specifies the maximum allowed bandwidth limit for accessing client drives as a percent of the total session bandwidth.

LPT port redirection bandwidth limit: Specifies the maximum allowed bandwidth in kbps for print jobs using an LPT port in a single client session.

LPT port redirection bandwidth limit percent: Specifies the bandwidth limit for print jobs using an LPT port in a single client session as a percent of the total session bandwidth.

OEM channels bandwidth limit: Specifies the maximum allowed bandwidth in kbps for custom (OEM) virtual print channels.

OEM channels bandwidth limit percent: Specifies the bandwidth limit for custom (OEM) virtual print channels as a percent of the total session bandwidth.

Overall session bandwidth limit: Specifies the total amount of bandwidth available for client sessions.

Printer redirection bandwidth limit: Specifies the maximum allowed bandwidth in kbps for accessing client printers in a client session.

Printer redirection bandwidth limit percent: Specifies the maximum allowed bandwidth for accessing client printers as a percent of the total session bandwidth.

TWAIN device redirection bandwidth limit: Specifies the maximum allowed bandwidth in kbps for controlling TWAIN imaging devices from published applications.

TWAIN device redirection bandwidth limit percent: Specifies the maximum allowed bandwidth for controlling TWAIN imaging devices from published applications as a percent of the total session bandwidth.

Bandwidth Limit Percent Example

Bandwidth limit percent rules limit ICA session bandwidth based on percentage of the overall session bandwidth specified in the Overall session bandwidth limit rule.

PART 1:

An administrator configures the Overall session bandwidth limit rule to limit bandwidth to 500 kbps and sets the Printer redirection bandwidth limit rule to limit printing to 260 kbps. If the total bandwidth for the session drops to 260 kbps, all of the session bandwidth will be consumed by the documents being printed in the session.

PART 2:

To prevent this from happening, the administrator configures the Printer redirection bandwidth limit percent rule. In this rule, the administrator limits the amount of session bandwidth that can be consumed by printing to 25% of the total session bandwidth. Now if the total bandwidth for the session drops to 260 kbps, only 65 kilobits will be consumed by the documents printed in the session.

ICA\Desktop UI

Desktop wallpaper: Enables or disables the desktop wallpaper in user sessions. By default, desktop wallpaper is allowed.

Menu animation: Allows or prevents menu animation. By default, menu animation is allowed.

View window contents while dragging: Controls the display of window content when dragging a window across the screen. When allowed, the entire window appears to move when dragged. When prohibited, only the window outline appears to move until dragging stops and the window is dropped.

ICA\File Redirection

Auto connect client drives: Allows or prevents automatic connection of client drives when users log on. By default, automatic connection is allowed.

Client drive redirection: Enables or disables file/drive redirection to and from the client device. When enabled, users can save files to all their client drives. When disabled, all file redirection is prevented, regardless of the state of the individual file redirection settings. By default, file redirection is enabled.

Client fixed drives: Allows or prevents users from accessing or saving files to fixed drives on the client device. By default, accessing client fixed drives is allowed.

Client floppy drives: Allows or prevents users from accessing or saving files to floppy drives on the client device. By default, accessing client floppy drives is allowed.

Client network drives: Allows or prevents users from accessing and saving files to client network/remote drives. By default, accessing client network drives is allowed.

Client optical drives: Allows or prevents users from accessing or saving files to CD-ROM, DVD-ROM and BD-ROM drives on the client device. By default, accessing client optical drives is allowed.

Client removable drives: Allows or prevents users from accessing or saving files to removable drives on the client device. By default, accessing client removable drives is allowed.

Host to client redirection: Enables or disables file type associations for URLs and some media content to be opened on the client device. By default, file type association is allowed.

Preserve client drive letters: Enables or disables preservation of client drive letters. When enabled, and client drive mapping is enabled, client drives are mapped to the same drive letter in the session, where possible. By default, client drive letters are not preserved.

Special folder redirection: Allows or prevents Citrix online plug-in and Web Interface users to see their local special folders, such as Documents and Desktop, from a session. By default, special folder redirection is allowed.

Use asynchronous writes: Enables or disables asynchronous disk writes. By default, asynchronous writes are disabled.

ICA\Graphics\Image Compression

Lossy compression level: Specifies the degree of lossy compression used on images. By default, medium compression is selected.

Lossy compression threshold value: Specifies the maximum bandwidth in kbps for a connection to which lossy compression is applied. By default, the threshold value is unlimited.

Progressive compression level: Provides a less detailed but faster initial display than lossy compression.

Progressive compression threshold value: Specifies the maximum bandwidth in kbps for a connection to which progressive compression is applied. By default, the threshold value is unlimited.

Progressive heavyweight compression: Reduces bandwidth without losing image quality by using a more advanced and CPU-intensive graphic algorithm. By default, progressive heavyweight compression is not used.

ICA\Multimedia\HDX MediaStream for Flash (client side)

Flash acceleration: Enables or disables Flash content rendering on client devices instead of the server. By default, client-side Flash content rendering is allowed.

Flash event logging: Allows or prevents Flash events to be recorded in the Windows application event log. By default, logging is allowed.

Flash latency threshold: Specifies a threshold between 0-5000 to determine where Adobe Flash content is rendered. By default, the threshold is 30.

Flash server-side content fetching whitelist: Lists web sites whose Flash content is allowed to render on the client device. Flash content on unlisted web sites is rendered on the server.

Flash URL blacklist: Lists web sites whose Flash content is rendered on the server. Flash content on unlisted web sites is rendered on the client device. This setting is in effect when Flash acceleration is enabled.

ICA\Multimedia\HDX MediaStream for Flash (server side)

Flash quality adjustment: Adjusts the quality of Flash content rendered on session hosts to improve performance. By default, this setting is allowed.

ICA\Ports

Auto connect client COM ports: Connects COM ports from the client device automatically. By default, COM ports are not automatically connected.

Auto connect client LPT ports: Connects LPT ports from the client device automatically. By default, LPT ports are not automatically connected.

Client COM port redirection: Redirects COM ports to and from the client device. By default, COM port redirection is enabled.

Client LPT port redirection: Redirects LPT ports to the client device. By default, LPT port redirection is enabled.

ICA\Printing

Client printer redirection: Allows or prevents client printers to be mapped to a server when a user logs on to a session. By default, client printer mapping is allowed.

Default printer: Specifies how the client's default printer is established in an ICA session. By default, the client's current printer is used as the default printer for the session.

Printer auto-creation event log preference: Specifies which events are logged during the printer auto-creation process. By default, errors and warnings are logged.

Session printers: Lists the network printers to be auto-created in an ICA session.

Wait for printers to be created (desktop): Allows or prevents a delay in connecting to a session so that desktop printers can be auto-created. This setting does not apply to published applications or published desktops. By default, a connection delay does not occur.

ICA\Printing\Client Printers

Auto-create client printers: Specifies which client printers are auto-created. By default, all client printers are auto-created.

Client printer names: Selects the naming convention for auto-created client printers. By default, standard printer names are used.

Direct connections to print servers: Enables or disables direct connections from the host to a print server for client printers hosted on an accessible network share. By default, direct connections are enabled.

Printer properties retention: Specifies whether and where to store printer properties. By default, the system determines whether printer properties are stored on the client device, if available, or in the user profile.

Retained and restored client printers: Enables or disables the retention and re-creation of client printers. By default, client printers are auto-retained and auto-restored.

ICA\Printing\Drivers

Automatic installation of in-box printer drivers: Enables or disables the installation of Windows native drivers as needed. By default, native drivers are installed when users log on.

Printer driver mapping and compatibility: Lists driver substitution rules for auto-created printers.

ICA\Printing\Universal Printing

Auto-create generic universal printer: Enables or disables auto-creation of the Citrix Universal Printer generic printing object. By default, generic universal printers are not auto-created.

Universal driver priority: Specifies the order in which XenApp attempts to use universal printer drivers.

Universal printing: Specifies when to use universal printing.

Universal printing preview preference: Specifies whether to use the print preview function for auto-created or generic universal printers. By default, print preview is not used for auto-created or generic universal printers.

ICA\Security

SecureICA minimum encryption level: Specifies the minimum level at which to encrypt session data sent between the server and a client device. By default, the server uses Basic encryption for client-server traffic.

ICA\Session Limits

Concurrent logon limit: Specifies the maximum number of connections a user can make to the farm at any given time. By default, there is no limit on concurrent connections.

Additional ICA\Session Limits rules are available but apply to XenDesktop sessions only:

• Disconnected session timer

• Disconnected session timer interval

• Session connection timer

• Session connection timer interval

• Session idle timer

• Session idle timer interval

ICA\Shadowing

Input from shadow connections: Allows or prevents shadowing users to take control of the keyboard and mouse of the user being shadowed.

Log shadow attempts: Allows or prevents recording of attempted shadowing sessions in the Windows event log.

Notify user of pending shadow connections: Allows or prevents shadowed users to receive notification of shadowing requests from other users. By default, users are notified when they are being shadowed.

Users who can shadow others: Specifies the users who can shadow other users.

Users who cannot shadow other users: Specifies the users who cannot receive shadowing requests from other users.

ICA\Time Zone Control

Local Time Estimation: Enables or disables estimating the local time zone of client devices that send inaccurate time zone information to the server. By default, the server estimates the local time zone when necessary.

Use local time of client: Determines the time zone setting of the user session. By default, the time zone of the server is used for the session.

ICA\TWAIN Devices

Client TWAIN device redirection: Specifies whether users can access TWAIN devices, such as digital cameras or scanners, on the client device from published image processing applications. By default, TWAIN device redirection is allowed.

TWAIN compression level: Specifies the level of compression of image transfers from client to server. By default, no compression is applied.

ICA\USB Devices

Client USB device redirection: Enables or disables redirection of USB devices to and from the client.

Client USB device redirection rules: Lists redirection rules for USB devices.

Client USB Plug and Play device redirection: Specifies whether plug-and-play devices, such as cameras or point-of-sale (POS) devices, can be used in a client session. By default, plug-and-play device redirection is allowed.

Server Session Settings

Session importance: Specifies the importance level at which a session is run.

Single Sign-On: Enables or disables the use of Single sign-on when users connect to servers or published applications.

Single Sign-On central store: Specifies the UNC path of the Single sign-on central store to which users are allowed to connect.

Policy Filtering

During policy creation, administrators must determine whether unfiltered or filtered policies will be created.

Unfiltered: Unfiltered policy rules apply to all computers or users within the scope of the policy. For Citrix policies configured with GPMC, the scope is all computers or users that belong to the OU to which the GPO is linked. For IMA-based GPOs configured in the Delivery Services Console, the scope is all computers and users within the farm. By default, an Unfiltered policy exists in both the User and Computer nodes. The Unfiltered policy cannot be renamed or removed and another Unfiltered policy cannot be created. By default, there are no rules configured in the Unfiltered policy; an administrator must add and configure rules for the Unfiltered policy.

Unfiltered policies should be used only when granular policy control is unnecessary. For example, an Unfiltered policy can be used to assign a Citrix License Server to an entire farm. Other use cases include security or encryption settings that should be applied to all servers and users in the farm or OU.

Filtered: Filtered policies allow administrators to define conditions under which the Citrix policies are applied to users and computers within the scope of the policy. For example, administrators can use a filter to disable client drive mapping for certain devices in the Finance department or enable printer auto-creation for users connecting from a certain IP address range. Citrix policies configured within the Computer node can be filtered based on Worker Groups. Citrix policies configured within the User node can be filtered based on the following criteria:

• Worker Groups

• User and user groups

• Client device name

• Client IP address range


• Access control (incoming connections from Access Gateway)

To filter policies based on OUs, the OU first must be added to a Worker Group and the Worker Group must be added to the filter. The policy effectively is filtered based on the Worker Group, but because the OU is now inside the Worker Group, the filter will be applied to the OU.

There is no limit to the number of filters that can be applied to a single policy. Instead of creating and linking several separate GPOs, administrators can create a single GPO and use filters to define a variety of conditions for applying the policy rules within that GPO. Filtered and unfiltered user policies remain in effect for the length of the session only. If any changes are made to the policy rules or filters while impacted users have active sessions, those users will not be affected until the next time they initiate a new session.

Policy Modeling and Troubleshooting

Administrators can use the Citrix Group Policy Modeling wizard to simulate a user connection in order to test the policy settings ultimately applied to a user session after processing. With the Citrix Group Policy Modeling wizard, administrators can specify conditions for a connection scenario such as domain controller, users, Citrix policy filters, and simulated environment settings such as slow network connection. The wizard connects to the domain controller, reads settings from the SYSVOL and produces a report that lists the Citrix policies that likely would take effect in the scenario.

Policy modeling also can be performed using Microsoft Group Policy Modeling. However, this tool will not reflect Citrix policy filters and, instead, assumes that all settings within a policy will be applied. Therefore, using the Citrix Group Policy Modeling wizard is recommended.

To launch the wizard from the Group Policy Management Console, right-click the Citrix Group Policy Modeling node and select Citrix Group Policy Modeling wizard. To launch the wizard from the Delivery Services Console, right-click the Citrix Policies node and select Run the modeling wizard.

When running the wizard while logged on to the server as a domain user in an Active Directory domain, the wizard calculates the Resultant Set of Policy by including settings from Active Directory GPOs. When running the wizard from the Delivery Services Console, the modeling calculation includes the IMA-based GPO residing on the server. However, when running the wizard from the Delivery Services Console while logged on to the server as a local user, the wizard calculates the Resultant Set of Policy model using only the farm GPO.

Group Policy Results

The Group Policy Results tool helps to evaluate the current state of GPOs in the environment and generates a report that describes how these objects, including Citrix policies, are currently being applied to a particular user and server. The Group Policy Results tool connects to the XenApp server and reads the applied Computer and User policy settings within the registry. As a result, the tool can be useful for troubleshooting policy settings that were already applied to the user session.

Group Policy Results requires the user to have logged on to the server at least once.

Review

1. Citrix policies can be created using which three management tools? (Choose three.)

a. Delivery Services Console

b. Terminal Services Manager

c. Advanced Configuration Console

d. Advanced Group Policy Manager

e. Group Policy Management Console

2. When an existing Citrix user policy is changed, how long does the previous policy remain in effect?

a. For the length of the session

b. Until the user profile is changed

c. Until the user disables the policy

d. Until the user is moved to another group

3. Which filter is not valid for use with policies in XenApp?

a. Servers

b. Worker groups

c. Client device name

d. User and user groups

4. Which two events do not trigger a policy update evaluation? (Choose two.)

a. A user logs on

b. The server is rebooted

c. An OU trust is created

d. A policy update is forced

e. A print server is imported

f. The policy refresh interval is reached

5. Select the correct order in which policies are processed and applied.

a. Domain GPOs, Local GPOs, IMA-based policies, OU GPOs, Site GPOs

b. IMA-based policies, OU GPOs, Local GPOs, Site GPOs, Domain GPOs

c. Local GPOs, IMA-based policies, Site GPOs, Domain GPOs, OU GPOs

d. OU GPOs, Local GPOs, IMA-based policies, Site GPOs, Domain GPOs

e. Site GPOs, Domain GPOs, Local GPOs, OU GPOs, IMA-based policies

Module 10

Configuring Load Management

Overview

XenApp administrators configure load management in a farm to facilitate quick and efficient delivery of applications and resources to users.

At the end of this module, given an environment containing XenApp, you will be able to:

• Describe the load balancing process.

• Identify load calculation rules.

• Create and assign custom load evaluators.

• Assign CPU resource preference to servers and users.

• Configure session connection failover using load balancing policies.

Load Manager

Load Manager is used to balance the load created by connections to the server farm. By default, the load is measured and balanced by the number of user sessions on each server.

Load Manager offers the following benefits to enterprises:

• Maximizes system efficiency by balancing published application sessions across the farm based on load limits set in load evaluators

• Provides pre-defined load evaluators that can be used as a basis for creating customized load evaluators

• Provides a set of rules administrators can use to tailor custom load evaluators to the server environment to improve server performance, as well as the performance of published resources

It is a best practice to examine and evaluate the XenApp servers in a farm before customizing load management.

Load Balancing

Load Manager balances server load across the farm by:

• Using load evaluator rules to calculate server load

• Identifying which server is least-loaded, based on the rules in the load evaluator

• Directing client connections to the least loaded server

Load Manager calculates server load using load evaluators attached to servers or published applications. When any rule in a load evaluator reports a full load or exceeds its set threshold, the load-managed server is temporarily dropped from the internal list of available servers.

The next connection request for a published application is routed to the server in the internal list with the lowest load value.

When the load on a server falls below the set threshold, the server is automatically re-added to the internal list of available servers. Servers are continuously added to and removed from the internal list of available servers as server loads and user activities fluctuate.

Session sharing always takes precedence over load balancing. That is, if users launch an application that is published on the same server as an application they are already using but the server is at capacity, XenApp still opens the second application on the server. Load management does not transfer the user's request to another server where the second application is published.

Load Balancing Process

Load Manager maximizes system efficiency by balancing hosted and streamed application sessions across the farm. The following table describes the load balancing process.

1. Each server calculates its load periodically based on evaluation criteria in the load evaluators assigned to the server and published applications.

2. Each server sends values for all possible load evaluation criteria to the data collector in the zone.

3. The data collector gathers the information and maintains a numeric index for each load-balanced server in the zone.

4. A connection request for a published application is sent to the data collector.

5. The data collector uses the load information received from all of the servers to identify the least-loaded server hosting the published application in the zone.

If a load balancing policy is enabled and filtered for a worker group, the user will be forwarded to the least-loaded server in that policy.

6. The server IP or FQDN of the least-loaded server is forwarded to the plug-in.

7. The plug-in connects to the identified server using the supplied IP or FQDN.

If all servers hosting the published application are at a full load, as specified by the load evaluator rules, the session request is denied.

The routing of connections to servers through load management occurs at the session request time. If the load on a server changes after a connection is established, the connection is not redistributed to accommodate the new server load.

Load Calculation

Load evaluators consist of rules that determine how load is calculated. These rules can be used to query specific conditions and performance metrics for servers and published applications.

Each rule has a unique set of parameters that allows an administrator to specify appropriate thresholds.

Load evaluators can consist of one or more rules. When several rules exist in a load evaluator, the rules work together to determine the overall load.

Load Throttling

Load throttling artificially inflates the load value of a server during initial user connection, thereby limiting an influx of new connections to a single server. Each time a new session connects there is a natural, temporary resource surge on the server. By artificially inflating a server load value while the connections initiate, load throttling decreases the likelihood of slow user connections or server hangs. This is especially important when a large number of users log on simultaneously. The true server load is reported to the data collector after a user session fully initiates.

There are five load throttling settings:

• Extreme

• High (Default)

• Medium High

• Medium

• Medium Low

The Extreme setting maximizes server performance, allowing one new connection at a time; all other connection requests are denied. An additional connection request is accepted after the first connection fully initiates. The High setting, which is the default, greatly increases the load when a few people log in simultaneously. The other load throttling settings allow more users to log on at the same time.

Load Calculations

The rules associated with a load evaluator are sampled during data collector updates, during session logons and logoffs and at 30-second intervals. The last ten samples are calculated into a running average for each rule and the update is sent to the data collector every five minutes, by default.

The load values returned by the rules determine when a full load is reached. The Load Manager does not allow new connections to the server when a load evaluator reports a full load. When the load is less than the maximum, the rules in the load evaluator determine the load of the server. The server that is least-loaded receives the next connection. The load value assigned to a server depends on the rules and parameters within the load evaluator. In instances where a load evaluator contains more than one rule, Load Manager calculates the load for each rule, then applies a complex algorithm that gives the most weight to the rule with the highest load value.

All servers must have an assigned load evaluator. If one or more of the applications published on the server also has a load evaluator assigned to it, the load evaluator that produces the highest load value sets the load value for that server.

If a change of +/-500 occurs to the server load, the server sends the change to the data collector immediately.

Load evaluators can be classified in the following categories:

• Moving average

• Moving average compared to high threshold

• Incremental

• Boolean

For more information about calculating load with Load Manager, see Citrix Knowledge Base articles CTX103653 and CTX105449 on the www.citrix.com web site.

Moving Average Rules

Load Manager calculates moving average rules based on percentage values.

If the result of a moving average rule:

• Is less than or equal to the low threshold, then Load Manager reports no load

• Is at or above the high threshold, then Load Manager reports a full load

• Is between the low and high threshold, then Load Manager determines the load as a percent multiplied by the full load value

The rules that use the moving average method to calculate load include:

CPU Utilization

Defines the range of processor (CPU) utilization for a selected server

The default full load value is 90 percent. The default no load value is 10 percent.

Keep in mind that CPU utilization spikes at user logon.

Memory Usage

Defines the range of memory usage for a server

The default full load value is 90 percent. The default no load value is 10 percent.

If either the CPU Utilization or Memory Usage counter is at 100%, the server reports a full load. The CPU Utilization and Memory Usage rules are used by the Advanced load evaluator.

Moving Average Compared to High Threshold Rules

Load Manager calculates moving average compared to high threshold rules based on the moving average as a percentage of the highest threshold value specified by an administrator.

If the result of a moving average load compared to high threshold rule:

• Is below the low threshold, then Load Manager reports no load

• Is at or above the high threshold, then Load Manager reports a full load

• Is between the low and high thresholds, then Load Manager reports a load determined by dividing the rule value by the high threshold

The default threshold values are not suitable in all XenApp environments and should be set to values appropriate for the specific environment.

The rules that use the moving average compared to high threshold method to calculate load include:

Context Switches

Defines the range of context switches per second (the number of times the operating system switches from one process to another) for a selected server

Disk Data I/O

Defines the range of data throughput (total disk I/O in kbps) for a selected server

The default full load value is 32,767 kilobytes per second. The default no load value is 0 kilobytes per second.

Disk Operations

Defines the range of disk operation (read and write cycles per second) for a selected server

The default full load value is 100 operations per second. The default no load value is 0.

Load Throttling

Defines the impact that logons have on the server load

This rule limits the number of concurrent connection attempts a server is expected to handle and cannot be applied to an individual published application.

The Load Throttling rule solves the issue of incorrect load values provided by servers. This issue occurs when:

• New connections are coming in faster than the servers can send their current load values to the data collector.

• Servers are restarted and have not sent their load values to the data collector yet.

The Load Throttling rule should be used in conjunction with another rule, as it only affects the initial logon period.

If the Load Throttling rule is included in a load evaluator, it is ignored when that load evaluator is attached to a published application.

The Load Throttling rule is used by both the Default and Advanced load evaluators.

Page Fault

Defines the range of page faults (attempts to access data that has been moved from physical memory to disk) per second for a selected server

The default full load value is 2000. The default no load value is 0.

Page Swap

Defines the range of page swaps (transfers of data between physical memory and the page file) per second for a selected server

The default full load value is 100. The default no load value is 0. The Page Swap rule is used by the Advanced load evaluator.

The threshold values for these rules must be adjusted by an administrator to reflect the actual server capacity.

Incremental Rules

Load Manager calculates incremental rules based on the full load value that is specified by an administrator. The actual load value is calculated by dividing the current load by the rule value and multiplying that result by the number of concurrent connections.

The rules that use the incremental method to calculate load include:

Application User Load

This rule limits the number of users allowed to connect to a selected published application. This rule monitors the number of active and disconnected sessions using the published application. The default full load value is 100.

This rule does not apply to streamed to client applications.

Server User Load

This rule limits the number of sessions allowed to connect to a selected server. The default full load value is 100 and represents the maximum number of active and disconnected sessions that the server can support. The Server User Load rule is used by the Default load evaluator.
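The moving average, moving average compared to high threshold, and incremental calculations described above can be modeled as follows. This is an added example, not Citrix code: the numeric full-load value of 10000, the linear scaling between the two thresholds, and the use of the highest rule load in place of the undisclosed weighting algorithm are assumptions.

```python
# Added example: simplified model of the Load Manager rule categories.
from collections import deque

FULL_LOAD = 10000      # assumption: numeric value that represents a full load
SAMPLE_WINDOW = 10     # the last ten samples form the running average
IMMEDIATE_DELTA = 500  # a change of +/-500 is sent to the data collector at once


class RunningAverage:
    """Running average over the most recent samples of one rule."""

    def __init__(self, window=SAMPLE_WINDOW):
        self.samples = deque(maxlen=window)  # older samples fall out

    def add(self, value):
        self.samples.append(value)
        return self.value()

    def value(self):
        return sum(self.samples) / len(self.samples) if self.samples else 0.0


def moving_average_load(average, no_load, full_load):
    """CPU Utilization / Memory Usage style rule (percentage values)."""
    if average <= no_load:
        return 0
    if average >= full_load:
        return FULL_LOAD
    # Assumption: the "percent" is the position between the two thresholds.
    return round((average - no_load) / (full_load - no_load) * FULL_LOAD)


def high_threshold_load(average, no_load, full_load):
    """Page Swap / Disk Operations style rule: value divided by high threshold."""
    if average < no_load:
        return 0
    if average >= full_load:
        return FULL_LOAD
    return round(average / full_load * FULL_LOAD)


def incremental_load(sessions, full_load_sessions):
    """Server User Load / Application User Load style rule."""
    if sessions >= full_load_sessions:
        return FULL_LOAD
    # Full load divided by the rule value, multiplied by the connection count.
    return round(FULL_LOAD / full_load_sessions * sessions)


def evaluator_load(rule_loads):
    """Combine the rule loads of one load evaluator.

    Any rule at full load makes the evaluator report a full load. Below that,
    the highest rule load is used as a stand-in (assumption) for the real
    algorithm, which weights the highest rule most heavily.
    """
    if not rule_loads:
        raise ValueError("a load evaluator needs at least one rule")
    return min(FULL_LOAD, max(rule_loads))


def server_load(server_evaluator_load, application_evaluator_loads=()):
    """The evaluator that produces the highest value sets the server load."""
    return max([server_evaluator_load, *application_evaluator_loads])


def must_report_now(last_reported, current):
    """True when the change is large enough to skip the regular update."""
    return abs(current - last_reported) >= IMMEDIATE_DELTA
```

With a Server User Load threshold of 115 instead of the default 100, a server running 100 sessions reports a load below full and stays in the list of available servers.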

Boolean Rules

Load Manager calculates Boolean rules based on true or false conditions.

The rules that use the Boolean method to calculate load include:

IP Range

Defines the range of allowed or denied client IP addresses for a published application or server

This rule controls access to a published application based on the IP addresses of the client devices.

Scheduling

Schedules the availability of selected published applications or servers

This rule can remove one or more published applications from the list of applications maintained by Load Manager, so server maintenance can be performed.

Boolean rules must be used in conjunction with at least one other rule because they do not return actual load values for a server.

Load Evaluator Configuration

By default, XenApp provides the following pre-configured load evaluators.

Default Load Evaluator

The Default load evaluator is attached to each server automatically after XenApp is licensed. The Default load evaluator is based on the Load Throttling and Server User Load rules and functions best when the server hardware in the environment is identical and can adequately support as many as 100 sessions without fully consuming server resources.

Advanced Load Evaluator

The Advanced load evaluator is based on the CPU Utilization, Load Throttling, Memory Usage and Page Swap rules.

The Advanced load evaluator or a custom load evaluator should be considered for use in environments:

• When server resources become over-utilized before the maximum number of user sessions specified in the Default load evaluator on the server is reached

• When published applications are CPU- or memory-intensive

• When the server is not able to support 100 sessions because of either resource-intensive applications or hardware limitations

• When the server can support more than 100 sessions

The Advanced load evaluator and other load evaluators that include more than one rule calculate their load values by first determining the individual load for each rule within the load evaluator. Load Manager then uses an algorithm to determine the true load value of the server. This algorithm includes all applicable load values and gives the most weight to the load rule with the highest load value.

The Default and Advanced load evaluators cannot be modified or deleted; however, an administrator can create custom load evaluators that use the same rules or different rules entirely.

Creating Custom Load Evaluators

A custom load evaluator is any load evaluator with the exception of the Default or Advanced load evaluator. A custom load evaluator is necessary if the Default or Advanced load evaluators are not adequate as a result of the server hardware or application configuration in the environment.

An administrator can create a custom load evaluator containing one or more rules by creating a new load evaluator or by copying an existing load evaluator and modifying it.

To create a new load evaluator, click Load Evaluators in the Delivery Services Console and click New > Add load evaluator.

Creating Custom Load Evaluators Example

The Default load evaluator is attached to a server. The server consistently reports a full load when 100 sessions are running on the server even though the server could easily handle 15 additional sessions. The administrator wants the Load Manager to direct 15 additional sessions to the server, so a custom load evaluator is created that sets the full load threshold to 115.

Creating load evaluators based on a few rules can provide better results than creating complex load evaluators with many rules. However, it is only possible to attach one load evaluator to a server. As a best practice, test new load evaluators prior to implementing them in a production environment.

Thresholds for Load Management

When an administrator creates a custom load evaluator, the full load threshold value for the rule can be set. In general, the full load threshold value should be set below the value determined as the maximum server load.

To determine the maximum server load, an administrator must first determine the baseline and peak values for key metrics on the server.

EdgeSight and Microsoft Performance Monitor are good tools for capturing baseline performance data for use in determining the maximum load a server can handle. Basing a custom load evaluator on qualified threshold data ensures a more accurate utilization of server resources.

Example

The AppA and AppB applications are published on the servers in the farm. After evaluating the application workload and performance metrics, the servers are expected to accommodate 62 sessions.

The administrator creates a custom load evaluator that uses the Server User Load rule configured with a full load threshold of 60 user sessions. The custom load evaluator ensures that a server is available for additional connections to the AppA and AppB applications as long as fewer than 60 user sessions are running on the server.

Assigning Load Evaluators to Servers and Applications

Assigning load evaluators to servers is a solution that meets most load management needs, especially in environments where different hardware configurations exist. Assigning load evaluators to applications can help balance the load when an application has extensive resource requirements. For example, a load evaluator can be assigned to an application that is memory intensive so that users will be directed only to servers that have the necessary amount of memory available for use by the application.

Only one load evaluator can be assigned to each server and each published application.

An administrator should be aware of the following considerations for assigning load evaluators to applications:

• If the Load Throttling rule is included in a load evaluator, it is ignored when that load evaluator is attached to a published application.

• A published application that is installed on a single server does not need to be load managed.

• Published applications that require significant resources from servers should use load evaluators configured to report full loads at a lower threshold than the actual limits of the server.

• Load evaluators can be assigned to published applications that are streamed to servers but cannot be assigned to published applications that are streamed to client devices.

Applying load evaluators to applications can increase the load on the data collector, consume resources and slow performance. In addition, applying load evaluators to applications can add complexity to the load management process and might not accurately reflect the server load; therefore, applying load evaluators to applications is not a best practice for most environments.

To assign a load evaluator to a server, right-click the server in the Delivery Services Console and click Other Tasks > Assign load evaluator.

To assign a load evaluator to an application, right-click the application in the Delivery Services Console and click Other Tasks > Attach application to load evaluator.

Practice: Load Evaluators

Match the load evaluators listed below with the appropriate scenarios in the following table. Each load evaluator will be used at least once.

• Default

• Advanced

• Custom

Issue | Load Evaluator

All servers in the server farm host the same applications and can support 100 user sessions. | ____

The administrator wants to remove one or more published applications from the list of applications for a period of time. | ____

All servers in the server farm have different server hardware but host the same published applications. | ____

Some servers contain published applications that require significant server resources. | ____

Load Balancing Policies

Load balancing policies enable XenApp administrators to optimize access to published resources by ensuring users connect to the most appropriate servers. The decision behind which server is most appropriate is often based on business needs or technical limitations, such as:

• Directing users to a backup server in the event of an outage

This is the most common use for load balancing policies and is commonly referred to as configuring for failover.

• Directing a specific group of users to a group of dedicated servers

Users may be grouped based on their role, such as contractors or remote employees.

Servers may be dedicated based on application groupings, administrative requirements or hardware.

• Reducing WAN traffic and improving user experience by directing users to the closest regional server

In addition, load balancing policies can force applications to be streamed.

Creating Load Balancing Policies

Load balancing policies are configured in the Delivery Services Console and applied by specifying filters and worker groups.

Filters

Filters specify to whom or to what the policy will apply. A load balancing policy will remain in an inactive state until a filter is configured. The filter types are:

• Access Control (connections made through Access Gateway)

• Client IP Address

• Client Name

• User

Worker Groups

When a worker group filter is applied to a load balancing policy, connections are made based on worker group preference. The worker group with a priority designation of 1 is ranked highest.

When a user opens a published application, the load balancing policy directs the connection to servers in the highest priority worker groups first. Connections are redirected to servers in lower priority worker groups if servers in the higher priority worker groups are offline or have reached maximum capacity. Connections are not directed to servers in worker groups that are not included in the worker group preference list. In addition, if a user attempts to open an application that is not installed on any servers in any of the listed worker groups, regardless of priority, the attempt fails and an error is logged to the Application event log on the data collector.

When creating more than one load balancing policy, consider any overlaps and prioritize appropriately.

To create a load balancing policy, right-click the Load Balancing Policies node in the Delivery Services Console and click Create load balancing policy.
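The server selection made by the data collector (steps 5 to 7 of the load balancing process) and the worker group preference failover described above can be modeled together. This is an added example, not Citrix code: the server names, worker group names, the full-load value of 10000 and the exception names are constructed for illustration.

```python
# Added example: data collector server selection with worker group preference.
FULL_LOAD = 10000  # assumption: numeric value that represents a full load


class ConnectionDenied(Exception):
    """Every eligible server is offline or reports a full load."""


class ApplicationNotInWorkerGroups(Exception):
    """The application is not installed in any listed worker group."""


# Constructed sample farm; AppA and AppB are the application names used above.
FARM = [
    {"name": "XA-NY-01", "worker_groups": ["NewYork"], "apps": {"AppA", "AppB"},
     "load": 10000, "online": True},   # at full load
    {"name": "XA-NY-02", "worker_groups": ["NewYork"], "apps": {"AppA"},
     "load": 4200, "online": False},   # offline
    {"name": "XA-LN-01", "worker_groups": ["London"], "apps": {"AppA", "AppB"},
     "load": 6100, "online": True},
    {"name": "XA-LN-02", "worker_groups": ["London"], "apps": {"AppA"},
     "load": 3500, "online": True},
    {"name": "XA-DR-01", "worker_groups": ["Backup"], "apps": {"AppA", "AppC"},
     "load": 100, "online": True},
]


def _available(server, app):
    """A server can take the session if it is online, hosts the app, not full."""
    return server["online"] and app in server["apps"] and server["load"] < FULL_LOAD


def pick_server(app, servers, worker_group_preference=None):
    """Return the name of the server that receives the next connection.

    worker_group_preference is a list of (priority, worker_group) pairs taken
    from a load balancing policy; priority 1 is ranked highest. Without a
    policy, the least-loaded available server in the whole farm is chosen.
    """
    if worker_group_preference is None:
        groups = [None]  # no policy: consider every server
    else:
        groups = [g for _, g in sorted(worker_group_preference, key=lambda p: p[0])]
        listed = [s for s in servers if set(s["worker_groups"]) & set(groups)]
        if not any(app in s["apps"] for s in listed):
            # The attempt fails; the data collector logs an error.
            raise ApplicationNotInWorkerGroups(app)

    for group in groups:
        candidates = [
            s for s in servers
            if (group is None or group in s["worker_groups"]) and _available(s, app)
        ]
        if candidates:
            # Highest-priority group with capacity wins; pick its lowest load.
            return min(candidates, key=lambda s: s["load"])["name"]

    # Servers outside the preference list are never used as a fallback.
    raise ConnectionDenied(app)
```

In the sample farm, XA-DR-01 has the lowest load, but a policy listing only NewYork and London never selects it, which is the behavior to check for when a failover group is left out of the preference list.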

Force Application Streaming

The Streamed App Delivery rules within the load balancing policies can override the method for delivering published applications; therefore, it is important to understand the available options and the consequences of selecting them.

When publishing a streamed application, an administrator can choose one of the following published application types:

• Streamed to client

• Accessed from a server: streamed to server

• Streamed if possible; otherwise accessed from a server: installed application

• Streamed if possible; otherwise accessed from a server: streamed to server

The load balancing policy Streamed App Delivery settings include:

• Allow applications to stream to the client or run on a Terminal Server (default)

• Force applications to stream to the client

Clients that do not support streaming or do not match the profiled operating system will not be able to open the application.

• Do not allow applications to stream to the client

If this option is selected and server access is not allowed for an application, such as when it is configured to stream to the client only, the application connection will fail.

If no Streamed Application Delivery policy is configured, then the application delivery method specified in the published application is used.

Preferential Load Balancing

Preferential Load Balancing gives administrators the ability to prioritize the allocation of CPU shares to specific users and applications and to direct important user sessions to the XenApp server running the fewest number of important sessions. Preferential Load Balancing is available in the Platinum Edition of XenApp only.

Administrators can use Preferential Load Balancing to assign one of the following importance levels to specific user sessions and applications:

• Low, which has a value of 1

• Normal, which has a value of 2 (default)

• High, which has a value of 3

Administrators apply importance levels to specific user sessions based on the user's job function, position within the company or other meaningful criteria such as which application is running. Preferential Load Balancing calculates an importance index based on the resource allotment for each session.

The resource allotment is calculated by multiplying the importance levels of both the session and the published application that is running in the session. This determines how many CPU shares that session will receive in comparison with other sessions on the same XenApp server.

The optimal end result is an environment in which important sessions are prioritized, running on servers with few other important sessions, thereby maximizing the user experience.

Resource Allotment and Session Sharing

During session sharing, the resource allotment is calculated based on the maximum application importance level setting, specified in the application properties of all the published applications running in the session, multiplied by the session importance policy setting specified in the Citrix Policies node of the Group Policy Management Console (GPMC).

When an application is launched in an existing session, the importance level of the new application is compared with the maximum of all current application importance levels. If the importance level of the new application is greater, the resource allotment is recalculated and the CPU entitlement for the session is adjusted upwards. Similarly, when an application is closed, if the maximum importance level of the remaining applications is lower, the resource allotment is recalculated and the CPU entitlement for the session is adjusted downward.

Preferential Load Balancing Example

A hospital has several applications installed in its environment and many different types of users accessing these applications. Recently, doctors who access an important published application for patient data have complained about poor performance. Occasionally, nurses also need to access the patient data application, but only for review.

Based on this information, an administrator configures Preferential Load Balancing and assigns the specified doctors a High importance level, which has a value of 3 and assigns the nurses a Normal importance level, which has a value of 2. The administrator also assigns the patient data application a High importance level, which has a value of 3.

When a doctor connects to the XenApp server hosting the patient data application, the resource allotment for the doctor is calculated by multiplying the importance value of the session (3) with the application value (3), returning a value of 9.

A nurse then connects to the same patient data to access the application. The resource allotment for the nurse is calculated at 6. If the doctor and the nurse are the only two sessions on the XenApp server, then the total number of CPU shares available is 15. Because the doctor has a resource allotment value of 9, the doctor receives 60% of the CPU shares. The nurse receives the remaining 40%.
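The hospital example and the session sharing recalculation can be traced with a small model. This is an added example, not Citrix code: the class, the function and the application names PatientData and Mail are hypothetical.

```python
# Added example: resource allotment and CPU shares under session sharing.
IMPORTANCE = {"Low": 1, "Normal": 2, "High": 3}


class Session:
    """One user session on a XenApp server."""

    def __init__(self, user, importance="Normal"):
        self.user = user
        self.importance = IMPORTANCE[importance]  # session importance policy
        self.apps = {}                            # app name -> importance value

    def launch(self, app, importance="Normal"):
        """Open a published application in this session (session sharing)."""
        self.apps[app] = IMPORTANCE[importance]
        return self.resource_allotment()

    def close(self, app):
        """Close an application; the allotment may be adjusted downward."""
        self.apps.pop(app, None)
        return self.resource_allotment()

    def resource_allotment(self):
        """Session importance multiplied by the highest application importance."""
        if not self.apps:
            return 0  # nothing running, nothing to entitle
        return self.importance * max(self.apps.values())


def cpu_share_percent(sessions):
    """Percentage of CPU shares each session receives on one server."""
    total = sum(s.resource_allotment() for s in sessions)
    if total == 0:
        return {s.user: 0.0 for s in sessions}
    return {s.user: round(100 * s.resource_allotment() / total, 1) for s in sessions}


def hospital_example():
    """Replay the doctor and nurse scenario, then a session sharing change."""
    doctor = Session("doctor", "High")
    nurse = Session("nurse", "Normal")
    doctor.launch("PatientData", "High")   # 3 x 3 = 9
    nurse.launch("PatientData", "High")    # 2 x 3 = 6
    before = cpu_share_percent([doctor, nurse])

    # The doctor opens a Low importance app in the same session: the maximum
    # application importance is still High, so the allotment stays at 9.
    doctor.launch("Mail", "Low")
    shared = cpu_share_percent([doctor, nurse])

    # Closing the High importance app lowers the doctor's maximum to Low,
    # so the allotment drops to 3 x 1 = 3 and the shares are recalculated.
    doctor.close("PatientData")
    after = cpu_share_percent([doctor, nurse])
    return before, shared, after
```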

Preferential Load Balancing Considerations

Administrators should be aware of the following considerations when using Preferential Load Balancing:

• Session initialization and responsiveness are improved.

• CPU priority of important sessions is dynamically adjusted.

• Preferential Load Balancing can be used with both ICA and RDP connections to XenApp.

• Load calculations are completed for both connected and disconnected sessions.

Troubleshooting Load Management Issues

An administrator can use the solutions in the following table to address common load balancing issues.

Issue: Load management is not working correctly.
Resolution: Verify that the load evaluators are configured correctly for the environment.

Issue: Load evaluator is showing full capacity, but server should still be able to accept additional connections.
Resolution: Review load evaluator rules and settings. Re-establish baseline, if necessary.

Review

1. An administrator can attach load evaluators to which two components in a server farm? (Choose two.)

a. Users

b. Servers

c. Groups

d. Published applications

2. The Default load evaluator is based on which rules?

a. Page Faults, Load Throttling

b. Context Switch, Load Throttling

c. Disk Operations, Load Throttling

d. Server User Load, Load Throttling

3. The Advanced load evaluator is based on which rules?

a. CPU Utilization, Load Throttling, Memory Usage and Page Swap

b. Load Throttling, Memory Usage, Page Swap and Server User Load

c. CPU Utilization, Load Throttling, Page Swap and Server User Load

d. CPU Utilization, Load Throttling, Memory Usage and Server User Load

4. A server to which the Advanced load evaluator is assigned is dropped from the internal list of available servers when which event occurs?

a. When all the rules in the Advanced load evaluator meet their set thresholds

b. When one of the rules in the Advanced load evaluator meets its set threshold

c. When all the rules in the Advanced load evaluator exceed their set thresholds

d. When one of the rules in the Advanced load evaluator exceeds its set threshold

5. An administrator can create a custom load evaluator using which two methods? (Choose two.)

a. By using the Load Manager Monitor

b. By duplicating an existing load evaluator

c. By using the New > Add Load Evaluator menu option

d. By altering the rules in either the Default or Advanced load evaluator

6. An administrator can adjust load evaluator properties ____________. (Fill in the blank with the correct answer.)

a. At any time

b. At the time of creation only

c. For the Advanced load evaluator only

d. Only when the load evaluator is not being used

Module 11

Optimizing the User Experience

Overview

XenApp includes display and HDX features that help to improve user sessions by optimizing the responsiveness of certain types of published applications and improving connection speed and responsiveness.

By the end of this module, given an environment containing XenApp, you will be able to:

• Describe the different session optimization display settings.

• Describe the different XenApp HDX settings.

• Identify the Profile management components.

• Install and configure Profile management.

Optimizing Session Performance

Network latency and bandwidth can impact the actual and perceived performance of a session; minimizing the impact of these factors can contribute to a better user experience. XenApp allows an administrator to improve the user experience by configuring the following policies in the Group Policy Management Console or the Delivery Services Console:

• Display settings

• HDX Broadcast Session Reliability

• HDX RealTime

• HDX Plug-n-Play

• HDX MediaStream Multimedia Acceleration

• HDX MediaStream for Flash

• SpeedScreen Latency Reduction

• HDX 3D Image Acceleration

• HDX 3D Progressive Display

• Profile management

Enabling Display Settings

An administrator can configure the display settings to optimize the transmission and display of graphics on the client device.

The following display policy rules are found in the Computer Configuration node of a policy:

Display memory limit: Specifies the maximum video buffer size (in kilobytes) for a XenApp session. By default, the display memory limit is configured to 32,768 kilobytes.

Display mode degrade preference: Specifies whether color depth or resolution degrades first when the session display memory limit is reached. If color depth is configured to degrade first, images are displayed with fewer colors. If resolution is configured to degrade first, the size (in pixels) of the XenApp session is reduced.

Image caching: Retrieves sections of images from the client cache allowing pages to scroll more smoothly.

Maximum allowed color depth: Specifies the maximum color depth allowed for a XenApp session. By default, the maximum allowed color depth is 32 bits for each pixel.

Notify user when display mode is degraded: Displays a message on the client device when the session is degraded as a result of the session display memory limit being exceeded or the client device being unable to support the requested parameters.

Queueing and tossing: Discards redundant queued images that are replaced by other images. Configuring this setting can cause animations to become choppy due to dropped frames.

HDX Broadcast Session Reliability

Citrix online plug-in users may encounter times when their client devices lose network connectivity. By default, HDX Broadcast Session Reliability is configured to keep users' sessions displayed on their screens even though their connection to the session has been interrupted.

HDX Broadcast Session Reliability allows a user to continue to view, but not interact with, a published resource on the screen of the client device when the connection to the server is temporarily interrupted. When connectivity is resumed, the keystrokes and mouse clicks that were queued are sent to the server and the results are displayed on the client device. HDX Broadcast Session Reliability reconnects the user without a loss of data or the need to re-authenticate.

If the seconds to keep the session active setting is exceeded during the interruption, the session is disconnected or reset on the server.

Enabling HDX Broadcast Session Reliability

HDX Broadcast Session Reliability is enabled by default and can be configured in the Computer Configuration node of a policy.

HDX Broadcast Session Reliability policy rules include:

Session reliability connections: Allows or prevents active sessions while network connectivity is interrupted.

Session reliability port number: Specifies the TCP port number for incoming session reliability connections. The default port number is 2598.

Session reliability timeout: Specifies the length of time, in seconds, the session reliability proxy waits for a client to reconnect before allowing the session to be disconnected. The default timeout is 180 seconds.

Understanding HDX Broadcast Session Reliability Considerations

Administrators should consider the following points when configuring HDX Broadcast Session Reliability:

• Because HDX Broadcast Session Reliability does not require re-authentication, the amount of time to keep the session active while waiting for connectivity to resume should be kept to a minimum. This decreases the likelihood that the session will be accessible to unauthorized users should the user walk away from the client device.

• HDX Broadcast Session Reliability tunnels the ICA traffic through the Common Gateway Protocol (CGP) on port 2598. If port 1494 has been optimized for ICA traffic, these optimizations will not apply when HDX Broadcast Session Reliability is in use until they are applied to port 2598.
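
The two considerations above can be checked mechanically against a settings snapshot and a list of network rules. The following is an added example, not part of the course material or any Citrix tool: the dictionary keys, the Rule format and the 60-second ceiling are assumptions for illustration, and only the values 1494, 2598 and 180 seconds come from the text.

```python
from dataclasses import dataclass

ICA_PORT = 1494            # ICA port named in the text
CGP_DEFAULT_PORT = 2598    # default session reliability (CGP) port
DEFAULT_TIMEOUT_S = 180    # default session reliability timeout, in seconds


@dataclass(frozen=True)
class Rule:
    """Hypothetical QoS or firewall rule: a label plus a TCP port spec
    such as "1494", "1494,2598" or "2500-2600"."""
    name: str
    ports: str


def parse_ports(spec):
    """Expand a comma-separated port spec with optional ranges into a set."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        low, _, high = part.partition("-")
        start, end = int(low), int(high or low)
        if not 0 < start <= end <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(start, end + 1))
    return ports


def audit_session_reliability(policy, rules, max_timeout_s=60):
    """Return (kind, message) findings for the two considerations.

    policy: dict with hypothetical keys 'enabled', 'port', 'timeout_s';
            missing keys fall back to the defaults given in the text.
    max_timeout_s: site-chosen ceiling (an assumption, not a Citrix value).
    """
    findings = []
    if not policy.get("enabled", True):    # feature is enabled by default
        return findings                    # ICA stays on 1494; nothing to check
    port = policy.get("port", CGP_DEFAULT_PORT)
    timeout = policy.get("timeout_s", DEFAULT_TIMEOUT_S)

    # Reconnection needs no re-authentication, so the timeout is the window
    # in which an unattended client device still holds a live session.
    if timeout > max_timeout_s:
        findings.append((
            "timeout",
            f"session stays reconnectable for {timeout}s without "
            f"re-authentication (ceiling {max_timeout_s}s)",
        ))

    # ICA is tunnelled through CGP, so a rule written for 1494 alone no
    # longer applies to the session traffic.
    for rule in rules:
        covered = parse_ports(rule.ports)
        if ICA_PORT in covered and port not in covered:
            findings.append((
                "port",
                f"rule {rule.name!r} covers {ICA_PORT} but not CGP port {port}",
            ))
    return findings


# Constructed sample data for illustration.
SAMPLE_POLICY = {"enabled": True}          # all defaults: port 2598, 180 s
SAMPLE_RULES = [
    Rule("qos-ica-priority", "1494"),
    Rule("fw-allow-citrix", "1494,2598"),
    Rule("fw-allow-range", "1000-3000"),
]

if __name__ == "__main__":
    for kind, message in audit_session_reliability(SAMPLE_POLICY, SAMPLE_RULES):
        print(f"[{kind}] {message}")
```

With the default policy, the audit reports the 180-second window and the one rule that names 1494 without 2598.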

HDX RealTime

HDX RealTime enhances real-time communications in a XenApp session by leveraging technologies at the client device and in the datacenter. HDX RealTime features include:

• Webcam support for Windows client devices

• Microsoft Office Communicator support for audio and video conferencing

• Softphone and voice chat support

HDX RealTime is only available for Windows client devices.

Enabling HDX RealTime

The HDX RealTime feature is enabled by default and can be configured in the Computer Configuration node of a policy.

HDX RealTime policy rules include:

HDX MediaStream Multimedia Acceleration: Controls and optimizes the way XenApp servers deliver streaming audio and video to users. Enabling this setting increases the quality of audio and video rendered from the server to a level that compares with audio and video played locally on a client device.

Multimedia conferencing: Allows or prevents support for video conferencing applications. To use multimedia conferencing, verify that the HDX MediaStream Multimedia Acceleration policy rule is enabled.

Understanding HDX RealTime Design Considerations

Administrators must understand the following HDX RealTime design considerations:

• Only one multimedia conferencing device is supported in a XenApp session.

• The Office Communications Server (OCS) renders the incoming compressed video, which increases the CPU cycles on the XenApp server.

• Branch Repeater cannot be used to compress audio and video traffic.

HDX RealTime is recommended only for users in a LAN environment.

• ICA Pass-through connections are not supported. For example, users cannot connect to a multimedia-rich application through a virtual desktop and utilize HDX RealTime.

• The Client audio redirection policy rule must be enabled to allow for audio input through a microphone.

HDX Plug-n-Play

HDX Plug-n-Play allows users in a XenApp session to interact with portable USB devices that are connected to their client device. Users can connect or disconnect a portable USB device to a XenApp session at any time, regardless of whether the session was started before or after the USB device connection. USB devices that are supported include:

• 3D Mice

• Digital cameras

• Scanners

• Headsets

• Microphones

• Point-of-sale devices

• Webcams

HDX Plug-n-Play is only available for Windows client devices.

Enabling HDX Plug-n-Play

HDX Plug-n-Play for portable USB devices is enabled by default and can be configured in the Client USB Plug and Play device redirection policy. By configuring this policy, an administrator can specify whether USB devices, such as cameras or point-of-sale (POS) devices, can be used in a XenApp session.

Understanding HDX Plug-n-Play Design Considerations

Administrators must understand the following HDX Plug-n-Play design considerations:

• Many USB devices will not function properly in low-bandwidth or high-latency networks.

HDX Plug-n-Play is recommended only for users in a LAN environment.

• ICA Pass-through connections are not supported. For example, users cannot connect through a virtual desktop and utilize a USB device.

HDX MediaStream Multimedia Acceleration

HDX MediaStream Multimedia Acceleration optimizes multimedia playback on servers with published instances of Internet Explorer, Windows Media Player 10, RealOne Player, DirectShow-based media players and remote desktop connections to a server with these applications installed. When enabled, the XenApp server delivers multimedia to the client in a compressed form, which reduces bandwidth consumption. The client device then decompresses and renders the multimedia, which reduces the CPU utilization on the server.

XenApp supports all DirectShow and Windows Media Foundation formats, including .AVI, .MPEG, .MPG, .WMV/.WMA and .ASF/.ASX.

HDX MediaStream Multimedia Acceleration does not support media files protected with Digital Rights Management (DRM).

To play back a multimedia file, a codec compatible with the encoding format of the multimedia file must be present on the client device. If a client device is missing a codec for a particular multimedia file format, it can be downloaded from the web site of the file format vendor.

File formats are not the same as media types. File formats encapsulate various media types. For example, an .AVI file can contain DIVX video and AC3 digital audio media types and would require both codecs for proper playback.

HDX MediaStream Multimedia Acceleration Benefits

Benefits of HDX MediaStream Multimedia Acceleration include:

• Improved user experience because multimedia playback in a XenApp session plays as smoothly as a local playback

• Minimized server CPU utilization because the multimedia stream is sent directly to the client device in a compressed form, which allows the CPU on the client device to perform the decompression and rendering of multimedia content

• Decreased network bandwidth because the multimedia content sent over the network using the ICA protocol is in a compressed format

Enabling HDX MediaStream Multimedia Acceleration

The HDX MediaStream Multimedia Acceleration settings are enabled on all servers in the server farm by default, while audio on the client device is disabled by default. To run multimedia applications in a session, an administrator must enable audio on both the client device and the server. HDX MediaStream Multimedia Acceleration settings can be configured in the Computer Configuration node of a policy.

HDX MediaStream Multimedia Acceleration policy rules include:

HDX MediaStream Multimedia Acceleration: Controls and optimizes the way XenApp servers deliver streaming audio and video to users.

HDX MediaStream Multimedia Acceleration default buffer size: Allows the administrator to customize the buffer time based on the capabilities of the client device and the speed of the network. An administrator can accept the default buffer time of five seconds or customize the buffer time. Increasing the buffer time creates a smoother user experience but increases memory usage on both the client device and server. The default buffer time is sufficient in most cases. Values can be set to:

• 1 to 4 to reduce the memory used for multimedia playback on the server and the client device

• 6 to 10 to improve multimedia playback in networks with high latency

HDX MediaStream Multimedia Acceleration default buffer size use: Uses the buffer size specified in the HDX MediaStream Multimedia Acceleration default buffer size policy rule.

HDX MediaStream for Flash

HDX MediaStream for Flash optimizes the way in which servers render and pass Adobe Flash animations to client devices. HDX MediaStream for Flash forces the Flash Player to start in a low-quality mode instead of the default high-quality mode. The low-quality mode renders Flash animations, videos and applications at a lower quality level, thus reducing server and network load, resulting in greater scalability. In most cases, the lower quality is not noticed by users.

Enabling HDX MediaStream for Flash

HDX MediaStream for Flash is enabled by default and can be configured in the User Configuration node of a policy.

HDX MediaStream for Flash policy rules include:

Flash acceleration: Enables or disables Flash content rendering on client devices instead of the XenApp server.

Flash event logging: Allows or prevents the recording of Flash events in the Windows application event log.

Flash latency threshold: Specifies a threshold between 0-5000 milliseconds to determine where Flash content is rendered. During startup, HDX MediaStream for Flash measures the latency between the server and client device. If the latency is under the threshold, HDX MediaStream for Flash is used to render Flash content on the client device. If the latency is above the threshold, the XenApp server renders the Flash content. The default threshold is set to 30 milliseconds.

Flash server-side content fetching whitelist: Lists web sites from which Flash content is allowed to render on the client device. Flash content on unlisted web sites is rendered on the XenApp server. It is not necessary to add the http:// or https:// prefix to the listed URL strings, as they are ignored. Wildcards (*) are valid at the beginning and end of a URL string.

Flash URL blacklist: Lists web sites from which Flash content is rendered on the XenApp server. Flash content on unlisted web sites is rendered on the client device. It is not necessary to add the http:// or https:// prefix to the listed URL strings, as they are ignored. Wildcards (*) are valid at the beginning and end of a URL string.

Flash quality adjustment: Adjusts the quality of Flash content rendered on session hosts to improve performance. Setting options include:

• Do not optimize Adobe Flash animation options

• Optimize Adobe Flash animation options for all connections

• Optimize Adobe Flash animation options for low bandwidth connections only
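
The Flash latency threshold and Flash URL blacklist rules described above combine into one decision about where content is rendered. The following added example (not Citrix code and not part of the course material) models that decision so list entries can be tested before they are deployed; the function names, case-insensitive matching and the treatment of a latency exactly equal to the threshold are assumptions, and the whitelist rule is not modelled.

```python
CLIENT = "client"
SERVER = "server"


def strip_scheme(url):
    """Lower-case the string and drop a leading http:// or https://.

    The text says the prefix is ignored; case-insensitive matching is an
    assumption made for this sketch.
    """
    text = url.strip().lower()
    for scheme in ("http://", "https://"):
        if text.startswith(scheme):
            return text[len(scheme):]
    return text


def url_matches(entry, url):
    """Match one list entry against a URL.

    '*' is honoured only as the first and/or last character of the entry,
    as the text states; a '*' anywhere else is rejected.
    """
    pattern = strip_scheme(entry)
    if not pattern:
        raise ValueError("empty list entry")
    leading, trailing = pattern.startswith("*"), pattern.endswith("*")
    core = pattern.strip("*")
    if "*" in core:
        raise ValueError(f"wildcard inside entry: {entry!r}")
    target = strip_scheme(url)
    if leading and trailing:
        return core in target
    if leading:
        return target.endswith(core)
    if trailing:
        return target.startswith(core)
    return target == core


def render_location(url, latency_ms, blacklist, threshold_ms=30, acceleration=True):
    """Return (location, reason) for one piece of Flash content.

    threshold_ms defaults to the 30 ms given in the text. A latency equal
    to the threshold is treated as within it (assumption: the text only
    covers 'under' and 'above').
    """
    if not 0 <= threshold_ms <= 5000:
        raise ValueError("threshold must be between 0 and 5000 ms")
    if not acceleration:
        return SERVER, "Flash acceleration disabled"
    if latency_ms > threshold_ms:
        return SERVER, "latency above threshold"
    for entry in blacklist:
        if url_matches(entry, url):
            return SERVER, f"blacklist entry {entry!r}"
    return CLIENT, "latency within threshold, URL not blacklisted"


# Constructed sample blacklist using reserved example domains.
SAMPLE_BLACKLIST = [
    "www.example.com/*",
    "*.video.example.net*",
    "https://intranet.example.org/training/demo.swf",
]

if __name__ == "__main__":
    for url, latency in [
        ("http://www.example.com/ads/banner.swf", 10),
        ("https://cdn.video.example.net/clip.swf", 10),
        ("http://portal.example.org/app.swf", 10),
        ("http://portal.example.org/app.swf", 45),
    ]:
        print(url, latency, render_location(url, latency, SAMPLE_BLACKLIST))
```

Under this model, an entry with only a leading wildcard, such as *.example.com, does not match a URL that carries a path; a trailing wildcard is needed as well.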

SpeedScreen Latency Reduction

Users who connect to the server over a high-latency network connection can experience delays when clicking the mouse or pressing keys on the keyboard. The delay in response can cause a user to click items several times or press keys repeatedly while waiting for feedback. SpeedScreen Latency Reduction can be configured to improve users' perceived experience by emulating system processes on the client device.

Enabling SpeedScreen Latency Reduction

SpeedScreen Latency Reduction settings include:

Mouse Click Feedback: Changes the appearance of the mouse pointer from idle to busy after a user clicks a link. This change provides the user with feedback that the system is processing the request. By default, Mouse Click Feedback is enabled and can be configured at the server level using the SpeedScreen Latency Reduction Manager tool.

Local Text Echo: Allows the plug-in to use fonts on the client device to display text as the user types and the plug-in is awaiting the redrawn screen from the server. By default, Local Text Echo is disabled and can be configured at the server and application level using the SpeedScreen Latency Reduction Manager tool. Settings made at an application level override the server settings. Some applications that use non-standard Windows APIs for displaying text may not support Local Text Echo.

SpeedScreen Latency Reduction settings are configured using the SpeedScreen Latency Reduction Manager tool.

HDX 3D Image Acceleration

The size of the image affects the network traversal time of the file. Image files typically contain redundant information that is not necessary for the image redrawing process on the client device. HDX 3D Image Acceleration uses a lossy compression scheme to reduce the size of the image file by removing redundant data, which reduces the amount of bandwidth needed to transfer the file. This feature allows for quicker image transfer by reducing the quality of the image that appears on the client device.

The image quality loss from HDX 3D Image Acceleration is minimal in most cases; however, an administrator should use proper discretion when enabling this feature in an environment where image quality is crucial, such as with medical imaging.

Enabling HDX 3D Image Acceleration

HDX 3D Image Acceleration is configured at a medium lossy compression level by default and can be configured in the User Configuration node of a policy.

HDX 3D Image Acceleration policy rules include:

Lossy compression level: Reduces the size of the image file by removing redundant data, which reduces the amount of bandwidth needed to transfer the file. The following table identifies the lossy compression levels.

Lossy compression level    Image quality       Bandwidth requirements
High                       Low                 Lowest
Medium (Default)           Good                Lower
Low                        Best                Higher
None                       Same as original    Highest

Lossy compression threshold value: Enables HDX 3D Image Acceleration compression when the available bandwidth is below the specified threshold.

HDX 3D Progressive Display

HDX 3D Progressive Display is an extension of HDX 3D Image Acceleration and can be configured to improve user interactivity when displaying high-detail images. HDX 3D Progressive Display auto-detects the available bandwidth. If bandwidth is limited, the level of compression temporarily increases and the image quality when it is first transmitted over a limited bandwidth connection decreases to provide a fast (low quality) initial display. If the image is not immediately changed or overwritten by the application, it is then improved in the background to produce the normal quality image, as defined by the lossy compression level.

The quality of the final image is controlled by the configuration of HDX 3D Image Acceleration.

Enabling HDX 3D Progressive Display

HDX 3D Progressive Display is disabled by default and can be configured in the User Configuration node of a policy.

HDX 3D Progressive Display policy rules include:

Progressive compression level: Provides a less detailed, but faster initial display than lossy compression. The following table identifies the image quality that results from the selection of each Progressive compression level.

Progressive compression level    Image quality
Ultra High                       Ultra Low
Very High                        Very Low
High                             Low
Medium                           Medium
Low                              High
None (Default)                   No Progressive Display

For example, if an administrator sets the Progressive compression level to Very High, the resulting image quality will be Very Low.

For progressive compression to be effective, the Progressive compression level must be set higher than the Lossy compression level. If the Lossy compression level is set to "None," then the Progressive compression level field can be set to any compression level. These settings should be tested in the environment to ensure that the user is provided with satisfactory image quality.

For example, if the Lossy compression level is set to "Low," then the setting in the Progressive compression level field must be set to "Medium" or a value that provides greater compression.

Progressive compression threshold value: Enables HDX 3D Progressive Display compression when the available bandwidth is below the specified threshold.

Progressive heavyweight compression: Reduces bandwidth further without losing image quality by using a more advanced, but more CPU-intensive graphic algorithm.

Practice: Determining the Session Optimization Technology

Match the session optimization technology listed below with the issue that each would best resolve.

1. HDX RealTime

2. HDX Plug-n-Play

3. HDX 3D Image Acceleration

4. HDX MediaStream for Flash

5. SpeedScreen Latency Reduction

6. HDX MediaStream Multimedia Acceleration

Scenario: Graphic artists experience long load times when viewing images with published photo imaging software.
Session Optimization Technology: ____________

Scenario: Accounting users experience slow keyboard and mouse response when using all published applications.
Session Optimization Technology: ____________

Scenario: Users in Human Resources experience choppy playback when viewing training videos using published Windows Media Player.
Session Optimization Technology: ____________

Scenario: Executives request the ability to use Microsoft Office Communicator as a video conferencing tool.
Session Optimization Technology: ____________

Scenario: Graphic artists request the ability to use 3D mice within a published application.
Session Optimization Technology: ____________

Scenario: Marketing users experience choppy playback of all Flash media when using published Internet Explorer.
Session Optimization Technology: ____________

User Profiles

A user profile contains information about the Windows configuration or XenApp session for a specific user. This information can include, but is not limited to, the arrangement of the desktop, screen colors, screen savers, network connections, window size and position, printer connections and mouse settings. Each time a user logs on to a session, the user's profile loads and the environment is configured according to the information in the profile.

A user profile consists of the following elements:

• A registry hive

• A set of profile folders stored in the file system

Differentiating User Profile Types

Administrators must be familiar with the following user profile types to properly manage a corporate environment:

Local user profiles: When a user logs on to a client device for the first time, a local user profile is created and stored on the local hard disk of the client device. Changes made to the local user profile are specific to the user and to the client device on which the changes are made.

Roaming user profiles: A roaming user profile is a copy of a local user profile that is stored on a network share. A roaming user profile allows users to experience a consistent desktop experience from different client devices that are joined to a Windows Server domain. When a user logs onto a new client device, the roaming user profile downloads to the client device. When the user finishes the session and logs off of the client device, any changes made to the roaming user profile are synchronized with the copy of the profile on the network share.

Mandatory user profiles: A mandatory user profile is a read-only user profile that administrators can pre-configure for users. System administrators can specify how a user's environment will be configured at logon and configure the preference settings for the user. Any changes made by a user to desktop settings and files are discarded when the user logs off from the client device. Mandatory profiles can be created from local or roaming user profiles.

Temporary user profiles: A temporary user profile is issued whenever an error prevents the user's profile from loading properly. Temporary profiles are deleted at the end of each session, and any changes made by a user to desktop settings and files are discarded when the user logs off from the client device.

For more information about user profiles, see the User Profile Best Practices for XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.

Redirecting User Data

Folder redirection provides administrators the ability to modify the target location of folders found within the user profile. Folder redirection is transparent to users and gives them a consistent way of saving data, regardless of storage location. Configuring folder redirection reduces the size of the user profile and decreases user logon times by storing the user-created data in a network location and allows users access to their data, regardless of the client device.

Careful consideration should be given when redirecting the users' application data folder. Some applications continually read from and write to the application data folder, which can cause increased network utilization.

Managing User Profiles

Citrix Profile management allows administrators to select specific parts of a profile to be saved at logon and logoff. Profile management provides a method of saving personalized user profile settings while decreasing the size of user profiles.

Determining which profile settings to save involves understanding the applications in use and the user interactions with the applications within the XenApp sessions. By fully understanding a user's workflow, administrators can provide a productive environment for users while reducing excessive profile size for better performance.

For example, if Microsoft Office is used as an enterprise application within an organization, configuring Profile management to store user changes from the Microsoft Office suite of applications is necessary. Saving settings for other applications that are not part of the enterprise application set should be avoided.

Profile management is available with the Enterprise and Platinum Editions of XenApp.

Enabling Profile Management

An administrator can use the following procedure to enable Profile management in a production environment.

1. Download the Profile management package from www.citrix.com.

2. Install the Profile management software on all XenApp servers in the farm.

Administrators can install the Profile management software using a distribution tool, such as Citrix Merchandising Server, an imaging solution, streaming technology, manually or by performing an unattended installation.

3. Create a GPO for enabling or disabling Profile management and link it to the OU that contains all of the XenApp servers in the farm.

4. Apply the ADM file included in the Profile management package to the GPO.

5. Configure the ADM template or the INI files included in the Profile management package or using Group Policy. Settings include:

• Processed groups

• Process logons of local administrators

• Path to user store

Citrix recommends configuring the ADM template using Group Policy, if possible.

6. Enable the Profile management policy using the Group Policy Management Console.

For more information about Citrix Profile management, see the Profile management documentation on the http://support.citrix.com/proddocs/index.jsp web site.

Understanding the Profile Management Logon Process

The following steps describe how Profile management handles a user's profile:

1. A user starts a session on a XenApp server with Profile management enabled.

2. The Citrix Profile management service determines if the user is a member of the processed group defined in the Profile management ADM file. If the user is a member of the processed group, the Citrix Profile management service attempts to load the user's profile from the user store. If the user is not a part of the processed group, a Microsoft local or roaming profile is assigned to the user.

3. If the user is a member of the processed group, Profile management verifies that the user store contains the user's profile that is managed by Profile management. If the user's profile is not found in the user store, then Profile management migrates the user's local or roaming profile to the user store or creates a new profile from the template profile defined by the administrator.

4. A local profile that is managed by Profile management is copied or streamed from the user store to the XenApp server.

5. Profile management monitors the user's profile and logs any changes to the user's profile by comparing the profile to the Master File Table (MFT) cache file. The MFT cache file is located in the Profile management installation directory by default.

6. Upon user logoff, Profile management exports the changes made to the user's profile back to the user store.

• Administrators can configure the Profile management ADM file to delete locally cached profiles upon user logoff.

• For more information about the Profile management logon and logoff process, see the Profile management documentation on the http://support.citrix.com/proddocs/index.jsp web site.

Troubleshooting User Experience Issues

An administrator can use the solutions provided in the following table to address user experience issues.

Issue: Users are unable to utilize a USB device during a session.
Resolution: Verify that the USB device is supported for use with HDX Plug-n-Play.

Issue: Users are unable to utilize multimedia-rich applications during a session.
Resolution: Verify that the latest version of the codec for the multimedia-rich application is installed on the client device.

Issue: Users are unable to view Adobe Flash animations during a session.
Resolution:
• Verify that the latest version of Adobe Flash Player is installed on the client device.
• Verify that the latest version of the Citrix online plug-in is installed on the client device.

Issue: Users are not assigned the proper profile after logging on to the client device.
Resolution:
• Verify that the path to the profile store is configured correctly.
• Verify that the user is part of the processed group.
• Process the logons of local administrators, if necessary.
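The logon and logoff steps described earlier, together with the three profile checks in the table above, can be modeled in a short Python sketch. This is an added example, not Citrix code: all class and function names are hypothetical, dictionaries stand in for the user store share and for profile contents, and a snapshot taken at logon stands in for the MFT cache comparison. The order of the checks, the handling of local administrators when that setting is off, the fallback to a Microsoft profile when the store path is wrong, and preferring migration over the template are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Config:
    processed_groups: set            # "Processed groups" setting
    process_local_admins: bool       # "Process logons of local administrators"
    path_to_user_store: str          # "Path to user store"
    template_profile: dict = field(default_factory=dict)
    delete_local_cache_on_logoff: bool = False


@dataclass
class User:
    name: str
    groups: set
    is_local_admin: bool = False
    local_profile: Optional[dict] = None   # existing Microsoft local or roaming profile


@dataclass
class Session:
    user: str
    managed: bool      # True when Profile management handles the profile
    source: str        # where the session profile came from
    profile: dict      # working copy on the XenApp server
    baseline: dict     # snapshot at logon, used to find changes at logoff
    hints: list        # checks from the troubleshooting table, when unmanaged


def logon(cfg, user, shares):
    """Steps 2 to 4: decide which profile the user receives.

    shares maps a share path to {user name: profile dict} (constructed model).
    """
    def unmanaged(hint):
        prof = dict(user.local_profile or {})
        return Session(user.name, False, "microsoft-local-or-roaming",
                       prof, dict(prof), [hint])

    # Step 2: only members of a processed group are handled.
    if not (user.groups & cfg.processed_groups):
        return unmanaged("Verify that the user is part of the processed group.")
    # Assumption: local administrators are skipped unless the setting is on.
    if user.is_local_admin and not cfg.process_local_admins:
        return unmanaged("Process the logons of local administrators, if necessary.")
    # Assumption: an unreachable store path leaves the user on a Microsoft profile.
    store = shares.get(cfg.path_to_user_store)
    if store is None:
        return unmanaged("Verify that the path to the profile store is configured correctly.")

    # Step 3: use the stored profile, else migrate, else start from the template.
    if user.name in store:
        source = "user-store"
    elif user.local_profile is not None:
        store[user.name] = dict(user.local_profile)
        source = "migrated"
    else:
        store[user.name] = dict(cfg.template_profile)
        source = "template"

    # Step 4: copy the managed profile to the server.
    prof = dict(store[user.name])
    return Session(user.name, True, source, prof, dict(prof), [])


def logoff(cfg, session, shares):
    """Steps 5 and 6: export only what changed; return the changed settings."""
    if not session.managed:
        return {}
    changed = {k: v for k, v in session.profile.items()
               if k not in session.baseline or session.baseline[k] != v}
    removed = [k for k in session.baseline if k not in session.profile]
    stored = shares[cfg.path_to_user_store][session.user]
    stored.update(changed)
    for key in removed:
        stored.pop(key, None)
    if cfg.delete_local_cache_on_logoff:
        session.profile.clear()       # locally cached copy is discarded
    return changed


if __name__ == "__main__":
    share = r"\\fileserver\upm"       # constructed path
    shares = {share: {}}
    cfg = Config({"XenApp Users"}, False, share, {"Office.Ribbon": "default"})
    alice = User("alice", {"XenApp Users"}, local_profile={"Office.Ribbon": "custom"})
    first = logon(cfg, alice, shares)
    first.profile["Office.AutoSave"] = "on"
    print(first.source, logoff(cfg, first, shares))
    print(logon(cfg, alice, shares).source)
    print(logon(cfg, User("bob", {"Contractors"}), shares).hints)
```

The hints list returned for an unmanaged session names which of the three checks from the table explains why the user received a Microsoft profile instead of the managed one.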


Review

1. If a client device is connected to XenApp server over a slow connection and the user is experiencing delayed mouse clicks and keyboard response, which type of session optimization technology should be implemented to address this issue?

a. HDX RealTime

b. HDX MediaStream for Flash

c. SpeedScreen Latency Reduction

d. HDX MediaStream Multimedia Acceleration

2. An administrator should publish __________ and enable __________ for users who need to watch videos and require high quality.

a. Firefox, HDX 3D Image Acceleration

b. QuickTime, HDX MediaStream for Flash

c. Outlook, SpeedScreen Latency Reduction

d. RealOne Player, HDX MediaStream Multimedia Acceleration

3. Which three statements about HDX 3D Image Acceleration are correct? (Choose three.)

a. HDX 3D Image Acceleration works best with medical imaging.

b. HDX 3D Image Acceleration can be enabled using a Citrix policy.

c. HDX 3D Image Acceleration removes redundant data from an image file.

d. HDX 3D Progressive Display works in conjunction with HDX 3D Image Acceleration.

e. HDX 3D Image Acceleration provides a high image quality when the compression level is set to high compression.

4. Which statement about HDX MediaStream for Flash is true?

a. It auto-creates printers after the Flash Player launches.

b. It auto-creates printers before the Flash Player launches.

c. It forces the Flash Player to start in a high-quality mode instead of the default low-quality mode.

d. It forces the Flash Player to start in a low-quality mode instead of the default high-quality mode.

5. Which three statements are true concerning HDX Broadcast Session Reliability? (Choose three.)

a. HDX Broadcast Session Reliability reconnects the user without the loss of data.

b. HDX Broadcast Session Reliability resets the user connection upon session interruption.

c. HDX Broadcast Session Reliability reconnects the user without requiring re-authentication.

d. HDX Broadcast Session Reliability tunnels the ICA traffic through the Common Gateway Protocol (CGP) on port 1494.

e. HDX Broadcast Session Reliability tunnels the ICA traffic through the Common Gateway Protocol (CGP) on port 2598.

Module 12

Configuring Self-Service Applications

Overview

Providing self-service access to enterprise applications simplifies ongoing user maintenance activities. Allowing users to choose which application they need from a list of approved applications offloads user application management tasks from an administrator.

The following technologies make application self-service possible:

Citrix Receiver: Citrix Receiver is a lightweight software client that runs on user devices, including laptops, desktop workstations and mobile devices. The Receiver allows IT departments to deliver applications and desktops to users as an on-demand service regardless of the location or type of user device.

Citrix Merchandising Server: Merchandising Server is a virtual appliance located in the datacenter that manages the setup, distribution and updates of plug-ins for Citrix Receiver. After performing a simple, one-time setup for Citrix Receiver, users automatically receive their plug-ins from Merchandising Server.

Citrix Plug-ins: Plug-ins are integrated into and managed by Citrix Receiver. The following plug-ins enable users to access their applications.

• Citrix Online Plug-in: Enables users to access hosted applications from a desktop or the Web Interface

• Citrix Offline Plug-in: Enables users to stream applications to their desktops and open them locally

• Citrix Dazzle: Enables users to select the applications that they use most frequently and place those applications in their Start menu. When a user clicks a selected application, the online plug-in, offline plug-in or App-V client will launch the application.

• Microsoft App-V Client: Enables users to access App-V virtualized applications. The Microsoft App-V Client is not a Citrix plug-in but can be used for application delivery with XenApp.

At the end of this module, you will be able to:

• Explain the role of Citrix Receiver.

• Identify the plug-ins managed by Citrix Receiver.

• Install Citrix Receiver for Windows.

• Explain the role of Citrix Dazzle.

• Identify the components of Citrix Merchandising Server.

• Explain the Citrix online plug-in architecture and communication.


Citrix Receiver

Citrix Receiver enables users to access virtual applications and desktops on any device. With Citrix Receiver installed on a device, IT can deliver applications and desktops as an on-demand service with no need to manage the physical device or its location. This model enables IT to effectively operate as a service provider with complete control over security, performance, and most importantly, user experience.

Citrix Receiver for Windows

Citrix Receiver for Windows is a lightweight software client with an extensible browser-like plug-in architecture. Merchandising Server provides the administrative interface for configuring, delivering and upgrading plug-ins for client devices running Citrix Receiver. After performing a simple, one-time setup for Citrix Receiver, users automatically receive their plug-ins from the Merchandising Server.

The first time Citrix Receiver for Windows requests a delivery from the Merchandising Server, the user enters credentials for access. As soon as the user is authenticated, a unique token is generated and installed on the user's client device. Subsequent requests from the Receiver to the Merchandising Server are validated with this token, eliminating the need for repeated logons.

The token prevents subsequent requests for user authentication credentials. Therefore, Citrix Receiver is not recommended for shared physical systems.

Citrix Receiver for Windows has the following system requirements:

• .NET Framework version 2.0 or later

• One of the following browser versions:

– Internet Explorer 7.x or Internet Explorer 8.x

– Firefox version 2.x or 3.x

• One of the following operating systems:

– Windows XP Professional, 32-bit or 64-bit SP3

– Windows Vista, 32-bit or 64-bit SP2

– Windows 7, 32-bit or 64-bit

– Windows Server 2003, 32-bit or 64-bit SP2

– Windows Server 2008, 32-bit or 64-bit SP2

– Windows Server 2008 R2

Individual plug-ins have separate system requirements which may differ from those for the Citrix Receiver.

Users must have administrator privileges on their client device to install Receiver for Windows software from the Download page. The administrator must either grant the users administrator privileges to perform the initial installation or push the Citrix Receiver for Windows installation to their users' client devices. Administrator privileges on the users' client devices are not required after installation is completed.

Citrix Receiver for Macintosh

Citrix Receiver for Macintosh is a lightweight software client with an extendable browser-like plug-in architecture. After performing a simple, one-time setup for Citrix Receiver, users automatically receive their plug-ins from the Merchandising Server.

Citrix Receiver for Macintosh has the following system requirements:

• One of the following operating system versions:

– Mac OSX 10.5, 32-bit or 64-bit (Intel only)

– Mac OSX 10.6, 32-bit or 64-bit


Citrix Merchandising Server

Citrix Merchandising Server is a virtual appliance, available as a free download, which runs on either Citrix XenServer or VMware ESX. Merchandising Server helps create, deliver and manage a high quality user experience on Windows and Macintosh systems. IT can "merchandise" services in a simple way that seamlessly connects users to virtual applications, desktops and other services, much in the same way retail merchandising managers create a compelling shopping experience for their customers.

Merchandising Server provides easy management, setup and distribution of the Citrix Receiver and plug-ins. After performing a simple, one-time setup for Citrix Receiver, users automatically receive their plug-ins from the Merchandising Server.

Citrix Merchandising Server Architecture

Citrix Merchandising Server connects to the following components.

Component: Active Directory
Protocol: LDAP: 389
Description: Merchandising Server connects to Active Directory to acquire user and group information, which allows the administrator to grant Administrator and Auditor permissions to specific users and create distribution lists for plug-in deliveries.

Component: Citrix Receiver
Protocol: HTTPS: 443
Description: Merchandising Server communicates with Citrix Receiver to deliver plug-ins to Windows and Macintosh systems.

Component: Citrix Update Service
Protocol: HTTPS: 443
Description: Merchandising Server communicates with the Citrix Update Service to download new and updated plug-ins posted by Citrix. The Citrix Update Service requires an Internet connection to contact https://citrix.com.

Component: Merchandising Server Administrator Console
Protocol: HTTPS: 443
Description: Administrators configure the Merchandising Server, upload plug-in installation files and schedule deliveries using the Merchandising Server Administrator Console.
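The connection table above can serve as a network baseline for the appliance. The following Python sketch is an added example, not part of the course material or any Citrix tool: it checks connection records against the four flows in the table and reports anything else that touches the Merchandising Server. The address plan, the log format and the sample records are constructed, and the direction of each flow is inferred from the descriptions in the table.

```python
import ipaddress

# Constructed address plan (assumption; replace with the real environment).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ROLES = {
    "merchandising": ipaddress.ip_network("10.20.0.10/32"),
    "active_directory": ipaddress.ip_network("10.20.0.5/32"),
    "admin": ipaddress.ip_network("10.20.9.0/24"),     # Administrator Console users
    "client": ipaddress.ip_network("10.30.0.0/16"),    # devices running Citrix Receiver
}

# Flows from the architecture table: (source role, destination role, TCP port).
# The table names https://citrix.com but no addresses, so any Internet host
# on 443 is accepted for the Citrix Update Service.
EXPECTED = {
    ("merchandising", "active_directory", 389): "LDAP to Active Directory",
    ("client", "merchandising", 443): "HTTPS from Citrix Receiver",
    ("admin", "merchandising", 443): "HTTPS from Administrator Console",
    ("merchandising", "internet", 443): "HTTPS to Citrix Update Service",
}

# Constructed sample records: timestamp, source, destination, protocol, port.
SAMPLE_LOG = [
    "2010-06-01T09:00:01 10.30.4.17 10.20.0.10 tcp 443",
    "2010-06-01T09:00:02 10.20.0.10 10.20.0.5 tcp 389",
    "2010-06-01T09:00:03 10.20.0.10 203.0.113.7 tcp 443",
    "2010-06-01T09:00:04 10.20.9.12 10.20.0.10 tcp 443",
    "2010-06-01T09:00:05 10.30.4.17 10.20.0.10 tcp 22",
    "2010-06-01T09:00:06 10.20.0.10 203.0.113.7 tcp 80",
    "2010-06-01T09:00:07 10.20.0.10 10.20.0.5 tcp 445",
    "2010-06-01T09:00:08 10.30.4.17 10.30.4.18 tcp 445",
    "truncated record",
]


def role_of(addr):
    """Map an IP address to a role in the constructed address plan."""
    ip = ipaddress.ip_address(addr)
    for role, net in ROLES.items():
        if ip in net:
            return role
    return "internal-other" if ip in INTERNAL else "internet"


def audit(lines):
    """Return (line number, description) for every record that involves the
    Merchandising Server but matches none of the expected flows."""
    findings = []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            _, src, dst, proto, port = line.split()
            src_role, dst_role, port = role_of(src), role_of(dst), int(port)
        except ValueError:
            # Wrong field count, bad address or bad port number.
            findings.append((number, "unparseable"))
            continue
        if "merchandising" not in (src_role, dst_role):
            continue                  # not this appliance's traffic
        if proto != "tcp" or (src_role, dst_role, port) not in EXPECTED:
            findings.append((number, f"{src_role} -> {dst_role} {proto}/{port}"))
    return findings


if __name__ == "__main__":
    for number, what in audit(SAMPLE_LOG):
        print(f"line {number}: unexpected flow: {what}")
```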


Citrix Dazzle

Citrix Dazzle is a self-service storefront for enterprise resources that gives users self-service access to the applications, desktops and content that they need to work productively.

Dazzle represents a XenApp Services site as a store, which contains resources that users may want to add to their Start menu. Users can add several stores to the Dazzle storefront from the client device. Administrators can also configure stores on the Merchandising Server, which will deliver the URL of the XenApp Services site to Dazzle.

When users start Dazzle, the stores contain the resources that were made available by an administrator. Users can then choose exactly what they need, when they need it. They simply browse or search for the resources they require and subscribe with a single click.

Administrators can advertise XenApp published applications and services, as well as Microsoft App-V packages for easy, on-demand access by users.

Citrix Dazzle Communication Process

Citrix Dazzle integrates with Citrix Receiver and an existing XenApp infrastructure. The following process describes the communications between Dazzle and other XenApp components when delivering self-service applications to users:

1. Citrix Receiver starts automatically when the user logs on to a client device.

2. The user logs on to the stores that Dazzle is configured to contact.

If Dazzle has not been run before, or if the user has not yet subscribed to any applications, Dazzle starts automatically.

3. Dazzle contacts the stores on the Web Interface, which authenticates the user to the XenApp farms that provide the applications for the stores.

4. Dazzle aggregates applications from all the stores into the same interface, displaying only those applications that the administrator has made available for the particular user.

5. The user selects and organizes applications using Dazzle.

6. Shortcuts to the selected applications are added to the user's Start menu.

7. Offline applications that the user subscribed to are downloaded from the XenApp farm to the client device by the Citrix offline plug-in. After downloading is complete, the applications are available for use.

8. The user clicks a shortcut in the Start menu to launch an application.

• For online applications, the Citrix online plug-in initiates a session with a XenApp server hosting the application.

• For offline applications, the application starts and runs locally in an isolation environment.

The Dazzle communication process is slightly different on a Macintosh system. Application shortcuts are placed in the Applications folder rather than the Start menu.

Plug-ins

Plug-ins are the components of XenApp that users run on their client devices to access resources published on XenApp servers. A published resource can be an application, content or the desktop of a server.

Plug-ins extend the reach of Windows-based, Java-based and UNIX-based applications to virtually any client platform or device.

XenApp supports the following plug-ins:

• Dazzle: Allows users to select the applications that they use most frequently and place those applications in their Start menu

• Online plug-in: Enables users to access hosted applications from a desktop or the Web Interface

• Offline plug-in: Enables users to stream applications to their desktops (both physical and virtual) and open them locally

• Microsoft App-V Client: Enables users to access App-V virtualized applications

• Secure access plug-in: Provides a single point of secure remote access to virtual desktops and applications

• Profile management plug-in: Maintains and consolidates a user's roaming profile

• Service monitoring plug-in: Provides real-time monitoring of the user experience

• Acceleration plug-in: Accelerates and optimizes WAN traffic

• Communications plug-in: Enables the use of EasyCall voice services to call phone numbers from any application using any phone

• Single sign-on plug-in: Provides password security and single sign-on access to Windows and web applications

Many of these plug-ins have separate versions to support both Windows and Mac users. The following plug-ins provide additional cross-platform support:

• Client for Java: Uses a Java applet that provides access to hosted applications from any client device with a standard web browser

• Citrix Receiver for Linux: Enables users to access hosted applications from a Linux system

• Citrix Receiver for iPhone: Enables users to access hosted applications from Apple iPhone and iPod Touch devices

Plug-in Delivery

Administrators have several options for delivering plug-ins to user devices.

Method: Citrix Receiver and the Merchandising Server
Description: Citrix Merchandising Server and Citrix Receiver work together to streamline the installation and management of application delivery to user desktops. Merchandising Server provides the administrative interface for configuring, delivering and upgrading plug-ins for users' client devices. IT can "merchandise" services in a simple way that seamlessly connects users to virtual applications, desktops and other services.

Method: Web Interface
Description: The Web Interface provides users with access to published resources through a standard web browser or through the Citrix online plug-in. When users access a Web Interface site from a Windows-based client device and a plug-in is not detected or the current plug-in on the client device is not up-to-date, the Web Interface site attempts to automatically install a plug-in on the client device.

Method: Active Directory
Description: Administrators can use a group policy to distribute plug-ins based on organizational unit, machine name or user name.

Method: Electronic Software Distribution (ESD)
Description: Administrators can use a variety of third-party software distribution products to automatically deploy and install plug-ins on client devices.

Method: Manual Installation
Description: Administrators can install individual plug-ins on users' systems or upload a plug-in to a web server and direct users to download and install the plug-in on their own.

Users may require administrator privileges on their system to install a plug-in.

Citrix Online Plug-in for Windows

The Citrix online plug-in for Windows allows users to access their published resources from a familiar Windows desktop environment. Users work with published resources the same way they work with local applications and files.

By default, published resources are represented in the Start menu by icons that behave just like local icons. Users can double-click, move and copy icons and create shortcuts in their location of choice.

System Requirements

Administrators can install the Citrix online plug-in for Windows manually or through the Citrix Receiver. The online plug-in for Windows can be installed on client devices that meet the software requirements in the following table.

Component: Operating System
Requirement:
• Windows Server 2008 R2
• Windows Server 2008, 32-bit edition or 64-bit edition
• Windows Server 2003, 32-bit edition or 64-bit edition
• Windows XP Professional, 32-bit edition or 64-bit edition
• Windows XP Embedded
• Windows Vista, 32-bit edition or 64-bit edition
• Windows 7, 32-bit edition or 64-bit edition

Component: Browser
Requirement:
• Internet Explorer version 6.x - 8.x
• Firefox version 1.x - 3.x

The online plug-in can be installed on client devices that meet the following hardware requirements:

• VGA or SVGA video adapter with color monitor

• Windows-compatible sound card for sound support (optional)

• A working network or Internet connection to servers

Installation Considerations

Different enterprises have different corporate needs, and the expectations and requirements for the way users access published resources and virtual desktops can shift as corporate needs evolve and grow.

The Citrix plug-ins differ in terms of:

• Access method

• Installation file

• Supported features

For a list of features, see the Receiver and Plug-ins documentation on the http://support.citrix.com/proddocs/index.jsp web site.

The following table describes the access methods for the online plug-ins.

Plug-in: Citrix online plug-in
Installation File: CITRIXONLINEPLUGINFULL.EXE
Access Method: Transparent integration of published resources into user's desktop

Plug-in: Citrix online plug-in Web
Installation File: CITRIXONLINEPLUGINWEB.EXE
Access Method: Web browser-based access to published resources

The Citrix online plug-in can also be installed through a command line interface, which provides additional options. For more information on command line installation, see the Receiver and Plug-ins documentation on the http://support.citrix.com/proddocs/index.jsp web site.

Citrix Online Plug-in for Mac

The Citrix online plug-in for Mac allows users to access published resources from a familiar Macintosh desktop environment. Users work with published resources the same way they work with local applications and files. Published resources are represented on the local desktop, by icons that behave just like local icons, on the Dock or in the Dazzle folder available from the Finder.

Users can also access published resources from within a familiar browser environment, by clicking links on a web page published to the corporate intranet or the Internet.

System Requirements

Administrators can install the Citrix online plug-in for Mac manually or through the Receiver. The online plug-in supports Mac OS X, Version 10.4 and above.

Not all combinations of OS version and processor type (Intel-based or PowerPC) support installation through the Citrix Receiver. For more information, see the Receiver and Plug-ins documentation on the http://support.citrix.com/proddocs/index.jsp web site.

The Citrix online plug-in for Mac can be installed on client devices that meet the following hardware requirements:

• At least 256MB of RAM

• 29MB of free disk space

• A working network or Internet connection to servers


Installation Considerations

Citrix online plug-in for Mac contains two installation packages. Administrators can install these plug-in installer packages with almost no user interaction.

• CITRIX_ONLINE_PLUGIN.DMG: Complete package, with full feature support

• CITRIX_ONLINE_PLUGIN_WEB.DMG: Smaller package with limited feature support that can be deployed from a web page

The Citrix online web plug-in for Mac package does not include Dazzle.

Client for Java

The Client for Java is a Java applet that provides access to applications running in a farm from any client device with a standard web browser. The applet is a download-and-run, zero-install client, optimized for use in environments where it is not possible or desirable to install software on the client device.

The Client for Java does not support all features supported by other plug-ins. For a list of features, see the Receiver and Plug-ins documentation on the http://support.citrix.com/proddocs/index.jsp web site.

Administrators do not need to install any software on the client device. Users require only a Java-compatible web browser. Setup is transparent and automatic.

Unlike other plug-ins, which are downloaded once and then saved for future use by client systems, the Client for Java is not stored permanently by the client device. However, Java environments provide a separate cache for Java applets, which administrators can configure in the plug-in control panel.

System Requirements

The Client for Java can run on client devices that meet the following requirements:

• A web browser with Java 2, Standard Edition Version 1.4.x or 1.5.x, configured to accept signed Java applets

• Network access to the web server that stores the client files

Deployment Considerations

The following resources are required to deploy the Client for Java:

• A copy of the client package, which can be downloaded from the www.citrix.com web site or copied from the Citrix XenApp 6 media

On the web site, the client package is available in the following formats:

– .ZIP, which is primarily used on Windows systems

– .TAR.GZ, which is primarily used on UNIX systems

• A means of decompressing and unpacking the .ZIP or .TAR.GZ package, if downloaded from the web site

• Administrator access to a web server

If deploying the client using the Web Interface, an administrator can configure client deployment options using the Web Interface Management console.

Citrix Receiver for Linux

The Citrix Receiver for Linux provides users with access to resources published on XenApp servers. It combines ease of deployment and use, and offers quick, secure access to applications, content and virtual desktops. Users can connect to resources published on XenApp servers using either individual ICA connections or predefined ICA connection configurations from servers running the Web Interface.

System Requirements

The Citrix Receiver for Linux requires Linux kernel version 2.6.18 or above, with glibc 2.3.4 or above, libcap1 or libcap2 and udev support.

In addition, the native client (wfcmgr) graphical user interface depends on OpenMotif 2.3.1. However, if the client is run through the Web Interface or from the command line, then OpenMotif is not required.

Systems running the Citrix Receiver for Linux must meet the following requirements:

• 6MB of free disk space for the installed client and up to 13MB if the installation package will be expanded on the disk

• 256 color video display or higher

• A working network or Internet connection to servers

Installation Considerations

Administrators should consider the following points when installing the Citrix Receiver for Linux:

• USB support is enabled only if an administrator is logged on as a privileged user when installing and configuring the Citrix Receiver for Linux.

• Installations performed by non-privileged users will enable users to access published resources on the server using the Web Interface through one of the supported browsers.

• During installation, administrators will have the option of specifying that GStreamer is enabled for multimedia acceleration. This can be downloaded from the http://gstreamer.freedesktop.org web site.

Use of certain codecs may require a license from the manufacturer of that technology.

Troubleshooting Self-Service Application Issues

An administrator can use the solutions provided in the following table to address self-service application issues.

Issue: Merchandising Server cannot sync with Active Directory.
Resolution: Use an IP address to identify the Active Directory server, rather than a Fully Qualified Domain Name (FQDN).

Issue: Merchandising Server stops allowing connections to the Merchandising Server Administrator Console.
Resolution: Verify that the Merchandising Server virtual machine has enough disk space allotted to it.

Issue: The Citrix Receiver icon does not appear in the notification area after installation.
Resolution: See Citrix Knowledge Base article CTX122987 on the www.citrix.com web site to modify Explorer application compatibility settings.

Review

1. Which plug-in provides a self-service storefront for enterprise resources to users?

a. Dazzle

b. Online plug-in

c. Offline plug-in

d. Communications plug-in

2. From which component does the Merchandising Server obtain new plug-ins to distribute to client devices?

a. XenApp farm

b. Citrix Receiver

c. The Web Interface

d. Citrix Update Service

3. Which component manages plug-ins on a client device, allowing IT to deliver applications and desktops as an on-demand service?

a. Dazzle

b. Citrix Receiver

c. Web Interface

d. Merchandising Server


Module 13

Configuring Printing


Overview

There are several ways to configure printers for use in a XenApp session and administrators must carefully consider the available options and business needs. The type of printers and the printing environment, as well as user and administrative requirements, can dictate the most suitable method for configuring printers for users.

Because applications run remotely and not on local client devices, an administrator must determine users’ printing needs and monitor their level of satisfaction with printing services. When a user prints from a published application, the print job originates on the XenApp server. As a result, considering the client printers and network printers in the environment can help formulate the printing strategy.

XenApp provides access to enterprise-wide printing management, allowing administrators to control, secure and configure printing using policies.

By the end of this module, given an environment containing XenApp, you will be able to:

• Identify key printing concepts and terms.

• Explain the default printing behavior.

• Identify the methods that can be used to provision printers in a XenApp environment.

• Identify the printing pathways and recognize when each should be used.

• Configure client printer auto-creation.

• Recognize the different types of printer drivers.

• Map a client printer driver to a server printer driver.

• Recognize the different universal printing options available and configure the usage of a universal printer driver.

• Import a network print server, add a network printer and specify the default printer for a session.

• Implement workspace control and proximity printing.

• Configure where printing preferences are stored.

• Configure printing bandwidth restrictions.

Printing Concepts

In a XenApp environment, all printing is initiated on the XenApp server by a user from within a session.

When a user session ends, the user's workspace is deleted. Therefore, all settings need to be rebuilt at the beginning of each session. As a result, each time a user starts a new session, XenApp must recreate or restore the printers available in the session.

When a user clicks Print in a session, XenApp:

• Determines which printers, also referred to as printer objects, to provide to the user

• Restores the user's printing preferences

• Determines which printer is the default for the session

Printing Definitions

The following table contains definitions of printing-related terms.

Term: Definition

Network print server: A server that supports network print functionality and is accessible by a UNC path.

Printer object: The printer entry in the Printer and Faxes folder.

Printing device: The physical printer.

Printer driver: Software that formats a print job into native print commands.

Rendering: A printer driver process that converts device-independent graphics into a device-ready print stream.

Spooler: A Windows service responsible for printing.

Spooling: A process by which an application creates a print metafile containing the print job.

Despooling: The background processing of the print metafile, resulting in a device-ready data stream being sent to a print device.

Citrix Print Manager Service (CPSVC.EXE): A Citrix service that manages the creation of printers and driver usage within XenApp sessions.

Print queue: Disk space that holds the output designated for the printer until the printer can receive it.

Document settings: Printing settings such as page orientation that are stored inside a document.

Device settings: Printing settings such as page orientation that are set through the properties of a printer on the client device.

Restored printers: Printers that are customized by the administrator and permanently attached to a client port.

Retained printers: Printers that are created by users and remain available at the start of the next session.

Default printer: The first printer to be auto-created in a session. It can be based on the user's preferred printer on the client device or a locally installed printer on a server.

Legacy printer names: A less secure printer naming convention that provides backward compatibility for Presentation Server 3.0 or earlier.

Proximity printing: A feature that allows administrators to control the assignment of network printers so that the most appropriate printer is presented, based on the location of the client device.

Printer Types

One of the first steps in determining the best method for configuring printers is to determine the types of printers that must be supported.

In a non-XenApp environment, there are two types of printers: local printers and network printers. XenApp introduces a third type of printer, the redirected client printer.

When users connect to published resources, their client-side (local) printers are available to them, by default.

The type of printer determines where the print metafile containing the print job is processed (spooled). Understanding where the job is spooled can be useful should an issue arise with the spooler service.

Printer Type: Description

Local (Client and Server): Local printers are connected to a client device or server and the local operating system directly spools the print job to a Windows client device or server, by default.

Network (Client and Server): Network printers are connected to a print server and the server operating system directly spools the print job to the print server, by default.

Redirected client: Printers are connected to the client device using a UNC path or a cable. The server operating system spools the print job to the client device.

Demonstration: Local and Network Printing

Watch as the instructor demonstrates how printing works when print jobs are directed to a printer connected locally to a client device or server and when printers are connected across a network to a network print server.

Printing Security

XenApp provides default security settings that make printer ports unusable outside the session for which they were created. These default security settings ensure that print jobs are routed to the correct printer. In addition, security settings stop users from redirecting another user's client printer to their own port.

Printer ports are private to a particular session and cannot be shared across sessions. Even if the client device name is not unique, printers within each XenApp session are individualized and temporary for that session only.

For example, in an environment where every client device is assigned the name "Computer," the client printer created within each XenApp session would still be unique because the client printer names are based on the session name and number, not the client device name. In addition, after the user logs off the session, the printers that were created are likewise deleted. As a result, print jobs from client devices cannot be misdirected to the printers defined by another ICA session even though they have the same client device name.

In addition, to increase client printing security, access to the client printers is restricted to:

• The account that the Citrix Print Manager Service (CPSVC.EXE) runs in, which is Ctx_cpsvcuser, by default

• Processes running in the SYSTEM account such as the spooler

• Processes running in the user's session

Windows security blocks access to the printer from all other processes on the system. Furthermore, requests for services directed to the print manager must originate from a process in the correct session. This prevents bypassing the spooler and communicating directly with the Citrix Print Manager Service.

Adjusting Printing Security Settings

Administrators cannot, by default, access client printers from another session. This prevents the administrators from inadvertently printing to printers in another session. If administrators need to adjust the security settings of printers in other sessions, they can do so through Windows Explorer using the printer security settings on the server.

Default Printing Behavior

By default, XenApp printing behavior is as follows:

• All printers configured on the client device are created automatically at the beginning of each session.

• The client devices spool all print jobs queued to locally-attached printers, reducing resource consumption on the XenApp servers.

• XenApp routes all print jobs queued to network printers directly from the server hosting the published application. If XenApp cannot route the jobs over the network, it will route them through the client device.

• XenApp retains all changes made by users to printer properties and settings on the client device. If the client device does not support this operation, XenApp stores the changes in the user profile for that user.

• XenApp uses the native Windows version of the printer driver if it is available on the server hosting the application. If the printer driver is not available, the XenApp server attempts to install the driver from the Windows operating system. If the driver is not available in Windows, XenApp uses one of the Citrix Universal Printer Drivers.

If an administrator is unsure of the default printing behavior, a printing policy can be created with all printing policy rules enabled. The options that are selected by default in the enabled rules are the default settings.

Altering the Default Printing Behavior

An administrator can alter the default printing behavior in the environment using the printing policies in the Citrix policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console.

Use the Group Policy Management Console unless XenApp is in a workgroup or the XenApp administrator does not have permission to the Group Policy Management Console. In those cases use the Delivery Services Console.

Altering the printing behavior can affect the performance of printing in the environment and the user experience. There are several ways to configure printers for use in an ICA session and administrators must carefully consider the:

• Available printing options

• Types of printer drivers

• Printing environment

• User requirements

• Administrative requirements

• Business needs

Prior to changing the default printing behavior through policies, an administrator should understand basic XenApp printing concepts, including printing definitions, printer types, printing security, printer provisioning, printing pathways and printer driver behavior.

Printer Provisioning

XenApp print environments are highly dynamic because they are typically built during session initialization or application launch. The process by which XenApp makes printers available in a session is known as printer provisioning.

An administrator can control printer provisioning and configure which printers users see in their sessions. Administrators can specify the method by which printers are provisioned to users:

User self-provisioning: If an administrator does not want to specify (and administer) user printers, the administrator can prevent printer auto-creation and let users self-provision the printers that are visible from their client devices.

Auto-creation: If an administrator wants to ensure that printers are available when users start their sessions, the administrator should provision printers through auto-creation. Any printer defined on the client device can be auto-created at the beginning of a session.

In order for client printers to be auto-created in user sessions, the Client printer redirection policy rule must be enabled in the Citrix policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console. This is the default setting.

The user self-provisioning and auto-creation methods are considered dynamic. Dynamic provisioning is used to describe printers that appear in a session, but are not predetermined and stored. Rather, the printers that are available in a session are determined as the session is built. As a result, an administrator can allow printing configurations to change according to changes in policies, user location and the network.

Network printer provisioning: Administrators can automatically provision network printers to users within XenApp sessions by adding the network printers and configuring the Session printers policy.

There are other ways in which printers can be provisioned, such as through Active Directory policies and logon scripts. These methods do not change how print jobs are handled in user sessions.

User Self-Provisioning

Users may want or need printers that are not auto-created at the beginning of their sessions. By default, users can add printers in their sessions using the Windows Add Printer wizard on the server or an application that lets them browse to the printers.

Users of thin clients and non-Windows plug-ins, by default, cannot add printers to their sessions. An administrator must publish the ICA Client Printer Configuration tool (PRINTCFG.EXE) for these users.

For information about publishing the ICA Client Printer Configuration tool, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.

By allowing users to self-provision printers, administrators may reduce their own overhead, but limit their control over printer provisioning. The lack of administrative control may result in users installing printer drivers that are not approved in the environment.

Retained Printers

After a user adds a printer through user self-provisioning, the printer is known as a retained printer. Retained printers are created again (or remembered) at the start of the next session and route print jobs along the client printing pathway.

Retained printers appear in the session on the client device until the client printer within the session is deleted manually, the remembered printer connection is removed from the client's properties store or the client-side printer is inaccessible. A retained printer will show the notation "Auto Retained" in the Comment field of the printer properties.

An administrator can prohibit retained printers from auto-creating at the beginning of a session using the Retained and restored client printers policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console.

Printer Auto-Creation

Auto-creation refers to the process that XenApp uses to automatically create printers at the beginning of each session, depending on which printers are configured on the client device and network and the policies that apply to the session.

By default, XenApp makes printers available in sessions by creating all printers configured on the client device automatically, including locally attached and network printers. After the user ends the session, the printers for that session are deleted. The next time a session starts, XenApp evaluates the printer creation policies and enumerates the appropriate printers on the client device.

An administrator can change the default auto-creation settings to limit the number or type of printers that are auto-created. XenApp can auto-create:

• Locally attached printers, including locally-defined network printers

• Network printers

• Citrix Universal Printer

Printer auto-creation may be the easiest for the administrator to configure, but auto-creating all printers may require extensive processing on the XenApp servers. In addition, maintenance may be required when new printers are added or drivers for the printers are needed on the XenApp servers.

By default, native Windows printer drivers are automatically installed on a XenApp server when a client printer is auto-created. When an error occurs during the auto-creation of a printer, it is logged to the Windows Event log on the server. An administrator can control this behavior using the Printer auto-creation event log preference policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console.

Client Printer Auto-creation

Printer auto-creation creates a list of printers for use after logging in. When the user logs in, the printer drivers will be installed and all printers returned in this list will be available for use.

XenApp can auto-create client printers in two different ways:

• By creating a one-to-one match with printers on the client device

• By creating one generic printer, the Citrix Universal Printer, that represents all (or any) printers on the client device

In many environments, especially large ones, Citrix recommends auto-creation for the default printer only. Auto-creating a smaller number of printers creates less overhead on the server and is better for CPU utilization. However, there may be instances when all printers may need to be auto-created; in those cases use the default auto-creation settings so that all printers are created at logon.

Controlling Client Printer Auto-Creation

At the start of a session, XenApp auto-creates all printers on the client device by default. The administrator can control which, if any, types of printers are provisioned to users and can prevent auto-creation entirely.

To ensure that printers auto-create successfully, the following requirements must be met:

• User accounts should not be shared

• Only Windows native or fully tested printer drivers should be installed

• Users should have write access on the server to the %SYSTEMROOT%\SYSTEM32\SPOOL folder

The Auto-create client printers policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console allows an administrator to control printer auto-creation and specify that:

• No printers visible to the client device are created automatically

• Only the default printer for the client device is created automatically

• All non-network printers physically attached to the client device are created automatically

• All printers visible to the client device, including network and locally attached printers, are created automatically at the start of each session

By default, all network printing devices available from the client device are auto-created at the beginning of a session. XenApp always tries to route network print jobs directly from XenApp to the print server and not through the client printing pathway.

Assigning Printer Creation Settings to Published Applications

When publishing an application or configuring published application properties, printer creation for that published application can be specified as synchronous or asynchronous.

The information in the following table describes the printer creation settings.

Printer Creation Settings: Description

Synchronous: Printers are created before the users have access to interact with and use their sessions. The users must wait for all printers to be created in the background before they can perform any activities.

Synchronous printer creation should be used:

• When applications require all printers to be created first

• When applications require a stable printing environment

An administrator can enable synchronous printer creation by deselecting the Start this application without waiting for printers to be created option in the application properties.

Asynchronous: Printers are created in the background while the users have control of and are using their sessions. This process minimizes the amount of time it takes before users can work in their applications and does not impact the users because some application activity usually occurs before printing.

Asynchronous printer creation is the default setting and is typically used for published applications.

An administrator can enable asynchronous printer creation by selecting the Start this application without waiting for printers to be created option in the application properties.

Synchronous or asynchronous printer creation can be specified when publishing an application or afterwards by editing the Client options in the properties of the published application.

Printing Pathways

The term 'printing pathway' encompasses both the path by which print jobs are routed and the location where print jobs are spooled. Both aspects of this concept are important. Routing affects network traffic; spooling affects utilization of local resources on the device that processes the job.

All print jobs start on the XenApp server when a user elects to print a document from a published application. In XenApp, print jobs can take two different printing pathways:

Network printing pathway: When network printers are reachable from the XenApp server, an administrator can use policies to route print jobs to network printers. This is accomplished either by leaving the default settings so that the network printer is auto-created or by provisioning the network printer through the Session printers policy rule. Print jobs are routed through the network printing pathway by default; if the network printing pathway is unavailable, the client printing pathway is used.

Client printing pathway: By default, local and redirected client printers route print jobs along the client printing pathway.

Network Printing Pathway

The network printing pathway refers to print jobs that are routed from the XenApp server hosting the user's session to a print server and then spooled on a print server.

Routing jobs along the network printing pathway is ideal for fast local networks and in two other instances: when the user experience should be the same as the experience that users have on their local client device and when the printer names should appear the same in every session.

The network printing pathway is not suitable for printing jobs across a WAN because:

• Print jobs using the network printing pathway method use more bandwidth than those using the client printing pathway.

• Many packets are exchanged between the host server and the print server.

• Users might experience latency while the print jobs are spooling over the WAN.

• Print job traffic from the server to the print server is not compressed and is treated as regular network traffic.

Server Local Printers

Server local printers refer to printing devices that are physically attached to XenApp servers and use the network printing pathway. Server local printers are managed and configured in the same way as network printers and might be appropriate for printing in small farm environments. However, server local printers might not be ideal in enterprise environments because they require the printer drivers to be installed on each XenApp server in the farm and use additional resources on the XenApp servers.

The previous diagram shows a server local printing example where printing begins on the XenApp server hosting the user's session and is routed to a printing device attached locally to the server.

Configuring a Server Local Printer

An administrator can permit users to print to a printer that is physically attached to a XenApp server by sharing the printer. Sharing the printer allows the creation of the printer when a session is launched on the server. XenApp will not recognize server local printers unless they are shared.

Print jobs are redirected through the client printer pathway when the Render print jobs on client computers option is selected.

Disabling the Network Printing Pathway

XenApp routes print jobs to network printers from the XenApp server directly to the print server, along the network printing pathway, by default.

An administrator can use the Direct connections to print servers policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to disable the network printing pathway.

When print jobs must be routed across a network with limited bandwidth, the print jobs should be routed through the client printing pathway so that the ICA protocol compresses the jobs.

Managing Printers Using the Network Printing Pathway

Print queues for network printers that use the network printing pathway are private and cannot be managed through XenApp. In order to modify or manage a user's network print queue, an administrator must:

• Have the correct level of Windows administrator privileges.

• Use the Control Panel on the print server.

If a print job is routed over the network printing pathway and the server hosting the application does not have the appropriate printer driver or cannot install the printer driver, XenApp will send the print job through the client printing pathway, by default.

When a print job has been redirected from the network printing pathway to the client printing pathway, the printer will appear in the Print and Document Services role of the Server Manager snap-in on the server with the following syntax:

PrinterName on PrintServer (from clientname) in session n

where:

PrinterName is the name of the printer being redirected.

PrintServer is the name of the print server with which the printer is associated.

clientname is the name of the client through which the print job is being rerouted.

n is the session ID for the ICA connection.

Client Printing Pathway

The client printing pathway refers to print jobs that are routed over the ICA protocol through the client device to the printer and spooled through the plug-in to the client device. The printer must be connected directly to the client device through either a UNC path or physically through a cable.

When the client printing pathway is used, a virtual printer is constructed in the session that redirects the print job to the printer object within the session on the client device. The client device, in turn, sends the print job to the printing device.

Even though one additional hop is added at the client device, the impact on the WAN is minimized and efficiency is increased.

Client Printing Pathway Configurations

There are two different configurations for the client printing pathway: one for printers attached directly to the client device and another for network printers defined on the client device.

Client local printers: Print jobs from locally attached printers are routed to the printer through the ICA protocol and plug-in on the client device, and then to the printing device. The ICA protocol compresses the print job traffic. Print jobs to client local printers must be routed through the plug-in.

Network printers: By default, print jobs destined for network printers route from the server, across the network and directly to the print server using the network printing pathway. However, if the XenApp server is unable to communicate with the print server, such as when the XenApp and print servers are on different domains, XenApp automatically routes the print job through the plug-in using the client printing pathway.

In addition, the client printing pathway should be used for network printers when the client is connecting across low bandwidth connections such as WANs. This configuration takes advantage of the traffic compression that results from sending jobs over an ICA connection and provides the administrator the ability to limit or restrict the bandwidth allocated for the print jobs. To force print jobs to route through the client printing pathway, select Disabled in the Printing > Client Printers > Direct connections to print servers user policy rule.
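
The routing rules stated in this module, collected into one decision function that also flags uncompressed print traffic on a low-bandwidth link. This is an added example, not Citrix code: it models only the conditions the text names, and the class, field and function names are this example's own assumptions.

```python
"""Model of the print-job routing rules described in this module (illustrative only)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Conditions:
    """Inputs the module names as deciding the route (field names are hypothetical)."""
    direct_connections: bool = True      # "Direct connections to print servers" policy rule
    print_server_reachable: bool = True  # False e.g. when XenApp and print servers are in different domains
    driver_available: bool = True        # driver present on, or installable on, the XenApp server
    low_bandwidth_link: bool = False     # client connects across a WAN


@dataclass(frozen=True)
class Route:
    pathway: str           # "network" or "client"
    spooled_on: str        # where the job is spooled
    ica_compressed: bool   # only traffic carried over ICA is compressed
    reason: str
    warning: Optional[str] = None


def _client(reason: str) -> Route:
    # Client printing pathway: job travels over ICA to the client device.
    return Route("client", "client device (through the plug-in)", True, reason)


def route_print_job(is_network_printer: bool, c: Conditions) -> Route:
    """Return the pathway a print job takes, checking the stated rules in order."""
    if not is_network_printer:
        return _client("client local printers must be routed through the plug-in")
    if not c.direct_connections:
        return _client("Direct connections to print servers is set to Disabled")
    if not c.print_server_reachable:
        return _client("XenApp server cannot communicate with the print server")
    if not c.driver_available:
        return _client("printer driver is missing and cannot be installed on the XenApp server")
    warning = None
    if c.low_bandwidth_link:
        # The module recommends the client pathway here so that ICA compresses the job.
        warning = ("uncompressed print traffic on a low-bandwidth link; disable "
                   "Direct connections to print servers to use the client printing pathway")
    return Route("network", "print server", False, "default for network printers", warning)


# Constructed scenarios for illustration.
SCENARIOS = {
    "LAN, defaults": Conditions(),
    "print server in another domain": Conditions(print_server_reachable=False),
    "WAN, defaults": Conditions(low_bandwidth_link=True),
    "WAN, direct connections disabled": Conditions(direct_connections=False,
                                                  low_bandwidth_link=True),
}

if __name__ == "__main__":
    for label, cond in SCENARIOS.items():
        r = route_print_job(True, cond)
        print(f"{label}: {r.pathway} pathway ({r.reason})"
              + (f" WARNING: {r.warning}" if r.warning else ""))
```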

Client Local Printers

The simplest printing configuration in a XenApp environment is one in which the printer is attached directly to the client device. In this configuration, the XenApp server spools the print job and sends it back to the client device. The client device then relays it to a locally attached printer.

The previous diagram shows a simplified example of printing from a published resource on a XenApp server to a client local printer.

Client Printers on the Network

While client printers are often printers physically attached to client devices, they can also be printers connected to a network print server. In this case, print jobs are routed through the client printing pathway to the print server.

The process is the same as printing to a locally attached printer through the client printing pathway. However, instead of sending the job to a printer attached to the client device, the job is sent to the network print server which sends it to the printer.

By default, client printers on the network route print jobs through the network printing pathway, not the client printing pathway.

The previous diagram shows client printing to a network printer.

Printing to a Network Printer

When a print job is spooled to a network printer along the client printing pathway, it uses the following process:

1. The XenApp server generates a spool file and sends the print job through the ICA protocol to the client device.

2. The client device processes the spooled print job and sends it to the print server.

3. The print server sends the print job to the appropriate network printer.

Identifying Printers that Use the Client Printing Pathway

An administrator can use the Printers icon in the Control Panel of a XenApp server to determine which printers are using a client printing pathway, that is, printers that are auto-created. The printers listed will fluctuate on the server based on the sessions connecting to the server and the printers on the client devices.

By default, the name of a printer using the client printing pathway appears with the following syntax:

Printername (from Clientname) in session n

Where:

Printername is the name of the printer on the client device.

Clientname is the unique name given to the client device or the Web Interface.

n is the session ID of the user's session on the server.

If User Access Control is enabled on the XenApp server, the administrator must use the Print Management snap-in in the Microsoft Management Console (MMC) to view the printers.
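
The two naming syntaxes given in this module (the redirected network printer form and the client printing pathway form) can be parsed to audit the printer objects listed on a server. The following is an added example, not part of the Citrix course material: the sample printer names, session IDs and all function names are constructed for illustration, and the check for printers left behind by ended sessions relies on the statement above that session printers are deleted at logoff.

```python
"""Classify printer objects on a XenApp server by the naming syntax in this module."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# "PrinterName on PrintServer (from clientname) in session n":
# a network printer whose jobs were rerouted to the client printing pathway.
REDIRECTED_RE = re.compile(
    r"^(?P<printer>.+) on (?P<server>[^\s()]+) "
    r"\(from (?P<client>.+)\) in session (?P<sid>\d+)$"
)
# "Printername (from Clientname) in session n": an auto-created client printer.
CLIENT_RE = re.compile(
    r"^(?P<printer>.+) \(from (?P<client>.+)\) in session (?P<sid>\d+)$"
)


@dataclass(frozen=True)
class SessionPrinter:
    raw: str
    kind: str                           # "redirected-network", "client" or "other"
    printer: str
    client: Optional[str] = None
    session_id: Optional[int] = None
    print_server: Optional[str] = None


def parse_printer_name(name: str) -> SessionPrinter:
    """Parse one printer name. Heuristic: a client printer whose own name ends in
    ' on <word>' cannot be told apart from the redirected network form."""
    name = name.strip()
    m = REDIRECTED_RE.match(name)
    if m:
        return SessionPrinter(name, "redirected-network", m["printer"],
                              m["client"], int(m["sid"]), m["server"])
    m = CLIENT_RE.match(name)
    if m:
        return SessionPrinter(name, "client", m["printer"], m["client"], int(m["sid"]))
    return SessionPrinter(name, "other", name)


def audit(names: Iterable[str], active_sessions: Set[int]) -> Dict[str, object]:
    """Group session printers and flag the cases worth an administrator's attention."""
    by_session: Dict[int, List[SessionPrinter]] = defaultdict(list)
    fallbacks: List[SessionPrinter] = []   # network pathway unavailable or disabled
    orphaned: List[SessionPrinter] = []    # session ended but printer still present
    for p in map(parse_printer_name, names):
        if p.session_id is None:
            continue
        by_session[p.session_id].append(p)
        if p.kind == "redirected-network":
            fallbacks.append(p)
        if p.session_id not in active_sessions:
            orphaned.append(p)
    # One session belongs to one client device, so two client names in a
    # single session ID is unexpected and worth investigating.
    mixed = sorted(sid for sid, ps in by_session.items()
                   if len({p.client for p in ps}) > 1)
    return {"by_session": dict(by_session), "fallbacks": fallbacks,
            "orphaned": orphaned, "mixed_clients": mixed}


# Constructed sample input: names as they might be listed on a server.
SAMPLE_PRINTERS = [
    "HP LaserJet 4 (from WS-0042) in session 3",
    "Accounting Laser on PRINTSRV01 (from WS-0042) in session 3",
    "Label Printer (from Computer) in session 5",
    "Label Printer (from Computer) in session 9",   # same client name, different session
    "Microsoft XPS Document Writer",                # not a session printer
]
ACTIVE_SESSIONS = {3, 5}                            # constructed: session 9 has ended

if __name__ == "__main__":
    report = audit(SAMPLE_PRINTERS, ACTIVE_SESSIONS)
    for p in report["fallbacks"]:
        print(f"fallback to client pathway: {p.printer} via {p.client} (server {p.print_server})")
    for p in report["orphaned"]:
        print(f"printer from ended session {p.session_id}: {p.raw}")
```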

Printing Pathway Demonstration

Watch as the instructor demonstrates how print jobs are routed when a user prints from a published application to a local printer and when a policy is used to direct a print job from the published application to a network printer.

Printer Drivers

Printer drivers enable the operating system and applications to create device-ready print data streams for specific print devices. Printer drivers vary among manufacturers and models. Not all drivers work as intended in a multi-user (Remote Desktop Services) environment. Using an incorrect printer driver can cause garbled print jobs or print job failure. Administrators are advised to test printer drivers in a test XenApp environment prior to using them in a production environment.

The data store keeps track of all printer drivers in the environment. As drivers are added, entries are added in the data store. Because printer drivers can cause instability in a server farm, it is a best practice to only install the necessary printer drivers.

Printer Driver Types

XenApp supports the following types of printer drivers:

Native printer drivers: Drivers that are included with the Windows operating system. These drivers have been tested and approved by Microsoft to work with the respective operating system and Remote Desktop Services.

OEM printer drivers: Drivers that have been created by printer manufacturers. Many, though not all, OEM drivers have passed Microsoft logo certifications but may not have been fully tested in a Remote Desktop Services environment.

Citrix Universal Printer Drivers: Drivers that are automatically installed on all XenApp servers and support client printers without specific native or OEM printer drivers installed on the server. An administrator can use a printing policy to auto-create printers to use a universal printer driver. A Citrix Universal Printer Driver can:


• Enable users to print to most printers.

Specialized functionalities may not be available through the universal printer drivers.

• Ensure that client printers auto-create regardless of printer driver availability on the server.

• Reduce the size of some print jobs and reduce delays when spooling print jobs over slow connections.

• Prevent problems with driver maintenance or printing-related issues in a diverse environment.

• Limit the installation and replication of a large set of printer drivers or potentially problematic printer drivers in the server farm.

• Minimize help desk calls.

An administrator should keep the following considerations in mind when configuring XenApp to use universal printer drivers:

• Universal printer drivers work with locally-attached client printers, Citrix Universal Printers and network printers that use the client printing pathway.

• Some universal printer driver features may have reduced functionality for some plug-ins.

• Some features of multi-function printers may not be available with universal printer drivers.

Automatic Driver Installation

When XenApp auto-creates printers, it determines if the corresponding printer drivers are missing. By default, XenApp installs the missing Windows native printer drivers. If an incompatible printer driver is installed, it can cause issues on the XenApp server.

An administrator can control which printer drivers are installed on the XenApp servers using the following policy rules in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console:


Automatic installation of in-box printer drivers

Controls whether Windows native printer drivers are automatically installed when auto-creating printers. Disabling this policy rule prevents the automatic installation of printer drivers.

The Automatic installation of in-box printer drivers policy rule is enabled by default and can result in the installation of a large number of native drivers in the environment.

Printer driver mapping and compatibility


Lists printer driver substitution settings for auto-created printers, identifies which printer drivers can and cannot be used to auto-create client printers and identifies whether the universal printer drivers should be substituted for specific printer drivers.

When a user logs on, XenApp checks the compatibility and mapping list before it auto-creates the client printers.

• If a printer driver is on the list of allowed drivers, the printer is auto-created.

• If a printer driver is on the list of drivers that are not allowed, the printer is not auto-created unless the universal printer driver is specified for use.

To configure this policy rule to prevent printer drivers from being installed, entries must be made for the allowed drivers and another entry must be made using a wildcard (*) for the driver name with the Do not create setting selected.

When the compatibility list prevents the setup of a client printer, XenApp writes a message in the event log of the server hosting the user's session.

Server/Client Driver Mapping

During logon, each client provides information about its client-side printers, including the printer model name. The XenApp server uses this information to select the appropriate printer driver on the server to use to auto-create the printer. If the printer drivers for server and client device operating systems have different names for the same driver, XenApp may not recognize that the drivers are the same. This could result in users having difficulty printing or the failure of printer auto-creation.


An administrator can resolve this issue by overriding, or mapping, the printer driver name that the client device provides with the appropriate driver on the server. Mapping client printer drivers gives published applications access to client printers that use the same drivers as the server but have different driver names.

An administrator can configure the Printer driver mapping and compatibility policy rule in the Citrix Policies node of the Group Policy Management Console (GPMC) or the Policies node of the Delivery Services Console by specifying the client printer driver and the server printer driver to substitute for that driver. A wildcard (*) can be used in the names. For example, to force all HP printers to use a specific server printer driver, HP* can be specified as the driver name.

When printer driver mappings are configured, the mappings are retained in the data store database and are available to all servers in the farm. Entries can be prioritized, changed or removed using the corresponding buttons in the policy rule.
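The allow-list-plus-wildcard configuration and the client-to-server driver mapping described above can be modelled as an ordered rule list and checked before it is deployed. The following Python model is an added example, not Citrix code; the action names, first-match-wins ordering, case-insensitive matching and the sample driver names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical action names for the outcomes the text describes.
ALLOW = "allow"                    # auto-create with the client's driver name
DO_NOT_CREATE = "do_not_create"    # block auto-creation
UNIVERSAL_ONLY = "universal_only"  # auto-create, but only with a universal driver
REPLACE_WITH = "replace_with"      # map the client driver name to a server driver

UNIVERSAL_DRIVER = "Citrix Universal Printer Driver"  # label used by this model


@dataclass(frozen=True)
class Entry:
    pattern: str                         # client driver name; "*" is a wildcard
    action: str
    server_driver: Optional[str] = None  # only used with REPLACE_WITH


@dataclass(frozen=True)
class Decision:
    create: bool
    driver: Optional[str]
    matched: Optional[str]               # deciding pattern, None for the default


def matches(pattern: str, name: str) -> bool:
    """Match a driver name against a pattern in which only '*' is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name, re.IGNORECASE) is not None


def evaluate(entries: List[Entry], client_driver: str) -> Decision:
    """Return the outcome for one client printer; the first matching entry wins."""
    for entry in entries:
        if not matches(entry.pattern, client_driver):
            continue
        if entry.action == DO_NOT_CREATE:
            return Decision(False, None, entry.pattern)
        if entry.action == UNIVERSAL_ONLY:
            return Decision(True, UNIVERSAL_DRIVER, entry.pattern)
        if entry.action == REPLACE_WITH:
            return Decision(True, entry.server_driver, entry.pattern)
        return Decision(True, client_driver, entry.pattern)
    # No entry matched: default behaviour, the client's driver name is used.
    return Decision(True, client_driver, None)


def lint(entries: List[Entry]) -> List[str]:
    """Flag entries that can never match and a missing final '*' deny entry."""
    findings = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            # If the earlier pattern matches the later pattern's own text, it
            # also matches every driver name the later pattern could match.
            if matches(earlier.pattern, later.pattern):
                findings.append(f"entry {i} ({later.pattern!r}) is shadowed "
                                f"by {earlier.pattern!r}")
                break
    last = entries[-1] if entries else None
    if last is None or last.pattern != "*" or last.action != DO_NOT_CREATE:
        findings.append("no final '*' entry set to Do not create: "
                        "unlisted drivers are still allowed")
    return findings


# Constructed sample list; the driver names are illustrative only.
SAMPLE = [
    Entry("HP LaserJet 4*", ALLOW),
    Entry("HP*", REPLACE_WITH, "Example Server Driver PCL5"),
    Entry("Example Label*", UNIVERSAL_ONLY),
    Entry("*", DO_NOT_CREATE),
]

if __name__ == "__main__":
    for name in ("HP LaserJet 4000 Series PCL", "hp deskjet 940c",
                 "Example Label Writer 450", "Unknown Vendor X"):
        print(name, "->", evaluate(SAMPLE, name))
    print("lint:", lint(SAMPLE))
```

Running `lint` on a proposed list before entering it in the policy rule catches the two mistakes that silently widen the set of drivers a server will load: a broad pattern placed above a specific one, and a list that does not end with the wildcard Do not create entry.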

Managing Printer Drivers


An administrator can use the Windows Print Management snap-in to manage the drivers, ports and printers on a print server. For information about using the Print Management snap-in, refer to Microsoft documentation for the operating system.

The Print and Document Services role must be installed on the server to add the Print Management snap-in to the Microsoft Management Console.

Practice: Printer Drivers

Provide the correct response for each of the following questions.

1. In order to prevent printer drivers from being installed automatically, which policy rule should be configured?

2. What are four benefits of using the Universal printer driver?


Citrix Universal Printing

Citrix Universal Printer Drivers and printers are printing solutions that allow users to print regardless of whether the correct printer drivers and printers are installed.

There are several different universal printing solutions. An administrator can configure a:

Citrix Universal Printer Driver (EMF-based): At the beginning of each session, a device-specific printer is auto-created using the Citrix Universal Printer Driver (EMF-based). For example, the LaserJet5L printer is auto-created and uses the Citrix Universal Printer Driver (EMF-based) to communicate with the printer driver on the client device. The print job is processed on the client device. This is the default universal printer driver.

Citrix XPS Universal Printer Driver: At the beginning of each session, a device-specific printer is auto-created using the Citrix XPS Universal Printer Driver. For example, the LaserJet5L printer is auto-created and uses the Citrix XPS Universal Printer Driver to communicate with the printer driver on the client device. The print job is processed on the client device.

Citrix Universal Printer with a Citrix Universal Printer Driver: At the beginning of each session, a Citrix Universal Printer is auto-created using a Citrix Universal Printer Driver. The session uses the Citrix Universal Printer Driver to communicate with the printer driver on the client device. The print job is processed on the client device. For more information about this printer, see the Citrix Universal Printer topic later in this module.

Configuring a printer to use a universal printer driver improves server performance, reduces the number of drivers required on the XenApp servers and decreases the complexity of printer administration. However, configuring a universal printer driver will not improve session start time because the printers on the client device are still enumerated and auto-created at the beginning of sessions. In addition, a Citrix Universal Printer Driver may create smaller print jobs than older or less advanced print drivers but may not be able to optimize print jobs as well as a device-specific printer driver.


Citrix Universal Printing Requirements

A Citrix universal printing solution requires:

• The Citrix online plug-in (or a previous version) on a Windows client device.

• A non-Windows plug-in can be used with universal printing on a non-Windows client device only if a universal printer driver based on the PostScript universal printer driver is used. These drivers are installed automatically with XenApp.

• Citrix universal printing works only with applications hosted on a XenApp server. Connections made with the Citrix offline plug-in to virtualized applications on the client device cannot use universal printing.

The Novell iPrint driver is not supported in a XenApp environment.

Enhanced MetaFile Format

The Universal Printer Driver is installed automatically with XenApp, supports nearly all common printer capabilities and forms and can discover underlying client printer capabilities. When the EMF-based Universal Printer Driver is used for client printing, the printer output is sent in Enhanced MetaFile (EMF) format using the Citrix Print Manager Service.

The EMF format:

• Reduces the size of some print jobs

• Allows jobs to print faster

• Allows users to set printer properties and preview documents before printing

• Reduces server load by saving bandwidth and CPU processing because processing is deferred to the client device

Users can view the options of a client printer created with a universal printer driver through the properties of the printer. Other universal printer driver formats are available for client devices:

• PCL5c, which is primarily used by older applications that are not compatible with the EMF instructions within the new universal printer driver

• PCL4, which is used for older printers and for non-Windows client devices, such as Mac and UNIX

• PS, which is used by non-Windows client devices, such as Mac and UNIX

Non-Windows client devices should use the PS universal printer drivers. By default, the Citrix Print Manager Service engages the EMF driver first and then falls back, in order, to PCL5c, PCL4 and PS, based on the client device.


Print Preview

The EMF-based and XPS-based Citrix Universal Printer Driver provide the following ways to preview and select print settings:

• The EMF-based Citrix Universal Printer Driver allows a user to preview a print job using the Citrix Print Previewer. The Local Settings button in the Citrix Print Previewer can be used to select a different printer, control the device settings for the printer hardware and preview the print job. An administrator can control whether or not the Local Settings button is available to users. If users are not allowed to change their printer through the Local Settings button, the print job prints to the default printer on the client device.

The Citrix Print Previewer cannot be controlled by an administrator unless users have Citrix Presentation Server Client, version 10.100 or later, the Citrix XenApp Plug-in for Hosted Apps, version 11.x, or the Citrix online plug-in.

• The Citrix XPS Universal Printer Driver allows a user to preview a print job using Internet Explorer. The Print Preview button displays the print job in the Microsoft XPS "electronic paper" format.

A user can follow this procedure to preview and print a document.

1. Open the Print screen (CTRL+P).

2. Select the client printer that is auto-created using the universal printer driver.

3. Click Properties in the Print dialog box.

4. Select Preview on client and click OK.

5. Click OK to view the document in the EMF Viewer application.


6. Use the navigation buttons to view the pages of the document.

< = Page Up

> = Page Down

<< = Home

>> = End

7. Click the printer icon to select the printer.

8. Select the pages and number of copies to print.

9. Click Print.

The Print Preview feature is disabled by default. The User > Printing > Universal Printing > Universal printing preview preference policy must be configured to enable the feature.

Citrix Universal Printer

The Citrix Universal Printer is a generic printer that an administrator can configure to auto-create on behalf of a single printer or each printer on a client device. The Citrix Universal Printer interacts directly with the printing devices, reducing the need to auto-create printers and, thus, reducing server overhead. The Citrix Universal Printer can be created for the length of a session at the beginning of that session.


The Citrix Universal Printer is a generic printer that is not tied to any specific printer on the client device. It can be used to print through the client to any client-side printer. An administrator can specify that the Citrix Universal Printer be auto-created for a single printer or each printer on the client device.

When the Citrix Universal Printer is enabled, the printer is created in the session with the name Citrix UNIVERSAL Printer in session number. The printer name is the same for all users with the exception of the session number. This makes it easier for users that reconnect from different client devices and can prevent issues with applications that rely on the printer name.

The Citrix Universal Printer can be made available to all sessions that use a Citrix online plug-in. In addition, the Citrix Universal Printer can be the only printer that is auto-created in the session or can be auto-created along with other client printers and session printers.

The Citrix Universal Printer will not auto-create if Legacy printer names are specified in the Client printer names policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console.

An administrator can prevent the auto-creation of printers on the client device so that only the Citrix Universal Printer can be used in sessions. To implement this configuration, the Citrix Universal Printer should be enabled through the policy and the Auto-create all client printers policy rule must be configured with the Do not auto-create client printers setting selected.

Configuring Citrix Universal Printing

Universal printer drivers are installed on each XenApp server, but are not used, by default.


An administrator can use the following policy rules in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to control the usage of the Citrix Universal Printer Drivers:

Universal driver priority: Specifies the order in which XenApp attempts to use the universal printer drivers, beginning with the first entry in the list. An administrator can add, edit or remove drivers and change the order of the drivers in the list.

Universal printing: Specifies when to use universal printer drivers instead of native Windows printer drivers.


Universal printing preview preference: Specifies whether to use the print preview function for a Citrix Universal Printer or auto-created printers that use a Citrix Universal Printer Driver.

Auto-create generic universal printer: Enables or disables the auto-creation of a Citrix Universal Printer printing object. By default, generic universal printers are not auto-created.

Citrix universal printing can be used with Citrix Presentation Server 4.0 through Citrix XenApp 6 and the following client software:

• Citrix Presentation Server Client, version 9.x or version 10.x

• Citrix XenApp Plug-in for Hosted Apps version 11.x

• Citrix online plug-in


Administrator-Assigned Network Printers

User requirements, client devices and network printer availability are factors in determining if and how network printers should be configured. An administrator can define policies to construct customized printing and assign network printers to specific users.

Network printers route print jobs from the XenApp server, across the network, directly to the printer server. Network printers do not have to be installed and configured on any of the client devices because the configurations are performed on the server by an administrator.

XenApp allows an administrator to specify printers on print servers, along with related print queues into the farm. The network printers can then be assigned to users.

Adding a Network Printer

An administrator can use the Session printers policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to add a network printer.

Within the Session printers policy rule, an administrator can add a network printer by:

• Specifying the printer UNC path in the \\servername\printername format

• Browsing to a printer on the network


• Browsing for printers on a specific server by typing the server name using the \\servername format

The server merges all enabled Session printer settings for all applied policies, starting from the highest to lowest priority. When a printer is configured in multiple policies, the customized settings are taken from only the highest priority policy object in which that printer is configured.

Editing Network Printer Settings

An administrator can use the Session printers policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to specify the following printer settings for a network printer:

• Paper size

• Copy count

• Collation setting

• Print quality

• Orientation (portrait or landscape)

An administrator can ensure that the printer settings are reset to these specific settings for all sessions, by selecting the Apply customized settings at every logon option. This results in user customization to the printer settings for the printer only being valid in the current session.


Specifying the Default Printer

The printer that XenApp selects for the default session printer can be:

• A client printer

• A network printer that has been added through the Session printers policy rule

An administrator can use the Default printer policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to set the default printer for a session using the following settings:

Do not adjust the user's default printer: Uses the Remote Desktop Services (Terminal Services) or Windows user profile to determine the default printer. The default printer will be the first printer auto-created in the session, which can be the:

• First printer added locally to the server

• Default printer on the client device

This setting does not save the default printer choice in the profile and does not change according to other session or client properties. An administrator can use this setting along with the Session printers policy rule to configure proximity printing, which is the ability for roaming users to print to the nearest network printer.

Set default printer to the client's main printer: Uses the printer set as the default printer on the client device as the default printer in sessions.

Windows group policies and Remote Desktop Services (Terminal Services) settings can disable the mapping of the main printer on the client.


Workspace Control and Proximity Printing

In some environments, users move among different client devices or sites. An administrator can make sure that the closest printers are presented to these users wherever they try to print. Examples of such users include:

• Hospital employees who move among client devices in different wings of a hospital and reconnect to the same session on a different client device using a smart card

• Employees who travel to remote business units

If employees need this type of printing functionality, an administrator can use one of these features:

Workspace Control: Also known as SmoothRoaming, this feature allows a user to disconnect from one session, move to another client device and reconnect to continue that same session. The printers assigned on the first client device are replaced on reconnection with the printers designated on the second client device. As a result, the user is always presented with applicable printer options from wherever the user connects.

For more information, see Configuring Workspace Control in this course.

Proximity Printing: This feature allows an administrator to control the assignment of network printers for mobile workers so that the most appropriate printer is presented, based on the location of the client device.


Proximity printing can make printer administration easier even if mobile workers do not exist in the environment. For example, if a user moves from one department or floor to another, the administrator will not need to assign additional printers to that user, if proximity printing is implemented. When the client device is recognized within the IP address range of the new location, it has access to all network printers within that range. However, if an administrator configures proximity printing, the Session printer policy must be maintained as network printers are added or removed, or the DHCP IP address ranges for floors or departments are changed.


Configuring Proximity Printing

Proximity printing is enabled through the Session printers policy rule in the Citrix Policies node of the GPMC or the Policies node of the Delivery Services Console. Proximity printing requires that the policy be filtered based on some type of geographic indicator (IP address). The ability to configure proximity printing assumes that the network is designed as follows:

• DHCP addressing is used to assign IP addresses based on location (for example, floor of a building).

• All departments/floors within the company have unique designated IP address ranges.

• Network printers are assigned IP addresses based on the department/floor in which they are located.

To configure proximity printing, the administrator should:

1. Create a separate policy for each subnet or geographic location to correspond with each printer location.

2. Add the printers in that subnet or geographic location to the Session printers policy rule.

3. Set the Default printer policy rule to use the Do not adjust the user's default printer setting.

4. Filter the policies by client IP address.
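The four configuration steps above, together with the Session printers merge rule stated earlier in this module, can be checked offline with a model of the policy set. This Python code is an added example, not Citrix code; the Policy class, the convention that priority 1 is the highest, and the sample subnets and printer paths are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# \\servername\printername, the UNC format used in the Session printers rule.
UNC_PRINTER = re.compile(r"\\\\[^\\/\s]+\\[^\\/]+")


@dataclass
class Policy:
    name: str
    priority: int                  # assumption: 1 is the highest priority
    client_ranges: List[str]       # client IP address filter; empty = unfiltered
    session_printers: Dict[str, dict] = field(default_factory=dict)
    default_printer: str = "Do not adjust the user's default printer"


def applies(policy: Policy, client_ip: str) -> bool:
    """True when the policy's client IP filter admits this client device."""
    if not policy.client_ranges:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r) for r in policy.client_ranges)


def resolve_session_printers(policies: List[Policy],
                             client_ip: str) -> List[Tuple[str, dict]]:
    """Merge Session printers of all applied policies, highest priority first.

    A printer listed in several policies keeps the customized settings of the
    highest-priority policy only.
    """
    merged: Dict[str, Tuple[str, dict]] = {}
    for policy in sorted(policies, key=lambda p: p.priority):
        if not applies(policy, client_ip):
            continue
        for unc, settings in policy.session_printers.items():
            merged.setdefault(unc.lower(), (unc, dict(settings)))
    return list(merged.values())


def audit(policies: List[Policy]) -> List[str]:
    """Report malformed printer paths and overlapping location ranges."""
    findings = []
    for p in policies:
        for unc in p.session_printers:
            if not UNC_PRINTER.fullmatch(unc):
                findings.append(f"{p.name}: {unc!r} is not a "
                                "\\\\servername\\printername path")
    nets = [(p.name, ipaddress.ip_network(r))
            for p in policies for r in p.client_ranges]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            same_family = net_a.version == net_b.version
            if name_a != name_b and same_family and net_a.overlaps(net_b):
                findings.append(f"{name_a} ({net_a}) overlaps {name_b} ({net_b}): "
                                "location ranges must be unique")
    return findings


# Constructed sample: one policy per floor plus an unfiltered farm-wide policy.
SAMPLE_POLICIES = [
    Policy("Floor 1 printers", 1, ["10.20.1.0/24"],
           {r"\\PRINT01\F1-Laser": {"copies": 1}}),
    Policy("Floor 2 printers", 2, ["10.20.2.0/24"],
           {r"\\PRINT01\F2-Laser": {"orientation": "landscape"}}),
    Policy("Farm-wide printers", 9, [],
           {r"\\PRINT01\F2-Laser": {"orientation": "portrait", "copies": 2},
            r"\\PRINT02\Archive": {}}),
]

if __name__ == "__main__":
    for ip in ("10.20.1.9", "10.20.2.57", "192.168.0.5"):
        print(ip, "->", resolve_session_printers(SAMPLE_POLICIES, ip))
    print("audit:", audit(SAMPLE_POLICIES))
```

Re-running `audit` whenever DHCP ranges or printers change is one way to carry out the maintenance the text calls for, since an overlapping range silently presents one location's printers to clients in another.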


Printing Preferences

In a XenApp environment, when users modify printing settings, the settings are stored in the following locations:

• On the client device: The settings are set on the client device by selecting Printing Preferences for a printer in the Printers folder on the client device. For example, if Landscape is selected as the page orientation and saved, it becomes the default page orientation preference for that printer. This type of preference is known as device settings.

• In a document: In word-processing and desktop-publishing programs, settings, such as page orientation, are often stored inside documents. These settings are often referred to as document settings. Document settings appear by default the next time the user prints that document.

Device settings are treated distinctly from, and usually take precedence over, document settings.

• From changes a user made during a session: The settings are set within the session by selecting Printing Preferences for an auto-created printer in the Printers folder within the session.

• On the server: These are the default settings associated with a particular printer driver on the server.

If an administrator wants to control printing preferences, it is important to understand that the settings preserved in any Windows-based environment vary according to where the user made the changes. This means that the printing settings can differ between different applications within the same session or different sessions.

Printing Properties

Printing properties are a combination of:

• Printing preferences, which are settings configured within the session by selecting Printing Preferences for an auto-created printer in the Printers folder within the session

• Printing device settings, which are settings configured on the client device by selecting Printing Preferences for a printer in the Printers folder on the client device

By default, changes users make to the printer preferences and settings for a printer, whether on the local client device or in a session, are saved and used both locally and in a session. This means that printer preferences and settings are the same on the client device and in a session.


By default, XenApp attempts to store the printing properties on the client device. If the client does not support this operation, XenApp stores the printing properties in the user profile for that user.

By default, sessions from non-Windows clients and older Windows clients use the user profiles on the server for printing properties retention.

The following factors can affect how an administrator configures the Printer properties retention policy rule using the Citrix Policies node of the GPMC or the Policies node of the Delivery Services Console:

• If a client prior to Citrix Presentation Server Client, version 9.x is used, printing properties cannot be stored on the client device.

• If a mandatory profile is used, the printing properties must be stored on the client device.

• If a roaming profile is used, the printing properties must be stored in the user profile.

• If applications are load balanced in a large farm, local profiles will provide users with an inconsistent printing experience. To correct this issue, printing properties must be saved on the client device.

If none of these factors apply, Citrix recommends that the printing properties be stored on the client device, if possible, otherwise stored in the user profile; this is the default setting. This is the easiest way to ensure consistent printing properties.

Printing Preference Hierarchy

Because printing properties can be stored in more than one place, XenApp processes them according to a specific priority. XenApp searches for printing properties in the following order:

1. XenApp checks for retained settings (settings changed during the session). If XenApp finds retained settings, it applies the settings when the user prints.

2. XenApp checks for any changes to the printer settings for the printers on the client device. If XenApp finds any changes on the client device, it applies the settings when the user prints.

3. XenApp checks the printer settings stored on the server and applies the settings when the user prints.

At this point, the printer settings are merged.


Configuring Printer Property Retention

An administrator can use the Printer properties retention policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to configure where printer properties are stored. Printer properties can be:

Held in profile only if not saved on client: Stores printer properties on the client device, if available, or if not, in the user profile. This is the default setting. Although this option is the most flexible, it can also slow logon time and use extra bandwidth to perform necessary system checking. This option provides backward compatibility with prior versions of XenApp and its plug-ins.

Saved on the client device only: Stores printer properties only on the client device. This option should be used if users are assigned a mandatory profile or roaming profile.

Retained in user profile only: Stores printer properties in the user profile on the server and prevents the exchange of any properties with the client device. This option requires the use of a roaming profile and reduces network traffic making it an ideal choice for connections with:

• Bandwidth constraints

• Presentation Server, version 3.0 or earlier


• Presentation Server Clients, version 8.x or earlier

These products are no longer supported.

Do not retain printer properties: Does not retain printer properties and the user must configure the desired printer properties each time.

To obtain printer properties directly from the printer itself, rather than from the properties store, an administrator can edit the printer preferences in the Registry. For more information about synchronizing the printer properties, refer to the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.


Printing Bandwidth

While printing files from published applications to client printers, other virtual channels, such as video, may experience decreased performance due to competition for bandwidth. This performance degradation is magnified if users are accessing servers through slower networks or dial-up connections. To prevent such degradation, an administrator can limit the bandwidth used by client printing.

If a printer bandwidth limit is configured in a policy, it is always enforced, even when no other virtual channels are in use.

By limiting the data transmission rate for printing, an administrator can make more bandwidth available in the ICA data stream for the transmission of video, keystrokes, mouse data and more. Making additional bandwidth available can help prevent degradation of the user experience during printing.

An administrator can configure printing bandwidth in client sessions using the following policy rules:

Printer redirection bandwidth limit

This policy rule can be used to enable and disable the printing bandwidth limit using the Citrix Policies node of the GPMC or the Policies node of the Delivery Services Console.

Printer redirection bandwidth limit percent

This policy rule can be used to specify the percentage of total bandwidth that can be used for printing. In addition, the Overall session bandwidth limit policy rule must be enabled before this rule will have an effect on the bandwidth used by printing.

An administrator can use the Citrix Session Monitoring and Control Console, included in the WFAPI SDK, to obtain real-time information about printing bandwidth. The print spooling virtual channel control, that is, the CTXCPM Client printer mapping virtual channel control, allows an administrator to set a priority and bandwidth limit for bandwidth control of the virtual channel.


Practice: Printing Definitions

Match the printing policy rules in the following table to the correct terms.

Term

__ Auto-creation

__ Printer properties retention

__ Turn off client printer mapping

__ Legacy client printers

__ Print job routing

Definition

a. A rule that enables the use of old-style printer names as used by prior versions of XenApp

b. A rule that controls whether network printer jobs flow directly from XenApp server to the print server or take an extra step and are routed back through the client device

c. A rule that controls whether printer properties are stored on the client device or user profile

d. A rule that disables the mapping of all client printers

e. A rule that controls the auto-creation of all, local, default or no client printers.


Troubleshooting Printing Issues

An administrator can use the solutions in the following table to address common printing issues.

Issue: Printers do not auto-create.

Resolution:

• Verify that the printer driver for the printer is installed on the server being accessed by the session. If not, install the printer driver on all XenApp servers or use a Citrix Universal Printer Driver.

• Verify that the Auto-create client printers policy rule does not prohibit the creation of the printer.

• Verify that a higher priority policy is not preventing the auto-creation of the printers.

• Verify that the administrator can auto-create client printers. If so, confirm that users have at least Read, Write, and Execute permissions to the following folder and file:

%SYSTEMROOT%\SYSTEM32\SPOOL

%SYSTEMROOT%\SYSTEM32\PRINTER.INF

Issue: Print jobs are garbled or fail to print.

Resolution:

• Verify that the client device/Windows Terminal has the latest software/firmware installed.

• Verify that the printer driver name for the client is the same as the printer driver name for the server. If not, map the driver names.

• Remove the incompatible printer driver, restart the Citrix Print Manager Services and use the Citrix Universal Printer Driver instead.

Consider restarting the Citrix Print Manager Services after regular business hours because the restart will discard all current print jobs on the server.

Issue: Network printers are not available in the session.

Resolution:

• Verify that the Session printers policy rule is applied to the session. By default, policies are applied to all sessions unless a filter is used to limit the application.

• Verify that a higher priority policy is not preventing the use of the printer.

• Use the NET USE command from the client device to verify that the user has permissions to the print server.

Issue: Session appears to hang at startup when users are disconnected from network.

Resolution:

• Verify that network printers are attempting to auto-create for the user and then set the Auto-create client printers policy rule to Auto-create local (non-network) client printers only for mobile users.

Issue: The Ctx_CpsvcUser account becomes corrupt.

Resolution:

• Use the information available in the CTX113555 Knowledge Base article on www.citrix.com.

For additional printing troubleshooting tips, see the CTX107137 and CTX113261 Knowledge Base articles.


Review

1. Which type of printer is accessed as a shared resource and connected to the network by means of a print server?

a. Network printer

b. Client local printer

c. Server local printer

d. Client network printer

2. Which statement concerning printing in a XenApp environment is true?

a. Auto-created network printers are identified only by their printer name.

b. Printer properties can be stored on the client device or in the user profile.

c. Auto-created client local printers are identified only by their printer name.

d. By default, only the default client printer is automatically created during logon.

3. Which statement is NOT a benefit of implementing the Universal printing policy rule?

a. It limits which printers users can access.

b. It reduces printer driver maintenance issues.

c. It ensures that client printers are auto-created regardless of printer driver availability on the server.

d. It reduces the size of some print jobs and reduces delays when print jobs are spooled over slow connections.

4. Which printer drivers are installed by default on a XenApp server?

a. No printer drivers

b. HP printer drivers

c. Universal printer drivers

d. Those designated during installation

5. Printer bandwidth limitations can be set using which two methods? (Choose two.)

a. Worker group properties

b. Published application properties

c. Policies in the Delivery Services Console

d. Citrix Policies in Group Policy Management Console


Module 14

Securing XenApp


Overview

Security is a crucial component of any production environment, including environments containing XenApp. Depending on the security needs of the environment, an administrator can incorporate several Citrix-specific security measures.

By the end of this module, you will be able to:

• Identify the components of a comprehensive XenApp security solution.

• Describe the SSL Relay communication flow.

• Secure XenApp communications using SSL Relay.

• Describe the benefits of using Citrix Access Gateway in a XenApp environment.

• Secure application access using Access Gateway.

• Avoid or resolve common security configuration missteps with simple solutions.


XenApp Security Solutions

Administrators can incorporate the following security measures for XenApp servers:

SecureICA

SecureICA can secure:

• Internal communication in a LAN or a WAN

• Communications from older clients such as the Client for DOS or the Clients for Windows (16-bit) that cannot be upgraded

SecureICA encryption should not be the only security solution used to secure communications across public networks.

SSL Relay

SSL Relay can secure:

• End-to-end communication between client devices and XenApp servers using encryption

• Communication with servers that host the Citrix XML Service

SSL Relay cannot be used with Network Address Translation (NAT) when the IP addresses of servers must be hidden or when access must be secured at a DMZ.

Citrix Access Gateway

Citrix Access Gateway can secure:

• Environments of all sizes

• Access to servers and resources in a server farm through endpoint scans and policies

• Access by users in locked-down environments such as Internet cafes

• Access from unknown or non-corporate devices

Citrix Access Gateway is a secure access solution that provides administrators with application control while empowering users with access from anywhere. With flexible deployment options and a single point of management, IT administrators set policies, which are based on roles, devices, and networks, to control access and users' actions, ensuring better security and compliance management.


Access Gateway appliance information is not addressed in this course.

For more information about Citrix Access Gateway courses, visit the http://www.citrixeducation.com web site.


SecureICA

SecureICA (ICA encryption) guards against the threat of eavesdropping by encrypting the information sent between XenApp servers and client devices. In the unlikely event that an attack succeeds, SecureICA encryption ensures that the attacker sees only screen commands and does not see sensitive information.

Although SecureICA encryption prevents eavesdropping, it does not authenticate the identity of XenApp servers as SSL/TLS does. Information is susceptible to man-in-the-middle attacks, particularly if the plug-in traffic is crossing a public network. As a result, SecureICA encryption should be used for internal networks only and should be considered as one aspect of a more comprehensive security policy.


Citrix SSL Relay

SSL Relay provides server authentication, user credential and data encryption, as well as message integrity for a TCP/IP connection. It encrypts the ICA and XML communications between:

• Web Interface and Citrix XML Service

• Client devices and XenApp servers

SSL Relay is commonly used to secure Citrix XML traffic, especially when the Web Interface server is located in the DMZ.

When SSL Relay is implemented in a farm, a server certificate and SSL Relay must be installed and configured on each XenApp server. The SSL root certificate must be present on every client device as well. The client device must connect using the FQDN of the XenApp server, not the IP address.


SSL Relay Communication

The client device and the web server running the Web Interface are allowed access to a XenApp server with SSL Relay after confirming the server certificate against a list of trusted certificate authorities.

After authentication of the server certificate occurs, all requests are negotiated in an encrypted form. SSL Relay decrypts the requests and passes them to the XenApp server. The XenApp server then uses SSL Relay to encrypt any data being sent to the client device and the web server running Web Interface. Message integrity checks in SSL Relay verify that each communication has not been tampered with.


Configuring SSL Relay

An administrator can use the following procedure to configure SSL Relay:

1. Obtain and install a unique server certificate for each XenApp server. A separate server certificate is needed for each server on which SSL Relay is enabled.

2. Install a root certificate from the certificate authority (CA) on each client device and web server running the Web Interface, if one is not already installed.

3. Configure the relay credentials, connections and ciphersuites using the SSL Relay Configuration tool.

4. Restart the XenApp servers for the configuration to take effect.

5. Configure the web servers running the Web Interface to verify the signature of the CA on the server certificate.

6. Configure the client devices so they can:

• Support 128-bit encryption.

• Verify the signature of the CA on the server certificate.

• Access network traffic on the TCP listening port used by the Citrix XTE Service.

The default TCP port is number 443.


Access Gateway

Access Gateway is a universal SSL VPN appliance that can be used to secure client connections to XenApp and XenDesktop environments as well as provide secure access to other internal network resources. Access Gateway is available both as a hardware appliance and as a virtual appliance.

Access Gateway provides the following benefits:

• A secure and scalable device

• SmartAccess technology, which allows administrators to control access based on user and endpoint device characteristics

• Secure remote access to hosted applications and desktops from the Internet

• XenApp connections through Access Gateway do not require concurrent user (CCU) licenses. Full VPN connections and endpoint analysis require the Access Gateway universal license, which is included in XenApp Platinum. The Access Gateway hardware appliance must be purchased separately.

• For complete information on using Access Gateway with XenApp, refer to the Access Gateway documentation on the http://support.citrix.com/products/index.jsp web site.

Access Gateway Deployment Scenarios

Two deployment scenarios of Access Gateway with XenApp are possible:

Access Gateway and the Web Interface in the DMZ

In this deployment scenario, which is best practice, the Access Gateway and the Web Interface server are both located in the DMZ.

Benefits: No unauthenticated traffic reaches the secure internal network. If a user fails to authenticate, the user traffic will not pass beyond the DMZ.

Drawbacks: Some security experts consider locating Internet Information Services (IIS) in the DMZ to be a security risk.

Access Gateway in the DMZ and Web Interface in the internal network

In this deployment scenario, the Access Gateway is located in the DMZ and the Web Interface is deployed behind the firewall, within the internal network.

Benefits:

• IIS is not located in the DMZ and is more secure behind the firewall in the internal network.

• Only one Web Interface instance is required for both internal and external users.

Drawbacks: Access Gateway does not perform authentication. Therefore, encrypted but unauthenticated traffic can enter the internal network to reach Web Interface.

Figure 14-1: Access Gateway in the DMZ and Web Interface in the internal network


It is important to consult with a security expert to determine an appropriate security strategy for the organization. In general:

• Carefully consider whether the Web Interface should be located in the DMZ or in the internal network.

• If the Web Interface is placed in the DMZ, use Citrix SSL Relay to secure the Citrix XML traffic.

Access Gateway Communications

The following process provides an overview of the communications when Access Gateway is deployed in a XenApp environment.

1. The user navigates to the Access Gateway entry point. Access Gateway optionally runs an endpoint analysis scan before authentication. If the scan is successful, Access Gateway presents the authentication page to the user.

2. The user authenticates to Access Gateway. If authentication is successful, the credentials and endpoint analysis scan results are forwarded to the Web Interface, which passes the results to XenApp.

3. The user clicks a published application and the request is sent to the Web Interface.

4. The Web Interface generates an ICA file that includes a session ticket generated by the Secure Ticket Authority (STA).

5. The plug-in on the client device processes the ICA file and presents the ICA session ticket to Access Gateway.

6. Access Gateway validates the ticket. If the ticket is valid, the STA responds with the IP address of the XenApp server hosting the published application.

7. Access Gateway establishes a connection between the plug-in on the client device and the XenApp server.

Digital Certificates

ICA traffic between client devices on unsecured networks and the XenApp servers in the secure network is encrypted using an SSL version 3 or TLS version 1 protocol. These protocols rely on digital certificates to verify the identity of the systems participating in the connection.

Access Gateway uses two types of digital certificates to provide secure communication and effective authentication:

Server certificates

Issued by a certificate authority (CA) and provides a way to confirm the identity of a server before data is transmitted to it

The server certificate is based on the unique FQDN name of the server.

Root certificates

Issued by a CA and used to confirm the authenticity of the CA signature on the server certificates

In a XenApp environment, the root certificate must be installed on each client device and Web Interface server. If an internal certificate is used for cost savings, the internal certificate must also be installed on each client device.

Access Gateway self-signed certificates cannot be used as a root certificate.

The responsibility for issuing certificates can be delegated to an intermediate CA, which issues intermediate certificates, when a certificate base is too large for a single CA to maintain.

Obtaining digital certificates incurs a cost and can take several days, especially if a third party is contracted for this purpose. However, the main advantage of using a third party is that most popular operating systems embed root certificates so an administrator does not need to install them on the servers and client devices.

Access Gateway Certificate Requirements

• Web Interface - Root certificate

• Citrix XML Service on XenApp servers - Server certificate

A root certificate must be installed on the Web Interface server because IIS requires a root certificate to make HTTPS connections to the Access Gateway. The IIS certificate and Access Gateway certificate must be from the same certificate authority. The Certificates MMC snap-in tool must be used to install the certificate and add it to the Trusted Root Certification Authorities on the local system.

If the communication is secured between the Access Gateway and the Secure Ticket Authority (STA) on the XenApp servers, each XenApp server that hosts the Citrix XML Service must also have a server certificate installed. The certificate must be trusted by the Access Gateway.

Securing Access to Hosted Applications

Instead of allowing VPN traffic between clients and servers running XenApp, administrators can configure Access Gateway for ICA proxy mode, sometimes known informally as Secure Gateway replacement mode.

In ICA proxy mode, Access Gateway functions as an SSL proxy server between XenApp and client devices accessing published resources. In this configuration, client devices do not connect to the internal IP addresses of servers running XenApp. As a result, client devices do not need the Secure Access plug-in to access published resources; only the Citrix online plug-in is required on client devices.

ICA proxy allows Access Gateway to secure access to hosted applications with the following benefits:

• A hardened appliance in the DMZ

• Browser-only access to published resources

• Granular access control with secure application access

• Traffic optimization, compression and SSL offload

• Support for Citrix Receiver

When Access Gateway is configured for ICA proxy mode, the Secure Access plug-in is not required.

Access Gateway Authentication

When ICA proxy mode is enabled, Access Gateway authentication can be either enabled or disabled. If Access Gateway authentication is disabled, Web Interface is responsible for authenticating users. As a result, when users navigate to the Access Gateway FQDN, they are automatically forwarded to the Web Interface site. Users enter their credentials directly on the Web Interface site, which validates the credentials against the authentication service.

However, if Access Gateway authentication is enabled, both Access Gateway and Web Interface are responsible for authenticating users. When users navigate to the FQDN of the Access Gateway, the Access Gateway logon page is displayed. Users enter their credentials on the logon page, which validates the credentials against the configured authentication server. If validation is successful, Access Gateway automatically forwards the credentials to Web Interface, which also validates them.


Single Sign-on to Web Interface

If ICA proxy mode is enabled, Access Gateway automatically provides single sign-on to Web Interface. User credentials entered on the Access Gateway logon page are forwarded to Web Interface, which also validates them. As a result, users enter their credentials only once but are authenticated twice. This increases security as only authenticated users and traffic are allowed access to Web Interface.

When ICA proxy mode is disabled but the Access Gateway home page is set to the Web Interface site, administrators can enable Single sign-on manually.

Enabling ICA Proxy Mode

ICA proxy mode is set as part of an access policy. An administrator can use the following procedure to enable ICA proxy mode in the Access Gateway Administration Tool.

1. Click Authentication > Secure Ticket Authority and enter the Secure Ticket Authority settings.

2. Select the Access Policy Manager tab.

3. Right-click a user group and then click Properties.

4. Select the Gateway Portal tab and select Redirect to Web Interface.

5. Type the appropriate path in the Path field:

Web Interface Type: Path

Web Interface 4.5: /Citrix/AccessPlatform

XenApp Web for Web Interface: /Citrix/XenApp

XenApp Services for Web Interface: /Citrix/PNAgent

6. Type the IP address or FQDN of the Web Interface in the Web server field and click OK.

SmartAccess

SmartAccess allows administrators to control user access to applications published in XenApp based on Access Gateway policy expressions, including end-point analysis (EPA) scans and SSL certificate checks. For example, by configuring secure application access, administrators can deny users access to published applications if they fail an antivirus endpoint analysis scan. Administrators can also use SmartAccess to allow users a full VPN tunnel if connecting from a corporate-managed system or ICA-only access if connecting from another type of device.

SmartAccess Policies

Secure application access utilizes Citrix policy filters to control user access to published applications. If an Access Gateway policy evaluates to true based on the results of an EPA scan, the name of the session policy is sent to XenApp. XenApp compares the policy name with the policy filter names configured in the Access Control properties for a published application. Depending on the policy configuration, if the names match, the application will or will not appear in the list of applications available to the user.

If an Access Gateway policy does not evaluate to true, the Access Gateway policy name is not sent to XenApp. Again, depending on the configuration, the application will or will not appear in the list of applications available to the user.

In addition to controlling application access, policy filters can be used to apply Citrix policies to user sessions. If an Access Gateway policy evaluates to true based on the results of an EPA scan, the corresponding Citrix policy will be applied to the user session. If an Access Gateway policy does not evaluate to true, the corresponding Citrix policy will not be applied to the user session. For example, an administrator can configure policies so that if a connection attempt passes an EPA scan for antivirus software, client drive mapping would be enabled for the user’s XenApp session. Conversely, if the connection attempt did not pass the EPA scan, client drive mapping would be disabled.

For more information on SmartAccess, see the Access Gateway documentation on the http://support.citrix.com web site.


Practice: Security Solutions

Match the security solutions listed below with the appropriate scenario in the following table. Each solution is used at least once.

• SecureICA

• SSL Relay

• Access Gateway

Scenario: Lydia is the administrator of a large server farm with users that access the server farm resources through the Internet.

Security Solution: __

Scenario: Jeremy is the administrator of a large server farm with users that access the server farm resources internally through the LAN at the company.

Security Solution: __

Scenario: Ben is the administrator of a small server farm and needs to provide encryption of the communications being sent to the client devices and the Web Interface.

Security Solution: __

Scenario: Adam is the administrator of a small server farm and needs to provide two-factor authentication to users accessing server farm resources through the Web Interface.

Security Solution: __


Web Interface Configuration

Access Gateway, together with the Web Interface, provides a single, secure encrypted point of access from the Internet to servers on an internal corporate network.

When Access Gateway is implemented in an environment, the Web Interface site can be configured to send the addresses of the XenApp servers to the Access Gateway. This configuration allows plug-ins to securely connect to XenApp servers.

Access Methods

Web Interface can be configured for the following access methods:

Gateway direct

Sends the actual address of the XenApp server to the Access Gateway

This setting is the most common access method.

Gateway alternate

Sends the alternate address assigned to the XenApp server to the Access Gateway

This setting requires configuration of the XenApp server with an alternate address and configuration of the firewall for network address translation.

Gateway translated

Uses the address translation mappings set in the Web Interface to determine which address is sent to the Access Gateway

This setting is required when the address and port of the XenApp servers are translated at the internal firewall.

Gateway alternate and Gateway translated access methods each require configuration elsewhere. In a Gateway alternate configuration, ALTADDR must run on each server. Gateway translated requires configuration on the internal firewall.


Client Routes

In order to send communications through the Access Gateway, the access method must be specified in the client route. The default client route is configured to send the communications from and to all client devices using the specified access method. Additional client routes can be created for specific client devices that use a different access method.

When multiple client routes are specified, they are applied in the order in which they appear in the client address table. An administrator can change the order that the client routes are applied by moving the client routes up or down in the table.

Client Route Example

An administrator wants the communications from external users coming in over the Internet to go through the Access Gateway; however, the communications from internal users should not go through the Access Gateway. To accomplish this, the administrator configures the default client route to use a "Gateway" access method and another client route to use either the direct, alternate or translated access method so that internal communications bypass the Access Gateway. In this case Web Interface would need to be on an internal network.
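The ordered evaluation of the client address table can be modeled as a first-match lookup, which also makes it easy to spot routes that an earlier entry hides. This is an added example, not Citrix code: the first-match reading, the table layout, the addresses and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed client address table, top to bottom: (client network, access method).
# Access method names follow the manual; the networks are made-up sample values.
CLIENT_ROUTES = [
    ("10.0.0.0/8", "direct"),            # internal users bypass the Access Gateway
    ("192.168.50.0/24", "translated"),   # branch office behind a translating firewall
    ("0.0.0.0/0", "Gateway direct"),     # default client route: all other clients
]

# The same entries with the default route moved to the top (a misordering).
MISORDERED_ROUTES = [CLIENT_ROUTES[2], CLIENT_ROUTES[0], CLIENT_ROUTES[1]]


def parse_routes(routes):
    """Convert (cidr, method) pairs into (ip_network, method) pairs."""
    return [(ipaddress.ip_network(cidr), method) for cidr, method in routes]


def access_method_for(client_ip, routes):
    """Return the access method of the first route containing client_ip.

    Assumption: routes are applied top to bottom and the first match wins.
    Returns None when no route matches.
    """
    addr = ipaddress.ip_address(client_ip)
    for network, method in parse_routes(routes):
        if addr in network:
            return method
    return None


def shadowed_routes(routes):
    """Return routes that can never match because an earlier route covers them.

    Each result is (network, method, covering_network, covering_method).
    """
    parsed = parse_routes(routes)
    hidden = []
    for index, (network, method) in enumerate(parsed):
        for earlier, earlier_method in parsed[:index]:
            if network.version == earlier.version and network.subnet_of(earlier):
                hidden.append((str(network), method, str(earlier), earlier_method))
                break
    return hidden


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.50.20", "203.0.113.7"):
        print(ip, "->", access_method_for(ip, CLIENT_ROUTES))
    for entry in shadowed_routes(MISORDERED_ROUTES):
        print("never matches:", entry)
```

With the default route at the top, every internal client is sent through the Access Gateway and the two specific routes are reported as unreachable; a broad non-gateway route placed above the default has the opposite effect and lets covered clients bypass the gateway.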

Access Gateway Settings

The following settings can be configured for a Web Interface site to enable it to work with the Access Gateway:

FQDN

Identifies the FQDN of the Access Gateway. This value must exactly match the name on the Access Gateway certificate.

Port

Identifies the port to be used by the Access Gateway. The default port is 443.

Enable session reliability

Enables and disables the reconnection of user sessions in broken connections. Session Reliability is provided by the Citrix XTE Service through the Common Gateway Protocol (CGP).

Secure Ticket Authorities URLs

Identifies the URLs of the Secure Ticket Authorities (STAs). A single STA is capable of supporting a large number of users. As many as 256 STAs can be specified to provide fault tolerance. The URL must include the FQDN of a XenApp server and end with /SCRIPTS/CTXSTA.DLL.

Load Balancing

Distributes the ticketing load across the available pool of STAs. Load balancing is done by round robin. By default, any failed STA is removed from the round-robin list for one hour. Hardware load balancer solutions are not recommended for STA load balancing.

Bypass failed servers for

Specifies the amount of time the Web Interface will avoid contacting a failed STA. After the bypass interval has passed, the Web Interface will attempt to contact that STA again.
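The STA URL rules and the round-robin behavior with a bypass interval, as described in the settings above, can be modeled as follows. This is an added example, not Web Interface code: the class and function names are hypothetical, the host names are constructed, and the http/https scheme check and case-insensitive path comparison are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_STAS = 256                  # limit stated in the settings table
DEFAULT_BYPASS_SECONDS = 3600   # a failed STA is skipped for one hour by default
STA_PATH = "/scripts/ctxsta.dll"

# Constructed sample list; the host names are placeholders.
SAMPLE_STAS = [
    "http://xa1.corp.example/scripts/ctxsta.dll",
    "https://xa2.corp.example/SCRIPTS/CTXSTA.DLL",
    "http://xa3.corp.example/scripts/ctxsta.dll",
]


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_sta_urls(urls):
    """Return (url, problem) pairs; an empty list means the STA list is acceptable."""
    problems = []
    if len(urls) > MAX_STAS:
        problems.append(("<list>", "more than %d STAs specified" % MAX_STAS))
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme not in ("http", "https"):
            problems.append((url, "scheme must be http or https"))
        elif not parts.path.lower().endswith(STA_PATH):
            # Compared case-insensitively (assumption about the web server).
            problems.append((url, "path must end with /SCRIPTS/CTXSTA.DLL"))
        elif _is_ip_literal(host) or "." not in host:
            problems.append((url, "host must be the FQDN of a XenApp server"))
    return problems


class StaPool:
    """Round-robin STA selection that skips failed STAs for a bypass interval."""

    def __init__(self, urls, bypass_seconds=DEFAULT_BYPASS_SECONDS):
        self.urls = list(urls)
        self.bypass_seconds = bypass_seconds
        self.failed_at = {}      # url -> time the failure was recorded
        self.next_index = 0

    def mark_failed(self, url, now):
        self.failed_at[url] = now

    def pick(self, now):
        """Return the next usable STA URL, or None if every STA is bypassed."""
        for _ in range(len(self.urls)):
            url = self.urls[self.next_index]
            self.next_index = (self.next_index + 1) % len(self.urls)
            failed = self.failed_at.get(url)
            if failed is None or now - failed >= self.bypass_seconds:
                self.failed_at.pop(url, None)   # interval passed: try it again
                return url
        return None


if __name__ == "__main__":
    print(validate_sta_urls(SAMPLE_STAS + ["http://10.0.0.5/scripts/ctxsta.dll"]))
    pool = StaPool(SAMPLE_STAS)
    pool.mark_failed(SAMPLE_STAS[0], now=0)
    print([pool.pick(now=60) for _ in range(3)])
```

Times are passed in explicitly so the bypass logic can be exercised without waiting; when every STA is inside its bypass interval, `pick` returns None and no ticket can be requested.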

Configuring Web Interface for Access Gateway Connections

Web Interface must be able to reach a virtual server on the Access Gateway. If the Access Gateway is running in a two-arm configuration, an Access Gateway virtual server must have the same certificate and Web Interface must be able to contact the virtual server directly. This requirement includes:

• Resolving the name

• Routing traffic to the address

• Trusting the certificate

An administrator can use the following procedure to configure Web Interface for Access Gateway connections in the Web Interface Management console.

1. Select a Web Interface site and click Secure Access in the Edit Settings pane.

2. Click Add in the Edit Secure Access Settings.

3. Enter the IP address and netmask of the client network.

4. Select an access method from the list.

• Gateway direct

• Gateway alternate

• Gateway translated

If ICA proxy mode is disabled and VPN traffic to Web Interface is allowed, Web Interface can be configured in direct mode to accept user connections.

5. Type the FQDN of the Access Gateway in the Address (FQDN) field.

The Access Gateway FQDN must match the FQDN used on the Access Gateway certificate, and Web Interface must be able to resolve and send traffic to the address.

6. Type the port number of the Access Gateway virtual server.

7. Add the URLs of the Secure Ticket Authorities.


Security Configuration Best Practices

Security configuration best practices include:

• Always install the latest version of Citrix plug-ins.

• Use IP addresses rather than FQDNs to connect to the Secure Ticket Authority.

• Secure connections between Access Gateway and other services (such as LDAP and Web Interface) with SSL.

• Deploy Access Gateway in the DMZ and Web Interface in the secure network.

• Ensure the management interface for Access Gateway and XenApp are not routable from a public network and are protected by host- and network-based firewalls.

For more information about security best practices, see the XenApp security documentation on the http://support.citrix.com/proddocs/index.jsp web site.

Troubleshooting Access Gateway with XenApp

An administrator can use the solutions in the following table to address issues in a XenApp environment with Access Gateway. The Access Gateway log file is available in the administration tool under Access Gateway Cluster > Gateway > Logging/Settings > Show log file.

Issue: The client cannot connect to Access Gateway

Resolution:

• Ensure that DNS is properly configured between the client device and the Access Gateway.

• Verify that the FQDN of the Access Gateway is specified correctly and matches the name on the server certificate. The IP address cannot be used.

• Ensure that the address and port to which the plug-in connects is a valid Access Gateway service if network errors such as SSL error 4 are returned.

• Install the CA root certificate on all client devices so they can connect when using an internal certificate server or a trial certificate from a CA.

Issue: IPv6 connections fail

Resolution:

• Ensure that Web Interface 5.0 or higher and the latest Citrix plug-ins are installed.

Issue: Access Gateway cannot connect to the Secure Ticket Authority

Resolution:

• Double-check the URL for the Secure Ticket Authority. The URL can change depending on whether or not port sharing is being used, or XML is being run on a different port.

• Understand how XML is running in the environment of the Secure Ticket Authority configuration because the URL and configuration information may reside in different areas.

Issue: Users are not able to log in to Access Gateway

Resolution:

• Ensure the LDAP bind account has read privilege on the AD tree.

• Investigate:

– The Access Gateway log file

– The security event log on the domain controller

– The contents of LDAP using LDAP Browser

Issue: A user is not able to log in to Access Gateway

Resolution:

• Verify that the logon credentials are valid.

• Investigate:

– The Access Gateway log file

– The security event log on the domain controller

Issue: User gets an "Access denied" error

Resolution:

• Verify that the access method settings and Access Gateway settings for the Web Interface are correct.

• Investigate:

– The Access Gateway settings:

› Authentication

› Secure Ticket Authority IP address and port

› Authorization

› Session profile settings for published applications

– The Web Interface settings:

› DMZ settings

› Gateway settings

› Authentication service URL

– XML settings on XenApp server

– Access Gateway log file

– Web Interface trace

– Web Interface application event log

Issue: User gets a "Resource no longer available" error

Resolution:

• Verify the XML port in the Secure Ticket Authority for the Web Interface configuration is correct.

• Investigate:

– The Access Gateway log file

– The XML service and configuration on Web Interface and XenApp servers

Issue: A Secure Ticket Authority ticket is not issued and user gets an SSL error upon launching a published application

Resolution:

• Verify the Secure Ticket Authority configuration.

• Investigate:

– The ICA file to ensure that it contains a valid ticket (right-click published application icon and save it as .TXT file)

– The accuracy of the Secure Ticket Authority link in Web Interface

– The Secure Ticket Authority monitor to ensure it is running

– The Access Gateway log file

For more information on troubleshooting, see the Access Gateway documentation on the http://support.citrix.com/proddocs/index.jsp web site.

Review

1. Which component is not required for Access Gateway integration with Web Interface?

a. A failover virtual server

b. A FQDN that Web Interface can resolve

c. An SSL certificate that Web Interface trusts

d. An Access Gateway server that Web Interface can access

2. Which two critical security capabilities is SecureICA not designed to do? (Choose two.)

a. It does not authenticate the XenApp server that the client accesses with SSL certificates.

b. It does not encrypt session data sent between the client and the XenApp server.

c. It does not authenticate the user that is requesting access to the XenApp server.

d. It does not encrypt user authentication credentials sent between the client and the XenApp server.

3. Which two deployment scenarios are valid for Access Gateway and XenApp? (Choose two.)

a. Access Gateway in the DMZ, Web Interface in the DMZ

b. Access Gateway in the DMZ, Secure Ticket Authority in the DMZ

c. Access Gateway in the DMZ, Web Interface in the internal network

d. Access Gateway in the secure network, Web Interface in the DMZ

e. Access Gateway in the secure network, Secure Ticket Authority in the DMZ

Module 15

Monitoring

Overview

At the end of this module, you will be able to:

• Identify available Health Monitoring and Recovery tests.

• Track the usage of XenApp licenses at a point in time and over time.

• Automate complex workflows.

• Access XenApp information using PowerShell and other command line tools.

Health Monitoring and Recovery

Health monitoring and recovery verifies specified XenApp services and sends an alert or takes an action when the verification fails. This capability is important to ensure proper functioning of a XenApp environment.

Health Monitoring Policies

Health monitoring and recovery settings are implemented as Citrix policies. Three policy types are available:

Health monitoring: Allows or prevents running health monitoring tests on the farm servers

Health monitoring tests: Specifies which tests to run

Preconfigured, default tests include the following (test, then function):

• Citrix IMA Service: Queries the service to ensure that it is running

• Logon Monitor: Monitors session logon/logoff cycles

• XML Service: Requests a ticket from the Citrix XML Service running on the server and prints the ticket

• Terminal Services (Remote Desktop Services): Enumerates the list of sessions running on the server and the session user information, such as user name

• Check DNS: Performs a forward DNS lookup using the local host name to query the local DNS server in the environment for the IP address

• Check Local Host Cache (LHC): Ensures the data stored in the local host cache of the XenApp server is not corrupted and that there are no duplicate entries

• Check XML threads: Inspects the threshold of the current number of worker threads running in the Citrix XML Service

• Microsoft Print Spooler Service: Enumerates printer drivers, printer processors, and printers to determine whether or not the Print Spooler Service in Windows Server 2008 R2 is healthy and ready for use

• ICA Listener: Determines whether or not the XenApp server is able to accept ICA connections

• Citrix Print Manager Service: Enumerates session printers to determine the health of the Citrix Print Manager Service.

In addition, custom tests can be scripted and added to a health monitoring policy.

Administrators can update the default names of the preconfigured tests.

For more information on Health Monitoring Tests for XenApp 6, see the support.citrix.com/proddocs/index.jsp web site.

For each test, the following parameters are required:

• Interval: How frequently to check

• Time-out: How long to wait after checking before determining that the check has failed

• Threshold: How many checks to run before executing the recovery action

• Recovery action: Which action the farm should take if the test fails. The options are:

– Alert only

– Remove server from load balancing

– Shutdown IMA service

– Restart IMA service

– Reboot server

Maximum percent of offline servers: The maximum percentage of servers that health monitoring and recovery can exclude from load balancing.

An administrator can use the Citrix Policies node of the Group Policy Management Console (GPMC) or the Policies node of the Delivery Services Console to enable or disable health monitoring and recovery policies.

Health Monitoring and Recovery Example

An administrator of a small server farm has configured the health monitoring and recovery feature to run all of the available tests on all servers running XenApp in the farm except on the servers acting as dedicated data collectors. Because no user sessions will be running on these servers, the administrator configures only the Citrix IMA Services test to be run on the data collector servers.

EdgeSight Monitoring

Citrix EdgeSight is a performance and availability management solution. In XenApp environments, it is used to monitor:

• License usage

• XenApp server performance and availability

• Published application performance and availability

EdgeSight for XenApp provides visibility into the following key areas:

• Farm-wide monitoring, including a tree view of the entire farm structure, visual detection of farm and subfolder errors and visual flags for devices with alerts

• Server availability, health check and session reliability monitoring

• Suite Monitoring and Alerting (SMA) log entries and alerting

• Extended end-user experience monitoring (EUEM) of the full set of ICA channels, providing a granular view of the environment

Active Application Monitoring (AAM) allows for the establishment of configurable service level agreements (SLAs). An administrator can synthesize user tasks and monitor their execution time while EdgeSight provides feedback on application performance and availability based on the user experience. When SLA violations occur, real-time alerts containing diagnostic information can be triggered for the administrator’s review and action.

EdgeSight Components

For general performance reasons, 64-bit systems are recommended for EdgeSight server components. A Citrix EdgeSight environment consists of the following components:

• EdgeSight web console

• EdgeSight agents

• EdgeSight server

– Web Component

– Microsoft SQL Server Database

– Microsoft SQL Server Reporting Services

• Citrix License Server

• SMTP server

• SNMP server

EdgeSight Agents

The EdgeSight agent is a service that runs on a user device or XenApp server and collects data, which it writes into an agent-side database. At intervals the agent aggregates the data into a payload, sends the payload to the EdgeSight server and issues alerts if certain criteria are met. Data can also be displayed directly from an agent database for use in issue resolution.

The EdgeSight agent monitors the following types of data:

• Device

• Network

• Process

• Published application

• Session

• User

• XenApp

• XenDesktop

The following list describes the types of EdgeSight agents available:

Endpoint agent: The endpoint agent is designed for client devices. The agent operates continuously and discreetly on client devices collecting performance, resource, application and network data.

XenApp agent: The XenApp agent is designed for use on Citrix XenApp servers. The agent records information about user sessions, client and server performance, application usage and network connections. Two types of XenApp agents are available:

• Basic: Records data equivalent to previous versions of XenApp Resource Manager

• Advanced: Records the full set of metrics for end-user experience monitoring (EUEM)

Basic agent functionality requires only a XenApp Enterprise Edition license, while advanced agent functionality requires a XenApp Platinum Edition or EdgeSight for XenApp license.

Virtual Desktop agent: The Virtual Desktop agent is designed for XenDesktop virtual desktops. It monitors system, application and network performance.

EdgeSight Server

The EdgeSight server collects data from the distributed agents and allows administrators to display the data to identify potential issues in the enterprise and to assist in issue resolution.

The following components make up the EdgeSight server:

Web component: Serves as the configuration and reporting console of the EdgeSight architecture, accepts the data uploads from the agents and displays performance and availability information in a wide range of standard reports

Database: Stores the data uploaded from the agents and acts as the data source for Microsoft SQL Server Reporting Services

Report server: Generates performance and availability information as reports from Microsoft SQL Server Reporting Services

EdgeSight Web Console

Administrators and support personnel interact with the EdgeSight server through the EdgeSight web console. The console provides a powerful and flexible tool for displaying availability and performance information from the data collected by the distributed agents. Accessing the console is as simple as opening a web browser to the URL for the EdgeSight server and providing credentials on the logon page. An EdgeSight user can access the console using the http://servername/edgesight URL. Replace servername with the name of the EdgeSight server.

License Server

A Citrix license server is used to supply licenses authorizing EdgeSight agents to upload data to an EdgeSight server. The license server can be anywhere on the network as long as it can be reached from the web server component of the EdgeSight server. A single license server can be shared by several Citrix products, including multiple EdgeSight servers.

SMTP Server

An SMTP server is used to send email notices to administrators for many conditions, including:

• Alert notification distribution

• Server error conditions

• New user passwords

SNMP Server

An SNMP server is an optional component of the EdgeSight environment. EdgeSight can send SNMP traps to notify system management consoles that alert conditions have been reached.

Microsoft System Center Operations Manager

System Center Operations Manager is an end-to-end service management product. EdgeSight alerts can be forwarded to System Center Operations Manager.

EdgeSight Communication

It is important for an administrator to understand the basic EdgeSight architecture and communication processes to effectively monitor an environment.

Agent Data Collection

Data collection is typically performed during hours of normal system usage to ensure that the data collected is an accurate representation of system availability and performance, without being skewed by large amounts of idle time. Some metrics, such as critical application and service resource statistics, are only collected when the user is actively using the system. This improves data accuracy and avoids capturing usage data for non-critical tasks, such as screensavers.

Agent Data Aggregation

XenApp agent data is aggregated in the following way:

• Every 15 seconds, data is collected and stored in the local agent database. The detailed data is retained for approximately four hours, dependent on the volume of data generated.

• Approximately every 20 minutes, the collected data is aggregated into five-minute chunks. This time interval may vary up to several hours under system load.

• The five-minute data is retained in the agent database for three days so that historical information can be displayed. The time that the data is retained can be extended up to 29 days.

• Twice each day, the agent contacts the EdgeSight server to determine if data needs to be uploaded. The agent re-aggregates the data into one-hour chunks and then uploads it to the EdgeSight server. This frequency is configurable.

If the agent software cannot reach the EdgeSight server, the aggregated data is retained for up to 29 days, or until the data is uploaded to the server.

The data retention time can be configured by an administrator if required.

Performance Data

Performance data includes system metrics that are not linked to a specific event but to normal system operation. EdgeSight captures data related to system, network, application and XenApp session performance.

For complete lists of individual metrics, see the EdgeSight documentation on the support.citrix.com/proddocs/index.jsp web site.

Event-Driven Data

Event-driven data includes metrics that are generated by an event occurring on the user system, for example, when the user invokes and starts to use an application or when a socket connection is made. The following list describes the application data that EdgeSight captures:

Application issues: EdgeSight can be used to determine:

• Which error message appeared

• When the error or crash occurred

• How many times the error or crash occurred

• Which system generated the error or crash

• What else was running on the system at the time of the error or crash

Application usage: EdgeSight can be used to determine:

• How long the application was running in memory

• How much active or idle time has elapsed

Network connection: EdgeSight can be used to determine:

• How long network communications take

• What the average speed of the network is

• How much network volume is being utilized

• Which systems are experiencing the most delay

• Which applications are generating the most volume

• Which systems are responding slowly

• Which protocols are in use on the network

Agent Data Upload

When the agent is first installed, it registers itself with the server and obtains information about when data is scheduled to be uploaded to the server and what data is required by the server. Details about the data upload process include the following:

Upload schedule: Data is uploaded from the agent database to the associated EdgeSight server by default once each day for endpoints and twice each day for XenApp servers.

The agent can be configured to upload as frequently as once each hour. For instance, a midday data upload can be scheduled to evaluate morning activity.

Data upload size: EdgeSight for XenApp agent data uploads can reach 500KB to 5MB.

These data upload sizes depend on a number of factors such as the agent configuration and the usage profile of the system hosting the agent.

For a database size estimation tool, see Knowledge Base article CTX122146 on the http://support.citrix.com web site.

Communication Protocol: HTTP or HTTPS is used to transfer the data to the server.

The data upload process is as follows:

1. The EdgeSight agent contacts the EdgeSight server to find out which data is requested based on when the last successful upload occurred.

2. The EdgeSight server responds with instructions for the data upload.

3. Based on the instructions, the agent aggregates its data into hourly chunks, bundles the aggregated data into a compressed payload and sends that payload to the configured EdgeSight server over HTTP/S.

4. The server stores the data in the local data folder from where it is retrieved and processed by the EdgeSight Script Host (RSSH).

5. The EdgeSight Script Host uploads the payload data to the Microsoft SQL Server database.

License Usage Monitoring

Service monitoring, which leverages the EdgeSight component, tracks XenApp license usage. License tracking functionality is available in all XenApp editions and is separate from the licenses that EdgeSight agents need to run. The Track Usage tab in the EdgeSight console contains reports for both current license usage and historical trends.

EdgeSight users can view current or historical license usage for all types of Citrix licenses.

The service monitoring function does not require any agents; the EdgeSight server polls the license server directly. If an EdgeSight environment will be used solely for monitoring license usage, no agents are involved.

Configuring License Alerts

An administrator can use the following procedure to create an alert rule for a license server.

1. Open the EdgeSight Console and log on with your administrator credentials. Navigate to Configure > Company Configuration > Alerts > Rules.

2. Create a new alert rule by navigating to XenApp Error Alerts > License Server Connection Failure.

No other parameter but a name for the rule is required.

3. Create an optional alert action.

Viewing License Usage

An EdgeSight user can use the following procedure to view current license usage information.

1. Navigate to Track Usage > License Usage Summary tab in the EdgeSight console.

2. Select Product groups or Individual product and click Go. The current license usage is displayed.

Viewing Historical License Data

An EdgeSight user can use the following procedure to view license usage trends:

1. Navigate to Track Usage > License Usage Trending in the EdgeSight console.

2. Select Product groups or Individual product and click Go. Historical license usage is displayed.

3. Select applicable timeframes using the Zoom button.

4. Click the magnifying glass icon next to a product to isolate trends.

Workflow Studio Overview

Citrix Workflow Studio is an IT process automation solution that enables the creation, scheduling, management and running of workflows. Workflow Studio is built on the Microsoft .NET Framework, Windows Workflow Foundation and Windows PowerShell. Through use of a graphical workflow designer, an individual with no prior scripting experience can build workflows to fully automate business and IT processes.

Key Workflow Studio terms include:

Workflow: A workflow is a compiled set of code that performs actions. Citrix Workflow Studio is geared specifically for automating IT processes through the use of workflows.

Job: A job is an instance of a workflow that is scheduled to be deployed.

Activity Library: An activity library is a pre-configured set of workflow scripts that extend the graphical workflow designer. Using activity libraries, workflows can easily be created by dragging and dropping workflow tasks to create automated processes and build customized workflows. Existing activity libraries can be downloaded from the http://community.citrix.com/cdn/wf web site.

Workflow Studio Architecture

The Workflow Studio technology stack depicted in the graphic works as follows:

1. Products expose functionality through APIs.

2. Activity Libraries make the product functionality available to the workflow developer.

3. Workflows can be created to solve business problems.

Workflow Studio is comprised of three components:

Management Console/Designer: User interface for:

• Developing and testing workflows

• Scheduling and reviewing workflow jobs

Designer Runtime: A Windows service that runs the workflow for testing

Runtime Engine: A Windows service that runs the workflow when a job is scheduled

Workflow Automation Use Cases

A workflow is the sequence of actions for a particular operation. The sequence of actions typically represents interactions between a computer system and a human operator. Workflow automation enables a computer system to complete the sequence of actions without involvement of the operator by specifying actions to perform given a set of specific criteria. Workflow automation allows instantaneous response times when thresholds are triggered by removing the need for operator interaction.

Key use cases for workflow automation include:

Power Management: Power consumption in the datacenter can be reduced by triggering the shutdown and startup of datacenter resources to coincide with time periods of high and low usage.

User Provisioning: The process of provisioning users, which includes group, password and resources assignment, can be automated.

Dynamic Resource Allocation: Changes in user traffic patterns can be detected and server resources for on-demand access can be automatically re-configured by provisioning new resources as needed to support these changes.

Disaster Recovery: Failover and recovery procedures can be automated to meet recovery time objectives and enforce consistency during a disaster event.

Product Automation: Repetitive tasks can be automated to ensure best practices are followed without introducing operator error.

Scheduled Restarts: Server restarts can be scheduled to automatically occur at a specified date and time, or at a recurring interval using workflow automation.

vDisk Image Updates: vDisk image updates can be automated on a scheduled or on-call basis in environments using Provisioning Services.

Fault Recovery: EdgeSight can use the external actions capability to launch a workflow when an alert occurs.

Accessing the Server Farm using PowerShell

XenApp is built on the PowerShell SDK and provides cmdlets for automating XenApp administration and monitoring. XenApp information is available in interactive PowerShell sessions or in PowerShell scripts.

Any task that can be performed in the Delivery Services Console can be automated with PowerShell, and most common administrative tasks have a cmdlet that can perform the task in only one line. For example, the New-XAWorkerGroup, New-XAFolder and New-XAApplication cmdlets manage applications.

An administrator can use the following procedure to access the server farm using PowerShell:

1. Open a PowerShell window from the Start menu.

2. Add the XenApp PowerShell snap-in:

PS C:\Users\Administrator> Add-PSSnapin Citrix.XenApp.Commands

3. Execute a XenApp PowerShell cmdlet. For example, the Get-XAServer cmdlet retrieves and displays information about XenApp servers in a farm.

PS C:\Users\Administrator> Get-XAServer XAProd1

ServerName : XAPROD1
FolderPath : Servers
ZoneName : Default Zone
ElectionPreference : MostPreferred
IPAddresses : {10.6.28.152}
OSVersion : 6.1.7600
OSServicePack :
Is64Bit : True
CitrixProductName : Citrix Presentation Server
CitrixVersion : 6.0.6406
CitrixEdition : Platinum
CitrixEditionString : PLT
CitrixServicePack : 0
CitrixInstallDate : 3/6/2010 10:23:39 AM
CitrixInstallPath : C:\Program Files (x86)\Citrix\
LicenseServerName : dmc
LicenseServerPortNumber : 27000
LogOnsEnabled : True
IcaPortNumber : 1494
RdpPortNumber :
SessionCount : 163

Type

PS C:\Users\Administrator> Get-Help XA

to view a complete list of the cmdlets.

For more information on using a cmdlet, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.

For example, execute the following command to view the help on the Get-XAServer command.

PS C:\Users\Administrator> Get-Help Get-XAServer
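The Get-XAServer properties shown above can drive a farm-wide check in a script. The following is an added example, not part of the course manual: the function name, the thresholds and the rule that the most common CitrixVersion is the farm baseline are illustrative, and it assumes that Get-XAServer called without a server name returns every server in the farm. When the snap-in is not registered, it falls back to constructed sample objects so the logic can be read and run anywhere.

```powershell
# Added example (not from the course manual). Uses only properties that appear in the
# Get-XAServer output shown above.
function Get-XAServerFinding {
    param(
        [Parameter(Mandatory = $true)][object[]]$Server,
        [int]$ExpectedIcaPort = 1494,   # ICA port from the sample output
        [int]$SessionWarning  = 150     # hypothetical per-server session threshold
    )

    # Assumption: the most common build in the farm is treated as the baseline.
    $baseline = ($Server | Group-Object CitrixVersion |
        Sort-Object Count -Descending | Select-Object -First 1).Name

    foreach ($s in $Server) {
        $notes = @()
        if (-not $s.LogOnsEnabled) {
            $notes += 'logons disabled'
        }
        if ($s.IcaPortNumber -ne $ExpectedIcaPort) {
            $notes += "ICA port is $($s.IcaPortNumber), expected $ExpectedIcaPort"
        }
        if ($s.SessionCount -ge $SessionWarning) {
            $notes += "$($s.SessionCount) sessions (warning at $SessionWarning)"
        }
        if ("$($s.CitrixVersion)" -ne $baseline) {
            $notes += "version $($s.CitrixVersion), farm baseline $baseline"
        }
        if ($notes.Count -gt 0) {
            New-Object PSObject -Property @{
                ServerName = $s.ServerName
                ZoneName   = $s.ZoneName
                Findings   = ($notes -join '; ')
            }
        }
    }
}

if (Get-PSSnapin -Registered -Name Citrix.XenApp.Commands -ErrorAction SilentlyContinue) {
    Add-PSSnapin Citrix.XenApp.Commands -ErrorAction SilentlyContinue
    $servers = @(Get-XAServer)   # assumption: no argument returns all farm servers
} else {
    # Constructed sample data. XAPROD1 mirrors the output above; the other two
    # servers and all of their values are made up for the example.
    $servers = @(
        New-Object PSObject -Property @{ ServerName = 'XAPROD1'; ZoneName = 'Default Zone'
            LogOnsEnabled = $true; IcaPortNumber = 1494; SessionCount = 163
            CitrixVersion = '6.0.6406' }
        New-Object PSObject -Property @{ ServerName = 'XAPROD2'; ZoneName = 'Default Zone'
            LogOnsEnabled = $false; IcaPortNumber = 1494; SessionCount = 0
            CitrixVersion = '6.0.6406' }
        New-Object PSObject -Property @{ ServerName = 'XAPROD3'; ZoneName = 'Default Zone'
            LogOnsEnabled = $true; IcaPortNumber = 1495; SessionCount = 12
            CitrixVersion = '6.0.6400' }
    )
}

Get-XAServerFinding -Server $servers |
    Format-Table ServerName, ZoneName, Findings -AutoSize -Wrap
```

With the constructed data, XAPROD1 is reported for its session count, XAPROD2 for disabled logons, and XAPROD3 for its ICA port and version.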

Administering the Server Farm using Commands

A number of command-line utilities are available to manage XenApp farms as an alternative to the Delivery Services Console. They are:

ALTADDR: Specifies server alternate IP address

APP: Runs application execution shell

AUDITLOG: Generates server logon/logoff reports

CHANGECLIENT: Changes client device mapping

CTXKEYTOOL: Generates farm key for IMA encryption

CTXXMLS: Changes the Citrix XML Service port number

DSCHECK: Validates the integrity of the farm data store

DSMAINT: Maintains the farm’s data store

ENABLELB: Enables load balancing for servers that fail health monitoring tests

ICAPORT: Configures TCP/IP port number used by the ICA protocol on the server

IMAPORT: Changes IMA ports

QUERY: Displays information about server farms, processes, ICA sessions, and users

These commands can be executed from a command prompt or PowerShell session.

For more information on these commands and their options, see the XenApp documentation on the http://support.citrix.com/productdocs/index.jsp web site.

Review

1. At which interval is data collected and stored in the local Firebird database on a XenApp EdgeSight agent?

a. 1 hour

b. 5 minutes

c. 5 seconds

d. 20 minutes

e. 15 seconds

2. When health monitoring and recovery is configured for a server, which three actions can be configured to take place automatically? (Choose three.)

a. Restart the Citrix IMA Service.

b. Restart the Citrix XML Service.

c. Shut down the Citrix IMA Service.

d. Send alerts to the Event Log of the server.

e. Send a message to the data store database.

Module 16

Additional Components

Overview

This module briefly discusses some of the additional Citrix components that can be used with XenApp.

By the end of this module, you should be able to:

• Identify the purpose and key components of SmartAuditor.

• Identify the purpose and key components of Single sign-on.

• Identify the purpose and key components of EasyCall voice services.

• Identify the purpose and key components of Branch optimization.

• Identify the purpose and key components of Provisioning Services.

• Identify the purpose and key components of Power and Capacity Management.

• Identify the purpose and key components of XenServer.


SmartAuditor

SmartAuditor allows an organization to record the on-screen activity of any user's session, over any type of connection, from any server running XenApp. SmartAuditor uses flexible policies to automatically trigger recordings of XenApp sessions, which enables IT to monitor and examine the user activity in applications and demonstrate internal control, thus ensuring regulatory compliance and successful security audits.

SmartAuditor should not be configured in countries that prohibit the recording of users' sessions.

Key benefits of SmartAuditor include:

Enhanced auditing: Provides regulatory compliance that allows organizations to record on-screen user activity in applications

Activity monitoring: Captures and archives screen updates, including mouse activity and the visible output of keystrokes in secured video recordings to provide a record of activity for specific users, applications and servers

Scalability: Allows the recording of thousands of sessions concurrently with minimum impact on system operation and performance

Live playback: Allows administrators to monitor activity in user sessions in near real-time

Flexible recording: Allows administrators to record activity based on the user, application or XenApp server being accessed

Strong security architecture: Encrypts the playback of recordings through HTTPS communications, enables clientless recording and supports all Windows platforms that have a Citrix plug-in

Clientless recording: Requires no client-side software and eliminates the need for client-side updates

Multi-platform support: Records any session initiated on XenApp from all supported Windows and non-Windows devices

SmartAuditor supports the monitoring of published applications, but cannot monitor applications streamed to client devices.

SmartAuditor Components

SmartAuditor consists of the following components:

SmartAuditor Database: A SQL Server 2005 or 2008 Enterprise or Express edition database used to store recorded session file metadata and service search requests

SmartAuditor Server: A server that hosts a web application responsible for search queries, file download requests, policy administrator requests and evaluates recording policies for each session. A Windows service on this server manages the recorded session files from each XenApp server containing a SmartAuditor agent.

SmartAuditor Policy Console: A visual interface for defining SmartAuditor recording policies. Policies can be defined at the user, group, application or server level.

SmartAuditor Agent: An agent installed on each XenApp server that records session data

SmartAuditor Player: The user interface that is used to play recorded session files and is typically installed on a workstation that is not in the datacenter

The SmartAuditor database, SmartAuditor server and SmartAuditor Policy Console can be installed on the same server or on separate servers.


Session Recording Process

SmartAuditor uses flexible policies to trigger recordings of sessions automatically, so an administrator can monitor and examine user activity, ensure regulatory compliance and conduct successful security audits of applications.

The following process explains how session recording with SmartAuditor works:

1. A user launches a published application running on XenApp.

2. The SmartAuditor Agent begins recording the session while it queries the SmartAuditor Server to determine if the session should be recorded.

3. The SmartAuditor Server returns one of the following replies:

• Record with Notification (The user is presented with a dialog stating that the session is being recorded.)

• Record without Notification (The recording begins without user notification.)

• Do Not Record (The agent stops recording and the recording file is deleted.)

4. The Agent records the session.

5. The SmartAuditor Server stores the session metadata to the database and the session recording to disk, so the recording can be retrieved and reviewed using the SmartAuditor Player.

For more information on SmartAuditor, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.


Single Sign-on

Citrix Single sign-on (formerly Citrix Password Manager) provides password security and Single sign-on access to Windows, web, and terminal emulator applications running in the XenApp environment as well as applications running on the client device. Users authenticate once and Single sign-on completes the authentication, automatically logging on to selected password-protected information systems, enforcing password policies, monitoring all password-related events, and even automating user tasks.

In addition, Single sign-on contains self-service features such as account unlock and self-service password reset. These features allow users to reset their domain password or unlock their domain accounts from the Web Interface logon page without help desk or administrator intervention.

Single Sign-on Components

The main components of Single sign-on include:

Central Store: Is the centralized repository used to store and manage user data such as credentials and security question answers, and administrative data such as password policies, application definitions and security questions.

Delivery Services Console: Contains a Single sign-on node in the console and is the command center used to configure user configuration, application definitions, password policies and identity verification for Single sign-on.

Single sign-on plug-in: Submits the credentials to the applications running on the client device or server, enforces password policies, provides self-service functionality and enables users to manage their credentials with the Logon Manager.

Single sign-on service (optional): Provides the foundation for optional features such as self-service password resets by users, protection of data during transit to the plug-in, secondary credential recovery capability, provisioning of user data and credential information and credential synchronization among domains.


Single Sign-on Process

The following process shows how password authentication works with Single sign-on:

1. The Single sign-on plug-in is installed on the client device.

2. A user attempts to access an application that requires authentication.

3. The plug-in detects the application request for authentication.

4. The plug-in locates the correct credentials in the local or central store and submits them to the application.

5. The local and central stores are synchronized.

For more information on Single sign-on, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.


EasyCall Voice Services

EasyCall voice services integrates with the existing telephone system and corporate directory and enables a user to call any phone number displayed in published, streamed, or installed Windows, Macintosh and web-based applications without dialing the number. The user simply hovers the mouse pointer over telephone numbers in application windows and then clicks a button to start the call from any telephone (office, mobile, home and so on).

EasyCall does not replace the existing VoIP or softphone system.

EasyCall Components

The main components of EasyCall include:

EasyCall Gateway: Is a virtual appliance that installs on Citrix XenServer 5 and is adjunct to the corporate telephony system

Communications plug-in: Enables most telephone numbers that appear in Windows applications to be directly called, including local, long distance, international and internal extensions

EasyCall Web Services APIs: Allows developers to build click-to-call functions into applications and develop a web service client that verifies domain/username against an authentication mechanism

EasyCall Process

EasyCall allows each user to create profiles for work, home and mobile phones. These profiles are used by the EasyCall Gateway to contact the user when a call is placed. After the EasyCall profiles are created, the user can begin using EasyCall to initiate calls from phone numbers within applications.

The following process outlines the steps involved in placing a call with EasyCall, from start to finish:

1. The user hovers the mouse pointer over a number in an application.


2. The EasyCall phonebar appears.

3. The user clicks the EasyCall button to place the call.

4. The Communications plug-in sends a call request to the EasyCall Gateway.

5. The EasyCall Gateway initiates a call from the private branch exchange (PBX) to the user’s phone.

6. The user accepts the call.

7. The EasyCall Gateway initiates a call from the PBX to the call recipient’s number.

8. The recipient accepts the call.

9. The PBX establishes the call path.

10. The EasyCall Gateway removes itself from the call cycle.

11. The user completes the conversation and terminates the call.

For more information on EasyCall, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.


Branch Optimization

Citrix Branch Optimization is a WAN optimization solution that provides a LAN-like desktop and application experience to branch and mobile users while dramatically reducing WAN bandwidth costs and simplifying branch infrastructure.

Branch Repeater Components

Branch Optimization is a symmetric solution that requires Branch Repeater technology at both ends of the WAN link. Branch optimization can take place between any pair of Branch Repeater appliances or between a Branch Repeater appliance and a Branch Repeater plug-in. A Branch Repeater appliance in the datacenter can communicate concurrently with many Branch Repeater appliances and Branch Repeater plug-ins at branch offices.


Branch Repeater is available with the following components:

Repeater appliance: Resides in the datacenter of large offices and provides acceleration for high-volume and mission-critical links. Has a browser-based user interface.

Branch Repeater appliance: Resides in branch offices and is smaller than a Repeater appliance. Uses the same user interface as the Repeater appliance.

Branch Repeater with Windows Server: Is a Windows-based appliance that resides in branch offices and is smaller than a Repeater appliance. Uses a Microsoft Management Console user interface.

Branch Repeater VPX (virtual appliance): Is a virtual Branch Repeater appliance that runs on a server running an open-source Xen hypervisor and resides in branch offices. Most, but not all of the functionality provided by a Branch Repeater appliance is available with the Branch Repeater VPX.

Acceleration plug-in: Is a software implementation of Citrix acceleration technology that runs on Windows-based client devices to provide similar acceleration features to the Repeater and Branch Repeater VPX components. The plug-in is compatible with a Repeater appliance and a Branch Repeater VPX, but not with a Branch Repeater or Branch Repeater with Windows Server.

Branch Optimization Process for the Plug-in

The Branch Optimization solution can be easily deployed because it is transparent to both the application and the network. No changes are required to the existing application delivery infrastructure.


Administrators deploy a Repeater appliance in the data center. Users install the Repeater plug-in and the plug-in accelerates the application traffic.

The following process explains how Branch Optimization works:

1. The user's application opens a connection to the server.

2. The Acceleration plug-in looks up the address and decides to redirect the connection to the Repeater appliance.

3. The Repeater appliance accepts the connection and forwards the packet to the server.

4. The server accepts the connection and responds with an acknowledgement packet.

5. The Repeater appliance rewrites the addresses and forwards the packet to the Acceleration plug-in.

6. The connection is open and the client device and server send packets back and forth through the Repeater appliance.

For more information on Branch Optimization, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.


Provisioning Services

Provisioning Services reduces total cost of ownership and improves both manageability and business agility by virtualizing the workload of a datacenter server, including the operating system, applications, and configuration, and then streaming server workloads on demand to physical or virtual servers in the network.

Provisioning Services can also be used to provision physical and virtualized desktops for use with VM hosted apps.

Delivering server workloads on demand rather than deploying them on individual servers:

• Simplifies and streamlines server management and reduces software rollout risk


• Delivers the operating system, applications and server configuration information in a real-time stream, maximizing performance and minimizing network load

• Ensures server consistency by provisioning servers simultaneously from a single standard image

• Increases IT responsiveness and agility by enabling capacity on demand; repurposes any server to do any job

• Reduces utility costs and space needs by lowering the number of backup servers needed to support disaster recovery and business continuity

• Enables rollback to a previous working image in the time it takes to reboot

• Supports redundant servers, networks, and databases

Provisioning Services included with XenApp Platinum Edition is limited to provisioning XenApp Platinum Edition workloads only.

Provisioning Services Components


The following components are used by Citrix Provisioning Services:

Provisioning Services Server: Streams a vDisk to a target device

Provisioning Services Database: Stores the Provisioning Services, vDisk, target device and system configuration settings

Store: Identifies the logical name given to a physical storage location for vDisks. The store can be placed on the Provisioning Services local drive, a SAN, CIFS share, NAS or UNC path.

vDisk: Contains an image of a workload

vDisk Pool: Identifies the collection of all vDisks available to a site. A site can contain only one vDisk pool.

Target Device: Receives the streamed operating system and applications from a vDisk

For more information on Provisioning Services, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.


Power and Capacity Management

Power and Capacity Management helps to reduce power consumption and manage server capacity by dynamically scaling up or scaling down the number of online virtualized XenApp servers. This is accomplished by consolidating user sessions onto fewer servers to improve server utilization so unnecessary servers can be powered down.

In addition, Power and Capacity Management can be used to observe and record utilization and capacity levels through monitoring and report generation.

Power and Capacity Management configuration is managed according to farms and workloads. These are distinct from XenApp farms and server groups.

Workloads and Profiles

A workload is a group of servers, defined by the administrator, that are managed as a common pool. Workloads often consist of servers that all host the same application or set of applications, referred to as an application silo. A Power and Capacity Management farm can contain one or more workloads.

Within a workload, servers are grouped by profiles. A server profile contains information the agent discovers and information provided by the administrator to measure server capacity.

The agent discovers hardware information such as the CPU type and the amount of memory, and sends it to the concentrator. The concentrator creates a profile entry in the database for a new profile or, if the profile values are the same as those in an existing profile, the existing profile is reused.

If the hardware configuration changes (for example, more RAM is added to a server), Power and Capacity Management creates a new profile. The original profile is not altered, because other servers may still be using it.

As new servers connect and report their profiles, they inherit any existing configured capacity value if they have the same profile as an existing configured server.

Power and Capacity Management Farm

XenApp servers being managed by Power and Capacity Management are called a farm. Members of a Power and Capacity Management farm can include some or all of the XenApp servers in a XenApp farm and even XenApp servers from multiple XenApp farms.


Control Modes

In Power and Capacity Management, servers are assigned a control mode. The control mode determines whether the server is eligible for power management or is participating in load consolidation. Control modes include:

Unmanaged: Servers assigned this control mode are not controlled by Power and Capacity Management.

Managed (base load): Servers assigned this control mode contribute to the capacity of the workload, but are not controlled by Power and Capacity Management. Servers that contribute essential services and should not be taken offline, for example the data collector and the server hosting the data store should be assigned this control mode.

Managed: Servers assigned this control mode are fully controlled by Power and Capacity Management.

Power Management

Power Management controls the power on and power off operations for the servers in a workload or farm using the power controller preferences set in the server properties.

For a power-on operation, the selection algorithm chooses a server with the highest power controller preference before selecting a server with a lower preference.

For a power-off operation, the algorithm chooses a server with a lower power controller preference before a server with a higher preference. If that server is currently hosting sessions, the server is placed into drain mode. While in drain mode, the server does not accept new sessions but allows the reconnection of disconnected sessions. A server in drain mode powers off only when no sessions remain.

Load Consolidation

Load consolidation has the opposite effect of traditional XenApp load balancing. It aims to consolidate sessions onto fewer servers instead of spreading load evenly across many servers. By consolidating sessions, there is greater opportunity to power down excess servers, saving power and reducing running costs. Greater consolidation of sessions equates to higher levels of utilization for each server while online.

Load consolidation works by continually monitoring the number of active sessions and remaining capacity for each server. It aims to load up small groups of servers with new sessions to an optimal load level that each server can effectively handle. Once a server reaches its optimal load, load consolidation enables an additional server in the workload to accept new session load. When used in conjunction with Power Management, this additional server will be powered on automatically if it is currently powered off.
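The power-on, power-off, drain mode and load consolidation rules described above can be exercised in a small simulation. This is an added example, not Citrix code and not part of the course material: the class names, server names, preference values and optimal load figures are constructed, and letting base-load servers host sessions and breaking ties by list order are assumptions of the model.

```python
"""Toy model of the Power Management and load consolidation rules above.
Added illustration; not Citrix code. All names and values are constructed."""
from dataclasses import dataclass

MANAGED, BASE_LOAD, UNMANAGED = "Managed", "Managed (base load)", "Unmanaged"


@dataclass
class Server:
    name: str
    control_mode: str
    preference: int          # power controller preference
    optimal_load: int        # sessions the server handles well (assumed >= 1)
    powered_on: bool = False
    draining: bool = False
    sessions: int = 0


class Workload:
    def __init__(self, servers):
        self.servers = list(servers)

    def _power_controlled(self):
        # Only servers in the Managed control mode are powered on or off.
        return [s for s in self.servers if s.control_mode == MANAGED]

    def power_on_next(self):
        """Power on the offline Managed server with the highest preference."""
        offline = [s for s in self._power_controlled() if not s.powered_on]
        if not offline:
            return None
        server = max(offline, key=lambda s: s.preference)
        server.powered_on = True
        return server

    def power_off_next(self):
        """Select the online Managed server with the lowest preference.
        An idle server powers off at once; a busy one enters drain mode."""
        online = [s for s in self._power_controlled()
                  if s.powered_on and not s.draining]
        if not online:
            return None
        server = min(online, key=lambda s: s.preference)
        if server.sessions == 0:
            server.powered_on = False
        else:
            server.draining = True
        return server

    def place_new_session(self):
        """Load consolidation: fill the fullest server still below its optimal
        load; enable (and power on) another server only when none is left."""
        accepting = [s for s in self.servers
                     if s.control_mode != UNMANAGED and s.powered_on
                     and not s.draining and s.sessions < s.optimal_load]
        if accepting:
            server = max(accepting, key=lambda s: s.sessions / s.optimal_load)
        else:
            server = self.power_on_next()
            if server is None:
                raise RuntimeError("no server in the workload can take the session")
        server.sessions += 1
        return server

    @staticmethod
    def can_reconnect(server):
        """Drain mode refuses new sessions but still allows reconnection."""
        return server.powered_on and server.sessions > 0

    def logoff(self, server):
        """End one session; a draining server powers off once it is empty."""
        if server.sessions == 0:
            raise ValueError(f"{server.name} has no sessions")
        server.sessions -= 1
        if server.draining and server.sessions == 0:
            server.powered_on = server.draining = False


def build_sample_workload():
    # Constructed servers: the data collector is base load and never powered off.
    return Workload([
        Server("XA-DC", BASE_LOAD, preference=0, optimal_load=2, powered_on=True),
        Server("XA-A", MANAGED, preference=10, optimal_load=2),
        Server("XA-B", MANAGED, preference=5, optimal_load=2),
        Server("XA-LAB", UNMANAGED, preference=99, optimal_load=2, powered_on=True),
    ])


if __name__ == "__main__":
    wl = build_sample_workload()
    print([wl.place_new_session().name for _ in range(5)])
    victim = wl.power_off_next()
    print(victim.name, "draining" if victim.draining else "powered off")
```

In the sample workload the base-load data collector fills first, the higher-preference server is powered on before the lower-preference one, and the lower-preference server is the first to be drained.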

Power and Capacity Management Components

Power and Capacity Management consists of the following components:

Agent: The agent is a Windows service that reports the capacity and system state of the XenApp server. In addition, the agent acts on operations and commands issued by the concentrator. The agent is installed on XenApp servers.

Concentrator: The concentrator is a Windows service that coordinates the system states and operations for the managed XenApp servers. As many as two concentrators can be installed, in which case they form a cluster. In a cluster, one concentrator will be the master concentrator. The Power and Capacity Management console connects to the master concentrator to obtain its data. The second concentrator will assume the master role if the master concentrator fails.

Database: The database uses Microsoft SQL Server to store information such as the inventory of servers being managed, workload assignments, schedules, metric data and configuration settings.

Reporting: The reporting component uses Microsoft SQL Server Reporting Services to provide workload reports for historical system loads, capacities and utilization summaries.

Management Console: The management console is an MMC snap-in and is used to manage, monitor and configure Power and Capacity Management.

Power Setpoints

Throughout the day and week, different demands are placed on a XenApp environment. As a result, different setpoints must be used so Power and Capacity Management can ensure that the appropriate number of servers are online to handle the expected load and that servers are powered down during periods of low demand. This can be accomplished with schedules.


Schedules allow an administrator to assign values to the setpoints based on the time of day and day of week.

A setpoint defines either a target capacity level (number of sessions) or a target number of online servers. Setpoints are used to determine how many servers should be powered on.

For more information on Power and Capacity Management, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.


XenServer

Citrix XenServer is a virtualization platform that provides open and powerful server virtualization. XenServer can reduce datacenter costs by transforming static and complex datacenter environments into more dynamic, easy to manage server workload delivery centers. It is based on the open source Xen hypervisor and delivers a secure and mature server virtualization platform with near bare-metal performance.

XenServer Components

XenServer consists of the following components:

XenServer host: The software installed on a physical server that is dedicated entirely to hosting virtual machines. The XenServer host controls the interaction between the virtualized devices seen by VMs and the physical hardware.

XenCenter: The software used to manage the XenServer host. This software can be installed on any system running a Windows operating system and can be used to run other applications simultaneously.

For more information on XenServer, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.


Review

1. Which three components are included in XenApp? (Choose three.)

a. EdgeSight

b. NetScaler

c. XenDesktop

d. SmartAuditor

e. Single sign-on

2. Which statement about EasyCall voice services is true?

a. It is a virtual appliance that allows users to access applications using any phone

b. It is a virtual appliance that enables users to place calls from business applications

c. It is a virtual appliance that verifies the password of a user accessing a business application

d. It is a virtual appliance that speeds up communication channels and replaces the PBX in an organization

3. What are two benefits of SmartAuditor? (Choose two.)

a. Administrators can monitor sessions to aid in the compliance of regulatory policies.

b. Administrators can configure a Security Module to protect the data store database.

c. Administrators can configure policies to control which applications client devices can access.

d. Administrators can specify recording options based on the user, application or the XenApp server that is accessed.

4. For which purpose can Provisioning Services be used?

a. Secure ICA traffic

b. Host virtual machines

c. Provision physical and virtual desktops

d. Automate business and IT processes


Appendix A

Review Questions and Answers


Module 2 Introducing XenApp: Review Answers

1. Which options are editions of XenApp?

a. Standard, Enterprise, Custom

b. Advanced, Essential, Platinum

c. Basic, Intermediate, Advanced

d. Advanced, Enterprise, Platinum

Answer: d

2. Which feature of XenApp delivers a high performance, high definition user experience through virtualized applications from any device, on any network?

a. SSL Relay

b. SNMP Monitoring

c. Citrix HDX technology

d. Support for Microsoft App-V

Answer: c

3. Which component is not one of the primary architectural components of XenApp?

a. Data collector

b. License server

c. Data store database

d. Desktop Delivery Controller

Answer: d

4. Which statement about Independent Management Architecture is true?

a. Communicates with XenApp using TCP port 25000

b. Delivers crucial systems that collectively leverage additional Citrix products

c. Runs on designated XenApp servers and is enabled in the Delivery Services Console

d. Provides the framework for all server-to-server communication that occurs in a XenApp farm

Answer: d


Module 3 Licensing XenApp: Review Answers

1. After a license server is installed and licenses added, servers can lose contact with the license server for up to how many days without the loss of functionality?

a. 5

b. 30

c. 90

d. 96

Answer: b

2. Which type of licensing manages the licenses that are required for each device or user to connect to a Remote Desktop Session (RDS) Host server?

a. Citrix licensing

b. XenApp licensing

c. Microsoft plug-in licensing

d. Remote Desktop licensing

Answer: d

3. Complete the following sentence. When implementing XenApp, it is a best practice to install the license server _______.

a. After installing XenApp

b. Before installing XenApp

c. On the same server as XenApp

d. On the same server as the Web Interface

Answer: b

4. What should an administrator do to obtain a license file?

a. Call Citrix Technical Support

b. Copy a file from a previous XenApp implementation

c. Log on to the MyCitrix web site using personalized credentials

d. Run the License Generation Wizard from the Delivery Services Console

Answer: c


Module 4 Installing XenApp: Review Answers

1. True or False: An individual can elevate their privilege to local administrator through User Account Control to gain membership to the local administrators group.

a. True

b. False

Answer: b

2. Which item is not available as a role in the XenApp Server Role Manager?

a. Data collector

b. XenApp server

c. Web Interface server

d. Provisioning services

Answer: a

3. Complete the following sentence. When configuring XenApp, to use an existing license server, administrators enter the license server name or __________.

a. IP address

b. license key

c. MAC address

d. administrator credentials

Answer: a

4. Complete the following sentence. If pass-through authentication is not enabled during the installation and is later desired on the server, the plug-in software __________.

a. cannot be configured to use pass-through authentication

b. automatically configures upon reboot for pass-through authentication

c. must be reinstalled on the server before pass-through authentication can be used

d. can be copied from another XenApp environment that contains pass-through authentication

Answer: c


Module 5 Configuring XenApp Administration: Review Answers

1. Which privileges can be granted to a XenApp administrator account?

a. Full, View Only, Guest

b. Read Only, Write Only, Add/Update

c. View Only, Full Administration, Custom

d. Create Accounts, Delete Accounts, Update Accounts

Answer: c

2. Which statement about folders in the Delivery Services Console is true?

a. All administrators can create folders.

b. Permissions can be assigned to individual applications in folders.

c. Folders can be used to delegate the administration of applications and servers.

d. Changes to permissions on a parent folder are automatically copied to all subfolders.

Answer: c

3. If IMA encryption is enabled, which effect will it have on the Configuration Logging database?

a. All data in the Configuration Logging database will be backed up.

b. Credentials to the Configuration Logging database will be encrypted.

c. Only an Oracle database can be used for the Configuration Logging database.

d. Only a SQL Server database can be used for the Configuration Logging database.

Answer: b

4. Which statement about worker groups is true?

a. The first XenApp server moved into a worker group becomes the zone data collector.

b. Farm servers in a worker group with a priority setting of 3 are considered the highest priority.

c. A farm server added to a worker group will automatically inherit the policy configurations for the worker group.

d. A farm server added to a worker group does not need to have an application installed locally to be able to inherit the published application configurations of the worker group and host the application.

Answer: c


Module 6 Installing and Configuring Web Interface: Review Answers

1. Which authentication method is not recommended in secure environments?

a. Smart card

b. Anonymous

c. Single sign-on

d. Novell Directory Services

Answer: b

2. Which feature allows users to disconnect and reconnect to ICA sessions as they move between client devices?

a. Workspace control

b. Explicit authentication

c. Pass-through authentication

d. Pass-through with smart card authentication

Answer: a

3. Which two types of Web Interface sites can an administrator create? (Choose two.)

a. XenApp Web

b. XenApp Plug-in

c. XenApp Services

d. XenApp Advanced Configuration

Answer: a, c

4. Which three protocols can be used to transport Web Interface data between the web server and XenApp servers? (Choose three.)

a. HTTP

b. HTTPS

c. IPX/SPX

d. SSL Relay

Answer: a, b, d

5. Which statement is true when using network address translation in a Web Interface deployment?


a. The alternate IP address of a XenApp server is included in the client files.

b. The alternate IP address of a Secure Gateway server is included in client files.

c. The ALTADDR command is used to change the IP address of the Web Interface server.

d. The internal IP address of a XenApp server is mapped to the external IP address of the Web Interface server.

Answer: a

6. The Client for Java should be used in which two situations? (Choose two.)

a. A web browser does not exist on the client device.

b. Permanent installation of plug-in software is desired.

c. Permanent installation of plug-in software is not permitted.

d. A Java-compatible web browser exists on the client device.

Answer: c, d

7. When the Citrix online plug-in is used to access published applications, which statement is correct?

a. A XenApp Web site is required.

b. A XenApp Services site is required.

c. Pass-through authentication cannot be used.

d. A web browser is used to communicate with the Web Interface site.

Answer: a


Module 7 Delivering Applications and Content: Review Answers

1. An administrator can manage published content using which node in the Delivery Services Console?

a. Content

b. Applications

c. Published Resources

d. Installation Manager

Answer: b

2. When an application set contains a large number of published applications, server desktops and content, how can an administrator effectively organize the resources for users?

a. Use load-managed groups.

b. Use the Resource Manager.

c. Create client application folders.

d. Create application folders in the console.

Answer: c

3. What are two types of content redirection? (Choose two.)

a. Client-to-server

b. Server-to-client

c. Client-to-content

d. Application-to-server

e. Content-to-application

Answer: a, b

4. An administrator can configure the importance level of a published application using which option in the properties of the application?

a. Type

b. Limits

c. Client options

d. Access control

Answer: b

5. Which statement is true about published resource properties?


a. Published resource properties cannot be modified.

b. Published resource properties can be modified at any time.

c. Published resource properties can be modified only when the resource is disabled.

d. Published resource properties cannot be modified when users are using the resource.

Answer: b

6. Which two statements about session sharing are true? (Choose two.)

a. Session sharing does not take precedence over load balancing settings.

b. All applications in a shared session must be published with the same settings.

c. Session sharing is a mode in which more than one hosted application runs on a single connection.

d. Session sharing is a mode in which more than one user can access the same hosted application in a single session.

Answer: b, c


Module 8 Streaming Applications: Review Answers

1. In addition to the standard server farm components of XenApp 6, which Citrix component is needed for application streaming to a desktop?

a. Citrix Receiver

b. Citrix online plug-in

c. Citrix offline plug-in

d. Citrix Access Gateway

Answer: c

2. Which two statements regarding the Citrix offline plug-in are accurate? (Choose two.)

a. The offline plug-in is invisible to the user.

b. The offline plug-in runs as a service on the client device.

c. The offline plug-in determines the application delivery mode.

d. The offline plug-in is displayed in the Windows notification area.

e. The offline plug-in can be used in conjunction with a XenApp Web site to access applications offline.

Answer: a, b

3. A profile creates a target based on which four criteria? (Choose four.)

a. Applications

b. Operating system

c. Service Pack level

d. System drive letter

e. Operating system language

f. Files, folders and registry settings

Answer: b, c, d, e

4. An administrator is creating a profile for an application and wants to include a specific Internet Explorer plug-in. Which type of installation should the administrator use?

a. Quick

b. Default

c. Standard

d. Advanced

e. Integrated


Answer: d

5. An administrator must publish which file type to make a streaming application available to users?

a. .EXE

b. .MSI

c. .RAD

d. .PROFILE

Answer: d

6. Which two application types can be configured in a Web Interface site so that applications stream to the desktop of a client device? (Choose two.)

a. Online

b. Offline

c. Dual mode

d. Streamed to client

e. Streamed to server

Answer: b, c

7. An administrator wants users to be able to access applications installed on the XenApp server through the online plug-in and access streaming applications when the users are offline. What must the administrator configure?

a. One XenApp Web site

b. One XenApp Services site

c. One XenApp Web site and one XenApp Services site

d. Two XenApp Web sites and two XenApp Services sites

Answer: b


Module 9 Configuring Policies: Review Answers

1. Citrix policies can be created using which three management tools? (Choose three.)

a. Delivery Services Console

b. Terminal Services Manager

c. Advanced Configuration Console

d. Advanced Group Policy Manager

e. Group Policy Management Console

Answer: a, d, e

2. When an existing Citrix user policy is changed, how long does the previous policy remain in effect?

a. For the length of the session

b. Until the user profile is changed

c. Until the user disables the policy

d. Until the user is moved to another group

Answer: a

3. Which filter is not valid for use with policies in XenApp?

a. Servers

b. Worker groups

c. Client device name

d. User and user groups

Answer: a

4. Which two events do not trigger a policy update evaluation? (Choose two.)

a. A user logs on

b. The server is rebooted

c. An OU trust is created

d. A policy update is forced

e. A print server is imported

f. The policy refresh interval is reached

Answer: c, e


5. Select the correct order in which policies are processed and applied.

a. Domain GPOs, Local GPOs, IMA-based policies, OU GPOs, Site GPOs

b. IMA-based policies, OU GPOs, Local GPOs, Site GPOs, Domain GPOs

c. Local GPOs, IMA-based policies, Site GPOs, Domain GPOs, OU GPOs

d. OU GPOs, Local GPOs, IMA-based policies, Site GPOs, Domain GPOs

e. Site GPOs, Domain GPOs, Local GPOs, OU GPOs, IMA-based policies

Answer: c


Module 10 Configuring Load Management: Review Answers

1. An administrator can attach load evaluators to which two components in a server farm? (Choose two.)

a. Users

b. Servers

c. Groups

d. Published applications

Answer: b, d

2. The Default load evaluator is based on which rules?

a. Page Faults, Load Throttling

b. Context Switch, Load Throttling

c. Disk Operations, Load Throttling

d. Server User Load, Load Throttling

Answer: d

3. The Advanced load evaluator is based on which rules?

a. CPU Utilization, Load Throttling, Memory Usage and Page Swap

b. Load Throttling, Memory Usage, Page Swap and Server User Load

c. CPU Utilization, Load Throttling, Page Swap and Server User Load

d. CPU Utilization, Load Throttling, Memory Usage and Server User Load

Answer: a

4. A server to which the Advanced load evaluator is assigned is dropped from the internal list of available servers when which event occurs?

a. When all the rules in the Advanced load evaluator meet their set thresholds

b. When one of the rules in the Advanced load evaluator meets its set threshold

c. When all the rules in the Advanced load evaluator exceed their set thresholds

d. When one of the rules in the Advanced load evaluator exceeds its set threshold

Answer: b

5. An administrator can create a custom load evaluator using which two methods? (Choose two.)


a. By using the Load Manager Monitor

b. By duplicating an existing load evaluator

c. By using the New > Add Load Evaluator menu option

d. By altering the rules in either the Default or Advanced load evaluator

Answer: b

6. An administrator can adjust load evaluator properties ____________. (Fill in the blank with the correct answer.)

a. At any time

b. At the time of creation only

c. For the Advanced load evaluator only

d. Only when the load evaluator is not being used

Answer: a


Module 11 Optimizing the User Experience: Review Answers

1. If a client device is connected to XenApp server over a slow connection and the user is experiencing delayed mouse clicks and keyboard response, which type of session optimization technology should be implemented to address this issue?

a. HDX RealTime

b. HDX MediaStream for Flash

c. SpeedScreen Latency Reduction

d. HDX MediaStream Multimedia Acceleration

Answer: c

2. An administrator should publish __________ and enable __________ for users who need to watch videos and require high quality.

a. Firefox, HDX 3D Image Acceleration

b. QuickTime, HDX MediaStream for Flash

c. Outlook, SpeedScreen Latency Reduction

d. RealOne Player, HDX MediaStream Multimedia Acceleration

Answer: d

3. Which three statements about HDX 3D Image Acceleration are correct? (Choose three.)

a. HDX 3D Image Acceleration works best with medical imaging.

b. HDX 3D Image Acceleration can be enabled using a Citrix policy.

c. HDX 3D Image Acceleration removes redundant data from an image file.

d. HDX 3D Progressive Display works in conjunction with HDX 3D Image Acceleration.

e. HDX 3D Image Acceleration provides a high image quality when the compression level is set to high compression.

Answer: b, c, d

4. Which statement about HDX MediaStream for Flash is true?

a. It auto-creates printers after the Flash Player launches.

b. It auto-creates printers before the Flash Player launches.

c. It forces the Flash Player to start in a high-quality mode instead of the default low-quality mode.

d. It forces the Flash Player to start in a low-quality mode instead of the default high-quality mode.


Answer: d

5. Which three statements are true concerning Session Reliability? (Choose three.)

a. HDX Broadcast Session Reliability reconnects the user without the loss of data.

b. HDX Broadcast Session Reliability resets the user connection upon session interruption.

c. HDX Broadcast Session Reliability reconnects the user without requiring re-authentication.

d. HDX Broadcast Session Reliability tunnels the ICA traffic through the Common Gateway Protocol (CGP) on port 1494.

e. HDX Broadcast Session Reliability tunnels the ICA traffic through the Common Gateway Protocol (CGP) on port 2598.

Answer: a, c, e


Module 12 Configuring Self-Service Applications: Review Answers

1. Which plug-in provides a self-service storefront for enterprise resources to users?

a. Dazzle

b. Online plug-in

c. Offline plug-in

d. Communications plug-in

Answer: a

2. From which component does the Merchandising Server obtain new plug-ins to distribute to client devices?

a. XenApp farm

b. Citrix Receiver

c. The Web Interface

d. Citrix Update Service

Answer: d

3. Which component manages plug-ins on a client device, allowing IT to deliver applications and desktops as an on-demand service?

a. Dazzle

b. Citrix Receiver

c. Web Interface

d. Merchandising Server

Answer: b


Module 13 Configuring Printing: Review Answers

1. Which type of printer is accessed as a shared resource and connected to the network by means of a print server?

a. Network printer

b. Client local printer

c. Server local printer

d. Client network printer

Answer: a

2. Which statement concerning printing in a XenApp environment is true?

a. Auto-created network printers are identified only by their printer name.

b. Printer properties can be stored on the client device or in the user profile.

c. Auto-created client local printers are identified only by their printer name.

d. By default, only the default client printer is automatically created during logon.

Answer: b

3. Which statement is NOT a benefit of implementing the Universal printing policy rule?

a. It limits which printers users can access.

b. It reduces printer driver maintenance issues.

c. It ensures that client printers are auto-created regardless of printer driver availability on the server.

d. It reduces the size of some print jobs and reduces delays when print jobs are spooled over slow connections.

Answer: a

4. Which printer drivers are installed by default on a XenApp server?

a. No printer drivers

b. HP printer drivers

c. Universal printer drivers

d. Those designated during installation

Answer: c

5. Printer bandwidth limitations can be set using which two methods? (Choose two.)


a. Worker group properties

b. Published application properties

c. Policies in the Delivery Services Console

d. Citrix Policies in Group Policy Management Console

Answer: d


Module 14 Securing XenApp: Review Answers

1. Which component is not required for Access Gateway integration with Web Interface?

a. A failover virtual server

b. A FQDN that Web Interface can resolve

c. An SSL certificate that Web Interface trusts

d. An Access Gateway server that Web Interface can access

Answer: a

2. Which two critical security capabilities is SecureICA not designed to do? (Choose two.)

a. It does not authenticate the XenApp server that the client accesses with SSL certificates.

b. It does not encrypt session data sent between the client and the XenApp server.

c. It does not authenticate the user that is requesting access to the XenApp server.

d. It does not encrypt user authentication credentials sent between the client and the XenApp server.

Answer: a, d

3. Which two deployment scenarios are valid for Access Gateway and XenApp? (Choose two.)

a. Access Gateway in the DMZ, Web Interface in the DMZ

b. Access Gateway in the DMZ, Secure Ticket Authority in the DMZ

c. Access Gateway in the DMZ, Web Interface in the internal network

d. Access Gateway in the secure network, Web Interface in the DMZ

e. Access Gateway in the secure network, Secure Ticket Authority in the DMZ

Answer: a, c


Module 15 Monitoring: Review Answers

1. At which interval is data collected and stored in the local Firebird database on a XenApp EdgeSight agent?

a. 1 hour

b. 5 minutes

c. 5 seconds

d. 20 minutes

e. 15 seconds

Answer: e

2. When health monitoring and recovery is configured for a server, which three actions can be configured to take place automatically? (Choose three.)

a. Restart the Citrix IMA Service.

b. Restart the Citrix XML Service.

c. Shut down the Citrix IMA Service.

d. Send alerts to the Event Log of the server.

e. Send a message to the data store database.

Answer: a, c, e


Module 16 Additional Components: Review Answers

1. Which three components are included in XenApp? (Choose three.)

a. EdgeSight

b. NetScaler

c. XenDesktop

d. SmartAuditor

e. Single sign-on

2. Which statement about EasyCall voice services is true?

a. It is a virtual appliance that allows users to access applications using any phone

b. It is a virtual appliance that enables users to place calls from business applications

c. It is a virtual appliance that verifies the password of a user accessing a business application

d. It is a virtual appliance that speeds up communication channels and replaces the PBX in an organization

Answer: b

3. What are two benefits of SmartAuditor? (Choose two.)

a. Administrators can monitor sessions to aid in the compliance of regulatory policies.

b. Administrators can configure a Security Module to protect the data store database.

c. Administrators can configure policies to control which applications client devices can access.

d. Administrators can specify recording options based on the user, application or the XenApp server that is accessed.

Answer: b, d

4. For which purpose can Provisioning Services be used?

a. Secure ICA traffic

b. Host virtual machines

c. Provision physical and virtual desktops

d. Automate business and IT processes

Answer: c


Appendix B

Practice Questions and Answers


Module 2 Introducing XenApp: Practice Answers

Match the components of XenApp in the following table with the description that best identifies its function.

Resolution | Issue
a. Stores dynamic farm information | c Worker groups
b. Makes it possible for users to access published resources | d Resource Manager
c. Allows multiple servers to be grouped together to ease administration | f Load Manager
d. Provides the ability to monitor, report and collect server resource metrics for all servers in a farm | g Web Interface
e. Allows administrators to configure administrative permissions and published resources | a Data collector
f. Ensures that each user connects to the server most capable of handling the connection | e Delivery Service Console
g. Provides users access to published resources in one or more server farms through a web browser or the Citrix online plug-in | b Citrix Plug-ins


Module 5 Administrative Configuration: Practice Answers

Use your knowledge of folders and permissions to provide the answers to the following scenarios.

Scenario 1: An administrator with full administration privileges (full administrator) grants an administrator with custom privileges (custom administrator) access to the Applications node in the Delivery Services Console. The custom administrator is given full permissions to the following:

• Publish Applications and Edit Properties

• All Application Sessions tasks

Six months later, the full administrator creates a folder within the Applications node of the Delivery Services Console to better manage the published applications in the server farm. When creating the new folder, the full administrator chooses to copy permissions from the parent folder.

Which permissions does the custom administrator have to the new folder?

Answer: The same permissions as those of the parent folder.

Scenario 2: An administrator with full administration privileges (full administrator) grants an administrator with custom privileges (custom administrator) access to the Applications node in the Delivery Services Console. The custom administrator is given full permissions to the following:

• Publish Applications and Edit Properties

• All Application Sessions tasks

Six months later, the full administrator creates a folder within the Applications node of the Delivery Services Console to better manage the published applications in the server farm. When creating the new folder, the full administrator chooses not to copy permissions from the parent folder.

Which permissions does the custom administrator have to the new folder?

Answer: The custom administrator does not have permissions to the new folder.

Scenario 3: CompanyA has a server farm that consists of ten servers: five located in Quebec and five located in Hong Kong. The administrators in each location must have permission to manage only the servers in their geographic region. To accomplish this task, the full administrator creates two folders under the Servers node in the Delivery Services Console (QB_Servers and HK_Servers). The full administrator then moves the servers into the respective folders.


What else must the full administrator do to ensure that administrators can only manage the servers in their geographic region?

Answer: The full administrator must grant permissions for the new folders to the appropriate regional custom administrators to ensure that the administrators in each location can administer only the servers in their location.


Module 6 Installing Web Interface: Practice Answers

Site Customization

Match the scenarios in the following table with the customization option used to address the scenario.

• Layout

• Appearance

• Content

Scenario | Customization Option
Change the number of tabs displayed in the site. | Layout
Change the standard language of the site to Spanish for users in Mexico. | Content
Add the company logo to the header area of the site. | Appearance
Add the "Welcome to the Marketing Department" welcome message to the site. | Content
Allow users to customize the screen layout on the client device. | Layout
Add the company logo. | Appearance

Authentication Configuration

Fill in the blanks to complete the following sentences.

1. A User Principal Name is a unique name in Windows Active Directory given to each user as an identifier and consists of a principal name and a domain name or domain alias.

2. When pass-through authentication is implemented, users do not need to enter their credentials to access their application set.

3. A smart card can be used to authenticate users to a Web Interface site.

4. An administrator can select Windows, NDS or NIS authentication for explicit logon to a Web Interface site.

5. When Novell Directory Services is selected for explicit authentication, a tree name and context name must be specified.


6. Both SafeWord and RSA SecurID two-factor authentication methods use a token and a PIN number to create a passcode.

7. When Single sign-on is integrated with the Web Interface, the reset feature can be enabled to allow users to reset their network password.


Module 7 Delivering Applications and Content: Practice Answers

Publishing Resources

Identify which statements are true and which statements are false. Correct the false statements to make them true.

1. F The display name for the published resource is auto-generated. The display name is important because it is the name that the plug-in uses to identify the published resource.

The display name for the published resource is not auto-generated. The name is specified by the administrator. It is important because it is the name that the users use to identify the published resource.

2. T An administrator can stream an application to XenApp servers and to the desktops of client devices using the application streaming feature in XenApp.

3. T After the basic settings have been configured for a published resource, an administrator can publish the resource immediately without configuring the advanced settings.

4. F Installing an application on servers in a different directory on each server in the server farm will make accessing published applications easier for the users.

The location of the published application on a server has no impact on users. Installing an application in the same directory on all servers in the server farm will make publishing an application easier for the administrator.

5. T The user profile information is persistent for configured user accounts.

Content Redirection

Match each scenario in the following table with the content redirection method that should be implemented. Each method is used once.

• Server-to-client content redirection

• Client-to-server content redirection

• Published content with client-to-server content redirection


Scenario | Content Redirection Method
Once a month, a published version of a listing of employee events is made available to all employees. Because employees have a range of client devices, HR wants employees to view the document using a published application. | Published content with client-to-server content redirection
Alisha wants to access a published version of a web-based accounting tool using a web browser installed locally on her client device. | Server-to-client content redirection
The Operations team wants to view its weekly log reports (.XLS files) using a published version of Excel. | Client-to-server content redirection


Module 10 Configuring Load Management: Practice Answers

Match the load evaluators listed below with the appropriate scenarios in the following table. Each load evaluator will be used at least once.

• Default

• Advanced

• Custom

Issue | Load Evaluator
All servers in the server farm host the same applications and can support 100 user sessions. | Default
The administrator wants to remove one or more published applications from the list of applications for a period of time. | Custom
All servers in the server farm have different server hardware but host the same published applications. | Advanced, Custom
Some servers contain published applications that require significant server resources. | Custom


Module 11 Optimizing the User Experience: Practice Answers

Match the session optimization technology listed below with the issue that each would best resolve.

1. HDX RealTime

2. HDX Plug-n-Play

3. HDX 3D Image Acceleration

4. HDX MediaStream for Flash

5. SpeedScreen Latency Reduction

6. HDX MediaStream Multimedia Acceleration

Scenario | Session Optimization Technology
Graphic artists experience long load times when viewing images with published photo imaging software. | 3. HDX 3D Image Acceleration
Accounting users experience slow keyboard and mouse response when using all published applications. | 5. SpeedScreen Latency Reduction
Users in Human Resources experience choppy playback when viewing training videos using published Windows Media Player. | 6. HDX MediaStream Multimedia Acceleration
Executives request the ability to use Microsoft Office Communicator as a video conferencing tool. | 1. HDX RealTime
Graphic artists request the ability to use 3D mice within a published application. | 2. HDX Plug-n-Play
Marketing users experience choppy playback of all Flash media when using published Internet Explorer. | 4. HDX MediaStream for Flash


Module 13 Configuring Printing: Practice Answers

Printer Drivers

Provide the correct response for each of the following questions.

1. In order to prevent printer drivers from being installed automatically, which policy rule should be configured?

Native printer driver auto-install

2. What are four benefits of using the Universal printer driver?

1. It reduces the size of some print jobs.

2. It limits the need to install and replicate printer drivers.

3. It reduces the number of help desk calls.

4. It enables users to print to almost any modern printer.

Printing Definitions

Match the printing policy rules in the following table to the correct terms.

Definition | Term
a. A rule that enables the use of old-style printer names as used by prior versions of XenApp | e Auto-creation
b. A rule that controls whether network printer jobs flow directly from XenApp server to the print server or take an extra step and are routed back through the client device | c Printer properties retention
c. A rule that controls whether printer properties are stored on the client device or user profile | d Turn off client printer mapping
d. A rule that disables the mapping of all client printers | a Legacy client printers
e. A rule that controls the auto-creation of all, local, default or no client printers. | b Print job routing


Module 14 Securing XenApp: Practice Answers

Match the security solutions listed below with the appropriate scenario in the following table. Each solution is used at least once.

• SecureICA

• SSL Relay

• Access Gateway

Scenario | Security Solution
Lydia is the administrator of a large server farm with users that access the server farm resources through the Internet. | Access Gateway
Jeremy is the administrator of a large server farm with users that access the server farm resources internally through the LAN at the company. | SecureICA
Ben is the administrator of a small server farm and needs to provide encryption of the communications being sent to the client devices and the Web Interface. | SSL Relay
Adam is the administrator of a small server farm and needs to provide two-factor authentication to users accessing server farm resources through the Web Interface. | Access Gateway


Glossary

Access Management Console

See Delivery Services Console.

account authority

The platform-specific source of information about user accounts used by a XenApp server; for example, Windows NT domain, Active Directory domain, or Novell eDirectory.

Advanced Access Control

A management component of Citrix SmartAccess thatenables granular control over applications, files, webcontent and email attachments. It manages what can beaccessed and which actions are permitted, based on theuser's access scenario.

anonymous user

An unidentified user granted minimal access to a serveror farm and its published applications.

anonymous user account

A user account defined on a XenApp server for access byanonymous users.

application set

Users' view of the published resources to which they arepermitted.

authentication

The process of identifying a user, usually based on a username and password. In security systems, authenticationis distinct from authorization, which is the process of

giving users access to system objects based on theiridentity. Authentication confirms the identity of the userbut does not impact the access rights of the user.

authentication service

A service available on a server running Citrix AccessGateway that issues access tokens for connection requestsfor resources available through a server farm. These accesstokens form the basis of authentication and authorizationfor users connecting through Access Gateway.

authorization

The process of granting or denying access to a networkresource. Most computer security systems are based on atwo-step process. The first stage is authentication, whichconfirms the identity of the user. The second stage isauthorization, which allows the user access to variousresources based on the user’s identity.

auto-creation

See printer auto-creation.

automatic reconnect

The feature that automatically reconnects users runningthe Citrix online plug-in to their sessions when theconnections are dropped as a result of network issues.

certificate

See digital certificate.

ciphersuite

When establishing an SSL/TLS connection, the client and server determine a common set of supported ciphersuites (encryption/decryption algorithms) and then use the most secure one to encrypt the communications. These algorithms have differing advantages in terms of speed, encryption strength and exportability.

Citrix Offline Plug-in

Formerly the XenApp Plug-in for Streamed Apps. The plug-in (formerly named the XenApp Plug-in for Streamed Apps) that provides streamed applications from an application profile on a network file server to the user desktop or XenApp server.

Citrix Secure Access Plug-in

Citrix plug-in software used with Citrix Access Gateway to connect users to network resources.

Citrix SSL Relay

A Citrix service that facilitates an SSL-secured connection between a XenApp server, the Web Interface or a Citrix plug-in.

Citrix Streaming Profiler

A stand-alone application that enables administrators to prepare applications, browser plug-ins, files, folders and registry settings that can stream to the client device for execution.

Citrix Universal Printer

The Citrix Universal Printer is a device-independent printer object that represents all printers on the client device. The Citrix Universal Printer reduces the number of printer objects created during printer auto-creation at the beginning of sessions.

Citrix Web Interface

The Web Interface provides users with access to published resources through the Citrix online plug-in or a standard web browser.

Citrix XML Service

A service that provides an HTTP interface to the web browser. It uses TCP packets instead of UDP, which allows connections to work across most firewalls. The default port for the Citrix XML Service is 80.

client COM port redirection

The feature that enables applications running on a server to access peripherals attached to COM ports on the client device.

client device

Any hardware device capable of running the plug-in software.

client device mapping

The feature that enables published resources running on the server to access storage and peripherals attached to the local client device. Client device mapping consists of several distinct features: client drive mapping, client printer mapping, and client COM port mapping.

client drive mapping

The feature that enables applications running on the server to access physical and logical drives configured on the client device.

client printer mapping

The feature that enables applications running on the server to send output to printers configured on the client device.

Common Gateway Protocol

A general-purpose tunneling protocol that provides connection reliability by allowing broken connections to be restored without affecting the tunneled protocols.


Configuration Logging

A feature that tracks administrative changes made to the server farm and logs them to a logging database from which reports can be generated. The Configuration Logging feature is available only with the Enterprise and Platinum Editions of XenApp.

Configuration Logging database

A database that must be set up and configured to support the Configuration Logging feature. Information about administrative changes is stored in this database and the Delivery Services Console is used to view reports from this information.

connection control

The feature that allows administrators to set a limit on the number of connections that each user can have simultaneously in the farm. Administrators can also limit the number of concurrent connections to specified published applications and prevent users from launching more than one instance of the same published application.

content publishing

This feature allows administrators to publish document files, media files, web URLs and any other type of file from any network location. Users can double-click published content icons to access content in the same way they access published applications.

content redirection

This feature allows administrators to specify whether plug-ins open published content, applications, browsers or media players locally or remotely. There are two types of content redirection: from server-to-client device and from client device-to-server.

CPU prioritization

The feature that allows administrators to assign each published application in the server farm a priority level for CPU access. This feature can be used to ensure that CPU-intensive applications in the server farm do not degrade the performance of other applications.

custom administrator

An administrator who is subordinate to a full administrator. Custom administrators cannot set up other administrator accounts and have only a subset of the permissions that a full administrator has.

data source name

The system data source name (DSN) stores information about how a plug-in can connect to a database. XenApp servers use a DSN file to access the data store.

data store

An Open Database Connectivity (ODBC)-compliant database that stores persistent data for a farm. Examples of persistent data include configuration information about published applications, users, printers, and servers. Each server farm has a single data store.

delegated administration

The feature that allows administrators to delegate areas of administration and farm management to the IT staff. Administrators can assign specialized staff members to perform specific tasks such as managing printers, published applications or user policies. Specialized staff members can carry out their assigned tasks without being granted full management access to all areas of the farm.

Delivery Services Console

Formerly known as the Access Management Console. The Delivery Services Console is a stand-alone snap-in to the Microsoft Management Console (MMC) that allows administrators to manage items in multiple server farms. Management functionality is provided through a number of management tools (extension snap-ins).


demilitarized zone (DMZ)

A network isolated from the trusted or secure network by a firewall. Network administrators often isolate public resources, such as web or email servers in the DMZ, to prevent an intruder from attacking the internal network.

digital certificate

A credential for a principal, such as a user or server. The certificate consists of the principal’s public key, a digital signature from a certificate authority and other information. The digital certificate is used to perform authentication of the principal cryptographically and to secure communications between the principal and another entity.

disconnected session

A disconnected session occurs when the client device is no longer connected to the server, but the applications in the session continue to run on the server. A user can reconnect to a disconnected session. If the user does not do so within a specified time-out period, the server automatically terminates the session.

display name

A name specified during the application publishing process that is used to identify a published resource.

file type association

A method of associating file extensions with published resources. When a user double-clicks a file with one of the associated file extensions, the published resource opens.

FQDN

Fully qualified domain name.

full administrator

An administrator who has full access to all the administrative functions and features of the server farm. Full administrators are the only ones who are allowed to create or modify other administrator accounts.

HDX 3D Image Acceleration

A feature that offers a trade-off between the quality of photographic image files as they appear on client devices and the amount of bandwidth the files consume on their way from the server to the client device.

HDX 3D Progressive Display

A feature that improves interactivity when displaying high-detail images by temporarily increasing the level of compression (decreasing the quality) of such an image when it is first transmitted over a limited bandwidth connection, to provide a fast (but low quality) initial display.

HDX MediaStream for Flash

A feature that can control and optimize the way XenApp passes Adobe Flash animations to users.

HDX MediaStream Multimedia Acceleration

A feature that can control and optimize the way XenApp passes streaming audio and video to users.

Health Monitoring and Recovery

A feature of XenApp that can run tests on servers that participate in load balancing to ensure that if one server experiences a problem, it does not interfere with the user’s ability to access published applications through another server. Citrix provides a standard set of tests; however, administrators can also develop tests using the Health Monitoring & Recovery SDK. Health Monitoring & Recovery is available only with the Enterprise and Platinum Editions of XenApp.


ICA (Independent Computing Architecture)

The architecture that XenApp uses to separate an application's logic from its user interface. With ICA, only virtual channel data such as keystrokes, mouse clicks and screen updates pass between the client device and server on the network, while 100% of the application's logic executes on the server.

ICA Client Printer Configuration tool

The utility used to configure client printers for the plug-in for Windows CE. This utility is run in an ICA session from the client device.

ICA connection

The logical port used by a plug-in to connect to and start a session on a XenApp server. It is the active link established between a plug-in and a XenApp server.

ICA file

A text file (with the extension .ICA) containing information about an ICA connection. ICA files are written in Windows .INI file format and organize published application information in a standard way that plug-ins can interpret. When a plug-in receives an ICA file, it initializes a session running the application on the server specified in the file.

ICA protocol

The protocol that plug-ins use to format user input, such as keystrokes and mouse clicks, and address it to a server farm for processing. Server farms use it to format application output (display and audio) and return it to the client device.

ICA session

A connection between a plug-in and a XenApp server, identified by a specific user ID and ICA connection. The session consists of the status of the connection, the server resources allocated to the user for the duration of the session and any applications executing during the session. An ICA session normally terminates when the user logs off from the server.

ICACLIENT.ADM

Group Policy Object template file used to configure the plug-in options and settings.

IMA encryption

A feature of XenApp that allows the administrator to automatically encrypt sensitive information that is housed in the IMA data store.

Independent Management Architecture (IMA)

A server-to-server infrastructure that provides robust, secure and scalable tools for managing any size server farm. Among other features, IMA enables centralized platform-independent management, an ODBC-compliant data store and management products that plug into a management console.

inter-isolation communication

A feature provided by the Streaming Profiler that allows individually profiled applications to communicate with each other when launched on the client device.

isolation environment

A feature provided by the application streaming feature that allows published applications to run on the local client device without interfering with other applications running on the same device. An isolation environment is specific for the application and user session, regardless of whether the user streams to the local client device or virtualizes the streamed application from a server.

License Administration Console

A web-based tool that runs on the same server as the license server. The License Administration Console features help download license files from Citrix, copy license files to the license server and evaluate license usage.


license file

A digitally signed text-only file downloaded from MyCitrix.com that contains product licenses and information the license server requires to manage the licenses.

license server

A shared or dedicated server installed with licensing software and, optionally, the License Administration Console. This server responds to requests for licenses for Citrix products. A license server can be shared among farms and can host licenses for more than one product.

load management

A feature of XenApp that enables management of application loads. When a user launches a published application that is configured for load management, that user's session is established on the most lightly loaded server in the farm, based on criteria an administrator can configure.

local application

An application installed on a local client device.

local host cache

A subset of the server farm data store information. This file is present on all XenApp servers.

local text echo

A feature that accelerates the display of text input on a client device to effectively shield users from experiencing latency on the network.

metric

One of a series of measurable items for a server or application. An administrator can select which metrics to monitor for a particular server.

migrate

A process where an administrator manually moves a server farm from a legacy version of XenApp to a newer version of XenApp.

monitoring

The process of automatically checking the values of metrics on servers.

mouse click feedback

A feature that enables visual feedback for mouse clicks. When a user clicks the mouse, the plug-in software immediately changes the mouse pointer to an hourglass to show that the user’s input is being processed.

network printer

A shared printer object accessed through a network print server.

Novell Directory Services (NDS) support

Support for NDS allows users in Novell network environments to log on using their NDS credentials to access applications and content published on XenApp servers.

offline access

The capability to configure users and streamed applications so that users can disconnect from the company network and continue to run the applications in offline mode for a specified length of time.

pass-through authentication

A feature that passes the Windows logon information to the XenApp server so users can log on to sessions without reentering credentials.


pass-through client

A plug-in installed on a XenApp server that allows users of older clients to use a new plug-in to connect to published resources.

policies

Citrix policies are a method of controlling connection settings for groups of users, client devices, and servers. An administrator can use policies to apply select settings, known as rules, to connections filtered for access type, specific users, client devices, IP addresses or servers. For example, a policy can apply one set of rules to connections from client devices in company headquarters and another set of rules to connections from lender laptops provided to a roaming sales force.

print job

When a user prints a document, the data sent to the printer is known as a print job. Jobs are queued to the printer in a specific sequence, which the print spooler controls. When this sequence appears, it is known as the print queue.

print queue

A sequential, prioritized list of the print jobs waiting to be printed. The spooler maintains this list for each printer object in the computer.

print server

A server that manages the communications between client devices and printers. In Citrix documentation, the term print server refers to dedicated computers that are running a Windows server operating system and hosting x number of shared printers. Print servers provide client devices with drivers they need to print and store files, or print jobs, in a print queue until the printer can print them. A print server is a remote print spooler.

print spooler

The spooler is a Windows service that manages printer objects, coordinates drivers, allows printer creation, determines where print jobs are processed and manages the scheduling of print jobs. The print spooler also determines if the printer prints each page as it receives it or if it waits until it receives all pages to print the print job. Typically, when a print job is spooled to a printer, the spooler loads the print job into a buffer. The printing device then retrieves the print jobs from the buffer when it is ready to print the job. By storing the job, the computer can perform other operations while the printing occurs in the background.

printer auto-creation

The term auto-creation refers to a process XenApp uses to add printers (printer objects) at the beginning of sessions. When a user starts a session, by default, printer objects are created automatically in the session based on the printers on the client device. When the user ends the session, these printers are deleted. This occurs so that printer objects are not stored locally on the client device. The way in which the printers are auto-created is based on printing policy settings.

printer driver

The software program that lets the computer communicate with the printing device. This program converts the information to be printed to a language that the printing device can process. The printer driver also understands the device and job settings of the printing device and presents a user interface for users to configure the settings. In a Windows system, printer drivers are distinct from the software representation of printers.

printer driver mapping

The process of connecting inconsistently named printer drivers on the client device and server operating systems. For example, a printer driver on the client operating system named "HP LaserJet5 PostScript" and the same driver on the server operating system named "HP LaserJet5 PS" can be mapped for XenApp to use the HP LaserJet5 PS driver whenever it encounters the HP LaserJet5 PostScript driver.

printers

Refers to the software representation of a printing device. Computers must store information about printers so they can find and interact with printing devices. The printer icons in the Control Panel > Printers panel display the software representation of the printers, not the printer drivers. Printer object is also used to refer to the software representation of a printing device.

printing device

In a XenApp printing context, the term printing device refers to the physical printer (that is, the hardware device to which print jobs are sent).

process

An instance of a program that is being executed.

published application

An application installed on servers in a XenApp server farm that is configured for multi-user access from plug-ins.

published content

A document, media clip, graphic or other type of file or URL published for access by users. Published content is executed by local applications on client devices.

redirection

The term redirection refers to redirecting client device resources to server sessions so that published applications or desktops have access to them. Redirection is often used to describe the process by which users can access local hardware devices, such as printers, hard drives, special folders, COM ports, TWAIN scanners, smart cards and digital cameras.

Resource Manager

Resource Manager (powered by EdgeSight technology) is a resource management solution for Citrix XenApp, Enterprise Edition. It monitors user sessions and server performance in real time, allowing administrators to quickly analyze, resolve and proactively prevent problems. The main components are the agents, the server and an administration and reporting console.

schema

A description of a database to a database management system (DBMS) in the language provided by the DBMS. A DBMS handles requests for database actions and permits control of security and data integrity requirements.

seamless window

One of the settings available for the window size of a published application. If a published application runs in a seamless window, the user can take advantage of all the client platform's window management features, such as resizing and minimizing.

Secure Gateway

A component that provides a secure, encrypted channel for ICA traffic over the Internet using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) between clients and the Secure Gateway. The Secure Gateway provides a single point of encryption and access to server farms.

Secure Sockets Layer/Transport Layer Security (SSL/TLS)

A standards-based architecture for encryption, authentication and message integrity. It is used to secure the communications between two computers across a public network, authenticate the two computers to each other based on a separate trusted authority, and ensure that the communications are not tampered with. See also ciphersuites.

Secure Ticket Authority (STA)

The STA is a ticketing mechanism that runs on each XenApp server in the server farm and issues session tickets for clients. These tickets form the basis of authentication and authorization for connections to a server farm.


server

A server on which XenApp software is running. An administrator can publish applications, content and desktops on these servers for remote access by plug-ins.

server farm

A group of servers running XenApp managed as a single entity with some form of physical connection and an IMA-based data store.

server group

A group of servers used for easier application deployment on target servers.

session ID

A unique identifier for a specific ICA session on a XenApp server.

session reliability

Session reliability keeps ICA sessions active and on the user's screen when network connectivity is interrupted. Users continue to see the application they are working in until network connectivity resumes.

shadowing

A feature that enables an authorized user to remotely join or take control of another user’s session for diagnosis, training or technical support.

SpeedScreen Latency Reduction

A combination of technologies implemented in ICA that decreases bandwidth consumption and total packets transmitted, resulting in reduced latency and consistent performance regardless of network connection.

streaming application profile

A collection of configurations (targets) and a list of applications that users can execute. In addition, profiles include scripts and other settings that are used in streaming applications to client devices. Administrators create application profiles on a profiling system and make them available for publishing by saving them to a web server or network file share.

transform file

A database file that modifies an MSI package. The transform file modifies instructions about how the package is installed; for example, to enable an application to run in a Remote Desktop Services environment.

UAC

User Access Control. A security feature of Windows Vista and Windows Server 2008.

unattended install

An installation type that does not require user intervention during software installations.

universal printer

See Citrix Universal Printer.

universal printer driver

A universal printer driver can be used as the driver for any printing device. Citrix provides several generic printer drivers, as well as an XPS-based Citrix Universal Printer Driver and an EMF-based Citrix Universal Printer Driver. Using a universal printer driver on farm servers can replace multiple native printer drivers and reduce driver maintenance.

universal printing

A term that refers to a printing solution which uses the Citrix universal printers.


upgrade

A process by which an administrator moves from one version of XenApp to another, newer version. The farm must be using an earlier version of Presentation Server, or XenApp, that is compatible with the upgrade path to the newest version; otherwise, the administrator must migrate the server farm. Often, the term upgrade denotes using an installation wizard to move to the newer version.

zone

A logical grouping of XenApp servers. All servers in a zone communicate with the server designated as the data collector for the zone. Citrix recommends limiting the number of zones in a farm and using them only for different geographic sites across a WAN.

zone data collector

A server that stores dynamic data for one zone in a farm. Examples of dynamic data include current server load, the number of current user sessions, and the applications currently running in user sessions on a specified server.

© Copyright 2010 Citrix Systems, Inc.568

Page 569: 104876396 XenApp 6 0 Student Manual

Index

A

Access Gateway 37, 47, 118, 156, 193, 448, 454, 456, 460Advanced Access Control 156, 193communications 456deployment scenarios 454description 37SmartAccess 460VPX 47

Active Application Monitoring (AAM) 479Active Directory 37, 49

group policy integration 37Active Directory Federation Services (ADFS) 120ActiveX control 176activity library 489administrative utility 49administrators

account permissions 96creating 96delegating 103disabling accounts 98folder permissions 101permissions 100

Adobe Flash 352, 368alert rule 488anonymous logon 147App-V

support 37application delivery

troubleshooting issues 207application isolation environment 224application set 191application streaming

App-V 219App-V integration 214application caching 214capabilities 214central application updates 214Citrix offline plug-in 220components 216configuring sites 253Dazzle 246delivery method 245Differential synchronization of updated profiles 214digital signature 232dual mode streaming 214enable user updates 223force 327inter-isolation communication 214isolation environments 214

application streaming (continued)local system resource usage 214offline access 214, 255offline license 255process 218profile 222Profiler 222, 223

installing 223profiling

process 222Profiler 222

publishing 249security settings 223streaming to servers

applicationsdual mode 248online 248

troubleshooting 260Windows Services isolation 214, 231

applicationsimportance 200publishing to worker groups 94

authenticationexplicit 148Microsoft Windows domain 149NIS (UNIX) 149Novell Directory Services (NDS) 149pass-through 148, 160pass-through with smart card 160smart card 148, 160

automationworkflow 491

B

benefits 27, 349, 454, 502, 512, 515Access Gateway 454Citrix certification 27Citrix training 27Power and Capacity Management 515Provisioning Services 512SmartAuditor 502

Branch Optimization 509, 510components 509process 510

C

certificateAccess Gateway requirements 458

Page 570: 104876396 XenApp 6 0 Student Manual

certificate (continued)certificate authority (CA) 453, 457root certificate 457server certificate 457Trusted Root Certification Authorities 458

certificate, course completion 30Certification Manager 28Citrix Access Gateway 448Citrix Branch Repeater

description 37Citrix certification benefits 27Citrix Dazzle 37, 379

description 37Citrix EdgeSight

description 37Citrix ICA Listener Configuration (CtxICACfg.exe) tool272Citrix License Server 479Citrix Merchandising Server 365, 377Citrix offline plug-in 216, 220, 221, 225

application streaming 216, 220cache

CLIENTCACHE.EXE 221installation 221web browser 220

Citrix online plug-in 147, 216application streaming 216

Citrix online plug-in for Mac 387, 388installing 388system requirements 387

Citrix online plug-in for Windows 385, 386installing 386system requirements 385

Citrix plug-ins 48, 382Citrix Print Manager Service 396, 398Citrix Profile management 364, 365, 366Citrix Receiver 37, 375, 376, 377, 379, 391

Dazzle 379description 37for Macintosh 376for Windows 375Merchandising Server 377requirements 375, 376troubleshooting 391

Citrix Receiver for Linux 389, 390installing 390system requirements 390

Citrix resources 28Citrix Single sign-on 149, 156, 505Citrix SSL Relay 112Citrix Streaming

description 37Citrix Streaming Profiler (Profiler) 216Citrix Streaming Service 218Citrix training benefits 27

Citrix Universal Printer 405, 425, 426configuring 426

Citrix Universal Printer Driver 422Citrix Web Interface Management console 124, 125, 126, 127, 128Citrix XenApp Provider 48Citrix XenDesktop 188Citrix XenServer 519Citrix XML Service 113, 161, 171, 172, 448, 451Citrix XML traffic 454Client audio redirection policy 345Client Deployment option 146client drive mapping 195Client for Java 140, 141, 143, 388, 389

deploying 389system requirements 389

client IP 250client printing pathway 411, 413command-line tool 495commands

CTXKEYTOOL 105Get-CtxConfigurationLogReport 105

Common Gateway Protocol 342compression

Adobe Flash 352images 357, 359, 360lossy image compression 357, 360multimedia 349, 350

concurrent user license 57CONFIG.XML 122, 123, 124, 175Configuration Logging 105, 106, 107

configuring 106creating the database 105database 105, 106enabling 107

configuringadministrative permissions 96, 98Citrix Profile management 365, 366Configuration Logging 105Configuration Logging database 105, 106display settings 339folder permissions 101HDX 3D Image Acceleration 357HDX 3D Progressive Display 360HDX Broadcast Session Reliability 342HDX MediaStream for Flash 352HDX MediaStream Multimedia Acceleration 350HDX Plug-n-Play 347HDX RealTime 344SpeedScreen Latency Reduction 355SSL Relay 453Web Interface 464worker groups 94

Connected Users screen 204considerations

HDX Broadcast Session Reliability 342

© Copyright 2010 Citrix Systems, Inc.570

Page 571: 104876396 XenApp 6 0 Student Manual

considerations (continued)HDX Plug-n-Play 348HDX RealTime 345

content redirectionclient-to-server 194file type association 194server-to-client 194

coursecertificate, emailing 30certificate, printing 30certificate, saving 30completion certificate 30evaluation 30materials 21outline 23prerequisites 22survey 30

CPSVC.EXE 396, 398CPU priority level 193creating

administrator account 96configuration log report 105Configuration Logging database 105

Ctx_cpsvcuser 398CTXKEYTOOL 105CTXXMLSS 112, 172

D

data collection 482data collector 42, 45, 310, 312

description 42election 45

data store 42, 43data store database

description 42database

Configuration Logging 105, 106Microsoft SQL Server 105, 106Oracle 105, 106

database size estimation tool 482Dazzle 375, 377, 379, 380

Citrix Receiver 375communications 380Merchandising Server 377

delegatingadministrator accounts 103

deliveringplug-ins 383

Delivery Services Console 48, 49, 105, 106, 189, 204, 205, 219, 220, 239, 411, 493, 495

published resource information 204deploying

Access Gateway 454Client for Java 389

Desktop Delivery Controller 189

Direct access 165direct connections 411Directory Browsing 247disabling

IMA encryption 105display settings 338, 339

enabling 339DMZ 454Domain field 151

E

EasyCalldescription 37

EasyCall voice services 507components 507process 507

EdgeSight 47, 58, 61EdgeSight Script Host (RSSH) 482emailing

course certificate 30enabling

Configuration Logging 107display settings 339HDX 3D Image Acceleration 357HDX 3D Progressive Display 360HDX Broadcast Session Reliability 342HDX MediaStream for Flash 352HDX MediaStream Multimedia Acceleration 350HDX Plug-n-Play 347HDX RealTime 344ICA Proxy mode 460IMA encryption 105SpeedScreen Latency Reduction 355

encryption 193evaluating course 30exam registration 28Extended end-user experience monitoring (EUEM) 479

F

file share 247file type association 194, 195filtering policies

worker groups 95Flash acceleration 352Flash server-side content fetching whitelist 352Flash URL blacklist 352folder redirection 364folders 191

G

Get-CtxConfigurationLogReport 105


Group Policy Management Console 161, 172, 220, 365, 366, 411

H

HDX 3D Image Acceleration 357enabling 357

HDX 3D Progressive Display 359, 360enabling 360

HDX Broadcast Session Reliability 341, 342considerations 342enabling 342proxy 342

HDX MediaStream for Flash 352enabling 352

HDX MediaStream Multimedia Acceleration 349, 350benefits 349enabling 350

HDX Plug-n-Play 346, 347, 348considerations 348enabling 347

HDX RealTime 343, 344, 345considerations 345enabling 344

Health Assistantdescription 37

health monitoring and recovery 476hosted application 203

I

ICAencryption 451

ICA Client Printer Configuration tool 403ICA Pass-through 345, 348ICA session 194ICACLIENT.ADM 158, 159icons 191IMA 44

service 44images

compression 357, 359, 360HDX 3D Image Acceleration 357HDX 3D Progressive Display 359

incremental method 316Independent Management Architecture (IMA) 44indirect permission 255installation

Citrix offline plug-in 221Installation Manager

description 37installation prerequisites 77installing

Citrix online plug-in for Mac 388Citrix online plug-in for Windows 386Citrix Profile management 365

installing (continued)Citrix Receiver for Linux 390Profiler 223

inter-isolation communication 229Internet Information Services (IIS) 454isolation environment 222, 241

K

Kerberos 118

L

license 257License Administration Console 42, 48license monitoring 487license server 42, 61, 65, 66, 68, 71, 72, 96

dedicated 66description 42shared 66

License Server Configuration tool 65license upgrade 58licensing components 56linked profile 229, 230load balancing 37, 45, 203

description 37load balancing policies 324, 325

creating 325Load Balancing policy 245load evaluator 309, 312, 318, 320, 321, 322

Advanced load evaluator 318assigning 322Boolean 312configuration 318creating custom 320Default load evaluator 318Incremental 312load throttling 312Moving average 312Moving average compared to high threshold 312thresholds 321

Load Manager 47, 308, 309, 310, 312, 313, 314, 316, 329, 332

benefits 308definition 308load balancing process 310load calculation 312load evaluator 312Preferential Load Balancing 329troubleshooting 332

local host cache 44Local Text Echo 355local user profiles 363lossy 357, 360


M

mandatory user profiles 363manifest file 239, 247Master File Table (MFT) 366Merchandising Server 221, 375, 377, 378, 379, 391

architecture 378Citrix Receiver 375Dazzle 379troubleshooting 391

MFCOM 49
Microsoft
  Active Directory Services 221
  Application Virtualization for Remote Desktop Services 219
  client access licenses (CALs) 58, 59
  Desktop Optimization Pack (MDOP) 219
  Development Network (MSDN) 219
  MSI utility 65
  System Center Configuration Manager 2007 221
  Terminal Services 58, 59
  Visual C++ 2008 Redistributable 65
  Windows Server 2008 R2 58, 59

Microsoft Active Directory Federation Services 118Microsoft Management Console (MMC) 48Microsoft Office Communicator 343, 345

Office Communications Server 345Microsoft SQL Server 43, 105, 106, 517

Microsoft SQL Server Reporting Services 517Microsoft Windows domain

authentication 149Microsoft Windows user profile 363MMC snap-in 517Mouse Click Feedback 355multimedia compression 349, 350MyCitrix.com 68, 69

N

native plug-in 140, 141, 143Network Address Translation 163Network Address Translation (NAT) 448network file share 250network printing pathway 411NIS (UNIX)

authentication 149no-disconnected-sessions policy 136Novell Directory Services (NDS)

authentication 149

O

offline plug-in 256online plug-in 191, 195, 341, 343Operating System User Selector 256Oracle 43, 105, 106

P

pass-through authentication 176password 156Pearson VUE 28permissions

administrator accounts 100folder 101

plug-insCitrix online plug-in for Mac 387Citrix online plug-in for Windows 385Citrix Receiver for Linux 389Client for Java 388delivery 383supported 382troubleshooting 391

policies
  application process 271
  Citrix Group Policy Modeling wizard 303
  evaluation 271
  filtering 95, 301
  GPUPDATE /FORCE 271
  Group Policy architecture 269
  Group Policy extensions 268
  group policy results 303
  IMA-based 267
  load balancing 324
  Microsoft
    Active Directory 266
    Advanced Group Policy Manager (AGPM) 266
    Group Policy engine 266
    Group Policy Management Console (GPMC) 266
    Group Policy Objects (GPOs) 266
  modeling 303
  precedence exceptions 274
  priorities 274
  processing and precedence 272
  rules 276
  shadowing and encryption settings 274
  troubleshooting 303

policy 197, 406, 408, 426, 429, 431, 437, 439auto-create client printers 406Auto-create generic universal printer 426default printer 431printer properties retention 437printing bandwidth 439session printers 408, 429universal driver 426universal driver priority 426Universal printing preview preference 426

ports
  1494 342
  2598 342
  27000 62
  389 378
  443 112, 378, 453
  7279 62
  80 112
  8082 62

Power and Capacity Managementcomponents 517control modes 515description 37load consolidation 516Power and Capacity Management farm 515Power Management 516power setpoints 517workloads and profiles 515

power consumption 515PowerShell SDK 493Preferential Load Balancing 200PRINTCFG.EXE 403printer

auto-creation 402, 404, 405, 406, 407asynchronous 407Citrix Universal Printer 405client printer 405controlling client printer 406synchronous 407

driver installation 417driver management 421driver mapping 419drivers 416network printer provisioning 402retained 403user self-provisioning 402, 403

printer driverCitrix universal print driver 416Citrix XPS Universal Printer Driver 422native 416OEM 416

printer typelocal 397network 397redirected client 397

printersdefault 431network 429, 430properties 437

printingbandwidth 439Citrix universal printing 422concepts 396course certificate 30Ctx_cpsvcuser 398default behavior 400definition

Citrix Print Manager Service (CPSVC.EXE) 396default printer 396despooling 396

printing (continued)definition (continued)

device settings 396document settings 396legacy printer names 396network print server 396print queue 396printer driver 396printer object 396printing device 396proximity printing 396rendering 396restored printers 396retained printers 396spooler 396spooling 396

device settings 435preferences 435, 436print preview 424printer initialization 193security 398troubleshooting 442

printing pathwayclient printing pathway 408, 412, 414, 415network printing pathway 408, 409, 410

profileadding target 228advanced install 233creating 223deleting target 228linked 229preference settings 232properties 233quick install 233security settings 223system requirements 232

profile directory 230Profile management

description 37profile manifest file 225Profiler 223profiling

known limits 238Prohibit User Installs 141Prometric 28Provisioning Services 37, 512, 514

components 514description 37

proximity printing 432, 434configuring 434

proxy server 167Publish Application Wizard 201published resources

appearance 202application 183content 183


published resources (continued)desktop 183information 204limits 200organizing 191

publishing resourcesadvanced configurations 182, 193, 202assigning servers 185assigning worker groups 185basic configurations 182command line 184location 184name 184phases 182, 193settings 186streamed applications 249user access 185, 186worker groups 94working directory 184

R

RADEDEPLOY.EXE 259
RADERUN utility 218
reallocating 66
registering
  exams, for 28
Remote Authentication Dial-in User Service (RADIUS) 153
Remote Desktop Connection (RDP) 140
resource allotment 329
Resource Manager 47
roaming user profiles 363

S

savingcourse certificate 30

Secure Gateway 163, 165, 166, 459Secure Sockets Layer (SSL) 61Secure Ticket Authority (STA) 456SecureICA 448, 450security

Access Gateway 454access to hosted applications 459best practices 467Citrix Access Gateway 448ICA Proxy mode 460SecureICA 448, 450SmartAccess 460SSL Relay 448, 451troubleshooting 468Web Interface 463

server farms 43, 46mixed 46multiple 43

server ranking 45server-side ticketing 176Service Control Manager 231Service monitoring 487session printers 429session sharing 309, 329settings

display settings 339HDX 3D Image Acceleration 357HDX 3D Progressive Display 360HDX Broadcast Session Reliability 342HDX MediaStream for Flash 352HDX MediaStream Multimedia Acceleration 350HDX Plug-n-Play 347HDX RealTime 344SpeedScreen Latency Reduction 355Web Interface 464

Single sign-on 37, 505, 506authentication process 506components 505description 37

Smart Accessdescription 37

SmartAccess 460SmartAuditor 37, 502, 503, 504

components 503description 37recording process 504

SmoothRoaming 432
SpeedScreen Latency Reduction 355
  enabling 355
  SpeedScreen Latency Reduction Manager tool 355
SpeedScreen Latency Reduction Manager tool 355
SSL certificates 451
SSL Relay 448, 451, 452, 453, 454
  communication 452
  configuring 453

SSL VPN appliance 454streamed application 225, 251

properties 251streaming

video 344streaming application 256streaming application profile 244Suite Monitoring and Alerting (SMA) 479survey, course 30

T

targetadding to profile 228criteria 225definition 224deleting 228environment 223multiple operating systems 228


target (continued)properties 239upgrading applications 243

target directory structure 244temporary user profiles 363tracking

certification progress 28training resources 28troubleshooting

Adobe Flash 368application delivery issues 207application streaming 260Citrix Receiver 391load management 332Merchandising Server 391plug-ins 391policies 303printing 442security 468USB device 368user experience 368user profiles 368

Trust XML 161

U

Universal Printer DriverCitrix Print Previewer 424Enhanced MetaFile (EMF) 423, 424

URLembedded 197

USB devices 346, 347, 348, 368user access

anonymous accounts 185configured accounts 185

User Access Control (UAC) 238, 415
User Principal Name (UPN) 151
user profile security settings 232
user profiles 363, 364, 365, 366, 368
  folder redirection 364
  local 363
  mandatory 363
  Microsoft Windows user profile 363
  Profile management 364, 365, 366
  roaming 363
  temporary 363

V

video conferencing 344Virtual Desktop Agent 189VM hosted apps 37, 188, 189

components 189description 37

VM Hosted Apps Console 189

W

WAN optimization 509
Web Interface 37, 42, 112, 161, 188, 221, 253, 254, 454, 463, 464
  access methods 463
  client routes 464
  description 37, 42
  ports 112
  security 463
  servers 42
  settings 464
  streaming applications 253
  VM hosted apps 188

Web Interface Management console 117, 118, 122, 132, 138, 168, 169, 171, 172, 174, 175Web Interface ticket 174WEBINTERFACE.CONF 118, 124, 125, 175white list 231Windows Services isolation 231worker group preference list 95worker groups 42, 94, 95

description 42filtering policies 95prioritizing 95publishing resources 94worker group preference list 95

Workflow Studioactivity library definition 489description 37job definition 489overview 489workflow automation 491workflow definition 489

workspace control 135, 432

X

XenAppcomponents 42features 37installing 43primary architectural components 41servers 42

XenApp Server Roles Manager 116
XenApp Services site 119, 121, 131, 148, 150, 157, 158, 159, 169, 253
  authentication 148, 150, 157, 158, 159
    explicit 150, 157
    pass-through 158
    smart card 159
  session preferences 131
  streaming applications 253

XenApp sessiondisplay settings 338, 339HDX 3D Image Acceleration 357


XenApp session (continued)HDX 3D Progressive Display 359HDX Broadcast Session Reliability 341HDX MediaStream for Flash 352HDX MediaStream Multimedia Acceleration 349HDX Plug-n-Play 346HDX RealTime 343passwords 505recording 502, 504SpeedScreen Latency Reduction 355USB devices 346, 347user profiles 363, 364, 365, 366

XenApp Web site 121, 131, 133, 146, 148, 150, 157, 158, 159, 169
  authentication 148, 150, 157, 158, 159
    explicit 150, 157
    pass-through 158
    smart card 159
  client deployment 146
  session preferences 131

XenServer 519components 519

Z

zone 45zones 42, 45, 46, 47

default 47description 42optimal configuration 47sharing data across 47


851 West Cypress Creek Road Fort Lauderdale Florida 33309 USA | (954) 267 3000 | www.citrix.com

Rheinweg 9 8200 Schaffhausen Switzerland | +41 (0) 52 63577 00 | www.citrix.com

© Copyright 2010 Citrix Systems, Inc. All rights reserved.


The following label contains the voucher code needed to access the online student resources.