2011 Citrix Systems, Inc. All rights reserved. Terms of Use | Trademarks | Privacy Statement
Contents
XenApp 6 for Windows Server 2008 R2
XenApp 6 for Windows Server 2008 R2
Readme for XenApp for Windows Server 2008 R2
System Requirements for XenApp 6 for Windows Server 2008 R2
Designing a XenApp Deployment
Designing a XenApp Deployment
Farm Terminology and Concepts
Planning a Successful User Experience
Farm Hardware Considerations
Planning for Applications and Server Loads
Assessing Applications for XenApp Compatibility
Evaluating Application Delivery Methods
Planning for Application Streaming
Placing Applications on Servers
Determining the Number of XenApp Servers to Deploy
Deciding How Many Farms to Deploy
Planning Controllers
Planning the XenApp Data Store
Database Server Hardware
Performance Considerations
Replication Considerations
Planning for Configuration Logging and IMA Encryption
Planning for Data Collectors
Designing Zones for a XenApp Deployment
Planning for the Web Interface and XML Broker
Planning for Accounts and Trust Relationships
Recommendations for Active Directory Environments
Planning for System Monitoring and Maintenance
Planning for UAC
Planning for Shadowing
Securing Delivery and Access
Planning for Supported Languages and Windows MUI Support
Planning for Passthrough Client Authentication
Installing and Configuring XenApp
Installation and Configuration
Preparing to Install and Configure XenApp
Installing XenApp Using the Wizard-Based Server Role Manager
Installing XenApp from the Command Line
Configuring XenApp Using the Wizard-based Server Configuration Tool
Configuring XenApp from the Command Line
Command Syntax
Preparing for XenApp 6 Imaging and Provisioning
Data Store Database Reference
Microsoft SQL Server Database
Oracle Database
XenApp 6 Migration Tool
XenApp 6 Migration Tool
Requirements and Installation
Using the XenApp 6 Migration Tool Cmdlets
Cmdlet Reference
Advanced Cmdlets
Administration
XenApp 6 for Windows 2008 R2 Management Consoles and Other Tools
To start the console and discover servers
To view zones
To refresh user data automatically
Managing Citrix Administrators
Delegating Tasks to Custom Administrators
Publishing Resources
Publishing Resources for Users
To configure servers to publish for multiple users
To publish a resource using the Publish Application wizard
Publishing App-V Sequences in XenApp
To select a resource type and delivery method
To configure locations of published applications
To configure locations of published content
To disable command-line validation
Managing Streamed Applications
Publishing Streamed Applications
To select a streaming delivery method
To force a delivery method for streamed applications
To provide HTTP or HTTPS delivery method
Configuring Offline Access
Configuring Content Redirection
To enable content redirection from server to client
To configure content redirection from client to server
Managing Application Properties
To rename a published application
To configure locations of servers for published resources
To specify locations of applications for streaming
To enable an application for offline access
To configure user access to applications
Granting Access to Explicit or Anonymous Users
To configure shortcuts for user devices
To configure access controlled by the Access Gateway
To associate published applications with file types
To update file type associations
To configure alternate profiles
To pass parameters to published applications
To reduce user privileges for a streamed application
To configure application limits and importance
To configure audio and encryption options for published applications
To configure application appearance
To disable or enable a published application
To delete a published application
To move a published application to another folder
To duplicate published application settings
To export published application settings to a file
To import published application settings from a file
Making Virtual IP Addresses Available to Applications
How Virtual IP Addressing Works
Binding Applications
To determine whether an application needs to use virtual IP addresses
To make virtual IP addresses available to applications running in sessions
To make a virtual loopback address available to applications running in sessions
To supply client IP addresses to published applications on a server
Working with Citrix Policies
Navigating Citrix Policies and Settings
Creating Citrix Policies
Configuring Policy Settings
To add settings to a policy
Applying Policies
To apply a policy
Using Multiple Policies
Prioritizing Policies and Creating Exceptions
Determining Which Policies Apply to a Connection
To simulate connection scenarios with Citrix policies
Troubleshooting Policies With No Configured Settings
Applying Policies to Access Gateway Connections
Enabling Scanners and Other TWAIN Devices
Managing Session Environments and Connections
Defining User Environments in XenApp
Controlling the Appearance of User Logons
Controlling Access to Devices and Ports
To enable user execute permissions on mapped drives
Displaying Local Special Folders in Sessions
Configuring Audio for User Sessions
To enable or disable audio for published applications
To configure bandwidth limits for audio
To configure audio compression and output quality
To enable support for microphones and speakers
To use and set sound quality for digital dictation devices
Ensuring Session Continuity for Mobile Workers
Maintaining Session Activity
Configuring Session Reliability
Configuring Automatic Client Reconnection
Configuring ICA Keep-Alive
Managing and Monitoring XenApp Sessions
Monitoring Session Information
Viewing User Sessions
Viewing User Sessions with the Shadow Taskbar
Enabling Logging for Shadowing
Enabling User-to-User Shadowing with Policies
Controlling Client Connections in XenApp
Preventing Specific Client Connection Types
Specifying Connection Limits
Limiting Connections to a Server Farm
Sharing Sessions and Connections
Limiting Application Instances
Logging Connection Denial Events
Configuring the ICA Listener
Preventing User Connections During Farm Maintenance
Optimizing User Sessions for XenApp
Optimizing Audio and Video Playback
Configuring HDX MediaStream Multimedia Acceleration
Optimizing Flash Content
Optimizing Throughput of Image Files
Optimizing Display of Image Files
Optimizing Keyboard and Mouse Responsiveness
Configuring SpeedScreen Latency Reduction
Adjusting SpeedScreen Latency Reduction for an Application
To configure latency reduction settings for input fields in an application
To create exception entries for non-standard input fields in an application
Configuring HDX Broadcast Display Settings
Securing Server Farms
Securing Access to Your Servers
Securing the Data Store
Securing Client-Server Communications
Using SecureICA
Enabling SSL/TLS Protocols
To configure session data encryption
To set a policy for ICA encryption
Configuring SSL/TLS Between Servers and Clients
Obtaining and Installing Server and Root SSL Certificates
Choosing an SSL Certificate Authority
Acquiring a Signed SSL Certificate and Password
To enable the SSL Relay and select the relay credentials
Using the SSL Relay with the Microsoft Internet Information Service (IIS)
Configuring the Relay Port and Server Connection Settings
To run the SSL Relay on port 443 without using HTTPS
Configuring the Ciphersuites Allowed by the SSL Relay
Using the Secure Gateway
Using the Secure Ticket Authority
Securing Network Communications
Configuring TCP Ports
Using Proxy Servers
Configuring Authentication for Workspace Control
Using Smart Cards with XenApp
Configuring Kerberos Logon
Logging Administrative Changes to a XenApp Farm
Setting up the Configuration Logging Database
Defining Database Permissions for Configuration Logging
To configure the connection to the Configuration Logging database
To set Configuration Logging properties
Clearing Entries from the Configuration Logging Database
Encrypting Configuration Logging Data
To generate a key and enable IMA encryption on the first server in a farm
To load a key on servers that join the farm
Managing IMA Encryption
XenApp Service Account Privileges
Maintaining Server Farms
To search for objects in your farm
To change a server's desktop settings
To limit the number of server connections per user
To disable and re-enable server logons
Restarting Servers at Scheduled Times
Removing and Reinstalling XenApp
To move or remove a server
To rename a XenApp server
Monitoring Server Performance with Health Monitoring & Recovery
Modifying Health Monitoring and Recovery Actions
Developing Custom Health Monitoring & Recovery Tests
Using Citrix Performance Monitoring Counters
Using Worker Groups for Enhanced Resource Access
To create a worker group
Creating and Prioritizing Load Balancing Policies
Enhancing the Performance of a Remote Group of Servers
Using Preferential Load Balancing
Resource Allotment
Multiple Published Applications in the Same Session
Managing CPU Usage
Deploying virtual memory optimization
Managing Farm Infrastructure
Maintaining the Local Host Cache
Tuning Local Host Cache Synchronization
To configure zones and back-up data collectors
Updating Citrix License Server Settings
To set the product edition
Configuring the Citrix XML Service Port and Trust
To manually change the XML Service port to use a port different from IIS after installation
To manually configure Citrix XML Service to share the TCP port with IIS
Understanding XenApp Printing
Introduction to Windows Printing Concepts
Local and Remote Print Job Spooling
XenApp Printing Concepts
Overview of Client and Network Printing Pathways
Provisioning Printers for Sessions
Auto-Creating Client Printers
Auto-Creating Network Printers
Letting Users Provision Their Own Printers
Device or Session-Based Print Settings
Device-Based Print Settings
Controlling Printing Settings and User Preferences
Setting Default Printers
Printing and Mobile Workers
Optimizing Printing Performance by Routing
Managing Printer Drivers
Planning Your Printing Configuration
Default Printing Behavior
Printing Policy Configuration
Printing Security
Purchasing Printing Hardware
Configuring and Maintaining XenApp Printing
Configuring Printer Autocreation Settings
Configuring Citrix Universal Printing
Configuring Network Printers for Users
To add a network printer while configuring the Session printers setting
To specify a default printer for a session
To edit the printer settings in the sessions policy
To configure server local printers
Configuring Printers for Mobile Workers
Changing Network Print Job Routing
Providing Tools for User Provisioning
To store users' printer properties
To synchronize properties from the printer
Controlling Printer Driver Automatic Installation
Configuring Universal Printer Drivers on Farm Servers
Mapping Client Printer Drivers
Improving Session Performance by Limiting Printing Bandwidth
Displaying Printers
Managing Printers Using the Network Printing Pathway
Displaying Printers Using the Client Printing Pathway
XenApp Server Utilities Reference
ALTADDR
APP
AUDITLOG
CHANGE CLIENT
CTXKEYTOOL
CTXXMLSS
DSCHECK
DSMAINT
ENABLELB
ICAPORT
IMAPORT
QUERY FARM
QUERY PROCESS
QUERY SESSION
QUERY TERMSERVER
QUERY USER
Performance Counters Reference
Citrix CPU Utilization Mgmt User Counters
Citrix IMA Networking Counters
Citrix Licensing Counters
Citrix MetaFrame Presentation Server Counters
ICA Session Counters
Secure Ticket Authority Counters
Policy Settings Reference
Policy Settings: Quick Reference Table
ICA Policy Settings
Audio Policy Settings
Auto Client Reconnect Policy Settings
Bandwidth Policy Settings
Desktop UI Policy Settings
End User Monitoring Policy Settings
File Redirection Policy Settings
Graphics Policy Settings
Image Compression Policy Settings
Keep Alive Policy Settings
Multimedia Policy Settings
HDX MediaStream for Flash (client side) Policy Settings
HDX Multimedia for Flash (server side) Policy Settings
Ports Policy Settings
Printing Policy Settings
Client Printers Policy Settings
Drivers Policy Settings
Universal Printing Policy Settings
Security Policy Settings
Server Limits Policy Settings
Session Limits Policy Settings
Session Reliability Policy Settings
Shadowing Policy Settings
Time Zone Control Policy Settings
TWAIN Devices Policy Settings
USB Devices Policy Settings
Licensing Policy Settings
Server Session Settings
Server Policy Settings
Connection Limits Policy Settings
Health Monitoring and Recovery Policy Settings
Memory Optimization Policy Settings
Offline Applications Policy Settings
Reboot Behavior Policy Settings
Virtual IP Policy Settings
XML Service Policy Settings
Application Streaming
Application Streaming
Readme for Citrix Offline Plug-in 6 and Streaming Profiler 6
New Features in This Release
System Requirements for Application Streaming
Components for Application Streaming
Deciding Which Plug-ins to Use for Application Streaming
Providing Single Sign-on for Streamed Applications
Creating Application Profiles
Targets Overview
Service Pack Level
System Drive Letter
Operating System
Language
Inter-Isolation Communication Overview
Isolating Services
Specifying Trusted Servers for Streamed Services and Profiles
Managing Isolation Environment Rules
Types of Isolation Environment Rules
Restrictions and Limitations for Rules
Creating Isolation Environment Rules for a Target
To create an isolation environment rule
To modify a rule
Using Environment Variables to Construct Rules
Preparing a Workstation for Profiling Applications
Known Limitations for Profiling
To install the profiler
To disable and enable profile signing
To start the profiler
Creating a Profile and Its Initial Target
To create a profile and target
To allow users to update applications
To set up inter-isolation communication
To select an install option
To install multiple applications through AdvancedInstall
To choose an installation program for the application
To install Internet Explorer plug-ins
To include files and folders in a target
To include registry settings
To install an application in the profile
To run an application in the profiler
To select applications for listing in the profile
To sign a profile
Editing Profiles
To view profile information
To edit the profile name, description, or location
To view details about applications in a profile
To view File Type Associations set in a profile
To check for launch prerequisites
To check for prerequisite registry entries
To check for prerequisite applications and files
To specify pre-launch and post-exit scripts
To add a target to a profile
To resolve target conflicts
To resolve invalid shortcuts
To delete a target from a profile
To delete a folder from a profile
To delete a profile in a linked profile
Editing Targets
To edit the target name and description
To modify the application properties in the target
To modify the operating system and language properties of a target
To update a target
To remove an old version of an updated target
Profile Contents on the Server
Manifest File
Targets
Digital Signature
Icons
Scripts
Publishing Resources
Publishing Resources for Users
To configure servers to publish for multiple users
To publish a resource using the Publish Application wizard
Publishing App-V Sequences in XenApp
To select a resource type and delivery method
To configure locations of published applications
To configure locations of published content
To disable command-line validation
Managing Streamed Applications
Publishing Streamed Applications
To select a streaming delivery method
To force a delivery method for streamed applications
To provide HTTP or HTTPS delivery method
Configuring Offline Access
Configuring Content Redirection
To enable content redirection from server to client
To configure content redirection from client to server
Managing Application Properties
To rename a published application
To configure locations of servers for published resources
To specify locations of applications for streaming
To enable an application for offline access
To configure user access to applications
Granting Access to Explicit or Anonymous Users
To configure shortcuts for user devices
To configure access controlled by the Access Gateway
To associate published applications with file types
To update file type associations
To configure alternate profiles
To pass parameters to published applications
To reduce user privileges for a streamed application
To configure application limits and importance
To configure audio and encryption options for published applications
To configure application appearance
To disable or enable a published application
To delete a published application
To move a published application to another folder
To duplicate published application settings
To export published application settings to a file
To import published application settings from a file
Making Virtual IP Addresses Available to Applications
How Virtual IP Addressing Works
Binding Applications
To determine whether an application needs to use virtual IP addresses
To make virtual IP addresses available to applications running in sessions
To make a virtual loopback address available to applications running in sessions
To supply client IP addresses to published applications on a server
Managing the Offline Plug-in
Citrix Offline Plug-in Overview
Deciding Which Plug-ins to Use for Application Streaming
Using the Merchandising Server and Citrix Receiver to Deploy the Plug-ins
Installing the Offline Plug-in
To install the Citrix offline plug-in
To configure the cache size of the offline plug-in
To deploy the Citrix offline plug-in
To deliver the AppHubWhiteList to user devices
To configure an .MSI package for the offline plug-in using transforms
To deploy the offline plug-in to user devices through Active Directory
To deploy applications to user devices
To clear the streamed application cache on user devices
To clear merged rules for linked profiles on user devices
Enhancing the User Experience With HDX
Enhancing the User Experience With HDX
Configuring HDX MediaStream for Flash
Configuring HDX MediaStream for Flash Settings
Configuring HDX MediaStream for Flash on the Server
Configuring HDX MediaStream for Flash on the User Device
Configuring Audio
Avoiding Echo During Multimedia Conferences With HDX RealTime
Multimedia Conferencing with HDX RealTime
Increasing 2D and 3D Application Scalability and Performance
Enterprise Management
Enterprise Management
Management Pack for System Center Operations Manager 2007
System Requirements for the Management Pack
To install the Management Pack
Management Pack Post-Installation Tasks
Uninstalling the Management Pack
Security Considerations for the Management Pack
Troubleshooting Query Errors in Operations Manager
Citrix Managed Objects Included in the Management Pack
Citrix Views Included in the Management Pack
To view state monitors and processing rules
Viewing XenApp Alert and Event Information
Viewing XenApp Deployment State Information
Viewing Citrix Presentation Server Topology Diagrams
To reconfigure security settings on zone data collectors
Viewing XenApp Performance Information
Viewing License Server Information
Configuring and Enabling Site-specific Monitors
To open the Access Management Console or Delivery Services Console from the Operations Manager Console
Installation Manager
Requirements and Installation
Using the Installation Manager Console
Using Installation Manager PowerShell Cmdlets
Installation Manager Messages Reference
Managing Providers and WMI
XenApp Provider Overview
Licensing Provider Overview
Installing the XenApp Provider
Installing the Licensing Provider
Starting the Provider Services
Security Considerations
Uninstalling the Providers
WMI Schema
XenApp Provider WMI Schema (Part 1 of 3)
XenApp Provider WMI Schema (Part 2 of 3)
XenApp Provider WMI Schema (Part 3 of 3)
Citrix Licensing Provider WMI Schema
Load Management
Load Manager
Working with Load Evaluators
To change the properties of a load evaluator
To create a new load evaluator
To add a rule to a load evaluator
List of Load Management Rules
Assigning Load Evaluators to Servers and Applications
Scheduling Server Availability
Power and Capacity Management
Power and Capacity Management
Understanding Power and Capacity Management
Power and Capacity Management System Components
Setpoints
Power and Capacity Management Schedules
Server Profiles
Server Control Mode
Concentrator Operations
Virtual Machine Management
Dynamic Capacity Estimation
What Happens During Power Management Operations
What Happens During Load Consolidation
Installing Power and Capacity Management
System Requirements for Power and Capacity Management
Considerations for Installing the Concentrator
Interactively Installing Components
Silently Installing Components
Removing Components
Configuring Power and Capacity Management
Task Descriptions
Secure Gateway
Secure Gateway
Citrix XenApp Components That Work with Secure Gateway
Secure Gateway Features
System Requirements for Secure Gateway
Certificate Requirements
Planning a Secure Gateway Deployment
Deploying the Secure Gateway in a Single-Hop DMZ
Running the Web Interface behind the Secure Gateway in the Demilitarized Zone
Locking Down Internet Information Services
Running the Web Interface Parallel with the Secure Gateway
Setting Up the Web Interface and the Secure Gateway in a Single-Hop Demilitarized Zone
Deploying the Secure Gateway in a Double-Hop DMZ
Setting Up the Secure Gateway and the Secure Gateway Proxy in a Double-Hop DMZ
Publishing the Web Address for the Secure Gateway in a Double-Hop Demilitarized Zone
Setting Up and Testing a Server Farm
Installing the Secure Ticket Authority
Testing Your Deployment
Installing and Configuring the Secure Gateway and Secure Gateway Proxy
Upgrading Secure Gateway or Secure Gateway Proxy
Using Firewall Software with the Secure Gateway or Secure Gateway Proxy
Installing the Secure Gateway or Secure Gateway Proxy
To install the Secure Gateway or Secure Gateway Proxy
Configuring the Secure Gateway or Secure Gateway Proxy
To start the configuration wizard manually
To select a configuration level (Secure Gateway)
To select a configuration level (Secure Gateway Proxy)
Task Summary for Secure Gateway, Advanced or Standard Configuration
Task Summary for Secure Gateway Proxy, Advanced or Standard Configuration
To select a server certificate
To configure secure protocol settings
To configure inbound client connections
To configure outbound connections
To configure an access control list for outbound connections
To configure servers running the Secure Gateway Proxy
To add the Secure Ticket Authority details
To configure connection parameters
To configure logging exclusions
To add the Web Interface server details
To configure the logging parameters
To complete the configuration
To stop the Secure Gateway/Secure Gateway Proxy service
To uninstall the Secure Gateway
Managing the Secure Gateway
Viewing Session and Connection Information with the Secure Gateway Console
Viewing Secure Gateway Performance Statistics
To view the Secure Gateway performance statistics
Performance Counters Available for the Secure Gateway
Generating the Secure Gateway Diagnostics Report
Viewing the Secure Gateway Events
Viewing the Secure Gateway Access Logs
Secure Gateway Configuration Wizard
Secure Gateway Optimization and Security Guidelines
Configuring Firewalls for the Secure Gateway
Ensuring High Availability of the Secure Gateway
Load Balancing Multiple Secure Gateway Servers
Load Balancing an Array of the Secure Gateway Proxy
Certificate Requirements for Load Balancing Secure Gateway Servers
Using Load Balancers and SSL Accelerator Cards with Secure Gateway Servers
Coordinating Keep-Alive Values Between the Secure Gateway and Citrix XenApp
Setting Connection Keep-Alive Values and the Secure Gateway
Improving Security (Recommendations)
Preventing Indexing by Search Engines
Troubleshooting the Secure Gateway
To check your certificates
Client Connections Launched from IP Addresses in the Logging Exclusions List Fail
Load Balancers Do Not Report Active Client Sessions if Connections Are Idle
Performance Issues with Transferring Files Between a User Device and a Citrix XenApp Server
Gateway Client Connections Fail When Using Windows XP Service Pack 2
Failed Client Connections to the Secure Gateway Result in Duplicate Entries in the Secure Gateway Log
Placing the Secure Gateway Behind a Reverse Web Proxy Causes an SSL Error 4
Run the Secure Gateway Parallel to the Reverse Web Proxy
Use a Network Address Translator Instead of a Reverse Web Proxy
Digital Certificates and the Secure Gateway
Understanding Cryptography
Types of Cryptography
Combining Public Key and Secret Key Cryptography
Understanding Digital Certificates and Certificate Authorities
Certificate Chains
Certificate Revocation Lists
Deciding Where to Obtain Certificates
Obtaining and Installing Server Certificates
Obtaining and Installing Root Certificates
Support for Wildcard Certificates with the Secure Gateway
SmartAuditor
SmartAuditor
System Requirements for SmartAuditor
Example Usage Scenarios
Getting Started with SmartAuditor
Planning Your Deployment
Security Recommendations
Installing Certificates
Scalability Considerations
Important Deployment Notes
Pre-Installation Checklist
To install SmartAuditor
Automating Installations
To configure SmartAuditor to play and record sessions
Granting Access Rights to Users
Creating and Activating Recording Policies
Using System Policies
Creating Custom Recording Policies
To create a new policy
To modify a policy
To delete a policy
To activate a policy
Understanding Rollover Behavior
To disable or enable recording
To configure the connection to the SmartAuditor Server
Creating Notification Messages
Enabling Custom Event Recording
To enable or disable live session playback
To enable or disable playback protection
To enable and disable digital signing
To specify where recordings are stored
Specifying File Size for Recordings
Viewing Recordings
To launch the SmartAuditor Player
To open and play recordings
To search for recorded sessions
To play recorded sessions
To use events and bookmarks
To change the playback display
To display or hide window elements
To cache recorded session files
To change SmartAuditor Servers
Troubleshooting SmartAuditor
Verifying Component Connections
Testing IIS Connectivity
Troubleshooting Certificate Issues
SmartAuditor Agent Cannot Connect
SmartAuditor Server Cannot Connect to the SmartAuditor Database
Sessions are not Recording
Searching for Recordings in the Player Fails
Troubleshooting MSMQ
Unable to View Live Session Playback
To change your communication protocol
Reference: Managing Your Database Records
VM Hosted Apps
VM Hosted Apps
About This Release
System Requirements
Plan
Install and Set Up
Installing and Removing Server Components for VM Hosted Apps
To configure a VM hosted apps site
To replace the default XenServer SSL certificate
Installing and Removing the Virtual Desktop Agent
To configure firewalls manually
To deploy the Virtual Desktop Agent using Active Directory Group Policy Objects
To use Windows XP virtual desktops with Single Sign-on
Manage
Working With Machine Catalogs and Desktop Groups
To create an application desktop group
Managing Application Desktop Groups
Working With Applications
To create an application
To modify applications
To manage application sessions
Organizing Applications with Folders and Tags
Customize
Configuring USB Support for VM Hosted Apps
XenApp Connector for Configuration Manager 2007 R2
XenApp Connector for Configuration Manager 2007 R2
System Requirements for XenApp Connector for Configuration Manager 2007 R2
Install and Set Up XenApp Connector for Configuration Manager 2007 R2
Enabling and Disabling Power and Capacity Management with XenApp Connector for Configuration Manager 2007 R2
Uninstalling XenApp Connector for Configuration Manager 2007 R2
Deploying Applications to XenApp Servers
To publish applications with XenApp Connector for Configuration Manager 2007 R2
Maintaining Log Files
XenApp Printing Optimization Pack
Single Sign-on
Secure Application Access
Monitor Virtual Services
Optimize WAN Access with Branch Repeater
Easy Call Voice Services
Manage and Dynamically Provision Servers with Provisioning Services
Automate IT Processes with Workflow Studio
Single Sign-on
Workflow Studio orchestration

Can't find what you're looking for? If you're looking for documentation for previously released versions of this product, go to the Citrix Knowledge Center. For a complete list of links to all product documentation in the Knowledge Center, go to http://support.citrix.com/productdocs/.
Finding Documentation
To access complete and up-to-date product information, in Citrix eDocs, expand the topics for your product.

Licensing Documentation

To access licensing documentation, go to http://support.citrix.com/proddocs/topic/technologies/lic-library-node-wrapper.html.
Getting Support
Citrix provides technical support primarily through Citrix Solutions Advisors. Contact your supplier for first-line support or use Citrix Online Technical Support to find the nearest Citrix Solutions Advisor. Citrix offers online technical support services on the Citrix Support Web site. The Support page includes links to downloads, the Citrix Knowledge Center, Citrix Consulting Services, and other useful support pages.
Installation Issues
If you install a role component from the Autorun menu by selecting Manually Install Components and then install the XenApp server role from Autorun, you may be prompted during XenApp role configuration for the location of that component's server, even though you did not select that component during XenApp server role installation. Re-enter the server information you specified during the manual installation. This also applies during a command-line XenApp role configuration; you must specify the server information for all the installed components. [#229147]

The Provisioning Services Target Device software resets your network connection during install. As a result, you may see user interface crashes or other failures if you select this component to install from a network location. Citrix recommends that you install the Provisioning Services Target Device software using one of the following methods [#229881]:

- Install from a local DVD image or ISO
- Copy the installation media locally before performing the installation
- Select Manually Install Components from the Autorun menu
- Install with a command-line installation

You must install the Provisioning Services role and the Provisioning Services Target Device component on separate servers. If you select both on the same server, the installation fails. [#229999]

If you install the XenApp server role and then uninstall it, Citrix recommends that you re-image the server with a clean operating system before installing the XenApp server role again. Re-installation of the XenApp server role on a machine where it was previously uninstalled may fail in the following conditions [#228363, 224925]:

- If you had IIS installed on the machine previously and/or chose to install XML Service Integration with IIS

If you specify an unsupported Microsoft SQL Server database version during XenApp server role configuration, the configuration fails but the error message may not state the cause. For supported database versions, see the system requirements topic and http://support.citrix.com/article/CTX114501. [#225264]

To install the EdgeSight for XenApp Agent, either install it at the same time you install the XenApp server role (and then restart the server after you configure XenApp), or, if you have already installed the XenApp server role, install the agent from the installation media using the MSI file in Service Monitoring\Installers\Agent\. Then restart the XenApp server. If you installed the XenApp server role and later installed the EdgeSight for XenApp Agent using the Server Role Manager, you are not prompted for the agent configuration, and the agent does not report to your EdgeSight server. To provide the proper configuration in this case, uninstall the agent and reinstall it from the installation media. [#229617, 229778]

If the network connection fails or disconnects during a wizard-based XenApp installation, you may see the error message "Citrix eXtensible Meta Installer has stopped working." This is typically a non-fatal error; restart the XenApp Server Role Manager and finish your installation or configuration. You can also avoid this issue by copying the installation media locally or installing from the DVD. [#227578]
After installing the Delivery Services Console, if you use the Autorun menu to install Applications on Virtual Machines and select Install optional components > Upgrade Management Consoles, a separate console is installed, rather than adding a "VM Hosted Apps" node to the Delivery Services Console. [#226895]

When installing the XenApp server role, if the required IIS role services are deployed on the server and you choose not to enable IIS integration by deselecting the XML Service IIS Integration component in a wizard-based installation, or by omitting the XA_IISIntegration option in a command-line installation, you must change the XML service port (to a port other than 80) when configuring the XenApp role. [#230674]

When you select both the XenApp and Web Interface roles to install, and the IIS role services are not deployed on the server, the Web Interface role automatically deploys the IIS server roles. However, the XML Service IIS Integration component checkbox is not selected by default. Either select this checkbox or specify an XML Service port other than 80 when you configure XenApp. [#230683]

Launching the Server Configuration Tool by double-clicking XenAppConfiguration.exe is not supported. Launch the Server Configuration Tool through the Server Role Manager. [#230819]

When using the Server Role Manager to install and configure the SmartAuditor server role from a network share that requires authentication, log on to the network share again after restarting the server. [#231084]
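The two XML Service port issues above both come down to the Citrix XML Service and IIS competing for TCP port 80 when IIS integration is not enabled. The following PowerShell script is an added example (it is not Citrix code and is not part of this readme) that an administrator can run on the server before configuring the XenApp role: it reports whether IIS is installed, what already listens on port 80, and whether the alternate port you intend to use is free. The variable $xmlPort is a placeholder for that alternate port; the script only reads state and changes nothing.

```powershell
# Added example, not Citrix code: check for a port 80 conflict before configuring the
# Citrix XML Service without XML Service IIS Integration. Read-only; works on Windows
# Server 2008 R2 (PowerShell 2.0), where Get-NetTCPConnection is not available.

$xmlPort = 8080   # placeholder: the alternate XML Service port you plan to use

function Get-TcpListeners([int]$port) {
    # Parse "netstat -ano -p tcp" rows such as:
    #   TCP    0.0.0.0:80    0.0.0.0:0    LISTENING    4
    # and return one object per listener bound to $port (IPv4 and IPv6).
    $rows = @()
    foreach ($line in (netstat -ano -p tcp)) {
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$' -and
            [int]$Matches[2] -eq $port) {
            $procId = [int]$Matches[3]
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $name = '(unknown)'
            if ($proc) { $name = $proc.ProcessName }
            $rows += New-Object PSObject -Property @{
                LocalAddress = $Matches[1]
                Port         = $port
                PID          = $procId
                Process      = $name
            }
        }
    }
    return $rows
}

# Is IIS present at all? W3SVC is the World Wide Web Publishing Service.
$iis = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($iis) { "IIS (W3SVC) is installed and currently $($iis.Status)." }
else      { "IIS (W3SVC) is not installed." }

# Port 80: IIS listens through HTTP.sys, so the owning PID is usually 4 (System).
$on80 = Get-TcpListeners 80
if ($on80) {
    "TCP port 80 is already in use:"
    $on80 | Format-Table LocalAddress, PID, Process -AutoSize
    "Either enable XML Service IIS Integration or give the XML Service a port other than 80."
} else {
    "Nothing is listening on TCP port 80."
}

# The alternate port must itself be free, or the XML Service will fail to bind.
$onAlt = Get-TcpListeners $xmlPort
if ($onAlt) {
    "WARNING: TCP port $xmlPort is already in use; choose another XML Service port:"
    $onAlt | Format-Table LocalAddress, PID, Process -AutoSize
} else {
    "TCP port $xmlPort is free and can be used for the Citrix XML Service."
}
```

Run it in an elevated PowerShell session so that process names can be resolved for every PID. Re-run it after configuration to confirm that the XML Service is the only listener on the port you chose.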
If you change the name of a worker group in your XenApp deployment and are using Configuration Manager, it creates a collection based on the new name of the worker group, but the original collection associated with the prior worker group name remains. If you have used the original collection as the target of an advertisement, manually change the advertisement to target the new collection. When there are no servers in a target (due to no successful advertisements yet), an error message displays indicating a browser name error or that no servers were in the collection. This is normal and the error ceases after a server in the target has a successful advertisement. [#234879]

When using the publishing wizard to specify the command line that launches the application, if the command line includes quotation marks, type the command line manually instead of browsing to it. [#235821]

Ignore this error message in the Publish.log file: "Write-Host : The OS handle's position is not what FileStream expected. Do not use a handle simultaneously in one FileStream and in Win32 code or another FileStream. This may cause data loss." This error message does not indicate that XenApp Connector is not functioning properly.
Saving a Single sign-on plug-in installation image in the protected directories (for example, C:\ or C:\Windows) on a computer running Windows 7 results in an installation failure. To avoid this issue, designate a location (for example, create a folder under C:\ or a user's document folder) in which to save the image. [#224612]

Installing the Single sign-on plug-in with XenApp from the wizard-based Server Role Manager does not allow you to install and configure optional plug-in features, such as Self-Service and Data Integrity. To successfully install the Single sign-on plug-in with these features, from the XenApp Autorun menu, click Manually install components > Server Components > Miscellaneous > Single sign-on > Single sign-on Plug-in. Dialog boxes appear during this installation process letting you select and configure the features. [#226801]

If you use custom alerts in Citrix Service monitoring for XenApp (formerly Citrix EdgeSight for XenApp), or other event log rollup utilities, you must change the source name of Citrix Password Manager to Citrix Single Sign-On. [#222720]

The Single sign-on 4.8 plug-in may not start after it has been upgraded from Password Manager Agent 4.5. An error message appears stating that Syncmgr.vrs is missing. To ensure a successful installation, uninstall Password Manager Agent 4.5 prior to installing the Single sign-on 4.8 plug-in. If the Single sign-on 4.8 plug-in is already installed, run the Repair feature from the Programs section of the Control Panel. [#230824]

Network credential dialog boxes on Windows Server 2008 R2 and Windows 7 are not recognized by the Citrix Single sign-on plug-in. Users are not prompted to store their user IDs and passwords. An application template, Windows 7 Network Authentication Dialog, available at http://citrix.thinkbuilddeploy.com/index.php, resolves this problem for environments where a single set of credentials is used for each user. [#221161]
On Windows Server 2008 R2 platforms, logging off MSN Messenger using the X button on the Messenger window fails to close the application. When you do so, the application minimizes to the system taskbar, which is not accessible with Windows Server 2008 R2. As a workaround, with administrative privileges, you can configure Messenger to run in Windows XP compatibility mode for all users. To do this, from the Windows Start > All Programs menu, select Windows Live Messenger. From the right-click menu, select Properties. On the Compatibility tab, choose "Change settings for all users." Then check "Run this program in compatibility mode for" and choose "Windows XP (Service Pack 3)." [#228845]
When using XenApp in a Novell Directory Services for Windows environment, XenApp servers experience reduced performance when enumerating published resources and during application launch when resolution to the least-loaded server occurs. As a workaround, modify the following registry key:

Be sure to set access control lists (ACLs) for the Network Service account to "Read." When this workaround is implemented, the number of simultaneous user logons is reduced. Therefore, users might experience longer logon times during peak usage periods. [#228841]
The Cumulative Server Load counter (available as part of the Citrix MetaFrame Presentation Server performance monitor counters) might not display the same values as the XenApp command query farm /load (also known as qfarm /load) when querying the same server running Citrix XenApp if there are pending connections to this server. The counter and command should display identical information once all sessions are active. [#228466, 228842]

In some instances, when a user launches a published application, two Status Indicator icons might appear on the Windows Taskbar for the single published application. The second icon disappears after a few seconds. No workaround exists for this issue and it does not interfere with published application functionality. [#221203]

If an administrator specifies a specific Windows theme for users through a Personalization group policy template, the Windows theme might not appear to be applied when launching a published application configured for seamless or non-seamless windows. (Any configured themes are correctly applied when launching a published desktop.) To ensure themes are applied, administrators can modify the Windows registry. For details, see http://support.citrix.com/article/CTX124407 in the Citrix Knowledge Center. [#228080]

On XenApp servers running the German language version of Windows, after configuring Citrix policy settings for a Group Policy Object, the Settings report for the Group Policy Object does not display the Citrix policy setting values when generated. As a workaround, use a language version of Windows other than German to view the policy settings values. [#223303]

The Group Policy Results report does not include Citrix policy settings when run on a Group Policy Object (GPO) that meets one of the following conditions:

- The GPO contains both a Citrix administrative template (.adm) and Citrix policy settings
- The GPO containing Citrix policy settings inherits the settings of another GPO that contains a Citrix administrative template

To resolve this issue, use separate GPOs for Citrix policy settings and administrative templates and ensure these GPOs do not inherit settings. [#230497]
In user environments where Citrix Receiver is installed and Microsoft Windows 7 Specialized Security Limited Functionality (SSLF) templates are applied, Citrix Receiver might not run automatically at user logon or startup. Additionally, any installed Citrix plug-in and client software might not launch automatically at user logon or startup. The suggested workaround for this scenario for administrators is to remove the CitrixReceiver entry from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and deploy the Citrix Receiver software through the user's Startup shortcut. [#230500]
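The SSLF workaround above moves the Receiver autostart from the machine-wide Run key to a Startup shortcut. The PowerShell script below is an added example (not Citrix code and not part of this readme) of performing that change in the safe order: create the shortcut first, verify the target exists, and only then remove the Run value, so the Receiver launcher is never left without any autostart. It assumes, as the readme states, that the value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is named CitrixReceiver and holds the Receiver command line; because the Run key applies to all users, the shortcut is placed in the all-users Startup folder (CommonStartup). Run it elevated.

```powershell
# Added example, not Citrix code: replace the HKLM Run entry for Citrix Receiver with an
# all-users Startup shortcut (workaround for #230500 under Windows 7 SSLF templates).
# Assumptions: the Run value is named 'CitrixReceiver' and contains the launch command line.

$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valName = 'CitrixReceiver'

# Read the existing Run entry; Get-ItemProperty errors (non-terminating) if the value is absent.
$entry = Get-ItemProperty -Path $runKey -Name $valName -ErrorAction SilentlyContinue
if (-not $entry) {
    "No '$valName' value under $runKey; nothing to do."
    return
}
$commandLine = [string]$entry.$valName
"Found Run entry: $commandLine"

# Split the command line into executable and arguments. The path is usually quoted
# ("C:\Program Files (x86)\...\app.exe" /flag); fall back to a whitespace split otherwise.
if ($commandLine -match '^\s*"([^"]+)"\s*(.*)$') {
    $target = $Matches[1]
    $arguments = $Matches[2]
} else {
    $parts = $commandLine.Trim() -split '\s+', 2
    $target = $parts[0]
    $arguments = ''
    if ($parts.Count -gt 1) { $arguments = $parts[1] }
}

# Refuse to touch the registry if the Run entry already points at a missing file.
if (-not (Test-Path -LiteralPath $target)) {
    throw "Run entry points at '$target', which does not exist; leaving the registry unchanged."
}

# Create the Startup shortcut for all users (mirrors the machine-wide scope of the HKLM Run key).
$startupDir = [Environment]::GetFolderPath('CommonStartup')
$shortcutPath = Join-Path $startupDir 'Citrix Receiver.lnk'
$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut($shortcutPath)
$lnk.TargetPath = $target
$lnk.Arguments = $arguments
$lnk.WorkingDirectory = Split-Path -Parent $target
$lnk.Save()
"Created $shortcutPath -> $target $arguments"

# Only now remove the Run value, so there is never a moment with no autostart at all.
Remove-ItemProperty -Path $runKey -Name $valName
"Removed '$valName' from $runKey"
```

If Receiver should start only for particular users, substitute [Environment]::GetFolderPath('Startup') while running the script as that user; the rest of the logic is unchanged.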
When installing the Citrix online plug-in on a user device, pass-through authentication is not automatically configured. To ensure pass-through authentication is enabled for users accessing XenApp Services sites:

1. On the XenApp server, enable the pass-through authentication method for the XenApp Services site.
2. Ensure that on the user device, Internet Explorer has the URL to Web Interface added to the local Intranet Zone.
3. On the user device, add the icaclient.adm file using the Group Policy Editor and configure the following settings:
   - Enable Local user name and password and then select Enable pass-through authentication
   - Disable Kerberos authentication
4. After configuration, run gpupdate /force, log off the user device, and log back on.

For detailed instructions about configuring these settings, see http://support.citrix.com/article/CTX113004 in the Citrix Knowledge Center. [#230082, 230078]
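Step 2 of the procedure above is the part that most often goes wrong silently, and it has a security edge: Internet Explorer only sends the user's Windows credentials automatically to sites in the Local intranet zone, so the Web Interface host must be there, and nothing broader than intended should be. The following PowerShell script is an added example (not Citrix code and not part of this readme) that audits zone assignments on a user device: it reads the per-user ZoneMap\Domains mappings and the machine policy "Site to Zone Assignment List" (ZoneMapKey), lists everything mapped to zone 1, confirms whether the Web Interface host is covered, and flags wildcard or bare-name patterns. The host name in $webInterfaceHost is a placeholder; a domain-level entry is treated as covering its subdomains, which is how Internet Explorer applies it. The script is read-only and does not cover IP ranges (the Ranges subkey).

```powershell
# Added example, not Citrix code: audit Internet Explorer security-zone assignments so an
# administrator can confirm the Web Interface host is in the Local intranet zone (zone 1)
# before relying on pass-through authentication. Read-only; PowerShell 2.0 compatible.

$webInterfaceHost = 'webinterface.example.com'   # placeholder: the Web Interface host name

function Get-ZoneMappings {
    # Returns objects (Source, Pattern, Scheme, Zone) from both places IE reads them.
    $out = @()

    # Per-user mappings: Domains\<domain>[\<host>] with one DWORD per scheme ("http", "https", "*").
    $domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (Test-Path $domains) {
        foreach ($dom in Get-ChildItem -Path $domains) {
            $targets = @(@{ Name = $dom.PSChildName; Key = $dom.PSPath })
            foreach ($h in Get-ChildItem -Path $dom.PSPath) {
                $targets += @{ Name = "$($h.PSChildName).$($dom.PSChildName)"; Key = $h.PSPath }
            }
            foreach ($t in $targets) {
                $props = Get-ItemProperty -Path $t.Key
                foreach ($p in $props.PSObject.Properties) {
                    if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
                    $out += New-Object PSObject -Property @{
                        Source = 'HKCU ZoneMap'; Pattern = $t.Name; Scheme = $p.Name; Zone = [string]$p.Value
                    }
                }
            }
        }
    }

    # Group Policy mappings: value name is the site pattern (optionally scheme://), data is the zone.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    if (Test-Path $policy) {
        $props = Get-ItemProperty -Path $policy
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            $scheme = '*'
            if ($p.Name -match '^([a-z]+)://') { $scheme = $Matches[1] }
            $pattern = $p.Name -replace '^[a-z]+://', ''
            $out += New-Object PSObject -Property @{
                Source = 'Policy ZoneMapKey'; Pattern = $pattern; Scheme = $scheme; Zone = [string]$p.Value
            }
        }
    }
    return $out
}

$mappings = Get-ZoneMappings
$intranet = @($mappings | Where-Object { $_.Zone -eq '1' })

"Local intranet zone (zone 1) mappings:"
$intranet | Format-Table Source, Pattern, Scheme -AutoSize

# Is the Web Interface host covered? Exact host, parent domain, or wildcard pattern all count.
$covering = @($intranet | Where-Object {
    $_.Pattern -eq $webInterfaceHost -or
    $webInterfaceHost -like "*.$($_.Pattern)" -or
    $webInterfaceHost -like $_.Pattern
})
if ($covering.Count -gt 0) {
    "OK: $webInterfaceHost is in the Local intranet zone via: $(($covering | ForEach-Object { $_.Pattern }) -join ', ')"
} else {
    "WARNING: no Local intranet mapping covers $webInterfaceHost; pass-through authentication will not be attempted."
}

# Wildcards and bare (dotless) names widen the set of hosts that receive Windows credentials automatically.
$broad = @($intranet | Where-Object { $_.Pattern -match '\*' -or $_.Pattern -notmatch '\.' })
if ($broad.Count -gt 0) {
    "REVIEW: broad Local intranet patterns: $(($broad | ForEach-Object { $_.Pattern }) -join ', ')"
}
```

Run it in the context of the user who will launch applications, because the HKCU mappings are per user; the policy mappings are visible to everyone. A host that is reachable by a plain, dotless name falls into the intranet zone by Internet Explorer's default rule even without an explicit mapping, so a WARNING for such a host may be a false positive.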
When using Remote Desktop IP Virtualization in per session mode on servers with dual network adapters, virtual IPs are not assigned when sessions are created. This is an issue in Windows Server 2008 R2 that might occur if you use virtual IPs with XenApp. To work around this issue, configure Remote Desktop IP Virtualization to assign virtual IPs on a per program basis. [#228288]

The "Pass-through with smart card from Access Gateway" feature cannot be used with XenApp 6.0. Because of an issue with XenApp 6.0, smart card users logging on to Access Gateway integrated XenApp Web sites are unable to access resources when the pass-through with smart card from Access Gateway feature is enabled. Users clicking on a link in the XenApp Web site to access a resource delivered by XenApp 6.0 see the error message "An error occurred while making the requested connection." You can avoid this issue by configuring the site to prompt smart card users for their PIN each time they access a resource. [#230942]
Changes to worker groups might not be reflected accurately in the registry when a worker group is renamed or deleted. The registry entry for the worker group in the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\IMA\WorkerGroups subkey is not automatically updated. [#231048] As a workaround:

1. Create a new temporary worker group with all servers in the farm, which forces the registry to update for the renamed or deleted worker groups.
2. Delete the temporary worker group.

When generating the Settings report of a Group Policy Object (GPO) linked to the domain, the Group Policy Management console stops working. To work around this issue, access the original GPO, under the Group Policy Objects node, to generate the Settings report. [#261163]

For changes to Health Monitoring and Recovery to take effect, in Windows Component Services, Services (Local), restart the Citrix Health Monitoring and Recovery Service. [#230902]
For instructions about creating server-side content fetching whitelists for HDX MediaStream for Flash, search Citrix eDocs (this Web site) for the topic "Configuring HDX MediaStream for Flash on the User Device." Instructions found in the HDX administrative templates are outdated. [#229985]

Windows Media Player, when installed on a XenApp server, occasionally hides video behind a black Media Player screen on a user device running Windows 7. To correct this, users should change their Media Player view to Skin Mode. Alternatively, they can minimize and maximize the Media Player (more than once might be necessary) to refresh the video. [#230238]

Installing the HDX MediaStream for Flash version 1.1.0 package (CitrixHDXMediaStreamForFlash-ServerInstall.msi) using Active Directory Software Installation might fail. To prevent this failure, use a start-up script to deploy the package. [#229263]

After performing a Repair on Citrix HDX MediaStream for Flash-Server, the HDX MediaStream for Flash service might fail to restart. To avoid this issue, uninstall Citrix HDX MediaStream for Flash - Server and reinstall it. [#228502]

The Session Shadowing feature in XenApp 6 is supported only in single-monitor configurations for both computers. If either the shadowing or shadowed computer is configured with multiple monitors, shadowing is not supported. [#251490]
30
Contents
q
Finding Documentation
To access complete and up-to-date product information, in Citrix eDocs, expand the topics for your product. Licensing Documentation To access licensing documentation, go to http://support.citrix.com/proddocs/topic/technologies/lic-library-node-wrapper.html.
Getting Support
Citrix provides technical support primarily through Citrix Solutions Advisors. Contact your supplier for first-line support or use Citrix Online Technical Support to find the nearest Citrix Solutions Advisor. Citrix offers online technical support services on the Citrix Support Web site. The Support page includes links to downloads, the Citrix Knowledge Center, Citrix Consulting Services, and other useful support pages.
Installation Issues
31
If you install a role component from the Autorun menu by selecting Manually Install Components and then install the XenApp server role from Autorun, you may be prompted during XenApp role configuration for the location of that component's server, even though you did not select that component during XenApp server role installation. Re-enter the server information you specified during the manual installation. This also applies during a command-line XenApp role configuration; you must specify the server information for all the installed components. [#229147] The Provisioning Services Target Device software resets your network connection during install. As a result, you may see user interface crashes or other failures if you select this component to install from a network location. Citrix recommends that you install the Provisioning Services Target Device software using one of the following methods [#229881]:
q
Install from a local DVD image or ISO Copy the installation media locally before performing the installation Select Manually Install Components from the Autorun menu
Install with a command-line installation You must install the Provisioning Services role and the Provisioning Services Target Device component on separate servers. If you select both on the same server, the installation fails. [#229999]
q
If you install the XenApp server role and then uninstall it, Citrix recommends that you re-image the server with a clean operating system before installing the XenApp server role again. Re-installation of the XenApp server role on a machine where it was previously uninstalled may fail in the following conditions [#228363, 224925]:
q
If you had IIS installed on the machine previously and/or chose to install XML Service Integration with IIS If you specify an unsupported Microsoft SQL Server database version during XenApp server role configuration, the configuration fails but the error message may not state the cause. For supported database versions, see the system requirements topic and http://support.citrix.com/article/CTX114501. [#225264]
q
To install the EdgeSight for XenApp Agent, either install it at the same time you install the XenApp server role (and then restart the server after you configure XenApp), or, if you have already installed the XenApp server role, install the agent from the installation media using the MSI file in Service Monitoring\Installers\Agent\. Then restart the XenApp server. If you installed the XenApp server role and later installed the EdgeSight for XenApp Agent using the Server Role Manager, you are not prompted for the agent configuration, and the agent does not report to your EdgeSight server. To provide the proper configuration in this case, uninstall the agent and reinstall it from the installation media. [#229617, 229778] If the network connection fails or disconnects during a wizard-based XenApp installation, you may see the error message "Citrix eXtensible Meta Installer has stopped working." This is typically a non-fatal error; restart the XenApp Server Role Manager and finish your installation or configuration. You can also avoid this issue by copying the installation media locally or installing from the DVD. [#227578]
32
After installing the Delivery Services Console, if you use the Autorun menu to install Applications on Virtual Machines and select Install optional components > Upgrade Management Consoles, a separate console is installed, rather than adding a "VM Hosted Apps" node to the Delivery Services Console. [#226895] When installing the XenApp server role, if the required IIS role services are deployed on the server and you choose not to enable IIS integration by deselecting the XML Service IIS Integration component in a wizard-based installation, or by omitting the XA_IISIntegration option in a command-line installation, you must change the XML service port (to a port other than 80) when configuring the XenApp role. [#230674] When you select both the XenApp and Web Interface roles to install, and the IIS role services are not deployed on the server, the Web Interface role automatically deploys the IIS server roles. However, the XML Service IIS Integration component checkbox is not selected by default. Either select this checkbox or specify an XML Service port other then 80 when you configure XenApp. [#230683] Launching the Server Configuration Tool by double-clicking XenAppConfiguration.exe is not supported. Launch the Server Configuration Tool through the Server Role Manager. [#230819] When using the Server Role Manager to install and configure the SmartAuditor server role from a network share that requires authentication, after restarting the server, log on to the network share [#231084]
If you change the name of a worker group in your XenApp deployment and are using Configuration Manager, it creates a collection based on the new name of the worker group, but the original collection associated with the prior work group name remains. If you have used the original collection as the target of an advertisement, manually change the advertisement to target the new collection. When there are no servers in a target (due to no successful advertisements yet), an error message displays indicating a browser name error or that no servers were in the collection. This is normal and the error ceases after a server in the target has a successful advertisement. [#234879] When using the publishing wizard to specify the command line that launches the application, if the command line includes quotation marks, type the command line manually instead of browsing to it. [#235821] Ignore this error message in the Publish.log file: "Write-Host : The OS handle's position is not what FileStream expected. Do not use a handle simultaneously in one FileStream and in Win32 code or another FileStream. This may cause data loss." This error message does not indicate that XenApp Connector is not functioning properly.
Saving a Single sign-on plug-in installation image in the protected directories (for example, C:\ or C:\Windows) on a computer running Windows 7 results in an installation failure. To avoid this issue, designate a location (for example, create a folder under C:\ or a user's document folder) in which to save the image. [#224612] Installing the Single sign-on plug-in with XenApp from the wizard-based Server Role Manager does not allow you to install and configure optional plug-in features, such as Self-Service and Data Integrity. To successfully install the Single sign-on plug-in with these features, from the XenApp Autorun menu, click Manually install components > Server Components > Miscellaneous > Single sign-on > Single sign-on Plug-in. Dialog boxes appear during this installation process letting you select and configure the features. [#226801] If you use custom alerts in Citrix Service monitoring for XenApp (formerly Citrix EdgeSight for XenApp), or other event log rollup utilities, you must change the source name of Citrix Password Manager to Citrix Single Sign-On. [#222720] The Single sign-on 4.8 plug-in may not start after it has been upgraded from Password Manager Agent 4.5. An error message appears stating that Syncmgr.vrs is missing. To ensure a successful installation, uninstall Password Manager Agent 4.5 prior to installing Single sign-on 4.8 plug-in. If the Single sign-on 4.8 plug-in is already installed, run the Repair feature from the Programs section of the Control Panel. [#230824] Network credential dialog boxes on Windows Server 2008 R2 and Windows 7 are not recognized by the Citrix Single sign-on plug-in. Users are not prompted to store their user IDs and passwords. An application template, Windows 7 Network Authentication Dialog, available at http://citrix.thinkbuilddeploy.com/index.php, resolves this problem for environments where a single set of credentials is used for each user. [#221161]
On Windows Server 2008 R2 platforms, logging off MSN Messenger using the X button on the Messenger window fails to close the application. When you do so, the application minimizes to the system taskbar, which is not accessible with Windows Server 2008 R2. As a workaround, with administrative privileges, you can configure Messenger to run in Windows XP compatibility mode for all users. To do this, from the Windows Start > All Programs menu, select Windows Live Messenger. From the right-click menu, select Properties. On the Compatibility tab, choose "Change settings for all users." Then check "Run this program in compatibility mode for" and choose "Windows XP (Service Pack 3)." [#228845]
When using XenApp in a Novell Directory Services for Windows environment, XenApp servers experience reduced performance when enumerating published resources and during application launch when resolution to the least-loaded server occurs. As a workaround, modify the following registry key:
q
34
Be sure to set access control lists (ACLs) for the Network Service account to "Read." When this workaround is implemented, the number of simultaneous user logons is reduced. Therefore, users might experience longer logon times during peak usage periods. [#228841]
q
The Cumulative Server Load counter (available as part of the Citrix MetaFrame Presentation Server performance monitor counters) might not display the same values as the XenApp command query farm /load (also known as qfarm /load) when querying the same server running Citrix XenApp if there are pending connections to this server. The counter and command should display identical information once all sessions are active. [#228466, 228842] In some instances, when a user launches a published application, two Status Indicator icons might appear on the Windows Taskbar for the single published application. The second icon disappears after a few seconds. No workaround exists for this issue and it does not interfere with published application functionality. [#221203] If an administrator specifies a specific Windows theme for users through a Personalization group policy template, the Windows theme might not appear to be applied when launching a published application configured for seamless or non-seamless windows. (Any configured themes are correctly applied when launching published desktop.) To ensure themes are applied, administrators can modify the Windows registry. For details, see http://support.citrix.com/article/CTX124407 in the Citrix Knowledge Center. [#228080] On XenApp servers running the German language version of Windows, after configuring Citrix policy settings for a Group Policy Object, the Settings report for the Group Policy Object does not display the Citrix policy setting values when generated. As a workaround, use a language version of Windows other than German to view the policy settings values. [#223303] The Group Policy Results report does not include Citrix policy settings when run on a Group Policy Object (GPO) that meets one of the following conditions:
q
The GPO contains both a Citrix administrative template (.adm) and Citrix policy settings
The GPO containing Citrix policy settings inherits the settings of another GPO that contains a Citrix administrative template To resolve this issue, use separate GPOs for Citrix policy settings and administrative templates and ensure these GPOs do not inherit settings. [#230497]
q q
In user environments where Citrix Receiver is installed and Microsoft Windows 7 Specialized Security Limited Functionality (SSLF) templates are applied, Citrix Receiver might not run automatically at user logon or startup. Additionally, any installed Citrix plug-in and client software might not launch automatically at user logon or startup. The suggested workaround for this scenario for administrators is to remove the CitrixReceiver entry from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and deploy the Citrix Receiver software through the user's Startup shortcut. [#230500]
When installing the Citrix online plug-in on a user device, pass-through authentication is not automatically configured. To ensure pass-through authentication is enabled for 35
Readme for XenApp for Windows Server 2008 R2 users accessing XenApp Services sites: 1 On the XenApp server, enable the pass-through authentication method for the XenApp Services site. 2 Ensure that on the user device, Internet Explorer has the URL to Web Interface added to the local Intranet Zone. 3 On the user device, add the icaclient.adm file using the Group Policy Editor and configure the following settings:
q
Enable Local user name and password and then select Enable pass-through authentication
Disable Kerberos authentication 4 After configuration, run gpupdate /force, log off the user device, and log back on. For detailed instructions about configuring these settings, see http://support.citrix.com/article/CTX113004 in the Citrix Knowledge Center. [#230082, 230078]
q q
When using Remote Desktop IP Virtualization in per session mode on servers with dual network adapters, virtual IPs are not assigned when sessions are created. This is an issue in Windows Server 2008 R2 that might occur if you use virtual IPs with XenApp. To work around this issue, configure Remote Desktop IP Virtualization to assign virtual IPs on a per program basis. [#228288] The "Pass-through with smart card from Access Gateway" feature cannot be used with XenApp 6.0. Because of an issue with XenApp 6.0, smart card users logging on to Access Gateway integrated XenApp Web sites are unable to access resources when the pass-through with smart card from Access Gateway feature is enabled. Users clicking on a link in the XenApp Web site to access a resource delivered by XenApp 6.0 see the error message "An error occurred while making the requested connection." You can avoid this issue by configuring the site to prompt smart card users for their PIN each time they access a resource. [#230942]
Changes to worker groups might not be reflected accurately in the registry when a worker group is renamed or deleted. The registry entry for the worker group in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\IMA\WorkerGroups subkey is not automatically updated. [#231048] As a workaround: 1 Create a new temporary worker group with all servers in the farm, which forces the registry to update for the renamed or deleted worker groups. 2 Delete the temporary worker group. When generating the Settings report of a Group Policy Object (GPO) linked to the domain, the Group Policy Management console stops working. To work around this issue, access the original GPO, under the Group Policy Objects node, to generate the Settings report. [#261163] For changes to Health Monitoring and Recovery to take effect, in Windows Component Services, Services (Local), restart the Citrix Health Monitoring and Recovery Service. [230902]
- For instructions about creating server-side content fetching whitelists for HDX MediaStream for Flash, search Citrix eDocs (this Web site) for the topic "Configuring HDX MediaStream for Flash on the User Device." Instructions found in the HDX administrative templates are outdated. [#229985]
- Windows Media Player, when installed on a XenApp server, occasionally hides video behind a black Media Player screen on a user device running Windows 7. To correct this, users should change their Media Player view to Skin Mode. Alternatively, they can minimize and maximize the Media Player (more than once might be necessary) to refresh the video. [#230238]
- Installing the HDX MediaStream for Flash version 1.1.0 package (CitrixHDXMediaStreamForFlash-ServerInstall.msi) using Active Directory Software Installation might fail. To prevent this failure, use a start-up script to deploy the package. [#229263]
- After performing a Repair on Citrix HDX MediaStream for Flash-Server, the HDX MediaStream for Flash service might fail to restart. To avoid this issue, uninstall Citrix HDX MediaStream for Flash - Server and reinstall it. [#228502]
- The Session Shadowing feature in XenApp 6 is supported only in single-monitor configurations for both computers. If either the shadowing or the shadowed computer is configured with multiple monitors, shadowing is not supported. [#251490]
Deploying Prerequisites
During a wizard-based installation, the XenApp Server Role Manager (using the Server Role Installer) automatically installs prerequisites for the selected roles. For command-line installations, deploy the prerequisites before initiating XenApp role installation. Citrix recommends that you deploy prerequisites (such as IIS role services) using the Microsoft ServerManagerCmd.exe command or PowerShell, which Microsoft provides for Windows operating system roles.
Processor: 64-bit architecture with Intel Pentium Xeon family with Intel Extended Memory 64 Technology, AMD Opteron family, AMD Athlon 64 family, or compatible processor
Memory
Disk space: 32GB (minimum)

The XenApp Server Role Manager deploys the following software (except as noted), if it is not already installed:
- .NET Framework 3.5 SP1 (this is a prerequisite for the XenApp Server Role Manager; it is deployed automatically when you choose to add the XenApp server role from the Autorun menu)
- Windows Server Remote Desktop Services role (if you do not have this prerequisite installed, the Server Role Manager installs it and enables the RDP client connection option; you will be asked to restart the server and resume the installation when you log on again)
- Windows Application Server role
- Microsoft Visual C++ 2005 SP1 Redistributable (x64)
- Microsoft Visual C++ 2008 SP1 Redistributable (x64)
If the server already has the following IIS role services installed, the Citrix XML Service IIS Integration component is selected by default in the wizard-based XenApp installation, and the Citrix XML Service and IIS share a port (default = 80). If the IIS role services are not installed, the Citrix XML Service IIS Integration component is not selected by default in the wizard-based installation. In this case, if you select the checkbox, the Server Role Manager installs the following IIS role services. (If you do not install these services, the Citrix XML Service defaults to standalone mode with its own port settings, which you can configure using the XenApp Server Configuration Tool.)
- Web Server (IIS) > Common HTTP Features > Default Document (selecting this role service automatically selects Web Server (IIS) > Management Tools > Management Console, which is not required or checked for XenApp installation)
- Web Server (IIS) > Application Development > ASP.NET (selecting this role service automatically selects Web Server (IIS) > Application Development > .NET Extensibility; although not checked for XenApp installation, .NET Extensibility is required by ASP.NET)
- Web Server (IIS) > Application Development > ISAPI Extensions
- Web Server (IIS) > Application Development > ISAPI Filters
- Web Server (IIS) > Security > Windows Authentication
- Web Server (IIS) > Security > Request Filtering
- Web Server (IIS) > Management Tools > IIS 6 Management Compatibility (which includes IIS 6 Metabase Compatibility, IIS 6 WMI Compatibility, IIS 6 Scripting Tools, and IIS 6 Management Console)
If you plan to use Philips SpeechMike devices with XenApp, you may need to install drivers on the servers hosting sessions that record audio, before installing XenApp. For more information, see Citrix information on the Philips web site.

If installation of a required Windows role or other software requires a restart (reboot), restart the server before starting the XenApp server role installation.

Important: Do not install XenApp on a domain controller. Citrix does not support installing XenApp on a domain controller.
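As an added example (not part of the Citrix documentation), the following script uses the Windows Server 2008 R2 ServerManager module that Citrix recommends for command-line prerequisite deployment: it refuses to run on a domain controller, reports which of the roles and IIS role services listed above are missing, installs them, and flags a required restart. The ServerManager feature identifiers are assumed to correspond to the components named in the text; the IIS set is optional because without it the Citrix XML Service runs standalone on its own port instead of sharing port 80 with IIS.

```powershell
# Added example, not from the Citrix documentation. Requires an elevated PowerShell
# session on Windows Server 2008 R2; feature identifiers are assumed to be the
# ServerManager names for the roles and IIS role services listed in the text.
Import-Module ServerManager

# Roles the Server Role Manager would otherwise install for the XenApp server role.
$BaseFeatures = @(
    'NET-Framework-Core',   # .NET Framework 3.5.1 (3.5 SP1)
    'RDS-RD-Server',        # Remote Desktop Services role (RD Session Host)
    'Application-Server'    # Windows Application Server role
)

# IIS role services that enable the Citrix XML Service IIS Integration component.
# Without them the XML Service runs standalone on its own port rather than
# sharing port 80 with IIS.
$IisFeatures = @(
    'Web-Server',            # Web Server (IIS)
    'Web-Default-Doc',       # Common HTTP Features > Default Document
    'Web-Asp-Net',           # Application Development > ASP.NET
    'Web-Net-Ext',           # Application Development > .NET Extensibility (needed by ASP.NET)
    'Web-ISAPI-Ext',         # Application Development > ISAPI Extensions
    'Web-ISAPI-Filter',      # Application Development > ISAPI Filters
    'Web-Windows-Auth',      # Security > Windows Authentication
    'Web-Filtering',         # Security > Request Filtering
    'Web-Metabase',          # IIS 6 Management Compatibility > IIS 6 Metabase Compatibility
    'Web-WMI',               # IIS 6 Management Compatibility > IIS 6 WMI Compatibility
    'Web-Lgcy-Scripting',    # IIS 6 Management Compatibility > IIS 6 Scripting Tools
    'Web-Lgcy-Mgmt-Console'  # IIS 6 Management Compatibility > IIS 6 Management Console
)

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

function Get-MissingFeature {
    param([string[]] $Name)
    # Returns the names in $Name that ServerManager reports as not installed.
    Get-WindowsFeature -Name $Name |
        Where-Object { -not $_.Installed } |
        ForEach-Object { $_.Name }
}

function Install-XenAppPrerequisite {
    param([switch] $IncludeIisIntegration)

    if (Test-IsDomainController) {
        throw 'This server is a domain controller; XenApp is not supported on domain controllers.'
    }

    $wanted = @($BaseFeatures)
    if ($IncludeIisIntegration) { $wanted += $IisFeatures }

    $missing = @(Get-MissingFeature -Name $wanted)
    if ($missing.Count -eq 0) {
        Write-Host 'All listed prerequisites are already installed.'
        return
    }

    Write-Host ('Installing: ' + ($missing -join ', '))
    $result = Add-WindowsFeature -Name $missing

    if (-not $result.Success) {
        throw "Feature installation failed (exit code $($result.ExitCode))."
    }
    if ($result.RestartNeeded -ne 'No') {
        # The text requires the restart to happen before the XenApp role installation starts.
        Write-Warning 'A restart is required. Restart the server before installing the XenApp server role.'
    }
    return $result
}

# Example call: include the IIS role services so the XML Service can share port 80 with IIS.
Install-XenAppPrerequisite -IncludeIisIntegration
```

Omit -IncludeIisIntegration when the XML Service should stay in standalone mode, whose port you then set with the XenApp Server Configuration Tool.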
XenApp Management
XenApp Management includes the Delivery Services Console. By default, the console is installed on the same server where you install the XenApp server role; however, you can install and run the console on a separate computer. To install the Delivery Services Console on a workstation, from the XenApp Autorun menu, select Manually Install Components > Common Components > Management Consoles. Supported operating systems:
- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2003 (Standard, Datacenter, and Enterprise editions)
  - Windows Server 2003, 32-bit edition, with Service Pack 2
  - Windows Server 2003, 64-bit edition
- Windows XP Professional, 64-bit edition, with Service Pack 2
- Windows Vista (Business, Enterprise, and Ultimate editions), 32-bit and 64-bit editions, with Service Pack 1
Requirements:
- For Windows Vista, Windows 7, and Windows Server 2008 R2: MMC 3.0 (installed by default)
The XenApp Server Role Manager deploys the following software, if it is not already installed:
- Microsoft .NET Framework 3.5 SP1
- Microsoft Windows Installer (MSI) 3.0
- Microsoft Windows Group Policy Management Console
- Microsoft Visual C++ 2005 SP1 Redistributable (x64)
- Microsoft Visual C++ 2008 SP1 Redistributable (x64)
- Microsoft Visual C++ 2008 SP1 Redistributable
- Microsoft Visual C++ 2005 SP1 Redistributable
- Microsoft Primary Interoperability Assemblies 2005
If you install the Delivery Services Console on a computer that previously contained the Microsoft Group Policy Management Console (GPMC) and an earlier version of the Delivery Services Console, you may also need to uninstall and reinstall the Citrix XenApp Group Policy Management Experience (x64) program in order to use the GPMC to configure Citrix policies.
- Microsoft SQL Server 2008 Express (can be deployed for you by the XenApp Server Configuration Tool when creating a new XenApp farm)
- Microsoft SQL Server 2005
- Microsoft SQL Server 2008
- Oracle 11g R2
- Server-side application virtualization: applications run inside the Data Center. XenApp presents each application interface on the user device, and relays user actions from the device, such as keystrokes and mouse actions, back to the application.
- Client-side application virtualization: XenApp streams applications on demand to the user device from the Data Center and runs the application on the user device.
- VM hosted application virtualization: problematic applications or those requiring specific operating systems run inside a desktop in the Data Center. XenApp presents each application interface on the user device and relays user actions from the device, such as keystrokes and mouse actions, back to the application.
To provide these types of application delivery, you have many choices of deployment designs and XenApp features, which you can tailor for your users' needs. A typical process for planning a XenApp farm includes:
1 Becoming familiar with XenApp and XenApp Setup by creating a small, one-server or two-server test farm.
2 Deciding which applications to deliver to users.
3 Determining how you want to deliver applications - this includes testing and evaluating the applications and peripheral requirements.
4 Determining application to application communication, where to install the applications on XenApp servers, and which applications can be collocated.
5 Determining the number of servers you need for applications.
6 Determining the total number of servers you need for your farm and evaluating hardware requirements.
7 Creating the network infrastructure design.
8 Defining the installation processes.
9 Creating and testing a pre-production pilot farm based on your farm design.
10 Releasing the farm into production.
To help you understand how a XenApp deployment delivers applications so you can complete planning tasks, consider the following diagram.
A XenApp deployment consists of three deployment groups: user device (represented in this diagram by Citrix Receiver and Citrix Dazzle), Access Infrastructure, and Virtualization Infrastructure.
- On the left of this diagram are Citrix Dazzle and Citrix Receiver, which represent the set of devices on which you can install client software. Citrix Dazzle provides your users with a selection of applications you have made available to them. Citrix Receiver manages the client software plug-ins that enable your users to interact with virtualized applications. When designing a XenApp deployment, you consider how your users work, their devices, and their locations.
- Access Infrastructure represents secure entry points deployed within your DMZ that provide access to resources published on XenApp servers. When designing a XenApp deployment, you provide secure access points for the different types of users in your organization.
- Virtualization Infrastructure represents a series of servers that control and monitor application environments. When designing a XenApp deployment, you consider how applications are deployed based on your user types and their devices, the number of servers you need, and which features you want to enable in order to provide the support, monitoring, and management your organization requires.
All of your users use Citrix Dazzle to choose applications they want to run. Citrix Receiver plug-ins run them. Onsite users within your corporate firewall interact directly with the XenApp Web and Services Site. Remote-site users access applications through sites replicated by Citrix Branch Repeater. Off-site users access applications through secure access, such as Access Gateway. The Merchandising Server makes available self-service applications to your users through Citrix Dazzle. EasyCall Voice Services enables your users to initiate telephone calls by clicking on telephone numbers displayed in their applications. The XML Service relays requests and information between the Access Infrastructure and the Virtualization Infrastructure.
The XML service relays information and requests. Based on Active Directory profiles and policies, the XenApp servers invoke the correct application delivery type for the user.
- The XenApp servers provide server-side application virtualization and session management. Session and deployment configuration information are stored in data collectors and a central data store represented by the deployment data store.
- The App Hub provides Streamed Application Profiles, which are client-side virtualization applications housed in your enterprise storage.
- The VM Hosted Apps server isolates problematic applications inside a seamless desktop, which, depending on the user profile, can be virtualized on the user device or on the server. The desktop images are provisioned through Provisioning Server. Session and server configuration information are stored in the deployment data store.
- Provisioning Services delivers desktops to servers, which are stored as desktop images in your image repository.
- SmartAuditor provides session monitoring. Recorded sessions are stored in your enterprise storage and configuration information is stored in the deployment data store.
- Service Monitoring enables you to test server loads so you can estimate how many servers you need for your deployment and to monitor those servers once they are deployed.
- Power and Capacity Management enables you to reduce power consumption and manage server capacity by dynamically scaling the number of online servers.
- Single Sign-on provides password management for virtualized applications. Passwords are stored in the account authority.
Terminology
The XenApp planning documentation uses the following terminology:
Multi-user environment: An environment, including XenApp and Remote Desktop Services, where applications are published on servers for use by multiple users simultaneously.
Production farm: A farm that is in regular use and accessed by users.
Design validation farm: A farm that is set up in a laboratory environment, typically as the design or blueprint for the production farm.
Pilot farm: A preproduction pilot farm used to test a farm design before deploying the farm across the organization. A true pilot is based on access by select users, and then adding users until all users access the farm for their everyday needs.
About Controllers
XenApp farms have two types of infrastructures:
- The virtualization infrastructure consists of the XenApp servers that deliver virtualized applications and VM hosted applications, and controllers that support sessions and administration, such as the data store, data collector, Citrix XML Broker, Citrix License Server, a computer for profiling applications, Configuration Logging database (optional), Load Testing Services database (optional), and Service Monitoring agents, players, and database.
- Access infrastructure consists of controllers such as the Web Interface, Secure Gateway (optional), and Access Gateway (optional) that provide access administration.
In small deployments, you can group one or more controllers together. In large deployments, you provide services on one or more dedicated servers. Factors other than size can affect how you group controllers. Security concerns, virtualized servers, and user load play a part in determining which functions can be collocated.
Designing a XenApp Deployment

This illustration depicts controllers in a large farm. The Web Interface, XML Service, data collector, and data store are deployed on separate servers.
Typically, in larger farms, you segregate the controller functions onto distinct servers. For small farms, you might have one controller server hosting infrastructure functions and multiple worker servers hosting published applications. Small farms that require redundancy might have one or two servers hosting controllers. For example, in a small farm with a Microsoft SQL Server Express data store, the data store might be configured on the same server as the data collector and the XML Broker and, perhaps also the Citrix License Server and the Web Interface. Medium and large farms might group controllers and services together when they have similar functions. For example, the XML Broker might be grouped with the data collector. In some larger deployments, each infrastructure service would likely have one or more dedicated servers. In large farms, the Citrix License Server and the Web Interface are typically hosted on separate servers.
To deliver an application to your users through Citrix Dazzle and the XenApp online or offline plug-ins, whether virtualized on the desktop or the server, you use the Delivery Services Console to publish the application.

Citrix Licensing
A Citrix License Server is required for all XenApp deployments. Install the license server on either a shared or stand-alone server, depending on your farm's size. After you install the license server, download the appropriate license files and add these to the license server.

Data Store
The data store is the database where servers store static farm information, such as configuration information about published applications, users, printers, and servers. Each server farm has a single data store.

Data Collector
A data collector is a server that hosts an in-memory database that maintains dynamic information about the servers in the zone, such as server loads, session status, published applications, users connected, and license usage. Data collectors receive incremental data updates and queries from servers within the zone. Data collectors relay information to all other data collectors in the farm. By default, the first server in the farm functions as the data collector. By default, the data collector is configured on the first farm server when you create the farm and all other servers are configured with equal rights to become the data collector if the data collector fails. When the zone's data collector fails, a data collector election occurs and another server takes over the data collector functionality. Farms determine the data collector based on the election preferences set for a server. The data collector is a controller and applications are typically not published on it.

Zones
A zone is a grouping of XenApp servers that communicate with a common data collector. In large farms with multiple zones, each zone has a server designated as its data collector.
Data collectors in farms with more than one zone function as communication gateways with the other zone data collectors. The data collector maintains all load and session information for the servers in its zone. All farms have at least one zone, even small ones. The fewest number of zones should be implemented, with one being optimal. Multiple zones are necessary only in large farms that span WANs.

Streaming Profiles
You can deliver applications to users by either virtualizing them on the desktop (streaming) or by virtualizing them on the server (hosting). If you are virtualizing applications on the desktop, either streaming to the client or server, create a streaming profile server in your environment. To virtualize applications on the desktop, you create profiles of the application and then store the profile on a file or Web server. The profile consists of the manifest file (.profile), which is an XML file that defines the profile, as well as the target files, a hash key file, the icons repository (Icondata.bin), and a scripts folder for pre-launch and post-exit scripts.
Web Interface
The Web Interface is a required component in any environment where users access their applications using either the online plug-in or a Web browser. Install the Web Interface on a stand-alone computer; however, where resources are limited, the Web Interface is sometimes collocated with other functions.

XenApp Web and XenApp Services Sites
XenApp Web and XenApp Services sites (formerly known as Access Platform and Program Neighborhood Agent Services sites, respectively) provide an interface to the server farm from the client device. When a user authenticates to a XenApp Web or XenApp Services site, either directly or through the XenApp plug-in or the Access Gateway, the site:
- Forwards the user's credentials to the Citrix XML Service
- Receives the set of applications available to that user by means of the XML Service
- Displays the available applications to the user either through a Web page or by placing shortcuts directly on the user's computer

Citrix XML Service and the Citrix XML Broker
The Citrix XML Broker functions as an intermediary between the other servers in the farm and the Web Interface. When a user authenticates to the Web Interface, the XML Broker:
- Receives the user's credentials from the Web Interface and queries the server farm for a list of published applications that the user has permission to access. The XML Broker retrieves this application set from the Independent Management Architecture (IMA) system and returns it to the Web Interface.
- Upon receiving the user's request to launch an application, the broker locates the servers in the farm that host this application and identifies which of these is the optimal server to service this connection based on several factors. The XML Broker returns the address of this server to the Web Interface.

The XML Broker is a function of the Citrix XML Service. By default, the XML Service is installed on every server during XenApp installation. However, only the XML Service on the server specified in the Web Interface functions as the broker. (The XML Service on other farm servers is still running but is not used for servicing end-user connections.) In a small farm, the XML Broker is typically designated on a server dedicated to several infrastructure functions. In a large farm, the XML Broker might be configured on one or more dedicated servers.
The XML Broker is sometimes referred to as a Citrix XML Server or the Citrix XML Service. For clarity, the term XML Broker is used to refer to the XML Service when it functions as the intermediary between the Web Interface and the IMA service, regardless of whether it is hosted on a dedicated server or collocated with other controller functions.
- Printer autocreation policy settings - Consider limiting the number of printers that are autocreated if session start time is a factor.
- Network activities occurring independently of sessions - Operations such as logging on to Active Directory, querying Lightweight Directory Access Protocol (LDAP) directory servers, loading user profiles, executing logon scripts, mapping network drives, and writing environment variables to the registry can affect session start times. Also, connection speed and programs in the Startup items within the session, such as virus scanners, can affect start times.
- Roaming profile size and location - When a user logs onto a session where Microsoft roaming profiles and home folders are enabled, the roaming profile contents and access to that folder are mapped during logon, which uses additional resources. In some cases, this can consume significant amounts of CPU. Consider using home folders with redirected personal folders to mitigate this problem.
- Whether the data collector has sufficient resources to make load balancing decisions efficiently - In environments with collocated infrastructure servers, Citrix suggests hosting the Citrix XML Broker on the data collector to avoid delays.
- License server location - For WANs with multiple zones, where the license server is in relation to the zone.
Printing Configuration
Your printing configuration directly affects how long sessions take to start and the traffic on your network. Planning your printing configuration includes determining the printing pathway to use, how to provision printers in sessions, and how to maintain printer drivers. Consider these recommendations:
- Use Citrix Universal printer drivers and the Universal Printer whenever possible. This results in fewer drivers and less troubleshooting.
- Disable the automatic installation of printer drivers, which is the default setting.
- Adjust printer bandwidth using XenApp policy rules, if appropriate.
- If printing across a WAN, use the XenApp Print job routing policy rule to route print jobs through the client device.
- Test new printers with the Stress Printers utility, which is described in the Citrix Knowledge Center.
- Choose printers that are tested with multiuser environments. Printers must be PCL or PS compatible and not host-based. The printer manufacturer determines whether printers work in a XenApp environment, not Citrix.
The server's hardware specifications
The applications deployed (CPU and memory requirements)
The amount of user input being processed by the applications
The maximum desired resource usage on the server (for example, 90% CPU usage or 80% memory usage)
RAID - In multiprocessor configurations, Citrix recommends a RAID (Redundant Array of Independent Disks) setup. XenApp supports hardware and software RAID.
Reducing hard disk failure - Hard disks are the most common form of hardware failure. You can reduce the impact of a disk failure with a RAID 1 (mirroring) or RAID 5 (striped set with distributed parity) configuration. If RAID is not an option, a fast Serial Attached SCSI (SAS) or Small Computer System Interface (SCSI) Ultra-320 drive is recommended.
Disk speed - Faster hard disks are inherently more responsive and might eliminate or curtail disk bottlenecks.
Number of controllers - For quad or eight-way servers, Citrix recommends installing at least two controllers: one for the operating system and another for applications and temporary files. Isolate the operating system as much as possible, with no applications installed on its controller. This principle also applies in small farms. If possible (assuming a multicore or multiprocessor system), install the operating system on a separate hard drive from XenApp and the applications. This prevents input/output bottlenecks when the operating system and the applications need the disk at the same time. Distribute hard drive access load as evenly as possible across the controllers.
Processors - Dual-processor (dual-core) deployments combine overall efficiency and a lower total cost of ownership. However, once a system has a dual-core processor, adding processors does not necessarily provide proportionate performance increases. Server scalability does not increase linearly with the number of processors: scalability gains level off between eight and sixteen CPU cores.
Hard disk partitions - Partition and hard-disk size depend on the number of users connecting to the XenApp server and the applications on the server. Because each user's Remote Desktop Services profile is loaded on the server, consider that large numbers of user profiles can use gigabytes of disk space on the server. You must have enough disk space for these profiles on the server.
Can I run the applications? Citrix recommends testing non-Vista-compliant applications before you publish them on your farm. Some non-Vista-compliant applications run using the Application Compatibility feature.
How many users do I anticipate will connect to each application during peak and off-peak hours? Do I need to allocate servers for load balancing?
Will users access certain applications frequently? Do I want to publish all of these applications on the same server to facilitate session sharing and reduce the number of connections to a server? If you want to use session sharing, you might also want users to run applications in seamless windows.
Will my organization need to provide proof of regulatory compliance for certain applications? Will any applications undergo a security audit? If you intend to use SmartAuditor to record sessions on these servers, install the SmartAuditor agent on those servers and make sure they have sufficient system resources to ensure adequate performance.
Will any of my applications be graphically intensive? If so, consider using the XenApp SpeedScreen, Memory Utilization Management, or CPU Utilization Management features, as well as more robust hardware, for sessions hosted on these servers.
.INI files that contain hard-coded file path names, database connection settings, and read/write file locking configurations that need to be reconfigured to prevent file conflicts.
Custom applications developed with hard-coded paths in the registry.
Applications that use the computer name or IP address for identification purposes. Because a server can run multiple instances of the application, all instances could use the same IP address or computer name, which can cause the application to fail.
When you find any of these hard-coded settings or other conflicts, document the setting in your farm design document. After you find resolutions to these issues, design your farm and test your design by creating a pilot test farm.
Applications are installed on the server, where the processing takes place, and accessed from the server. This is the traditional XenApp application delivery model. For many organizations, this provides the lowest cost of ownership for IT resources because it provides the greatest scalability.
Advantages
This method provides a consistent user experience regardless of the user device. You manage applications centrally. User devices do not require extensive resources, such as large amounts of memory or hard drive space. This delivery method supports thin clients. This method is effective for applications with components that are intertwined with the operating system (such as a .NET framework).
Considerations
Farm servers require sufficient resources to support the applications. Users must be connected to the server or network to run the applications (no offline access).
Streamed to server: Executables for applications are put in profiles and stored on a file server or Web server (the App Hub); when launched, they stream to the server, and application processing takes place on the server. Unlike installed applications, streamed applications are stored in the App Hub and provide application isolation by design.
Advantages
This method has advantages similar to those of installed applications, including a consistent user experience, central management, and use of server resources instead of those of the user device. In many cases, streaming to server lets conflicting applications, such as multiple versions of the same application, run on the same server without needing to silo them. Updating applications is simplified because you update only a single application profile.
Considerations
Farm servers require sufficient resources to support the applications. Users must be connected to the server or network (no offline access). Some applications are not candidates for profiling, such as those using a .NET framework.
Streamed to desktop: Executables for applications are put in profiles and stored on a file server or Web server (the App Hub). When launched, the files required to execute the application are streamed to the user device, and application processing takes place on the user device instead of the XenApp server. When applications are streamed to the user device, the user experience is similar to running applications locally. After applications are cached on the user device, users can continue running them after disconnecting from the network (referred to as offline access).
Advantages
Users have the local application experience, but you manage the applications centrally. Users might have a better experience when resource-intensive applications, such as graphics applications, are streamed to desktops. Using application properties and Citrix policies and filters for Offline Applications, you control which applications and users have offline access, as well as the license period for offline use.
Considerations
User devices must have sufficient resources to run the applications locally; the user devices cannot be thin clients. User devices must run Windows operating systems, including Windows 7, XP, or Vista.
Streamed if possible, otherwise accessed from a server: When you select this option (referred to as dual mode or fallback), XenApp tries to stream the application to the user device first, but uses the backup access method if streaming to desktop is not supported on the user device. For example, you can specify that some users, such as sales personnel, run applications streamed to desktop when they are accessing the applications from Windows devices, and run them as installed applications when they are accessing them from handheld mobile or kiosk-type devices.
Advantages
This method provides the most versatility for application delivery, offering all the advantages of streaming to desktops for supported user devices, plus a backup delivery method for the rest. You control delivery options centrally using Citrix policies and filters, such as the server's Load Balancing Policies for Streamed App Delivery.
Considerations
For the backup method to occur, ensure that the application is either installed on the XenApp server or the streaming profile is configured for a target operating system that matches the server.
Publishing the desktop - Presents users with an entire Windows Server desktop when they log onto XenApp. For security, the desktop should be locked down.
Publishing applications - Publishes specific applications and delivers only those applications to users. This option provides greater administrative control and is used most frequently.
You can use policies to prevent users from accessing server drives and features with both methods of application delivery.
Network-attached storage (NAS) or storage area network (SAN) solution, if feasible.
A RAID storage configuration, depending on the fault-tolerant solution desired.
A single 1 Gbps network card or multiple 100 Mbps cards. If your network infrastructure and configuration does not support this speed, use dual network cards; this configuration doubles the available bandwidth compared with a traditional single network-card configuration.
Streaming file shares can be hosted on a file server or a Web server. There are two configurations for a streaming file share in branch office environments:
A streaming file share in each branch office hosted on network file servers - In some deployments, for performance (and, in some countries, legal) reasons, branch offices cannot connect to a network file server in the main office. To store streaming profiles on a network file server in that case, configure a streaming file share in each branch office.
A streaming file share in the main office hosted on a Web server - Using a Web server sends all the traffic between the client devices and the file share over HTTP or HTTPS, which performs better across a WAN than file-share (SMB) access.
Using a Web server for the file share reduces the need to have a file share in each branch office for performance reasons. Instead of putting a file share at each branch office, you can put all the profiles on the Web server file share at the main office.
The servers on which the applications are installed
Whether load balancing or preferential load balancing changes your need to dedicate servers to mission-critical or highly used applications
The geographic location of the servers delivering applications (for WANs and organizations with branch offices)
Siloed
Advantages
It is easy to track the application's location and usage.
Centralization makes it easy to configure and maintain the application.
Other applications do not interfere with the installed application.
Can be useful for mission-critical applications.
Nonsiloed
Advantages
Reduces the number of servers required for applications in small to medium-sized farms.
Might simplify user permissions and ensure consistent settings during application installation.
A single server is accessed by each user and session sharing is ensured.
By using features such as Load Manager and Preferential Load Balancing, you might not need to silo mission-critical applications or applications with high levels of peak usage.
When an application conflicts with other applications, rather than silo it on one server, consider streaming the application. Streaming effectively isolates the application, which allows conflicting applications to run on a single server, reducing the need for silos.
Load Manager - Lets you balance new connections across servers. When a user launches the first published application, that user's session is established on the least loaded server in the farm, based on criteria you configure. When the user launches a second application that is published on the same server, the existing session is shared and no load management occurs. However, if that application is not published on the same server, Load Manager is invoked and another load-balancing decision is made. Load balancing is enabled by default: when you publish an application on multiple servers, load balancing automatically sends the user to the least-loaded server.
Preferential Load Balancing - Lets you allocate a specific portion of CPU resources to a specific session or application. You can use Preferential Load Balancing to assign importance levels (Low, Normal, or High) to specific users and applications. For example, doctors in a hospital could be specified as important users and MRI scans or X-rays could be specified as important applications. These important users and applications with higher levels of service have more computing resources available to them. By default, a Normal level of service is assigned to all users and applications. Different application workloads can co-exist on a server; simply assign important applications a higher importance level.
The key difference between Load Manager and Preferential Load Balancing is that Preferential Load Balancing can treat each session differently, whereas Load Manager treats each session the same.
Although you can use applications as the basis for Load Manager decisions, Citrix does not recommend it. Citrix recommends invoking Load Manager based on the server only. Citrix does not recommend load balancing across zones on a WAN.
Advantages
Centralized server administration and support.
Centralized application management.
Potentially better physical security than in branch offices.
Disadvantages
Single point of failure; if the site loses connectivity, users have no alternative access.
Advantages
Enhanced business continuity and redundancy; if one site loses connection, it does not affect all application access.
When data is maintained at different sites, placing servers at those sites provides users with local access to the data.
Sites can administer their own servers.
Zone Preference and Failover can be used if there are multiple zones.
Disadvantages
Server-to-server communication crosses the WAN.
If users need access to multiple sites, you might need to coordinate and replicate domains, trusts, user profiles, and data.
Sites might need added local administration and support.
The processing requirements of the applications and the processing capacity and available RAM of your servers. To determine the processing requirements for an application, see its product documentation.
The native architecture of the applications. Running 32-bit applications on 64-bit operating systems requires more RAM than running a 32-bit application on a 32-bit operating system.
Whether you are streaming applications to the server or installing the applications on the server. Depending on the network topology and the application being delivered, a deployment where applications are installed on the servers can service more users than a deployment with an equal number of servers where the applications are streamed to the servers.
The size of the files with which your users work and how they use them.
Using this data you can roughly estimate the number of servers to deploy in your test farm. After setting up your test farm, use Load Testing Services on the XenApp servers to simulate how your users run applications on your servers. With Load Testing Services, you can track a variety of Perfmon counters, such as Total Processor Time, Thread Queue Length, Memory Consumption, and Pages Per Second, to determine the resource limits of the servers in your environment. This will help you determine the number of servers to deploy in your production environment.
Location and needs of the users or your organization - If your organization is a service provider, you might want to dedicate a farm to each organization for which you provide service. Multiple farms might make it easier to demonstrate compliance with specific service level agreements.
Geographic layout of your organization - If your IT infrastructure is organized by region and managed in a decentralized manner, multiple farms could improve farm performance. Multiple farms could also save time when coordinating farm administration and simplify troubleshooting farm-wide issues.
Network infrastructure limitations - In WANs with high latency or error rates, multiple farms may perform better than a single farm with multiple zones.
Organizational security policies concerning server communications - Consider multiple farms if your organization needs to segregate data based on security level. Likewise, you might need multiple farms for regulatory compliance.
There is no exact formula for determining the ideal number of farms, but general guidelines can help:
In general, a single farm meets the needs of most deployments. A significant benefit to deploying a single farm is needing only one data store database.
Consider using multiple farms when you have geographically dispersed data centers that can support their own data store database, or when you do not want communication between servers within the farm to cross a firewall or WAN.
For very large deployments with thousands of servers, breaking the environment into multiple farms can increase performance.
Single Farm
Data store - The farm has one data store. Citrix recommends that you replicate the data store to remote sites when using one farm in a WAN environment.
Load balancing - You can load balance an application across the farm. If the farm spans multiple sites, firewall ports must be open for server-to-server communication. Data store information is synchronized with member servers through notifications and queries. When a farm has multiple zones, data collectors communicate dynamic information such as logons and application use across the farm.
Management tools - You can monitor and configure the farm from a single management console and need to log on to only one farm to do so.
Multiple Farms
Data store - Each farm must have a data store. If each remote site is a farm with its own data store, there is no need for data store replication.
Load balancing - You cannot load balance an application across servers in different farms. Site-based farms eliminate the need to open firewall ports for server-to-server communication. Multiple farms might improve performance over a single farm when server-to-server traffic crosses a WAN link or when the farm is very large.
Management tools - You can monitor and configure multiple farms from the management console. Communicating with multiple farms from the console requires logging on to each farm.
Web Interface - Sharing a Web Interface between farms provides central access to applications published on different farms.
SmartAuditor - With the exception of the SmartAuditor Agent, all components are independent of the server farm. For example, you can configure multiple farms to use a single SmartAuditor Server.
Citrix Licensing - You can manage multiple farms using one Citrix License Server; however, performance might be affected if you use only one license server for all servers in a WAN.
EdgeSight - You can use EdgeSight and Resource Manager powered by EdgeSight to monitor multiple farms. Note that servers running Presentation Server 4.5 agents appear as endpoints.
Planning Controllers
Regardless of your farm size, Citrix recommends having at least one server dedicated to controller functions, which are deployment functions other than those related to running published applications. Publishing applications on a controller slows down application enumeration. If you decide to install controller functions on a server hosting published applications, choose a server that hosts an infrequently used application that is not resource-intensive (or lower the load threshold for that server so that it accepts fewer connections).
While farm size (small, medium, large), as determined by the number of servers, can indicate the general category of your farm, another factor to consider is the number of user connections. Because applications can scale differently from server to server (some servers might support 100 user connections, others only ten), looking solely at the number of servers can be misleading.
Determine how you want to group controller functions by designing an initial configuration, then fine tune the design after testing the pilot farm. As you add user connections in your test configuration, watch the Windows Performance Monitor counters:
When the peak number of users is connecting simultaneously to the farm; this usually occurs in the morning.
When the peak number of users is connected to the farm; this usually occurs during the day.
If the counters exceed the values listed in the table, move the controller functions on to separate servers until the counter metric no longer exceeds the value.
Criteria
> 85% - 90%
> 80%
> 0 for extended periods of time
> 0 for extended periods of time
LastRecordedLicenseCheck-OutResponseTime > 5000 ms
Typically, you need to evaluate the LastRecordedLicenseCheck-OutResponseTime counter only in large farms.
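The thresholds above, and the Load Testing Services counters named earlier (Total Processor Time, Thread Queue Length, Memory Consumption, Pages Per Second), are only useful if they are sampled during the two peak windows and judged over time rather than from a single reading. The following PowerShell script is an added example, not part of the Citrix documentation. It samples a set of Performance Monitor counters on one or more servers and flags a counter only when it exceeds its limit in a sustained share of the samples, which is how "> 0 for extended periods of time" has to be read. The table on this page preserves only the threshold column, so the counter-to-threshold mapping used here (% Processor Time for the 85-90% row, % Committed Bytes In Use for the 80% row, the processor and disk queue lengths for the two "> 0" rows), the Pages/sec limit, and the 80% sustained fraction are all assumptions of this example. The Citrix Licensing counter set exists only on XenApp servers, so its absence on a host is tolerated. Counter names are the English ones and are localized on non-English installations.

```powershell
# Added example: sample Performance Monitor counters on XenApp servers and
# report which of the controller-sizing thresholds are breached for a
# sustained share of the samples. The counter-to-threshold mapping and the
# SustainedFraction value are assumptions, not figures from the Citrix text.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$SampleInterval = 5,          # seconds between samples
    [int]$MaxSamples = 12,             # 12 x 5 s = one minute per counter
    [double]$SustainedFraction = 0.8   # assumed meaning of "for extended periods"
)

# Each row: the counter path, a test that returns $true when one sample
# breaches the limit, and the threshold text as the planning table gives it.
$thresholds = @(
    @{ Path = '\Processor(_Total)\% Processor Time'
       Breach = { param($v) $v -gt 85 }
       Limit = '> 85% - 90%' },
    @{ Path = '\Memory\% Committed Bytes In Use'
       Breach = { param($v) $v -gt 80 }
       Limit = '> 80% (assumed counter)' },
    @{ Path = '\System\Processor Queue Length'
       Breach = { param($v) $v -gt 0 }
       Limit = '> 0 for extended periods (assumed counter)' },
    @{ Path = '\PhysicalDisk(_Total)\Current Disk Queue Length'
       Breach = { param($v) $v -gt 0 }
       Limit = '> 0 for extended periods (assumed counter)' },
    @{ Path = '\Memory\Pages/sec'
       Breach = { param($v) $v -gt 100 }
       Limit = 'Load Testing Services counter; 100/s is an assumed limit' },
    @{ Path = '\Citrix Licensing\Last Recorded License Check-Out Response Time (ms)'
       Breach = { param($v) $v -gt 5000 }
       Limit = '> 5000 ms' }
)

function Test-ControllerLoad {
    param([string]$Computer)
    foreach ($t in $thresholds) {
        # One Get-Counter call per path so that a counter set missing on a
        # host (Citrix Licensing on a non-XenApp server) does not abort the run.
        try {
            $sets = Get-Counter -ComputerName $Computer -Counter $t.Path `
                -SampleInterval $SampleInterval -MaxSamples $MaxSamples -ErrorAction Stop
        } catch {
            Write-Warning ("{0}: counter '{1}' unavailable ({2})" -f $Computer, $t.Path, $_.Exception.Message)
            continue
        }
        $values   = @($sets | ForEach-Object { $_.CounterSamples[0].CookedValue })
        $breached = @($values | Where-Object { & $t.Breach $_ }).Count
        $fraction = $breached / $values.Count
        New-Object PSObject -Property @{
            Computer  = $Computer
            Counter   = $t.Path
            Limit     = $t.Limit
            Average   = [math]::Round(($values | Measure-Object -Average).Average, 1)
            BreachPct = [math]::Round(100 * $fraction)
            # Sustained breach: the planning advice is to move controller functions
            # to a separate server until the counter stays below its limit.
            MoveOff   = ($fraction -ge $SustainedFraction)
        }
    }
}

# Run this during both peak windows the text names (the morning logon storm
# and the midday steady state) and compare the two reports.
$report = foreach ($c in $ComputerName) { Test-ControllerLoad -Computer $c }
$report | Sort-Object Computer, Counter |
    Format-Table Computer, Counter, Average, BreachPct, MoveOff -AutoSize
```

Save the script and run it from an account with remote Performance Monitor access to the controller candidates (for example, `.\Test-ControllerLoad.ps1 -ComputerName ctrl01,ctrl02 -MaxSamples 60`). A row with MoveOff set to True in both peak-window runs is the signal, in the text's terms, to split that controller function onto its own server and re-measure.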
Farm configuration information
Published application configurations
Server configurations
Citrix administrator accounts
Printer configurations
The System Requirements lists the databases you can use for the farm data store. For information about supported database versions, see http://support.citrix.com/article/CTX114501.
Choosing a Database
Consider these factors before deciding which database product to use:
The number of servers you currently plan to have in the farm, and whether or not you plan to expand that number
Whether or not you have a database administrator with the expertise to configure and manage a data store running on SQL Server or Oracle
Whether or not you foresee the enterprise expanding, which would result in expanding the size and maintenance of the database
Any database maintenance requirements, such as backup, redundancy, and replication
General recommendations are listed below, based on the following size table.
Microsoft SQL Server and Oracle are suitable for any size environment and are recommended for all large and enterprise environments. When deploying large farms across a WAN, you can obtain a performance advantage by replicating the data store and distributing the load over multiple database servers. SQL Server and Oracle are suitable for large farms and support replication. Do not install XenApp on the SQL Server or Oracle database server.
SQL Server Express is suitable for all small and many medium environments located in one physical location, which do not have branch offices across a WAN.
See the database product documentation for hardware requirements for the database server. Important: Ensure that the data store is backed up regularly. If the data store database is lost, you must recreate the farm. You cannot recreate the data store from an existing farm.
Starting the Citrix IMA Service on multiple servers simultaneously
Adding a server to the farm
Removing a server from the farm
The response time of other events (such as starting the IMA Service on a single server, recreating the local host cache, or replicating printer drivers to all servers in the farm) is affected more by the farm size than by the data store response time.
Adding processors to the server hosting the data store can improve response time when executing multiple simultaneous queries. In environments with large numbers of servers coming online simultaneously and at frequent intervals, additional processors can service requests faster. The capabilities of the processor on the database server affect management console performance, how long it takes to add (configure) and remove a server from the farm, and how long it takes to start multiple servers simultaneously.
In the following chart, five sample farm configurations (A through E) are listed, with measurements of various metrics in the farm.
Configuration                                         A      B      C      D      E
Number of servers in farm                            50    100    250    500   1000
Number of applications published to all servers      50     50     50     50     50
Number of user policies                              25     25     25     25     25
Printers per server                                   5      5      5      5      5
Printer drivers installed per server                 25     25     25     25     25
Network print servers with printers                   5      5      5      5      5
Number of Load Manager load evaluators               10     10     10     10     10
Number of application folders in management console  10     10     10     10     10
Number of server folders in management console        8     16     25     50     50
Number of Application Isolation Environments         10     10     10     10     10
Number of Citrix administrators                      10     10     10     10     10
Size of data store database in megabytes             32     51     76    125    211

The following table lists suggested hardware for the server hosting the data store, for each configuration in the previous table.

Configuration   Dual Pentium 4/1.6GHz with 2GB RAM   Dual Pentium 4/3.0GHz with 4GB RAM   Quad Pentium 4/3.0GHz with 4GB RAM
A               X                                    X                                    X
B               X                                    X                                    X
C               X                                    X                                    X
D                                                    X                                    X
E                                                                                         X

The actual performance of a farm's data store varies depending on the database engine and the level of performance tuning achieved.
Replication Considerations
A significant amount of network traffic for XenApp farms consists of reads from the data store; writes are infrequent. The amount of bandwidth required increases as farm size increases. Actions such as data store reads and restarting multiple servers simultaneously use disproportionately more bandwidth on larger farms.
Citrix recommends using a single data store for most deployments, but in some situations, placing a replicated data store at remote sites can improve farm performance. Citrix recommends replicating the data store across all high-latency or low-bandwidth WAN links. A replicated data store ensures all data store reads occur on the network local to the XenApp server. In a WAN environment, place replicas of the data store at sites with a large number of servers; this minimizes reads across the WAN link.
Database replication consumes bandwidth. Limit the use of replicated databases to configurations where the remote site has enough servers to justify the bandwidth cost of placing a replicated copy of the database at the site. For SQL Server, you must use immediate updating transactional replication.
Crossing high latency links without using replicated databases can create situations where the data store is locked for extended periods of time when performing farm maintenance from remote sites. Data store reads do not adversely affect local connections, but remote sites can experience slower performance. This means that the Citrix IMA Service may take an extended time to start and some normal operations may fail when initiated from the remote site.
Note: You might experience poor performance if you use a local XenApp management console to perform farm maintenance on a remote site that has high latency. You can resolve this issue by publishing the management consoles as applications on a server at the remote site and using a Citrix plug-in to access the published management tools.
Deploying XenApp by using images, and including the key file as part of the server image
Generating a key, putting the key in a folder on your network, using a UNC path to specify the location, and performing an unattended installation
If you have multiple farms in your environment, Citrix recommends you generate separate keys for each farm.
If you need a dedicated data collector
If you do not need a dedicated data collector, which infrastructure services can share the same server
If you need a zone in each geographic region, which means that you also need data collectors for those regions
To maintain consistent information between zones, data collectors relay information to all other data collectors in a farm, creating network traffic. In general, data collector memory consumption increases as farm size increases. However, it is not significant. For example, the Independent Management Architecture service running on the data collector typically uses 300MB on a 1000 server farm. Likewise, CPU usage is not significant. A data collector hosted on a dual-processor server can support over 1000 servers in its zone. In general, CPU usage increases as the number of servers in a zone increases, the number of zones increases, and the number of users launching applications increases. On most networks, Citrix recommends reducing the number of data collectors and zones. For example, if you have a farm with 100 servers in one location, Citrix recommends having one zone with a dedicated data collector (although you can have backup data collectors). Citrix recommends installing XenApp on the server you want to host the data collector functionality and, after installing other member servers, configuring a server as the backup data collector.
Collect data from member servers in a hierarchical structure
Efficiently distribute changes to all servers in the farm
Each zone contains a server designated as its data collector. Data collectors store information about the zone's servers and published applications. In farms with more than one zone, data collectors also act as communication gateways between zones. This illustration depicts a server farm with multiple zones. Each zone's data collector communicates with the other data collectors across the WAN link.
Because session and load information within a XenApp farm can become large in enterprise deployments (up to several megabytes), it is imperative that you design zones based on your network topology to ensure a scalable and resilient XenApp farm. XenApp member servers replicate their dynamic data to the zone data collector (ZDC) designated for their zone. Replication among zones is a full mesh: each ZDC replicates all of its zone's dynamic data to every other ZDC in the farm. Thus, it is important to design zones so that there is adequate bandwidth among ZDCs.
When designing zones, the most important variables to consider are latency and bandwidth. The amount of bandwidth and the impact of latency are highly dependent on your XenApp deployment. The lower the bandwidth and the higher the latency, the longer a farm takes to resynchronize the dynamic data among zones after an election. In farms distributed across WANs, zones enhance performance by grouping geographically related servers together. Citrix does not recommend having more than one zone in a farm unless it has servers in geographically distributed sites. Zones are not necessary to divide large numbers of servers. There are 1000-server farms that have only one zone. Data collectors generate a lot of network traffic because they communicate with each other constantly:
Each zone data collector has an open connection to all data collectors in the farm.
During a zone update, member servers update the data collector with any requests and changed data.
Data collectors relay changes to the other data collectors. Consequently, data collectors have the session information for all zones.
In general, Citrix recommends using the fewest number of zones possible, with one being optimal. If all farm servers are in one location, configuring only one zone for the farm does not reduce performance or make the farm harder to manage. However, in large networks, such as organizations with data centers on different continents, grouping geographically-related servers in zones can improve farm performance. Keep in mind that data collectors must replicate changes to all other data collectors in the farm. Also, bandwidth consumption and network traffic increase with the number of zones.
Separate zones are not required for remote sites, even ones on separate continents; latency is the biggest factor in determining if servers should be put in their own zone. For large farms with servers in different geographic regions, create zones based on the location of significant numbers of servers.
Also decide if you want to configure failover zones or preferred zones. If a zone fails, you can configure user connections to be redirected to another zone (failover) or control to which zones specific users connect (preference). Failover requirements might determine the number of zones required.
For example, an organization with 20 farm servers in London, 50 servers in New York, and three servers in Sydney could create two or three zones. If the Sydney location has good connectivity to either New York or London, Citrix recommends grouping Sydney with the larger location. Conversely, if the WAN connection between Sydney and the other locations is poor or zone preference and failover is required, Citrix recommends configuring three zones. Consider these zone design guidelines:
- Minimize the number of zones in your farm. Create zones for major data centers in different geographic regions. If a site has a small number of servers, group that site into a larger site's zone.
- If your organization has branch offices with low bandwidth or unreliable connectivity, do not place those branch offices in their own zone. Instead, group them with the sites with which they have the best connectivity. Combined with other zones, this may form a hub-and-spoke zone configuration. If you have more than five sites, group the smaller sites with the larger zones. Citrix does not recommend exceeding five zones.
Consider these options for placing the Web Interface and the XML Broker:
- Run XenApp and the Web Interface on the same server, depending on your security considerations.
- In very small farms (one to five servers), group the XML Broker with other infrastructure services, such as the data collector or the data store. Citrix recommends grouping the XML Broker with the data collector.
- Configure the XML Broker on data collectors or on dedicated servers. In deployments with dedicated servers for infrastructure functions, dedicate a server to the XML Broker to accommodate authentication traffic.
- Run the Web Interface on dedicated Web servers.
- Do not publish applications on the server functioning as the XML Broker.
Important: If you change the port used by the Citrix XML Service on the XML Broker, set the same port in the plug-in.
Security Considerations
When users access the Web Interface from the Internet, Citrix recommends locating the Web Interface server on the internal network and the Citrix XML Broker with the XenApp farm. Shielding the XML Broker from the external Internet protects the XML Broker and the farm from Internet security threats. If you must place the Web Interface in the DMZ and want to secure the connection between the XML Broker and the Web Interface, put the Web Interface server in the DMZ with Secure Gateway or Access Gateway. This configuration requires putting the Web Interface on a separate Web server. Install a certificate on the Web Interface server and configure SSL Relay on the servers hosting the Citrix XML Broker.
In very small farms, configuring the Web Interface and the XML Broker on the same server eliminates having to secure the link from the Web Interface to the farm. This deployment is used primarily in environments that do not have users connecting remotely. However, this might not be possible if your organization does not want Web servers such as Internet Information Services (IIS) in the farm.
Publish copies of an application in each domain, and allow users access only to the copy of the application in the domain in which they have access permissions. Create a Worker Group Preference and Failover policy that routes users to servers in domains in which the users have access permissions.
One full authority administrator account must always exist for the server farm. Citrix XenApp prevents you from deleting the last full authority administrator account. However, if no administrator accounts exist in the farm data store database, a local administrator account can log on to the Delivery Services Console to set up Citrix administrator accounts. To create effective Citrix administrator accounts, ensure that all users you are going to add as Citrix administrators are Domain Users for the domain in which your farm resides. Users who are Citrix administrators who take server snapshots must also be authorized Windows Management Instrumentation (WMI) users on each server for which they are taking snapshots.
Operations that depend on domain trust relationships include:
- Authenticating a Citrix administrator
- Refreshing the display or launching an application in the Web Interface
- Enumerating users and groups
- Resolving users or groups when adding users to a published application or a printer auto-creation list, or when defining new Citrix administrators
Requests to enumerate applications are routed to a server that has the required domain trust relationship if the originating server does not.

XenApp creates local accounts for some of its services; for example, the Configuration Manager for the Web Interface service runs as the local account Ctx_ConfigMgr. Citrix strongly recommends that if you want to change these local service accounts to domain accounts, you do so before installing XenApp; changing service accounts after installation is not supported. Install XenApp as a domain administrator to ensure the accounts are created correctly. If you are changing the accounts for services and your farm has servers in multiple domains, the domains must have trust relationships with each other.
- XenApp servers are in their own Organizational Units (OUs). Create OUs for application silos, keeping servers from different silos in their own OUs. (You can, however, create application silos that span multiple OUs.)
- All servers reside in the same domain.
- The server farm domain has no trust relationships with non-Active Directory domains, because this can affect operations requiring trusted domains.
- The server farm is in a single Active Directory forest. If your farm has servers in more than one forest, users cannot log on by entering user principal names (UPNs). UPN logons use the format username@UPN-identifier. With Active Directory, UPN logons do not require a domain to be specified, because Active Directory can locate full UPN logons in the directory. However, if the server farm has multiple forests, problems occur if the same UPN identifier exists in two domains in separate forests.
Important: Citrix XenApp does not support UPN logons if a server farm spans multiple Active Directory forests.
Domain Local Groups

Authenticating to published applications
Recommendation: All servers that load balance an application must be in the same domain if a domain local group is authorized to use the application.
Rationale: Domain local groups assigned to an application must be from the common primary domain of all the load-balancing servers. When you publish applications, domain local groups appear in the accounts list only if this condition is met and accounts from the common primary domain are displayed. If a published application has users from any domain local groups and you add a server from a different domain, the domain local groups are removed from the configured users list, because every server must be able to validate any user with permission to run the application.

Authenticating to the management console
Recommendation: If a user is a Citrix administrator only by membership in a domain local group, the user must connect the console to a server in the same domain as the domain local group.
Rationale: If the user connects the console to a server in a different domain than the domain local group, the user is denied access to the console because the domain local group is not in the user's security token.

Universal Groups

Authenticating to published applications
Recommendation: If universal groups are assigned permission to the application, all servers that manage the application must be in an Active Directory domain.
Rationale: A server in a non-Active Directory domain could authenticate the user to run the application. In this case, universal groups are not in the user's security token, so the user is denied access to the application. A server in a non-Active Directory domain can load balance an application with servers in an Active Directory domain if the domains have an explicit trust relationship.

Authenticating to the management console
Recommendation: If a user is authenticating to the console and is a Citrix administrator only by membership in a universal group, the console must connect to a server that belongs to an Active Directory domain in the universal group's forest.
Rationale: Non-Active Directory domain controllers and domains outside a universal group's forest have no information about the universal group.
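The two group-scope rules above are easy to violate when a server from another domain is added to an application's load-balancing set. The following PowerShell is an added example, not Citrix's code or part of this documentation: it checks a published application's account list against its servers before the change is made in the console. The server list, account list and names are constructed; the groupType bit values are the standard Active Directory schema values, and Get-GroupTypeFromAd assumes the server can reach the group's domain via LDAP.

```powershell
# Added example (not Citrix's code): verify domain local / universal group placement rules
# for a published application before adding servers or accounts.

# groupType bits from the AD schema (assumed well-known values).
$GROUP_GLOBAL       = 0x00000002
$GROUP_DOMAIN_LOCAL = 0x00000004
$GROUP_UNIVERSAL    = 0x00000008

function Get-GroupScope {
    param([int]$GroupType)
    if ($GroupType -band $GROUP_DOMAIN_LOCAL) { return 'DomainLocal' }
    if ($GroupType -band $GROUP_UNIVERSAL)    { return 'Universal' }
    if ($GroupType -band $GROUP_GLOBAL)       { return 'Global' }
    return 'Unknown'
}

function Get-GroupTypeFromAd {
    # Live lookup of groupType for DOMAIN\Name (requires LDAP access to that domain).
    param([string]$Domain, [string]$Name)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Domain"
    $searcher.Filter = "(&(objectClass=group)(sAMAccountName=$Name))"
    [void]$searcher.PropertiesToLoad.Add('groupType')
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Group $Domain\$Name not found" }
    return [int]$result.Properties['grouptype'][0]
}

function Test-PublishedAppGroups {
    # $Servers: objects with Name, Domain, IsActiveDirectory; $Groups: objects with Domain, Name, Scope.
    # Returns one line per rule violation (nothing returned = configuration is consistent).
    param($Servers, $Groups)
    $serverDomains = $Servers | ForEach-Object { $_.Domain.ToUpper() } | Sort-Object -Unique
    $problems = @()
    foreach ($g in $Groups) {
        switch ($g.Scope) {
            'DomainLocal' {
                # Every load-balancing server must be in the group's domain, otherwise XenApp
                # drops the group from the configured users list.
                $foreign = @($serverDomains | Where-Object { $_ -ne $g.Domain.ToUpper() })
                if ($foreign.Count -gt 0) {
                    $problems += "Domain local group $($g.Domain)\$($g.Name): servers outside $($g.Domain) ($($foreign -join ', ')) cannot validate its members"
                }
            }
            'Universal' {
                # A server outside Active Directory never sees universal groups in the token.
                $nonAd = @($Servers | Where-Object { -not $_.IsActiveDirectory } | ForEach-Object { $_.Name })
                if ($nonAd.Count -gt 0) {
                    $problems += "Universal group $($g.Domain)\$($g.Name): servers not in an Active Directory domain ($($nonAd -join ', ')) will deny its members"
                }
            }
        }
    }
    return $problems
}

# Constructed input: three AD servers in two domains plus one server in a non-AD domain.
$servers = @(
    (New-Object PSObject -Property @{ Name = 'XA01'; Domain = 'CORP';   IsActiveDirectory = $true  }),
    (New-Object PSObject -Property @{ Name = 'XA02'; Domain = 'CORP';   IsActiveDirectory = $true  }),
    (New-Object PSObject -Property @{ Name = 'XA03'; Domain = 'EMEA';   IsActiveDirectory = $true  }),
    (New-Object PSObject -Property @{ Name = 'XA04'; Domain = 'LEGACY'; IsActiveDirectory = $false })
)
$groups = @(
    (New-Object PSObject -Property @{ Domain = 'CORP'; Name = 'Finance-App-Users'; Scope = 'DomainLocal' }),
    (New-Object PSObject -Property @{ Domain = 'CORP'; Name = 'All-Staff';         Scope = 'Universal'   })
)
Test-PublishedAppGroups -Servers $servers -Groups $groups
# Live use: fill Scope from the directory, e.g.
#   $scope = Get-GroupScope (Get-GroupTypeFromAd -Domain 'CORP' -Name 'Finance-App-Users')
```

With the constructed input the function reports both groups: the domain local group because XA03 and XA04 are outside CORP, and the universal group because XA04 is not in an Active Directory domain. Removing XA03 and XA04 from the server list (or publishing a separate copy of the application for them, as the section on multiple domains suggests) clears both findings.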
To support AD FS with the Web Interface:
- When installing XenApp on each server in your farm, select the port sharing with IIS option and ensure that IIS is configured to support HTTPS; see System Requirements for more information.
- Set up a trust relationship between the server running the Web Interface and any other servers in the farm that communicate with the Web Interface through the Citrix XML Broker.
- The Web Interface must be able to access the certificate revocation list (CRL) of the Certificate Authority used by the federation servers.
- If you are provisioning the farm by imaging, configure trust requests on the server before you take the image. These trust requests must be enabled on each server in the farm and cannot be set at the farm level.
- To prevent external users from gaining unauthorized access to services on farm servers, configure all XenApp servers for constrained delegation. To provide users with access to resources on those servers, add the relevant services to the Services list using the MMC Active Directory Users and Computers snap-in.
For more information about configuring support for AD FS, see the Web Interface documentation.
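Constrained delegation matters because a XenApp server that is instead trusted for unconstrained delegation can impersonate any user who has authenticated to it against any service in the forest. The following PowerShell is an added example, not Citrix's code: it classifies the delegation state of the farm's computer accounts so you can confirm that each server carries an explicit service list rather than the blanket flag. The userAccountControl bit values and the LDAP bitwise matching rule OID are the documented Active Directory values; server names in the offline check are constructed, and the live functions assume the script runs on a domain-joined host as a domain user.

```powershell
# Added example (not Citrix's code): audit delegation settings on XenApp computer accounts.

$UF_TRUSTED_FOR_DELEGATION         = 0x00080000   # unconstrained: impersonate anyone to anything (avoid)
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # constrained with protocol transition ("use any authentication protocol")

function Get-DelegationState {
    # Pure classification so the rule can be exercised without a directory.
    param([int]$UserAccountControl, [string[]]$AllowedToDelegateTo)
    if ($UserAccountControl -band $UF_TRUSTED_FOR_DELEGATION) { return 'Unconstrained' }
    if ($AllowedToDelegateTo -and $AllowedToDelegateTo.Count -gt 0) {
        if ($UserAccountControl -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) { return 'ConstrainedAnyProtocol' }
        return 'ConstrainedKerberosOnly'
    }
    return 'None'
}

function Get-ComputerDelegation {
    # Live lookup: userAccountControl and msDS-AllowedToDelegateTo for one computer account.
    param([string]$ComputerName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    foreach ($p in 'userAccountControl', 'msDS-AllowedToDelegateTo') { [void]$searcher.PropertiesToLoad.Add($p) }
    $r = $searcher.FindOne()
    if ($r -eq $null) { throw "Computer account $ComputerName not found" }
    $uac  = [int]$r.Properties['useraccountcontrol'][0]
    $spns = @()
    if ($r.Properties['msds-allowedtodelegateto'].Count -gt 0) { $spns = @($r.Properties['msds-allowedtodelegateto']) }
    New-Object PSObject -Property @{
        Name  = $ComputerName
        Uac   = $uac
        Spns  = $spns
        State = Get-DelegationState -UserAccountControl $uac -AllowedToDelegateTo $spns
    }
}

function Find-UnconstrainedComputers {
    # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND; domain controllers are expected here,
    # member servers such as XenApp hosts are not.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=$UF_TRUSTED_FOR_DELEGATION))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}

# Offline check with constructed values (0x1000 = WORKSTATION_TRUST_ACCOUNT, present on every member server):
Get-DelegationState -UserAccountControl 0x81000  -AllowedToDelegateTo @()                          # Unconstrained
Get-DelegationState -UserAccountControl 0x1001000 -AllowedToDelegateTo @('HTTP/wi.corp.example')  # ConstrainedAnyProtocol
Get-DelegationState -UserAccountControl 0x1000    -AllowedToDelegateTo @('HTTP/wi.corp.example')  # ConstrainedKerberosOnly

# Live audit of the farm (names constructed):
# 'XA01', 'XA02' | ForEach-Object { Get-ComputerDelegation $_ } | Format-Table Name, State, Spns -AutoSize
# Find-UnconstrainedComputers
```

Any XenApp server that comes back as Unconstrained should be switched to a constrained service list in Active Directory Users and Computers, as the bullet above describes; the Spns column shows exactly which services a constrained server may reach on a user's behalf, which is the list to keep minimal.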
- Instruct the Windows server to elevate the UAC level automatically, without prompting, by configuring a Local Security Policy setting.
- Instruct Windows to elevate the UAC level without prompting through an Active Directory Default Domain Policy. This avoids having to enable the setting on each server before installation, provided you join the domain before installing XenApp; when a computer joins the domain, the domain policy is applied automatically.
- Enable the Print Services role so you can manage printer drivers and print queues on clients.

The following XenApp management features and tools require users to be domain administrators, delegated administrators, or members of the Administrators group on the local computer:
- Delivery Services Console
- XenApp Commands
- SSL Relay tool
- SpeedScreen Latency Reduction Manager
These permissions are in addition to any requirements for the feature, such as having a Citrix administrator account. To allow multiuser access to an application, install the application as a built-in administrator or enable the Create Users setting when prompted by UAC.
- Increasing security through two-factor authentication (adding a second authentication method such as RSA tokens).
- Limiting automatic printer driver installation on servers (enabled by default) if users are connecting from devices with locally attached printers.
- Employing a SmartAccess strategy (for example, using the Access Gateway and configuring policies that limit access according to conditions on the user's client device or location).
- Determining how you will deploy plug-ins to users, especially if they connect from airport kiosks or other public locations.
- Securing connections to published applications with SSL/TLS. If plug-ins communicate with your farm across the Internet, Citrix recommends enabling SSL/TLS encryption when you publish a resource. If you want to use SSL/TLS encryption, use either the SSL Relay feature (for farms with fewer than five servers) or the Secure Gateway to relay ICA traffic to the XenApp server. You can also use SSL Relay to secure Citrix XML Broker traffic.
Important: XenApp installation and configuration opens Windows firewall ports to allow incoming connections, such as those from ICA traffic, Citrix Independent Management Architecture service, the Citrix XML Service, and SQL Server Express (if that database is specified during XenApp configuration).
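Because installation opens firewall ports for you, the first post-install check on a server that will face a DMZ or the Internet is to enumerate what is now reachable. The following PowerShell is an added example, not Citrix's code: it parses the inbound rules from netsh advfirewall and the listening sockets from netstat on Windows Server 2008 R2, then flags any listening port that is not on an expected list. The expected ports (80 for the XML Service shared with IIS, 1494 ICA, 2512 IMA, 2598 session reliability) are assumed product defaults, and the rule names and netstat lines in the offline sample are constructed.

```powershell
# Added example (not Citrix's code): report which listening TCP ports the firewall allows after XenApp setup.

function Get-InboundFirewallRules {
    # Parses 'netsh advfirewall firewall show rule name=all dir=in' output into objects.
    param([string[]]$Lines = (netsh advfirewall firewall show rule name=all dir=in))
    $rules = @(); $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s*(.+)$') {
            if ($cur) { $rules += $cur }
            $cur = New-Object PSObject -Property @{ Name = $matches[1].Trim(); Enabled = ''; Protocol = ''; LocalPort = ''; Program = ''; Action = '' }
        } elseif ($cur -and $line -match '^(Enabled|Protocol|LocalPort|Program|Action):\s*(.*)$') {
            $cur.($matches[1]) = $matches[2].Trim()
        }
    }
    if ($cur) { $rules += $cur }
    return $rules
}

function Get-ListeningTcpPorts {
    # Parses 'netstat -ano -p tcp' output; keeps LISTENING sockets with their owning PID.
    param([string[]]$Lines = (netstat -ano -p tcp))
    $ports = @()
    foreach ($line in $Lines) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
            $ports += New-Object PSObject -Property @{ Port = [int]$matches[1]; Pid = [int]$matches[2] }
        }
    }
    $ports | Sort-Object Port -Unique
}

function Get-ExposureReport {
    # Joins listening ports with enabled Allow rules; anything not in $Expected is marked REVIEW.
    param($Rules, $Listening, [int[]]$Expected = @(80, 1494, 2512, 2598))
    $allowed = @{}
    foreach ($r in ($Rules | Where-Object { $_.Enabled -eq 'Yes' -and $_.Action -eq 'Allow' })) {
        foreach ($p in ($r.LocalPort -split ',')) { if ($p -match '^\d+$') { $allowed[[int]$p] = $r.Name } }
    }
    foreach ($l in $Listening) {
        $fw = 'no port-based allow rule (reachable only if a program rule matches)'
        if ($allowed.ContainsKey($l.Port)) { $fw = 'allowed by rule: ' + $allowed[$l.Port] }
        $flag = 'REVIEW'
        if ($Expected -contains $l.Port) { $flag = 'expected' }
        New-Object PSObject -Property @{ Port = $l.Port; Pid = $l.Pid; Flag = $flag; Firewall = $fw }
    }
}

# Constructed sample output so the parsers can be checked offline:
$sampleRules = @(
    'Rule Name:  Citrix ICA (constructed)', 'Enabled:    Yes', 'Direction:  In', 'Protocol:   TCP', 'LocalPort:  1494', 'Action:     Allow', '',
    'Rule Name:  Citrix XML Service (constructed)', 'Enabled:    Yes', 'Direction:  In', 'Protocol:   TCP', 'LocalPort:  80', 'Action:     Allow'
)
$sampleNetstat = @(
    '  TCP    0.0.0.0:80      0.0.0.0:0    LISTENING    4',
    '  TCP    0.0.0.0:1494    0.0.0.0:0    LISTENING    1200',
    '  TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING    900'
)
Get-ExposureReport -Rules (Get-InboundFirewallRules -Lines $sampleRules) -Listening (Get-ListeningTcpPorts -Lines $sampleNetstat) |
    Format-Table Port, Pid, Flag, Firewall -AutoSize

# Live run on the XenApp server:
# Get-ExposureReport -Rules (Get-InboundFirewallRules) -Listening (Get-ListeningTcpPorts) | Format-Table -AutoSize
```

In the sample, 80 and 1494 are expected and covered by rules, while 3389 (RDP) is listening without a port rule and is flagged for review. Pass a different -Expected list for servers with a nondefault XML port or with SQL Server Express installed, and treat any REVIEW line on a DMZ-facing host as something to either justify or close.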
Windows Server 2008 R2 language locale | XenApp user interface language
English, and languages other than those listed in this table | English
French | French
German | German
Japanese | Japanese
Simplified Chinese | Simplified Chinese
Spanish | Spanish

Before installing XenApp, install the target Windows Language Pack on the Windows Server, and change the language options (such as system locale and display language) to the target language. For information about installing the Language Pack and changing language options, see the Microsoft documentation. (Changing the Windows system locale after installing and configuring the XenApp server role may cause data store issues.)
(The passthrough authentication functionality described in this topic is not the same functionality provided by Citrix Single Sign-on or password management applications in general.) Enabling passthrough authentication requires configuring components on all XenApp application servers and enabling passthrough authentication in the plug-ins installed on end-user client devices. If the passthrough authentication feature is not enabled before deploying the plug-ins to end users, users must reinstall the plug-ins with this feature enabled before passthrough authentication will work. To configure passthrough authentication functionality on the server, install a Citrix online plug-in on each XenApp server. If you are deploying the plug-in as the client for users, install the plug-in on your server as the passthrough client.
For a wizard-based XenApp installation or configuration, use the Server Role Manager. For a command-line installation, use the XenAppSetupConsole command to install XenApp roles and the XenAppConfigConsole command to configure XenApp roles.
This task division provides flexibility when using provisioning tools and disk imaging:
- Use startup scripts to install and configure XenApp when a disk image is launched.
- Install XenApp on the disk image and use startup scripts to configure XenApp when the instance is launched.
- Install and configure XenApp on the disk image and run startup scripts that modify the configuration when the image is launched. You can use this option to modify your XenApp configuration on the fly, without having to reconfigure or reimage disks.
For information about provisioning and imaging using Citrix products, see the Citrix Web site.
The XenApp Server Role Manager lets you:
- Add server roles
- Launch installers for partially integrated roles
- Automatically install many role prerequisites
- Launch configuration tools, such as the XenApp Server Configuration Tool, to configure the XenApp server
- Initiate a XenApp server restart (reboot)

You can run the XenApp Server Role Manager at any time. It initially runs from the XenApp installation media. After you install a role, the Server Role Manager is installed locally and runs every time you log on to the XenApp server (you can disable this by selecting a checkbox on the main Server Role Manager page). You can also rerun it from its Program Files location (Program Files (x86)\Citrix\XenApp\ServerRoleManager\XenAppServerRoleManager). If a Server Role Manager is installed locally and you invoke a different one from the XenApp installation media, the version on the installation media is used.

Each XenApp role has an integration level:

Integration level | Description
Full | Role prerequisites and the role software install automatically. Fully integrated roles include XenApp, Citrix License Server, Web Interface, Single sign-on service, and Provisioning Server.
Partial | Role prerequisites install automatically. The role is added to the Server Role Manager task list, where you can launch the role installer (that is, the wizard for that role). Partially integrated roles include Secure Gateway, Power and Capacity Management Administration, SmartAuditor Server, and EdgeSight Server.
Information-only or media-only | Roles you cannot install using the Server Role Manager. Information-only roles include Merchandising Server, which is a virtual appliance that requires a virtual machine. The XenApp installation media contains installation files for media-only roles. See the role documentation for installation instructions.
Review the installation process (wizard-based or command-line) to learn what information you must provide. Review the system requirements for the XenApp server and for other roles you plan to install.
- Wizard-based installations include automatic installation of prerequisite software and required Windows roles.
- For command-line installations, you must install the prerequisite software and Windows roles before initiating XenApp installation. You can deploy prerequisites with PowerShell cmdlets, the Microsoft ServerManagerCmd.exe command, or the Microsoft Deployment Image Servicing and Management (DISM) tool.
- Ensure the Windows Server has the latest Microsoft hotfixes and that the operating system clock has the correct time.
- Prepare for Windows Multilingual User Interface (MUI) support, if needed.

Important: By default, the XenApp server installation process creates install logs in the user's temporary directory (%TEMP%). On Windows Server 2008 R2 servers, the session's temporary directory is deleted by default when the server restarts. If you encounter problems during installation or want to preserve those log files, use one of the following options:
- Copy the logs from the %TEMP% location to a safe place before the server restarts.
- Before installing the XenApp server role, change your local computer policy to prevent deletion of the temporary directories:
  1. Go to Start > Run, then type gpedit.msc.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Temporary folders.
  3. Verify that Do not delete temp folder upon exit is set.
  4. Restart the server.
- For a command-line installation, use the /logfile:path option to specify an installation log file in a different directory.
Review the configuration process (wizard-based or command-line) to learn what information you must provide. During configuration, you specify the database to be used for the XenApp farm data store: Microsoft SQL Server Express, Microsoft SQL Server, or Oracle. See CTX114501 for supported versions.
- If you use a Microsoft SQL Server Express database, XenApp configuration installs it automatically.
- If you use a Microsoft SQL Server or Oracle database, install and configure the database before initiating XenApp configuration. (For an Oracle database, this includes installing an Oracle client on the XenApp server and restarting the server.)
- If you use a Microsoft SQL Server or Oracle database for the farm data store and use command-line XenApp configuration, create a Data Source Name (DSN) file before configuring XenApp. (A wizard-based configuration creates the DSN file for you.) Each server in the farm must have the DSN file. You can create the file and copy it to other servers, or put it on a network share, provided you remove the value for any workstation-specific information (such as the Oracle WSID). Use the /DsnFile:dsn_file option to specify the file location on the XenApp configuration command line.
- If you plan to use the Configuration Logging feature and encrypt the data being logged, you must load the encryption key on servers that join the farm after configuring XenApp but before restarting the server.
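A DSN file that is copied to every farm server or placed on a share is worth generating rather than exporting from one server's ODBC Administrator, because the export carries workstation-specific keys and, for SQL logins, can embed a password in clear text. The following PowerShell is an added example, not Citrix's code: it writes a minimal file DSN for a SQL Server data store and validates a DSN before it is distributed. The ODBC file-DSN keys (DRIVER, SERVER, DATABASE, Trusted_Connection, UID, PWD, WSID) are standard SQL Server ODBC driver keys; the server, instance and path names are constructed, and the remaining XenAppConfigConsole parameters are as documented under Command Syntax.

```powershell
# Added example (not Citrix's code): build and validate the file DSN passed to XenAppConfigConsole /DsnFile.

function New-ImaDsnFile {
    # Writes a file DSN with no workstation-specific keys and no stored password.
    param([string]$Path, [string]$SqlServer, [string]$Database = 'MF20', [switch]$SqlLogin, [string]$User)
    $lines = @('[ODBC]', 'DRIVER=SQL Server', "SERVER=$SqlServer", "DATABASE=$Database")
    if ($SqlLogin) { $lines += "UID=$User" }            # password is supplied at configuration time, never stored here
    else           { $lines += 'Trusted_Connection=Yes' } # Windows authentication (the default for the data store)
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $Path
}

function Test-ImaDsnFile {
    # Returns the list of problems found; an empty result means the file is safe to copy or share.
    param([string[]]$Lines)
    $problems = @()
    if ($Lines.Count -eq 0 -or $Lines[0].Trim() -ne '[ODBC]') { $problems += 'missing [ODBC] header' }
    $keys = @{}
    foreach ($l in $Lines) {
        if ($l -match '^\s*(\w+)\s*=\s*(.*)$') { $keys[$matches[1].ToUpper()] = $matches[2] }
    }
    foreach ($k in 'DRIVER', 'SERVER', 'DATABASE') {
        if (-not $keys.ContainsKey($k)) { $problems += "missing $k" }
    }
    if ($keys.ContainsKey('WSID')) { $problems += 'WSID is workstation-specific; remove it before copying the file to other servers' }
    if ($keys.ContainsKey('PWD'))  { $problems += 'PWD stores a database password in clear text; use Trusted_Connection=Yes or supply the password at configuration time' }
    if (-not $keys.ContainsKey('UID') -and $keys['TRUSTED_CONNECTION'] -ne 'Yes') { $problems += 'neither UID nor Trusted_Connection=Yes is set' }
    return $problems
}

# Generate a clean DSN (constructed names) and confirm it passes:
$dsn = New-ImaDsnFile -Path 'C:\XenApp\ima.dsn' -SqlServer 'sql01.corp.example\CITRIX' -Database 'MF20'
Test-ImaDsnFile -Lines (Get-Content $dsn)    # returns nothing

# A constructed DSN as exported from one server's ODBC Administrator, which must be cleaned first:
Test-ImaDsnFile -Lines @('[ODBC]', 'DRIVER=SQL Server', 'SERVER=sql01', 'DATABASE=MF20', 'WSID=XA01', 'UID=ima', 'PWD=secret')
# -> WSID and PWD findings

# Then pass the validated file to command-line configuration on each server:
#   XenAppConfigConsole.exe ... /DsnFile:C:\XenApp\ima.dsn
```

Run Test-ImaDsnFile on the file in the share as part of the image build so a server never joins the farm with a DSN that would fail on a different host or leak a credential.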
If the server on which you are installing XenApp has IIS installed, the XML Service IIS Integration component is selected by default.
If IIS is not installed, the component checkbox is not selected. In this case, if you select the checkbox, the Server Role Installer installs IIS. (If you do not install the XML Service IIS Integration component, the Citrix XML Service defaults to standalone mode with its own port settings, which you can configure using the XenApp Server Configuration Tool.) The Citrix online plug-in and Citrix offline plug-in are installed automatically when you install the XenApp role. These plug-ins do not appear in the components lists, and you cannot disable these installations during a wizard-based installation.
8. Review the prerequisites summary, which indicates which role or subcomponent needs each prerequisite, and whether the Server Role Installer installs it or you must install it. For software you must install, the display indicates whether the XenApp installation media contains the software or you must obtain it elsewhere.
9. Review the summary, which lists the selected roles and subcomponents to be installed or prepared. It also lists prerequisites that will be deployed automatically for all selected roles. After you click Install, a display indicates installation progress and the result.
Important: When installing the XenApp role, the IMA Service is not started, nor are any configuration options set, such as creating or joining a farm and data store database information.
After the installation result displays and you click Finish, the Server Role Manager task list displays. For each role you selected, the task list indicates the next task necessary for installation or configuration:
- For installed fully integrated roles that require configuration, click Configure to launch the configuration tool for that role.
- For partially integrated roles, click Install to launch the installer for that role. See the role documentation for details.
Valid role values for /install are:
- EdgeSightServer. EdgeSight Server.
- Licensing. Citrix Licensing Server.
- MerchandisingServer. Merchandising Server.
- PCMAdmin. Power and Capacity Management administration components.
- Provisioning. Provisioning Services.
- Secure Gateway. Secure Gateway.
- SmartAuditorServer. SmartAuditor server.
- SsonService. Single sign-on service.
- WebInterface. Web Interface.
- XenApp. XenApp server. If you select XenApp, the Delivery Services Console, Citrix online plug-in, and Citrix offline plug-in are installed by default. You can also specify one or more of the following XenApp options to install, separated by commas. If you do not specify an option, it is not installed.

Option | Description
XA_IISIntegration | If the server has IIS role services installed, this option is installed by default and the Citrix XML Service and IIS share a port (default = 80). If the server does not have the IIS role services installed, XA_IISIntegration is not installed by default, and the Citrix XML Service defaults to standalone mode with its own port settings, which you can change during XenApp configuration.
Other XenApp options | EdgeSight agent; SmartAuditor agent; Single sign-on plug-in; Power and Capacity Management agent; Provisioning Services target device.
/exclude:subfeature[,subfeature...] (Valid only when installing the XenApp server.) Comma-separated list of sub-features to omit from the installation. Valid values are:
- XA_Console. Omits the automatic installation of the Delivery Services Console when you install the XenApp role.
- XA_IISIntegration. Exclude this sub-feature if the server has IIS role services installed but you want to use a nondefault XML port (default = 80). If the server has the IIS role services installed and you do not specify /exclude:XA_IISIntegration, the default XML port is selected and you cannot reconfigure this setting later.
/edition Specifies the XenApp edition. Valid values are Platinum and Enterprise.
/logfile:path Specifies where to create a log file.
INSTALLDIR=directory Specifies where to install the items. Default: C:\Program Files\Citrix
ONLINE_PLUGIN_INSTALLDIR=directory Specifies where to install the Citrix online plug-in. Default: C:\Program Files\Citrix\ICA Client
Examples

The following command installs the XenApp server Platinum Edition in its default location:
XenAppSetupConsole.exe /install:XenApp /Platinum

The following command installs the XenApp server Platinum Edition and the Web Interface in C:\Program Files\Citrix (which is the default location):
XenAppSetupConsole.exe /install:XenApp,WebInterface INSTALLDIR=C:\Program Files\Citrix

The following command installs the XenApp server Platinum Edition and the Single sign-on plug-in, and excludes installation of the Delivery Services Console:
XenAppSetupConsole.exe /install:XenApp,SSONAgentFeature /exclude:XA_Console
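An unattended install on Windows Server 2008 R2 has to take care of the preparation steps from the earlier sections (UAC elevation without prompting, keeping the RDS temporary folders so logs survive the reboot, installing the prerequisite Windows roles for a command-line install) and then run XenAppSetupConsole with /logfile pointing somewhere durable. The following PowerShell is an added example, not Citrix's code: it chains those steps and restores the UAC prompt afterwards. The registry values behind the two policies (ConsentPromptBehaviorAdmin under the Policies\System key; DeleteTempDirsOnExit under the Terminal Services policy key), the Windows feature names RDS-RD-Server and Web-Server, the media path, the edition switch and the 3010 "reboot required" exit code are all assumptions that you should confirm against your media and the Command Syntax section.

```powershell
# Added example (not Citrix's code): prepare a 2008 R2 server and install the XenApp role unattended.

$Media  = 'D:\XenApp Server\XenAppSetupConsole.exe'   # assumed media path
$LogDir = 'C:\XenAppInstallLogs'                      # durable location outside %TEMP%
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-UacElevateWithoutPrompt {
    # Same setting as Local Security Policy "Behavior of the elevation prompt for administrators
    # in Admin Approval Mode" = Elevate without prompting (assumed value name/0). Returns the old value.
    $old = (Get-ItemProperty $UacKey).ConsentPromptBehaviorAdmin
    Set-ItemProperty $UacKey -Name ConsentPromptBehaviorAdmin -Value 0 -Type DWord
    return $old
}

function Set-KeepRdsTempFolders {
    # Same effect as the gpedit setting "Do not delete temp folder upon exit" (assumed registry value).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (-not (Test-Path $key)) { New-Item $key -Force | Out-Null }
    Set-ItemProperty $key -Name DeleteTempDirsOnExit -Value 0 -Type DWord
}

function Install-Prerequisites {
    # Command-line installs do not add Windows roles for you; use the ServerManager cmdlets.
    Import-Module ServerManager
    foreach ($f in 'RDS-RD-Server', 'Web-Server') {           # assumed required roles: RD Session Host, IIS (for XML port sharing)
        if (-not (Get-WindowsFeature $f).Installed) { Add-WindowsFeature $f | Out-Null }
    }
}

function Install-XenAppRole {
    param([string]$Roles = 'XenApp', [string]$Exclude = '')
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $log = Join-Path $LogDir ('XenAppSetup-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
    $setupArgs = @("/install:$Roles", '/Platinum', "/logfile:$log")
    if ($Exclude) { $setupArgs += "/exclude:$Exclude" }
    $p = Start-Process -FilePath $Media -ArgumentList $setupArgs -Wait -PassThru
    if ($p.ExitCode -ne 0 -and $p.ExitCode -ne 3010) {
        throw "XenApp setup failed with exit code $($p.ExitCode); see $log"
    }
    return $p.ExitCode   # 3010 = reboot required (Windows Installer convention, assumed here)
}

$previousUac = Set-UacElevateWithoutPrompt
try {
    Set-KeepRdsTempFolders
    Install-Prerequisites
    $rc = Install-XenAppRole -Roles 'XenApp,WebInterface' -Exclude 'XA_Console'
    if ($rc -eq 3010) { Write-Warning 'Restart required before configuring the XenApp role.' }
}
finally {
    # Put the elevation prompt back: silent elevation is an installation convenience, not a steady state.
    if ($previousUac -ne $null) { Set-ItemProperty $UacKey -Name ConsentPromptBehaviorAdmin -Value $previousUac -Type DWord }
}
```

When the server is joined to a domain before installation, the Default Domain Policy approach described earlier replaces Set-UacElevateWithoutPrompt; the log directory and the temp-folder policy remain useful either way, since the install log is the first thing you need when a role fails to install.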
When you install XenApp for Windows Server 2008 R2 on the first server, that server is where you create a new farm. After you install XenApp on other servers, you add each server to (join) an existing farm.
Note:
- If you previously configured the XenApp server role, and you are using the XenApp Server Configuration Tool from the XenApp 6 for Windows Server 2008 R2 installation media, you can create a farm, add the server to (join) an existing farm, or leave (remove the server from) the farm. If you choose to create a farm or add the server to an existing farm, the server is removed from its current farm before creating or joining another farm.
- If you previously configured the XenApp server role, and you installed the updated XenApp Server Configuration Tool, you can prepare the server for imaging and provisioning, or leave (remove the server from) the farm.

4. When creating a farm, on the Enter basic information page:
- Enter a farm name, up to 32 characters (can include spaces). If you are using Oracle as your Configuration Logging database, do not use hyphens in the farm name.
- Specify the domain and username for a user who will be the first Citrix administrator. The administrator has full permissions to the farm and can create additional administrator accounts.
5. When creating a farm, specify Citrix License Server information. Choose one of the options:
- To use an existing license server, enter the license server name. By default, the license server uses port 27000 unless you deselect that option and specify a different port number.
- Defer specifying license server information. For complete information, see the licensing documentation.
6. Select the data store database type and connection information.

If you choose | Action
New database | When creating a farm, the Server Configuration Tool installs the Microsoft SQL Server Express database automatically, with the instance name CITRIX_METAFRAME and database name MF20; the database uses Windows authentication.
Existing Microsoft SQL Server database | You are prompted for the instance name, the database name, and the authentication method. This database can be located on a remote SQL server.
Existing Oracle database | You are prompted for the Net Service name. (The Oracle entry appears only if the Oracle client is installed on the server where you are configuring the XenApp role.)

7. Specify the database credentials. Specify the user name in the form <DBMACHINE>\<USER> or <DOMAIN>\<USER>. SQL Server Express requires an existing Windows account, but it does not need to be a server or system administrator. The XenApp Server Configuration Tool adds two database administrators to SQL Server Express: (local)\administrators and the supplied credentials for the local or domain user. When adding a server to (joining) a farm, you can optionally test the connection to the database. The result does not affect Server Configuration Tool operations.
8. The default session shadowing settings (which allow shadowing) are recommended for most farms. Shadowing settings supplied during XenApp configuration override system or domain policy for user-to-user shadowing.
Important: Shadowing settings chosen during configuration are permanent and should be changed only if you want to permanently prevent system or domain policy from affecting that setting. If you disable shadowing or change shadowing features during configuration, you cannot reconfigure them later.

Option | Description
Prohibit shadowing of user sessions on this server | Disables user session shadowing on this server. If selected, shadowing cannot be enabled on this server through policies. Default = unselected
Allow shadowing of user sessions on this server | Enables user session shadowing on this server. Default = selected
When you enable shadowing, you can apply the following features (default = all unselected):
- Prohibit remote control. If selected: authorized users can view sessions but do not have keyboard and mouse input; remote control is permanently prohibited and cannot be enabled on this server through policies.
- Force a shadow acceptance prompt. If selected: authorized users must send an acceptance prompt when attempting to shadow a session; a shadow acceptance prompt is shown on every shadowing attempt and cannot be disabled on this server through policies.
- Force logging of all shadow connections. If selected: all shadowing attempts, successes, and failures are logged in the Windows event log; shadow connections are always logged and this cannot be disabled on this server through policies.

9. If you do not change the following server settings, the Server Configuration Tool uses default values.
Setting | Description
License server (displays only when adding a server to (joining) a farm) | Choose one of the options: enter the name of an existing license server (NetBIOS computer name, fully qualified domain name (FQDN), or IP address); by default, the license server uses port 27000 unless you deselect that option and specify a different port number. Or (default) select the option to use the global farm settings for the license server.
Zone | The default zone name is Default Zone. To create a custom zone name, select the checkbox and enter the name.
XML Service | By default, XenApp server role installation configures the Citrix XML Service and Internet Information Services (IIS) to share the same TCP/IP port (80) for communications. In this case, you cannot change the XML Service setting. See System Requirements for more information.
Online plug-in | Server name or URL of the Web Interface server used by the Citrix online plug-in.
Configuring XenApp Using the Wizard-based Server Configuration Tool Remote Desktop Users Only members of the Remote Desktop Users group can connect to published applications. Until you add users to this group, only administrators can connect remotely to the server. Select one or more of the following.
q
Add Anonymous users. Adds anonymous users to the Remote Desktop Users group. Default = selected Add the Authenticated users. Adds current (and future) domain accounts in the Windows Users group to the Remote Desktop Users group. Default = unselected
Add the list of users from the Users group. Adds all current users from the Users group to the Remote Desktop Users group. If you add users later, you must add them manually to the Remote Desktop Users group. Default = selected 10 If you installed the plug-in (or agent) for Single sign-on, SmartAuditor, EdgeSight, or Power and Capacity Management on this server, specify the requested information to enable communications with them. (The plug-in (or agent) roles use separate tools for their configuration.)
q
11 Review the summary page and click Apply. After configuration completes, you are returned to the XenApp Server Role Manager task list, which indicates if any requirements remain, such as a server restart. The XenApp Server Role Manager updates the task list after any task completes.
q
To initiate a server restart, click Reboot. To change a role configuration, click Edit Configuration.
110
Command Conventions
Several options use Boolean values (true or false).

- If you omit an option that requires a Boolean value, the default value is used. For example, if you do not include the /AddLocalAdmin:True|False option in the command, the default value (false) is used (that is, a local administrator is not added).
- If you specify an option that requires a Boolean value but you omit the value, the option default value is true. For example, for the /AddLocalAdmin:True|False option, if you specify only /AddLocalAdmin (with no :True or :False value), the option is true (that is, a local administrator is added).

You can use environment variables to represent one or more command-line options. For example, you can group the standard Pause, Confirm, and NotStrict options as a single environment variable. You can also use environment variables in the command-line option values. For example, /ServerName:%currentServer%, where currentServer is defined as an environment variable.

The following options apply when creating, joining, or leaving a farm:

- /ExecutionMode - required when creating, joining, or leaving a farm
- /FarmName - required when creating a farm
- /CitrixAdministratorAccount - required when creating a farm
- /LicenseServerName
- /LicenseServerPort
- /ZoneName
- /AddLocalAdmin
- /SqlExpressRootDir
- /SimpleDB - this option and /DsnFile are mutually exclusive
- /ServerName - required when joining a farm if you specified /SimpleDB when creating the farm
- /DsnFile - required when creating or joining a farm if you are using a SQL Server or Oracle database; this option and /SimpleDB are mutually exclusive
- /AuthenticationType
- /OdbcUserName - required when creating and joining a farm
- /OdbcPassword - required when creating and joining a farm

If you use a Microsoft SQL Server Express database, you can simplify configuration by using the /SimpleDB option when creating the XenApp farm. When joining a farm that uses a Microsoft SQL Server Express database, use the /ServerName:server_name option to specify the name of the XenApp server on which you created the farm.
Session shadowing

Shadowing is enabled by default.

Important: Citrix recommends using the default values (that is, do not specify them in this command). Shadowing settings specified during XenApp configuration override system or domain policy for user-to-user shadowing. Shadowing features are permanent and should be changed only if you wish to permanently prevent system or domain policy from affecting that setting. If you disable shadowing or change shadowing features during configuration, you cannot reconfigure them later.
Return Codes

The XenAppConfigConsole command supports the following return codes:

Value  Meaning
0      Success
1      Invalid command-line options - for example, the command includes the options /ServerName:server_name and /ExecutionMode:Create (an option that is valid only when joining a farm was specified when creating a farm)
2      Unmatched parameters - an unrecognized option was specified
3      Invalid parameters - for example, for an option that requires a Boolean value (that is, True or False), you specified 'Bob'
4      Commit failed - the configuration process did not complete; check the log file for details
Command Syntax
On the server where the XenApp server role is installed, from C:\Program Files (x86)\Citrix\XenApp\ServerConfig, type the following at a command prompt:

XenAppConfigConsole.exe [options]

Options

/help
    Displays command help.

/NotStrict
    Allows the executable to continue processing even if options do not apply in the current context.

/Confirm
    Displays a confirmation message before modifying the server. This can be useful when testing for correct use of command options.

/Pause
    Pauses the executable after processing completes. This prevents the command prompt from closing when launching the command from a batch file.

/LogFilename:file
    Logs the progress of the executable to a log file. In the log, the symbols >> indicate a function call; the symbols << indicate a function return.

/SqlExpressRootDir:sql_express_install_src_dir
    Specifies the location of the SQL Server Express source installation directory. Default = C:\Program Files (x86)\Citrix\XenApp\ServerConfig\SqlExpress_2008

/ExecutionMode:Create | Join | Leave | ImagePrep
    Specifies the task you want to perform. If you have not yet configured the XenApp server role, you can create a farm or add the server to (join) an existing farm.

    Task: Create
    Description: If you have not yet configured the XenApp server role on this server: after you install XenApp on the first server, that server is where you Create a new farm during configuration and add the server to the farm. If you previously configured the XenApp server role on this server, specifying Create removes the server from its current farm before creating another farm.

    Task: Join
    Description: If you have not yet configured the XenApp server role on this server: after you install XenApp on other servers, you Join a farm when you configure each of those servers and add each server to an existing farm. If you previously configured the XenApp server role on this server, specifying Join removes the server from its current farm before joining another farm.

    Task: Leave
    Description: (Valid only if you previously configured the XenApp server role on this server to join an existing farm) Specify Leave if you want to remove the server from the farm.

    Task: ImagePrep
    Description: (Valid only with the updated XenApp Server Configuration Tool and if you previously configured the XenApp server role on this server to join an existing farm) For information about this task, see Preparing for XenApp 6 Imaging and Provisioning.

/FarmName:farm_name
    (Valid only with /ExecutionMode:Create) Specifies the farm name, up to 32 characters (can include spaces). If you are using Oracle for the Configuration Logging database, do not use hyphens in the farm name.

/CitrixAdministratorAccount:domain_name\user_name
    (Valid only with /ExecutionMode:Create) Specifies the domain and user name of the user who will be the first Citrix administrator. The administrator has full permissions to the farm and can create additional administrator accounts.

/SimpleDB
    Indicates the farm uses a SQL Server Express database for the data store.

/ServerName:server_name
    (Valid only with /ExecutionMode:Join and /SimpleDB) Specifies the name of the server where the XenApp farm was created (that is, where the SQL Server Express database was installed).

/DsnFile:dsn_file
    Specifies the path to the DSN file used to connect to the data store.

/AuthenticationType:Windows | Sql
    (Valid only when using a SQL Server database for the farm data store) Specifies the authentication type. Default = Windows

/OdbcUserName:odbc_user_name
    Specifies the database user name in the form <DBMACHINE>\<USER> or <DOMAIN>\<USER>. SQL Server Express requires an existing Windows account, but it does not need to be a server or system administrator. XenApp configuration adds two database administrators to SQL Server Express: (local)\administrators and the supplied credentials for the local or domain user. Specify the database user password with the /OdbcPassword option.

/OdbcPassword:odbc_password
    Specifies the database user password. Specify the database user name with the /OdbcUserName option.

/LicenseServerName:license_server_name
    Specifies the name of the existing license server.

/LicenseServerPort:license_server_port
    Specifies the license server port. Default = 27000

Important: For the four shadowing options that follow (/ProhibitShadowing, /ProhibitRemoteControl, /ForceShadowPopup, and /ForceShadowLogging), Citrix recommends using the default values (that is, do not specify them in this command). Shadowing settings specified during XenApp configuration override system or domain policy for user-to-user shadowing. Shadowing features are permanent and should be changed only if you wish to permanently prevent system or domain policy from affecting that setting. If you disable shadowing or change shadowing features during configuration, you cannot reconfigure them later.

/ProhibitShadowing:True | False
    Disables or enables session shadowing. Default = False (shadowing is enabled)

/ProhibitRemoteControl:True | False
    (Valid only if shadowing is enabled) Prohibits or allows remote control shadowing. When this option is true, authorized users can view sessions but do not have keyboard and mouse input. Default = False

/ForceShadowPopup:True | False
    (Valid only if shadowing is enabled) Enables or disables sending a shadowing acceptance popup. When this option is true, authorized users must send an acceptance prompt when attempting to shadow a session. Default = False

/ForceShadowLogging:True | False
    (Valid only if shadowing is enabled) Enables or disables logging of all shadow connections. When this option is true, all shadowing attempts, successes, and failures are logged to the Windows event log. Default = False

/ZoneName:zone_name
    Specifies the zone name. Default = Default Zone

/CustomXmlServicePort:port_number
    Specifies the port number to be used by the Citrix XML Service. By default, the Citrix XML Service and Internet Information Service (IIS) use the same TCP/IP port (80) for communications. Specify this option if you do not want those services to share the port (for example, if you install the Citrix XML Service on a dedicated XML server). See System Requirements for more information. Default = 80

/SkipXmlSetting:True | False
    When this option is true, the Citrix XML Service and IIS port numbers are not configured (that is, the default port 80 is not used). Default = False

/AddAnonymousUsersToRemoteDesktopUserGroup:True | False
    Enables or disables adding anonymous users to the Remote Desktop Users group. Default = True

/AddUsersGroupToRemoteDesktopUserGroup:True | False
    Enables or disables adding all current users from the Users group to the Remote Desktop Users group. If you add users later, you must add them manually to the Remote Desktop Users group. Default = True

/AddAuthenticatedUsersToRemoteDesktopUserGroup:True | False
    Enables or disables adding current (and future) domain accounts in the Windows Users group to the Remote Desktop Users group. Default = False

/AddLocalAdmin:True | False
    Enables or disables creation of Citrix administrator accounts for all user accounts in the local Administrators group. Default = False

/SmartAuditorServerName:smart_auditor_server_name
    (Required if you installed the SmartAuditor agent on the XenApp server) Specifies the name of the SmartAuditor server.

/SsoPluginUncPath:path_to_central_store
    UNC path to the Single sign-on central store. Default = use Active Directory

/OnlinePluginServerUrl:wi_url_or_servername
    Server name or URL of the Web Interface server used by the Citrix online plug-in.

/PcmFarmName:pcm_farm_name
    Power and Capacity Management farm name.

/PcmWorkloadName:pcm_workload_name
    Power and Capacity Management workload name.

/EdgeSightCompanyName:edgesight_company_name
    EdgeSight company name.

/EdgeSightServerName:edgesight_server_name
    EdgeSight server name.

/EdgeSightServerPort:edgesight_server_port
    EdgeSight server port. Default = 80

/RemoveCurrentServer:True | False
    (Valid only with /ExecutionMode:ImagePrep and the updated XenApp Server Configuration Tool) Enables or disables removing the current server instance from the XenApp farm. Default = True

/PrepMsmq:True | False
    (Valid only with /ExecutionMode:ImagePrep and the updated XenApp Server Configuration Tool) Enables or disables resetting the MSMQ ID during resealing. Default = True
Approach 1: Capture an image after XenApp installation, but before configuration and restart
In this approach, you install the XenApp server role, but wait to configure XenApp (join a farm) until after the server is cloned and booted. XenApp server configuration is automated, using a script. This approach is not supported in Citrix Provisioning Services using Shared Image mode.

1 Install the XenApp server role, but do not configure the server. You may want to restart the server to ensure the system path is updated properly before installing other applications. Deploying prerequisites such as Remote Desktop Services roles may require a server restart before you can install XenApp.
2 Install your applications and configure the settings you want in your image.
3 Run the generalization tools you normally run.
4 Set up a script to run when each cloned server boots. This script configures the XenApp server (including farm information) using the command line (XenAppConfigConsole.exe). The script then restarts the server, whereupon the server joins the farm. You can set up scripts using typical methods such as Active Directory startup scripts or the RunOnce registry key.
5 Capture an image of the server.
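Step 4 of Approach 1 and the Return Codes table, as an added example that is not from the Citrix documentation: a PowerShell script to register under the RunOnce key or as an Active Directory startup script. It runs XenAppConfigConsole.exe to join the cloned server to the farm, maps the exit code to its documented meaning, and restarts only on success. The data store account, DSN path, secret-file location, license server name, and log paths are assumptions.

```powershell
# Added example (not Citrix's code): first-boot farm join for a server cloned with Approach 1.
# Run it from the RunOnce registry key or an Active Directory startup script, as SYSTEM.
$ErrorActionPreference = 'Stop'

$configTool = 'C:\Program Files (x86)\Citrix\XenApp\ServerConfig\XenAppConfigConsole.exe'
$toolLog    = 'C:\Windows\Temp\XenAppConfigLog.txt'   # written by /LogFilename (>> call, << return)
$joinLog    = 'C:\Windows\Temp\XenAppJoin.log'        # this script's own outcome log

# Return codes documented for XenAppConfigConsole.exe.
$returnCodes = @{
    0 = 'Success'
    1 = 'Invalid command-line options'
    2 = 'Unmatched parameters'
    3 = 'Invalid parameters'
    4 = 'Commit failed'
}

# Assumption: the data store credentials live in a file readable only by SYSTEM and
# Administrators, not in this script (a startup script in SYSVOL is readable by every
# domain user). The account name is a constructed placeholder.
$secretFile   = 'C:\ProgramData\XenAppJoin\odbc.secret'
$odbcUser     = 'CONTOSO\svc-xa-datastore'
$odbcPassword = (Get-Content -Path $secretFile -Raw).Trim()

# Build the argument list. Boolean options carry explicit values because an option given
# without a value means True. The shadowing options are deliberately omitted so the
# documented defaults apply; they cannot be changed again after configuration.
# Only members of Remote Desktop Users can connect to published applications, so the
# three group options decide who can reach this server once it is in the farm.
$arguments = @(
    '/ExecutionMode:Join'
    '/DsnFile:C:\ProgramData\XenAppJoin\datastore.dsn'
    '/AuthenticationType:Windows'
    "/OdbcUserName:$odbcUser"
    "/OdbcPassword:$odbcPassword"
    '/LicenseServerName:licsrv01.contoso.local'
    '/LicenseServerPort:27000'
    '/AddAnonymousUsersToRemoteDesktopUserGroup:False'    # documented default is True
    '/AddUsersGroupToRemoteDesktopUserGroup:False'        # documented default is True
    '/AddAuthenticatedUsersToRemoteDesktopUserGroup:True'
    "/LogFilename:$toolLog"
)

# The password is visible in the process command line while the tool runs; that is how
# the tool takes it, so keep the run short and delete the secret file afterwards.
$proc = Start-Process -FilePath $configTool -ArgumentList $arguments -Wait -PassThru -NoNewWindow
$code = [int]$proc.ExitCode

$meaning = if ($returnCodes.ContainsKey($code)) { $returnCodes[$code] } else { 'Undocumented return code' }
"$(Get-Date -Format s) XenAppConfigConsole.exe exited $code ($meaning); tool log: $toolLog" |
    Out-File -FilePath $joinLog -Append

# Remove the credential file whether or not the join succeeded; a failed join is repaired
# by an administrator rerunning the tool, not by leaving the secret on the clone.
Remove-Item -Path $secretFile -Force -ErrorAction SilentlyContinue

if ($code -eq 0) {
    # Documented behaviour: the server joins the farm on the restart that follows configuration.
    Restart-Computer -Force
} else {
    # Do not restart-loop. Leave the server out of the farm and surface the failure;
    # return code 4 (commit failed) means the details are in the /LogFilename file.
    exit $code
}
```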
Approach 2: Capture an image after XenApp installation and configuration, but before restart
In this approach, you install and configure the XenApp server role, but wait to restart the server until after it is cloned. When the server restarts as a clone of the original image, it joins the farm with its new identity. You do not need direct access to your database server or network during configuration, so this approach can be used to prepare XenApp images for remote deployments.

If you do not or cannot verify your database credentials, and they are invalid, XenApp will not join the farm when the server restarts. In that case, run the XenApp Server Configuration Tool, providing correct credentials, and then recapture an image.

1 Install your applications and configure the settings you want in your image.
2 Install the XenApp server role. Deploying prerequisites such as Remote Desktop Services roles may require a server restart before you can install XenApp.
3 Configure the XenApp server to add the server to (join) a farm, but do not restart the server.
4 Run the generalization tools you normally run.
5 Capture an image of the server.

Note: If you are using the SmartAuditor agent or other features that depend on Microsoft Messaging Queuing (MSMQ), use the updated XenApp Server Configuration Tool and the procedure in Approach 3.
Approach 3: Capture or update an image after XenApp installation, configuration, and restart
If you require XenApp to be installed and working before you create a final image, you must remove the server from the farm, then rejoin the farm before your final shutdown (for example, after sysprep), so that the server will join the farm on the next restart, with its new identity.

Note: You can use this approach with the XenApp Server Configuration Tool included on the XenApp 6 for Windows Server 2008 R2 installation media. However, the process is streamlined and more effective if you use the updated XenApp Server Configuration Tool (see CTX124981) before installing XenApp.

1 Install the XenApp server role. Optionally, install the Provisioning Services Target Device software. This software resets your network connection during installation. Failures may occur if you install this component from a network location. Although these failures are not commonly harmful, Citrix recommends installing the Provisioning Services Target Device software from a DVD, mounted ISO, or local copy of the installation media.
2 Configure XenApp to join a farm, and then restart (reboot) the server.
3 Install your applications and configure the settings you want in your image.
4 If you are using the Server Configuration Tool from the XenApp 6 for Windows Server 2008 R2 installation media:

   a From the XenApp Server Role Manager, edit your configuration and choose the task to remove the server from the farm. (For a command-line configuration, specify the /ExecutionMode:Leave option.)
   b If you are provisioning the XenApp server with the SmartAuditor agent or other features that depend on MSMQ, you must enable MSMQ (manually or scripted) to reset its identifier when the server image boots.
   c Edit your configuration to join the farm again (this requires providing database credentials).

   If you installed the updated XenApp Server Configuration Tool, edit your XenApp configuration and select the task Prepare this server for imaging and provisioning. (For a command-line configuration, specify the /ExecutionMode:ImagePrep option.)

   - If you are working with an image template that you do not want to keep in the current farm, enable the Remove this current server instance from the farm checkbox. (For a command-line configuration, use the /RemoveCurrentServer:True option.)
   - If you are provisioning the XenApp server with SmartAuditor or other features that depend on MSMQ, enabling the Prepare Microsoft Messaging Queuing provisioning checkbox ensures a new unique machine identifier when the server image boots. (For a command-line configuration, use the /PrepMsmq:True option.)

5 Run the generalization tools you normally run.
6 Capture an image of the server. The server joins the farm when the image boots.
Resealing an image
If a golden image requires updating (for example, with Citrix or Windows hotfixes, or third-party applications and patches), you can reseal the image. This procedure is similar to Approach 3.

1 Boot into the image to make modifications. The XenApp server will try to join the farm if it can.
2 Modify the server as needed.
3 Proceed with step 4 in Approach 3.

During the resealing process, the updated Server Configuration Tool:

- Creates a unique Secure Ticket Authority (STA) ID in CtxSta.config, using the MAC address.
- Resets the local databases and removes the Servers setting from the Independent Management Architecture (IMA) data store by clearing the IMA local host cache and RadeOffLine databases.
- Places the following configuration information into the Local Group Policy Object (LGPO) if it has nondefault values (nondefault values appear as configured, default values appear as not configured):
  - Product feature and server edition
  - License server hostname
  - License server port number
  - XML Service port

The server being imaged should meet the following conditions:

- The server should not be the only server in the XenApp farm.
- The server should not be the data collector.
- The server should not have the data store database installed on it.
- The server should not have the Citrix License Server installed on it.
Important: When provisioning XenApp, you must remove the server SSL certificate before running XenConvert; otherwise, the SSL certificate will be distributed to all provisioned XenApp servers.

For example, the following command, issued from the root of the installation media, installs the XenApp server role and the Provisioning Services target device, and excludes installation of the Delivery Services Console.

\XenApp Server Setup\bin\XenAppSetupConsole.exe /install:XenApp,PVDeviceFeature /exclude:XA_Console

Configuring the XenApp server after it is instanced (Approach 1) should be automated using the command line. You can use the wizard-based XenApp Server Configuration Tool or the command line to configure the XenApp server if you choose Approach 2 or 3.

For example, the following command, issued from the typical XenApp Server Configuration Tool location (C:\Program Files (x86)\Citrix\XenApp\ServerConfig\XenAppConfigConsole.exe), joins the server to the farm, specifying database credentials and the DSN file location, license server information, log file location, and Remote Desktop Users group configuration settings.

"C:\Program Files (x86)\Citrix\XenApp\ServerConfig\XenAppConfigConsole.exe" /ExecutionMode:Join /OdbcUserName:administrator /OdbcPassword:somepasswd /LicenseServerName:somelicenseserver /LicenseServerPort:27000 /ZoneName:some_zone_name /DsnFile:"c:\somepath\to\example.dsn" /LogFilename:c:\SomewhereConfigLog.txt /CustomXmlServicePort:8080 /AddAnonymousUsersToRemoteDesktopUserGroup:True /AddUsersGroupToRemoteDesktopUserGroup:True /AddAuthenticatedUsersToRemoteDesktopUserGroup:True

The following command prepares XenApp for imaging and provisioning. The server will be removed from the current farm, and when the server image boots, it will contain a unique MSMQ machine identifier.

"C:\Program Files (x86)\Citrix\XenApp\ServerConfig\XenAppConfigConsole.exe" /ExecutionMode:ImagePrep /RemoveCurrentServer:True /PrepMsmq:True
Citrix does not support case-sensitive databases. To avoid corruption, do not directly edit data in the data store database with utilities or tools other than those provided by Citrix.
- Upgrade the XenApp data store
- Move the data in the data store to a different database server
- Change the name of the DSN file

If the data store fails, each farm server can run from the data in its Local Host Cache indefinitely, provided it can contact the license server. However, you cannot make any modifications to the farm or use the Delivery Services Console.

Create a backup copy of the data store (dsmaint backup). Without a backup, you must manually recreate all of the farm policies, settings, accounts, and other persistent data in the data store.

To restore a backup database or to migrate to a new server, use the dsmaint migrate command. Without a backup, prepare a new data store the way you did before configuring XenApp and run the Server Configuration Tool from any farm server. After running the Server Configuration Tool, manually reenter the lost settings. If you use the same name as the previous data store, you do not need to reconfigure the farm servers.
- Approximately 100MB of disk space for every 250 servers and 50 published applications in the XenApp farm. Provide more disk space for greater numbers of published applications.
- Set the "temp" database to automatically grow on a partition with at least 1GB of free disk space. Citrix recommends 4GB if the farm is large and includes multiple print drivers.

The default database installation settings and database sizes usually suffice for XenApp data store needs.

Microsoft SQL Server supports Windows and Microsoft SQL Server authentication. For high-security environments, Citrix recommends using Windows authentication only.

The user account for installing, upgrading, or applying hotfixes to the data store must have database owner (db_owner) rights to the database. When you finish installing the database with database owner rights, set the user permissions to read/write only to increase the security of the database. Change the rights back to database owner before installing service packs or feature releases; installations can fail if the user account used to authenticate to the data store during Setup does not have database owner rights.

When using Microsoft SQL Server in a replicated environment, use the same user account for the data store on each Microsoft SQL Server.

Each farm requires a dedicated database. However, multiple databases can be running on a single server running Microsoft SQL Server. Do not configure the farm to use a database that is shared with any other client/server applications.

Back up the database regularly and follow Microsoft recommendations for configuring database and transaction logs for recovery (for example, setting the Truncate log on Checkpoint option to control log space).

up an instance of Microsoft SQL Server and start accepting connection requests for that instance. Microsoft Cluster Services clustering does not support load balancing among clustered servers because it functions in active/passive mode only.
Oracle Database
The server hosting the Oracle database should meet the following minimum requirements:
- Approximately 100MB of disk space for every 250 servers and 50 published applications in the farm. Provide more disk space for greater numbers of published applications.
- 20 MB minimum tablespace size.

Oracle supports Windows and Oracle authentication. Oracle for Solaris supports Oracle authentication only; it does not support Windows authentication. In the Oracle sqlnet.ora file, set SQLNET.AUTHENTICATION_SERVICES= (NONE). The default setting (NTS) will cause connection failures.

Do not install XenApp on a server hosting an Oracle database. Install the Oracle client on the server where you will be installing XenApp and then restart the server before you install XenApp.

The Oracle user account must be the same for every server in the farm because all XenApp servers share a common schema. If you are using one database to hold information for multiple farms, each farm represented in the database must have a different user account because the data store information is stored in the Oracle user account.

The account used to connect to the data store database has the following Oracle permissions:

Use Shared/Multi-Threaded Server mode to reduce the number of processes in farms with more than 100 servers (performance may be affected during periods of high data store load). If you are using Multi-Threaded Server mode, verify that values in the Init.ora file are greater than or equal to the following values. If you are running multiple farms on the same Oracle database, include all XenApp servers in the calculations. Round up fractional values.

shared_servers = Number of servers / 10
max_shared_servers = Number of servers / 5

where Number of servers is the total number of servers running XenApp.

- When using an Oracle server in dedicated mode, add one additional process for each server connected directly to the Oracle database. For example, if the Oracle server uses 100 processes before installing XenApp, and the farm has 50 servers, set the processes value to at least 150 in the Init.ora file on the Oracle server.
- Create online backups using Archivelog mode, which reduces the recovery time of an unresponsive database.
- If you are using the same Oracle database for multiple server farms, create a unique tablespace with its own user name and password for added security for each farm. Do not use the default system account within Oracle.
- Maintain a standby database for quick disaster recovery. A standby database maintains a copy of the production database in a permanent state of recovery.
- All participating databases must be running Oracle.
- All participating databases must be running in Multi-Threaded Server/Shared mode (rather than Dedicated mode).
- All Oracle clients (XenApp servers that connect directly to the Oracle database) must be SQL*Net Version 2 or Net8.
- Install the farm data store database first on the master site, then configure replication at the sites used for database replication snapshots.
- Replicate all objects contained in the data store user schema (tables, indexes, and stored procedures).

If the performance at the replicated database site is significantly slower, verify that all the indexes for the user schema are successfully replicated.

When configuring Oracle for a two-phase commit:

- Use synchronous snapshots that can be updated with a single master site. XenApp requires write access to the snapshot.
- Use the Oracle Fast Refresh feature where possible (this requires snapshot logs).
- When setting up the replication environment, do not configure conflict resolution.
- Set the replication link interval to be as frequent as the network environment allows. With Oracle replication, if no changes are made, data is not sent over the link.
- When Oracle is configured in Multi-Threaded Server mode and remote data transfers are initiated from the remote site, they can block local data transfers (because all connections share a set of worker threads). To remedy this, increase the value of the Max_Mts_Servers parameter in the Init.ora file.
Administrator
    Only Citrix administrators whose accounts can be resolved on the server in the new farm are migrated (the corresponding account authorities are trusted in the new farm or they represent Citrix built-in accounts).

Folder
    Includes application folders and server folders. Server folders are migrated so that server permissions can be copied; however, the server objects are not migrated.

Load evaluator
    Load evaluators and their rules are migrated. Migrated load evaluators are attached to applications (where applicable), but they are not attached to servers.

Policy
    Policies are migrated by creating an IMA (Independent Management Architecture) User GPO (Group Policy Object) with the same name as the policy. Server filters are migrated by using the Server Group (worker group) filter for the servers in the mapping file. For user filters, only the accounts that can be resolved on the target server in the new farm (account authorities that are trusted in the new farm) are migrated. The Zone Preference and Failover policy is converted to a Worker Group Preference and Failover policy. Servers in the zone that are specified in the server mapping file resolve to a worker group.

Server configuration
    Configuration settings for servers specified in the server mapping file are migrated by creating an IMA Machine GPO named "WorkerGroupname", where name is the name of the worker group specified in the server mapping file. This policy is filtered by worker group. Worker groups are created as necessary, but they are not associated with servers or OUs (Organizational Units).

Farm configuration
    Farm configuration settings are migrated by creating an IMA Machine GPO named "Farm". This policy is unfiltered.

Farm and server settings from the legacy farm are compared against the default values used when the new XenApp farm was created. The corresponding setting in the policy in the new farm is set to "Not Configured" if it matches the default value for the same setting in the new farm. Health Monitoring and Recovery (HMR) test executables are not copied; however, HMR test configurations are migrated into policies in the new farm.

You cannot transfer the following settings using the Migration Tool:
- Only settings that reside in the IMA data store are migrated; settings that reside only in the server registry are not migrated.

The migration process ignores the following settings:

- Permissions that do not exist in the XenApp 6 for Windows Server 2008 R2 release, whether they correspond to a deprecated feature or a configuration setting that is now supported as a policy.
- The servers in the legacy farm must be running XenApp 5 for Windows Server 2003 with Hotfix Rollup Pack 5 (HRP5) or XenApp 5 for Windows Server 2008.
- The legacy farm server from which you are exporting must have network COM+ access enabled.
- To access the XenApp 5 server in the legacy farm using a remote connection, you must be a member of the DCOM users group, and you must be a Citrix administrator with at least view-only privileges in the legacy farm.
- When migrating from a 32-bit XenApp farm to a XenApp 6 farm, network printers used by policies (session printers) must have a 64-bit driver installed in the print server; otherwise, those printers will not be migrated.

- The servers in the new farm must be running XenApp 6 for Windows Server 2008 R2.
- To install the Citrix XenApp Migration Module, you must have permission to install components.
- To run the XenApp 6 Migration Tool cmdlets, you must be a Citrix administrator with full privileges.
- You must have write access to the folder where the migrationoptions.xml file (containing server mappings, migration options, and object property overrides) and the exported data from the legacy farm is placed. By default, this is a folder named Data, located under the XenApp 6 Migration Tool installation files (C:\Users\user\appdata\local\citrix\citrix.xenapp.migration). You can specify a different folder with the -DataFolderPath option in the Set-XAMigrationOption cmdlet.
- By default, execution of PowerShell scripts is disabled. To run the XenApp 6 Migration Tool cmdlets, sign the scripts or enable the scripts to run (Set-ExecutionPolicy RemoteSigned). You are prompted during installation if this has not been done.
- If your legacy farm uses file type association for published applications, update the new farm with file type associations (using the Update file types from registry task in the Delivery Services Console) before you migrate applications. This allows the migration process to create the associations in the new farm.
- Create worker groups in the new farm for server and application silos. (However, if a worker group specified in a server mapping does not exist, the XenApp 6 Migration Tool creates it.)

The following software is required to install the Citrix XenApp Migration Module and run the cmdlets. This software is required for XenApp server installation and configuration, so it is likely to already be installed.

- PowerShell 2.0

If you installed the beta version of the XenApp 6 Migration Tool, manually uninstall it and then delete the folder \users\user\AppData\Local\Citrix\Citrix.XenApp.Migration before installing the newer version of the tool.

3 The installer creates shortcuts in the Start menu. Clicking (launching) the shortcut opens PowerShell and loads the module. (If you do not use the shortcut, open a PowerShell console and type Import-Module Citrix.XenApp.Commands.) When launching the XenApp 6 Migration Tool, restart the server if you receive the following error message: Import-Module: The specified module 'Citrix.XenApp.Migration' was not loaded because no valid module file was found in any module directory.

Note: Citrix recommends performing the migration entirely from a server in the new farm. If your deployment does not allow this, see Advanced Cmdlets.
Use the Add-XAServerMapping cmdlet to map servers in the legacy farm to worker groups in the new farm. The servers in the mapping are representative servers chosen from each server silo in the legacy farm. Server mappings are not required, but a XenApp farm cannot be completely migrated without them (without server mappings, no data about the servers will be migrated; for example, server settings, application servers, or Zone Preference and Failover policy).

- To display the server mappings you specified, use the Get-XAServerMapping cmdlet.
- To remove a server mapping, use the Remove-XAServerMapping cmdlet.

Use the Set-XAMigrationOption cmdlet to tailor the migration. Setting migration options is optional; it offers flexibility in tailoring your migration.

- You can specify a remote server name; this is the name of the server in the legacy farm from which objects will be migrated. Specifying the remote server name as a migration option eliminates having to specify it each time you start a migration.
- You can also optionally specify a nondefault folder location where the exported data from the legacy farm is stored, and object types or named objects to include or exclude from the migration.
- To display the migration options you specified, use the Get-XAMigrationOption cmdlet.

Use the Add-XASettingOverride cmdlet to specify values for individual object properties, if you do not want to use the migrated values in the new farm. Specifying setting overrides is optional.

- To display the names of object properties you can specify with the Add-XASettingOverride cmdlet, use the Get-XALegacySettingName cmdlet.
- To display the property override values you specified, use the Get-XASettingOverride cmdlet.
- To remove a property override value you specified, use the Remove-XASettingOverride cmdlet.

2 Launch the migration with the Start-XAMigration cmdlet.

- To see what would happen during the migration (for example, which objects are migrated and updated, and changes to property values) without actually performing the action, use the -PendingReportOnly option. This option provides more detailed output than the -WhatIf PowerShell common parameter.

3 After running a migration, use the Get-XAMigrationObjectCount cmdlet to display a count of the objects in the legacy and new farms. This helps monitor equivalency between the new farm and the legacy farm. You can tailor the display to report differences from an existing snapshot. Subsequent migrations (using the Start-XAMigration cmdlet) will use the current specifications in the server mappings, migration options, and property value overrides file.
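The procedure above as one scripted direct migration, added here as an example; it is not code from the Citrix documentation or from the Migration Tool itself. It uses only the cmdlets and options listed in the Cmdlet Reference. The server names (LEGACY-OFFICE01, LEGACY-FIN01), worker group names, data folder and executable paths are constructed placeholders, and leaving administrators out of the automated run is a choice made for this example, not a Citrix recommendation.

```powershell
# Added example (not from the Citrix documentation): a direct migration driven
# from a PowerShell console on a server in the new farm, opened through the
# XenApp 6 Migration Tool shortcut so that the module is already loaded.
# All server, worker group and path names below are constructed placeholders.

# Requirements check: the cmdlets are scripts, so execution must be permitted.
if ((Get-ExecutionPolicy) -eq 'Restricted') {
    throw 'Execution policy is Restricted; run Set-ExecutionPolicy RemoteSigned first (see Requirements and Installation).'
}

# 1. Server mappings: one representative server from each legacy silo maps to a
#    worker group in the new farm. A worker group that does not exist is created.
Add-XAServerMapping -ServerName 'LEGACY-OFFICE01' -WorkerGroupName 'OfficeApps'
Add-XAServerMapping -ServerName 'LEGACY-FIN01'    -WorkerGroupName 'FinanceApps'
Get-XAServerMapping

# 2. Migration options: the legacy server to export from, a data folder outside
#    the user profile, and an application scope (all "Finance" apps except test copies).
Set-XAMigrationOption -RemoteServerName 'LEGACY-OFFICE01' -DataFolderPath 'D:\XAMigration\Data'
Set-XAMigrationOption -ObjectType Application -Include '*Finance*' -Exclude '*Test*'
# Design choice for this example: administrators are not migrated automatically;
# they are recreated by hand in the new farm after their accounts are reviewed.
Set-XAMigrationOption -ObjectType Administrator -Enabled $false
Get-XAMigrationOption

# 3. Property overrides: rewrite the 32-bit install path only where the legacy
#    value matches exactly (-MatchValue), so applications with other paths are left alone.
Get-XALegacySettingName *CommandLine* -ObjectType Application
Add-XASettingOverride -PropertyName CommandLineExecutable -ObjectType Application `
    -Value 'C:\Program Files\Finance\Ledger.exe' `
    -MatchValue 'C:\Program Files (x86)\Finance\Ledger.exe'
Get-XASettingOverride

# 4. Dry run: report which objects would be migrated and which values would
#    change, without writing anything to the new farm. Review this before step 5.
Start-XAMigration -PendingReportOnly

# 5. Real run, confirming each change, then compare object counts in both farms
#    to check that the new farm matches the legacy farm.
Start-XAMigration -Confirm -Verbose
Get-XAMigrationObjectCount
```

Run the pending report first and keep its output with the change record: it is the only place where the effect of the include, exclude and override rules on every object can be checked before the new farm is modified. The mappings, options and overrides persist in the migrationoptions.xml file, so a later Start-XAMigration reuses them unchanged.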
Post-migration Tasks

- Associate servers or OUs with worker groups.
- Associate application folders with worker groups.
- Attach load evaluators to servers.
- Assign zones.
- Configure printer settings.
- Initiate Configuration Logging in the new farm.
- Configure Health Monitoring settings.
- Optionally, add new servers in the old server folder hierarchy to preserve delegated permissions.
- To enable streamed-to-server applications to launch after migrating from a 32-bit XenApp farm to a XenApp 6 farm, rebuild profiled applications.
Cmdlet Reference
Cmdlet Summary
For PowerShell help, type Get-Help cmdlet-name.

- To see examples, use the -examples option.
- For detailed information, use the -detailed option.
- For technical information, use the -full option.

Add-XAServerMapping
    Adds a server mapping.
Add-XASettingOverride
    Specifies a value for an object property.
Get-XALegacySettingName
    Outputs the settings you can use with the Add-XASettingOverride cmdlet.
Get-XAMigrationObjectCount
    Outputs a count of objects in the legacy and new farms.
Get-XAMigrationOption
    Outputs the list of migration options.
Get-XAServerMapping
    Outputs the list of server mappings.
Get-XASettingOverride
    Outputs the list of object property value overrides.
Remove-XAServerMapping
    Removes a server mapping.
Remove-XASettingOverride
    Removes an object property value override.
Set-XAMigrationOption
    Sets migration options.
Start-XAMigration
    Starts the migration.

The Migration Tool cmdlets support the PowerShell common parameters. In particular, -Confirm and -Verbose can be helpful in the migration process. Although the -WhatIf common parameter is supported, using the -PendingReportOnly option with the Start-XAMigration cmdlet provides more detailed information.
Add-XAServerMapping
Adds a mapping between a server in the legacy farm and a worker group in the new farm. You must specify the following options:

-ServerName server-name
    MFCOM name of the server in the legacy farm.
-WorkerGroupName name
    Name of the worker group in the new farm. If the worker group does not exist, it is created.

For example, the following cmdlet maps the server named OfficeApps5 to the worker group named DenverAcctg.

Add-XAServerMapping -ServerName OfficeApps5 -WorkerGroupName DenverAcctg
Add-XASettingOverride
Specifies a value for an object property (setting). This value is used for the object property in the new farm, regardless of the value of the property in the legacy farm (it overrides the setting in the legacy farm). To display the names of object properties you can specify with the Add-XASettingOverride cmdlet, use the Get-XALegacySettingName cmdlet. You can specify the following options:

-PropertyName property-name
    Property name. You can use wildcards.
-ObjectType object-type
    Object type. Valid values are: Administrator, Application, FarmConfiguration, Folder, LoadEvaluator, Policy, and ServerConfiguration. You can use wildcards.
-Value value
    New property value.
-MatchValue value
    Original property value to match before overriding the setting with the new value. If the value does not match, the override is skipped. If this option is omitted, the override always occurs.
-ObjectName object-name
    Object name.

For example, the following cmdlet specifies a CPU priority level of "high" for migrated applications in the new farm.

Add-XASettingOverride CpuPriorityLevel High

The following cmdlet changes the CommandLineExecutable property value to C:\Program Files\Test\Test.exe when its current value is C:\Program Files (x86)\Test\Test.exe.

Add-XASettingOverride -PropertyName CommandLineExecutable -ObjectType Application -Value "C:\Program Files\Test\Test.exe" -MatchValue "C:\Program Files (x86)\Test\Test.exe"
Get-XALegacySettingName

Outputs the settings you can use with the Add-XASettingOverride cmdlet. You can specify the following options:

-PropertyName property-name
    Property name. You can use wildcards.
-ObjectType object-type
    Object type. Valid values are: Administrator, Application, FarmConfiguration, Folder, LoadEvaluator, Policy, and ServerConfiguration. You can use wildcards.

For example, the following cmdlet gets a list of valid settings that contain "LicenseServer" in the property name.

Get-XALegacySettingName *LicenseServer*

The following cmdlet gets a list of valid settings for object types that start with "Server" and that contain "LicenseServer" in the property name.

Get-XALegacySettingName *LicenseServer* -ObjectType Server*
Get-XAMigrationObjectCount
Outputs counts of objects in the legacy and new farms. Use the -ImportOnly option to generate the differences from an existing snapshot.
Get-XAMigrationOption
Outputs the list of migration options (that is, the migration options previously specified with Set-XAMigrationOption cmdlets).
Get-XAServerMapping
Outputs the list of all server mappings (that is, the mappings previously specified with Add-XAServerMapping cmdlets).
Get-XASettingOverride
Outputs the list of setting overrides (that is, object property values previously specified with Add-XASettingOverride cmdlets).
Remove-XAServerMapping
Removes a server mapping (that is, a mapping previously specified with an Add-XAServerMapping cmdlet).
Remove-XASettingOverride
Removes a setting override (that is, an object property value previously specified with an Add-XASettingOverride cmdlet).
Set-XAMigrationOption
Sets migration options. You can specify the following options:

-RemoteServerName name
    Name of the server in the legacy farm from which objects will be exported. This value is used if you do not specify the -RemoteServerName option in the Start-XAMigration cmdlet. If you do not specify the -RemoteServerName option in the Start-XAMigration or Set-XAMigrationOption cmdlet, the migration ends.
-DataFolderPath path
    Path to the folder where exported data from the legacy farm is placed. If the folder does not exist, the Migration Tool will attempt to create it. If you do not specify this option, exported data is moved to the Data folder located under the Migration Tool installation files.
-ObjectType object-type
    Object type. This option is used with the -Include and -Exclude options, which specify object names. Valid values are: Administrator, Application, FarmConfiguration, Folder, LoadEvaluator, Policy, and ServerConfiguration.
-Include object-name
    Object names to include in the migration. This option is used with the -ObjectType option. Separate multiple object names with commas. You can use wildcards.
-Exclude object-name
    Object names to exclude from the migration. This option is used with the -ObjectType option. Separate multiple object names with commas. You can use wildcards.
-Enabled $false | $true
    Provides an alternative to using the -Exclude * option to exclude all objects specified with the -ObjectType option from the migration.

For example, the following cmdlet uses the -ObjectType and -Exclude options to exclude applications named "A1" and "A2" from the migration.

Set-XAMigrationOption -ObjectType Application -Exclude A1, A2

The following cmdlet uses the -ObjectType, -Include, and -Exclude options to include all applications with a name containing "Microsoft" except "Office."

Set-XAMigrationOption -ObjectType Application -Include *Microsoft* -Exclude *Office*

The following cmdlet uses the -ObjectType and -Enabled options to disable migration of all applications.

Set-XAMigrationOption -ObjectType Application -Enabled $false
Start-XAMigration
Launches the migration. You can specify the following options:

-RemoteServerName name
    Name of the server in the legacy farm from which objects will be exported. If you do not specify this option, but you specified a -RemoteServerName option in the Set-XAMigrationOption cmdlet, that name is used. If you do not specify the -RemoteServerName option in the Start-XAMigration or Set-XAMigrationOption cmdlet, the migration ends.
-PendingReportOnly
    Generates records that indicate which objects will be migrated and which values will be changed, but does not actually perform the migration. This option provides more detail than the standard PowerShell -WhatIf option.
-ExportOnly
    Exports objects from the legacy farm to a file, but does not import them to the new farm. This option is generally used only when MFCOM cannot be used between the legacy farm and the new farm. In this case, use a Start-XAMigration -ExportOnly cmdlet on a server in the legacy farm.
-ImportOnly
    Imports objects to the new farm. This option is generally used only when MFCOM cannot be used between the legacy farm and the new farm. In this case, use a Start-XAMigration -ExportOnly cmdlet on a server in the legacy farm, collecting exported information in a file. Then, use a Start-XAMigration -ImportOnly cmdlet on a server in the new farm to import the objects, using the exported information.
148
Advanced Cmdlets
Using the Migration Tool on Separate Servers (Indirect Migration)
Citrix recommends performing the migration entirely from a server in the new farm (a direct migration). However, if you cannot use MFCOM to communicate between the legacy farm and the new farm, perhaps because the two farms are in different domains that do not have a trust relationship, you can perform an indirect migration. In this case, you must also install the XenApp 6 Migration Tool on a server in the legacy farm, in addition to installing it on a server in the new farm.

For an indirect migration, after you install the XenApp 6 Migration Tool on a server in the new farm:

1 On a server in the legacy farm:
  a Install the required software (.NET Framework 3.5 SP1, MSI 3.0, and PowerShell 2.0).
  b Download the XenApp 6 Migration Tool from My Citrix.
  c Install the XenApp 6 Migration Tool (32-bit or 64-bit version, depending on the legacy server operating system).
  d Build a file containing server mappings, migration options, and property value overrides, as described in Using the XenApp 6 Migration Tool Cmdlets.
  e Export settings using the Start-XAMigration cmdlet with the -ExportOnly option. The output is a series of XML files.
2 Copy the XML files to the server in the new farm, replacing the files on that server. This includes the file containing server mappings, migration options, and property value overrides.
3 From the new farm, issue a cmdlet to import the settings (using the Start-XAMigration cmdlet with the -ImportOnly option or using one of the advanced import cmdlets).
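The indirect migration above as an annotated pair of PowerShell sessions, added here as an example; it is not code from the Citrix documentation or from the Migration Tool. It uses only the cmdlets and options in the Cmdlet Reference. The legacy server name, the administrative share on the new-farm server (XA6-CTRL01), the local transfer folder and the executable paths are constructed placeholders; the default Data folder path is taken from the Requirements and Installation section.

```powershell
# Added example (not from the Citrix documentation): an indirect migration, used
# when MFCOM cannot connect the two farms. Part 1 runs on a legacy XenApp 5 server
# with the Migration Tool installed, Part 3 on a XenApp 6 server in the new farm.
# Names, paths and the share are constructed placeholders.

# ---- Part 1: on a server in the LEGACY farm ----
# Build the mappings/options/overrides file exactly as for a direct migration.
Add-XAServerMapping -ServerName 'LEGACY-OFFICE01' -WorkerGroupName 'OfficeApps'
Set-XAMigrationOption -RemoteServerName 'LEGACY-OFFICE01'
Add-XASettingOverride -PropertyName CommandLineExecutable -ObjectType Application `
    -Value 'C:\Program Files\Finance\Ledger.exe' `
    -MatchValue 'C:\Program Files (x86)\Finance\Ledger.exe'

# Export only: nothing is imported anywhere. The result is a set of XML files in
# the tool's data folder; with no -DataFolderPath set, that is the default Data
# folder under %LOCALAPPDATA%\Citrix\Citrix.XenApp.Migration (see Requirements).
Start-XAMigration -ExportOnly -Verbose
$exportDir = Join-Path $env:LOCALAPPDATA 'Citrix\Citrix.XenApp.Migration\Data'

# ---- Part 2: transfer ----
# The export describes the legacy farm's applications, policies and the
# administrator accounts it resolved, so move it only over an authenticated,
# access-controlled path. The share below is a constructed administrative share
# on the new-farm server that maps to D:\Transfer\XAMigration there.
Copy-Item -Path (Join-Path $exportDir '*.xml') -Destination '\\XA6-CTRL01\XAMigration$' -Force

# ---- Part 3: on a server in the NEW farm ----
# Put the copied XML files (migrationoptions.xml included) in this server's Data
# folder, replacing what is there, then import with the same review steps as a
# direct migration. Get-XAMigrationObjectCount -ImportOnly reports differences
# from the existing (imported) snapshot.
$dataDir = Join-Path $env:LOCALAPPDATA 'Citrix\Citrix.XenApp.Migration\Data'
Copy-Item -Path 'D:\Transfer\XAMigration\*.xml' -Destination $dataDir -Force
Start-XAMigration -ImportOnly -Confirm -Verbose
Get-XAMigrationObjectCount -ImportOnly
```

The export and import halves are run by different accounts on different servers, each of which needs only the privileges the Requirements section lists for its own farm (view-only administrator on the legacy side, full administrator on the new side). Delete the exported XML from the transfer location once the import has been verified, since it is a complete description of the migrated configuration.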
- Get-XALegacyAdministrator
- Get-XALegacyApplication
- Get-XALegacyFarmConfiguration
- Get-XALegacyFolder
- Get-XALegacyHmrTest
- Get-XALegacyLoadEvaluator
- Get-XALegacyPolicy
- Get-XALegacyPolicyConfiguration
- Get-XALegacyPolicyFilter
- Get-XALegacyServer
- Get-XALegacyServerConfiguration
- Get-XALegacySessionPrinter
- Convert-XALegacyObject
- New-XALegacyConnection
- Remove-XALegacyConnection

These advanced cmdlets include objects that cannot be migrated alone (for example, session printers that are inside a user policy, and HMR tests that are inside farm or server settings). This greater granularity may be helpful when troubleshooting migration, because these objects are more complex, with multiple sets of properties.
XenApp Administration
The administration of your Citrix XenApp environment consists of performing tasks in the console to administer servers, manage administrators, and publish resources. You can also administer and modify your environment through policy-based settings. Before you install Citrix XenApp, review the Readme for Citrix XenApp, installation, and administration topics.
Shadow Taskbar
Shadowing allows users to view and control other users' sessions remotely. Use the Shadow Taskbar to shadow sessions and to switch among multiple shadowed sessions. You can also shadow ICA sessions with the Access Management Console or Delivery Services Console.
To view zones
Zones can be viewed and configured in the console. For information on configuring zones, see To configure zones and back-up data collectors.

1 Depending on the version of XenApp you have installed, from the Start menu, select All Programs > Citrix > Management Consoles and choose Citrix Delivery Console.
2 In the left pane, expand the Zones node.
3 Under Zones, select a zone. The results pane displays the servers in the chosen zone.
- The farm for which you want to refresh the user data automatically
- The server for which you want to refresh the user data automatically
- The application for which you want to refresh the user data automatically

2 In the Actions pane or from the Other Tasks section (depending on the node that you selected), click Refresh user data and choose one of these options:

- Automatically refresh user data for servers. Selecting this option enables automatic refreshing of each server's configuration and connection information. After selection, the associated Refresh rate field becomes available.
- Automatically refresh user data for farms and server folders. Selecting this option enables automatic refreshing of the folder organization for farm and server. After selection, the associated Refresh rate field becomes available.
- Automatically refresh user data for applications. Selecting this option enables automatic refreshing of each published application's configuration and connection information. After selection, the associated Refresh rate field becomes available.

3 In the Refresh rate (seconds) box, select the number of seconds between each update (10, 30, 60, or 90).
- To change an administrator's privilege level, open the Privileges page
- To assign or update custom permissions, open the Permissions page
Note: If you change an administrator's OBDA permissions, he or she must manually rerun discovery.
Choose Copy the permissions of this administrator for this folder to its subfolders to copy newly configured permissions to all folders nested in the selected folder for the custom administrator. Choose Copy the permissions of all administrators for this folder to its subfolders to copy the newly configured permissions of each custom administrator who has access to the selected folder to the folders nested within it.

Note: If you change the permissions later in the top-level folder, the changes are not automatically copied to the nested folders. When you make changes to top-level folders, use either the Copy the permissions of this administrator for this folder to its subfolders or the Copy the permissions of all administrators for this folder to its subfolders function to copy the permissions again.
Publishing Resources
With XenApp, you provide users with access to information by publishing the following types of resources that can be virtualized on servers or desktops:
- Applications installed on servers running XenApp. When users access them, the published applications appear to be running locally on client devices.
- Streamed applications installed in application profiles and stored on a file server in your App Hub. Users access the profile and virtualize the applications on their client desktops. For information about preparing and publishing applications for streaming, see the topics for Application Streaming.
- Data files such as Web pages, documents, media files, spreadsheets, and URLs. In XenApp, the combined total of data types you publish is referred to as content.
- The server desktops, so users can access all of the resources available on the server. Note: Citrix recommends that server desktops be locked down to prevent user access to sensitive areas of the operating system.

Publish all of these resource types using the Publish Application wizard in the XenApp console. To further refine how your users launch and access published resources, refer to information about configuring content redirection and XenApp policies. Citrix recommends installing applications that interact with each other on the same group of servers (called a silo). If you have multiple application silos, Citrix recommends using separate organizational units, so they can be convenient targets for policies and worker groups. For more guidance about planning for applications and server loads, see the eDocs section about designing a XenApp deployment.

Important: Before you begin, refer to the system requirements for supported platforms and system prerequisites.
Use groups to categorize and assign permissions to large numbers of users. An application published to one group of 1,000 users requires XenApp to validate only one object for all 1,000 users. The same application published to 1,000 individual user accounts requires IMA to validate 1,000 objects. When adding users through the Citrix User Selector, if the Users container holds thousands of objects, add a list of names.
- Install applications as the Built-in Administrator
- Select an install for multiple users option in the installation wizard for the application, if the Setup for the application provides this option
- Install the application for all users from a command line

To install an application for all users, after enabling Remote Desktop Services, use these steps before installing the application:

1 Open a command prompt so that you are running it with Administrator privileges; for example, right-click the command prompt and select Run as Administrator.
2 Run the following command at a command prompt:

change user /install

3 From the command prompt, run the Setup executable for the application.
To publish a resource using the Publish Application wizard

icon for all new applications.

10 On the Publish immediately page, choose whether or not to make the published application immediately available to users.

- To prevent users from accessing the application until you manually enable it through application properties, select Disable application initially.

11 To view and select advanced options, check Configure advanced application settings now. Alternatively, modify the advanced settings using the application properties.

When you finish, published resources (unless disabled) are available for users.
Citrix supports App-V sequences on all operating systems supported by Microsoft App-V. Citrix Receiver Updater for Windows supports App-V clients 4.5 and 4.6. User devices must have the Citrix Offline Plug-in 6.x installed locally.
- Deliver the App-V client to users through Citrix Merchandising Server and Citrix Receiver Updater
- Publish App-V sequences for virtualizing on user devices if possible, otherwise virtualizing on XenApp servers

Users can then launch the App-V sequences on their desktops by clicking on the icons delivered through XenApp. Before you start, locate the following files and have them available:

- Microsoft Application Virtualization Desktop Client installer (setup.exe) from your Microsoft Desktop Optimization Pack (MDOP) installation media, to upload to the Merchandising Server.
- App-V Integration Kit from Citrix ( http://citrix.com/English/ss/downloads/details.asp?downloadId=2310183&productId=1689163&ntref=clie ). Save the unzipped contents locally:
  - Save the App Streaming To AppV Conduit folder on your App Hub (the server where you store your profiles). The folder contains a pre-created AppStreamingToAppVConduit.profile file, as well as the required support files for the profile. This single profile can be used to publish an unlimited number of App-V sequences.
  - Upload the App-V MetaData files and the App-V client's setup.exe file to the Merchandising Server to create an App-V client. Citrix provides these files to add the functionality to the client needed for Citrix Receiver Updater. These files include:
    - AppV_MetaData.xml
    - AppVReg.msi
    - AppVReg_MetaData.xml
  - Save the Streaming Conduit - source code folder locally. These files are not needed to publish your applications, but you can use them to modify the conduit, if needed. This folder contains the source code for the conduit.
To deliver the App-V client with the Citrix Merchandising Server and Citrix Receiver Updater
1 In the Merchandising Server Administrator Console, navigate to the Plug-in > Upload page.
2 To upload the App-V_Reg plug-in components:
  a For the Metadata File, click Browse to navigate to the unzipped location of AppVReg_MetaData.xml.
  b For the Plug-in File, click Browse to navigate to the unzipped location of AppVReg.msi.
  c Click Upload.
3 To upload the App-V client components:
  a For the Metadata File, click Browse to where you downloaded App-V_MetaData.xml.
  b For the Plug-in File, click Browse to navigate to the location of the Microsoft Application Virtualization Desktop Client installer, setup.exe.
  c Click Upload.
4 Configure a delivery to communicate with your App-V server. (For additional information on creating and scheduling deliveries, see the Merchandising Server documentation.)

An overview of the entire Plug-in upload and delivery process when using Merchandising Server 1.0 can be viewed at http://www.citrix.com/tv/#videos/773. If users have the Self-service Plug-in, they can add published App-V sequences as they normally add applications.
- Select Application.
- For application type, select the dual-mode option: Streamed if possible, otherwise accessed from a server.
- For the server application type, select the secondary delivery method, such as Installed application.

4 On the Location page:

- Browse to your App-V server where both the conduit utility and App-V sequence are located. The application to launch is AppStreamingToAppVConduit.
- Add the command-line parameters to locate the specific App-V sequence on your App-V server. For Command Line: Enter the full path to your Microsoft Application Virtualization Client executable, followed by the location of your App-V sequence, such as:

"C:\Program Files\Microsoft Application Virtualization Client\sfttray.exe" "\\appv\content\Off2k7\Microsoft Office PowerPoint 2007 12.0.6425.0000.osd"

5 On the Shortcut presentation page, manually select the icon from your icons directory (no icon by default), such as the icon for Microsoft PowerPoint.
6 Finish the publishing wizard as you normally do. For more information about the AppStreamingToAppVConduit utility, see http://support.citrix.com/article/CTX124860 in the Citrix Knowledge Center.
172
Citrix Receiver Updater informs them of Plug-in updates, and if they accept the App-V client, it installs silently in the background. If they use the Citrix Self-service Plug-in for the Receiver, they can subscribe to App-V sequences through that Plug-in.
Users launch applications as they normally do, and the conduit checks for the presence of the App-V client:
- If the App-V client is installed, the App-V sequence streams to the user device, where it runs in the App-V isolation environment.
- If the client is not installed (or the device does not support streaming for other reasons), the conduit triggers the Offline Plug-in to initiate a XenApp server session where the application executes and is presented to the user over a remote display protocol.
- Server desktop. Publishes the entire Windows desktop of a server in the farm. When the plug-in connects to the server, the user sees a desktop interface from which any application installed on that server can be started. After selecting this application type, you must specify the server that you want to publish. To publish a desktop, you must be running XenApp. If you are running the console on a computer that is not running XenApp, you cannot publish the local desktop.
- Content. Publishes nonexecutable information, such as media, Web pages, or documents. After selecting this application type, you must specify the URL (Uniform Resource Locator) or UNC (Uniform Naming Convention) path to the file you want to publish. Click Browse to view available content resources on your network.
- Application (selected by default). Publishes an application installed on one or more servers in the farm. Note that if you are running the console on a computer that is not a member of the farm, you cannot publish local applications. You need to indicate one of the following application types:
  - Accessed from a server. Grants users access to applications that run on a XenApp server and use shared server resources. If you choose this option, you must then enter the location of the executable file for the application and the XenApp server on which it will run. Choose this option as the application type unless you intend to stream your applications.
  - Streamed if possible, otherwise accessed from a server (also called dual mode streaming). Grants users access to a profiled application that streams from the file share to their user devices and launches locally from within an isolation environment. Alternatively, for user devices that do not support streamed applications (for example, if the offline plug-in is not installed), this setting allows the use of an ICA connection to access the application installed on or streamed from a XenApp server.
  - Streamed to client. Grants users access to a profiled application that streams from the file share to their user devices and launches locally from within an isolation environment. With this option, the application uses client resources instead of server resources. Users must have the offline plug-in installed and access the application using the online plug-in or a Web Interface site. If selected, user devices that do not support client-side application virtualization (such as when they use a non-Windows client) or do not have the offline plug-in installed locally cannot launch the application.
2 If you selected Accessed from a server or Streamed if possible, otherwise accessed from a server, you also need to select the Server application type. These are:
- Installed application. Enables users to launch an application installed on a XenApp server.
- Streamed to server. Grants users access to stream a profiled application from the file share to a XenApp server and launch it from XenApp through an ICA connection.
Note: For more information about client-side application virtualization through streaming, see the information for application streaming.
- Command-line. The full path of the application's executable file. Append the symbols %* (percent and star symbols enclosed in double quotation marks) to the end of the command-line to act as a placeholder for client-supplied application parameters. When a plug-in makes a connection request, the server replaces the symbol %* in the command-line with application parameters provided by the plug-in. If the path to the application's executable includes directory names with spaces, enclose the command line for the application in double quotation marks. Include a space between the closing quotation mark and the double quotation marks around the percent and star symbols. An example of the format to use with a path with spaces and a placeholder is:
  Important: Changing the command-line text removes all file type associations from the application. If you change the command-line text, modify the Content Redirection application property page to select the file types you want to associate with the application for client to server content redirection.
- Working directory. By default, this path is the same as the path in the Command line field. To run the application from a different directory, add an absolute path to this field.
- HTML Web site address (http://www.citrix.com)
- Document file on a Web server (https://www.citrix.com/press/pressrelease.doc)
- Directory on an FTP server (ftp://ftp.citrix.com/code)
- Document file on an FTP server (ftp://ftp.citrix.com/code/Readme.txt)
- UNC file path (file://myServer/myShare/myFile.asf) or (\\myServer\myShare\myFile.asf)
- UNC directory path (file://myServer/myShare) or (\\myServer\myShare)
If your environment includes published applications that use customized client-supplied parameters for purposes other than content redirection from client to server, these applications might not function correctly when command-line validation is enabled. To ensure client-supplied parameters are passed from client to server, disable command-line validation for these published applications. To disable command-line validation for selected published applications, from the Location page of the application properties, append the symbols %** (percent and two star symbols enclosed in double quotation marks) to the command-line parameter.
- Install the offline plug-in locally, where it runs in the background to enable application streaming.
- Install the latest version of the online plug-in locally.
- To stream to client devices across a network protected by a firewall, configure firewall policies to allow those applications access.
After all of these tasks are complete, publish the application as Streamed to client.
Remote applications only, or Dual mode streaming (streamed if possible, otherwise accessed from a server)
For information about managing application types on Web Interface sites, see Technologies > Web Interface. After you ensure all of these tasks are complete, publish the application as Streamed to a server.
- Accessed from a server. Users launch the application that runs on a XenApp server and uses shared server resources, or launch it from a Web browser using a Web Interface site you create. If you choose this option, you must then enter the location of the executable file for the application and the XenApp server on which it will run. This is the typical application type unless you intend to stream your applications to the client desktop. With this method, users access the applications using the online plug-in or Web plug-in. This method does not support desktop integration or offline access to applications. From the Server application type list, select the delivery method:
  - Streamed to server. The application in the profile is streamed from the App Hub to the XenApp server, where the offline plug-in is installed by default. The application displays on the user devices using the online plug-in or Web plug-in; the offline plug-in is not required on the user device. With this method, users access the applications using the online plug-in or Web plug-in. This method does not support desktop integration or offline access to applications.
- Streamed if possible, otherwise accessed from a server (called dual mode streaming). Grants users access to a profiled application that streams from the file share to their user devices and launches locally from within an isolation environment. Alternatively, user devices that do not support streamed applications (such as when they do not have the offline plug-in installed) instead use an ICA connection to access the application installed on or streamed from a XenApp server.
From the Server application type list, select the alternative delivery method for clients that do not support streaming to the user device:
- Streamed to server. The application in the profile is streamed from the App Hub to the XenApp server, where the offline plug-in is installed by default. The application displays on the user devices using the online plug-in or Web plug-in; the offline plug-in is not required on the user device. With this method, users access the applications using the online plug-in or Web plug-in. This method does not support desktop integration or offline access to applications.
- Streamed to client. With this method, you make available the full set of application streaming features. When you stream applications directly to client desktops, some of the application files are cached locally and the application runs locally from within an isolation environment using the resources of the user device.
  - Users must have both the offline plug-in and online plug-in installed locally. With this delivery method, you can configure the application and users for offline access. When this configuration is completed, the entire application is fully cached on the user device. Users can disconnect from the network and continue using the application for the time specified in the offline license.
  - User devices that do not support client-side application virtualization (such as when they use a non-Windows client) or do not have the offline plug-in installed locally cannot launch the application.
Note: You can also force a delivery method for applications published as "Streamed to client" based on filters. To do this, configure the Load Balancing policy setting (located in the Delivery Services Console) for Streamed App Delivery. The policy setting overrides the selection in the publishing wizard.
- Allow applications to stream to the client or run on a Terminal Server (default setting).
- Force applications to stream to the client. User devices always stream the application from the App Hub to the user devices. Users must have the offline plug-in installed and access the application using the online plug-in or a Web Interface site. For example, you might use this setting to prevent the use of server resources. User devices without the offline plug-in and either the online or Web plug-in cannot launch the application.
- Do not allow applications to stream to the client. Users always launch streamed applications from the server. For example, you might use this option to prevent applications from streaming to specific clients. In addition:
  - If you publish a streaming application with Streamed if possible, otherwise accessed from a server (dual mode streaming), users always launch the application from the server using the alternative method you selected.
  - If you publish an application as Streamed to client (without dual mode), the connection fails.
This table describes the default delivery of each application type and the results of setting the policy. The policy setting overrides the delivery protocol for applications that are published as streamed to client.

| Application type | Default delivery |
| --- | --- |
| Streamed to client | Citrix offline plug-in streams application to desktop. |
| Accessed from a server: Installed application | Citrix online plug-in virtualizes the application installed on XenApp (not streamed). |
| Accessed from a server: Streamed to server | Offline plug-in streams application from file share to XenApp and any online plug-in virtualizes the application from XenApp. |
| Streamed if possible; otherwise accessed from a server (dual mode): Installed application | Dual mode: Offline plug-in streams application to desktop. Otherwise, the online plug-in connects to the application installed on server (not streamed). |
| Streamed if possible; otherwise accessed from a server (dual mode): Streamed to server | Dual mode: Offline plug-in streams application to desktop. Otherwise, offline plug-in streams application to the server. |

Result of setting the policy: Connection fails. Policy does not apply. Connection works. Policy does not apply.
For 32-bit systems: HKEY_LOCAL_MACHINE\Software\Citrix\Rade\AllowUnsecuredHttpAuth
For 64-bit systems: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\Rade\AllowUnsecuredHttpAuth
Type: REG_DWORD
Value: 1
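As its name states, a value of 1 in this key allows the streaming client to authenticate over unsecured HTTP, so it is worth knowing where it has been set. The following PowerShell function is an added example, not part of the Citrix documentation: it reads both registry locations listed above on each server through the remote registry and reports the result; the server names are constructed placeholders.

```powershell
# Added example (not from the Citrix documentation): report the AllowUnsecuredHttpAuth value on
# a list of XenApp servers by reading both registry locations named above over the remote
# registry. Server names are constructed placeholders. Requires administrative rights and the
# Remote Registry service on the target servers.
function Get-RadeUnsecuredHttpAuthSetting {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $ComputerName
    )
    # Native view (32-bit systems) and the Wow6432Node view (64-bit systems), as listed above.
    $subKeys = @('SOFTWARE\Citrix\Rade', 'SOFTWARE\Wow6432Node\Citrix\Rade')

    foreach ($server in $ComputerName) {
        try {
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $server)
        } catch {
            New-Object PSObject -Property @{
                Server = $server; KeyPath = $null; Value = $null
                Status = "Unreachable: $($_.Exception.Message)"
            }
            continue
        }
        foreach ($subKey in $subKeys) {
            $key = $hive.OpenSubKey($subKey)
            if ($null -eq $key) { continue }   # Rade key absent in this registry view
            $value = $key.GetValue('AllowUnsecuredHttpAuth')
            if ($null -eq $value) { $status = 'Not set' }
            elseif ([int]$value -eq 1) { $status = 'Unsecured HTTP authentication allowed - review' }
            else { $status = 'Present but not 1' }
            New-Object PSObject -Property @{
                Server = $server; KeyPath = "HKLM\$subKey"; Value = $value; Status = $status
            }
            $key.Close()
        }
        $hive.Close()
    }
}

# Constructed server names; replace with the servers in your farm.
Get-RadeUnsecuredHttpAuthSetting -ComputerName 'xenapp01', 'xenapp02' |
    Format-Table Server, KeyPath, Value, Status -AutoSize
```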
In the following example, the XenApp server, Web server, and file server are located on the same physical server. This is not a requirement.
To configure the Web server:
1 Create a file share, if one does not already exist. For example:
  Web server name: WebServer
  Physical location on Web server: c:\webProfiles
  The share name: webProfiles
  An administrator must share this folder with the everyone group assigned READ access and the administrators group assigned WRITE access at both the share level and NTFS level.
  UNC path: \\WebServer\webProfiles
2 On the Web site hosting the profile, add the following MIME type information:
  - Set "Execute Permissions" to NONE. You can set this information for the Web site hosting the profiles or for a specific folder in the virtual directory that holds the profiles.
3 In addition, if the profile includes pre-launch or post-exit scripts, also add the following MIME type information for the file extension of each script, such as .bat or .com: Extension: <file extension>, and MIME type: application/octet-stream
4 In the directory hosting the profiles:
  a Open Properties and select the Directory tab.
  b In the Configuration area, keep one application file extension (it doesn't matter which one you keep) and remove all the rest of the file extensions.
  c Create a placeholder extension for application mapping; for example, ".testcitrix," which should not occur in the profile.
  d Copy the settings from the file extension that remains (Step 4b) to the placeholder extension.
  e Delete the file extension that remained in Step 4b, leaving only the placeholder extension from Step 4c.
5 Create a virtual Web site that points to the file share using the UNC path. For best results, do not use spaces in the URL. For example: HTTP (or HTTPS) path of virtual directory: http://WebServer.domain.com/webProfiles
6 Turn on Directory Browsing on the virtual Web site. Now you can test the configuration; continuing the example, browse to http://WebServer.domain.com/webProfiles/myApplication/myApplication.profile. If the Web server is configured correctly, the .profile file opens looking like an XML file (not an error message). For HTTP, you have now completed the configuration of the Web server.
7 For HTTPS, additional binding configuration of the Web server is required. See the additional steps following this procedure, based on your operating system.
8 In the XenApp console, publish the application as Streamed to client, Streamed to server, or Streamed if possible, otherwise accessed from a server and continue in the wizard.
9 On the Location page, enter the full URL path (starting with HTTP or HTTPS) to the profile (browsing to an HTTP location is not supported at this time). Use a fully qualified domain name, not a relative domain name.
10 Click in the field titled Application to launch from the Citrix streaming application profile to select the application.
11 Finish the remaining pages of the wizard. The application is ready to stream to the client device using the HTTP delivery method.
To stream from an HTTPS address from Windows Server 2008, additional configuration is required on the Web server. An appropriate Web Server Certificate must already be installed:
1 From IIS, edit the Bindings for the Web Site.
2 In the Site Bindings dialog, click Add.
3 Under Type, choose https.
4 For SSL certificate, choose the installed Web Server Certificate.
5 Using the previous example, browse to https://WebServer/webProfiles on the Web server, which must be a member of the domain and have the root certificate installed.
To stream from an HTTPS address from Windows Server 2003, install a Web Server Certificate from a domain certificate authority:
1 From IIS, open Properties for the virtual Web site.
2 Click the Directory Security tab.
3 Under Server Communications, click Server Certificate.
4 Complete the Web Server Certificate wizard, and using the previous example, browse to https://WebServer/webProfiles on the Web server, which must be a member of the domain and have the root certificate installed.
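The Web server side of the HTTP/HTTPS procedure above, scripted for IIS 7 on Windows Server 2008 R2 as an added example (it is not part of the Citrix documentation). It uses the documentation's example names and assumes the site is "Default Web Site", that the file extensions to register are supplied by the caller (the documentation's own MIME list is not reproduced on this page), and that for HTTPS you replace the certificate thumbprint placeholder; the IIS 6 application-mapping step (step 4) is not scripted.

```powershell
# Added example (not from the Citrix documentation): scripts the Web server part of the HTTP/HTTPS
# procedure above for IIS 7 on Windows Server 2008 R2, using the documentation's example names.
# Assumptions: the site is "Default Web Site"; the extensions to register are supplied by the
# caller; the certificate thumbprint is a placeholder; run from an elevated PowerShell prompt.
param(
    [string]   $ShareName      = 'webProfiles',
    [string]   $SharePath      = 'C:\webProfiles',
    [string]   $WebServer      = 'WebServer',
    [string]   $SiteName       = 'Default Web Site',
    [string[]] $Extensions     = @('.profile', '.bat', '.com'),   # .profile plus the script extensions named above
    [string]   $CertThumbprint = ''                               # leave empty for HTTP only
)

$appcmd     = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$vdirConfig = "$SiteName/$ShareName"     # appcmd configuration path of the virtual directory

# Step 1: share with Everyone READ and Administrators WRITE (Modify) at both share and NTFS level.
# Read-only access for Everyone keeps unprivileged users from altering the profiles clients will run.
if (-not (Test-Path $SharePath)) { New-Item -ItemType Directory -Path $SharePath | Out-Null }
net share "$ShareName=$SharePath" '/GRANT:Everyone,READ' '/GRANT:Administrators,CHANGE'
icacls $SharePath /grant 'Everyone:(OI)(CI)R' /grant 'BUILTIN\Administrators:(OI)(CI)M'

# Step 5: virtual directory that points at the share by UNC path (no spaces in the URL).
& $appcmd add vdir "/app.name:$SiteName/" "/path:/$ShareName" "/physicalPath:\\$WebServer\$ShareName"

# Steps 2-3: serve profile files and any pre-launch/post-exit scripts as plain downloads.
foreach ($ext in $Extensions) {
    & $appcmd set config "$vdirConfig" /section:staticContent "/+[fileExtension='$ext',mimeType='application/octet-stream']"
}
# "Execute Permissions: NONE": Read only, so .bat/.com files inside a profile are never run by IIS.
& $appcmd set config "$vdirConfig" /section:handlers /accessPolicy:Read

# Step 6: directory browsing on the virtual directory.
& $appcmd set config "$vdirConfig" /section:directoryBrowse /enabled:true

# Step 7 (HTTPS only): add the https binding and attach the already installed Web Server Certificate.
if ($CertThumbprint) {
    & $appcmd set site "/site.name:$SiteName" "/+bindings.[protocol='https',bindingInformation='*:443:']"
    # The appid GUID is the well-known IIS application id used for sslcert bindings.
    netsh http add sslcert ipport=0.0.0.0:443 "certhash=$CertThumbprint" 'appid={4dc3e181-e14b-4a21-b022-59fc669b0914}'
}

# Verification from the procedure: a correctly configured server returns the .profile as XML,
# not an error page. WebClient is used because it is available on PowerShell 2.0.
function Test-ProfileUrl {
    param([string] $Url)
    try {
        $body = (New-Object System.Net.WebClient).DownloadString($Url)
        return $body.TrimStart().StartsWith('<')
    } catch {
        Write-Warning "Request to $Url failed: $($_.Exception.Message)"
        return $false
    }
}

# domain.com and myApplication are the documentation's own example names.
$scheme = if ($CertThumbprint) { 'https' } else { 'http' }
Test-ProfileUrl "${scheme}://$($WebServer).domain.com/$($ShareName)/myApplication/myApplication.profile"
```

For the HTTPS check the server must trust the issuing root certificate, as the procedure notes; otherwise the download fails and the function returns $false.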
Step 1: Configure policy settings for offline access
Step 2: Install the online and offline plug-ins on user devices
Step 3: Publish the application for offline access
You can complete these steps in any order, but users cannot run applications in offline mode until all steps are completed.
- Offline app users (required). Create a list of users or groups who have offline access permission and add that list both when creating the policy for Offline app users and when publishing the application. Users or groups listed in the offline app users policy setting and who are also configured for the application have permission to run offline-enabled applications in online and offline mode. Users who are configured for the application, but who are not added to the policy list, can access the application online, but not offline. Users or groups on this list use an offline license to launch applications regardless of whether they are connected to the network or disconnected.
- Offline app license period (required). Specify the number of days applications can work offline before users have to renew the license (21 days by default, but can range from 2 to 365 days). For versions 1.0 through 5.1 of the plug-in, the license for each application in the profile is activated when the user launches the application the first time, for online or offline use. Beginning with version 5.2 of the plug-in, when the user launches an application in the profile for the first time, for online or offline use, the offline license is activated for all other applications in the profile as well. This occurs at the farm level. Thus, the offline license for all applications in the profile expires based on the date on which the first application was first launched, regardless of when the other applications are launched. To configure licenses, administrators can use the License Management Console or command-line tools. They must also ensure they have a sufficient number of licenses to support the total number of users with offline access permission. Users who run XenApp hosted applications can also stream applications to user devices without requiring a separate license. For general information, in the topics for Licensing Your Product, see Getting Started with Citrix Licensing. When users with offline access log on using the online plug-in, they automatically either check out an offline license or renew a license already checked out. If users stay logged on, licenses are renewed automatically each day. If the license is near its expiration date while a user is running the application in offline mode, a notice appears reminding the user to log on (that is, change to online mode). When the user logs on, the offline license is renewed automatically if a license is available. If the license expires and no license is available, the user cannot launch the application offline.
- Offline app client trust (optional). Use this setting to enable offline application clients that have disconnected to recreate sessions when reconnecting, without authenticating again.
- Offline app event logging (optional). Use this setting to enable logging of offline application events to the event log on the server.
Enable the application for offline access and select the caching preference. Create a list of users or groups who have offline access permission and add that list both when creating the policy for Offline app users and when publishing the application.
- HTTP (Hypertext Transfer Protocol)
- HTTPS (Secure Hypertext Transfer Protocol)
- RTSP (Real Player and QuickTime)
- RTSPU (Real Player and QuickTime)
- PNM (Legacy Real Player)
- MMS (Microsoft Media Format)
If content redirection from server to client is not working for some of the HTTPS links, verify that the user device has an appropriate certificate installed. If the appropriate certificate is not installed, the HTTP ping from the client device to the URL fails and the URL is redirected back to the server. For legacy plug-ins, content redirection from server to client requires Internet Explorer Version 5.5 with Service Pack 2 on systems running Windows 98 or higher.
When you configure content redirection from client to server, context menu commands available from within Windows Explorer function differently than on user devices that do not use this feature. For example, if you right-click a file in Windows Explorer on a user device with content redirection from client to server enabled for the file type, the Open command opens the file with the remote application on XenApp. For a streamed application, the file could be opened either on the user device or on the XenApp server, depending on the delivery configuration. Most commands on the Windows Explorer context menu are unaffected because they are not configured under keys modified by XenApp. Context menu items are generally defined by each application when installed.
- Rename, move, disable, and delete published applications
- Change, duplicate, import, and export published application settings
Only a Citrix administrator with full access to the Published Applications task can change published applications. Use the application properties to change settings for a published application, including the location of the published application, the servers on which the published application is available, and the user accounts allowed to access the published application. From the Action menu, select Application properties. Important: The resource type you publish (application, content, or server desktop) determines your path through the Publish Application wizard; consequently, the properties associated with the resource may vary.
Important: If a duplicate application name is found in the farm, a four-digit hexadecimal number is appended to the original string. If the character limit is reached and duplicated, the console replaces the end characters with four-digit hexadecimal numbers, starting from the right. The application name appears in the left pane of the Properties dialog box for an application.
The Servers list displays the servers that belong to the farm. Initially, all servers in the farm appear. Use a filter to display only servers running a particular operating system or Citrix version. Note: If you apply a filter (in the Select Servers dialog box), the filter settings remain in effect each time the Publish Application wizard is run until the filter is removed or changed.
Use the Import from file option to import an application server list file (*.asl). You export the server list of a previously published application and then import this settings file when creating a new published application.
If you modify your servers for a published application, some users may not be in a trusted domain for that server. If you receive an error message when trying to modify configured servers for a published application, duplicate the application and then modify the servers and users lists of the new application.
Configure streamed applications for offline access as you publish them or later in the Application Properties:
- As you publish applications in the Publish Applications wizard, click the Enable offline access check box on the Offline Access page.
- In Application Properties, select Basic > Streaming settings > Offline Access. Click the Enable offline access check box to enable the feature.
Tip: If, later, some operation in the application fails offline due to a missing component, it will fail while connected as well. The solution is to ensure that you package all the necessary components by thoroughly testing the profile.
The server fully caches applications enabled for offline access on user devices; the entire application is sent to user devices while the user is online so that the user can launch the application offline and have full functionality of the application. By default, applications are cached when a user logs on. Select when to cache the streamed application:
- Pre-cache application at login. Caches the application when the user logs on (selected by default). However, concurrent logons may slow network traffic.
- Cache application at launch time. Caches the application when users launch it. Use this option if the number of users logging on at the same time (and pre-caching their applications) could overload the network.
Pre-caching is also possible using third-party tools, such as Microsoft System Management Server (SMS) or Altiris. If you use a third-party caching method, ignore this setting because it is not used; that is, applications are not cached twice.
- Select Allow anonymous users to let all users log on anonymously and start the streamed application without specifying a user name, domain name, and password (selected by default). This selection disables the remaining options on the page.
- Select Allow only configured users to allow only configured users to start the application. For example, select this option for all streamed applications. Selecting this option enables the Select directory type drop-down list, which allows you to configure the users for this application. You can configure the list later in the application properties.
Note: Streamed applications do not support anonymous users. Additionally, if you enable the streamed application for offline access, these options are not shown.
2 Use the Select directory type drop-down box to select either Citrix User Selector or Operating System User Selector.
3 Click Add. If you selected Citrix User Selector, complete the following tasks in the Select Users or Groups dialog box:
- Select your account authority from the Look in drop-down list. The drop-down list contains all trusted account authorities configured on the servers in the farm. These include Novell Domain Services for Windows (NDSfW) domains, Windows NT domains, Active Directory domains, and local servers. (NDSfW domains appear only if previously configured.) When you select an account authority, the user accounts that are part of the selected authority appear in the window below the drop-down list. By default, only user groups appear.
- Select Show users to display all user names in the selected domain. This option displays every user in the selected domain. For NDS, alias objects also appear.
- The user accounts you select are listed in Configured users.
Tip: Instead of selecting names from the list, type them in a text box. To do this, click Add List of Names and use semicolons (;) to separate names.
If you selected Operating System User Selector, use the standard Windows dialog box to select your user or group. Note: This option has several limitations. You can browse only account authorities and select users and groups that are accessible from the computer running the console. In addition, you might initially select users and groups outside the trust intersection of the farm, which causes errors later. Other limitations include the inability to add NDS users and groups.
The list of user accounts is added to the Configured Accounts list. Changes take effect the next time the user launches the application.
- Ten-minute idle (no user activity) time-out
- Logoff from broken or timed-out connections
- The user cannot change the password (none is required)
When an anonymous user session ends, no user information is retained. The server does not maintain desktop settings, user-specific files, or other resources created or configured for the user device. Note: The anonymous user accounts that XenApp creates during installation do not require additional configuration. If you want to modify their properties, do so with the standard Windows user account management tools.
- Add to the client's Start menu. Creates a shortcut to this application in the user's local Start menu. A folder appears in the first pane of the Start menu in the location you select:
  - Place under Programs folder. This option creates a shortcut under the Programs folder of the local Start menu. If a folder structure is specified in the Start Menu Folder text box, the folder structure is created within the local Programs folder.
  - Start menu folder. The location of the shortcut within the Start menu (or Programs folder, if selected). For example, to have the application appear under a folder called Reports, enter Reports. For more than one level of folders, separate each folder name with a backslash; for example, Reports\HR\survey. If no folder structure is specified, the application is available from the top level of the Start menu.
- Add shortcut to the client's desktop. Creates a shortcut to this application on the user's local desktop.
Changes take effect after the user reconnects or refreshes the user device.
- Allow connections made through Access Gateway Advanced Edition (Version 4.0 or later). This is the default. Select the type of connections that allow the application to appear in the list of applications:
  - Any connection. Allows connections made through Access Gateway (Version 4.0 or later), regardless of filters. This is the default.
  - Any connection that meets any of the following filters. Allows connections made through Access Gateway (Version 4.0 or later) that meet one or more of the connection filters specified in the list. To Add or Edit a filter, click the respective button and enter the predefined Access Gateway farm name and filter.
- Allow all other connections. Allows all connections except those made through Access Gateway (Version 4.0 or later). This is the default.
Users who do not have the required software running on the user device cannot access the published application.
Content redirection from user device to server. Users running a Citrix plug-in open all files of an associated type with a specific published application and delivery method. For example, when users double-click an email attachment, the attachment opens in an application based on the file type and delivery method set for those users. Note: If you do not want specific users to launch published applications automatically when opening published content, do not assign published applications associated with file types to those users.
Content publishing. Users connecting through the Web Interface or using the online plug-in open published content with applications that are also published on the servers. For example, you publish a Microsoft Word document. When you also publish the Microsoft Word application, associate it with a list of file types (files with the .doc extension, for example), and assign it to a group of users, the published content opens in the Microsoft Word application published on the server.
File type association is a two-step process. For example, to associate Microsoft Word with the .doc file extension:

1 Publish a document of the Microsoft Word for Windows file type.
2 Publish the Microsoft Word application and associate it with the Microsoft Word for Windows file type.

When users double-click the document from the user device, it opens in the Microsoft Word application published on the server. Users connecting through the Web Interface or using the online plug-in can open published content with published applications.
1 Select one or more of the buttons to select the file types that you want the application to open when a user opens a file. Published applications can be associated with one or more file types.
2 To list all file types associated with the application, click Show all available file types for this application. Clear the check box to display only the selected file types. When changing the available file types for an application, select this check box to display the superset of file types available, not just those selected when initially publishing the application.
To associate published applications with file types

Note: When you associate a file type with a published application, several file extensions can be affected. For example, when you associate the Word document file type, file extensions in addition to .doc are associated with the published application.

This procedure applies when:

- You installed an application but have not yet published it.
- You plan to enable content redirection from user device to server or have users open published content using the application.
- The data store does not already contain the file type associations. If you updated the file types from the registries of other servers hosting the application, the data store already contains the associations.
If needed, update file types for the farm or for an individual server:

- In the console, select a farm in the left pane and from the Action menu, select Other Tasks > Update file types.
- Select a server in the left pane and from the Action menu, select Other Tasks > Update file types from registry.
Choose which file types are opened with a published application. When you publish an application, a list of available file types appears on the Content redirection page. This list is current only if the data store was updated with the file type associations for the application. Update the data store from the registries of several servers containing an application to associate a complete set of file types with the application. If you publish applications to be hosted on more than one server, be sure to update the file types on each server.
- Limit instances allowed to run in server farm, and then enter the numerical limit in Maximum instances
- Allow only one instance of application for each user
If Preferential Load Balancing is available in your XenApp edition, this setting (along with the session importance policy setting) determines the Resource Allotment associated with the session. The higher the Resource Allotment of the session, the higher the percentage of CPU cycles allotted to it. In the Application Importance list box, set the priority that is used with the Session Importance setting to determine the level of service for the session in the XenApp farm: High, Normal, and Low.
- The setting in Remote Desktop Server Configuration and/or the setting in the Citrix Connection Configuration Tool (Mfcfg.exe)
- The policy setting that applies to the connection
- The application setting (that is, the level you are setting in this dialog box)
- The Microsoft Group Policy
The encryption level you specify when publishing an application should match the encryption level you specified elsewhere. Any level you specify in the Remote Desktop Server Configuration tool or in connection policies cannot be higher than the application publishing setting; if the application's level is lower than a level set in Remote Desktop Server Configuration or a connection policy, that higher level overrides the application setting. In effect, the highest level configured in any of these places is the one a connection must satisfy.

If the Minimum requirement check box under the Encryption list box is selected, plug-ins can connect to the published application only if they communicate at the specified level of encryption or higher; a plug-in that does not meet the most restrictive configured level is rejected when it tries to connect to the application. With the check box selected, the plug-in's own setting is used for the session, but it must be at least as secure as the server setting or the connection is denied. After you set this encryption level on the server, any plug-in connecting to that server must connect at that level or higher.

If a plug-in is running on a 64-bit computer, only Basic encryption is supported. In that case, setting a level higher than Basic and selecting the Minimum requirement check box prevents those plug-ins from connecting.
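The precedence rules above, as an added example that is not Citrix code: the highest of the server-side settings is the level a connection must satisfy, and with Minimum requirement selected a plug-in offering less is refused. The level names and their weakest-to-strongest order in LEVELS are an assumption of the example (the page names only Basic and RC5); admission_matrix and its arguments are illustrative helpers, not XenApp APIs.

```python
"""Effective ICA encryption level and plug-in admission check (added example, not Citrix code)."""

# Assumed weakest-to-strongest order of the XenApp encryption levels.
LEVELS = ["Basic", "RC5 (40 bit)", "RC5 (56 bit)", "RC5 (128 bit)"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def _check(level):
    if level not in RANK:
        raise ValueError(f"unknown encryption level: {level!r}")
    return level


def effective_level(app_level, rds_level="Basic", policy_level="Basic"):
    """Highest of application setting, RDS host configuration and connection policy wins."""
    candidates = [_check(app_level), _check(rds_level), _check(policy_level)]
    return max(candidates, key=RANK.__getitem__)


def admit_plugin(plugin_level, app_level, rds_level="Basic", policy_level="Basic",
                 minimum_requirement=False, plugin_is_64bit=False):
    """Return (accepted, required_level, reason) for one plug-in connection attempt."""
    required = effective_level(app_level, rds_level, policy_level)
    offered = _check(plugin_level)
    if plugin_is_64bit and offered != "Basic":
        offered = "Basic"          # the page: 64-bit plug-ins support only Basic
    if not minimum_requirement:
        return True, required, f"minimum not enforced; plug-in offers {offered}"
    if RANK[offered] >= RANK[required]:
        return True, required, f"plug-in {offered} meets {required}"
    return False, required, f"plug-in {offered} is below the required {required}"


def admission_matrix(app_level, rds_level="Basic", policy_level="Basic",
                     minimum_requirement=True):
    """Which plug-in levels can connect under a given server-side configuration."""
    return {lvl: admit_plugin(lvl, app_level, rds_level, policy_level,
                              minimum_requirement)[0] for lvl in LEVELS}
```

Use admission_matrix before raising a level farm-wide: if a configuration blocks "Basic", every 64-bit plug-in in the estate is locked out as soon as Minimum requirement is selected.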
Select Client audio options:

- Enable legacy audio. Select this option to allow audio support for applications to which HDX MediaStream Multimedia Acceleration does not apply. Note: By default, audio is disabled on the user device. To allow users to listen to audio in sessions, turn on audio or give the users permission to turn it on themselves in the plug-in interface they are using, such as Citrix XenApp.
- Minimum requirement. Select this option to allow plug-ins to connect to the published application only if they have audio support. This check box under the Client audio list box applies only to the legacy audio setting, not to HDX MediaStream Multimedia Acceleration.

In the Connection encryption section, select one or more of the following options:

- Select Enable SSL and TLS protocols to request that plug-ins connecting to the published application use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols. This option only asks the plug-in for SSL/TLS; the TLS-capable endpoint the plug-in connects to (typically the Citrix SSL Relay or Secure Gateway) is configured separately.
- Select Encryption to apply the RC5 encryption level for the connection.

In the Printing section, select or clear Start this application without waiting for printers to be created. Selecting this option can allow the plug-in to connect faster. However, if you select it, the printers may take a few seconds to be created; do not select this option for applications that print immediately after being launched.
To set the default window size, select the Session window size. Specify window size as a standard resolution, custom resolution, percentage of the screen, or full screen. To set the color depth for the application, select the Maximum color quality. The available options are Better appearance (32-bit), Better speed (16-bit), or 256-color (8-bit). To hide the application title bar and maximize the application at startup, change the setting in the Application Startup Settings.
To publish an application without making it available to users, use one of the following:

- In the Publish Application wizard, continue to the Publish immediately page and select the Disable application initially check box. When selected, the application is published, but users cannot access it until you enable it.
- In the console, select the application in the navigation pane, and from the Action menu, select Enable application or Disable application.
- In the console, select the application in the navigation pane, and from the Action menu, select Application properties, then select Name. On this page, select Disable application.

Note: If the Disable application initially option is selected and cannot be cleared, either the application requires configured users but none are specified, or the application is of a type that runs on a server (such as an installed application or streamed-to-server application) but no servers are specified.
- Entire Application. Exports the application and all the settings associated with the published application to an .app file. If you choose this option, you can export settings from multiple applications; select them from the left pane of the console before selecting the export task. Important: If application settings are exported as a batch, they must be imported as a batch.
- Server List Only. Exports only the list of configured servers for the application to an ASL file, including any per-server command-line overrides, if applicable. Then select an application and import the server list, replacing the existing server list. Alternatively, import this list of servers when publishing an application by clicking Import from file on the Servers page of the Publish Application wizard. Note: This task is available only for applications that have servers associated with them; it is therefore unavailable for published content or streamed-to-client applications. You can export the server list associated with one published application only.

Settings files are saved in XML format. The settings associated with your published application are saved to a settings file with one of the following extensions: APP, AUL, or ASL. By default the file name is the same as the application name. For example, if you export all the application settings of a published application called Notepad123, the default file name for the exported settings file is Notepad123.app.
If you selected a folder in Step 1 of this procedure and an APP file in Step 2, the new application appears under the folder you selected. If you selected a previously published application in Step 1 and either an ASL or AUL file in Step 2, click Yes to confirm that you want to overwrite existing settings. The imported ASL or AUL file updates the server settings or user settings of the application, respectively.
Note: If any of the servers or users that were exported for a published application cannot be imported, a warning message appears identifying the list of users or servers that could not be imported. You either proceed or cancel the import at that point. Cancelling the import cancels the entire import operation. This situation might occur if a server was removed from the farm after a published application was exported, if a user was removed from the domain, or if the administrator does not have proper permissions to publish the application on one or more of the servers that were exported.
Applications may fail to run in a multi-session environment, and need a virtual IP address, if:

- They use a hard-coded TCP port number, or
- They do both of the following:
  - Require a unique IP address or require a specified TCP port number

This feature also lets you configure applications that depend on communication with localhost (127.0.0.1 by default) to use a unique virtual loopback address in the localhost range (127.*). Consider virtual loopback for applications if:

- They use the Windows socket loopback (localhost) address (127.0.0.1), or
- They use a hard-coded TCP port number

If the application requires an IP address for identification purposes only, configure your server to use the client IP address.
In Microsoft Server Manager, expand Remote Desktop Services > RD Session Host Connections to enable the RD IP Virtualization feature and configure its settings. For details, refer to Microsoft help and documentation, including the Microsoft TechNet Web site.

Once the feature is enabled, at session start-up the server requests dynamically assigned IP addresses from the Dynamic Host Configuration Protocol (DHCP) server. Based on your Virtual IP policy and the settings you configure, RD IP Virtualization assigns IP addresses to remote desktop connections on a per-session or per-program basis. If you assign IP addresses for multiple programs, they share a per-session IP address. After an address is assigned to a session, the session uses the virtual address rather than the primary IP address of the system whenever the following calls are made:

bind, closesocket, connect, WSAConnect, WSAAccept, getpeername, getsockname, sendto, WSASendTo, WSASocketW, gethostbyaddr, getnameinfo, getaddrinfo

XenApp extends the Windows virtual IP feature by allowing the gethostbyname API to return the virtual IP address. In addition, XenApp adds virtual loopback to all APIs.

Note: All processes that require the XenApp feature must be added to the programs list for the Virtual IP policy that you enable. Child processes do not inherit this functionality automatically. Processes can be added with full paths or just the executable name. For security reasons, Citrix recommends that you use full paths: a bare executable name matches any process with that file name, wherever it was started from.
Binding Applications

Using the Microsoft IP virtualization feature within the Remote Desktop Session Host Configuration, applications are bound to specific IP addresses by inserting a filter component between the application and the Winsock function calls. The application then sees only the IP address it is supposed to use. Any attempt by the application to listen for TCP or UDP communications is bound to its allocated virtual IP address (or loopback address) automatically, and any outbound connections opened by the application originate from the IP address bound to the application.

In functions that return an address, such as GetHostByName() (controlled by a XenApp policy) and GetAddrInfo() (controlled by a Windows policy), if the local host IP address is requested, virtual IP inspects the returned IP address and changes it to the virtual IP address of the session. Applications that obtain the IP address of the local server through such name functions therefore see only the unique virtual IP address assigned to that session. This address is often used in subsequent socket calls (such as bind or connect).

Often an application binds to a port for listening on the address 0.0.0.0. When an application does this and uses a static port, you cannot launch more than one instance of the application. The virtual IP address feature also looks for 0.0.0.0 in these calls and changes the call to listen on the specific virtual IP address. This enables more than one application to listen on the same port on the same computer because they are all listening on different addresses. The call is changed only if it is made in an ICA session and the virtual IP address feature is turned on. For example, if two instances of an application running in different sessions both try to bind to all interfaces (0.0.0.0) and a specific port, such as 9000, they are bound to VIPAddress1:9000 and VIPAddress2:9000 and there is no conflict.
To use the virtual IP address feature, configure any processes that open the IP address of the server, 0.0.0.0, or 127.0.0.1. To verify that an application does not open the same IP address on a different port, launch an additional instance of the application.
Virtual IP enhanced compatibility. Use this setting if your application uses the GetHostByName API. When enabled, calls to GetHostByName within a session return the virtual IP address for the session (disabled by default). The setting applies only to the applications listed in the Virtual IP compatibility programs list.
Virtual IP compatibility programs list. Lists the applications that use the Virtual IP enhanced compatibility policy.
Virtual IP adapter address filtering. Use this setting if your application retrieves a large number of addresses, which slows performance. When enabled, the list of addresses returned by GetAdaptersAddresses includes only the session's virtual IP address and the loopback address, which can improve performance (disabled by default). The setting applies only to the applications listed in the Virtual IP filter adapter addresses programs list.
Virtual IP filter adapter addresses programs list. Lists the applications that use the Virtual IP adapter address filtering policy.
Virtual IP loopback support. Use this setting to allow each session to have its own virtual loopback address for communication (disabled by default). The feature is enabled only for the applications listed in the Virtual IP virtual loopback programs list. Virtual IP virtual loopback programs list. Lists the applications that use the Virtual IP loopback support policy.
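The address rewriting described in Binding Applications and the three XenApp policy settings above, as an added example that is not Citrix or Microsoft code. It models the filter component between an application and Winsock for two ICA sessions of the same program: 0.0.0.0 and the server's own address become the session's virtual IP, 127.0.0.1 becomes the virtual loopback, gethostbyname returns the virtual IP, and GetAdaptersAddresses is trimmed, each only for processes on the relevant programs list. It also shows why a bare executable name in a programs list is weaker than a full path. All session numbers, addresses and program paths are constructed, and no real sockets are opened.

```python
"""Model of the virtual IP filter layer between an application and Winsock.
Added example, not Citrix or Microsoft code; session numbers, addresses and program
paths are constructed, and no real sockets are opened.
"""
import ntpath

SERVER_PRIMARY_IP = "10.0.0.5"   # constructed: the RD Session Host's own address


class VirtualIpPolicy:
    """The three XenApp programs lists; entries are full paths or bare image names."""

    def __init__(self, enhanced_compat=(), loopback=(), adapter_filter=()):
        self.enhanced_compat = tuple(enhanced_compat)   # gethostbyname rewrite
        self.loopback = tuple(loopback)                 # virtual loopback
        self.adapter_filter = tuple(adapter_filter)     # GetAdaptersAddresses trimming

    @staticmethod
    def _matches(entry, exe_path):
        # A full path matches one image; a bare name matches any process with that
        # file name, wherever it was started from (hence Citrix's full-path advice).
        if "\\" in entry:
            return entry.lower() == exe_path.lower()
        return entry.lower() == ntpath.basename(exe_path).lower()

    def listed(self, programs, exe_path):
        return any(self._matches(entry, exe_path) for entry in programs)


class HookedProcess:
    """One process in an ICA session, seen through the filter component.
    `listeners` is the server-wide table of bound (address, port) pairs."""

    def __init__(self, listeners, policy, session_id, vip, vloop, exe_path, vip_enabled=True):
        self.listeners, self.policy = listeners, policy
        self.session_id, self.vip, self.vloop = session_id, vip, vloop
        self.exe_path, self.vip_enabled = exe_path, vip_enabled

    def spawn_child(self, exe_path):
        # Same session and VIP, but the programs lists are checked against the
        # child's own image: the XenApp hooks are not inherited.
        return HookedProcess(self.listeners, self.policy, self.session_id,
                             self.vip, self.vloop, exe_path, self.vip_enabled)

    def _rewrite(self, addr):
        if not self.vip_enabled:             # console session or feature off
            return addr
        if addr in ("0.0.0.0", SERVER_PRIMARY_IP):
            return self.vip
        if addr == "127.0.0.1" and self.policy.listed(self.policy.loopback, self.exe_path):
            return self.vloop
        return addr

    def bind(self, addr, port):
        """Hooked bind(): returns (success, address actually bound)."""
        addr = self._rewrite(addr)
        if (addr, port) in self.listeners:
            return False, addr               # address already in use
        self.listeners[(addr, port)] = f"session {self.session_id}"
        return True, addr

    def connect(self, addr, port):
        return self._rewrite(addr), port     # hooked connect(): (address, port) dialled

    def gethostbyname(self, name, resolver):
        """Virtual IP enhanced compatibility: the server's own address becomes the VIP."""
        result = resolver(name)
        if (self.vip_enabled and result == SERVER_PRIMARY_IP
                and self.policy.listed(self.policy.enhanced_compat, self.exe_path)):
            return self.vip
        return result

    def get_adapters_addresses(self, real_addresses):
        """Virtual IP adapter address filtering: only the VIP and loopback remain."""
        if self.vip_enabled and self.policy.listed(self.policy.adapter_filter, self.exe_path):
            return [self.vip, self.vloop]
        return list(real_addresses)


def demo():
    """Two sessions of one legacy application, each binding 0.0.0.0:9000."""
    app = r"C:\Apps\legacyapp.exe"
    policy = VirtualIpPolicy(enhanced_compat=[app], loopback=[app],
                             adapter_filter=["legacyapp.exe"])   # bare name, on purpose
    with_vip, without_vip = {}, {}
    s1 = HookedProcess(with_vip, policy, 1, "10.0.0.101", "127.0.0.2", app)
    s2 = HookedProcess(with_vip, policy, 2, "10.0.0.102", "127.0.0.3", app)
    p1 = HookedProcess(without_vip, policy, 1, "", "", app, vip_enabled=False)
    p2 = HookedProcess(without_vip, policy, 2, "", "", app, vip_enabled=False)
    return {
        "vip_binds": [s1.bind("0.0.0.0", 9000), s2.bind("0.0.0.0", 9000)],
        "plain_binds": [p1.bind("0.0.0.0", 9000), p2.bind("0.0.0.0", 9000)],
        "loopback": s1.connect("127.0.0.1", 5000),
        "child_loopback": s1.spawn_child(r"C:\Apps\helper.exe").connect("127.0.0.1", 5000),
        "hostname": s1.gethostbyname("rdsh01", lambda _name: SERVER_PRIMARY_IP),
        "adapters": s2.get_adapters_addresses([SERVER_PRIMARY_IP, "10.0.0.101", "127.0.0.1"]),
        "bare_name_hooks_impostor": policy.listed(policy.adapter_filter, r"C:\Temp\legacyapp.exe"),
        "full_path_does_not": policy.listed(policy.loopback, r"C:\Temp\legacyapp.exe"),
    }
```

The child helper spawned by the listed application keeps the session's virtual IP for bind but is not on the loopback list, so its connect to 127.0.0.1 is left alone; that is the "child processes do not inherit" rule, and it is the usual reason a multi-process application only half works until every image is listed. The last two entries show the practical difference between the two list formats: the bare name on the adapter-filter list hooks a copy of legacyapp.exe dropped in C:\Temp, the full path on the loopback list does not.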
To supply client IP addresses to published applications on a server

1 In the registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\VIP\, create the following value:
Name: UseClientIP
Type: REG_DWORD
Data: 1 (enable) or 0 (disable, which is the default)
2 Under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\VIP\, create the following value:
Name: HookProcessesClientIP
Type: REG_MULTI_SZ
Data: multiple executable names representing application processes that use client IP addresses
Note: On XenApp, 32-bit Edition, these entries are found in HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VIP\.
3 Close regedit and restart your server.
4 After making the prescribed registry modifications, add the application process to the programs list for the policy.

Do not configure the use of client IP addresses if:

- Plug-ins connect using network protocols other than TCP/IP
- Plug-ins reconnect to disconnected sessions from different client devices
- Sessions use a pass-through plug-in
- Configure farm settings such as Virtual IP, Health Monitoring and Recovery, and multimedia acceleration
- Control sound quality for client devices
- Allow users to access the Documents folder on their local client device
- Allow or prevent remote users from being able to save to their hard drives from a session
- Allow or prevent users from accessing the Windows clipboard
- Set a required encryption level for Citrix plug-ins
- Set the session importance level, which, along with the application importance level, determines resource allotment for Preferential Load Balancing

You can work with policies through the Group Policy Editor in Windows or the Delivery Services Console in XenApp. The console or tool you use depends on whether your network environment includes Microsoft Active Directory and whether you have the appropriate permissions to manage Group Policy Objects (GPOs).
Working with Citrix Policies

take precedence over the farm GPO.
1 Create and name the policy.
2 Configure policy settings.
3 Apply the policy to connections by adding filters.
4 Prioritize the policy.

In general, Citrix policies override similar settings configured for the entire server farm, for specific servers, or on the client. However, the highest encryption setting and the most restrictive shadowing setting always override other settings.
- Summary displays the settings and filters currently configured for the selected policy
- Settings displays by category the available and configured settings for the selected policy
- Filters displays the available and configured filters for the selected policy

- For searching policies, use the search tool near the list of Citrix policies
- For searching settings, use the search tool on the Settings tab
- For searching filters, use the search tool on the Filters tab

On the Settings or Filters tab, select Active Settings or Active Filters, respectively, to search only the settings or filters that have been added to the selected policy.
On the Settings tab, select a category such as Auto Client Reconnect or Bandwidth to search only the settings in that category.
To search the entire catalog of settings or filters, select All Settings or All Filters.
To create a policy

1 Depending on the console you use to manage Citrix policies:
- From the Delivery Services Console, select the Policies node in the left pane and then select the Computer or User tab.
- From the Group Policy Editor, select the Citrix Policies node in the left pane.
2 Click New. The New Policy wizard appears.
3 Enter the policy name and, optionally, a description. Consider naming the policy according to who or what it affects; for example, Accounting Department or Remote Users.
4 Choose the policy settings you want to configure.
5 Choose the filters you want to apply to the policy.
6 Leave the policy enabled, or clear the Enable this policy check box to disable it. Enabling the policy allows it to be applied immediately to users logging on to the farm. Disabling the policy prevents it from being applied. If you need to prioritize the policy or add settings at a later time, consider disabling the policy until you are ready to apply it to users.
- Allowed or Prohibited allows or prevents the action controlled by the setting.
- Enabled or Disabled turns the setting on or off. If you disable a setting, it is not enabled in lower-ranked policies.
For settings that are Allowed or Prohibited, the action controlled by the setting is either allowed or prevented. In some cases, users are allowed or prevented from managing the setting's action in the session. For example, if the Menu animation setting is set to Allowed, users can control menu animations in their client environment. In addition, some settings control the effectiveness of dependent settings. For example, the Client drive redirection setting controls whether or not users are allowed to access the drives on their devices. To allow users to access their network drives, both this setting and the Client network drives setting must be added to the policy. If the Client drive redirection setting is disabled, users cannot access their network drives even if the Client network drives setting is enabled. In general, Computer policy setting changes go into effect when the server reboots. User policy setting changes go into effect the next time the relevant users establish a connection. Policy setting changes can also take effect when XenApp re-evaluates policies at 90 minute intervals.
- Assign policies to groups rather than individual users. If you assign policies to groups, assignments are updated automatically when you add or remove users from the group.
- Do not enable conflicting or overlapping settings in Remote Desktop Session Host Configuration. In some cases, Remote Desktop Session Host Configuration provides similar functionality to Citrix policy settings. When possible, keep all settings consistent (enabled or disabled) for ease of troubleshooting.
- Disable unused policies. Policies with no settings added create unnecessary processing.
- Using the New Policy wizard, when creating a new policy
- Using the Settings tab of the Edit Policy dialog box, when modifying an existing policy
- Using the Settings tab of the AppCenter or Group Policy Editor (located beneath the policies list), when modifying an existing policy

Note: When you modify a policy using the Settings tab on the console, the changes you make are applied to the policy immediately after you configure the selected setting. However, when you modify a policy using the Edit Policy dialog box, changes you make are applied to the policy only after you click OK on the Edit Policy dialog box.

1 Select a setting you want to add to the policy and click Add. The Add Setting dialog box appears, displaying the setting's default value, if applicable. You can accept or change this value according to your policy requirements. If no default value is present, enter the appropriate value for your environment.
2 Click OK to add the setting to the policy. The configured setting appears on the Settings tab of the console in the Active Settings view.
Applying Policies
When you add a filter to a policy, the policy's settings are applied to connections according to specific criteria or rules. If no filter is added, the policy is applied to all connections. You can add as many filters as you want to a policy, based on a combination of criteria. The availability of certain filters depends on whether you are applying a Computer policy or a User policy. The following table lists the available filters:
Filter              Description
Access Control      Applies a policy based on the access control conditions through which a client is connecting.
Client IP Address   Applies a policy based on the IP address (IPv4 or IPv6) of the user device used to connect to the session.
Client Name         Applies a policy based on the name of the user device from which the session is connected.
User                Applies a policy based on the user or group membership of the user connecting to the session.
Worker Group        Applies a policy based on the worker group membership of the server hosting the session. Available for Computer policies and User policies.

When a user logs on, XenApp identifies the policies that match the filters for the connection. XenApp sorts the identified policies into priority order, compares multiple instances of any policy setting, and applies the policy setting according to the priority ranking of the policy. XenApp recalculates the policy every 90 minutes after the user logs on to the farm. Any policy setting that is disabled takes precedence over a lower-ranked setting that is enabled. Policy settings that are not configured are ignored.
Unfiltered Policies
By default, XenApp provides Unfiltered policies for Computer and User policy settings. The settings added to this policy apply to all connections. If you use Active Directory in your environment and use the Group Policy Editor to manage Citrix policies, settings you add to the Unfiltered policy are applied to all farm servers and connections that are within the scope of the Group Policy Objects (GPOs) that contain the policy. For example, the Sales OU contains a GPO called Sales-US that includes all members of the US sales team. The Sales-US GPO is configured with an Unfiltered policy that includes several user policy settings. When the US Sales manager logs on to the farm, the settings in the Unfiltered policy are automatically applied to the session because the user is a member of the Sales-US GPO. If you use the Delivery Services Console to manage Citrix policies, settings you add to the Unfiltered policy are applied to all servers and connections in the farm.
Filter Modes
A filter's mode determines whether or not the policy is applied only to connections that match all the filter criteria. If the mode is set to Allow (the default), the policy is applied only to connections that match the filter criteria. If the mode is set to Deny, the policy is applied if the connection does not match the filter criteria. The following examples illustrate how filter modes affect Citrix policies when multiple filters are present.
Policy 1 includes the following filters:

- Filter A is a User filter that specifies the Sales group and the mode is set to Allow.
- Filter B is a User filter that specifies the Sales manager's account and the mode is set to Deny.

Because the mode for Filter B is set to Deny, the policy is not applied when the Sales manager logs on to the farm, even though the user is a member of the Sales group.

Policy 2 includes the following filters:

- Filter C is a User filter that specifies the Sales group and the mode is set to Allow.
- Filter D is a Client IP Address filter that specifies 10.8.169.* (the corporate network) and the mode is set to Allow.

When the Sales manager logs on to the farm from the office, the policy is applied because the connection satisfies both filters.

Policy 3 includes the following filters:

- Filter E is a User filter that specifies the Sales group and the mode is set to Allow.
- Filter F is an Access Control filter that specifies Access Gateway connection conditions and the mode is set to Allow.

When the Sales manager logs on to the farm from the office, the policy is not applied because the connection does not satisfy Filter F.
To apply a policy

You must add at least one filter to a policy for that policy to be applied.

1 From the policy wizard, select the filter you want to apply and click Add.
2 From the New Filter dialog box, click Add to configure filter elements.
3 Select the mode for the filter.

The policy is applied the next time the relevant users establish a connection.
- Creating a policy only for those group members who need the exceptions and then ranking the policy higher than the policy for the entire group
- Using the Deny mode of a filter added to the policy
A filter with the mode set to Deny tells XenApp to apply the policy to connections that do not match the filter criteria. For example, a policy contains the following filters:

- Filter A is a Client IP address filter that specifies the range 208.77.88.* and the mode is set to Allow.
- Filter B is a User filter that specifies a particular user account and the mode is set to Deny.

The policy is applied to all users who log on to the farm with IP addresses in the range specified in Filter A. However, the policy is not applied to the user logging on to the farm with the user account specified in Filter B, even though that user's computer has an IP address in the range specified in Filter A.
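The filter and ranking rules from Applying Policies, Filter Modes and the Deny-mode exception above, as an added example that is not Citrix code. It evaluates Policy 1, 2 and 3 from the Filter Modes section against the Sales manager's office and home connections, then resolves a setting that a high-ranked Deny-mode policy prohibits off site while the Unfiltered policy allows it. Assumptions of the example: only the built-in Unfiltered policy applies without filters; Client IP Address filters use the page's dotted wildcard form (10.8.169.*) for IPv4 only; the special cases for encryption and shadowing are not modelled; users, groups, addresses and the Access Gateway farm and condition names are constructed.

```python
"""Citrix policy filter evaluation for one connection (added example, not Citrix code).
Assumptions: only the built-in Unfiltered policy applies without filters; Client IP
Address filters are dotted IPv4 wildcards; encryption and shadowing special cases are
not modelled. Users, groups, addresses and gateway names are constructed."""
from dataclasses import dataclass

ALLOW, DENY = "Allow", "Deny"


@dataclass
class Connection:
    user: str
    groups: frozenset = frozenset()
    client_ip: str = ""
    client_name: str = ""
    worker_group: str = ""
    access_conditions: frozenset = frozenset()   # (AG farm or vserver, condition)


def ip_matches(pattern, ip):
    pat, octets = pattern.split("."), ip.split(".")      # '10.8.169.*' style
    return len(pat) == 4 and len(octets) == 4 and all(
        p in ("*", o) for p, o in zip(pat, octets))


@dataclass
class Filter:
    kind: str        # User, Client IP Address, Client Name, Worker Group, Access Control
    value: object
    mode: str = ALLOW

    def matches(self, conn):
        if self.kind == "User":
            return self.value == conn.user or self.value in conn.groups
        if self.kind == "Client IP Address":
            return ip_matches(self.value, conn.client_ip)
        if self.kind == "Client Name":
            return self.value.lower() == conn.client_name.lower()
        if self.kind == "Worker Group":
            return self.value == conn.worker_group
        if self.kind == "Access Control":
            return tuple(self.value) in conn.access_conditions
        raise ValueError(f"unknown filter kind {self.kind!r}")

    def passes(self, conn):
        hit = self.matches(conn)                 # Allow: apply on match; Deny: on no match
        return hit if self.mode == ALLOW else not hit


@dataclass
class Policy:
    name: str
    priority: int    # 1 is the highest rank
    settings: dict   # setting name -> value; None means "not configured"
    filters: list
    enabled: bool = True
    unfiltered: bool = False

    def applies_to(self, conn):
        if not self.enabled:
            return False
        if not self.filters:
            return self.unfiltered               # a custom policy needs at least one filter
        return all(f.passes(conn) for f in self.filters)   # every filter must pass


def effective_settings(policies, conn):
    """Resolve each setting to (value, policy name); the highest-ranked configured value wins."""
    result = {}
    for pol in sorted(policies, key=lambda p: p.priority):
        if not pol.applies_to(conn):
            continue
        for name, value in pol.settings.items():
            if value is not None and name not in result:
                result[name] = (value, pol.name)
    return result


def demo_policies():
    """The page's three filter-mode examples plus a ranked clipboard pair."""
    sales = Filter("User", "Sales")
    return {
        "policy1": Policy("Policy 1", 10, {}, [sales, Filter("User", "salesmgr", DENY)]),
        "policy2": Policy("Policy 2", 11, {}, [sales, Filter("Client IP Address", "10.8.169.*")]),
        "policy3": Policy("Policy 3", 12, {}, [sales, Filter("Access Control", ("AG-Farm", "Remote"))]),
        "offsite": Policy("Block clipboard offsite", 1, {"Client clipboard redirection": "Prohibited"},
                          [Filter("Client IP Address", "10.8.169.*", DENY)]),
        "unfiltered": Policy("Unfiltered", 99, {"Client clipboard redirection": "Allowed",
                                                 "Menu animation": None}, [], unfiltered=True),
    }


def demo_connections():
    return {
        "mgr_office": Connection("salesmgr", frozenset({"Sales"}), "10.8.169.20"),
        "mgr_home": Connection("salesmgr", frozenset({"Sales"}), "203.0.113.9",
                               access_conditions=frozenset({("AG-Farm", "Remote")})),
        "rep_office": Connection("jdoe", frozenset({"Sales"}), "10.8.169.21"),
    }
```

Note that a Deny-mode filter is a negation of one filter, not of the whole policy: Policy 1 still applies to every other Sales member, and the "Block clipboard offsite" policy is skipped for office addresses precisely because its only filter is a Deny on the corporate range. Before relying on a Deny filter in production, run the Citrix Policy Modeling Wizard for the excepted account as well as for a normal member of the group.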
- Use the Citrix Policy Modeling Wizard to simulate a connection scenario and discern how Citrix policies might be applied
- Use Group Policy Results to produce a report describing the Citrix policies in effect for a given user and server

You can launch both tools from the Group Policy Management console in Windows. If your XenApp environment does not include Active Directory, you can launch the Citrix Group Policy Modeling Wizard from the Actions pane of the Delivery Services Console.
1 Depending on the console you use:
- From the Delivery Services Console, click the Policies node in the console tree and then click Run the modeling wizard from the Actions pane.
- From the Group Policy Management console, right-click the Citrix Group Policy Modeling node in the console tree and then select Citrix Group Policy Modeling Wizard.
2 Follow the wizard to select the domain controller, users, computers, environment settings, and Citrix filter criteria you want to use in the simulation.

When you click Finish, the wizard produces a report of the modeling results. In the Delivery Services Console, the report appears as a node in the console tree, underneath the Policies node. The Modeling Results tab in the middle pane displays the report, grouping effective Citrix policy settings under User Configuration and Computer Configuration headings.
- No policies have filters that match the policy evaluation criteria
- Policies that match the filter do not have any settings configured
- Policies that match the filter are disabled

If you want to apply policy settings to the connections that meet the specified criteria:

- Make sure the policies that you want to apply to those connections are enabled
- Make sure the policies that you want to apply have the appropriate settings configured
- Create one or more filters within Access Gateway. See the Access Gateway section of Citrix eDocs for more information about creating filters. Note: You must be using Access Gateway Advanced Edition (Version 4.0 or later) or Access Gateway Enterprise Edition (Version 9.1 or later) to create filters that work with XenApp.
- For published applications, select Allow connections made through Access Gateway Advanced Edition in the application properties.
- Ensure that your farm is configured to allow Access Gateway connections, which it is by default.
- Create a Computer policy within XenApp that has the Trust XML requests policy setting enabled. Because this setting makes the Citrix XML Service accept the user identity asserted in requests it receives, restrict network access to the XML Service port to the Web Interface and Access Gateway servers that need it.
- Create a User policy within XenApp that includes a filter referencing Access Gateway filters.
- If using Access Gateway Advanced Edition, enter the name of the Access Gateway farm.
- If using Access Gateway Enterprise Edition, enter the virtual server name of the Access Gateway appliance.
b In Access condition, enter one of the following items:
- If using Access Gateway Advanced Edition, enter the name of the Access Gateway filter for XenApp to use.
- If using Access Gateway Enterprise Edition, enter the name of the endpoint session policy for XenApp to use.

Important: XenApp does not validate Access Gateway farm, server, and filter names, so always verify this information with the Access Gateway administrator. A mistyped name is not reported: an Allow-mode filter with a wrong name simply never matches, and a Deny-mode filter with a wrong name applies the policy to every connection.

9 To apply the policy to every connection except those made through Access Gateway, in the Mode list box, select Deny. The filter's mode tells XenApp whether to apply the policy to connections that match the filter criteria. Selecting Deny tells XenApp to apply the policy to connections that do not match the filter criteria.
- The imaging device must be connected locally to the user device and have the associated vendor-supplied TWAIN driver installed locally.
- Citrix online plug-in 11.x or later or the Citrix offline plug-in.
- XenApp 32-bit and 64-bit servers support TWAIN redirection for 32-bit TWAIN applications only. XenApp does not support 16-bit TWAIN drivers.
- The Client TWAIN device redirection policy setting must be added to the appropriate policy. To configure image compression, add the TWAIN compression level setting and select the appropriate compression level.
The following table lists the TWAIN hardware and software tested with XenApp. While other TWAIN devices may work, only those listed are supported.

Hardware
- Canon CanoScan 3200F
- Canon CanoScan 8000F
- Canon CanoScan LiDE600F
- Fujitsu fi-6140
- HP ScanJet 8250

Software
- Microsoft Office Publisher 2007
- Microsoft Office Word 2007
- Clip Organizer
- Configure bandwidth limits for image transfers. You can add the TWAIN device redirection bandwidth limit or the TWAIN device redirection bandwidth limit percent settings to the policy and enter the appropriate values denoting the maximum bandwidth allowed for image transfers.

Some applications are not Remote Desktop Session Host aware and look for Twain32.dll in the \Windows directory of the user profile (by default, C:\Documents and Settings\UserName\Windows). Copying Twain32.dll into the \Windows directory of each user profile resolves this issue. You can also correct this by adding the application to the Remote Desktop Session Host application compatibility list with the following two flags specified:
- Do not substitute user Windows directory: 0x00000400

This feature supports the following modes of TWAIN information transfer:
- Native
- Buffered Memory (most scanning software works by default in Buffered Memory mode)
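The following PowerShell function is an added example, not code from the Citrix documentation. It assumes that the Remote Desktop Session Host application compatibility list is the standard Terminal Server compatibility key, with the application's executable name (without .exe) as a subkey and a REG_DWORD named Flags. It reads the existing Flags value, ORs in the flag quoted above (0x00000400), and writes the result back, so flags already set for the application are preserved rather than overwritten. The application name in the usage line is hypothetical.

```powershell
# Added example (not Citrix code). Assumption: the RDSH application
# compatibility list lives under the Terminal Server compatibility key,
# one subkey per executable name, with a REG_DWORD named Flags.
$CompatRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Compatibility\Applications'

# Flag value quoted in the documentation: do not substitute the user's Windows directory.
$FLAG_NO_SUBSTITUTE_USER_WINDOWS_DIR = 0x00000400

function Add-RdshCompatFlags {
    param(
        # Executable name without extension, e.g. 'scanapp' for scanapp.exe (hypothetical).
        [Parameter(Mandatory)][string]$ApplicationName,
        # Flags to OR into the existing value; defaults to the documented 0x400 flag.
        [int]$Flags = $FLAG_NO_SUBSTITUTE_USER_WINDOWS_DIR
    )
    $appKey = Join-Path $CompatRoot $ApplicationName
    if (-not (Test-Path $appKey)) {
        # Create the per-application subkey if this application is not yet listed.
        New-Item -Path $appKey -Force | Out-Null
    }

    # Read-modify-write: keep any bits another tool or administrator already set.
    $existing = (Get-ItemProperty -Path $appKey -Name Flags -ErrorAction SilentlyContinue).Flags
    if ($null -eq $existing) { $existing = 0 }
    $new = [int]$existing -bor $Flags

    Set-ItemProperty -Path $appKey -Name Flags -Value $new -Type DWord

    # Return before/after values so the change can be recorded in a change ticket.
    [pscustomobject]@{
        Application = $ApplicationName
        OldFlags    = ('0x{0:X8}' -f $existing)
        NewFlags    = ('0x{0:X8}' -f $new)
    }
}

# Usage (run as an administrator on the XenApp server; application name is hypothetical):
# Add-RdshCompatFlags -ApplicationName 'scanapp'
```

Because the function returns the old and new Flags values, the output can be kept as an audit record of what changed on the server. Only the single flag value the documentation quotes is built in; any other flag you need must be passed explicitly through -Flags.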
- Customizing user environments
- Controlling connections
- Monitoring, managing, and optimizing sessions
When a user initially connects to your farm and opens a published application, the server opens the application in a session. In XenApp, the term session refers to a particular instance of a user's activity on the server; sessions are the virtualization of the user's environment. Users access published applications in sessions after the client device establishes a connection with the server.
When a user logs on to the farm, the client device links to the server through a connection and establishes a session. This connection is known as the client connection. Users access published resources through client connections, inside of sessions. As an administrator, you can customize users' environments, including whether or not users can access mapped drives, such as the local client device's hard disk; whether they can access local special folders; the printers that are available; and the amount of bandwidth used for audio support. You can change these settings based on the location from which the users are connecting.
Managing Session Environments and Connections
XenApp provides settings to ensure sessions remain reliable. You can also monitor users' sessions, and their status, by shadowing.
- By suppressing the number of progress bars users see when they first open an application, so that XenApp appears to be an integrated part of their everyday environment.
- By either allowing or preventing users from accessing their local devices or ports during a session. You can also prevent users from accessing devices and ports during remote sessions.
- By defining whether or not users can hear audio or use microphones during sessions. If you enable audio support, you can specify the level of audio compression and limit bandwidth, if necessary. You can control audio either at the group level through policies or at the published application level.
- By ensuring that mobile workers, such as travelling salespeople or workers inside a hospital, always have the most appropriate printers and devices available to them inside of a session.

For the Citrix online plug-in, you can also customize the user's experience by choosing whether you want published applications and desktops to appear in a window within a Remote Desktop window or seamlessly. In seamless window mode, published applications and desktops appear in separate resizable windows, which makes the application appear to be installed locally. Certain features are available only in seamless mode. Some features that relate to session environments or connections, such as dual-monitor mode support and information about logons, are plug-in specific. Details about these features are located in the Citrix online plug-in and the Web Interface documentation.
- Administrative Templates > System > Remove Boot / Shutdown / Logon / Logoff status messages
- Administrative Templates > System > Verbose versus normal status messages
However, Active Directory group policies take precedence over equivalent local group policies on servers. Therefore, when you install XenApp on servers that belong to an Active Directory domain, those Active Directory policies may prevent XenApp from suppressing the status screens generated by the Windows operating systems of the individual servers. In that case, users see the status screens generated by the Windows operating system when connecting to that server. For optimal performance, do not configure these group policies in Active Directory.
- Access to local drives and ports
- Cut-and-paste data transfer between a session and the local clipboard
- Audio (system sounds and .wav files) playback from the session

During logon, the plug-in reports the available client drives and COM ports to the server. By default, client drives appear as network resources so the drives appear to be directly connected to the server. The client's drives are displayed with descriptive names so they are easy to locate among other network resources. These drives are used by Windows Explorer and other applications like any other network drive. In Citrix policies, redirection settings are used for mapping.
2 Find the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\picadm\Parameters\ExecuteFromMappedDrive
3 To grant users execute permission on mapped drives, set ExecuteFromMappedDrive to 1.
4 To deny users execute permission on mapped drives, set ExecuteFromMappedDrive to 0.
5 Restart the server.
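The steps above can be scripted so that the setting is auditable across a farm. The following PowerShell is an added example, not code from the Citrix documentation; it uses only the standard registry provider cmdlets and the key path given in the steps. Get-MappedDriveExecutePolicy reports whether execution from client-mapped drives is currently allowed, denied, or not configured (value absent), and Set-MappedDriveExecutePolicy writes the 0 or 1 value and reminds the operator that a restart is required.

```powershell
# Added example (not Citrix code): audit and set ExecuteFromMappedDrive,
# the value that controls whether users may run executables from
# client-mapped drives. Denying execution is the more restrictive posture,
# since allowing it lets anything on the user's own device be launched
# inside the session.
$PicadmKey = 'HKLM:\SYSTEM\CurrentControlSet\services\picadm\Parameters'

function Get-MappedDriveExecutePolicy {
    # Returns 'Allowed', 'Denied', or 'NotConfigured' when the value is absent.
    $item = Get-ItemProperty -Path $PicadmKey -Name 'ExecuteFromMappedDrive' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.ExecuteFromMappedDrive -eq 1) { return 'Allowed' }
    return 'Denied'
}

function Set-MappedDriveExecutePolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('Allow', 'Deny')][string]$Mode
    )
    if (-not (Test-Path $PicadmKey)) {
        throw "Key $PicadmKey not found; is this a XenApp server?"
    }
    # 1 grants execute permission on mapped drives, 0 denies it (steps 3 and 4).
    $value = if ($Mode -eq 'Allow') { 1 } else { 0 }
    $before = Get-MappedDriveExecutePolicy

    # Set-ItemProperty creates the value if it does not exist yet.
    Set-ItemProperty -Path $PicadmKey -Name 'ExecuteFromMappedDrive' -Value $value -Type DWord

    # Step 5: the change only takes effect after the server restarts.
    Write-Warning 'ExecuteFromMappedDrive changed; restart the server for the change to take effect.'

    [pscustomobject]@{
        Server = $env:COMPUTERNAME
        Before = $before
        After  = Get-MappedDriveExecutePolicy
    }
}

# Usage (run elevated on each XenApp server):
# Get-MappedDriveExecutePolicy
# Set-MappedDriveExecutePolicy -Mode Deny
```

Running Get-MappedDriveExecutePolicy against every server in the farm (for example through Invoke-Command) gives a quick inventory of which servers still permit executables to be launched from mapped client drives.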
Restrictions
- Do not enable Special Folder Redirection in situations when a user connects to the same session from multiple client devices simultaneously. For Special Folder Redirection to work, the user must log off from the session on the first client device and start a new session on the second client device. If users must run multiple sessions simultaneously, use roaming profiles or set a home folder for that user in the User Properties in Active Directory.
- Because Special Folder Redirection must interact with the client device, some settings prevent Special Folder Redirection from working. You cannot have policy settings that prevent users from accessing or saving to their local hard drives.
- Currently, for seamless and published desktops, Special Folder Redirection works only for the Documents folder. For seamless applications, Special Folder Redirection only works for the Desktop and Documents folders.
- Citrix does not recommend using Special Folder Redirection with published Windows Explorer.
- Special Folder Redirection requires access to the Documents and Desktop folders on the user's local computer. When a user launches an application through the Web Interface and uses File Security to select No Access in the File Security dialog box in Connection Center, access is denied to the user's local workstation drives, including the user's local Documents and Desktop folders. As a result, some applications might be unstable when trying to perform read/write operations to the denied folders. To avoid this, always grant full local access when Special Folder Redirection is enabled.

Caution: Special Folder Redirection does not redirect public folders on Windows Vista and Windows Server 2008. If users are connecting to servers that are not in their domain, instruct users not to save to public folders. If users save documents to public folders, they are saving them to a local folder on the server hosting the published application. In large environments where many servers host the same application, it could be difficult to determine which server contains the public folder where the user saved the document.
Displaying Local Special Folders in Sessions

If you want to...  then select...
- Enable Special Folder Redirection by default and let users turn it off in their session options: Provide Special Folder Redirection to all users, and Allow users to customize Special Folder Redirection
- Disable Special Folder Redirection by default, but let users turn it on in their session options: Allow users to customize Special Folder Redirection
- Enable Special Folder Redirection by default and prevent users from turning it on or off: Provide Special Folder Redirection to all users
- Audio properties you configure for individual published applications
- Audio-related policy settings you configure for specific connection types
- Audio settings the user configures on the user device
For example, you can use audio-related connection policy settings to control bandwidth usage and server CPU utilization. You can configure a policy setting to enable audio for connections where audio is essential, and configure another setting to disable audio for connections where it is not essential. Use policy settings to control the availability of speakers and microphones in sessions. Important: To use audio in sessions, users must also enable audio on the user device. When audio is enabled, you can also use policy settings to set compression levels and bandwidth allocation.
Audio redirection bandwidth limit. Specify the bandwidth available for audio in kilobits per second.
Audio redirection bandwidth limit percent. Limit the bandwidth available for audio to a percentage of the overall bandwidth available. If you configure this setting, you must enable the Overall session bandwidth limit setting.
Low - for low-speed connections. This causes any sounds sent to the client device to be compressed to a maximum of 16Kbps. This compression results in a significant decrease in the quality of the sound. The CPU requirements and benefits of this setting are similar to those of the Medium setting; however, the lower data rate allows reasonable performance for a low-bandwidth connection.
Medium - optimized for speech. This is recommended for most LAN-based connections. This setting causes any sounds sent to the client device to be compressed to a maximum of 64Kbps. This compression results in a moderate decrease in the quality of the sound played on the client device.
High - high definition audio. This is recommended for connections where bandwidth is plentiful and sound quality is important. This setting allows client devices to play a sound file at its native data rate. Sounds at the highest quality level require about 1.3Mbps of bandwidth to play clearly. Transmitting this amount of data can increase bandwidth requirements, and result in increased CPU utilization and network congestion.
Logging on. By default, Workspace Control enables users to reconnect automatically to all running applications when logging on, bypassing the need to reopen individual applications. Through Workspace Control, users can open disconnected applications plus applications active on another client device. Disconnecting from an application leaves the application running on the server. If you have roaming users who need to keep some applications running on one client device while they reconnect to a subset of their applications on another client device, you can configure the logon reconnection behavior to open only the applications that the user disconnected from previously.
Reconnecting. After logging on to the server farm, users can reconnect to all their applications at any time by clicking Reconnect. By default, Reconnect opens applications that are disconnected plus any applications currently running on another client device. You can configure Reconnect to open only those applications that the user disconnected from previously.
Logging off. For users opening applications through the Web Interface, you can configure the Log Off command to log the user off from the Web Interface and all active sessions together, or log off from the Web Interface only.
Disconnecting. Users can disconnect from all running applications at once without needing to disconnect from each application individually.

Workspace Control is enabled in the server farm by default and is available only for users accessing applications through the Web Interface or the Citrix online plug-in. User policies, client drive mappings, and printer configurations change appropriately when a user moves to a new client device. Policies and mappings are applied according to the client device where the user is currently logged on to the session. For example, if a health care worker logs off from a client device in the emergency room of a hospital and then logs on to a workstation in the hospital's X-ray laboratory, the policies, printer mappings, and client drive mappings appropriate for the session in the X-ray laboratory go into effect at the session startup.
Ensuring Session Continuity for Mobile Workers
You can customize what printers appear to users when they change locations as well as control whether they can print to local printers, how much bandwidth is consumed when users connect remotely, and other aspects of their printing experiences. For more information about enabling and configuring Workspace Control for users, see the Web Interface documentation.
Auto client reconnect. Enables or disables automatic reconnection by the same client after a connection has been interrupted.
Auto client reconnect authentication. Enables or disables the requirement for user authentication upon automatic reconnection.
Auto client reconnect logging. Enables or disables logging of reconnection events in the event log. Logging is disabled by default. When enabled, the server's System log captures information about successful and failed automatic reconnection events. Each server stores information about reconnection events in its own System log; the server farm does not provide a combined log of reconnection events for all servers.

Auto Client Reconnect incorporates an authentication mechanism based on encrypted user credentials. When a user initially logs on to a server farm, XenApp encrypts and stores the user credentials in memory, and creates and sends a cookie containing the encryption key to the plug-in. The plug-in submits the key to the server for reconnection. The server decrypts the credentials and submits them to Windows logon for authentication. When cookies expire, users must reauthenticate to reconnect to sessions. Cookies are not used if you enable the Auto client reconnect authentication setting. Instead, XenApp displays a dialog box to users requesting credentials when the plug-in attempts to reconnect automatically.
Note: For maximum protection of users' credentials and sessions, use SSL encryption for all communication between clients and the server farm.
Disable Auto Client Reconnect on the Citrix plug-in for Windows by using the icaclient.adm file. For more information about plug-in configuration, see the online plug-in documentation. Settings for connections also affect Auto Client Reconnect.
ICA keep alive timeout. Specifies the interval (1-3600 seconds) used to send ICA keep-alive messages. Do not configure this option if you want your network monitoring software to close inactive connections in environments where broken connections are so infrequent that allowing users to reconnect to sessions is not a concern. The 60-second default interval causes ICA Keep-Alive packets to be sent to client devices every 60 seconds. If a client device does not respond within 60 seconds, the status of the ICA session changes to disconnected.
ICA keep alives. Sends or prevents sending ICA keep-alive messages periodically.
To reset a session:
Caution: Resetting effectively deletes the session and results in loss of data for the user. Only reset a session when it malfunctions or is not responding.
1 Select the server to which the user is connected.
2 In the results pane, click the Sessions tab.
3 Select the session you want to reset. (You can select one or more sessions.)
4 In the Actions pane, select Reset.

To disconnect a session:
1 Select the server to which the user is connected.
2 In the results pane, click the Sessions tab.
3 Select the session you want to disconnect. (You can select one or more sessions.)
4 In the Actions pane, select Disconnect.

To log off from a session:
Caution: Ending user sessions using Logoff can result in loss of data if users do not close their applications first. Before initiating the logoff, send a message to warn users to exit all applications.
1 Select the server to which the user is connected.
2 In the results pane, click the Sessions tab.
3 Select the session you want to log off. (You can select one or more sessions.)
4 In the Actions pane, select Log off. Confirm the logoff when prompted.

To terminate processes in a user session:
Caution: Terminating a process may abruptly end a critical process and leave the server in an unusable state.
1 Select the server to which the user is connected.
2 In the results pane, click the Users tab and select the session for which you want to terminate a process.
3 In the lower portion of the results pane, click the Processes tab and select the process you want to terminate.
4 In the Actions pane, select Terminate.
To send a message to one or more users from the Delivery Services Console
Sending a message that appears in user sessions can be helpful in situations such as broadcasting information about new applications and upgrades, requesting a shadowing session, or warning of a logoff or system shutdown.
1 From the Delivery Services Console, select the server to which the users are connected. To send a message to all user sessions in the farm, select a farm node instead of a server.
2 In the results pane, click the Users tab and select one or more sessions.
3 In the Actions pane, select Send Message. The Send Message dialog box appears.
4 Edit the title of the message, if required, and enter the message text.
Session ID
Server: Server on which the application is running.
3 Select a session. Depending on the session you select:
- Tasks become available in the Actions pane; these can include Reset, Log off, Disconnect, and Send Message.
- The lower portion of the results pane displays tabs containing additional information: Information, Client Cache, Session Information, Client Modules, and Processes.
The client uses a license to log on to the server and start shadowing a user. The Shadow Taskbar shows sessions on the server or domain you logged on to. You can view servers in a different domain by logging on to an account in that domain and restarting the Shadow Taskbar. Each shadow session consumes memory on the server, so limit the number of simultaneous shadow sessions.
Each shadowed session is represented by a task button on the Shadow Taskbar. Use this button to switch quickly between the shadowing sessions you have open.
The Available Users list shows user sessions that can be selected for shadowing in the current domain. User sessions are organized by servers, published applications, and users. You can shadow only client user sessions. The Shadowed Users list shows user sessions selected for shadowing and existing shadow sessions; it also displays the user name of currently shadowed users next to the shadow icon.
2 In the Available Users list, select one or more users to shadow and click Add. The selected users move to the Shadowed Users list. Shadowing is initiated for all users in the Shadowed Users list when you click OK.
In a central file. Configuring this option records a limited number of logging events, such as when and who started a shadowing session and who is being shadowed. When you configure shadow logging through the Shadow Taskbar, the logged events are not recorded in the Windows Event log. Instead, they go to a file that you specify.
In the Windows Event log. Configuring this option logs several different event types in the Application log of the Windows Event log. These include user shadowing requests, such as when users stop shadowing, failure to launch shadowing, and access to shadowing denied. However, these events are logged as they occur and it can be cumbersome to see a shadowing history because the events are strewn throughout the Event log.

For ease of management, consider logging events in a central file. Only shadowing events go into this file, so they are more centralized and easier to review.
Note: Instruct users not to launch the Shadow taskbar in seamless mode. The Shadow taskbar cannot function in seamless mode.
Example: To create a user policy for user-to-user shadowing and assign it to users
This example demonstrates how to enable user-to-user shadowing by creating a policy for your Sales user group that allows them to shadow the department manager for online collaboration on sales leads. This procedure shows the creation of a shadowing policy.
1 Create a new policy named Sales Group Shadowing.
2 Add the Shadowing Citrix Computer policy setting and set it to Allowed.
Enabling User-to-User Shadowing with Policies
3 Because the Sales Manager may work with sensitive data, add the Notify user of pending shadow connections Citrix User policy setting and set it to Enabled. If the Sales Manager does not want other users to be able to take control of his mouse and keyboard, add the Input from shadow connections Citrix User policy setting and set it to Prohibited.
4 Add the Users who can shadow other users Citrix User policy setting, and select the users who can shadow the Sales Manager.
5 To specify users who cannot shadow the Sales Manager, add the Users who cannot shadow other users Citrix User policy setting, and select users.
6 Add the User filter and select the users who can receive shadowing requests.
XenApp policies
Policies let you define how you want clients to connect, including SSL or encryption requirements, and the properties for the users' environments after the connection is established. Citrix recommends using XenApp policies whenever possible to control connections. Connection settings defined through XenApp policies also supersede all other connection settings in your environment, including those specified at the operating system level and when you publish an application.
Application Publishing
You can define connection settings on a per-application basis when you are publishing a resource. Settings you can define include the maximum number of connections to an application, importance level of the application, maximum number of instances an application can run in the farm, types of connections that can access an application, audio properties, and encryption requirements.
Active Directory
Citrix provides a Group Policy Object (GPO) template, the icaclient.adm, that contains Citrix-specific rules for securing client connections. This GPO lets you configure rules for network routing, proxy servers, trusted server configuration, user routing, remote client devices, and the user experience. For more information, see the Citrix online plug-in documentation.
Any connections allows access to published applications through any connection.
Citrix Access Gateway, Citrix online plug-in, and Web Interface connections only allows access to published applications through the listed connections, including any version of Access Gateway. Denies access through any other connection.
Citrix Access Gateway connections only allows access to published applications only through Access Gateway Advanced Edition servers (Version 4.0 or later).
- Performance degradation and errors resulting from individual users who run more than one instance of a published application at the same time
- Denial-of-service attacks by malicious users who run multiple application instances that consume server resources and connection license counts
- Over-consumption of resources by non-critical activities such as Web browsing
Connection limits, including the option to log denials resulting from connection limits, are configured in Computer policy settings. (You cannot configure connection limits in the plug-ins.) There are two types of connection limits:
- Concurrent connections to the server farm - Restricts the number of simultaneous connections that each user in the server farm can establish. See Limiting Connections to a Server Farm.
- Published application instances - Restricts the total number of instances of a published application that can run in the server farm at one time, and prevents users from launching more than one instance of a published application. See Limiting Application Instances.
Limit user sessions. The maximum number of concurrent connections a user can establish, in the range 0-8192. A value of 0 indicates no connections.
Limits on administrator sessions. Enables or disables connection limit enforcement for Citrix administrators. Limiting connections for Citrix administrators can adversely affect their ability to shadow other users. Local administrators are exempt from the limit so they can establish as many connections as necessary.
To specify the maximum number of connections a user can make to the server farm at a given time
When this setting is used and the specified number is reached, the user cannot launch additional sessions, even if the server has availability.
1 Configure the Citrix User Policy Concurrent logon limit setting.
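To make the semantics of the two settings above concrete, here is an added PowerShell example (an illustrative model, not XenApp's own enforcement code) that applies the documented rules to a constructed list of existing sessions and decides whether a new logon would be permitted. It handles the three cases that are easy to get wrong: a limit of 0 means no connections (not unlimited), local administrators are always exempt, and Citrix administrators are exempt only while Limits on administrator sessions is disabled. The user and server names are constructed sample data.

```powershell
# Added example (illustrative model, not XenApp enforcement code): apply the
# documented "Limit user sessions" rules to decide whether a new logon for
# $User would be allowed given the sessions already in the farm.
function Test-ConcurrentLogonAllowed {
    param(
        [Parameter(Mandatory)][string]$User,
        # Existing sessions: objects with a .User property (constructed sample below).
        [Parameter(Mandatory)][object[]]$ExistingSessions,
        # Limit user sessions: 0-8192, where 0 means no connections at all.
        [ValidateRange(0, 8192)][int]$LimitUserSessions = 2,
        # Limits on administrator sessions: when $false, Citrix administrators are exempt.
        [bool]$LimitsOnAdministratorSessions = $true,
        [string[]]$CitrixAdministrators = @(),
        [string[]]$LocalAdministrators = @()
    )

    # Local administrators are exempt so they can always establish connections.
    if ($LocalAdministrators -contains $User) {
        return [pscustomobject]@{ User = $User; Allowed = $true; Reason = 'local administrator exempt' }
    }
    # Citrix administrators are exempt only while limit enforcement for them is disabled.
    if (-not $LimitsOnAdministratorSessions -and ($CitrixAdministrators -contains $User)) {
        return [pscustomobject]@{ User = $User; Allowed = $true; Reason = 'Citrix administrator exempt' }
    }
    # A limit of 0 is the most restrictive setting, not an "unlimited" sentinel.
    if ($LimitUserSessions -eq 0) {
        return [pscustomobject]@{ User = $User; Allowed = $false; Reason = 'limit is 0: no connections permitted' }
    }

    $current = @($ExistingSessions | Where-Object { $_.User -eq $User }).Count
    if ($current -ge $LimitUserSessions) {
        return [pscustomobject]@{ User = $User; Allowed = $false; Reason = "already has $current of $LimitUserSessions sessions" }
    }
    return [pscustomobject]@{ User = $User; Allowed = $true; Reason = "$current of $LimitUserSessions sessions in use" }
}

# Constructed sample data (not real farm output).
$sessions = @(
    [pscustomobject]@{ User = 'CORP\alice'; Server = 'XA01' },
    [pscustomobject]@{ User = 'CORP\alice'; Server = 'XA02' },
    [pscustomobject]@{ User = 'CORP\bob';   Server = 'XA01' }
)
$citrixAdmins = @('CORP\carol')

# alice is at her limit of 2; bob has room; carol is exempt because admin limits are off.
Test-ConcurrentLogonAllowed -User 'CORP\alice' -ExistingSessions $sessions -LimitUserSessions 2
Test-ConcurrentLogonAllowed -User 'CORP\bob'   -ExistingSessions $sessions -LimitUserSessions 2
Test-ConcurrentLogonAllowed -User 'CORP\carol' -ExistingSessions $sessions -LimitUserSessions 0 `
    -CitrixAdministrators $citrixAdmins -LimitsOnAdministratorSessions $false
```

The function returns a Reason string alongside the decision so the same logic can be used to explain, in a help-desk ticket or a log line, why a particular logon was refused under the configured limit.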
In seamless window mode, published applications and desktops are not contained within an ICA session window. Each published application and desktop appears in its own resizable window, as if it is physically installed on the client device. Users can switch between published applications and the local desktop. In non-seamless window mode, published applications and desktops are contained within an ICA session window. This creates the effect of the application appearing in two windows.
The mode that you choose typically depends on the type of client device that your users will be using and whether you are publishing a desktop or individual applications. Desktops are typically published in non-seamless window mode. This table provides examples of when you might want to publish desktops and applications.
If your users will be using...  then you...
- Local computers: might want to publish desktops or individual applications.
- Local computers with locally installed applications: might want to publish individual applications.
- Thin clients: must publish desktops.
- Kiosks: might want to publish desktops, which allows the user to have a more holistic experience and provides more control from a security perspective.

When a user launches a published application, the plug-in establishes a connection to a XenApp server and initiates a session. If session sharing is not configured, a new session is opened on the server each time a user opens an application. Likewise, every time a user opens a new application, a new client connection is created between the client device and the server. Session sharing is a mode in which more than one published application runs on a single connection. Session sharing occurs when a user has an open session and launches another application that is published on the same server; the result is that the two applications run in the same session. For session sharing to occur, both applications must be hosted on the same server. Session sharing is configured by default when you specify that applications appear in seamless window mode. If a user runs multiple applications with session sharing, the session counts as one connection. If you want to share sessions, ensure all applications are published with the same settings. Inconsistent results may occur when applications are configured for different requirements, such as encryption.
Note: Session sharing is not supported on PocketPC clients.

Sharing Sessions and Connections
Session sharing always takes precedence over load balancing. That is, if users launch an application that is published on the same server as an application they are already using but the server is at capacity, XenApp still opens the second application on the server. Load management does not transfer the user's request to another server where the second application is published.
Limit instances allowed to run in server farm. Enter the maximum number of instances that can run at one time in the server farm without regard to who launches the application. For example, if you enter 10 and a user tries to launch the application when 10 instances are running, the server denies the connection request and records the time and the name of the published application in the System log.
Allow only one instance of application for each user. Prevents any user from running more than one instance of this application at the same time.
- Maximum connections per user
- Application instance limits
- Application instances per user
To enable or disable logging of connection denial events, configure the Logging of logon limit events Citrix Computer policy setting.
Note: To reenable disabled logons, select Other Tasks > Enable logon.
HDX MediaStream Multimedia Acceleration. Allows you to control and optimize the way XenApp servers deliver streaming audio and video to users.
HDX MediaStream Flash. Allows you to control and optimize how XenApp servers deliver Adobe Flash animations to users.
HDX 3D Image Acceleration. Enables you to adjust the quality of photographic image files as they appear on client devices and the amount of bandwidth the files consume on their way from the server to the client.
HDX 3D Progressive Display. Allows you to improve interactivity when displaying high-detail images by temporarily increasing the level of compression (decreasing the quality) of the image when it is first transmitted over a limited bandwidth connection, providing a fast (but low quality) initial display. If the image is not immediately changed or overwritten by the application, it is then improved in the background to produce the normal quality image, as defined by the normal lossy compression level.
SpeedScreen Latency Reduction. Helps reduce a user's perception of latency when typing and clicking. It provides visual feedback for mouse clicks and Local Text Echo, a feature that accelerates the display of input text, effectively shielding the user from experiencing latency on the network.
HDX Broadcast Display. Provides control over settings that let you reserve bandwidth by limiting session-memory usage and discarding obsolete queued images on the client.
HDX Broadcast Browser. Provides control over whether or not the servers in your network will respond to broadcast messages sent from the Citrix online plug-in. You may reduce bandwidth consumption if you disable these options.
User Experience. Multimedia playback in sessions is much smoother.
Server CPU Utilization. The client device decompresses and renders multimedia content, freeing server CPU utilization.
Network Bandwidth. Multimedia content is passed over the network in compressed form, reducing bandwidth consumption.
Note: With HDX MediaStream Multimedia Acceleration enabled, RealOne Player's built-in volume and balance controls do not work within client sessions. Instead, users can adjust volume and balance from the volume controls available in the device notification area.

Without HDX MediaStream Multimedia Acceleration, the cumulative cost of several users playing multimedia content in sessions simultaneously is high, both in terms of server CPU utilization and network bandwidth consumption. When you play multimedia content in a session, the server decompresses and renders the multimedia file, which increases the server's CPU utilization. The server then sends the rendered output over the network in uncompressed form, which consumes more bandwidth than the same file requires in compressed form.

With HDX MediaStream Multimedia Acceleration, the server streams multimedia to the client in its original, compressed form. This reduces bandwidth consumption and leaves the media for the client device to decompress and render, thereby reducing server CPU utilization.

HDX MediaStream Multimedia Acceleration optimizes multimedia files that are encoded with codecs (compression algorithms) that adhere to Microsoft's DirectShow, DirectX Media Objects (DMO), and Media Foundation standards. DirectShow and Media Foundation are application programming interfaces (APIs) that allow, among other things, multimedia playback. To play back a given multimedia file, a codec compatible with the encoding format of the file must be present on the client device. Generally, if you can play back a given multimedia file locally on a given client device, you can play back the same file on the same client device within a session. Users can download a wide range of codecs, such as those supported by Windows Media Player or RealOne Player, from vendor Web sites.
Client devices running audio-visual applications on servers on which HDX MediaStream Multimedia Acceleration is enabled use a little more memory but far less bandwidth than when this feature is disabled. Compared to regular enterprise applications, audio-visual applications use only a little more memory or bandwidth.
Optimizing Audio and Video Playback To allow users to run multimedia applications in ICA sessions, turn on audio or give the users permission to turn on audio themselves in Citrix online plug-in. By default, all other plug-ins and methods are configured with audio enabled and optimized for speech sound quality. Other requirements for using HDX MediaStream Multimedia Acceleration are:
- Users must be running a Citrix online plug-in.
- The user device must have the same memory and processing speed as is needed for playing multimedia locally.
- The correct codec to decompress the media file type used (MPEG, for example) must reside on the user device. Windows devices have the most common codecs already installed. If you need additional codecs, you can download them from the Web sites of the manufacturers of media players.
Note: To make Windows Media Player 11 and Media Foundation components available on your XenApp server, install and configure the Microsoft Windows Server 2008 Desktop Experience in the Server Manager. Applications and media formats supported by HDX MediaStream Multimedia Acceleration are:
- Applications based on Microsoft's DirectShow, DirectX Media Objects (DMO), and Media Foundation filter technologies, such as Windows Media Player and RealPlayer. Applications like Internet Explorer and Microsoft Encarta are also supported, as they leverage Windows Media Player.
- Both file-based and streaming (URL-based) media formats: WAV, all variations of MPEG, unprotected Windows Media Video (WMV), and Windows Media Audio (WMA).
Note: HDX MediaStream Multimedia Acceleration does not support media files protected with Digital Rights Management (DRM). When the quality of media playing on a user device deteriorates, possible solutions are:
- If video appears as slowly changing slides while audio is intact, or audio becomes choppy, the cause is low bandwidth. Arrange for users to play media on a network where more bandwidth is available.
- If audio and video are not synchronized, generally only the video or only the audio is being played through HDX MediaStream Multimedia Acceleration. This can happen if a client device lacks a codec for either the video or the audio stream. Install the needed codec on the client, or use media content on the server for which clients have both codecs.
By default, HDX MediaStream Multimedia Acceleration is enabled at the server farm level.
HDX MediaStream Multimedia Acceleration. Enables or disables the feature.
HDX MediaStream Multimedia Acceleration default buffer size. Specifies the buffer size in seconds, in the range 1-10; requires enabling the HDX MediaStream Multimedia Acceleration default buffer size use option. You can see how much server memory the selected buffer can use by changing the buffer time.
HDX MediaStream Multimedia Acceleration default buffer size use. Enables or disables use of a buffer. When this option is enabled, specify the buffer size with the HDX MediaStream Multimedia Acceleration default buffer size option.
Optimize Adobe Flash animation options for all connections. Select this option to always reduce the amount of Flash data sent to users. The result is minimized CPU usage on the servers on which users are using Flash within Internet Explorer.
Optimize Adobe Flash animation options for low bandwidth connections only. Select this option to improve responsiveness when Flash content is sent to users on restricted bandwidth connections (under 150 Kbps). On restricted bandwidth connections, such as over a WAN, less data is downloaded and the quality of Flash content is lower. When bandwidth is not limited, for example on a LAN, users get higher quality Flash animation.
Do not optimize Adobe Flash animation options. Select this option if bandwidth is not limited.
2. To reduce bandwidth consumption and improve video playback and server scalability, configure the Citrix Computer policy setting for Queueing and tossing. Configuring this setting can cause animations to become choppy due to dropped frames.
[Lossy compression level table; only the endpoints survived extraction: None (image quality same as original) through the highest compression level.]
Choose None or Low compression for users who need to view images at original or near-original quality levels. If this policy setting is not configured, Medium compression is used for all connections, which gives slightly better performance due to slightly lower image quality.
To configure Image Acceleration without enabling Progressive Display, after configuring the policy setting for the lossy compression level, configure the Progressive compression level Citrix User policy setting with the None option.
- Click the icon at the bottom of the page and drag the pointer onto the window of an application. The application must be running when you select it.
- Click the Browse button and navigate to the application.
4. Specify whether Local Text Echo is enabled or disabled for the application by selecting or clearing the Enable local text echo for this application check box. For a definition of Local Text Echo, see Optimizing Keyboard and Mouse Responsiveness.
5. Specify whether the setting you selected in the previous step should be applied to all instances of the application on the server or just to the instance selected.
Test all aspects of an application with Local Text Echo in a non-production environment before enabling it, to ensure that the display is acceptable to users.

When you configure SpeedScreen Latency Reduction Manager on a particular server, the settings are saved in the ss3config folder in the Citrix installation directory of that server. You can propagate the settings to other servers by copying this folder and its contents to the same location on the other servers.

Note: If you plan to propagate SpeedScreen Latency Reduction Manager settings to other servers, select Apply settings to all installations of the selected application when configuring Local Text Echo through the wizard. Paths to published applications might differ from one server to another; applying the settings to all instances of the selected application ensures that they apply regardless of where the application is located on the destination server.
Enable local text echo as default for all applications on this server. Select this check box to enable Local Text Echo for all applications on the server.
Enable mouse click feedback as default for all applications on this server. Select this check box to enable Mouse Click Feedback for all applications on the server.
Latency threshold times for SpeedScreen (in milliseconds). Latency threshold times are used when the client device setting for SpeedScreen is set to Auto.
- High latency threshold. Specify a threshold value above which SpeedScreen options should be enabled.
- Low latency threshold. Specify a threshold value below which SpeedScreen options should be disabled.
For a definition of Local Text Echo and Mouse Click Feedback, see Optimizing Keyboard and Mouse Responsiveness.
Application Name. The application executable name appears here; for example, Excel.exe.
Path to Application. The path to the application executable appears here; for example, C:\Microsoft Office\Excel.exe.
4. If desired, configure application settings:
- Disable local text echo for this application. The current setting for Local Text Echo is displayed. Select the check box to disable Local Text Echo for this application; clear it to enable Local Text Echo.
- Limit local text echo for this application. The current Local Text Echo setting for the application appears. Select the check box to limit Local Text Echo functionality for this application, and select the type of text display you need from the drop-down list.
- Forces SpeedScreen to treat all input fields in the selected application in native mode. Select the check box to force SpeedScreen to treat every input field in the selected application in native mode.
The Configured Input Field List displays the list of configured input fields. SpeedScreen Latency Reduction uses a window hierarchy to identify the input fields that need special settings. The entries shown in the tree view are the window class names of the configured fields. For example, _WwG is the window class name of the main document window in Microsoft Word.
- Click New to run the Advanced Input Field Compatibility wizard to add a new input field. This wizard guides you through the process of configuring SpeedScreen Latency Reduction settings for an input field.
- Click Delete to delete the selected input field from the Configured Input Field List.
Enable local text echo for this input field enables Local Text Echo. If this check box is selected, you can apply further Local Text Echo settings to the selected field:
- Limit local text echo forces behavior in input fields in non-standard applications that may not behave correctly. Select one of the two available settings:
  - Display text in a floating bubble ensures text is echoed within a floating bubble.
  - Reduce font size forces input fields in non-standard applications to display text at a reduced font size. Use this setting when input fields in non-standard applications display misaligned text, oversized fonts, or other undesirable font behavior. Choose the percentage by which to reduce the font size. Percentage values available are 10%, 20%, and 30%.
- Use system default colors forces non-standard input fields to use system default colors. SpeedScreen Latency Reduction tries to auto-detect the text and background colors used in input fields; however, non-standard input fields sometimes report incorrect or inadequate information. As a result, text echo in input fields in non-standard applications can appear corrupted. This setting turns off auto-detection and controls how system default colors are applied to input fields:
  - Choose Both the text and background to apply system default colors to both text and background.
  - Choose The background only to apply system default colors only to the background.
- Input field is a password controls how hidden characters are displayed in non-standard input fields. Typically, hidden characters are located in password entry fields. Text echo in non-standard input fields might make these hidden characters appear as normal text, compromising security. This setting forces hidden characters to display as asterisks or spaces:
  - Choose Hidden characters denoted by * if you want Local Text Echo for such input fields to be replaced by asterisks.
  - Choose Hidden characters denoted by spaces if you want Local Text Echo for password input fields to be replaced by spaces.
Medium Compatibility. Use this level of compatibility for input fields that are incompatible with the default Auto setting. Text echo appears in place with limited acceleration.
Low Compatibility. If an input field is incompatible with both the Auto and Medium compatibility settings, select Low. Text echo appears in a floating text bubble rather than within the input field.
Off, or Zero Compatibility. If an input field is incompatible with Auto, Medium, and Low compatibility settings, disable Local Text Echo for that field by selecting Off.
Degrade color depth first. Select this option if you want color depth to be reduced before resolution is lowered when the session memory limit is reached.
Degrade resolution first. Select this option if you want resolution to be lowered before color depth when the session memory limit is reached.
5. To display a brief explanation to the user when a session is degraded, configure the Citrix Computer policy setting Notify user when display mode is degraded. Possible reasons for degradation include exceeding the memory limit and connecting with a client that cannot support the requested parameters.
Users who access your farm's servers do not require, and should not be granted, any access to the data store. All farm servers share a single user account and password for accessing the data store. Choose a strong password that cannot be easily guessed. Keep the user name and password secure, and give them only to the administrators who install XenApp.
Caution: If the user account for accessing the database is changed at a later time, the Citrix IMA Service fails to start on all servers configured with that account. To reconfigure the Citrix IMA Service password, use the dsmaint config command on each affected server. Be sure to create a backup of your data store before changing the password on your data store. Consult the database vendor documentation for more information.
Oracle
Give the Oracle user account employed for the server farm "connect" and "resource" permissions only. System administrator (system or sys) account permissions are not needed for data store access.
SecureICA. The SecureICA feature encrypts the session data sent between a server running XenApp and a client. In general, increase the level of ICA protocol encryption when you want to encrypt internal communication within a LAN or a WAN, or you want to encrypt internal access to an intranet. Increasing the level of ICA protocol encryption prevents session data from being sent in clear text, but it does not perform any authentication.
SSL/TLS protocols. SSL/TLS protocols can protect you from internal and external threats, depending on your network configuration. Citrix recommends that you enable SSL/TLS protocols. Enabling SSL/TLS ensures the confidentiality, authentication, and integrity of session data.
If you enable protection against both internal and external threats, you must enable SSL encryption. Using SecureICA with SSL or TLS provides end-to-end encryption. Both protocols are enabled on the server side, when you publish an application or resource. The Web Interface and Citrix online plug-in automatically detect and use the settings specified on the server (that is, when you publish a resource). The settings you specify for client-server encryption can interact with any other encryption settings in XenApp and your Windows operating system. If a higher priority encryption level is set on either a server or client device, settings you specify for published resources can be overridden. The most secure setting out of any of the settings below is used:
- The setting in Remote Desktop Session Host Configuration
- The XenApp policy setting that applies to the connection
- The client-server setting (that is, the level you set when you publish a resource)
- The Microsoft Group Policy setting
When you set an encryption level, make sure that it is consistent with the encryption settings you specified elsewhere. For example, any encryption setting you specify in the Terminal Services Configuration tool (TSCC; Remote Desktop Session Host Configuration on Windows Server 2008 R2) or in connection policies cannot be higher than the application publishing setting. If the encryption level for an application is lower than what you specified through the TSCC and connection policies, the TSCC settings and the policies override the application settings.
Using SecureICA
By default, client-server communications are obfuscated at a basic level through the SecureICA feature, which can be used to encrypt the ICA protocol. Plug-ins use the ICA protocol to encode user input (keystrokes and mouse clicks) and address it to a server farm for processing. Server farms use the ICA protocol to format application output (display and audio) and return it to the client device. You can increase the level of encryption for the ICA protocol when you publish a resource or after you publish a resource. In addition to situations when you want to protect against internal security threats, such as eavesdropping, you may want to use ICA encryption in the following situations:
- You need to secure communications from devices that use Microsoft DOS or run on Win16 systems
- You have older devices running plug-in software that cannot be upgraded to use SSL
- As an alternative to SSL/TLS encryption, when there is no risk of a man-in-the-middle attack
When traversing public networks, Citrix does not recommend SecureICA as your only method of encryption. Citrix recommends using SSL/TLS encryption for traversing public networks. Unlike SSL/TLS encryption, SecureICA, used on its own, does not provide authentication of the server. Therefore information could be intercepted as it crosses a public network and then be rerouted to a counterfeit server. Also, SecureICA does not check data integrity.
For client devices communicating with your farm remotely, Citrix recommends that you use the Secure Gateway to pass client communications to the computer running XenApp. The Secure Gateway can be used with SSL Relay on the computer running XenApp to secure the Secure Gateway to XenApp traffic, depending on your requirements. For client devices communicating with your farm internally, you can do one of the following to pass client communications to the computer running XenApp:
- Use the Secure Gateway with an internal firewall and place your farm behind the firewall
- Use the SSL Relay feature to secure the traffic between servers in your farm
In larger environments, it may not be convenient to use SSL Relay because doing so requires storing certificates on every server in your farm. In large environments, you may want to use the Secure Gateway with an internal firewall if you are concerned with internal threats.
Regardless of whether you use the Secure Gateway or SSL Relay, if you want to use SSL, you must select the Enable SSL and TLS protocols setting when you publish an application. If you are using Web Interface with the Secure Gateway, see the information about SSL in the Secure Gateway and Web Interface administrator documentation.
- Select the Enable SSL and TLS protocols check box. This option requests the use of the SSL and TLS protocols for clients connecting to the published application.
- In the Encryption section, select a higher level of encryption from the drop-down list box.
If you are using SecureICA and you want to ensure that ICA traffic is always encrypted at a certain level, you can set a policy for encryption. Creating a SecureICA policy prevents you from accidentally publishing a resource at a lower level of encryption. If this policy is enabled and you publish a resource at a lower level of encryption than the policy requires, the server rejects client connections. For plug-ins that take their encryption settings from the server, such as the Web Interface and the Citrix online plug-in, this can be problematic. Therefore, Citrix recommends as a best practice, that if you enable an encryption policy, you publish applications (or resources) by replicating an existing published application and editing it so as to replace the application with the new application you want to publish.
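The two rules above (the strongest of the configured levels wins; a resource published below the level a SecureICA policy requires is refused) are easy to get wrong when settings live in four places. The following PowerShell is an added example, not Citrix code or part of the XenApp SDK: it models both rules so you can reason about a proposed change before you make it. The ordering of the levels is assumed to follow the order in which the publishing drop-down lists them (Basic lowest, RC5 128-bit highest); the rank numbers are illustrative, not registry values.

```powershell
# Added example (not Citrix code). Assumed level ordering, lowest first.
$IcaEncryptionRank = @{
    'Basic'                    = 1
    'RC5 (128 bit) logon only' = 2
    'RC5 (40 bit)'             = 3
    'RC5 (56 bit)'             = 4
    'RC5 (128 bit)'            = 5
}

function Get-EffectiveIcaEncryption {
    # Takes the level configured in each place the text lists and returns the
    # strongest one, which is the level the connection actually uses.
    param(
        [string]$RdsConfiguration,    # Remote Desktop Session Host Configuration
        [string]$XenAppPolicy,        # Citrix policy that applies to the connection
        [string]$PublishedResource,   # level chosen when the resource was published
        [string]$GroupPolicy          # Microsoft Group Policy
    )
    $candidates = @($RdsConfiguration, $XenAppPolicy, $PublishedResource, $GroupPolicy) |
        Where-Object { $_ -and $IcaEncryptionRank.ContainsKey($_) }
    if (-not $candidates) { throw 'No recognised encryption level supplied.' }
    $candidates | Sort-Object { $IcaEncryptionRank[$_] } -Descending | Select-Object -First 1
}

function Test-PublishedEncryptionAgainstPolicy {
    # Mirrors the policy rule: if a SecureICA policy requires level X and a
    # resource is published below X, the server rejects the connection. Plug-ins
    # that take their level from the server (Web Interface, online plug-in)
    # connect at the published level, so they are the ones that get rejected.
    param([string]$PolicyRequires, [string]$PublishedAt)
    $ok = $IcaEncryptionRank[$PublishedAt] -ge $IcaEncryptionRank[$PolicyRequires]
    New-Object PSObject -Property @{
        PolicyRequires = $PolicyRequires
        PublishedAt    = $PublishedAt
        Accepted       = $ok
        Action         = if ($ok) { 'connection allowed' } else { 'republish the resource at the policy level or higher' }
    }
}

# Constructed sample values for illustration.
Get-EffectiveIcaEncryption -RdsConfiguration 'Basic' -XenAppPolicy 'RC5 (56 bit)' `
    -PublishedResource 'RC5 (40 bit)' -GroupPolicy 'Basic'
Test-PublishedEncryptionAgainstPolicy -PolicyRequires 'RC5 (128 bit)' -PublishedAt 'RC5 (40 bit)'
```

Run the second function over every published resource before enabling a farm-wide SecureICA policy; any result with Accepted set to False is a resource that Web Interface and online plug-in users will no longer be able to open until it is republished.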
Basic. Encrypts the client connection using a non-RC5 algorithm. It protects the data stream from being read directly, but it can be decrypted; treat it as obfuscation rather than encryption.
RC5 (128 bit) logon only. Encrypts the logon data with RC5 128-bit encryption and the rest of the client connection using Basic encryption.
RC5 (40 bit). Encrypts the client connection with RC5 40-bit encryption.
RC5 (56 bit). Encrypts the client connection with RC5 56-bit encryption.
RC5 (128 bit). Encrypts the client connection with RC5 128-bit encryption.
The 40-bit and 56-bit key sizes are short enough to be recovered by brute force with modest hardware. Where SecureICA is used at all, use RC5 (128 bit), and prefer SSL/TLS for any traffic that leaves the LAN, because SecureICA on its own provides neither server authentication nor integrity checking (see Using SecureICA).
- Want to secure communications with servers that host the Citrix XML Service.
- Have a small number of servers to support (five or fewer). To use SSL/TLS to protect against internal threats in larger farms, consider configuring SSL/TLS support with the Secure Gateway.
- Do not need to secure access at a DMZ.
- Do not need to hide server IP addresses, or you are using Network Address Translation (NAT).
- Need end-to-end encryption of data between clients and servers.
Configure SSL Relay and the appropriate server certificate on each XenApp server in the server farm. By default, SSL Relay is installed with XenApp in C:\Program Files (x86)\Citrix\SSLRelay, where C is the drive on which you installed XenApp.

The Citrix XML Service provides an HTTP interface for enumerating the applications available on the server. It uses TCP rather than UDP, which allows connections to work across most firewalls. The Citrix XML Service is included in the server. The default port for the Citrix XML Service is 80. Traffic to the XML Service on that port is unencrypted HTTP; use SSL Relay or IPsec if it crosses a network you do not trust.
- Domain administrator
- Delegated administrator
- Administrators group of the local computer where you are installing the tool
Certificates from a CA bundled with the operating system. Some of the newer Windows operating systems include native support for many CAs. If you choose to install the certificate from a bundled CA, double-click the certificate file and the Windows Certificate Store wizard installs the server certificate on your server. For information about which operating systems include native support, see your Microsoft documentation.
Certificates from an enterprise CA. If your organization makes a CA accessible to you for use, that CA appears in your list of CAs. Double-click the certificate file and the Windows Certificate Store wizard installs the server certificate on your server. For more information about whether or not your company uses an enterprise CA, consult your security team.
Certificates from a CA not bundled with the operating system. Certificates from CAs that are not bundled with your operating system or made accessible to you by your organization must be installed manually on both the server running Citrix SSL Relay and on each client device. For instructions about installing certificates from an external CA, see the documentation for the servers and clients in your configuration. Alternatively, you can install certificates using Active Directory or the IIS snap-in:
- If your computers belong to an Active Directory domain, you can install the certificates using Active Directory. For instructions about how to use Active Directory to install your certificates, see your Microsoft documentation.
- You can use the Microsoft Web Server Certificate wizard in the IIS snap-in to request and import a certificate. For more information about using this wizard, see your Microsoft documentation.
Using the SSL Relay with the Microsoft Internet Information Service (IIS)
To use the SSL Relay and Microsoft Internet Information Services (IIS) on the same server, for example, if you install the Web Interface and XenApp on the same server, you must change the port number that IIS or the SSL Relay use. SSL Relay uses TCP port 443, the standard port for SSL connections. Most firewalls open this port by default. Optionally, you can configure the SSL Relay to use another port. Be sure that the port you choose is open on any firewalls between the client devices and the server running the SSL Relay. Microsoft IIS is installed by default on Windows Server 2003 and allocates port 443 for SSL connections. It is not installed by default on Windows Server 2008. To run SSL Relay on a server running Windows Server 2003 or 2008 (with Web Server IIS installed and enabled), you must:
- Install a server certificate on IIS before you change the port number. You can use the same server certificate with IIS and the SSL Relay.
- Configure IIS to use a different port, or configure the SSL Relay to use a different port.
To change the SSL port for Internet Information Services, see the relevant Microsoft documentation.
Relay Listening Port. The TCP port on which SSL clients connect to the SSL Relay. The default port number is 443. If your server has multiple IP addresses, this port is used on all of them. If you change this value, you must make the same change on the client device. You may also need to open the port on any firewalls between the client device and the SSL Relay.
Encryption Standard. SSL Relay can be configured to use either SSL or TLS. The protocol that is required is configured using the SSL Relay configuration tool.
Server Name. The fully qualified domain name (FQDN) of the server to which to relay the decrypted packets. If certificates are not configured, no servers are listed. If certificates are configured, the FQDN of the server on which the SSL Relay is running appears here.
Ports. The TCP ports on which ICA and the Citrix XML Service are listening.
Important: If you change the default Citrix SSL Relay port, you must set SSLProxyHost to the new port number in the Citrix online plug-in icaclient.adm file. For more information about plug-in settings, see the plug-in administrator documentation.
To add a server to the destination server list:
a. Click New.
b. Type the FQDN of the computer in the Server Name box. (Additional servers must also be specified in the configuration of servers running the Web Interface.)
c. Type the port number of the Citrix XML Service in the Destination ports box and click Add.
To change the port for a server listed in the destination server list:
a. Select the server entry and click Edit.
b. In the Target Server Properties dialog box, select a destination port to remove and click Delete.
c. In the field below Destination ports, type the number of the new destination port and click Add.
- You want to hide internal IP addresses
- You want to secure public access to your farm's servers
- You need two-factor authentication (in conjunction with the Web Interface)
The Secure Gateway:
- Secures Internet access
- Removes the need to publish the addresses of every server running XenApp
- Simplifies server certificate management
- Allows a single point of encryption and access to the servers
Use the Secure Gateway to create a gateway that is separate from the computers running XenApp. Establishing the gateway simplifies firewall traversal because ICA traffic is routed through a widely accepted port for passage in and out of firewalls. The Secure Gateway provides increased scalability. However, because ICA communication is encrypted only between the client and the gateway, you may want to use SSL Relay to secure the traffic between the gateway and the servers running XenApp, including the servers hosting the Citrix XML Service. For more information, see the Secure Gateway for Windows administrator documentation.
The STA log file name has the form:
stayyyymmdd-xxx.log
where yyyy is the year, mm the month, and dd the day on which the log file was created. The first time the STA is loaded, it creates a log file. To view entries in the STA log, open the log file with a plain-text editor. If the STA does not create a log file, the cause may be a lack of write privileges to the \inetpub\scripts directory.
- Secure Socket Layer/Transport Layer Security (SSL/TLS) encryption
At the network level, when clients are communicating with your farm remotely across the Internet:
- Proxy servers
Part of securing your server farm is making sure that only properly authenticated users can access your servers and resources; authentication can include smart cards.
Communication                                        | Port                          | Where to configure
Delivery Services Console/Access Management Console  | (not recovered from extraction) |
Citrix SSL Relay                                     | 443                           | See Using the SSL Relay with the Microsoft Internet Information Server (IIS)
Citrix XML Service                                   | 80                            | See Installing and Configuring XenApp
Client-to-server (directed UDP)                      | 1604                          | Not configurable
ICA sessions (clients to servers)                    | 1494                          | See XenApp Command Reference for information about using the ICAPORT command
License Management Console                           | 8082                          | See Licensing Your Product
Server to license server                             | 27000                         | In the console, open the farm or server properties page, and select License Server
Server to Microsoft SQL Server or Oracle server      | 139, 1433, or 443 for MS-SQL  | See the documentation for the database software
Server to server                                     | 2512                          | See XenApp Command Reference for information about using the IMAPORT command
Session reliability                                  | 2598                          | See Configuring Session Reliability
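The port table is only useful once it is turned into firewall rules scoped to the hosts that actually need each port, and then verified from the other side. The PowerShell below is an added example, not Citrix code: it carries the default ports from the table, emits netsh advfirewall rules for a chosen set of services (optionally restricted to a remote address), and probes a server's TCP ports with a timeout. If you have changed ICAPORT, IMAPORT or the SSL Relay listening port, adjust $XenAppPorts to match; hostnames and addresses in the usage lines are placeholders.

```powershell
# Added example (not Citrix code). Default ports from the table above.
$XenAppPorts = @(
    @{ Name = 'Citrix SSL Relay';      Port = 443;   Proto = 'TCP' }
    @{ Name = 'Citrix XML Service';    Port = 80;    Proto = 'TCP' }
    @{ Name = 'Client browsing (UDP)'; Port = 1604;  Proto = 'UDP' }
    @{ Name = 'ICA sessions';          Port = 1494;  Proto = 'TCP' }
    @{ Name = 'Session reliability';   Port = 2598;  Proto = 'TCP' }
    @{ Name = 'IMA server to server';  Port = 2512;  Proto = 'TCP' }
    @{ Name = 'License server';        Port = 27000; Proto = 'TCP' }
)

function Get-XenAppFirewallRule {
    # Emits one inbound netsh advfirewall command per requested service.
    # -RemoteAddress scopes the rule to the hosts that legitimately need the port
    # (for example, only the Web Interface servers for the XML Service).
    param(
        [string[]]$Names,
        [string]$RemoteAddress = 'any'
    )
    foreach ($p in $XenAppPorts | Where-Object { $Names -contains $_.Name }) {
        'netsh advfirewall firewall add rule name="XenApp {0}" dir=in action=allow protocol={1} localport={2} remoteip={3}' -f `
            $p.Name, $p.Proto, $p.Port, $RemoteAddress
    }
}

function Test-XenAppTcpPort {
    # Connects to each TCP port with a short timeout and reports the result.
    # UDP 1604 is skipped: a silent UDP port cannot be told apart from a filtered one.
    param([string]$ComputerName, [int]$TimeoutMs = 2000)
    foreach ($p in $XenAppPorts | Where-Object { $_.Proto -eq 'TCP' }) {
        $open = $false
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($ComputerName, $p.Port, $null, $null)
            $open  = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch {
            $open = $false     # name resolution or socket error counts as closed
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{
            Computer = $ComputerName; Service = $p.Name; Port = $p.Port; Open = $open
        }
    }
}

# Usage (placeholders): rules a XenApp server needs from clients, and an XML Service
# rule limited to one Web Interface host. Run the emitted commands as an administrator.
Get-XenAppFirewallRule -Names 'ICA sessions','Session reliability','Client browsing (UDP)'
Get-XenAppFirewallRule -Names 'Citrix XML Service' -RemoteAddress '10.0.0.5'
# Test-XenAppTcpPort -ComputerName 'xenapp01.example.com'
```

The emitted rules only allow what the table says each role needs; anything the table does not list stays closed, which is the point of writing the rules from the table rather than opening the server to "any". Run Test-XenAppTcpPort from a client subnet and from a server subnet separately, since the two should see different sets of open ports.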
- Microsoft Internet Security and Acceleration (ISA) Server 2004 and 2006
- iPlanet Web Proxy Server 3.6
- Squid 2.6 STABLE 4
- Microsoft Proxy Server 2.0
The trust relationship is not necessary unless you want to implement Workspace Control and your users log on using smart cards or pass-through authentication. Enable the trust relationship only on servers directly contacted by the Web Interface. These servers are listed in the Web Interface Console. When you set up the trust relationship, you depend on the Web Interface server to authenticate the user. To avoid security risks, use SSL Relay, IPSec, firewalls, or any technology that ensures that only trusted services communicate with the Citrix XML Service. If you set up the trust relationship without using IPSec, firewalls, or other security technology, it is possible for any network device to disconnect or terminate client sessions. Configure SSL Relay, IPSec, firewalls, or other technology that you use to secure the environment so that they restrict access to the Citrix XML Service to only the Web Interface servers. For example, if the Citrix XML Service is sharing a port with IIS, you can use the IP address restriction capability in IIS to restrict access to the Citrix XML Service.
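The last sentence above is the practical control for the port-80 case: when the XML Service shares its port with IIS, the IIS IP and Domain Restrictions feature can refuse every source except the Web Interface servers. The PowerShell below is an added example, not Citrix code. It assumes that the XML Service's ISAPI extension is served from the scripts virtual directory of the Default Web Site (adjust $SitePath if your site or path differs) and that the IIS "IP and Domain Restrictions" role service is installed, which is what provides the ipSecurity configuration section. The addresses in the usage line are placeholders.

```powershell
# Added example (not Citrix code). Uses appcmd.exe, which ships with IIS 7.x.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

function Set-XmlServiceIpRestriction {
    param(
        [string[]]$WebInterfaceServers,                 # IPv4 addresses allowed to reach the XML Service
        [string]$SitePath = 'Default Web Site/scripts'  # assumed location of the XML Service extension
    )
    $section = 'system.webServer/security/ipSecurity'
    # Deny everything not explicitly listed, then add one allow entry per Web Interface server.
    # /commit:apphost writes to applicationHost.config, where the locked ipSecurity section may be set.
    & $appcmd set config $SitePath "/section:$section" '/allowUnlisted:false' '/commit:apphost'
    foreach ($ip in $WebInterfaceServers) {
        & $appcmd set config $SitePath "/section:$section" ("/+[ipAddress='{0}',allowed='true']" -f $ip) '/commit:apphost'
    }
}

function Get-XmlServiceIpRestriction {
    # Shows the effective configuration so the change can be verified and audited.
    param([string]$SitePath = 'Default Web Site/scripts')
    & $appcmd list config $SitePath '/section:system.webServer/security/ipSecurity'
}

# Usage with placeholder addresses (run as an administrator on the XenApp server):
# Set-XmlServiceIpRestriction -WebInterfaceServers '10.0.0.5','10.0.0.6'
# Get-XmlServiceIpRestriction
```

If the Web Interface runs on the same server as the XML Service, include 127.0.0.1 (or the server's own address) in the allowed list, and remember that this restriction protects only the IIS-shared path: an XML Service running on its own port (ctxxmlss) needs a host firewall rule or IPsec instead, as the paragraph above says.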
- Authenticate users to networks and computers
- Secure channel communications over a network
- Use digital signatures for signing content
If you are using smart cards for secure network authentication, your users can authenticate to applications and content published on servers. In addition, smart card functionality within these published applications is also supported. For example, a published Microsoft Outlook application can be configured to require that users insert a smart card into a smart card reader attached to the client device to log on to the server. After users are authenticated to the application, they can digitally sign email using certificates stored on their smart cards.

Citrix has tested smart cards that meet ISO 7816 (the International Organization for Standardization standard for cards with electrical contacts, known as contact cards) and that interface with a computer system through a smart card reader device. The reader can be connected to the host computer through a serial, USB, or PCMCIA port.

Citrix supports the use of PC/SC-based cryptographic smart cards. These cards include support for cryptographic operations such as digital signatures and encryption. Cryptographic cards are designed to allow secure storage of private keys such as those used in Public Key Infrastructure (PKI) security systems. These cards perform the actual cryptographic functions on the smart card itself, meaning the private key and digital certificates never leave the card.

In addition, Citrix supports two-factor authentication for increased security. Instead of merely presenting the smart card (one factor) to conduct a transaction, a user-defined PIN (a second factor), known only to the user, is employed to prove that the cardholder is the rightful owner of the smart card.

Note: XenApp does not support the RSA Security Inc. PKCS (Public-Key Cryptography Standard) #11 functional specification for personal cryptographic tokens.

You can also use smart cards with the Web Interface for XenApp. For details, see the Web Interface administrator documentation.
Using Smart Cards with XenApp

The following components are required on the server:

These components are required on the device running the supported Citrix plug-in:
- PC/SC software
- Smart card reader software drivers
- Smart card reader
Your Windows server and client operating systems may come with PC/SC, CSP, or smart card reader drivers already present. See your smart card vendor for information about whether these software components are supported or must be replaced with vendor-specific software. You do not need to attach the smart card reader to your server during CSP software installation if you can install the smart card reader driver portion separately from the CSP portion. If you are using pass-through authentication to pass credentials from your client device to the smart card server session, CSP software must be present on the client device.
- Citrix online plug-in
- Client for Linux
- Client for Windows-based terminals
- Client for Macintosh
To configure smart card support for users of these plug-ins and clients, see the plug-in or client documentation.
System requirements
Kerberos logon works only between clients and servers that belong to the same or to trusted Windows domains. Servers must also be trusted for delegation, an option you configure through the Active Directory Users and Computers management tool. Kerberos logon is not available:
- Always use the following logon information or Always prompt for password
- If you route connections through Secure Gateway

Kerberos requires Citrix XML Service DNS address resolution to be enabled for the server farm or reverse DNS resolution to be enabled for the Active Directory domain.

- Kerberos logon is enabled on the server running XenApp
- Users logging on to the computer running XenApp are members of the Administrator group on that computer
- After logon, Administrator group users attempt to access network resources such as shared folders and printers
Applications running on XenApp that depend on the NTLM protocol for authentication generate explicit user authentication prompts or fail. Most applications and network services that support Windows pass-through authentication accept both Kerberos and NTLM protocols, but some do not. In addition, Kerberos does not operate across certain types of domain trust links, in which case applications automatically use the NTLM protocol. However, the NTLM protocol does not operate in a XenApp session that is started using Kerberos pass-through authentication, preventing applications that cannot use Kerberos from authenticating silently.

Kerberos pass-through authentication for applications expires if the XenApp session is left running for a very long time (typically one week) without being disconnected and reconnected. Kerberos is based on security tickets issued by domain controllers, which impose a maximum refresh period (typically one week). When the maximum refresh period has ended, Windows obtains a new Kerberos ticket automatically by using the cached network credentials that are required for the NTLM protocol. However, these network credentials are not available when the XenApp session was started using Kerberos pass-through authentication.
Configuring Kerberos Logon

You can configure the Citrix online plug-ins to use Kerberos with or without pass-through authentication.
- Delivery Services Console
- some command-line utilities
- tools custom built with SDKs

- Determine the level of security and control you need over the configuration logs. This determines if you need to set up additional database user accounts and if you want to make XenApp administrators enter credentials before clearing logs.
- Determine how strictly you want to log tasks; for example, if you want to log administrative tasks and if you want to allow administrators to make changes to a farm if the task cannot be logged (for example, if the database is disconnected).
- Determine if you want to allow administrators to be able to clear configuration logs and if you want them to have to supply credentials for this purpose. This requires the permission to Edit Configuration Logging settings.

Important: To securely store the credentials used for accessing the Configuration Logging database, you can enable the IMA encryption feature when you deploy your server farm. After this is enabled, however, you cannot disable it without losing the data it encrypted. Citrix recommends that you configure IMA encryption before the Configuration Logging feature is configured and used.

To enable the Configuration Logging feature:
- Set up the Configuration Logging database
- Define the Configuration Logging database access permissions
- Configure the Configuration Logging database connection
- Set the Configuration Logging properties
The Configuration Logging feature, after it is properly enabled, runs in the background as administrative changes trigger entries in the Configuration Logging database. The only activities that are initiated by the user are generating reports, clearing the Configuration Logging database, and displaying the Configuration Logging properties. To generate a configuration logging report, use the PowerShell command Get-CtxConfigurationLogReport. For more information, see help for Get-CtxConfigurationLogReport or Windows PowerShell with Common Commands.
Setting up the Configuration Logging Database

Important: To use an Oracle database for configuration logging, the 32-bit Oracle client must be installed on the Delivery Services Console. Before running the Delivery Services Console, update the Oracle tnsnames.ora client file to include the connectivity information needed to access the available databases.
To log administrative tasks:
- INSERT for the database tables
- EXECUTE for the stored procedures
- SELECT for:
  SQL Server: sysobjects and sysusers
  Oracle: sys.all_objects, and for sequence objects and the "create session" system privilege

To clear the log:
- DELETE/INSERT for the database tables
- EXECUTE for the GetFarmData stored procedure
- SELECT for:
  SQL Server: sysobjects and sysusers
  Oracle: sys.all_objects, and for sequence objects and the "create session" system privilege

To create a report:
- Oracle: SELECT for sys.all_objects, and for sequence objects and the "create session" system privilege

The Configuration Logging components must have access to the GetFarmData stored procedure to find out if a Configuration Logging database is associated with a farm. If you do not have permission to execute an existing GetFarmData stored procedure, this farm is invisible to the Configuration Logging components.
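The two SQL Server permission sets above, expressed as a script so that the logging account and the clearing account can be reviewed and granted separately. This is an added example, not Citrix code or the Citrix database setup procedure. It assumes the Configuration Logging tables and stored procedures live in the dbo schema (so schema-level grants cover "the database tables" and "the stored procedures"), it uses the sysobjects and sysusers names exactly as the page lists them, and the server, database and user names are placeholders. The report permissions are not included.

```powershell
# Added example, not Citrix code: generate and optionally apply the SQL Server
# grants for a log-writing account and a log-clearing account. Names are
# placeholders. Assumption: the Configuration Logging objects are in schema dbo.
function New-ConfigLoggingGrantScript {
    param(
        [Parameter(Mandatory)][string]$Database,
        [Parameter(Mandatory)][string]$WriterUser,   # database user XenApp connects as to log tasks
        [Parameter(Mandatory)][string]$ClearUser     # database user that may clear the log
    )
@"
USE [$Database];

-- Logging account: INSERT on the tables, EXECUTE on the stored procedures,
-- SELECT on sysobjects and sysusers. No DELETE, so it cannot erase history.
GRANT INSERT  ON SCHEMA::dbo TO [$WriterUser];
GRANT EXECUTE ON SCHEMA::dbo TO [$WriterUser];
GRANT SELECT  ON sysobjects  TO [$WriterUser];
GRANT SELECT  ON sysusers    TO [$WriterUser];

-- Clearing account: DELETE and INSERT on the tables, EXECUTE only on
-- GetFarmData (needed to see which farm the database belongs to), SELECT on
-- sysobjects and sysusers. It gets no EXECUTE on the other procedures.
GRANT DELETE  ON SCHEMA::dbo TO [$ClearUser];
GRANT INSERT  ON SCHEMA::dbo TO [$ClearUser];
GRANT EXECUTE ON OBJECT::dbo.GetFarmData TO [$ClearUser];
GRANT SELECT  ON sysobjects  TO [$ClearUser];
GRANT SELECT  ON sysusers    TO [$ClearUser];
"@
}

function Invoke-ConfigLoggingGrants {
    param(
        [Parameter(Mandatory)][string]$SqlInstance,   # e.g. SQLSERVER01\CTXLOG (placeholder)
        [Parameter(Mandatory)][string]$Script,
        [switch]$Apply                                # without -Apply the script is only returned (dry run)
    )
    if (-not $Apply) { return $Script }
    # Integrated Security: run as an administrator who already owns the database,
    # so no SQL password is embedded in this script.
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Integrated Security=True;")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Script      # one batch; SqlClient runs the statements in order
        [void]$cmd.ExecuteNonQuery()
    } finally {
        $conn.Close()
    }
}

# Review first, then apply (placeholder names):
# $sql = New-ConfigLoggingGrantScript -Database 'CitrixConfigLog' -WriterUser 'ctx_log_writer' -ClearUser 'ctx_log_admin'
# Invoke-ConfigLoggingGrants -SqlInstance 'SQLSERVER01\CTXLOG' -Script $sql
# Invoke-ConfigLoggingGrants -SqlInstance 'SQLSERVER01\CTXLOG' -Script $sql -Apply
```

Keeping the writer without DELETE and the clearing account without EXECUTE on anything but GetFarmData is what makes the "require credentials before clearing logs" control in the properties meaningful: the account XenApp runs with day to day cannot remove history on its own.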
After you configure the connection to the Configuration Logging database, you cannot set the database back to None. To stop logging, clear the Log administrative tasks to Configuration Logging database check box in the Configuration Logging dialog box.
- For SQL authentication, credentials with permissions for the Configuration Logging database on the SQL server are required
- For Windows Integrated authentication, XenApp impersonates the database user when it connects to the SQL database, so credentials for the Windows user account are required
Use one of the following methods to clear log entries from the Configuration Logging database:
- From the Delivery Services Console, expand the farm node and select History. Select Clear history in the Actions pane or the Action menu.
- Use the PowerShell command Clear-XAConfigurationLog. For more information, see help for Clear-XAConfigurationLog or Windows PowerShell with Common Commands.
Key file
The same valid IMA encryption key must be loaded on all servers in the farm if IMA encryption is enabled. After copying the key file to a server, you load the key by using CTXKEYTOOL. Configuring IMA encryption includes the following tasks:
- On the first server in a farm (that is, the server on which you create the farm during XenApp configuration), generate a key file, load the key, and enable it
- Make the key file accessible to other servers in the farm or put it on a shared network location
- Load the key onto other servers in the farm (that is, the servers that join the farm during configuration)
Citrix recommends that if you are enabling IMA encryption in environments that have multiple farms, you give the key for each farm a different name.
To generate a key and enable IMA encryption on the first server in a farm
Before enabling IMA encryption on the first server in the XenApp farm (that is, the server on which you created the farm), install and configure XenApp, and restart the server.

1. On the server where you created the XenApp farm, run CTXKEYTOOL with the generate option, specifying the full UNC or absolute path (including the file name of the key you want to generate) to the location where you want to store the key file. Citrix suggests naming the key after the farm on which it will be used; for example, farmakey.ctx. Citrix also suggests saving the key to a folder that uses the name of your farm; for example, Farm A Key. If the key file generates successfully, the message "Key successfully generated" appears.
2. To obtain the key from the file and put it in the correct location on the server, run CTXKEYTOOL with the load option on the server on which you want to add the key, specifying the full UNC or absolute path (including the key file name) to the location where you stored the key file. If the key loaded successfully, the message "Key successfully loaded" appears.
3. Run CTXKEYTOOL with the newkey option to use the currently loaded key and enable the key. If IMA encryption is enabled successfully, the message "The key for this farm has been replaced. IMA Encryption is enabled for this farm" appears.
Give the folder a meaningful name that specifies the name of the farm for which the key was created. This is important in situations when you follow the Citrix best practice recommendation of creating a unique key for the farm. Ensure that the account you use to generate the key is the same as the account that will be used to configure all the servers in the farm. You must use the same account for both tasks.
1. When you generate the key file, save it to a local directory (as you normally would).
2. After enabling IMA encryption on the server where you generated the key, copy the key file to the shared network location.
3. Grant Read/Execute access to the key file for each server that will be joining the farm, and to the administrator performing the installation.
Changing Farms
If you move a server that has IMA encryption enabled to a farm that has IMA encryption enabled, run CTXKEYTOOL with the load option (specifying the key that was generated for the new farm) on that server after it is configured but before it is restarted. If you move a server that has IMA encryption enabled to a farm that does not have IMA encryption enabled, IMA encryption is disabled automatically on the server being moved.
Citrix strongly recommends backing up the farm key to a safe, secondary location, such as a CD, immediately after you generate a key. You can create a copy of the key file when you create it, or you can back up the farm key by running CTXKEYTOOL with the backup option.

You can recreate a key file that you accidentally deleted, lost, or overwrote. All servers in the same farm use the same key, so you can obtain a key from another server on the farm; however, XenApp does not allow you to access keys. You must recreate the entire key file by running CTXKEYTOOL with the backup option on any server in the farm that has the key and is functioning properly.

You can disable IMA encryption by running CTXKEYTOOL with the disable option. Because IMA encryption is a farm-wide feature, disabling it on one server disables the feature on all servers. If you disable IMA encryption, to access the Configuration Logging database, you must reenter the password for the Configuration Logging database. In addition, no configuration information is logged until you reenter your database credentials.

To reenable IMA encryption after you disabled it, run CTXKEYTOOL with the enable option. After enabling IMA encryption, Citrix recommends that you run CTXKEYTOOL with the query option to verify that IMA encryption is enabled.
For more information about CTXKEYTOOL, see the XenApp Command Reference documentation.
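The key procedure above (generate, load and enable on the first server, back up and verify, publish the key file read-only, load it on joining servers) driven from PowerShell so that each step is checked rather than read off the console. This is an added example, not Citrix code and not the CTXKEYTOOL reference. It assumes ctxkeytool.exe is on the PATH of an elevated session and accepts its option followed by an optional path as arguments (the page names the options but not their exact syntax), that the success messages quoted on the page appear in its output, and that icacls is used for the share permissions. Paths, share and account names are placeholders.

```powershell
# Added example, not Citrix code. Assumption: ctxkeytool.exe is on the PATH and
# takes "<option> [<path>]"; the documented success message is checked in its output.
function Invoke-CtxKeyTool {
    param(
        [Parameter(Mandatory)][string]$Option,   # generate, load, newkey, backup, query, enable, disable
        [string]$Path,                           # key file path for generate / load / backup
        [string]$ExpectedText                    # success message the documentation gives for this option
    )
    $toolArgs = @($Option)
    if ($Path) { $toolArgs += $Path }
    $output = (& ctxkeytool.exe @toolArgs 2>&1 | Out-String).Trim()
    $ok = ($LASTEXITCODE -eq 0)
    if ($ExpectedText) { $ok = $ok -and ($output -like "*$ExpectedText*") }
    if (-not $ok) { throw "ctxkeytool $Option failed (exit code $LASTEXITCODE): $output" }
    $output
}

# Steps 1-3 on the server where the farm was created, then the recommended backup
# and the query that confirms the farm-wide state. Run this as the same account
# that will configure the other servers in the farm.
function Initialize-FarmKey {
    param(
        [Parameter(Mandatory)][string]$KeyFile,      # e.g. C:\Keys\Farm A Key\farmakey.ctx (placeholder)
        [Parameter(Mandatory)][string]$BackupFile    # secondary location, e.g. removable media (placeholder)
    )
    New-Item -ItemType Directory -Force (Split-Path $KeyFile) | Out-Null
    Invoke-CtxKeyTool generate $KeyFile 'Key successfully generated' | Out-Null
    Invoke-CtxKeyTool load     $KeyFile 'Key successfully loaded'    | Out-Null
    Invoke-CtxKeyTool newkey -ExpectedText 'IMA Encryption is enabled for this farm' | Out-Null
    Invoke-CtxKeyTool backup $BackupFile | Out-Null
    Invoke-CtxKeyTool query
}

# Copy the key file to the share and give each joining server (its computer
# account) and the installing administrator Read/Execute only; nobody else needs it.
function Publish-FarmKey {
    param(
        [Parameter(Mandatory)][string]$KeyFile,
        [Parameter(Mandatory)][string]$ShareFolder,     # e.g. \\FILESRV\CtxKeys\Farm A Key (placeholder)
        [Parameter(Mandatory)][string[]]$Principals     # e.g. 'CORP\XA02$', 'CORP\xa-install' (placeholders)
    )
    New-Item -ItemType Directory -Force $ShareFolder | Out-Null
    $shared = Join-Path $ShareFolder (Split-Path $KeyFile -Leaf)
    Copy-Item $KeyFile $shared -Force
    foreach ($p in $Principals) {
        & icacls $shared /grant "${p}:(RX)" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls could not grant RX on $shared to $p" }
    }
    $shared
}

# On each server that joins the farm: load the shared key after the server is
# configured and before it is restarted, then verify.
function Join-FarmKey {
    param([Parameter(Mandatory)][string]$SharedKeyFile)
    Invoke-CtxKeyTool load $SharedKeyFile 'Key successfully loaded' | Out-Null
    Invoke-CtxKeyTool query
}

# Usage (placeholder paths and accounts):
# Initialize-FarmKey -KeyFile 'C:\Keys\Farm A Key\farmakey.ctx' -BackupFile 'E:\farmakey-backup.ctx'
# $shared = Publish-FarmKey 'C:\Keys\Farm A Key\farmakey.ctx' '\\FILESRV\CtxKeys\Farm A Key' @('CORP\XA02$', 'CORP\xa-install')
# Join-FarmKey $shared     # on XA02, after configuration and before the restart
```

Because the key protects the stored database credentials, the share grants are deliberately limited to Read/Execute for the named computer accounts and one administrator; the local copy on the first server and the backup copy should be the only other places the file exists.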
XenApp Service Account Privileges

Executable: ctxsfosvc64.exe
Description: Dynamically optimizes 64-bit applications running on a XenApp server.
Dependencies: None

Executable: cdmsvc.exe
Description: Maps client drives and peripherals for access in sessions.
Dependencies: Client Drive Mapping (CDM), Windows Management Instrumentation Driver Extensions, Workstation

Executable: ctxcpubal.exe
Account/startup: .\ctx_cpuuser / Manual
Description: Enhances resource management across multiple CPUs. Installed only on servers that have multiple CPUs.
Dependencies: None

Service: Citrix CPU Utilization Mgmt/Resource Mgmt (ctxcpuSched)
Executable: ctxcpusched.exe
Account/startup: Local System / Manual
Description: Manages resource consumption to enforce entitlement policies.

Service: Citrix Diagnostic Facility COM Server (CdfSvc)
Executable: CdfSvc.exe
Description: Manages and controls diagnostic trace sessions, which diagnose problems on a XenApp server.
Dependencies: Remote Procedure Call (RPC)

Executable: encsvc.exe
Description: Enables secure communication with RC5 128-bit encryption between Citrix plug-ins and XenApp.

Executable: SemsService.exe
Description: Collects and collates end-user experience measurements.

Description: Provides health monitoring and recovery services in the event problems occur.
Dependencies: Citrix Independent Management Architecture service

Service: Citrix Independent Management Architecture
Executable: ImaSrv.exe
Description: Provides management services in the XenApp farm.
Dependencies: Citrix Services Manager service, IPsec Policy Agent, Remote Procedure Call (RPC), TCP/IP Protocol Driver, Server, Windows Management Instrumentation Driver Extensions, Workstation

Service: Citrix MFCOM Service (MFCom)
Executable: mfcom.exe
Account/startup: NT AUTHORITY\NetworkService / Automatic
Description: Provides COM services that allow remote connections from the management tools.
Dependencies: Remote Procedure Call (RPC), Citrix Independent Management Architecture service, Citrix Services Manager service

Executable: CpSvc.exe
Account/startup: Local Service / Automatic
Description: Manages the creation of printers and driver usage within XenApp sessions. Supports the Citrix Universal Printing features.
Dependencies: Print Spooler, Remote Procedure Call (RPC)

Executable: CtxSGSvc.exe
Description: Proxy to the Citrix Secure Gateway server.
Dependencies: None

Description: Provides XenApp with an interface to the operating system. Other services use this service for elevated operations.
Dependencies: None

Executable: RadeSvc.exe
Account/startup: .\Ctx_StreamingSvc / Automatic
Description: Manages the Citrix offline plug-in when streaming applications.

Executable: CTXSFOSvc.exe
Account/startup: Local System / Manual
Description: Dynamically optimizes applications running on a XenApp server to free up server memory.
Dependencies: None

Service: Citrix WMI Service (CitrixWMIservice)
Executable: ctxwmisvc.exe
Account/startup: NT AUTHORITY\Local Service / Manual
Description: Provides the Citrix WMI classes for information and management purposes.
Dependencies: Citrix Independent Management Architecture service, Citrix Services Manager service, IPsec Policy Agent, Remote Procedure Call (RPC), TCP/IP Protocol Driver, Server, Windows Management Instrumentation Driver Extensions, Workstation

Executable: ctxxmlss.exe
Description: Services XML data requests sent by XenApp components.
Dependencies: None

Description: Services network requests for session reliability and SSL from XenApp components.
Dependencies: None
Caution: Citrix does not recommend altering account permissions and privileges. If you delete the accounts or alter their permissions incorrectly, XenApp might not function correctly.
Account: Ctx_StreamingSvc. Type: domain or local user. Acts as a User.
Account: Ctx_ConfigMgr. Type: domain or local user. Acts as a Power User.
Account: Ctx_CpuUser. Type: domain or local user. Acts as a User.

The privilege matrix for Local Service, Network Service, Ctx_ConfigMgr, and Ctx_CpuUser covers the following privileges (in the matrix, Local Service and Network Service are each marked for six of them, Ctx_ConfigMgr and Ctx_CpuUser for two each, and Increase scheduling priority is marked for one account):
- Change the system time
- Generate security audits
- Increase quotas
- Log on as a batch job
- Log on as a service
- Replace a process level token
- Debug programs
- Increase scheduling priority

Citrix does not support changing the account for the Citrix Streaming Service (Ctx_StreamingSvc), which has the privileges: log on as a batch job, log on as a service, backup files and directories, restore files and directories, deny log on locally, deny remote log on, and take ownership of files or other objects.
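An added PowerShell check (not Citrix code) that reports which of the privileges in the matrix above each service account actually holds on a server, read from a secedit user-rights export; it is the check to run before and after a hotfix or hardening baseline touches user rights, since the caution above warns that altered permissions can break XenApp. The export text embedded below is constructed sample data: S-1-5-19 and S-1-5-20 are the real well-known SIDs of Local Service and Network Service, while the SIDs shown for Ctx_ConfigMgr and Ctx_CpuUser are invented. The privilege constants are the standard Windows names for the display names in the table.

```powershell
# Added example, not Citrix code: map the display names in the privilege matrix to
# the Windows privilege constants and read a secedit export to see who holds them.
$PrivilegeNames = [ordered]@{
    SeSystemtimePrivilege           = 'Change the system time'
    SeAuditPrivilege                = 'Generate security audits'
    SeIncreaseQuotaPrivilege        = 'Increase quotas'
    SeBatchLogonRight               = 'Log on as a batch job'
    SeServiceLogonRight             = 'Log on as a service'
    SeAssignPrimaryTokenPrivilege   = 'Replace a process level token'
    SeDebugPrivilege                = 'Debug programs'
    SeIncreaseBasePriorityPrivilege = 'Increase scheduling priority'
}

function Get-PrivilegeMatrix {
    param(
        [Parameter(Mandatory)][string[]]$ExportLines,                        # lines of a secedit .inf export
        [Parameter(Mandatory)][System.Collections.IDictionary]$AccountSids   # display name -> SID
    )
    $inSection = $false
    $holders = @{}
    foreach ($line in $ExportLines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
        # secedit writes resolved accounts as *SID; strip the marker and compare SIDs only
        $holders[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
    foreach ($priv in $PrivilegeNames.Keys) {
        $row = [ordered]@{ Privilege = $PrivilegeNames[$priv] }
        foreach ($acct in $AccountSids.Keys) {
            $row[$acct] = [bool]($holders[$priv] -contains $AccountSids[$acct])
        }
        [pscustomobject]$row
    }
}

# Resolves a local or domain account name to its SID (for use against a live export)
function Get-AccountSid([string]$Name) {
    (New-Object System.Security.Principal.NTAccount($Name)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# Constructed sample export; the S-1-5-21-... SIDs are invented for this example
$sampleExport = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-19,*S-1-5-20,*S-1-5-21-1000-2000-3000-1101,*S-1-5-21-1000-2000-3000-1102
SeBatchLogonRight = *S-1-5-21-1000-2000-3000-1101
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544,*S-1-5-21-1000-2000-3000-1102
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
'@
$accounts = [ordered]@{
    'Local Service'   = 'S-1-5-19'
    'Network Service' = 'S-1-5-20'
    'Ctx_ConfigMgr'   = 'S-1-5-21-1000-2000-3000-1101'
    'Ctx_CpuUser'     = 'S-1-5-21-1000-2000-3000-1102'
}
Get-PrivilegeMatrix -ExportLines ($sampleExport -split "`r?`n") -AccountSids $accounts | Format-Table -AutoSize

# Against a live server, from an elevated prompt:
#   $inf = Join-Path $env:TEMP 'rights.inf'
#   secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null
#   $live = [ordered]@{ 'Local Service' = 'S-1-5-19'; 'Network Service' = 'S-1-5-20'
#                        'Ctx_ConfigMgr' = Get-AccountSid 'Ctx_ConfigMgr'; 'Ctx_CpuUser' = Get-AccountSid 'Ctx_CpuUser' }
#   Get-PrivilegeMatrix (Get-Content $inf) $live
```

Save the table from a known-good server and diff it after changes; a privilege that disappears from Ctx_ConfigMgr or Ctx_CpuUser, or one that is added to an account that should not have it, is the kind of drift the caution above is about.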
- Discovered items. Searches discovered items.
- Sessions By User. Lists the sessions to which a specific user is connected. Type a user name in the Name box.
- Applications By User. Lists the applications that the specified user is using. Type a user name in the Name box.
- Servers without hotfix. Lets you search for all of the servers missing a specific hotfix. This feature is useful if you want to check that you applied a hotfix to all servers in your farm. Type a hotfix number in the Name box.

3. Use the Browse button to select one of the Citrix Resources locations to search in.
- Connect directly to server's desktop

4. In the Launch ICA Desktop Session dialog box, choose from the following selections. The selections you make here become the new default settings.
- Accept the Width and Height values (800 x 600 by default) or specify a different resolution.
- Colors (Better Speed by default). Select the color depth for the application. The available options are 256 colors (8-bit), Better Speed (16-bit), or Better Appearance (32-bit).
- Encryption. Select one of the following options from the list.
  - Basic encrypts the connection using a non-RC5 algorithm (default setting). Basic encryption protects the data stream from being read directly but can be decrypted.
  - 128-Bit Login Only (RC5) encrypts the logon data with RC5 128-bit encryption and the ICA connection with basic encryption.
  - 40-Bit (RC5) encrypts the connection with RC5 40-bit encryption.
  - 56-Bit (RC5) encrypts the connection with RC5 56-bit encryption.
  - 128-Bit (RC5) encrypts the connection with RC5 128-bit encryption.
- Limit User sessions. Specify the maximum number of connections a user can make to any single server at the same time.
- Limits on administrator sessions. Enable this setting to extend the connection limit to Citrix administrators. Important: Limiting connections for Citrix administrators can adversely affect their ability to shadow other users.
- Logging of logon limit events. Enable this setting to record information about denied connection events in the server's system log.
- Other Tasks > Disable logon
- Other Tasks > Enable logon
Scheduled reboots (disabled by default). Enable this setting to apply a restart schedule and warnings. Continue by configuring related reboot policy settings for scheduling restarts, including settings for warnings to users and the schedules by frequency and start date.
- Moving a server to another farm
- Renaming a server
- Removing a server from your farm
- Removing XenApp from a computer in your farm or forcing its removal
- Removing a server from your farm if the hardware hosting XenApp fails
To accomplish these tasks, you might need to remove XenApp from its host computer, remove it from the farm or from the list of farm servers in the Delivery Services Console, or repair the installation. In addition, see the procedures in this section for related tasks, including moving or removing a server from the farm and renaming a XenApp server.
Removing XenApp
Citrix recommends that you remove XenApp by using Control Panel > Programs and Features while the server is still connected to the farm and the network. Select Citrix XenApp <version> and click Uninstall. After the program is finished, restart the server. This method removes the host information from the farm data store and removes the server from the farm properties displayed in the management tools.

To remove XenApp remotely, you can do so from within a Remote Desktop Connection (RDC) session or using tools such as Microsoft Configuration Manager 2007 (formerly Systems Management Server (SMS)).

If you want to remove only specific components of XenApp, do so in the following order:
- Citrix Access Management Console or Delivery Services Console
- XenApp Advanced Configuration or Presentation Server Console
- Citrix XenApp
- Citrix Web Interface
- Citrix Licensing
- Server name
- Operating system
- Settings for applications made during installation or when the application was published
- User accounts
- Health monitoring (enabled by default). Use this setting to allow the Health Monitoring and Recovery feature.
- Health monitoring tests. Use this setting to specify which tests to run. Select from a standard set of Citrix tests (described below) or add your own customized tests. For descriptions of recovery actions, see Modifying Health Monitoring and Recovery Actions.
- Maximum percent of offline servers (10 percent by default). Use this setting to specify the number of servers that the Health Monitoring and Recovery feature can exclude from load balancing.

Use the load balancing feature of XenApp with Health Monitoring and Recovery to ensure that if a server in the farm experiences a problem (for example, the Citrix IMA Service is down), the state of that server does not interfere with the users' ability to access the application, because the users' connection to that application is redirected through another server. For more information about load balancing and using Load Manager, see the Load Management section in eDocs.
Citrix Tests
Monitoring Server Performance with Health Monitoring & Recovery

Citrix IMA Service test
This test queries the service to ensure that it is running by enumerating the applications available on the server.

Logon monitor test
This test monitors session logon/logoff cycles to determine whether there is a problem with session initialization or possibly an application failure. If there are numerous logon/logoff cycles within a short time period, the threshold for the session is exceeded and a failure occurs. The session time, interval, and threshold can be configured by modifying the parameters in the Test file field. These parameters are listed and described in the following table.

Session time: Defines the maximum session time for a short logon/logoff cycle. Default is five seconds.
Session interval: The time period designated to monitor logon/logoff cycles. Default is 600 seconds.
Session threshold: The number of logon/logoff cycles that must occur within the session interval for the test to fail. Default is 50 cycles.

Remote Desktop Services test
This test enumerates the list of sessions running on the server and the session user information, such as user name.

XML Service test
This test requests a ticket from the XML service running on the server and prints the ticket.

Check DNS test
This test performs a forward DNS lookup using the local host name to query the local DNS server in the computer's environment for the computer's IP address. A failure occurs if the returned IP address does not match the IP address that is registered locally. To perform reverse DNS lookups in addition to forward DNS lookups, use the flag /rl when running this test.

Check Local Host Cache test
Citrix does not recommend running this test unless you have problems with corrupted local host caches. This test ensures the data stored in the XenApp server's local host cache is not corrupted and that there are no duplicate entries. Because this test can be CPU-intensive, use a 24-hour test interval (86,400 seconds) and keep the default test threshold and time-out values. Before running this test, ensure the permissions of the files and registry keys that the test accesses are set properly. To do this, run the LHCTestACLsUtil.exe file located in C:\Program Files (x86)\Citrix\System32 of the XenApp server. To run this utility, you must have local administrator privileges.

Check XML Threads test
This test inspects the threshold of the current number of worker threads running in the Citrix XML Service. When running this test, use a single integer parameter to set the maximum allowable threshold value. The test compares the current value on the XenApp server with the input value. A failure occurs if the current value is greater than the input value.

Citrix Print Manager Service test
This test enumerates session printers to determine the health of the Citrix Print Manager service. A failure occurs if the test cannot enumerate session printers.

Microsoft Print Spooler Service test
This test enumerates printer drivers, printer processors, and printers to determine whether the Print Spooler Service in Windows Server 2008 is healthy and ready for use.

ICA Listener test
This test determines whether the XenApp server is able to accept ICA connections. The test detects the default ICA port of the server, connects to the port, and sends test data in anticipation of a response. The test is successful when the server responds to the test with the correct data.
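A scriptable equivalent of the Check DNS test described above, so the same comparison (forward lookup of the local host name against the addresses registered on the local adapters, optionally with the reverse lookup that the /rl flag adds) can be run ad hoc when a server drops out of load balancing. This is an added example, not the Citrix test and not Citrix code; it uses only .NET types, and the match rule (DNS must not return an address the server does not hold, and each address must map back to the host name) is this example's reading of the test description.

```powershell
# Added example, not Citrix code: re-create the Check DNS test logic with .NET types.
function Test-LocalHostDns {
    param([switch]$ReverseLookup)   # same idea as the test's /rl flag
    $hostName = [System.Net.Dns]::GetHostName()

    # IPv4 addresses registered on the local adapters (loopback excluded)
    $local = @([System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        Where-Object { $_.OperationalStatus -eq 'Up' } |
        ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
        ForEach-Object { $_.Address } |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' -and -not [System.Net.IPAddress]::IsLoopback($_) } |
        ForEach-Object { $_.IPAddressToString })

    # Forward lookup of the local host name (resolver cache and hosts file apply, as for any lookup)
    $forward = @([System.Net.Dns]::GetHostAddresses($hostName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString })

    # Fail if DNS returns an address this server does not hold (stale or wrong record)
    $unexpected = @($forward | Where-Object { $local -notcontains $_ })
    $result = [ordered]@{
        HostName       = $hostName
        LocalAddresses = $local
        DnsAddresses   = $forward
        Unexpected     = $unexpected
        Passed         = ($forward.Count -gt 0 -and $unexpected.Count -eq 0)
    }

    if ($ReverseLookup) {
        # Every address DNS returned must map back (PTR) to this host name
        $reverseOk = ($forward.Count -gt 0)
        foreach ($ip in $forward) {
            try   { $ptr = [System.Net.Dns]::GetHostEntry([System.Net.IPAddress]::Parse($ip)).HostName }
            catch { $ptr = '' }
            if (($ptr -split '\.')[0] -ne $hostName) { $reverseOk = $false }
        }
        $result['ReversePassed'] = $reverseOk
        $result['Passed'] = $result['Passed'] -and $reverseOk
    }
    [pscustomobject]$result
}

# Test-LocalHostDns -ReverseLookup | Format-List
```

The Unexpected field is the useful part when the test fails: it names the address DNS is handing out that the server itself does not own, which is what a stale dynamic-DNS record or a duplicate host name in the zone looks like.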
Recovery Actions
Alert Only
Sends an error message to the Event log but takes no other action. The test continues to run, and if it subsequently passes, an event is sent to the system log. This recovery action is the default for all tests except the Citrix XML Service test.

Remove Server from load balancing
Excludes the server from load balancing. Clients do not attempt to make new connections to this server through Load Manager. However, existing connections are maintained, and attempts are made to reconnect disconnected sessions. You can make new direct connections to the server; this enables you to try to correct any problems. To prevent possible farm-wide outages, this is the default recovery action for the Citrix XML Service test.
Note: To restore one or more servers to load balancing, use the enablelb command-line utility.

Shut Down IMA
Shuts down the Citrix IMA Service. After this happens, tests continue to run, but failures do not trigger events to be sent to the Event log until the Citrix IMA Service is up and running again.

Restart IMA
Shuts down and then restarts the Citrix IMA Service. After this happens, tests continue to run, but failures do not trigger events to be sent to the Event log until the Citrix IMA Service is up and running again.

Reboot Server
Restarts the server. An alert is triggered before the server is restarted. After the system is restarted, the tests resume.
Modifying Health Monitoring and Recovery Actions

Note: If the Recovery Action list contains the entry Action ID followed by a number, this means that Citrix supplied a new action through a hotfix. Although you applied the hotfix to the selected server, you did not apply it to the computer on which the Access Management Console or Delivery Services Console is running. When the hotfix is fully applied, a meaningful name for the new action is added to the list.
- Save the test in the custom test location, such as c:\program files (x86)\Citrix\HealthMon\Tests\Custom
- Specify the custom test in a Citrix policy

Provide a name for the test. Provide the file location using the following example:
If the file location is: c:\program files (x86)\Citrix\HealthMon\Tests\Custom\mytest.exe
The path you enter is: Custom\mytest.exe
The rest of the path is added by the Health Monitoring & Recovery feature based on the installed location.
- Bandwidth and compression counters for ICA sessions and computers running XenApp
- Bandwidth counters for individual virtual channels within an ICA session
- Latency counters for ICA sessions

1. On the server where XenApp is installed, open the Server Manager console.
2. In the Tree view, select Diagnostics > Performance > Monitoring Tools > Performance Monitor.
3. From the menu bar, select Action > Properties.
4. In the Performance Monitors dialog box, select the Data tab.
5. Click Add.
6. In the Add Counters dialog box, from the Select counters from computer drop-down list, ensure Local computer is selected.
7. In the Available counters list, select ICA Session.
8. To add all ICA counters, in the Available counters list, select ICA Session. To add one or more ICA counters, click the plus sign next to ICA Session and select the individual counters to be added.
9. Select All instances to enable all instances of the selected ICA counters, No instance, or Select instances from list and highlight only the instances you need. In Performance Monitor, the instance list contains all active ICA sessions, which includes any session (shadower) that is shadowing an active ICA session (shadowee). An active session is one that is logged on to successfully and is in use; a shadowing session is one that initiated shadowing of another ICA session. Note: In a shadowing session, although you can select ICA counters to monitor, you see no performance data for that session until shadowing is terminated.
10. Click Add and then click Close.
Using Citrix Performance Monitoring Counters

You can now use Performance Monitor to view and analyze performance data for the ICA counters you added. For more information about using Performance Monitor, see your Windows documentation.
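The same ICA Session latency and bandwidth counters collected from PowerShell instead of the Performance Monitor UI, for scripted baselining or alerting. This is an added example, not Citrix code; it assumes only the 'ICA Session' counter set name that the procedure above selects, and discovers the counter paths from that set on the local server rather than hard-coding counter names. The "Latency" and "Bandwidth" filters match on the counter path text, which is an assumption about how the counters in the set are named.

```powershell
# Added example, not Citrix code: read ICA Session counters with Get-Counter.
# Only the counter set name 'ICA Session' is assumed; paths come from the set itself.
function Get-IcaSessionCounters {
    param([string[]]$NamePattern = @('Latency', 'Bandwidth'))   # regexes matched against the counter path
    $set = Get-Counter -ListSet 'ICA Session' -ErrorAction Stop
    # PathsWithInstances has one path per active session for every counter in the set
    $paths = @($set.PathsWithInstances | Where-Object {
        $path = $_
        @($NamePattern | Where-Object { $path -match $_ }).Count -gt 0
    })
    if ($paths.Count -eq 0) { return @() }   # no active ICA sessions
    $samples = (Get-Counter -Counter $paths -ErrorAction SilentlyContinue).CounterSamples
    $samples |
        Where-Object { $_.Status -eq 0 } |   # a shadowing session returns no data until shadowing ends
        ForEach-Object {
            [pscustomobject]@{
                Session = $_.InstanceName
                Counter = ($_.Path -split '\\')[-1]
                Value   = $_.CookedValue
            }
        }
}

# Get-IcaSessionCounters | Sort-Object Session, Counter | Format-Table -AutoSize
```

Filtering on Status keeps the shadowing sessions mentioned in step 9 out of the output instead of reporting them as zero values, which would otherwise pull down any average computed from the collection.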
- Streamline application publishing to multiple farm servers
- Load balance access to published resources
- Filter policies so that settings are applied only to sessions hosted on a specific set of farm servers

- A farm server can belong to multiple worker groups
- A worker group can include any number of XenApp servers or none at all
- Only servers that belong to the same XenApp farm are included in a worker group
Publishing Applications
When publishing an application, you can use worker groups to specify the servers hosting the application. To increase capacity for the application, you can add more servers to the worker group rather than modify the application properties. If your environment includes Active Directory, you can create the worker group based on the Organizational Unit (OU) that includes the servers hosting the application. To increase capacity for the application, you add servers to the OU. New servers that you add to the OU are automatically included in the worker group. When adding servers to worker groups for application publishing, all XenApp servers in the worker group must have the application installed. When a user attempts to launch an application, XenApp checks to ensure the application is installed on the farm servers in the worker group. If the application is not installed, the application does not launch and an error is logged to the Application event log on the data collector.
- Direct users to a backup server in the event of an outage
- Direct a specific group of users to a group of dedicated servers

- A filter to determine when the policy is applied
- A worker group preference list to determine the servers to which users are directed when logging on
When you create a load balancing policy, configure a filter so that the load balancing policy can be applied to users when they access published resources. If you do not configure a filter, the load balancing policy will have no effect when users log on. As with other Citrix policies, you can filter based on access control, client IP address, client name, and users.

Additionally, to ensure users are directed to the appropriate servers, create a worker group preference list to prioritize the servers that users can access. A priority of 1 is considered the highest priority. When a user launches a published application, the load balancing policy directs the user to servers in the highest priority worker groups first. Users are directed to servers in lower priority worker groups if servers in the higher priority worker groups are offline or have reached maximum capacity. Users are not directed to servers in worker groups that are not included in the worker group preference list. If a user attempts to launch an application that is not installed on any servers in any of the listed worker groups, regardless of priority, the launch attempt fails and an error is logged to the Application event log on the data collector.

After you create load balancing policies, you prioritize them just as you would any other Citrix policy. If multiple load balancing policies apply to a single user, XenApp uses the worker group preference list from the highest priority policy to direct the user. Preference lists from lower priority load balancing policies are not considered.
Click Set priority and enter the priority level you want for the worker group. Entering a priority for a worker group does not affect the priority of any other worker group in the list. Multiple worker groups can share the same priority. Click Increase Priority or Decrease Priority to adjust incrementally the priority of the worker group.
Click Set priority and enter the priority level you want for the policy. Click Increase priority or Decrease priority as appropriate to adjust incrementally the priority of the policy.
Direct requests for applications by specifying a Worker Group connection order in the Load Balancing Policies. Create a policy that applies to connections from a worker group. Then, specify that worker group as the Primary Group in the policy. This makes XenApp route incoming connection requests from users to that worker group first.
For more information about worker groups, see Creating Worker Groups.
Resource Allotment
Resource Allotment is calculated from the published application's importance level and the result of the XenApp policy engine for that session; the policy engine bases the session result on the session importance policy setting. A session's Resource Allotment determines the level of service it experiences compared with other sessions on the same XenApp server and with sessions on other XenApp servers. The higher a session's Resource Allotment, the higher the level of service it receives compared with those other sessions.

The figure illustrates a XenApp farm running sessions with different Resource Allotments, and how a session's Resource Allotment affects its competition with other sessions on the same server and on different servers. Session 1 on Server 2 has a relatively high Resource Allotment compared with all other sessions in the farm. As a result, Session 1 gets the highest percentage of CPU cycles (90%) of any session running in the farm, and at the same time competes with fewer sessions on that server (there are only two sessions on Server 2, as opposed to three). Any new session would be assigned to Server 1 because it has the lowest Resource Allotment of the three servers. The session with the highest Resource Allotment gets the highest percentage of CPU cycles of any session running in the farm.
The three application importance settings have Resource Allotment values associated with them, as do the three session importance policy settings. To determine the effective Resource Allotment associated with a session running the published application, multiply the application importance value by the session importance policy value. The most powerful session is one with a high importance policy setting (3) running a high importance application (3), with a total Resource Allotment of 9 (3x3). Conversely, the least powerful session is one with a low importance policy setting (1) running a low importance application (1), with a total Resource Allotment of 1 (1x1). Use this table to help determine how to set your importance levels for applications and sessions.
Resource Allotments based on importance levels

| Application Importance | Session Importance (from policy) | Session Resource Allotment |
|---|---|---|
| Low (1) | Low (1) | 1 |
| Low (1) | Normal (2) | 2 |
| Low (1) | High (3) | 3 |
| Normal (2) | Low (1) | 2 |
| Normal (2) | Normal (2) | 4 |
| Normal (2) | High (3) | 6 |
| High (3) | Low (1) | 3 |
| High (3) | Normal (2) | 6 |
| High (3) | High (3) | 9 |
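The table and the farm figure above, worked through as an added Python example (not Citrix code). The importance values 1, 2 and 3 and the product rule come from the text; the farm layout is constructed to match the figure (three low-allotment sessions on Server 1, one high- and one low-allotment session on Server 2). The proportional CPU split in cpu_share_estimate is an assumed simplification chosen because it reproduces the 90% figure, not a formula the documentation states.

```python
"""Resource Allotment arithmetic from the table above and the farm figure.

Added example, not Citrix code. The importance values (1, 2, 3) and the
allotment product come from the text; the proportional CPU split in
cpu_share_estimate is an assumed simplification that reproduces the 90%
figure, not a documented formula. The farm layout is constructed.
"""

IMPORTANCE = {"Low": 1, "Normal": 2, "High": 3}


def resource_allotment(app_importance: str, session_importance: str) -> int:
    """Effective Resource Allotment = application importance x session importance (1..9)."""
    return IMPORTANCE[app_importance] * IMPORTANCE[session_importance]


def allotment_table():
    """All nine (application, session, allotment) combinations, in the table's order."""
    return [(a, s, resource_allotment(a, s)) for a in IMPORTANCE for s in IMPORTANCE]


def server_allotment(sessions) -> int:
    """Total Resource Allotment of the sessions on one server.
    sessions: [(app_importance, session_importance), ...]"""
    return sum(resource_allotment(a, s) for a, s in sessions)


def place_new_session(farm: dict) -> str:
    """A new session goes to the server whose sessions carry the lowest total
    Resource Allotment. farm: {server name: sessions}. Ties broken by name (assumed)."""
    return min(farm, key=lambda name: (server_allotment(farm[name]), name))


def cpu_share_estimate(sessions) -> dict:
    """Assumed model: CPU time on a server split in proportion to each session's
    allotment. Returns {session number: percent}."""
    total = server_allotment(sessions)
    return {i: round(100 * resource_allotment(a, s) / total, 1)
            for i, (a, s) in enumerate(sessions, start=1)}


# Constructed farm matching the figure: Server 2 runs one high-allotment session
# next to one low-allotment session; Server 1 runs three low-allotment sessions.
FARM = {
    "Server 1": [("Low", "Low"), ("Low", "Low"), ("Low", "Low")],
    "Server 2": [("High", "High"), ("Low", "Low")],
    "Server 3": [("Normal", "Normal"), ("Normal", "Normal")],
}

if __name__ == "__main__":
    for app, sess, value in allotment_table():
        print(f"{app:7} x {sess:7} = {value}")
    print("new session goes to", place_new_session(FARM))
    print("Server 2 CPU split:", cpu_share_estimate(FARM["Server 2"]))
```

Server totals in this constructed farm are 3, 10 and 8, so the new session lands on Server 1, and the 9:1 split on Server 2 gives Session 1 the 90% of CPU cycles the figure describes.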
CPU reservation is a percentage of your server's CPU resource that is set aside for a user. If a user is not consuming all of a reserved allocation, other users or processes can use the unused portion as needed. Up to 20% of the work capability of a single CPU on a server is always set aside for the local system account and is not available to users. CPU shares are percentages of the CPU time. By default, CPU utilization management allocates four shares for each user. If two users are logged on to a server and the local system account does not need any of the resources on the system, each user receives 50% of the CPU time. If there are four users, each user receives 25% of the CPU time.
Important: The range for CPU share is 1 through 64 percent. For CPU reservation, the total cannot be more than 99%, which represents the entire CPU resource on the computer. If you enable CPU utilization management, you must disable Microsoft Dynamic Fair Share Scheduling (DFSS). Do not enable CPU utilization management on farms or servers that host:

- CPU-intensive applications that may require a user to have a share of the CPU greater than that allocated to fellow users.
- Special users who require higher priority access to servers. You can exclude specified users from CPU restrictions.
Managing CPU Usage

1 Configure the Citrix policy settings for Memory/CPU > CPU management server level. Choose one of the following settings:

- Select Fair sharing of CPU between sessions to allocate an equal share of the CPU to each user.
- Select Preferential Load Balancing to allocate shares based on importance levels.

2 Continue by applying one or more filters to the policy based on worker groups or organizational units.
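The share and reservation limits stated in the Important note, and the two CPU management settings in the procedure above, as an added Python example (not Citrix code and not the policy engine). validate_cpu_settings checks a proposed configuration against the documented limits; cpu_split computes the per-user CPU percentage, which with the default four shares each reproduces the 50%/25% figures for two and four users (Fair sharing) and, when allotment-based shares are passed in, models Preferential Load Balancing. The user names and settings are constructed, and treating excluded users as simply outside the share pool is a modelling assumption.

```python
"""CPU utilization management: setting checks and the fair-share split.

Added example, not Citrix code. The limits (share 1..64, reservations
totalling at most 99%, up to 20% set aside for the local system account,
four shares per user by default, DFSS must be off) come from the text; the
user names and settings are constructed.
"""

SHARE_MIN, SHARE_MAX = 1, 64
RESERVATION_TOTAL_MAX = 99
SYSTEM_RESERVE_MAX = 20       # percent of one CPU never available to users
DEFAULT_SHARES = 4


def validate_cpu_settings(shares: dict, reservations: dict, dfss_enabled: bool) -> list:
    """Return the list of documented limits the settings violate (empty = consistent)."""
    problems = []
    if dfss_enabled:
        problems.append("Microsoft Dynamic Fair Share Scheduling must be disabled")
    for user, share in shares.items():
        if not SHARE_MIN <= share <= SHARE_MAX:
            problems.append(f"{user}: CPU share {share} is outside {SHARE_MIN}..{SHARE_MAX}")
    for user, pct in reservations.items():
        if pct < 0:
            problems.append(f"{user}: negative CPU reservation")
    total = sum(reservations.values())
    if total > RESERVATION_TOTAL_MAX:
        problems.append(f"total CPU reservation {total}% exceeds {RESERVATION_TOTAL_MAX}%")
    return problems


def cpu_split(users, shares=None, system_demand=0, excluded=()) -> dict:
    """Percent of CPU time per user once the scheduler enforces the shares.

    users:         names of logged-on users
    shares:        {user: shares}; users not listed get the default of four
                   (Fair sharing); pass allotment-based values to model
                   Preferential Load Balancing
    system_demand: percent the local system account is actually using (0..20)
    excluded:      users exempt from CPU restrictions; modelled as outside the
                   share pool (assumption)
    """
    shares = shares or {}
    system_demand = min(max(system_demand, 0), SYSTEM_RESERVE_MAX)
    pool = [u for u in users if u not in excluded]
    if not pool:
        return {}
    total_shares = sum(shares.get(u, DEFAULT_SHARES) for u in pool)
    available = 100 - system_demand
    return {u: round(available * shares.get(u, DEFAULT_SHARES) / total_shares, 2)
            for u in pool}


if __name__ == "__main__":
    print(cpu_split(["alice", "bob"]))                      # fair sharing, idle system account
    print(cpu_split(["alice", "bob", "carol", "dave"]))
    print(cpu_split(["alice", "bob"], shares={"alice": 9, "bob": 1}))   # preferential
    print(validate_cpu_settings({"alice": 0}, {"alice": 60, "bob": 40}, dfss_enabled=True))
```

The last call reports three problems at once (DFSS still enabled, a share of 0 below the minimum, and reservations totalling 100%), which is the kind of check worth running before the policy is applied to a worker group rather than after users notice the effect.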
- Applications that reside on network shares (automatically excluded).
- Applications that have digitally signed components.
- Applications whose DLLs are protected by Windows Rights Management. For example, applications such as Office 2003 do not benefit from this feature.
- Applications whose executable programmatically checks the DLL after it is loaded.
- Applications that require a fixed DLL address.
In general, if an application was working but stops working after you enable this feature, add the application to the exclusion list and check whether the problem is resolved. With memory optimization enabled, to exclude additional applications, configure the Citrix policy settings for Memory/CPU > Memory optimization application exclusion list by adding the full path and executable name for the application, for example: C:\%Program Files%\ProgramName.exe, where %Program Files% is the full path to the application.
Memory optimization interval. Set the frequency interval to daily (default), weekly, monthly, or only when you restart your server. If you choose to run the program weekly or monthly, specify the day of the week or month.

Memory optimization schedule: day of month (1 by default). Enter the day of the month using values 1-31. If the specified day does not occur in a given month, such as day 31 in June, memory optimization does not run in that month. This setting is used only if you set the interval to Monthly.

Memory optimization schedule: day of week (Sunday by default). Select the day of the week that memory optimization runs. This setting is used only if you set the interval to Weekly.

Memory optimization schedule: time (3:00 AM by default). This setting is used only if you set the interval to Daily, Weekly, or Monthly.
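The interval settings above, as an added Python example (not Citrix code) that computes when the next memory optimization run would occur from a given moment. It handles the edge case the text calls out: a monthly schedule set to day 31 (or 29 and 30) simply produces no run in a month that lacks that day, and the next run falls in the following month that has it. The default time of 3:00 AM and default day of week of Sunday are taken from the text; the sample dates are constructed.

```python
"""Next memory optimization run for the interval settings described above.

Added example, not Citrix code: it computes when the next run would occur
and handles the documented edge case that a monthly run is skipped in any
month that does not contain the configured day (day 31 in June). The
sample dates are constructed.
"""
import calendar
from datetime import datetime, time, timedelta

DAY_NAMES = list(calendar.day_name)   # Monday .. Sunday, index == datetime.weekday()


def next_run(interval, now, run_time=time(3, 0), day_of_month=1, day_of_week="Sunday"):
    """Return the next run strictly after `now`, or None when the interval is
    'Restart' (run only when the server restarts).

    interval: 'Daily' | 'Weekly' | 'Monthly' | 'Restart'
    """
    if interval == "Restart":
        return None
    if interval == "Daily":
        candidate = datetime.combine(now.date(), run_time)
        return candidate if candidate > now else candidate + timedelta(days=1)
    if interval == "Weekly":
        days_ahead = (DAY_NAMES.index(day_of_week) - now.weekday()) % 7
        candidate = datetime.combine(now.date(), run_time) + timedelta(days=days_ahead)
        return candidate if candidate > now else candidate + timedelta(days=7)
    if interval == "Monthly":
        if not 1 <= day_of_month <= 31:
            raise ValueError("day of month must be between 1 and 31")
        year, month = now.year, now.month
        for _ in range(13):       # 13 consecutive months always contain a valid run date
            last_day = calendar.monthrange(year, month)[1]
            if day_of_month <= last_day:     # otherwise: no run in this month
                candidate = datetime(year, month, day_of_month,
                                     run_time.hour, run_time.minute)
                if candidate > now:
                    return candidate
            month, year = (month % 12) + 1, year + (month // 12)
        raise AssertionError("unreachable")
    raise ValueError(f"unknown interval {interval!r}")


def next_run_iso(interval, now_iso, **settings):
    """String-based wrapper: ISO 8601 timestamp in, ISO 8601 timestamp (or None) out."""
    result = next_run(interval, datetime.fromisoformat(now_iso), **settings)
    return result.isoformat() if result else None


if __name__ == "__main__":
    # Constructed example: evaluated on 15 June 2011 at noon with day of month 31.
    for interval in ("Daily", "Weekly", "Monthly", "Restart"):
        print(f"{interval:8} -> {next_run_iso(interval, '2011-06-15T12:00:00', day_of_month=31)}")
```

With the constructed date the monthly schedule reports 31 July rather than anything in June, which is the behaviour the setting description documents; a run scheduled exactly at the configured time is treated as already due and the following occurrence is returned.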
- Sets the value of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\IMA\RUNTIME\PSRequired to 1.
- Deletes the existing local host cache (Imalhc.mdb).
- Creates an empty local host cache (Imalhc.mdb).
You must restart the IMA Service after running dsmaint recreatelhc. When the IMA Service starts, the local host cache is populated with fresh data from the data store. The data store server must be available for dsmaint recreatelhc to work. If the data store is not available, the IMA Service fails to start.
- Most Preferred. The server is always the first choice to become the data collector. It is recommended that only one server per zone be given this setting.
- Preferred. When electing a new data collector, XenApp elects the next collector from the Preferred servers if the Most Preferred server is not available.
- Default Preference. The default setting for all servers. The next collector is selected from the Default servers if neither a Most Preferred server nor a Preferred server is available.
- Not Preferred. Apply this setting to servers that you do not want to become the data collector for the zone. This setting means that this server becomes the data collector only when no servers are available with any of the other three settings (Most Preferred, Preferred, Default Preference).

3 Restart the servers to apply the changes.

Zones are listed in the middle pane according to their election preference.
To configure zones and back-up data collectors

Also from the Actions pane, select the Set server's zone membership option to move the selected server to another zone, or select the Change server's zone membership option to move the selected server to another zone.
- You rename your license server.
- You want to point to a second license server to relieve some of the traffic to the first license server. For example, you have many connections and you find that it is slowing down the network, or you would like to add a second license server to the farm and point half of the connections to it.
- You want to specify another license server to point to individual servers to segregate licenses. For example, you want to host the accounting department's licenses on a server other than the human resources department's.
- The default port number (27000) is already in use.
- You have a firewall between the license server and the computers running your Citrix products, and you must specify a static Citrix vendor daemon port number.
To change the name of the license server or port number that it uses to communicate, configure the Citrix policy for Licensing by setting the following options:

- Enter the License server host name of the server hosting XenApp licenses.
- Enter the License server port number (default 27000).
Changing the settings on this page is only one part of the procedure, however. If you decide to change the license server name, ensure that a license server with the new name already exists on your network. Because license files are tied to the license server's host name, if you change the license server name, you must download a license file that is generated for the new license server. This may involve returning and reallocating the licenses. To return and reallocate your licenses, go to www.mycitrix.com. If you change the port number, specify the new number in all license files on the server. For additional information, see Technologies > Licensing Your Product.
Smooth Roaming works when connecting with the Web Interface using pass-through or smart card authentication, and when connecting with the online plug-in using smart card authentication or the Kerberos pass-through option.
Configuring the Citrix XML Service Port and Trust

For example, you can use workspace control to assist health-care workers in a hospital using smart cards, who need to move quickly among workstations and be able to pick up where they left off in published applications.

XenApp can use the information passed on from Access Gateway (Version 4.0 or later) to control application access and session policies. This information includes Access Gateway filters that can be used to control access to published applications and to set XenApp session policies. If you do not trust requests sent to the XML Service, this additional information is ignored.
Before enabling the Citrix XML Service to trust requests it receives, use IPSec, firewalls, or another technology to ensure that only trusted services communicate with the Citrix XML Service. To avoid security risks, enable the setting only under the following conditions:
- Some users connecting to their sessions using the Web Interface are also using pass-through authentication or smart cards.
- The same users need to move from one client device to another and still be able to pick up where they left off in published applications.
- You implemented IPSec, firewalls, or any technology that ensures that only trusted services communicate with the XML Service.
- You are selecting this setting only on servers that are contacted by the Web Interface.
- You are restricting access to the XML Service to the servers running the Web Interface. When Internet Information Services (IIS) and the XML Service share a port, you can use IIS to restrict port access to include the IP addresses of servers running the Web Interface only.
To manually change the XML Service port to use a port different from IIS after installation
Note: This setting takes effect only after the XML Service restarts. The XML Service port set using a Group Policy Object takes precedence over the port you set using the command line in this method.

1 At a command prompt, stop IIS by typing: net stop w3svc
2 Delete the following files from the IIS scripts directory on your Web server:
   - wpnbr.dll
3 At a command prompt, restart IIS by typing: net start w3svc
   The XML Service no longer shares a port with IIS.
4 To ensure the XML Service is stopped, at a command prompt, type: net stop ctxhttp
5 At a command prompt, to unload the XML Service from memory, type: ctxxmlss /u
6 To install the XML Service, type: ctxxmlss /rnn where nn is the number of the port you want to use; for example, ctxxmlss /r88 forces the Citrix XML Service to use TCP/IP port 88.
7 At a command prompt, start the XML Service by typing: net start ctxhttp
To manually configure Citrix XML Service to share the TCP port with IIS
You must have Administrator privileges to configure the Citrix XML Service.

1 At a command prompt, stop the XML Service by typing: net stop ctxhttp
2 At a command prompt, to unregister the Citrix XML Service, type: ctxxmlss /u
3 Copy the following files to the IIS scripts directory on your Web server:
   - wpnbr.dll
   These files are installed in \Program Files (x86)\Citrix\System32 during XenApp installation. The default scripts directory is \Inetpub\AdminScripts.
4 In the IIS scripts directory, create a folder called ctxadmin and copy the file ctxadmin.dll from \Program Files (x86)\Citrix\System32 to \Inetpub\AdminScripts\ctxadmin.
5 Ensure that you have read and write permission to the files in the IIS scripts directory; for example, use Windows Explorer to view and change the permissions.
6 At a command prompt, stop and restart the Web server by typing: iisreset
   This setting takes effect after the Web server restarts.
- The concept of printer provisioning in a session and the two major types of provisioning (auto-created and self-provisioned). To understand these concepts, you need to understand, among other things, the difference between a printer, a printing device, and a printer driver.
- How print jobs can be routed in XenApp.
- The policies that you can create to manage drivers.
XenApp printing concepts build on Windows printing concepts. To configure and successfully manage printing in a Citrix environment, you must understand how Windows network and client printing works and how this translates into printing behavior in a Citrix environment.
Introduction to Windows Printing Concepts

Here are a few basic definitions:

Printing device. In the context of this topic, the term printing device refers to the physical printer (that is, the hardware device to which you send print jobs).

Printer. The term printer refers to the software representation of a printing device. Computers must store information about printers so they can find and interact with printing devices. When you see printer icons in the Printers panel in the Control Panel, you are seeing the software representation of the printers. (You are not seeing the printer drivers.) For clarity, the term printer object is sometimes used to denote the software representation of a printing device.

Printer driver. The printer driver is the software program that lets the computer communicate with the printing device. This program converts the information to be printed to a language that the printing device can process. It also understands the device and job settings of the printing device and presents a user interface for users to configure these. In Windows systems, printer drivers are distinct from the software representation of printers.

Print job. When a user prints a document, the data sent to the printer is known as a print job. Jobs are queued to the printer in a specific sequence, which the print spooler controls. This sequence is known as the print queue.

Print spooler. The spooler is the Windows service that manages printer objects, coordinates drivers, lets you create new printers, determines where print jobs are processed, and manages the scheduling of print jobs. The print spooler also determines whether the printer prints each page as it receives it or waits until it receives all pages to print the job. Typically, when a print job is spooled to a printer, the spooler loads documents into a buffer. The printing device then retrieves the print jobs from the buffer when it is ready to print the job. By storing the job, the computer can perform other operations while the printing occurs in the background.

Print queue. A sequential, prioritized list of the print jobs waiting to be printed. The spooler maintains this list for each printer object in the computer.

Print server. A computer that manages the communications between client devices and printers. In this context, the term print server refers to dedicated computers that are running a Windows server operating system and hosting a number of shared printers. Print servers provide client workstations with the drivers they need to print and store files, or print jobs, in a print queue until the printer can print them. A print server is a remote print spooler.

Network printer. A shared printer object accessed through a network print server.
Local and Remote Print Job Spooling

Local spooling:

1 The application tells the local spooler to create a print job and an associated spool file on the local computer.
2 On the local computer, Windows writes the application's drawing commands to the local spool file. This process of writing commands occurs repeatedly until the job is completely spooled.
3 The local spooler processes the job with the printer driver in a process known as rendering.
4 The local spooler delivers the rendered data to the printing device (for example, a locally attached printer).

Remote spooling:

1 The application tells the remote spooler to create a print job on the print server and an associated spool file.
2 On the local computer, Windows writes the application's drawing commands to the remote spool file. This process of writing commands across the network occurs repeatedly until the job is completely spooled.
3 The remote spooler processes the job with the printer driver in a process known as rendering.
4 The print server delivers the rendered data to the printing device (typically a network printer).
- Determines what printers (that is, printer objects) to provide to the user. This is known as printer provisioning.
- Restores the user's printing preferences.
- Determines which printer is the default for the session.
However, you can customize how XenApp performs these tasks by configuring options for printer provisioning, print job routing, printer property retention, and driver management. Settings for these options can affect the performance of printing in your environment and the user experience. For example, you can reduce the amount of latency when users print by choosing a method of provisioning that is appropriate for your network configuration. As a result, understanding key printing concepts is critical when planning your printing configuration:
- The difference between the client and network printing pathways, and how this is not the same as local printers and network printers
- The term printer provisioning, the types of printer provisioning (static and dynamic), printer autocreation, and user self-provisioning
- Print job routing and when changing it can improve utilization
- The basics of printer driver management
Overview of Client and Network Printing Pathways

This diagram shows a XenApp network printing example: Printing begins on the farm server hosting the user's session (where the application is published and executing). XenApp routes the print job over a network connection to the network print server. The network print server then routes the print job to an associated network printing device.

When a print job is spooled remotely in a Windows environment, it uses this process:

1 The application tells the remote spooler to create a print job and an associated spool file.
2 The Windows Print Provider sends the spool file to the print server.
3 The print server processes the spool file.
4 The print server then sends the print job to the appropriate network printer.
This diagram shows a XenApp server local printing example: Printing begins on the farm server hosting the users session and is routed to a printing device attached locally to the server.
This diagram shows a simplified XenApp client printing example: Printing begins on the server where the application is published. XenApp sends the print job over the connection to the client device. The client device then routes the print job to the printer connected locally to the client device.
When a print job is spooled to a client along the client printing pathway, it uses this process:

1 The published application tells the local spooler on the server hosting the application (that is, the host server) to create a print job and an associated spool file on the host server.
2 On the host server, Windows writes the application's drawing commands to the local spool file. (This process of writing commands occurs repeatedly until the job is completely spooled.)
3 The local spooler processes the job with the printer driver in a process known as rendering.
4 The rendered data is delivered to the client device through the ICA protocol.
5 The client device relays the print data to the client-side printing device (a locally attached printer in this example).
This diagram shows client printing to a network printer: Printing begins on the server where the application is published. XenApp routes the print job over the connection to the client device. The client device then routes the print job over the network to the print server, which in turn routes the print job to the network printer.
When a print job is spooled to a network printer along the client printing pathway, it uses this process:

1 The application server sends the print job to the client for processing.
2 The client processes the spooled job and sends it to the Windows print server for processing.
3 The Windows print server then sends the print job to the appropriate network printer.

Configuring XenApp to use the client printing pathway for network printing devices is useful when a print server is in a domain different from the farm servers (and the client devices have access to the print server's domain). Using the client printing pathway lets application servers send print jobs over the ICA connection to access the printer through the client device. Configuring the client printing pathway for network printing is also useful for low bandwidth connections, such as WANs, that can benefit from the traffic compression that results from sending jobs over the ICA connection. The client printing pathway also lets you limit traffic or restrict bandwidth allocated for print jobs.
Static. Server local printers are provisioned only once, when you connect them to the farm server. After that, they are always created in sessions with the same properties and do not vary according to policies.

Dynamic. The printers that are available in a session are determined as the session is built. As a result, they can change according to changes to policies, changes in user location, and changes to the network (provided they are reflected in policies). When printers are provisioned dynamically, the printers that appear in a session are not predetermined and stored. Rather, the printers are assembled, based on policies, as the session is built.
Because provisioning static printers is relatively simple, this topic focuses on provisioning printers dynamically. The two most common methods of dynamic printer provisioning are:

- Autocreation
- User self-provisioning

To control what printers users have in their sessions and ensure printers are available when users start their sessions, provision their printers through autocreation. If you do not want to specify (and administer) user printers, you can let users self-provision their printers. If you choose, you can prevent printer autocreation and let users provision printers visible from their client device.
User Provisioning
You can allow users to add printers to their sessions on their own. Users can map client printers that are not autocreated by policy manually in a user session through the Windows Add Printer wizard on the server (in their sessions). If users have thin clients or cannot access their client devices, they can self-provision by running the ICA Client Printer Configuration tool (PrintCfg.exe). For users to self-provision with the utility, you must publish PrintCfg.exe on your farm.
Autocreation
The term autocreation refers to printers XenApp creates automatically, at the beginning of each session, based on what printers are configured on the client device and any policies that apply to the session. By default, XenApp makes printers available in sessions by creating all printers configured on the client device automatically, including locally attached and network printers. After the user ends the session, the printers for that session are deleted. The next time a session starts, XenApp evaluates any policies for printer creation and enumerates the appropriate printers from the client device. You can change the default autocreation policy settings to limit the number or type of printers that are auto-created. XenApp can auto-create:
- Client redirected printers, including auto-created client printers and a Universal Printer
- Network printers
There is maintenance associated with provisioning printers by using client and network printer autocreation. When you add new printers, you need to update the autocreation list. Also, the drivers for these printers must be added to all servers on the farm; however, you can specify for XenApp to do this automatically. This topic comprises:

- Auto-Creating Client Printers
- Provisioning a Citrix Universal Printing Solution
- Auto-Creating Network Printers
- Letting Users Provision Their Own Printers
All of these provisioning methods use the client printing pathway except for Auto-Creating Network Printers, which uses the network printing pathway.
- By creating a one-to-one match with printers on the client device
- By creating one generic printer, the Citrix Universal Printer, that represents all (or any) printers on the client device
In many environments, especially large ones, Citrix recommends that you auto-create only one default printer. Auto-creating a smaller number of printers creates less overhead on the server and is better for CPU utilization. However, in environments where users with limited computer skills need to print to a wide variety of local printing devices, you may want to leave the default autocreation setting so that all printers are created on logon. If you do not want large numbers of printers created at the beginning of each session, consider specifying for XenApp to use the Citrix Universal Printer.
- All printers visible to the client device, including network and locally attached printers, are created automatically at the start of each session
- All non-network printers physically attached to the client device are created automatically
- Only the default printer for the client device is created automatically
- No printers visible to the client device are created automatically
- User accounts are not shared
- Users are not in the local power user or administrators group on the client devices
- You add Microsoft native or fully tested drivers only
Citrix Universal Printer. A generic printer object, replacing the printers that appear in the user's Printers control panel during their session. This printer can be used with almost any printing device.

Citrix Universal Printer Drivers. Windows Native Printer drivers are generic drivers that work with almost any printer. These drivers also work with non-Windows clients. Citrix-created Universal printer drivers consist of the Citrix XPS Universal Printer driver and the EMF-based Citrix Universal Printer driver.
Auto-created device printer with Citrix Universal printer driver. A device-specific printer gets auto-created but uses a Citrix Universal printer driver. For example, configured policy rules specify that the printer LaserJet5L still gets auto-created at the beginning of each session; however, the session uses the Citrix Universal printer driver to communicate with the driver on the client device and the print job is processed on the client device.

Auto-created Citrix Universal Printer with a Citrix Universal printer driver. A Citrix Universal Printer gets auto-created and it uses a Citrix Universal printer driver. That is, at the beginning of each session, the only printer that is auto-created is the Citrix Universal Printer. Like the first example, the session uses the Citrix Universal printer driver to communicate with the driver on the client device and the print job is processed on the client device.

Auto-created device printers, auto-created Citrix Universal Printer with a Citrix Universal printer driver. At the beginning of the session, the Citrix Universal Printer and device-specific printers are auto-created. Both printers use the Citrix Universal printer driver.
Auto-Creating Client Printers

Whether you use a Citrix Universal printing solution depends on various factors:

- The Citrix Universal Printer and printer driver might not work for all client devices or plug-ins in your environment. The Citrix Universal Printer and printer driver solution requires the Citrix online plug-in or the Citrix offline plug-in. The Citrix Universal Printer does not work if plug-ins are not connecting through the ICA channel, such as when you are using the Citrix offline plug-in and streaming applications to the client. If you want to use a universal printing solution for non-Windows plug-ins, use one of the other universal printer drivers that are based on PostScript/PCL and installed automatically with XenApp.
- The Citrix Universal printer driver might also create smaller print jobs than older or less advanced printer drivers. However, sometimes it might be better to use a device-specific driver because the driver might be able to optimize print jobs for its associated printer.
Note: If you want the Citrix Universal Printer to appear in sessions, make sure that the Citrix policy setting Client printer names is not set to Legacy printer names in any policies affecting those sessions.

Universal printer drivers are installed by default on each farm server; the printer is not enabled, however. To get the best results when configuring your farm, use both the Citrix Universal Printer and a Citrix Universal printer driver.

Note: Citrix Universal Printing is available for Citrix Presentation Server Client, Version 9.x or Version 10.x, Citrix XenApp Plugin for Hosted Apps 11.0, the Citrix online plug-in, the Citrix XenApp Plug-in for Streamed Apps, and the Citrix offline plug-in. This feature is available in Presentation Server 4.0 to XenApp 6.
EMF-based Citrix Universal Printer. The EMF-based Citrix Universal Printer can display a Print Previewer before printing. Clicking Local Settings in the Citrix Print Previewer is the only way users can select a different printer, control the device settings for the printer hardware, and preview the print job. You control whether or not the Local Settings button is available to users. If you do not allow users to change their printer through the Local Settings button, the Citrix Universal Printer prints to the default printer on the client device.

XPS-based Citrix Universal Printer. Like Microsoft XPS Document Writer, the Citrix XPS Universal Printer sends documents to Internet Explorer if a user selects Print Preview or modifies the print settings, displaying them in Microsoft's XPS electronic paper format.
Note: The Print Previewer cannot be controlled by the administrator unless users have the Citrix Presentation Server Client, Version 10.100 or later, the Citrix XenApp Plug-in for Hosted Apps, Version 11.x, or the Citrix online plug-in.
- The locations where printing settings can be stored in a XenApp environment
- The priority XenApp software uses to apply printing preferences from previous sessions to the printers in a newly created session
- Where XenApp software stores printing preferences by default, and whether there are factors in your environment that will prevent the software from successfully storing them in this location (that is, when you need to change this setting)
- On the client device itself. The settings are set on the client device by right-clicking the printer in the Control Panel and selecting Printing Preferences. For example, if Landscape is selected as page orientation, landscape is saved as the default page orientation preference for that printer. This type of preference is known as Device Settings.
- Inside of a document. In word-processing and desktop-publishing programs, settings such as page orientation are often stored inside documents. These settings are often referred to as Document Settings. For example, when you queue a document to print, Microsoft Word typically stores the printing preferences you specified, such as page orientation and the printer name, inside the document. These settings appear by default the next time you print that document.
- From changes a user made during a session. XenApp keeps changes to the printing settings of an auto-created printer only if the change was made in the Control Panel in the session; that is, on the server.
- On the server. These are the default settings associated with a particular printer driver on the server.
If you want to control user printing preferences, it is important to understand that the settings preserved in any Windows-based environment vary according to where the user made the changes. This also means that the printing settings that appear in one place, such as in a spreadsheet program, can be different from those in others, such as documents. As a result, the printing settings applied to a specific printer can change throughout a session.
1 XenApp checks for retained printer settings. If XenApp finds retained settings, it applies these settings when the user prints.
2 If there are no retained printer settings, XenApp searches for any changes to the printer settings for the default printer for the client device. If XenApp finds any changes to printing preferences on the client device, it applies these settings when the user prints.
3 If there are no retained or client printer settings, XenApp applies the default printer settings stored on the server when the user prints.

At this point, the printer settings are merged. Generally, XenApp merges any retained settings and the settings inherited from the client device with the settings for the default printer driver on the server. By default, XenApp always applies any printing settings a user modified during a session (that is, the retained settings) before considering any other settings.
- Client version. Not all XenApp plug-ins allow users to store printer properties on a client device. Users must be running Citrix Presentation Server Client 9.x or higher to store user-modified printer properties on the client device.
- Type of Windows user profile. That is, whether you are using local, roaming, or mandatory profiles on your Windows network. If you are using a mandatory profile and you want to retain the user's printer properties, you must store the properties on the client device.
- Farm size. If you have a large farm and you are load balancing applications, users will experience inconsistent printing behavior and properties if you use local profiles. The only way you can get consistent printing behavior is to save the printer properties on the client device.
- Type of workers. If you have mobile or remote workers and you are using roaming profiles, you must save the printer properties to the user's profile and not the client device.
If none of these factors apply to you, Citrix recommends that you not change where the printer properties are stored. Leaving the default setting, which saves the printer properties on the client device, is the easiest way to ensure consistent printing properties. You can specify whether you want these settings stored on the client device or with the user's profile. You can also change this default behavior so that settings are not stored. However, before you make these decisions, you must understand how XenApp determines which print settings it applies and also what the difference is between storing print settings on the client device or with a profile.
- A network printer you specify as the default
- The default printer on the client device
If you want to base the default session printer on either of these, use the Citrix policy setting Default printer. See To specify a default printer for a session for details. However, if you specified that XenApp auto-create the default client printer, then, if no other printers are provisioned in sessions, you might not need to specify a default session printer.
SmoothRoaming
Also known as Workspace control, this feature lets a user disconnect from one session, move to another device, and reconnect to continue that same session. The printers assigned on the first client device are replaced on reconnection with the printers designated on the second client device. As a result, users are always presented with applicable printer options from wherever they connect.
Proximity Printing
This feature lets you control the assignment of network printers so that the most appropriate printer is presented, based on the location of the client device. The Proximity Printing solution is enabled through the Citrix policy setting Default printer. Proximity Printing can make administration easier even if you do not have mobile workers. For example, if a user moves from one department or floor to another, you do not need to assign additional printers to that user if Proximity Printing is implemented. When the workstation is recognized within the new location's IP address range, it has access to all network printers within that range. However, if you configure Proximity Printing, you must maintain the Session printers policy. For example, as network printers are added or removed, you must update this policy to reflect the current set of network printers. Likewise, if you modify the DHCP IP address ranges for floors or departments, you must update this policy. Proximity Printing requires that you can filter the policy on some type of geographic indicator, such as:
- The name of the workstation, if the name relates to the workstation's location
- Auto-created client printers. XenApp routes jobs to locally attached printers from the server, through the client, and then to the print device. The ICA protocol compresses the print job traffic. When a printing device is attached locally to the client device, the jobs must be routed through the plug-in.
- Auto-created network printers. By default, all print jobs destined for network printers route from the server, across the network, and directly to the print server. However, if the application server and the print server are on different domains, XenApp automatically routes the print job through the plug-in.
When network printers are visible from the server, you can use policies to control how print jobs are routed to network printers. You can configure that jobs be routed to network printers:
- Through the plug-in. This is accomplished by auto-creating the network printer but specifying that its jobs route through the plug-in.
- Over the network. This is accomplished either by leaving the default settings so that the network printer is auto-created (or configuring a policy to do this) or by provisioning the network printer through the Session printers policy rule.
Routing jobs along the network printing pathway is ideal for fast local networks and when you want users to have the same user experience that they have on their local client device (that is, when you want the printer names to appear the same in every session). However, print jobs relayed using the network printing pathway are not suited to WANs. The spooling of print jobs using the network printing pathway method uses more bandwidth than using the client pathway; many packets are exchanged between the host server and the print server. Consequently, users might experience latency while the print jobs are spooling over the WAN. Also, the print job traffic from the server to the print server is not compressed and is treated as regular network traffic. When printing jobs across a network with limited bandwidth, Citrix recommends routing jobs through the client device so that the ICA protocol compresses the jobs. To do so, disable the Citrix policy setting Direct connections to print servers.
The printer driver on the server and the driver used by the client device must match exactly. If not, printing fails. As a result, XenApp provides features to manage drivers, install them automatically, and replicate them across your farm. The following problems can arise from not managing client printer drivers correctly:
- Any missing drivers can prevent users from printing successfully.
- If a third-party printer driver has multiple or inconsistent names across your farm, a session might not be able to find it and a user's job may fail to print.
- Printing to a client printer with a defective driver can cause a fatal system error on a server.
- XenApp does not download drivers, including printer drivers, from the print server. For XenApp servers to print across the network printing pathway, the correct device-specific printer driver for the XenApp server's operating system (version and bit depth) must be installed on the XenApp server. Two print servers are not required.
- If a defective driver is replicated throughout a server farm, it is difficult and time consuming to remove it from every server to prevent its use with client printers.
When planning your driver management strategy, determine if you will support device-specific or the Universal Printing driver, or both. If you support standard drivers, you also need to determine:
- What types of drivers you want to support
- If you want printer drivers automatically installed when they are missing on farm servers
- If you want to create driver compatibility lists
- If you want to replicate drivers across your farm servers automatically
- Your business needs and your existing printing infrastructure. Design your printing configuration around the needs of your organization. Your existing printing implementation (users' ability to add printers, which users have access to which printers, and so on) might be a useful guide when defining your XenApp printing configuration.
- Whether your organization has security policies that reserve printers for certain users (for example, printers for Human Resources or payroll).
- Whether users need to print while away from their primary work location; for example, workers who move between workstations or travel on business.
When designing your printing configuration, try to give users the same experience in a session as they have when they print when working on their local client devices.
- All printers configured on the client device are created automatically at the beginning of each session. This behavior is equivalent to configuring the Citrix policy setting Auto-create client printers with the Auto-create all client printers option.
- XenApp routes all print jobs queued to printers locally attached to client devices as client print jobs (that is, over the ICA channel and through the client device).
- XenApp routes all print jobs queued to network printers directly from the server hosting the published application. If XenApp cannot route the jobs over the network, it routes them through the client device as a redirected client print job. This behavior is equivalent to disabling the Citrix policy setting Direct connection to print servers.
- XenApp retains all properties and settings users configure for printers they provision themselves in sessions. XenApp stores printing properties on the client device. If the client device does not support this operation, XenApp stores printing properties in the user profile for that user. This behavior is equivalent to configuring the Citrix policy setting Printer properties retention with the Held in profile only if not saved on client option.
- XenApp uses the Windows version of the printer driver if it is available on the server hosting the application. If the printer driver is not available, the XenApp server attempts to install the driver from the Windows operating system. If the driver is not available in Windows, it uses one of the Citrix Universal printer drivers. This behavior is equivalent to enabling the Citrix policy setting Automatic installation of in-box printer drivers and configuring the Universal printing setting with the Use universal printing only if requested driver is unavailable option.
Note: If you are unsure about what the shipping defaults are for printing, display them by creating a new policy and setting all printing policy rules to Enabled. The option that appears is the default.
- How printers are provisioned (or added to sessions)
- How print jobs are routed
- How printer drivers are managed
You can have different printing configurations for different client devices or users or any other objects on which policies are filtered. You must understand the ramifications of setting the options in printing policies, so review the information in the printing topics carefully before configuring them. See Configuring and Maintaining XenApp Printing for configuration details.
Printing Security
Client printing can, potentially, let a user from one session use another user's printer in a different session. Unlike network printer connections, client printers auto-created in a XenApp session are local printers managed by the local print provider and the Citrix spooler extensions. The local print provider maintains a single shared namespace for all local printers on a server, so a user's client printers may be visible, and potentially accessible, to users in other sessions on the server. By default, the XenApp printer naming convention helps combat this problem by avoiding the potential for printers and ports to be shared between sessions. Printers connected through a pass-through server use the session ID to identify the printer uniquely, keeping the remainder of the name the same. This allows the user to identify both the printer and the client it is connected to, without identifying the pass-through server through which it connected. In addition, to increase client printing security, access to the client printers is restricted to:
- The account that the print manager service runs in
- Processes running in the SYSTEM account, such as the spooler
- Processes running in the user's session
Windows security blocks access to the printer from all other processes on the system. Furthermore, requests for services directed to the print manager must originate from a process in the correct session. This prevents bypassing the spooler and communicating directly with CpSvc.exe. As an administrator, you cannot access client printers from another session; this prevents you from inadvertently printing to printers in another session. If you need to adjust the security settings of a printer in another session, you can do so through Windows Explorer.

Note: If administrators require frequent access to printers in other sessions, add the Admins Can Manage bit flag to the default print flags in the system registry of your server. See the Citrix Knowledge Center for more information.
- Client printers. The settings in this category affect the client redirected printers and printing using the client printing pathway.
- Drivers. The settings in this category control driver management.
- Printer redirection bandwidth limit. This setting restricts the bandwidth allocated to printers.
- Session printers. This setting configures how network printers are provisioned.
If you do not enable any settings that affect printing, XenApp uses the default printing behavior that is described in Planning Your Printing Configuration. Printing settings follow standard Citrix policy behavior:
- Printing settings are evaluated during initial logon and remain in force throughout the session. Any new printers added to a policy or a user device during a session do not appear in the session until the user logs off and logs on, creating a new session.
- The policies are filtered on standard objects that apply to all Citrix policy settings. Therefore, when configuring printing settings, determine which filter objects best achieve your goals. Filtering on Client Device Name is useful if you are trying to configure proximity printing. Filtering on Client IP address is useful when associating network printers with specific workstations.
Policy prioritization
All printing policy settings follow standard XenApp prioritization. Citrix policies always take precedence over Windows policies in a XenApp environment.
Policy maintenance
Changes in your network often result in the need to update printing policy configurations. For example, users changing departments or workstation locations require that you update the printing policies associated with those users. Adding or removing printers from your network requires that you update any configured Session printers policy settings.
- Do not auto-create client printers. Client printers are not auto-created.
- Auto-create the client's default printer only. Only the client's default printer, attached to or mapped from the client and preconfigured in the Control Panel, is auto-created in the session.
- Auto-create local (non-network) client printers only. Any non-network printers attached to the client device and preconfigured in the Control Panel are auto-created in the session.
- Auto-create all client printers. All network printers and any printers attached to or mapped from the user device and preconfigured in the Control Panel are auto-created in the session.
- Citrix XPS Universal Printer driver
- Citrix Universal Printer driver, which is EMF-based
- Auto-created Citrix Universal Printer with a Citrix Universal printer driver
Configuring only a Universal printer driver will not improve session start time (printers on the client device are still enumerated and auto-created at the beginning of sessions). However, configuring a Universal printer driver does improve printer driver performance.
- Auto-create generic universal printer. Enables or disables the auto-creation of the Citrix Universal Printer generic printing object. By default, generic universal printers are not auto-created.
- Universal driver priority. Specifies the order in which XenApp attempts to use universal printer drivers, beginning with the first entry in the list. You can add, edit, or remove drivers and change the order of the drivers in the list.
- Universal printing. Specifies when to use universal printing.
- Universal printing preview preference. Specifies whether to use the print preview function for auto-created or generic universal printers.
- Printer UNC path. Enter the path using the format \\servername\printername.
- Browse. Locate a printer on the network.
- Browse for printers on a specific server. Enter the server name using the format \\servername and click Browse.
Important: The server merges all enabled session printer settings for all applied policies, starting from the highest to lowest priorities. When a printer is configured in multiple policy objects, custom default settings are taken from only the highest priority policy object in which that printer is configured.
- Name of the network printer you want to be the default for this policy. Printers that were added with the Session printers policy setting are displayed in this drop-down menu and can be specified as the default printer.
- Set default printer to the client's main printer. Sets the default printer for the session to the client's current default printer. If the client's main printer is not mapped, this option has no effect.

Important: Mapping for the client's main printer can also be disabled through other policies, group policies, or Remote Desktop Services settings.
- Do not adjust the user's default printer. Uses the current Remote Desktop Services or Windows user profile setting for the default printer. If you choose this option, the default printer is not saved in the profile and it does not change according to other session or client properties. You can use this option to present users with the nearest printer through profile settings (functionality known as Proximity Printing). When Do not adjust the user's default printer is selected, the default printer in a session will be the first printer autocreated in the session, which is either:
- The first printer added locally to the Windows server in the Control Panel
- The first autocreated printer, if there are no printers added locally to the server

3 Apply the policy to the group of users (or other filtered objects) you want to affect.
- Render print jobs on client computers
- Sharing the printer allows creation of the printer when a session on that server is launched.
- It uses a DHCP server to assign your users IP addresses by their location (for example, floor of a building)
- All departments/floors within the company have unique designated IP address ranges
- Network printers are assigned IP addresses within the range of IP addresses for the department/floor in which they are located
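The following Python model is an added example, not Citrix code or part of this guide. It puts the three prerequisites above to work: given per-floor DHCP address ranges and the network printers inside them, it selects the printers a Session printers policy should present to a client at a given address, and it includes the maintenance check the Proximity Printing topic calls for (printers that no longer fall inside any configured range). The floor ranges, printer UNC paths and client addresses are constructed, and the assumption that the policy's Client IP address filter is expressed as a first/last address range is this example's, not the guide's.

```python
"""Proximity Printing model: which network printers to present to a
session, based on the client device's IP address.  Added example, not Citrix
code.  It assumes DHCP scopes per floor or department, one address range
per floor, and printers addressed inside their floor's range.  The ranges,
printer UNC paths and client addresses are constructed sample data."""

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Ranges = Dict[str, ipaddress.IPv4Network]


@dataclass(frozen=True)
class NetworkPrinter:
    unc_path: str   # \\servername\printername, the form the Session printers setting expects
    ip: str


# Constructed DHCP scopes, one per floor or department.
FLOOR_RANGES: Ranges = {
    "floor-1": ipaddress.ip_network("10.10.1.0/24"),
    "floor-2": ipaddress.ip_network("10.10.2.0/24"),
    "payroll": ipaddress.ip_network("10.10.9.0/26"),
}

# Constructed network printers, each addressed inside its floor's range.
PRINTERS: List[NetworkPrinter] = [
    NetworkPrinter(r"\\printsrv\floor1-mfp", "10.10.1.250"),
    NetworkPrinter(r"\\printsrv\floor2-mfp", "10.10.2.250"),
    NetworkPrinter(r"\\printsrv\floor2-color", "10.10.2.251"),
    NetworkPrinter(r"\\printsrv\payroll-secure", "10.10.9.20"),
]


def floor_for(ip: str, ranges: Ranges = FLOOR_RANGES) -> Optional[str]:
    """Name of the floor/department whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in ranges.items():
        if addr in net:
            return name
    return None


def session_printers_for_client(client_ip: str,
                                printers: List[NetworkPrinter] = PRINTERS,
                                ranges: Ranges = FLOOR_RANGES) -> List[str]:
    """UNC paths the Session printers policy should provision for this client:
    the printers whose address falls in the same range as the client.
    A client outside every known range gets nothing rather than a guess."""
    floor = floor_for(client_ip, ranges)
    if floor is None:
        return []
    net = ranges[floor]
    return [p.unc_path for p in printers if ipaddress.ip_address(p.ip) in net]


def client_ip_filter_range(floor: str, ranges: Ranges = FLOOR_RANGES) -> Tuple[str, str]:
    """First and last host address of a floor's range: the boundaries of the
    Client IP address filter for that floor's policy (range form assumed)."""
    hosts = list(ranges[floor].hosts())
    return str(hosts[0]), str(hosts[-1])


def printers_outside_known_ranges(printers: List[NetworkPrinter] = PRINTERS,
                                  ranges: Ranges = FLOOR_RANGES) -> List[str]:
    """Maintenance check: printers that no floor's filter would ever match,
    typically because a printer was moved or a DHCP scope changed without
    the Session printers policy being updated."""
    return [p.unc_path for p in printers if floor_for(p.ip, ranges) is None]


if __name__ == "__main__":
    # A workstation on floor 2 should see only the floor-2 printers.
    print(session_printers_for_client("10.10.2.37"))
    print(client_ip_filter_range("floor-2"))
    print(printers_outside_known_ranges())
```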
- Windows users who do not have access to the Add Printer wizard on the local client device or any applications that let them browse to printers
- Non-Windows plug-in users
If you want these users to add printers on their own, publish either:
- The ICA Client Printer Configuration Tool (PrintCfg.exe). This tool lets Windows CE and DOS users add printers.
- The Add Printer wizard. Publishing this Windows wizard lets users with Windows plug-ins add printers that are on the local client device or network. Publishing this wizard is also sometimes referred to as publishing the Print Manager.
After a user adds printers using either of these methods, XenApp retains the printer information for the next time a user logs on from that client device. Client printers created using this process are considered retained printers.
- Held in profile only if not saved on client. Selected by default. Allows the system to determine the method. It stores printer properties on the client device, if available, or if not, in the user profile. Although this option is the most flexible, it can also slow logon time and use extra bandwidth to perform the needed system checking. Choose this option if your server farm requires backward compatibility with prior versions of XenApp and its plug-ins and is not constrained by bandwidth or logon performance.
- Saved on the client device only. Stores printer properties only on the client device. If users are assigned a Remote Desktop Services mandatory profile or roaming profile, select this option.
- Retained in user profile only. Stores printer properties in the user profile on the server and prevents any properties exchange with the client device. This option is useful if your system is constrained by bandwidth (this option reduces network traffic) and logon speed or your users use legacy plug-ins. Use this option with MetaFrame Presentation Server 3.0 or earlier and MetaFrame Presentation Server Client 8.x or earlier. Note that this is applicable only if a Remote Desktop Services roaming profile is used.
- Do not retain printer properties. Does not retain printer properties.
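The following Python model is an added example, not Citrix code or part of this guide. It encodes the settings precedence given in the numbered steps earlier in this chapter (retained settings, then changes made to the default printer on the client device, then the server's driver defaults, merged in that order) together with the four Printer properties retention options above, which decide where the retained settings come from and whether an old plug-in or a mandatory profile can hold them at all. The setting names and values used as input are constructed.

```python
"""Model of which printing preferences XenApp applies to an auto-created
printer.  Added example, not Citrix code: it follows the precedence the
guide describes (retained settings, then changes made on the client device,
then the server's driver defaults) and the Printer properties retention
policy options that decide where retained settings are kept.  All setting
names and values here are constructed sample data."""

from typing import Dict, Optional

# The four values of the Citrix policy setting "Printer properties retention".
HELD_IN_PROFILE_IF_NOT_ON_CLIENT = "Held in profile only if not saved on client"
SAVED_ON_CLIENT_ONLY = "Saved on the client device only"
RETAINED_IN_PROFILE_ONLY = "Retained in user profile only"
DO_NOT_RETAIN = "Do not retain printer properties"


def retention_store(policy: str, client_can_store: bool,
                    mandatory_profile: bool = False) -> Optional[str]:
    """Return where retained printer properties end up: "client", "profile",
    or None when nothing survives the session.

    client_can_store: the plug-in can hold properties on the client device
        (the guide: Presentation Server Client 9.x and later).
    mandatory_profile: changes written to a mandatory profile are discarded
        at logoff, which is why the guide says to keep them on the client.
    """
    if policy == DO_NOT_RETAIN:
        return None
    if policy == SAVED_ON_CLIENT_ONLY:
        store = "client" if client_can_store else None
    elif policy == RETAINED_IN_PROFILE_ONLY:
        store = "profile"
    elif policy == HELD_IN_PROFILE_IF_NOT_ON_CLIENT:
        store = "client" if client_can_store else "profile"
    else:
        raise ValueError(f"unknown Printer properties retention value: {policy!r}")
    if store == "profile" and mandatory_profile:
        return None
    return store


def effective_settings(retained: Optional[Dict[str, str]],
                       client_changes: Optional[Dict[str, str]],
                       server_defaults: Dict[str, str]) -> Dict[str, str]:
    """Merge settings in the order the guide lists them.

    1. Retained settings (what the user changed in an earlier session) win.
    2. Changes made to the default printer on the client device come next.
    3. The driver defaults on the server fill in everything else.
    """
    merged = dict(server_defaults)
    if client_changes:
        merged.update(client_changes)
    if retained:
        merged.update(retained)
    return merged


def resolve_session_settings(policy: str, client_can_store: bool,
                             stored_on_client: Optional[Dict[str, str]],
                             stored_in_profile: Optional[Dict[str, str]],
                             client_changes: Optional[Dict[str, str]],
                             server_defaults: Dict[str, str],
                             mandatory_profile: bool = False) -> Dict[str, str]:
    """Take the retained settings from wherever the policy keeps them, then merge."""
    store = retention_store(policy, client_can_store, mandatory_profile)
    retained = {"client": stored_on_client, "profile": stored_in_profile}.get(store)
    return effective_settings(retained, client_changes, server_defaults)


if __name__ == "__main__":
    # Constructed sample: server driver defaults, a landscape change made on
    # the client device, and a duplex change the user made in an earlier session.
    server = {"orientation": "portrait", "duplex": "off", "paper": "A4"}
    print(resolve_session_settings(HELD_IN_PROFILE_IF_NOT_ON_CLIENT, True,
                                   {"duplex": "on"}, None,
                                   {"orientation": "landscape"}, server))
```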
For 32-bit, HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Preferences
2 Create the following registry key:
Name: Win32FavorRetainedPrinterSettings
Data Type: REG_SZ
Value Data: false
- If you know which printer drivers cause problems, you can specify banned printer drivers in the compatibility list
- If you do not know which drivers cause problems or you want tighter control over the drivers on the farm, specify that only drivers on the compatibility list be installed
- XenApp checks the client printer driver compatibility list before it sets up the client printers
- If a printer driver is on the list of drivers that are not allowed, XenApp does not set up the printer unless the Universal Printing feature is enabled
- When the compatibility list prevents setup of a client printer, XenApp writes a message in the server's Event log
To prevent drivers from being installed automatically, configure the Citrix policy setting Automatic installation of in-box printer drivers.
- Automatic installation of in-box printer drivers. Controls whether Windows native drivers are automatically installed when auto-creating either a client or network printer. Disabling this setting prevents the automatic installation of printer drivers.
- Printer driver mapping and compatibility. Lists driver substitution settings for auto-created printers. Allows or prevents printers from being created with the specified driver. Additionally, you can allow created printers to use only universal printer drivers.
- Citrix Universal Printer, which is the EMF driver
- Citrix XPS Universal Printer
- HP Color LaserJet 2800 PS (Citrix PS Universal Printer Driver)
If you need a Universal driver that does not appear in this list, you must install it.
- Use only printer model specific drivers. Specifies that the client printer uses only the native drivers that are autocreated at logon. If the native driver of the printer is unavailable, the client printer cannot be autocreated.
- Use universal printing only. Specifies that the client printer uses the universal printer driver only. Select this option if you do not want to use native drivers.
- Use universal printing only if requested driver is unavailable. Uses native drivers for client printers if they are available. If the driver is not available on the server, the client printer is created automatically with the highest available universal driver, as specified in the Universal driver priority policy setting.
- Use printer model specific drivers only if universal printing is unavailable. Specifies that the client printer uses the universal printer driver if it is available. If the driver is not available on the server, the client printer is created automatically with the appropriate native printer driver.
Configuring Universal Printer Drivers on Farm Servers

To force XenApp to use the Citrix XPS Universal Printer driver before the EMF-based Citrix Universal Printer driver, configure the Citrix policy setting Universal driver priority and move XPS to the top of the list.
- Good printer drivers for outdated or corrupted drivers
- Specific Windows printer drivers for manufacturers' client printer drivers
- A driver that is available on the Windows server for a client driver name
Each client provides information about client-side printers during logon, including the printer model name. During client printer autocreation, Windows server printer driver names are selected that correspond to the printer model names provided by the client. The autocreation process then employs the identified, available printer drivers to construct redirected client print queues.
Mapping Client Printer Drivers

1 On the Printer driver mapping and compatibility settings page, select the printer driver for which you want to modify the settings.
2 Click Settings.
3 Specify the printer settings.
Use the Citrix policy Bandwidth printer settings in the Delivery Services Console to enable and disable the printing bandwidth session limit for the farm. Use individual server settings to limit printing bandwidth in the server farm. You can perform this task using gpedit.msc locally on each server to configure the Citrix policy Bandwidth printer settings.
You can use the Citrix Session Monitoring and Control Console (included in the WFAPI SDK) to obtain real-time information about printing bandwidth. The print spooling virtual channel control (that is, the CTXCPM Client printer mapping virtual channel control) lets you set a priority and bandwidth limit for bandwidth control of this virtual channel.
- Printer redirection bandwidth limit, to specify the bandwidth available for printing in kilobits per second (kbps).
- Printer redirection bandwidth limit percent, to limit the bandwidth available for printing to a percentage of the overall bandwidth available.
Improving Session Performance by Limiting Printing Bandwidth

Note: If you want to specify bandwidth as a percentage using the Printer redirection bandwidth limit percent setting, you must enable the Overall session bandwidth limit as well.
Displaying Printers
The following table summarizes where you can manage and modify print queues and display printers in a XenApp environment. For definitions of the terms client printing pathway and network printing pathway, see Overview of Client and Network Printing Pathways. Client printing pathway is not synonymous with printers attached to client devices.
Printer type | Pathway | UAC Enabled? | Location
Network printers (Printers on a network print server) | Client printing pathway | On | Print Management snap-in in the Microsoft Management Console
Network printers (Printers on a network print server) | Client printing pathway | Off | Control Panel
Network printers (Printers on a network print server) | Network printing pathway | On | Print Management snap-in in the Microsoft Management Console
Network printers (Printers on a network print server) | Network printing pathway | Off | Control Panel
Server local printers (Shared printers locally attached to a XenApp server) | N/A | On | Print Server > Print Management snap-in in the Microsoft Management Console
Server local printers (Shared printers locally attached to a XenApp server) | N/A | Off | Print Server > Control Panel
Local network server printers (Printers from a network print server that are added to a server running XenApp) | Network printing pathway | On | Control Panel
Local network server printers (Printers from a network print server that are added to a server running XenApp) | Network printing pathway | Off | Control Panel
To display printers that use the client printing pathway when UAC is enabled
1 On the XenApp server that is hosting the session for which you want to display the printers, install the Print Services server role.
2 In Administrative Tools, open the Print Management stand-alone snap-in.
3 To display client redirected printers, in the Print Management tree, select Print Management > Custom Filters > All Printers. The Print Management snap-in displays the client printers redirected from all clients connected to that server. You can display and manage the print queues for these printers, and select Printers With Jobs in the Print Management tree to display active jobs on redirected printers.
To display printers that use the client printing pathway without UAC enabled
1 On the XenApp server, open Control Panel > Printers. The Printers screen displays the local printers mapped to the ICA session. By default, the name of the printer takes the form printername (from clientname) in session x; for example, printer01 (from machine01) in session 7. Printername is the name of the printer on the client device, clientname is the unique name given to the client device or the Web Interface, and x is the SessionID of the user's session on the server.
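The following Python script is an added example, not Citrix code or part of this guide. It parses names in the default printername (from clientname) in session x format described above and groups the auto-created client printers on a server by session, which is the review the Printing Security topic implies: client printers share one local namespace on the server and the session ID in the name is what keeps them apart, so a reviewer wants to see which visible printers belong to other sessions and which names carry no session at all. The names in SAMPLE_PRINTERS are constructed input; the first is the guide's own example.

```python
"""Parse and group auto-created client printer names.  Added example, not
Citrix code.  It relies on the default name format the guide documents,
"printername (from clientname) in session x".  Names in SAMPLE_PRINTERS are
constructed sample input (the first one is the guide's own example)."""

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The default naming convention.  The printer part is matched greedily so a
# printer whose own name contains parentheses still parses; the client name
# is taken not to contain parentheses.
_NAME_RE = re.compile(
    r"^(?P<printer>.+) \(from (?P<client>[^()]+)\) in session (?P<session>\d+)$")

SAMPLE_PRINTERS = [
    "printer01 (from machine01) in session 7",          # the guide's example
    "HP LaserJet 4 (from LAPTOP-22) in session 7",
    "Canon iR (Copy 1) (from desk-305) in session 12",
    "Microsoft XPS Document Writer",                    # not a client printer
    "payroll-secure",                                   # server local printer
]


@dataclass(frozen=True)
class ClientPrinter:
    printer: str
    client: str
    session_id: int


def parse_printer_name(name: str) -> Optional[ClientPrinter]:
    """Split a default-format name into its parts; None if it does not match."""
    m = _NAME_RE.match(name)
    if m is None:
        return None
    return ClientPrinter(m["printer"], m["client"], int(m["session"]))


def group_by_session(names: Iterable[str]) -> Dict[int, List[ClientPrinter]]:
    """Auto-created client printers on the server, keyed by session ID."""
    groups: Dict[int, List[ClientPrinter]] = defaultdict(list)
    for name in names:
        parsed = parse_printer_name(name)
        if parsed is not None:
            groups[parsed.session_id].append(parsed)
    return dict(groups)


def printers_outside_session(names: Iterable[str], session_id: int) -> List[str]:
    """Client printers present in the shared namespace that belong to other
    sessions.  Windows security is expected to block access to them from
    session_id; this lists what is there so that expectation can be checked."""
    return [n for n in names
            if (p := parse_printer_name(n)) is not None and p.session_id != session_id]


def unparsed_names(names: Iterable[str]) -> List[str]:
    """Printers that do not follow the convention (server local printers, or
    names produced by a different Client printer names setting).  They carry
    no session ID, so review them separately."""
    return [n for n in names if parse_printer_name(n) is None]


if __name__ == "__main__":
    for sid, printers in sorted(group_by_session(SAMPLE_PRINTERS).items()):
        print(sid, [f"{p.printer} from {p.client}" for p in printers])
    print("outside session 7:", printers_outside_session(SAMPLE_PRINTERS, 7))
    print("no session in name:", unparsed_names(SAMPLE_PRINTERS))
```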
Command | Description
altaddr | Specify server alternate IP address.
app | Run application execution shell.
auditlog | Generate server logon/logoff reports.
change client | Change client device mapping.
ctxkeytool | Generate farm key for IMA encryption.
ctxxmlss | Change the Citrix XML Service port number.
dscheck | Validate the integrity of the server farm data store.
dsmaint | Maintain the server farm's data store.
enablelb | Enable load balancing for servers that fail health monitoring tests.
icaport | Configure the TCP/IP port number used by the ICA protocol on the server.
imaport | Change IMA ports.
query | View information about server farms, processes, ICA sessions, and users.
466
ALTADDR
Use altaddr to query and set the alternate (external) IP address for a server running Citrix XenApp. The alternate address is returned to clients that request it and is used to access a server that is behind a firewall.
Syntax
altaddr [/server:servername] [/set alternateaddress] [/v]
altaddr [/server:servername] [/set adapteraddress alternateaddress] [/v]
altaddr [/server:servername] [/delete] [/v]
altaddr [/server:servername] [/delete adapteraddress] [/v]
altaddr [/?]
Parameters
servername
    The name of a server.
alternateaddress
    The alternate IP address for a server.
adapteraddress
    The local IP address to which an alternate address is assigned.
Options
/server:servername
    Specifies the server on which to set an alternate address. Defaults to the current server.
/set
    Sets alternate TCP/IP addresses. If an adapteraddress is specified, alternateaddress is assigned only to the network adapter with that IP address.
/delete
    Deletes the default alternate address on the specified server. If an adapter address is specified, the alternate address for that adapter is deleted.
/v
    (verbose) Displays information about the actions being performed.
/?
    Displays the syntax for the utility and information about the utility's options.
Remarks
The server subsystem reads the altaddr settings for server external IP addresses at startup only. If you use altaddr to change the IP address setting, you must restart the Citrix Independent Management Architecture service for the new setting to take effect. If altaddr is run without any parameters, it displays the information for alternate addresses configured on the current server.
Examples
Set the server's alternate address to 1.1.1.1:
altaddr /set 1.1.1.1
Set the server's alternate address to 2.2.2.2 on the network interface card whose adapter address is 1.1.1.1:
altaddr /set 1.1.1.1 2.2.2.2
Security Restrictions
None.
APP
App is a script interpreter for secure application execution. Use App to read execution scripts that copy standardized .ini type files to user directories before starting an application, or to perform application-related cleanup after an application terminates. The script commands are described below.
Syntax
app scriptfilename
Parameters
scriptfilename The name of a script file containing app commands (see script commands below).
Script Commands
copy sourcedirectory\filespec targetdirectory
    Copies files from sourcedirectory to targetdirectory. Filespec specifies the files to copy and can include wildcards (*,?).
delete directory\filespec
    Deletes files owned by a user in the directory specified. Filespec specifies the files to delete and can include wildcards (*,?). See the Examples section for more information.
deleteall directory\filespec
    Deletes all files in the directory specified.
execute
    Executes the program specified by the path command using the working directory specified by the workdir command.
path executablepath
    Executablepath is the full path of the executable to be run.
workdir directory
    Sets the default working directory to the path specified by directory.
Script Parameters
directory
    A directory or directory path.
executablepath
    The full path of the executable to be run.
filespec
    Specifies the files to copy and can include wildcards (*,?).
sourcedirectory
    The directory and path from which files are to be copied.
targetdirectory
    The directory and path to which files are to be copied.
Remarks
If no scriptfilename is specified, app displays an error message. The Application Execution Shell reads commands from the script file and processes them in sequential order. The script file must reside in the %SystemRoot%\Scripts directory.
Examples
The following script runs the program Notepad.exe. When the program terminates, the script deletes files in the Myapps\Data directory created for the user who launched the application:
PATH C:\Myapps\notepad.exe
WORKDIR C:\Myapps\Data
EXECUTE
DELETE C:\Myapps\Data\*.*
The following script copies all the .wri files from the directory C:\Write\Files, executes Write.exe in directory C:\Temp.wri, and then removes all files from that directory when the program terminates:
PATH C:\Wtsrv\System32\Write.exe
WORKDIR C:\Temp.wri
COPY C:\Write\Files\*.wri C:\Temp.wri
EXECUTE
DELETEALL C:\Temp.wri\*.*
The following example demonstrates using the script file to implement a front-end registration utility before executing the application Coolapp.exe. You can use this method to run several applications in succession:
Security Restrictions
None.
AUDITLOG
Auditlog generates reports of logon/logoff activity for a server based on the Windows Server security event log. To use auditlog, you must first enable logon/logoff accounting. You can direct the auditlog output to a file.
Syntax
auditlog [username | session] [/eventlog:filename] [/before:mm/dd/yy] [/after:mm/dd/yy] [[/write:filename] | [/detail | /time] [/all]]
auditlog [username | session] [/eventlog:filename] [/before:mm/dd/yy] [/after:mm/dd/yy] [[/write:filename] | [/detail] | [/fail] | [/all]]
auditlog [/clear:filename]
auditlog [/?]
Parameters
filename
    The name of the eventlog output file.
session
    Specifies the session ID for which to produce a logon/logoff report. Use this parameter to examine the logon/logoff record for a particular session.
mm/dd/yy
    The month, day, and year (in two-digit format) to limit logging.
username
    Specifies a user name for which to produce a logon/logoff report. Use this parameter to examine the logon/logoff record for a particular user.
Options
/eventlog:filename
    Specifies the name of a backup event log to use as input to auditlog. You can back up the current log from the Event Log Viewer by using auditlog /clear:filename.
/before:mm/dd/yy
    Reports on logon/logoff activity only before mm/dd/yy.
/after:mm/dd/yy
    Reports on logon/logoff activity only after mm/dd/yy.
/write:filename
    Specifies the name of an output file. Creates a comma-delimited file that can be imported into an application, such as a spreadsheet, to produce custom reports or statistics. It generates a report of logon/logoff activity for each user, displaying logon/logoff times and total time logged on. If filename exists, the data is appended to the file.
/time
    Generates a report of logon/logoff activity for each user, displaying logon/logoff times and total time logged on. Useful for gathering usage statistics by user.
/fail
    Generates a report of all failed logon attempts.
/all
    Generates a report of all logon/logoff activity.
/detail
    Generates a detailed report of logon/logoff activity.
/clear:filename
    Saves the current event log in filename and clears the Event log. This command does not work if filename already exists.
/?
    Displays the syntax for the utility and information about the utility's options.
Remarks
Auditlog provides logs you can use to verify system security and correct usage. The information can be extracted as reports or as comma-delimited files that can be used as input to other programs. You must enable logon/logoff accounting on the local server to collect the information used by auditlog. To enable logon/logoff accounting, log on as a local administrator and enable
Security Restrictions
To run auditlog, you must have Windows administrator privileges.
CHANGE CLIENT
Change client changes the current disk drive, COM port, and LPT port mapping settings for a client device.
Syntax
change client [/view | /flush | /current]
change client [{/default | [/default_drives] | [/default_printers]} [/ascending]] [/persistent] [/force_prt_todef]
change client [/delete host_device] [host_device client_device] [/?]
Parameters
host_device
    The name of a device on the host server to be mapped to a client device.
client_device
    The name of a device on the client to be mapped to host_device.
Options
/view
    Displays a list of all available client devices.
/flush
    Flushes the client drive mapping cache. This action forces the server and the client to resynchronize all disk data.
/current
    Displays the current client device mappings.
/default
    Resets host drive and printer mappings to defaults.
/default_drives
    Resets host drive mappings to defaults.
/default_printers
    Resets host printer mappings to defaults.
/ascending
    Uses ascending, instead of descending, search order for available drives and printers to map. This option can be used only with /default, /default_drives, or /default_printers.
/noremap
    If /noremap is specified, client drives that conflict with server drives are not mapped.
/persistent
    Saves the current client drive mappings in the client device user's profile.
/force_prt_todef
    Sets the default printer for the client session to the default printer on the client's Windows desktop.
/delete host_device
    Deletes the client device mapping to host_device.
/? (help)
    Displays the syntax for the utility and information about the utility's options.
Remarks
Typing change client with no parameters displays the current client device mappings; it is equivalent to typing change client /current. Use change client host_device client_device to create a client drive mapping. This maps the client_device drive letter to the letter specified by host_device; for example, change client v: c: maps client drive C to drive V on the server. The /view option displays the share name, the share type, and a comment describing the mapped device. Sample output for change client /view follows:
Sharename        Type     Comment
\\Client\A$      Disk     Floppy
\\Client\C$      Disk     FixedDrive
\\Client\D$      Disk     CdRom
\\Client\LPT1:   Printer  Parallel Printer
\\Client\COM1:   Printer  Serial Printer
The /flush option flushes the client drive cache. This cache is used to speed access to client disk drives by retaining a local copy of the data on the server running Citrix XenApp. The time-out for hard drive cache entries is 60 seconds and the time-out for diskette data is two seconds. If the client device is using a multitasking operating system and files are created or modified, the server does not know about the changes. Flushing the cache forces the data on the server to be synchronized with the client data. The cache time-out for diskettes is set to five seconds because diskette data is usually more volatile; that is, the diskette can be removed and another diskette inserted.
The /default option maps the drives and printers on the client device to mapped drives and printers on the server running Citrix XenApp. Drives A and B are always mapped to drives A and B on the server. Hard drives are mapped to their corresponding drive letters if those drive letters are available on the server. If the corresponding drive letter is in use on the server, the default action is to map the drive to the highest unused drive letter. For example, if both computers have drives C and D, the client drives C and D are mapped to V and U respectively. These default mappings can be modified by the /ascending and /noremap options.
The /default_printers option resets printer mappings to defaults. /default_printers attempts a one-to-one mapping of all client printers; for example, the client's LPT1 and LPT2 ports are mapped to the server's LPT1 and LPT2 ports. If the /ascending option is specified, the mapping is done in ascending order.
The /default_drives option resets host drive mappings to defaults. /default_drives attempts a one-to-one mapping of all client drives; for example, client drives A and B are mapped to server drives A and B. Hard drives are mapped to their corresponding drive letters if those drive letters are available on the server. If the corresponding drive letter is in use on the server, the default action is to map the drive to the highest unused drive letter. For example, if both computers have drives C and D, the client drives C and D are mapped to V and U respectively. If the /ascending option is specified, the mapping is done in ascending order.
The /ascending option causes the mapping to occur in ascending drive letter order. For example, if the first two available drive letters on the server are I and J, drives C and D in the preceding example are mapped to I and J respectively.
The /noremap option causes the mapping to skip drive letters occupied on the server. For example, if the server has a drive C but no drive D, the client's drive C is mapped to D on the server, but the client's drive D is not mapped.
The /persistent option causes the current device mappings to be saved in the user's profile. Drive conflicts can occur if the /persistent option is in use and the user logs on from a client device that has a different disk drive configuration, or logs on to a server that has a different disk drive configuration.
The /force_prt_todef option sets the default printer for the ICA session to the default printer on the client's Windows desktop.
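The drive-letter allocation rules described in the Remarks (one-to-one where the letter is free, otherwise the highest unused letter, or the lowest with /ascending), as an added Python simulation that is not Citrix code. It lets an administrator predict which server letters client drives will land on before a session is created; /noremap is not modelled, and the sample input treats W through Z as already in use on the server so that the first case reproduces the page's V/U example.

```python
"""Simulate the default drive mapping of ``change client /default_drives``.

Constructed example; the rules are the ones documented in the Remarks:
  * client drives A and B are always mapped to server drives A and B;
  * any other client drive keeps its letter if that letter is free on the server;
  * if the letter is in use, the default picks the highest unused letter,
    or the lowest unused letter when /ascending is given.
"""
from string import ascii_uppercase

FLOPPY_LETTERS = ("A", "B")


def map_client_drives(client_drives, server_drives, ascending=False):
    """Return {client_letter: server_letter} for the given drive sets.

    ``server_drives`` lists every letter already in use on the XenApp server
    (local drives plus anything you choose to treat as reserved). Letters are
    allocated in client drive order, so an earlier client drive can take a
    letter that a later one would otherwise have kept.
    """
    used = {d.upper() for d in server_drives}
    mapping = {}
    for letter in (d.upper() for d in client_drives):
        if letter in FLOPPY_LETTERS:
            mapping[letter] = letter            # always mapped one-to-one
            continue
        if letter not in used:
            mapping[letter] = letter            # letter is free: one-to-one
            used.add(letter)
            continue
        # Conflict: pick from the unused letters, never handing out A or B.
        free = [c for c in ascii_uppercase if c not in used and c not in FLOPPY_LETTERS]
        if not free:
            raise RuntimeError(f"no free drive letter left for client drive {letter}:")
        target = free[0] if ascending else free[-1]
        mapping[letter] = target
        used.add(target)
    return mapping


def as_change_client_commands(mapping):
    """Render a mapping as the explicit form shown in the Remarks
    (``change client v: c:`` maps client C to server V); identity mappings
    need no command and are skipped."""
    return [f"change client {host}: {client}:"
            for client, host in mapping.items() if host != client]


if __name__ == "__main__":
    # Constructed sample: both machines have C and D; W-Z assumed in use on the server.
    default = map_client_drives(["A", "C", "D"], ["C", "D", "W", "X", "Y", "Z"])
    print(default)                                   # {'A': 'A', 'C': 'V', 'D': 'U'}
    print(as_change_client_commands(default))
    # Server with A-H occupied: /ascending hands out I and J.
    print(map_client_drives(["C", "D"], list("ABCDEFGH"), ascending=True))
```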
Security Restrictions
None.
CTXKEYTOOL
Use ctxkeytool to enable and disable the IMA encryption feature and generate, load, replace, enable, disable, or back up farm key files.
Syntax
ctxkeytool [generate | load | newkey | backup] filepath
ctxkeytool [enable | disable | query]
Options
generate
    Generates a new key and saves it to the filepath. This command alone is not sufficient to enable IMA encryption.
load
    Can be used to load:
    - A new key onto a server with no preexisting key
    - The correct key onto a server that has an existing key
newkey
    Creates a new encryption key in the data store using the local farm key.
backup
    Backs up the existing farm key to a file.
enable
    Enables the IMA encryption feature for the farm.
disable
    Disables the IMA encryption feature for the farm.
query
    Checks the following:
    - For a key on the local computer
    - To see if IMA encryption is enabled for the farm
    - If your key matches the farm key
Remarks
The first time you generate a key for the first server on the farm on which you are enabling IMA encryption, use the following sequence of options: generate, load, and newkey. On each subsequent server in the farm, you just need to load the key. After you activate the IMA encryption feature on one server, the feature is enabled for the entire farm. If you lose the key file for a server, you can get a duplicate key file by running the backup option on another server in the same farm that still has its key. This command recreates the key file. After recreating the key file, use load to load it to the server on which it was lost. After using the disable option to disable the IMA encryption feature, you must reenter the configuration logging database password. If you want to activate the IMA encryption feature again, run enable on any server in the farm.
Security Restrictions
You must be a Citrix administrator with local administrator privileges to run ctxkeytool.
CTXXMLSS
Use ctxxmlss to change the Citrix XML Service port number.
Syntax
ctxxmlss [/rnnn] [/u] [/knnn] [/b:a] [/b:l] [/?]
Options
/rnnn
    Changes the port number for the Citrix XML Service to nnn.
/u
    Unloads Citrix XML Service from memory.
/knnn
    Keeps the connection alive for nnn seconds. The default is nine seconds.
/b:a
    Binds the service to all network interfaces. This is the default setting.
/b:l
    Binds the service to localhost only.
/?
    Displays the syntax for the utility and information about the utility's options.
Security Restrictions
None.
Remarks
For more information, see System Requirements.
DSCHECK
Use dscheck to validate the consistency of the database used to host the server farm's data store. You can then repair any inconsistencies found. dscheck is often used after running dsmaint.
Syntax
dscheck [/clean] [/?]
Options
/clean
    Attempts to fix any consistency error that is found.
/?
    Displays the syntax for the utility and information about the utility's options.
Remarks
Dscheck performs a variety of tests to validate the integrity of a server farm's data store. When run without parameters, only these tests are run. Run dscheck on a server in the farm that has a direct connection to the data store.
When you run dscheck with the /clean option, the utility runs tests and removes inconsistent data (typically servers and applications) from the data store. Because removing this data can affect the farm's operation, be sure to back up the data store before using the /clean option. When you run the utility with the /clean option, you may need to run the dsmaint command with the recreatelhc parameter on each server in the farm to update the local host caches. Running this command sets the PSRequired registry value to 1 in HKLM\SOFTWARE\Wow6432Node\Citrix\IMA\RUNTIME, or HKLM\SOFTWARE\Citrix\IMA\RUNTIME on XenApp, 32-bit Edition.
Dscheck reports the results of the tests in several ways. First, it sends any errors found as well as a summary to the Event log and to the command window. You can also write the output produced by dscheck to a file. Second, several performance monitor values are updated under the performance object for Citrix XenApp. These values include a count of server errors, a count of application errors, a count of group errors, and an overall flag indicating that errors were detected. Third, dscheck returns an error code of zero for a successful scan (no errors are found) and an error code of one if any problems are encountered.
Dscheck looks primarily at three data store objects: servers, applications, and groups. For each of these object types, dscheck performs a series of tests on each object instance. For example, for each server object in the data store, dscheck verifies that there is a corresponding common server object and then further verifies that both objects have matching host IDs and host names.
Examples
To run consistency checks only:
dscheck
To check consistency and fix errors:
dscheck /clean
DSMAINT
Run dsmaint on farm servers to perform XenApp data store maintenance tasks, including backing up the data store, migrating the data store to a new server, and compacting the XenApp data store or the Streaming Offline database. Not all dsmaint commands apply to all database types.
When using this command, user names and passwords may be case-sensitive, depending on the database and the operating system you are using.
Syntax
dsmaint config [/user:username] [/pwd:password] [/dsn:filename]
dsmaint backup destination_path
dsmaint compactdb [/lhc]
dsmaint migrate [{/srcdsn:dsn1 /srcuser:user1 /srcpwd:pwd1}] [{/dstdsn:dsn2 /dstuser:user2 /dstpwd:pwd2}]
dsmaint publishsqlds {/user:username /pwd:password}
dsmaint recover
dsmaint recreatelhc
dsmaint recreaterade
dsmaint verifylhc [/autorepair]
dsmaint [/?]
Parameters
destination_path
    Path for the backup data store. Do not use the same path as the original database.
dsn1
    The name of the DSN file for the source data store.
dsn2
    The name of the DSN file for the destination data store.
filename
    The name of the data store.
password
    The password to connect to the data store.
pwd1
    The source data store password.
pwd2
    The destination data store password.
user1
    The source data store user logon.
user2
    The destination data store user logon.
username
    The name of the user to use when connecting to the data store.
Options
config
    Changes configuration parameters used to connect to the data store. Enter the full path to the DSN file in quotation marks. For example,
    dsmaint config /user:ABCnetwork\administrator /pwd:Passw0rd101 /dsn:"C:\Program Files (x86)\Citrix\Independent Management Architecture\mf20.dsn"
    Stop the Citrix Independent Management Architecture service before using config with the /pwd option.
    Caution: Specify a /dsn for dsmaint config or you will change the security context for access to the SQL Server or Oracle database.
/user:username
    The user name to connect to a data store.
/pwd:password
    The password to connect to a data store.
/dsn:filename
    The filename of an IMA data store.
backup
    Creates a backup copy of the SQL Server Express database that is the farm's data store. Run this command on the server that hosts the data store. Requires a path or share point to which the backup database file will be copied. Do not use this parameter to back up SQL Server or Oracle data stores.
    Caution: When running dsmaint backup, specifying the same path as the existing data store can damage it irreparably.
compactdb
    Compacts the local database file. During database compaction, the database is temporarily unavailable for both reading and writing. The compacting time can vary from a few seconds to a few minutes, depending on the size of the database and the usage.
/lhc
    Compacts the local host cache on the server where this parameter is run. Run dsmaint compactdb /lhc after your farm has been running for a long period of time as a maintenance task.
migrate
    Migrates data from one data store database to another. Run this command on any XenApp server that has a connection to the data store. Use this command to move a data store to another server, rename a data store in the event of a server name change, or migrate the data store to a different type of database (for example, migrate from SQL Server Express to SQL Server).
    To migrate the data store to a new server:
    1 Prepare the new database server using the steps you did before running XenApp Setup for the first time.
    2 Create a DSN file for this new database server on the server where you will be running dsmaint migrate.
    3 Run dsmaint migrate on any server with a connection to the data store.
    4 Run dsmaint config on each server in the farm to point it to the new database.
/srcdsn:dsn1
    The name of the data store from which to migrate data.
/srcuser:user1
    The user name to use to connect to the data store from which the data is migrating.
/srcpwd:pwd1
    The password to use to connect to the data store from which the data is migrating.
/dstdsn:dsn2
    The name of the data store to which to migrate the data.
/dstuser:user2
    The user name that allows you to connect to the data store to which you are migrating the source data store.
/dstpwd:pwd2
    The password that allows you to connect to the data store to which you are migrating the source data store.
publishsqlds
    Publishes a SQL Server data store for replication. Run publishsqlds only from the server that created the farm. The publication is named MFXPDS.
recover
    Restores a SQL Server Express data store to its last known good state. Run this directly on the server while the Citrix Independent Management Architecture service is not running.
recreatelhc
    Recreates the local host cache database. Run if prompted after running dsmaint verifylhc. After running dsmaint recreatelhc, restart the IMA Service. When the IMA Service starts, the local host cache is populated with fresh data from the data store.
recreaterade
    Recreates the application streaming offline database. Run as a troubleshooting step if the Citrix Independent Management Architecture service stops running and the local host cache is not corrupted.
verifylhc
    Verifies the integrity of the local host cache. If the local host cache is corrupt, you are prompted with the option to recreate it. With the verifylhc /autorepair option, the local host cache is automatically recreated if it is found to be corrupted. Alternatively, you can use dsmaint recreatelhc to recreate the local host cache.
/?
    Displays the syntax and options for the utility.
Remarks
After using dsmaint, Citrix recommends running dscheck to check the integrity of the data on the XenApp data store.
Security Restrictions
The dsmaint config and dsmaint migrate commands can be run only by a user with the correct user name and password for the database.
ENABLELB
If one or more servers are removed from load balancing because they failed a Health Monitoring test, use enablelb to restore them to the load balance tables.
Syntax
enablelb servername [servername servername ]
Parameters
servername The name of the computer running Citrix XenApp.
Security Restrictions
To use this utility you must be a Citrix administrator with edit privileges for Other Farm Settings and Other Server Settings for the server you want to restore to load balancing.
ICAPORT
Use icaport to query or change the TCP/IP port number used by the ICA protocol on the server.
Syntax
icaport {/query | /port:nnn | /reset} [/?]
Options
/query
    Queries the current setting.
/port:nnn
    Changes the TCP/IP port number to nnn.
/reset
    Resets the TCP/IP port number to 1494, which is the default.
/?
    Displays the syntax for the utility and information about the utility's options.
Remarks
The default port number is 1494. The port number must be in the range of 0 to 65535 and must not conflict with other well-known port numbers. If you change the port number, restart the server for the new value to take effect. If you change the port number on the server, you must also change it on every plug-in that will connect to that server. For instructions for changing the port number on plug-ins, see Citrix eDocs for the plug-ins that you plan to deploy.
Examples
To set the TCP/IP port number to 5000:
icaport /port:5000
To reset the TCP/IP port number to the default of 1494:
icaport /reset
Security Restrictions
Only Citrix administrators with Windows administrator privileges can run icaport.
IMAPORT
Use imaport to query or change the IMA port.
Syntax
imaport {/query | /set {IMA:nnn | ds:nnn}* | /reset {IMA | DS | ALL} } [/?]
Options
/query
    Queries the current setting.
/set
    Sets the designated TCP/IP port to a specified port number.
    ima:nnn
        Sets the IMA communication port to a specified port number.
    ds:nnn
        Sets the data store server port to a specified port number.
/reset
    Resets the specified TCP/IP port to the default.
    ima
        Resets the IMA communication port to 2512.
    ds
        Resets the data store server port to 2512.
    all
        Resets all of the applicable ports to the defaults.
/?
    Displays the syntax for the utility and information about the utility's options.
QUERY FARM
Use query to display information about server farms within the network.
Syntax
query farm [server [/addr | /app | /app appname | /load | /ltload]]
query farm [/tcp] [/continue]
query farm [/app | /app appname | /disc | /load | /ltload | /lboff | /process]
query farm [/online | /online zonename]
query farm [/offline | /offline zonename]
query farm [/zone | /zone zonename]
query farm [/?]
Parameters
appname
    The name of a published application.
server
    The name of a server within the farm.
zonename
    The name of a zone within the farm.
Options
farm
    Displays information about servers within an IMA-based server farm. You can use qfarm as a shortened form of query farm.
server /addr
    Displays address data for the specified server.
/app
    Displays application names and server load information for all servers within the farm or for a specific server.
/app appname
    Displays information for the specified application and server load information for all servers within the farm or for a specific server.
/continue
    Do not pause after each page of output.
/disc
    Displays disconnected session data for the farm.
/load
    Displays server load information for all servers within the farm or for a specific server.
/ltload
    Displays server load throttling information for all servers within the farm or for a specific server.
/lboff
    Displays the names of the servers removed from load balancing by Health Monitoring & Recovery.
/process
    Displays active processes for the farm.
/tcp
    Displays TCP/IP data for the farm.
/online
    Displays servers online within the farm and all zones. The data collectors are represented by the notation D.
/online zonename
    Displays servers online within a specified zone. The data collectors are represented by the notation D.
/offline
    Displays servers offline within the farm and all zones. The data collectors are represented by the notation D.
/offline zonename
    Displays servers offline within a specified zone. The data collectors are represented by the notation D.
/zone
    Displays all data collectors in all zones.
/zone zonename
    Displays the data collector within a specified zone.
/?
    Displays the syntax for the utility and information about the utility's options.
Remarks
Query farm returns information for IMA-based servers within a server farm.
Security Restrictions
You must be a Citrix administrator to run query farm.
QUERY PROCESS
Use query to display information about processes within the network.
Syntax
query process [* | processid | username | sessionname | /id:nn | programname] [/server:servername] [/system]
query process [/?]
Parameters
*
    Displays all visible processes.
processid
    The three- or four-digit ID number of a process running within the farm.
programname
    The name of a program within a farm.
servername
    The name of a server within the farm.
sessionname
    The name of a session, such as ica-tcp#7.
username
    The name of a user connected to the farm.
Options
process
    Displays information about processes running on the current server.
process *
    Displays all visible processes on the current server.
process processid
    Displays processes for the specified processid.
process username
    Displays processes belonging to the specified user.
process sessionname
    Displays processes running under the specified session name.
process /id:nn
    Displays information about processes running on the current server by the specified ID number.
process programname
    Displays process information associated with the specified program name.
process /server:servername
    Displays information about processes running on the specified server. If no server is specified, the information returned is for the current server.
process /system
    Displays information about system processes running on the current server.
/?
    Displays the syntax for the utility and information about the utility's options.
Security Restrictions
None.
QUERY SESSION
Use query to display information about sessions within the network.
Syntax
query session [sessionname | username | sessionid]
query session [/server:servername] [/mode] [/flow] [/connect] [/counter]
query session [/?]
Parameters
servername
    The name of a server within the farm.
sessionname
    The name of a session, such as ica-tcp#7.
sessionid
    The two-digit ID number of a session.
username
    The name of a user connected to the farm.
Options
session sessionname
    Identifies the specified session.
session username
    Identifies the session associated with the user name.
session sessionid
    Identifies the session associated with the session ID number.
session /server:servername
    Identifies the sessions on the specified server.
session /mode
    Displays the current line settings.
session /flow
    Displays the current flow control settings.
session /connect
    Displays the current connection settings.
session /counter
    Displays the current Remote Desktop Services counter information.
/?
    Displays the syntax for the utility and information about the utility's options.
Security Restrictions
None.
QUERY TERMSERVER
Use query to display information about terminal servers within the network.
Syntax
query termserver [servername] [/domain:domain] [/address] [/continue]
query termserver [/?]
Parameters
servername
    The name of a server within the farm.
domain
    The name of a domain to query.
Options
termserver servername
    Identifies a Terminal Server.
/address
    Displays network and node addresses.
/continue
    Do not pause after each page of output.
/domain:domain
    Displays information for the specified domain. Defaults to the current domain if no domain is specified.
/?
    Displays the syntax for the utility and information about the utility's options.
Remarks
If no parameters are specified, query termserver lists all Terminal Servers within the current domain.
Security Restrictions
None.
QUERY USER
Use query to display information about users within the network.
Syntax
query user [username | sessionname | sessionid] [/server:servername]
query user [/?]
Parameters
servername
    The name of a server within the farm.
sessionname
    The name of a session, such as ica-tcp#7.
sessionid
    The ID number of a session.
username
    The name of a user connected to the farm.
Options
user username: Displays connection information for the specified user name.
user sessionname: Displays connection information for the specified session name.
user sessionid: Displays connection information for the specified session ID.
user /server:servername: Defines the server to be queried. The current server is queried by default.
/?: Displays the syntax for the utility and information about the utility's options.
Remarks
If no parameters are specified, query user displays all user sessions on the current server. You can use quser as a shortened form of the query user command.
Security Restrictions
None.
Performance counter objects

- Citrix CPU Utilization Mgmt User
- Citrix IMA Networking
- Citrix Licensing
- Citrix MetaFrame Presentation Server
- ICA Session
- Secure Ticket Authority

Citrix IMA Networking counters (descriptions)

- The inbound bytes per second.
- The outbound bytes per second.
- The number of active IMA network connections to other IMA servers.
Citrix Licensing counters

Average License Check-In Response Time (ms): The average license check-in response time in milliseconds.
Average License Check-Out Response Time (ms): The average license check-out response time in milliseconds.
Last Recorded License Check-In Response Time (ms): The last recorded license check-in response time in milliseconds.
Last Recorded License Check-Out Response Time (ms): The last recorded license check-out response time in milliseconds.
License Server Connection Failure: The number of minutes that the XenApp server has been disconnected from the License Server.
Maximum License Check-In Response Time: The maximum license check-in response time in milliseconds.
Maximum License Check-Out Response Time: The maximum license check-out response time in milliseconds.
Citrix MetaFrame Presentation Server counters

Application Enumerations/sec: The number of application enumerations per second.
Application Resolution Time (ms): The time in milliseconds that a resolution took to complete.
Application Resolutions Failed/sec: The number of application resolutions that failed per second.
Application Resolutions/sec: The number of resolutions completed per second.
Cumulative Server Load: The combined processor utilization and connected XenApp user session loads for this server.
DataStore Connection Failure: The number of minutes that the XenApp server has been disconnected from the data store.
DataStore bytes read: The number of bytes read from the data store.
DataStore bytes read/sec: The number of bytes of data store data read per second.
DataStore bytes written/sec: The number of bytes of data store data written per second.
DataStore reads: The number of times data was read from the data store.
DataStore reads/sec: The number of times data was read from the data store per second.
DataStore writes/sec: The number of times data was written to the data store per second.
DynamicStore bytes read/sec: The number of bytes of dynamic store data read per second.
DynamicStore bytes written/sec: The number of bytes of dynamic store data written per second.
DynamicStore Gateway Update Count: The number of dynamic store update packets sent to remote data collectors.
DynamicStore Gateway Update, Bytes Sent: The number of bytes of data sent across gateways to remote data collectors.
DynamicStore Query Count: The number of dynamic store queries that were performed.
DynamicStore Query Request, Bytes Received: The number of bytes of data received in dynamic store query request packets.
DynamicStore Query Response, Bytes Sent: The number of bytes of data sent in response to dynamic store queries.
DynamicStore reads/sec: The number of times data was read from the dynamic store per second.
DynamicStore Update Bytes Received: The number of bytes of data received in dynamic store update packets.
DynamicStore Update Packets Received: The number of update packets received by the dynamic store.
DynamicStore Update Response Bytes Sent: The number of bytes of data sent in response to dynamic store update packets.
DynamicStore writes/sec: The number of times data was written to the dynamic store per second.
Filtered Application Enumerations/sec: The number of filtered application enumerations per second.
ICA Roundtrip Latency Median: The median ICA roundtrip latency for all sessions on the server.
LocalHostCache bytes read/sec: The number of bytes of IMA local host cache data read per second.
LocalHostCache bytes written/sec: The number of bytes of IMA local host cache data written per second.
LocalHostCache reads/sec: The number of times data was read from the IMA local host cache per second.
LocalHostCache writes/sec: The number of times data was written to the IMA local host cache per second.
Maximum number of XML threads: The maximum number of threads allocated to service Web-based sessions since the server restarted.
Number of busy XML threads: The number of busy threads.
Number of XML threads: The number of threads allocated to service Web-based sessions.
Resolution WorkItem Queue Executing Count: The number of resolution work items that are currently being executed.
Resolution WorkItem Queue Ready Count: The number of resolution work items that are ready to be executed.
WorkItem Queue Executing Count: The number of work items that are currently being executed.
WorkItem Queue Pending Count: The number of work items that are not yet ready to be executed.
WorkItem Queue Ready Count: The number of work items that are ready to be executed.
Zone Elections: The number of zone elections. This value starts at zero each time the IMA Service starts and is incremented each time a zone election takes place.
Zone Elections Triggered: The number of times a server triggers a zone election.
Zone Elections Won: The number of times a server wins a zone election.
ICA Session counters

Input Audio Bandwidth: The bandwidth, measured in bps, used when playing sound in an ICA session.
Input Clipboard Bandwidth: The bandwidth, measured in bps, used when performing clipboard operations such as cut-and-paste between the ICA session and the local window.
Input COM 1 Bandwidth: The bandwidth, measured in bps, used when routing a print job through an ICA session that does not support a spooler to a client printer attached to the client COM 1 port.
Input COM 2 Bandwidth: The bandwidth, measured in bps, used when routing a print job through an ICA session that does not support a spooler to a client printer attached to the client COM 2 port.
Input COM Bandwidth: The bandwidth, measured in bps, used when sending data to the client COM port.
Input Control Channel Bandwidth: The bandwidth, measured in bps, used when executing LongCommandLine parameters of a published application.
Input Drive Bandwidth: The bandwidth, measured in bps, used when performing file operations between the client and server drives during an ICA session.
Input Font Data Bandwidth: The bandwidth, measured in bps, used when initiating font changes within a SpeedScreen-enabled ICA session.
Input HDX Mediastream for Flash Data Bandwidth: The bandwidth, measured in bps, used when streaming Flash data in an HDX-enabled session.
Input Licensing Bandwidth: The bandwidth, measured in bps, used to negotiate licensing during the session establishment phase. Often, no data for this counter is available, as this negotiation takes place before logon.
Input LPT 1 Bandwidth: The bandwidth, measured in bps, on the virtual channel that prints to a client printer attached to the client LPT 1 port through an ICA session that does not support a spooler.
Input LPT 2 Bandwidth: The bandwidth, measured in bps, on the virtual channel that prints to a client printer attached to the client LPT 2 port through an ICA session that does not support a spooler.
Input Printer Bandwidth: The bandwidth, measured in bps, used when printing to a client printer through a client that has print spooler support enabled.
Input Seamless Bandwidth: The bandwidth, measured in bps, used for published applications that are not embedded in a session window.
Input Session Bandwidth: The bandwidth, measured in bps, used from client to server for a session.
Input Session Compression: The compression ratio used from client to server for a session.
Input Session Line Speed: The line speed, measured in bps, used from client to server for a session.
Input SpeedScreen Data Channel Bandwidth: The bandwidth, measured in bps, used from client to server for data channel traffic.
Input Text Echo Bandwidth: The bandwidth, measured in bps, used for text echoing.
Input ThinWire Bandwidth: The bandwidth, measured in bps, used from client to server for ThinWire traffic.
Latency - Last Recorded: The last recorded latency measurement for the session.
Latency - Session Average: The average client latency over the lifetime of a session.
Latency - Session Deviation: The difference between the minimum and maximum measured latency values for a session.
Output Audio Bandwidth: The bandwidth, measured in bps, used for playing sound in an ICA session.
Output Clipboard Bandwidth: The bandwidth, measured in bps, used for clipboard operations such as cut-and-paste between the ICA session and the local window.
Output COM 1 Bandwidth: The bandwidth, measured in bps, used when routing a print job through an ICA session that does not support a spooler to a client printer attached to the client COM 1 port.
Output COM 2 Bandwidth: The bandwidth, measured in bps, used when routing a print job through an ICA session that does not support a spooler to a client printer attached to the client COM 2 port.
Output COM Bandwidth: The bandwidth, measured in bps, used when receiving data from the client COM port.
Output Control Channel Bandwidth: The bandwidth, measured in bps, used when executing LongCommandLine parameters of a published application.
Output Drive Bandwidth: The bandwidth, measured in bps, used when performing file operations between the client and server drives during an ICA session.
Output Font Data Bandwidth: The bandwidth, measured in bps, used when initiating font changes within a SpeedScreen-enabled ICA session.
Output Licensing Bandwidth: The bandwidth, measured in bps, used to negotiate licensing during the session establishment phase. Often, no data for this counter is available, as this negotiation takes place before logon.
Output HDX Mediastream for Flash Data Bandwidth: The bandwidth, measured in bps, used when streaming Flash data in an HDX-enabled session.
Output LPT 1 Bandwidth: The bandwidth, measured in bps, used when routing a print job through an ICA session that does not support a spooler to a client printer attached to the client LPT 1 port.
Output LPT 2 Bandwidth: The bandwidth, measured in bps, used when routing a print job through an ICA session that does not support a spooler to a client printer attached to the client LPT 2 port.
Output Management Bandwidth: The bandwidth, measured in bps, used when performing management functions.
Output Printer Bandwidth: The bandwidth, measured in bps, used when printing to a client printer through a client that has print spooler support enabled.
Output Seamless Bandwidth: The bandwidth, measured in bps, used for published applications that are not embedded in a session window.
Output Session Bandwidth: The bandwidth, measured in bps, used from server to client for a session.
Output Session Compression: The compression ratio used from server to client for a session.
Output Session Line Speed: The line speed, measured in bps, used from server to client for a session.
Output SpeedScreen Data Channel Bandwidth: The bandwidth, measured in bps, used from server to client for data channel traffic.
Output Text Echo Bandwidth: The bandwidth, measured in bps, used for text echoing.
Output ThinWire Bandwidth: The bandwidth, measured in bps, used from server to client for ThinWire traffic.
Resource Shares: The total number of shares used by the session.
Secure Ticket Authority counters

- STA Good Refresh Request Count
- STA Good Ticket Request Count
- STA Peak All Request Rate
- STA Peak Data Request Rate
- STA Peak Ticket Refresh Rate
- STA Peak Ticket Request Rate
- STA Ticket Timeout Count
Each policy setting description provides:

- The name of the policy setting
- The Citrix products to which the policy setting applies
- The additional settings, if applicable, required to enable a particular feature
- Other settings that are similar to the policy setting in question, if applicable
Policy Settings: Quick Reference Table

Each entry gives the task, then the policy setting to use for it.

Graphics & Multimedia
- Control the amount of memory allocated for displaying graphics in a session: Display memory limit
- Control how a user's display degrades in response to memory limits and whether or not to notify the user: Display mode degrade preference; Notify user when display mode is degraded
- Control compression of images for use in sessions of limited bandwidth: Lossy compression level; Lossy compression threshold value; Progressive compression level; Progressive compression threshold value
- Control whether or not Flash content is rendered in sessions: Flash acceleration
- Control whether or not Web sites can display Flash content when accessed in sessions: Flash URL blacklist

Desktop UI
- Control whether or not desktop wallpaper is used in users' sessions: Desktop wallpaper
- View window contents while a window is dragged: View window contents while dragging

User Devices (to limit the bandwidth used for each item)
- Client audio mapping: Audio redirection bandwidth limit, or Audio redirection bandwidth limit percent
- Cut-and-paste using the local clipboard: Clipboard redirection bandwidth limit, or Clipboard redirection bandwidth limit percent
- Devices connected to a local COM port: COM port redirection bandwidth limit, or COM port redirection bandwidth limit percent
- Access in a session to local client drives: File redirection bandwidth limit, or File redirection bandwidth limit percent
- Printers connected to the client LPT port: LPT port redirection bandwidth limit, or LPT port redirection bandwidth limit percent
- Custom devices connected to the client through OEM virtual channels: OEM channels bandwidth limit, or OEM channels bandwidth limit percent
- Client session
- Printing: Printer redirection bandwidth limit, or Printer redirection bandwidth limit percent
- TWAIN devices: TWAIN device redirection bandwidth limit, or TWAIN device redirection bandwidth limit percent

Audio
- Control whether or not to allow audio input from microphones on the user device: Client microphone redirection
- Control audio quality on the user device: Audio quality
- Control audio mapping to speakers on the user device: Client audio redirection

User drives and devices
- Control whether or not drives on the user device are connected when users log on to the server: Auto connect client drives
- Control how drives map from the user device: Client drive redirection
- Improve the speed of writing and copying files to a client disk over a WAN
- Control whether or not user devices attached to local COM ports are available in a session
- Control whether or not client printers attached to local LPT ports are available in a session
- Control whether or not users' local hard drives are available in a session: Client fixed drives
- Control whether or not users' local floppy drives are available in a session: Client floppy drives
- Control whether or not users' network drives are available in a session: Client network drives
- Control whether or not users' local CD, DVD, or Blu-ray drives are available in a session: Client optical drives
- Control whether or not users' local removable drives are available in a session: Client removable drives
- Control whether or not users' TWAIN devices, such as scanners and cameras, are available in a session and control compression of image data transfers: TWAIN compression level
- Control cut-and-paste data transfer between the server and the local clipboard
- Control use of custom devices, such as an electronic pen (stylus): OEM channels

Printing
- Control creation of client printers on the user device: Auto-create client printers
- Allow use of legacy printer names and preserve backward compatibility with prior versions of the server
- Control the location where printer properties are stored: Printer properties retention
- Control whether print requests are processed by the client or the server
- Control whether or not users can access printers connected to their user devices
- Control installation of native Windows drivers when automatically creating client and network printers
- Control when to use the Universal Printer Driver: Universal printing
- Choose a printer based on a roaming user's session information: Default printer

Content redirection
- Control whether or not to use content redirection from the server to the user device: Host to client redirection

Time Zone Control
- Control whether or not to use the server's time zone instead of the client's estimated local time zone: Local Time Estimation
- Control whether to use the server's time zone or the client's time zone

User Connections and Shadowing
- Limit the number of sessions that a user can run at the same time: Concurrent logon limit
- Control whether or not shadowing is allowed: Shadowing
- Allow or deny permission for users to shadow connections: Users who can shadow other users; Users who cannot shadow other users

Single Sign-On
- Identify which credential repository to use when using Single Sign-On: Single Sign-On central store
- Allow or prevent use of Single Sign-On: Single Sign-On

Offline Applications
- Allow or prevent offline application users from reconnecting without reauthentication: Offline app client trust
- Allow or deny permission for users to access offline applications: Offline app users

Security
- Require that connections use a specified encryption level: SecureICA minimum encryption level
Desktop launches

This setting allows or prevents non-administrative users from connecting to a desktop session on the server. When allowed, non-administrative users can connect. By default, non-administrative users cannot connect to desktop sessions, so a full desktop is exposed only where you explicitly allow it.
OEM Channels

This setting allows or prevents custom (OEM) devices attached to ports on the user device from being mapped to ports on the server. By default, mapping of custom devices is allowed. After allowing this setting, configure the maximum amount of bandwidth the OEM virtual channel can consume in a client connection using the OEM channels bandwidth limit or the OEM channels bandwidth limit percent settings.

Related Policy Settings

- OEM channels bandwidth limit
- OEM channels bandwidth limit percent
Audio Quality

Use the projected figures for each level of sound quality to calculate the bandwidth potentially consumed in connections to specific servers. For example, if 25 users record at Medium on one server, the bandwidth used in the connections to that server is over 52,500 bytes per second. Bandwidth is consumed only while audio is recording or playing. If both occur at the same time, the bandwidth consumption is doubled. To control sound quality, choose one of the following options:

- Low - for low speed connections, for low-bandwidth connections. Sounds sent to the client are compressed up to 16 Kbps. This compression results in a significant decrease in the quality of the sound but allows reasonable performance for a low-bandwidth connection. With both audio playback and recording, total bandwidth consumption is 22 Kbps at maximum.
- Medium - optimized for speech, for most LAN-based connections. Sounds sent to the client are compressed up to 64 Kbps. With both audio playback and recording, total bandwidth consumption is 33.6 Kbps at maximum.
- High - high definition audio, for connections where bandwidth is plentiful and sound quality is important. Clients can play sound at its native rate. Sounds can use up to 1.3 Mbps of bandwidth to play clearly. Transmitting this amount of data can result in increased CPU utilization and network congestion.
performance but may also degrade audio quality. Bandwidth is consumed only while audio is recording or playing. If both occur at the same time, the bandwidth consumption doubles. To specify the maximum amount of bandwidth, configure the Audio redirection bandwidth limit or the Audio redirection bandwidth limit percent settings.

Related Policy Settings

- Audio redirection bandwidth limit
- Audio redirection bandwidth limit percent
- Client microphone redirection

- Client audio redirection
- Audio redirection bandwidth limit
- Audio redirection bandwidth limit percent
Desktop wallpaper
By default, user sessions can show wallpaper. To turn off desktop wallpaper and reduce the bandwidth required in user sessions, select Prohibited when adding this setting to a policy.
Menu animation
Menu animation is a Microsoft personal preference setting that causes a menu to appear after a short delay, either by scrolling or fading in. When this policy setting is set to Allowed, an arrow icon appears at the bottom of the menu. The menu appears when you mouse over that arrow. By default, menu animation is allowed.
- Client drive redirection
- Client floppy drives
- Client optical drives
- Client fixed drives
- Client network drives
- Client removable drives

- Client floppy drives
- Client optical drives
- Client fixed drives
- Client network drives
- Client removable drives
- Hypertext Transfer Protocol (HTTP)
- Secure Hypertext Transfer Protocol (HTTPS)
- Real Player and QuickTime (RTSP)
- Real Player and QuickTime (RTSPU)
- Legacy Real Player (PNM)
- Microsoft's Media Format (MMS)
Image caching
This setting enables or disables caching of images in sessions. When needed, the images are retrieved in sections to make scrolling smoother. By default, image caching is enabled.
- Lossy compression threshold value
- Progressive compression level
- Progressive heavyweight compression level
For progressive compression to be effective, its compression level must be higher than the Lossy compression level setting; by default, progressive compression is not applied.

Note: The increased level of compression associated with progressive compression also enhances the interactivity of dynamic images over client connections. The quality of a dynamic image, such as a rotating three-dimensional model, is temporarily decreased until the image stops moving, at which time the normal lossy compression setting is applied.

Related Policy Settings

- Progressive compression threshold value
- Lossy compression level
- Progressive heavyweight compression
Multimedia conferencing

This setting allows or prevents support for video conferencing applications. By default, video conferencing support is enabled. When adding this setting to a policy, make sure the HDX MediaStream Multimedia Acceleration setting is present and set to Allowed. When using multimedia conferencing, make sure the following conditions are met:

- Manufacturer-supplied drivers for the web cam used for multimedia conferencing must be installed.
- The web cam must be connected to the client device before initiating a video conferencing session. XenApp uses only one installed web cam at any given time. If multiple web cams are installed on the client device, XenApp attempts to use each web cam in succession until a video conferencing session is created successfully.
- An Office Communicator server must be present in your farm environment.
- The Office Communicator client software must be published on the server.
Flash acceleration

This setting enables or disables rendering of Flash content on user devices instead of on the server. By default, client-side Flash content rendering is enabled. When enabled, this setting reduces network and server load by rendering Flash content on the user device. Additionally, the Flash URL blacklist setting forces Flash content from specific Web sites to be rendered on the server. When this setting is disabled, Flash content from all Web sites, regardless of URL, is rendered on the server. To allow only certain Web sites to render Flash content on the user device, configure the Flash server-side content fetching whitelist setting.
When adding the Flash server-side content fetching whitelist setting to a policy, make sure the Flash acceleration setting is present and set to Enabled. Otherwise, Web sites listed in the whitelist are ignored. Listed URL strings do not need the http:// or https:// prefix; these prefixes are ignored if found. Wildcards (*) are valid at the beginning and end of a URL.
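The whitelist semantics just described (scheme prefix ignored, wildcard honoured only at the beginning or end of an entry), worked through as an added example. This is not Citrix code and does not claim to reproduce the product's matcher: entry_matches and is_whitelisted are hypothetical helpers, WHITELIST is a constructed list, and the assumptions the page does not state (matching against the whole URL string rather than only the host, case folding, exact match when there is no wildcard, a literal '*' elsewhere) are listed in the docstring.

```python
"""Toy matcher for the Flash URL whitelist semantics described above.

Added example, not Citrix code. The page states that http:// and https://
prefixes are ignored and that '*' is valid at the beginning and end of an
entry. Assumptions not on the page: entries are compared against the whole
URL string (not just the host), comparison is case-insensitive, an entry
without a wildcard must match exactly, and a '*' elsewhere is literal.
"""
from __future__ import annotations

import re

_SCHEME = re.compile(r"^https?://", re.IGNORECASE)


def _normalise(s: str) -> str:
    """Drop a leading http:// or https:// and fold case."""
    return _SCHEME.sub("", s.strip()).lower()


def entry_matches(entry: str, url: str) -> bool:
    """Does one whitelist entry match one URL under the semantics above?"""
    pattern, target = _normalise(entry), _normalise(url)
    leading, trailing = pattern.startswith("*"), pattern.endswith("*")
    core = pattern.strip("*")
    if leading and trailing:
        return core in target           # '*foo*'      -> anywhere in the URL
    if leading:
        return target.endswith(core)    # '*foo'       -> URL must end with foo
    if trailing:
        return target.startswith(core)  # 'foo*'       -> URL must start with foo
    return target == pattern            # no wildcard  -> exact string match


def is_whitelisted(whitelist: list[str], url: str) -> bool:
    """True if any entry matches; the whitelist is an OR of its entries."""
    return any(entry_matches(e, url) for e in whitelist)


# Constructed whitelist: one prefix entry and one (too loose) suffix entry.
WHITELIST = ["https://video.example.com/*", "*partner.example"]

if __name__ == "__main__":
    print(is_whitelisted(WHITELIST, "http://video.example.com/player.swf"))      # True
    print(is_whitelisted(WHITELIST, "https://video.example.com.attacker.tld/x"))  # False
    # Pitfall: a leading '*' matches any string ending in the remainder, so a
    # different registrable domain satisfies '*partner.example' ...
    print(is_whitelisted(WHITELIST, "https://evilpartner.example"))              # True
    # ... while a legitimate host with a path does not, because the URL no
    # longer ends with the remainder.
    print(is_whitelisted(WHITELIST, "https://cdn.partner.example/player"))       # False
```

Two consequences follow from these semantics regardless of implementation details: an entry consisting only of "*" whitelists every URL, and a leading-wildcard entry that omits the dot before the domain ("*partner.example") also admits unrelated domains that merely end in that string. Test candidate entries against real URLs, with paths, before relying on them.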
- Auto connect client COM ports
- COM port redirection bandwidth limit
- COM port redirection bandwidth limit percent
LPT ports are used only by legacy applications that send print jobs to the LPT ports and not to the print objects on the client device. Most applications today can send print jobs to printer objects. This policy setting is necessary only for servers that host legacy applications that print to LPT ports.

Related Policy Settings

- Auto connect client LPT ports
- LPT port redirection bandwidth limit
- LPT port redirection bandwidth limit percent
Default printer

This setting specifies how the default printer on the user device is established in a session. By default, the user's current printer is used as the default printer for the session.

To use the current Remote Desktop Services or Windows user profile setting for the default printer, select Do not adjust the user's default printer. If you choose this option, the default printer is not saved in the profile and it does not change according to other session or client properties. The default printer in a session will be the first printer autocreated in the session, which is either:

- The first printer added locally to the Windows server in Control Panel > Printers
- The first autocreated printer, if there are no printers added locally to the server

You can use this option to present users with the nearest printer through profile settings (known as Proximity Printing).
Session printers
This setting specifies the network printers to be auto-created in a session. You can add printers to the list, edit the settings of a list entry, or remove printers from the list. You can apply customized settings for the current session at every logon.
- Auto-create all client printers automatically creates all printers on a user device.
- Auto-create the client's default printer only automatically creates only the printer selected as the default printer on the user device.
- Auto-create local (non-network) client printers only automatically creates only printers directly connected to the user device through an LPT, COM, USB, or other local port.
- Do not auto-create client printers turns off autocreation for all client printers when users log on. This causes the Remote Desktop Services settings for autocreating client printers to override this setting in lower priority policies.
- Held in profile only if not saved on client allows the system to determine where printer properties are stored. Printer properties are stored either on the client device, if available, or in the user profile. Although this option is the most flexible, it can also slow logon time and use extra bandwidth for system checking.
- Saved on the client device only is for user devices that have a mandatory or roaming profile that is not saved. Choose this option only if all the servers in your farm are running XenApp 5 or later and your users are using Citrix XenApp online plug-in version 9.x or later.
- Retained in user profile only is for user devices constrained by bandwidth (this option reduces network traffic) and logon speed, or for users with legacy plug-ins. This option stores printer properties in the user profile on the server and prevents any properties exchange with the client device. Use this option with MetaFrame Presentation Server 3.0 or earlier and MetaFrame Presentation Server Client 8.x or earlier. Note that this is applicable only if a Remote Desktop Services roaming profile is used.

Retained printers are user-created printers that are created again, or remembered, at the start of the next session. When XenApp recreates a retained printer, it considers all policy settings except the Auto-create client printers setting. Restored printers are printers fully customized by an administrator, with a saved state that is permanently attached to a client port.
Universal printing

This setting specifies when to use universal printing. Universal printing consists of a generic printer object (Citrix Universal Printer) and universal printer drivers that work with both Windows and non-Windows clients. By default, universal printing is used only if the requested driver is unavailable. When adding this setting to a policy, select an option:

- Use universal printing only if requested driver is unavailable uses native drivers for client printers if they are available. If the driver is not available on the server, the client printer is created automatically with the appropriate universal driver.
- Use only printer model specific drivers specifies that the client printer use only the native drivers that are auto-created at logon. If the native driver of the printer is unavailable, the client printer cannot be auto-created.
- Use universal printing only specifies that no native drivers are used.
- Use printer model specific drivers only if universal printing is unavailable uses the universal printer driver if it is available. If the driver is not available on the server, the client printer is created automatically with the appropriate native printer driver.
SecureICA Encryption

This setting specifies the minimum level at which to encrypt session data sent between the server and a user device. When adding this setting to a policy, select an option:

- Basic encrypts the client connection using a non-RC5 algorithm. It protects the data stream from being read directly, but it can be decrypted, so treat it as obfuscation rather than cryptographic protection. By default, the server uses Basic encryption for client-server traffic.
- RC5 (128 bit) logon only encrypts the logon data with RC5 128-bit encryption and the rest of the client connection with Basic encryption.
- RC5 (40 bit) encrypts the client connection with RC5 40-bit encryption.
- RC5 (56 bit) encrypts the client connection with RC5 56-bit encryption.
- RC5 (128 bit) encrypts the client connection with RC5 128-bit encryption.

The settings you specify for client-server encryption can interact with other encryption settings in XenApp and in your Windows operating system. If a higher priority encryption level is set on either a server or a user device, the settings you specify for published resources can be overridden. You can raise encryption levels to further secure communications for certain users. If a policy requires a higher encryption level, plug-ins using a lower encryption level are denied connection.

SecureICA does not perform authentication or check data integrity: it only protects against passive reading of the stream, and 40-bit and 56-bit RC5 keys are short enough to be recovered by brute force with modest computing resources. To provide end-to-end encryption for your server farm, use SecureICA with SSL/TLS encryption. SecureICA does not use FIPS-compliant algorithms. If this is an issue, configure the server and plug-ins to avoid using SecureICA.
Shadowing
This setting allows or prevents users from shadowing other users sessions. By default, administrators can shadow users sessions. When you add this setting to a policy, specify the users allowed to shadow by configuring the Users who can shadow other users and Users who cannot shadow other users policy settings. Session shadowing monitors and interacts with user sessions. When you shadow a user session, you can view everything that appears on the users session display. You can also use your keyboard and mouse to remotely interact with the user session. Shadowing is protocol-specific. This means you can shadow ICA sessions over ICA and Remote Desktop Protocol (RDP) sessions over RDP only.
564
Shadowing Policy Settings Shadowing restrictions are set at install time and are permanent. If you enable or disable shadowing, or certain shadowing features during Setup, you cannot change these restrictions later. You must reinstall XenApp on the server to change shadowing restrictions. Any user policies you create to enable user-to-user shadowing are subject to the restrictions you place on shadowing during Setup.
- TWAIN compression level
- TWAIN device redirection bandwidth limit
- TWAIN device redirection bandwidth limit percent
USB Devices Policy Settings

Protocol from either the device descriptor or an interface descriptor

When creating new policy rules, be aware of the following:

- Rules are case-insensitive.
- Rules may have an optional comment at the end, introduced by #.
- Blank and pure comment lines are ignored.
- Tags must use the matching operator =. For example, VID=1230.
- Each rule must start on a new line or form part of a semicolon-separated list.
- Refer to the USB class codes available from the USB Implementers Forum, Inc. Web site.

Examples of administrator-defined USB policy rules

Allow: VID=1230 PID=0007 # ANOther Industries, ANOther Flash Drive
Deny: Class=08 subclass=05 # Mass Storage

To create a rule that denies all USB devices, use DENY: with no other tags.
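As an added example (not Citrix code), the following Python parses the rule syntax described above and checks a constructed device record against it, so an administrator can lint a rule set before applying it. Two points are assumptions not stated above: rules are evaluated top to bottom with the first match deciding, and a device matching no rule receives the caller-supplied default (deny here); the tag names VID, PID, Class, SubClass and Prot are taken to name the USB descriptor fields of the same name.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Tag names modelled here (assumption: they map to the USB descriptor fields
# of the same name). Class/SubClass/Prot values may come from the device
# descriptor or from any interface descriptor, so they are matched together
# against one descriptor at a time.
DESCRIPTOR_TAGS = {"class", "subclass", "prot"}
KNOWN_TAGS = {"vid", "pid"} | DESCRIPTOR_TAGS

_RULE_RE = re.compile(r"^(allow|deny)\s*:(.*)$", re.IGNORECASE)


@dataclass
class UsbRule:
    action: str            # "allow" or "deny", lower-cased
    tags: Dict[str, str]   # lower-cased tag -> lower-cased value; empty for a bare DENY:
    comment: str = ""      # text after '#', if any


@dataclass
class UsbDevice:
    """Constructed device record for matching; not a real USB enumeration."""
    vid: str
    pid: str
    device_descriptor: Dict[str, str] = field(default_factory=dict)
    interfaces: List[Dict[str, str]] = field(default_factory=list)


def parse_usb_rules(text: str) -> List[UsbRule]:
    """Parse rule text: case-insensitive, '#' comments, ';'-separated rules."""
    rules: List[UsbRule] = []
    for line in text.splitlines():
        body, _, comment = line.partition("#")      # optional trailing comment
        for chunk in body.split(";"):               # several rules per line allowed
            chunk = chunk.strip()
            if not chunk:
                continue                            # blank or pure-comment line
            m = _RULE_RE.match(chunk)
            if not m:
                raise ValueError(f"malformed rule: {chunk!r}")
            tags: Dict[str, str] = {}
            for token in m.group(2).split():
                key, sep, value = token.partition("=")   # '=' is the only operator
                if not sep or not value or key.lower() not in KNOWN_TAGS:
                    raise ValueError(f"bad tag {token!r} in rule {chunk!r}")
                tags[key.lower()] = value.lower()
            rules.append(UsbRule(m.group(1).lower(), tags, comment.strip()))
    return rules


def validate_usb_rules(text: str) -> Optional[str]:
    """Return None if the rule text parses cleanly, else the parse error message."""
    try:
        parse_usb_rules(text)
        return None
    except ValueError as exc:
        return str(exc)


def rule_matches(rule: UsbRule, device: UsbDevice) -> bool:
    """A rule matches when every tag matches; a tagless rule (bare DENY:) matches everything."""
    tags = rule.tags
    if "vid" in tags and device.vid.lower() != tags["vid"]:
        return False
    if "pid" in tags and device.pid.lower() != tags["pid"]:
        return False
    desc_tags = {k: v for k, v in tags.items() if k in DESCRIPTOR_TAGS}
    if not desc_tags:
        return True
    # Class-level tags must all hold within a single descriptor (device or one
    # interface): class 08 on one interface and subclass 05 on another is no match.
    for desc in [device.device_descriptor] + device.interfaces:
        if all(desc.get(k, "").lower() == v for k, v in desc_tags.items()):
            return True
    return False


def evaluate_usb_policy(rules: List[UsbRule], device: UsbDevice, default: str = "deny") -> str:
    """First matching rule decides (assumption); 'default' applies when none matches."""
    for rule in rules:
        if rule_matches(rule, device):
            return rule.action
    return default


# Constructed sample rule set: the page's two example rules, a comment line,
# a semicolon-separated line, and a catch-all DENY: that denies everything else.
SAMPLE_RULES = """\
Allow: VID=1230 PID=0007 # ANOther Industries, ANOther Flash Drive
Deny: Class=08 subclass=05 # Mass Storage
# pure comment line, ignored
allow: class=03; allow: CLASS=01 SubClass=01   # HID; audio control
DENY:
"""

# Constructed devices (vendor and product ids are made up).
FLASH_DRIVE = UsbDevice("1230", "0007", interfaces=[{"class": "08", "subclass": "06", "prot": "50"}])
OTHER_STORAGE = UsbDevice("abcd", "0001", interfaces=[{"class": "08", "subclass": "05", "prot": "50"}])
KEYBOARD = UsbDevice("1a2b", "3c4d", interfaces=[{"class": "03", "subclass": "01", "prot": "01"}])
MIXED = UsbDevice("1111", "2222", interfaces=[{"class": "08", "subclass": "06"}, {"class": "01", "subclass": "05"}])
```

Without the trailing catch-all, MIXED matches nothing, so the outcome is whatever default the caller passes; that is why a rule set should end with an explicit DENY: when the intent is to block everything not listed.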
Session importance
This setting specifies the importance level at which a session is run. If the CPU management server level setting is configured for No CPU utilization management, sessions with higher importance levels are allowed to use more CPU cycles than sessions with lower importance levels. If the CPU management server level setting is configured for Preferential Load Balancing, sessions with higher importance levels are directed to servers with lower resource allotments.

Related Policy Settings

- CPU Management Server Level
Single Sign-On
This setting enables or disables the use of Single Sign-on when users connect to servers or published applications in a XenApp farm. By default, Single Sign-On is enabled.
- Any connections (selected by default) allows access to published applications through any connection.
- Citrix Access Gateway, Citrix online plug-in, and Web Interface connections only allows access to published applications through the listed connections, including any version of Access Gateway. This option denies access through any other connection.
- Citrix Access Gateway connections only allows access to published applications only through Access Gateway Advanced Edition servers (Version 4.0 or later).
Health monitoring
This setting allows or prevents running Health Monitoring and Recovery tests on the farm servers. By default, Health Monitoring and Recovery tests are allowed to run.
- Citrix IMA Service
- Logon Monitor
- XML Service
- Remote Desktop Services
- No CPU utilization management disables CPU utilization management on the server.
- Fair sharing of CPU between sessions ensures that CPU resources are equitably shared among users by having the server allocate an equal share of CPU to each user.
- Preferential Load Balancing allocates more CPU resources to one user over another based on the resource allotment for each session. The resource allotment is determined by the importance levels of both the published application running in the session and the session itself.

Note: To use CPU Utilization Management, ensure the Fair Share CPU Scheduling (DFSS) feature of Remote Desktop Services is disabled on the server.

Related Policy Settings

- Session importance
Memory optimization
This setting enables or disables memory optimization. Enabling memory optimization improves the ability to manage DLL allocation in both real and overall virtual memory by creating shared DLLs for applications that are open in multiple sessions. By default, this setting is disabled.
If the specified day does not occur in a given month (for example, the 30th day in February, or the 31st day in April or June), memory optimization does not run in that month.
- Memory optimization, set to Enabled
- Memory optimization interval, set to Daily, Weekly, or Monthly

Memory optimization times are scheduled in the local time zone of the server and use a 12-hour clock. If you enter a time according to a 24-hour clock, the time is converted automatically to a 12-hour clock. If you enter a time without a TT value, the time defaults to AM.
Scheduled reboots
This setting enables or disables scheduled server restarts. You can configure automatic restarts at specific times and frequencies, as well as the starting date of the schedule. By default, server reboots are not scheduled.
Application Streaming
Application streaming simplifies application delivery to users by virtualizing applications on client devices. Administrators can install and configure an application centrally and deliver it to any desktop on demand. Use the application streaming feature to install and configure an application on one file server in your App Hub, publish the application using the XenApp publishing wizard, and deliver it to any desktop or server on demand. To upgrade or patch an application, you make the updates only in the location where you stored the application. Application streaming augments application delivery not only to user desktops, but also to servers in your server farms.

Application streaming offers the following features:

- Install once, deliver anywhere. Provides the ability to install an application once on a profiler workstation and have it replicated to file servers within the existing enterprise infrastructure. Once there, the applications are delivered to client devices that request access to the application, on demand, as a result of end-user activity.
- Seamless updates. No need to profile applications again. Updates are as simple as updating an application on a desktop using the update program supplied by the manufacturer. The update is performed once on the profiler workstation and delivered to client devices in a manner similar to that used in the initial delivery.
- Application isolation. All streamed applications run within isolation environments that keep the applications from interfering with others running on the same client device. The isolation environment is specific for the application and user session, regardless of whether the user streams to the local client or virtualizes the streamed application from a server. The specific data files of the application, such as INI files and registry keys, are all isolated and maintained centrally for the streamed application.
- Application caching. Application files can be cached on the client device to allow faster access the next time the application is launched. Before an application runs, cached files are updated automatically if there is a newer version on the file server. Note that application caching is strictly for performance reasons; there is no requirement to have the application cached for the application to run.
- Wide range of target environments. Nearly any modern Windows platform can host a streamed application. Specifically, supported operating systems include Windows XP Professional, Windows Server 2003 and 2008, Windows Vista, and Windows 7. With dual mode streaming, target environments are increased to include all supported XenApp client desktops.
- Dual mode streaming. Configure XenApp to stream software to client devices; otherwise, virtualize from a XenApp server. If launching a streamed application fails on the client device, XenApp seamlessly streams the application to the server and virtualizes the application on the client device from XenApp.
- Easy delivery of applications to farm servers. When publishing applications in a server farm, choose to virtualize applications from XenApp, which can simplify application delivery. Instead of installing applications on your farm servers, you stream them to XenApp from a central file share in your App Hub. Update the application in the central location, and you update the application on all the farm servers.
- Consistent end-user experience. Applications that can be accessed through the server appear next to other applications that the user is accustomed to, either within the Web Interface, Citrix plug-ins, or on the desktop. The user does not have to know where and how the application is executing.
- Offline access. Once configured and delivered, applications are available to the user while disconnected from the network.
- Easy disaster recovery. On-demand application delivery is a powerful concept for disaster recovery situations because the application and data are not lost if the profiles can be easily backed up, and servers and desktops can be replaced easily.
Finding Documentation
To access complete and up-to-date product information, in Citrix eDocs, expand the topics for your product.

Licensing Documentation

To access licensing documentation, go to http://support.citrix.com/proddocs/topic/technologies/lic-library-node-wrapper.html.
Getting Support
Citrix provides technical support primarily through Citrix Solutions Advisors. Contact your supplier for first-line support or use Citrix Online Technical Support to find the nearest Citrix Solutions Advisor. Citrix offers online technical support services on the Citrix Support Web site. The Support page includes links to downloads, the Citrix Knowledge Center, Citrix Consulting Services, and other useful support pages.
Known Issues
- To install the Streaming Profiler with the required Visual C++ redistributables, manually install CitrixStreamingProfiler.exe from the installation media. If you install the Streaming Profiler from the Autorun menu, such as by selecting Manually Install Components > Common Components > Plug-ins, Streaming Profiler, and Documentation > Streaming Profiler, Autorun launches the .msi installer instead of the .exe installer. As a result, the redistributables are not installed. [#231179]
- When using the RadeDeploy -p /delete command to delete cached offline applications from user devices, it deletes the contents of the Deploy folder, but does not delete the corresponding offline application names from the registry or from the list of offline apps on the user device. [#224182]
- On Windows Server 2008 R2 platforms, the session information in the Delivery Services Console might be incomplete or inaccurate for applications streamed to clients. For example, session information does not include the application names or client names. In addition, when users run multiple sessions, properties for all sessions are overwritten with the most current session properties. There is no workaround for these issues. [#223417, 223863, 223872]
- After editing the isolation rules for a profile with inter-isolation communication (IIC), confirm whether or not the dependent profiles are still linked with each other. If the link is missing, add the dependent profiles again to the IIC profile. [#224742]
- When creating profiles in the Profiler 6.0, inter-isolation communication is allowed only with other profiles created (or updated) in version 6.0 of the profiler. Linking to profiles created in earlier versions of the profiler is not supported. To update profiles, simply open and re-save them in Profiler 6.0. Then proceed to add the updated profiles to the IIC profile. [#227331]
- Uninstalling the offline plug-in from a XenApp server uninstalls two .dll files that the server needs: radeapphook64.dll and radeapphook.dll. Before uninstalling the plug-in, make a backup of these files, or locate them on another server. After uninstalling the plug-in, copy the two .dll files to the C:\Program Files\Citrix\system32 directory on the server, and restart the server. [#224537]
- On XenApp 5 for Windows 2003, if you publish Application Isolation Environment (AIE) applications, do not install the offline plug-in 6.0 or higher on the XenApp server. If you install it, AIE applications run slowly or do not launch successfully; no error message appears to explain the failure. This issue occurs because the AIE functionality is deprecated in offline plug-in 6.0, making application streaming the preferred method of application isolation, and the plug-in does not support AIE applications. Because the application streaming technology shares binary files with the deprecated AIE technology, installing the offline plug-in 6.0 or higher on the XenApp server overwrites shared files and causes the AIE applications to fail. As a best practice, remove your AIE applications and adopt application streaming technology, including profiling and re-publishing your applications for streaming. Alternatively, you can silo your servers for either AIE applications or streamed applications. You can have both types in the same farm, just not on the same server. For more details, see http://support.citrix.com/article/CTX127234.
- For best practices for streaming Office 2007 applications, see Customizing Microsoft Office 2007 for streaming environments at http://support.citrix.com/article/CTX118396.
- For information about delivering Microsoft Application Virtualization (App-V) sequences to users, see the eDocs topic To publish App-V sequences.
- Creating Visual Reports in Project 2007 is not supported when users stream Project to their desktops. [#223304]
- Running Microsoft Office Web Components in Project 2007 is not supported on Windows 7 operating systems. [#223553] There are no workarounds for these issues.
- When using the RadeCache.exe "flushall" command to clear the Office 2007 cache on user devices, in some cases, the target is not fully deleted. This occurs when svchost.exe (running outside isolation) is still running processes from the target. If this occurs, restart the computer and then run the flushall command again. [#227323] In addition, for service-based applications, if that application uses a network service, then flushing RadeCache might not delete all the registry keys, but this will not impact the next application launch. [#230383]
- On Windows 7 operating systems, if Office 2007 is installed locally, streamed Office 2007 applications sometimes fail to launch or launch with errors. For example, Outlook 2007 signatures do not appear. There is no workaround for this issue. [#229723]
- On the following operating systems, issues occur when profiling the Microsoft MSN Messenger toolbar as an Internet Explorer plug-in. Use the following workarounds: [#228314]
  - On Windows Server 2008 R2 platforms, deselect the "Live Writer" component from the installation. If you try to include the Live Writer component, the toolbar installation fails.
  - On XP SP3 (32-bit) platforms, if an error message appears, click OK and the wizard continues normally.

Microsoft Office 2010

The offline plug-in 6.0 and streaming profiler 6.0 have been tested to support profiling and streaming Office 2010 applications. This testing was completed through the release candidate of Office 2010. It is possible that the final version of Office 2010 will change compared to the release candidate, causing a required change to the offline plug-in; the scope of any such change cannot be anticipated prior to release.

- For best practices for customizing Office 2010 applications for streaming environments, see http://support.citrix.com/article/CTX124565.

Known issues for profiling and streaming Office 2010 release candidate applications:

- Profiling and launching streamed Office 2010 applications on Windows Server 2003 and XP operating systems require Microsoft hotfixes. Symptoms of missing hotfixes include error messages appearing while profiling Office 2010 applications, or application launch on the user device consuming 100% of the CPU on the device. This third-party issue occurs if you install Microsoft security update KB956572, but not the hotfixes KB973573 or KB978835 that correct a problem. [#229982, 227925]
  To profile or stream Office 2010 applications, install these hotfixes on profiler workstations and user devices:
  - On Windows XP 64-bit or Windows 2003 32-bit and 64-bit platforms, install hotfix KB973573. For more information, see http://support.citrix.com/article/CTX124563.
- For streamed Office 2010 applications, some fonts might not appear immediately, such as Elephant font. You might have to restart the application for the font to appear. [#222823]
- Support for Windows Server 2008 R2 for application streaming features, including inter-isolation communication, differential synchronization, streaming profiles using HTTP/HTTPS, and RadeDeploy commands.
- Compatibility with Microsoft Office 2010. Create streaming profiles for 32-bit Office 2010 applications, including the services they require.
- Isolation of services in profiles. Use this new feature in the Streaming Profiler to install services in application profiles so they run in isolation on user devices. After you create a whitelist of approved servers and edit the registry on user devices, users can stream profiles with services from approved locations.
- RadeRun command to stream apps without using a license. Enable the function RadeRun to execute without a license so that applications can be streamed without being published. This feature eliminates the implementation of XenApp infrastructure as a streaming requirement. Streaming licensing is still enforced through the EULA. However, when the offline plug-in launches a published application from a XenApp server and communicates with XenApp servers, it uses a license. Also, the offline license period still applies to offline applications.
- Change from .CAB files to directory locations. With this change, profiled applications (especially those in Office 2010 and 2007) are no longer packaged in .CAB files. Instead, locate the application files in directory subfolders for the application.
- Backward compatibility. To take advantage of the latest updates in application streaming, Citrix recommends installing the Streaming Profiler 6.0 and the current versions of the Citrix plug-ins included in this release. This release provides backward compatibility for streaming profiles created with profilers in earlier releases, including 1.x through 5.x. However, profiles created in the Streaming Profiler 6.0 are supported only with the Citrix offline plug-in 6.0 in this release and online plug-in versions 11.2 through 12.x.
- Windows XP Home and Professional editions, 32-bit edition, with Service Pack 3
- Windows XP Home and Professional editions, 64-bit edition, with Service Pack 2
- Windows Server 2008, 32- and 64-bit editions
- Windows Server 2003, 32- and 64-bit editions
- Windows Server 2003 R2
- Windows Server 2008 R2
- Windows Vista (Home, Business, Enterprise, and Ultimate editions), 32- and 64-bit editions, with Service Pack 1
- Windows 7, 32-bit and 64-bit (Enterprise, Professional, Ultimate)

The current offline plug-in supports Citrix Receiver 1.0, 1.1, and 1.2. The profiler workstation and user devices must meet the following requirements:

- Microsoft XML 2.0 installed (use Windows Update to ensure you installed all recent Internet Explorer updates).
- Standard PC architecture, 80386 processor or greater as required for the operating system.
- Administrator rights for the person installing.
- To profile and stream Microsoft Office applications to Windows Server 2003 operating systems, install the Windows Data Execution Prevention (DEP) hotfix on the server and profiling workstation. For information, see http://support.microsoft.com/kb/931534.

The profiler workstation must provide a run-time environment that is as close to your users' environment as possible:

- To stream applications to user devices, the profiler workstation should be a similar platform.
- The profiler workstation should also include standard programs that are part of the company image, such as an antivirus program.
- To stream Microsoft Office 2007 or 2010 programs or to stream profiles enabled for inter-isolation communication, install .NET Framework 2.0 (3.0 or 3.5 optional).
- If you install the offline plug-in and profiler on the same computer, they must be the same exact version.
- Install the profiler in a path with single-byte characters only. Double-byte characters in the installation path are not supported.

The user devices must meet the following requirements:

- A network connection to the server farm, such as a network interface card (NIC).
- A supported browser: Microsoft Internet Explorer 6.0, 7.0, or 8.0.
- To stream Microsoft Office 2007 or 2010 programs or to stream profiles enabled for inter-isolation communication, install .NET Framework 2.0 (3.0 or 3.5 is optional).
- Manually uninstall any previous version of the Streaming Client and Program Neighborhood Agent on user devices.

To ensure availability of the features and functionality of XenApp for Windows Server 2008 R2 to your users, install the most recent version of the online and offline plug-ins:

- Citrix recommends using Citrix Receiver on user devices to install (and uninstall) Citrix plug-ins.
- To stream applications to user desktops, install both the Citrix offline plug-in and online plug-in on user devices.
- To stream applications to a server, install the online plug-in or Web plug-in on user devices. The offline plug-in is not required.
- If streaming to a Web Interface site, add the site to the list of trusted sites.
1. Licensing. Consists of the license server and License Management Console. Use the License Management Console to manage licensing. To install Citrix Licensing, see the licensing section in the Technologies node of Citrix eDocs. For more information about licensing application streaming and offline access, see Application Streaming Licensing Explained (CTX112636).
2. Administration (server farm). Consists of the following components:
   - Farm servers.
   - IMA database.
   - The Web Interface.
   - The console, depending on your XenApp version. Use the console to configure and manage the server delivery and publish applications for streaming.
     - Access Management Console
3. Citrix Streaming Profiler. Creates and maintains streaming application profiles. The Streaming Profiler is an independent application that enables you to profile Windows applications, Web applications, browser plug-ins, files, folders, and registry settings that can be streamed to user devices and servers.
   Use the profiler to create one or more targets within an application profile that can match all the platforms of your users. This strategy creates a single profile that can accommodate a variety of user platforms. The profiler can also update applications in the profile and provide other resources that your users need.
4. Citrix plug-ins. The Citrix offline plug-in is the new name for the Streaming Client. To support streaming applications to the user's desktop, as well as offline access to applications and dual-mode streaming, install both the offline plug-in and online plug-in on user devices. When a user runs a published application enumerated by Citrix Receiver or Citrix online plug-in or through a Web Interface site, the offline plug-in finds the correct target in the profile in the App Hub, sets up the isolation environment on the user device, and then streams the application from the profile location to the safety of the isolation environment set up on the user device. To support streaming applications to the server, install either the online plug-in or Web plug-in on user devices. These applications must be published as "stream to server." When users run an application, it streams to the server and launches using an ICA connection on the user device. To stream using the Web plug-in, the Web Interface site must be added to the list of trusted sites.
Enumerate published applications in the desktop Start menu and create shortcuts on the desktop. Provide dual-mode streaming. When you select "Streamed if possible, otherwise accessed from a server" and "Streamed to server," if streaming to the client desktop fails, applications automatically stream to a XenApp server and launch using the online plug-in. Configure the application and users for offline access. When this configuration is completed, the entire application is fully cached on the user device. Users can disconnect from the network and continue using the application for the time specified in the offline license.
Accessed from a server. The profile is streamed from the App Hub to the XenApp server, where the offline plug-in is installed by default. The application displays on the user devices using the online plug-in or Web plug-in; the offline plug-in is not required on the user device. When you publish applications as "Accessed from a server" and "Streamed to server," users access the applications using the online plug-in or Web plug-in. This method does not support desktop integration or offline access to applications. Select the online plug-in package that fits your corporate needs:
- Install CitrixOnlinePluginFull.exe to stream applications to XenApp servers and launch them with the online plug-in, which provides transparent integration on desktops, or launch them from a Web browser using a Web Interface site you create. Users have the full online plug-in feature set.
- Install CitrixOnlinePluginWeb.exe to stream applications to XenApp servers and launch them from a Web browser using a Web Interface site you create. Users have a limited online plug-in feature set.
Important: For users to stream applications through a Web site using an Internet Explorer or Firefox browser, add the site to the Trusted sites list in Internet Explorer on the user
- Application Streaming FAQs for Administrators at http://support.citrix.com/article/CTX118181
- Enhancing Security in Application Streaming for Desktops at http://support.citrix.com/article/CTX110304
- Application Streaming Delivery and Profiling Best Practices for XenApp at http://support.citrix.com/article/CTX118623
Additionally, select your product version of XenApp on the support Web site, click the Technotes tab, and then click Application Streaming.
Creating Application Profiles
Note: The Streaming Profiler SDK offers a set of COM objects and .NET interfaces that give Citrix customers, distributors, and partners a programmatic interface into the profiler. For information, download the SDK and Readme from the Citrix Developer Network Web site at http://community.citrix.com/.
Targets Overview
A target is a collection of disk files, registry data, and other information used to represent an application isolation environment. In addition, each target denotes a combination of operating system, service pack level, system drive letter, and language. Applications can be profiled for each combination of these values to support separate targets; for example: Microsoft Vista for all service packs, drive letter C, and English. There can be multiple executables inside a target including multiple applications that normally receive an entry on the Start menu. As an example, Microsoft Office is a profile and Microsoft Word is an application inside that profile. A profile can support multiple targets where the target is a separate installation of the profile-level software targeted for execution on a specific version of the operating system or language. For example, create one target for Windows Vista and another target for Windows Server 2008. User devices select targets for execution based on the computer configuration you specify while creating the target. By default, a target matches the operating system and configuration of the profiling workstation, but you can select different operating systems as well. In addition, refer to information about the following selection criteria for creating targets:
- Service Pack Level
- System Drive Letter
- Operating System
- Language
- Inter-Isolation Communication
Overview
You use the profiler to set criteria for each target in a profile. One or more administrators can run the profiler multiple times and from different packaging environments to achieve a complete set of differentiating targets. For many common scenarios, a single installation image supports a variety of computer configurations, which simplifies profile creation. The criteria associated with each target are stored in a profile manifest, a .profile file, stored with the profile files. Overlapping definitions are not permitted: only one target in a profile can be a correct match for any computer configuration at application launch.
An administrator can update a profile and target at any time without affecting already active executions on user devices. The cost for this support is that file-server disk space is consumed to maintain old versions. The profiler provides no facility to delete old versions of targets. Instead, manually delete old versions of targets to reclaim server-side disk space. When deleting targets, it is the responsibility of the administrator to ensure that the deleted versions are sufficiently old that no users are employing the target.
For the list of supported operating systems for application streaming, see the system requirements. By design, future operating systems are not supported, and the execution environment refuses to execute an application if the user device has an unsupported
- Not required (any service pack is acceptable)
- Minimum Service Pack Level
- Maximum Service Pack Level
- Range of Service Pack Levels
- A single, specified service pack level
- No service packs installed
When choosing supported service packs, ensure that you do not choose service packs that are not supported by the Citrix offline plug-in. Refer to the system requirements for supported platforms.
Using the English version of the profiler, create targets for the following operating system languages:
The profiler can create targets for all languages, including languages other than those listed here, but doing so is not fully supported. To create targets for other languages, Citrix recommends that you use the English language version of the profiler.
An associated profile does not include any additional installation. You link existing profiles and set their hierarchy so that they can communicate when launched on the user device. For example, if you profile Microsoft Outlook and Adobe Reader in individual, simple profiles, the applications operate independently, but Outlook is not aware of the streamed Adobe Reader and therefore cannot call the application in the simple profile to open the .PDF attachment. By associating these two profiles, Outlook and the Reader can interact as users expect, even though the individual applications are profiled separately. This happens because they are now aware of each other and can interact as though they are profiled together. A dependent profile includes the installation of an application that depends on the presence of one or more other applications before its installation is complete. While you create the profile, to simulate this dependency, the existing profiles that you select are temporarily downloaded from the file server during the profiling process to establish the hierarchy and isolation rules that are used at runtime. You then install the application that is dependent on them. For example, you might include simple profiles with Office 2007 and Microsoft Dynamics in this profile before you install a .NET application that depends on them. That way, when users launch the .NET application, Office and Dynamics are also launched on the user device.
When you create a profile enabled for inter-isolation communication, applications launch on the user device and remain isolated from the system and from other isolated applications, but they can interact with each other. The advantage of inter-isolation communication is that applications can be maintained separately and updates are included automatically in all the linked profiles in which the profile is included. This feature saves time for the administration of the profile set. When you create a dependent profile, the additional properties added to any of the individual profiles in the linked profile are enabled for all the individual profiles. These properties include custom rules, pre-launch or post-exit scripts, and pre-launch analysis. When users stream applications from the inter-isolation communication profile, the combined properties of all the linked profiles execute in hierarchical order, from the lowest profile to the highest profile as listed in the profiling wizard and Linked Profiles property page. However, if you create an associated profile, without installing a new application, additional properties are not available. You can add properties only to profiles that have installed applications.
Isolating Services
Certain applications, such as Microsoft Office 2010 and 2007, require related services to run on the user device. Beginning with version 6.0 of the profiler, services that are required by applications are automatically installed with the application as you create application profiles.
Important: This feature requires that you create a whitelist of approved locations of profiles in the registry of user devices. After you create the whitelist and edit the registry for the user devices, only services from the approved locations can be loaded and run on the user device. For these steps, see Specifying Trusted Servers for Profiles and Services.
Based on its startup type, a service runs in an isolation environment on the user device with the application that requires it and continues until the session ends:
- Automatic start: These services start automatically at logon and continue running until the user shuts down or restarts the device.
- Manual start: These services start when called by an application in the profile and continue running until the application ends the service or the user shuts down or restarts the device.
To view or modify the services available for a target, from the profiler, from the Edit menu, select Target Properties. The Services tab lists the services, their paths, logon names, and start type.
Considerations
- Isolated services might extend launch time for the first launch of the application each time the device is restarted.
- When a service runs in isolation, it might not communicate all the needed information with services running outside isolation, such as locally installed services. If communication is required, consider removing the service from isolation and installing it locally on the user device.
- If the profile uses inter-isolation communication to link one or more subprofiles, all services within the linked profile are started.
- To update a service, open the existing profile in the Update Profile wizard. Citrix recommends updating services during off-peak hours because the procedure stops the service and closes that application for end users. After completing the update, the service restarts and users can relaunch the application.
- In any environment, only a single instance of the service launches in isolation. For example, in a multiuser environment, the service starts when the first user launches the application and then is shared by all subsequent users running the application.
For unsigned profiles that include services, you must create a whitelist of approved server locations on the user device. If profiles attempt to stream a service from a location that is not on the whitelist, the service launch is denied and an event is sent to the event log. Optionally, to extend the whitelist requirement to unsigned profiles without services, create an additional registry setting.
Alternatively, signed profiles are always trusted, whether or not they include services, and a whitelist is not required for them.
Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
Specifying Trusted Servers for Streamed Services and Profiles
The following examples are valid entries:
- http://streamauto;https://10.105.68.11
- 10.105.68.11;streamauto;foo.bar.com
- 10.105.68.11;c:\profiles;c:\folder with spaces;foo.bar.com
The following example is invalid (it has spaces after the semicolon):
10.105.68.11; c:\profiles; foo.bar.com
After you create the registry entry and whitelist on user devices, unsigned profiles with services can load only from the locations on the whitelist. Signed profiles are always allowed.
- 0 - Disables the whitelist requirement for profiles without services
After you create the registry entry and whitelist in the previous steps and then create and enable this registry entry on the user device, all unsigned profiles, with or without services, can load only from the locations on the whitelist. Signed profiles are always allowed.
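As an added example (not Citrix code), the following Python models the whitelist format and the load decision described above: a semicolon-separated list with no space after the semicolon, signed profiles always trusted, unsigned profiles with services restricted to whitelisted locations, and the optional extension of that restriction to unsigned profiles without services. How a profile location is matched against an entry (host match for URLs and UNC paths, directory-prefix match for local paths) and the boolean modelling the extension setting are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample lists, copied from the valid and invalid entries above.
VALID_LIST = r"10.105.68.11;c:\profiles;c:\folder with spaces;foo.bar.com"
INVALID_LIST = r"10.105.68.11; c:\profiles; foo.bar.com"

_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")   # host name or IPv4 address
_DRIVE_RE = re.compile(r"^[A-Za-z]:\\")      # local path such as c:\profiles


def parse_whitelist(value):
    """Split the whitelist string into entries, rejecting the malformed
    forms called out above (space after ';', empty entries)."""
    if not value.strip():
        raise ValueError("whitelist is empty")
    entries = value.split(";")
    for entry in entries:
        if entry == "":
            raise ValueError("empty entry: stray semicolon")
        if entry != entry.strip():
            raise ValueError(f"space after semicolon in entry {entry!r}")
        low = entry.lower()
        if low.startswith(("http://", "https://")):
            if not urlparse(low).hostname:
                raise ValueError(f"URL entry has no host: {entry!r}")
        elif _DRIVE_RE.match(entry) or entry.startswith("\\\\"):
            pass                              # path; spaces inside are fine
        elif not _HOST_RE.match(entry):
            raise ValueError(f"unrecognised entry {entry!r}")
    return entries


def whitelist_is_valid(value):
    """True when parse_whitelist accepts the string."""
    try:
        parse_whitelist(value)
        return True
    except ValueError:
        return False


def _host_of(location):
    """Host of a URL or UNC profile location; None for a local path."""
    if location.startswith(("http://", "https://")):
        return urlparse(location).hostname
    if location.startswith("\\\\"):
        return location[2:].split("\\", 1)[0]
    return None


def entry_matches(entry, location):
    """Assumed matching rule: a URL entry is a prefix of the location, a
    host/IP entry equals the location's host, a path entry is a directory
    prefix. Comparisons are case-insensitive."""
    e, loc = entry.lower(), location.lower()
    if e.startswith(("http://", "https://")):
        base = e.rstrip("/")
        return loc == base or loc.startswith(base + "/")
    if _HOST_RE.match(e):
        return _host_of(loc) == e
    base = e.rstrip("\\")
    return loc == base or loc.startswith(base + "\\")


def load_allowed(location, whitelist, signed, has_services,
                 require_for_all_unsigned=False):
    """Decide whether a profile may load from `location`.

    Signed profiles are always trusted. Unsigned profiles with services must
    come from a whitelisted location. Unsigned profiles without services are
    restricted only when the additional setting (modelled here as the
    boolean `require_for_all_unsigned`) extends the whitelist to them."""
    if signed:
        return True
    if not has_services and not require_for_all_unsigned:
        return True
    return any(entry_matches(e, location) for e in whitelist)


if __name__ == "__main__":
    wl = parse_whitelist(VALID_LIST)
    print(load_allowed(r"\\10.105.68.11\share\office.profile", wl, False, True))
    print("invalid list accepted:", whitelist_is_valid(INVALID_LIST))
```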
Isolate Rules
This is the default behavior while profiling applications in the Streaming Profiler. For the Citrix offline (streaming) plug-in Versions 1.0 through 5.1, this rule is the default for streaming applications to the user device, but starting with Version 5.2, offline plug-ins use the Ignore rule as the default. With the Isolate rule, when user devices create a new isolation environment, its default behavior is to isolate everything with a few exceptions. When an application requests access to a system resource (such as a file, registry, or named object), a per-user version of the file or key is created as required. This behavior relieves most application conflicts and allows applications to run correctly. Isolation rules ensure that per-user level versions of files and keys are created. This creates an individual copy of each resource that a particular user accesses. Add this rule to ensure that there is one copy of a resource per isolation environment. For example, create a rule that isolates the registry hive, HKEY_LOCAL_MACHINE\SOFTWARE\classes, when you install Microsoft Office. Because each user does not require a separate version of this hive, create a rule that isolates this particular registry hive for the isolation environment.
Ignore Rules
The Ignore rule allows the rules engine to define holes in the isolation environment so that an application can write to the underlying system. Starting with Version 5.2 of the Citrix offline plug-in, this rule is the default behavior for streaming applications. Note that Versions 1.0 through 5.1 use the Isolate rule as the default. Also note that the Isolate rule is still the default behavior while profiling applications in the Streaming Profiler. This rule allows a streamed application running inside an isolation environment to share data with an application outside the isolation environment. For example, if you try to open a file from streamed application A to use in locally installed application B, the applications can communicate normally, as though they are both locally installed. Also, in a scenario where users can print to network printers available within a streamed-to-client session, these printers are created automatically when the user connects to a published application.
Redirect Rules
A Redirect rule redirects an application request for a file or registry key to a specified location. For example, if an application creates the file, c:\temp\data.txt, this rule can redirect those files to c:\guidtemp\%USERNAME%, regardless of the user. For example, if UserA runs the application in an isolation environment, c:\temp\data.txt is created in c:\guidtemp\UserA\data.txt. In this example, the administrator might choose to clean up the \temp directory each time the system starts up. By redirecting all access of c:\temp directory to c:\guidtemp on a per-user basis, the administrator can clean up the temporary data easily at startup.
Examples
Consider the effects of the following rules:
- An Ignore rule for the file path C:\Documents and Settings\%USERNAME%
Every file and directory created under C:\Documents and Settings\%USERNAME% is created in the system location because you specified, through the Ignore rule, that this directory location is not isolated. If an application opens the file C:\Documents and Settings\%USERNAME%\Application Data\CompanyA\foo.txt, the Ignore rule for C:\Documents and Settings\%USERNAME% applies.
- An Isolate per-user rule for the file path C:\Documents and Settings\%USERNAME%\Windows
This rule isolates the per-user Windows directory, C:\Documents and Settings\%USERNAME%\Windows. If an application opens C:\Documents and Settings\%USERNAME%\Windows\Win.ini, the Isolate per-user rule for C:\Documents and Settings\%USERNAME%\Windows applies.
Do not modify or delete the default rules available for an isolation environment. If you modify these rules, the isolation environment might be unable to run applications correctly. Use an asterisk (*) as a wildcard character only at the end of an ignore named object rule. For example, the rule ignore object* ignores all named objects with a name starting with object. Use of an asterisk is not allowed in isolate or redirect object rules. Important: Do not use the wildcard in a rule that applies to a file system or registry key. By definition, the rule applies to all the children of a path name.
File system rules can apply to either files or directories. Create a rule to alter the behavior of individual files or of directories and all of the files within them. For example, you might have a Redirect rule for C:\temp\fileA.txt, as well as one for C:\temp\subdir1.
Rules that specify a registry object apply only to registry keys. They do not apply to registry values.
Rules for an isolation environment are interpreted at run time. Any modifications to existing rules are interpreted the next time you launch an application associated with, or installed in, an isolation environment. If you are executing an isolated application and modify the rule definitions, these changes do not affect running applications. The modified rules are interpreted and take effect the next time the application is executed.
A rule must be specified in terms of a full directory or key level. Matches are performed on the full name of a given hierarchy level. For example, if you create a Redirect rule for C:\temp\file, the rule applies only to a file or directory called c:\temp\file. The rule does not apply to any files or directories that have c:\temp\file as part of their name. For example, this rule does not apply to the file C:\temp\fileA.txt, the directory c:\temp\filledWithFiles\, or any files under that directory. The same principle applies for the file system, registry, and named objects (with the exception of wildcards and named object rules).
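The matching behaviour described in this section and in the Examples above, as an added Python model that is not Citrix code: file and registry rules match whole hierarchy levels and cover all children of the path, named object rules match exactly except that an Ignore rule may end in an asterisk, and the asterisk is rejected in Isolate and Redirect object rules. The rule set, the hypothetical AIE_ root values, the layout of the per-user copy, and the tie-break that the most specific matching rule wins are assumptions of this example.

```python
from dataclasses import dataclass

# Hypothetical AIE_ values; the execution environment sets the real ones.
AIE_FSUSERROOT = r"C:\Documents and Settings\%USERNAME%\Application Data\Citrix\RadeCache\MyAIE"
AIE_REGUSERROOT = r"HKEY_CURRENT_USER\SOFTWARE\Citrix\RadeCache\MyAIE"

FILE, REGISTRY, OBJECT = "file", "registry", "object"


@dataclass(frozen=True)
class Rule:
    action: str       # "Ignore", "Isolate", "Strictly Isolate" or "Redirect"
    kind: str         # FILE, REGISTRY or OBJECT
    obj: str          # path, key or named object the rule applies to
    dest: str = ""    # Redirect destination

    def __post_init__(self):
        # '*' is allowed only at the end of an Ignore named object rule.
        wildcard_ok = (self.kind == OBJECT and self.action == "Ignore"
                       and self.obj.endswith("*") and self.obj.count("*") == 1)
        if "*" in self.obj and not wildcard_ok:
            raise ValueError("wildcard only allowed at the end of an Ignore named object rule")


def rule_is_valid(action, kind, obj, dest=""):
    try:
        Rule(action, kind, obj, dest)
        return True
    except ValueError:
        return False


def _split(path):
    """Hierarchy levels of a file path or registry key, case preserved."""
    return [p for p in path.replace("/", "\\").split("\\") if p]


def _expand(text, user):
    return text.replace("%USERNAME%", user)


def rule_matches(rule, kind, name, user):
    if rule.kind != kind:
        return False
    obj = _expand(rule.obj, user)
    if kind == OBJECT:
        if rule.action == "Ignore" and obj.endswith("*"):
            return name.lower().startswith(obj[:-1].lower())
        return name.lower() == obj.lower()
    rp = [p.lower() for p in _split(obj)]
    np = [p.lower() for p in _split(_expand(name, user))]
    return np[:len(rp)] == rp    # whole levels only: "file" never matches "fileA.txt"


def per_user_copy(kind, name, user):
    """Assumed location of the per-user copy of an isolated resource."""
    if kind == OBJECT:
        return user + "\\" + name
    root = _expand(AIE_FSUSERROOT if kind == FILE else AIE_REGUSERROOT, user)
    return "\\".join([root] + [p.rstrip(":") for p in _split(name)])


def resolve(rules, kind, name, user):
    """Return (action, effective location) for a request made by `user`."""
    name = _expand(name, user)
    hits = [r for r in rules if rule_matches(r, kind, name, user)]
    if not hits:                                  # default: isolate everything
        return ("Isolate", per_user_copy(kind, name, user))
    best = max(hits, key=lambda r: len(_split(r.obj)))   # assumption: deepest rule wins
    if best.action == "Ignore":
        return ("Ignore", name)                   # goes to the underlying system
    if best.action == "Redirect":
        rest = _split(name)[len(_split(best.obj)):]
        dest = _expand(best.dest, user).rstrip("\\")
        return ("Redirect", "\\".join([dest] + rest))
    return (best.action, per_user_copy(kind, name, user))


# Constructed rule set mirroring the examples in the text.
RULES = [
    Rule("Ignore", FILE, r"C:\Documents and Settings\%USERNAME%"),
    Rule("Isolate", FILE, r"C:\Documents and Settings\%USERNAME%\Windows"),
    Rule("Redirect", FILE, r"C:\temp", r"C:\guidtemp\%USERNAME%"),
    Rule("Redirect", FILE, r"C:\data\file", r"D:\moved\file"),
    Rule("Isolate", REGISTRY, r"HKEY_LOCAL_MACHINE\SOFTWARE\classes"),
    Rule("Ignore", OBJECT, "object*"),
]

if __name__ == "__main__":
    for kind, req in [(FILE, r"C:\Documents and Settings\%USERNAME%\Windows\Win.ini"),
                      (FILE, r"c:\temp\data.txt"), (FILE, r"C:\data\fileA.txt"),
                      (OBJECT, "object123")]:
        print(req, "->", resolve(RULES, kind, req, "UserA"))
```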
- If an application creates a directory for per-user data that is stored in a nonstandard location (Ignore rule)
- If the profiler workstation has extra drive volumes and an installer writes to those drives while installing in a target (Ignore rule)
- If your file share volume is on your profiler workstation (Ignore rule)
- If you must isolate a subdirectory of an ignored directory on the user device (Ignore and Isolate rules)
- If you must support multiple versions of an application running on the user device (Strictly Isolate rule)
The Rules list shows the existing rules for the target and for each rule identifies:
- Arbitrary name for the rule
- Action, which is the isolation environment rule that is being called
- Object on which the action performs
The Rule Description box at the bottom shows the command represented by the currently selected rule. To edit the set of rules, use the Add, Copy, Modify, and Delete buttons.
- If you selected Files and Folders as the object type, use the file browser to select the files and folders on which you want the rule to operate
- If you selected Registry Entries as the object type, use the Choose Registry Entry dialog box to select a hive and type a key on which you want the rule to operate
- If you selected Named Objects as the object type, use the Choose Named Object dialog box to type the name of the object on which you want the rule to operate
If for the action you choose Redirect, specify the source path, registry entry, or named object and its destination.
3 If necessary, modify the default name of the rule. By default, the New Rule wizard creates a rule name consisting of the name of the action and the name of the object.
To copy a rule in the currently defined set of rules, from the Rules tab of Target Properties, select the rule and then click Copy. The copy operation adds the copied rule to the top of the list of rule set members. Use the property also to modify the name, action, or object of the rule.
To delete a rule from the currently defined set of rules, from the Rules page of the Target Properties, select the rule and click Delete.
To modify a rule
To modify a rule in the currently defined set of rules, from the Rules tab of Target Properties, select the rule and click Modify. Use the New Rule wizard to define the new rule. Modifying a rule lets you modify the action and objects, but not the object type.
1 Select the action.
2 On the Select Objects page, add or modify objects. If the selected action is Ignore, Isolate, or Strictly Isolate:
- If Files and Folders is the object type, use the file browser to select the files and folders on which you want the rule to operate
- If Registry Entries is the object type, use the Choose Registry Entry dialog box to select a hive and type a key on which you want the rule to operate
- If Named Objects is the object type, use the Choose Named Object dialog box to type the name of the object on which you want the rule to operate
If the selected action is Redirect, specify the source path, registry entry, or named object and its destination.
- Path location contains a user name
- Translation issues can occur with standard application locations
- Relative locations can change; for example, the location where you install XenApp
Environment variables can also quickly check where certain paths are within a script. For example, to find out what the file system installation root for an isolation environment is, use AIE_FSINSTALLROOT. All environment variables for isolation environments are prefixed with AIE_.
When you create a new isolation environment, a number of default rules apply. These default rules use the environment variables listed in the following table to make the rules universally applicable. To view the default rules for application isolation environments, refer to the list in the Rules wizard.
Note: Exercise caution when using backslash characters (\) with these environment variables. Ensure that you insert a backslash (\) after an environment variable before adding additional path information; for example, AIE_USERAPPLICATIONDATA\MyData\Mine.
This table shows environment variables available for isolation environments:
Environment Variable | Description | Example
AIE_COMMONAPPLICATIONDATA | Common application data location | C:\Documents and Settings\All Users\Application Data
AIE_COMMONDESKTOP | Common desktop location | C:\Documents and Settings\All Users\Desktop
AIE_COMMONSTARTMENU | Common Start menu location | C:\Documents and Settings\All Users\Start Menu
AIE_FSINSTALLROOT | File system install root | C:\Program Files\Citrix\RadeCache\MyAIE
AIE_FSUSERROOT | File system user root | C:\Documents and Settings\Administrator\Application Data\Citrix\RadeCache\MyAIE
(variable name not recovered) | (description not recovered) | C:\Program Files
(variable name not recovered) | (description not recovered) | MyAIE
(variable name not recovered) | (description not recovered) | HKEY_LOCAL_MACHINE\SOFTWARE\CitrixRade Cache\MyAIE
AIE_REGUSERROOT | (description not recovered) | HKEY_CURRENT_USER\SOFTWARE\CitrixRade Cache\MyAIE
AIE_USERAPPLICATIONDATA | User global application data location | C:\Documents and Settings\Administrator\Application Data
AIE_USERLOCALDATA | User local application data location (including temporary files) | C:\Documents and Settings\Administrator\Local Settings\Application Data
AIE_USERDESKTOP | User desktop location | C:\Documents and Settings\Administrator\Desktop
AIE_USERSID | Unique security identifier for the current user; it is used extensively internally for security checking. | S-1-5-2001-
AIE_USERSTARTMENU | User Start menu location |
- If applications are streamed to user devices, the profiler workstation should be a similar platform to those devices
- The profiler workstation should also include standard programs that are part of the company image, such as an antivirus program
For the full list of supported operating systems for targets, see the System Requirements for Application Streaming. In addition, profiles created on one operating system automatically run on compatible operating systems. For example, targets created on Windows XP 32-bit platforms automatically run on Windows 2003 32-bit platforms (and vice versa). Compatible operating systems include:
- Windows XP 32-bit and Windows 2003 32-bit
- Windows XP 64-bit and Windows 2003 64-bit
- Windows Vista 32-bit, Windows 2008 32-bit, and Windows 7 32-bit
- Windows Vista 64-bit and Windows 2008 64-bit
Install the Citrix Streaming Profiler on a clean, nonproduction server or workstation. To achieve the ideal goal of a single target executing on multiple operating system versions, Citrix generally recommends using the oldest candidate operating system for profiling, Windows XP Professional. If the created target works on all candidate execution operating systems, you are finished. If, however, a specific operating system level has issues with the multiple-operating-system target, rerun the profiler and create a new target specific to the failing operating system version. In this latter case, for this target, run the profiler on the same level of operating system that is intended for execution.
Other than standard operating system software and utilities, ensure the workstation is clean of other software applications, particularly any applications or files that you intend to install in a profile. During profiling, application files that are installed locally on the profiler workstation are ignored and, thus, are missing in the profile.
Important: Do not use the profiling workstation to store or stream applications. In addition, do not install the plug-in used for streaming, such as the Citrix offline plug-in or XenApp Streaming Plug-in, on this workstation.
After installing the profiler, simplify the creation or modification of profiles by setting profiling preferences.
- Applications that include drivers, such as AutoCAD
- Other applications such as Microsoft Internet Explorer 7.0, Microsoft Data Access Components (MDAC), and the .NET framework
Important: If you profile an application that requires User Access Control (UAC) rights elevation or administrator rights, make sure that you configure access to the published application only for users and groups that have the required rights on the user device.
If an application you are installing in a profile must interact with an application that cannot be profiled, Citrix suggests the following procedures:
1 Install the application that cannot be profiled, such as .NET framework, on the profiling workstation before you create a profile for the applications that interact with it.
2 While profiling the new application, enable pre-launch analysis to confirm that the non-profiled application is installed before the new application can launch.
3 Install the non-profiled application on user devices to run outside isolation so that the new application can interact with it as needed.
For known issues and workarounds in this product release, see the Readmes in Citrix eDocs.
- Insert the installation media, and in the autorun window, choose Browse Media to locate the Application Streaming Profiler folder and run CitrixStreamingProfiler.exe.
- Navigate to the Citrix Web site for Downloads and locate the most current version of the profiler and offline plug-in for application streaming.
2 Choose a language for the installer interface and complete the installation wizard.
When the profiler starts, the Welcome page appears. Use the Welcome page as an easy starting point for creating and modifying profiles. To see the profiler interface, on the Welcome page, click Close. The profiler interface includes four main components:
- Menu and toolbar. Located at the top. The toolbar contains buttons that initiate the following actions:
  - Starting the New Profile wizard to create a profile
  - Opening an existing profile
  - Saving the current profile to a file share
  - Updating a target or application in the open profile
  - Adding a new target to the profile
- Navigation pane. Located on the left. When populated, lists a profile and its targets.
- Profile and target information. Located on the right.
- Status bar. Located across the bottom.
After starting the profiler for the first time, set profiler preferences that optimize how you create profiles and targets. To set these default preferences for all new profiles, from the Edit menu of the profiler window, choose Preferences.
Save the default User Profile Security settings for all profiles you create. This relieves you of specifying enhanced or relaxed security as you create profiles. If you are not signing profiles, use the Digital Signature setting to hide the Sign Profile page in the wizards.
Preferences save time and improve usability by enabling you to store relevant settings for use in future packaging tasks.
- Profile name
- Ability for users to update applications
- Optionally, inter-isolation communication with existing profiles
As you continue, choose the following configuration-matching criteria for the target:
Then you install applications in the target (although not on the workstation itself) through either advanced or quick installation procedures. Profiling a single, standard application in a target is called a quick install. If the target needs multiple applications or other resources, use an advanced install. You must complete a full installation and can then perform any initializations or customizations needed before users access the application. A target can offer any of the following resources:
Finally, you can opt to digitally sign the profile. After you build the profile, manually save it to a file share in your App Hub where you can publish the profiled application for streaming to your users. Note that you can modify the profile at any time, including updating the application, adding pre-launch or post-exit scripts, and modifying the file type association. The changes are immediately available the next time users access the published application.
From the profiler workstation, make sure that you have access to the executable for the application, but that the application is not installed on the workstation. Open the profiler from the Start menu.
1 To start the New Profile wizard, either select New Profile from the first screen, or if it is already open, from the File menu, choose New. Use the New Profile wizard to complete the remaining steps.
2 Name the profile. When naming a profile, choose a simple name. Do not include any criteria that will be used to identify targets. For example, do not include a version number in the profile name.
3 Select the level of user profile security you want for the profile.
4 Use the Set up Inter-Isolation Communication page to link existing profiles that need to communicate with each other on the user device (optional). If you are not setting up inter-isolation communication, do not make any entries on this page.
5 Set at least one target operating system and language. By default, the wizard selects all operating systems compatible with the profiling workstation. To link existing profiles for inter-isolation communication only but not create any new targets, click the top check box (not selected by default). To create a new target or profile, ensure the check box is not selected. Setting the target operating system and language criteria is the first step in creating the initial target for a profile. The default operating system and language are those of the operating system installed on your profiler workstation.
a If you selected profiles for inter-isolation communication, to associate those existing profiles without creating a new target (and skipping the installation pages of the wizard), check Minimal Target. When selected, the remaining target creation options are disabled and the wizard skips the installation pages. It goes directly to Step 12, signing the profile with a digital signature. To create a new target within the linked profile, make sure the option is not checked.
b To support other operating systems and languages, select the check boxes associated with those you want to support. When selecting target operating systems and languages, do not select those languages for which you are going to create separate targets.
c To consider the service pack level, click Set Service Pack. By default a target matches all service packs of the operating systems it supports.
d When selecting the service pack supported by the target, use the Supported Service Pack Levels pull-down menu to choose a rule for considering the service pack level.
e Type the number representing the service pack level in the applicable field for Minimum Level, Maximum Level, Exact Level, or, if for a range, Minimum Level and Maximum Level.
Note: For subsequent targets, to ensure the current target you are adding does not conflict with other targets in the profile, click Check for Target Conflicts.
6 Choose an installation option according to the type of application or number of applications you want to install in a target:
   - Quick Install. Select this option if you are installing only one application and it has an installation program, such as setup.msi or .exe (selected by default and recommended for normal installations).
   - Advanced Install. Select this option only if you are installing Internet Explorer plug-ins, editing registry settings, installing an application manually, or installing from multiple installers.
7. On the Choose Installer page, click Browse to choose an executable file or a script you run to install the application in the current target. In this step you are just choosing the installer, not running it. If needed, enter required command-line arguments.
8. On the Run Installer page, ensure the installation program and command-line parameters are correct. Use advanced installations to select resources, including files, folders, registry settings, and Internet Explorer and plug-ins to add to the profile.
9. Click Launch Installer. Wait until the installer program launches on the workstation. For large applications, this can take several minutes. Then complete a full installation for the application. The destination path shown in the installer does not matter because the application is installed in the profile, so accept the default location.
10. When the application is fully launched and configured on the workstation, close the application and click Next in the profiling wizard. If a restart is required to complete the installation, the profiler automatically performs a virtual restart. After the virtual restart completes, the application is ready to run.
11. On the Run Application page, select and run the application. Close the application before clicking Next in the profiling wizard.
   Tip: After completing a full installation, which installs the application for all your users, run the application once to ensure that you complete all needed initializations before delivering the application to users. For example, you might have to enter a product serial number or license key. In addition, take some time to configure preferences or options and to enable or disable features before you publish the application. For example, you might have to disable auto-updates to prevent users from receiving unwanted messages or files on their computers.
12. On the Select Application page, view the list of applications discovered in the current target. Use the buttons to modify the list of applications that you want to publish later using the console.
13. On the Sign Profile page, sign the profile with a digital signature, if needed.
14. Click Finish to build the profile. Before clicking Finish, you have the opportunity to review profile information and edit profile and target settings.
15. When the wizard closes, save the profile by typing the UNC path to the file share in your App Hub. Note that a subfolder is created with a name that matches the profile name. For example, if you enter the following path:
\\citrixserver\profiles
The following Save To storage location appears, based on the values of UNC Path and Profile Name:
If needed, change the name of the profile at this point. Important: Windows File Explorer cannot handle file paths that exceed 256 characters. However, when profiling some applications, such as Microsoft Office 2010, file paths might exceed that limit because of deep folder nesting. To prevent issues due to long file names, Citrix recommends using a utility such as Robocopy to replicate profile data without errors. This utility is available with the Windows Resource Kit and is a built-in feature of Windows Vista, Windows 7, and Windows 2008. After you save your profile, use other workstations to add unique targets to the profile, if needed.
Select the check box to permit executable files that are accessed through the profiled application to run from the user profile root. If you profile the application with this setting selected, the application can download vendor-supplied updates over the Internet. Any updates are stored as part of the user root, so they are unique to that user. The next time the user device connects to the profiled application on a server or file share, the streamed application does not overwrite the updates, and the application runs using the updates. Selecting this setting is recommended for streamed Macromedia plug-ins, which download extensions (DLLs) based on the content that is being processed. Also, some applications decompress DLLs during runtime that need to run from the user root.
Clear the check box to ensure that all executables from the profile launch from the install root location and not from the user profile root location. Clearing this setting prevents most product-update executables from installing updates automatically on user devices and lets you manage the updates centrally through the wizards in the profiler. When cleared, the system specifically inhibits the ability to run code that is not streamed from the server. Administrators can enforce a cleanup policy to delete all session artifacts when the user closes the application or logs off. Note: If your testing finds that this setting does not prevent automatic updates for an application, look for a preference in the application installer to disable automatic updates when you run the application during profiling. Alternatively, disable or uninstall the update programs manually on user devices.
\\hostname\fileshare\Profiles\Adobe\Adobe.profile
navigate to the Profiles directory (the grandparent of the profile file). To be added, all the profile directories must be located in a single directory, such as Profiles in the example.
3. Click the check box of the individual profiles to link in this profile.
4. When you highlight a profile, use the Move Up and Move Down buttons to set the order of priority. For example, if you create a linked profile for Microsoft Office 2007 and Adobe Reader (any version), make sure that Office 2007 is the top-level application in the profile, which ensures that the Office isolation rules take priority over those of Adobe Reader. This priority is required for Office applications to launch correctly.
5. For new profiles, continue in the wizard to the Set Operating System and Language page:
   - To link existing profiles only (the profiles you selected on the previous page) but not create any new applications or targets, called an associated profile, check the top check box (not selected by default). When you click Next, the wizard skips the installation pages and goes directly to the final step, signing the profile with a digital signature.
   - To create an additional target or application in this profile, called a dependent profile, make sure the top check box is not selected and continue using the wizard to create the new target or install the application in the profile. Use this option if the new target or application is to be dependent on the profiles you selected on the previous page.
6. On the lower part of the page, carefully review the lists of operating systems and languages.
   Important: Each profile must contain a similar set of targets as all the other profiles in the linked profile, including a target that matches the profiling workstation. Note the superset of operating systems, service packs, and languages contained in all the linked profiles, and then check to make sure that each linked profile contains a target for all the operating systems, service packs, and languages in the superset. User devices must have a target in each of the linked profiles or they cannot launch any applications in any of the linked profiles.
   - Available. This profile property is available in the common range of target configurations.
   - Not Available. This profile property is missing in one or more target configurations.
Continue the installation using the profiling wizard, as normal. After you save the profile enabled with inter-isolation communication, publish the applications using the console in XenApp. To view or modify the contents of the inter-isolation communication profile, from the navigation panel, select the profile; from the Edit menu, select Profile Properties; and from the navigation pane, select Linked Profiles. Linked profiles are stored within the .profile file by name rather than by the path. At application launch, the profiler service searches the INSTALLROOT locations of the linked profiles. When the user device runs a profile enabled for inter-isolation communication, the user-level settings that are stored on that user device by an application in one of the individual profiles are ignored, and the user-level settings of the application start fresh as if the application is being launched for the first time. To change this behavior, write a pre-launch script to migrate settings from specific applications whenever the linked profile is executed on the user device.
- Quick Install. Select this option if you are installing only one application and it has an installation program, such as setup.msi or .exe (recommended for normal installations).
- Advanced Install. Select this option if you are installing Internet Explorer plug-ins, editing registry settings, installing an application manually, or installing from multiple installers. Also, use this option to update profiles built using a previous version of the profiler. Enhancements from the new version of the profiler are applied to the profile. You can perform more installations or finish the profile.
- To install an application in the target, choose Run install program or command line script. This option runs a wizard similar to the quick install.
- To install Internet Explorer and plug-ins so they run in isolation, choose Install IE plug-ins.
- To add files and folders that might be needed on the user device or to remove unneeded files and folders, choose Select files and folders. For example, use this option to include required files that are on the profiler workstation, but might not be on the user device.
- To customize the registry as viewed by the user device, choose Edit registry.
Each of these options provides you with the opportunity to return to this screen and install additional applications.
2. After you complete an installation, you have the option to install additional resources in the target. If needed, check the option to Run an application before the next installation.
3. After installing all the applications you want to include, choose Finish or Continue with none of the above, which enables you to finish creating the target.
Click Browse to choose an executable file or a script you run to install the application in the current target. In this step you are just choosing the installer, not running it. Note: Make sure that the application is not currently installed on the profiling workstation. Files that exist on the profiling workstation are not added to the profile, causing the application to fail when launched from the profile.
Optionally, add a command-line script. Command-line arguments run a streamed application by modifying its properties in the target. If you add placeholders in the profile, they are replaced by command-line arguments specified when you publish the application. Command-line parameters can modify application properties after you install the application during the target creation process (in the New Profile or Add New Target wizards) or by editing application properties after you create the target. If you do not use a placeholder in the profile, the extra parameters specified when publishing an application are added at the end of the command-line.
Example: the published-application arguments /x %* /y launch the application with content redirection. For example, on a file named my.doc, the steps are:
1. The profiled application command line is used:
   app.exe /a ** /b
2. The ** placeholder is replaced with the published application arguments:
   app.exe /a /x %* /y /b
3. The file for content redirection replaces the %*, producing the final command line:
   app.exe /a /x my.doc /y /b
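An added example, not the profiler's own code, that carries out the placeholder substitution above for any profiled command line and published arguments; quoting of file names containing spaces and the handling of a launch with no document are assumptions made here.

```python
import re
from typing import Optional

# Added example, not Citrix profiler code. Models the substitution the text
# describes: '**' in the profiled command line is replaced by the published
# application's arguments, and '%*' in the result is replaced by the file
# supplied through content redirection.
PROFILE_PLACEHOLDER = "**"   # filled in when the application is published
CONTENT_PLACEHOLDER = "%*"   # filled in at launch by content redirection


def merge_published_args(profiled_cmd: str, published_args: str) -> str:
    """Step 2: fold the published arguments into the profiled command line."""
    if PROFILE_PLACEHOLDER in profiled_cmd:
        return profiled_cmd.replace(PROFILE_PLACEHOLDER, published_args, 1)
    # No placeholder in the profile: extra parameters go at the end.
    return f"{profiled_cmd.rstrip()} {published_args}".strip()


def quote_arg(value: str) -> str:
    """Quote a file name with spaces or quotes (Windows-style quoting, assumed)."""
    if " " in value or '"' in value:
        return '"' + value.replace('"', '\\"') + '"'
    return value


def build_launch_command(profiled_cmd: str, published_args: str,
                         content_file: Optional[str] = None) -> str:
    """Steps 1 to 3: the final command line run on the user device."""
    cmd = merge_published_args(profiled_cmd, published_args)
    if content_file:
        # Step 3: the redirected file replaces %*.
        cmd = cmd.replace(CONTENT_PLACEHOLDER, quote_arg(content_file))
    else:
        # Launched without a document: drop the placeholder and its leading space.
        cmd = re.sub(r" ?%\*", "", cmd)
    return cmd.strip()


if __name__ == "__main__":
    # The page's own example: app.exe /a ** /b published with "/x %* /y" and my.doc.
    print(build_launch_command("app.exe /a ** /b", "/x %* /y", "my.doc"))
```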
- If the application is not already in the list, click Add and browse to and select the application executable file.
- Select the application in the list and click Run.
After the application is fully initialized, close it and continue in the profiling wizard by selecting the applications that you want to make available for publishing.
Application Name gives you an indication as to whether or not you must modify the application name. If the names of applications in multiple targets match, those applications are considered available in those targets. To add other, undiscovered applications you installed in the target, click Add and browse to and select the applications you want to add to the Applications list. To remove applications from the list, select the unwanted applications and click Delete. This removes the applications only from the list. It does not delete the application from the target. If you want to change properties of the application before completing target creation, select the application whose properties you want to change and click Modify. Change properties including the name, version number, location of the executable, current working directory, application icon, and command-line parameters. An example of when you might want to change an application property is when the name of the application contains a version number or is different from the same or similar applications in other targets. In such a case, remove the version number or change the name so the application is recognized as existing in other targets.
If the Applications list is not populated, click Recover to find newly installed applications and populate the Applications list.
To sign a profile
Application streaming to desktops can use digital signatures to authenticate the origin and integrity of profiles signed by a trusted publisher. The signed profile applies to all applications and files contained in the profile. Applications from signed profiles are checked by user devices that have a trust list installed and can authenticate the code-signed certificate against the trust list. When signing is enabled, the user device checks the integrity of each file as it is cached. After you install and configure your code-signing certificates, sign profiles through the New Profile, New Target, and Update Target wizards. To view or modify the signature settings for the profile, from the Tools menu, select Sign Profile. To sign a profile, you need a code-signing certificate on the profiler workstation and a Certificate Trust List certificate for certificate verification on the user device. Also, you must know the password for the certificate you are using to sign.
- To sign the profile using a certificate residing on the drive, choose Sign using key from selectable file, and browse to and select your certificate file.
- To sign the profile using the code-signing certificate installed on your profiler workstation, choose Sign using locally installed certificate.
Signing a linked profile created for inter-isolation communication does not sign the individual profiles automatically. Instead, each linked profile must be signed separately. Remove a signature from a signed profile at any time by opening the profile and, from the Tools menu, selecting Unsign Profile. Additionally, to set a default signature setting for profiles and skip this page in future profiling, you can set a preference to disable or enable profile signing.
Editing Profiles
After you create an initial profile and target, use the profiler to modify and maintain the profile. For example, to make applications available to more user devices, add targets to a profile that match additional and unique combinations of target criteria. For example, you can add separate targets for English, French, German, and Japanese language-based operating systems. Use the profiler to add new targets, delete targets or folders from a profile, delete old profiles, and resolve invalid shortcuts or target conflicts. To modify the profile properties, with the profile open in the profiler, select the profile name, and from the Edit menu, select Profile Properties. Profiles have the following properties:
- Information. Contains general properties, which are the name, description, location, size, and creation and modification dates of a profile.
- Applications. Lists the settings of all applications from all targets and their availability.
- File Types. Lists the file types registered for the applications in the profile.
- Linked Profiles (visible for profiles set up for inter-isolation communication only). Lists the individual profiles included in the linked profile.
- User Profile Security. Specifies the type of security enabled for the profile.
- Pre-launch Analysis. Enables the profile to examine the user device for the existence of required applications, files, or registry entries before streaming the application.
- Pre-launch and Post-exit Scripts. Adds scripts to run prior to and following the execution of applications in the target.
- Digital Signatures.
From the Edit menu, choose Profile Properties to view the profile properties.
4. Select the target in the left pane of the profiler to view information about a target. The right pane displays the following tabs for information about the target:
   - Information
   - Applications
   - File Types
Select the target, and from the Edit menu, choose Target Properties to view the target properties.
- Profile name. Manifest name of the profile. To modify the name or folder location on the file share, select File > Save as, and enter the new Profile name or path; for example, a UNC path might be: \\hostname\FileShare\Profile Name\Profile Name.profile.
- Description. Add or modify a description of the profile.
- Location. The storage location of the profile.
- Size. The size of the profile.
- Created. The date set by the profiler.
- Last updated. The date set by the profiler.
- Name of the targets in which the application is installed
- Whether or not the application is available in all targets
- Version number of the application
- Path to the application within the isolation environment
- Working directory the application uses within the isolation environment
Note that the version number displayed here is not the same as the target version number. The version number displayed here is set by the application installer. Alternatively, click Find Application if the application is missing from the target. To modify the remainder of the properties, update the target in which the application is installed.
- File type extension.
- Description of the file type.
- Application invoked by the file.
- Whether or not the application is currently available to users.
Use the options on the page to view the details about file types for each target in the profile.
To modify these properties, update the target in which the application is installed.
- Applications and versions (specific or a range)
- Binary files and versions (specific or a range)
- Registry entries
- Key exists. The key must exist, whether or not it has subkeys or values.
- Key and value exist. The key must have a value of the specified type, but the data is not checked.
- Key and value exist, and data matches. The key must have a value of the specified type, and the data for the value must exactly match the specified data.
- Key exists, and data for default value matches. The key must exist, and the data for its default value must match the specified data.
2. From the Hive drop-down list, choose the registry hive in which the registry entry resides:
   - HKEY_USERS
3. Type the name of the key. The following is an example: Environment
4. Type the value name. The following is an example: TEMP
5. To select the matching registry type for the prerequisite you are choosing, use the Type pull-down menu:
   - String value (REG_SZ)
   - Binary value (REG_BINARY)
   - DWORD value (REG_DWORD)
   - Multi-string value (REG_MULTI_SZ)
   - Expandable string value (REG_EXPAND_SZ)
   - QWORD value
6. When you select a type, the list updates to reflect the registry entries.
Pre-launch and post-exit scripts are commonly CMD files, but can be any file executable by Windows. You create pre-launch and post-exit scripts independent of the profiler. Valid file extensions are those listed in the PATHEXT environment variable, which is the list of file extensions Windows considers executable. In addition to the default file extensions, add new file extensions, if needed, by adding them on the profiling workstation to the system variable PATHEXT. After you add them, they are read from the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment in the PATHEXT element. For example, to copy dynamic files each time a user launches a certain application, create a VBScript or batch file that copies those files or runs a utility each time the application starts and exits.
- Operating system overlap. Both targets support an operating system and service pack level. For example, if both targets support Windows Vista with no service packs, there is an operating system overlap.
- Language overlap. Both targets have at least one language in common.
- System drive overlap. Both targets have the same boot drive. However, the boot drive of a target cannot be changed after the target is created.
Targets conflict when all three conditions hold:
- There is an operating system overlap, and
- there is a language overlap, and
- the boot drive letters are the same.
For example, the following targets overlap because they share an operating system, language, and boot drive, and they cannot coexist in the same profile:
Target A:
- Windows XP Professional [SP 2 and above] and Windows Server 2003 with CPS [all service packs]
- English and French languages
- Boot drive C
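An added example (not the profiler's code) of the conflict check described above, applied to Target A from the page and to constructed targets. Service pack rules are modelled as (minimum, maximum) pairs with None meaning unbounded; the other targets are made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Added example, not the profiler's own code. Service pack rules are modelled
# as (minimum, maximum) pairs; None means unbounded, so "all service packs"
# is (None, None), "SP 2 and above" is (2, None) and "exactly SP 3" is (3, 3).
SPRange = Tuple[Optional[int], Optional[int]]
ALL_SERVICE_PACKS: SPRange = (None, None)


@dataclass
class Target:
    name: str
    operating_systems: Dict[str, SPRange]   # OS name -> supported service pack range
    languages: Set[str]
    boot_drive: str


def service_packs_overlap(a: SPRange, b: SPRange) -> bool:
    """True when at least one service pack level satisfies both rules."""
    low = max(a[0] or 0, b[0] or 0)
    highs = [h for h in (a[1], b[1]) if h is not None]
    return not highs or low <= min(highs)


def os_overlap(a: Target, b: Target) -> List[str]:
    """Operating systems supported by both targets at a common service pack level."""
    shared = a.operating_systems.keys() & b.operating_systems.keys()
    return sorted(os_name for os_name in shared
                  if service_packs_overlap(a.operating_systems[os_name],
                                           b.operating_systems[os_name]))


def targets_conflict(a: Target, b: Target) -> bool:
    """The page's rule: OS overlap AND language overlap AND the same boot drive."""
    return (bool(os_overlap(a, b))
            and bool(a.languages & b.languages)
            and a.boot_drive.upper() == b.boot_drive.upper())


def find_conflicts(targets: List[Target]) -> List[Tuple[str, str]]:
    """Check every pair of targets, as Check for Target Conflicts does for a profile."""
    return [(a.name, b.name)
            for i, a in enumerate(targets)
            for b in targets[i + 1:]
            if targets_conflict(a, b)]


# Target A as given on the page.
TARGET_A = Target("Target A",
                  {"Windows XP Professional": (2, None),
                   "Windows Server 2003 with CPS": ALL_SERVICE_PACKS},
                  {"English", "French"}, "C")
# The remaining targets are constructed for this example.
TARGET_B = Target("Target B", {"Windows XP Professional": (3, 3)}, {"French", "German"}, "C")
TARGET_C = Target("Target C", {"Windows XP Professional": (None, 1)}, {"English"}, "C")
TARGET_D = Target("Target D", dict(TARGET_A.operating_systems), {"English"}, "D")

if __name__ == "__main__":
    # Only A and B share an OS at a common service pack level, a language and drive C.
    print(find_conflicts([TARGET_A, TARGET_B, TARGET_C, TARGET_D]))  # [('Target A', 'Target B')]
```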
- If the missing application is not needed for your publishing, do nothing. Click OK and proceed.
- If the missing application is one that you intend to publish, cancel the wizard, exit the profiler, and remove the existing files from the profiler workstation. Then repeat the profiling operation.
Editing Targets
If users experience problems running applications in a profile, edit the target properties to resolve some of those problems. To view the targets, with the profile open in the Profiler, select the target and from the Edit menu, select Target Properties. Targets have the following properties:
- General. Contains name and description, as well as the operating systems, languages, boot drive, version, location, and creation and modification dates of the current target.
- Applications. Contains names and version numbers of applications installed in the target, as well as the paths to the application executables, and whether or not the applications are available in all the other targets in the profile.
- Target Operating System and Language. Specifies the user devices that can run applications installed in the target.
- Rules. Governs how the isolation environment functions when running an application on the user device.
- Pre-launch Analysis. Ensures the existence of required applications on the user device and required registry entries in the isolation environment before streaming the applications in the target. If the check box to Use Profile settings is selected, the settings are identical to those in Profile Properties.
- Pre-launch and Post-exit Scripts. Specifies the scripts to run prior to and following the execution of applications in the target. If the check box to Use Profile settings is selected, the settings are identical to those in Profile Properties.
- Services. Lists the services installed in the profile that are available for the target, including the logon name, path, and start type (manual or automatic). When started, these services run in isolation on the user device.
- Application name. Manually set from the profiler by the administrator when the application is installed in the target.
- Availability. Specifies whether the application is available, not in this target, or not in other targets.
- Version. Set by the administrator who installed the application into the profile.
- Path and Working Directory. Set by the application installer. The path is not the true path to the application executable, but it is the path simulated by the isolation environment.
- Command line parameters. Manually set from the profiler by the administrator when the application was installed.
To recover or add applications to the list: If you suspect the list of applications is not complete, click Recover to force the profiler to discover all applications installed in the target. If the operating system of the workstation on which you are currently running the profiler does not match the operating system of the current target, the recover function is not available. If you want to browse to an application and add it manually, click Add. When you add or recover an application, data about the application is added to the profile manifest file.
To delete files from the list: You might want to delete an application from the list if it is auxiliary, as with an uninstall or update application. When you delete an application from the list, the profiler removes only application data from the profile manifest file. The profiler does not delete the application files. Add a deleted application back to the list by clicking Recover or Add.
To modify an entry in the list: You might want to modify an application in the list if the application name or icon is different from other similar applications in other targets or contains a version number.
The updated settings apply to targets when you save the changes.
To update a target
To upgrade an application within a target or add applications to a target, use the profiler to update a target. When you update a target, the profiler increments the version number and saves the target as a new file in the profile. To provide uninterrupted service to your users, the profiler maintains multiple versions of each target. After you save the profile, user devices use the most recent version of the target for new application executions. Application executions that are in progress continue to use the version of the target that was current when the applications were invoked. This enables you to update targets without forcing your users to exit the applications and restart. The next time the users run the application, they run the newest version in the target. After saving an updated profile, do not use the profiler to delete or modify previous versions of an updated target.
1. In the left pane of the profiler, with the profile open, select the target whose application you want to update.
2. From the Edit menu, choose Update/Install Application.
3. Choose an installation option according to the type of application or number of applications you want to install in a target:
   - If you want to update a single application in a target or add a single application to a target without adding any additional files, folders, or registry entries, choose Quick Install.
   - If you want to add multiple applications in a target or add Internet Explorer plug-ins, files and folders, or registry settings to the target, choose Advanced Install.
After you update the target, save the updated profile in the original location. The next time user devices connect, they stream the updated profile. If user devices have a previous version of the cabinet file stored in the cache (such as applications enabled for offline access), the streaming service uses a technique called differential synchronization to open the cached cabinet file on the user device and compare it with the updated cabinet file in the profile. The service updates only the changed files and removes outdated files from the cabinet file in the cache. This feature reduces the time and bandwidth needed to update applications on the user device.
\\hostname\fileshare\Profile Name\720edd68-0972-49e6-aa00-80974eb81d5b_2
To choose directory folders that are obsolete, identify the folders that have trailing integers of the least value.
3. Use Windows Explorer to delete the obsolete folders from the profile on your file share.
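An added example (not Citrix code) that lists the obsolete target folders in a profile directory listing, assuming folder names have the GUID_version form shown above. The listing and the second GUID are constructed sample values.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Added example, not Citrix code. Target folders are named <target GUID>_<version>;
# 720edd68-0972-49e6-aa00-80974eb81d5b is the GUID used on the page.
TARGET_DIR_RE = re.compile(
    r"^(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})_(?P<version>\d+)$",
    re.IGNORECASE)


def parse_target_dir(name: str) -> Optional[Tuple[str, int]]:
    """Split a target folder name into (guid, version); None for other entries."""
    m = TARGET_DIR_RE.match(name)
    if m is None:
        return None
    return m.group("guid").lower(), int(m.group("version"))


def obsolete_target_dirs(entries: Iterable[str], keep: int = 1) -> List[str]:
    """Return target folders older than the `keep` newest versions of their target.

    keep=1 keeps only the current version. Because sessions started before an
    update keep using the previous version until they exit, keep=2 is the safer
    choice while users may still be running the old target.
    """
    if keep < 1:
        raise ValueError("keep must be at least 1")
    versions: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for name in entries:
        parsed = parse_target_dir(name)
        if parsed is None:
            continue    # manifest, Hashes.txt, Icondata.bin, Scripts folder, ...
        guid, version = parsed
        versions[guid].append((version, name))
    obsolete: List[str] = []
    for guid_versions in versions.values():
        guid_versions.sort()            # numeric order, so _10 sorts after _9
        obsolete.extend(name for _, name in guid_versions[:-keep])
    return sorted(obsolete)


# Constructed listing of a profile folder on the file share; the second GUID
# is a made-up value for the example.
PROFILE_LISTING = [
    "PDF Viewer.profile", "Hashes.txt", "Icondata.bin", "Scripts",
    "720edd68-0972-49e6-aa00-80974eb81d5b_1",
    "720edd68-0972-49e6-aa00-80974eb81d5b_2",
    "720edd68-0972-49e6-aa00-80974eb81d5b_3",
    "11111111-2222-3333-4444-555555555555_1",
    "11111111-2222-3333-4444-555555555555_2",
]

if __name__ == "__main__":
    print(obsolete_target_dirs(PROFILE_LISTING))
```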
- Profile manifest file (.profile), an XML file that defines the profile
- Target directory providing isolation environment contents for applications in the targets
- Hash key file (Hashes.txt) for digital signatures and signing profiles
- Icons repository (Icondata.bin)
- Scripts folder for pre-launch and post-exit scripts
For example, if you create a profile called PDF Viewer with a single target, the profile, a folder called PDF Viewer, has contents similar to the following on the file share:
- PDF Viewer.profile (the manifest file)
- 720edd68-0972-49e6-aa00-80974eb81d5b_1 (the target directory folder, first version)
- Hashes.txt
- Icondata.bin
- Scripts folder
Manifest File
The manifest (.profile) is the top file in the data structure that defines a profile. The manifest file is an XML-formatted text file that describes a profile. Manifest files have the file extension .profile. The information in a manifest file includes:
- Description
- Create date
- Modify date
- User profile security (Boolean)
- Scripts
- File type association
- Internet Explorer application (Boolean)
- Applications
- Targets
The manifest file of a profile created for inter-isolation communication includes references to the subprofiles and may or may not have targets listed in the manifest file.
Targets
Each target consists of a set of files representing a compressed subdirectory structure within the profile structure. Target file names are based on the target GUID and version. The association to a user level concept, such as MS Office, comes from the profile manifest. Each time a target is created, it is assigned a GUID so it can be uniquely identified and independently cached on the user device. The GUID is used to set the name of the isolation environment so that no two different installations of the same named target occupy the same location in the execution system cache. The directory used to store the isolation environment on the user device also includes the version number of the target. In this way, when you update a target, user devices are assured that the execution InstallRoot accurately reflects the install root of the target you defined. For speed, the user device locally updates the internal file cache when a target version is updated rather than reloading from the server. If a profile is copied (including its targets), the GUID is unchanged. If a profile is new (when you use save as), the new profile has new targets, and new GUIDs are assigned for the targets in that profile. Use them to maintain each profile separately without conflicts if you update either one.
Digital Signature
You have the option of digitally signing the contents of a profile. The manifest file indicates whether the profile is signed, and when it is, the manifest file itself is digitally signed, which signs the entire profile. The hashes for all files in a target are stored in a single file, Hashes.txt. The same process is conducted for all of the profile-level files. The SHA-1 of the Hashes.txt file at the profile level is stored in the manifest, and the SHA-1 of each target in the profile is stored in the manifest. Because the manifest file is digitally signed, the SHA-1 of each file listed in each Hashes.txt file can be authenticated.
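An added example (not Citrix code) of the integrity chain described above: a Hashes.txt listing is built from a target's files, its SHA-1 is recorded in the manifest, and verification walks the chain back down to each file. The line format of Hashes.txt and the sample files are assumptions; verifying the manifest's own digital signature is not shown.

```python
import hashlib
from typing import Dict, List

# Added example, not Citrix code. SHA-1 is used because that is what the
# profile format records; the Hashes.txt line format is an assumption.


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_hashes_file(files: Dict[str, bytes]) -> bytes:
    """Produce a Hashes.txt-style listing: one '<sha1>  <relative path>' line per file."""
    lines = [f"{sha1_hex(content)}  {path}" for path, content in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode("utf-8")


def parse_hashes_file(data: bytes) -> Dict[str, str]:
    expected: Dict[str, str] = {}
    for line in data.decode("utf-8").splitlines():
        if line.strip():
            digest, path = line.split("  ", 1)
            expected[path] = digest.lower()
    return expected


def verify_target(manifest_digest: str, hashes_file: bytes, files: Dict[str, bytes]) -> List[str]:
    """Walk the chain manifest -> Hashes.txt -> files; an empty list means intact.

    manifest_digest is the SHA-1 of Hashes.txt recorded in the (signed) manifest,
    taken as trusted here; verifying the manifest's signature is not shown.
    """
    if sha1_hex(hashes_file) != manifest_digest.lower():
        # A rewritten listing is caught here: it no longer matches the signed manifest.
        return ["Hashes.txt does not match the digest recorded in the manifest"]
    expected = parse_hashes_file(hashes_file)
    problems: List[str] = []
    for path, digest in expected.items():
        if path not in files:
            problems.append(f"missing file: {path}")
        elif sha1_hex(files[path]) != digest:
            problems.append(f"modified file: {path}")
    for path in files:
        if path not in expected:
            problems.append(f"unlisted file: {path}")   # not covered by the signature at all
    return problems


# Constructed target contents for the example.
TARGET_FILES: Dict[str, bytes] = {
    "app.exe": b"MZ\x90\x00example-binary",
    "config.ini": b"[settings]\nautoupdate=0\n",
}
HASHES_TXT = build_hashes_file(TARGET_FILES)
MANIFEST_DIGEST = sha1_hex(HASHES_TXT)   # what the signed manifest would store

if __name__ == "__main__":
    tampered = dict(TARGET_FILES, **{"config.ini": b"[settings]\nautoupdate=1\n"})
    print(verify_target(MANIFEST_DIGEST, HASHES_TXT, TARGET_FILES))   # []
    print(verify_target(MANIFEST_DIGEST, HASHES_TXT, tampered))       # ['modified file: config.ini']
```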
Icons
To keep the manifest file size small, the binary data that represents the application icons is stored in a separate file called icondata.bin. The profiler stores all icons for the installed application. When you publish the streamed application, you have the option to change the icon by choosing among the set of icons that the application installed or other icons that you prefer.
Scripts
Specify when the Citrix offline plug-in should execute scripts associated with a profile or target:
- Before the plug-in executes the first application from a profile
- After the plug-in terminates the last application from a profile
Intermediate applications executed from a profile do not invoke pre-launch or post-exit scripts. Scripts are commonly .CMD files, but can be any file that Windows can execute. Create pre-launch and post-exit scripts independent of the profiler, and after creating a script, use the profiler to add the script to a target, including these settings:
- A disk file that is executed
- Arguments for the executable
- A Boolean value indicating whether or not the script is enabled
When you add a script to a target, the profiler copies the script file to the profile. The profiler also retains the original file name of the script. If an .EXE script requires a .DLL file, add a script for the .DLL file and disable it. The .DLL file is available for the script to load, but the user device does not run the disabled .DLL. For example, use this technique to add a signed .DLL to the profile even though it is not executed.
Publishing Resources
With XenApp, you provide users with access to information by publishing the following types of resources that can be virtualized on servers or desktops:
- Applications installed on servers running XenApp. When users access them, the published applications appear to be running locally on client devices.
- Streamed applications installed in application profiles and stored on a file server in your App Hub. Users access the profile and virtualize the applications on their client desktops. For information about preparing and publishing applications for streaming, see the topics for Application Streaming.
- Data files such as Web pages, documents, media files, spreadsheets, and URLs. In XenApp, the combined total of data types you publish is referred to as content.
- The server desktops, so users can access all of the resources available on the server. Note: Citrix recommends that server desktops be locked down to prevent user access to sensitive areas of the operating system.
Publish all of these resource types using the Publish Application wizard in the XenApp console. To further refine how your users launch and access published resources, refer to the information about configuring content redirection and XenApp policies. Citrix recommends installing applications that interact with each other on the same group of servers (called a silo). If you have multiple application silos, Citrix recommends using separate organizational units, so they can be convenient targets for policies and worker groups. For more guidance about planning for applications and server loads, see the eDocs section about designing a XenApp deployment.
Important: Before you begin, refer to the system requirements for supported platforms and system prerequisites.
Use groups to categorize and assign permissions to large numbers of users. An application published to one group of 1,000 users requires XenApp to validate only one object for all 1,000 users. The same application published to 1,000 individual user accounts requires IMA to validate 1,000 objects. When adding users through the Citrix User Selector, if the Users container holds thousands of objects, add a list of names.
- Install applications as the Built-in Administrator
- Select an install for multiple users option in the installation wizard for the application, if the Setup for the application provides this option
- Install the application for all users from a command line
To install an application for all users, after enabling Remote Desktop Services, use these steps before installing the application:
1. Open a command prompt so that you are running it with Administrator privileges; for example, right-click the command prompt and select Run as Administrator.
2. Run the following command at the command prompt: change user /install
3. From the command prompt, run the Setup executable for the application.
To publish a resource using the Publish Application wizard
icon for all new applications.
10. On the Publish immediately page, choose whether or not to make the published application immediately available to users.
   - To prevent users from accessing the application until you manually enable it through application properties, select Disable application initially.
11. To view and select advanced options, check Configure advanced application settings now. Alternatively, modify the advanced settings using the application properties.
When you finish, published resources (unless disabled) are available for users.
Publishing App-V Sequences in XenApp
Citrix supports App-V sequences on all operating systems supported by Microsoft App-V. Citrix Receiver Updater for Windows supports App-V clients 4.5 and 4.6. User devices must have the Citrix Offline Plug-in 6.x installed locally.
- Deliver the App-V client to users through Citrix Merchandising Server and Citrix Receiver Updater
- Publish App-V sequences for virtualizing on user devices if possible, otherwise virtualizing on XenApp servers
Users can then launch the App-V sequences on their desktops by clicking the icons delivered through XenApp. Before you start, locate the following files and have them available:
- Microsoft Application Virtualization Desktop Client installer (setup.exe) from your Microsoft Desktop Optimization Pack (MDOP) installation media, to upload to the Merchandising Server.
- App-V Integration Kit from Citrix (http://citrix.com/English/ss/downloads/details.asp?downloadId=2310183&productId=1689163&ntref=clie). Save the unzipped contents locally:
  - Save the App Streaming To AppV Conduit folder on your App Hub (the server where you store your profiles). The folder contains a pre-created AppStreamingToAppVConduit.profile file, as well as the required support files for the profile. This single profile can be used to publish an unlimited number of App-V sequences.
  - Upload the App-V MetaData files and the App-V client's setup.exe file to the Merchandising Server to create an App-V client. Citrix provides these files to add the functionality to the client needed for Citrix Receiver Updater. These files include: AppV_MetaData.xml, AppVReg.msi, and AppVReg_MetaData.xml.
  - Save the Streaming Conduit - source code folder locally. These files are not needed to publish your applications, but you can use them to modify the conduit, if needed. This folder contains the source code for the conduit.
To deliver the App-V client with the Citrix Merchandising Server and Citrix Receiver Updater
1. In the Merchandising Server Administrator Console, navigate to the Plug-in > Upload page.
2. To upload the App-V_Reg plug-in components:
   a. For the Metadata File, click Browse to navigate to the unzipped location of AppVReg_MetaData.xml.
   b. For the Plug-in File, click Browse to navigate to the unzipped location of AppVReg.msi.
   c. Click Upload.
3. To upload the App-V client components:
   a. For the Metadata File, click Browse to where you downloaded App-V_MetaData.xml.
   b. For the Plug-in File, click Browse to navigate to the location of the Microsoft Application Virtualization Desktop Client installer, setup.exe.
   c. Click Upload.
4. Configure a delivery to communicate with your App-V server. (For additional information on creating and scheduling deliveries, see the Merchandising Server documentation.)
An overview of the entire Plug-in upload and delivery process when using Merchandising Server 1.0 can be viewed at http://www.citrix.com/tv/#videos/773. If users have the Self-service Plug-in, they can add published App-V sequences as they normally add applications.
Select Application. For application type, select the dual-mode option: Streamed if possible, otherwise accessed from a server. For the server application type, select the secondary delivery method, such as Installed application.
4. On the Location page:
   - Browse to your App-V server where both the conduit utility and App-V sequence are located. The application to launch is AppStreamingToAppVConduit.
   - Add the command-line parameters to locate the specific App-V sequence on your App-V server. For Command Line, enter the full path to your Microsoft Application Virtualization Client executable, followed by the location of your App-V sequence, such as:
     "C:\Program Files\Microsoft Application Virtualization Client\sfttray.exe" "\\appv\content\Off2k7\Microsoft Office PowerPoint 2007 12.0.6425.0000.osd"
5. On the Shortcut presentation page, manually select the icon from your icons directory (no icon by default), such as the icon for Microsoft PowerPoint.
6. Finish the publishing wizard as you normally do.
For more information about the AppStreamingToAppVConduit utility, see http://support.citrix.com/article/CTX124860 in the Citrix Knowledge Center.
Citrix Receiver Updater informs them of Plug-in updates, and if they accept the App-V client, it installs silently in the background. If they use the Citrix Self-service Plug-in for the Receiver, they can subscribe to App-V sequences through that Plug-in.
Users launch applications as they normally do, and the conduit checks for presence of the App-V client:
- If the App-V client is installed, the App-V sequence streams to the user device, where it runs in the App-V isolation environment.
- If the client is not installed (or the device does not support streaming for other reasons), the conduit triggers the Offline Plug-in to initiate a XenApp server session where the application executes and is presented to the user over a remote display protocol.
To select a resource type and delivery method
- Server desktop. Publishes the entire Windows desktop of a server in the farm. When the plug-in connects to the server, the user sees a desktop interface from which any application installed on that server can be started. After selecting this application type, you must specify the server that you want to publish. To publish a desktop, you must be running XenApp. If you are running the console on a computer that is not running XenApp, you cannot publish the local desktop.
- Content. Publishes nonexecutable information, such as media, Web pages, or documents. After selecting this application type, you must specify the URL (Uniform Resource Locator) or UNC (Uniform Naming Convention) path to the file you want to publish. Click Browse to view available content resources on your network.
- Application (selected by default). Publishes an application installed on one or more servers in the farm. Note that if you are running the console on a computer that is not a member of the farm, you cannot publish local applications. You need to indicate one of the following application types:
  - Accessed from a server. Grants users access to applications that run on a XenApp server and use shared server resources. If you choose this option, you must then enter the location of the executable file for the application and the XenApp server on which it will run. Choose this option as the application type unless you intend to stream your applications.
  - Streamed if possible, otherwise accessed from a server (also called dual mode streaming). Grants users access to a profiled application that streams from the file share to their user devices and launches locally from within an isolation environment. Alternatively, for user devices that do not support streamed applications (for example, if the offline plug-in is not installed), this setting allows the use of an ICA connection to access the application installed on or streamed from a XenApp server.
  - Streamed to client. Grants users access to a profiled application that streams from the file share to their user devices and launches locally from within an isolation environment. With this option, the application uses client resources instead of server resources. Users must have the offline plug-in installed and access the application using the online plug-in or a Web Interface site. If selected, user devices that do not support client-side application virtualization (for example, they use a non-Windows client) or do not have the offline plug-in installed locally cannot launch the application.
2. If you selected Accessed from a server or Streamed if possible, otherwise accessed from a server, you also need to select the Server application type. These are:
   - Installed application. Enables users to launch an application installed on a XenApp server.
   - Streamed to server. Grants users access to stream a profiled application from the file share to a XenApp server and launch it from XenApp through an ICA connection.
Note: For more information about client-side application virtualization through streaming, see the information for application streaming.
- Command-line. The full path of the application's executable file. Append the symbols %* (percent and star symbols enclosed in double quotation marks) to the end of the command line to act as a placeholder for client-supplied application parameters. When a plug-in makes a connection request, the server replaces the symbol %* in the command line with application parameters provided by the plug-in. If the path to the application's executable includes directory names with spaces, enclose the command line for the application in double quotation marks. Include a space between the closing quotation mark and the double quotation marks around the percent and star symbols. An example of the format to use with a path with spaces and a placeholder is:
  Important: Changing the command-line text removes all file type associations from the application. If you change the command-line text, modify the Content Redirection application property page to select the file types you want to associate with the application for client to server content redirection.
- Working directory. By default, this path is the same as the path in the Command line field. To run the application from a different directory, add an absolute path to this field.
- HTML Web site address (http://www.citrix.com)
- Document file on a Web server (https://www.citrix.com/press/pressrelease.doc)
- Directory on an FTP server (ftp://ftp.citrix.com/code)
- Document file on an FTP server (ftp://ftp.citrix.com/code/Readme.txt)
- UNC file path (file://myServer/myShare/myFile.asf) or (\\myServer\myShare\myFile.asf)
- UNC directory path (file://myServer/myShare) or (\\myServer\myShare)
If your environment includes published applications that use customized client-supplied parameters for purposes other than content redirection from client to server, these applications might not function correctly when command-line validation is enabled. To ensure client-supplied parameters are passed from client to server, disable command-line validation for these published applications. To disable command-line validation for selected published applications, from the Location page of the application properties, append the symbols %** (percent and two star symbols enclosed in double quotation marks) to the command-line parameter.
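An added example, not from the Citrix documentation, that applies the Command line rules above to published-application settings: it checks the quoting of the executable path and of the "%*" placeholder, reports where "%**" has switched command-line validation off for an application, derives the default working directory, and shows the substitution the server performs at connection time. The tokenizer is a simplified model of Windows quoting, and the sample command lines are constructed.

```python
import ntpath

VALIDATED = "%*"     # placeholder for client-supplied parameters, subject to command-line validation
UNVALIDATED = "%**"  # same placeholder with command-line validation disabled for this application


def split_quoted(cmd: str) -> list:
    """Split on spaces outside double quotes (simplified Windows quoting, no escapes).
    Quote characters are kept so callers can see exactly how each token was written."""
    tokens, current, in_quotes = [], "", False
    for ch in cmd.strip():
        if ch == '"':
            in_quotes = not in_quotes
            current += ch
        elif ch == " " and not in_quotes:
            if current:
                tokens.append(current)
            current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def inspect_command_line(cmd: str) -> dict:
    """Check a published application's Command line field against the rules on this page."""
    tokens = split_quoted(cmd)
    exe = tokens[0].strip('"') if tokens else ""
    issues, placeholder = [], None
    if not exe:
        issues.append("empty command line")
    elif '"' in exe:
        # '"C:\Program Files\x.exe""%*"' tokenizes as one item: the required space is missing
        issues.append("missing space between the closing quotation mark of the path and the placeholder")
    elif not ntpath.splitext(exe)[1]:
        # An unquoted path with spaces breaks at the first space, leaving no file extension
        issues.append("executable has no extension; a path with spaces must be enclosed in double quotation marks")
    for i, tok in enumerate(tokens[1:], start=1):
        bare = tok.strip('"')
        if bare in (VALIDATED, UNVALIDATED):
            if tok != f'"{bare}"':
                issues.append(f"{bare} must be enclosed in double quotation marks")
            if i != len(tokens) - 1:
                issues.append(f"{bare} must be the last item on the command line")
            placeholder = bare
    return {"executable": exe, "placeholder": placeholder,
            "validation_disabled": placeholder == UNVALIDATED, "issues": issues}


def default_working_directory(cmd: str) -> str:
    """By default the working directory is the directory of the command line's executable."""
    return ntpath.dirname(inspect_command_line(cmd)["executable"])


def expand_placeholder(cmd: str, client_params: list) -> str:
    """What the server does at connection time: substitute the plug-in's parameters for the
    placeholder. Parameters containing spaces are re-quoted so each stays a single argument."""
    out = []
    for tok in split_quoted(cmd):
        if tok.strip('"') in (VALIDATED, UNVALIDATED):
            out.extend(f'"{p}"' if " " in p else p for p in client_params)
        else:
            out.append(tok)
    return " ".join(out)


def audit_published_apps(apps: dict) -> dict:
    """apps: display name -> Command line. Returns the entries worth a second look: quoting
    issues, or validation disabled via %**, which should be a deliberate per-application decision."""
    return {name: r for name, r in ((n, inspect_command_line(c)) for n, c in apps.items())
            if r["issues"] or r["validation_disabled"]}


# Constructed sample of published applications (not from a real farm)
SAMPLE_APPS = {
    "Ledger": '"C:\\Program Files\\Vendor\\app.exe" "%*"',
    "Legacy viewer": '"C:\\Apps\\viewer.exe" "%**"',
    "Notepad": 'C:\\Windows\\notepad.exe',
}
```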
- Install the offline plug-in locally, where it runs in the background to enable application streaming.
- Install the latest version of the online plug-in locally.
- To stream to client devices across a network protected by a firewall, configure firewall policies to allow those applications access.
After all of these tasks are complete, publish the application as Streamed to client.
- Remote applications only, or Dual mode streaming (streamed if possible, otherwise accessed from a server)

Managing Streamed Applications
For information about managing application types on Web Interface sites, see Technologies > Web Interface. After you ensure all of these tasks are complete, publish the application as Streamed to a server.
To select a streaming delivery method
- Accessed from a server. Users launch the application that runs on a XenApp server and uses shared server resources, or launch it from a Web browser using a Web Interface site you create. If you choose this option, you must then enter the location of the executable file for the application and the XenApp server on which it will run. This is the typical application type unless you intend to stream your applications to the client desktop. With this method, users access the applications using the online plug-in or Web plug-in. This method does not support desktop integration or offline access to applications. From the Server application type list, select the delivery method:
  - Streamed to server. The application in the profile is streamed from the App Hub to the XenApp server, where the offline plug-in is installed by default. The application displays on the user devices using the online plug-in or Web plug-in; the offline plug-in is not required on the user device. With this method, users access the applications using the online plug-in or Web plug-in. This method does not support desktop integration or offline access to applications.
- Streamed if possible, otherwise accessed from a server (called dual mode streaming). Grants users access to a profiled application that streams from the file share to their user devices and launches locally from within an isolation environment. Alternatively, user devices that do not support streamed applications (such as when they do not have the offline plug-in installed) instead use an ICA connection to access the application installed on or streamed from a XenApp server. From the Server application type list, select the alternative delivery method for clients that do not support streaming to the user device:
  - Streamed to server. The application in the profile is streamed from the App Hub to the XenApp server, where the offline plug-in is installed by default. The application displays on the user devices using the online plug-in or Web plug-in; the offline plug-in is not required on the user device. With this method, users access the applications using the online plug-in or Web plug-in. This method does not support desktop integration or offline access to applications.
- Streamed to client. With this method, you make available the full set of application streaming features. When you stream applications directly to client desktops, some of the application files are cached locally and the application runs locally from within an isolation environment using the resources of the user device.
  - Users must have both the offline plug-in and online plug-in installed locally.
  - With this delivery method, you can configure the application and users for offline access. When this configuration is completed, the entire application is fully cached on the user device. Users can disconnect from the network and continue using the application for the time specified in the offline license.
  User devices that do not support client-side application virtualization (for example, they use a non-Windows client) or do not have the offline plug-in installed locally cannot launch the application.
Note: You can also force a delivery method for applications published as "Streamed to client" based on filters. To do this, configure the Load Balancing policy setting (located in the Delivery Services Console) for Streamed App Delivery. The policy setting overrides the selection in the publishing wizard.
To force a delivery method for streamed applications
- Allow applications to stream to the client or run on a Terminal Server (default setting).
- Force applications to stream to the client. User devices always stream the application from the App Hub to the user devices. Users must have the offline plug-in installed and access the application using the online plug-in or a Web Interface site. For example, you might use this setting to prevent the use of server resources. User devices without the offline plug-in and either the online or Web plug-in cannot launch the application.
- Do not allow applications to stream to the client. Users always launch streamed applications from the server. For example, you might use this option to prevent applications from streaming to specific clients. In addition:
  - If you publish a streaming application with Streamed if possible, otherwise accessed from a server (dual mode streaming), users always launch the application from the server using the alternative method you selected.
  - If you publish an application as Streamed to client (without dual mode), the connection fails.
This table describes the default delivery of each application type and the results of setting the policy. The policy setting overrides the delivery protocol for applications that are published as streamed to client.

| Application type | Default delivery | Result of setting the policy |
| --- | --- | --- |
| Streamed to client | Citrix offline plug-in streams application to desktop. | Connection fails. |
| Accessed from a server: Installed application | Citrix online plug-in virtualizes the application installed on XenApp (not streamed). | Policy does not apply. |
| Accessed from a server: Streamed to server | Offline plug-in streams application from file share to XenApp and any online plug-in virtualizes the application from XenApp. | Policy does not apply. |
| Streamed if possible; otherwise accessed from a server (dual mode): Installed application | Offline plug-in streams application to desktop. Otherwise, the online plug-in connects to the application installed on server (not streamed). | Connection works. |
| Streamed if possible; otherwise accessed from a server (dual mode): Streamed to server | Offline plug-in streams application to desktop. Otherwise, offline plug-in streams application to the server. | Connection works. |
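The policy values, application types and device states above as an added decision function (example code written for this page, not Citrix's): it reproduces the default-delivery column of the table for a device with the offline plug-in and the outcome of each policy value, including the fallback and failure cases. Reading "Force" as removing dual mode's server fallback when the offline plug-in is absent is an assumption, and the outcome strings are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class AppType(Enum):
    STREAMED_TO_CLIENT = "Streamed to client"
    ACCESSED_FROM_SERVER = "Accessed from a server"
    DUAL_MODE = "Streamed if possible, otherwise accessed from a server"


class ServerType(Enum):
    INSTALLED = "Installed application"
    STREAMED_TO_SERVER = "Streamed to server"


class Policy(Enum):
    """Values of the Streamed App Delivery policy setting."""
    ALLOW = "Allow applications to stream to the client or run on a Terminal Server"
    FORCE = "Force applications to stream to the client"
    DENY = "Do not allow applications to stream to the client"


@dataclass(frozen=True)
class Device:
    offline_plugin: bool  # Citrix offline plug-in installed locally
    online_plugin: bool   # online plug-in installed (or Web Interface access available)


# Constructed outcome strings, worded after the page's table
CLIENT_STREAM = "offline plug-in streams the application from the App Hub to the user device"
SERVER_INSTALLED = "online plug-in connects to the application installed on the XenApp server"
SERVER_STREAM = "offline plug-in on the XenApp server streams the application; online plug-in presents it"
FAILS = "connection fails"


def server_side(server_type: ServerType) -> str:
    return SERVER_INSTALLED if server_type == ServerType.INSTALLED else SERVER_STREAM


def resolve_delivery(app_type: AppType, server_type, policy: Policy, device: Device) -> str:
    """Return how one launch is delivered for an application type, policy value and device."""
    if app_type != AppType.STREAMED_TO_CLIENT and server_type is None:
        raise ValueError("this application type needs a Server application type")
    if not device.online_plugin:
        return FAILS  # every delivery path is reached through the online plug-in or Web Interface
    if app_type == AppType.ACCESSED_FROM_SERVER:
        return server_side(server_type)  # never streamed to the client, so the policy does not apply
    can_stream_to_client = device.offline_plugin
    if app_type == AppType.STREAMED_TO_CLIENT:
        if policy == Policy.DENY:
            return FAILS  # no alternative delivery method was published
        return CLIENT_STREAM if can_stream_to_client else FAILS
    # Dual mode: streamed if possible, otherwise the alternative method you selected
    if policy == Policy.DENY:
        return server_side(server_type)
    if policy == Policy.FORCE:
        # Assumption: "always stream to the client" removes the server fallback
        return CLIENT_STREAM if can_stream_to_client else FAILS
    return CLIENT_STREAM if can_stream_to_client else server_side(server_type)


# The five rows of the page's table
ROWS = [
    (AppType.STREAMED_TO_CLIENT, None),
    (AppType.ACCESSED_FROM_SERVER, ServerType.INSTALLED),
    (AppType.ACCESSED_FROM_SERVER, ServerType.STREAMED_TO_SERVER),
    (AppType.DUAL_MODE, ServerType.INSTALLED),
    (AppType.DUAL_MODE, ServerType.STREAMED_TO_SERVER),
]


def delivery_table(policy: Policy, device: Device) -> list:
    """The table for one policy value and device: (application type, server type, outcome) per row."""
    return [(a.value, s.value if s else "", resolve_delivery(a, s, policy, device)) for a, s in ROWS]
```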
For 32-bit systems: HKEY_LOCAL_MACHINE\Software\Citrix\Rade\AllowUnsecuredHttpAuth
For 64-bit systems: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\Rade\AllowUnsecuredHttpAuth
Type: REG_DWORD
Value: 1
To provide HTTP or HTTPS delivery method
In the following example, the XenApp server, Web server, and file server are located on the same physical server. This is not a requirement. To configure the Web server:
1. Create a file share, if one does not already exist. For example:
   Web server name: WebServer
   Physical location on Web server: c:\webProfiles
   The share name: webProfiles
   An administrator must share this folder with the Everyone group assigned READ access and the Administrators group assigned WRITE access at both the share level and NTFS level.
   UNC path: \\WebServer\webProfiles
2. On the Web site hosting the profile, add the following MIME type information:
   - Set "Execute Permissions" to NONE
   You can set this information for the Web site hosting the profiles or for a specific folder in the virtual directory that holds the profiles.
3. In addition, if the profile includes pre-launch or post-exit scripts, also add the following MIME type information for the file extension of each script, such as .bat or .com:
   - Extension: <file extension>, and MIME type: application/octet-stream
4. In the directory hosting the profiles:
   a. Open Properties and select the Directory tab.
   b. In the Configuration area, keep one application file extension (it doesn't matter which one you keep) and remove all the rest of the file extensions.
   c. Create a placeholder extension for application mapping; for example, ".testcitrix," which should not occur in the profile.
   d. Copy the settings from the file extension that remains (Step 4b) to the placeholder extension.
   e. Delete the file extension that remained in Step 4b, leaving only the placeholder extension from Step 4c.
5. Create a virtual Web site that points to the file share using the UNC path. For best results, do not use spaces in the URL. For example: HTTP (or HTTPS) path of virtual directory: http://WebServer.domain.com/webProfiles
6. Turn on Directory Browsing on the virtual Web site. Now you can test the configuration; continuing the example, browse to http://WebServer.domain.com/webProfiles/myApplication/myApplication.profile. If the Web server is configured correctly, the .profile file opens looking like an XML file (not an error message). For HTTP, you have now completed the configuration of the Web server.
7. For HTTPS, additional binding configuration of the Web server is required. See the additional steps following this procedure, based on your operating system.
8. In the XenApp console, publish the application as Streamed to client, Streamed to server, or Streamed if possible, otherwise accessed from a server and continue in the wizard.
9. On the Location page, enter the full URL path (starting with HTTP or HTTPS) to the profile (browsing to an HTTP location is not supported at this time). Use a fully qualified domain name, not a relative domain name.
10. Click in the field titled Application to launch from the Citrix streaming application profile to select the application.
11. Finish the remaining pages of the wizard. The application is ready to stream to the client device using the HTTP delivery method.
To stream from an HTTPS address from Windows Server 2008, additional configuration is required on the Web server. An appropriate Web Server Certificate must already be installed:
1. From IIS, edit the Bindings for the Web Site.
2. In the Site Bindings dialog, click Add.
3. Under Type, choose https.
4. For SSL certificate, choose the installed Web Server Certificate.
5. Using the previous example, browse to https://WebServer/webProfiles on the Web server, which must be a member of the domain and have the root certificate installed.
To stream from an HTTPS address from Windows Server 2003, install a Web Server Certificate from a domain certificate authority:
1. From IIS, open Properties for the virtual Web site.
2. Click the Directory Security tab.
3. Under Server Communications, click Server Certificate.
4. Complete the Web Server Certificate wizard, and using the previous example, browse to https://WebServer/webProfiles on the Web server, which must be a member of the domain and have the root certificate installed.
Configuring Offline Access
Step 1: Configure policy settings for offline access
Step 2: Install the online and offline plug-ins on user devices
Step 3: Publish the application for offline access
You can complete these steps in any order, but users cannot run applications in offline mode until all steps are completed.
- Offline app users (required). Create a list of users or groups who have offline access permission and add that list both when creating the policy for Offline app users and when publishing the application. Users or groups listed in the offline app users policy setting and who are also configured for the application have permission to run offline-enabled applications in online and offline mode. Users who are configured for the application, but who are not added to the policy list can access the application online, but not offline. Users or groups on this list use an offline license to launch applications regardless of whether they are connected to the network or disconnected.
- Offline app license period (required). Specify the number of days applications can work offline before users have to renew the license (21 days by default, but can range from 2 to 365 days). For versions 1.0 through 5.1 of the plug-in, the license for each application in the profile is activated when the user launches the application the first time, for online or offline use. Beginning with version 5.2 of the plug-in, when the user launches an application in the profile for the first time, for online or offline use, the offline license is activated for all other applications in the profile, as well. This occurs at the farm level. Thus, the offline license for all applications in the profile expires based on the date of the first application launched the first time, regardless of when the other applications are launched.
  To configure licenses, administrators can use the License Management Console or command-line tools. They must also ensure they have a sufficient number of licenses to support the total number of users with offline access permission. Users who run XenApp hosted applications can also stream applications to user devices without requiring a separate license. For general information, in the topics for Licensing Your Product, see Getting Started with Citrix Licensing.
  When users with offline access log on using the online plug-in, they automatically either check out an offline license or renew a license already checked out. If users stay logged on, licenses are renewed automatically each day. If the license is near its expiration date while a user is running the application in offline mode, a notice appears reminding the user to log on (that is, change to online mode). When the user logs on, the offline license is renewed automatically if a license is available. If the license expires and no license is available, the user cannot launch the application offline.
- Offline app client trust (optional). Use this setting to enable offline application clients that have disconnected to recreate sessions when reconnecting, without authenticating again.
- Offline app event logging (optional). Use this setting to enable logging of offline application events to the event log on the server.
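An added example (not Citrix code) modelling the offline-access rules above: the 2 to 365 day period check, per-application license activation for plug-ins before 5.2 versus profile-wide activation from 5.2, renewal at logon, and the online-only result for a user configured for the application but missing from the Offline app users list. The exact day on which a checked-out license lapses is an assumption; the profile and application names are constructed.

```python
from datetime import date, timedelta

DEFAULT_LICENSE_PERIOD_DAYS = 21
MIN_LICENSE_PERIOD_DAYS, MAX_LICENSE_PERIOD_DAYS = 2, 365


def validate_license_period(days: int) -> int:
    """Offline app license period: 21 days by default, configurable from 2 to 365."""
    if not MIN_LICENSE_PERIOD_DAYS <= days <= MAX_LICENSE_PERIOD_DAYS:
        raise ValueError(f"license period must be {MIN_LICENSE_PERIOD_DAYS}-{MAX_LICENSE_PERIOD_DAYS} days")
    return days


def offline_permission(user: str, policy_users: set, app_users: set) -> str:
    """Offline use needs the user (or a group) in both the Offline app users policy list and
    the application's user list; being configured for the application alone gives online use only."""
    if user not in app_users:
        return "none"
    return "online and offline" if user in policy_users else "online only"


class OfflineLicenseTracker:
    """Tracks when an offline license was checked out and when it lapses.

    Plug-in 1.0-5.1: one license per application, activated at that application's first launch.
    Plug-in 5.2+:    the first launch of any application in a profile activates the license for
                     every application in that profile, so they all lapse on the same date.
    Assumption: a license checked out on day D is usable while today < D + period."""

    def __init__(self, plugin_version: tuple, period_days: int = DEFAULT_LICENSE_PERIOD_DAYS):
        self.per_profile = plugin_version >= (5, 2)
        self.period = timedelta(days=validate_license_period(period_days))
        self.expires = {}  # license key -> date on which it lapses

    def _key(self, profile: str, app: str):
        return profile if self.per_profile else (profile, app)

    def launch(self, profile: str, app: str, today: date, online: bool) -> bool:
        """An online launch checks out (or renews) the license; an offline launch needs a live one."""
        key = self._key(profile, app)
        if online:
            self.expires[key] = today + self.period
            return True
        return key in self.expires and today < self.expires[key]

    def logon(self, today: date) -> None:
        """Logging on with the online plug-in renews every license already checked out."""
        for key in self.expires:
            self.expires[key] = today + self.period

    def days_left(self, profile: str, app: str, today: date) -> int:
        """Days of offline use remaining; what the near-expiry reminder would be based on."""
        key = self._key(profile, app)
        return max(0, (self.expires[key] - today).days) if key in self.expires else 0
```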
- Enable the application for offline access and select the caching preference.
- Create a list of users or groups who have offline access permission and add that list both when creating the policy for Offline app users and when publishing the application.
To enable content redirection from server to client
- HTTP (Hypertext Transfer Protocol)
- HTTPS (Secure Hypertext Transfer Protocol)
- RTSP (Real Player and QuickTime)
- RTSPU (Real Player and QuickTime)
- PNM (Legacy Real Player)
- MMS (Microsoft Media Format)
If content redirection from server to client is not working for some of the HTTPS links, verify that the user device has an appropriate certificate installed. If the appropriate certificate is not installed, the HTTP ping from the client device to the URL fails and the URL is redirected back to the server. For legacy plug-ins, content redirection from server to client requires Internet Explorer Version 5.5 with Service Pack 2 on systems running Windows 98 or higher.
When you configure content redirection from client to server, context menu commands available from within Windows Explorer function differently than on user devices that do not use this feature. For example, if you right-click a file in Windows Explorer on a user device with content redirection from client to server enabled for the file type, the Open command opens the file with the remote application on XenApp. For a streamed application, the file could be opened either on the user device or on the XenApp server, depending on the delivery configuration. Most commands on the Windows Explorer context menu are unaffected because they are not configured under keys modified by XenApp. Context menu items are generally defined by each application when installed.
- Rename, move, disable, and delete published applications
- Change, duplicate, import, and export published application settings
Only a Citrix administrator with full access to the Published Applications task can change published applications. Use the application properties to change settings for a published application, including the location of the published application, the servers on which the published application is available, and the user accounts allowed to access the published application. From the Action menu, select Application properties. Important: The resource type you publish (application, content, or server desktop) determines your path through the Publish Application wizard; consequently, the properties associated with the resource may vary.
Important: If a duplicate application name is found in the farm, a four-digit hexadecimal number is appended to the original string. If the character limit is reached and duplicated, the console replaces the end characters with four-digit hexadecimal numbers, starting from the right. The application name appears in the left pane of the Properties dialog box for an application.
The Servers list displays the servers that belong to the farm. Initially, all servers in the farm appear. Use a filter to display only servers running a particular operating system or Citrix version. Note: If you apply a filter (in the Select Servers dialog box), the filter settings remain in effect each time the Publish Application wizard is run until the filter is removed or changed.
Use the Import from file option to import an application server list file (*.asl). You export the server list of a previously published application and then import this settings file when creating a new published application.
If you modify your servers for a published application, some users may not be in a trusted domain for that server. If you receive an error message when trying to modify configured servers for a published application, duplicate the application and then modify the servers and users lists of the new application.
Configure streamed applications for offline access as you publish them or later in the Application Properties:
• As you publish applications in the Publish Applications wizard, click the Enable offline access check box on the Offline Access page.
• In Application Properties, select Basic > Streaming settings > Offline Access. Click the Enable offline access check box to enable the feature.
Tip: If, later, some operation in the application fails offline due to a missing component, it will fail while connected as well. The solution is to ensure that you package all the necessary components by thoroughly testing the profile.
The server fully caches applications enabled for offline access on user devices; the entire application is sent to user devices while the user is online so that the user can launch the application offline and have full functionality of the application. By default, applications are cached when a user logs on. Select when to cache the streamed application:
• Pre-cache application at login. Caches the application when the user logs on (selected by default). However, concurrent logons may slow network traffic.
• Cache application at launch time. Caches the application when users launch it. Use this option if the number of users logging on at the same time (and pre-caching their applications) could overload the network.
Pre-caching is also possible using third-party tools, such as Microsoft System Management Server (SMS) or Altiris. If you use a third-party caching method, ignore this setting because it is not used; that is, applications are not cached twice.
1. Select Allow anonymous users to let all users log on anonymously and start the streamed application without specifying a user name, domain name, and password (selected by default). This selection disables the remaining options on the page. Select Allow only configured users to allow only configured users to start the application. For example, select this option for all streamed applications. Selecting this option enables the Select directory type drop-down list, which allows you to configure the users for this application. You can configure the list later in the application properties.
   Note: Streamed applications do not support anonymous users. Additionally, if you enable the streamed application for offline access, these options are not shown.
2. Use the Select directory type drop-down box to select either Citrix User Selector or Operating System User Selector.
3. Click Add. If you selected Citrix User Selector, complete the following tasks in the Select Users or Groups dialog box:
• Select your account authority from the Look in drop-down list. The drop-down list contains all trusted account authorities configured on the servers in the farm. These include Novell Domain Services for Windows (NDSfW) domains, Windows NT domains, Active Directory domains, and local servers. (NDSfW domains appear only if previously configured.) When you select an account authority, the user accounts that are part of the selected authority appear in the window below the drop-down list.
• By default, only user groups appear. Select Show users to display every user name in the selected domain. For NDS, alias objects also appear.
• The user accounts you select are listed in Configured users.
To configure user access to applications
Tip: Instead of selecting names from the list, type them in a text box. To do this, click Add List of Names and use semicolons (;) to separate names.
If you selected Operating System User Selector, use the standard Windows dialog box to select your user or group.
Note: This option has several limitations. You can browse only account authorities and select users and groups that are accessible from the computer running the console. In addition, you might initially select users and groups outside the trust intersection of the farm, which causes errors later. Other limitations include the inability to add NDS users and groups.
The list of user accounts is added to the Configured Accounts list. Changes take effect the next time the user launches the application.
• Ten-minute idle (no user activity) time-out
• Logoff from broken or timed out connections
• The user cannot change the password (none is required)
When an anonymous user session ends, no user information is retained. The server does not maintain desktop settings, user-specific files, or other resources created or configured for the user device.
Note: The anonymous user accounts that XenApp creates during installation do not require additional configuration. If you want to modify their properties, do so with the standard Windows user account management tools.
• Add to the client's Start menu. Creates a shortcut to this application in the user's local Start menu. A folder appears in the first pane of the Start menu in the location you select:
  – Place under Programs folder. This option creates a shortcut under the Programs folder of the local Start menu. If a folder structure is specified in the Start Menu Folder text box, the folder structure is created within the local Programs folder.
  – Start menu folder. The location of the shortcut within the Start menu (or Programs folder, if selected). For example, to have the application appear under a folder called Reports, enter Reports. For more than one level of folders, separate each folder name with a backslash; for example, Reports\HR\survey. If no folder structure is specified, the application is available from the top level of the Start menu.
• Add shortcut to the client's desktop. Creates a shortcut to this application on the user's local desktop.
Changes take effect after the user reconnects or refreshes the user device.
• Allow connections made through Access Gateway Advanced Edition (Version 4.0 or later). This is the default. Select the type of connections that allow the application to appear in the list of applications:
  – Any connection. Allows connections made through Access Gateway (Version 4.0 or later), regardless of filters. This is the default.
  – Any connection that meets any of the following filters. Allows connections made through Access Gateway (Version 4.0 or later) that meet one or more of the connection filters specified in the list. To Add or Edit a filter, click the respective button and enter the predefined Access Gateway farm name and filter.
• Allow all other connections. Allows all connections except those made through Access Gateway (Version 4.0 or later). This is the default.
Users who do not have the required software running on the user device cannot access the published application.
Content redirection from user device to server. Users running a Citrix plug-in open all files of an associated type with a specific published application and delivery method. For example, when users double-click an email attachment, the attachment opens in an application based on the file type and delivery method set for those users.
Note: If you do not want specific users to launch published applications automatically when opening published content, do not assign published applications associated with file types to those users.
Content publishing. Users connecting through the Web Interface or using the online plug-in open content published on servers with applications published on servers. For example, you publish a Microsoft Word document. When you also publish the Microsoft Word application, associate it with a list of file types (files with the .doc extension, for example), and assign it to a group of users, the published content is opened in the Microsoft Word application published on the server.
File type association is a two-step process. For example, if you want to associate Microsoft Word with the .doc file extension:
• Publish a document of the Microsoft Word for Windows file type.
• Publish the Microsoft Word application and associate it with the Microsoft Word for Windows file type.
When users double-click the document from the user device, it opens in the Microsoft Word application published on the server. Users connecting through the Web Interface or using the online plug-in can open published content with published applications.
1. Select one or more of the buttons to select the file types that you want the application to open when a user opens a file. Published applications can be associated with one or more file types.
2. To list all file types associated with the application, click Show all available file types for this application. Clear the check box to display only the selected file types. When changing the available file types for an application, select this check box to display the superset of file types available, not just those selected when initially publishing the application.
To associate published applications with file types
Note: When you associate a file type with a published application, several file extensions can be affected. For example, when you associate the Word document file type, file extensions in addition to the .doc extension are associated with the published application.
• You installed an application but have not yet published it.
• You plan to enable content redirection from user device to server or have users open published content using the application.
• The data store does not already contain the file type associations. If you updated the file types from the registries of other servers hosting the application, the data store already contains the associations.
If needed, update file types for the farm or for an individual server:
• In the console, select a farm in the left pane and from the Action menu, select Other Tasks > Update file types.
• Select a server in the left pane and from the Action menu, select Other Tasks > Update file types from registry.
Choose which file types are opened with a published application. When you publish an application, a list of available file types appears on the Content redirection page. This list is current only if the data store was updated with the file type associations for the application. Update the data store from the registries of several servers containing an application to associate a complete set of file types with the application. If you publish applications to be hosted on more than one server, be sure to update the file types on each server.
• Limit instances allowed to run in server farm and then enter the numerical limit in Maximum instances
• Allow only one instance of application for each user
If Preferential Load Balancing is available in your XenApp edition, this setting (along with the session importance policy setting) determines the Resource Allotment associated with the session. The higher the Resource Allotment of the session, the higher the percentage of CPU cycles allotted to it. In the Application Importance list box, set the priority that is used with the Session Importance setting to determine the level of service for the session in the XenApp farm: High, Normal, and Low.
• The setting in Remote Desktop Server Configuration and/or the setting in Citrix Connection Configuration Tool (Mfcfg.exe)
• The policy setting that applies to the connection
• The application setting (that is, the level you are setting in this dialog box)
• The Microsoft Group Policy
The encryption settings specified here when publishing an application should be at the same level as the encryption settings you specified elsewhere. That is, any encryption setting you specify in the Remote Desktop Server Configuration tool or connection policies cannot be higher than the application publishing setting. If the encryption level for an application is lower than any settings you specified for Remote Desktop Server Configuration and connection policies, those settings override the application settings.
If the minimum requirements check box is selected and the plug-in connection does not meet the most restrictive level of encryption, the server rejects the connection when the plug-in tries to connect to the application. If the minimum requirements check box is selected, the plug-in setting is always used. However, the plug-in setting must be as secure as the server setting or the connection is denied.
If you select Minimum requirement under the Encryption list box, plug-ins can connect to the published application only if they are communicating using the specified level of encryption or higher. After you set this encryption level on the server, any plug-ins connecting with that server must connect at that encryption level or higher.
If a plug-in is running on a 64-bit computer, only basic encryption is supported. In this situation, setting a level of encryption higher than Basic and selecting the minimum requirements check box prevents plug-ins from connecting.
Select Client audio options:
• Enable legacy audio. Select this option to allow audio support for applications to which HDX MediaStream Multimedia Acceleration does not apply.
  Note: By default, audio is disabled on the user device. To allow users to listen to audio in sessions, turn on audio or give the users permission to turn on audio themselves in the plug-in interface they are using, such as Citrix XenApp.
• Minimum requirement. Select this option to allow plug-ins to connect to the published application only if they have audio support. The Minimum requirement check box under the Client audio list box applies only to the legacy audio setting. It does not apply to HDX MediaStream Multimedia Acceleration.
In the Connection encryption section, select one or more of the following options:
• Select Enable SSL and TLS protocols to request the use of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols for plug-ins connecting to the published application.
• Select Encryption to apply the RC5 encryption level for the connection.
In the Printing section, select or clear Start this application without waiting for printers to be created. Selecting this option can allow the plug-in to connect faster. However, if you select this option, the printers may take a few seconds to be created; do not select this option for applications that print to the printer immediately after being launched.
To set the default window size, select the Session window size. Specify window size as a standard resolution, custom resolution, percentage of the screen, or full screen. To set the color depth for the application, select the Maximum color quality. The available options are Better appearance (32-bit), Better speed (16-bit), or 256-color (8-bit). To hide the application title bar and maximize the application at startup, change the setting in the Application Startup Settings.
From the Publish Application wizard, continue to the Publish immediately page and select the Disable application initially check box. When checked, the application is published, but users cannot access it until you enable it. In the console, select the application in the navigation pane, and from the Action menu, select Enable application or Disable application.
In the console, select the application in the navigation pane, and to modify the file types, from the Action menu, select Application properties and then select Name. On this page, select Disable application.
Note: If the Disable application initially option is selected and cannot be cleared, either the application requires configured users but none are specified, or the application is of a type that runs on a server (such as an installed application or streamed-to-server application) but no servers are specified.
Entire Application. Exports the application and all the settings associated with the published application to an .app file. If you choose this option, you can export settings from multiple applications; select them from the left pane of the console before selecting the export task. Important: If application settings are exported as a batch, they must be imported as a batch.
Server List Only. Exports only the list of configured servers for the application to an ASL file, including any per-server command-line overrides, if applicable. Then select an application and import the server list, replacing the existing server list. Alternatively, import this list of servers when publishing an application by clicking Import from file on the Servers page of the Publish Application wizard.
Note: This task is available only for applications that have servers associated with them. For this reason, this task is unavailable for published content or streamed-to-client applications. You can export the server list associated with one published application only.
3. Settings files are saved in XML format. The settings associated with your published application are saved to a settings file with one of the following extensions: APP, AUL, or ASL. The file name is the same as the application by default. For example, if you choose to export all the application settings of a published application called Notepad123, the default file name for the exported application settings file is Notepad123.app.
If you selected a folder in Step 1 of this procedure and an APP file in Step 2, the new application appears under the folder you selected. If you selected a previously published application in Step 1 and either an ASL or AUL file in Step 2, click Yes to confirm that you want to overwrite existing settings. The imported ASL or AUL file updates the server settings or user settings of the application, respectively.
Note: If any of the servers or users that were exported for a published application cannot be imported, a warning message appears identifying the list of users or servers that could not be imported. You either proceed or cancel the import at that point. Cancelling the import cancels the entire import operation. This situation might occur if a server was removed from the farm after a published application was exported, if a user was removed from the domain, or if the administrator does not have proper permissions to publish the application on one or more of the servers that were exported.
• They use a hard-coded TCP port number, or
• They do both of the following:
  – Require a unique IP address or require a specified TCP port number
Also, this feature lets you configure applications that depend on communication with localhost (127.0.0.1 by default) to use a unique virtual loopback address in the localhost range (127.*). Use virtual loopback when:
• They use the Windows socket loopback (localhost) address (127.0.0.1), or
• They use a hard-coded TCP port number
If the application requires an IP address for identification purposes only, configure your server to use the client IP address.
• In Microsoft Server Manager, expand Remote Desktop Services > RD Session Host Connections to enable the RD IP Virtualization feature and configure the settings. For details, refer to Microsoft help and documentation, including the Microsoft TechNet Web site.
• Once the feature is enabled, at session start-up, the server requests dynamically assigned IP addresses from the Dynamic Host Configuration Protocol (DHCP) server. Based on your Virtual IP policy and the settings you configure, the RD IP Virtualization feature assigns IP addresses to remote desktop connections on a per session or per program basis. If you assign IP addresses for multiple programs, they share a per-session IP address. After an address is assigned to a session, it uses the virtual address rather than the primary IP address for the system whenever the following calls are made:
  bind, closesocket, connect, WSAConnect, WSAAccept, getpeername, getsockname, sendto, WSASendTo, WSASocketW, gethostbyaddr, getnameinfo, getaddrinfo
XenApp extends the Windows virtual IP feature by allowing the gethostbyname API to return the virtual IP address. In addition, XenApp adds virtual loopback to all APIs.
Note: All processes that require the XenApp feature must be added to the programs list for the Virtual IP policy that you enable. Child processes do not inherit this functionality automatically. Processes can be added with full paths or just the executable name. For security reasons, Citrix recommends that you use full paths.
Binding Applications
Using the Microsoft IP virtualization feature within the Remote Desktop session hosting configuration, applications are bound to specific IP addresses by inserting a filter component between the application and Winsock function calls. The application then sees only the IP address it is supposed to use. Any attempt by the application to listen for TCP or UDP communications is bound to its allocated virtual IP address (or loopback address) automatically, and any originating connections opened by the application are originated from the IP address bound to the application.
In functions that return an address such as GetHostByName() (controlled by a XenApp policy) and GetAddrInfo() (controlled by a Windows policy), if the local host IP address is requested, virtual IP looks at the returned IP address and changes it to the virtual IP address of the session. Applications that try to get the IP address of the local server through such name functions see only the unique virtual IP address assigned to that session. This IP address is often used in subsequent socket calls (such as bind or connect).
Often an application requests to bind to a port for listening on the address 0.0.0.0. When an application does this and uses a static port, you cannot launch more than one instance of the application. The virtual IP address feature also looks for 0.0.0.0 in these types of calls and changes the call to listen on the specific virtual IP address. This enables more than one application to listen on the same port on the same computer because they are all listening on different addresses. Note this is changed only if it is in an ICA session and the virtual IP address feature is turned on. For example, if two instances of an application running in different sessions both try to bind to all interfaces (0.0.0.0) and a specific port, such as 9000, they are bound to VIPAddress1:9000 and VIPAddress2:9000 and there is no conflict.
To use the virtual IP address feature, configure any processes that open the IP address of the server, 0.0.0.0, or 127.0.0.1. To ensure that an application does not open the same IP address on a different port, launch an additional instance of the application.
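The rewriting described above, as an added example that is not Citrix code: a small Python model of the filter (the session table, the server address 10.0.0.5 and the host name APPHOST are constructed), with ordinary sockets showing the static-port conflict and how per-session loopback addresses avoid it.

```python
"""Model of the per-session address rewriting the virtual IP filter performs
between an application and Winsock (added example, not Citrix code).

Constructed assumptions: the session table, the server address 10.0.0.5 and
the host name APPHOST are made up; the real feature takes virtual addresses
from DHCP and applies only to processes on the policy program lists.
"""
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVER_PRIMARY_IP = "10.0.0.5"  # constructed: the server's real (primary) address
SERVER_HOST_NAME = "APPHOST"    # constructed: the server's local host name


@dataclass(frozen=True)
class Session:
    session_id: int
    virtual_ip: str              # per-session address (from DHCP in the real feature)
    virtual_loopback: str        # per-session address in the 127.* range
    in_ica_session: bool = True  # the filter only acts inside an ICA session


SESSIONS = {  # constructed: two ICA sessions on the same XenApp server
    1: Session(1, "10.0.0.101", "127.0.0.2"),
    2: Session(2, "10.0.0.102", "127.0.0.3"),
}


def rewrite_address(requested_ip: str, session: Session) -> str:
    """Address a bind()/connect() request is changed to: 0.0.0.0 and the
    server's own address become the session's virtual IP, 127.0.0.1 becomes
    its virtual loopback, anything else passes through; no ICA session, no change."""
    if not session.in_ica_session:
        return requested_ip
    if requested_ip in ("0.0.0.0", SERVER_PRIMARY_IP):
        return session.virtual_ip
    if requested_ip == "127.0.0.1":
        return session.virtual_loopback
    return requested_ip


def resolve_host_name(name: str, session: Session) -> Optional[str]:
    """GetHostByName() with 'Virtual IP enhanced compatibility' on: the local
    host name yields the session's virtual IP, localhost its loopback; other
    names are not intercepted (None here, the real API resolves them as usual)."""
    if name.upper() == SERVER_HOST_NAME:
        return rewrite_address(SERVER_PRIMARY_IP, session)
    if name.upper() == "LOCALHOST":
        return rewrite_address("127.0.0.1", session)
    return None


def listen_in_session(session: Session, requested_ip: str, port: int) -> socket.socket:
    """Open a listening socket on the address the filter would substitute."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((rewrite_address(requested_ip, session), port))
    sock.listen(1)
    return sock


def conflict_without_vip() -> bool:
    """Without the feature, two instances binding one static port collide."""
    first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        first.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
        second.bind(("127.0.0.1", first.getsockname()[1]))  # second instance, same port
        return False
    except OSError:                       # EADDRINUSE: the problem the page describes
        return True
    finally:
        first.close()
        second.close()


def same_port_with_vip() -> Optional[List[Tuple[str, int]]]:
    """With the feature, both sessions ask for 127.0.0.1 and the same port and
    each lands on its own loopback address, so both binds succeed.  Needs all
    of 127.0.0.0/8 on the loopback interface (Linux default); else None."""
    sockets: List[socket.socket] = []
    try:
        probe = listen_in_session(SESSIONS[1], "127.0.0.1", 0)  # find a free port
        port = probe.getsockname()[1]
        probe.close()
        for sid in (1, 2):
            sockets.append(listen_in_session(SESSIONS[sid], "127.0.0.1", port))
        return [sock.getsockname() for sock in sockets]
    except OSError:
        return None
    finally:
        for sock in sockets:
            sock.close()


if __name__ == "__main__":
    for sid, sess in SESSIONS.items():
        print(sid, rewrite_address("0.0.0.0", sess), resolve_host_name("apphost", sess))
    print("conflict without virtual IP:", conflict_without_vip())
    print("same port with virtual loopback:", same_port_with_vip())
```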
• Virtual IP enhanced compatibility. Use this setting if your application uses the GetHostByName API. When enabled, calls to GetHostByName within a session return the virtual IP address for the session (disabled by default). The feature applies only for the applications listed in the virtual IP compatibility programs list.
• Virtual IP compatibility programs list. Lists the applications that use the virtual IP enhanced compatibility policy.
• Virtual IP adapter address filtering. Use this setting if your application returns a large number of addresses, which slows down performance. When enabled, the list of addresses returned by GetAdaptersAddresses includes only the session virtual IP address and the loopback address, which can improve performance (disabled by default). The feature is enabled only for the applications listed in the virtual IP filter adapter addresses programs list.
• Virtual IP filter adapter addresses programs list. Lists the applications that use the IP adapter address filtering policy.
• Virtual IP loopback support. Use this setting to allow each session to have its own virtual loopback address for communication (disabled by default). The feature is enabled only for the applications listed in the Virtual IP virtual loopback programs list.
• Virtual IP virtual loopback programs list. Lists the applications that use the Virtual IP loopback support policy.
To supply client IP addresses to published applications on a server
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\VIP\
Name: UseClientIP
Type: REG_DWORD
Data: 1 (enable) or 0 (disable, which is the default)

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\VIP\
Name: HookProcessesClientIP
Type: REG_MULTI_SZ
Data: multiple executable names representing application processes that use client IP addresses
Note: On XenApp, 32-bit Edition, these entries are found in HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VIP\.
3. Close regedit and restart your server.
4. After making the prescribed registry modifications, add the application process in the programs list for the policy.
Do not configure the use of client IP addresses if:
• Plug-ins connect using network protocols other than TCP/IP
• Plug-ins reconnect to disconnected sessions from different client devices
• Sessions use a pass-through plug-in
• The server farm to which user devices connect
• The operating systems on the user devices
When you publish applications for streaming, the method you select determines the type of plug-ins your users need to access the applications. For more information, see Deciding Which Plug-ins to Use for Application Streaming.
• For Windows Vista and Windows 2008, right-click a column heading and select More. In the Choose Details page, check the option to display the version.
• For earlier Windows operating systems, select the plug-in name, and click the link for support information.
To take advantage of the latest updates in application streaming, Citrix recommends installing the most current versions of the offline and online plug-ins. If upgrading is not possible, this release provides limited backward compatibility for Streaming Clients 1.1x. The current plug-in supports profiles created with Streaming Profiler 1.1.
• Enumerate published applications in the desktop Start menu and create shortcuts on the desktop.
• Provide dual-mode streaming. When you select "Streamed if possible, otherwise accessed from a server" and "Streamed to server," if streaming to the client desktop fails, applications automatically stream to a XenApp server and launch using the online plug-in.
• Configure the application and users for offline access. When this configuration is completed, the entire application is fully cached on the user device. Users can disconnect from the network and continue using the application for the time specified in the offline license.
Accessed from a server. The profile is streamed from the App Hub to the XenApp server, where the offline plug-in is installed by default. The application displays on the user devices using the online plug-in or Web plug-in; the offline plug-in is not required on the user device. When you publish applications as "Accessed from a server" and "Streamed to server," users access the applications using the online plug-in or Web plug-in. This method does not support desktop integration or offline access to applications. Select the online plug-in package that fits your corporate needs:
• Install CitrixOnlinePluginFull.exe to stream applications to XenApp servers and launch them with the online plug-in, which provides transparent integration on desktops, or launch them from a Web browser using a Web Interface site you create. Users have the full online plug-in feature set.
• Install CitrixOnlinePluginWeb.exe to stream applications to XenApp servers and launch them from a Web browser using a Web Interface site you create. Users have a limited online plug-in feature set.
Important: For users to stream applications through a Web site using an Internet Explorer or Firefox browser, add the site to the Trusted sites list in Internet Explorer on the user
Using the Merchandising Server and Citrix Receiver to Deploy the Plug-ins
Citrix recommends using the Merchandising Server and Citrix Receiver for Windows to deploy and update the plug-in to a user device.
• Citrix Merchandising Server administrator console. With the administrator console, you can upload the plug-in installation and metadata files, create reusable rules to define the delivery recipients, and create deliveries.
• Citrix Receiver client (Receiver for Windows). After users install Receiver for Windows on their user devices, Receiver installs, updates, and starts the plug-in without user interaction. Users having the correct permissions to manage their plug-in can change the Citrix XenApp server that hosts their published resources using the Receiver Preference panel Advanced tab.
Important: For Firefox to work correctly with the online plug-in, ensure that you or the user install Firefox before installing the plug-in. If the plug-in is already installed, uninstall it, install Firefox, and reinstall the plug-in. Also ensure that the whitelists of trusted and untrusted servers contain the XenApp and Web Interface server names.
• Installing using the Receiver. Citrix recommends using the Receiver to install plug-ins, which lets you deliver and update plug-ins automatically with the Merchandising Server. The Receiver upgrades plug-ins when a newer plug-in is available.
• Installing manually. The offline plug-in installer deploys drivers and requires administrator privileges on the user devices. For users who have administrator privileges, you can make the plug-in installer CitrixOfflinePlugin.exe available, and they can install it themselves. The plug-in installer does not require any configuration during installation.
To take advantage of continuing improvements in the profiler, when you upgrade to the latest offline plug-in, also upgrade to the latest Streaming Profiler and either update your existing applications or re-profile the applications in the new profiler. In addition, Citrix provides command-line utilities and transforms with the offline plug-in to perform actions on user devices.
After installing the plug-in and restarting the user device, the Citrix Streaming Service starts automatically and runs in the background as the user Ctx_StreamingSvc. Restarting the user device also ensures that other applications and plug-ins detect the offline plug-in.
• /Q suppresses the extraction dialog box.
• /T:full path specifies the temporary working folder in which to extract the files.
• /C extracts files only to the folder when used also with /T. Use this only if you are not including a command-line.
• /C:[Cmd] overrides the install command, where Cmd is the command-line that runs after extracting the files to the temporary folder. For Cmd, set command-line properties as needed. The following properties are supported to set the user interface level and other options:
  – /qn executes a completely silent installation; no user interface.
  – /qb shows simple progress and error handling; a basic user interface.
  – /qf shows a full user interface (default).
  – /qr shows a reduced user interface.
  – /l [logfile] creates a verbose install log where logfile is the path and filename for where to save the log. Use double double-quotes for a path with spaces.
  – /norestart prevents restarting of the user device following the installation.
  – /restart initiates a restart automatically (without prompting) upon successful completion of the installation.
To deploy the Citrix offline plug-in

Locations with spaces must be enclosed in quotes; however, only a single set of double quotes is allowed, and nested double quotes cause the command to fail. Where a nested quote is required inside the double quotes, use double double-quotes on each end of the expression. Type the following at a command prompt, where package is the name of the Windows Installer installation package and TransformList is the list of the transforms that you want to apply:

CitrixOfflinePlugin /I package TRANSFORMS=[TransformList].mst

If you are applying multiple transforms, separate each transform with a semicolon. The following examples demonstrate valid command-lines (the quotes follow the rule above):

To simply extract files:
path\CitrixOfflinePlugin.exe /C /T:"c:\Documents and Settings\Administrator\Desktop\Streaming Client"

To run a silent install with no options:
path\CitrixOfflinePlugin.exe /C:"setup /qr"

To add some options:
path\CitrixOfflinePlugin.exe /C:"setup /qr INSTALLDIR=""C:\Program Files\Citrix\Streaming Client"" /norestart /l ""c:\Log Files\streaming.log"""

With some options and a transform:
path\CitrixOfflinePlugin.exe /C:"setup /qr INSTALLDIR=""C:\Program Files\Citrix\Streaming Client"" /norestart /l ""c:\Log Files\streaming.log"" TRANSFORMS=C:\some_transform.mst"
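The quoting rule above (one outer pair of double quotes, double double-quotes for anything nested inside the /C: install command) is easy to get wrong by hand. The following is an added example, not Citrix code, that composes CitrixOfflinePlugin.exe command lines under that rule; the option names are the ones listed on this page, while the helper names, the argument order and the rejection of values that already contain a double quote are choices of this example.

```python
from typing import Optional

# Added example (not Citrix code): composes CitrixOfflinePlugin.exe command
# lines that obey the quoting rules stated above. Option names are the ones
# listed on this page; the helper names are this example's own.


def _check(value: str) -> None:
    """Nested double quotes make the command fail, so a value that already
    contains one cannot be quoted safely; reject it instead of guessing."""
    if '"' in value:
        raise ValueError(f"value must not contain a double quote: {value!r}")


def quote_outer(value: str) -> str:
    """Wrap a value in one pair of double quotes when it contains spaces."""
    _check(value)
    return f'"{value}"' if " " in value else value


def quote_nested(value: str) -> str:
    """Quote a value that sits inside the /C:"..." expression. Only one set
    of double quotes may appear, so the page prescribes double double-quotes
    on each end for the nested value instead."""
    _check(value)
    return f'""{value}""' if " " in value else value


def extract_command(exe: str, temp_dir: str) -> str:
    """/C together with /T: only extracts the package to temp_dir."""
    return f"{exe} /C /T:{quote_outer(temp_dir)}"


def install_command(exe: str, ui: str = "/qr",
                    installdir: Optional[str] = None,
                    log: Optional[str] = None,
                    norestart: bool = False,
                    transform: Optional[str] = None) -> str:
    """/C:Cmd runs Cmd after extraction; ui is /qn, /qb, /qf or /qr."""
    if ui not in ("/qn", "/qb", "/qf", "/qr"):
        raise ValueError(f"unknown user interface level: {ui}")
    parts = ["setup", ui]
    if installdir:
        parts.append(f"INSTALLDIR={quote_nested(installdir)}")
    if norestart:
        parts.append("/norestart")
    if log:
        parts.append(f"/l {quote_nested(log)}")
    if transform:
        parts.append(f"TRANSFORMS={quote_nested(transform)}")
    # The whole Cmd contains spaces, so it gets the single outer pair of quotes.
    cmd = " ".join(parts)
    return f'{exe} /C:"{cmd}"'


if __name__ == "__main__":
    print(extract_command(r"C:\pkg\CitrixOfflinePlugin.exe",
                          r"C:\Temp\Streaming Client"))
    print(install_command("CitrixOfflinePlugin.exe",
                          installdir=r"C:\Program Files\Citrix\Streaming Client",
                          log=r"C:\Log Files\streaming.log", norestart=True,
                          transform=r"C:\some_transform.mst"))
```

Running the module prints the two forms; with the page's own values, install_command reproduces the "To add some options" line above character for character.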
If you manually install the offline plug-in 6.0.2 using command line parameters, during the installation, a CTX_APPHUB_WHITELIST and the IP address or FQDN of the share drive, and HTTP/HTTPS server path. For example:
To deploy the AppHubWhiteList when users install the offline plug-in using Receiver, configure the AppH parameter) in Citrix Merchandising Server.
1 To extract the installation files to a file share, run:
CitrixOfflinePlugin.exe /C /T:[fileshareDirectory]
where fileshareDirectory is the UNC path to a shared folder that is accessible to all the domain user devices on which you will install the offline plug-in.
2 From a computer in the domain:
- On Windows Server 2003, from Administrative Tools, open Active Directory Users and Computers, right-click the organizational unit, and select Properties. From the Group Policy tab, click New.
- On Windows Server 2008, open Group Policy Management, right-click Group Policy Objects, and select New.
3 Name the policy and click Edit.
4 In the Group Policy Object (or Management) Editor, under Computer Configuration > Software Settings, right-click Software installation.
Note: Assigning the package to a User Configuration is not supported.
5 Select New and then select Package.
6 In the Open dialog box, browse to the file share location and select XenAppStreaming.msi.
7 After selecting Open, select the Advanced deployment method.
8 After the properties dialog box opens, from the Modifications tab, click Add and then double-click streaming_client_ad.mst to open the transform.
This installation performs the equivalent of the CitrixOfflinePlugin.exe installation, including installing the offline plug-in, starting the Citrix Streaming Service, and adding the Microsoft Visual C++ 2005 Redistributable Package on all user devices in the domain.
- /enum enumerates the applications currently deployed on the user device.
- /deploy adds the profiled application on the user device.
- /delete removes the profiled application from the user device.
- -m monitors the deployment until complete.
- -p deletes the application profile from the user device. Note that this command also removes any other applications deployed on the user device from this application profile.
4 Repeat for other applications, as needed.
Alternatively, run the command-line from third-party software, such as Microsoft System Management Server (SMS) or Microsoft Active Directory Services (ADS), to deploy applications.
- /? displays the syntax for the utility and information about its options.
- -i clears the registry and files in the install root.
- -if clears only the files in the install root.
- -ir clears only the registry in the install root.
- -u clears the registry and files in the user root.
- -uf clears only the files in the user root.
- -ur clears only the registry in the user root.
- /flushall clears the registry and files in both the install root and the user root for all streamed applications.
3 Repeat for other applications, as needed.
- rules clears the merged rules in the RadeStore location.
- hives clears the registry hives in the RadeStore location.
- tabs clears the registry tab files in the RadeStore location.
- fonts clears fonts in the RadeStore location.
- scripts clears scripts in the RadeStore location.
- /all clears the merged rules, registry hives, registry tab files, fonts, and scripts in the RadeStore location.
3 Repeat for other RadeStore locations, as needed.
- The user device is Windows-based.
- Citrix online plug-in 11.2 or 12.0 is installed on the user device.
- A low-latency, LAN-type network connection is in use.
- Adobe Flash Player 10 is installed on the user device and on the servers running XenApp.
Note: If an earlier version of the Flash Player is installed, or the Flash Player is not installed, Flash content is rendered on the server.
- Only Windows Internet Explorer browsers with ActiveX capabilities are supported (Windows Internet Explorer 7 and 8), and the browser should be available to the user device from the server.
- HDX server-side installations on computers running Windows Server 2003 require the update contained in Microsoft Knowledge Base article KB956572, available from the Microsoft Web site.
- Flash acceleration
- Flash event logging
- Flash latency threshold
- Flash server-side content fetching whitelist
- Flash URL blacklist

After installation on user devices, and in the absence of any overriding policy settings on the client, HDX MediaStream for Flash is ready for use by your users. No further configuration is needed. If you want to change the default settings on the user device, you can do so with the Group Policy Object Editor.

When users connect to an Adobe Flash application for the first time during a XenApp session, a dialog box appears advising them to enable HDX MediaStream for Flash only if they trust the program to which they are connecting. Your users can then enable or disable HDX MediaStream for Flash. The dialog box does not reappear during the current XenApp session, but returns the first time the user accesses Flash content during future XenApp sessions. If users do not enable HDX MediaStream for Flash, the Flash content plays on the server.

It is possible to add and configure the Group Policy Objects prior to installation on the client device. If the Group Policy Objects are set to enable prior to installation, HDX MediaStream for Flash is enabled on the user device and the dialog box does not appear to the user.

Caution: HDX MediaStream for Flash requires significant interaction between the user device and server components. Therefore, this feature should only be used in environments where security separation between the user device and server is not needed. User devices should be configured to use the HDX MediaStream for Flash feature only with trusted servers. HDX MediaStream for Flash requires the Flash Player to be installed on the user device. Therefore, HDX MediaStream for Flash should only be enabled if the Flash Player itself is secured.
To configure HDX MediaStream for Flash on the User Device with Group Policy Objects
1 Create or select an existing Group Policy Object.
2 Import and add the HDX MediaStream for Flash - Client administrative template (HdxFlash-Client.adm), available in:
- For 32-bit computers: %Program Files%\Citrix\ICA Client\Configuration\language.
- For 64-bit computers: %Program Files (x86)%\Citrix\ICA Client\Configuration\language.
Note: For details on creating Group Policy Objects and importing and adding templates, see the Microsoft Active Directory documentation at http://www.microsoft.com.
- Flash acceleration
- Flash event logging
- Flash latency threshold
- Flash server-side content fetching whitelist
- Flash URL blacklist
To enable and disable HDX MediaStream for Flash from the server
HDX MediaStream for Flash is enabled on the server for client-side rendering by default. You can enable and disable HDX MediaStream for Flash from the server through the Citrix User Policy setting Flash acceleration, in the HDX MediaStream for Flash (client side) category. Configure the Flash acceleration setting by selecting Enable, the default, or Disable. When Enable is selected, all Flash content from sites not blocked by the Flash URL blacklist are rendered on the user device. If Disable is selected, all Flash content is rendered on the server.
HDX MediaStream for Flash reports events to the Application log:
- The Source value is Flash.
- The Category value is None.
In addition to the Windows event log, on computers with Windows Server 2008 or Windows Server 2008 R2, an HDX MediaStream for Flash-specific log appears in the Applications and Services Logs node. If Windows Server 2003 is used, HDX MediaStream for Flash log information is only found in the Windows event log. Configure the Flash event logging setting by selecting Enable, the default, or Disable.
Consider the following when configuring the Flash server-side content fetching whitelist setting:
- Add the top-level .html page that instantiates the Flash Player to the whitelist, not the URL of the Flash application.
- Use an asterisk character at the beginning or end of the URL as a wildcard to expand your list. Use a trailing wildcard to allow all child URLs, for example http://www.sitetoallow.com/*.
- The prefixes http:// or https:// are used when present, but they are not required.
Configure the Flash server-side content fetching whitelist setting by clicking New to add new URLs to the whitelist.
Important: The Enable server-side content fetching setting on the user device must also be enabled for the Flash server-side content fetching whitelist on the server to work.
To block Web sites from working with HDX MediaStream for Flash
Block specified Web sites from playing on user devices with HDX MediaStream for Flash by adding the sites' URLs to a blacklist. Instead, the blocked Flash content plays on the server. Consider the following when configuring the Flash URL blacklist setting:
- Add the top-level .html page that instantiates the Flash Player to the blacklist, not the URL of the Flash application.
- Use an asterisk character at the beginning or end of the URL as a wildcard to expand your list. Use a trailing wildcard to block all child URLs, for example http://www.sitetoblock.com/*.
- The prefixes http:// and https:// are treated equally, so http://www.sitetoblock.com/ is treated the same as https://www.sitetoblock.com/.
- Add sites containing Flash content that does not render correctly on the user device to the blacklist.
Configure the Flash URL blacklist setting by clicking New to add new URLs to the blacklist.
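The whitelist and blacklist rules above (a leading or trailing asterisk as wildcard, http:// and https:// treated alike, an entry without a trailing wildcard covering only that exact page) are worked through below as an added example. It is not Citrix code and does not reproduce how XenApp itself compares URLs, which this page does not document; the case-insensitive comparison, the function names and the sample lists are this example's own assumptions. It also shows the two dependencies the page states: the blacklist only matters while Flash acceleration is enabled, and the server-side whitelist only takes effect when the user-device setting Enable server-side content fetching is also on.

```python
from typing import Iterable, Optional

# Added example (not Citrix code). Models the URL list rules stated on this
# page: a leading or trailing '*' is a wildcard, an http:// or https://
# prefix is accepted but ignored, and an entry without a trailing '*' covers
# only that exact page. How XenApp itself compares URLs is not documented
# here; case-insensitive comparison is this example's assumption.


def _strip_scheme(url: str) -> str:
    """Drop an http:// or https:// prefix and fold case so that
    http://www.sitetoblock.com/ and https://www.sitetoblock.com/ compare equal."""
    lowered = url.strip().lower()
    for prefix in ("http://", "https://"):
        if lowered.startswith(prefix):
            return lowered[len(prefix):]
    return lowered


def entry_matches(entry: str, url: str) -> bool:
    """True when a whitelist or blacklist entry covers the given page URL."""
    pattern = _strip_scheme(entry)
    target = _strip_scheme(url)
    leading = pattern.startswith("*")
    trailing = pattern.endswith("*")
    core = pattern.strip("*")
    if leading and trailing:
        return core in target
    if leading:
        return target.endswith(core)
    if trailing:           # trailing wildcard: the page and all child URLs
        return target.startswith(core)
    return target == core  # no wildcard: only this exact page


def first_match(entries: Iterable[str], url: str) -> Optional[str]:
    """Return the first entry that covers url, or None."""
    for entry in entries:
        if entry_matches(entry, url):
            return entry
    return None


def flash_render_location(page_url: str, blacklist: Iterable[str],
                          acceleration_enabled: bool = True) -> str:
    """Where Flash content on page_url is rendered under the Flash
    acceleration and Flash URL blacklist settings: 'client' or 'server'."""
    if not acceleration_enabled:
        return "server"
    return "server" if first_match(blacklist, page_url) else "client"


def server_side_fetch_allowed(page_url: str, whitelist: Iterable[str],
                              client_fetching_enabled: bool) -> bool:
    """The server whitelist only takes effect when the user-device setting
    'Enable server-side content fetching' is also enabled."""
    if not client_fetching_enabled:
        return False
    return first_match(whitelist, page_url) is not None


# Constructed sample lists for a local run (not from a real deployment).
SAMPLE_BLACKLIST = ["http://www.sitetoblock.com/*", "*.video.example.net/*"]
SAMPLE_WHITELIST = ["http://www.sitetoallow.com/*"]

if __name__ == "__main__":
    for url in ("https://www.sitetoblock.com/player.html",
                "http://cdn.video.example.net/embed.html",
                "http://www.example.com/index.html"):
        print(url, "->", flash_render_location(url, SAMPLE_BLACKLIST))
```

The exact-match branch is the practical caveat: an entry of http://www.sitetoblock.com/ without the trailing asterisk leaves http://www.sitetoblock.com/player.html unmatched, so child pages keep rendering on the user device unless the wildcard form is used.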
- Enable HDX MediaStream for Flash on the user device
- Enable synchronization of the client-side HTTP cookies with the server-side
- Enable server-side content fetching
For each of these settings, changes take effect as follows:
- Computer Configuration: Changes take effect as computers in the organizational unit restart.
- User Configuration: Users in the organizational unit must log off and then log on to the network.
Configuring Audio
You can configure audio through the Policies node of the Delivery Services Console. You control the settings for the audio features through the following Citrix User Policy settings:
- Audio quality
- Client audio redirection
- Client microphone redirection
- Audio redirection bandwidth limit
- Audio redirection bandwidth limit percent

The Audio quality setting has three levels:
- Low - for low speed connections. Audio playback consumes a maximum of 11 kbps of bandwidth. With both audio playback and recording, total bandwidth consumption is 22 kbps at maximum. Ideal for multimedia conferences when using low speed connections.
- Medium - optimized for speech. Audio playback consumes a maximum of 16.8 kbps of bandwidth. With both audio playback and recording, total bandwidth consumption is 33.6 kbps at maximum. Ideal for multimedia conferences.
- High - high definition audio. Audio playback consumes a maximum of 96 kbps of bandwidth. With both audio playback and recording, total bandwidth consumption is 166 kbps at maximum. Ideal for music and video playback.
Note: High definition increases bandwidth requirements by sending more audio data to user devices and increases server CPU utilization.
To disable speakers
You can allow users to receive audio from an application on a server through speakers or other sound devices, such as headphones, on their client devices. Client audio mapping can cause excessive load on the servers and the network. Configure the Client audio redirection setting by choosing Allowed, the default, or Prohibited. Important: When Client audio redirection is disabled, all audio functionality is disabled.
- Install Citrix Online Plug-in 12.0 for Windows on the user device.
- Install Microsoft Office Communications Server 2007 in the same environment as the computer running XenApp. This is not a published application.
Note: Best practice indicates installing Microsoft Office Communications Server 2007 on a different computer than XenApp.
- Publish Microsoft Office Communicator 2007 on your XenApp server.
- Ensure the user device has the appropriate hardware to produce sound.
- Assign one processor per user per session, whether physical or virtual devices are used for video conferencing.
- Use the web camera default settings.
- Enable the following three policy settings:
  - HDX MediaStream Multimedia Acceleration (see Configuring HDX MediaStream Multimedia Acceleration)
- Install drivers for web cameras on the user device. Where possible, use drivers obtained from the camera manufacturer rather than from a third party.
Note: Only one web camera is supported at a time. If a device has multiple web cameras attached, HDX RealTime tries the first camera found, continuing in succession until a connection is made.
Enterprise Management
This section of Citrix eDocs contains XenApp components and features that help you manage and maintain your servers and farms.
- Management Pack for System Center Operations Manager 2007
- Installation Manager
- Managing Providers and WMI
- The XenApp Provider that runs on Citrix servers
- The Licensing Provider that runs on license servers
- System events generated on Citrix servers

Key features and benefits of using the Management Pack in your XenApp deployment are:

State monitoring: The Management Pack monitors the overall state of your deployment, determining its availability and performance state at any given time by comparing real-time data collected from the Provider and the Licensing Provider against thresholds defined in the Management Pack. You can view this information at different levels, from the state of the deployment as a whole, right down to the state of individual servers.

Event management: The Management Pack captures a variety of events from servers and server farms. These events are collated and then presented through the Operations Manager Console, allowing an overall view of server operation.

Performance monitoring: You can use the Management Pack to monitor server performance. You can customize rules and create new ones to set thresholds for key performance attributes in the server farm.

Extensive knowledge base: The Management Pack includes an extensive product support knowledge base, including links to relevant Citrix Knowledge Center articles. Centralized access to information about managing servers allows you to quickly interpret events and troubleshoot problems.

Customizable monitors, rules, and alerts: Changes in state, such as raised events or breached thresholds, trigger rules and alerts to notify you of any state changes. You can configure the Management Pack to customize how it responds to state-changing events by modifying and extending the monitors and rules to meet the needs of your environment.
Important: Alerts relating to farm metric servers or summary database servers are not raised on servers running XenApp 5.

Citrix views: Citrix views are available in the Citrix Presentation Server folder. These views allow you to monitor events and alerts raised for servers and server farms, and to identify trends and performance issues occurring on servers and published applications.

Easy installation: The Management Pack consists of three files that are available on the installation media or for download from http://www.citrix.com/. To install the Management Pack, simply import these files into Operations Manager using the Operations Manager Console.

Sealed Management Pack: The Management Pack is packaged, versioned, and signed with a certificate. The certificate used to sign the Management Pack is provided by a publicly trusted Certificate Authority, verifying that the software was developed and produced by Citrix. Sealing the Management Pack means that you can import and customize the Management Pack and all your customizations are saved separately from the original pack. When you upgrade to a new version of the Management Pack, all your customizations are retained and included in the next version of the pack.

For further information about installing the XenApp Provider and the Licensing Provider, see Managing Providers and WMI.
The Management Pack discovers the following object classes (of the class names, only Citrix Zone, Citrix Zone Data Collector, Citrix Farm Metric Server, Citrix Managed Server, and Citrix Unsupported Server survived on this page):
- Represents a discovered XenApp deployment that can consist of multiple farms and zones.
- Represents a XenApp farm that can consist of multiple zones. A farm is monitored by a single farm metric server.
- Citrix Zone: Represents a zone that can consist of multiple Citrix managed servers. A zone is managed by a single zone data collector.
- Citrix Zone Data Collector: Represents a managed server performing the role of zone data collector.
- Citrix Farm Metric Server: Represents a managed server performing the role of farm metric server.
- Citrix Managed Server: Represents a server monitored by Operations Manager.
- Citrix Unsupported Server: Represents a server not monitored by Operations Manager. An unsupported server is not running a version of XenApp supported by the Management Pack, or is not running the XenApp Provider.
- Represents a server not monitored by Operations Manager. An unlicensed server is running the XenApp Provider, but is unlicensed or missing a valid license. Operations Manager checks the licenses on these servers hourly.
- Represents a server running Citrix Licensing.
- Represents a server running any XenApp component.
The monitors and rules are grouped according to the object to which they apply. You can configure these monitors and rules and create new ones; see your Operations Manager documentation for more information. Note: After you install the Management Pack, some Citrix views might be empty for a short time until the discovery script runs. By default, this script runs hourly.
- All Citrix Events: Displays all the events raised by XenApp components on managed servers.
- Active Alerts from Citrix Servers: Displays all unresolved alerts raised against managed servers by all management packs (not only the XenApp Management Pack).
- Active Citrix Alerts: Displays all unresolved alerts raised by the Management Pack.
- Citrix Farms: Displays the state of the XenApp farms in your deployment.
- Citrix Managed Servers: Displays the state of the XenApp managed servers in your deployment.
- Citrix Unlicensed Servers: Displays the state of the XenApp unlicensed servers in your deployment.
- Citrix Unsupported Servers: Displays the state of the XenApp unsupported servers in your deployment.
- Citrix Zones: Displays the state of the XenApp zones in your deployment.
- Farm Metric Servers: Displays the state of the farm metric servers in your deployment.
- Zone Data Collectors: Displays the state of the zone data collectors in your deployment.

State views display high-level state information about a XenApp component without detailing how and why changes of state occurred. You can investigate the reasons behind state changes by right-clicking a managed object in the Results pane of any view and selecting Show Health Explorer. The Health Explorer presents the detailed state of the selected object, displaying the state of each of its monitors on the left and a record of events that caused state changes on the right. The type of managed object you select determines which monitors appear in the Health Explorer. For example, if you select a farm or a farm metric server, the Health Explorer displays farm-wide alert monitors. Monitors are grouped by potential problem sources. For example, all printing issues are grouped together. Expanding the printing node allows you to see specific printing monitors, together with the history and causes of any state changes.
Viewing Citrix Presentation Server Topology Diagrams

The Citrix Presentation Server topology diagram is an Operations Manager diagram view that provides a hierarchical representation of a XenApp deployment, showing farms, zones, servers, license servers, and their relationships.

(Figure: a Citrix Presentation Server topology diagram view.)

The following table lists the XenApp-specific icons used in the topology view and their meanings:
- Server farm
- Server
- License server
- Zone

For each node, the diagram shows:
- The name of the farm, zone, or server. Zone names are prefixed by their farm names.
- The current alert state, propagated up the tree so that state changes are visible even when the view is collapsed.
- Whether a server is a zone data collector or a farm metric server, and the hosting server name.

Further details shown for a node:
- XenApp version number, including hotfixes where appropriate
- Role (zone data collector or farm metric server)
- The name of the license server the computer uses
- Logons enabled or disabled
- For zones, the number of servers in the zone
- For zone data collectors, the name of the zone being managed
- For farm metric servers, the name of the farm being monitored

Note: If you make changes to your deployment and move one or more servers from one zone to another zone, the topology diagram view may still show the moved servers in their original zone. Reimporting the Management Pack forces the topology view to refresh.
The health monitoring views for managed servers display:
- The number of active sessions on each managed server.
- The published application load from the Load Manager component. Note that this information is available only if you are using Load Manager in your server farm and you configured the application load level. In addition, you must also enable the Sample published application load from load balancing rule in MOM. See Sample Published Application Load for more information.
- The server load from the Load Manager component. Note that this information is available only if you are using Load Manager in your server farm.
- Active Citrix License Server Alerts: Displays all unresolved alerts raised against license servers by the Management Pack.
- License Servers: Displays the state of the license servers in your deployment.
- Pooled Licenses In Use: Displays the number of pooled licenses in use, as a percentage of the total number of pooled licenses.
Configuring and Enabling Site-specific Monitors

The following monitors are disabled by default because their acceptable values vary between sites:
- Defines an upper limit of disconnected XenApp sessions. The global default is 100 sessions. If this limit is exceeded, the alert warns you about possible performance problems. Note that this limit is used for all managed servers. This monitor is disabled by default because the acceptable number of disconnected sessions varies between sites.
- Runs a script that retrieves information from the XenApp Provider to determine if a XenApp session has been idle too long. If a session is idle too long, the script triggers an alert in response to the Operations Manager event. The alert signals problems with the session. Note that all sessions, including idle sessions, consume resources. Therefore, idle sessions might cause problems where server resources are limited. This monitor is disabled by default because the acceptable length of time for which a session should be idle varies among sites.
- Too Many Active Sessions: The number of active sessions on this server is high. Triggers an alert to signal that there are too many active sessions running on a server. This monitor is disabled by default because the number of active sessions depends on several variables, including the hardware and software in your deployment.
- Sample Published Application Load From Load Balancing: Enabling this monitor displays information in the Published Application Load From Load Balancing health monitoring view. Retrieves WMI information about the published application load from Load Manager. This monitor is disabled by default because this information is available only if you are using Load Manager in your server farm and if you configured the application load level.
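To make concrete what enabling these session monitors means, the following added example evaluates the three session checks described above (disconnected-session limit, idle-session check, active-session limit) against constructed session records. It is not the Management Pack's own script: the 100-session disconnected limit is the documented global default, while the idle and active limits are site-specific and therefore assumed values here, and all three monitors start disabled to mirror the page's defaults.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Added example (not the Management Pack's own script): evaluates the
# disconnected-session, idle-session and active-session monitors described
# above against constructed session records. The 100-session disconnected
# limit is the documented global default; the idle and active limits are
# site-specific, so the values here are assumptions, and all three monitors
# start disabled as the page says.


@dataclass
class Session:
    server: str
    state: str           # "Active" or "Disconnected"
    idle_minutes: int


@dataclass
class MonitorConfig:
    disconnected_limit: int = 100       # documented global default
    disconnected_enabled: bool = False
    idle_limit_minutes: int = 120       # assumption: site-specific
    idle_enabled: bool = False
    active_limit: int = 50              # assumption: site-specific
    active_enabled: bool = False


def evaluate_monitors(sessions: Iterable[Session], cfg: MonitorConfig) -> List[str]:
    """Return one alert string per breached, enabled monitor, per server."""
    states: Dict[str, Counter] = defaultdict(Counter)
    idle_hits: Counter = Counter()
    for s in sessions:
        states[s.server][s.state] += 1
        if s.idle_minutes > cfg.idle_limit_minutes:
            idle_hits[s.server] += 1

    alerts: List[str] = []
    for server in sorted(states):
        disconnected = states[server]["Disconnected"]
        active = states[server]["Active"]
        if cfg.disconnected_enabled and disconnected > cfg.disconnected_limit:
            alerts.append(f"{server}: too many disconnected sessions "
                          f"({disconnected} > {cfg.disconnected_limit})")
        if cfg.active_enabled and active > cfg.active_limit:
            alerts.append(f"{server}: too many active sessions "
                          f"({active} > {cfg.active_limit})")
        if cfg.idle_enabled and idle_hits[server]:
            alerts.append(f"{server}: {idle_hits[server]} session(s) idle longer "
                          f"than {cfg.idle_limit_minutes} minutes")
    return alerts


def sample_sessions() -> List[Session]:
    """Constructed data: XA01 has 101 disconnected and 10 active sessions,
    XA02 has two active sessions, one of them idle for 200 minutes."""
    sessions = [Session("XA01", "Disconnected", 30) for _ in range(101)]
    sessions += [Session("XA01", "Active", 0) for _ in range(10)]
    sessions += [Session("XA02", "Active", 200), Session("XA02", "Active", 5)]
    return sessions


if __name__ == "__main__":
    cfg = MonitorConfig(disconnected_enabled=True, idle_enabled=True,
                        active_enabled=True)
    for line in evaluate_monitors(sample_sessions(), cfg):
        print(line)
```

With the default configuration nothing is reported, which is the behaviour the page describes for a freshly imported pack; the alerts only appear once the monitors are switched on and the thresholds are set for the site.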
To open the Access Management Console or Delivery Services Console from the Operations Manager Console
If you installed the Access Management Console or Delivery Services Console (the name of the console depends on the version of XenApp you are using) on the Operations Manager server, you can start the console from the Operations Manager Console. You can start the Access Management Console or Delivery Services Console from any non-empty Citrix view.
Important: To start the Access Management Console or Delivery Services Console, the ASCLAUNCHPATH environment variable must be set to the path of the console; for example, C:\Program Files (x86)\Citrix\Citrix Delivery Services Console\Framework\CmiLaunch.exe.
1 Log on to the Operations Manager Console.
2 Perform one of the following:
- In the Actions pane, select Start Access Management Console.
- Right-click an object in the Results pane, and select Managed Citrix Presentation Server tasks > Start Access Management Console.
Installation Manager
Installation Manager is a XenApp feature you can use to distribute hotfixes, patches, and file/registry updates. You can also use Installation Manager to distribute simple applications, but Citrix recommends using application streaming or App-V to manage applications. Additionally, you can use XenApp Connector for Configuration Manager 2007 R2 to install and publish applications to XenApp servers. Use Installation Manager to:
- Schedule the installation of MSI or MSP packages on target XenApp servers. You can also specify an MST (transform) file to change parameters in the MSI package.
- Distribute XML files generated by Windows Task Scheduler to target XenApp servers.
- Automate server restarts after installing an application on a target XenApp server, making the application and the server ready for use. You can also notify users of upcoming operations such as a server restart.
- Associate a published application with a XenApp server.
- View task status to see if it ran successfully on target XenApp servers.
You can use Installation Manager through a Microsoft Management Console (MMC) snap-in, or by issuing custom Microsoft PowerShell cmdlets.
Target servers are the XenApp servers on which tasks are deployed. The task management computer and the file share can be on separate computers or on one of the target servers.

Installation Manager comprises two packages:
- Administration: Contains the core Installation Manager functionality. Install this package on the task management computer.
- Utilities: Contains the PowerShell cmdlets required for MSI or MSP installation on target servers. Install this package on the target servers.
Note: If you will not use Installation Manager to deploy MSI or MSP packages, you do not need to install the Utilities package on the target servers.
Platform Requirements
The task management computer (where you install the Administration package) can be a separate computer or one of the target servers.
Supported platforms:
- .NET Framework 3.5 SP1
- PowerShell 2.0 (on Vista platforms, PowerShell 1.0 is also supported)
- MMC 3.0
- XenApp 6 for Windows Server 2008 R2 must be installed on the Windows Server 2008 R2 platform if you want to publish applications using the management console, associate published applications with servers, or deploy existing published applications to target servers.

The target servers must be running Windows Server 2008 R2 and XenApp 6 for Windows Server 2008 R2. Each target server requires the following software (this software is required for XenApp installation, so it is likely to already be installed):

If you will be using Installation Manager to deploy MSI or MSP packages to target servers, you must install the Utilities package on each target server. There are no additional software requirements to install or use the Utilities package on the target servers.

The file share can be on any Windows Server 2003 or later platform. The file share can be on a separate computer, on the task management computer, or on a target server.
805
1. Save the Administration package (IMAdmin.msi for 32-bit systems or IMAdmin-x64.msi for 64-bit systems) to the task management computer. Save the Utilities package (IMUtilities-x64.msi) to each target server.
   Note: A target server requires the Utilities package only if you plan to schedule the installation of MSI or MSP packages on the target server.
2. Be sure all users are logged off the computers where you will install the Installation Manager packages. Close all applications, including the consoles.
3. On the task management computer, double-click the Administration package (IMAdmin.msi for 32-bit systems or IMAdmin-x64.msi for 64-bit systems) and follow the wizard instructions.
4. If you will be using Installation Manager to deploy MSI or MSP packages to the target server, on each target server, double-click the Utilities package (IMUtilities-x64.msi) and follow the wizard instructions.
5. In the MMC on the task management computer, use Add/Remove Snap-in to add the Installation Manager snap-in. When prompted for the Installation Manager shared folder, either type the path or click Browse and navigate to it.
Requirements and Installation

When you install the Utilities package on a target server, four Windows firewall rules are enabled (these rules are disabled by default). These rules allow access to the Task Scheduler and Event Log Management services using DCOM. The enabled rules are:

- Remote Scheduled Task Management (RPC and RPC-EPMAP)
- Remote Event Log Management (RPC and RPC-EPMAP)
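Because these rules open the Task Scheduler and Event Log RPC endpoints to any remote address once enabled, a defender usually wants to confirm their state on each target server and narrow them to the task management computer. The script below is an added example, not part of the Citrix documentation; it assumes the display names shown are the Windows built-in rule names for the two rule groups above, and $TaskMgmtIp is a placeholder.

```powershell
# Added example, not part of the Citrix documentation: report the state of the
# firewall rules that the Utilities package enables on a target server, and
# optionally narrow their remote scope to the task management computer.
# Assumptions: the display names below are the Windows built-in rule names that
# correspond to the two rule groups named above; $TaskMgmtIp is a placeholder.

$TaskMgmtIp = '192.0.2.10'   # placeholder: address of the task management computer

$RuleNames = @(
    'Remote Scheduled Tasks Management (RPC)',
    'Remote Scheduled Tasks Management (RPC-EPMAP)',
    'Remote Event Log Management (RPC)',
    'Remote Event Log Management (RPC-EPMAP)'
)

function Get-ImFirewallRuleState {
    param([string]$Name)
    # Windows Server 2008 R2 has no Get-NetFirewallRule cmdlet, so query netsh and
    # read the Enabled and RemoteIP lines. A rule present in more than one profile
    # is listed once per profile; the first entry is reported.
    $text = netsh advfirewall firewall show rule name="$Name" | Out-String
    if ($text -match 'No rules match') { return $null }
    $enabled  = 'unknown'
    $remoteIp = 'unknown'
    if ($text -match 'Enabled:\s+(\S+)')  { $enabled  = $Matches[1] }
    if ($text -match 'RemoteIP:\s+(\S+)') { $remoteIp = $Matches[1] }
    New-Object PSObject -Property @{ Name = $Name; Enabled = $enabled; RemoteIP = $remoteIp }
}

function Set-ImFirewallRuleScope {
    param([string]$Name, [string]$RemoteIp)
    # Restricts the rule so only the task management computer can reach the
    # Task Scheduler and Event Log RPC endpoints through it.
    netsh advfirewall firewall set rule name="$Name" new remoteip=$RemoteIp | Out-Null
}

# Report the current state. Rules the Utilities package enabled show Enabled: Yes
# with RemoteIP: Any unless they have already been scoped.
$RuleNames | ForEach-Object { Get-ImFirewallRuleState -Name $_ } |
    Format-Table Name, Enabled, RemoteIP -AutoSize

# Uncomment to scope every rule to the task management computer:
# $RuleNames | ForEach-Object { Set-ImFirewallRuleScope -Name $_ -RemoteIp $TaskMgmtIp }
```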
Using the Installation Manager Console

The Task pane lists tasks created using Installation Manager. This information is stored in the file share as IMTask.xml.

The Target pane displays the results on each target server of the task selected in the Task pane. This information is stored in subdirectories of the shared folder as ImTaskResult.xml. The display refreshes automatically every ten minutes. To manually refresh the display, click Refresh in the Actions pane.

The lower pane displays the PowerShell cmdlet equivalent of an action selected in the Actions pane. For example, if you select a task named InstallApp in the Task pane and a target server named srv2 in the Target pane, then click Refresh in the Actions pane, the lower pane displays:

    Get-IMTask -Name InstallApp -Targets srv2 -Log \\im\InstallApp\IMTaskResult.xml

- Schedule installation of an MSI or MSP package
- Schedule installation of a Task Scheduler file
- Schedule installation of a command-line task
- Associate published applications with servers
- Reschedule a task
- Remove a scheduled task

To schedule installation of an MSI or MSP package

1. Enter the name of the task. The task name must start with an alphabetic character. The name must be unique, unless you click Advanced and select Overwrite existing task definition in the Advanced Options dialog box. When you select this option, the task is updated with the new definition.
2. In the Target list, specify the target servers where you want to install this package. Click Servers to select from Active Directory or XenApp server folders, or enter a comma-delimited list of servers by DNS name.
3. In MSI/MSP file path, enter the location of the MSI or MSP package to be scheduled for installation. To include a transform file, specify its location in MST list. To make the MSI, MSP, and MST files available from a single shared folder accessible by all target servers, click Advanced and specify a Shared folder in the Advanced Options dialog box. Any selected MSI, MSP, and MST files will be copied to this folder, if not already present. Installation Manager assigns read permission from the target servers to the file share.
4. Enter the date and time to start the installation in Schedule date and time, or select Now to launch the task immediately.
5. Use Session Options to specify what happens to user sessions on the target servers during and after the installation process.

   Option | What happens when selected
   Disable session logon during installation process | Prevents users from logging on during the installation.
   Logoff existing sessions | Forces users to log off the server before launching the installation. You can specify how long to wait before users are logged off; you can also send a message to logged-on users that instructs them to save their work and log off.
   (option name not captured) | Restarts the server after installation. You can specify how long to wait after the installation completes to restart the server.

6. If Installation Manager fails to schedule a task on a server (for example, when a server is offline), it tries to reschedule the task. To specify how long Installation Manager will retry, and the interval between retries, click Advanced and specify Retry Interval values. (If you specify a retry time or retry interval, you must specify both values; otherwise, an error occurs.)

To schedule installation of MSI or MSP packages using a PowerShell cmdlet, see Create-IMMSITask.

To schedule installation of a Task Scheduler file

1. Enter the name of the task. The task name must start with an alphabetic character. The name must be unique, unless you click Advanced and select Overwrite existing task definition in the Advanced Options dialog box. When you select this option, the task is updated with the new definition.
2. Enter the location of the Task Scheduler file in Task XML file.
3. In the Target list, specify the target servers where you want to install this task. Click Servers to select from Active Directory or XenApp server folders, or enter a comma-delimited list of servers by DNS name.
4. If Installation Manager fails to schedule a task on a server (for example, when a server is offline), it tries to reschedule the task. To specify how long Installation Manager will retry, and the interval between retries, click Advanced and specify Retry Interval values. (If you specify a retry time or retry interval, you must specify both values; otherwise, an error occurs.)

To schedule installation of Task Scheduler files using a PowerShell cmdlet, see Create-IMTask.

To schedule installation of a command-line task

1. Enter the name of the task. The task name must start with an alphabetic character. The name must be unique, unless you click Advanced and select Overwrite existing task definition in the Advanced Options dialog box. When you select this option, the task is updated with the new definition.
2. In the Target list, specify the target servers where you want to install this task. Click Servers to select from Active Directory or XenApp server folders, or enter a comma-delimited list of servers by DNS name.
3. Enter the command, or the location of the command, you want to execute on the target servers. If you enter a path, the command must be available to execute on the target servers at the specified path, or it must be available in the profile PATH. To make a command available from a single shared folder accessible by all target servers, click Advanced and specify a Shared Folder in the Advanced Options dialog box.
4. Enter the date and time to start the installation in Schedule date and time, or select Now to launch the task immediately.
5. If Installation Manager fails to schedule a task on a server (for example, when a server is offline), it tries to reschedule the task. To specify how long Installation Manager will retry, and the interval between retries, click Advanced and specify Retry Interval values. (If you specify a retry time or retry interval, you must specify both values; otherwise, an error occurs.)
To reschedule a task

Rescheduling creates a copy of the task, so you can change its parameters. You can reschedule command-line tasks and MSI/MSP package deployments.

1. From the Installation Manager console, select a task in the Task pane and then click Reschedule in the Actions pane.
2. In the Reschedule CMD Task or Reschedule MSI Task dialog box, change field values as needed.
Using Installation Manager PowerShell Cmdlets

Cmdlet Summary

This reference assumes you are familiar with using PowerShell. The Installation Manager cmdlets support the standard PowerShell common parameters, such as -WhatIf. To import the Installation Manager PowerShell cmdlets, either:

- Type Add-PSSnapin IMAdmin at the PowerShell command prompt, or
- Import the cmdlets automatically by adding asnp IMAdmin to the PowerShell profile profile.ps1

This topic provides brief option descriptions. For complete cmdlet syntax, type Get-Help cmdlet-name at the PowerShell prompt.

Cmdlet | Description
Get-IMServer | Lists servers in a XenApp farm
Create-IMMSITask | Schedules installation of an MSI or MSP package
Create-IMTask | Schedules installation of a Task Scheduler file
Create-IMCMDTask | Schedules installation of a command-line task
Get-IMTask | Obtains success or failure status information about scheduled tasks
Remove-IMTask | Removes a scheduled task

Get-IMServer

Lists the servers in a specific XenApp farm. You can specify the following options:

Option | Description
-farm | IP address or DNS name of the MFCOM farm object. If this option is omitted, the local server is used.
-folder | Path to the server folder in the farm, in the format \folder1\folder2.

For example, the following cmdlet lists servers in the XenApp farm with a DNS name of XenAppFarmIN.

    Get-IMServer -farm XenAppFarmIN -folder Servers\TargetFolder
Create-IMMSITask

Schedules installation of an MSI or MSP package on target servers. You can specify the following options:

Option | Description
-name | (Required) Unique task name.
-msi | (Required) Path to the installation package. The file must be accessible by the task management computer. The cmdlet checks if this file exists; if it does not exist, an error is displayed.
-targets | (Required) Target servers where the package will be installed. Specify one of the following: a comma-delimited list of individual servers by DNS name, or an object containing Name attributes (as returned by the Get-IMServer cmdlet).
-mst | List of paths to MSI transform files. The files must be accessible by the task management computer. The cmdlet checks if each file exists; if it does not exist, an error is displayed.
-schedule | Date and time the installation task will run. Specify one of the following: a date in the format DD/MM/YYYY and the time in 24-hour format HH:MM:SS, enclosed in single or double quotes; or now to launch the task immediately.
-logoffSessions | Forces users to log off the server before launching the installation. (You can use the -message option to prompt users to save their work and log off.)
-disablelogon | Prevents users from logging on during the installation.
-reboot | Restarts the server after installation. (You can use the -timeout option to specify how long to wait after installation completes to restart the server, and the -message option to specify a message to be sent to connected sessions before the restart.)
-message | Sends a message to all connected sessions before a logoff or restart. This option is valid with the -logoffSessions and -reboot options.
-timeout | Specifies the number of minutes that connected sessions have until a server restart.
-update | Overwrites any existing task with the same task name. If this option is omitted and another task with the same name exists, the task fails.
-prepareUnc | Specifies a shared folder, in UNC format, that Installation Manager uses to transfer files to target servers. Installation Manager automatically copies the specified MSI, MSP, and transform (MST) files to this folder and assigns read permission from the target servers to the file share. You must have sufficient rights to set UNC permissions. The folder must be accessible by all specified target servers.
-log | Path to a file or XML object where the success or failure status of the installation on each target server is logged.
-retrytime | If a target server cannot be contacted, this option specifies how long (in seconds) Installation Manager will retry the installation task. If you specify a retry time, you must also specify a retry interval.
-retryinterval | If a target server cannot be contacted, this option specifies how often (in seconds) Installation Manager will retry the installation task. If you specify a retry interval, you must also specify a retry time.

For example, the following cmdlet distributes an MSI package (located at c:\localfolder\myapp.msi), using a transform (located at c:\localfolder\myapp_silent.mst), and a shared folder (\\fileserver\im), on the target servers XAWRK1, XAWRK2, and XAWRK3. The task will launch the first day of October 2010 at 11:50 p.m. Users will be alerted with a message before the installation begins. Users will not be able to log on during the installation, and the server will be restarted ten minutes after the installation completes. If a target server is busy, Installation Manager will retry every 10 seconds for a total of 60 seconds.

    Create-IMMSITask -name Installmyapp -targets XAWRK1,XAWRK2,XAWRK3 -msi c:\localfolder\myapp.msi -mst c:\localfolder\myapp_silent.mst -schedule '01/10/2010 23:50:00' -prepareUNC \\fileserver\im -retrytime 60 -retryinterval 10 -message "Please save your work and logoff. Server will reboot for maintenance." -timeout 10 -logoffsessions -reboot
Create-IMTask

Schedules installation of a Task Scheduler file. You should be familiar with using Task Scheduler. Use the Task Scheduler MMC to create the Task Scheduler file. Installation Manager passes the Task Scheduler file directly to Windows Task Scheduler; it is not transferred using the file share. You can specify the following options:

Option | Description
-name | (Required) Unique task name.
-task | (Required) Path to the XML file or PowerShell XML object to install. The XML schema must follow Task Scheduler 2.0 specifications.
-targets | (Required) Target servers where the file will be installed. Specify one of the following: a comma-delimited list of individual servers by DNS name, or an object containing Name attributes (as returned by the Get-IMServer cmdlet).
-update | Overwrites any existing task with the same task name. If this option is omitted and another task with the same name exists, the task fails.
-retrytime | If a target server cannot be contacted, this option specifies how long (in seconds) Installation Manager will retry the installation task. If you specify a retry time, you must also specify a retry interval.
-retryinterval | If a target server cannot be contacted, this option specifies how often (in seconds) Installation Manager will retry the installation task. If you specify a retry interval, you must also specify a retry time.
-log | Path to a file or XML object where the success or failure status of the installation on each target server is logged.

For example, the following cmdlet distributes a Windows Task Scheduler file (located at C:\task.xml) that runs a backup script (named Backuptask) on the target servers (XAWRK1, XAWRK2, and XAWRK3). If a target server is busy, Installation Manager will retry every 10 seconds for a total of 60 seconds. If a task with the same name already exists, its definition will be overwritten. Success/failure status of the installations will be logged to C:\log.xml.

    Create-IMTask -name Backuptask -targets XAWRK1,XAWRK2,XAWRK3 -task c:\task.xml -update -retrytime 60 -retryinterval 10 -log c:\log.xml
Create-IMCMDTask

Schedules installation of a command-line task. You can specify the following options:

Option | Description
-name | (Required) Unique task name.
-command | (Required) Command-line operation to run on the target servers.
-targets | (Required) Target servers where the package will be installed. Specify one of the following: a comma-delimited list of individual servers by DNS name, or an object containing Name attributes (as returned by the Get-IMServer cmdlet).
-schedule | Date and time the installation task will run. Specify one of the following: a date in the format DD/MM/YYYY and the time in 24-hour format HH:MM:SS, enclosed in single or double quotes; or now to launch the task immediately.
-update | Overwrites any existing task with the same task name. If this option is omitted and another task with the same name exists, the task fails.
-prepareUnc | Specifies a shared folder, in UNC format, that Installation Manager can use to transfer files to target servers. Installation Manager automatically transfers files to this folder and updates the folder's ACL to ensure all servers have read access to it. You must have sufficient rights to set UNC permissions.
-retrytime | If a target server cannot be contacted, this option specifies how long (in seconds) Installation Manager will retry the installation task. If you specify a retry time, you must also specify a retry interval.
-retryinterval | If a target server cannot be contacted, this option specifies how often (in seconds) Installation Manager will retry the installation task. If you specify a retry interval, you must also specify a retry time.
-log | Path to a file or XML object where the success or failure status of the installation on each target server is logged.

For example, the following cmdlet schedules installation of a task (named Installnotepad) using the command-line notepad.exe, on target servers XAWRK1, XAWRK2, and XAWRK3. If a target server is busy, Installation Manager will retry every 10 seconds for a total of 60 seconds. If a task with the same name already exists, its definition will be overwritten. Success/failure status of the installations will be logged to C:\log.xml.

    Create-IMCMDTask -name Installnotepad -command notepad.exe -targets XAWRK1,XAWRK2,XAWRK3 -update -retrytime 60 -retryinterval 10 -log C:\log.xml
Get-IMTask

Obtains success or failure status about scheduled task installations. You can specify the following options:

Option | Description
-targets | (Required) Target servers for which you want task installation information. Specify one of the following: a comma-delimited list of individual servers by DNS name, or an object containing Name attributes (as returned by the Get-IMServer cmdlet).
-name | Task name.
(option name not captured) | Starting date of the interval for which you want status.
(option name not captured) | End date of the interval for which you want status.
-log | XML path of the log file. If this option is omitted, the status is displayed in the PowerShell console.

For example, the following cmdlet displays status in the PowerShell console about the installation of the task named Installnotepad on target servers XAWRK1 and XAWRK2.

    Get-IMTask -targets XAWRK1,XAWRK2 -name Installnotepad
Remove-IMTask

Removes a task scheduled on target servers. You can specify the following options:

Option | Description
-targets | (Required) Target servers on which you want to remove a scheduled task. Specify one of the following: a comma-delimited list of individual servers by DNS name, or an object containing Name attributes (as returned by the Get-IMServer cmdlet).
-name | (Required) Task name.
-retrytime | If a target server cannot be contacted, this option specifies how long (in seconds) Installation Manager will retry the task removal. If you specify a retry time, you must also specify a retry interval.
-retryinterval | If a target server cannot be contacted, this option specifies how often (in seconds) Installation Manager will retry the task removal. If you specify a retry interval, you must also specify a retry time.
-log | Path to a file or XML object where the success or failure status of the task removal on each target server is logged.

For example, the following cmdlet removes the task named Installnotepad from target servers XAWRK1 and XAWRK2. If a target server is busy, Installation Manager will retry every 10 seconds for a total of 60 seconds. Success/failure status of the task removal will be displayed in the PowerShell console.

    Remove-IMTask -targets XAWRK1,XAWRK2 -name Installnotepad -retrytime 60 -retryinterval 10
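The cmdlets above only report some mistakes after they have started work (a missing MSI, an unpaired retry option, a task name that does not start with a letter, a date in the wrong format), so a deployment script benefits from checking those constraints first and from taking its target list from Get-IMServer rather than a typed list. The script below is an added example, not part of the Citrix documentation: the cmdlets and parameters are the documented ones, while the farm, folder, share, file paths, task name and schedule are placeholders.

```powershell
# Added example, not part of the Citrix documentation: schedule an MSI deployment
# to the servers in a farm folder after checking the constraints the cmdlet
# reference states, then read the task status. Farm, folder, share, file paths,
# task name and schedule are placeholders; cmdlets and parameters are the
# documented ones.
Add-PSSnapin IMAdmin

$Farm     = 'XenAppFarmIN'
$Folder   = 'Servers\TargetFolder'
$Share    = '\\fileserver\im'                # shared folder readable by every target
$Msi      = 'c:\localfolder\myapp.msi'       # must be readable from the task management computer
$Mst      = 'c:\localfolder\myapp_silent.mst'
$TaskName = 'Installmyapp'
$When     = '15/10/2010 22:00:00'            # DD/MM/YYYY HH:MM:SS, or 'now'
$Retry    = @{ retrytime = 60; retryinterval = 10 }   # both or neither

function Test-ImMsiTaskInput {
    param([string]$Name, [string[]]$Files, [string]$Schedule, [hashtable]$RetryOptions)
    # Returns the problems found so the caller can stop before anything is scheduled.
    $issues = @()
    if ($Name -notmatch '^[A-Za-z]') {
        $issues += "Task name '$Name' must start with an alphabetic character."
    }
    foreach ($f in $Files) {
        if (-not (Test-Path -LiteralPath $f)) { $issues += "File not readable from this computer: $f" }
    }
    if ($Schedule -ne 'now' -and $Schedule -notmatch '^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$') {
        $issues += "Schedule '$Schedule' is neither 'now' nor DD/MM/YYYY HH:MM:SS."
    }
    # -retrytime and -retryinterval are only valid as a pair; the cmdlet errors otherwise.
    $hasTime     = $RetryOptions.ContainsKey('retrytime')
    $hasInterval = $RetryOptions.ContainsKey('retryinterval')
    if ($hasTime -ne $hasInterval) { $issues += 'Specify both retrytime and retryinterval, or neither.' }
    return $issues
}

$problems = Test-ImMsiTaskInput -Name $TaskName -Files @($Msi, $Mst) -Schedule $When -RetryOptions $Retry
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    return
}

# Get-IMServer output carries Name attributes, which -targets accepts directly.
$targets = Get-IMServer -farm $Farm -folder $Folder
if (-not $targets) { Write-Warning "No servers found in folder $Folder of farm $Farm"; return }

Create-IMMSITask -name $TaskName -targets $targets -msi $Msi -mst $Mst `
    -schedule $When -prepareUnc $Share @Retry `
    -disablelogon -logoffSessions -reboot -timeout 10 `
    -message 'Please save your work and log off. The server will restart for maintenance.' `
    -log "$Share\${TaskName}-result.xml"

# Status per target server (SCHEDULED, EXECUTING, SUCCESS, FAILURE and so on,
# as listed in the messages reference); adding -log writes it to a file instead.
Get-IMTask -targets $targets -name $TaskName
```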
Installation Manager Messages Reference

IMAdmin IMUtilities
Generally, a positive value indicates a successful condition or provides general information. A negative value usually indicates an error condition. The numbers in the following tables are organized by the absolute value of the initial digit, then by remaining digits.
Administration Messages

Number | String | Trigger or Condition
0 | SUCCESS | The task ran successfully.
1 | SCHEDULED | The task is scheduled in the Task Scheduler.
-1 | FAILURE | The task failed to register or execute.
-100 | A connection to the server could not be established. | The server may not be physically connected.
-101 | Invalid farm argument. Specify a valid server address. | The specified farm name may either be syntactically wrong or may not exist.
103 | This Citrix XenApp PowerShell snap-in contains cmdlets used to perform remote management operations in your XenApp environments. |
-104 | Invalid arguments. Specify either "match" or "like" arguments, not both. | Specify either Match or Like for filtering servers.
-105 | XenApp SDK is not installed or Check DCOM Settings | DCOM settings in the client computer are either missing or incorrect.
-106 | The folder specified {0} does not exist. Specify a valid folder name in the format Servers/folder1/folder2. |
-107 | Access denied while enumerating Servers/Folders in farm. | The administrator is not a Citrix Administrator.
2 | EXECUTING | The task is running.
-205 | Server is unreachable. Check network connections. | The task cannot register itself with the Task Scheduler.
-207 | You do not have permission to access the target server. You must be a local Administrator on that server. | The application cannot register a task because the logon credentials are not valid.
-211 | Invalid Task XML format. Document contains invalid tags. | The task XML document does not comply with the Task Scheduler 2.0 standard schema.
-212 | Unable to write Log file {0}. check that the path exists and that you have write permissions to it. | The application cannot create the log file because it does not have write permission for the specified path.
-214 | Unable to read Task file {0} check that the file exists and that you have read permissions to it. | The task file is not at the specified location or cannot be accessed due to incorrect permissions.
-216 | Specify the interval time in seconds for the Retry parameter. | A negative value was specified for the retry interval time.
-219 | This task name already exists on the target server. Enter a unique task name. | The specified task name already exists.
-220 | Network path {0} is unreachable. Check network connections. |
-221 | Invalid Task XML format. Cannot find "action" tag. | The task XML file does not contain the mandatory <actions> tag.
-222 | You do not have permission to schedule a task. You must be a local Administrator on the target server. | Insufficient permissions exist to access the target task scheduler.
-223 | Invalid Task XML format. The "command" tag contains invalid data. | The task XML file does not contain the mandatory <command> tag.
-224 | Invalid Task XML format. The "command" tag is not well-formed. | The task XML <command> tag formation is not valid.
-226 | The filename, directory name, or volume label syntax is incorrect for path {0} | The specified task name is in an invalid format.
(number not captured) | Invalid Task XML format. | The Task Scheduler cannot recognize the XML format.
(number not captured) | Task successfully registered. | The task registered successfully in the Task Scheduler.
(number not captured) | Invalid task name. | The specified task name does not start with an alphabetical character.
(number not captured) | Invalid target argument. Specify a valid server address. | The specified server IP address is not valid.
(number not captured) | Task successfully updated. | The existing task in the Task Scheduler updated successfully.
(number not captured) | Missing retrytime argument. It is mandatory if retryinterval is provided. | A retry interval value was specified without a retry time value.
(number not captured) | Missing retryinterval argument. It is mandatory if retrytime is provided. | A retry time value was specified without a retry interval value.
3 | SCHEDULE_PENDING | The task is not yet registered in the Task Scheduler.
-300 | Use the following date and 24-hour time format: DD/MM/YYYY HH:MM:SS. | The time and date specified for the schedule option are not in the required format.
-301 | Unable to prepare UNC path {0}. Check your credentials. | Access was denied to the PrepareUNC path due to insufficient permission.

The number -242 also belongs to one of the rows marked "number not captured" above; the page does not show which.
-302 | Invalid command argument. Specify a valid command-line operation. | A cmdlet option was incorrectly specified.
-303 | Failed to assign read permissions of computer {0} to the path {1}. Ensure the path and computer name are correct, and that you have sufficient access rights to the path. |
4 | CANCELLED | The running task was stopped.
-400 | Specify a reboot timeout period in minutes for the Reboot-Timeout parameter. | The timeout value specified is not an integer.
-404 | Unable to read MSI file {0}. Check that the file exists and that you have read permissions to it. | Access was denied to the MSI file due to insufficient permission.
-405 | Unable to read MST file {0}. Check that the file exists and that you have read permissions to it. | Access was denied to the transform (MST) file due to insufficient permission.
5 | CANCEL_PENDING | The task running is being stopped.
501 | Task successfully removed. | The task was successfully removed from the Task Scheduler.
6 | REMOVED | The task was removed from the Task Scheduler.
-600 | Unable to connect to Event Log of the target server. You must be a member of "Event Log Readers" group in the target server. |
(number not captured) | Task not found. | The task is not found in the target server's Task Scheduler.
(number not captured) | Task was scheduled. | The task is scheduled to run on the target server.
(number not captured) | Task is running... | The task is running on the target server.
(number not captured) | Scheduling... | The task is not yet registered.
(number not captured) | Task was cancelled. | The running task has been stopped.
(number not captured) | Canceling task... | The task running is being stopped.
(number not captured) | Task failed. | The task failed to execute.
(number not captured) | Task Failed. Verify if IM Utilities is installed at target server. | The Utilities package is not installed on the target server.
(number not captured) | COM error while scheduling task in target system : {0} | A COM exception occurred while scheduling a task in the Task Scheduler on the target server.
-802 | Generic error while scheduling task in target system :{0} | An exception occurred while scheduling a task in the Task Scheduler on the target server.
-803 | COM error while retrieving task information from target system :{0} | A COM exception occurred while retrieving task information from the Task Scheduler on the target server.
-804 | COM error while removing task form target system :{0} | A COM exception occurred while removing a task from the Task Scheduler on the target server.
-805 | Generic error while removing task from target system :{0} | An exception occurred while removing a task from the Task Scheduler on the target server.
-901 | MFCOM is not registered on the system. Use the MFREG tool to register the server. |
Utilities Messages

The following messages may be generated if you installed the Utilities package on the target servers, which is required if you are scheduling MSI or MSP packages for installation on the target servers.

Number | String | Trigger or Condition
-105 | XenApp SDK is not installed or Check DCOM Settings | DCOM settings in the client computer are either missing or incorrect.
-226 | The filename, directory name, or volume label syntax is incorrect for path {0} |
-700 | Installation failed: {0} |
-701 | Unable to read Installation files using system credentials. Ensure "Everyone" has read permission to the share and "Advanced:Shared Folder" parameter contains the UNC path where the file is located. |
-702 | Unable to connect to the XenApp farm. Specify only XenApp servers when using publish-app or disable-logon parameters. |
-703 | Unable to add server to published application. The installation was successful, use Delivery Services Console to add the server to the published application object. |
705 | Published Application name is already existed. |
-709 | Terminal Server role is not enabled. Reboot and logoff parameters are only available for Terminal Server targets. | Target server does not have Terminal Services enabled.
-710 | Unable to send message to connected sessions. Operation was canceled. | Error sending Terminal Services messages.
-711 | Unable to reboot server. The installation was successful otherwise, reboot the server manually to complete the operation. | Error restarting Terminal Services target.
712 | This Citrix XenApp PowerShell snap-in contains cmdlets used to perform installations on XenApp servers. |
(number not captured) | Incorrect number of parameters to MSIScriptlet.ps1 | Not all parameters were passed to the scriptlet file.
(number not captured) | Missing MSI file path argument. | The MSI file option is required.
(number not captured) | Success. | The MSI installed successfully.
(number not captured) | Missing task name argument. | The task name option is required.
(number not captured) | Success. System will reboot. | The task ran successfully and the server will restart to complete the installation.
(number not captured) | Unable to write event to Windows Event Log. | An error occurred when writing to Event Logger.
WMI Provider. Acts as an intermediary between the CIM (Common Information Model) Object Manager and the system being managed. The purpose of a WMI provider is to extract management information from the underlying system and present this to a WMI consumer.

The CIM Object Manager (CIMOM). Acts as a broker between the WMI providers and consumers. When a WMI consumer requests information, CIMOM identifies the WMI provider that can supply the information, obtains the information, and passes it to the consumer. CIMOM has its own repository in which it stores the data supplied to consumers. The Managed Object Format (MOF) files are also stored in the CIMOM repository. A MOF file defines the schema, which is the data that a WMI provider can supply and the methods it can execute in response to WMI requests.

WMI Consumer. A management tool such as Microsoft Operations Manager (MOM), an MMC snap-in such as the Citrix Access Management Console or Delivery Services Console, or a third party application.

Depending on which version of XenApp you have installed, Citrix XenApp Management Pack for MOM 2005, or Citrix XenApp Management Pack for System Center Operations Manager 2007 and Citrix XenApp Management Pack for System Center Operations Manager 2007 SP1, are included with your product.
- The executable file for CitrixWMIService (ctxwmisvc.exe)
- Provider DLLs
- Various .fom files
- Managed Object Format files (.mof files)
Security Considerations
To display information about XenApp computers and server farms using a WMI consumer, access to the Root\Citrix namespace in the WMI configuration is required. The appropriate Citrix administration rights to display information about servers and server farms are also required. If you delegate areas of XenApp administration and server farm management to Citrix administrators, these administrators can monitor and control only the specific administration tasks for which they have permissions. For example, if a Citrix administrator can manage only published applications, only information about published applications is available to them from the XenApp Provider.
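Because namespace access is the first gate in front of the XenApp Provider, it is worth knowing which principals hold it. The script below is an added example, not part of the Citrix documentation: it reads the DACL of the Root\Citrix namespace through the standard __SystemSecurity class and decodes the WMI access-mask bits; $ComputerName is a placeholder and the namespace is assumed to exist on that server.

```powershell
# Added example, not part of the Citrix documentation: list who holds rights on
# the Root\Citrix WMI namespace on a XenApp server. Assumes the namespace exists
# on the server; $ComputerName is a placeholder.
$ComputerName = 'XAWRK1'
$Namespace    = 'root\Citrix'

# WMI namespace access-mask bits (the values WMI Control shows as permissions).
$AccessBits = @{
    0x00001 = 'Enable Account'
    0x00002 = 'Execute Methods'
    0x00004 = 'Full Write'
    0x00008 = 'Partial Write'
    0x00010 = 'Provider Write'
    0x00020 = 'Remote Enable'
    0x20000 = 'Read Security'
    0x40000 = 'Edit Security'
}

function Get-WmiNamespaceAccess {
    param([string]$Computer, [string]$Ns)
    # Every namespace exposes a __SystemSecurity instance; GetSecurityDescriptor
    # returns its DACL as Win32_ACE entries.
    $sec    = Get-WmiObject -ComputerName $Computer -Namespace $Ns -Class __SystemSecurity
    $result = $sec.GetSecurityDescriptor()
    if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($result.ReturnValue)" }
    foreach ($ace in $result.Descriptor.DACL) {
        $rights = @()
        foreach ($bit in ($AccessBits.Keys | Sort-Object)) {
            if (($ace.AccessMask -band $bit) -ne 0) { $rights += $AccessBits[$bit] }
        }
        $who = $ace.Trustee.Name
        if ($ace.Trustee.Domain) { $who = "$($ace.Trustee.Domain)\$who" }
        $type = 'Deny'
        if ($ace.AceType -eq 0) { $type = 'Allow' }
        New-Object PSObject -Property @{
            Trustee   = $who
            Type      = $type
            Rights    = ($rights -join ', ')
            Inherited = [bool]($ace.AceFlags -band 0x10)
        }
    }
}

$acl = Get-WmiNamespaceAccess -Computer $ComputerName -Ns $Namespace
$acl | Format-Table Trustee, Type, Rights, Inherited -AutoSize

# Entries worth a second look: Allow ACEs that grant Remote Enable to very broad
# groups let any domain account query farm data through the provider.
$acl | Where-Object {
    $_.Type -eq 'Allow' -and $_.Rights -match 'Remote Enable' -and
    $_.Trustee -match 'Everyone|Authenticated Users'
}
```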
WMI Schema
This section contains diagrams of the WMI schemas for the XenApp Provider and Licensing Provider. The schema is the data that a WMI provider can supply and the methods it can execute in response to WMI requests. The following schema are shown:
q
Note: These diagrams represent typical WMI schemas, rather than providing a comprehensive list of all the data returned by the Providers. For more information about the data the XenApp Provider can supply, see the Citrix .mof files in the \WMI folder (for example: C:\Program Files\Citrix\System32\Citrix\WMI). For more information about the data the Licensing Provider can supply, see the Citrix .mof file in the \LicWMI folder (for example: C:\Program Files\Citrix\Licensing\LicWMI).
Load Management
You can set up, manage, and monitor server and published application loads in a server farm so that users can run the published applications they need quickly and efficiently. XenApp calculates the load on a server using load evaluators and rules. Each load evaluator contains one or more rules. Each rule defines an operational range for the server or published application to which its evaluator is assigned.
When a client user selects a published application to run, the client contacts the server farm to locate the address of a server that hosts the published application. XenApp maintains a list of available host servers within the server farm. Upon receiving the client's request, XenApp selects the server with the lowest load and returns its address to the client. The client starts a session on that server and launches the published application.
XenApp calculates a server load using the load evaluators attached to a server or published application. When any rule for any relevant load evaluator reports full load or exceeds its threshold, XenApp removes the load-managed server from the internal list of available servers. The next request for an ICA connection to a published application is routed to the next available load-managed server in the list.
Every server running XenApp is included in the load calculation regardless of the network protocol unless the server reports full load. If a server reports full load, it is no longer available for load management until its load is reduced (for example, users log off from the server or server processes consume less CPU time). After the load is reduced, the server is added automatically to the list. Servers are continuously added to and removed from the list as server load and user activity fluctuate.
Default. XenApp attaches the Default load evaluator to each server after you add your license to the server farm. It contains two rules: Server User, which reports a full load when 100 users log on to the attached server; and Load Throttling, which specifies the impact that logging on has on load and limits the number of concurrent connection attempts the server is expected to handle.
Advanced. This load evaluator contains the CPU Utilization Load, Memory Usage, Page Swaps, and Load Throttling rules.
Important: You cannot delete the Citrix-provided Advanced or Default load evaluators.
You can create new load evaluators based on the rules available.
Important: Each server or published application can have only one load evaluator attached to it. You can attach one load evaluator to a server and one load evaluator to each published application on the same server. For example, you can keep the Default load evaluator attached to your server and attach another load evaluator to each of your published applications on that server.
When you select the Load Evaluators node in the left pane of the Delivery Services Console, the following tabs are displayed:
Load Evaluators displays all the load evaluators created for the farm in a list. Beneath this list, the Current Settings tab displays at a glance the state of all the available load evaluator rules.
Usage by Application displays the load evaluators that are attached to the farm's published applications.
Usage by Server displays the load evaluators that are attached to each server in the farm.
View the load evaluator properties
Make your changes to the load evaluator properties
List of Load Management Rules
Load Throttling. Limits the number of concurrent connection attempts that a server handles. This prevents the server from failing when many users try to connect to it simultaneously. The default setting (High impact) assumes that logons affect server load significantly. This rule affects only the initial logon period, not the main part of a session. The Load Throttling rule can be applied only to a server, not to an individual application.
Memory Usage. Defines a range of memory usage by a server. The default full load value is 90. The default no load value is 10; at that value this rule is ignored. This rule uses the Memory: % Committed Bytes in Use performance counter to determine load.
Page Fault. Defines a range of page faults per second for a selected server. A page fault occurs when the operating system tries to access data that was moved from physical memory to disk. The default full load value is 2000. The default no load value is 0; at that value this rule is ignored. This rule uses the Memory: Page Faults/sec performance counter to determine load.
Page Swaps. Defines a range of page swaps per second for a selected server. A page swap occurs when the operating system moves data between physical memory and the swap file. The default full load value is 100. The default no load value is 0; at that value this rule is ignored. This rule uses the Memory: Pages/sec performance counter to determine load.
Scheduling. Schedules the availability of selected servers or published applications. This rule sets the weekly days and hours during which the server or published application is available to users and can be load managed.
Server User Load. Limits the number of users allowed to connect to a selected server. The default full load value is 100 and represents the maximum number of users the system can support on a server. Load Manager user loads are calculated using active ICA sessions only.
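The following is an added example (not Citrix code) that models how the counter-based rules above turn sampled performance counters into a server load and how a server reporting full load drops out of the available list. It assumes a linear ramp between a rule's no-load and full-load values, a no-load value of 0 for Server User Load, and constructed counter samples; the page only defines the thresholds.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One Load Management rule: an operational range on a performance counter."""
    name: str
    counter: str
    no_load: float
    full_load: float


# Default no-load / full-load values from the rule list above. Server User Load
# has no no-load value on the page; 0 is an assumption.
MEMORY_USAGE = Rule("Memory Usage", "Memory: % Committed Bytes in Use", 10, 90)
PAGE_FAULT = Rule("Page Fault", "Memory: Page Faults/sec", 0, 2000)
PAGE_SWAPS = Rule("Page Swaps", "Memory: Pages/sec", 0, 100)
SERVER_USER_LOAD = Rule("Server User Load", "Active ICA sessions", 0, 100)


def rule_load(rule, value):
    """Load reported by one rule as a fraction 0.0..1.0 (1.0 = full load).
    At or below the no-load value the rule is ignored (0.0). The linear ramp
    in between is an assumption; the page only defines the two thresholds."""
    if value >= rule.full_load:
        return 1.0
    if value <= rule.no_load:
        return 0.0
    return (value - rule.no_load) / (rule.full_load - rule.no_load)


@dataclass(frozen=True)
class LoadEvaluator:
    name: str
    rules: tuple


# Counter-based rules of the two Citrix-provided evaluators. Load Throttling and
# CPU Utilization Load are omitted because no counter for them is given above.
DEFAULT = LoadEvaluator("Default", (SERVER_USER_LOAD,))
ADVANCED = LoadEvaluator("Advanced", (MEMORY_USAGE, PAGE_SWAPS))


def server_load(evaluator, counters):
    """A server's load is its worst rule: any rule at full load makes the server full."""
    return max(rule_load(r, counters[r.counter]) for r in evaluator.rules)


def select_server(farm):
    """farm: {server_name: (evaluator, sampled_counters)}.
    Servers reporting full load are dropped from the available list; the
    lowest-loaded remaining server is returned, or None if all are full."""
    available = {}
    for name, (evaluator, counters) in farm.items():
        load = server_load(evaluator, counters)
        if load < 1.0:  # full load -> removed from the available list
            available[name] = load
    if not available:
        return None
    return min(available, key=available.get)


# Constructed sample farm; counter values are made up for the example.
SAMPLE_FARM = {
    "XA01": (ADVANCED, {"Memory: % Committed Bytes in Use": 50, "Memory: Pages/sec": 20}),
    "XA02": (ADVANCED, {"Memory: % Committed Bytes in Use": 95, "Memory: Pages/sec": 5}),
    "XA03": (DEFAULT, {"Active ICA sessions": 30}),
}

if __name__ == "__main__":
    for name, (ev, ctr) in SAMPLE_FARM.items():
        print(f"{name}: {ev.name} load={server_load(ev, ctr):.2f}")
    print("next ICA connection goes to:", select_server(SAMPLE_FARM))
```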
Monitoring
Use Power and Capacity Management to observe and record utilization and capacity levels. Console monitoring and report generation provide valuable information, regardless of whether or not you enable power management and load consolidation.
Power and Capacity Management System Components
Concentrator. The concentrator is a Windows service and the central component of the Power and Capacity Management system. The concentrator coordinates system states and operations for the managed XenApp servers. You can have one or two concentrators; if you have two and one fails, the other assumes control.
Database. The database component is an instance of a Microsoft SQL Server database. It provides the common store for information such as managed server inventory, workload assignments, schedules, metric data, and configuration settings.
Reporting. Power and Capacity Management reports are hosted on Microsoft SQL Server Reporting Services. The administrator generates reports for historical system loads, capacities, and utilization summaries.
Management Console. The management console is a Microsoft Management Console (MMC) snap-in you use to manage, monitor, and configure the Power and Capacity Management system.
Agent. The agent is a Windows service installed on each XenApp server. The agent reports capacity and system states, and acts on operations and commands issued by the concentrator.
The concentrator, database, reporting, and management console components are referred to as administration components.
Setpoints
A setpoint defines either a target capacity level (number of sessions) or a target number of online servers. You specify setpoints for each workload. Power and Capacity Management uses four setpoints: online session reserve, minimum session capacity, maximum session capacity, and minimum available servers.
The power controller, which powers servers on and off, uses all four setpoints. The load consolidator, which controls the load on online servers by enabling and disabling logons, uses only the minimum available servers setpoint. The load consolidator also uses a secondary optimal load value, which specifies how close to capacity a server can get before additional load should be directed to other servers.
Setpoint Descriptions
Online session reserve
The online session reserve setpoint specifies the amount of online but unused capacity that must be maintained above the current load. As the load ebbs and flows throughout the day, the system maintains this buffer; this is termed a load following model. In practice, Power and Capacity Management powers on the smallest number of servers that can hold the target online capacity.
Minimum session capacity and maximum session capacity
The minimum and maximum session capacity setpoints work as guards for the online session reserve. The online session reserve setpoint can raise and lower the online capacity, as long as it remains between the two guards.
The minimum session capacity setpoint causes servers to be powered up until the system has at least the amount of online capacity to meet or exceed the setpoint. After this setpoint is met or exceeded, the minimum session capacity has no effect; if the online session reserve setpoint drives online capacity above the minimum session capacity setpoint value, Power and Capacity Management ignores the minimum session capacity setpoint.
The maximum session capacity setpoint functions similarly to minimum session capacity; however, it causes servers to be powered off until the online capacity is at or below the setpoint. Although the maximum session capacity setpoint is used less frequently, it can be helpful when preparing for system maintenance. After online capacity is below the setpoint value, this setpoint has no effect.
Minimum available servers
The minimum available servers setpoint works on a per-server basis (the other three setpoints are capacity based). Use this setpoint to ensure a minimum level of service availability, in terms of servers. This can be helpful in handling:
Logon rates: Logging on new sessions can quickly increase server load to the point where existing sessions are degraded or new logons take significantly longer to complete. In such cases, using this setpoint can ensure you have a sufficient number of servers online to load balance the logon load.
The power controller attempts to keep this many servers online, while the load consolidator attempts to keep this number of servers available to accept new sessions. You usually increase this setpoint just before and throughout the morning rush to ensure sufficient available servers for the high rate of incoming sessions. If you do not increase this setpoint for the morning rush, the capacity setpoints may ensure there are enough servers online to host the expected load, but the load consolidator may keep too many servers disabled. Therefore, the servers that are enabled may become overloaded while new sessions are logging on.
Default Setpoints
A new workload has default setpoint values that place the workload in the most available configuration: all managed servers are online. Thus, a newly discovered workload cannot be power controlled until you define appropriate setpoints for it (and enable power management).
Setpoint: Default
Online session reserve: Infinite; all servers are kept online. The management console displays this value as an infinity symbol.
Minimum session capacity: Zero, which is equivalent to unset.
Maximum session capacity: Infinite, which is equivalent to unset; the management console displays this value as an infinity symbol.
Minimum available servers: Zero, which is equivalent to unset.
You specify setpoints in a workload schedule. Set the secondary optimal load value in global configuration settings.
Setpoint Priorities
The system attempts to meet the online session reserve setpoint first. It then bounds the output using the minimum and maximum session capacity setpoints. Finally, the system checks and ensures that the resulting number of online servers meets the minimum available servers setpoint. Therefore, setpoints have the following order of importance, from highest to lowest:
1 Minimum available servers
2 Maximum session capacity
3 Minimum session capacity
4 Online session reserve
To effectively handle demand, schedule the system to ramp up at 9:00 a.m. by setting the minimum available servers to 5, and the online session reserve to 300. After peak use (9:30 a.m.), schedule the setpoints to lower values at 10:30 a.m., with minimum available servers set to 2 and the online session reserve set to 100. After normal working hours, reduce these setpoint values further at 7:00 p.m., with minimum available servers set to 1 and the online session reserve set to 50.
After you initially set the online session reserve and minimum available servers setpoint values with scheduled changes throughout the day, observe server and session activity, and then fine-tune the schedule and setpoint values to optimize server capacity and use.
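The following is an added example (not Citrix code) that models the setpoint priority order described above and applies it to the 9:00 / 10:30 / 7:00 p.m. schedule from this section. It assumes that every server in the workload has the same typical session capacity (a constructed 40 sessions on 20 servers), and that each schedule entry stays in force until the next one starts.

```python
import math
from dataclasses import dataclass
from datetime import time

INFINITE = math.inf  # the console shows an unset reserve/maximum as an infinity symbol


@dataclass(frozen=True)
class Setpoints:
    """The four setpoints of one workload, with the page's default values."""
    online_session_reserve: float = INFINITE    # infinite: all servers kept online
    minimum_session_capacity: float = 0         # zero == unset
    maximum_session_capacity: float = INFINITE  # infinite == unset
    minimum_available_servers: int = 0          # zero == unset


def target_online_servers(sp, current_load, total_servers, capacity_per_server):
    """Number of servers the power controller keeps online.
    Priority from the page, lowest to highest: online session reserve, minimum
    session capacity, maximum session capacity, minimum available servers.
    capacity_per_server is the profile's typical session capacity, assumed equal
    for every server in the workload."""
    # 1. Load following: keep the reserve above the current load.
    target_capacity = current_load + sp.online_session_reserve
    # 2. Bound the result with the two capacity guards (maximum wins over minimum).
    target_capacity = max(target_capacity, sp.minimum_session_capacity)
    target_capacity = min(target_capacity, sp.maximum_session_capacity)
    # Smallest number of servers that holds the target online capacity.
    if target_capacity == INFINITE:
        servers = total_servers
    else:
        servers = math.ceil(target_capacity / capacity_per_server)
    # 3. Minimum available servers has the final say.
    servers = max(servers, sp.minimum_available_servers)
    return min(servers, total_servers)


# The schedule from the example above; each entry takes effect at its start time.
SCHEDULE = (
    (time(9, 0), Setpoints(online_session_reserve=300, minimum_available_servers=5)),
    (time(10, 30), Setpoints(online_session_reserve=100, minimum_available_servers=2)),
    (time(19, 0), Setpoints(online_session_reserve=50, minimum_available_servers=1)),
)


def setpoints_at(schedule, now):
    """Setpoints in force at clock time `now`; before the first entry the last
    entry of the previous day still applies."""
    current = schedule[-1][1]
    for start, sp in schedule:
        if start <= now:
            current = sp
    return current


def servers_at(hour, minute, current_load, total_servers=20, capacity_per_server=40):
    """Online servers the schedule yields at the given clock time and load."""
    sp = setpoints_at(SCHEDULE, time(hour, minute))
    return target_online_servers(sp, current_load, total_servers, capacity_per_server)


if __name__ == "__main__":
    # Constructed workload: 20 servers, typical session capacity 40 each.
    for (hour, minute), load in (((9, 0), 120), ((10, 30), 500), ((19, 0), 10), ((3, 0), 0)):
        print(f"{hour:02d}:{minute:02d} load {load:4d} -> online servers: "
              f"{servers_at(hour, minute, load)}")
```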
Manual Overrides
After you enable a workload for power management, you can manually override the schedule with different setpoint values. For example, a manual override can be useful when there is an unexpected surge in demand on the XenApp workload that is likely to continue for a few hours. Instead of changing the schedule, you can initiate an override. When the surge has subsided and the normal conditions have returned, you can cancel the override, and the scheduled setpoint values are reapplied. Using a manual override can be helpful when the schedule requires attention or maintenance. Manual override differs from disabling power management. During a manual override, power management is still active, but the setpoints are controlled by the administrator instead of the schedule. Disabling power management for a workload is equivalent to turning off the Power and Capacity Management feature for that workload.
Server Profiles
Within a workload, servers are grouped by profiles. A server profile comprises information the agent discovers and information you configure.
The agent discovers hardware information such as the CPU type and the amount of memory, and sends it to the concentrator. The concentrator creates a profile entry in the database for a new profile (or, if the profile values are the same as those in an existing profile, the existing profile is reused).
Using the management console, you configure two server profile values that Power and Capacity Management uses (with other criteria) to measure server capacity:
Typical session capacity - specifies the number of XenApp sessions (on average) that server can host
Estimated session capacity limit - allows the dynamic session capacity feature to estimate capacity higher than the typical session capacity value when it detects spare computing resources
In a server profile, you can also specify a power action timeout value, which is used when a power off or power on control is issued. If the operation does not complete successfully before the timer expires, Power and Capacity Management assumes the operation failed.
If the hardware configuration changes (for example, more RAM is added to a server), Power and Capacity Management creates a new profile. (The original profile is not altered, because other servers may still be using it. Also, when a hardware change occurs, server capacity can change.) As new servers connect and report their profiles, they inherit any existing configured capacity value if they have the same profile as an existing configured server.
Identify which XenApp servers host critical services and do not host XenApp sessions. Set the server control mode for these servers to unmanaged (or do not install a Power and Capacity Management agent on them).
Identify which XenApp servers host critical services and also host XenApp sessions. Set the server control mode for these servers to managed (base load).
Set the server control mode for existing servers in server properties, and for new servers in global configuration settings.
Concentrator Operations
You can install a Power and Capacity Management concentrator on two servers. This concentrator cluster has a master-slave relationship; one concentrator is the master and the other is a slave. All connections from agents on the XenApp servers go to the current master concentrator; there is no load balancing among multiple concentrators.
Important: Multiple concentrators share a common database. Implement effective SQL Server database clustering and redundancy management.
Concentrators negotiate for mastership and monitor the health of the current master via the database. If the current master stops updating the database, the slave concentrator becomes the master. Failover usually occurs within 60 seconds. You can explicitly force a running slave concentrator to become the master concentrator. This may be necessary when a master concentrator has planned maintenance.
Each concentrator registers an Active Directory Service Connection Point (SCP) under the machine account where the concentrator is installed and records an entry in the database. When the agent on the XenApp server starts, it queries the SCP to discover all known concentrators. Each agent then tries to connect to each concentrator, looking for the master. The management console also performs the same discovery process and connection attempts.
To change the port the agent uses to communicate with the concentrator (the default port is 11168), edit the PCMConcentrator.exe.config file in the Install directory, then restart the PCM Concentrator service.
If a match is found, the machine manager issues the appropriate XenAPI commands to the resource pool to start a virtual machine. If no virtual machine is found (because its machine manager has not been configured or connected, or because the server image is hosted on a physical machine), Power and Capacity Management broadcasts the Wake-on-LAN packet on the network. Then, the concentrator waits a prescribed interval (power control timeout) for the Power and Capacity Management agent on the appropriate XenApp server to establish connection to the concentrator.
Combined installer for the administration components (database, reports, concentrator, and management console)
If you are not installing all the administration components at the same time on the same computer, install them in the following order:
1 Database
2 Reports (Reports is a subfeature of the database feature; therefore, you can install reports only if you are also installing the database component, or if you previously installed the database component)
3 Concentrator
4 Management console
Identify the XenApp servers you want in the Power and Capacity Management farm. For optimal operation, Power and Capacity Management should register (discover) all servers in the XenApp farm. You can then change the server control mode to unmanaged or managed (base load) for servers that are not power controlled. This practice prevents the possibility of session load being sent to XenApp farm servers that Power and Capacity Management is not aware of.
Decide where to install the Power and Capacity Management components.
Install the agent on each XenApp server.
You can install all the administration components on a single computer. You can also install one or more individual administration components on separate computers.
The XenApp servers on which you install the agent, and the computers on which you install the concentrator and management console must all belong to the same Active Directory domain. Install the database component either in the same Active Directory domain as the other components or in a trusted domain. You do not have to run the installation of the Power and Capacity Management database component on the server where Microsoft SQL Server is installed. You can either run the installation process physically on the SQL Server or you can run the installation from any domain member machine. If you run the installation of the database component from a different server than SQL Server, the server on which you install the database component does not need to stay powered on.
Choose a farm name and workload name. You specify the farm name when installing the concentrator and the agent, and the workload name when installing the agent.
Supported Platforms
The Enterprise and Platinum Editions of XenApp for Windows Server 2008 R2 support this version of XenApp Power and Capacity Management. The Power and Capacity Management farm can comprise physical and virtual XenApp servers:
Wake-on-LAN (WoL) power control is supported for physical XenApp servers on the same subnet.
Power on commands to XenServer virtual computers hosting XenApp servers (in one or more XenServer clusters) are supported through the XenServer API.
You can host XenApp on Microsoft Hyper-V or VMWare platforms and install the Power and Capacity Management agent. However, only capacity monitoring, reporting, and load consolidation are supported; power management is not supported.
Component Requirements
Unless otherwise noted, 32-bit and 64-bit editions are supported.
Component: Support and Requirements
Database (including reports)
Requirements:
Microsoft .NET Framework 3.5
Microsoft SQL Server 2005, Microsoft SQL Server 2008, or Microsoft SQL Server 2008 R2; see CTX114501 for the latest supported versions
Microsoft SQL Server Reporting Services
Internet Information Services (IIS) 6.0 (required only if using Microsoft SQL Server 2005)
Use Microsoft Internet Explorer to view reports.
Concentrator
Supported operating system: Windows Server 2008 R2 (64-bit)
Requirement: Microsoft .NET Framework 3.5
Agent
Supported operating system: Windows Server 2008 R2 (64-bit)
Requirements:
Management console
Supported operating systems:
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2 (64-bit)
Windows XP
Windows Vista
Windows 7
Requirements:
Microsoft .NET Framework 3.5
MMC 3.0 Update: http://support.microsoft.com/kb/907265 (pre-installed on Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems)
In a wizard-based installation, select the Do not grant DB access to concentrator check box. (This check box appears only when you are not installing the concentrator and the database at the same time.) In a silent installation, include the CTX_XAPCM_DO_NOT_ADD_ACCOUNT_TO_DB=yes property.
Then use SQL Server Management Studio to add the necessary permissions.
To add permissions to the database:
1 Using SQL Server Management Studio, navigate to the main Security - Logins node.
2 Add a new login for the concentrator identity. If you are running the concentrator as the default network service, this is domain-name\computer-name$. (If you are entering a machine account, do not use the Search button; instead, type the machine account name.)
3 Navigate to the XenAppPCM database > Security > Users node.
4 Add a new user. Citrix recommends the User Name be the same as the Login Name you specified in step 2. In the role membership list, select ConcentratorRole.
Citrix administrator for the XenApp instance
Log on as service
Shut down the system
Query rights for Active Directory (to locate the "Citrix XenAppPCM" SCP for the farm assigned to this agent)
If you specify this property, you must specify a domain account password with the CTX_XAPCM_AGENT_PASSWORD property. You must also supply a domain account with the CTX_XAPCM_CONCENTRATOR_ACCOUNT property when installing the concentrator (because the Concentrator service cannot use a built-in account if the Agent service is using a domain account and vice versa).
If you omit this property, the built-in "Local System" account is used. In this case, do not specify the CTX_XAPCM_AGENT_PASSWORD property.
CTX_XAPCM_AGENT_PASSWORD=domain-account-password
Password for the domain account. This property is valid only if you specified a domain account with the CTX_XAPCM_AGENT_ACCOUNT property.
A farm name of "my_farm"
A workload name of "my_workload"
The agent service running under the domain account "my_domain\my_user" with the password "my_password"
Silently Installing Components
[CTX_XAPCM_DB_NAME=db-name] [CTX_XAPCM_REPORT_URL=report-url] [CTX_XAPCM_DO_NOT_ADD_ACCOUNT_TO_DB=yes] [CTX_XAPCM_CONCENTRATOR_ACCOUNT=domain-account] [CTX_XAPCM_CONCENTRATOR_PASSWORD=domain-account-password]
CTX_XAPCM_ACCEPT_EULA=yes
Accepts the license agreement. To read the EULA, launch the installation interactively and navigate to the license dialog. If you omit this property, or if the specified value is not "yes," the installation fails.
ADDLOCAL=components
Comma-separated list of components to be installed. Valid values are: Concentrator, Console, DatabaseInstaller, Reports.
Reports is a subfeature of the database component; therefore, you can install reports only if you are also installing the database component, or if you previously installed the database component.
If you omit this property, the database, concentrator, and management console components are installed; reports is not installed.
CTX_XAPCM_FARM_NAME=farm-name
Use this property when installing the database component. Farm name, up to 80 characters, which cannot contain: backslash (\), single quote ('), forward slash (/), double-quote ("), less-than (<), greater-than (>), pipe (|), or equal (=). The collection of XenApp servers being managed by Power and Capacity Management is known as a farm. This farm may include some or all of the servers in a XenApp farm, or it may contain XenApp servers from different XenApp farms. The name must be unique. If you are installing the database component and omit this parameter, the installation fails.
CTX_XAPCM_DB_INSTANCE=db-instance
Use this property when installing the database, reports, and concentrator components. Database instance name.
If you are installing the database component, this property specifies the instance name of the SQL Server instance in which the Power and Capacity Management database schema is to be installed. If you are using the default SQL instance on this computer, specify "." (dot); otherwise, specify the computer and instance name (for example, SQLServer\instance1).
If you already installed the database component and are installing the concentrator, this property specifies the instance name of the SQL Server instance in which the schema is installed. If the default SQL instance on this computer was used, specify "." (dot); otherwise, specify the computer and instance name (for example, SQLServer\instance1).
If you omit this property, "." is used.
CTX_XAPCM_DB_NAME=db-name
Use this property when installing the database, reports, and concentrator components. Database name, up to 123 characters, which cannot contain: semicolon (;), question mark (?), colon (:), at (@), ampersand (&), equal (=), plus (+), dollar ($), backslash (\), asterisk (*), less-than (<), greater-than (>), pipe (|), double-quote ("), forward-slash (/), single-quote ('), back-tick (`), left square bracket ([), right square bracket (]). If you omit this property, "XenAppPCM" is used.
CTX_XAPCM_REPORT_URL=report-url
Use this property when installing the reports component. Report service URL, up to 512 characters.
If you are using the default SQL Server instance, specify the server URL http[s]://server_name/ReportServer.
If you are using a named SQL Server 2005 instance, specify the server URL qualified with the instance name (http[s]://server_name/ReportServer$instance_name).
If you are using a named SQL Server 2008 instance, specify the server URL qualified with the instance name (http[s]://server_name/ReportServer_instance_name).
If you omit this property, "http://local_machine_name/ReportServer" is used.
CTX_XAPCM_DO_NOT_ADD_ACCOUNT_TO_DB=yes
Use this property when the person installing the concentrator does not have administrator rights to the database. In this case, the database administrator must manually add the correct account to the database. If you omit this property, or if the specified value is not "yes," the database is configured to accept connections from the concentrator.
CTX_XAPCM_CONCENTRATOR_ACCOUNT=domain-account
Use this property when installing the concentrator. Domain account with a userPrincipalName attribute within Active Directory with the following rights:
Log on as service
Read/write rights for Active Directory (to create the "Citrix XenAppPCM" SCP for the farm this concentrator manages); for example, read/write access to the Active Directory concentrator computer container (CN)
If you specify this property, you must specify a password with the CTX_XAPCM_CONCENTRATOR_PASSWORD property. You must also supply a domain account for the CTX_XAPCM_AGENT_ACCOUNT property when installing the agent (because the Concentrator service cannot use a built-in account if the Agent service is using a domain account and vice versa). If you omit this property, the built-in "Network Service" account is used. In this case, do not specify the CTX_XAPCM_CONCENTRATOR_PASSWORD property.
CTX_XAPCM_CONCENTRATOR_PASSWORD=domain-account-password
Use this property when installing the concentrator and only if you specified a domain account with the CTX_XAPCM_CONCENTRATOR_ACCOUNT property. Password for the domain account.
The following command installs all administration components with:
A farm name of "my_farm"
The default SQL Server instance on a server named "my_db" with a database name of "my_dbname"
Reporting services on "http://my_report_server/reportserver"
The concentrator running under the domain account "my_domain\my_user" with the password "my_password"
msiexec /i XenAppPCMAdmin.msi /qn CTX_XAPCM_ACCEPT_EULA=yes ADDLOCAL=Concentrator,Console,DatabaseInstaller,Reports CTX_XAPCM_FARM_NAME=my_farm CTX_XAPCM_DB_INSTANCE=my_db CTX_XAPCM_DB_NAME=my_dbname CTX_XAPCM_REPORT_URL=http://my_report_server/reportserver CTX_XAPCM_CONCENTRATOR_ACCOUNT=my_domain\my_user CTX_XAPCM_CONCENTRATOR_PASSWORD=my_password
Removing Components
To remove Power and Capacity Management components, use Windows Add/Remove Programs.
Connect to a XenApp Power and Capacity Management farm to manage (required only if you have more than one Power and Capacity Management farm)
Configure server profile properties
Configure server properties
Specify global configuration settings
Add machine managers, if your Power and Capacity Management farm includes XenApp servers hosted on XenServer virtual machines
Optionally, add sites, if your Power and Capacity Management farm includes XenApp servers hosted on XenServer virtual machines
After the initial setup, observe management console displays and generate reports. Using the collected information, you can then:
Configuring Power and Capacity Management
The workloads pane shows the following columns:
Workload
Power Managed: Indicates if power management is enabled or disabled for the system (All Workloads) and for each workload.
Checkmark = enabled ("override" indicates a manual override is in effect)
x = disabled (with a notation if a workload does not have a schedule)
Load Consolidated: Indicates if load consolidation is enabled or disabled for the system (All Workloads) and for each workload.
Utilization: Current utilization shown in meter form and percent text (utilization is the ratio of total active sessions to total session capacity available from all online servers).
Sessions: Current number of load, unused, and offline sessions, shown graphically and in absolute counts.
Servers: Current number of online and offline servers in the workload, shown graphically and in absolute counts.
The tabs pane contains five tabs.
Status
Utilization, sessions, and servers information on the Status tab is equivalent to the information for the selected workload in the workloads pane above it.
q
When All Workloads is selected, the Status display also indicates if power management and load consolidation are globally enabled or disabled.
When a single workload is selected, the Status display also indicates if power management and workload load consolidation are enabled or disabled for that workload. With power management enabled, the display includes current setpoint values.
q q
For workloads with an empty schedule and no override, the display shows the default setpoint values When the power controller is following the schedule for a workload, the display shows the scheduled setpoint values
When the power controller is following override setpoints for a workload, the display shows those values Performance
q
The Performance tab displays metric graphs collected for a specific interval. After you select an interval, the display shows values collected throughout the interval for utilization, sessions, and servers, starting with the beginning of the selected interval, and ending with the current ("Now") value. Servers
875
Configuring Power and Capacity Management The Servers tab lists all servers in the workload selected in the workloads pane. Information for each server includes: Column Server Control mode State Utilization Sessions Content DNS name and server profile information. Power control mode, site (if there is more than one defined), and power controller preference. Online, offline, draining, powering on, or powering off. If you disable logons to a server, this field indicates Maintenance. Current utilization percentage in graphic and text forms. Current sessions counts in graphic and text forms. Hovering over an entry displays the current session count for that server and the current load consolidation activity, if any. An icon to the left of the graph represents the current load consolidation activity (when load consolidation is enabled for the server's workload):
q
Green triangle = server is accepting new connections and is below optimal load Yellow triangle = server is accepting new connections but is above optimal load Grey dot = logons are disabled for this server
The Sessions graphic fades for servers in drain mode. Session Capacity Hovering over an entry displays how the dynamic capacity estimate differs from the typical session capacity value configured in the server profile (the session capacity value indicates 'calculated').
Capacities The Capacities tab displays server profile information and the typical session capacity for each server profile (or Unset if the typical session capacity has not been configured). To display the DNS names of servers that use a profile, select the profile, then click the entry in the Servers column. Schedule The Schedule tab displays the current Monday through Sunday schedule for a workload. (This tab is not displayed when All Workloads is selected in the workloads pane.) The entry for each day indicates time and setpoint values.
Task Descriptions
When task instructions include selecting an entry in the Actions pane, there may be equivalent selections in the Action menu. Also, when the task instructions include selecting an entry in a workload or tabs pane and then selecting from the Actions pane, there may be equivalent selections in a right-click menu.
To configure server profile properties:
1. In the Actions pane, click Server Profile Properties. The Server Profile Properties dialog box appears.
2. Enter the typical session capacity value. A zero value is equivalent to unset.
3. Enter the power action timeout (seconds) value.
4. Enter the estimated session capacity limit in the range 0-1000 (0 = not set). This value must be greater than or equal to the typical session capacity value.

To delete a server profile, click Delete Server Profile in the Actions pane and confirm the deletion. You can delete a server profile only if it has no associated servers.
To configure server properties, in the Server Properties dialog box, select the desired control mode and power controller preference.
To specify global configuration settings:
- Select the control mode for new servers added to the Power and Capacity Management farm.
- Select the optimal load percentage for servers.
- Enable or disable metrics data collection.
- Select the number of days to retain the collected metrics data. The default is 365 days (1 year).
To add a machine manager:
1. Click Add.
2. Specify a URL to the XenServer resource pool in the form http[s]://ip-or-hostname.
3. For the type, leave Citrix XenServer 4.0 or newer selected.
4. For the site, specify where the resource pool is located.
5. For authentication, if you select the Authenticate with user name and password check box, specify the user name and password XenServer uses to authenticate. Do not select the check box if you want to use the domain credentials of the concentrator service to authenticate to XenServer (pass-through authentication).
6. Leave the Enable this machine manager check box selected.

To modify a virtual machine manager, select the machine manager, click Modify, and change values as needed.

To delete a virtual machine manager, select the machine manager, click Delete, and confirm the deletion.

Important: Assign unique MAC addresses to virtual machines, even across resource pools. This is typically done by using the auto-generate MAC option when creating the virtual machine.
When adding a site, select a power controller preference for servers that belong to that site.

To modify a site, select the site, click Modify, and change values as needed.

To delete a site, select the site, click Delete, and confirm the deletion.
To create a schedule, select the Allow Edit check box and edit the schedule for one or more days of the week. To copy the schedule from the previous day, click Copy day's schedule in the day of the week area. To copy the entire workload schedule to another workload, ensure the workload being copied has focus, then select Copy Schedule To in the Actions pane.

To delete a schedule, select Delete Schedule in the Actions pane. To delete an individual schedule item, select the leftmost cell in the item, then press the Delete key.
To generate a report:
1. Select what the report covers:
   - For a workload report, in the workloads pane select a workload or All Workloads, then in the Actions pane click Generate Workload Report.
   - For a server report, click the Servers tab in the tabs pane and select a server, then in the Actions pane click Generate Server Report.
2. Select the report type, the period of time the report covers, and the interval.
3. Click Generate Report.

Important: The management console uses Microsoft Internet Explorer to display reports (overriding the user's default browser setting). For optimal display, always use Microsoft Internet Explorer to view reports.
Secure Gateway
The Secure Gateway for Windows helps you to secure access to enterprise network computers running Citrix XenApp and provides a secure Internet gateway between Citrix XenApp and user devices. The Secure Gateway transparently encrypts and authenticates all user connections to help protect against data tampering and theft. All data traversing the Internet between a remote workstation and the Secure Gateway is encrypted using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol. The Secure Gateway is an application that runs as a service on a server that is deployed in the demilitarized zone (DMZ). The server running the Secure Gateway represents a single point of access to the secure, enterprise network. The Secure Gateway acts as an intermediary for every connection request originating from the Internet to the enterprise network. For increased security, the Secure Gateway Proxy is used with the Secure Gateway in a double-hop DMZ deployment. The Secure Gateway is installed in the first DMZ and the Secure Gateway Proxy is installed in the second DMZ. The Secure Gateway Proxy acts as a conduit for traffic originating from the Secure Gateway to servers in the secure network, and from servers in the secure network to the Secure Gateway. The following table highlights references to typical administrative tasks and conceptual information:
Typical administrative tasks:
- Using the Secure Gateway with computers running XenApp
- Installing and configuring the Secure Gateway
- Learning more about the Secure Gateway's performance counters and error logs
- Getting general recommendations about using network components such as load balancers, SSL accelerator cards, and firewalls
- Learning more about troubleshooting a Secure Gateway deployment
- Learning about digital certificates and certificate installation

These tasks are covered in the following topics: Planning a Secure Gateway Deployment; Installing and Configuring the Secure Gateway and Secure Gateway Proxy; Managing the Secure Gateway.
Secure Gateway Features

Performance counters: The Secure Gateway includes a set of performance counters to analyze the usage and load on the Secure Gateway server.

Based on Apache technology: Software based on Apache technology is used as the foundation of the Secure Gateway.

Section 508 compliance: The Secure Gateway is compliant with Section 508 of the United States Workforce Rehabilitation Act of 1973.

Session reliability: Improvements in session reliability benefit both mobile and local users by keeping their work items open when network connectivity is lost and resuming them seamlessly when connectivity is restored. This feature is especially useful for mobile users with wireless connections that are interrupted or dropped. When a session connection is interrupted, all open windows to published resources remain visible while reconnection is attempted automatically in the background.

Relay mode: The Secure Gateway can be installed in relay mode for internal secure communications. Relay mode can be used in secure corporate environments such as intranets, LANs, and WANs. Relay mode is not recommended for external connections from the Internet to a server farm or server access farm.

Single-hop or double-hop DMZ deployment: The Secure Gateway can be installed to span a single-hop or a double-hop DMZ. If your DMZ is divided into two stages, install the appropriate Secure Gateway component in each DMZ segment to securely transport HTTP/S and ICA traffic to and from the secure network.

Secure communication between the Secure Gateway components: The Secure Gateway components support the use of digital certificates and the securing of links between components with SSL/TLS.

Configuration, management, and diagnostic tools: The Secure Gateway Management Console is a Microsoft Management Console (MMC) snap-in you can use to manage, analyze, and troubleshoot a Secure Gateway deployment. The Secure Gateway Diagnostics tool, available from the Secure Gateway Management Console, reports configuration values, certificate details, and the state of each configured component.

Minimal client configuration: User devices require no preinstalled software for security. Remote, secure access is easy to support, requiring little effort from IT staff.

Certificate-based security: The Secure Gateway uses standard Public Key Infrastructure (PKI) technology to provide the framework and trust infrastructure for authentication and authorization.

Standard encryption protocols: The Secure Gateway uses industry-standard SSL or TLS encryption to secure Web and application traffic between the client and server. Connections between clients and the Secure Gateway are encrypted using SSL or TLS. You can further enhance security by restricting the Secure Gateway to commercial or government cipher suites certified for Federal Information Processing Standard (FIPS) 140 requirements.

Authentication and authorization: The Secure Gateway works with the Web Interface to authenticate users attempting to establish connections to a server farm. Authorization occurs when the Secure Gateway confirms that the user has been authenticated by the enterprise network. The authorization process is entirely transparent to the user.

Single point of entry: The need to publish the address of every Citrix XenApp server is eliminated, and server certificate management is simplified. The Secure Gateway provides a single point of encryption and access to computers running Citrix XenApp.

Firewall traversal: Connections from clients are secured with standard protocols using ports typically open on corporate firewalls. This allows easy traversal of firewalls without custom configuration.

Ease of installation and management: Adding the Secure Gateway to an existing server farm is relatively quick and simple and requires minimal configuration, significantly reducing time and management costs.

Reliability and fault tolerance: The solution allows duplicate components to be deployed for redundancy. Large arrays can be built using industry-standard SSL load balancing systems for scalability. Even if hardware fails, the server farm remains protected.

Scalable and extensible solution: A single server running the Secure Gateway can support a small corporate site consisting of hundreds of users. Medium to large sites catering to thousands of users can be supported with an array of load balanced servers running the Secure Gateway. The Secure Gateway components do not require special hardware devices or network equipment upgrades.

Event and audit logging: Critical and fatal system events are logged to the Secure Gateway application log, helping administrators diagnose system problems. Logging levels are configurable and can be set from the user interface. Depending on the configured logging level, you can retrieve a complete record of network connection attempts to the Secure Gateway. You can also configure the Secure Gateway to omit log entries for polls from network equipment such as load balancers.
Operating Systems
You can install the Secure Gateway components on computers running Windows Server 2008 R2. Important: Secure Gateway runs as a 32-bit application on 64-bit Windows operating systems.
Hardware Requirements
The Secure Gateway requires the minimum hardware requirements for supported Windows operating systems, as specified by Microsoft. Important: For maximum security, Citrix recommends you reserve a standalone server for the Secure Gateway.
The Secure Gateway is compatible with the following Citrix products:
- Citrix XenApp for Windows Server 2008 R2
- Citrix XenApp for Windows Server 2008
- Citrix XenApp for Windows Server 2003
- Web Interface

You can install the Secure Gateway on a computer running a different Windows operating system than the XenApp servers in the same environment. The Secure Gateway is compatible with the following Citrix online plug-in software:
System Requirements for Secure Gateway

Important: The Secure Gateway and Secure Gateway Proxy do not support the Citrix offline plug-in.
User Devices

The following Microsoft operating systems are supported for user devices:
- Windows 2000 Professional
- Windows XP Home Edition
- Windows XP Professional
- Windows Vista
- Windows Server 2003
- Windows Server 2008
- Windows Server 2008 R2
Certificate Requirements

All user devices and secure servers in a Secure Gateway deployment use digital certificates to verify each other's identity and authenticity. The Secure Gateway supports the use of digital certificates. As the security administrator, you need to decide whether the communication links between the Secure Gateway and other servers in the DMZ or secure network need to be encrypted. See Digital Certificates and the Secure Gateway.

Important: If you purchased server certificates from a commercial certificate authority (CA), support for the root certificates of most commercial CAs is built into Internet Explorer and Windows server products. If you obtained server certificates from a private CA, or from a commercial CA whose root certificates are not supported by default by the Windows operating system, you must install matching root certificates on all user devices and servers that connect to secure servers.

The following certificates are required:
- Root certificates on all user devices that connect to the server running the Secure Gateway.
- Root certificates on every Secure Gateway component that connects to a secure server. For example, a root certificate must be present on the server running the Secure Gateway to verify the server certificate installed on the server running the STA.
- A server certificate on the server running the Secure Gateway.
- Optional. A server certificate on the servers running the STA. The STA is installed by default when you install Citrix XenApp.

All Secure Gateway components support the use of digital certificates. Citrix recommends that the communication links between the Secure Gateway and other servers in the DMZ or secure network be encrypted.
Where the deployment also includes the Secure Gateway Proxy, the required certificates are:
- Root certificates on all user devices connecting to the server running the Secure Gateway.
- Root certificates on every Secure Gateway server that connects to a secure server or Web server. For example, an appropriate root certificate must be present on the server running the Secure Gateway to verify the server certificate installed on the Citrix XenApp server.
- A server certificate on the server running the Secure Gateway.
- Optional. A server certificate on the server(s) running the Secure Gateway Proxy.
- Optional. A server certificate on the server running the STA.
Deploying the Secure Gateway in a Single-Hop DMZ

WXYCo realizes that installing the Secure Gateway allows it to provide secure Internet access to published resources on its server farms. Because the workforce is largely mobile, using the Internet to connect to the enterprise network is expected to reduce remote access costs dramatically.
A secure server farm using a single-hop DMZ. This figure illustrates a secure enterprise network separated from the Internet by a single-hop DMZ. The enterprise network contains a server farm including one server running Citrix XenApp with the Secure Ticket Authority (STA). The firewall separating the secure network from the DMZ has ports 80, 443, and 1494 open. If session reliability is enabled, port 2598 is open on the internal firewall. The DMZ contains a single server running the Secure Gateway, and the Web Interface. Traffic to the Web Interface is proxied through the Secure Gateway which communicates with the Web Interface using HTTP. The DMZ is separated from the Internet by a firewall that has port 443 open. The mobile workforce carries notebook PCs running a 32-bit Windows operating system, Internet Explorer 5.5, and the Citrix online plug-in for 32-bit Windows. The security analyst recommends securing the communication link between the Secure Gateway and the STA. To do this, the company purchased two server certificates from a commercial certificate authority (CA). The server running the Secure Gateway and the Web Interface have root and server certificates installed. The server running Citrix XenApp has a server certificate installed. For more information about certificates, see Digital Certificates and the Secure Gateway.
Running the Web Interface behind the Secure Gateway in the Demilitarized Zone
In a single-hop DMZ deployment scenario, all incoming traffic is intercepted by the Secure Gateway. The Web Interface can be installed on the same server as Secure Gateway or on a separate server. All data exchanged between user devices and the Web Interface is relayed through the Secure Gateway. The firewall facing the Internet has port 443 open. Users connect to the Secure Gateway using a URL such as https://Secure Gateway FQDN/, where Secure Gateway FQDN is the fully qualified domain name for the server running the Secure Gateway.
Advantages:
- A single server certificate is required on the server running the Secure Gateway and the Web Interface.
- A single port, 443, must be opened on the firewall facing the Internet.
- The Web Interface cannot be contacted directly from the Internet and is therefore better protected.

Disadvantages: Deploying the Secure Gateway in this configuration affects Web Interface functionality. You lose some of the features available with the Web Interface, including the following:
- Smart card authentication. The Secure Gateway negotiates the SSL handshake and terminates the SSL connection before forwarding the client connection request to the Web Interface. Because the SSL connection never reaches the Web Interface, smart card authentication integrated with the Web Interface is unavailable.
- Firewall and proxy settings that depend on the client IP address. All communication from the user device to the Web Interface is proxied through the Secure Gateway, so every client connection to the Web Interface originates from the IP address of the server running the Secure Gateway. You can still configure firewall and proxy settings on the Web Interface for specific client address prefixes, but those settings must be written for the Secure Gateway's IP address, because the Web Interface cannot distinguish between different user devices connecting through the Secure Gateway.
Citrix recommends deploying the Secure Gateway in this configuration if your network is small to medium sized, with a usage profile of hundreds of users. This type of deployment is optimal when users are connecting over the Internet to the Secure Gateway.
If any of the limitations described above are a concern and you have a sizeable user base accessing the Secure Gateway over the LAN, consider deploying the Web Interface in the configuration described in Running the Web Interface Parallel with the Secure Gateway.
Setting Up the Web Interface and the Secure Gateway in a Single-Hop Demilitarized Zone

In this scenario, the Web Interface and the Secure Gateway are hosted on the same server in the DMZ. Install and configure the Web Interface before you install the Secure Gateway.
1. Install the Web Interface on the server reserved for the Secure Gateway and the Web Interface.
2. Add and configure server farms for use with the Web Interface.
3. Use a Web browser on a user device to connect and log on to the Web Interface.
4. Verify that you can launch published applications.
5. Configure the Secure Gateway and include the FQDN of the STA.

The Secure Gateway is installed on the same server as the Web Interface in the DMZ. To install and configure the Secure Gateway, see Installing and Configuring the Secure Gateway and Secure Gateway Proxy. Ensure that the user devices connecting to the Secure Gateway meet the compatibility requirements stated in System Requirements for Secure Gateway.
The required certificates for this deployment are:
- Root certificates on all user devices connecting to the server running the Secure Gateway.
- Root certificates on every Secure Gateway component that connects to a secure server or Web server. For example, an appropriate root certificate must be present on the server running the Secure Gateway to verify the server certificate installed on the server running Citrix XenApp.
- A server certificate on the server running the Secure Gateway.
- Optional. A server certificate on the server(s) running the Secure Gateway Proxy.

All Secure Gateway components support the use of digital certificates. Although not a requirement, Citrix recommends that the communication links between the Secure Gateway and other servers in the DMZ or secure network be encrypted.
This figure shows a Secure Gateway deployment used to secure a server farm in a double-hop DMZ environment. The secure enterprise network is separated from the Internet by a double-hop DMZ. The enterprise network contains a server farm including a server running Citrix XenApp with the Secure Ticket Authority (STA). The firewall separating the secure network from the second DMZ segment has port 443 open. If session reliability is enabled, port 2598 is open. The second DMZ segment contains a server running the Secure Gateway Proxy and a second server running the Web Interface. The firewall separating the first and second DMZ segments has port 443 open. The first DMZ segment contains a single server running the Secure Gateway. All traffic originating from the Secure Gateway to servers in the secure network is proxied through the Secure Gateway Proxy.
Deploying the Secure Gateway in a Double-Hop DMZ

If the communications link between the Secure Gateway and the Secure Gateway Proxy is not secured, open port 1080 on the firewall between the first DMZ segment and the second. The Secure Gateway communicates directly with the server running the Web Interface in the second DMZ segment, which in turn communicates directly with servers in the secure network. The first DMZ segment is separated from the Internet by a firewall that has port 443 open. The mobile workforce carries notebook PCs running a 32-bit Windows operating system, Internet Explorer 5.5, and the Citrix online plug-in for 32-bit Windows.
Setting Up the Secure Gateway and the Secure Gateway Proxy in a Double-Hop DMZ

The Secure Gateway is installed on a standalone server in the first DMZ. The Secure Gateway Proxy is installed on a standalone server in the second DMZ. See Installing and Configuring the Secure Gateway and Secure Gateway Proxy.

1. Install the Web Interface on a standalone server in the second DMZ segment.
2. To secure communications between the Secure Gateway and the Web Interface, ensure you install a server certificate on the server running the Web Interface.
3. Add and configure server farms for use with the Web Interface.
4. Configure the Secure Gateway using the FQDN of the STA.
5. Use a Web browser on a user device to connect and log on to the Web Interface.
6. Verify that you can launch published applications.
Publishing the Web Address for the Secure Gateway in a Double-Hop Demilitarized Zone
Because all traffic to the Web Interface is proxied through the Secure Gateway, users should type one of the following default Web addresses to access the logon page or XenApp Web site:

https://Secure Gateway FQDN/Citrix/AccessPlatform
https://Secure Gateway FQDN/Citrix/XenApp

where Secure Gateway FQDN is the fully qualified domain name of the server running the Secure Gateway. In the case of WXYCo, the default Web address for the logon page or Web site is one of the following:

https://www.gateway01.wxyco.com/Citrix/AccessPlatform/
https://www.gateway01.wxyco.com/Citrix/XenApp

Alternatively, consider changing the default Web root directory in IIS on the server running the Web Interface to point to the Web Interface directory. This lets users reach the logon page or Web site by connecting directly to the root Web address, that is, https://Secure Gateway FQDN/. In this case, the Web address that employees of WXYCo use to access the logon page is:

https://www.gateway01.wxyco.com/
Before deploying the Secure Gateway:
- Install and configure a server farm in the enterprise network.
- Install, configure, and publish applications on the server farm.
- Connect to the server farm from a user device and ensure you can access the available published resources.
See the Citrix XenApp installation and administration topics for detailed instructions about performing these tasks.
Installing and Configuring the Secure Gateway and Secure Gateway Proxy
In addition to describing the Secure Gateway and Secure Gateway Proxy installation and configuration processes, this section explains how to move to the current version of the Secure Gateway from an installed earlier version, and how to use a firewall with the Secure Gateway and Secure Gateway Proxy. When the Secure Gateway or Secure Gateway Proxy is installed on a supported 64-bit Windows operating system, it installs in the 32-bit application location by default.

Important: You must have administrative privileges to install and configure the Secure Gateway and to use the management tools. If User Account Control (UAC) is enabled, you must run the installer program in elevated mode, that is, with administrative privileges enabled.
Using Firewall Software with the Secure Gateway or Secure Gateway Proxy
The firewall software included in your Microsoft Windows server operating system (such as Windows Firewall with Advanced Security) on the server where the Secure Gateway or Secure Gateway Proxy runs might not automatically allow access to the required ports. Non-Microsoft firewall software might also block these ports by default. The Secure Gateway and Secure Gateway Proxy installers do not create firewall exceptions for the default SSL port 443, the default Secure Gateway Proxy port 1080, or any other port number you select when configuring the software. Manually allow inbound access to these ports in whatever firewall software you use in your environment.
Installation overview:
1. Install Citrix XenApp.
2. Install root and server certificates on the appropriate computers.
3. If using a double-hop DMZ, install the Secure Gateway Proxy in the second DMZ. If you are securing communications between the Secure Gateway and the Secure Gateway Proxy, ensure you install a server certificate on the server running the Secure Gateway Proxy.
4. Install the Secure Gateway in the first, or only, DMZ.

Important: The Secure Gateway is designed to discover and verify the existence of the other Citrix components during configuration. For example, during configuration the Secure Gateway verifies that the servers running the Web Interface and the Secure Ticket Authority (STA), if used, are functional. If a required component is not found, the Secure Gateway may fail to start. Ensure that you follow the recommended installation sequence, which must be in this order:
1. Always install components within the secure network first.
2. Optional. If your network contains a double-hop DMZ, install components in the second DMZ segment next.
3. Install components in the first DMZ segment last.
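The following PowerShell script is an added example and is not part of the Citrix documentation. It covers two things the two passages above leave to the administrator: opening the listening port for the role installed on this host in Windows Firewall with Advanced Security (using netsh advfirewall, which is available on Windows Server 2008 R2), and confirming before the configuration wizard runs that the components this host must discover are already listening, in the order the installation sequence requires. The host names and the dependency list are placeholders modelled on the single-hop WXYCo scenario; the function names are this example's own.

```powershell
# Added example, not part of the Citrix documentation. Two helpers for the
# steps above: Add-SecureGatewayFirewallRule opens the listening port for the
# role installed on this host in Windows Firewall with Advanced Security
# (netsh advfirewall, available on Windows Server 2008 R2), and the check at
# the end confirms that the components this host must reach are already
# listening before the configuration wizard tries to discover them. Host
# names below are placeholders for the single-hop scenario in this section.

function Add-SecureGatewayFirewallRule {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('SecureGateway', 'SecureGatewayProxy')]
        [string]$Role,
        [int]$Port = 0   # 0 = use the documented default (443 or 1080)
    )
    if ($Port -eq 0) {
        if ($Role -eq 'SecureGateway') { $Port = 443 } else { $Port = 1080 }
    }
    $name = "Citrix $Role (TCP $Port inbound)"
    # Idempotent: netsh prints a "Rule Name:" line only when a matching rule exists.
    $existing = netsh advfirewall firewall show rule name="$name"
    if ($existing -match 'Rule Name:') {
        Write-Host "Firewall rule '$name' already exists."
        return
    }
    netsh advfirewall firewall add rule name="$name" dir=in action=allow protocol=TCP localport=$Port | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh could not add firewall rule '$name'." }
    Write-Host "Added firewall rule '$name'."
}

function Test-TcpEndpoint {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# On the Secure Gateway host: open 443 inbound. On a Proxy host you would
# call the same function with -Role SecureGatewayProxy (port 1080).
Add-SecureGatewayFirewallRule -Role SecureGateway

# Components the Secure Gateway contacts in a single-hop deployment (secure
# network components must be installed and running first). In a double-hop
# deployment the ICA and STA checks would target the Secure Gateway Proxy.
$dependencies = @(
    @{ Name = 'STA on XenApp (HTTPS)';        Host = 'xenapp01.wxyco.local'; Port = 443  },
    @{ Name = 'XenApp ICA';                   Host = 'xenapp01.wxyco.local'; Port = 1494 },
    @{ Name = 'XenApp session reliability';   Host = 'xenapp01.wxyco.local'; Port = 2598 },
    @{ Name = 'Web Interface (HTTP)';         Host = 'localhost';            Port = 80   }
)

$missing = @()
foreach ($d in $dependencies) {
    $ok = Test-TcpEndpoint -ComputerName $d.Host -Port $d.Port
    $state = if ($ok) { 'reachable' } else { 'NOT reachable' }
    Write-Host ('{0,-28} {1}:{2,-5} {3}' -f $d.Name, $d.Host, $d.Port, $state)
    if (-not $ok) { $missing += $d.Name }
}
if ($missing.Count -gt 0) {
    Write-Warning ("Fix these before running the Secure Gateway Configuration wizard: " + ($missing -join ', '))
}
```

A TCP connect proves only that something is listening on the port and that the intervening firewalls pass it; it does not prove the service is the STA or the Web Interface, so treat a "reachable" result as a precondition for the wizard's own discovery, not as a substitute for it. The rule the function adds is deliberately narrow (one inbound TCP port, no program or profile scope); tighten it further with remote address restrictions if your DMZ design allows.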
Have the following information available for the configuration wizard:
- The FQDN and path of the server running the STA
- The FQDN and path of the server running the Web Interface

To start the wizard manually, see To start the configuration wizard manually. See also Using Firewall Software with the Secure Gateway or Secure Gateway Proxy.
Standard: Includes only the minimum set of parameters required to configure the Secure Gateway. The Secure Gateway Configuration wizard sets all remaining parameters to their default values.
Advanced: Includes all of the Secure Gateway's configurable parameters, for example, supported secure protocols and logging exclusions.
Standard: Includes only the minimum set of parameters required to configure the Secure Gateway Proxy. The Secure Gateway Proxy Configuration wizard sets all remaining parameters to their default values.
Advanced: Includes all of the Secure Gateway Proxy's configurable parameters, for example, supported secure protocols and logging exclusions.
2 Select the Secure traffic between the Secure Gateway and Secure Gateway Proxy option to secure communications between the Secure Gateway and the Secure Gateway Proxy servers using SSL or TLS. When this option is not selected, the connection between the Secure Gateway and Secure Gateway Proxy is not secured. To secure traffic between the Secure Gateway and Secure Gateway Proxy you must also:
- Install a server certificate on the server running the Secure Gateway Proxy
- Install a client certificate on the Secure Gateway
Tasks (Secure Gateway Configuration wizard):
- To select a server certificate
- To configure secure protocol settings
- To configure inbound client connections
- To configure outbound connections
- To add the Secure Ticket Authority details
- To configure connection parameters
- To configure logging exclusions
- To add the Web Interface server details
- To configure the logging parameters
Tasks (Secure Gateway Proxy Configuration wizard) and whether each is offered when Standard configuration is selected:
- To select a server certificate: X
- To configure secure protocol settings: Not available
- To configure inbound client connections: X
- To configure outbound connections: X
- To add the Secure Ticket Authority details: Not available
- To configure connection parameters: Not available
- To configure logging exclusions: Not available
- To configure the logging parameters: X
- Transport Layer Security (TLSv1): Configure the Secure Gateway to use only TLS as its secure protocol. If you select this option, verify that all user devices support and are configured to use TLS as well.
- Secure Sockets Layer (SSLv3) and TLSv1: Configure the Secure Gateway and Secure Gateway Proxy to use both SSL and TLS as their secure protocols. This option is useful when deploying the Secure Gateway or Secure Gateway Proxy in an environment in which some clients support only SSL.
Note: If a user device supports both the SSL and TLS protocols, TLS is used to secure the data transmitted between the Secure Gateway/Secure Gateway Proxy and the client.
2 Select a cipher suite:
- GOV: You can configure the Secure Gateway/Secure Gateway Proxy to use the following government strength cipher suite: RSA_WITH_3DES_EDE_CBC_SHA or {0x00,0x0A}
- COM: You can configure the Secure Gateway/Secure Gateway Proxy to use the following commercial strength cipher suites: RSA_WITH_RC4_128_MD5 or {0x00,0x04}, RSA_WITH_RC4_128_SHA or {0x00,0x05}
- ALL: You can configure the Secure Gateway/Secure Gateway Proxy to use both the commercial and government strength cipher suites. This option is useful when deploying the Secure Gateway/Secure Gateway Proxy in an environment where some user devices support only COM while others support only GOV.
Note: When the Secure Gateway and a user device support both COM and GOV cipher suites, the Secure Gateway uses the COM cipher suite. Because of this preference, selecting ALL means that any user device offering both ends up on an RC4 suite. SSLv3 and the RC4 cipher suites have since been deprecated by the IETF (RFC 7568 and RFC 7465), so select TLSv1 only and GOV wherever every user device supports them.
3 Click Next to proceed.
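A way to verify what the settings above actually produce on the wire, as an added example that is not part of the Citrix documentation: it opens a connection to the gateway with .NET's SslStream, reports the negotiated protocol and cipher, then retries as an SSLv3-only client and expects that to fail when the gateway is set to TLS only. $GatewayHost is an assumed name; run it from any Windows machine that can reach the gateway.

```powershell
# Added example (not Citrix code): report what a TLS or SSLv3 client negotiates with the
# Secure Gateway. $GatewayHost is an assumption.
$GatewayHost = 'gwy01.company.com'
$GatewayPort = 443

function Get-NegotiatedSecurity {
    param(
        [Parameter(Mandatory=$true)][string]$TargetHost,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocols = 'Tls'
    )
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        # Certificate validation stays on: a handshake that fails because the chain is untrusted
        # is a finding in its own right, not something to suppress.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocols, $false)
        New-Object PSObject -Property @{
            Protocol    = $ssl.SslProtocol
            Cipher      = $ssl.CipherAlgorithm      # Rc4 = COM suites, TripleDes = GOV suite
            CipherBits  = $ssl.CipherStrength
            Hash        = $ssl.HashAlgorithm         # Md5 or Sha1 for the suites listed above
            KeyExchange = $ssl.KeyExchangeAlgorithm
        }
    }
    finally { $client.Close() }
}

# 1. What a TLSv1-capable user device gets.
$tls = Get-NegotiatedSecurity -TargetHost $GatewayHost -Port $GatewayPort -Protocols Tls
$tls | Format-List Protocol, Cipher, CipherBits, Hash, KeyExchange
if ($tls.Cipher -eq 'Rc4' -or $tls.Hash -eq 'Md5') {
    Write-Warning 'A COM (RC4) suite was negotiated. With ALL selected the gateway prefers COM; choose GOV if every user device supports it.'
}

# 2. The gateway should refuse an SSLv3-only client when it is set to TLS only.
#    On current .NET builds SSLv3 can be disabled on the client side as well, in which case the
#    exception type shows a local NotSupportedException rather than a refusal by the gateway.
try {
    $ssl3 = Get-NegotiatedSecurity -TargetHost $GatewayHost -Port $GatewayPort -Protocols Ssl3
    Write-Warning ("SSLv3 accepted with {0}; the secure protocol setting is not TLS only." -f $ssl3.Cipher)
}
catch {
    Write-Host "SSLv3 handshake failed ($($_.Exception.GetType().Name)), as expected for a TLS-only gateway."
}
```

Run the script once before and once after changing the secure protocol or cipher suite setting (and restarting the Secure Gateway); the difference in the two outputs is the evidence that the change took effect.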
Typically, you would exclude dynamic IP addresses. When a dynamic IP address changes, new connections are not accepted on that address and the service can fail to start when the server is restarted.
- Select this option to enable the Secure Gateway/Secure Gateway Proxy to establish connections to any server within the DMZ or secure network. Click Next to continue.
- Select this option when configuring the Secure Gateway in a double-hop environment. It is not available when configuring the Secure Gateway Proxy. See To configure servers running the Secure Gateway Proxy. Select the Secure traffic between the Secure Gateway and the Secure Gateway Proxy check box to use HTTPS to secure communications between them.
- Select this option to create an access control list for the Secure Gateway/Secure Gateway Proxy. An access control list restricts the Secure Gateway/Secure Gateway Proxy to establishing connections to servers specified in the list. Click Configure to specify the start and end IP address range for allowed connections. See To configure an access control list for outbound connections.
Note: In a double-hop DMZ, configure outbound access control lists on the Secure Gateway Proxy server only.
To configure an access control list for outbound connections
- Start address: Enter the IP address of a server that you want to add to the outbound access control list. When specifying an IP address range, enter the range's start IP address. If you use an IP address range for multiple servers running XenApp, be sure that the servers you specify offer the full range of applications that you want to be available.
- End address: Leave this field blank if you are creating an entry for a single server. Otherwise, enter the end address of the range.
- TCP port: Enter the TCP port used by the server(s). To allow connections to any port on a server, you can use the wild card asterisk character (*) in the TCP port field. You can use this wild card to allow one ACL entry for a range of IP addresses to permit connections using both the ICA and Common Gateway Protocol (CGP) protocols.
- Use default: Select this option to use the default port used by the server for the protocol selected.
- ICA: Select this option to allow ICA/SOCKS connections to the selected servers. Typically, you would use ICA for servers running Citrix XenApp that accept ICA/SOCKS connections. This option is not available to the Secure Gateway Proxy.
- CGP: Select this option to allow CGP connections to the selected servers. Typically, you would use CGP for servers running Citrix XenApp that accept CGP connections. CGP can provide session reliability if you enable session reliability on the selected servers. To allow CGP as well as ICA/SOCKS connections to the same servers, add a separate entry for each protocol. This option is not available to the Secure Gateway Proxy.
3 If you select the Server FQDN option, type or select the following information:
- FQDN: Enter the fully qualified domain name of the server to which the Secure Gateway Proxy allows access.
- TCP port: Enter the TCP port used by the server. To allow connections to any port on a server, you can use the wild card asterisk character (*) in the TCP port field.
- Secure traffic between the server and the Secure Gateway Proxy: Select this option to secure communications between the server and the Secure Gateway Proxy using SSL or TLS. When this option is not selected, the connection is not secured.
4 Click OK, then click Add to add another connection, or click OK to close the dialog box.
Install a server certificate on the server running the Secure Gateway Proxy
Secure Ticket Authority details (fields in the dialog): ID; TCP port; Use default; Secure traffic between the STA and the Secure Gateway.
Unlimited: Select this option to configure the Secure Gateway to support up to 1,920 concurrent client connections (250 connections are allocated to HTTP/S by default, leaving 1,670 ICA/CGP connections, including MAPI over CGP connections). The Secure Gateway stops accepting new connection requests if the number of concurrent client connections reaches 1,920. This setting overrides the value entered in Maximum connections.
Maximum connections: Specify the maximum number of concurrent ICA/CGP connections supported by the Secure Gateway. The Secure Gateway stops accepting new ICA/CGP connection requests when the number of concurrent connections equals the value entered in this field.
Indirect: To access the Web Interface, users enter the URL of the Secure Gateway. Users connect to the Secure Gateway, which routes the request to the Web Interface. If the Web Interface is installed on the same computer as the Secure Gateway, select the Installed on this computer check box (this option is not available in a double-hop environment). If you configure your firewall to permit connections to the Secure Gateway only, the Web Interface is not exposed to the Internet, which is preferable in some enterprises. Configuring indirect access can be economical if you deploy the Web Interface on the Secure Gateway server. In that case, all that is required is one SSL certificate, one public IP address, and one server.
Direct
2 If you do not select the Installed on this computer check box, type or select the following information in the Details area:
- FQDN: Enter the fully qualified domain name of the server running the Web Interface. If you selected Installed on this computer, this field is automatically populated with the value localhost.
- TCP port: Enter the port number the Secure Gateway should use when communicating with the Web Interface.
3 Select the Secure traffic between the Web Interface check box to configure the Secure Gateway to use HTTPS when communicating with the Web Interface.
- Fatal Events Only: Fatal error messages are logged when an operational failure prevents the Secure Gateway Proxy from starting. Select this option to log only fatal events.
- Error and Fatal Events: Error messages are logged when a partial failure, such as the Secure Gateway Proxy being out of memory, occurs. Select this option to log errors and fatal events.
- Warning, Error, and Fatal Events: Warning messages are logged when tickets time out, data packets are corrupted, and similar events occur. Select this option to log warnings, errors, and fatal events.
- All Events: All events are logged, including informational messages resulting from client connections. Select this option to log all events and errors. Selecting this option causes the Event Viewer window and event log to fill up rapidly.
2 Click Next.
- Session and connection information for the Web Interface that is currently running through the Secure Gateway. The sessions for the Web Interface have one connection per session.
- An instance of the Windows Performance Monitor containing performance statistics applicable to the Secure Gateway.
- Review this list to obtain detailed information regarding the status of client connections running through the Secure Gateway.
The Secure Gateway Management Console also provides access to the following:
- The Secure Gateway Configuration wizard
- The Secure Gateway Diagnostics tool
Viewing Session and Connection Information with the Secure Gateway Console
The Secure Gateway provides session and connection information in the Secure Gateway Management Console. For each session it shows:
- The IP address and port of the remote client.
- The current user associated with the session, if any.
- The network domain from which the current user is logged on.
- The time that this connection was established.
- The amount of time, in seconds, that has elapsed since this connection was established.
The information in the session information pane refreshes every five seconds. If you want to view details of a particular session, you may find it useful to turn off the automatic screen refresh feature.
1 To freeze the display, from the Session Information pane, right-click any session entry and select All Tasks > Freeze Display.
2 To resume, right-click any session entry and select All Tasks > Resume Display.
- Understand the workload on the Secure Gateway and the corresponding effect it has on system resources
- Observe changes and trends in workloads and resource usage so you can plan system sizing and failover
- Test changes in configuration or other tuning efforts by monitoring the results
- Diagnose problems and target components or processes for optimization
Performance statistics include the data throughput rate in bytes per second across CGP, HTTP/S, SOCKS, and total client connections through the Secure Gateway. The Successful counters indicate the number of user connections that have completed successfully since the Secure Gateway service was last started. Users can have multiple connections within each session. The Active counters indicate the number of active connections going through the Secure Gateway. The Secure Gateway System Monitor takes advantage of several of the features included in the Windows System Monitor, including customizing the display of counter information and saving counter data. You can use the System Monitor icons at the top of the pane or shortcut keys to customize the display. For a list of the shortcut keys, see the Windows System Monitor help. You can display the Windows Performance Monitor from the Secure Gateway Management Console. Citrix recommends that you monitor performance of the Secure Gateway as part of your administrative routine.
You can use the Secure Gateway performance statistics to troubleshoot connections to the Secure Gateway. For example:
- The Secure Gateway processor load might be too high because too many users are connected to the Secure Gateway server. Look at the total active connections to check how many users are connected.
- Users might not be able to launch their published applications because the Secure Gateway cannot connect to the XenApp servers. The failed backend connections counter is high if this is the problem.
1 Open the Secure Gateway Management Console.
2 In the tree view, select Secure Gateway Performance Statistics. Performance statistics for the Secure Gateway appear in the right pane.
3 Use the Windows Performance Console controls that appear at the top of the right pane to perform tasks such as switching views or adding counters.
Performance Counters Available for the Secure Gateway
Other counters (names only): CGP Successful Connections; Client Connect Time: Average (in ms); Client Connect Time: Longest (in ms); Connections/Second; Connections/Second: Peak; Connections: Peak Active.
Connections: Total Active
    The total number of client connections currently active.
Connections: Total Successful
    The total number of successful client connections. It is the sum of all successful connections for all protocols: CGP, HTTP/S, and SOCKS.
Connections: Pending
    Total number of client connection requests accepted, but not yet completed, by the Secure Gateway. Pending connections are still active and have not timed out or failed.
Failed Backend Connections
    The total number of backend connections that failed. Clients that successfully connect to the Secure Gateway may not successfully connect to backend servers, such as a Web server. These connections are not counted as part of the failed client connection count.
Failed Connections: Client Timed Out
    The total number of client connection requests that were accepted but timed out before completing the protocol handshake.
Failed Connections: General Client Error
    The total number of client connection requests that failed to connect to the Secure Gateway for any reason other than timing out or an SSL handshake error.
Failed Connections: SSL Client Handshake Error
    The total number of client connection requests that were accepted but did not successfully complete the SSL handshake.
Failed Connections: Total Client
    The total number of failed client connection requests. It is the sum of the Failed Connections: Client Timed Out, Failed Connections: SSL Client Handshake Error, and Failed Connections: General Client Error counters.
HTTP/S Active Connections
    The total number of HTTP/S connections currently active.
HTTP/S Bytes/Sec from Client
    The data throughput rate (bytes per second) from all clients connected to the Secure Gateway using the HTTP/S protocol.
HTTP/S Bytes/Sec to Client
    The data throughput rate (bytes per second) from the Secure Gateway to all connected clients using the HTTP/S protocol.
HTTP/S Kilobytes from Client
    The total number of kilobytes sent from all clients connected to the Secure Gateway using the HTTP/S protocol.
HTTP/S Kilobytes to Client
    The total number of kilobytes sent from the Secure Gateway to all connected clients using the HTTP/S protocol.
HTTP/S Peak Bytes/Sec from Client
    The highest data throughput rate (bytes per second) from all clients connected to the Secure Gateway using the HTTP/S protocol.
HTTP/S Peak Bytes/Sec to Client
    The highest data throughput rate (bytes per second) from the Secure Gateway to all connected clients using the HTTP/S protocol.
HTTP/S Successful Connections
    The total number of successful HTTP/S connections.
Kilobytes from Client
    The total number of kilobytes sent from all connected clients to the Secure Gateway.
Kilobytes to Client
    The total number of kilobytes sent from the Secure Gateway to all connected clients.
Peak Bytes/Sec from Client
    The highest data throughput rate (bytes per second) from all connected clients to the Secure Gateway.
Peak Bytes/Sec to Client
    The highest data throughput rate (bytes per second) from the Secure Gateway to all connected clients.
SOCKS Active Connections
    The total number of SOCKS client connections currently active.
SOCKS Bytes/Sec from Client
    The data throughput rate (bytes per second) from all clients connected to the Secure Gateway using the SOCKS protocol.
SOCKS Bytes/Sec to Client
    The data throughput rate (bytes per second) from the Secure Gateway to all connected clients using the SOCKS protocol.
SOCKS Kilobytes from Client
    The total number of kilobytes sent from all clients connected to the Secure Gateway using the SOCKS protocol.
SOCKS Kilobytes to Client
    The total number of kilobytes sent from the Secure Gateway to all connected clients using the SOCKS protocol.
SOCKS Peak Bytes/Sec from Client
    The highest data throughput rate (bytes per second) from all clients connected to the Secure Gateway using the SOCKS protocol.
SOCKS Peak Bytes/Sec to Client
    The highest data throughput rate (bytes per second) from the Secure Gateway to all connected clients using the SOCKS protocol.
SOCKS Successful Connections
    The total number of successful SOCKS connections.
SSL Handshake Time: Average
    Average length of time (in milliseconds) for an SSL handshake to complete.
SSL Handshake Time: Longest
    Length of time (in milliseconds) for the longest SSL handshake to complete.
SSL Handshakes/Sec
    Number of successful SSL handshakes per second.
SSL Handshakes/Sec: Peak
    Highest number of successful SSL handshakes per second.
SSL Handshakes: Pending
    Number of SSL handshakes currently in progress between a client and the Secure Gateway.
SSL Handshakes: Total
    Total number of SSL handshakes that completed successfully between a client and the Secure Gateway.
- A registry or configuration value is present.
- A registry or configuration value is missing.
- A communication check for the component passed.
- Failed check icon: A communication check for the component failed.
For any component marked with a warning or failed check icon, verify that you properly installed the component and provided all necessary configuration information.
Viewing the Secure Gateway Events The Secure Gateway error messages can be viewed using Windows Event Viewer. If a client is connected to the Secure Gateway and the Secure Gateway is restarted, the Secure Gateway does not generate service stop and service start event log messages. If a client is not connected and the Secure Gateway is restarted, Secure Gateway does generate these messages.
- Configuring Firewalls for the Secure Gateway
- Ensuring High Availability of the Secure Gateway
- Coordinating Keep-Alive Values Between the Secure Gateway and Citrix XenApp
- Improving Security of the Secure Gateway
- Preventing Indexing by Search Engines
- Impose any time-outs on ICA/SSL sessions, including idle, absolute, and data traffic time-outs
- Use the Nagle algorithm for ICA/SSL traffic
- Impose any other specific restrictions or filters on ICA/SSL traffic
Using Load Balancers and SSL Accelerator Cards with Secure Gateway Servers
Load balancing solutions available in the market today may feature built-in SSL accelerator cards. If you are using such a solution to load balance an array of servers running the Secure Gateway, disable the SSL acceleration for traffic directed at the servers running the Secure Gateway. Consult the load balancer documentation for details about how to do this. The presence of SSL accelerator cards in the network path before the server running the Secure Gateway means the data arriving at the Secure Gateway has already been decrypted. This conflicts with a basic function of the Secure Gateway, which is to terminate the SSL connection and decrypt the data itself before sending it to a Citrix XenApp server. The Secure Gateway does not expect non-SSL traffic and drops the connection.
Coordinating Keep-Alive Values Between the Secure Gateway and Citrix XenApp
If you enable TCP/IP keep-alive parameters on computers running Citrix XenApp, Citrix recommends that you modify the parameters on the server running the Secure Gateway in the same manner. In an environment containing the Secure Gateway, ICA and HTTP/S connections are routed through the Secure Gateway. TCP/IP keep-alive messages from the Citrix XenApp server to the remote client are intercepted, and responded to, by the server running the Secure Gateway. Similarly, TCP/IP keep-alive packets from the server running the Secure Gateway are sent only to the user device; the server running the Secure Gateway does not transmit keep-alives to the Citrix XenApp server. Setting the keep-alive values on the server running the Secure Gateway to match the values set on the Citrix XenApp server ensures that the server farm is aware of the client connection state and can either disconnect or log off from the connection in a timely manner.
Some organizations, including U.S. government organizations, require the use of government-approved cryptography to protect sensitive but unclassified data. The GOV cipher suite is SSL_RSA_WITH_3DES_EDE_CBC_SHA ({0x00,0x0A}).
You must restart the Secure Gateway to let configuration changes take effect.
- The Secure Gateway uses TLS Version 1 as the default
- Internet Explorer uses SSL Versions 2 and 3 as the default
You can restrict the Secure Gateway to accept only SSL Version 3 or TLS Version 1 connections. If you decide to change the default protocol setting on the Secure Gateway, modify the protocol settings on the client Web browser as well as the Gateway Client to match the protocol setting on the server running the Secure Gateway. Citrix recommends against changing the default setting for the secure protocol used by the Secure Gateway.
- Set appropriate ACLs on IIS to prevent unauthorized access to executable and script files. For instructions about locking down IIS, refer to current Microsoft product documentation and online resources available from the Microsoft Web site.
- Secure all the Secure Gateway components using SSL or TLS to ensure that data communications between all the Secure Gateway components are encrypted.
To maximize the security of the servers running the Secure Gateway components hosted by IIS, follow Microsoft security guidelines for locking down Internet Information Services on Windows Servers.
Client Connections Launched from IP Addresses in the Logging Exclusions List Fail
For security reasons, IP addresses configured in the logging exclusions list are not allowed to establish connections to the Secure Gateway. This measure blocks connections to the Secure Gateway that do not leave an audit trail. The logging exclusions list is designed to help keep the system log free of redundant data. Configure the IP address of load balancing devices in the Logging Exclusions list. Configuring an exclusions list enables the Secure Gateway to ignore polling activity from such devices and keeps the log free of this type of data.
Load Balancers Do Not Report Active Client Sessions if Connections Are Idle
Some load balancers stop reporting active client connections flowing through them if the connections are idle for a while, because of the way in which certain load balancers treat idle connections. Connections that are idle for a certain amount of time stop being represented as active connections in the load balancer's reporting tools even though the connections are still valid. Resolve this issue by modifying the keep-alive settings in the Windows registry on the server(s) running the Secure Gateway. If you load balance an array of servers running the Secure Gateway, decrease the keep-alive values to force packets to be sent after a period of session inactivity. For more information about configuring TCP/IP keep-alive settings, see Coordinating Keep-Alive Values Between the Secure Gateway and Citrix XenApp.
Performance Issues with Transferring Files Between a User Device and a Citrix XenApp Server
Users may experience performance issues with data transfer using client drive mapping on high bandwidth, high latency connections. As a workaround, you can optimize throughput by increasing the value of TcpWindowSize in the Windows registry of your server running the Secure Gateway.
Caution: Using the Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee resolution of problems resulting from the incorrect use of Registry Editor. Use Registry Editor at your own risk.
To modify this setting, edit the following Windows Registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpWindowS ize
Citrix recommends setting the value of TcpWindowSize to 0xFFFF (64K). Be aware that this change incurs higher system memory usage. Citrix recommends increasing physical system memory on the server running the Secure Gateway to suit the typical usage profile of the network.
Note that Microsoft documents TcpWindowSize as no longer supported by the TCP/IP stack in Windows Vista, Windows Server 2008 and later, which size the receive window through receive window auto-tuning instead. On Windows Server 2008 R2, confirm with netsh interface tcp show global that auto-tuning has not been disabled before expecting this registry change to have an effect.
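The registry work described in Coordinating Keep-Alive Values Between the Secure Gateway and Citrix XenApp, in Load Balancers Do Not Report Active Client Sessions if Connections Are Idle, and in this section, as an added example that is not part of the Citrix documentation. It reads the keep-alive values from a XenApp server, writes the same values on the Secure Gateway server, and then applies TcpWindowSize. KeepAliveTime and KeepAliveInterval are the standard Windows value names under Tcpip\Parameters (Windows uses 7,200,000 ms and 1,000 ms when they are absent); the server name is an assumption, and the remote read assumes WinRM is enabled on the XenApp server. Run it elevated on the Secure Gateway server.

```powershell
# Added example (not Citrix code). Run elevated on the Secure Gateway server.
$TcpParams    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$XenAppServer = 'xa01.company.com'   # assumption: a XenApp server whose keep-alive values are authoritative

function Get-TcpKeepAlive {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Reads KeepAliveTime / KeepAliveInterval (ms) from a server, falling back to the Windows
    # defaults when the values have never been set. Remote reads go over WinRM.
    $block = {
        $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
        $time = 7200000; $interval = 1000
        if ($p.KeepAliveTime -ne $null)     { $time     = [int]$p.KeepAliveTime }
        if ($p.KeepAliveInterval -ne $null) { $interval = [int]$p.KeepAliveInterval }
        New-Object PSObject -Property @{ ComputerName = $env:COMPUTERNAME; KeepAliveTime = $time; KeepAliveInterval = $interval }
    }
    if ($ComputerName -eq $env:COMPUTERNAME) { & $block } else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $block }
}

function Set-TcpDword {
    param([Parameter(Mandatory=$true)][string]$Name, [Parameter(Mandatory=$true)][uint32]$Value)
    # -Force overwrites an existing value; DWord is the type the TCP/IP driver reads for these entries.
    New-ItemProperty -Path $TcpParams -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# 1. Keep-alives: make the gateway match the farm so idle-session handling lines up on both sides.
$farm = Get-TcpKeepAlive -ComputerName $XenAppServer
$here = Get-TcpKeepAlive
if ($farm.KeepAliveTime -ne $here.KeepAliveTime -or $farm.KeepAliveInterval -ne $here.KeepAliveInterval) {
    Write-Host ("Keep-alive mismatch: {0} uses {1}/{2} ms, this server uses {3}/{4} ms; aligning." -f
        $farm.ComputerName, $farm.KeepAliveTime, $farm.KeepAliveInterval, $here.KeepAliveTime, $here.KeepAliveInterval)
    Set-TcpDword -Name 'KeepAliveTime'     -Value $farm.KeepAliveTime
    Set-TcpDword -Name 'KeepAliveInterval' -Value $farm.KeepAliveInterval
}

# 2. Receive window for client drive mapping over high-latency links (see the caution above).
Set-TcpDword -Name 'TcpWindowSize' -Value 0xFFFF
# The Windows Server 2008 R2 stack sizes the receive window by auto-tuning and is documented by
# Microsoft as no longer reading TcpWindowSize, so also make sure auto-tuning has not been turned off.
netsh interface tcp show global | Select-String 'Auto-Tuning'

Write-Host 'Restart the server for the TCP parameter changes to take effect.'
```

When the Secure Gateway servers sit behind a load balancer that drops idle connections from its reports, lower KeepAliveTime on the gateway rather than on the farm, and keep the two sides equal afterwards; the script's comparison makes a drift between them visible on the next run.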
Failed Client Connections to the Secure Gateway Result in Duplicate Entries in the Secure Gateway Log
You may find duplicate entries for client connection attempts in the Secure Gateway application and performance logs. Duplicate entries can occur in the following situations:
- SSL protocol mismatch between the user device and the server running the Secure Gateway
- The client automatically attempts to reconnect if the first connection attempt fails
The log entries are actually a record of client behavior. In these cases, the client attempts to reconnect if it fails the first time.
Placing the Secure Gateway Behind a Reverse Web Proxy Causes an SSL Error 4
If the Web Interface and the Secure Gateway are on the same server, it can create confusion if a reverse Web proxy is placed between the client and the Secure Gateway. Clients can communicate with the enterprise network using HTTPS but traffic for ICA/SSL is refused. When a combination of the Web Interface and the Secure Gateway is placed behind a reverse Web proxy server, users can log on using the Web Interface and enumerate application icons, which is all HTTP communications. When users launch a published application, they receive an SSL Error 4 because the ICA/SSL session is terminated by the reverse Web proxy, not by the Secure Gateway.
This graphic shows the incorrect placement of the Secure Gateway and Web Interface behind a reverse Web proxy. The Secure Gateway views the reverse Web proxy as a man in the middle that compromises the integrity of the ICA/SSL network stream. This causes the SSL handshake between the client and the Secure Gateway to fail. There are two possible solutions to correct this problem:
- Run the Secure Gateway parallel to the reverse Web proxy
- Use a network address translator (NAT) in place of the reverse Web proxy
This graphic shows the correct placement of the Secure Gateway, which is parallel to the reverse Web proxy. Placing the Secure Gateway parallel to the reverse Web proxy provides a secure solution. Security policies that are defined on the reverse Web proxy continue to affect all Secure Gateway users. To cross the Secure Gateway, users must first satisfy the reverse Web proxy and log on to the Web Interface to get a ticket from the STA. Any access control rules that are defined on the reverse Web proxy therefore also affect users who are trying to gain entry through the Secure Gateway.
This graphic shows the use of a network address translator instead of a reverse Web proxy. This approach has the disadvantage that some control must be sacrificed regarding the type of traffic that is permitted to cross the proxy. Incoming traffic must be routed directly to the Secure Gateway and the Web Interface without being decrypted, authenticated, or inspected. From a security standpoint, this is not much different from exposing the Secure Gateway server directly to the Internet. There is a logical SSL tunnel between the client and the Secure Gateway.
Understanding Cryptography
Cryptography is also used to authenticate the identity of a message source and to ensure the integrity of its contents. A message is encrypted using a cipher, an algorithm whose operation depends on a secret value called a key. The cipher scrambles the message so that it cannot be understood by anyone other than the sender and receiver. Only a receiver who has the key can decipher the original message, thus ensuring confidentiality. Cryptography allows the sender to include special information in the message that only the sender and receiver know. The receiver can authenticate the message by reviewing the special information. Cryptography also ensures that the contents of a message are not altered. To do this, the sender computes a hash function over the message and includes the result. A hash function produces a fixed-size value derived from the data, similar to the checksums found in communication protocols but designed so that it is infeasible to find two different inputs with the same value. When the data arrives at its destination, the receiver calculates the hash function. If the receiver's hash value is the same as the sender's, the integrity of the message is assured. In practice the hash is keyed (a message authentication code) or digitally signed, because an attacker who can alter a message in transit could otherwise simply recompute a plain hash over the altered contents.
Types of Cryptography
There are two main types of cryptography: secret key cryptography and public key cryptography.
In cryptographic systems, the term key refers to a numerical value used by an algorithm to alter information, making that information secure and visible only to individuals who have the corresponding key to recover the information.
- Secret key cryptography is also known as symmetric key cryptography. With this type of cryptography, both the sender and the receiver know the same secret value, called the key. Messages are encrypted by the sender using the key and decrypted by the receiver using the same key. This method works well if you are communicating with only a limited number of people, but it becomes impractical to exchange secret keys with large numbers of people. In addition, there is the problem of how you communicate the secret key securely.
- Public key cryptography, also called asymmetric encryption, uses a pair of keys for encryption and decryption. With public key cryptography, keys work in pairs of matched public and private keys. The public key can be freely distributed without compromising the private key, which must be kept secret by its owner. Because these keys work only as a pair, encryption performed with the public key can be decrypted only with the corresponding private key.
The following example illustrates how public key cryptography works:
Ann wants to communicate secretly with Bill. Ann encrypts her message using Bill's public key (which Bill made available to everyone) and sends the scrambled message to Bill. When Bill receives the message, he uses his private key to unscramble the message so that he can read it. When Bill sends a reply to Ann, he scrambles the message using Ann's public key. When Ann receives Bill's reply, she uses her private key to unscramble his message.
The major advantage asymmetric encryption offers over symmetric key cryptography is that senders and receivers do not have to exchange a secret key up front. Provided each private key is kept secret, and each party obtains the other's genuine public key (which is what digital certificates are for), confidential communication is possible using the public keys.
Bill wants to communicate secretly with Ann, so he obtains Anns public key. He also generates random numbers to use just for this session, known as a session key. Bill uses Anns public key to scramble the session key. Bill sends the scrambled message and the scrambled session key to Ann. Ann uses her private key to unscramble Bills message and extract the session key.
When Bill and Ann have successfully exchanged the session key, they no longer need public key cryptography; communication can take place using just the session key. In other words, public key encryption is used to send the secret key, and after the secret key is exchanged, communication takes place using secret key encryption. This solution offers the advantages of both methods: the speed of secret key encryption and the security of public key encryption.
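The session-key exchange above, written out as an added Go example that is not part of the original document: Bill wraps a random AES-256-GCM session key with Ann's RSA public key (RSA-OAEP) and encrypts the message under the session key; Ann's key pair and the sample message are constructed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what Bill sends to Ann: the session key scrambled with Ann's
// public key, plus the message scrambled with that session key.
type Envelope struct {
	WrappedSessionKey []byte // RSA-OAEP under the recipient's public key
	Nonce             []byte // per-message AES-GCM nonce
	Ciphertext        []byte // AES-256-GCM of the message, tag appended
}

// NewRecipient generates a public/private key pair (Ann's keys in the text).
func NewRecipient() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newGCM builds the symmetric cipher used once the session key is known.
func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is Bill's side: generate a fresh random session key, scramble it with
// Ann's public key, and encrypt the message with the fast symmetric cipher.
func Seal(recipientPub *rsa.PublicKey, message []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // used only for this session
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedSessionKey: wrapped,
		Nonce:             nonce,
		Ciphertext:        gcm.Seal(nil, nonce, message, nil),
	}, nil
}

// Open is Ann's side: unscramble the session key with the private key, then
// decrypt the message. Only the matching private key can unwrap the session
// key, and a ciphertext altered in transit fails the GCM tag check.
func Open(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedSessionKey, nil)
	if err != nil {
		return nil, errors.New("session key cannot be unwrapped with this private key")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("message altered or encrypted under a different session key")
	}
	return plaintext, nil
}

func main() {
	ann, err := NewRecipient()
	if err != nil {
		panic(err)
	}
	env, err := Seal(&ann.PublicKey, []byte("constructed sample message from Bill to Ann"))
	if err != nil {
		panic(err)
	}
	got, err := Open(ann, env)
	fmt.Printf("Ann recovered %q (error: %v)\n", got, err)
}
```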
Understanding Digital Certificates and Certificate Authorities
| Field | Description |
| Subject | The party that is identified by the certificate. |
| Period of validity | The certificate's start date and expiration date. |
| Public key | The subject's public key used to encrypt data. |
| Issuer's signature | The CA's digital signature on the certificate, used to guarantee its authenticity. |
A number of companies and organizations currently act as CAs, including VeriSign, Baltimore, Entrust, and their respective affiliates.
Certificate Chains
Some organizations delegate the responsibility for issuing certificates to resolve the issue of geographical separation between organization units, or that of applying different issuing policies to different sections of the organization. Responsibility for issuing certificates can be delegated by setting up subordinate CAs. The X.509 standard includes a model for setting up a hierarchy of CAs. In this model, the root CA is at the top of the hierarchy and has a self-signed certificate. The CAs that are directly subordinate to the root CA have CA certificates signed by the root CA. CAs under the subordinate CAs in the hierarchy have their CA certificates signed by the subordinate CAs.
This illustration shows the hierarchical structure of a typical digital certificate chain. CAs can sign their own certificates (that is, the certificates are self-signed) or have them signed by another CA. CAs with self-signed certificates are called root CAs; CAs whose certificates are signed by another CA are called subordinate or intermediate CAs.
If a server certificate is signed by a CA with a self-signed certificate, the certificate chain is composed of exactly two certificates: the end entity certificate and the root CA certificate. If a user or server certificate is signed by an intermediate CA, the certificate chain is longer. In the following figure, the first two elements are the end entity certificate (in this case, gwy01.company.com) and the certificate of the intermediate CA, in that order. The intermediate CA's certificate is followed by the certificate of its CA. This listing continues until the last certificate in the list is for a root CA. Each certificate in the chain attests to the identity of the previous certificate.
- Whether or not your organization is a CA, which is likely to be the case only in very large corporations
- Whether or not your organization has already established a business relationship with a public CA
- The fact that the Windows operating system includes support for many public Certificate Authorities
- The cost of certificates or the reputation of a particular public CA
Your organization provides corporate information so the CA can verify that your organization is who it claims to be. The verification process may involve other departments in your organization, such as accounting, to provide letters of incorporation or similar legal documents. Individuals with the appropriate authority in your organization are required to sign legal agreements provided by the CA.
The CA verifies your organization as a purchaser; therefore your purchasing department is likely to be involved. You provide the CA with contact details of suitable individuals whom they can call if there are queries.
Obtaining and Installing Server Certificates
When requesting a certificate, the greater the bit length, the higher the security. Citrix recommends that you select 1024 or higher. If you are specifying a bit length higher than 1024, ensure that the clients you deploy support it. For information about supported encryption strength on a user device, see the appropriate user device's documentation.
Part of an initial request for a certificate involves generating a public/private key pair that is stored on your server. Because the public key from this key pair is encoded in your certificate, loss of the key pair on your server renders your certificate worthless. Make sure you back up your key pair data on another computer, a floppy disk, or both.
Typically, the procedure for generating a key pair requires you to specify a password to encrypt the pair. The password prevents any person with access to the key pair data from extracting the private key and using it to decrypt SSL/TLS traffic to and from your server. Ensure that you store the password in a secure location.
When you import a certificate, you copy the certificate from a file that uses a standard certificate storage format to a certificate store for your computer account. Use the proper procedures or wizard as specified by your operating system to place certificates in the correct store on local computers. Do not attempt to import the server certificate file by double-clicking or right-clicking the certificate file within Windows Explorer. Doing so places the certificate in the certificate store for the current user, not the computer account.
SmartAuditor
SmartAuditor allows you to record the on-screen activity of any user's session, over any type of connection, from any server running XenApp. SmartAuditor records, catalogs, and archives sessions for retrieval and playback. SmartAuditor uses flexible policies to trigger recordings of XenApp sessions automatically. This enables IT to monitor and examine user activity in applications such as financial operations and healthcare patient information systems, demonstrating internal control and thus supporting regulatory compliance and successful security audits. Similarly, SmartAuditor also aids technical support by speeding problem identification and time-to-resolution.
Benefits
- Enhanced auditing for regulatory compliance. SmartAuditor allows organizations to record on-screen user activity for applications that deal with sensitive information. This is especially critical in regulated industries such as health care and finance, where compliance with personal information security rules is paramount. Trading applications and patient information systems are two prime examples.
- Powerful activity monitoring. SmartAuditor captures and archives screen updates, including mouse activity and the visible output of keystrokes, in secured video recordings to provide a record of activity for specific users, applications, and servers. Organizations that use SmartAuditor have a better chance of proving criminal intent, where it exists, by using video evidence combined with traditional text-based eDiscovery tools.
- Faster problem resolution. When users call with a problem that is hard to reproduce, help desk support staff can enable recording of user sessions. When the issue recurs, SmartAuditor provides a time-stamped visual record of the error, which can then be used for faster troubleshooting.
System Requirements for SmartAuditor
SmartAuditor Database
Supported Windows operating systems:
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2003 with Service Pack 2
- Microsoft Windows 2000 with Service Pack 4
Requirements:
- Microsoft SQL Server 2008 (Enterprise and Express editions)
- Microsoft SQL Server 2005 (Enterprise and Express editions) with Service Pack 2
- .NET Framework Version 3.5
SmartAuditor Server
Supported Windows operating system: Microsoft Windows Server 2008 R2.
Requirements:
- .NET Framework Version 3.5
- SSL, if the SmartAuditor Server uses HTTPS as its communications protocol. SmartAuditor uses HTTPS by default, which Citrix recommends.
- Microsoft Message Queuing (MSMQ), with Active Directory integration disabled and MSMQ HTTP support enabled
SmartAuditor Policy Console
Requirements:
- Microsoft IIS Management Console. Install it manually before installing the SmartAuditor Policy Console.
SmartAuditor Agent
Install the SmartAuditor Agent on every XenApp server on which you want to record sessions. Requirements:
- XenApp 6 for Windows Server 2008 R2 Platinum edition server software
- Microsoft Windows Server 2008 R2
- .NET Framework Version 3.5
- Microsoft Message Queuing (MSMQ), with Active Directory integration disabled and MSMQ HTTP support enabled
SmartAuditor Player
Supported Windows operating systems:
- The SmartAuditor Player requires .NET Framework Version 3.5.
- The update contained in Microsoft Knowledge Base article 961118 is required if you are using .NET Framework Version 3.5 and installing the SmartAuditor Player on the same computer as a XenApp server. Install the update after installing .NET Framework.
For optimal results, install SmartAuditor Player on a workstation with:
- Screen resolution of 1024 x 768
- Color depth of at least 32-bit
- Memory: 1GB RAM (minimum); additional RAM can improve performance on large files
SmartAuditor Agent. A component installed on each XenApp server to enable recording. It is responsible for recording session data.
SmartAuditor Server. A server that hosts:
- The Broker. An IIS 6.0+ hosted Web application that handles the search queries and file download requests from the SmartAuditor Player, handles policy administration requests from the SmartAuditor Policy Console, and evaluates recording policies for each XenApp session.
- The Storage Manager. A Windows service that manages the recorded session files received from each SmartAuditor-enabled computer running XenApp.
SmartAuditor Player. A user interface that users access from a workstation to play recorded XenApp session files.
This illustration shows the SmartAuditor components and their relationship with each other:
In the deployment example illustrated here, the SmartAuditor Agent, SmartAuditor Server, SmartAuditor Database, SmartAuditor Policy Console, and SmartAuditor Player all reside behind a security firewall. The SmartAuditor Agent is installed on a XenApp server. A second server hosts the SmartAuditor Policy Console, a third server acts as the SmartAuditor Server, and a fourth server hosts the SmartAuditor Database. The SmartAuditor Player is installed on a workstation. A client device outside the firewall communicates with the XenApp server on which the SmartAuditor Agent is installed. Inside the firewall, the SmartAuditor Agent, SmartAuditor Policy Console, SmartAuditor Player, and SmartAuditor Database all communicate with the SmartAuditor Server.
- Deploy the SmartAuditor Agent on a single XenApp server.
- Deploy the SmartAuditor Agent on multiple XenApp servers in a server farm.
Note: For this deployment scenario, ensure that you install SQL Server on the same computer as the SmartAuditor Server.
Security Recommendations
SmartAuditor is designed to be deployed within a secure network and accessed by administrators, and as such, is secure. Out-of-the-box deployment is designed to be simple and security features such as digital signing and encryption can be configured optionally. Communication between SmartAuditor components is achieved through Internet Information Services (IIS) and Microsoft Message Queuing (MSMQ). IIS provides the web services communication link between each SmartAuditor component. MSMQ provides a reliable data transport mechanism for sending recorded session data from the SmartAuditor Agent to the SmartAuditor Server. Consider these security recommendations when planning your deployment:
- Isolate servers running SmartAuditor components on a separate subnet or domain.
- Protect the recorded session data from users accessing other servers by installing a firewall between the SmartAuditor Server and other servers.
- Ensure servers running SmartAuditor components are physically secure. If possible, lock these computers in a secure room to which only authorized personnel can gain direct access.
- Strictly limit who is authorized to make recording policy changes and view recorded sessions.
- Install digital certificates, use the SmartAuditor file signing feature, and set up SSL communications in IIS.
- Use playback protection. Playback protection is a SmartAuditor feature that encrypts recorded files before they are downloaded to the SmartAuditor Player. By default, this option is enabled and is in the SmartAuditor Server Properties.
Installing Certificates
On the computer on which the SmartAuditor Server is installed, the IIS Web server sends its server certificate to the client when establishing an SSL connection from the SmartAuditor Agent, SmartAuditor Player, or SmartAuditor Policy Console. When receiving a server certificate, the SmartAuditor Agent, SmartAuditor Player, or Policy Console determines which Certificate Authority (CA) issued the certificate and whether the CA is trusted by the client. If the CA is not trusted, the certificate is declined and an error is logged in the Application Event log for the SmartAuditor Agent, or an error message appears to the user in the SmartAuditor Player or Policy Console.
A server certificate is installed by gathering information about the server and requesting a CA to issue a certificate for that server. You must specify the correct information when requesting a server certificate and ensure the server name is specified correctly. If the fully qualified domain name (FQDN) is used by connecting clients (SmartAuditor Agent, SmartAuditor Player, and Policy Console), the certificate information specified to the CA must use the FQDN of the server rather than the NetBIOS name. If you specify NetBIOS names, do not specify the FQDN when requesting a server certificate.
Install the server certificate into the local server's certificate store. Install the issuing CA certificate on each connecting client. Your organization may have a private CA that issues server certificates that you can use with SmartAuditor. If you are using a private CA, ensure each client device has the issuing CA certificate installed. Refer to Microsoft documentation about using certificates and certificate authorities. Alternatively, some companies and organizations currently act as public CAs, including VeriSign, Baltimore, Entrust, and their respective affiliates.
All certificates have an expiration date defined by the CA. To find the expiration date, check the properties of the certificate. Ensure certificates are renewed before the expiration date to prevent errors occurring in SmartAuditor. The SmartAuditor installation is configured to use HTTPS by default and requires that you configure the default Web site with a server certificate issued from a CA. If you need instructions for installing server certificates in IIS, consult your IIS documentation.
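The chain walk described under Certificate Chains and the client-side check above (is the issuing CA trusted, and does the name the client connects with match the name requested from the CA) as an added Go example built on the standard library; it is not Citrix code. It constructs a root CA, an issuing CA and a server certificate for gwy01.company.com (plus gwy02.company.com issued by the root directly, the two-certificate case), and shows a chain to a trusted root, a declined certificate when the issuing CA is not trusted, and the mismatch when a client connects by NetBIOS name to a certificate issued for the FQDN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn: self-signed when parent is nil (a root
// CA), otherwise signed by parent's key, so the parent attests to the new one.
func issue(cn string, isCA bool, dnsNames []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour), // period of validity
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              dnsNames,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// demoPKI is a constructed hierarchy: root CA -> issuing CA -> gwy01.company.com,
// plus gwy02.company.com issued by the root directly (a two-certificate chain).
type demoPKI struct {
	TrustedRoots   []*x509.Certificate // what the connecting client trusts
	Intermediates  []*x509.Certificate // sent by the server with its own certificate
	Leaf           *x509.Certificate
	RootSignedLeaf *x509.Certificate
}

func buildPKI() (*demoPKI, error) {
	root, rootKey, err := issue("Example Root CA", true, nil, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue("Example Issuing CA", true, nil, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue("gwy01.company.com", false, []string{"gwy01.company.com"}, inter, interKey)
	if err != nil {
		return nil, err
	}
	direct, _, err := issue("gwy02.company.com", false, []string{"gwy02.company.com"}, root, rootKey)
	if err != nil {
		return nil, err
	}
	return &demoPKI{[]*x509.Certificate{root}, []*x509.Certificate{inter}, leaf, direct}, nil
}

func pool(certs []*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool() // explicit trust only, never the system store
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// verifyChain is the connecting client's check: chain the end entity through
// the intermediates to a root the client trusts and match the name used to
// connect. Returns the chain length (2 root-issued, 3 with one intermediate)
// or the error that makes the client decline the certificate.
func verifyChain(leaf *x509.Certificate, intermediates, trustedRoots []*x509.Certificate, hostname string) (int, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool(trustedRoots), Intermediates: pool(intermediates), DNSName: hostname})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	pki, err := buildPKI()
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"gwy01.company.com", "gwy01"} { // FQDN vs NetBIOS name
		n, err := verifyChain(pki.Leaf, pki.Intermediates, pki.TrustedRoots, host)
		fmt.Printf("%-18s chain length %d, error: %v\n", host, n, err)
	}
}
```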
Scalability Considerations
Installing and running SmartAuditor requires few additional resources beyond what is necessary to run XenApp. However, if you plan to use SmartAuditor to record a large number of sessions or if the sessions you plan to record will result in large session files (for example, graphically intense applications), consider the performance of your system when planning your SmartAuditor deployment.
Hardware Recommendations
Consider how much data you will be sending to each SmartAuditor Server and how quickly the servers can process and store this data. The rate at which your system can store incoming data must be higher than the data input rate. To estimate your data input rate, multiply the number of sessions recorded by the average size of each recorded session and divide by the period of time for which you are recording sessions. For example, you might record 5,000 Microsoft Outlook sessions of 20MB each over an 8-hour work day. In this case, the data input rate is approximately 3.5MBps. (5,000 sessions times 20MB divided by 8 hours, divided by 3,600 seconds per hour.) You can improve performance by optimizing the performance of a single SmartAuditor Server or by installing multiple SmartAuditor Servers on different computers.
Network Capacity
A 100Mbps network link is suitable for connecting a SmartAuditor Server. A gigabit Ethernet connection may improve performance, but does not result in 10 times greater performance than a 100Mbps link.
Ensure that network switches used by SmartAuditor are not shared with third-party applications that may compete for available network bandwidth. Ideally, network switches are dedicated for use with the SmartAuditor Server.
- A dual CPU or dual-core CPU is recommended
- A 64-bit processor architecture is recommended, but an x86 processor type is also suitable
- 2GB to 4GB of RAM is recommended
Database Scalability
The SmartAuditor Database requires Microsoft SQL Server 2005 or Microsoft SQL Server 2008. The volume of data sent to the database is very small because the database stores only metadata about the recorded sessions. The files of the recorded sessions themselves are written to a separate disk. Typically, each recorded session requires only about 1KB of space in the database, unless the SmartAuditor Event API is used to insert searchable events into the session.
The Express Editions of Microsoft SQL Server 2005 and Microsoft SQL Server 2008 impose a database size limit of 4GB. At 1KB per recorded session, the database can catalog about four million sessions. Other editions of Microsoft SQL Server have no database size restrictions and are limited only by available disk space. As the number of sessions in the database increases, database performance and search speed diminish only negligibly.
If you are not making customizations through the SmartAuditor Event API, each recorded session generates four database transactions: two when recording starts, one when the user logs on to the session being recorded, and one when recording ends. If you use the SmartAuditor Event API to customize sessions, each searchable event recorded generates one transaction. Because even the most basic database deployment can handle hundreds of transactions per second, the database is unlikely to be stressed by this processing load. The impact is light enough that the SmartAuditor Database can run on the same SQL Server as other databases, including the XenApp data store database.
If your SmartAuditor deployment requires many millions of recorded sessions to be cataloged in the database, follow Microsoft guidelines for SQL Server scalability.
To enable SmartAuditor components to communicate with each other, ensure you install them in the same domain or across trusted domains that have a transitive trust relationship. The system cannot be installed into a workgroup or across domains that have an external trust relationship.
SmartAuditor does not support the clustering of two or more SmartAuditor Servers in a deployment.
Due to its intense graphical nature and memory usage when playing back large recordings, Citrix does not recommend installing the SmartAuditor Player as a published application.
The SmartAuditor installation is configured for SSL/HTTPS communication. Ensure that you install a certificate on the SmartAuditor Server and that the root certificate authority (CA) is trusted on the SmartAuditor components.
If you install the SmartAuditor Database on a stand-alone server running SQL Server 2005 Express Edition or SQL Server 2008 Express Edition, the server must have the TCP/IP protocol enabled and the SQL Server Browser service running. These settings are disabled by default, but they must be enabled for the SmartAuditor Server to communicate with the database. See the Microsoft documentation for information about enabling these settings.
Consider the effects of session sharing when planning your SmartAuditor deployment. Session sharing for published applications can conflict with SmartAuditor recording policy rules for published applications. SmartAuditor matches the active policy with the first published application that a user opens. After the user opens the first application, any subsequent applications opened during the same session continue to follow the policy that is in force for the first application. For example, if a policy states that only Microsoft Outlook should be recorded, recording commences when the user opens Outlook. However, if the user then opens a published Microsoft Word (while Outlook is running), Word is also recorded. Conversely, if the active policy does not specify that Word should be recorded, and the user launches Word before Outlook (which should be recorded, according to the policy), Outlook is not recorded.
Pre-Installation Checklist
Before you start the installation, ensure that you completed this list:
- Selected the computers on which to install each SmartAuditor component and ensured that each computer meets the hardware and software requirements for the component or components to be installed on it.
- If you use the SSL protocol for communication between the SmartAuditor components, installed the correct certificates in your environment.
- Installed any hotfixes required for the SmartAuditor components. The hotfixes are available from the Citrix Knowledge Center.
To install SmartAuditor
Use the Autorun to install SmartAuditor components.
If you are installing all the Administration components on the same server, accept localhost in the Accessing user account for computer or localhost field.
If you are installing the SmartAuditor Server and the SmartAuditor Database on different servers, type the name of the computer hosting the SmartAuditor Server in the following format: domain\machine-name$. Ensure that the dollar symbol ($) follows the name.
5. Follow the wizard's instructions to complete the installation.
The SmartAuditor Player is installed on one or more workstations for users who view session recordings.
1. On the installation media, click autorun.exe. The Autorun menu launches.
2. Select Manually install components > Server Components > Miscellaneous > SmartAuditor > SmartAuditor Player.
3. Use the installation wizard to install SmartAuditor Player.
After installing SmartAuditor, configure the components for your environment so you can record and play XenApp sessions.
To uninstall SmartAuditor
To remove SmartAuditor components from a server or workstation, use the uninstall or remove programs capability available through the Windows Control Panel.
Automating Installations
To install the SmartAuditor Agent on multiple servers, write a script that uses silent installation. The following command line installs the SmartAuditor Agent and creates a log file to capture the install information:
msiexec /i SmartAuditorAgent.msi smartauditorservername=yourservername smartauditorbrokerprotocol=yourbrokerprotocol smartauditorbrokerport=yourbrokerport /l*v yourinstallationlog /q
where:
- yourservername is the NetBIOS name or FQDN of the computer hosting the SmartAuditor Server. If not specified, this value defaults to localhost.
- yourbrokerprotocol is either HTTP or HTTPS, and represents the protocol that the SmartAuditor Agent uses to communicate with the SmartAuditor Broker; this value defaults to HTTPS if not specified.
- yourbrokerport is an integer representing the port the SmartAuditor Agent uses to communicate with the SmartAuditor Broker. If not specified, this value defaults to zero, which directs the SmartAuditor Agent to use the default port number for the selected protocol: 80 for HTTP or 443 for HTTPS.
- /l*v specifies verbose mode logging.
- yourinstallationlog is the location of the setup log file created.
- /q specifies quiet mode.
- Authorize users to play recordings
- Change the active recording policy to one that records sessions
- Configure SmartAuditor Player to connect to the SmartAuditor Server
To configure SmartAuditor to play and record sessions
4. In the SmartAuditor Policy Console, expand Recording Policies. This displays the recording policies available when you install SmartAuditor, with a check mark indicating which policy is active:
- Do not record. This is the default policy. If you do not specify another policy, no sessions are recorded.
- Record everyone with notification. If you choose this policy, all sessions are recorded. A pop-up window appears notifying the user that recording is occurring.
- Record everyone without notification. If you choose this policy, all sessions are recorded. Users are unaware that they are being recorded.
5. Select the policy you want to make the active policy.
Note: SmartAuditor allows you to create your own recording policy. When you create recording policies, they appear in the Recording Policies folder within the SmartAuditor Policy Console.
- Player. Grants the right to view recorded XenApp sessions. There is no default membership in this role.
- PolicyQuery. Allows the servers hosting the SmartAuditor Agent to request recording policy evaluations. By default, authenticated users are members of this role.
- Policy Administrator. Grants the right to view, create, edit, delete, and enable recording policies. By default, administrators of the computer hosting the SmartAuditor Server are members of this role.
- Do not record. If you choose this policy, no sessions are recorded. This is the default policy; if you do not specify another policy, no sessions are recorded.
- Record everyone with notification. If you choose this policy, all sessions are recorded. A pop-up window appears notifying the user that recording is occurring.
- Record everyone without notification. If you choose this policy, all sessions are recorded. Users are unaware that they are being recorded.
- Do not record. (Choose Disable session recording within the rules wizard.) This recording action specifies that sessions that meet the rule criteria are not recorded.
- Record with notification. (Choose Enable session recording with notification within the rules wizard.) This recording action specifies that sessions that meet the rule criteria are recorded. A pop-up window appears notifying the user that recording is occurring.
- Record without notification. (Choose Enable session recording without notification within the rules wizard.) This recording action specifies that sessions that meet the rule criteria are recorded. Users are unaware that they are being recorded.
For each rule, choose at least one of the following to create the rule criteria:
- Users or Groups. You create a list of users or groups to which the recording action of the rule applies.
- Published Applications. You create a list of published applications to which the recording action of the rule applies. Within the rules wizard, choose the XenApp farm or farms on which the applications are available.
- Application Servers. You create a list of XenApp servers to which the recording action of the rule applies. Within the rules wizard, choose the XenApp farm or farms where the servers reside.
When you create more than one rule in a recording policy, some sessions may match the criteria for more than one rule. In these cases, the rule with the highest priority is applied to the session. The recording action of a rule determines its priority:
- Rules with the Do not record action have the highest priority
- Rules with the Record with notification action have the next highest priority
- Rules with the Record without notification action have the lowest priority
Some sessions may not meet any rule criteria in a recording policy. For these sessions, the recording action of the policy's fallback rule applies. The recording action of the fallback rule is always Do not record. The fallback rule cannot be modified or deleted.
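The rule priority and fallback behaviour described above, together with the session-sharing behaviour described under the planning considerations (the policy is matched against the first published application the user opens), as an added Go example that is not Citrix code. The OutlookOnly policy, the Auditors group and the server names are constructed, and the example assumes that when a rule sets more than one criterion type all of them must match, which this page does not state.

```go
package main

import "fmt"

// RecordingAction is ordered by priority: when a session matches several
// rules, the action with the lowest value wins.
type RecordingAction int

const (
	DoNotRecord               RecordingAction = iota // highest priority
	RecordWithNotification                           // next highest
	RecordWithoutNotification                        // lowest priority
)

var actionNames = [...]string{"Do not record", "Record with notification", "Record without notification"}

func (a RecordingAction) String() string { return actionNames[a] }

// Rule holds one recording action and at least one criterion. Assumption for
// this example: when several criterion types are set, all of them must match.
type Rule struct {
	Name          string
	Action        RecordingAction
	UsersOrGroups []string
	Applications  []string
	Servers       []string
}

// SessionStart is what the Agent knows when the first published application opens.
type SessionStart struct {
	User   string
	Groups []string
	App    string
	Server string
}

func containsAny(list []string, values ...string) bool {
	for _, item := range list {
		for _, v := range values {
			if item == v {
				return true
			}
		}
	}
	return false
}

func (r Rule) matches(s SessionStart) bool {
	if len(r.UsersOrGroups)+len(r.Applications)+len(r.Servers) == 0 {
		return false // a rule without criteria never applies
	}
	if len(r.UsersOrGroups) > 0 && !containsAny(r.UsersOrGroups, append([]string{s.User}, s.Groups...)...) {
		return false
	}
	if len(r.Applications) > 0 && !containsAny(r.Applications, s.App) {
		return false
	}
	return len(r.Servers) == 0 || containsAny(r.Servers, s.Server)
}

type Policy struct {
	Name  string
	Rules []Rule
}

// Evaluate applies the highest-priority matching rule; a session that matches
// no rule gets the fixed fallback rule, which is always Do not record.
func (p Policy) Evaluate(s SessionStart) (RecordingAction, string) {
	action, name, found := DoNotRecord, "fallback rule", false
	for _, r := range p.Rules {
		if r.matches(s) && (!found || r.Action < action) {
			action, name, found = r.Action, r.Name, true
		}
	}
	return action, name
}

// EvaluateSharedSession models session sharing: the policy is matched against
// the first published application opened, and later applications keep that decision.
func (p Policy) EvaluateSharedSession(user string, groups []string, server string, appsInOrder []string) RecordingAction {
	if len(appsInOrder) == 0 {
		return DoNotRecord
	}
	action, _ := p.Evaluate(SessionStart{User: user, Groups: groups, App: appsInOrder[0], Server: server})
	return action
}

// OutlookOnly is a constructed policy: record Outlook without notification,
// except for members of the constructed Auditors group, who are never recorded.
var OutlookOnly = Policy{Name: "Outlook only", Rules: []Rule{
	{Name: "Record Outlook", Action: RecordWithoutNotification, Applications: []string{"Microsoft Outlook"}},
	{Name: "Never record auditors", Action: DoNotRecord, UsersOrGroups: []string{"Auditors"}},
}}

func main() {
	for _, apps := range [][]string{{"Microsoft Outlook", "Microsoft Word"}, {"Microsoft Word", "Microsoft Outlook"}} {
		fmt.Printf("opens %s first: %s\n", apps[0], OutlookOnly.EvaluateSharedSession("alice", nil, "xa01", apps))
	}
}
```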
To modify a policy
1. Log on to the server where the SmartAuditor Policy Console is installed.
2. From the Start menu, choose All Programs > Citrix > SmartAuditor > SmartAuditor Policy Console.
3. If you are prompted by a Connect to SmartAuditor Server pop-up window, ensure that the name of the SmartAuditor Server, protocol, and port are correct. Click OK.
4. In the SmartAuditor Policy Console, expand Recording Policies.
5. Select the policy you want to modify. The rules for the policy appear in the right pane.
6. Add a new rule, modify a rule, or delete a rule:
- To add a rule, from the menu bar, choose Action > Add New Rule. If the policy is active, a pop-up window appears requesting confirmation of the action. Use the rules wizard to create a new rule.
- To modify a rule, select the rule you want to modify, right-click, and choose Properties. Use the rules wizard to modify the rule.
- To delete a rule, select the rule you want to delete, right-click, and choose Delete Rule.
To delete a policy
Note: You cannot delete a system policy or a policy that is active.
1. Log on to the server where the SmartAuditor Policy Console is installed.
2. From the Start menu, choose All Programs > Citrix > SmartAuditor > SmartAuditor Policy Console.
3. If you are prompted by a Connect to SmartAuditor Server pop-up window, ensure that the name of the SmartAuditor Server, protocol, and port are correct. Click OK.
4. In the SmartAuditor Policy Console, expand Recording Policies.
5. In the left pane, select the policy you want to delete. If the policy is active, you must activate another policy first.
6. From the menu bar, choose Action > Delete Policy.
7. Select Yes to confirm the action.
To activate a policy
1. Log on to the server where the SmartAuditor Policy Console is installed.
2. From the Start menu, choose All Programs > Citrix > SmartAuditor > SmartAuditor Policy Console.
3. If you are prompted by a Connect to SmartAuditor Server pop-up window, ensure that the name of the SmartAuditor Server, protocol, and port are correct. Click OK.
4. In the SmartAuditor Policy Console, expand Recording Policies.
5. Select the policy you want to make the active policy.
6. From the menu bar, choose Action > Activate Policy.
| Old policy | New policy | After a rollover the policy will be: |
| Do not record | Any other policy | No change. The new policy takes effect only when the user logs on to a new session. |
| Record without notification | Do not record | Recording stops. |
| Record without notification | Record with notification | Recording continues and a notification message appears. |
| Record with notification | Do not record | Recording stops. |
| Record with notification | Record without notification | Recording continues. No message appears the next time a user logs on. |
Note: When you install SmartAuditor, the active policy is Do not record (no sessions are recorded on any server). To begin recording, use the SmartAuditor Policy Console to activate a different policy.
- Use SmartAuditor Agent Properties to enable a setting on each server where you want to insert custom events. You must enable each server separately; you cannot globally enable all servers in a farm.
- Write applications built on the Event API that run within each user's XenApp session, to inject the data into the recording.
The SmartAuditor installation includes an event recording COM application (API) that allows you to insert text from third-party applications into a recording. You can use the API from many programming languages including Visual Basic, C++, or C#. The SmartAuditor Event API .dll is installed as part of the SmartAuditor installation. You can find it at C:\Program Files\Citrix\SmartAuditor\Agent\Bin\Interop.UserApi.dll.
- A digital signature cannot be assigned until recording is complete. If digital signing is enabled, you can view live playback sessions, but they are not digitally signed and you cannot view certificates until the session is completed.
- Playback protection cannot be applied until recording is complete. If playback protection is enabled, you can view live playback sessions, but they are not encrypted until the session is completed.
- You cannot cache a file until recording is complete.
By default, live session playback is enabled.
1 Log on to the computer hosting the SmartAuditor Server.
2 From the Start menu, choose All Programs > Citrix > SmartAuditor > SmartAuditor Server Properties.
3 In SmartAuditor Server Properties, click the Playback tab.
4 Select or clear the Allow live session playback check box.
You can create file storage directories on the local drive, the SAN volume, or a location specified by a UNC network path. Network mapped drive letters are not supported. Do not use SmartAuditor with Network-Attached Storage (NAS), due to serious performance and security problems associated with writing recording data to a network drive.
To specify where recordings are stored
4 In the Restore directory for archived files field, type the directory for the restored archive files.
- File size. When the file reaches the specified number of megabytes, SmartAuditor closes the file and opens a new one. By default, files roll over after reaching 50 megabytes; however, you can specify a limit from 10 megabytes to one gigabyte.
- Duration. After the session records for the specified number of hours, the file is closed and a new file is opened. By default, files roll over after recording for 12 hours; however, you can specify a limit from one to 24 hours.
SmartAuditor checks both limits and rolls over the file when whichever limit is reached first. For example, if you specify 17MB for the file size and six hours for the duration, and the recording reaches 17MB in three hours, SmartAuditor reacts to the 17MB file size, closes the file, and opens a new one. To prevent the creation of many small files, SmartAuditor does not roll over until at least one hour elapses (this is the minimum duration that you can enter), regardless of the value specified for the file size. The exception to this rule is if the file size surpasses one gigabyte.
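As an added example, not Citrix code, the rollover rule above as a small Python model: it applies the size-or-duration check, the one-hour minimum and the one-gigabyte exception, and predicts how a session of an assumed duration and data rate is split into files.

```python
"""Model of the SmartAuditor recording-file rollover rule described above.

Added example, not Citrix code. It reproduces the documented rule: a file
closes when either the size limit or the duration limit is reached, but not
before one hour has elapsed, unless the file has grown past one gigabyte.
The session duration and data rate are assumed inputs, used to predict how
many files a session will produce.
"""

MIN_SIZE_MB, MAX_SIZE_MB = 10, 1024   # accepted file size limits (1024 MB = one gigabyte)
MIN_HOURS, MAX_HOURS = 1, 24          # accepted duration limits
HARD_CAP_MB = 1024                    # only this overrides the one-hour minimum


def validate_limits(size_limit_mb, duration_limit_hours):
    """Reject limits outside the ranges the SmartAuditor Server Properties dialog accepts."""
    if not MIN_SIZE_MB <= size_limit_mb <= MAX_SIZE_MB:
        raise ValueError(f"file size limit must be {MIN_SIZE_MB}-{MAX_SIZE_MB} MB")
    if not MIN_HOURS <= duration_limit_hours <= MAX_HOURS:
        raise ValueError(f"duration limit must be {MIN_HOURS}-{MAX_HOURS} hours")


def should_roll_over(file_mb, file_hours, size_limit_mb=50, duration_limit_hours=12):
    """Return True when SmartAuditor would close the current file and open a new one."""
    validate_limits(size_limit_mb, duration_limit_hours)
    if file_mb > HARD_CAP_MB:
        return True                   # exception: past one gigabyte, roll over immediately
    if file_hours < MIN_HOURS:
        return False                  # never roll over in the first hour (avoids many small files)
    return file_mb >= size_limit_mb or file_hours >= duration_limit_hours


def simulate_session(total_hours, mb_per_hour, size_limit_mb=50, duration_limit_hours=12):
    """Walk a session minute by minute; return (size_mb, hours) for each file it produces."""
    files = []
    file_minutes = 0
    for _ in range(int(total_hours * 60)):
        file_minutes += 1
        file_mb = mb_per_hour * file_minutes / 60
        if should_roll_over(file_mb, file_minutes / 60, size_limit_mb, duration_limit_hours):
            files.append((round(file_mb, 2), round(file_minutes / 60, 2)))
            file_minutes = 0
    if file_minutes:                  # the session ended before the last file rolled over
        files.append((round(mb_per_hour * file_minutes / 60, 2), round(file_minutes / 60, 2)))
    return files


if __name__ == "__main__":
    # The documented example: 17 MB / six hours, and the recording reaches 17 MB after three hours.
    print(should_roll_over(17, 3, size_limit_mb=17, duration_limit_hours=6))  # True, size wins
    print(simulate_session(total_hours=12, mb_per_hour=10))                    # default 50 MB / 12 h
```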
Viewing Recordings
Use SmartAuditor Player to view, search, and bookmark recorded XenApp sessions. If sessions are recorded with the live playback feature enabled, you can view sessions that are in progress, with a delay of a few seconds, as well as sessions that are completed. Sessions that have a longer duration or larger file size than the limits configured by your SmartAuditor administrator appear in more than one session file.
Note: A SmartAuditor administrator must grant users the right to access recorded XenApp sessions. If you are denied access to viewing sessions, contact your SmartAuditor administrator.
When SmartAuditor Player is installed, the SmartAuditor administrator typically sets up a connection between the SmartAuditor Player and a SmartAuditor Server. If this connection is not set up, the first time you perform a search for files, you are prompted to set it up. Contact your SmartAuditor administrator for setup information.
This illustration shows the SmartAuditor Player with callouts indicating its major elements. The functions of these elements are described throughout this chapter.
- Perform a search using the SmartAuditor Player. Recorded sessions that meet the search criteria appear in the search results area.
- Access recorded session files directly from your local disk drive or a share drive.
- Access recorded session files from a Favorites folder.
When you open a file that was recorded without a digital signature, a warning appears telling you that the origin and integrity of the file were not verified. If you are confident of the integrity of the file, click Yes in the warning pop-up window to open the file.
- Double-click the session
- Right-click and select Play
- From the SmartAuditor Player menu bar, select Play > Play
To open and play recordings
1 Log on to the workstation where SmartAuditor Player is installed.
2 From the Start menu, choose All Programs > Citrix > SmartAuditor > SmartAuditor Player.
3 Do any of the following:
- From the SmartAuditor Player menu bar, select File > Open and browse for the file
- Using Windows Explorer, navigate to the file and drag the file into the Player window
- Using Windows Explorer, navigate to and double-click the file
- If you created Favorites in the Workspace pane, select Favorites and open the file from the Favorites area in the same way you open files from the search results area
Using Favorites
Creating Favorites folders allows you to quickly access recordings that you view frequently. These Favorites folders reference recorded session files that are stored on your workstation or on a network drive. You can import and export these files to other workstations and share these folders with other SmartAuditor Player users.
Note: Only users with access rights to SmartAuditor Player can download the recorded session files associated with Favorites folders. Contact your SmartAuditor administrator for access rights.
To create a Favorites subfolder:
1 Log on to the workstation where SmartAuditor Player is installed.
2 From the Start menu, choose All Programs > Citrix > SmartAuditor > SmartAuditor Player.
3 In the SmartAuditor Player, select the Favorites folder in your Workspace pane.
4 From the menu bar, choose File > Folder > New Folder. A new folder appears under the Favorites folder.
5 Type the folder name, then press Enter or click anywhere to accept the new name.
Use the other options that appear in the File > Folder menu to delete, rename, move, copy, import, and export the folders.
Enter a search criterion in the Search field. To assist you:
- Move the mouse pointer over the Search label to display a list of parameters to use as a guideline
- Click the arrow to the right of the Search field to display the text for the last 64 searches you performed
Use the drop-down list to the right of the Search field to select a period or duration specifying when the session was recorded.
4 Click the binocular icon to the right of the drop-down list to start the search.
- Common allows you to search by domain or account authority, server farm, group, zone, server, application, or file ID.
- Date/Time allows you to search by date, day of week, and time of day.
- Events allows you to search on custom events that your SmartAuditor administrator inserted into the sessions.
- Other allows you to search by session name, client name, client address, and recording duration. It also allows you to specify, for this search, the maximum number of search results displayed and whether or not archived files are included in the search.
As you specify search criteria, the query you are creating appears in the pane at the bottom of the dialog box.
Tip: You can save and retrieve advanced search queries. Click Save within the Advanced Search dialog box to save the current query. Click Open within the Advanced Search dialog box to retrieve a saved query. Queries are saved as files with an .isq extension.
- Use the player controls to play, stop, pause, and increase or decrease playback speed
- Use the seek slider to move forward or backward
If you have inserted markers into the recording or if the recorded session contains custom events, you can also navigate through the recorded session by going to those markers and events.
Note: During playback of a recorded session, a second mouse pointer may appear. The second pointer appears at the point in the recording when the user navigated within Internet Explorer 7.0 and clicked an image that was originally larger than the screen but was scaled down automatically by Internet Explorer 7.0. While only one pointer appears during the session, two may appear during playback.
Note: This version of SmartAuditor does not support SpeedScreen Multimedia Acceleration for Citrix Presentation Server. When this option is enabled, playback displays a black square.
Pause playback.
Stop playback. If you click Stop, then Play, the recording restarts at the beginning of the file.
To play recorded sessions
Halve the current playback speed down to a minimum of one-quarter normal speed.
Key | Seek action
Home | Seek to the beginning.
End | Seek to the end.
Right Arrow | Seek forward five seconds.
Left Arrow | Seek backward five seconds.
Move mouse wheel one notch down | Seek forward 15 seconds.
Move mouse wheel one notch up | Seek backward 15 seconds.
Ctrl + Right Arrow | Seek forward 30 seconds.
Ctrl + Left Arrow | Seek backward 30 seconds.
Page Down | Seek forward one minute.
Page Up | Seek backward one minute.
Ctrl + Move mouse wheel one notch down | Seek forward 90 seconds.
Ctrl + Move mouse wheel one notch up | Seek backward 90 seconds.
Ctrl + Page Down | Seek forward six minutes.
Ctrl + Page Up | Seek backward six minutes.
Note: To adjust the response of the seek slider: From the SmartAuditor Player menu bar, choose Tools > Options > Player and drag the slider to increase or decrease the seek response time. A faster response time requires more memory.
To insert a bookmark
1 Log on to the workstation where the SmartAuditor Player is installed.
2 From the Start menu, choose All Programs > Citrix > SmartAuditor > SmartAuditor Player.
3 Begin playing the recorded session to which you want to add a bookmark.
4 Move the seek slider to the position where you want to insert the bookmark.
5 Move the mouse pointer into the Player window area and right-click to display the menu.
6 Add a bookmark with the default label Bookmark or create an annotation:
- To add a bookmark with the default label Bookmark, choose Add Bookmark.
- To add a bookmark with a descriptive text label that you create, choose Add Annotation. Type the text label you want to assign to the bookmark, up to 128 characters. Click OK.
To delete a bookmark
1 Log on to the workstation where SmartAuditor Player is installed.
2 From the Start menu, choose All Programs > Citrix > SmartAuditor > SmartAuditor Player.
3 Begin playing the recorded session containing the bookmark.
4 Ensure that the events and bookmarks list is displaying bookmarks.
5 Select the bookmark in the events and bookmarks list and right-click to display the menu.
6 Choose Delete.
To go to an event or bookmark
Going to an event or bookmark causes the SmartAuditor Player to go to the point in the recorded session where the event or bookmark is inserted.
1 Log on to the workstation where the SmartAuditor Player is installed.
2 From the Start menu, choose All Programs > Citrix > SmartAuditor > SmartAuditor Player.
3 Begin playing a session recording containing events or bookmarks.
4 Go to an event or bookmark:
- In the area below the Player window, click the dot representing the event or bookmark to go to the event or bookmark.
- In the events and bookmarks list, double-click the event or bookmark to go to it.
- To go to the next event or bookmark, select any event or bookmark from the list, right-click to display the menu, and choose Seek to Bookmark.
- Scale to Fit (Fast Rendering) shrinks the image while providing a good quality image. Images are drawn more quickly than when using the High Quality option, but the images and text are not as sharp. Use this option if you are experiencing performance issues when using the High Quality mode.
- Scale to Fit (High Quality) shrinks the image while providing high quality images and text. Using this option may cause the images to be drawn more slowly than the Fast Rendering option.
- userprofile\Local Settings\Application Data\Citrix\SmartAuditor\Player\Cache on Microsoft Windows XP
- userprofile\AppData\Local\Citrix\SmartAuditor\Player\Cache on Microsoft Windows Vista
You can specify how much disk space is used for the cache. When the recordings fill the specified disk space, SmartAuditor deletes the oldest, least used recordings to make room for new recordings. You can empty the cache at any time to free up disk space.
To enable caching
1 Log on to the workstation where the SmartAuditor Player is installed.
2 From the Start menu, choose All Programs > Citrix > SmartAuditor > SmartAuditor Player.
3 From the SmartAuditor Player menu bar, choose Tools > Options > Cache.
4 Select the Cache downloaded files on local machine check box.
5 If you want to limit the amount of disk space used for caching, select the Limit amount of disk space to use check box and specify the number of megabytes to be used for cache.
6 Click OK.
To empty the cache
1 Log on to the workstation where the SmartAuditor Player is installed.
2 From the Start menu, choose All Programs > Citrix > SmartAuditor > SmartAuditor Player.
3 From the SmartAuditor Player menu bar, choose Tools > Options > Cache.
4 Select the Cache downloaded files on local machine check box.
5 In the SmartAuditor Player, choose Tools > Options > Cache.
6 Click Purge Cache, then OK to confirm the action.
Troubleshooting SmartAuditor
This troubleshooting information contains solutions to some issues you may encounter during and after installing SmartAuditor components:
- Components failing to connect to each other
- Sessions failing to record
- Problems with the SmartAuditor Player or SmartAuditor Policy Console
- Issues involving your communication protocol
Note: Check the application event log for errors and warnings.
- For HTTPS: https://servername/SmartAuditorBroker/RecordPolicy.rem?wsdl, where servername is the name of the computer hosting the SmartAuditor Server
- For HTTP: http://servername/SmartAuditorBroker/RecordPolicy.rem?wsdl, where servername is the name of the computer hosting the SmartAuditor Server
3 If you are prompted for NT LAN Manager (NTLM) authentication, log on with a domain administrator account.
If you see an XML document within your browser, this verifies that the computer running the SmartAuditor Agent is connected to the computer hosting the SmartAuditor Server using the configured protocol.

- For HTTPS: https://servername/SmartAuditorBroker/Player.rem?wsdl, where servername is the name of the computer hosting the SmartAuditor Server
- For HTTP: http://servername/SmartAuditorBroker/Player.rem?wsdl, where servername is the name of the computer hosting the SmartAuditor Server
3 If you are prompted for NT LAN Manager (NTLM) authentication, log on with a domain administrator account.
If you see an XML document within your browser, this verifies that the computer running the SmartAuditor Player is connected to the computer hosting the SmartAuditor Server using the configured protocol.

- For HTTPS: https://servername/SmartAuditorBroker/PolicyAdminstration.rem?wsdl, where servername is the name of the computer hosting the SmartAuditor Server
- For HTTP: http://servername/SmartAuditorBroker/PolicyAdminstration.rem?wsdl, where servername is the name of the computer hosting the SmartAuditor Server
3 If you are prompted for NT LAN Manager (NTLM) authentication, log on with a domain administrator account.
If you see an XML document within your browser, this verifies that the computer running the SmartAuditor Policy Console is connected to the computer hosting the SmartAuditor Server using the configured protocol.
- Invalid or missing certificates. If the server running the SmartAuditor Agent does not have a root certificate to trust the server certificate, it cannot trust and connect to the SmartAuditor Server over HTTPS, causing connectivity to fail. Verify that all components trust the server certificate on the SmartAuditor Server.
- Inconsistent naming. If the server certificate assigned to the computer hosting the SmartAuditor Server is created using a fully qualified domain name (FQDN), then all connecting components must use the FQDN when connecting to the SmartAuditor Server. If a NetBIOS name is used, configure the components with a NetBIOS name for the SmartAuditor Server.
- Expired certificates. If a server certificate has expired, connectivity to the SmartAuditor Server through HTTPS fails. Verify that the server certificate assigned to the computer hosting the SmartAuditor Server is valid and has not expired. If the same certificate is used for the digital signing of session recordings, the event log of the computer hosting the SmartAuditor Server provides error messages that the certificate expired or warning messages when it is about to expire.
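As an added example, not Citrix code, the three certificate checks above (trust, FQDN versus NetBIOS naming, expiry) in Python over the certificate fields that the standard library's getpeercert() returns; SAMPLE_CERT, the server name sarecorder.example.local and the issuer_trusted flag are constructed assumptions.

```python
"""Check a SmartAuditor Server certificate for the three HTTPS failure causes above.

Added example, not Citrix code. The certificate is given in the dict shape
that Python's ssl.SSLSocket.getpeercert() returns; SAMPLE_CERT below is a
constructed example. issuer_trusted is the result of the caller's own
trust-store check (for instance, whether the issuing CA's root certificate
is installed on the SmartAuditor Agent server).
"""
import ssl
from datetime import datetime, timezone


def cert_names(cert):
    """DNS names the certificate is issued to: subjectAltName entries, then the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def name_matches(configured_name, cert_name):
    """Case-insensitive hostname match; a leading wildcard label covers exactly one label."""
    wanted = configured_name.lower().rstrip(".")
    have = cert_name.lower().rstrip(".")
    if have.startswith("*."):
        return "." in wanted and wanted.split(".", 1)[1] == have[2:]
    return wanted == have


def diagnose(cert, configured_name, issuer_trusted, today=None):
    """Return a list of (cause, action) pairs; an empty list means all three checks pass.

    today is an ISO date string (YYYY-MM-DD) so results are reproducible; it
    defaults to the current UTC date.
    """
    now = (datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
           if today else datetime.now(timezone.utc))
    problems = []

    # Cause 1: the connecting component has no root certificate for the issuing CA.
    if not issuer_trusted:
        problems.append(("Invalid or missing certificates",
                         "install the issuing CA's root certificate on every component "
                         "that connects to the SmartAuditor Server over HTTPS"))

    # Cause 2: components use a NetBIOS name but the certificate carries the FQDN (or vice versa).
    names = cert_names(cert)
    if not any(name_matches(configured_name, n) for n in names):
        problems.append(("Inconsistent naming",
                         f"components connect to '{configured_name}' but the certificate is "
                         f"issued to {', '.join(names)}; use the same name form on both sides"))

    # Cause 3: the certificate has passed its notAfter date.
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if not_after <= now:
        problems.append(("Expired certificates",
                         f"certificate expired on {not_after:%Y-%m-%d}; renew it, and re-check "
                         "digital signing if the same certificate signs recordings"))
    return problems


# Constructed sample: an FQDN-only certificate that expires at the end of 2012.
SAMPLE_CERT = {
    "subject": ((("commonName", "sarecorder.example.local"),),),
    "subjectAltName": (("DNS", "sarecorder.example.local"),),
    "notAfter": "Dec 31 23:59:59 2012 GMT",
}

if __name__ == "__main__":
    for name, trusted, day in [("sarecorder.example.local", True, "2012-06-01"),
                               ("SARECORDER", True, "2012-06-01"),
                               ("sarecorder.example.local", False, "2013-03-01")]:
        print(name, day, diagnose(SAMPLE_CERT, name, trusted, today=day) or "OK")
```

The same checks apply to the "Could not establish a trust relationship for the SSL/TLS secure channel" exception described under the Agent and Player errors.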
The underlying connection was closed. Could not establish a trust relationship for the SSL/TLS secure channel.
This exception means that the SmartAuditor Server is using a certificate that is signed by a CA that the server on which the SmartAuditor Agent resides does not trust or does not have a CA certificate for. Alternatively, the certificate may have expired or been revoked.
Resolution: Verify that the correct CA certificate is installed on the server hosting the SmartAuditor Agent, or use a CA that is trusted.

The remote server returned an error: (403) forbidden.
This is a standard HTTPS error displayed when you attempt to connect using HTTP (nonsecure protocol). The computer hosting the SmartAuditor Server rejects the connection because it accepts only secure connections.
Resolution: Use SmartAuditor Agent Properties to change the SmartAuditor Broker protocol to HTTPS.

The SmartAuditor Broker returned an unknown error while evaluating a record policy query. Error code 5 (Access Denied). See the Event log on the SmartAuditor Server for more details.
This error occurs when sessions are started and a request for a record policy evaluation is made. The error is a result of the Authenticated Users group (this is the default member) being removed from the Policy Query role of the SmartAuditor Authorization Console.
Resolution: Add the Authenticated Users group back into this role, or add each server hosting a SmartAuditor Agent to the PolicyQuery role.

The underlying connection was closed. A connection that was expected to be kept alive was closed by the server.
This error means that the SmartAuditor Server is down or unavailable to accept requests. This could be due to IIS being offline or restarted, or the entire server may be offline.
Resolution: Verify that the SmartAuditor Server is started, IIS is running on the server, and the server is connected to the network.
- The Express Edition of Microsoft SQL Server 2005 or Microsoft SQL Server 2008 is installed on a stand-alone server and does not have the correct services or settings configured for SmartAuditor. The server must have the TCP/IP protocol enabled and the SQL Server Browser service running. See the Microsoft documentation for information about enabling these settings.
- During the SmartAuditor installation (administration portion), incorrect server and database information was given. Uninstall the SmartAuditor Database and reinstall it, supplying the correct information.
- The SmartAuditor Database Server is down. Verify that the server has connectivity.
- The computer hosting the SmartAuditor Server or the computer hosting the SmartAuditor Database Server cannot resolve the FQDN or NetBIOS name of the other. Use the ping command to verify that the names can be resolved.
Logon failed for user NT_AUTHORITY\ANONYMOUS LOGON. This error message means that the services are logged on incorrectly as .\administrator. Resolution: Restart the services as local system user and restart the SQL services.
- Component connectivity and certificates. If the SmartAuditor components cannot communicate with each other, session recordings can fail. To troubleshoot recording issues, verify that all components are configured correctly to point to the correct computers and that all certificates are valid and correctly installed.
- Non-Active Directory domain environments. SmartAuditor is designed to run in a Microsoft Active Directory domain environment. If you are not running in an Active Directory environment, you may experience recording issues. Ensure that all SmartAuditor components are running on computers that are members of an Active Directory domain.
- Session sharing conflicts with the active policy. SmartAuditor matches the active policy with the first published application that a user opens. Subsequent applications opened during the same session continue to follow the policy that is in force for the first application. To prevent session sharing from conflicting with the active policy, publish the conflicting applications on separate XenApp servers or disable session sharing. For instructions about how to disable session sharing, refer to the Citrix Knowledge Center. When disabling session sharing, consider that this can also affect the total number of sessions on a server, clipboard mapping, and session logon time.
- Recording is not enabled. By default, installing the SmartAuditor Agent on a XenApp server enables the server for recording. Recording will not occur until an active recording policy is configured to allow this.
- The active recording policy does not permit recording. For a session to be recorded, the active recording policy must permit the sessions for the user, server, or published application to be recorded.
- SmartAuditor services are not running. For sessions to be recorded, the SmartAuditor Agent service must be running on the XenApp server and the SmartAuditor Storage Manager service must be running on the computer hosting the SmartAuditor Server.
- MSMQ is not configured. If MSMQ is not correctly configured on the server running the SmartAuditor Agent and the computer hosting the SmartAuditor Server, recording problems may occur.
- Access denied error. An access denied error can occur if the user was not given permission to search for and download recorded session files. Resolution: Assign the user to the Player role using the SmartAuditor Authorization Console.
- Search for recorded session files failed. The underlying connection was closed. Could not establish a trust relationship for the SSL/TLS secure channel. This exception is caused by the SmartAuditor Server using a certificate that is signed by a CA that the client device does not trust or does not have a CA certificate for. Resolution: Install the correct or trusted CA certificate on the workstation where the SmartAuditor Player is installed.
- The remote server returned an error: (403) forbidden. This error is a standard HTTPS error that occurs when you attempt to connect using HTTP (nonsecure protocol). The server rejects the connection because, by default, it is configured to accept only secure connections. Resolution: From the SmartAuditor Player menu bar, choose Tools > Options > Connections. Select the server from the SmartAuditor Servers list, then click Modify. Change the protocol from HTTP to HTTPS.
Troubleshooting MSMQ
If your users see the notification message but the viewer cannot find the recordings after performing a search in the SmartAuditor Player, there could be a problem with MSMQ. Verify that the queue is connected to the SmartAuditor Server (Storage Manager) and use a Web browser to test for connection errors (if you are using HTTP or HTTPS as your MSMQ communication protocol).
To verify that the queue is connected:
1 Log on to the server hosting the SmartAuditor Agent.
2 View the outgoing queues.
3 Verify that the queue to the computer hosting the SmartAuditor Server has a connected state.
- If the state is waiting to connect, there are a number of messages in the queue, and the protocol is HTTP or HTTPS (corresponding to the protocol selected in the Connections tab in the SmartAuditor Agent Properties dialog box), perform Step 4.
- If the state is connected and there are no messages in the queue, there may be a problem with the server hosting the SmartAuditor Server. Skip Step 4 and perform Step 5.
4 If there are a number of messages in the queue, launch a Web browser and type the following address:
- For HTTPS: https://servername/msmq/private$/CitrixSmAudData, where servername is the name of the computer hosting the SmartAuditor Server
- For HTTP: http://servername/msmq/private$/CitrixSmAudData, where servername is the name of the computer hosting the SmartAuditor Server
If the page returns an error such as The server only accepts secure connections, change the MSMQ protocol listed in the SmartAuditor Agent Properties dialog box to HTTPS. Otherwise, if the page reports a problem with the Web site's security certificate, there may be a problem with a trust relationship for the SSL/TLS secure channel. In that case, install the correct CA certificate or use a CA that is trusted.
5 If there are no messages in the queue, log on to the computer hosting the SmartAuditor Server and view private queues. Select citrixsmauddata. If there are a number of messages in the queue (Number of Messages column), verify that the SmartAuditor StorageManager service is started. If it is not, restart the service.
Reference: Managing Your Database Records

Command | Description
archive | Archives the session recording files older than the retention period specified. Use this command to archive files.
dormant | Displays or counts the session recording files that are considered dormant. Dormant files are session recordings that were not completed due to data loss. Use this command to verify if you suspect that you are losing data. You can verify if the session recording files are becoming dormant for the entire database, or only recordings made within the specified number of days, hours, or minutes.
import | Imports session recording files into the SmartAuditor database. Use this command to rebuild the database if you lose database records. Additionally, use this command to merge databases (if you have two databases, you can import the files from one of the databases).
locate | Locates and displays the full path to a session recording file using the file ID as the criteria. Use this command when you are looking for the storage location of a session recording file. It is also one way to verify if the database is up-to-date with a specific file.
remove | Removes the references to session recording files from the database. Use this command (with caution) to clean up the database. Specify the retention period to be used as the criteria. You can also remove the associated physical file.
removeall | Removes all of the references to session recording files from the SmartAuditor Database and returns the database to its original state. The actual physical files are not deleted; however, you cannot search for these files in the SmartAuditor Player. Use this command (with caution) to clean up the database. Deleted references can be reversed only by restoring from your backup.
version | Displays the SmartAuditor Database schema version.

Option | Description
/l | Logs the results and errors to the Windows event log.
/f | Forces the command to run without prompts.
/s | Suppresses the copyright message.
/? | Displays help for the commands.
VM Hosted Apps
VM hosted apps allows you to deliver applications from virtual machines or physical computers, including blade servers, running Windows single-user desktop operating systems. Users access these applications through a Web browser, the Citrix online plug-in, or Citrix Receiver, just as they would applications hosted from XenApp servers running Remote Desktop Services. VM hosted apps allows you to deliver applications that otherwise must be installed locally or require extensive compatibility testing on XenApp servers. You can publish any Windows application as a VM-hosted application, but ideal candidates include applications that:
- Are incompatible with or not supported by Remote Desktop Services
- Require special hardware devices, such as USB, special keyboards, or biometric devices
- Consume large amounts of computing or graphics resources
- Require a single-user environment
To use VM hosted apps, you create a VM hosted apps site and populate it with desktop groups configured with applications you want to deliver. Users access these applications but have no direct access to the desktops. You give users access to these applications using the Web Interface. Although VM hosted apps cannot share a farm with XenApp servers, a VM hosted apps site can share a Web Interface site with XenApp server farms. Applications from VM hosted apps sites and XenApp farms appear the same to users.
- The XenApp licenses required for the VM hosted apps feature are included with XenDesktop 5 Enterprise edition and XenDesktop 5 Platinum edition.
- If you want to use VM hosted apps with a version of XenDesktop 5 that does not include XenApp licenses, you supply the XenApp licenses required.
- XenDesktop Controller. The XenDesktop Controller consists of services that authenticate users, manage the assembly of user virtual desktop environments, and broker connections between users and their virtual desktops. It controls the state of the desktops, starting and stopping them based on demand and administrative configuration.
- Desktop Studio. Provides wizards to guide you through the process of setting up your environment, creating your desktops, assigning desktops to users, and publishing applications on desktops.
- Virtual Desktop Agent. You install the Virtual Desktop Agent on the desktops in your VM hosted apps site. It manages communication between the desktops and the Controller and between the desktops and user devices.
- All application settings available when publishing applications from a XenApp server (except application limits) are available when publishing VM-hosted applications, including content redirection from the user device using file type association.
- Multiple applications can be hosted on the same desktop. Applications hosted on the same desktop are shared in the same session when a user accesses them, unless session sharing is disabled. Session sharing causes applications launched in the same session to launch faster than they would in separate sessions and allows you to publish a greater number of applications without using more desktops.
- Applications can be configured to launch on a private desktop if one is available; if no private desktop is available, the application launches from a shared desktop. This ensures users have access to the application even when no private desktop is available.
- Applications can be made available through Citrix Dazzle with high definition icons.
- This version of VM hosted apps uses XenDesktop 5 infrastructure; the previous version of VM hosted apps used XenDesktop 4 infrastructure. For key differences between XenDesktop 5 and XenDesktop 4, see What's New in XenDesktop 5 and Key Differences in XenDesktop 5.
Known Issues
- If session sharing is disabled using the SeamlessFlag value in the registry of a desktop hosting applications, attempts to launch a second application when another application is running might fail. [#236148]
- Session sharing might not work as expected if a user does not use the same browser to access the applications to be shared in a session. If a user accesses an application using Internet Explorer 8 and then accesses another application from the same VM hosted apps site using Firefox 3.5, the session might disconnect when the second application is launched and then reconnect with both applications running in the same session. [#234765]
- Applying the Enabled property to an application desktop group has no effect on the application's availability to users. Apply the Enabled property to the application itself to control its availability to users. [#234283]
For known issues for XenDesktop 5 that are not directly related to VM hosted apps, see these Known Issues.
Plan
- At least one XenDesktop Controller. Adding more controllers to your site increases failover and scalability.
- A database. By default, a database is created locally when you install the Controller, but you can choose to use a database on a separate server. All VM hosted apps site information is stored on the database; controllers communicate only with the database and not with each other.
- At least one Desktop Studio. By default, this is installed on servers on which you install the Controller, but you can install it on a separate computer if you want to manage your deployment remotely.
- Desktop Director (optional). This Web-based tool enables level-1 and level-2 IT Support staff to monitor a VM hosted apps deployment and perform day-to-day maintenance tasks. By default, this is installed on servers on which you install the Controller, but you can choose to install it on a separate computer.
- A domain controller running Active Directory. Active Directory is required for the XenDesktop infrastructure used by VM hosted apps. Do not install either XenDesktop or the SQL Server database on a domain controller. For more information on Active Directory, see Active Directory Considerations.
- Virtual machines or physical computers hosting desktops. These desktops deliver applications to users. You install the Virtual Desktop Agent on these machines to manage communications and broker connections.
- Web Interface. VM hosted apps requires the version of Web Interface provided with it. XenApp farms and VM hosted apps sites can share the same Web Interface site.
- Access to a Citrix license server. A VM hosted apps site can use its own license server or share one with other VM hosted apps sites and XenApp server farms.
- Separate them with firewalls
- Use separate hosting infrastructure and hypervisor pools
Secure the desktops in your VM hosted apps deployment as described in Security Planning for XenDesktop. When securing desktops for VM hosted apps:
- Users who are administrators can install software on the desktop even though VM hosted apps does not provide direct access to the desktop
- Time zone considerations apply to applications that display the time of day
- Keep in mind that VM hosted apps does not support thin clients
- For information on setting up and using XenServer, see the XenServer documentation
- For information on setting up and using Microsoft System Center Virtual Machine Manager 2008, see Using Microsoft System Center Virtual Machine Manager 2008 with XenDesktop
- For information on setting up and using VMware, see Using VMware with XenDesktop
Perform the VM hosted apps installation and setup tasks in this order:
1 Install the server-side components of XenDesktop needed for your VM hosted apps deployments.
2 Configure the VM hosted apps site.
3 After you have configured a site, you can add more controllers to it, if necessary.
4 To manage your deployment remotely, install Desktop Studio on additional computers.
5 Install the Virtual Desktop Agent on any base images, virtual desktops, and physical desktops that are part of your VM hosted apps deployment.
- XenDesktop Controller. The SDKs are automatically installed when you install the Controller.
- Desktop Studio. The SDKs are automatically installed when you install Desktop Studio. Desktop Studio configures the VM hosted apps site.
- Web Interface. VM hosted apps requires the version of Web Interface provided with it.
- Desktop Director. This Web-based tool enables level-1 and level-2 IT Support staff to monitor a VM hosted apps deployment and perform day-to-day maintenance tasks. Installation of Desktop Director is optional.
- License Server. A VM hosted apps site can use an existing license server.
Installing the server components requires local administration permissions. To install server components from the command line, see XenDesktopServerSetup.exe. The AutoSelect.exe file performs a wizard-based installation of some or all of these components, allowing you to select the components you want to install. By default, all components are selected. When AutoSelect.exe or XenDesktopServerSetup.exe installs the Web Interface:
- The Web Interface's software prerequisites are installed automatically
- Session sharing and workspace control are disabled by default
The Web Interface autorun provided with VM hosted apps does not install the software prerequisites or disable session sharing and workspace control.
- If you do not want AutoSelect.exe to install the Web Interface, clear Web Access.
- If you want to use an existing license server for your VM hosted apps deployment, clear License Server.
5 Accept the default install location or choose another one.
6 Manage firewall configuration. If the Windows firewall is detected, the necessary ports can be opened automatically for you. If another firewall is detected, you are told which ports you need to open manually.
7 Follow the prompts to complete the installations.
8 If you installed Desktop Studio, unless you clear Configure XenDesktop after closing on the last page of the installation wizard, Desktop Studio starts so that you can configure the VM hosted apps site. If Web Interface is not yet installed, install it before or after configuring the VM hosted apps site.
Repeat these steps to install server components on other servers.
Licensing the site. Specifying the edition of XenApp or XenDesktop for which you have licenses. Note: Use the XenDesktop SDK instead of Desktop Studio to configure the license edition for your VM hosted apps site if you are using VM hosted apps as a feature of XenDesktop, you want to deliver desktops and VM-hosted applications from the site, and your XenApp edition is different from your XenDesktop edition. Using the SDK, you can specify both a XenApp edition and a XenDesktop edition.
Setting up the site database. Important: If you plan to use an external database created manually, not created using Desktop Studio, ensure your database administrator uses the following collation setting when creating the database: Latin1_General_CI_AS_KS (where Latin1_General varies depending on the country; for example Japanese_CI_AS_KS). If this collation setting is not specified during database creation, subsequent creation of the XenDesktop service schemas within the database will fail, and an error similar to "<service>: schema requires a case-insensitive database" appears (where <service> is the name of the service whose schema is being created).
Providing information about your virtual infrastructure. If you are using XenServer, Citrix recommends using HTTPS to secure communication between XenDesktop and XenServer. To use HTTPS you must replace the default SSL certificate installed with XenServer with one from a trusted certificate authority.
To perform the initial configuration of your VM hosted apps site:
1 Start Desktop Studio if it has not started automatically after installation.
2 Select Application deployment.
3 Follow the prompts to complete the configuration. The wizard pages, and what to do on each, are:

Site
Enter a name for your VM hosted apps site.
Specify license server information:
- To configure a license server not installed on the XenDesktop Controller, specify the address as name:port, where name can be a DNS, NetBIOS, or IP address.
- To configure a license server installed on the XenDesktop Controller, specify the license file location.
If you configured a license server not installed on the XenDesktop Controller, specify the XenApp or XenDesktop edition for which you have licenses.
Choose whether you want to use the default database or an existing database:
- To use the locally installed copy of SQL Express to automatically create the site database on the controller on which you are working, select Use default database.
- To use an existing database, select Use specified database. The server location must be a DNS, NetBIOS, or IP address, without a port number.

Host
Specify the type of virtual infrastructure host (Citrix XenServer, Microsoft, or VMware) your VM hosted apps site will connect to, if any.
If you specified a virtual infrastructure host type, specify the address, user name, and password of the host.
If you specified XenServer as your host type, and High Availability is enabled on XenServer, you can select servers for High Availability configuration. Citrix recommends that you select all servers in the pool to allow communication between XenDesktop and XenServer if the pool master fails.
Specify whether you want to create virtual machines manually or use XenDesktop infrastructure to create virtual machines.
Enter a name for the connection between the VM hosted apps site and the virtual infrastructure host.

Resource
This page appears if you are configuring the site to use XenDesktop infrastructure to create virtual machines.
Add storage to use when creating virtual machines. If both local and shared storage are available on the hosting unit you must select a single type; you cannot mix them.
For each host:
- Specify the network the virtual machines reside on

4 To use Access Gateway, pass-through authentication, or smart card authentication with your VM hosted apps site, configure XenDesktop to trust XML services by running this PowerShell SDK command:

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

After you configure the site, you can add more XenDesktop Controllers. See To add a controller.
After the initial configuration, you can change licensing and host configuration settings by starting Desktop Studio and expanding the Desktop Studio > Configuration node.
Reconfigure the firewall. If the Windows firewall is detected, the necessary ports can be opened automatically for you. If another firewall is detected, you are told which ports you need to open manually. You can also request to have the necessary ports opened for desktop shadowing and Windows Remote Management.
If this installation is running in a VM on a hypervisor, select Optimize XenDesktop Performance to have the VM automatically optimized for use with VM hosted apps. Optimization involves actions such as disabling offline files, disabling background defragmentation, and reducing the event log size. For full information on the optimization tool, see the Citrix Knowledge Center. A summary of what is going to be installed appears.
5 When installation is complete the default is to restart the machine; you must do this for the changes to take effect.
Note: When you install the Virtual Desktop Agent, a new local user group for authorized RDP users is automatically created. The group is called Direct RDP Access Administrators. For further information on using protocols other than ICA, see the Citrix Knowledge Center.
VM hosted apps requires desktops and controllers to have synchronized system clocks. This is required by the underlying Kerberos infrastructure that secures the communication between the machines. You can use normal Windows domain infrastructure to ensure that the system time on all machines is correctly synchronized.
To add or remove components, use the Windows control panel. Select Citrix Virtual Desktop Agent. You can then select to add, remove, or reconfigure components, or to remove the Virtual Desktop Agent completely. The Reconfigure Components option enables you to update the site and port numbers.
- %Program Files%\Citrix\ICAService\picaSvc.exe requires inbound TCP on port 1494. Because this connection uses a kernel driver, you may need to configure this setting as a port exception rather than a program exception, depending on your firewall software. If you are running Windows Firewall, you must configure this setting as a port exception.
- %Program Files%\Citrix\ICAService\CitrixCGPServer.exe requires inbound TCP on port 2598.
Note: Citrix recommends that you do not use TCP ports 1494 and 2598 for anything other than ICA and CGP, to avoid the possibility of inadvertently leaving administrative interfaces open to attack. Ports 1494 and 2598 are correctly registered with the Internet Assigned Numbers Authority (see http://www.iana.org/).
For communication between controllers and virtual desktops:
- %Program Files%\Citrix\XenDesktop\WorkstationAgent.exe requires inbound HTTP (http.sys) on the TCP/IP port you configured at installation time. The default port is 80. Because this connection uses a kernel driver, you may need to configure this setting as a port exception rather than a program exception, depending on your firewall software. If you are running Windows Firewall, you must configure this setting as a port exception.
- Windows Remote Assistance requires ports TCP/135, TCP/3389, and DCOM. On Windows Vista and Windows 7 desktops you can configure these exceptions by enabling the built-in Remote Assistance exception. On Windows XP you must set additional exceptions:
  1 Enable the Remote Assistance exception.
  2 Add and enable the TCP 135 exception.
  3 Add and enable the "%systemroot%\PCHEALTH\HELPCTR\Binaries\helpsvc.exe" exception.
  4 See http://support.microsoft.com/kb/555179.
- Windows Remote Management requires the following ports:
  - TCP/80 for Windows Remote Management 1.1
  - TCP/5985 for Windows Remote Management 2.0
To deploy the Virtual Desktop Agent using Active Directory Group Policy Objects
If you are using Active Directory in your environment, you can deploy the Virtual Desktop Agent to all machines in a domain or Organizational Unit (OU) using Group Policy Objects (GPO).
1 Create a network share and copy the XDSAgent.msi file from the XenDesktop installation media to that share. Note that you must set permissions on that share to allow read access to the .msi file.
2 Create a new GPO for the Organizational Unit containing the computers on which you want to deploy the Virtual Desktop Agent.
3 Edit the GPO you created in Step 2 to add the XDSAgent.msi file, using the following guidelines:
- Enter the full Universal Naming Convention (UNC) path of the .msi file. For example, \\x-desktop-svr6\SoftwareInstall\XDSAgent.msi
- Choose Assigned as the deployment method
After you save the new GPO, the Virtual Desktop Agent is installed on computers within the specified OU the next time they are restarted.
- You can restart computers in the OU remotely by running the shutdown -r -m command.
- For more information about using Active Directory, see the Microsoft Active Directory documentation.
Note: If you deploy the Virtual Desktop Agent using GPO, you must also set the Site GUID using GPO. For more information, see http://support.citrix.com/article/CTX121493.
- HKLM\Software\Citrix\Metaframe Password Manager\Shell\OrigGinaDLL
2 Modify the registry entries so that the GINAs are called in the correct order:
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL should point to the XenDesktop GINA; for example, C:\Program Files\Citrix\ICAService\picaGina.dll
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CtxGinaDLL should point to the Password Manager GINA; for example, C:\Program Files\Citrix\MetaFrame Password Manager\SSOGina\SSOGina.dll
- Create and manage application desktop groups and the applications they host.
- Manage your XenDesktop Controller environment. See the XenDesktop topic Managing Your Controller Environment for information on controller discovery, adding controllers, removing controllers, moving controllers between sites, and configuring the Secure Sockets Layer.
- Configure hosts and connections. See the XenDesktop topic Configuring Hosts and Connections.
- Enable users to use smart cards. See the XenDesktop topic Using Smart Cards with XenDesktop. VM hosted apps does not support thin clients.
- Use Citrix policies to control users' access or session environment. See the XenDesktop topics Working with XenDesktop Policies and Policy Settings Reference.
- Monitor your VM hosted apps deployment. See the XenDesktop topic Monitoring XenDesktop 5.
Most VM hosted apps management tasks are performed using Desktop Studio or the XenDesktop SDK. To use the SDK, see the XenDesktop topic About the XenDesktop SDK.
Working With Machine Catalogs and Desktop Groups

- Are virtual machines created by XenDesktop when the catalog containing them is created
- Discard the user's changes when the user logs off
- Can be shut down and started by the XenDesktop Controller

- Are virtual machines created by XenDesktop when the catalog containing them is created
- Discard the user's changes when the user logs off
- Can be shut down and started by the XenDesktop Controller

- Are virtual machines created by XenDesktop when the catalog containing them is created
- Retain the user's changes when the user logs off
- Can be shut down and started by the XenDesktop Controller

Existing machines are used to create private desktop groups:
- Are virtual machines that already exist when the catalog containing them is created
- Are not used with Provisioning services
- Can be configured to retain or discard the user's changes when the user logs off
- Can be shut down and started by the XenDesktop Controller

- Enable you to use the XenDesktop Controller to manage dedicated blade PCs in the data center
- Can be configured to retain or discard the user's changes when the user logs off
- Cannot be shut down or started by the XenDesktop Controller

Streamed machines are used to create shared desktop groups:
- Are used with Provisioning services
- Can be configured to retain or discard the user's changes when the user logs off

When you create application desktop groups:
- You can create desktop groups from multiple catalogs with the same machine type
- You cannot create mixed desktop groups from catalogs with multiple machine types
- You cannot use a machine in more than one desktop group
- You can only create a desktop group if at least one machine remains unused in the catalog you select
- To enable or disable maintenance mode.
- To find desktops, sessions, and desktop groups. You can find applications by selecting the Applications node in Desktop Studio and searching for the application name.
- To power manage machines.
- To shut down and restart desktops.
- To reallocate desktops. You can reallocate machines in a desktop group and reallocate individual desktops, but not change the number of desktops allocated to a user.
- To import and export user data.
- To remove desktops from desktop groups.
- To delete desktops from catalogs.
To delete an application desktop group, first remove all applications from the desktop group. See To modify applications.
- Color depth
- Encryption
- Audio quality
- Domain name
- User name
- Farm name
- Special folder redirection
- Virtual COM port mapping
- Display size
- Client printer port mapping
- Client printer spooling
- EnableSessionSharing
- TWIDisableSessionSharing
Applications that require different values for these settings cannot share sessions. To help determine if applications are compatible with each other for session sharing, use the Get-BrokerSessionSharingIncompatibleApplication cmdlet in the XenDesktop SDK.
To create an application
1 In Desktop Studio, select the Applications node in the left pane and click Create Application.
2 Use the Create Application wizard to create the application. The wizard pages, and what to do on each, are:
Desktop groups: Select existing desktop groups or create new desktop groups to host the application.
Location: Specify the application executable file. Optional: Specify the command-line and working directory to locate the application.
Users: Specify users that can access the application.
Shortcut: Specify how shortcuts to the application appear to users:
- Select the icon displayed. Browse to the icon you want or accept the default icon.
- Optional: Specify a folder on the user device for the application shortcut, whether the shortcut appears on the user device Start menu and its location there, and whether it appears on the user device desktop.
- To allow connections through Citrix Access Gateway only, select Allow connections made through Access Gateway.
- To allow a subset of those Access Gateway connections, select Any connection that meets any of the following filters, define the Access Gateway farm, and specify the SmartAccess strings that define the allowed user access scenarios for the desktop group.
SmartAccess is a feature of Access Gateway. For more information, see the Access Gateway documentation.
Appearance: Specify the window size of the application (full screen, pixel size, or percent of display) and color depth.
Content redirection: Select the file types you want to associate with the application to redirect content from the user device. Note: If the file types you want are not displayed, update the file types from an available desktop that is in maintenance mode.
Multimedia: Choose whether to enable legacy audio for the application.
Resources: Set the application's CPU priority level and specify whether the application waits for printer creation on start-up.
Security: Specify whether the user device is required to use a secure ICA connection. Selecting this option means the user device must connect to the application with a minimum encryption level of 128-bit RC-5 encryption. If the user device does not use this level of encryption, the application fails to launch.
Name: Specify the name displayed to users for the application. Optional: Type a description or tip displayed to users. Set the application's availability and visibility to users.
To modify applications
Modifications made to an application might not take effect for users connected to the application until the users have logged off their sessions.
To add or remove users, click Edit Users. To remove users, select the users you no longer want to have access to the application and click Remove.
1 Locate the session:
- Select the Applications node, select the application for the session you want to log off or disconnect, and then select the Sessions tab.
- Use Search to locate the session.
2 Select the session or machine and click Log off or Disconnect.

1 Locate the session:
- Select the Applications node, select the application, select the Sessions tab, and then select the session for the user you want to send a message to.
- Use Search to locate the session, then select a session, desktop, or user.
2 Click Send message.
To use folders
1 To create a folder:
  a Select the Applications node or expand the node and select a folder within the node.
  b Click Create Folder.
2 To manage the folders and the applications:
- Select the folder or application and use the right-click menu.
- To copy a folder or application, drag and drop it.
- To move a folder or application, hold the Shift key while dragging and dropping it.
To use tags
In VM hosted apps, tags let you categorize applications in Desktop Studio.
Note: Tags used with VM hosted apps cannot be used to restrict access to machines or applications.
To add tags to an application or edit tags added to an application:
1 In Desktop Studio, select the Applications node in the left pane.
2 Select an application and click Edit tags.
- Create additional administrators for the site, if necessary. See the XenDesktop topic Delegating Administration Tasks. XenDesktop full administrators and assignment administrators can create and edit VM-hosted applications.
- Set up any general Citrix policies that you require, including policies for printing. See the XenDesktop topic Working with XenDesktop Policies for details of configuring policies.
- Configure USB support.
- Configure HDX technologies to optimize users' audio and multimedia experience. See Enhancing the User Experience With HDX.
- Configure time zone settings to allow users to see their local time when using applications that display a time of day. See the XenDesktop topic Configuring Time Zone Settings.
- Configure connection timers to provide appropriate durations for uninterrupted connections, idle sessions, and disconnected sessions. See the XenDesktop topic Configuring Connection Timers.
- Configure workspace control to enable users to roam between different user devices. See the XenDesktop topic Workspace Control in XenDesktop.
  - Workspace control is enabled by default if you installed the Web Interface using the Web Interface autorun.
  - Workspace control is disabled by default if you installed the Web Interface using AutoSelect.exe or XenDesktopServerSetup.exe.
  - If a user accesses a VM-hosted application from a desktop hosted from the same VM hosted apps site as that application, workspace control is not supported.
Note: Specialist keyboards and mice (for example, Bloomberg keyboards, and 3D mice) can be configured to use USB support. For more information, see http://support.citrix.com/article/ctx119722 in the Citrix Knowledge Center. By default, certain types of USB devices are not supported for remoting through VM hosted apps. For example, a user may have a network interface card attached to the system board by internal USB. Remoting this would not be appropriate. The following types of USB device are not supported by default for use in a VM hosted apps session:
- Bluetooth dongles
- USB network interface cards
- USB hubs
- USB graphics adaptors
USB support allows hosted applications access to USB devices that are connected to the user device. In environments where security separation between client and hosted application is needed, users should connect only appropriate USB devices. You can also set policies at the desktop group and user device that restrict the types of USB devices that will be made available to the hosted application. For information on all USB devices supported, see http://support.citrix.com/article/ctx119861 in the Citrix Knowledge Center. Double-hop USB is not supported. That is, if a user connects to a VM hosted apps session for a hosted desktop, the VM hosted apps session does not have USB support.
- Enable the USB policy rule, which is in the USB Devices Policy Settings section of the ICA Policy Settings.
- Enable USB support when you install the online plug-in on user devices.
- If necessary, update the range of USB devices supported. To do this, edit the administrator override rules in the Virtual Desktop Agent registry on the computers hosting the desktops. The range specified in the Virtual Desktop Agent must correspond exactly to the range specified on the client; if it does not, then only the devices allowed in both ranges are allowed.
  The product default rules are stored in:
  HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PortICA\GenericUSB
  Type=String Name="DeviceRules"
  Do not edit the product default rules.
  The administrator override rules are stored in:
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\PortICA\GenericUSB
  Type=String Name="DeviceRules"
  For details of the rules and their syntax, see http://support.citrix.com/article/ctx119722/ in the Citrix Knowledge Center.
  ADM files are included on the installation media to allow you to make changes to the client and the Virtual Desktop Agent through Active Directory Group Policy. The file for the client is dvd root \os\lang\Support\Configuration\icaclient_usb.adm and the file for the Virtual Desktop Agent is dvd root \os\lang\Support\Configuration\vda_usb.adm.
Name: HKEY_CURRENT_USER\Software\Citrix\ICA Client\USB\published application name\NewDevices
Type: REG_SZ
Value: Always or Never
Setting this key to "Always" enables USB support for USB devices that are connected to the user device while the application session is in progress.
published application name is the Desktop Group name in the VM Hosted Apps environment. Create this registry entry for each Desktop Group that supports USB devices.

Name: HKEY_CURRENT_USER\Software\Citrix\ICA Client\USB\published application name\ExistingDevices
Type: REG_SZ
Value: Always or Never
Setting this key to "Always" enables USB support for USB devices that are present on the user device when the application session begins.
- Edit the client registry (or the .ini files in the case of the Receiver for Linux). For information about how to do this, see the relevant client documentation. An ADM file is included on the installation media to allow you to make changes to the client through Active Directory Group Policy: dvd root \os\lang\Support\Configuration\icaclient_usb.adm.
- Edit the administrator override rules in the Virtual Desktop Agent registry on the computer(s) hosting the desktops. Information about how to do this is included in the rest of this section.
Device rules are enforced on both the client and the Virtual Desktop Agent, so you must make changes on both sides; otherwise devices may not be allowed through. An ADM file is included on the installation media to allow you to make changes to the Virtual Desktop Agent through Active Directory Group Policy: dvd root \os\lang\Support\Configuration\vda_usb.adm.
The product default rules are stored in:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PortICA\GenericUSB
Type=String Name="DeviceRules"
The default policy configuration is as follows:

DENY: class=02 # Communications and CDC-Control
DENY: class=09 # Hub devices
DENY: class=0a # CDC-Data
DENY: class=0b # Smartcard
DENY: class=e0 # Wireless controller
ALLOW: # Otherwise allow everything else

Do not edit the product default rules. The recommended way to change them is to use the GPO overrides described below, because these are evaluated before the default rules. The administrator override rules are stored in:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\PortICA\GenericUSB
Type=String Name="DeviceRules"
When you are creating new policy rules, refer to the USB Class Codes, available from the USB Web site at http://www.usb.org/.
Policy rules take the format {Allow:|Deny:} followed by a set of tag=value expressions separated by white space. The following tags are supported:
Tag        Description
VID        Vendor ID from the device descriptor
PID        Product ID from the device descriptor
REL        Release ID from the device descriptor
CLASS      Class from either the device descriptor or an interface descriptor
SUBCLASS   Subclass from either the device descriptor or an interface descriptor
PROT       Protocol from either the device descriptor or an interface descriptor

When creating new policy rules, be aware of the following:
- Rules are case-insensitive.
- Rules may have an optional comment at the end, introduced by #. A delimiter is not required, and the comment is ignored for matching purposes.
- Blank and pure comment lines are ignored.
- White space is used as a separator, but cannot appear in the middle of a number or identifier. For example, Deny: Class = 08 SubClass=05 is a valid rule; Deny: Class=0 Sub Class=05 is not.
- Tags must use the matching operator =. For example, VID=1230.
- Each rule must start on a new line or form part of a semicolon-separated list.

Important: If you are using the Administrative (ADM) template, you must create rules on a single line, as a semicolon-separated list.
This example shows a set of administrator-defined USB policy rules:

Allow: VID=1230 PID=0007 # ANOther Industries, ANOther Flash Drive
Deny: Class=08 SubClass=05 # Mass Storage
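The rule syntax is easy to get wrong in exactly the ways the notes above warn about (a space inside a tag, a rule that can never match because a broader one precedes it), and the product defaults allow mass storage unless an override denies it. The checker below is an added example, not Citrix code and not part of the product documentation: it parses DeviceRules text in either the one-rule-per-line or the semicolon-separated ADM form, then evaluates constructed sample devices against the administrator example above followed by the product defaults, in the order the text specifies (override rules first, first matching rule decides). The function names, the sample vendor and product IDs, and the treatment of a composite device (the class-level tags of one rule are matched against the device descriptor and then against each interface descriptor) are assumptions of this example.

```powershell
# Added example, not Citrix code: a checker for GenericUSB "DeviceRules" text.
# Administrator override rules (HKLM\SOFTWARE\Policies\Citrix\PortICA\GenericUSB)
# are evaluated before the product default rules (HKLM\SOFTWARE\Citrix\PortICA\
# GenericUSB); the first rule whose tags all match decides. Syntax handled:
# {Allow:|Deny:} tag=value ... [# comment], one rule per line or a
# semicolon-separated list, case-insensitive, spaces allowed around "=".

function ConvertFrom-UsbDeviceRules {
    param([string]$RuleText)
    $rules = @()
    foreach ($raw in ($RuleText -split '[\r\n;]')) {
        $line = ($raw -replace '#.*$', '').Trim()       # comment runs to the end of the rule
        if (-not $line) { continue }                    # blank or comment-only line
        if (-not ($line -match '^(allow|deny)\s*:\s*(.*)$')) {   # -match is case-insensitive
            throw "Malformed rule: '$raw'"
        }
        $action = $Matches[1].ToLowerInvariant()
        $body   = $Matches[2] -replace '\s*=\s*', '='   # "Class = 08" is legal; normalise it
        $conds  = @{}
        foreach ($tok in @($body -split '\s+' | Where-Object { $_ })) {
            # "Sub Class=05" arrives here as the token "Sub" and is rejected
            if (-not ($tok -match '^(vid|pid|rel|class|subclass|prot)=([0-9a-f]+)$')) {
                throw "Malformed tag '$tok' in rule: '$raw'"
            }
            $conds[$Matches[1].ToLowerInvariant()] = [Convert]::ToInt32($Matches[2], 16)
        }
        $rules += New-Object PSObject -Property @{ Action = $action; Conditions = $conds; Text = $line }
    }
    return $rules
}

function Test-UsbDevice {
    param(
        [hashtable]$Device,        # vid/pid/rel/class/subclass/prot of the device descriptor, plus
                                   # interfaces = @(@{class;subclass;prot}, ...) for composite devices
        [string]$AdminRules,       # override DeviceRules value (evaluated first)
        [string]$DefaultRules      # product default DeviceRules value
    )
    $ordered = @(ConvertFrom-UsbDeviceRules $AdminRules) + @(ConvertFrom-UsbDeviceRules $DefaultRules)
    # Assumption: the class-level tags of one rule are matched against a single
    # descriptor, trying the device descriptor first and then each interface.
    $descriptors = @(@{ class = $Device.class; subclass = $Device.subclass; prot = $Device.prot }) +
                   @($Device.interfaces | Where-Object { $_ })
    foreach ($rule in $ordered) {
        $c = $rule.Conditions
        $deviceLevelOk = $true
        foreach ($t in 'vid', 'pid', 'rel') {
            if ($c.ContainsKey($t) -and $Device[$t] -ne $c[$t]) { $deviceLevelOk = $false }
        }
        if (-not $deviceLevelOk) { continue }
        foreach ($d in $descriptors) {
            $classOk = $true
            foreach ($t in 'class', 'subclass', 'prot') {
                if ($c.ContainsKey($t) -and $d[$t] -ne $c[$t]) { $classOk = $false }
            }
            if ($classOk) {
                return New-Object PSObject -Property @{ Decision = $rule.Action; Rule = $rule.Text }
            }
        }
    }
    New-Object PSObject -Property @{ Decision = 'deny'; Rule = '(no rule matched)' }   # fail closed
}

# Product defaults exactly as documented above
$defaultRules = @'
DENY: class=02 # Communications and CDC-Control
DENY: class=09 # Hub devices
DENY: class=0a # CDC-Data
DENY: class=0b # Smartcard
DENY: class=e0 # Wireless controller
ALLOW: # Otherwise allow everything else
'@

# The administrator example above, in the single-line form the ADM template requires
$adminRules = 'Allow: VID=1230 PID=0007; Deny: Class=08 SubClass=05'

# Constructed sample devices; the vendor and product IDs are made up for this example
$devices = @{
    'approved flash drive' = @{ vid = 0x1230; pid = 0x0007; rel = 0x0100; class = 0x08; subclass = 0x05; prot = 0x50 }
    'other flash drive'    = @{ vid = 0x0abc; pid = 0x0001; rel = 0x0100; class = 0x08; subclass = 0x05; prot = 0x50 }
    'usb hub'              = @{ vid = 0x0abc; pid = 0x0002; rel = 0x0100; class = 0x09; subclass = 0x00; prot = 0x00 }
    'keyboard'             = @{ vid = 0x0abc; pid = 0x0003; rel = 0x0100; class = 0x03; subclass = 0x01; prot = 0x01 }
    # class 00 at device level: the real classes live in the interface descriptors
    'keyboard+storage'     = @{ vid = 0x0abc; pid = 0x0004; rel = 0x0100; class = 0x00; subclass = 0x00; prot = 0x00
                                interfaces = @(@{ class = 0x03; subclass = 0x01; prot = 0x01 },
                                               @{ class = 0x08; subclass = 0x05; prot = 0x50 }) }
}

foreach ($name in $devices.Keys) {
    $r = Test-UsbDevice -Device $devices[$name] -AdminRules $adminRules -DefaultRules $defaultRules
    '{0,-22} {1,-5} via "{2}"' -f $name, $r.Decision, $r.Rule
}
```

The approved drive is allowed by the VID/PID override, the other drive and the hub are denied (by the override and by the defaults respectively), the keyboard falls through to the final ALLOW, and the composite device is denied only because its storage interface is checked: its device descriptor is class 00, so a checker that looked at the device descriptor alone would let it through. To check the rules actually deployed on a Virtual Desktop Agent, read the two DeviceRules values with Get-ItemProperty from HKLM:\SOFTWARE\Policies\Citrix\PortICA\GenericUSB and HKLM:\SOFTWARE\Citrix\PortICA\GenericUSB and pass them in as the two rule strings.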
Feature                                     USB rule
Enabled by default                          No
Read-only access configurable               No
Safe to remove device during a session      Yes, provided users follow operating system recommendations for safe removal

If both client drive mapping and the USB rule are enabled, a mass storage device inserted before a session starts is redirected using client drive mapping first, before being considered for redirection through USB support. If it is inserted after a session has started, it is considered for redirection using USB support before client drive mapping. Automatic support of devices upon insertion, however, depends on the client being used and the individual user preferences; for further information, see the relevant client documentation.
XenApp Data Connector

Supported operating systems:
- Microsoft Windows Server 2008 (32-bit and 64-bit)
- Microsoft Windows Server 2008 R2

Requirements:
- Computer running the XenApp 6 PowerShell SDK
- Configuration Manager site server
- Power and Capacity Management Concentrator

Configuration Manager Console Extension

Supported operating systems:
- Microsoft Windows Server 2008 (32-bit and 64-bit)
- Microsoft Windows Server 2008 R2

Configuration Manager Console Extension requires Microsoft System Center Configuration Manager 2007 R2.
- Decide where to install XenApp Data Connector.
- Decide where to install Configuration Manager Console Extension. Configuration Manager Console Extension is installed on the same server as the Microsoft System Center Configuration Manager 2007 R2 console.
- Identify the Configuration Manager site server. Ensure that the SMS Provider for the Configuration Manager site is installed on this computer.
- Identify the computer you plan to use as your XenApp PowerShell host. This is the computer running the XenApp 6 PowerShell SDK that the XenApp Data Connector uses to manage XenApp servers and gather farm data. Ensure this computer is not managed by Power and Capacity Management.
- Identify a server running the Power and Capacity Management Concentrator that XenApp Data Connector will use to manage power states and load consolidation.
- Install PowerShell and enable PowerShell remoting on the servers you plan to use for the following:
  - XenApp Data Connector
  - XenApp PowerShell host
  - Configuration Manager site server
  - Power and Capacity Management Concentrator
  You can enable PowerShell remoting with the cmdlets Enable-PSRemoting and Set-ExecutionPolicy RemoteSigned, run in both the 32-bit and the 64-bit PowerShell windows.
- Enable XenApp Data Connector to communicate with the following servers by opening the default Windows Remote Management port, TCP 5985, on the firewalls or routers:
  - XenApp PowerShell host
  - Server running the Power and Capacity Management Concentrator
  - Configuration Manager site server
- Ensure that you have the following sets of credentials, which permit XenApp Connector to write data to Configuration Manager and XenApp farms:
  - Power and Capacity Management administrator credentials
  - Credentials required for Configuration Manager services and databases
  - Credentials for an account that can initiate remote PowerShell connections to the XenApp server, the Power and Capacity Management Concentrator, and the Configuration Manager site server

Configuration values required:
- Fully qualified domain names for the XenApp PowerShell host, the server running the Power and Capacity Management Concentrator, and the Configuration Manager site server
- Site code of the Configuration Manager site
- Credentials that permit XenApp Connector to write data to Configuration Manager and XenApp farms
- Advertisement processing interval, which is how often XenApp Connector checks the Configuration Manager database for new advertisements targeted at the XenApp farm
- XenApp farm sync interval, which is how often XenApp Connector updates the Configuration Manager database with new, changed, or removed XenApp farm servers
- XenApp publication interval, which is how often XenApp Connector checks the Configuration Manager database for new or updated publication information
- XenApp power-on interval, which is how long in advance offline servers are powered on to receive software updates
- Advertising wait settings, such as the number of days an advertisement waits before logging off connected users and the number of minutes after a maintenance notification message is sent until users are forced to log off
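The remoting prerequisites listed above (Enable-PSRemoting, RemoteSigned in both the 32-bit and 64-bit hosts, TCP 5985 reachable on the three servers, and an account that can open remote sessions) tend to fail silently until the connector's first synchronization. The script below is an added example, not part of the Citrix product or its documentation: Enable-ConnectorRemoting is run once on each server the XenApp Data Connector must reach, and Test-ConnectorTargets is then run on the connector host to prove that WinRM answers on 5985 and that the remoting account can actually run a command there. The function names, the host names, the connector address 10.0.0.10, the account name and the firewall rule name are placeholders.

```powershell
# Added example, not Citrix code. Run Enable-ConnectorRemoting on the XenApp
# PowerShell host, the Power and Capacity Management Concentrator and the
# Configuration Manager site server; run Test-ConnectorTargets on the
# XenApp Data Connector. Written for the PowerShell 2.0 on Windows Server 2008 R2.

function Enable-ConnectorRemoting {
    param([string]$ConnectorAddress)      # assumed IPv4 address of the XenApp Data Connector

    Enable-PSRemoting -Force              # starts WinRM, registers the HTTP listener on 5985 and
                                          # adds a firewall exception open to any address in the profile

    # The LocalMachine execution policy is stored separately for the 64-bit and the
    # 32-bit host (that is why the text says "32- and 64-bit windows"), so set both.
    Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
    $ps32 = Join-Path $env:windir 'SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    if (Test-Path $ps32) {
        & $ps32 -NoProfile -Command 'Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force'
    }

    # Narrow the exposure: admit 5985 only from the connector. The built-in WinRM rule
    # stays open to all; scope or disable it too if nothing else needs remoting here.
    netsh advfirewall firewall add rule name="WinRM from XenApp Connector" dir=in action=allow protocol=TCP localport=5985 "remoteip=$ConnectorAddress" | Out-Null

    Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys   # expect an HTTP listener
}

function Test-ConnectorTargets {
    param(
        [string[]]$Targets,                                       # FQDNs, as the prerequisites require
        [System.Management.Automation.PSCredential]$Credential    # the remoting account from the prerequisites
    )
    foreach ($fqdn in $Targets) {
        $winrm = $false; $remote = $null; $err = $null
        try {
            # Identify request on 5985: proves the listener is up and the port is open end to end
            Test-WSMan -ComputerName $fqdn -ErrorAction Stop | Out-Null
            $winrm = $true
            # A real session under the account: proves logon rights and shows the policy in force
            $remote = Invoke-Command -ComputerName $fqdn -Credential $Credential -ErrorAction Stop -ScriptBlock {
                '{0} PS{1} policy={2}' -f $env:COMPUTERNAME, $PSVersionTable.PSVersion.Major, (Get-ExecutionPolicy)
            }
        } catch {
            $err = $_.Exception.Message
        }
        New-Object PSObject -Property @{ Target = $fqdn; WinRM = $winrm; Remote = $remote; Error = $err }
    }
}

# Usage (placeholder values): on each target, then from the connector host
# Enable-ConnectorRemoting -ConnectorAddress '10.0.0.10'
# Test-ConnectorTargets -Targets 'xaps.corp.example', 'pcm.corp.example', 'cm.corp.example' `
#     -Credential (Get-Credential 'CORP\svc-xaconnector') | Format-Table Target, WinRM, Remote, Error -AutoSize
```

Keep using fully qualified names rather than IP addresses: with a name, WinRM authenticates with Kerberos and encrypts the message payload even though the 5985 listener is plain HTTP, whereas an IP address falls back to NTLM and needs TrustedHosts entries. On Windows Server 2008 R2 a remote session requires the connecting account to be a local administrator on the target by default; if you do not want the connector account to hold that right on the Configuration Manager site server, grant it Execute on the session configuration instead (Set-PSSessionConfiguration Microsoft.PowerShell -ShowSecurityDescriptorUI) so it stays the least-privileged account the prerequisites ask for.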
After installation, if you choose not to run the configuration wizard, you can do so later by running ConfigWizard.exe.
Enabling and Disabling Power and Capacity Management with XenApp Connector for Configuration Manager 2007 R2

XenApp Connector for Configuration Manager 2007 R2 uses the XenApp Power and Capacity Management feature to manage the power states and load consolidation of XenApp servers when sending Configuration Manager advertisements and installing applications. This enables XenApp Connector to install applications on servers managed by Power and Capacity Management with minimal disruption to user sessions. To allow Power and Capacity Management to manage power states and load consolidation of XenApp servers, XenApp Connector changes the servers' power controller preference and power control mode:

- If no advertisements are pending for a XenApp server, the server's power controller preference remains at 1, the default ranking for servers managed by Power and Capacity Management.
- When you designate an online XenApp server to receive an advertisement, XenApp Connector:
  - Changes the power controller preference to 5
  - Sets the server state to Maintenance just before the application is installed
  - Changes the power controller preference back to 1 and enables users to log in after advertisement processing completes
- When you designate an offline XenApp server to receive an advertisement, XenApp Connector:
  - Changes the power controller preference to 6
  - Sets the server state to Maintenance and the server control mode to Unmanaged for the duration of the maintenance window or the processing of all pending advertisements, whichever occurs first
  - Changes the power controller preference back to 1 after advertisement processing completes or the maintenance window closes
  The XenApp power-on interval, which is set when XenApp Connector is configured, determines how long in advance of processing advertisements offline servers are powered on.

XenApp Connector uses Power and Capacity Management to manage the installation of installed applications only and does not affect the deployment of Microsoft Application Virtualization (App-V) sequences.

Citrix recommends you document your current XenApp Power and Capacity Management server configuration before modifying it for XenApp Connector.
Uninstalling XenApp Connector removes the following items from the Configuration Manager console:
- XenApp Publications folder in Software Distribution
- XenApp Publication Container in Packages
- All folders named Programs for XenApp in the Programs folder in each package container

Refresh the Configuration Manager console to see the results of the uninstall. When you uninstall XenApp Connector, some items are not removed:
- Log files are not removed.
- Items are not removed from the Configuration Manager database. When you reinstall XenApp Connector, items that were visible in the Configuration Manager console are visible again.
A program for XenApp is not needed in the following cases:
- If the application can be installed without restarting the server
- For applications that require restarting the server, if you plan to place all servers in the farm into maintenance at the same time to install the application

Otherwise, after creating the software distribution package and program, create and advertise a program for XenApp for the application. This program for XenApp enables you to deploy the application in a way that manages XenApp user connections so that the application is installed without disrupting user sessions.

For Configuration Manager to manage a XenApp server, send it advertisements, and include it in publications, its information must be included in the Configuration Manager database.

Deploying Applications to XenApp servers

After creating a program for XenApp, advertise it to those XenApp servers on which you want to deploy it.

1. In the Configuration Manager console, expand the software distribution container for the application you want to deploy.
2. Within the Programs folder, right-click Program for XenApp for the program you want to advertise and select Advertise.
3. Select the collection of XenApp servers or worker groups on which you want to install the application.
4. To ensure users are not connected to the server during the installation, schedule the advertisement:
   a. Specify multiple mandatory assignments, one for each installation attempt. Create at least two mandatory assignments for each maintenance window.
   b. Select Rerun if failed previous attempt as the program rerun behavior.

Unlike other advertisements created in Configuration Manager, advertisements for XenApp have a timeout period after which XenApp Connector notifies users and logs them off. You set the timeout period when you configure XenApp Connector. To ensure that the last mandatory assignment logs users off and installs the application, make the period between the first and last mandatory assignments longer than the timeout period. For XenApp servers that are configured to allow XenApp Connector to use Power and Capacity Management to manage their power states and load consolidation, XenApp Connector changes the servers' power controller preference to drain user connections from targeted servers that have not processed the advertisement.
Whether the application you are publishing is an installed XenApp application or Microsoft Application Virtualization (App-V) sequence. Note: File type association is not supported for App-V sequences.
If you are certain that the application you are publishing is already installed on all the servers, specify a collection as the target. When you specify a collection as the target, the Connector configures all servers in the collection to give users access to the application. Using a collection as the target is best suited to publishing applications that are always installed on servers, such as Internet Explorer. If the application you are publishing may not already be installed on all servers, specify a package as the target. When you specify a package as the target, only after servers have processed the package advertisement and the application program do they give users access to the application. This ensures that users only access servers where the application is already installed.
Log file contents:
- Output of the XenApp Program and Package Service task
- Output of the XenApp Publication Service task
- Output of the XenApp and ConfigMgr Synchronization Service task

Maintaining Log Files

Log file                                            Contents
CitrixMsi-XAConfigMgrx32-(date & time) (32-bit)     MSI information
Citrix-XAConfigMgrSetup-(date & time)               Setup user interface information
Setup (date & time)                                 Setup user interface information
The XenApp Printing Optimization Pack:
- Adds settings to the Universal Printing Citrix policy setting that control image and font caching, limits and defaults for print quality and image compression, and users' ability to modify these settings
- Adds options to the Session printers Citrix policy setting that control default printer settings for session printers
- Adds options to the Printing driver mapping and compatibility Citrix policy setting that control default printer settings for mapped client printer drivers
- Adds dynamic printer discovery to automatically re-enumerate and update XenApp session printers after roaming to a different location, so that XenApp sessions no longer have to be relaunched. [#226929]
System Requirements

Server:

User devices:
- Citrix online plug-in 12.1 for Windows
- Windows 7 (Home Premium, Professional, Enterprise, and Ultimate editions), 32-bit and 64-bit editions
- Windows Vista (Home Premium, Business, Enterprise, and Ultimate editions), 32-bit and 64-bit editions
- Windows XP Professional, 32-bit and 64-bit editions
XenApp Printing Optimization Pack

1. Download the XenApp Printing Optimization Pack, XA6PrintPack.zip, from MyCitrix.com. This file contains:
   - XA600W2K8R2X64010.msp, which installs the XenApp Printing Optimization Pack printing functionality on the XenApp server
   - XenAppGPMX64.msi and XenAppGPMX86.msi, each of which installs an updated version of the Citrix XenApp Group Policy Management Experience, allowing you to view and edit the policy settings added by the XenApp Printing Optimization Pack
2. Copy the file to a shared folder on the network and extract the compressed file.
3. Save XenAppGPMX64.msi and XA600W2K8R2X64010.msp on the XenApp server on which you want to install the XenApp Printing Optimization Pack.
4. Run XA600W2K8R2X64010.msp.
5. To view and edit these policies using this server, run XenAppGPMX64.msi. To view and edit these policies using another server, install XenAppGPMX64.msi or XenAppGPMX86.msi on that server.
Universal printing EMF processing mode. Controls whether to inject the EMF spool file into the spooler on the user device or reprocess the EMF records on the client. By default, EMF records are spooled directly to the printer. Spooling directly to the printer allows the spooler to process the EMF records without prompting the user for additional information, minimizing the occurrence of illegible output.

Universal printing print quality limit. Specifies the maximum dots per inch (dpi) available for generating printed output in the session. By default, no limit is specified.

Universal printing image compression limit. Defines the maximum quality and the minimum compression level available for images printed with the Universal printer driver. By default, the image compression limit is set to Best Quality (lossless compression). If No Compression is selected, compression is disabled for EMF printing only. Compression is not disabled for XPS printing.

Universal printing optimization defaults. Specifies default settings for the Universal Printer when it is created for a session:
- Desired image quality. Controls the level of image compression. By default, Standard quality is selected.
- Enable heavyweight compression. Enables or disables reducing bandwidth beyond the compression level set by Desired image quality, without losing image quality. By default, heavyweight compression is disabled.
- Allow caching of embedded images. Allows or prevents embedded images from being cached. By default, image caching is allowed.
- Allow caching of embedded fonts. Allows or prevents embedded fonts from being cached. By default, font caching is allowed.
- Allow non-administrators to modify these settings. Allows or prevents non-administrative users from modifying any of these options through the printer driver's printing preferences. By default, users cannot modify these options.

These options are supported for EMF printing. For XPS printing, only the Desired image quality option is supported.

When Universal printing image compression limit and Universal printing optimization defaults are both used:
- If the compression level in the Universal printing image compression limit setting is lower than the level defined in the Universal printing optimization defaults setting, images are compressed at the level defined in the Universal printing image compression limit setting.
- If the Universal printing image compression limit setting is set to No Compression, the Universal printing optimization defaults setting's Desired image quality and Enable heavyweight compression options have no effect in the policy.
You can set print quality, orientation, color, duplex, scale, copy count, TrueType option, and paper size. If you specify a printing option that the printer driver does not support, that option has no effect.

1. On the Printing driver mapping and compatibility settings page, select the name of the printer for which you want to modify the settings.
2. Click Settings.
3. Specify the printer settings.

Known Issues

- Users cannot change the paper size of the Generic Citrix Universal Printer. However, you can set a default paper size for the server by editing the registry; see article CTX113148 in the Citrix Knowledge Center. [#247747]
- [#238211]
Single Sign-on
Citrix Single sign-on (formerly Citrix Password Manager) provides password security and single sign-on access to Windows, Web, and terminal emulator applications running in the Citrix environment as well as applications running on the desktop. For more information, see the Single sign-on node in eDocs.