CXD 300 6I en StudentManual

ot
N
fo
rr
al
es
Deploying App and Desktop Solutions with

Citrix XenApp and XenDesktop 7.6
or
Citrix Course CXD-300-I
st
di
n
io
ut
rib
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
Copyright 2015 Citrix Systems, Inc.
Citrix Course CXD-300-I

August 2015
Version 6.2
ot
Deploying App and Desktop Solutions

with Citrix XenApp and XenDesktop
7.6
fo
al
es
rr
or
st
di
n
io
ut
rib
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
Table of Contents
Module 1: Understanding the XenDesktop Architecture ................................................................ 17
ot
Understanding the XenApp and XenDesktop Architecture ........................................................................................... 19

Overview .................................................................................................................................................................. 19
XenApp or XenDesktop ........................................................................................................................................... 19
New Features .......................................................................................................................................................... 20
Deprecated Features ............................................................................................................................................... 21
Discussion Question ................................................................................................................................................ 22
XenApp and XenDesktop Virtualization Technologies ............................................................................................... 22
Hosted Applications ................................................................................................................................................ 23
Server OS Machines ................................................................................................................................................ 24
Desktop OS Machines ............................................................................................................................................. 25
Remote PC Access ................................................................................................................................................. 26
Streamed VHD ........................................................................................................................................................ 27
Local VM ................................................................................................................................................................. 27
Local Application Access ......................................................................................................................................... 28
Infrastructure Components ...................................................................................................................................... 29
Citrix Components ................................................................................................................................................... 32
Designing a XenApp and XenDesktop Implementation ............................................................................................ 36
Assess Phase .......................................................................................................................................................... 37
Design Phase .......................................................................................................................................................... 37
Deploy Phase .......................................................................................................................................................... 38
Maintain Phase ........................................................................................................................................................ 39
Design Document .................................................................................................................................................... 39
Reinforcement Exercise: Identifying Components .................................................................................................... 39
fo
al
es
rr
or
st
di
io
ut
rib
Module 2: Setting Up the Hypervisor ............................................................................................ 43

Setting Up the Hypervisor ............................................................................................................................................ 45
Overview .................................................................................................................................................................. 45
Installing the Hypervisor ........................................................................................................................................... 45
To Install XenServer ................................................................................................................................................. 46
Installing the Hypervisor Management Console ........................................................................................................ 49
To Install XenCenter ................................................................................................................................................. 49
Connecting the Management Console to the Hypervisor ......................................................................................... 50
To Connect XenCenter to the XenServer Host ......................................................................................................... 50
Configuring the Hypervisor ...................................................................................................................................... 51
Configuring the Virtual Networks .............................................................................................................................. 51
To Configure an External Network ........................................................................................................................... 52
Creating a Pool or Cluster of Hosts ......................................................................................................................... 53
To Create a New Pool in XenServer ......................................................................................................................... 53
ot
Configuring an ISO Library ....................................................................................................................................... 54

To Configure an ISO Library for XenServer .............................................................................................................. 54
Configuring Virtual Disk Storage .............................................................................................................................. 55
To Configure Virtual Disk Storage ............................................................................................................................ 55
Applying Updates and Hotfixes ................................................................................................................................ 57
To Upload and Apply a XenServer Hotfix ................................................................................................................. 57
Creating Templates ................................................................................................................................................. 58
Installing Windows Server 2012 R2 ......................................................................................................................... 59
To Install the Operating System on a VM in XenServer ............................................................................................ 59
Installing Hypervisor Tools ....................................................................................................................................... 60
To Install Hypervisor Tools on a VM in XenServer .................................................................................................... 61
Installing the .NET Framework 3.5 Features on Server 2012 R2 .............................................................................. 61
Running Sysprep on the Virtual Machine ................................................................................................................. 62
To Run Sysprep on the VM in XenServer ................................................................................................................. 62
Creating the Template ............................................................................................................................................. 63
To Create a Template in XenServer ......................................................................................................................... 63
Troubleshooting Hypervisor Setup Issues ................................................................................................................ 63
Reinforcement Exercise: Creating a Windows 7 Template ....................................................................................... 64
fo
es
rr
al
Module 3: Setting Up the Infrastructure Components ................................................................... 65
Setting Up the Infrastructure Components .................................................................................................................. 67

Overview .................................................................................................................................................................. 67
Setting Up the Domain Controller ............................................................................................................................ 67
Active Directory Domain Services ............................................................................................................................ 68
Troubleshooting AD DS Installation Issues ............................................................................................................... 68
Creating Organizational Units ................................................................................................................................... 68
To Create Organizational Units for a XenApp and XenDesktop Implementation ....................................................... 69
Adding Users and Groups ....................................................................................................................................... 69
To Create End-User Accounts and Groups ............................................................................................................. 70
Configuring Policies Using Group Policy .................................................................................................................. 71
To Configure Policies Using Group Policy ................................................................................................................ 72
Securing Service Accounts ...................................................................................................................................... 74
To Secure a Service Account .................................................................................................................................. 74
Setting Up the Dynamic Host Configuration Protocol ............................................................................................... 75
Installing and Configuring the DHCP Role ................................................................................................................ 75
Troubleshooting DHCP Installation Issues ................................................................................................................ 75
Setting Up A Certificate Authority ............................................................................................................................ 75
Installing the Certificate Services Role ...................................................................................................................... 76
To Install the Certificate Authority ............................................................................................................................. 76
Setting Up the File Server ........................................................................................................................................ 77
Creating a Computer Account for a New VM ........................................................................................................... 77
To Create a Computer Account ............................................................................................................................... 77
Creating the VM ...................................................................................................................................................... 77
To Create a VM Using a Custom Template ............................................................................................................. 78
Adding the File Server Role ...................................................................................................................................... 79
To Add the File Server Role to a VM ........................................................................................................................ 79
or
st
di
io
ut
rib
ot
Creating a Share for Folder Redirection ................................................................................................................... 79

To Create a File Share for Folder Redirection .......................................................................................................... 80
Creating a Folder Redirection Group Policy ............................................................................................................. 82
To Create a Folder Redirection Group Policy for Virtual Desktops ........................................................................... 82
Setting Up the Microsoft KMS License Server ......................................................................................................... 83
Setting Up SQL Server 2012 .................................................................................................................................. 83
Creating the Computer and Service Accounts for SQL Server 2012 ........................................................................ 83
To Create Computer and Service Accounts for SQL Server 2012 ........................................................................... 83
Installing SQL Server 2012 ...................................................................................................................................... 84
To Install SQL Server 2012 ...................................................................................................................................... 84
Configuring SQL Server and the Windows Firewall .................................................................................................. 85
To Configure SQL Server and the Windows Firewall to Accept Inbound Connections ............................................. 85
Setting Up SQL Server Mirroring .............................................................................................................................. 87
Installing the SQL Server Witness ............................................................................................................................ 88
Configuring SQL Server Mirroring ............................................................................................................................ 88
To Configure SQL Server Mirroring .......................................................................................................................... 88
Troubleshooting SQL Server Issues ......................................................................................................................... 91
Installing Anti-Virus Software .................................................................................................................................... 91
Setting up the DMZ ................................................................................................................................................. 92
Reinforcement Exercise: Redirecting Additional Folders ........................................................................................... 92
fo
es
rr
al
Module 4: Setting Up Citrix Components ..................................................................................... 93
Setting Up Citrix Components ..................................................................................................................................... 95

Overview .................................................................................................................................................................. 95
Architecture ............................................................................................................................................................. 95
Setting Up the Citrix License Server ........................................................................................................................ 96
Installing the Citrix License Server ............................................................................................................................ 97
To Install the Citrix License Server ........................................................................................................................... 97
Troubleshooting License Server Issues .................................................................................................................... 98
Allocating, Downloading, and Adding a License File ................................................................................................ 99
To Allocate, Download, and Import a License File ................................................................................................... 99
Discussion Question .............................................................................................................................................. 101
Adding License Administrators .............................................................................................................................. 101
To Add a License Administrator ............................................................................................................................. 101
Configuring Licensing Alerts .................................................................................................................................. 102
To Configure Licensing Alerts ................................................................................................................................ 102
Moving from XenApp 7.6 to XenDesktop 7.6 ......................................................................................................... 103
Setting Up the Delivery Controller .......................................................................................................................... 103
Installing the First Controller ................................................................................................................................... 104
To Install the First Controller .................................................................................................................................. 104
Configuring a Site .................................................................................................................................................. 106
To Configure a Site ................................................................................................................................................ 106
Editing Connection and Resource Settings ............................................................................................................ 108
To Edit Connection and Resource Settings ........................................................................................................... 108
Connecting to Resources ...................................................................................................................................... 108
Troubleshooting Studio .......................................................................................................................................... 109
Adding Delegated Administrators .......................................................................................................................... 109
To Add a Delegated Administrator ......................................................................................................................... 110
Setting Up a Second Controller ............................................................................................................................. 110
To Install a Second Controller ................................................................................................................................ 110
or
st
di
io
ut
rib
ot
Joining a Controller to a Site .................................................................................................................................. 112

To Join a Controller to an Existing Site .................................................................................................................. 112
Setting Up the Citrix Universal Print Server ............................................................................................................ 113
Installing the Universal Print Server ........................................................................................................................ 114
To Install the Universal Print Server ........................................................................................................................ 114
Configuring the Universal Print Server .................................................................................................................... 114
To Configure the Universal Print Server ................................................................................................................. 115
Creating Printers .................................................................................................................................................... 116
To Create Printers ................................................................................................................................................. 116
Setting Up StoreFront ............................................................................................................................................ 117
Installing Citrix StoreFront ...................................................................................................................................... 117
To Install StoreFront .............................................................................................................................................. 117
Requesting and Installing a Certificate on StoreFront ............................................................................................. 118
To Create and Install a Certificate on StoreFront ................................................................................................... 118
Configuring a Store ................................................................................................................................................ 119
To Configure a Store ............................................................................................................................................. 120
Creating a Store for Anonymous User Access ....................................................................................................... 120
To Create a Store for Anonymous User Access ..................................................................................................... 120
Setting Up a Second StoreFront Server ................................................................................................................. 121
To Install a Second StoreFront Server ................................................................................................................... 121
Setting Up Receiver ............................................................................................................................................... 124
Configuring DNS for Email-Based Account Discovery ............................................................................................ 124
To Configure a Service Location Locator Record for Email-based Account Discovery ........................................... 125
Installing and Configuring Receiver ........................................................................................................................ 126
To Install and Configure Receiver .......................................................................................................................... 126
Troubleshooting Receiver ...................................................................................................................................... 127
Reinforcement Exercise: Using the Receiver for Web Site ...................................................................................... 127
fo
al
es
rr
or
st
di
rib
Module 5: Setting Up XenDesktop Resources ............................................................................ 129
io
ut
Setting Up XenApp and XenDesktop Resources ....................................................................................................... 131

Overview ................................................................................................................................................................ 131
Resources ............................................................................................................................................................. 131
Preparing the Master Image Virtual Machine .......................................................................................................... 132
Creating the Master Image .................................................................................................................................... 133
Setting Up a Server OS Master Image ................................................................................................................... 133
To Set Up a Server OS Master Image ................................................................................................................... 133
Using a Virtual IP Address ..................................................................................................................................... 135
Installing and Configuring the Virtual Delivery Agent ............................................................................................... 135
To Install and Configure the VDA on a Server OS Master Image ............................................................................ 135
Installing and Configuring Third-Party Applications ................................................................................................ 137
To Install Third-Party Applications .......................................................................................................................... 137
Installing Anti-Virus Software .................................................................................................................................. 138
Troubleshooting Virtual Delivery Agent Issues ........................................................................................................ 138
Setting Up a Desktop OS Master Image ................................................................................................................ 139
To Set Up a Desktop OS Master Image ................................................................................................................ 139
Installing and Configuring the Virtual Delivery Agent ............................................................................................... 141
To Install and Configure the VDA on a Desktop OS Master Image ......................................................................... 141
Creating a Machine Catalog .................................................................................................................................. 143
Creating a Machine Catalog for Server OS and Hosted Applications ..................................................................... 143
8
To Create a Machine Catalog for Server OS and Hosted Applications ................................................................... 144
Creating a Machine Catalog for Desktop OS Machines ......................................................................................... 145
To Create a Desktop OS Machine Catalog ............................................................................................................ 146
Creating a Delivery Group ...................................................................................................................................... 148
Securing Connections ........................................................................................................................................... 148
To Create a Delivery Group to Provide Hosted Applications .................................................................................. 149
Creating a Delivery Group for Anonymous User Access ........................................................................................ 151
To Create a Delivery Group for Anonymous User Access ...................................................................................... 151
Organizing Applications in Folders ......................................................................................................................... 152
To Organize Applications in Folders ....................................................................................................................... 152
To Create a Delivery Group to Provide Desktops ................................................................................................... 152
Securing Connections ........................................................................................................................................... 154
Troubleshooting XenApp and XenDesktop Resource Issues .................................................................................. 155
Reinforcement Exercise: Adding Machines and Delivery Groups ........................................................................... 155
Module 6: Setting Up Policies ..................................................................................................... 157
ot
Setting Up Policies .................................................................................................................................................... 159

Overview ................................................................................................................................................................ 159
Installing the Group Policy Management Feature ................................................................................................... 160
To Install the Group Policy Management Feature ................................................................................................... 160
Configuring Printing Policies .................................................................................................................................. 160
Configuring the Universal Printer Driver .................................................................................................................. 160
To Configure the Universal Printer Driver ............................................................................................................... 161
Configuring Client Printer Auto-Creation ................................................................................................................ 161
To Modify the Printer Auto-Creation Behavior ........................................................................................................ 162
Configuring Session Printers .................................................................................................................................. 162
To Configure Session Printer Settings .................................................................................................................... 163
Optimizing Print Job Routing ................................................................................................................................. 164
Optimizing Printing Performance ............................................................................................................................ 165
To Optimize Printing .............................................................................................................................................. 165
Configuring Remote Assistance ............................................................................................................................. 166
To Configure Remote Assistance Permissions ....................................................................................................... 166
Prioritizing the Policies ........................................................................................................................................... 167
Changing the Priority of the Policy ......................................................................................................................... 169
To Change the Priority of a Policy .......................................................................................................................... 169
Running the Resultant Set of Policy ....................................................................................................................... 170
To Create a Resultant Set of Policy Using the Group Policy Management Console ............................................... 170
Troubleshooting Policies ........................................................................................................................................ 171
Setting Up Citrix Profile Management .................................................................................................................... 171
To Configure a Profile Management Share ............................................................................................................ 171
To Configure the Profile Management Settings ...................................................................................................... 172
Reinforcement Exercise: Configuring a Session Printer .......................................................................................... 175
fo
al
es
rr
or
st
di
io
ut
rib
Module 7: Setting Up Provisioning Services ................................................................................ 177

Setting Up Provisioning Services ............................................................................................................................... 179
Overview ................................................................................................................................................................ 179
Provisioning Services Architecture ......................................................................................................................... 179
Setting Up A Provisioning Services Server ............................................................................................................. 181
Creating a Service Account for Provisioning Services ............................................................................................ 181
ot
To Create a Service Account for Provisioning Services .......................................................................................... 181

Creating a Share for the Store ............................................................................................................................... 182
To Create the Share for the Store .......................................................................................................................... 183
Write Cache Considerations .................................................................................................................................. 183
Creating Windows Firewall Exceptions ................................................................................................................... 185
To Create Windows Firewall Exceptions ................................................................................................................ 185
Installing Provisioning Services .............................................................................................................................. 187
To Install Provisioning Services .............................................................................................................................. 187
Granting Database Permissions ............................................................................................................................. 190
To Grant Database Permissions to the Service Account ........................................................................................ 190
Installing the Provisioning Services Console ........................................................................................................... 191
To Install the Provisioning Services Console .......................................................................................................... 191
Configuring Boot from Network ............................................................................................................................. 192
To Configure DHCP (Options 66 and 67) for PXE Booting ..................................................................................... 192
Setting Up a Second Provisioning Services Server ................................................................................................ 192
To Configure a Second Provisioning Services Server ............................................................................................. 193
Configuring the Bootstrap File for High Availability ................................................................................................. 195
To Configure the Bootstrap File for High Availability ............................................................................................... 195
Configuring the Master Target Device .................................................................................................................... 196
Creating the Master Target Device ........................................................................................................................ 197
To Create a New Master Target Device ................................................................................................................. 197
Installing the Virtual Delivery Agent ......................................................................................................................... 199
To Install the Virtual Delivery Agent ........................................................................................................................ 199
Creating the vDisk ................................................................................................................................................. 201
To Convert the Hard Drive of the Master Target Device to a vDisk ........................................................................ 201
Setting the vDisk Mode ......................................................................................................................................... 203
To Set the vDisk Mode .......................................................................................................................................... 204
Assigning a vDisk to a Target Device ..................................................................................................................... 204
To Assign a vDisk to a Target Device .................................................................................................................... 204
Creating the Machine Catalog ............................................................................................................................... 205
To Create a Diskless Target Device Template ........................................................................................................ 205
To Create the Machine Catalog ............................................................................................................................. 206
Creating the Delivery Group ................................................................................................................................... 207
To Create the Delivery Group ................................................................................................................................ 207
Reinforcement Exercise: Creating BDM Target Devices ......................................................................................... 209
fo
al
es
rr
or
st
di
io
ut
rib
Module 8: Preparing the Environment for Rollout ........................................................................ 211

Preparing the Environment for Rollout ....................................................................................................................... 213
Overview ................................................................................................................................................................ 213
Testing a Service Account ..................................................................................................................................... 213
To Test a Service Account ..................................................................................................................................... 213
Testing the DHCP Scope ...................................................................................................................................... 214
To Verify IP Addresses Are within the DHCP Scope .............................................................................................. 214
Testing the Certificates .......................................................................................................................................... 215
To Verify Secure Communications with StoreFront ................................................................................................ 215
Testing the Provisioning Services Share ................................................................................................................ 215
To Verify the vDisk Storage Location ..................................................................................................................... 215
10
Verifying Internal Access to Hosted Applications .................................................................................................... 216

To Verify Internal Access to Hosted Applications ................................................................................................... 216
Verifying Internal Access to a Server OS Machine (PVS) ........................................................................................ 218
To Verify Internal Access to a Server OS Machine Streamed Using PVS ............................................................... 218
Verifying Internal Access to a Desktop OS Machine ............................................................................................... 221
To Verify Internal Access to a Desktop OS Machine with a Personal vDisk ............................................................ 221
Testing Remote Assistance ................................................................................................................................... 224
To Test Remote Assistance ................................................................................................................................... 224
Testing Delivery Controller High Availability ............................................................................................................ 226
To Test Delivery Controller High Availability ............................................................................................................ 227
Testing SQL Server Mirroring ................................................................................................................................. 228
To Test SQL Server Mirroring ................................................................................................................................ 228
Reinforcement Exercise: Verifying Internal Access to a Server OS Machine (MCS) ................................................ 230
Module 9: Setting Up NetScaler ................................................................................................. 231
ot
Setting Up NetScaler ................................................................................................................................................. 233

Overview ................................................................................................................................................................ 233
To Import the NetScaler Gateway VPX .................................................................................................................. 234
Creating the NetScaler VM .................................................................................................................................... 235
To Create a NetScaler VPX VM ............................................................................................................................. 235
Performing the Initial NetScaler Configuration ........................................................................................................ 235
To Perform the Initial Configuration of the First NetScaler ...................................................................................... 236
Configuring NTP .................................................................................................................................................... 237
To Synchronize the Time on the NetScaler ............................................................................................................ 237
Configuring NetScaler High Availability ................................................................................................................... 238
To Perform the Initial Configuration of the Second NetScaler ................................................................................. 238
To Configure a Second NetScaler for Redundancy ................................................................................................ 239
Setting Up DNS ..................................................................................................................................................... 241
To Configure DNS A Records for the NetScaler .................................................................................................... 242
Creating Certificates for NetScaler ......................................................................................................................... 242
Creating a Wildcard Certificate for Internal Resource Access ................................................................................. 243
To Create a Wildcard Certificate for the Domain .................................................................................................... 243
Creating a Certificate Signed by a Third-Party Certificate Authority ........................................................................ 245
To Create a Public Certificate for the NetScaler ..................................................................................................... 245
Load Balancing StoreFront Servers ....................................................................................................................... 247
To Load Balance StoreFront Servers ..................................................................................................................... 248
Configuring NetScaler for Remote Access ............................................................................................................. 250
To Create a Service Account for LDAP Authentication and the Security Group for Remote Access ...................... 250
Configuring Active Directory Integration ................................................................................................................. 252
To Configure Active Directory Integration with NetScaler ....................................................................................... 252
Redirecting HTTP Requests for StoreFront ............................................................................................................ 254
To Redirect HTTP Requests for StoreFront ........................................................................................................... 254
Modifying StoreFront to Integrate with NetScaler ................................................................................................... 255
To Modify StoreFront to Work with NetScaler ........................................................................................................ 255
Creating Beacons .................................................................................................................................................. 256
To Create a Beacon Point ..................................................................................................................................... 256
Enabling Remote Access to the Store ................................................................................................................... 257
To Enable Remote Access to the Store ................................................................................................................. 257
fo
al
es
rr
or
st
di
io
ut
rib
11
Propagating Settings to the StoreFront Server Group ............................................................................................ 258

To Propagate the StoreFront Settings ................................................................................................................... 258
Configuring ICA Proxy ........................................................................................................................................... 258
To Configure the NetScaler for ICA Proxy .............................................................................................................. 259
Configuring Pre-Authentication Policies ................................................................................................................. 260
Enabling XML Service Trust ................................................................................................................................... 261
To Enable XML Service Trust ................................................................................................................................. 261
Configuring a Pre-Authentication Policy ................................................................................................................. 261
To Configure a Pre-Authentication Policy ............................................................................................................... 262
Configuring NetScaler for Email-Based Account Discovery .................................................................................... 263
To Configure NetScaler for Email-Based Account Discovery ................................................................................. 263
Testing Access through NetScaler ......................................................................................................................... 263
To Test HTTP Redirection Requests for StoreFront Servers .................................................................................. 263
To Test External Access to the Environment .......................................................................................................... 264
To Test a Pre-Authentication Policy ....................................................................................................................... 266
Reinforcement Exercise: Scanning an Endpoint for a File ....................................................................................... 267
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
12
Credits
John Spina, Karla Stagray
Product Specialist:
Evin Safdia
Graphic Artist:
Tyler Fromma, Andres Mungarrieta
Managers:
Leslie Keelan, Brad Moczik, Patrick Quinlan
Editor:
Kathryn Morris
Translation Project Manager:
Tanya Brice
Publication Services:
Dustin Clark, Adrianna Cournoyer
CCI Enablement:
Christy Vega
Subject Matter Expert:
Jeff Apsley, Justin Apsley, Allen Furmanski, Dave Gunn,

James Hsu, David Jimenez, Arnd Kagelmacher, Christopher
Rudolph, Stacy Scott, Mark Simmons, Elisabeth Teixeira
ot
Instructional Designer:
fo
e
al
es
rr
or
st
di
n
io
ut
rib
Notices
Citrix Systems, Inc. (Citrix) makes no representations or warranties with respect to the content or use of this publication.
Citrix specifically disclaims any expressed or implied warranties, merchantability or fitness for any particular purpose. Citrix
reserves the right to make any changes in specifications and other information contained in this publication without prior
notice and without obligation to notify any person or entity of such revisions or changes.
Copyright 2015 Citrix Systems, Inc. All Rights Reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying, recording or information storage and retrieval systems, for any purpose other than the purchasers
personal use, without express written permission of:
Citrix Systems, Inc. 851 West Cypress Creek Road Fort Lauderdale, FL 33309 USA http://www.citrix.com
The following marks are service marks, trademarks or registered trademarks of their respective owners in the United States
and other countries.
Mark
Owner
Adobe, Flash, Reader, Acrobat
Adobe Systems Incorporated
Apache Micro Peripherals, Inc.
ot
Apache
iPhone, Mac, QuickTime, iPhone, iPad
Apple, Inc.
fo
al
es
rr
Branch Repeater, Citrix, Citrix Access Gateway, Citrix

Citrix Systems, Inc.
Authorized Learning Center, Citrix Certified
Administrator, Citrix Certified Enterprise Administrator,
Citrix Certified Integration Architect, Citrix Education,
Citrix Receiver, EdgeSight, HDX, ICA, NetScaler,
MyCitrix, XenApp, XenDesktop , Provisioning Services,
XenCenter, SpeedScreen, CitrixReady, Citrix Developer
Network, XenServer, SecureICA, Citrix Workflow Studio,
Citrix Merchandising Server
or
Hewlett-Packard Development Company, L.P.
Chromebook, Android
Google, Inc.
Blackberry
Research in Motion
Intel, Xeon
Intel Corporation
Linux
Linus Torvalds
Active Directory, Internet Explorer, Microsoft, SQL

Server, Windows, Windows Mobile, Windows Server,
Win32, Access, Excel, Outlook, PowerPoint, Office,
Windows 7, Windows XP, Visual J#, Windows Vista,
SharePoint, Remote Desktop Services, PowerShell
Microsoft Corporation
Firefox, Mozilla
Mozilla Corporation
Novell, Novell Directory Services, NDS
Novell, Inc.
UNIX
The Open Group
Oracle
Oracle Corporation
Pearson VUE
Pearson Education, Inc.
RealPlayer
RealNetworks, Inc.
RC5, RSA
RSA Data Security, Inc.
st
di
HP, OpenView, LaserJet
io
ut
rib
Mark
Owner
Secure Computing, SafeWord
Secure Computing Corporation
SecurID
Security Dynamics Technologies, Inc.
Java, JavaScript
Sun Microsystems, Inc.
Toolwire
Toolwire
VMWare, ESX Server
VMware, Inc.
Other product and company names mentioned herein might be the service marks, trademarks or registered trademarks of
their respective owners in the United States and other countries.
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
16
Module 1
Understanding the
XenDesktop Architecture
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
18
Understanding the XenApp and XenDesktop Architecture

Overview
XenApp and XenDesktop empower you to deliver on-demand virtual desktops and applications anywhere your end users
work, anywhere your business takes you, to any type of device, bringing unprecedented flexibility and mobility to a workforce.
This release of XenApp and XenDesktop unifies hosted applications and Server OS machines (XenApp functionality) with
personalized desktops (XenDesktop functionality) within a single architecture and management experience.
XenApp comes in three editions: Advanced, Enterprise and Platinum. XenDesktop comes in three editions: VDI
Edition, Enterprise Edition (supports all XenDesktop virtualization technologies), and Platinum Edition (supports
all XenDesktop virtualization technologies and includes Cloud functionality).
By the end of this module, you will be able to:
ot
fo
Module timing: 1.5 hours
al
XenApp or XenDesktop
es
rr
Identify differences between XenApp and XenDesktop.

Identify new and deprecated features.
Explain the various ways in which Citrix XenApp and XenDesktop can be configured to provide desktops and
applications to your end users.
Identify the infrastructure components of a XenApp and XenDesktop implementation.
Identify the Citrix components of a XenApp and XenDesktop implementation.
Summarize the process used to design a XenApp and XenDesktop implementation.
Interpret the information provided in a XenApp and XenDesktop Design document.
or
XenApp and XenDesktop share a common architecture; where one or more Delivery Controllers are used to broker user
connections to sessions. Users connect to XenApp and XenDesktop sessions using the Citrix HDX protocol (formerly known
as ICA).
st
di
Sessions are hosted on physical or virtual machines running the Citrix Virtual Delivery Agent (VDA). A VDA can be installed
on Server OS and Desktop OS machines. The operating system on which you can run the VDA and the type of sessions
supported is dependent upon whether you bought XenApp or XenDesktop. The following table identifies the type of
machines and sessions available per product edition.
Server OS
Machines
Desktop OS
Machines
Sessions
Chart
XenDesktop XenDesktop XenDesktop

VDI
Enterprise
Platinum
XenApp
Advanced
XenApp
Platinum
io
XenApp
Enterprise
ut
XenApp
Advanced
rib
VDA Chart
XenApp
Enterprise
XenApp
Platinum
Server OS
X
Hosted Desktop
Server OS
Hosted
Applications

VDI
Enterprise
Platinum
Module 1: Understanding the XenDesktop Architecture
19
Sessions
Chart
XenApp
Advanced
XenApp
Enterprise
XenApp
Platinum
Desktop OS
Desktop

VDI
Enterprise
Platinum
X
Desktop OS
Applications
*XenDesktop VDI does not the support the use of physical machines.
Additional features and FlexCast models become available in the editions as you move from left to right in the table. For a
complete list of features, see the XenDesktop 7.6 and XenApp 7.6 Features and Entitlement document at
http://www.citrix.com/go/products/xendesktop/feature-matrix.html.
New Features
This release of XenApp and XenDesktop includes the following new features:
al
es
rr
fo
ot
Session prelaunch and session linger - These features enhance the user experience by starting sessions before they are
requested (session prelaunch) and keeping sessions active for a period of time after users close the applications (session
linger). These features are supported on Server OS machines only.
Support for unauthenticated users - This feature (formerly known as anonymous users in XenApp) supports
administrators granting access to sessions on Server OS machines to users with no credentials.
Connection leasing - This feature extends the Delivery Site database connection requirements beyond platform
redundancy by enabling Delivery Controllers to continue to broker users to the resources the users most often request
even when the site database is unavailable.
Application folders - This feature allows administrators to organize the applications created by Delivery Groups within
Citrix Studio. Using the Applications tab administrators can nest application organization into multiple tiers.
XenApp 6.5 migration - This feature enables administrators currently supporting a XenApp 6.5 farm to move to a
XenApp 7.6 site with a quick and efficient transition. Migration allows administrators to perform in place upgrades of
existing XenApp 6.5 workers to XenApp 7.6 Server OS machines running the VDA. For more information, see
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-upgrade-existing-environment/xad-xamigrate.html.
Citrix Customer Experience Improvement Program - This program allows administrators to work directly with Citrix
in design and development contributions. Enrollment allows Citrix to collect anonymous information about the
deployment. For more information, see http://www.citrix.com/cms/ws/ceip/.
Enhanced connection throttling settings - This feature optimizes the virtual machine performance for a site by limiting
actions, inventory updates, and other occurrences over the host connection to the hypervisor.
Enhanced reporting in Studio - This feature adds additional details about the action status, error reporting, licensing
and more to Studio.
SSL/TLS - This feature enables administrators to configure these secure protocols on the machines running the VDA.
Virtual IP and virtual loopback - This feature enables administrators to centralize applications that require unique IP
addresses on XenApp and XenDesktop servers running a server OS and VDA.
Remote PC Access - This feature has been optimized to enable administrators to prevent local users from disconnecting
a remote session without the permission of the remote user.
Citrix Director - This tool has been expanded to include clickable navigation between User Details, Machine Details,
Endpoint Details and Anonymous Sessions. In addition, it has been optimized to further assist support staff in gathering
detailed information about a user session when opening support tickets. Optimizations includes:
Licensing alerts to assist support staff in further awareness of issues that impact user connections.
View hosted application usage to allow support staff to view per Delivery Group lists of users who have access to
applications and view who is currently using an application.
Monitor hotfixes to allow support staff to view specific hotfixes per machine with the VDA installed.
or
io
ut
rib
st
di
This release of Citrix Director cannot be used to support sessions on versions of XenApp older than XenApp
6.5.
20
ot
AppDNA 7.6 - This tool assists administrators in the migration of applications to new implementations through rapid
analysis, automated application remediation and packaging, and daily application management.
Citrix StoreFront 2.6 - This component has been updated to include the following optimizations:
My Apps Folder View in Receiver for Web - This feature assists users during the transition from Web Interface to
StoreFront by allowing applications to be organized into folders.
Kerberos constrained delegation for XenApp 6.5 - This feature enables pass-through authentication and eliminates
the need for endpoints to run Windows with Receiver.
Single Fully Qualified Domain Name (FQDN) access - This feature gives administrators the ability to give resource
access internally and externally with a single FQDN.
XenApp Services Support smart card authentication - This feature enables administrators to provide support for
smart card access without requiring specific versions of Receiver and operating systems.
Receiver for Android, iOS, and Linux smart card authentication - This feature enables local and remote use of
smart cards for access to applications and desktops.
Extensible authentication - This feature provides a single customization point to be used with Worx Home and
Receiver for Web to authenticate with XenMobile, XenApp and XenDesktop for internal and external access
scenarios.
Citrix Connector 7.5 - This feature provides a bridge between Microsoft System Center Configuration Manager and
XenApp or XenDesktop to extend the use of Configuration Manager to Citrix environments.
Receiver for Chrome and Receiver for HTML5 - These components were updated to include the ability to:
Convert documents to PDF and view them on a local device or print them to locally attached printers.
Provide end-user metrics.
Track license usage for hosted applications.
Utilize additional clipboard operations.
HDX Real-Time Optimization Pack 1.5 for Microsoft Lync - This feature enables administrators to support Lync
certified USB phones, mixed Lync 2010 clients and Lync Server 2013 configuration, and asynchronous upgrades.
fo
al
es
rr
Deprecated Features
or
Some functionality that was available in previous releases of XenApp and XenDesktop is not available in this release. The
deprecated features include:
Secure ICA encryption below 128-bit - HDX (formerly known as ICA) has always supported encryption, but this
minimum level of encryption is no longer sufficient.
Legacy printing - Operating system incompatibilities make the following printing features unavailable:
DOS clients, 16-bit printers, and legacy client printer names.
Printers connected to Windows 95 and NT operating systems, enhanced and extended printer properties, and
Win32FavorRetainedSetting.
Ability to enable or disable auto-retained and auto-restored printers.
The DefaultPrnFlag registry setting for Server OS.
Secure Gateway - This component served releases of XenApp and XenDesktop prior to 7.x as a means of a secure
software HDX (ICA) secure proxy. This functionality is now available in NetScaler Gateway, which can be implemented
as a VPX.
Shadowing users - This functionality is now provided using Windows Remote Assistance and can be initiated from
Citrix Director.
Power and Capacity Management - This feature used to power manage virtual machines to lower the power costs during
off-peak usage times. This functionality is now available through Microsoft Configuration Manager.
Flash v1 Redirection - This feature allowed devices to render client-side flash, locally when possible. Version 1 has been
replaced by version 2 which provides the same functionality and supports second generation Flash.
Local Text Echo - This feature was used with earlier Windows application technologies as a session optimization feature
when user sessions were impacted by latency. Because of the graphic subsystem and HDX Super Codec included with the
VDA, this feature is no longer needed.
Smart Auditor - This feature enabled the recording of user sessions to video files for viewing later. This feature was
removed due to lack of demand.
st
di
io
ut
rib
21
ot
Single Sign-On (Password Manager) - This feature supports single sign on to Windows, Web, and Terminal-emulated
applications. This feature still works with Windows Server 2008 R2 and Windows 7 implementations, but is not available
for Windows Server 2012 and Windows 8 implementations due to dependencies on the operating systems.
Oracle database support for XenApp and XenDesktop databases has been removed. Citrix chose to simplify the platform
by consolidating all Citrix database requirements for XenApp, XenDesktop and their supporting features to one platform,
Microsoft SQL.
Health Monitoring and Recovery (HMR) was a built-in feature designed to assist administrators in monitoring mission
critical Citrix services running on machines hosting user sessions. This was in lieu of having a central means of managing
farms and sites. Citrix Director now provides insight into the entire infrastructure from a central console.
Custom ICA files enabled administrators to give users direct access to applications and desktops by bypassing both Web
Interface and the Zone Data Collector. This feature is still available in XenApp 7.x, but is disabled by default. A custom
ICA file can still be used for troubleshooting and for direct user connections when the Delivery Controller is unavailable.
Citrix recommends that you direct all user connections through StoreFront.
Management Pack for System Center Operations Manager (SCOM) 2007 is not supported on 7.x releases.
CNAME function was enabled, by default, prior to XenApp 7 and XenDesktop 7 to assist with FQDN re-routing. In
subsequent versions of XenApp and XenDesktop, 7.x, the Delivery Controller auto-update replaced the CNAME function
because it can dynamically update the list of Delivery Controllers and notify the distributed VDAs when Delivery
Controllers both join and leave the Delivery Site. Some administrators prefer to use the CNAME function. Those
administrators can use a Citrix policy to disable the dynamic updates and can re-enable the CNAME functions in the
registry.
Quick Deploy wizard was a XenDesktop 5.x feature designed to quickly create a Delivery Site and all of the server
components, including the catalog, Delivery Groups and more using one wizard. This wizard was created to enable
administrators to quickly setup a proof of concept deployment. Quick Deploy Delivery Sites had limitations and could
not be scaled. The refined configuration and workflow in XenDesktop 7.x renders this legacy deployment wizard
unnecessary.
Remote PC Service configuration file and PowerShell script for automatic administration was deprecated because
Remote PC is now integrated into Studio and the Delivery Controller with support for Wake-on-LAN.
Workflow Studio was a management feature that allowed administrators to manage multiple workflows (also known as
sets of code or scripts) from a Windows Server management console. This feature was removed due to lack of demand.
fo
or
Discussion Question
al
es
rr
st
di
An administrator at a local company was tasked with implementing a Citrix solution to host user resources centrally and
securely in the datacenter, enabling users to access resources from any user device over any Internet connection. The users
require access to the Microsoft Office Suite and a Windows 8.1 desktop. Which Citrix products and editions can the
administrator purchase and implement to meet the needs of this scenario?
rib
ut
XenApp and XenDesktop Virtualization Technologies
io
Different types of end users need different types of processing environments. Some end users may require simplicity and
standardization, while others may require high levels of performance and personalization. Implementing a single virtualization
model across an entire organization may lead to end-user frustration and reduced productivity. Instead, organizations need to
identify the functionality that is required and understand the technical differences between the various processing
environments and the virtualization components that provide that environment.
Discussion Question
What are some advantages of integrating hosted applications and desktops into a single architecture?
22
Hosted Applications
ot
N
fo
e
al
es
rr
or
With the Hosted Applications model, end users may not be provided with a virtual desktop; instead Windows applications are
centralized in the datacenter and instantly delivered through a multi-channel protocol. Hosted applications can be provided to
connected end users or configured to use Microsoft App-V technology to stream to end users for offline use. The Citrix
version of application streaming, is not supported in XenDesktop 7.6.
st
di
How can end users access hosted applications?
io
Discussion Question
ut
rib
Hosted applications on a Desktop OS were formerly known as VM Hosted Apps. Hosted applications on a Server
OS were formerly known as published applications.
23
Server OS Machines
ot
N
fo
e
al
es
rr
or
A Server OS machine was formerly known as a published desktop in Citrix XenApp 6.5. With the Server OS machine model,
multiple desktop sessions are hosted on a single server-based operating system. The Server OS machine model provides a lowcost, high density solution. Applications must be compatible with a server-based operating system. In addition, because
multiple users are sharing a single operating system end users are restricted from performing actions which may negatively
affect other end users, for example installing applications, changing system settings, and restarting the operating system.
st
di
io
ut
How can end users access Server OS machines?
rib
Discussion Question
24
Desktop OS Machines
ot
N
fo
e
al
es
rr
or
With the Desktop OS machine model, each end user is provided with a full desktop operating system, which provides
administrators with a granular level of control over the number of virtual processors and memory assigned to each desktop.
st
di
Desktop OS machines can be delivered as:
rib
RandomDesktops, which are based on a single master image and provisioned using Citrix Machine Creation Services or
Citrix Provisioning Services. End users are dynamically connected to one of the desktops in the pool each time they log
on. Changes to the desktop image are lost when the machine is restarted.
StaticDesktops, which are based on a single master image and provisioned using Citrix Machine Creation Services or
Citrix Provisioning Services. End users are administratively assigned a virtual desktop or are allocated a virtual desktop
on first access. Once assigned, end users will always be connected to the same virtual desktop. Changes to the desktop
image are lost when the machine is restarted unless persistent write cache or Personal vDisk is implemented. If high
availability/persistence of the end user's desktop personalization settings is required, use Static with Personal vDisk
Desktops.
Static with Personal vDiskDesktops are based on a single master image and provisioned using Citrix Machine Creation
Services (MCS) or Provisioning Services (PVS). End users are administratively assigned a virtual desktop or are allocated
a virtual desktop on first access. Once assigned, end users will always be connected to the same virtual desktop. Changes
to the desktop are stored on a Personal vDisk and retained between restarts. Desktops with a Personal vDisk cannot be
shared between multiple end users; each end user requires their own desktop. If high availability/persistence of the end
user's desktop personalization settings is required, the Personal vDisk must be stored on shared storage.
Existing refers to virtual desktops created from a manual build, a hypervisor template, cloning, or third-party tools. They
are not created using Citrix Machine Creation Services (MCS) or Citrix Provisioning Services (PVS). These desktops must
be managed manually with third-party desktop management tools.
io
ut
Desktop OS machines are delivered on a first-come, first served basis. An end user may get a different desktop
each time they log on.
25
Discussion Question
How can end users access Desktop OS machines?
Remote PC Access
ot
N
fo
al
es
rr
e
With Remote PC Access, end users are provided access to their physical workplace computers or laptops remotely using the
Citrix HDX protocol. This allows businesses to quickly benefit from a flexible work style without implementing virtual
desktops. Remote PC Access can be used as a stepping stone towards a full XenDesktop virtualization implementation. When
a company is ready, an established Remote PC Access environment can be converted to a full XenDesktop virtualization
infrastructure. Specialized physical computers such as CAD workstations, video editors, and high-security devices that need
physical FOBs for licensing and classified content are perfect candidates for Remote PC Access.
or
st
di
26
What do you need to configure for the Delivery Controller to enable Remote PC Access?
io
What do you need to install on the office PC to enable Remote PC Access?
ut
What do you need to install on the endpoint to enable Remote PC Access?
rib
Discussion Question
Streamed VHD
ot
N
fo
e
al
es
rr
or
With the Streamed VHD model, Provisioning Services provides desktop workloads based on a master image (either shared or
private) for each hardware type. In shared mode, changes to desktops are lost upon startup.
st
di
The Streamed VHD model allows any desktop workload to be run locally on the endpoint hardware. Streamed VHD is a
great solution for high-end hardware because it allows an existing corporate investment in high-end hardware to be used as
an asset in the XenDesktop environment. Streamed VHD requires a LAN connection between the desktop and the server
running Provisioning Services. The Provisioning Services server can be physical or virtual. If you only have one Provisioning
Services server, make it a physical Provisioning Services server. If all end user hardware is similar, then you can use a
common VHD. Each VHD must be customized to match the hardware of the endpoint.
io
ut
rib
Discussion Question
The Streamed VHD model allows you to use the computing power of the endpoint while still using desktop virtualization. In
order to use this computing power, what must the desktop image contain?
Local VM
27
You can create a VM and use the Synchronizer to deploy it to multiple XenClient devices. In addition, you can use the
Synchronizer to deploy an image to similar hardware in the event that a laptop is compromised, lost, or stolen.
All VMs must be created on the XenClient platform. A master image created in XenDesktop cannot be copied into the
Synchronizer because that master image (VDI) is dependent upon DOM0 to reach most of it's resources, whereas in a
XenClient deployment, each VM communicates directly with the hardware for all assets through the XenClient tools. The
XenClient tools must be installed on every VM on the laptop to facilitate access to all hardware assets.
XenDesktop (Enterprise and Platinum editions) includes the following Local VM solutions that allow XenDesktop
administrators to deliver desktops to users with offline capabilities, while still managing and enforcing security and
synchronization of backups:
XenClient works with PC-based laptops and desktops.

DesktopPlayer works with MacBooks.
XenClient consists of two components:
The XenClient Engine runs on users laptop or computer as a Type I bare-metal hypervisor that allows VMs to operate
the computers hardware.
The XenClient Synchronizer runs on a server and allows administrators to centralize and manage all distributed virtual
machines. A single Synchronizer can administer hundreds of XenClient Engines.
DesktopPlayer consists of two components:
ot
The DesktopPlayer for Mac runs on users MacBooks as a Type II hypervisor and enables Windows VMs to run on a
Mac host computer.
fo
For more information about DesktopPlayer, see www.citrix.com/desktopplayer.
rr
The Synchronizer runs on a server and allows administrators to centralize and manage all distributed virtual machines. A
single Synchronizer can control multiple DesktopPlayer machines.
al
es
The same Synchronizer management infrastructure is used for both XenClient and DesktopPlayer. You cannot
move a virtual machine from XenClient to XenServer or XenServer to XenClient. For more information about
XenClient, see www.citrix.com/xenclient.
or
st
di
Discussion Question
What is the purpose of XenClient, Receiver, and Synchronizer in the Local VM model?
io
ut
rib
Local Application Access
28
With the Local Application Access model, end users are provided with a Server OS machine or Desktop OS machine
delivered full screen. The end user has locally installed applications on the endpoint that they want to use within their virtual
desktop. Local Application Access allows you to make those locally installed applications available on the virtual desktop and
in the Start menu even when the desktop is running in locked-down full-screen mode. When the end user launches a local
application in the virtual desktop, the application window appears in the desktop session window even though it is actually
running on the endpoint. This is ideal for use-cases where desktops are being delivered full-screen and end users want to
simultaneously work with local applications like iTunes, CD burning software, video conferencing software, games, and more.
To use Local Application Access, Citrix Receiver must be installed. Local Application Access is enabled by default in Citrix
Receiver. In addition, you must enable Local Application Access using the Allow Local App Access (HDX) policy and apply it
to the Server OS and Desktop OS machines. Local Application Access is disabled by default in XenApp and XenDesktop.
Once enabled, you must publish the local applications using a Delivery Group in Studio.
Discussion Question
What is an advantage of providing Local Application Access to end users rather than installing the applications on the virtual
desktop?
Infrastructure Components
ot
A XenApp and XenDesktop implementation is only as good as the configuration of the infrastructure components on which
it is built. It is important that anyone tasked with deploying XenApp and XenDesktop in an environment understand the
purpose of each component in that infrastructure as it relates to XenApp and XenDesktop and understands how the
configuration of the infrastructure components affect the XenApp and XenDesktop implementation.
fo
rr
al
es
During this course, you will build an environment, similar to that shown in the following graphic, to produce a
pilot implementation of XenApp and XenDesktop. The pilot implementation will configure hosted applications,
Server OS machines, and Desktop OS machines for the Accounting, Human Resources, and IT departments at the
hospital. To accomplish this, you must set up not only the Citrix components and resources, but configure the
infrastructure that will support the deployment.
or
st
di
n
io
ut
rib
The following infrastructure components play a key role in the XenApp or XenDesktop solution:
29
Explanation
Domain Controller
The domain controller is a Windows server on which the

Active Directory Domain Services role is installed. Its role in
a XenApp and XenDesktop solution is to maintain
information about the objects (OUs, servers, groups, policies,
and end users) in the domain and authorize and authenticate
access to the domain. To ensure that the domain controller
service is highly available in your XenApp or XenDesktop
solution, you should configure at least two servers to serve as
domain controllers and both servers should be configured
with static IP addresses.
DNS
The DNS server role can be installed on the domain

controller in a domain. Its role in a XenApp and XenDesktop
solution is to resolve computer names to the IP addresses
assigned to the computers. This allows communications to be
sent to the IP address of the computer when the computer
name is entered. To ensure DNS is highly available in your
XenApp or XenDesktop solution, you should configure at
least two servers with the DNS server role.
DHCP
ot
Component
fo
Certificate Authority
al
es
rr
The DHCP server role can be installed on a Linux or

Windows server. Its role in a XenDesktop solution is to
manage the IP addresses and provide them automatically to
the computers in the environment that do not have them
statically assigned. DHCP can also be used by the
Provisioning Server component used by XenDesktop. To
ensure that the DHCP service is highly available in your
XenApp and XenDesktop solution, you should configure at
least two servers with the DHCP server role.
or
The Certificate Authority role can be installed on a Windows

server. Its role in a XenApp and XenDesktop solution is to
issue digital certificates that validate the identity of a
computer. In a XenApp and XenDesktop solution, an
internal Certificate Authority can be used to issue digital
certificates to components behind the firewall. Components
located in the DMZ and outside the domain should use
digital certificates provided by an external Certificate
Authority. To ensure that the Certificate Authority is highly
available, you should configure your Certificate Authority as
a cluster.
st
di
io
ut
rib
Deploying multiple Certificate Authorities instead of

clustering the Certificate Authorities only provides
redundant enrollment services. It does not allow for
recovery of the certificates in the event of a single node
failure.
File Server
30
A file server is a network accessible server that provides a

centralized location for storing data files. Its role in a
XenApp and XenDesktop solution is to host end-user profiles
and the redirected folders for end-users' data in the
environment. To ensure that your end users' profiles, data
files, and redirected folders are highly available, you should
configure at least two servers to serve in the file server role
through a DFS share or optimally through a file server
cluster.
Component
Explanation
SQL Server
The SQL Server is a relational database and management

system that can be installed on a Windows server. Its role in
a XenApp and XenDesktop solution is to store the Site,
configuration logging, and monitoring data for the
implementation. By default, XenApp and XenDesktop create
the required database on the SQL Server.
SQL Server Express cannot be configured for high
availability, so you should install and configure a full
SQL Server edition for use with XenApp and
XenDesktop.
To ensure that the XenApp and XenDesktop database is
highly available, two SQL Servers and a witness should be
configured for mirroring, or two or more SQL Server 2012
R2 servers should be configured to use the Always On
functionality.
ot
Storage
fo
e
al
es
rr
Hypervisor
Storage is required to store the VMs, ISOs, vDisks, Personal

vDisks, and write cache in your XenApp and XenDesktop
implementation. Types of storage include:
Local: Storage on the hard drive of a system
Shared: Storage that is network accessible
Both types of storage are required to implement XenApp and
XenDesktop. Storage is made available to the implementation
through the hypervisor. To ensure that storage is highly
available, use the best practices for the hypervisor and storage
vendors to implement and manage the storage.
or
A hypervisor is responsible for low-level tasks such as CPU

scheduling and memory isolation for VMs. The hypervisor
abstracts the hardware from the VMs. XenApp and
XenDesktop can run on a Citrix XenServer, Microsoft HyperV (through System Center Virtual Machine Manager), or
VMware hypervisor platform. To ensure that your XenApp
and XenDesktop implementation is highly available, you
should configure the selected hypervisor on more than one
server and configure your VMs to be agile.
st
di
ut
rib
Agile means that VMs can be moved from host to host.
io
The KMS License Server provides a way to automatically

activate volume license editions of Microsoft products
removing the need for end users to provide licensing
information or to connect to a Microsoft activation server.
This is important in a XenApp and XenDesktop environment
because desktops are provisioned on demand. A KMS Client
License is embedded in Microsoft products.
(Optional) Key Management Services (KMS) License Server
Installing individual licenses on VMs and Multiple

Activation Key (MAK) is another way to activate
Microsoft product licenses. With MAK licensing,
computers running Microsoft software are required to
connect to a Microsoft activation server at least once.
MAK licensing is not supported by XenApp and
XenDesktop 7.5 when using MCS. The KMS License
Server service can be placed on a server that provides
other services in the environment.
31
Component
Explanation
Endpoints
An endpoint is any device that the end user touches and can
support the use of the Citrix Receiver or the Receiver for
Web site to access XenApp and XenDesktop resources. This
includes PCs, Macs, laptops, servers, and mobile devices
running a variety of operating systems. Endpoints can be
located inside the network or be external to the network.
Print Server
A print server is a server that accepts print jobs from

networked computers for one or more printers. In addition,
it queues the print job and sends it to the correct print device
in the network. This enables multiple computers to use a
printer and eliminates the need for each computer to have a
printer physically attached to it. To ensure that the print
server function is highly available in your XenApp and
XenDesktop solution, you should configure at least two print
servers in a cluster.
ot
A print server may need to be restarted in order to

restart the Print Spooler. Therefore, the Windows Print
Services role should not be installed on a server that
must be always available.
fo
Demilitarized Zone (DMZ) or Perimeter Network
StoreFront can be deployed in either the internal

network or the DMZ.
al
es
rr
The DMZ is an area between two firewalls, one firewall

protects the internal network and the other firewall protects
the DMZ from the external network. Some XenApp and
XenDesktop components are located in the DMZ and others
are located in the internal network.
or
To ensure the security of your internal network, you should

consult with a security expert when configuring your DMZ.
st
di
io
Discussion Question
ut
rib
This course will take you through the steps required to set up a basic infrastructure to host a XenApp and
XenDesktop implementation. To ensure the security and the performance of your implementation, follow
Microsoft guidelines, your corporate guidelines, your customized XenApp and XenDesktop Design document, and
the advice of a security professional before rolling your implementation out to a production environment.
In the lab environment, you will use a single firewall that places the internal, DMZ, and external networks on different
network interfaces. This configuration is not optimal for a production environment. What are some weaknesses of this
solution and how might you improve the security?
Citrix Components
It is important that anyone tasked with deploying XenApp and XenDesktop in an environment understand the purpose of
each Citrix component in that implementation.
The following Citrix components play a key role in a XenApp and XenDesktop solution.
32
Component
Explanation
(Optional) Citrix XenServer
XenServer is a server virtualization platform (hypervisor) that

offers near bare-metal virtualization performance for a
XenApp and XenDesktop implementation. It allows each
virtual machine to run isolated from other virtual machines
on the server.
A hypervisor is required for XenApp and XenDesktop.
Microsoft Hyper-V (through System Center Virtual
Machine Manager) or VMware can be used as the
hypervisor instead of XenServer, if desired.
To ensure high availability, you should use the clustering
capability of the chosen hypervisor.
(Optional) Citrix XenCenter
The selected hypervisor requires a management console. The

management console you use is based on the hypervisor
selected. The management console can be Citrix XenCenter,
Microsoft SCVMM, or VMware vCenter.
ot
XenCenter is a Windows-based graphical management

console that enables you to deploy, manage, and monitor
virtual machines running on XenServer. XenCenter has
templates that make configuring your virtualized
environment fast and easy. XenCenter can be installed on
multiple Windows-based systems. This allows multiple
administrators to access and support the virtualized
environment.
fo
e
al
es
rr
Citrix Delivery Controller (Controller)
or
A Controller consists of services that communicate with the

hypervisor to make applications and desktops available,
authenticate and manage end-user access, and define the
connections between end users and their virtual desktops and
applications. The Controller controls the state of the
desktops, starting and stopping them based on demand and
administrative controls. To ensure that your XenApp and
XenDesktop implementation is highly available, you should
configure multiple Controllers in the environment.
st
di
Studio is the unified management console used to set up and

administer a XenApp and XenDesktop implementation.
Studio is used to manage Server OS machines, hosted
applications, Desktop OS machines, and Remote PC Access
through machine catalogs and Delivery Groups. To ensure
that Studio is highly available, you should install multiple
instances of Studio in the environment.
io
ut
rib
Citrix Studio
Studio can be installed on the Delivery Controllers.
Citrix Director
Director is a Web-based (read only) tool that enables IT

support and Help Desk teams to monitor an environment,
troubleshoot issues before they become system critical, and
perform support tasks for end users. To ensure that Director
is highly available, cluster the host on which Director is
installed.
33
Component
Explanation
Citrix License Server
The Citrix License Server stores and manages the license files
for all Citrix components within the XenApp and
XenDesktop architecture, with the exception of NetScaler
components, which are manually configured with license
files. If XenApp and XenDesktop is deployed across multiple
sites, each site should have its own license server with an
allocated license file to prevent slow logons resulting from
license acquisition. Citrix licenses have a 30-day grace period
during which XenApp and XenDesktop components will
continue to function normally should the license server
become unavailable. Because of this grace period, a single
license server can be used per site. Should the license server
fail, this grace period provides enough time to restore the
license files on another server without interrupting the
XenApp and XenDesktop implementation.
Citrix Receiver
ot
You can install the Citrix License Server on a physical

server or a VM. At this time, you cannot use the Citrix
License Server VPX to provide this functionality. Refer
to http://support.citrix.com for the latest information.
fo
StoreFront provides authentication and resource delivery

services for end users of Citrix Receiver. In addition,
StoreFront uses a local data file to keep track of end-users'
application subscriptions, shortcut names, and locations so
end users have a consistent experience across all of their
endpoints. To ensure that StoreFront is highly available, you
should install multiple StoreFronts. All StoreFronts will
automatically synchronize among themselves once they are
added to the server group.
al
es
rr
Citrix StoreFront
Receiver is platform-specific software that provides secure,

high-performance delivery of virtual desktops and
applications in a XenApp and XenDesktop environment.
Plug-ins for Receiver provide advanced features and
capabilities.
or
st
di
NetScaler is a secure application access solution that provides

granular application-level policy and action controls.
NetScaler provides a wide range of functions, including load
balancing, ICA proxy, and endpoint analysis that can control
remote access to the resources in your XenDesktop
environment.
io
ut
rib
Citrix NetScaler
To ensure that NetScaler is highly available, you should

deploy NetScaler in an HA pair.
34
Component
Explanation
Citrix Provisioning Services (PVS)
PVS allows machines to be provisioned and re-provisioned in

real-time from a single vDisk image. This eliminates the need
to manage and update individual virtual machines. To ensure
that PVS is highly available, you should deploy multiple PVS
servers and ensure that all servers can see the store or a
replicated store.
With PVS you install the required software on a Master
Target Device. Then you create a vDisk image of the
hard drive on the Master Target Device and save it to
the network. Once the vDisk is available from the
network, the target device no longer needs its local hard
drive to operate and starts up directly across the
network. PVS streams the contents of the vDisk to the
target device on demand, in real time. The target device
behaves as if it is running from its local hard drive.
Citrix Provisioning Services Console
ot
Provisioning Services Console is the management console for

PVS. It can be installed on any computer that can
communicate with the PVS database and the SOAP service
on the PVS servers. To ensure that the Provisioning Services
Console is highly available, you should install the console on
multiple servers.
fo
e
al
es
rr
Machine Creation Services (MCS)
or
Personal vDisk (PvD)
MCS is a collection of services that work together, from the

XenApp and XenDesktop Delivery Controllers, to create
virtual machines from a master image. One of the primary
benefits of MCS is the ease with which virtual desktops can
be updated. MCS provides many of the same single image
management benefits of Provisioning Services, but works
directly on the storage managed by the hypervisor without
the need to use PXE or BDM to start a target device.
st
di
PvD is a separate virtual disk attached to an end-user's

virtual machine. The PvD stores the end-user's
customizations and personally installed applications. When
an end user logs on to a Desktop OS machine (XenDesktop
only), the contents of the PvD are blended with the contents
of the desktop. This separation allows the administrator to
make changes to the master image without causing the end
user to lose their customizations and personally installed
applications.
io
ut
rib
If Citrix Profile Management is being used to store the

end-user's customizations, you can disable end-user
customizations in the PvD or vice versa.
Universal Print Server
The Universal Print Server allows Windows print servers to

use the compression and optimization capabilities of Citrix
Universal Printer Drivers for network printers. The Universal
Print Server has two parts: a Universal Print Client and a
Universal Print Server. The server part is loaded on existing
Windows print servers and the client part is included in the
Virtual Delivery Agent (VDA) software installation.
35
Component
Explanation
Citrix Profile Management
Profile Management (previously a separate component) is

integrated in the Enterprise and Platinum editions of
XenApp and XenDesktop as policies. It provides an easy way
to manage end-user personalization settings (profiles) and
provide end users with fast logons and logoffs. You can opt
to use Profile Management policies or another profile
management solution with XenApp and XenDesktop. Profile
Management policies offer several advantages over roaming
profiles including extended synchronization to eliminate lastwrite wins conflicts and profile bloat.
Virtual Delivery Agent (VDA)
A Virtual Delivery Agent (previously called a Virtual Desktop

Agent) enables virtual machines to register with Controllers.
In addition, the VDA manages the HDX connection between
the virtual machines and the endpoints. When an end user
logs on to a resource through Receiver, the Receiver on the
end-user's endpoint links to the Virtual Delivery Agent on
the virtual machine and establishes a session.
ot
N
Discussion Question
fo
The Delivery Controller, Studio, and Director can be installed on which operating systems?
rr
es
Designing a XenApp and XenDesktop Implementation
al
XenApp and XenDesktop allows you to start an implementation with a simple configuration, such as the one being taught
during this class, and add additional desktop virtualization models and end users at a later time. However, to realize the
immediate benefits and ensure the success of your implementation, it is imperative that you assess the needs of your
organization and then use that information to design a customized virtualization solution. Failure to thoroughly assess and
design a solution may cause your implementation to fail.
or
st
di
Properly executed Assess and Design phases will save hours in the Deploy phase. Design cannot be carried out in
a vacuum. You cannot design a solution until you understand the requirements of the organization and the end
users that will use your solution. A bad design cannot be remedied by administration. Some organizations will
need to ask for professional help during the Assess/Design phases.
rib
You can use the Citrix Virtual Desktop Handbook for XenDesktop to assist you in:
io
Assessing the needs of your organization.

Designing your desktop virtualization solution.
ut
The Citrix Virtual Desktop Handbook, available at http://support.citrix.com/article/CTX139331 follows the Citrix Consulting
Methodology. This proven methodology has been successfully employed across thousands of desktop virtualization projects.
Each phase includes guidance on the important questions to ask, what tools to use, and tips to help you succeed. The Citrix
Consulting Methodology consists of four phases.
36
To learn more about designing a XenApp and XenDesktop solution, you can attend the CXD-400 Designing App
and Desktop Solutions with Citrix XenDesktop 7 course.
ot
N
Assess Phase
fo
During the Assess phase, you identify the following information that is necessary for the design:
or
st
di
Discussion Question
io
ut
rib
al
Business Drivers identify the motivation and key drivers behind the desktop virtualization initiative. This information
allows you to focus your efforts on creating a solution that meets the needs of the business based on the priorities of the
business.
Data Capture identifies (inventories) the end users, applications, devices, and current infrastructure components. This
information allows you to segment end users, identify risks, and determine the capabilities of the current environment.
User Segmentation divides the end users into groups based on a common set of requirements. This information allows
you to assign the appropriate desktop virtualization model to each group without compromising performance or
functionality.
Application Assessment identifies the applications currently in use in the environment. The application list is
rationalized by justifying the removal of legacy applications, standardizing application versions, and removing nonbusiness applications. The remaining applications are then analyzed for compatibility issues.
Roadmap prioritizes the rollout to each user group by comparing implementation time/resources against business
objectives as defined by the business drivers. The results of this prioritization process are then used to update the project
plan. The project team that will implement the solution is then assembled according to the skillsets required.
es
rr
What is the main reason for understanding the top business drivers for moving to a desktop virtualization solution?
Design Phase
During the Design phase, you use the information gathered during the Assess phase to create a customized desktop
virtualization design.
37
ot
This graphic is based on the inputs provided during the Assess phase of a sample project. It depicts a logical
representation; looking at components within the Access, Desktop, and Control Layers. Ultimately all of the sizing
and scaling decisions are based on the hardware components that are selected to host the components within the
Hardware layer.
fo
User Group Layer documents the recommended endpoints and the required end-user experience functionality.
Access Layer shows how end users will connect to the desktops that are defined in the Desktop Layer. Local end users
will often connect directly to StoreFront while remote end users often connect through a DMZ that protects the internal
environment. To bridge the DMZ, remote end users will often connect through an SSL-VPN device (like Citrix
NetScaler). Disconnected end users using Citrix XenClient will need to synchronize their local images with the backend
store (Synchronizer) through a browser (not StoreFront). This requires additional access through the DMZ that separates
the internal and external environments.
Desktop Layer identifies the desktop virtualization model selected for each user group. The Desktop Layer is further
subdivided by Image, Applications, and Personalization. Within each sub-layer, specifics are documented that detail the
operating system, assigned policies, profile design, and application requirements.
Control Layer provides details about the controllers needed to manage and maintain the entire solution. The Control
Layer is further subdivided by Access Controllers, Desktop Controllers, and Infrastructure Controllers. The Access
Controllers manage the hardware needed to support the Access Layer. The Desktop Controllers provide details about the
components needed to support the Desktop Layer, which could include XenApp and XenDesktop, XenClient, or
Provisioning Services. Finally, the Infrastructure Controllers are responsible for providing the underlying resources
needed to support each component. These resources can include databases, license servers, and hypervisor controllers.
Hardware Layer provides the physical devices required to support the entire solution. It includes servers, processors,
memory, and storage devices.
al
es
rr
The design is accomplished using a five-layered approach that focuses the design process and ensures that all necessary
considerations are included in the design. The layers include:
st
di
io
ut
rib
or
Discussion Question
During the Design Phase, you document the recommended endpoints and the required end-user experience functionality
based on the information gathered during the Assess phase. What might influence the design of the User Group layer?
Deploy Phase
During the deploy phase the application and desktop virtualization solution is installed and configured as described in the
Design phase.
A pilot is performed to ensure that all requirements are addressed. In addition, the pilot helps determine the scalability
thresholds for the production environment. Key success criteria are identified for the pilot and the environment is then tested
38
by a subset of end users. Once the pilot is completed, the solution is rolled out to production. The rollout to production
includes technical assistance, deployment work plans, end-user training, and IT staff training.
Discussion Question
When building a XenApp and XenDesktop implementation, which of the five layers should be implemented first?
Maintain Phase
The Maintain phase occurs after the application and desktop virtualization solution has been rolled out to production.
During the Maintain phase, the following activities are performed:
ot
Monitoring enables administrators to address issues proactively. By having an in-depth understanding of the current and
expected behavior of the various components, administrators are better equipped to discover an issue before it impacts
the end-user community. Furthermore the data tracked during normal operations can be used for trending and capacity
planning.
Support fine tunes the pilot outputs in terms of proper staffing, organization, training, and tools required by technical
support to provide issue resolution for the production environment.
Testing and Change Control ensures that all upgrades and improvements are properly approved, tested, and validated by
appropriate parties. The change management process ensures that changes in production environments are deliberate,
proven, and accountable.
Ongoing Operations identifies routine operations and structures the responsibilities and assignments for maintenance,
issue prevention, and resolution in the production environment to reduce issues and their resolution times.
fo
es
rr
Discussion Question
or
Design Document
al
Which Citrix consoles can be used to maintain, monitor, and support a XenApp and XenDesktop implementation?
io
ut
Types of end users and their requirements

Types of devices and Citrix Receivers that will be used to access the XenApp and XenDesktop environment
XenApp and XenDesktop Site architecture
Operating system delivery methodology such as Streamed VHD, Server OS machines, and Desktop OS machines
Application delivery methods such as hosted applications, locally installed applications, and Streamed Applications (AppV)
End-user profile management and logon script management
Printing strategy/printing policies
User policies
Internal and external end-user access
Peripheral components required to support the XenApp and XenDesktop environment, such as the virtualization
infrastructure, hardware, network, storage, and Active Directory
Redundancy and continuity recommendations for disaster recovery purposes
rib
st
di
The Design document is used to deploy the virtualization solution. It contains the details for implementing the application
and desktop virtualization solution. It is created using the information gathered during the Assess and Design phases. Within
the Design document you will find information about the:
After the Design document is approved, you can use it to ensure that you configured the XenApp and XenDesktop
implementation to best meet the needs of the organization and ensure the success of the implementation.
Reinforcement Exercise: Identifying Components
Citrix Delivery Controller
39
Citrix Director
Demilitarized Zone
Desktop OS machines
File Server
Hosted Applications
SQL Server
Server OS machines
Term
Description
Supports the use of static desktops with a Personal vDisk.
Provides desktop sessions to multiple end users from a single
server.
ot
Uses the processing power of Server OS and Desktop OS

machines to run.
Stores redirected folders and end-user profiles.
fo
Contains the NetScaler appliances.
al
es
rr
Stores the Site, Configuration, and Monitoring data for

XenApp and XenDesktop.
Starts and stops desktops based on demand and

administrative controls.
or
io
Term
ut
Citrix Provisioning Services

Citrix Receiver
Citrix Studio
Hypervisor
Machine Creation Services
Personal vDisk
Virtual Delivery Agent
rib
st
di
Provides monitoring and support capabilities for XenApp

and XenDesktop.
Description
Provides the management interface for XenApp and
XenDesktop.
Delivers virtual desktops and applications to end users.
Uses a vDisk image to provision virtual machines.
Uses a master desktop image to create virtual machines.
40
Term
Description
Stores an end-user's customizations and installed applications
and is associated with a virtual machine.
Enables virtual machines to register with the Delivery
Controllers.
Abstracts the hardware from the virtual machines.
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
41
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
42
Module 2
Setting Up the Hypervisor
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
44
Setting Up the Hypervisor

Overview
A hypervisor allows multiple operating systems to run as virtual machines (VMs) on a single physical host. A hypervisor is
installed on a host computer that is dedicated entirely to the task of running the hypervisor and hosting VMs. It works by
allocating the resources of the host computer to the VMs running on it. The management console used to manage the
hypervisor can be installed on any system with a supported operating system. The management console allows you to create
VMs, take VM disk snapshots, and manage VM workloads.
Using a hypervisor rather than installing XenApp and XenDesktop components directly on physical hardware limits your
exposure to hardware failure and reduces the cost of deploying the solution. This cost reduction is the result of reduced
power consumption, increased utilization of existing hardware, fewer required servers, and decreased space and cooling
requirements. In addition, management becomes streamlined and efficient because you are managing the pool as a single unit
rather than managing each system separately.
The hypervisor should be the first component configured in the environment so that most or all of the components in the
environment can be virtualized.
ot
XenApp and XenDesktop can be used with Microsoft Hyper-V, Citrix XenServer, or VMware vSphere. Citrix
XenServer will be the virtualization platform used during this course, but any of the supported hypervisors could
have been used.
Install XenServer.
Install and configure the XenCenter management console.
Configure XenServer.
Create a virtual machine template.
Module timing: 3 hours
al
es
rr
fo
After completing this module, you will be able to:
or
At the beginning of this module, the VMs should be in following the states:
DomainController-1 = On
All other VMs = Off
st
di
rib
Installing the Hypervisor
io
ut
When you install a hypervisor on a bare-metal box, the hypervisor software installs a kernel. It installs a Linux kernel for
vSphere and XenServer and a Windows kernel for Hyper-V. The appropriate hypervisor tools (XenServer Tools, and VMware
Tools) need to be installed on the virtual machines to allow them to communicate optimally with the hardware and the
control domain. Hyper-V has its hypervisor tools (Integration Services) built into Microsoft Windows. The following graphic
illustrates this point.
Module 2: Setting Up the Hypervisor
45
Hardware-assist virtualization technologies are built into many central processing unit (CPU) chips
manufactured by both Intel and AMD. With hardware-assist virtualization, the guest operating system on the
virtual machine does not require modifications in order to have direct access to the server resources.
Hardware assist must be enabled through the BIOS on the host for XenServer.
Paravirtualization allows a guest operating system, such as Windows, to communicate with the hypervisor.
This direct communication improves performance and is enabled by installing paravirtualization tools such as
XenServer Tools or VMware Tools on the virtual machines.
ot
fo
es
rr
All hypervisors are composed of the following components:
st
di
Hardware Layer contains the physical server components, including memory, CPU, and disk drives.
Hypervisor is a thin layer of software that runs on top of the hardware. The hypervisor provides an abstraction layer that
allows each physical server to run one or more virtual machines, effectively decoupling the operating system and its
applications from the underlying hardware.
Control Domain manages the network I/O and storage I/O of all virtual machines. The control domain is a Linux virtual
machine for vSphere and XenServer, with higher priority to the hardware than other guest operating systems. In HyperV, the control domain is embedded in the hypervisor and is provided by the base installation of the server operating
system when the Hypervisor role is added to the base operating system.
Guest Operating System is the operating system that is installed on the virtual machines hosted by the hypervisor.
Linux Virtual Machines are accessed through the control domain, while CPU and memory are accessed through the
hypervisor directly to the hardware.
Windows Virtual Machines use paravirtualized drivers to access storage and network resources through the control
domain. XenServer is designed to use the hardware virtualization of Intel VT- or AMD-V-enabled CPUs.
or
al
Regardless of the hypervisor selected to support your XenApp and XenDesktop implementation, the installation basics are the
same. First, verify that the hardware and software requirements are met by the system on which you plan to install the
hypervisor. Second, make sure that you carefully follow the instructions to properly install and configure the hypervisor.
io
ut
rib
To Install XenServer
XenServer is pre-installed in the lab environment. To experience installing XenServer to support a XenApp and
XenDesktop implementation, we have provided an Installing XenServer exercise below. Click the following link
and use the steps in this course to complete the exercise:
Installing XenServer Exercise
You can access a list of all simulated exercises from the Student Resource Kit module located in this course.
1.
46
Insert the XenServer installation media in the drive of the computer and start the installation program.
During the XenServer installation, you will not be able to use a mouse to navigate.
Proceed to the next step since this has been competed within the simulation.
2.
Select the Keymap layout for the installation and then press Enter.
Verify that [qwerty] us is highlighted, press the spacebar, and then press Enter twice.
3.
Determine if a device driver needs to be loaded.

Press Enter on the Welcome to XenServer Setup screen to continue to install XenServer without loading additional
device drivers.
4.
Read and respond to the End User License Agreement (EULA).

Press the Left arrow key to select Accept EULA and then press Enter.
Specify the storage to use, whether the storage should be optimized for XenApp and XenDesktop, and then press Enter.
al
es
rr
c.
d.
Verify that sda-20 GB [ATA VBOX HARDDISK] is selected.

Press the Down arrow key to highlight Enable thin provisioning (Optimized storage for XenApp and
XenDesktop).
Press the spacebar to select Enable thin provisioning (Optimized storage for XenApp and XenDesktop).
Press Enter twice.
fo
a.
b.
ot
5.
If the server does not have Hardware Assist enabled in the BIOS, an error message will appear after you accept
the EULA. You can continue with the installation, but XenServer will have limited functionality until
Hardware Assist is enabled.
Thin Provisioning optimizes the utilization of available storage for XenApp and XenDesktop end users and
enables local caching to work properly.
or
6.
Select the installation media source and then press Enter.
st
di
Press the spacebar to select Local media as the installation source and then press Enter twice.
Determine if Supplemental Packs will be installed and then press Enter.
Press the Right arrow key to select No and then press Enter.
io
7.
ut
rib
Select Local media if you are installing XenServer from a CD. Select HTTP, FTP, or NFS if you are installing
XenServer using PXE. When Local media is selected, the installer will check the repository.
This step is only displayed if you selected Local media during the previous step. If you selected HTTP, FTP, or
NFS, you must configure networking so that the installer can connect to the XenServer installation media files
on the network.
8.
Determine if the integrity of the installation media should be verified before beginning the installation and then press
Enter.
Press the Up arrow key to select Skip verification and then press Enter twice.
If you select Verify installation source, the MD5 checksum of the package is calculated and checked against the
known value. Verification may take a few minutes.
47
9.
Specify the password to set for the root account on the XenServer and then press Enter.
a.
b.
c.
Type Password1 in the Password field and then press Enter.

Type Password1 in the Confirm field and then press Enter.
Press the Down arrow key and then press Enter.
10. Specify how networking should be configured, set up the primary management interface, and then press Enter.
You can get an IP address automatically using Automatic configuration (DHCP) or specify it yourself using
Static configuration.
a.
b.
c.
d.
e.
Press the Down arrow key to highlight Static configuration and then press the spacebar.
Press the Down arrow key to move to the IP Address field, type 192.168.10.24, and then press Enter.
Type 255.255.255.0 in the Subnet mask field and then press Enter.
Type 192.168.10.1 in the Gateway field and then press Enter.
Press the Down arrow key and then press Enter.
11. Specify the host name and DNS configuration and then press Enter.
Type xs1 in the Hostname field and then press Enter.

Type 192.168.10.3 in the DNS Server 1 field and then press Enter.
Press the Down arrow key twice and then press Enter.
ot
fo
a.
b.
c.
rr
al
es
To be part of a pool, XenServer hosts must have static IP addresses or be DNS addressable. When using
DHCP, ensure that a static DHCP reservation policy is in place. If you want to manually specify the host
name, use a short host name and not the fully qualified domain name (FQDN). Typing an FQDN may cause
external authentication to fail. At least one DNS server address must be specified. Adding a second and third
DNS address will ensure that XenServer can find other machines on the network based on their names if the
first DNS server is unavailable.
or
12. Select the geographical area and then press Enter.
Press the Down arrow key to select America for the time zone and then press Enter twice.
st
di
13. Select the city and then press Enter.
Type L, press the Down arrow key to select Los Angeles, and then press Enter twice.
rib
14. Specify how you would like the server to determine local time and then press Enter.
io
ut
Press the Down arrow key to select Manual time entry for the system time and then press Enter twice.
NTP (Network Time Protocol) requires an NTP server on the network. If you select Using NTP, you must
provide the address of the NTP server in your network. If your network does not have an NTP server, you
should select Manual time entry.
15. Press the Left arrow key to select Install XenServer and then press Enter.
16. Set the local time and date and then press Enter.
Press the Down arrow key to select OK and then press Enter to accept the default settings for the local time and date.
17. Press Enter when the installation completes to restart the server.
The XenServer Configuration screen appears once the server restarts.
Discussion Question
What is the minimum number of physical computers required for a redundant XenServer implementation?
48
Installing the Hypervisor Management Console

Hyper-V, XenServer, and vSphere hypervisors are command-line based software programs. Each of these hypervisors has a
management console that can be installed on a separate system to configure the hypervisor, create and configure virtual
machines, and monitor the resources available to the hypervisor.
ot
N
fo
al
es
rr
The management console is a GUI that allows you to see multiple settings at once. It should be used for daily maintenance
tasks and for tasks that are performed on an as-needed basis. Tasks that must be repeated on a regular basis should be
scripted to use the command-line interface instead of the management console for the hypervisor. For example, you can
create a script that takes a snapshot of a live running machine and then exports it as a backup. You can then run the script as
a scheduled task to create regular backups of a machine without shutting it down. Scripting is enabled by the XE commandline interpreter, which is installed wherever you install the XenCenter management console. For a comprehensive list of
commands that can be used for scripting, see Appendix A in the XenServer Administrator's Guide which is available from
http://docs.citrix.com.
or
st
di
To Install XenCenter
ut
rib
You can install XenCenter on any computer that has access to the servers running the XenServer hypervisor and has
Microsoft .NET Framework 3.5.1 installed on it. In this exercise, you will install XenCenter on a Windows 8.1 system called
MyLaptop.
io
XenCenter is pre-installed in the lab environment. To experience installing XenCenter to support a XenApp and
XenDesktop implementation, we have provided an Installing XenCenter exercise below. Click the following link
and use the steps in this course to complete the exercise:
Installing XenCenter Exercise
1.
Insert the XenServer installation media in the drive of the computer that has Microsoft .NET 3.5.1 installed on it and
start the installation program.
Proceed to the next step.
2.
3.
Click the File Explorer (folder icon) on the taskbar.

Select the drive containing the XenServer installation media.
Click CD Drive (G:) XenServer-6.1.0.
4.
5.
6.
Double-click the client_install folder.

Double-click the XenCenter Windows Installer file.
Click Next in the Welcome to Citrix XenCenter Setup Wizard screen.
49
7.
Specify the folder where you want to install XenCenter, determine if XenCenter should be installed for all users of the
system or just the currently logged on user, and then click Next.
Click AllUsers and then click Next to accept the default installation location.
8.
9.
Click Install to begin the installation.

Click Finish to close the Citrix XenCenter Setup Wizard after the installation completes.
Discussion Question
Why should you secure the XenCenter management console for your hypervisor? How can you secure the management
console?
Connecting the Management Console to the Hypervisor

Before you can begin using the console, you must first configure it to communicate with the hypervisor that you will be
managing and add a license for the hypervisor. Every time you launch the console, you must reconnect the console to the
hypervisor unless you choose to save the settings. The settings can be saved with or without a password.
ot
To Connect XenCenter to the XenServer Host
fo
XenCenter is pre-configured in the lab environment. To experience configuring XenCenter to connect to a

XenServer, we have provided a Connecting to XenServer exercise below. Click the following link and use the steps
in this course to complete the exercise:
Connecting to XenServer Exercise
es
rr
Log on to the system hosting XenCenter.

Open Citrix XenCenter.
Click Start on the lower-left corner of the screen.

Click Citrix XenCenter.
st
di
a.
b.
Click Add New Server.

Type the host name or IP address of the XenServer host in the Server field.
Press Tab and then type the user name for the administrator account on the server.
6.
Proceed to the next step to accept the default user name.
io
5.
ut
Type 192.168.10.24 in the Server field and then press Enter.
rib
3.
4.
or
2.
al
1.
Press Tab and then type the password for the administrator account.
7.
Click Add.
The XenServer environment will appear in the console and storage is automatically configured on the local
disk of the host. If XenServer is installed on additional servers, you can add them to the XenCenter console
using these steps.
8.
Close the XenCenter window.

Click the X in the upper-right corner of the XenCenter window.
50
Discussion Question
The management console for your hypervisor and the computer it was installed on are not available to you. What other
options are available to you to manage the hypervisor environment?
Configuring the Hypervisor

Hyper-V, XenServer, and vSphere hypervisors are highly customizable. For example, you can configure:
The network interfaces used by the hypervisor.

A library to host the ISO resources available to the VMs.
The virtual disk storage used by the VMs.
Templates for virtual machines.
Configuring the Virtual Networks
A virtual network provides flexibility to satisfy changes in security and application requirements quickly and efficiently. For
example, when someone needs a new virtual machine (VM) or application, you can add a new virtual network that can isolate
the VM from other VMs in the environment.
Physical interface (PIF) is the physical network interface card for each host.
Virtual interface (VIF) is a server-side software object that is a virtual representation of a computer network interface. A
virtual machine connects to a virtual interface to provide network connectivity to other virtual machines and the physical
network.
Network the control domain (DOM0) is used to bridge multiple virtual interfaces to a physical interface. Some
hypervisors refer to this as a virtual switch.
fo
ot
A virtual network consists of three pieces:
al
es
rr
Each of these three pieces has their own universally unique identifier (UUID). The UUID allows you to refer to the specific
object you want to act upon. For example, you can take a VIF and attach or unattach it using a script that references its
UUID. When typing the UUID in XenServer, you can type the first few characters and then press the Tab key to complete it.
or
st
di
n
io
ut
rib
NIC bonding is another network task that can be performed at the physical layer of the network. It combines one or more
NICs connected to the same physical network.
51
When you bond multiple NICs, a new virtual NIC is created. This is the bond master, and the bonded NICs are known as the
NIC subordinates. The NIC bond can then be connected to a network to allow virtual machine traffic and server management
functions to take place across that bond.
There are two NIC bonding modes:
Active-active mode provides load balancing of virtual machine traffic across the physical NICs in the bond. If one NIC
within the bond fails, all of the network traffic on the host is automatically routed over the second NIC.
Active-passive (active-backup) mode provides hot-standby capability. Only one NIC in the bond is active; the inactive
NIC becomes active if and only if the active NIC fails.
A XenServer with its management interface on a bonded network will have limited pool functionality. For example, the
"create a pool" and "join a pool" tasks will not be permitted. To get past this issue, you can temporarily attach the
management interface to a non-bonded network. Perform the management tasks and then reconnect the management
interface to the bonded network. This restriction also applies to management interfaces attached to tagged VLANs.
To Configure an External Network
ot
XenServer is pre-configured in the lab environment. To experience configuring virtual networks for XenServer, we
have provided an Adding a New Network exercise below. Click the following link and use the steps in this course
to complete the exercise:
Adding a New Network Exercise
fo
1.
Select the XenServer host in XenCenter to which you want to add a network.
or
3.

al
a.
b.
es
2.
rr
Verify that xs1 is highlighted in the left column under XenCenter.
st
di
4.
Click the Networking tab.
Click Add Network.

Select the type of network to add and then click Next.
7.
Verify that External Network is selected and then click Next.
io
5.
6.
ut
rib
XenServer automatically manages NICs as needed based on the related network, virtual interface, server
network, and bond configuration. You can view the available NICs, configure NIC bonds, and dedicate NICs
to a specific function from the NICs tab.
Specify the name of the new network and then click Next.
Type Network2 in the Name field, press Enter, and then click Next.
8.
Select the network interface to be used by the new network.

Select NIC 1 from the NIC field.
9.
Select a number to use for the VLAN on the network.

Accept the default value of 1 in the VLAN field.
10. Select the appropriate MTU value for your network.

Accept the default value of 1500 for the MTU.
52
Maximum transmission unit (MTU) identifies the maximum number of bytes of data the protocol can pass in
a packet. The larger the MTU the more efficient the throughput. The default MTU size for Ethernet is 1500.
11. Select Automatically add this network to new virtual machines.
12. Click Finish and then verify that the new network on VLAN 1 appears in the list.
13. Close the XenCenter window.
Discussion Question
A database application has recently emerged from the pilot phase. After the rollout to the production environment, end users
began complaining about slow access to the database. What should the administrator do to address this issue?
Creating a Pool or Cluster of Hosts
ot
A pool or cluster is comprised of multiple hosts, bound together as a single managed entity. When combined with shared
storage or local storage, a pool or cluster enables VMs to be created or started on one host and then dynamically moved to
another host in the pool or cluster, if the original host fails. This functionality in XenServer and vSphere is called High
Availability (HA). In Hyper-V this functionality is called HA Protection.
fo
es
rr
To Create a New Pool in XenServer
al
XenServer is pre-configured in the lab environment. To experience configuring a new pool for XenServer, we have
provided a Creating a XenServer Pool exercise below. Click the following link and use the steps in this course to
complete the exercise:
Creating a XenServer Pool Exercise
1.
or
st
di

2.
io
ut

rib
a.
b.
There are two XenServer hosts available in XenCenter. You are going to create a pool so VMs running on
these hosts can be dynamically moved from one host to the other.
3.
4.
Click New Pool in the XenCenter toolbar.

Type a name for the new pool.
Type Pool1 in the Name field and then press Enter.
5.
Select a server in the Master field.

Verify that xs1 is selected as the Master.
6.
Select one or more servers to place in the new pool from the Additional members list.
All available XenServer hosts are listed. If a host is not listed, it may be because it does not satisfy one or more
of the pool joining requirements.
53
Select xs2 as a member.

7.
8.
Click Create Pool to create the new pool.

Double-click the newly added pool to view the pool members.
Double-click Pool1.
9.

Discussion Question
What is required to implement a pool or cluster of hosts for a hypervisor environment?
Configuring an ISO Library
Network File System (NFS) share, which uses the Linux/Unix NFS protocol to share files and folders on the network.
Common Internet File System (CIFS) share, which uses the Windows CIFS protocol to share files and folders on the
network. A CIFS share is only available to Hyper-V and XenServer hypervisors.
fo
ot
An ISO is a disk image of a CD or DVD. An ISO library is a type of storage repository. It is used to store CD/DVD images in
the ISO format. Storing ISOs in a library makes them administratively accessible to any VM. An ISO library can be added
anytime to create a virtual collection of installation media. CD/DVD images in the ISO library can be shared and accessed by
VMs hosted by the hypervisor. An ISO library can be created as a:
rr
al
es
The share must be pre-created prior to creating the storage repository and all .ISO files must be at the root of the share. ISOs
stored in subfolders will not be enumerated and therefore cannot be seen.
To Configure an ISO Library for XenServer
or
st
di
XenServer is pre-configured in the lab environment. To experience configuring an ISO library for XenServer, we
have provided a Creating an ISO library exercise below. Click the following link and use the steps in this course to
Creating an ISO Library Exercise
1.
ut

a.
b.
3.
io
2.
rib
Select the XenServer host to which you want to attach the new storage repository.
Verify that xs1 is selected.
4.
5.
Click New Storage in the XenCenter toolbar to open the New Storage Repository wizard.
Select the type of ISO library you want to create and then click Next.
Select Windows File Sharing (CIFS) and then click Next.
6.
Type a name for the new storage repository in the Name field.
Type My-ISOs in the Name field and then press Enter.
54
7.
Type a description or allow XenCenter to automatically generate the description for the storage repository and then click
Next.
Click Next to allow XenCenter to automatically generate the description.
8.
Type the location of the share in the Share Name field.

Type \\WIN-V06KOCR56GO\ISO_Library in the Share Name field and then press Enter.
9.
Determine if different credentials should be used to connect to the share.

Different credentials may be necessary if the host instance does not have the necessary rights to the network
share.
a.
b.
c.
Click Finish to create the ISO storage repository.

Click the My-ISOs storage repository in the left pane of the XenCenter window.
Click the Storage tab to view the ISO files store in the share addressed by the storage repository.
ot
10.
11.
12.
13.
Select Use different user name.

Type Administrator in the User name field and then press Enter.
fo
es
rr
Discussion Question
al
You can perform Detach, Forget, and Destroy operations on a storage repository. What do each of these operations do and
when might you use each?
or
Configuring Virtual Disk Storage
st
di
Virtual disk storage is used to store the virtual disks used by the VMs. You can create additional virtual disk storage if
external storage is available. In Hyper-V virtual disk storage is referred to as a store; in vSphere it is called a data store; in
XenServer it is called a storage repository. You can set virtual disk storage up during the initial installation of the hypervisor
or at any time after the installation. If you create the virtual disk storage after installation, you must shut down the VMs and
move them manually to the storage. If you are using the most current version of a hypervisor, storage motion is available (this
allows a VM to be moved from local to external storage while the VM is active) but this operation can be time consuming.
ut
rib
io
To Configure Virtual Disk Storage
XenServer is pre-configured in the lab environment. To experience configuring additional virtual disk storage for
XenServer, we have provided a Adding Virtual Storage below. Click the following link and use the steps in this
course to complete the exercise:
Adding Virtual Storage Exercise
1.

2.

a.
b.

55
3.
Select the XenServer host to which you want to attach the new storage repository.
Verify that xs1 is selected.
4.
5.
Click New Storage to open the New Storage Repository wizard.

Select the type of virtual disk storage you want to attach to your host and then click Next.
Verify that NFS VHD is selected and click Next.
ot
NFS VHD storage repository stores VM images as thin-provisioned VHD format files on a shared NFS
target. Existing NFS servers that support NFS V3 over TCP/IP can be used as a storage repository for
virtual disks. NFS storage repositories can be shared, allowing any VMs with their virtual disks in an NFS
VHD storage repository to be migrated between servers in the same resource pool. Because virtual disks
on NFS storage repositories are created as sparse, you must ensure that there is enough disk space on the
storage repository for all required virtual disks to grow as they are used.
Software iSCSI storage repository uses a shared Logical Volume Manager on a SAN attached LUN over
iSCSI. iSCSI is supported using the open-iSCSI software iSCSI initiator or by using a supported iSCSI
Host Bus Adapter (HBA).
Hardware HBA storage repository connects to Fibre Channel (FC), Fibre Channel over Ethernet (FCoE),
or shared Serial Attached SCSI (SAS) LUNs via an HBA. Prior to configuring a Hardware HBA storage
repository, you need to expose the LUN because the wizard will automatically probe for and display a list
of all available LUNs found.
StorageLink storage repository uses an existing Network Appliance (NetApp), Dell EqualLogic storage
infrastructure, or Citrix StorageLink Gateway (CSLG) to access a range of different storage systems.
fo
Type a name for the new storage repository in the Name field.
Type a description or allow XenCenter to automatically generate the description for the storage repository and then click
Next.
or
7.
Use the default name provided.
al
6.
es
rr
Dynamic multipathing support is available for Software iSCSI and Hardware HBA storage repositories. By
default, multipathing uses round-robin mode load balancing, so traffic will be active on both routes
during normal operation. You can enable and disable storage multipathing in XenCenter using the
Multipathing tab in the Properties of the server.
8.
st
di
Click Next to allow XenCenter to automatically generate the description.
rib
Type the location of the share in the Share Name field or click Scan if you would like to re-attach an existing storage
repository.
Type WIN-V06KOCR56GO:/NFS_Share in the Share name field and then press Enter.
Determine if any advanced options should be applied to the storage repository.
io
Do not specify any advanced options and then proceed to the next step.
ut
9.
The advanced options available are based on the type of virtual disk storage selected.
10. Determine if a new storage repository will be created or an existing storage repository will be reattached and then click
Finish.
Verify that Create a new SR is selected and then click Finish.
11. Verify that the new storage repository is listed in the left pane of the XenCenter window.
Verify that NFS virtual disk storage is listed.
12. Close the XenCenter window.
56
Discussion Question
With which types of storage can you use a High Availability (HA) solution? The following is a list of different storage options
and their benefits:
Applying Updates and Hotfixes

To ensure optimal performance, stability and security, you should keep your operating systems, applications, and Citrix
components up to date. It is important to remember that all updates and hotfixes must be tested in a test environment prior
to rolling them out to a production environment. Once you decide to roll updates out to the production environment, ensure
that you apply them consistently across the components in the environment.
Updates come in many forms: service packs, hotfix rollup packs, security fixes, and general public hotfixes. Read the release
notes for the update to determine the criticality of the update and the applicability of the update to your environment to
determine whether or not to install it.
When applying an update to XenServer, you should:
ot
Log on as a user with full access permissions.

Update all hosts in a pool within a short period of time. Begin with the pool master. Running a pool with mixed versions
of XenServer hosts is not supported.
XenCenter will restart each host automatically before applying the update file, so move all VMs off of the host before
beginning the update. You can do this manually using the command line interface (CLI), or you can use the hostevacuate command. If you are using the CLI to apply the updates, you will have to restart the hosts manually before the
update.
Empty the CD/DVD drives of any virtual machine which will be suspended.
Disable high availability for the resource pool. Be careful if the pool master is offline.
fo
es
rr
al
To Upload and Apply a XenServer Hotfix
or
XenServer is pre-configured in the lab environment. To experience applying a hotfix to XenServer, we have
provided an Applying an Update exercise below. Click the following link and use the steps in this course to
Applying an Update Exercise
st
di
Follow these steps to open the Applying an Update exercise in the Student Resource Kit:
rib
1.


io
a.
b.
3.
4.
ut
2.
Click Tools > Check for Updates in the XenCenter menu bar.
Select the required update from the list and then click Download & Install to start the download process and perform
pre-checks on the servers.
Select XS61E017 and then click Download & Install.
5.
6.
Click Next to continue once all pre-checks have been resolved.

Determine if post-update tasks should be performed automatically or manually and then click Install update.
Verify Automatically perform post-update tasks after the update has been applied is selected and then click Install
update.
7.
8.
Click Finish when the update process is completed.

Click Close to close the Check for Updates window.
57
Updates that are applied to a XenServer host can be viewed in the General tab of the host. If you opted to
manually perform the post-update tasks, you should complete those tasks at this time.
9.

Discussion Question
What is the difference between a hotfix, a rollup/service pack, and a feature pack?
Creating Templates
A virtual machine (VM) is a software container that runs on a host and behaves as if it were a physical computer itself. VMs
consist of a guest operating system, CPU, memory (RAM), networking resources, and software applications. All of the
information about the virtual machine is stored in an image file. After the VM is created, an operating system and
applications can be installed on the virtual machine as if it were a physical computer.
ot
A template is a virtual machine encapsulated into a base image file and makes it possible to rapidly create new VMs. In
XenServer, once a VM is converted to a template, it cannot be reverted. This limitation does not apply to Hyper-V or
vSphere.
fo
The template creation process allows you to pre-create a library of base images from which new virtual machines can be
created very quickly without reinstalling the operating system or other applications. Templates can be created at any time.
When templates are used to create VMs, the VMs have increased consistency and reliability across the environment.
es
Create a virtual machine.

Install the operating system.
Install updates and fixes.
Install the hypervisor tools.
Run Sysprep on VM running a Windows operating system.
Convert to template.
al
or
st
di
1.
2.
3.
4.
5.
6.
rr
Steps required to create a template include:
io
ut
rib
Your virtual machines are hosted using Citrix XenServer. Each virtual machine is an independent system running
a guest operating system. Citrix XenCenter allows you to connect to the XenServer environment and administer
your VMs. Once you are connected to your XenServer system, you will notice a list of VMs in the left pane of
XenCenter. Selecting a VM will allow you to monitor and administer it. The Console tab allows you to see the
desktop of the VM. You can manipulate the console window to suit your preference. Useful functions for
XenCenter console screens are listed in the following table.
Control
Function
Send Ctrl+Alt+Del
Sends the Ctrl+Alt+Del sequence to the VM to access the

Windows Security screen.
Alt+Shift+U
Undock or redock (separate or join console screen).
Ctrl+Alt
Toggle full-screen mode.
Scale
Scale the VM windows to fit inside the console window.
DVD Drive
Select an ISO image to insert into the DVD drive for the
selected VM.
Switch to Remote Desktop/Switch to Default Desktop
Toggle between VNC connection and RDP connection.

Using RDP to connect can improve the performance of the
user interface.
58
Holding the Shift key will only capitalize the initial letter in a string of letters typed into a virtual machine. To
capitalize multiple letters in succession, use the Caps Lock key.
Discussion Question
Why do you need to Sysprep a VM before converting it into a template? And, why do you need to shut down the VM before
you convert the VM into a template?
Discussion Question
The hypervisor is often bundled with built-in templates. What is unique about these built-in templates?
Is it possible to create a template from a running virtual machine in XenServer?
Installing Windows Server 2012 R2
ot
A VM cannot start up without first installing an operating system on a virtual disk associated with the VM. The easiest way
to install the operating system on a VM is to attach a bootable ISO and start up the VM from that ISO.
fo
To Install the Operating System on a VM in XenServer
rr
1.
Open XenCenter.
al
es
A virtual machine in the lab environment is pre-configured with a new install of Windows 2012 R2. The following
steps were used to create the WinServer2012R2_template VM and can be used as reference.
Double-click Citrix XenCenter on the desktop, if XenCenter is not already open.

Select the virtual machine in XenCenter onto which the operating system will be installed.
st
di
Click the WinServer2012R2_template VM.

3.
or
2.
Click the Console tab.
Select the desired language, time and currency format, and keyboard or input method, and then click Next.
io
4.
ut
rib
If the VM fails to start, verify that the correct ISO is loaded in the DVD Drive 1 field. If the ISO image is nonbootable, the VM will not start. To correct this issue, select the correct ISO image and then click within the
Console page to start the VM.
Verify that:
a. English (United States) is selected in the Language to install field.
b. English (United States) is selected in the Time and currency format field.
c. US is selected in the Keyboard or input method field.
d. Click Next.
5.
6.
Click Install now.

Select the desired operating system and then click Next.
Select Windows Server 2012 R2 Standard (Server with a GUI) and then click Next.
Ensure you select the Server with GUI and not the Server Core Installation option. XenApp and XenDesktop
does not support the Server Core version.
59
7.
Read and respond to the license agreement.

Select I accept the license terms and then click Next.
8.
Determine the type of installation to perform.

Select Custom: Install Windows only (advanced).
9.
Select the drive on which to install Windows and then click Next.
Verify Drive 0 Unallocated Space is selected and then click Next.
It will take approximately 15 minutes to install the operating system.
10. Set the local administrator password and then click Finish.
Type Password1 in both the Password and Reenter password fields and then click Finish.
The user name is set to Administrator and cannot be changed at this point because this is the log on for the
local administrator.
ot
N
fo
11. Click Eject to the right of the DVD Drive 1 field to unload the Windows Server 2012 R2 ISO file.
12. Log on as the local administrator.
Click Send Ctrl+Alt+Del (Ctrl+Alt+Insert), type Password1 in the Password field, and then press Enter.
rr
13. Verify that the time is correct.
al
es
The Server Manager dashboard is launched automatically. This dashboard provides access to many of the
setup and administrative tasks in Windows Server 2012 R2. You will be making extensive use of the Server
Manager in future exercises.
or
Do not change the date and time setting before adjusting the time zone, because the time will need to be
adjusted again to match the new time zone.
st
di
Click the time in the lower-right corner of the window and then click Change date and time settings.
Click Change time zone, select the correct time zone, and then click OK.
Click Change date and time, change the time, and then click OK.
Click OK.
Discussion Question
io
ut
rib
a.
b.
c.
d.
Windows Server 2012 R2 (64-bit) requires a minimum of 32 GB of hard disk space and 2048 MB of RAM. What will be the
effect on performance if you increase the amount of RAM and why?
Installing Hypervisor Tools

Hypervisor tools provide high performance drivers that significantly improve disk and network performance for XenServer
and vSphere VMs. Without these tools, you have limited lifecycle operations (start, stop, suspend) in the hypervisor and
limited performance monitoring.
You can find out if XenServer Tools are installed on a VM by looking at the Virtualization state field on the General tab for
the VM. Valid states include:
60
Optimized(version x installed) - the most up-to-date version of XenServer Tools is installed.

XenServer tools not installed - XenServer Tools are not currently installed on the VM. You can click the status field to
install the latest version from the XenServer Tools ISO.
Tools out of date (version x installed) - the VM has a version of XenServer Tools installed from an earlier XenServer
release.
To Install Hypervisor Tools on a VM in XenServer

1.
Open XenCenter.
2.
Select the virtual machine in XenCenter onto which XenServer Tools will be installed.
3.
Log on to the VM.

Log on to the VM using the Administrator and Password1 credentials, if not already logged on.
4.
Insert the XenServer Tools ISO in the DVD drive.

Select xs-tools.iso in the DVD Drive 1 field.
Click the File Explorer (folder icon) on the taskbar.
Double-click CD Drive (D:) XenServer Tools.
Click Next on the welcome screen of the XenServer Tools Wizard.
ot
5.
6.
7.
8.
fo
Select I accept the terms in the License Agreement and then click Next.
rr
9.
Specify where the XenServer Tools should be installed and then click Next.
es
Click Next to accept the default destination folder location.
or
Click Restart Now.
al
10. Click Install and then click Install Tools.

11. Determine if the VM should be restarted now.
st
di
The XenServer Tools are not installed until the VM is restarted.
rib
12. Log on to the VM with the local administrator credentials.
io
13. Click Eject to remove the XenServer Tools media from DVD Drive 1.
ut
Click Send Ctrl+Alt+Del, type Password1 in the Password field, and then press Enter.
In this lab environment there is only one XenServer, so leaving the ISO media in DVD Drive 1 would not
cause any issues. In a pooled environment, leaving an ISO image in a drive that is located on local storage
would prevent that VM from running on any other server in the pool. Ejecting the ISO makes the VM agile
once again.
14. Click Done to exit the installer.
15. Apply the recommended Microsoft updates to the operating system.
Discussion Question
Why is it necessary to install the hypervisor tools on a new virtual machine?
Installing the .NET Framework 3.5 Features on Server 2012 R2

Many components in our lab environment require .NET Framework 3.5 to function correctly. By installing .NET Framework
on the VM before converting the VM to a template, you can avoid installing it separately, when needed.
61
Discussion Question
Many applications require the installation of a .NET Framework version. What does .NET Framework do?
Running Sysprep on the Virtual Machine

The System Preparation, or Sysprep tool is used to change Windows VMs to a generalized state. When you use the Sysprep
tool to generalize an image, Sysprep removes all system-specific information and resets the operating system. The next time
the VM starts, you can add user-specific information through the Out-Of-Box Experience (OOBE). You can run Sysprep as
either a command-line tool or a graphical user interface (GUI) tool. Sysprep removes any SID-related settings and allows you
to rename the VM so it is not seen as a clone, but as a new entity.
To Run Sysprep on the VM in XenServer

1.
Open XenCenter.
2.
Select the virtual machine in XenCenter on which Sysprep will be run.

Log on to the VM.
ot
3.
fo
Log on to the VM using the Administrator and Password1 credentials, if not already logged on.
rr
Click the File Explorer icon on the taskbar and then click This PC.
Browse to the C:\Windows\System32\Sysprep directory.
Double-click the Sysprep application to open the System Preparation Tool.
Verify that Enter System Out-of Box Experience (OOBE) is selected for the System Cleanup Action.
al
es
4.
5.
6.
7.
or
The System Cleanup options are OOBE and Audit mode. OOBE enables end users to customize their
Windows operating system, create user accounts, select a computer name, and other tasks. Audit mode enables
you to add additional drivers or applications to Windows. You can also test an installation of Windows before
you send the installation to an end user.
st
di
8.
Select Generalize.
Select Shutdown in the Shutdown Options field.
io
9.
ut
rib
Generalize prepares the Windows installation to be imaged. Sysprep removes all unique system information
from the Windows installation and resets the security ID (SID), clears any system restore points, and deletes
Event Logs.
Shutdown Options include Quit, Reboot, and Shutdown. Quit closes the Sysprep tool without displaying onscreen confirmation messages. This option can be used if you automate the Sysprep tool. Reboot restarts the
VM and is used to audit the VM and verify that the first-run experience operates correctly. Shutdown shuts
down the VM after Sysprep finishes running.
10. Click OK.
A window will appear indicating that Sysprep is working and then it shuts down the VM when Sysprep is
completed. Sysprep will add a new SID to the VM when the VM is restarted. Do not restart the VM at this
time.
Discussion Question
What should you take into account when specifying the amount of memory to assign to a VM or VM template?
62
Creating the Template

A VM template contains preconfigured hardware and software settings. A VM template can be used to create new VMs with
the same settings quickly and easily. Once a VM is converted to a template, it cannot be reverted back to a VM.
To Create a Template in XenServer

1.
Open XenCenter.
2.
Select the virtual machine in XenCenter on which Sysprep was run.

Do not start the VM. Starting the VM will undo Sysprep and you will need to rerun Sysprep before you
convert the VM to a template.
3.
Right-click the VM that you want to make a template and then click Convert to Template.
Right-click the WinServer2012R2_template VM and then click Convert to Template.
ot
4.
Click Convert to begin the process.
fo
al
Discussion Question
es
rr
When conversion is complete, the VM disappears from the Resources pane and reappears as a new custom
template at the bottom of the pane. The new custom template can now be used to create new VMs in the
same way as any other template.
Which virtual machines can be used to create additional virtual machines?
or
st
di
Troubleshooting Hypervisor Setup Issues

The following table provides resolutions for hypervisor setup issues.
rib
Resolution
VMs can communicate with each other but not with the
hypervisor.
The VMs have private or cross-private networks. Attach

a network to the VM that can communicate with the
hypervisor.
The DHCP service is offline and the VMs are configured
for DHCP. Turn the DHCP service on.
io
The management console does not connect to the host.
ut
Issue
Use ping to test the connectivity between the XenCenter

computer and the XenServer host. If the ping fails,
correct the network settings.
Ensure that:
The host name or IP address of the XenServer host
is correctly specified.
The administrator credentials for the XenServer host
are correctly specified.
The option to install XenServer Tools on a virtual machine is XenServer Tools are already installed on the virtual machine.
unavailable.
63
Issue
Resolution
You receive a fatal error message when attempting to run the The VM is corrupted. This error message is designed to
Sysprep tool.
prevent the deployment of a corrupted VM. You cannot
correct the problem within the VM, you must recreate the
VM.
Reinforcement Exercise: Creating a Windows 7 Template

During this exercise, you will not be given step-by-step instructions for performing the task. Instead, you must use
what you have learned to complete it. This exercise is designed to take your newly acquired knowledge and
discover if you can perform a task you have never done before. You are encouraged to try things out. If you have
a question or need help, ask the instructor or a fellow student for assistance.
In this module, you learned how to:
Install XenServer.
Install and configure the XenCenter management console.
Configure XenServer.
Create a virtual machine template.
ot
Now you are ready to see if you can apply what you have learned.
Use the existing Windows 7 (32-bit) VM called Win7_template to create a new Windows 7 32-bit template.
Install the hypervisor tools on the virtual machine.
Make sure to set the time on the VM to the current date and time.
al
es
1.
2.
3.
rr
To complete this exercise, you must:
fo
Approximate time to complete: 20 minutes
If the time is not set properly, this may create future lab problems for any VMs created from this template.
XenServer stores a time offset for each VM, so the incorrect time will persist.
or
Run Sysprep.
Convert the virtual machine into a template named Win7_template so it can be used to build additional virtual
machines.
st
di
4.
5.
rib
It is not necessary to install .NET 3.5 Framework on this template.
io
ut
64
Module 3
Setting Up the Infrastructure

Components
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
66
Setting Up the Infrastructure Components

Overview
The infrastructure on which Citrix components will be installed plays a key role in the success of a XenApp and XenDesktop
implementation. At a minimum, the infrastructure components required are:
Domain Controller
Domain Name Services (DNS) server
Dynamic Host Configuration Protocol (DHCP) server
Certificate Authority (CA)
File Server
SQL Server
You may need to install and configure additional components to support your specific organizational needs.
Set up and configure a domain controller and DNS.
Configure a Dynamic Host Configuration Protocol (DHCP) server.
Configure a private Certificate Authority server.
Set up and configure a file server.
Set up and configure SQL Server mirroring.
ot
fo
es
rr
al
During this module, you will be performing procedures in XenCenter. You will be instructed when to start VMs.
At the beginning of this module, the VMs should be in the following state:
All other VMs = Off
or
st
di
Setting Up the Domain Controller
rib
At least one domain controller must exist in an environment before XenApp and XenDesktop can be configured. Domain
controllers are used to store and manage settings that enforce authentication, authorization, auditing, and accounting. All
infrastructure servers should be joined to a domain.
io
ut
A server running Active Directory functions as a domain controller and relies on a properly configured DNS. With DNS
installed, the domain controller provides both domain name resolution services as well as directory services.
Module 3: Setting Up the Infrastructure Components
67
A domain controller should be a dedicated server. Do not install any XenApp and XenDesktop component or SQL
Server on a domain controller.
Active Directory Domain Services

Administrators can use Active Directory Domain Services (AD DS) to organize elements of a network such as end users,
computers, and other devices into a hierarchical containment structure. This structure includes: the Active Directory forest,
domains in the forest, and organizational units (OUs) in each domain. When you want to create a new forest, domain, or
additional domain controller in an existing domain, install AD DS on the server.
The AD DS role should be added before any XenApp and XenDesktop components are installed in the environment. As part
of the AD DS role installation, you should configure DNS. DNS is a service that translates domain names into IP addresses in
an environment.
Once the AD DS role is installed, the name of the server should not be changed. Doing so could be problematic
and could impact the performance of the domain controller for up to 24 hours.
ot
You should install and configure multiple domain controllers in a XenApp and XenDesktop environment. When multiple
domain controllers exist, they synchronize their information and provide high availability to optimize Active Directory
functionality.
fo
Discussion Question
rr
XenApp and XenDesktop can be used with domain controllers running which versions of Windows Server?
es
Why should you use Active Directory Domain Services with XenApp and XenDesktop?
al
Troubleshooting AD DS Installation Issues
or
The following table identifies common AD DS installation issues and resolutions.
st
di
Resolution
After installing the domain controller VM, you do not see

the Promote this server to domain controller link in Server
Manager.
There may be critical alerts that need to be attended to

before the link appears. Click the red flag in Server Manager
to view the alerts and get additional information.
The installation of roles and features fails.
ut
rib
Issue
io
Click the red flag in the Server Manager window to view

messages. Reinstall the roles and features again using
Server Manager after all critical alerts have been
addressed.
Ensure that all the required source files are on the server.
You cannot add servers to the domain.
The installation of the AD role has not completed.

The administrator account being used to add the servers
to the domain does not have domain administrator
rights.
Creating Organizational Units

Organizational units are Active Directory containers into which you can organize end user accounts, groups, computers, and
other organizational units. An organizational unit cannot contain objects from other domains. OUs are the smallest unit to
which you can assign Group Policy settings. All required OUs have been pre-created in our lab environment.
68
ot
N
fo
This graphic shows the organizational units configured for use in the lab environment.
es
rr
A well-designed organizational unit structure (OU) is an important piece for a XenApp and XenDesktop environment.
al
To Create Organizational Units for a XenApp and XenDesktop

Implementation
or
This procedure is for informational purposes only. All organizational units required in the lab environment have
been pre-created. You do not need to perform this procedure in class.
st
di
1.
2.
rib
Log on to the domain controller with the domain administrator credentials.

Click Tools in the upper-right corner of the Server Manager window and then click Active Directory Users and
Computers.
4.
5.
Right-click the domain and then click New > Organizational Unit to create the organizational units for the
infrastructure servers and virtual desktops in the environment.
Type a name for the organizational unit in the name field and then click OK.
Close Active Directory Users and Computers after all OUs have been created.
3.
io
ut
If the Server Manager does not appear, move the mouse pointer to the lower-left corner of the taskbar and
then click the Server Manager icon that resembles a server tower and toolbox.
Discussion Question
What are some benefits of using OUs?
Adding Users and Groups

A group is a collection of end user and computer accounts, contacts and other groups that can be managed as a single unit.
End user accounts and computers that belong to a particular group are referred to as group members. Once end user
accounts and groups are created in Active Directory, they can be granted or denied access to services, desktops, and
applications. When assigning permissions to resources, assign them to groups rather than individual end-user accounts. If you
69
assign permissions to groups, assignments are updated automatically when you add or remove end-user accounts from the
group. When permissions are assigned to groups, enumeration is more efficient than when they are assigned to individual
end-user accounts and objects.
To Create End-User Accounts and Groups

Many of the end-user accounts required in the lab environment have been pre-created. You will use the following
procedure to create two new accounts for administrators at Training.
1.
Log on to the first domain controller using local administrator credentials.

Log on to DomainController-1 using the TRAINING\Administrator and Password1 credentials.
2.
Click Tools in the upper-right corner of the Server Manager window and then click Active Directory Users and
Computers.
If the Server Manager does not appear, move the mouse pointer to the lower-left corner of the taskbar and
then select the Server Manager icon.
3.
Browse to the OU containing your domain users.
ot
Double-click Training.lab > Training Users and then double-click IT.
fo
4.
Right-click the OU and then click New > User to create a new end-user account.
es
rr
Right-click the IT OU and then click New > User.
5.
al
You can right-click an OU and then click New > Group to add new groups. This isn't necessary in our lab
environment, because all required groups have been pre-created. The pre-created groups are: Accounting,
Contractors, Human Resources, and IT.
Specify the details for the user account in the New Object - User window and then click Next.
or
Type Admin1 in the First Name field and in the User Logon name field and then click Next.
Type the password for the new user account in the Password and Confirm password fields.
st
di
6.
Type Password1 in both the Password and Confirm password fields.
Select the desired password behaviors, click Next, and then click Finish.
rib
7.
ut
Deselect User must change password at next logon, select Password never expires, click Next and then click Finish.
io
In most cases, you should not select Password never expires. Additionally, if you create an account for an end
user, it is recommended to leave the User must change password at next logon option selected. This allows the
account password to be known only by the end user and not by IT.
8.
Right-click the newly created end-user account and then click Add to a group.
Right-click Admin1 in the IT OU and then select Add to a group.
9.
Type the name of the group to which this end user will be a member in the Enter the object names to select field.
Type Domain Admins in the Enter the object names to select field.
10. Click Check Names and then click OK twice.

You can add multiple groups at the same time by using a semicolon to separate each group name.
11. Right-click the newly added end user account and then click Copy to use it as a template to create a new account.
70
Right-click Admin1 and then click Copy.
12. Specify the details that are different for the new user account in the New Object - User window and then click Next.
Type Admin2 in the First Name field and in the User Logon name field and then click Next.
13. Type a password for the new account in the Password and Confirm password fields and then click Next.
Type Password1 in both the Password and Confirm password fields and then click Next.
The desired password behavior is already configured to match the account from which the copy was made.
14. Click Finish.

15. Double-click the group to which the newly created accounts were added.
Click Users and then double-click Domain Admins.
16. Select the Members tab and verify that the accounts were added to the group.
ot
Select the Members tab and verify that the Admin1 and Admin2 accounts are present.
fo
These new administrator accounts now have the same domain administrator rights as the
TRAININGAdministrator account.
rr
Discussion Question
al
es
17. Click Cancel to close the properties window.

18. Click the X in the corner of the Active Directory Users and Computers window to close the window.
or
st
di
When providing end users with access to resources, why is it better to specify groups rather than individual end-user
accounts?
rib
Configuring Policies Using Group Policy
io
ut
Policies can be set and applied using the Microsoft Group Policy Management Console. Group Policy Objects (GPOs) are
created to hold policies and settings which will be applied to end users or computers. The GPOs are then linked to either the
domain, organizational unit (OU) or site.
You should use GPOs linked to the domain mainly for policies that must be applied to all end users and
computers in order to comply with corporate security policies, industry-specific best practices, or general security
best practices.
71
ot
N
fo
The majority of GPOs will be linked to OUs rather than directly to the domain. The policy then will apply only to the end
users or computers within that OU or any child OUs. Policies are inherited from the parent of an object. All OUs, by default,
inherit GPOs linked to the domain as the domain is the parent of all OUs.
rr
es
GPOs are the most efficient and consistent method of controlling connection, security, and bandwidth settings. You can
create them for specific groups of end users, devices, or connection types. Each GPO can contain multiple settings.
al
Citrix HDX policies can be managed through both Group Policy Objects in Microsoft Windows or within the Citrix Studio
console in XenApp and XenDesktop. The console or tool you use depends on whether you have the appropriate permissions
to manage GPOs, where policies will be stored, and how policies will be maintained. Using Group Policy Objects is usually
preferred over creating policies in Citrix Studio when it is organizationally possible to do so.
or
1.
st
di
To Configure Policies Using Group Policy
Log on to the first domain controller using domain administrator credentials.
rib

Click Tools in the Server Manager and then click Group Policy Management.
io
ut
2.
You can use a non-administrative account that has Group Policy edit permissions or use Run as administrator
to give you higher-level permissions when creating policies. In this lab, you will use a domain administrator
account to create the group policies.
3.
Browse to the Domain and create a policy to configure the Account Lockout settings.
Browse to Forest: Training.lab > Domains > Training.lab.
4.
Right-click the domain and then click Create a GPO in this domain, and Link it here.
Right-click the Training.lab domain and then click Create a GPO in this domain, and Link it here.
5.
Name the policy and then click OK.

Type Account Lockout in the Name field and then click OK.
6.
Right-click the new policy and then click Edit.

Click the Linked Group Policy Objects tab, right-click the Account Lockout policy and then click Edit.
7.
72
Double-click Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies >
Account Lockout Policy.
8.
Configure the Account Lockout setting.

a.
b.
c.
d.
e.
Double-click Account lockout threshold.

Select Define this policy setting.
Type 3 in the invalid logon attempts field.
Click OK.
Click OK in the Suggested Value Changes window to accept the suggest lockout duration of 30 minutes.
9. Close the Group Policy Management Editor.

10. Browse to the OU containing your virtual desktops.
Double-click Forest: Training.lab > Domains > Training.lab > Training Virtual Desktops.
In many cases it is preferable to link a GPO to a specific OU rather than to the entire domain. For example, if
there is a setting that you want to apply to all infrastructure servers, you could apply the policy to the OU that
contains only the infrastructure servers.
11. Right-click the OU for the virtual desktops and then click Create a GPO in this domain, and Link it here.
Right-click Training Virtual Desktops and then click Create a GPO in this domain, and Link it here.
ot
12. Type a name for the policy in the Name field and then click OK.
Type Enable User Group Policy Loopback Processing in the Name field and then click OK.
fo
13. Right-click the new policy and then click Edit.
rr
Right-click the Enable User Group Policy Loopback Processing policy and then click Edit.
al
es
14. Click Computer Configuration> Policies > Administrative Templates > System > Group Policy.
15. Double-click Configure user Group Policy loopback processing mode.
To reorder the Group Policy settings so that they appear in alphabetical order, click the Setting heading in the
right pane.
or
st
di
16. Select Enabled and then select Merge in the Mode field.
17. Click OK.

19. Close the Group Policy Management Console.
io
ut
rib
This setting will be needed by other GPOs you will create, such as the one for folder redirection. GPOs, by
default, only apply to end users or computers in the OU they are linked to or child OUs. User Group Policy
Loopback Processing is a way to link GPOs with user settings to an OU containing computer objects and have
the settings apply to end users who log on to those computers. It will only be applied to the end users when
they log on to computers in that OU. This is different than having a GPO with end user settings linked to the
OU containing the end user object because in that scenario, the policy would be applied to the end user
regardless of which computer is being logged on to.
To ensure that the policy is applied to a specific computer or end user, you can run the gpupdate /force
command from a command prompt on that computer.
Discussion Question
By default, how often does Active Directory refresh Group Policies for computers and end users?
73
Securing Service Accounts

A service account is a machine account used by a server, service, or program. Once a service account is created, it should be
secured to prevent service outages caused by security policies being applied to a service account inappropriately and from
creating a larger attack surface for your network. Your organization can set a password change policy for service accounts, but
procedures should be put in place to change passwords in a way that does not cause service outages.
To Secure a Service Account

This procedure is for informational purposes only. The Service Accounts - Deny logon locally policy is preconfigured in the lab environment. The follow steps were used to create the policy and can be used as reference.
You do not need to perform this procedure in class.
1.
Log on to a domain controller using domain administrator credentials.

2.
3.
Click Tools in Server Manager and then click Active Directory Users and Computers.
Browse to the domain name in the left pane.
4.
ot
Click Training.lab in the left pane.

Create a group to which all service accounts will be added and then click OK.
es
rr
5.
Browse to the Training Service Accounts OU.

Verify that the Service Accounts group exists.
Close the Active Directory Users and Computers window.
fo
a.
b.
c.
Click Tools in the top-right corner of the Server Manager window and then click Group Policy Management.
al
The Service Accounts - Deny Logon Locally policy has been created. that disallows the right to log on locally
using any account that is a member of the service accounts group has been .
or
6.
Right-click the domain name and then click Create a GPO in this domain, and Link it here.
7.
Name the newly created policy and then click OK.
st
di
Right-click Training.lab and then click Create a GPO in this domain, and Link it here.
rib
Type Service Accounts - Deny logon locally as the name and then click OK.
Right-click the newly created policy and then click Edit.
Double-click Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User
Rights Assignment.
10. Double-click Deny log on locally and then click Define these policy settings.
11. Click Add User or Group and then click Browse.
12. Type the name of the group that contains the service accounts and then click Check Names.
9.
io
Right-click Service Accounts - Deny logon locally and then click Edit.
ut
8.
Type Service Accounts in the Enter the object names to select field and then click Check Names.
13. Click OK three times.
14. Close the Group Policy Management Editor and Group Policy Management Console.
Discussion Question
John configured a GPO to "Allow log on locally" and then applied it to the Everyone group. Kelly configured a GPO to "Deny
log on locally" and then set it for the Service Accounts group. What effect will these group policies have on the Everyone and
Service Accounts groups?
74
Setting Up the Dynamic Host Configuration Protocol

All devices in the XenApp and XenDesktop environment require an IP address in order to communicate with other resources
in the environment. You can manually configure each device with an IP address, but the task quickly becomes unmanageable
as devices enter and leave the environment. To facilitate the distribution of IP addresses to new devices in the environment
and to reclaim IP addresses from devices no longer in the environment, you can configure the Dynamic Host Configuration
Protocol (DHCP).
DHCP automatically provides a unique IP address to each device in the network from a pool of IP addresses. Each IP address
distributed by DHCP is leased for a period of time to that device. When the lease period expires, the IP address is
automatically returned to the pool. In our lab environment, you are assigning all infrastructure components a static IP
address. DHCP will be used to provide internal endpoints and virtual desktops with IP addresses.
Installing and Configuring the DHCP Role

DHCP can be implemented as a Linux appliance or added as a role on a Windows server. With the exception of the DNS
role, domain controllers should not host other roles. After the DHCP service is installed, configurations can include setting up
one or more scopes and a scope or server options. The range of IP addresses that are available to be leased is called a scope.
One scope should be set up for each subnet in the environment.
ot
In our lab environment, the DHCP role is pre-configured on the domain controller to accommodate lab
environment constraints.
fo
rr
Troubleshooting DHCP Installation Issues
Issue
All end users are experiencing slow start times.
Resolution
Check the DNS entries for errors.
or
IP address conflicts appear.
al
es
The following table identifies DHCP installation issues and resolutions.
st
di
Determine if a statically assigned IP address is not properly

excluded from the scope or if someone has statically assigned
an IP address that has already been assigned to another
server.
ut
rib
Setting Up A Certificate Authority

You should use a:
io
You can use certificates from a public or private Certificate Authority (CA) to secure the communications in your XenApp
and XenDesktop deployment.
Public Certificate Authority:
When communications need to be secured between the internal network and an external network, a public certificate
must be requested and purchased from a public CA such as VeriSign. An external or public certificate should be acquired
before remote access to the environment is configured. When a public certificate is used, the following occurs:
The public CA issues the certificate.

The certificate is installed on an externally-accessible service or Web server.
The certificate is used by the externally-accessible service or Web server to secure its communications.
The client makes sure the certificate is authentic by verifying it was legitimately issued by a CA it trusts.
Private Certificate Authority:
When communications need to be secured within the internal network, a private CA can be implemented by installing
the Certificate Authority role on a server in the environment.
75
Installing the Certificate Services Role

Installing the Active Directory Certificate Services role allows you to add the Certification Authority and the Certification
Authority Web Enrollment features that are part of your public key infrastructure (PKI) and bind the public key with the user
identity for the digital certificate.
To Install the Certificate Authority

1.
Log on to the server that will host the Certificate Authority using your domain administrator credentials.
2.
3.
4.
5.
6.
Click Add roles and features in the Server Manager.

Click Server Selection and then click Server Roles in the left pane.
Select Active Directory Certificate Services.
Click Add Features and then click Next.
Select the desired features on the Select features page and then click Next.
Click Next to accept the defaults.
Click Next on the Active Directory Certificate Services page.

Verify that Certification Authority is selected and then select Certification Authority Web Enrollment.
Click Add Features and then click Next.
Click Next on the Web Server Role (IIS) page.
Select the role services to install and then click Next.
ot
fo
rr
7.
8.
9.
10.
11.
12. Click Install to begin the installation of the role.
This installation may take several minutes.
al
es
Click Next to install the default role services.
or
st
di
13. Click Close when the installation completes.

14. Click the yellow warning icon at the top of the Server Manager.
15. Click Configure Active Directory Certificate Services on the destination server.
rib
The AD CS Configuration wizard may launch behind the Server Manager window.
io
ut
16. Verify that the correct domain administrator account name appears in the Credentials field and then click Next.
Verify that TRAINING\Administrator appears and then click Next.
17. Select Certification Authority and Certification Authority Web Enrollment and then click Next.
18. Select the setup type and then click Next.
Select Enterprise CA as the setup type and then click Next.
19. Select the certificate type and then click Next.
Select Root CA and then click Next.
20. Specify whether to use an existing private key or to create a new one and then click Next.
Select Create a new private key and then click Next.
21. Select the hash algorithm to use for signing certificates and the key length and then click Next.
Verify SHA1 is selected for the hash algorithm and 2048 is entered for the key length and then click Next.
76
22. Specify a name for the Certificate Authority and then click Next.
Use the default value for the CA name and then click Next.
23. Specify the validity period for the certificates and then click Next.
Accept the default expiration period and then click Next.
24. Specify a location for the certificate database and then click Next.
Accept the default database location and then click Next.
25. Review the CA settings and then click Configure on the Confirmation screen.
26. Click Close when the configuration is completed.
Discussion Question
What two components are required for SSL encryption?
How does the client determine whether to trust the server certificate?
ot
Which kind of certificate would need to be installed to allow for communication between an internal endpoint and
StoreFront?
fo
Setting Up the File Server
es
rr
A file server provides a central location on your network where you can store your end-users' intellectual property. Shares can
be created to allow end users to share files with other end users across your network. When end users require an important
file such as a project plan, they can access the file stored on the file server from a XenApp and XenDesktop resource.
al
Creating a Computer Account for a New VM
or
Every component in an implementation should have an account created in Active Directory. This account can be created
before the component is created or after. Creating the account prior to creating the component eliminates the need to go back
and move the component into the proper OU later.
st
di
To Create a Computer Account
rib
3.
4.
5.
Log on to the domain controller with domain administrator credentials.

Click Tools in the upper-right corner of the Server Manager window and then select Active Directory Users and
Computers to create a computer account for the server in the proper OU in Active Directory.
Expand the domain and browse to the OU that will host the server.
Right-click the OU and then select New > Computer.
Type a name for the server in the Computer name field and then click OK.
1.
2.
io
ut
The computer account for the file server has already been created in the lab environment. These steps are
provided for informational purposes only. You do not need to complete this procedure in the lab environment.
Doing this before you create the server VM will prevent you from having to go back to the domain controller
after joining the server to the domain in order to move the computer account into the proper OU.
Creating the VM
In order to virtualize a server or a desktop, a VM must be created that identifies the number of virtual CPUs, amount of
memory, network interface cards (NICs), and hard drive space allocated to it. In addition, an operating system must be
installed on the VM, network settings must be configured, and the VM must be joined to the domain.
77
If a built-in template is used to create the VM, then you must install an operating system on the VM before it can be used. If
a custom template is used, then the operating system may already be installed on the VM during the custom template
creation process.
The following procedure assumes that a custom template was used. The steps for creating a VM are the same regardless of the
purpose of the VM. However, the steps can vary based on the operating system installed on the VM. The following procedure
can be used to create additional VMs for the environment.
To Create a VM Using a Custom Template

The file server VM has already been created in the lab environment to save time. These steps are provided for
informational purposes only. You do not need to complete this procedure in the lab environment.
1.
2.
3.
Right-click a custom template containing the desired operating system in XenCenter and then select New VM wizard.
Verify that the appropriate template is selected and then click Next.
Provide a name for the virtual machine and then click Next.
This name will appear in XenCenter. Use a name that helps you identify its purpose.
ot
N
Set the DVD drive selection to <empty> and then click Next.
Determine if the VM will be assigned to a home server and then click Next.
Specify the number of vCPUs and memory to allocate and then click Next.
Configure the storage settings and then click Next.
Configure the network settings and then click Next.
Verify that Start the new VM automatically is selected and then click Finish.
Select the new VM and then click the Console tab in XenCenter.
fo
al
es
rr
4.
5.
6.
7.
8.
9.
10.
Wait while the VM goes through its initial startup.
or
n
io
ut
78
Read and respond to the license terms.

Configure the region and language settings for this computer and then click Next.
Type the password for the local administrator and then click Finish.
Click Send Ctrl+Alt+Del and then log on using the local administrator credentials.
Move your mouse pointer to the bottom-right corner of the taskbar to display the Charms bar and then click Search.
Type Control and then select Control Panel.
Click Network and Internet, click Network and Sharing Center, and then click Ethernet.
Click Properties in the Ethernet status page and then double-click Internet Protocol Version 4 (TCP/IPv4).
Select Use the following IP address and then type the appropriate values into the fields.
Click OK two times and then click Close.
Click Control Panel Home in the Network and Internet window.
Click System and Security and then click System.
Click Change settings in the Computer name, domain, and workgroup settings section, and then click Change in the
System Properties window.
Change the computer name to a name consistent with your corporate naming scheme.
Click Domain, type the name of the domain, and then click OK.
Type the domain administrator credentials into the appropriate fields and then click OK.
Click OK in the Welcome to the domain message.
Click OK and then click Close.
Click Restart Now.
rib
24.
25.
26.
27.
28.
29.
st
di
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
Adding the File Server Role

The File Server role manages shared folders and enables end users to access files on this server from the network.
To Add the File Server Role to a VM

1.
Start the file server.

Right-click FileServer-1 and then click Start.
2.
Log on to the file server using domain administrator credentials.

Log on to FileServer-1 using the TRAINING\Administrator and Password1 credentials.
3.
Click Add roles and features in the Server Manager to open the Add Roles and Features wizard.
Click the Server Manager icon in the taskbar, if Server Manager is not already open.
Click Next in the Before You Begin page.

Select the type of installation that will be used to configure the server and then click Next.
ot
4.
5.
Verify that Role-based or feature-based installation is selected and then click Next.
fo
6.
es
rr
The role or feature-based installation option is used to configure a single server. The Remote Desktop Services
installation option is used for a Virtual Desktop Infrastructure (VDI) to create a virtual machine-based or
session-based desktop deployment.
Verify that Select the server from the server pool and that the proper destination server are selected and then click Next.
al
Verify that Select the server from the server pool and FS-1.Training.lab are selected and then click Next.
The destination server can be a server from the server pool or a virtual hard disk.
or
st
di
7.
8.
Click the arrow to the left of File and Storage Service (Installed) in the center pane to expand the nodes.
Click the arrow to the left of File and iSCSI Services, select File Server, and then click Next.
rib
9. Click Next in the Select features page.

10. Click Install in the Confirm installation selections page.
11. Wait for the installation to complete and then click Close.
io
ut
When the File Server role is selected, File and iSCSI Services is automatically selected for installation because it
is the parent role.
Discussion Question
What tools can you use to centrally manage the file servers in your environment?
Creating a Share for Folder Redirection

Active Directory allows folders, such as the Application Data or Documents folder to be saved (redirected) to a network
location. Thus, the contents of those folders are stored in the designated location and not included within the end-user
profile, which reduces its size. Depending on the version of Active Directory in use, the specific folders that can be redirected
vary.
79
Configuring folder redirection allows end users to save some settings, files, and other data while still enabling the benefits of
mandatory profiles. As a general guideline, you should enable folder redirection for all end-user data that is not accessed
regularly within a session, if network bandwidth permits.
Redirected folders contain personal information such as documents so it is important to protect this data by:
Creating a security group for end users who have redirected folders on a particular share and limiting access only to
those end users.
Creating a hidden share by putting a dollar sign ($) after the share name so the share is not visible on the network. For
example, use Home$ as the share for home directories.
Using the proper system variable in the creation of the policy. For example, use %Username% to create the account
directories.
Granting end users the minimum set of permissions required to access their data.
To Create a File Share for Folder Redirection

1.

Click File and Storage Services in the left pane of the Server Manager and then click Shares.
2.
ot
If the Server Manager is not open, click the Server Manager icon in the Windows taskbar.
fo
Click Tasks in the middle pane of the window and then click New Share.
Select the desired file share profile and then click Next.
es
rr
3.
4.
Select SMB Share - Quick and then click Next.
al
The different file share profiles are:

SMB Share - Quick is a basic profile and is the quickest way to create an SMB share that is typically used
with Windows-based computers.
SMB Share - Advanced is an advanced profile that provides more options to configure an SMB file share
like setting folder owners, folder data classification for management and access policies, and setting
quotas.
SMB Share - Applications creates an SMB file share with settings appropriate for Hyper-V, certain
databases, and other server applications.
NFS Share - Quick is the quickest way to create an NFS file share that is typically used with UNIX-based
systems.
NFS Share - Advanced offers additional options to configure an NFS file share like setting folder owners
for access-denied assistance, default classification of data in the folder for management and access policies,
and setting quotas.
or
st
di
io
ut
rib
5.
Select the server where the share will be added, select the volume, and then click Next.
Verify FS-1 is selected, select volume E:, and then click Next.
A volume is drive space on the local file system.
6.
Type a name for the share in the Share name field.

Type users$ as the share name.
The dollar sign at the end of the share name hides the share from being browsed on the network.
80
7.
Type a description for the share in the Share description field and then click Next.
Type For folder redirection as the share description and then click Next.
When you type the share name, the corresponding local path and remote path to the share are automatically
completed. For example: Share name: users$ Local path to share: E:haresusers$ Remote path to share: FS1users$
8.
Configure the share settings and then click Next.

Deselect Allow caching of share, select Enable access-based enumeration, and then click Next.
Access-based enumeration displays only the files and folders that an end user has permissions to access.
9.
10.
11.
12.
Click Customize permissions.

Click Disable inheritance and then click Remove all inherited permissions from this object.
Click Add to add permissions.
Click Select a principal and then type System in the Enter the object name to select field.
ot
The System account is used by the operating system and Windows services.
fo
Click Check Names and then click OK.

Select Full control for the Basic permissions and then click OK.
Click Add and then click Select a principal.
Type Domain Admins in the Enter the object name to select field.
Select Full control for the Basic permissions and then click OK.
Type Creator Owner in the Enter the object name to select field.
Select Subfolders and files only in the Applies to field, select Full control for the Basic permissions, and then click OK.
Type Everyone in the Enter the object name to select field.
Select This folder only in the Applies to field.
Click Clear all to clear all permissions and then click Show advanced permissions.
Select the following advanced permissions for the account:
Traverse folder / execute file
List folder / read data
Read attributes
Create folders / append data
29. Click OK to add the permissions and then click OK to close the Advanced Security Settings for the share.
al
es
rr
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
or
st
di
io
ut
rib
You are setting the permissions on the share such that only end users can access their folders, and new folders
can be created dynamically for new end users. For more information, see
http://support.microsoft.com/kb/274443.
30. Click Next and then click Create.
31. Click Close when the process is completed.
81
Creating a Folder Redirection Group Policy

A folder redirection group policy allows end users to access the shared folder created for the redirected profiles. Folder
redirection is not a default setting. It must be configured in a policy prior to managing the end users' profiles. End-user
settings and files are typically stored in the local end-user profile in the Users folder. The files in local end-user profiles can be
accessed only from the current endpoint, which makes it difficult for end users who use more than one endpoint to work
with their data and synchronize settings between them. Folder redirection allows administrators to redirect the path of a
folder to a new location. The location can be a folder on the local endpoint or on a network file share.
To Create a Folder Redirection Group Policy for Virtual Desktops

1.
Log on to a domain controller with domain administrator credentials.

2.
Click Tools in the top-right corner of the Server Manager window and then click Group Policy Management.
If the Server Manager is not open, click the Server Manager icon in the toolbar to open it.
3.
Browse to the OU for the virtual desktops.
ot
Double-click Forest: Training.lab > Domains > Training.lab > Training Virtual Desktops.
fo
4.
Right-click the OU and then click Create a GPO in this domain, and Link it here.
Type a name for the policy and then click OK.

Type Folder Redirection and then click OK.
6.
al
es
5.
rr
Right-click the Training Virtual Desktops OU and then click Create a GPO in this Domain, and Link it here.
Double-click User Configuration > Policies > Windows Settings > Folder Redirection to browse to the Desktop folder.
Right-click the Desktop folder and then select Properties.
Set the folder redirection properties for the Desktop folder.
st
di
7.
8.
9.
or
Right-click the Folder Redirection policy and then click Edit.
Type \\FS-1\users$ in the Root Path field and then click OK.
11. Click Yes in the warning message.

12. Right-click the Documents folder and then select Properties.
13. Set the folder redirection properties for the Documents folder.
io
ut
10. Set the folder redirection path and then click OK.
rib
Select Basic - Redirect everyone's folder to the same location in the Setting field.
Select Basic - Redirect everyone's folder to the same location in the Setting field.
14. Set the folder redirection path for each end user and then click OK.
Type \\FS-1\users$ in the Root Path field and then click OK.
15. Click Yes in the warning message.
16. Close the Group Policy Management Editor window and Group Policy Management Console.
Discussion Question
What must the administrator consider when setting up folder redirection?
What does the $ do when added to the folder redirection path?
82
Setting Up the Microsoft KMS License Server

A Key Management Server (KMS) is used to centralize the activation of licenses for Microsoft products in a local network.
This makes it easier to manage licenses by connecting to one license server versus connecting each computer in the network
to Microsoft. A single KMS host can support an unlimited numbers of KMS clients; however, Microsoft recommends
deploying a minimum of two KMS hosts for failover.
In this class, you will be pointing your servers to a preconfigured KMS License Server, instead of setting up a KMS
License Server in the lab environment.
Setting Up SQL Server 2012

SQL Server is a relational database engine. The primary function of a SQL Server is to store and retrieve structured data as
requested. A SQL Server can manage multiple databases. XenApp and XenDesktop stores Site, configuration logging, and
monitoring data in a dedicated SQL Server database, by default. The XenApp and XenDesktop configuration logging and
monitoring information can be moved to separate databases after the initial configuration is completed.
ot
SQL Server Express can be installed during the XenApp and XenDesktop installation for use with pilot implementations of
XenApp and XenDesktop. However, a full edition of SQL Server should be installed for use in a production environment.
Regardless of the edition selected for use, you cannot configure XenApp and XenDesktop (create a Site) until SQL Server is
installed.
fo
Creating the Computer and Service Accounts for SQL Server 2012
rr
al
es
You can create the computer accounts required by the Primary, Mirror, and Witness SQL Servers prior to joining them to the
domain. This removes the need to move the computers into the correct OU at a later time. In addition, during the installation
of SQL Server 2012, you will be asked to provide the name of the account that will be used to access the database engine. If
you create the service account prior to the installation, you will not need to change the account after the installation is
completed.
or
To Create Computer and Service Accounts for SQL Server 2012
st
di
The computer and service accounts for SQL Server 2012 are already created in the lab environment. The following
procedure is provided for informational purposes only. You do not need to complete this procedure in the lab
environment.
Log on to a domain controller with domain administrator credentials to create the computer and service accounts that
will be used with SQL Server.
Browse to the OU hosting the SQL Servers.
Right-click the OU and then select New > Computer to create a new computer account within the OU.
Name the computer account and then click OK.
io
ut
2.
3.
4.
5.
rib
1.
Doing this now will prevent you from having to go back to the domain controller after joining the SQL Server
to the domain in order to move the computer account into the proper OU.
6.
7.
8.
9.
10.
11.
12.
13.
Browse to the OU hosting the service accounts.

Repeat Steps 4 through 6 to create computer accounts for the other SQL Servers.
Right-click the OU and then click New > Group to create a SQL security group.
Name the group and then click OK.
Right-click the newly created OU.
Click New > User to create a new account.
Type the account name and user logon name and then click Next.
Type the password in the Password and Confirm password fields.
83
14. Set the password requirements and then click Next.

15. Click Finish.
The password you set should be a strong, and relatively randomized password. You should not allow accounts
with non-expiring passwords to log on locally. Windows Server 2008 R2 and 2012 R2 can be used to create
managed service accounts where the passwords are automatically changed. For further information, see
http://technet.microsoft.com/en-us/library/jj128431.aspx. In addition, Windows Server 2012 R2 added the ability
to create group managed service accounts. For more information, see http://technet.microsoft.com/enus/library/hh831782.aspx.
16. Right-click the newly created service account and then click Add to a group.
17. Type the group names to which this account will be a member and then click Check Names.
18. Click OK.
Adding the account to the service accounts group is what will prevent the service account from being used to
log on locally because you created a Group Policy Object that disallows log on locally to that group.
Installing SQL Server 2012
ot
You can install SQL Server 2012 using the Installation Wizard or the command line on a dedicated server. A SQL Server
should be configured to be highly available because no new users can connect to the environment if connectivity to the
database is lost. This configuration requires that multiple SQL Servers be installed in the environment. You can configure SQL
Server 2012 to use mirroring, clustering, or Always On. In our lab environment, you will configure SQL Server 2012 to use
mirroring.
fo
rr
or
To Install SQL Server 2012
al
es
SQL Server is already installed on the Primary, Mirror and Witness SQL Servers in the environment. The
following procedure is provided for informational purposes only. You do not need to install SQL Server in the lab
environment.
This procedure was used to create the Primary, Mirror, and Witness SQL Server VMs in the lab environment.
Create a Windows Server 2012 R2 virtual machine using the Creating a VM steps covered previously.
Insert the ISO file for Microsoft SQL Server 2012 into the DVD drive.
Click the File Explorer (file folder) icon in the taskbar.
Click Computer.
Double-click the CD Drive containing the installation media and then click Yes in the User Account Control message.
Click Installation in the left column of the window and then click New SQL Server stand-alone installation or add
features to an existing installation.
Ensure that the Setup Support Rules run successfully and then click OK.
io
ut
rib
7.
st
di
1.
2.
3.
4.
5.
6.
Verify that the bar is green with a message: Operation completed - 0 Failed.
8.
Type the product key and then click Next.

The customer must purchase a product license.
9. Read and respond to the license agreement.

10. Ignore the warning in the Product Updates page and then click Next.
84
This message appears if you do not have Internet access.
11.
12.
13.
14.
15.
16.
17.
18.
19.
ot
fo
rr
20.
21.
22.
23.
24.
25.
26.
Wait for the setup files to be installed, review the Setup Support Rules page, and then click Next.
Verify that SQL Server Feature Installation is selected and then click Next.
Select Database Engine Services >SQL Server Replication >Management Tools - Basic, and then click Next.
Click Next on the installation Rules page.
Click Next on the Instance Configuration page.
Click Next on the Disk Space Requirements page.
Click the entry under Account Name for SQL Server Database Engine service and then select Browse to change the SQL
Server Database server to use the new SQL Server service account.
Type the name associated with the newly created service account, click Check Names, and then click OK.
Type the appropriate password for the SQL Server service account in the Password column for the SQL Server Database
Engine and then click Next.
Click Add and then type the names of the SQL Server administrators.
Click Next in the Database Engine Configuration page.
Click Next in the Error Reporting page.
Click Next in the Installation Configuration Rules page.
Wait for the installation to finish and then click Close.
al
es
This may take several minutes.
27. Close the SQL Server Installation Center.

28. Click Eject to eject the installation media.
29. Repeat these steps to configure the Mirror and Witness SQL Servers.
or
st
di
Discussion Question
ut
rib
Does SQL Server need to be installed before you install XenApp and XenDesktop?
io
Configuring SQL Server and the Windows Firewall
Firewalls help prevent unauthorized access to computer resources. However, if a firewall is turned on but configured
incorrectly, attempts to connect to the SQL Server might be blocked. To allow communications with the SQL Server through
a firewall, you must configure the firewall for each server that is running SQL Server. The easiest way to do this is to apply a
GPO to the OU hosting the SQL Servers in the environment. This eliminates the need to open the inbound ports on each
SQL Server.
To Configure SQL Server and the Windows Firewall to Accept Inbound

Connections
The following steps are provided for informational purposes only and do not need to be performed in the lab
environment, because the firewalls are already turned off. However, students without this experience are
encouraged to perform this exercise.
1.
Start the primary SQL Server.

Right-click SQLServer-1 and then click Start.
85
2.
Log on to the SQL Server using domain administrator credentials.

Log on to SQLServer-1 using the TRAINING\Administrator and Password1 credentials.
3.
4.
5.
6.
7.
8.
9.
Click the Windows Start button.

Type SQL Server Configuration Manager
Click SQL Server Configuration Manager.
Click the arrow to the left of the SQL Server Network Configuration node and then click Protocols for MSSQLSERVER.
Verify that TCP/IP is enabled and then double-click TCP/IP.
Click the IP Addresses tab, note the TCP Port that is set, click Cancel, and then close the SQL Server Configuration
Manager.
Log on to the domain controller using domain administrator credentials.
Log on to DomainController-1 using the TRAINING\Administrator and Password1 credentials, if not already
logged on.
10. Click Tools in the Server Manager and then click Group Policy Management.
11. Browse to the OU hosting the SQL Servers.
Double-click Forest: Training.lab > Domains > Training.lab > Training Servers > SQL.
12. Right-click the OU and then click Create a GPO in this domain, and Link it here.
ot
Right-click the SQL OU and then click Create a GPO in this domain, and Link it here.
fo
13. Type a name for the GPO and then click OK.
rr
Type Windows Firewall - SQL Rules in the Name field and then click OK.
es
14. Right-click the newly created policy and then select Edit.
al
Right-click Windows Firewall - SQL Rules and then click Edit.
15. Double-click Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with
Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
16. Right-click Inbound Rules and then click New Rule.
17. Click Port and then click Next.
18. Specify the ports that will be used to communicate with the SQL Server and then click Next.
or
st
di
Verify that TCP is selected, type 1433, 5022 in the Specific local ports field, and then click Next.
rib
Port 1433 is for regular SQL Server communications and Port 5022 is for mirroring.
io
ut
Verify that Allow the connection is selected and then click Next.
Click Next in the Profile page to apply this rule to the Domain, Private, and Public firewall profiles.
Type SQL in the Name field and then click Finish.
Right-click Inbound Rules and then click New Rule to configure a rule that allows inbound Windows file sharing.
19.
20.
21.
22.
This inbound rule will be useful when you set up SQL Server Mirroring later on.
23.
24.
25.
26.
27.
Click Predefined, click File and Printer Sharing in the Predefined field and then click Next.
Click Next on the Predefined Rules page.
Click Finish.
Close the Group Policy Management Editor and the Group Policy Management Console.
Log on to the first SQL Server using domain administrator credentials.
Log on to SQLServer-1 using the TRAINING\Administrator and Password1 credentials, if not already logged on.
86
28. Move the mouse pointer to the bottom-right corner of the taskbar to display the Charms bar.
29. Select Search, type cmd, and then press Enter to open a command prompt window.
You can also open a command prompt window by selecting the Start icon, typing cmd or command, and then
pressing Enter.
30. Type gpupdate /force and then press Enter to force an update.
31. Type exit and then press Enter to close the command prompt window.
Discussion Question
Is it a good practice to disable the Windows firewall on a SQL Server?
Setting Up SQL Server Mirroring
ot
Mirroring the SQL Server database is a solution for creating redundancy of XenApp and XenDesktop settings. By mirroring
the database, you are ensured that, if the active database server fails, the mirrored SQL Server will be available to replace it.
This automatic failover process happens in a matter of seconds, so that end users are generally unaffected.
fo
e
al
es
rr
or
st
di
n
io
ut
rib
Mirroring requires a primary SQL Server, a secondary SQL Server, and a SQL Server witness. Mirroring is an active/passive
arrangement. All activity takes place on the primary SQL Server. In the event of a primary failure, the secondary SQL Server
assumes the primary role. The witness determines when a failure occurs. Mirroring does not protect data integrity - only the
database engine is protected. If data corruption occurs, the preferred method of recovery is rollback. Therefore, it is
imperative to follow appropriate backup procedures for the SQL Server database.
Discussion Question
SQL Server is used to store the XenApp and XenDesktop database. Why is database redundancy so important with XenApp
and XenDesktop?
87
Installing the SQL Server Witness

To support the mirroring of a SQL Server database, three SQL Servers are required. Two of the servers contain a copy of the
XenApp and XenDesktop database. The third server is known as the witness and does not contain the XenApp and
XenDesktop database. The sole purpose of the witness is to monitor the health of the primary and secondary SQL Servers.
The witness determines when to initiate an automatic failover. Microsoft calls this configuration mirrored with high-safety.
The primary and secondary SQL Servers rely on the witness to determine which is the primary and which is the secondary
(mirror).
A SQL Server Witness can be installed using the procedure for installing SQL Server 2012. A SQL Server Witness
is already installed in the lab environment.
Discussion Question
Does the SQL Server Witness need to use the same version and edition of SQL Server as the mirroring partners?
Configuring SQL Server Mirroring
ot
In order for SQL Server mirroring to work, you must first make a backup of the primary database and restore it on the
secondary SQL Server. This ensures that both SQL Servers contain the same database structure. Once they are configured,
they will synchronize the database. This synchronization takes place in a transactional manner. Any change made to the
primary database is synchronized to the secondary database immediately.
rr
The principal and mirror server instances must exist and be running the same edition of SQL Server.
A recent backup of the principle database must be available to restore to the mirror database.
The same domain user account must exist for all server instances.
al
es
fo
To configure database mirroring:
You can choose to use a database on a separate server. If you intend to use an external database created manually,
that is, one that is not created using Studio, ensure that the database administrator uses the following collation
setting when creating the database: Latin1_General_100_CI_AS_KS (where Latin1_General varies depending on
the country; for example Japanese_100_CI_AS_KS). If this collation setting is not specified during database
creation, subsequent creation of the XenApp and XenDesktop service schemas within the database will fail, and an
error similar to "<service>: schema requires a case-insensitive database" appears (where <service> is the name of
the service whose schema is being created).
or
st
di
2.
Right-click SQLServer-1 in XenCenter and then click Start.

Wait for the VM to start before proceeding to the next step.
a.
b.
io
Start the primary SQL Server if it is not already running.
ut
1.
rib
To Configure SQL Server Mirroring
Start the secondary SQL Server if it is not already running.

Right-click SQLServer-2 in XenCenter and then click Start.
3.
Start the SQL Server Witness.

Right-click SQLServer-Witness in XenCenter and then click Start.
SQLServer-1, SQLServer-2, and SQLServer-Witness must be started in order to complete this procedure.
4.
Switch to the primary SQL Server.

Click SQLServer-1 in XenCenter.
88
5.
Log on to the primary SQL Server using domain administrator credentials.

Log on to the SQLServer-1 VM using the TRAINING\Administrator and Password1 credentials, if you are not
already logged on.
6.
7.
8.
9.
Click the Windows Start button.

Type SQL Server Management Studio.
Right-click SQL Server Management Studio and then click Run as administrator.
Specify the name of the SQL Server in the Server name field and then click Connect.
Verify that SQL-1 is in the Server name field and then click Connect to connect to the local database instance. If the
connection to SQL-1 fails, verify that the SQL Server Management Studio was launched as an administrator. If the
connection continues to fail, reboot the SQL-1 server
10. Right-click the Databases node and then click New Database.
11. Type a name for the database in the Database name field.
Type CitrixMain Site in the Database name field.
12. Click Options in the left pane.
13. Select the Latin1_General_100_CI_AS_KS for the Collation and then click OK.
ot
Ensure that you select the correct Collation option. Many of the options are very similar. If you accidentally
choose the wrong collation for the lab environment, the Delivery Controller Site will not be able to use the
database. You will need to go through this procedure again, because the database will be mirrored but may be
unusable.
fo
rr
es
14. Expand the Databases node.

15. Right-click the database and then click Tasks > Back Up.
Right-click CitrixMain Site and then click Tasks > Back Up.
al
Click View > Refresh if the database does not appear.
or
st
di
16. Verify that Full appears in the Backup type field and then click OK.
17. Wait for the backup process to complete and then click OK.
18. Copy the SQL backup file from the Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Backup
folder on the first SQL Server (Primary) to the backup SQL Server (Mirror).
rib
a.
b.
c.
d.
e.
f.
io
ut
If the Windows Firewall is enabled, firewall exceptions need to be added to the SQL Servers either manually or
through a GPO to grant this access. This has already been done for the lab environment. Ensure that the
SQLServer-2 VM is running before continuing with this exercise.
Click the File Explorer icon in the taskbar of SQLServer-1.
Browse to C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Backup.
Right-click the CitrixMain Site.bak file and then click Copy.
Click the right side of the Address field at the top of the window, type \\SQL-2\C$ and then press Enter.
Right-click below the folders in the c$ window and then click Paste.
Close the c$ window.
19. Click the Connect menu in the Object Explorer of the Microsoft SQL Server Management Studio and then click
Database Engine.
20. Type the name of the backup SQL Server in the Server name field and then click Connect.
Type SQL-2 and then click Connect.
21. Right-click Databases under the backup SQL Server instance and then click Restore Database.
Right-click Databases under the SQL-2 instance and then click Restore Database.
89
22. Select Device and then click the ... button to the right of the Device field.
23. Click Add, browse to the backup file, and then click OK.
Click Add, click C:, click CitrixMain Site.bak, and then click OK.
24. Click OK in the Select backup devices window.
25. Verify that the check box in the Restore column is selected.
26. Click Options in the left pane, select RESTORE WITH NORECOVERY in the Recovery state field and then click OK.
Ensure that you select RESTORE WITH NORECOVERY before you click OK. Failure to do so will result in
errors later in the procedure in the lab environment.
27. Click OK in the message when the restore successfully completes.
28. Right-click the database you want to mirror on the primary SQL Server and then select Tasks > Mirror.
Right-click CitrixMain Site under the SQL-1 instance and then click Tasks > Mirror.
Click Configure Security.
Click Next on the first screen.
Verify that Yes is selected and then click Next on the Include Witness Server screen.
Verify that Witness server instance is selected and then click Next on the Choose Servers to Configure screen.
Click Next on the Principal Server Instance screen to accept the defaults for the primary (principal) SQL Server.
ot
29.
30.
31.
32.
33.
fo
SQL-1 is the principal SQL Server.
es
rr
34. Click Connect to the right of the Mirror server instance field to connect to the SQL Server that will be the mirror.
al
SQL-2 is the mirror SQL Server.
or
st
di
35. Click Connect on the Connect to Server dialog and then click Next in the Configure Database Mirroring Security wizard
to proceed.
An error will appear at the bottom of the wizard. This is normal.
ut
rib
36. Click the Witness server instance drop-down and then click Browse for more.
io
Ensure that SQLServer-Witness is running before continuing with the next step in this exercise.
37. Type the name of the SQL Server that will be the witness and then click Connect.
Type SQL-W and then click Connect in the Connect to Server window.
38. Click Next in the Configure Database Mirroring Security wizard.
39. Type the name of the SQL service account in the Principal, Witness, and Mirror fields in the Service Accounts screen and
then click Next.
Type TRAINING\SQLAcct1 in each of the fields and then click Next.
This service account was pre-created for you in the lab environment.
40. Review the settings and then click Finish.

41. Click Close when the configuration of the endpoints is completed.
90
42. Click Start Mirroring in the Database Properties message and then click OK.
If you receive an error stating that SQL-1 cannot be reached on port 5022, delete the database for SQL-1 and
SQL-2 and start again with Step 10 in this procedure.
The SQL Server witness must remain running after mirroring is configured. The databases may become
inaccessible if the server is shut down.
Discussion Question
Why is SQL Server mirroring a better high-availability solution for the Site database than using the high-availability feature of
the hypervisor?
Troubleshooting SQL Server Issues

The following table identifies SQL Server issues and resolutions.
ot
N
Issue
Resolution
fo
You cannot connect to the database engine.
al
es
rr
or
Verify that the SQL database is configured to accept remote

connections. To correct this issue:
Use SQL Server Management Studio, open the properties
for the local server, click Connections and then verify
that TCP Port 1433 is open for SQL traffic on the
firewall.
Open Windows Firewall Advanced Security to verify or
create an Inbound rule for the SQL Server ports.
Verify that the settings contained in the DSN file are
appropriate and that the DSN file is not corrupted. If the
file is corrupted, recreate the DSN file or copy the DSN
file from a server that can connect to the database.
st
di
Delete the SQL Server mirror database and start again by

right-clicking Databases under the mirror SQL Server
instance and then click Restore Database. Continue to follow
the steps to configure the mirror database.
Installing Anti-Virus Software
io
ut
rib
You receive an error stating that the primary SQL Server

cannot be reached on port 5022.
You should install anti-virus software to detect and remove computer viruses from your corporate environment. Computing
resources are often subjected to malicious code that can negatively impact normal operations. Anti-virus should be installed
where appropriate and the anti-virus signatures should be updated regularly. You should select an anti-virus software
application that is appropriate for the computing resource. In addition, you should configure the anti-virus software for
appropriate inclusions and exclusions in anti-virus scans. The configuration of an anti-virus software solution is beyond the
scope of this course. Refer to a security specialist to ensure that your environment is properly protected.
Discussion Question
You installed anti-virus software on all of the infrastructure servers in your environment and now performance is slow and
the operating systems on the servers are having reliability problems. What can you do to correct the problem?
91
Setting up the DMZ

A Demilitarized Zone (DMZ) is a buffer between the trusted (internal) environment and the untrusted (external)
environment. Its primary purpose is to protect the production environment from outside threats. The DMZ typically consists
of two firewalls separated by a private subnet. The objects placed in the DMZ, such as NetScaler, need to be hardened and
they must not contain any corporate intellectual property.
All components in the lab environment use a single network. The configuration of the DMZ is beyond the scope
of this course. Refer to a security specialist to ensure that your implementation is properly protected.
Discussion Question
Which services might be appropriate for deployment in the DMZ?
Reinforcement Exercise: Redirecting Additional Folders
ot
During this exercise, you will not be given step-by-step instructions for performing the task. Instead, you are asked
to use what you have just learned to complete it. This exercise is designed to take your newly gained knowledge
and stretch it to determine if you can apply that knowledge to perform a task you've never done before. In most
instances the default value/choice will be the best choice, but we encourage you to explore and try things out. If
you have a question or get stuck, ask the instructor or a fellow student for assistance.
rr
Set up and configure a domain controller and DNS.

Configure a Dynamic Host Configuration Protocol (DHCP) server.
Configure a private Certificate Authority server.
Set up and configure a file server.
Set up and configure SQL Server mirroring.
al
es
fo
Now that you know how to:
or
You are ready to try your hand at editing an existing group policy to redirect additional folders to the users' shares on the file
server.
st
di
Here is what you need to do:
Edit the existing Folder Redirection policy that you created for the virtual desktops in the domain.
Add the Pictures, Favorites, and Downloads folders to the policy.
Configure the properties for the folders so that the information from all users is redirected to the same location.
Redirect the folders to the users$ share on FileServer-1.
io
92
ut
1.
2.
3.
4.
rib
Children's Charitable Hospital (Training) wants you to redirect the Pictures, Favorites, and Downloads folders for all users of
virtual desktops. This will keep the information off of the virtual desktops and store it safely on the network.
Module 4
Setting Up Citrix
Components
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
94
Setting Up Citrix Components

Overview
Once the non-Citrix infrastructure components required by XenApp and XenDesktop are in place, you can begin to
implement the Citrix components.
Install
Install
Install
Install
Install
and
and
and
and
and
configure the Citrix License Server.

configure Citrix Delivery Controller, Citrix Studio, and Citrix Director.
configure the Citrix Universal Print Server.
configure Citrix StoreFront.
configure Citrix Receiver.

the beginning of this module, the VMs should be in following the states:
FileServer-1 = On
SQLServer-1 = On
SQLServer-2 = On
SQLServer-Witness = On
All other VMs = Off
ot
al
es
rr
Architecture
fo
At
XenApp and XenDesktop relies on the following Citrix components to provide server-hosted desktops and applications, and
desktop-hosted desktops and applications to end users.
or
st
di
n
io
ut
rib
Citrix License Server stores and manages the license files for all components within the XenApp and XenDesktop
architecture with the exception of NetScaler components, which require the license files to be installed directly on them.
Delivery Controller consists of services that communicate with the hypervisor to distribute applications and desktops,
authenticate and manage user access, and broker connections between end users and their virtual desktops and
applications.
Studio is the management console used to set up and administer a XenApp and XenDesktop implementation.
Director is a Web-based tool that enables IT support and Help Desk teams to monitor an environment, troubleshoot
issues before they become critical, and perform support tasks for end users.
Universal Print Server extends universal printing support to network printers.
StoreFront provides authentication and resource delivery services for users of Citrix Receiver. StoreFront uses a local
configuration data file to keep track of end users' application subscriptions, shortcut names, and locations so end users
have a consistent experience from all of their endpoints.
Module 4: Setting Up Citrix Components
95
Receiver provides end users with access to hosted applications and virtual desktops.
The Citrix components rely on the following infrastructure components that were installed during the last module:
SQL Server stores the configuration data for the XenApp and XenDesktop Site and its resources.
Hypervisor hosts all virtual machines in the environment as well as the resources provided to end users.
Active Directory provides authentication, authorization, and auditing for all components within the environment.
The following components and resources will be configured in future modules:
ot
Provisioning Services(PVS) creates virtual disks (vDisks) from a Master Target Device. PVS uses PXE, DHCP, BDM and
the Stream Service to provide vDisks to target devices. PVS supports both virtual target devices and physical target
devices.
Machine Creation Services(MCS) is a collection of services that work together to create virtual desktops from a master
image. MCS provides many of the same single-image management benefits as Provisioning Services, but works directly
on the storage managed by the hypervisor, without the need to use PXE or BDM to start a target device.
Hosted applications are the applications that are installed on a Server OS machine or Desktop OS machine and made
available to users of Citrix Receiver.
Server OS machines are virtual desktops running a Windows Server operating system.
Desktop OS machines are virtual desktops running a Windows workstation operating system.
NetScaler is an appliance that provides a wide range of functions including: load balancing, proxy service, and endpoint
analysis.
fo
Discussion Question
al
es
rr
The network onto which XenApp and XenDesktop is placed must be resilient, robust, and reliable. You can configure all
components perfectly and still have a failed implementation if the network doesn't meet the needs of the environment. What
constitutes a resilient, robust and reliable network?
Setting Up the Citrix License Server
or
The Citrix License Server manages the Citrix licenses for Citrix products, except for Citrix NetScaler. Each time a Citrix
product starts up, it opens a connection to the license server and checks out a startup license. The license server can be
installed on a physical server or a virtual server. A Citrix License Server can reside on server that hosts other roles or on a
server completely dedicated to storing and managing Citrix licenses.
st
di
ut
rib
At this time, the Citrix License Server VPX is not supported for use with XenApp and XenDesktop. This may
change in the future. Refer to www.citrix.com for further information.
io
Citrix licenses are stored in a file that must be added to the license server. The license file is initially acquired from My
Account on the www.citrix.com Web site or by using Citrix Studio.
All components must be configured to communicate with the license server. This communication is configured from the
Citrix product. The default port for communication is 27000. The license server then uses the vendor daemon with a default
port of 7279 to deliver the license. The License Administration Console communicates with the Citrix License Server on port
8082. All ports can be configured from within the License Administration Console. After a license is installed for use with
XenApp and XenDesktop, all license management is done through the Web-based License Administration Console or Citrix
Studio.
The License Administration Console lets you manage and monitor your Citrix licenses. The availability of a license is
determined by the number of available licenses on the license server when a session is requested. If a license is not available,
the session is denied.
You can track license usage using the Licensing node in Citrix Studio or the EdgeSight License Server Monitoring
tool which provides license reporting and is a free download from the
www.citrix.com/downloads/licensing/components Web site. This tool works for all products regardless of the
product edition.
Citrix licensing can be configured in the License Administration Console or Citrix Studio to use a license that supports:
96
A Concurrent licensing model, which checks a license out when an end user requests a session and checks the license
back in when the end user logs off or disconnects from the session. A concurrent license is not tied to a specific end user.
License consumption is based on:
If a single end user is running multiple sessions on a single endpoint, a single license is consumed.
If a single end user is running sessions on multiple endpoints, multiple licenses are consumed.
User/Device licensing model, which checks a license out for a device when an end user makes a connection and keeps the
license for 90 days after the end user ends the session on the device. License consumption is based on:
If a single end user is running multiple sessions on a single endpoint, a single license is consumed (User licensing
model).
If a single end user is running multiple sessions on multiple endpoints, a single license is consumed (User licensing
model). A licensed end user requires a unique user ID, such as an Active Directory entry. When assigned to an end
user, the license allows the end user to connect to the desktops and applications with multiple endpoints, such as a
desktop computer, laptop, netbook, smartphone, or thin client concurrently.
If multiple end users are running multiple sessions from a single endpoint, a single license is used (Device licensing
model). A licensed device requires a unique device ID and is authorized for use by any end user to access desktops
and hosted applications. This licensing model can be used for shared devices, such as in a classroom or hospital
because it allows an unlimited number of end users per device.
ot
The license server determines how to minimize license consumption based on whether the licenses installed are
User/Device or Concurrent and how the environment is configured. For example, with concurrent licensing, load
balancing of the license server can affect license consumption, as can multiple product editions in the
environment. For a detailed description of how the various license models work, see the "Types" topic under
Licensing Your Product on the http://docs.citrix.com Web site.
fo
rr
Installing the Citrix License Server
es
al
The Citrix License Server can be installed using the software on the XenApp and XenDesktop installation media or
downloaded from www.citrix.com. The license server software should be installed before any other XenApp and XenDesktop
component. This allows you to point the Delivery Controller to the license server during the installation and initial
configuration. If the license server software is not installed prior to the installation of XenApp and XenDesktop, a trial license
can be selected and used for up to 30 days.
or
st
di
Citrix products store a replica of the licensing information from the license server, including the number and type of licenses.
Citrix products and the license server exchange "heartbeat" messages every five minutes to indicate to each other that they are
still up and running. If the product and the license server fail to send or receive heartbeats, the product lapses into the
licensing grace period and the product licenses itself through cached information. The Citrix products continue operations as
if they were still in communication with the license server. Citrix products update their grace period information every hour.
rib
io
ut
High availability of the license server can be accomplished with clustering. Clustering the license server allows users to
continue working during failure situations without interrupting access to critical applications. When the active node in a
cluster-enabled license server suffers from hardware failure, failover occurs automatically. Resources are available again in a
few seconds to a few minutes. If clustering will be used, you should register the name of the cluster, not the individual names
of the servers when allocating the license on the My Account site or in Citrix Studio. Another way to provide high availability
for the license server is at the hypervisor layer. For more information about clustering license servers, see the "Clustered
license servers" topic on the http://docs.citrix.com Web site.
To Install the Citrix License Server

1.
Start the license server VM.

Right-click CitrixLicenseServer-1 in XenCenter, click Start, and then click the Console tab.
2.
Log on to the license server with domain administrator credentials.

Log on to CitrixLicenseServer-1 using the TRAINING\Administrator and Password1 credentials.
3.
Insert the XenApp and XenDesktop media in the DVD drive.

Select XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
4.
5.
Click the File Explorer icon in the taskbar and then click This PC.
Double-click CD Drive (D:) to start the installation wizard.
97
If the installation wizard does not start, double-click AutoSelect.
6.
7.
8.
Click Start in next to XenDesktop.

Click Citrix License Server under Extend Deployment on the right.
Select I have read, understand, and accept the terms of the license agreement and then click Next.
9. Click Next on the Core Components screen to accept the default installation location setting.
10. Select the method to use for port configuration.
Verify that Automatically is selected on the Firewall page and then click Next.
You should select Automatically, if you are using the default ports for communication with your license server.
If you are using custom ports, select Manually. Changing the licensing port after licenses are installed might
cause the "No such product or vendor exists: CITRIX" message to appear on the License Administration
Console dashboard instead of the installed licenses.
ot
11. Click Install and wait for the installation to complete.

12. Click Finish.
13. Eject the XenApp and XenDesktop media from the DVD drive.
fo
Click Eject to the right of the DVD Drive 1 field to eject the media from the drive.
es
rr
al
Troubleshooting License Server Issues
The following table provides resolutions for Citrix License Server issues.
or
Resolution
The license server will not start or an upgrade of the license

server fails.
Run the License Server Configuration tool from C:Program

FilesCitrix LicensingLSresourceLSPostConfigTool.exe. If the
License Server Configuration tool fails for any reason,
uninstall and reinstall the license server.
The installation fails when localized characters are used in

the installation path.
Accept the default installation path or use only ASCII

alphabetic characters for the installation path.
The 30-day free trial license is the only license available.
Verify that a license for the product edition has been added
to the license server. Accept the trial license and then use
Studio to change the license information after installation.
A read-only administrator receives the following message in

Studio after the Citrix License Server software is uninstalled
and then reinstalled: "You do not have permissions to
perform this operation."
Have a full license administrator log on and access the

License node in Studio to initiate a trust with the new license
server.
Newly added licenses are not appearing in the License

Administration Console.
Do one of the following:

Re-read the license file using the Vendor Daemon
Configuration tab in the License Administration
Console.
Restart the Citrix Licensing Service on the license server.
Restart the license server.
st
di
Issue
io
ut
rib
98
Allocating, Downloading, and Adding a License File

After you install the licensing components, you are ready to obtain your Citrix license files from My Account on the
www.citrix.com Web site or Citrix Studio. You can generate a license file, download it to the license server, and then import
the license file using the License Administration Console, Citrix Studio, or a web browser.
Before allocating a license, you need the following information:
ot
The license code. You can find this code on the XenApp and XenDesktop installation media pack, in an email you
receive from Citrix, or from the Subscription Advantage Management-Renewal-Information system (SAMRI).
Your user ID and password for My Account on the www.citrix.com Web site. You can register for this password on the
Web site.
The name of the server on which you installed the licensing software. The entry field for this name is case-sensitive, so
ensure that you copy the name exactly as it appears on the server. You can find the license server host name and Ethernet
address in the License Administration Console in the Administration area on the System Information tab. You can also
run the hostname command at a command prompt on the license server.
The number of licenses you want to include in the license file. You do not have to download all of the licenses you are
entitled to at once, if you are using My Account from the www.citrix.com Web site. If you are using Citrix Studio to
allocate the licenses, you must allocate all licenses in the file at one time in this version of XenApp and XenDesktop. For
example, if your company purchases 100 licenses, you can choose to allocate and download only 50 at this time if you are
using My Account. At a later date or time, you can allocate the rest in another license file. You can have more than one
license file. This cannot be done from Citrix Studio.
fo
To Allocate, Download, and Import a License File
al
es
rr
A Citrix License Server is preconfigured for use in the lab environment with licenses already allocated to it. To
experience allocating, downloading and adding a license file from My Account, we have provided a Downloading,
Allocating, and Importing License Files exercise below. Click the following link and use the steps in this course to
Downloading, Allocating, and Importing License Files Exercise
or
1.
2.
Click My Account (Log in) in the upper-right corner of the www.citrix.com Web site page.
Click Create Account.
st
di
Use the mouse to move between fields in this exercise.
rib
Click Create Customer Account.
ut
3.
io
If your company already has an account, you would use the existing account rather than create a new one.
4.
Complete the form to create an account and then click Continue.

The form has been completed with generic information. Click Continue.
5.
Create a new Login ID and password and then click Continue.

Verify that CitrixStudent is in the Login ID field, type Password1 in the New Password and Confirm Password fields,
and then click Continue.
6.
7.
Click Activate and Allocate Licenses under the Licensing heading on the page.
Click the Single Allocation tab.
If you currently have available licenses, they will appear within the Activate and Allocate Licenses tab.
99
8.
Type the license code into the Enter license code field and then click Continue.
Type CTXLF-12345-67890-12345-67890 and then click Continue.
9.
Click Continue on the Host Name Warning Page.

Not all licenses for Citrix products are allocated based on the host name of the license server.
10. Type the case-sensitive name of the Citrix License Server that will host the license in the Host ID field.
Type LS-1 into the Host ID field.
Make sure that students do not type CLS-1 as the host name. CLS-1 is the host name of the Citrix License
Server that the students created in the lab environment, but is not the host name used in this exercise.
11. Click the Quantity/Available field, type the license quantity, and then click Continue.
Click the Quantity/Available field, type 5, and then click Continue.
ot
You can always come back to reallocate and re-download your licenses should they become corrupt, lost, or
you need to specify a different allocation of your licenses using the Reallocate and Redownload tabs from My
Account on the www.citrix.com Web site.
fo
Verify that the information is correct and then click Confirm.

Click OK in the message stating that the allocation was successful.
Click Download.
Click the down arrow next to Save and then click Save as.
al
es
rr
12.
13.
14.
15.
The name of the license file can be changed, but the contents within the file cannot be changed without
corrupting the license file.
or
Click Save in the Save As window to download the license file to the Downloads folder.
Click Log Out in the upper-right corner of the window.
Close the browser window.
Click the Start button on the bottom-left corner of the screen.
Type Citrix License and then click the Search icon.
Click Citrix License Administration Console.
Click Administration in the upper-right corner of the License Administration Console.
Log on as a license administrator.
st
di
io
ut
rib
16.
17.
18.
19.
20.
21.
22.
23.
Type TRAINING\Administrator in the User Name field, Password1 in the Password field, and then click Submit.
24. Click Vendor Daemon Configuration in the lower-left corner of the License Administration Console.
25. Click Import License.
26. Click Browse to the right of the License File from Your Local Machine field to browse to the recently downloaded license
file.
27. Select the recently downloaded license file and then click Open.
Select FID_15.lic in the Downloads folder and then click Open.
28. Click Import License.
29. Click OK.
In order to view the active licenses within the dashboard, you must restart the license server or reread the
license file.
100
30. Verify that the licenses have been allocated.

Click Dashboard and then click Citrix XenDesktop Enterprise|Concurrent.
31. View the allocated licenses and then click X in the upper-right corner of the window to close the dashboard.
Discussion Question
When downloading the license for the first time from My Account on the www.citrix.com Web site, you are asked to allocate
the licenses. What does allocate mean?
Adding License Administrators

A default administrator account is created during the installation of the License Administration Console. To delegate license
administration to other users, you need to configure accounts on the license server using the License Administration Console.
The License Administration Console can use License Administration users, local Windows users and groups, and Active
Directory users and groups. The Simple License Service used by the License Administration Console can use local Windows
users and groups as well as Active Directory users and groups.
ot
Active Directory users and groups are part of an Active Directory/network authentication system. To support
Active Directory users and groups, the license server must be a member of a Microsoft Active Directory domain.
fo
Start the management system VM.
es
1.
rr
To Add a License Administrator

Right-click StudentManagementConsole-1 in XenCenter, click Start, and then click the Console tab.
al
The StudentManagementConsole-1 (SMC-1) is a system specifically set up in the lab environment for you to
use to administer components in the environment. In the real-world, it is more realistic that administrators
use an endpoint to administer their environments than to log on directly to the servers in the environment.
or
Log on to the management system using domain administrator credentials.
st
di
2.
Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials.

Double-click the Mozilla Firefox icon on the desktop.
Type the FQDN and port number of the License Administration Console into the Address field and then press Enter to
access the License Administration Console.
Type cls-1.training.lab:8082 in the Address field and then press Enter.
Click Administration in the upper-right corner of the console.

Log on to the License Administration Console using the credentials you used to install the Citrix License Server software.
5.
6.
io
ut
rib
3.
4.
Log on using the TRAINING\Administrator and Password1 credentials.

If you are in a domain, the account of the end user who installed the license server is automatically added as
the administrator. If you were logged on with a different account when you installed the Citrix License Server,
you must either use that account to log on to the console to create new administrators or any account that is a
member of the BUILTINAdministrators group (including the Domain Admins Security group).
7.
8.
Click User Configuration.

Click New User.
You should not include a backslash for a locally managed administrator (for example, tester1). If you do, you
will be unable to delete that account.
101
9.
Select a role for the new Citrix License administrator.

Select Domain Administrator in the Role field.
10. Type the name of an end user or group in the User name field in the form of domain\username or domain\group and
then click Save.
Type TRAINING\Admin2 and then click Save.
11. Verify that the new account appears on the User Configuration page.
12. Click Log Out on the top right of the License Administration console.
Discussion Question
What steps are required to recover from a catastrophic failure of the license server?
Configuring Licensing Alerts
ot
A licensing alert can be set to notify an administrator when an important event concerning Citrix licensing occurs. There are
two types of alerts: critical and important. All alerts are triggered at one minute intervals except the Vendor Daemon alert
which is triggered immediately. You can set alerts for Subscription Advantage expiration, license expiration, Vendor Daemon
has stopped, and concurrent license usage. For example, an important alert for concurrent license usage can be set to 90%,
and a critical alert can be set to 98% consumption.
fo
To Configure Licensing Alerts
1.
al
es
rr
Alerts and license usage are displayed on the first page of the License Administration Console. By default, to view
information on the first page of the License Administration Console, you do not need log on credentials. You can
change this behavior and require log on.
Log on to the management system using domain administrator credentials.
or
Log on to StudentManagementConsole-1 using the TRAINING\Administrator and Password1 credentials, if not

already logged on.
st
di
2.
3.
Type cls-1.training.lab:8082 in the Address field and then press Enter.

Click Administration in the upper-right corner of the console.
io
ut
4.
rib
Double-click the Mozilla Firefox icon on the desktop.

Type the FQDN and port number of the License Administration Console into the Address field and then press Enter to
access the License Administration Console.
If the Log On screen does not appear, click Log Out at the top of the console and then click Administration.
5.
Log on to the License Administration Console using Citrix License administrator credentials.
Log on to the License Administration Console using the TRAINING\Admin2 and Password1 credentials.
6.
7.
Click Alert Configuration on the left side of the console.

Select an alert to display on the Dashboard, determine the threshold you want to set to trigger the alert, and then click
Save.
Select Concurrent threshold exceeded, set the alert to 80%, and then click Save.
8.
Deselect an alert to remove it from the Dashboard and then click Save.
Deselect Overdraft license issued and then click Save in the lower-right corner of the console.
9. Click Dashboard in the upper-right corner of the console to view the Dashboard.
10. Click Citrix Start-up License|Server to expand and view the license.
102
The alerts, if any, will be displayed in the left pane of the console.
11. Click the yellow triangle to view the Important alerts.

There should not be any alerts at this time because you do not have any Citrix products installed.
12. Click the red circle to view the Critical alerts.

13. Click the X in the upper-right corner of the License Administration Console to close the window.
You can shut down the CitrixLicenseServer-1 VM to free up lab environment resources. You will be using a
centralized license server in the classroom.
Moving from XenApp 7.6 to XenDesktop 7.6

An edition of XenApp 7.6 to another.
An edition of XenDesktop 7.6 to another.
An edition of XenApp 7.6 to an edition of XenDesktop 7.6.
fo
rr
ot
XenApp and XenDesktop now share a unified architecture. This makes it possible to simply upload a license to move an
implementation from:
al
es
Once the license is uploaded and the edition is selected, all of the features available in the edition become available to the
administrator.
Setting Up the Delivery Controller
or
The Delivery Controller (Controller) is responsible for managing end user access, load balancing connections, and optimizing
connections. The Delivery Controller relies on Machine Creation Services (MCS) to create multiple VMs from a single virtual
image.
st
di
The Controller:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
io
ut
rib
XenApp supports Server OS-based applications and desktops. XenDesktop supports Server OS-based applications
and desktops and Desktop OS-based applications and desktops along with other FlexCast models. The installation
media for XenDesktop contains options for installing XenApp 7.6 or XenDesktop 7.6. The installations are the
same with the exception of branding. The licenses you upload determine the features and functions available to
you. For example, if you choose to install XenApp 7.6 and then upload XenDesktop licenses, your installation will
be XenDesktop.
Receives authentication requests from end users and queries Active Directory.
Interacts with the database to retrieve the list of resources for the end user.
Communicates with StoreFront to make the resources available for selection.
Receives requests from the end user to access a resource.
Load balances the request for a resource.
Prepares the resource to be delivered to the end user via the hypervisor.
Sends load balancing information to StoreFront, where a connection file is created.
Prepares the VM for connection.
Retrieves the client license and issues it to the started resource.
Monitors the connection state throughout the duration of the session.
The Controller provides the following services:
Communicates with the hypervisor to distribute hosted applications and virtual desktops.
Manages connection options using Delivery Groups.
103
Manages virtual desktops, hosted applications, and Remote PC Access through machine catalogs.
Manages the power state of VMs.
To provide high availability so that end users can continue to access and use their resources in the event of a Controller
failure, you should configure more than one Controller per site.
To add a Controller, you need the securityadmin or db_owner database server role permission for the XenApp
and XenDesktop database.
Installing the First Controller

During the installation of the first Controller, you can point to a database server or install a SQL Server Express instance.
After the Controller is installed, it must be configured using Studio. You will install Studio on this VM later in this module.
The license server should be installed before the Controller is installed. This will simplify the registration of the
Controller with the license server.
1.
ot
To Install the First Controller

Right-click the Controller VM, click Start, and then click the Console tab.
fo
Right-click Controller-1, click Start, and then click the Console tab.
rr
2.
Log on to the Controller using domain administrator credentials.
Insert the XenApp and XenDesktop installation media into the DVD drive.
al
3.
es
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials.

or
4.
5.
st
di
io
ut
Click Start on next to XenDesktop.

Click Delivery Controller.
Read and respond to the licensing agreement.
rib
6.
7.
8.
9.
Specify the components to install and then click Next.

Deselect License Server and StoreFront and then click Next.
If you are deploying a Proof of Concept or small implementation that will not grow, you can install the
Controller, Studio, and Director on the same server.
10. Specify whether or not to install Microsoft SQL Server 2012 Express or Remote Assistance and then click Next.
Deselect Install Microsoft SQL Server 2012 Express, verify that Install WindowsRemote Assistance is selected, and
then click Next.
104
Microsoft SQL Server 2012 Express does not need to be installed on the server because we will be using a
mirrored instance of SQL Server 2012. If a SQL Server installation was not available in the environment, SQL
Server Express could be selected and installed automatically from the installation media. Windows Remote
Assistance is selected for installation because you are installing Director on this server. Director can be used by
Help Desk personnel to assist end users, so Windows Remote Assistance is needed.
11. Select the port configuration method to use and then click Next.
Verify that Automatically is selected and then click Next.
If the Controller will use the default ports for communications, select Automatically. If the Controller will use
alternate port assignments, select Manually to configure the ports after the installation.
12. Review the installation summary and then click Install.
Based on the components that are selected for installation in the lab environment and the number of VMs
running, you can expect the installation to take approximately 15 minutes.
ot
13. Wait for the installation to complete, deselect Launch Studio, and then click Finish.
14. Click Eject to the right of the DVD drive field to eject the media from the drive.
15. Click Tools at the top of the Server Manager window and then click Internet Information Services (IIS) Manager to
begin the process of requesting and installing a certificate on the first Delivery Controller.
16. Click the name of the Delivery Controller in the left pane.
fo
rr
Click C-1 in the left pane.
es
17. Respond to the Internet Information Services (IIS) Manager message.

Click No.
al
18. Double-click Server Certificates in the center pane under the IIS heading.
19. Click Create Domain Certificate in the Actions pane on the right.
20. Specify the appropriate distinguished name properties and then click Next.
or
io
ut
rib
b.
Use the following information:

Common name: c-1.training.lab
Organization: Training
Organizational Unit: IT
City/locality: Ft Lauderdale
State/province: Florida
Country/region: US
Click Next.
st
di
a.
The Common name must match the FQDN that will be used to access the Site.
21. Click Select, select the Certificate Authority, and then click OK.
Click Select, select training-AD-CA, and then click OK.
22. Type a friendly name for the certificate and then click Finish.
Type c-1.training.lab and then click Finish.
23. Double-click Sites > Default Web Site in the left pane.
24. Click Bindings in the right pane.
25. Click Add and then select https in the Type field.
105
26. Select the newly created certificate from the SSL certificate field, click OK, and then click Close.
Select c-1.training.lab in the SSL certificate field, click OK, and then click Close.
27. Close the Internet Information Services (IIS) Manager.
Discussion Question
In previous versions of XenApp and XenDesktop, device drivers were installed during the installation of the Controller. This
is no longer the case. Why is it an important advancement that device drivers are no longer installed on the Controller?
How are Virtual Delivery Agents (VDAs) notified of available Controllers?
Configuring a Site
A Site is the management scope for a XenApp and XenDesktop environment and encompasses all of the components needed
for the deployment of XenApp and XenDesktop. All management is done at the Site level. All administrators are configured
at the Site level. A Site must be named during the configuration phase of the first Controller. Components contained in a Site
must be able to communicate with each other and are managed by the Controller.
ot
Studio is the GUI interface used to manage the Site. During the configuration of the Site, you configure communications
between the Controller, Citrix License Server, database, and the hosting environment. Studio can be installed on the
Controller, on an administrator's desktop, on a Server OS machine, or made available as a hosted application.
rr
Log on to the VM hosting Studio using domain administrator credentials.
es
1.
fo
To Configure a Site
Log on to Controller-1 using the TRAINING\Administrator and Password1 credentials, if not already logged on.
Open Studio.
Click Start, type Studio and then click Citrix Studio.
al
2.
or
Click Deliver applications and desktops to your users.

Verify that A fully configured, production-ready Site (recommended for new users) is selected.
Type a Site name and then click Next.
io
Type MainSite in the Name your Site field and then click Next.
ut
rib
3.
4.
5.
st
di
Studio will open automatically at the end of the Controller installation by default, if Studio was selected for
installation.
Semantically, the Site name should make sense in the context of the overall architecture or be relevant to the
groups or Controller residing on the Site.
6.
Type the database server location and the name of the database in the appropriate fields.
Type sql-1.training.lab in the Database server location field and verify that CitrixMainSite appears in the Database
name field.
7.
Click Test connection.

An information message will appear at this point because you created the database during the SQL mirroring
exercise and the database is empty. This is the expected behavior and is okay.
8.
9.
106
Click OK in the message.

Click Close and then click Next.
10. Type the License Server IP address, host name, or FQDN and then click Connect.
Type license.edutestsite.com in the License server address field and then click Connect.
You are not using the CitrixLicenseServer-1 VM during this class to provide licenses for XenApp and
XenDesktop. Instead, you are connecting to an external license server to provide the licenses.
11. Select Connect me and then click Confirm.
12. Select the proper license and then click Next.
Select Citrix XenDesktop Platinum: User/Device and then click Next.
13. Select the Connection type (hypervisor).
Select Citrix XenServer.
14. Type the Connection address.
Type the address of the XenServer management network. To locate this address, open XenCenter, select the XenServer
host, and then click the Networking tab.
ot
It is recommended that HTTPS connections be used to communicate with XenServer. HTTPS prevents the
XenServer password from being transmitted over the network in plain text. Certain tools are able to read plain
text user names and passwords in HTTP (unencrypted) network packets, which creates a security risk for
users. A certificate is not installed on the XenServer host in the lab environment.
fo
rr
15. Type the user name and password for the host connection.
Type the user name and password provided by the instructions at the beginning of the lab.
al
es
16. Specify a name for the connection.
Type XenServer in the Connection name field.
17. Determine which provisioning tool will be used to create VMs for XenApp and XenDesktop and then click Next.
or
Verify that Studio tools (Machine Creation Services) is selected and then click Next.
st
di
18. Type a name for the virtualization settings in the Enter a name for the Resources field, select the desired networks for the
VMs to use, and then click Next.
ut
19. Select the storage device and type of storage to use.
rib
Type XenApp and XenDesktop Network in the Enter a name for the Resources settings field, select Internal, verify
that all other networks are deselected, and then click Next.
io
Select Local from the storage devices drop down list. Verify that Local Storage is selected.
When Shared and NFS virtual disk storage are selected, you can specify whether or not IntelliCache will be
used to reduce the load on the shared storage device. This option is not valid for Local storage. To learn more
about IntelliCache, see http://support.citrix.com/article/CTX129052.
20. Determine where Personal vDisks will be stored and then click Next.
Verify that Use same storage for virtual machines and Personal vDisk is selected and then click Next.
21. Determine if App-V publishing will be used, specify the appropriate information, and then click Next.
Verify that No is selected on the App-V Publishing page and then click Next.
22. Click Finish.
You can expect the Site configuration to take approximately 10 minutes because the primary and mirror
database schemas are being created for the new Site.
23. Verify that a green check mark appears next to Step 1 and then click the Test site configuration button.
107
24. Click Show report to review the test results.

25. Close the Site Configuration Testing Report and then click Finish.
Some warnings may appear. The warnings will not affect the lab environment, but should be addressed in a
real-world implementation. In our database, Read Committed Snapshot is disabled. This means that the
database engine will not modify information in the database while a transaction is reading that information.
When Read Committed Snapshot is enabled, versioning is used to allow reading and writing of the
information at the same time.
Editing Connection and Resource Settings

Resource settings are the connection information used by your XenApp or XenDesktop Delivery site to communicate with the
underlying hypervisor technology.
You can improve the performance of a XenApp or XenDesktop site, by further optimizing the Delivery site connection to the
host for XenServer, vSphere, and Hyper-V. After you specify the host connection in Citrix Studio, you can use the properties
to modify the connection settings.
The connection settings allow you to specify the maximum number of simultaneous actions, simultaneous Personal Storage
inventory updates, and the number of actions per minute that can occur on a host connection.
ot
For more information about connection settings and connection throttling, see http://docs.citrix.com/en-us/xenappand-xendesktop/7-6/xad-connections.html.
fo
rr
To Edit Connection and Resource Settings
es
1.
Open Studio.
2.
al
Edit the Hosting connection settings.
ut
4.
Click Hosting.
Verify XenServer is selected.
Click Edit Connection in the Actions pane.
io
View the options to improve the performance of the XenApp and XenDesktop Delivery site by enhancing the connection
throttling settings.
Click the Advanced tab.
5.
rib
a.
b.
c.
st
di
3.
or
Click Cancel.
Citrix recommends that you only adjust these advanced connection properties under the guidance of a Citrix
Support representative.
Connecting to Resources
Site outages and interruptions in communications between the Delivery Controller and the site database can result in resource
availability issues for users. Connection leasing enables Delivery Controllers to continue to broker users to sessions in the
event the site cannot communicate with the site database. This connection brokering relies on a cache on each Delivery
Controller. User sessions brokered for the last two weeks are cached on the Delivery Controller.
Connection leasing is not a database redundancy solution. Citrix recommends that XenApp and XenDesktop implementations
use SQL mirroring or clustering to protect and provide failover for the site database. Connection leasing is a XenApp and
XenDesktop feature that supplements a SQL Server high availability solution.
108
In most large deployments, connection leasing will likely never be used because the SQL clustering options will
prevent the loss of connection to the site database.
Example: An end user has accessed Microsoft Word within the last two weeks, but has not accessed Microsoft PowerPoint.
During the site outage, the connection leasing feature allows the Delivery Controllers to broker that users request to
Microsoft Word, but not to Microsoft PowerPoint, because Microsoft PowerPoint is not in the cache. Connection leasing is
enabled by default and is limited to user sessions accessing server-hosted applications, server desktops and static (assigned)
desktops; it is not supported for random (pooled) desktops. Connection leasing can be turned on or off using the PowerShell
SDK or the Windows registry.
When the Delivery Controller enters into lease connection mode during a database connection failure:
ot
Studio, Director and the PowerShell console cannot be used.

Workspace control is not available, so users will not be automatically reconnected to disconnected sessions.
If new sessions are created just before the database becomes unavailable, users may not be able to access the resources in
those sessions if the Delivery Controllers did not have a chance to sync with the database.
Users roaming from an external to internal HDX connection may not be able to reconnect to a session established from a
different network.
Power managed, powered off static (assigned) desktops remain unavailable until the database connection is restored.
New sessions will not prelaunch and session lingering timeouts are not used.
Server-based connections are routed to the most recently used VDA, and all server-based load balancing is ignored.
Only VDAs that are 7.6 minimum version are supported.
fo
al
Discussion Question
es
rr
For more information about connection leasing, see http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xadconnection-leasing.html.
When might you consider adding an additional Controller to the environment?
or
st
di
Troubleshooting Studio
The following table identifies resolutions for issues related to Studio.
rib
Resolution
There is a delay when starting Studio.
Verify that there is an Internet connection prior to starting

Studio. If no connection is available, you must disable the
Authenticode signature checking feature as described in
http://support.citrix.com/article/CTX120115.
Studio sometimes shows completed tasks as "In progress."
This issue is cosmetic and can be ignored if you are certain

that the task has been completed. You should not restart
Studio if a long-running task is genuinely active because it
will cause the task to remain in an incomplete state.
io
ut
Issue
Adding Delegated Administrators

You cannot create an administrator account using Studio. Instead, you use Studio to assign administrative privileges to users
and groups created in Active Directory. You should only assign administrative privileges to those users and groups that
require them and you should avoid compromising Site security by providing excessive privileges. You can remove
administrative privileges for one administrator, but that administrator account may also be a member of a group that was
assigned those privileges. As a result, the account still has those privileges.
The default administrator is the account that was used to install the Controller and configure the Site. To avoid configuration
frustration, you should always use a domain account, rather than a local account to install the Controller and configure the
109
Site. This ensures that the same account can be used with each component in the XenApp and XenDesktop environment,
such as the license server, Provisioning Services, hosting environment, and SQL Server database. In addition, you should keep
the number of simultaneous administrators using Studio to a minimum to avoid overwriting each other's configuration
changes. The "last write wins" concept applies to changes to the database.
To Add a Delegated Administrator

1.

2.
Open Studio.
3.
4.
5.
Expand Configuration in the left pane and then click Administrators.

Click Create Administrator in the right pane.
Click Browse and then type the name of the user or group to be added in the Enter the object name to select field.
Click Browse and then type HelpDesk into the Enter the object name to select field.
Only one user or group can be added at a time.
ot
fo

Select a scope and then click Next.
rr
6.
7.
al
es
Select All for the scope and then click Next.
If you create a new scope, refresh the console so new administrators can create a new connection or resource
without encountering an error. If the console is not refreshed, the new connection/hosting scope will not be
available to new administrators.
Select the role and then click Next.
or
8.
9.
st
di
Select Help Desk Administrator and then click Next.
Verify that Enable Administrator is selected and then click Finish.
ut
rib
Discussion Question
io
The administrator account used to install the Controller and configure the Site has Full Administrator privileges. What
happens if you delete that account from Studio?
Setting Up a Second Controller

A second Controller is required for high availability of the XenApp and XenDesktop environment. Because the second
Controller is joining an existing Site, and is being added to the existing database, database configuration is minimal during
the installation. The second Controller can be installed at any time after the first Controller is configured. Once installed, any
instance of Studio can be used to manage multiple Controllers for a Site.
To Install a Second Controller

1.
Right-click the second Controller VM, click Start, and then click Console.
Right-click Controller-2, click Start, and then click Console.
110
2.
Log on to the second Controller using domain administrator credentials.

3.
4.
5.
6.
7.
8.
Click Start next to XenDesktop.

Click Delivery Controller.
9.
Specify the components to install and then click Next.
Deselect License Server and StoreFront and then click Next.
ot
fo
If you are deploying a Proof of Concept or small implementation that will not grow, you can install the
Controller, Studio, and Director on the same server.
rr
es
10. Specify whether or not to install Microsoft SQL Server 2012 Express or Windows Remote Assistance and then click Next.
al
Deselect Install Microsoft SQL Server 2012 Express, verify that Install Windows Remote Assistance is selected, and
then click Next.
or
Microsoft SQL Server 2012 Express does not need to be installed on the server because you already have a
mirrored instance of SQL Server 2012. The same database must be used for both the first Controller in the
environment and all subsequent Controllers in the environment. If Windows Remote Assistance was selected
for installation on the first Controller, it must be selected for all subsequent Controllers to ensure that it is
available to Director.
st
di
ut
rib
io
If the Controller will use the default ports for communications, select Automatically. If the Controller will use
alternate port assignments, select Manually to configure the ports after installation completes.
13. Wait for the installation to complete, deselect Launch Studio, and then click Finish.
14. Click Eject to the right of the DVD drive field to eject the media from the drive.
15. Click Tools at the top of the of the Server Manager window, select Internet Information Services (IIS) Manager to
begin the process of requesting and installing a certificate on the second Delivery Controller server.
16. Click the name of the Delivery Controller in the left pane.
Click C-2 in the left pane.
Click No.
111
19. Click Create Domain Certificate in the right pane.
a.
b.

Common name: c-2.training.lab
Country/region: US
Click Next.
ot
Click Select, select training-AD-CA, and then click OK.

fo
Type c-2.training.lab and then click Finish.
rr
Double-click Sites > Default Web Site in the left pane.

Click Bindings in the right pane.
Click Add and then select https in the Type field.
Select the newly created certificate in the SSL certificate field, click OK, and then click Close.
al
es
23.
24.
25.
26.
Select c-2.training.lab in the SSL certificate field, click OK, and then click Close.
or
st
di
Joining a Controller to a Site
io
ut
rib
By default, the configuration phase of a Controller takes place immediately after the installation of the Controller. In some
instances, you may want to move a Controller from one Site to another, such as from a test Site to a production Site. In this
case, you only need to rerun the Configuration utility (this task), not reinstall the Controller. When you run the
Configuration utility you have the opportunity to create a new Site (new database), or join an existing Site (existing database).
As a best practice, you should locate each Controller VM on a different physical hypervisor hosts for high
availability purposes.
To Join a Controller to an Existing Site

This procedure assumes that you installed Studio on each Controller in the environment.
1.
Log on to the second Controller with domain administrator credentials.

2.
3.
112
Click Start, type Studio, and then click Citrix Studio.

Click Connect this Delivery Controller to an existing Site.
4.
Type the FQDN of the first Controller and then click OK.
Type c-1.training.lab and then click OK.
5.
6.
7.
Click Yes when prompted to update the database automatically.

Select Controllers from the Configuration node in the left pane of Studio.
Verify that both Controllers are listed.
Verify that C-1.training.lab and C-2.training.lab are listed.
You can shut down the Controller-2 and SQLServer-2 VMs to free up lab resources.
Discussion Question
You added multiple Controllers to your implementation, but discover that you do not need all of them. You decide to use the
Remove Controller option in Studio to remove the extra Controllers. What impact will this have on the remaining
implementation and on the removed Controllers?
ot
Setting Up the Citrix Universal Print Server
fo
The Citrix Universal Print Server extends XenApp and XenDesktop universal printing support to network printing. The Citrix
Universal Print Server eliminates the need to install numerous non-native printer drivers on the virtual desktops and on the
servers that host desktops and applications.
rr
es
The Universal Print Server includes a client component and a server component:
al
The client component (Universal Print Client) is installed on the resources hosting desktops and applications and on the
objects located in a Machine Catalog that provide network printers that use the Universal Printer Driver. The client
component is installed during the installation of the Virtual Delivery Agent on the resource.
The server component (Universal Print Server) is installed on each Windows print server that provisions session network
printers and uses the Universal Printer Driver for the session printers (regardless of whether or not the session printers
are centrally provisioned).
or
Install the Universal Print Client software.

Install the Universal Print Server software.
Configure a policy to enable the use of the Universal Print Server. The policy can be a local policy or a group policy.
io
ut
rib
1.
2.
3.
st
di
To configure the Universal Print Server:
113
After the Universal Print Server components are installed and policy settings are configured, an end user can add and
enumerate network printers through the Windows Print Provider and Citrix Print Provider interfaces. The Citrix Print
Provider does not support client-side rendering.
Installing the Universal Print Server

The Universal Print Server must be installed on the print servers in the environment. During the installation of the Universal
Print Server, the Print and Document Services role is installed on the server as are runtime libraries and client-side
extensions. The client-side extensions are required to retrieve and configure Universal Print Server policy settings. You should
not attempt to install the Universal Print Server on a server on which XenApp and XenDesktop components are installed
because the components are already installed.
To Install the Universal Print Server

1.
Start the Citrix Universal Print Server VM.

Right-click UniversalPrintServer-1 in XenCenter, click Start, and then click Console.
2.
Log on to the Citrix Universal Print Server VM using domain administrator credentials.
Log on to UniversalPrintServer-1 using the TRAINING\Administrator and Password1 credentials.
ot
3.
es
rr
4.
5.
fo
al
st
di

Click Universal Print Server.
or
6.
7.
8.
Determine where the Citrix Universal Print Server will be installed and then click Next.
io
10. Click Install and then wait for the installation to complete.
11. Click Finish.
ut
Click Next to accept the default location.
rib
9.
Discussion Question
What is the maximum number of concurrent print streams allowed when using the Universal Print Server?
Configuring the Universal Print Server

The Universal Print Server provides simplified print management to allow network printing from any device by provisioning
network session printers. If you want to change the values for the Universal Print Server policy settings specified below, you
can add them to a policy. If the settings are not included in a policy, the default settings will be used.
114
Universal Print Server enable (default=disabled) (Computer Configuration)

Universal Print Server data stream (CGP) port (default=Port 7229) (Computer Configuration)
Universal Print Server web service (HTTP/SOAP) port (default=SOAP port 8080) (Computer Configuration)
Universal Print Server print stream bandwidth limit (default=0 kilobits per second which means unlimited bandwidth)
(User Configuration)
You must include the Universal Print Server enable setting in a policy to enable the use of the Universal Print
Server.
To Configure the Universal Print Server

1.
Log on to a VM that is hosting Studio with domain administrator credentials.

In our lab environment, Studio is hosted on the Controller VMs. You will not be using Studio during this
procedure, but you must use a VM with Studio installed on it or install the Citrix HDX policy extensions on a
system in order to access the Citrix HDX policies provided by XenApp and XenDesktop. The Citrix HDX
policy extensions can be installed from the x64Citrix Policy folder on the XenApp and XenDesktop media or
downloaded from the www.citrix.comdownloads site.
Click the Server Manager icon in the taskbar and then click Add roles and features.
Click Server Selection and then click Features.
Select Group Policy Management.
ot
fo
2.
3.
4.
Click Next on the Select features screen.

Click Install.
Wait for the installation to complete and then click Close.
Click Tools in Server Manager and then click Group Policy Management.
al
or
5.
6.
7.
8.
es
rr
By default, the Group Policy Management feature is only installed on a domain controller. You can install the
feature on any server. The Group Policy Management feature gives you the ability to create and manage
GPOs.
Browse to the OU that contains the virtual desktops.
rib
9.
st
di
The Group Policy Management Console may be behind the Server Manager window.
ut
Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops.
io
You can determine which OU contains the virtual desktops using Active Directory Users and Computers on
the domain controller.
10. Right-click the OU containing your virtual desktops and then click Create a GPO in this domain, and Link it here.
Right click the Training Virtual Desktops OU and then click Create a GPO in this domain, and Link it here.
11. Type a descriptive name in the Name field and then click OK.
Type Enable and configure Universal Print Server Service and then click OK.
12. Right-click the newly created GPO and then click Edit.
Right-click Enable and configure Universal Print Server Service and then click Edit.
13.
14.
15.
16.
Double-click Computer Configuration > Policies > Citrix Policies.

Click Edit and then click the Settings tab to add settings to the unfiltered policy.
Select Printing in the Categories field.
Click Add to the right of the Universal Print Server enable setting.
115
17. Select Enabled with fallback to Windows' native remote printing in the Value field and then click OK.
The Universal Print Server is disabled by default. When you enable Universal Print Server, you choose
whether to use the Windows Print Provider if the Universal Print Server is unavailable. After you enable the
Universal Print Server, a user can add and enumerate network printers through the Windows Print Provider
and Citrix Print Provider interfaces.
18. Click OK in the Edit Policy window.
19. Close the Group Policy Management Editor and Group Policy Management windows.
Discussion Question
To which OU must the Universal Print Server policy be applied?
Creating Printers
You can use the Print Management utility to automatically discover and create printers that are on the same subnet as the
Universal Print Server. Once the printers are discovered, you can configure the printers by installing the printer drivers,
setting up the print queues and sharing the printers.
ot
Printers are already created in the lab environment, but will not work because there are no printer devices in the
environment. You can verify which printers exist in the lab environment using the following steps:
1. Log on to UniversalPrintServer-1 using the TRAININGAdministrator and Password1 credentials.
2. Click Tools > Print Management in the Server Manager.
3. Select Printers in the left pane and then verify that the following network printers exist:
Accounting (HP Color LaserJet Enterprise cm4549 MFP PCL6 Class Driver)
Color Laser Printer (HP Color LaserJet 1600 Class Driver)
Human Resources (HP Color LaserJet CP4005 PCL6 Class Driver)
4. Close the Print Management window.
fo
al
es
rr
or
st
di
To Create Printers
Log on to the Citrix Universal Print Server using domain administrator credentials.
Click Tools in the Server Manager window and then click Print Management.
Expand Print Servers, right-click the Universal Print Server, and then click Add Printer.
Select the printer installation method and then click Next.
Click Next on the Printer Driver page.
Select a printer manufacturer in the left column, a printer in the right column, and then click Next.
Type a name for the printer in the Printer Name and Share Name fields and then click Next.
Click Next in the Printer Found page.
Click Finish.
io
ut
1.
2.
3.
4.
5.
6.
7.
8.
9.
rib
The following steps are provided for informational purposes only and are not to be performed in the lab
environment.
Discussion Question
You want to automatically add the network printers through discovery, but the Print Management utility is not available.
What must you do to add printers?
116
Setting Up StoreFront
StoreFront is the replacement for Web Interface. StoreFront authenticates end users to Sites hosting resources (desktops and
applications) that end users access. When an end user's credentials have been validated, the authentication service handles all
subsequent interactions to ensure that the end user only needs to log on once.
StoreFront uses centralized enterprise stores to deliver desktops, applications, and other resources to end users on any
endpoint. End users access stores through Citrix Receiver. If Citrix Receiver is not installed on the endpoint, end users can
download Citrix Receiver using the Receiver for Web site. By default, the Receiver for Web site attempts to determine
whether Citrix Receiver is installed on Windows and MAC OS X systems. If a suitable client cannot be detected, end users are
prompted to download and install Citrix Receiver.
StoreFront records details of end users' application subscriptions, plus associated shortcut names and locations in a local
configuration data file on the StoreFront server. When an end user accesses a store, the application synchronization feature
automatically updates the subscribed applications to match the configuration stored in the StoreFront local configuration data
file to ensure that end users have a consistent experience across all their endpoints. When multiple StoreFront servers are
configured, the local configuration data file on each StoreFront server is automatically synchronized to contain the same
information and does not require any administration.
When planning your StoreFront deployment, Citrix recommends the following considerations:
ot
Host StoreFront on a dedicated instance of IIS. Installing other web applications on the same IIS instance as StoreFront
could have security implications for the overall StoreFront infrastructure.
Use HTTPS to secure communication between the StoreFront and end user devices.
StoreFront servers must reside within the same Microsoft Active Directory forest as the XenApp and XenDesktop Servers
hosting end user resources. All the StoreFront servers in a group must reside within the same domain. To enable smart
card and user certificate authentication, end user accounts must be configured within the Active Directory forest
containing the StoreFront Servers.
Implement multiple StoreFront servers to ensure high availability if the primary server hosting StoreFront fails.
Configure the external load balancer, (such as Citrix NetScaler) to fail over between the servers to ensure end users have
uninterrupted access to their applications and desktops.
fo
Discussion Question
st
di
Installing Citrix StoreFront
or
How do you create a Receiver for Web site?
al
es
rr
io
ut
rib
StoreFront is typically installed on an IIS server and can be installed using the XenApp and XenDesktop installation media.
StoreFront and its prerequisites can also be installed from a command line. StoreFront should be installed after a Site is
configured but before end users are given access to the environment. StoreFront can be located in the DMZ or the internal
network if NetScaler Gateway (formerly known as Access Gateway) is installed between the end user and the StoreFront.
To Install StoreFront
1.
Right-click the Citrix StoreFront VM, click Start, and then click Console.
Right-click StoreFrontServer-1, click Start, and then click Console.
2.
Log on to Citrix StoreFront using domain administrator credentials.

Log on to StoreFrontServer-1 using the TRAINING\Administrator and Password1 credentials.
3.
4.
5.
117
6.
7.
8.

Click Citrix StoreFront.
9.
Determine where StoreFront will be installed and then click Next.

10. Select the firewall rule configuration method to use and then click Next.
If the StoreFront will use the default ports for communications, select Automatically. If the StoreFront will use
ot
fo
rr
es
12. Wait for the installation to complete.

13. Deselect Open the StoreFront Management Console and then click Finish.
al
If you decide to open the StoreFront Management Console, and you receive an Add Snap-in error, click
Cancel in the End Snap-in message and the console will open. Do not click End Now because it will close the
console.
or
rib
Discussion Question
st
di
Requesting and Installing a Certificate on StoreFront
io
ut
Do the StoreFront servers need to be a member of the same domain as the Controllers?
You should use HTTPS between the end user device and the StoreFront. This is accomplished using a certificate. The
certificate should be installed on the StoreFront server before any end users are given access to the environment. Server
certificates are used for machine identification and transport security in StoreFront. If you decide to enable ICA file signing,
StoreFront can also use certificates to digitally sign ICA files.
Authentication services and stores each require certificates for token management. StoreFront generates a self-signed
certificate when an authentication service or store is created. Self-signed certificates generated by StoreFront should not be
used for any other purpose.
To Create and Install a Certificate on StoreFront

1.
Log on to the StoreFront server using domain administrator credentials.

Log on to StoreFrontServer-1 using the TRAINING\Administrator and Password1 credentials, if not already logged
on.
2.
118
Click Tools in the Server Manager window and then click Internet Information Services (IIS) Manager.
3.
Click the name of the StoreFront server in the left pane.

Click SFS-1 in the left pane.
4.
Respond to the Internet Information Services (IIS) Manager message.

Click No.
5.
6.
7.
Double-click Server Certificates in the center pane under the IIS heading.
Click Create Domain Certificate in the right pane.
Specify the appropriate distinguished name properties and then click Next.
a.
ot
b.

Common name: sfs-1.training.lab
Country/region: US
Click Next.
fo
rr
8.
Click Select, select your Certificate Authority, and then click OK.
Type a friendly name for the certificate and then click Finish.
al
9.
es
Click Select, select Training-AD-CA, and then click OK.
Type sfs-1.training.lab and then click Finish.
Double-click Sites >Default Web Site in IIS Manager.

Select the newly created certificate from the SSL certificate field, click OK, and then click Close.
or
st
di
10.
11.
12.
13.
Discussion Question
io
ut
rib
Select sfs-1.training.lab in the SSL certificate field, click OK, and then click Close.
XenApp and XenDesktop 7.6 does not support the use of SSL Relay to secure communications between StoreFront servers
and the Controllers. What other option is available to secure those communications?
Configuring a Store
StoreFront requires that you create a store to provide resources to end users. You can create as many stores as you need. For
example, you can create one store for Engineering and another store for Sales. StoreFront automatically establishes a trust
relationship between each configured store and the authentication service. Each store that is configured requires its own local
configuration data file on the StoreFront server. When multiple StoreFront servers are configured for a store, each local
configuration data file is replicated among all StoreFront servers.
When a store is configured, a URL is assigned to it. End users can access the resources in the store using the Receiver for
Web site or by using a Receiver that is installed on the endpoint (not a browser).
119
To Configure a Store
1.
Log on to the StoreFront server using domain administrator credentials.

Log on to the StoreFrontServer-1 VM using the TRAINING\Administrator and Password1 credentials, if not already
logged on.
2.
3.
4.
Click Start, type StoreFront, and then click Citrix StoreFront to access the StoreFront console.
Click Create a new deployment.
Verify that the URL for the StoreFront server is correct for your deployment and then click Next.
Verify that https://sfs-1.training.lab appears in the Base URL field and then click Next.
It may take a few minutes for the deployment to be created.
5.
Specify a name for the store and then click Next.

Type Store-1 in the Store name field and then click Next.
Add the XenDesktop, XenApp, and XenMobile 9.0 Enterprise (AppController) deployments that will provide the
resources that you want to make available in the store and then click Next.
Configure the remote access and then click Create.
or
Verify that None is selected and then click Create.
al
es
rr
7.
Click Add and then type XenApp and XenDesktop in the Display name field.
Verify that XenApp 7.5 (or later), or XenDesktop is selected.
Click Add, type c-1.training.lab and then click OK.
Click Add, type c-2.training.lab, and then click OK.
Verify that HTTPS is selected as the Transport type.
Click OK and then click Next.
fo
a.
b.
c.
d.
e.
f.
ot
6.
st
di
You have not yet set up the NetScaler component, so at this stage you are not setting up remote access. You
will configure remote access in Module 9. Based on the components that are selected for configuration in the
lab environment and the number of VMs running, you can expect the configuration to take approximately 10
minutes.
rib
Click Finish.
Click Stores in the left pane of the StoreFront console and then verify that the store was successfully created.
io
Click Stores and then verify that Store-1 appears in the center pane.
ut
8.
9.
Creating a Store for Anonymous User Access

Delivery Groups can be configured for use with both authenticated and unauthenticated (Anonymous) users. To support both
types of users accessing sessions using XenApp or XenDesktop, you must create separate stores for the authenticated users
and the unauthenticated users in StoreFront.
Stores created for unauthenticated users do not support remote access through NetScaler Gateway.
To Create a Store for Anonymous User Access

1.
Log on to the primary StoreFront server using domain administrator credentials.

Log on to the StoreFrontServer-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
120
2.
3.
Click Start, type StoreFront, and then click StoreFront.

Click Yes on the User Account Control window, if it appears.
Click Cancel if the End Snap-in window appears.
4.
5.
6.
Select the Stores node and then click Create Store for Unauthenticated Users.
Click Next in the Information screen.
Specify the store name and the click Next.
Type Anonymous Store and then click Next.
7.
8.
Click Add on the Delivery Controllers page.

Type the name of the Delivery Controller.
Type Delivery Controller as the display name.
9. Select XenApp 7.5 (or later), or XenDesktop.

10. Click Add.
11. Type the server name or IP address of a Delivery Controller in the environment.
Type c-1.training.lab.
ot
12. Click OK and then click Add.

13. Type the server name or IP address of another Delivery Controller in the environment.
fo
Type c-2.training.lab.
es
rr
14. Click OK.

15. Select the types of connections from the Transport type list that StoreFront will use to communicate with the Delivery
Controllers.
al
Verify HTTPS is selected to use an secure connection.
16. Specify the port for StoreFront to use for connections to the XenApp or XenDesktop site.
or
Verify that 443 is specified in the Port field.
st
di
17. Click OK.

18. Click Create. It may take several minutes to create the store.
19. Click Finish.
rib
ut
Discussion Question
io
The Citrix Broker Service runs on each Controller in the environment. You should secure data sent over the connection using
HTTPS or make other arrangements to secure connections to the store. To secure Citrix Broker Service on the Controllers,
what must be configured?
Setting Up a Second StoreFront Server

For high availability, you should install more than one StoreFront server in an environment. Multiple StoreFront servers are
members of a single server group. A server group is the management container located and configured in the StoreFront
console. An authorization code is required from the authorizing server in order to add additional StoreFront servers to
existing StoreFront deployments. The authorizing server is the first StoreFront server configured for the Site. The
authorization code can be obtained from the StoreFront console on the first StoreFront server.
To Install a Second StoreFront Server

1.
Right-click the second StoreFront VM, click Start, and then click Console.
Right-click StoreFrontServer-2, click Start, and then click Console.
121
2.
Log on to the second StoreFront server using domain administrator credentials.

Log on to StoreFrontServer-2 using the TRAINING\Administrator and Password1 credentials.
3.
4.
5.
6.
7.
8.

Click Citrix StoreFront.
9.
Determine where StoreFront will be installed and then click Next.
ot
10. Select the firewall rule configuration method to use and then click Next.
fo
rr
al
es
If the StoreFront will use the default ports for communications, select Automatically. If the StoreFront will use
or
st
di
Wait for the installation to complete.

Deselect Open the StoreFront Management Console and then click Finish.
Click Eject to the right of the DVD drive field to eject the media from the drive.
Click Tools at the top of the of the Server Manager window, and then click Internet Information Services (IIS)
Manager to begin the process of requesting and installing a certificate on the second StoreFront server.
16. Click the name of the StoreFront server in the left pane.
Click SFS-2 in the left pane.
io
ut
rib
12.
13.
14.
15.

Click No.
19. Click Create Domain Certificate in the right pane.
122
a.
b.

Common name: sfs-2.training.lab
Country/region: US
Click Next.
The Common name must match the FQDN that will be used to access the site.
Click Select, select training-DC-1-CA, and then click OK.
ot
Type sfs-2.training.lab and then click Finish.

Double-click Sites > Default Web Site.
Select the newly created certificate from the SSL certificate field, click OK, and then click Close.
fo
es
rr
23.
24.
25.
26.
al
Select sfs-2.training.lab in the SSL certificate field, click OK, and then click Close.

28. Log on to the first Citrix StoreFront VM using domain administrator credentials.
or
Switch to the StoreFrontServer-1 and log on using the TRAINING\Administrator and Password1 credentials, if not
already logged on.
st
di
rib
29. Click Start, type StoreFront, and then click Citrix StoreFront to access the StoreFront console.
30. Right-click Server Group in the left pane and then click Add Server.
31. Record the authorizing server and authorization code.
io
ut
This code will be typed into the StoreFront console on the second Citrix StoreFront server to join it to the
server group. To assist in entering the code, you can launch notepad from server desktop the lab XenCenter is
running on; copy and paste the code into notepad; copy and paste into the field for StoreFrontServer-2.
32. Leave the Add Server screen containing the authorizing server and authorization code open until the second server has
successfully joined the server group.
This window will automatically close when the server joins and the propagation of the configuration data is
completed.
33. Return to the second Citrix StoreFront VM.
Switch to the StoreFrontServer-2 VM.
34. Click Start, type StoreFront, and then click Citrix StoreFront to access the StoreFront console.
35. Click Join existing server group in the Welcome to StoreFront screen.
36. Type the authorizing server and authorization code noted earlier into the appropriate fields in the Join Server Group
window and then click Join.
Type SFS-1 in the Authorizing server field, type the code you wrote down into the Authorization code field, and then
click Join.
123
37. Wait for the "Join Server Group" task to complete.

Based on the number of VMs actively running, you can expect the join task to take approximately 10 minutes.
38. Click OK in the "Joined Successfully" message on the second Citrix StoreFront server.
39. Return to the first Citrix StoreFront server.
Switch to the StoreFrontServer-1 VM.
40. Click OK in the message.
Discussion Question
When you add additional StoreFront servers to a deployment, where should you manage those additional servers?
Setting Up Receiver
Citrix Receiver provides:
fo
Simple, self-service access to virtual desktops, hosted applications, and IT services.

High-definition user experience (HDX) on any network or device.
Instant updates to end users with IT control and visibility.
Easier management of enterprise data, applications, desktops, and SaaS applications through secure, centralized
deployment to any endpoint.
al
es
rr
ot
Citrix Receiver is a universal software client that provides secure, high-performance delivery of virtual desktops and hosted
applications.
In order for users to make use of the HDX (ICA) features at the endpoint, a Receiver must be installed. If Receiver is not
installed, then the HTML 5 proxy can be used and the HDX features will be between the StoreFront and the desktop or
hosted application only. HDX features are enabled in policies. HTML 5 must be enabled in StoreFront for the Receiver for
Web Site in order to use it.
io
6.
ut
3.
4.
5.
When end users connect from inside your network or a remote location and install Receiver, they provide their email
address or the StoreFront URL.
Receiver then queries the appropriate DNS server, which responds with the StoreFront or NetScaler URL. The URL
depends on whether end users connect from the internal network or a remote location.
Users then log on to Receiver with their user name, password, and domain.
If end users connect from a remote location, NetScaler provides the StoreFront URL to Receiver.
Receiver gets the account information from StoreFront. If end users connect through NetScaler, the appliance performs
single sign-on to StoreFront. If more than one account is available, end users receive a list of accounts from which to
choose.
When end users log on to an account, a list of resources appear in Receiver. End users can then select resources to add to
their Receiver or open a resource that was already added to their Receiver.
rib
2.
st
di
1.
or
The process for end-user connections is:
To enable email-based account discovery for internal end users connecting directly to StoreFront, you must install
a valid server certificate on the StoreFront server. The full chain to the root certificate must also be valid.
Configuring DNS for Email-Based Account Discovery

You can configure email-based account discovery to enable internal end users who install Citrix Receiver on an endpoint to
set up their accounts by providing their email addresses. During the initial configuration process, Citrix Receiver prompts end
users to enter either an email address or a server URL. When an internal end user enters an email address, Citrix Receiver
contacts the DNS server for the domain specified in the email address to obtain a list of available stores from which the end
user can select.
124
To enable Citrix Receiver to locate available stores on the basis of end users' email addresses, you must configure Service
Location (SRV) locator resource records for StoreFront on your DNS server. As a fallback, you can also deploy StoreFront on
a server named "discoverReceiver.domain," where domain is the domain containing your end users' email accounts. If no SRV
record is found in the specified domain, Citrix Receiver searches for a machine named "discoverReceiver" to identify a
StoreFront server.
To Configure a Service Location Locator Record for Email-based Account

Discovery
1.

At this time, email-based account discovery cannot be used by remote end users.
2.
3.
Click Tools in Server Manager and then click DNS.

Browse to your domain in the Forward Lookup Zones in the left pane of DNS Manager.
Double-click DC-1 > Forward Lookup Zones and then click training.lab.
ot
4.
Right-click the forward lookup zone for your domain and then click Other New Records.
fo
Right-click training.lab and then click Other New Records.
rr
Select Service Location (SRV) and then click Create Record in the Resource Record Type screen.
Type _citrixreceiver in the Service field.
Type _tcp in the Protocol field.
Type the port number used by StoreFront in the Port number field.
Specify the fully qualified domain name (FQDN) of the StoreFront server (to support end users in the local network
only).
or
9.
Type 443 in the Port number field.
al
es
5.
6.
7.
8.
st
di
Type sfs-1.training.lab in the Host offering this service field.
ut
rib
You are specifying the FQDN of the first StoreFront server.
io
10. Click OK.
The StoreFront FQDN must be unique and different from the NetScaler virtual server FQDN. Using the same
FQDN for StoreFront and the NetScaler virtual server is not supported. Citrix Receiver requires that the
StoreFront FQDN is a unique address that is only resolvable from endpoints connected to the internal
network. If this is not the case, Receiver for Windows users cannot use email-based account discovery.
11.
12.
13.
14.
Select Service Location (SRV) and then click Create Record in the Resource Record Type dialog box.
Type _citrixreceiver in the Service field.
Type _tcp in the Protocol field.
Type the port number used by StoreFront in the Port number field.
Type 443 in the Port number field.
15. Specify the fully qualified domain name (FQDN) of the StoreFront server (to support end users in the local network
only).
Type sfs-2.training.lab in the Host offering this service field.
16. Click OK.
17. Click Done.
125
18. Close the DNS Manager window.
Installing and Configuring Receiver

End users who want to access XenApp and XenDesktop resources can use Citrix Receiver to access those resources. During
the installation of the VDA on a desktop machine, you have the option to install Receiver. End users that will not be using a
desktop machine can install Citrix Receiver on their endpoints to access resources such as hosted applications.
Citrix Receiver for Windows can be installed in the following ways:
By an end user downloading the CitrixReceiver.exe package from Citrix.com or your download site and then running the
package. During the installation, the end user can set up an account using an email address, a server URL, or by
downloading a provisioning file.
From Receiver for Web site. During the installation, the end user can set up an account using an email address, a server
URL, or by downloading a provisioning file using the Activate option.
This installation method does not provide automatic updates.
Using an Electronic Software Distribution (ESD) tool. During the installation, the user can set up an account using an
email address, a server URL, or by downloading a provisioning file using the Activate option.
ot
fo
When an email address is specified, Receiver contacts the StoreFront server associated with the email address and then
prompts the end user to log on and continue the installation. When a server URL is specified, Receiver is configured to point
to that server and then prompts the end user to log on and continue the installation. Once the end user provides their
credentials in Receiver, Receiver is configured for use by that end user on the endpoint. If additional end users log on to the
endpoint, they will need to configure Receiver for their use. This can be done using the Receiver for Web site.
es
rr
al
To Install and Configure Receiver
The following procedure is being performed on an internal endpoint to demonstrate email-based account discovery. Emailbased account discovery cannot be performed from an external endpoint at this time.
or
1.
Right-click the internal endpoint, click Start, and then click Console.
2.
Log on to the internal endpoint using domain user credentials.
st
di
Right-click Endpoint-Internal in XenCenter, click Start, and then click Console.
rib
Log on to EndPoint-Internal using the TRAINING\HRUser1 and Password1 credentials.
3.
Insert the XenApp and XenDesktop installation media in the DVD drive.
io
ut
You do not need administrator credentials to install Citrix Receiver unless Receiver will be configured to use
pass-through authentication. In addition, each end user that logs on to an endpoint must configure Receiver in
order to use it.

4.
5.
6.
7.
8.
9.
10.
Right-click the CD Drive (D:) and then click Open.
Double-click Citrix Receiver and Plug-ins > Windows > Receiver.
Double-click CitrixReceiver.
Click Install on the Welcome screen.
Click Add Account in the Installed successfully screen to configure Receiver using an email address.
Type the end user's email address or the URL of the StoreFront server in the Enter your work email or server address
field and then click Next.
Type hruser1@training.lab and then click Next.
11. Click Continue in the Add Account message.
126
12. Determine if you want Receiver to optimize your access.

Click Yes.
13. Click Finish.
Click Eject to the right of DVD Drive 1 field.
15. Log on to Receiver using the end user's account credentials.
Log on to Receiver using the TRAINING\HRUser1 and Password1 credentials.
16. Click the + sign in the left portion of the Receiver window to view the applications that are available in the store.
No applications aside from GoToMeeting, GoToTraining, and GoToWebinar will be available. You will add
applications to the store in the next module.
17. Click the down arrow to the right of the user name at the top of the Receiver window and then click Log Off.
18. Close the Receiver window.
ot
Click the X in the corner of the Receiver window to close it.

You can also shut down the EndPoint-Internal VM to save lab resources.
fo
es
rr
Discussion Question
al
Can you make a connection from an endpoint to a XenApp and XenDesktop resource without a Receiver installed on the
endpoint?
or
Troubleshooting Receiver
st
di
The following table identifies resolutions for Citrix Receiver issues.
Resolution
rib
Issue
Open a PowerShell command prompt and run the following

command on the Delivery Controller servers: Set-BrokerSite TrustRequestsSentToTheXmlServicePort $True
Receiver for HTML5 is not available to end users.
io
ut
Receiver for Windows end users cannot log on to stores

using pass-through authentication, even though the domain
pass-through authentication method is enabled in the
StoreFront authentication service.
Enable Receiver for HTML5 in StoreFront and propagate

the settings to all StoreFront servers in the environment.
Ensure that a supported browser is being used.
Supported browsers include Internet Explorer version 10,
Safari version 6, Chrome version 23, and Firefox version
17.)
Reinforcement Exercise: Using the Receiver for Web Site

127
Install
Install
Install
Install
Install
and
and
and
and
and
configure
configure
configure
configure
configure
the Citrix License Server.

Citrix Delivery Controller, Citrix Studio, and Citrix Director.
the Citrix Universal Print Server.
Citrix StoreFront.
Citrix Receiver.
You are ready to try your hand at using the Citrix Receiver for Web Site to install Citrix Receiver.
You just finished setting up your Citrix infrastructure components in the Training environment. When you configured the
store in StoreFront, it automatically created a Receiver for Web site. You want to test its ease of use and use it to install Citrix
Receiver on another Windows 8.1 system in your environment to determine if it is a better option than using the XenApp
and XenDesktop installation media.
1.
Log on to the domain controller and use Active Directory Users and Computers to identify an Administrator account
and a non-administrator account that you can use for this exercise.
ot
All user accounts use Password1.
Log on to the StoreFront-1 server using an administrator account.

Open the StoreFront console to discover the URL for the Receiver for web site.
Log on to the StudentManagementConsole-1 VM with an administrator account.
Use Internet Explorer to access the Receiver for Web site.
Install Citrix Receiver from the Receiver for Web site.
Configure Citrix Receiver using the server address (FQDN) of the StoreFront server for the selected user account. Do
not use an email address.
fo
al
es
rr
2.
3.
4.
5.
6.
7.
or
If you receive an SSL error within Firefox, this can be safely ignored.
st
di
n
io
ut
rib
128
Module 5
Setting Up XenDesktop
Resources
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
130
Setting Up XenApp and XenDesktop Resources

Overview
XenApp and XenDesktop provide desktops and hosted applications to endpoints in a secure and reliable fashion. To do this,
the XenApp and XenDesktop resources need to be configured appropriately and tested. High availability also needs to be
addressed at the resource level. Good planning minimizes risks associated with a single point of failure and improperly scaled
environments.
Configure a master image for Server OS machines and hosted applications.

Configure a master image for Desktop OS machines and hosted applications.
Create a machine catalog for hosted applications installed on Server OS machines.
Create a machine catalog for Desktop OS machines.
Create a Delivery Group to deliver hosted applications.
Create a Delivery Group to deliver desktops.
ot
All of these resources will be configured using Machine Creation Services. For information about using
Provisioning Services, see Module 7. For information on managing Machine Catalogs and Delivery Groups, attend
the CXD-203 Managing App and Desktop Solutions with Citrix XenApp and XenDesktop 7.6 course.
Controller-1 = On
FileServer-1 = On
SQLServer-1 = On
StoreFrontServer-1 = On
StudentManagementConsole-1 = On
UniversalPrintServer-1 = On
All other VMs = Off
al
es
or
st
di
io
ut
rib
Resources
rr
At
fo
XenApp and XenDesktop provide a variety of virtualization models that can be used to provide the end-user with access to
virtual desktops and hosted applications. XenApp and XenDesktop virtualization models include:
Server OS machines and hosted applications are provided via Remote Desktop Services (formerly Terminal Services) on
a Windows Server operating system. Remote Desktop Services allows multiple user sessions to be hosted on a single
system.
Desktop OS machines and hosted applications are provided on virtual machines running a workstation operating
system.
Remote PC Access provides direct access to any physical PC located in the environment. Installing the Virtual Delivery
Agent on the office PC enables it to register with the Delivery Controller. In addition, it manages the HDX (ICA)
connection between the machine and endpoints. The Citrix Receiver running on the endpoint provides access to all of the
applications and data on the office PC. An end user can be provided access to more than one physical PC or a
combination of physical PCs and virtual desktops.
Module 5: Setting Up XenDesktop Resources
131
ot
This graphic shows that the information from Active Directory is used to create the Delivery Groups, which are
then used to determine which end users will be allowed to use the machines. The Master Images (VMs) contain
the resources (desktops and hosted applications) that will be delivered to end users. These VMs are used by MCS
or PVS to create the machines in a machine catalog. The machine catalog is then used by the Delivery Group to
provide resources to end users.
fo
es
rr
Discussion Question
al
You want to provide four applications to over 50 end users, but you do not want to provide those end users with a desktop.
In addition, you want to run and deliver the applications from only two systems. Which XenApp and XenDesktop
virtualization model should you implement to meet these requirements?
or
Preparing the Master Image Virtual Machine
st
di
Optimize the hard drive.

Delete end-user specific information.
Update the operating system and applications installed on the master image to the current standard.
Install all required drivers.
Install the appropriate XenApp and XenDesktop tools (such as Virtual Delivery Agent, HDX 3D Pro Virtual Desktop
Agent, P2V, or V2V).
io
ut
rib
XenApp and XenDesktop uses a master image (in VHD format) to create the machines that will be delivered to end users.
The master image virtual machine contains the operating system and applications (resources) that will be delivered to end
users. The master image can be prepared from a physical or virtual machine. To prepare the master image, you should:
You should only install the HDX 3D Pro Virtual Desktop Agent if the master image has a desktop OS
installed on it and the image will have access to a Graphical Processing Unit (GPU). You should install the
P2V (Physical to Virtual) tool if you are converting a physical machine to a virtual machine image. You
should install the V2V (Virtual to Virtual) tool if you are converting a Xen-based virtual machine to a Citrix
XenServer virtual machine.
132
Install core applications that are appropriate for general distribution and that the majority of users of the machines
created from the image will need. Examples include anti-virus and alternate browsers.
Install the Citrix Receiver and plug-ins that are needed such as the Microsoft App-V plug-in if applications will be
streamed to the VDA on the machine.
Creating the Master Image

You should keep the number of master images in the environment to a minimum to reduce administrative overhead. If the
requirements of the end users are different, it may warrant creating separate master images. Application requirements are not
enough of a reason to create a separate master image. Application requirements can be met using hosted applications.
Installing Locales and Language Packs is not the best method for the localization of your master image. It is best
to create a separate master image for each language group. That way, the operating system, applications, and data
match the selected language group.
The operating system in the master image is used to provide:
A Windows Server environment for Server OS machines, hosted applications, or Server OS machines with hosted
applications. Applications can be tested using AppDNA to determine compatibility with the operating system and the
multi-user nature of the master image.
A Windows Desktop environment to provide Desktop OS machines, hosted applications, or Desktop OS machines with
hosted applications.
ot
Make sure that you configure the amount of hard disk space in the master image to allow sufficient room for the
operating system, applications, and updates. The amount of hard disk space allocated is difficult to change later.
Remember that the amount of write cache space needed is equal to the amount of empty space on the master
image. Specifying a large empty disk space can cause problems with your storage. For example, in Provisioning
Services, if a master image has 100 GB of free space, and you deploy it to 1000 end users, you will need 1000
multiplied by the free space just for the write cache. Machine Creation Services has a differencing disk and an
identity disk for each end user and also scales using the same formula.
fo
es
rr
Discussion Question
al
You created a master image and used it to create a machine catalog consisting of 100 machines. One of your co-workers
deleted the master image from the hypervisor. What will be the effect of this deletion on the XenApp and XenDesktop
environment?
or
Setting Up a Server OS Master Image
st
di
Some of your master images will be based on a Windows Server operating system. These images will be used to deliver Server
OS machines and server-based hosted applications. A master image must exist before a machine catalog can be created.
ut
1.
rib
To Set Up a Server OS Master Image
io
Log on to the domain controller using domain administrator credentials to create a computer account for the new master
image.
Log on to DomainController-1 with the TRAINING\Administrator and Password1 credentials.

2.
3.
Click Tools in the Server Manager and then click Active Directory Users and Computers.
Expand the domain and OU that will contain the Windows Server OS VM.
Browse to training.lab > Training Virtual Desktops > Servers.
4.
Right-click the OU and then click New > Computer.

Right-click the Servers OU and then click New > Computer.
5.
Type a name for the computer in the Computer name field and then click OK.
Type Win2012R2Master and then click OK.
To see existing accounts or view the newly added account, click the Servers OU and view the account names
in the right pane.
6.
133
7.
Right-click a Windows Server 2012 R2 template in XenCenter and click New VM wizard.
Right-click the WinServer2012R2_template in XenCenter and then click New VM wizard.
You are using a template that already has the hypervisor tools installed. If you were creating the VM from
scratch, you would need to install the hypervisor tools on the VM before you use the master image to create a
machine catalog.
8.
9.
Click Next.
Type a name for the new VM and then click Next.
Type Win2012R2Master in the Name field and then click Next.
10. Verify that no ISO files are mounted in the DVD drive and then click Next.
11. Determine if the VM will be assigned to a home server and then click Next.
Select Place the VM on this server and then click Next.
12. Specify the CPU and memory usage for this server and then click Next.
Verify that 2 vCPU and 2048 MB of memory are allocated for this VM and then click Next.
13. Specify the vDisk storage and properties for this VM and then click Next.
ot
Accept the default vDisk storage device, select Use storage-level fast disk clone, and then click Next.
fo
14. Specify one or more virtual network interface cards and then click Next.
rr
Verify that Internal is selected for the Network interface card and then click Next.
15. Review the selected settings and then click Create Now.
es
Verify that Start the new VM automatically is selected and then click Create Now.
al
16. Click the Windows 2012 R2 Server VM and then click the Console tab.
Click Win2012R2Master in XenCenter and then click the Console tab in the center pane.
or
It may take a few minutes for the server to start.
st
di
rib
17. Specify the region, language, and keyboard settings and then click Next.
Verify that United States, English, and US are selected and then click Next.
io
ut

Click I accept.
19. Type a password for the local administrator in the Password and Confirm password fields and then click Finish.
Type Password1 in both password fields and then click Finish.
20. Log on using the local administrator credentials.
Log on with the Administrator and Password1 credentials.
The local administrator account is the only account available because the server has not been joined to the
domain. If the Windows Security window appears, be sure to sign on as the local administrator.
21. Click Local Server in the Server Manager to access the System Properties.
22. Click the link to the right of Computer name and then click the Change button in the System Properties window.
23. Type a name for the server in the Computer name field.
Type Win2012R2Master in the Computer name field.
134
24. Select Domain, type the name of the domain, and then click OK.
a.
Select Domain, type training.lab, and then click OK.
25. Type a domain administrator name and password and then click OK.
Type Administrator in the Username field and Password1 in the Password field, and then click OK.
26. Click OK in the Computer Name/Domain Changes message.
27. Click OK in the restart message.
28. Click Close in the System Properties window, and then click Restart Now to restart the VM and apply the changes.
Using a Virtual IP Address

Virtual IP and virtual loopback allow XenApp and XenDesktop administrators hosting application sessions on Server OS
machines running Server 2008 R2 and later to host IP dependent applications. By default, each application running on a
Server OS machine shares the IP address of that machine.
The virtual IP address feature allows you to provide a unique and unused IP address to an application session running on a
Server OS machine. The virtual loopback feature allows you to assign a session an IP address from the localhost 127.0.0.1
range. These features are implemented using Citrix policies and are independent; you do not have to enable both.
ot
In larger environments, depending upon the class of network and the number of devices and applications
supported, it may be possible to run out of unique IP addresses.
fo
al
es
rr
Applications that might require the use of the virtual IP and virtual loopback features for addressing, licensing, and
identification, include CRM and Computer Telephone Integration (CTI). For more information about virtual IPs and virtual
loopback, see http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-deliver-virtual-ip.html.
Installing and Configuring the Virtual Delivery Agent
or
The Virtual Delivery Agent (VDA) is required on all Server OS master images. The VDA enables connectivity to the Server
OS machine from any endpoint that has Citrix Receiver installed. The Virtual Delivery Agent enables the Server OS machine
to register with Delivery Controllers and manage the HDX (ICA) connection between the Server OS machine and the
endpoint. HDX (ICA) technology supports the communication and collaboration tools and high-quality multimedia that end
users need to work productively. It examines screen activity and determines how best to display responses, graphics and
media, and whether to render locally or remotely in real-time.
st
di
rib
io
ut
In addition, when the Virtual Delivery Agent is installed on a Server OS machine, the Remote Desktop Services role is
installed and the Remote Desktop Session Host is activated. This allows you to host multiple end-user sessions for desktops
and hosted applications on a single server. The Virtual Delivery Agent should be installed prior to any applications being
installed on the server.
Remote Desktop Services (Terminal Services) is no longer required on servers running the Delivery Controller;
however, Remote Desktop Licenses are still required.
The VDA is configured to discover the Delivery Controllers during the installation of the VDA.
The HDX 3D Pro VDA is not available for installation on a Server OS operating system.
To Install and Configure the VDA on a Server OS Master Image

The installation steps for installing a VDA on a Server operating system are different than those used to install the
VDA on a Desktop operating system.
135
1.
Log on to the VM on which you want to install the VDA using domain administrator credentials.
Log on to Win2012R2Master using the TRAINING\Administrator and Password1 credentials.
2.
3.
4.
5.
Click the File Explorer icon on the taskbar.

Click This PC.
6.
7.
8.
9.
Click Start next to XenDeskop.

Click Virtual Delivery Agent for Windows Server OS.
Select Create a Master Image and then click Next.
Determine if Citrix Receiver will be installed and then click Next.
ot
Verify that Citrix Receiver is selected and then click Next.

10. Determine how Delivery Controller locations will be specified and then click Next.
fo
Select Let Machine Creation Services do it automatically and then click Next.
rr
al
es
When Machine Creation Services is used to provision the desktop or hosted applications, you can use choose
to manually enter the location of the Delivery Controllers or allow Machine Creation Services to do it for you.
When Provisioning Services is being used to provision the desktop or hosted applications, you must enter the
location of the Delivery Controllers manually.
11. Select the features you want to install and then click Next.
Verify that all features are selected and then click Next.
or
io
ut
Optimize performance: Enables or disables optimization for VDAs running in a VM on a hypervisor.

VM optimization includes disabling offline files, disabling background defragmentation, and reducing the
Event Log size. For more information about the optimization tool, see CTX125874. You should not enable
this option for Remote PC Access.
Use Windows Remote Assistance: Enables or disables Windows Remote Assistance for use with Director.
When this feature is enabled, Windows automatically opens TCP port 3389 in the firewall (even if you
choose to open firewall ports manually on the next wizard page).
Use Real-Time Audio Transport for audio: Enables or disables the use of UDP for audio packets.
Enabling this feature can improve audio performance.
rib
st
di
Features include:
12. Determine how the firewall ports will be configured and then click Next.
These are the ports used by the VDA. If the VDA will use alternate port assignments, select Manually to
configure the ports after installation completes.
13. Review the installation settings and then click Install.
You can change the settings by clicking the Back button.
14. Click Close and then wait for the master image to restart.
136
The machine will restart automatically after a few seconds and the VDA will be configured. Do not eject the
XenApp and XenDesktop media from the DVD drive. Doing so will cause the installation of the VDA to be
incomplete and result in desktops created from the image to fail to register.
15. Wait while the VM updates.
This will take approximately 5 minutes.
16. Log on to the VM on which you installed the VDA using domain administrator credentials to complete the configuration
of the VDA.
17. Wait while the prerequisites and selected core components are installed and initialized.
ot
18. Verify that Restart machine is selected and then click Finish.
19. Wait while the VM restarts.
20. Log on to the VM using domain administrator credentials.
fo
rr
al
es
Click Eject to the right of the DVD Drive 1 field to remove the XenApp and XenDesktop media.
Installing and Configuring Third-Party Applications
or
Install any third-party applications or tools that you want to include in the master image. These applications may include:
Windows applications, antivirus software, electronic software distribution agents, configuration services, Windows Update
software, and more.
st
di
rib
You should virtualize applications to significantly reduce the number of master images you need to support the
end users in the environment and to reduce the administrative overhead required to support multiple master
images when application updates need to be installed.
To Install Third-Party Applications

1.
io
ut
When configuring the applications, you should ensure that you use settings appropriate for the end users and the machine
type, as these configurations will be propagated to end users from the master image. Compatibility testing should be
conducted before you install any application on a master image that will be released to the production environment.
Log on to the VM that will be used as the master image using domain administrator credentials.
2.
3.
Click Desktop.
Insert the ISO image of the third-party application into the DVD drive.
Select Microsoft_Office_2010_Professional_SP1_English.iso in the DVD Drive 1 field.
4.
5.
Double-click CD Drive (D:).
If the installation wizard does not start, double-click setup.
137
6.

Select I accept the terms of this agreement and then click Continue.
7.
Determine which applications to install on the master image.

Be aware that if you select a Standard install, all Microsoft Office applications will be installed which requires
additional disk space as well as the time to complete the download and installation.
ot
Click Customize and then do the following:

a. Click the down arrow to the left of Microsoft Access and then click Not Available.
b. Click the down arrow to the left of Microsoft InfoPath and then click Not Available.
c. Click the down arrow to the left of Microsoft OneNote and then click Not Available.
d. Click the down arrow to the left of Microsoft Outlook and then click Not Available.
e. Click the down arrow to the left of Microsoft Publisher and then click Not Available.
f. Click the down arrow to the left of Microsoft SharePoint Workspace and then click Not Available.
g. Click the down arrow to the left of Microsoft Visio Viewer and then click Not Available.
h. Click the down arrow to the left of Office Shared Features and then click Not Available.
i. Click the down arrow to the left of Office Tools and then click Not Available.
fo
Microsoft Excel, Microsoft PowerPoint, and Microsoft Word will be the only applications installed on the
master image.
rr
Click Install Now.
es
8.
al
You can expect the installation to take approximately 15 minutes.
Click Close when the installation is completed.
or
9.
st
di
The operating system and applications installed on the master image should be licensed before the master
image is used to create a machine catalog. Once armed, you do not need to rearm Microsoft Office or
Microsoft Windows if you are using XenServer 6.1, XenServer 6.2, vSphere, or SCVMM with Machine
Creation Services.
io
ut
Installing Anti-Virus Software
rib
10. Click Eject next to the DVD drive field to eject the ISO image.
Antivirus software is a common sense, generally accepted requirement in most corporate environments. Once you have
determined which anti-virus platform you will standardize upon, install the anti-virus software on the master image. You
should configure anti-virus software with the appropriate inclusions to and exclusions from anti-virus scans. This topic is
beyond the scope of this class and you should consult with the proper security specialist in your company to ensure machines
are properly protected.
Discussion Question
You are providing desktops to four end-user groups in your environment. Each of the end user groups requires a set of
common applications. In addition each end user group requires that a set of job-specific applications be available to them
from their desktop. How many master images will you need to create to support the four end-user groups?
Troubleshooting Virtual Delivery Agent Issues

The following table identifies VDA configuration issues and resolutions.
138
Issue
Resolution
The VDA installation stops responding.
Check behind the VDA installation window to see if an error

message is halting the installation. If an error message is
present, address the issue in the error message and then click
OK in the error message to continue installing the VDA.
A common error is "Printer - The arguments are
invalid". This error message appears when the Print
Spooler Service is not started. The VDA requires the
Printer Spooler Service to be running. You can
manually start the Print Spooler Service or wait for it to
start.
Setting Up a Desktop OS Master Image
ot
Some of your master images will be based on a Windows Desktop operating system and will be used to provide Desktop OS
machines and hosted applications to end users. The steps for Desktop OS master images are similar to the steps used to create
Server OS master images.
To Set Up a Desktop OS Master Image
fo
1.
rr
Log on to the domain controller using domain administrator credentials to create a computer account for the new master
image.
Click Tools in the Server Manager and then click Active Directory Users and Computers.
Expand the domain and OU that will contain the Windows 8 master image VM.
al
2.
3.
es
Log on to DomainController-1 with the TRAINING\Administrator and Password1 credentials.
Browse to training.lab > Training Virtual Desktops > Desktops.
or
4.
Right-click the OU and then click New > Computer.
5.
st
di
Right-click the Desktops OU and then click New > Computer.
Type a name for the computer in the Computer name field and then click OK.
rib
Type Win8Master and then click OK.
6.
7.

Right-click a Windows 8 template in XenCenter and then click New VM wizard.
io
ut
To see existing accounts or view the newly added account, click the Desktops OU and view the account names
in the right pane.
Right-click the Win8_Template VM in XenCenter, select New VM wizard, and then click Next.
scratch, you would need to install the hypervisor tools on the VM before you could use the master image to
create a machine catalog.
8.
Specify a name for the new VM and then click Next.

Type Win8Master in the Name field and then click Next.
9. Verify that no ISO files are mounted in the DVD drive and then click Next.
10. Determine if the VM will be assigned to a home server and then click Next.
139
11. Specify the CPU and memory usage for this VM and then click Next.
Verify that 2 vCPU and 2048 MB of memory are allocated for this VM and then click Next.
12. Specify the vDisk storage and properties for this VM and then click Next.
Accept the default vDisk storage device, verify Use storage-level fast disk clone is selected, and then click Next.
13. Specify one or more virtual network interface cards and then click Next.
Accept the default network interface card Network 0 and then click Next.
14. Review the selected settings and then click Create Now.
Verify that Start the new VM automatically is selected and then click Create Now.
15. Select the new VM in XenCenter and then click the Console tab.
Select the Win8Master VM in XenCenter and then click the Console tab.
17. Specify the region, language, and keyboard settings and then click Next.
Verify that United States, English, US, and Pacific Time are selected and then click Next.
ot
18. Read and respond to the license terms for Windows.

Click I accept.
fo
19. Type a name for the desktop and then click Next.
rr
Type Win8Master and then click Next.
es
The name provided at this point is irrelevant. It will be replaced later.
or
Click Use express settings.
al
20. Select the PC connection services for this desktop.
st
di
The settings selected at this point will be replaced later.
rib
io
ut
21. Click Create a new account on the "Sign in to your Microsoft account" screen.
22. Click Sign in without a Microsoft account on the "Create a Microsoft account" screen.
23. Type an end-user name and the password information, and then click Finish.
Type CitrixUser in the Username field, Password1 in the password fields, First Password in the Password Hint field,
and then click Finish.
Windows configuration will continue for a few minutes.
24. Log on using the local credentials if the Windows Security window appears.
Log on using CitrixUser and Password1 credentials.
25.
26.
27.
28.
140
Click the Desktop icon on the Start screen.

Click the File Explorer (folder) icon on the taskbar.
Right-click This PC and then click the Properties.
Click the Change settings link and then click the Change button.
29. Type a name for the master image virtual machine.

Verify that Win8Master is in the Computer name field.
30. Select Domain, type the name of the domain, and then click OK.
31. Type a domain administrator name and password and then click OK.
Type Administrator in the Username field, Password1 in the Password field, and then click OK.
32. Click OK in the Computer Name/Domain Changes message.
33. Click OK in the restart message.
34. Click Close in the System Properties window, and then click Restart Now to restart the VM and apply the changes.
Installing and Configuring the Virtual Delivery Agent
ot
The VDA is required on all Desktop OS master images. The VDA enables connectivity to the Desktop OS machine from any
endpoint using Citrix Receiver. The VDA enables the Desktop OS machine to register with the Delivery Controllers and
manage the HDX (ICA) connection between the Desktop OS machine and the endpoint. The VDA is configured to discover
the Delivery Controllers during the installation of the VDA.
fo
You cannot upgrade the Virtual Desktop Agents running on Windows XP or Windows Vista operating systems to
XenDesktop 7 Virtual Delivery Agents. You must upgrade these VDAs to the Windows XP or Windows Vista
version provided by the installer, or upgrade them using XenDesktop Version 5.6 Feature Pack 1.
rr
al
es
There are two different VDAs available for installation on a Desktop operating system: Standard VDA and HDX 3D Pro
VDA. The HDX 3D Pro VDA allows the desktop to take advantage of the Graphical Processing Unit on the hardware
running the virtual desktop.
To Install and Configure the VDA on a Desktop OS Master Image

Log on to the VM on which you want to install the VDA using domain administrator credentials.
or
1.
Log on to Win8Master using the TRAINING\Administrator and Password1 credentials.
st
di
2.
Click Desktop on the Start screen and then click the File Explorer icon on the taskbar.
Click This PC.

5.
Click XenApp_and_XenDesktop7_6.iso in the DVD Drive 1 field.
io
3.
4.
ut
rib
You may need to complete the mini tutorial before you are allowed to click the Desktop icon.

6.
7.
8.
9.

Click Virtual Delivery Agent for Windows Desktop OS.
Verify that Create a Master Image is selected and then click Next.
Determine which version of the Virtual Delivery Agent should be installed and then click Next.
Verify No, install the standard VDA is selected and then click Next.
141
The HDX 3D Pro VDA should not be installed in the lab environment.
10. Determine if Citrix Receiver will be installed and then click Next.
Verify that Citrix Receiver is selected and then click Next.
11. Determine how Delivery Controllers locations will be specified and then click Next..
Click Let Machine Creation Services do it automatically in the How do you want to enter the locations of your
Delivery Controllers field and then click Next..
When Machine Creation Services is used, you can use choose to manually enter the location of the Delivery
Controllers or allow Machine Creation Services to do it for you. When Provisioning Services is being used,
you must enter the location of the Delivery Controllers manually.
12. Select the features you want to install and then click Next.
Select Personal vDisk, verify that all features are selected, and then click Next.
Features include:
ot
fo
Optimize performance: Enables or disables optimization for VDAs running in a VM on a hypervisor.

VM optimization includes disabling offline files, disabling background defragmentation, and reducing
Event Log size. For more information about the optimization tool, see CTX125874. You should not enable
this option for Remote PC Access.
Use Windows Remote Assistance: Enables or disables Windows Remote Assistance for use with Director.
When this feature is enabled, Windows automatically opens TCP port 3389 in the firewall (even if you
choose to open firewall ports manually on the next wizard page).
Use Real-Time Audio Transport for audio: Enables or disables the use of UDP for audio packets.
Enabling this feature can improve audio performance.
Personal vDisk: Retains the single image management of static (Machine Creation Services) and streamed
(Provisioning Services) Desktop OS machines while allowing users to install applications and change
desktop settings. If Personal vDisk is selected, the Personal vDisk Update tool must be the last thing run
on the master image before the master image is used to create a machine catalog.
al
es
rr
or
st
di
13. Determine how the firewall ports will be configured and then click Next.
rib
14. Review the installation settings and then click Install.

io
ut
These are the ports used by the VDA. If the VDA will use alternate port assignments, select Manually to
configure the ports after installation completes.
The machine will restart automatically after a few seconds and the VDA will be configured. Do not eject the
XenApp and XenDesktop installation media from the DVD drive. Doing so will cause the installation of the
VDA to be incomplete and desktops that are created from the image will fail to register.
17. Wait while the VM starts.
18. Log on to the VM using domain administrator credentials.
Log on to Win8Master using the TRAINING\Administrator and Password1 credentials.
142
Click Eject to the right of the DVD Drive 1 field to remove the XenApp and XenDesktop media.
20. Install the desired applications on the master image.
Do not install any applications in the class.
21. From the Start screen, type Update, and then click Update Personal vDisk.
This step is only necessary if Personal vDisk was selected in Step 13. Failure to run the Update Personal vDisk
tool when Personal vDisk is selected will result in a desktop that cannot be accessed by end users. It will take
approximately 10 minutes for the Personal vDisk inventory update to complete. If you plan to make additional
changes to the master image, you can wait and run the Update Personal vDisk tool later. If you forgot to select
the Personal vDisk option, you can enable it by running the Update Personal vDisk tool in the VM.
Discussion Question
What is meant by the term registration?
ot
Creating a Machine Catalog
fo
A machine catalog is a collection of virtual machines or physical machines managed as a single entity. Machine catalogs
specify the virtual machines or physical computers available to host applications or desktops.
es
rr
There are many machine types available for master images running a Desktop operating system, including: random, static,
and existing. Each machine type requires a separate machine catalog. You can update a machine catalog and all its virtual
machines by updating the master image.
al
The existing machine type enables you to use XenApp and XenDesktop to manage and deliver desktops that you have already
migrated to VMs in the datacenter. As with traditional local desktops, changes and updates are permanent and must be
managed on an individual basis or collectively using third-party electronic software distribution (ESD) tools.
or
st
di
n
io
ut
rib
A machine catalog is a collection of machines that have something in common such as random desktops, provisioned
desktops, static desktops, physical, same operating system, and so on. A Delivery Group is a collection of end users that have
been given access to a machine catalog.
Creating a Machine Catalog for Server OS and Hosted Applications

The machine catalog type defines the hosting infrastructure for desktops and applications, and the level of control that end
users have over their environment. Server OS machines can provide a Windows Server desktop and hosted applications that
are shared by a large numbers of end users. Machine catalogs based on a Server OS can provide desktops that are:
143
Allocated to end users on a per-session, first-come, first-serve basis.

Deployed on standardized machines.
Machine catalogs based on a Server OS can also be used to provide hosted applications that:
Are available to end users through Citrix Receiver.

Run on the Server OS machine.
Use App-V to stream the application to the VDA on the Server OS machine.
To Create a Machine Catalog for Server OS and Hosted Applications

1.
Shut down the master image VM for the Server OS and then click Yes to confirm the shutdown.
Right-click the Win2012R2Master VM, click Shut Down, and then click Yes.
2.
3.
Wait for the icon to turn red.

Log on to the VM that is hosting Studio using domain administrator credentials.
ot
You must log on to the VM hosting Studio with a domain administrator account if you plan to use XenApp
and XenDesktop to create the Active Directory computer accounts for the machines in the catalog.
Select the Machine Catalogs node in the left pane.
Click Create Machine Catalog in the right pane.
fo
es
rr
4.
5.
6.
Click Next on the Introduction page.
or
7.
al
If this is the first machine catalog you have created, the Machine Catalog node will not be visible until you
have completed one of the initial configuration tasks presented when you first start Studio.
You can avoid seeing this page when creating additional machine catalogs by selecting Don't show this again.
st
di
Select the type of machine catalog you want to create and then click Next.
Select Windows Server OS and then click Next.
9.
Windows Desktop OS provides individual and customizable desktops based on a workstation operating
system.
Windows Server OS provides a standardized desktop based on a Server operating system.
Remote PC Access enables end users to log on remotely to a physical PC from anywhere. The Remote PC
Service must be installed on the Delivery Controller VM in order to place physical PCs in a machine
catalog. Once installed, the VDA on the office PC enables it to register with the Controller and manages
the HDX connections between the machine and the endpoints. The Receiver running on the endpoint
provides the end user with access to all of the applications and data on the office PC.
io
Options include:
ut
rib
8.
Determine how the infrastructure will be built and managed and then click Next.
Verify that Machines that are power managed and Citrix Machine Creation Services (MCS) are selected and then
click Next.
10. Select a virtual machine to use as the master image and then click Next.
Select Win2012R2Master and then click Next.
144
11. Specify the number of VMs to create, the number of virtual CPUs and the amount of memory for each VM, and then
click Next.
Verify that 2 is specified in the Number of virtual machines needed field, 2 is specified in the vCPUs field, 2048 is
specified in the Memory (MB) field, and then click Next.
Because of the limited storage in the lab environment, you are only creating two machines. In a real-world
environment, you would create enough machines to satisfy the needs of the end users in the environment.
12. Determine whether to use existing Active Directory accounts or to create new ones.
Verify that Create new Active Directory accounts is selected and then double-click Training Virtual Desktops >
Servers in the Active Directory location for computer accounts section.
If you are creating new accounts, you must specify the OU where they should be created. The Active Directory
organizational units must be created before you complete this step.
13. Create an account-naming scheme, specify the format for the numbering, and then click Next.
ot
Type Server2012R2-## in the Account naming scheme field, verify that 0-9 is selected, and then click Next.
The ## in the naming scheme will be replaced with numbers or letters. If a large number of machines will be
needed, you can add additional # signs to the end of the Account naming scheme.
fo
rr
14. Type a machine catalog name and description and then click Finish.
al
es
Type Windows 2012 R2 Servers-Apps in the Machine Catalog name field, Win 2012 R2 Servers with Apps in the
Description field, and then click Finish.
The master image will be copied, then differencing disks and identity disks will be created for each VM. If you
click the Hide progress button during the creation of the machine catalog, the progress bar becomes visible as
a green bar in the name of the machine catalog on the Machine Catalog screen. The green bar will grow in
size as the machine creation progresses. You can expect the configuration to take approximately 15 minutes.
You can continue to use Studio while the machine creation process runs.
or
st
di
rib
Discussion Question
io
ut
You created a master image with 1 vCPUs, and 2048 MB of memory and then installed Windows Server 2012 R2 on the VM.
Next you created a machine catalog using the master image. During the configuration of the machine catalog, you changed
the number of vCPUs to 2 and the amount of memory to 1024 MB. Which settings will be used?
Creating a Machine Catalog for Desktop OS Machines
The Desktop OS machine catalog type lets you provide individual desktop environments and hosted applications for each end
user as well as customizable desktops that include Personal vDisks (PvD). The types of machines that can be configured in a
machine catalog for Desktop OS machines include:
Random machines (formerly known as pooled) provide desktops to end-users on a per-session, first-come, first-serve
basis. They are arbitrarily assigned to end users at each logon and returned to the pool when the end users log off.
Static machines (formerly known as assigned) provide desktops that are assigned to individual end users that usually
need to install their own applications on their desktops. Machines can be assigned manually or they can be automatically
assigned to the first end user to connect to the machine. Whenever end users request a desktop, they are always
connected to the same machine. This allows end users to personalize their desktops to suit their needs.
Static machines and streamed machines that use Personal vDisks to support end users that need to personalize their
desktops and store their changes to a separate vDisks so the changes are available at the next log on. If Personal vDisks
are used, the Update Personal vDisk tool must be run on the master image to update the Personal vDisk inventory
whenever you make changes to the master image. Failure to update the Personal vDisk inventory can result in machines
that cannot be accessed by end users or the Personal vDisk being unavailable in machines based on the master image.
145
Streamed machines refer to virtual machines provided by Provisioning Services. Provisioning Services will be
covered later in this course.
To Create a Desktop OS Machine Catalog

1.
Shut down the master image VM for the Desktop OS and then click Yes to confirm the shutdown.
Verify the Win8Master VM is shut down. If the Win8Master VM is not shut down, it is probably still updating the
personal vDisk. Do not force the shut down, allow the process to continue and it will shut down when it is finished.
2.
3.
Wait until the icon turns red.

Log on to the VM that is hosting Studio using domain administrator credentials.
You must log on to the VM hosting Studio with a domain administrator account if you plan to use XenApp
and XenDesktop to create the Active Directory computer accounts for the machines in the catalog.

Select the Machine Catalogs node in the left pane.
Click Create Machine Catalog in the right pane.
ot
fo
4.
5.
6.
Click Next on the Introduction page.
al
7.
es
rr
If this is the first machine catalog you have created, the Machine Catalog node is not visible until you have
completed one of the initial configuration tasks presented when you first start Studio.
You can avoid seeing this page when creating additional machine catalogs by selecting Don't show this again.
or
Select the type of machine catalog you want to create and then click Next.
st
di
8.
Verify that Windows Desktop OS is selected and then click Next.
9.
io
Windows Desktop OS provides individual and customizable desktops based on a workstation operating
system.
Windows Server OS provides a standardized desktop based on a Server operating system.
Remote PC Access enables end users to log on remotely to a physical PC from anywhere. The Remote PC
Service must be installed on the Delivery Controller VM in order to place physical PCs in a machine
catalog. Once installed, the VDA on the office PC enables it to register with the Controller and manages
the HDX connections between the machine and the endpoints. The Receiver running on the endpoint
provides the end user with access to all of the applications and data on the office PC.
ut
rib
Options include:
Determine how the infrastructure will be built and managed and then click Next.
Verify that Machines that are power managed and Citrix Machine Creation Services (MCS) are selected and then
click Next.
The infrastructure can be built using either virtual machines or physical hardware. The machine images can be
managed using: Machine Creation Services, Provisioning Services (PVS), or a service or technology other than
Citrix (existing images).
10. Select a user experience in the Desktop Experience page.

Select I want users to connect to the same (static) desktop each time they log on.
146
You can configure the desktop experience to use a new (random) desktop each time the user logs on, or use
the same (static) desktop each time the user logs on.
11. Determine whether user changes will be saved to a Personal vDisk, to the local disk, or discarded, and then click Next.
Select Yes, save changes on a separate Personal vDisk and then click Next.
The Desktop Experience page is not available if you are configuring a Server OS machine catalog or Remote
PC Access. In addition, Personal vDisk is not available if you are configuring a machine catalog for:
A Windows Desktop OS that will deliver a new (random) desktop each time the user logs on.
Windows Server OS.
Remote PC Access.
Personal vDisk is only available for machine catalogs providing static Desktop OS desktops.
12. Select a virtual machine to use as the master image and then click Next.
Select Win8Master and then click Next.
13. Specify the number of VMs to create, the number of virtual CPUs, and the amount of memory for each VM.
ot
Verify that 1 is specified in the Number of virtual machines needed field, 1 is specified in the vCPUs field, and 2048 is
specified in the Memory (MB) field.
fo
es
rr
Because of the limited storage in the lab environment, you are only creating a single machine. In a real-world
environment, you would create enough machines to satisfy the needs of the end users in the environment.
14. Specify the size and the drive letter to use for the Personal vDisk and then click Next.
al
Type 5 in the Personal vDisk size (GB) field and then click Next.
or
The default drive size is 10 GB and the default drive letter is P. You should not reduce the size of the Personal
vDisk below 3 GB.
st
di
15. Determine whether to use existing Active Directory accounts or to create new ones.
rib
Verify that Create new Active Directory accounts is selected and then double-click Training Virtual Desktops >
Desktops in the Active Directory location for computer accounts section.
io
ut
16. Create an account-naming scheme, specify the format for the numbering, and then click Next.
Type Static-PvD-## in the Account naming scheme field, verify that 0-9 is selected, and then click Next.
The ## in the naming scheme can be replaced with numbers or letters. If a larger number of machines will be
needed, you can add additional # signs to the end of the Account naming scheme.
17. Type a machine catalog name and description, and then click Finish.
Type Windows 8 Desktops in the Machine Catalog name field, type Static Win 8 desktops with PvD in the
Description field, and then click Finish.
147
The master image will be copied onto each VM created in the machine catalog. If you click the Hide progress
button during the creation of the machine catalog, the progress bar becomes visible as a green bar in the name
of the machine catalog on the Machine Catalog screen. The green bar will grow in size as machine creation
progresses. You can expect the configuration to take approximately 15 minutes. When the configuration
completes, one machine in the machine catalog will start automatically to initialize the disks. Once the disks
have been initialized, the machine will automatically shut down. You can continue to use Studio while the
machine creation process runs.
Discussion Question
During the creation of a machine catalog, you are prompted to use existing computer accounts or create new computer
accounts in Active Directory. What permissions must you have in order for XenApp and XenDesktop to create new computer
accounts?
Creating a Delivery Group
Delivery Groups identify the end users that have access to the desktops and hosted applications provided by machine catalogs.
You can configure multiple Delivery Groups for a single machine catalog in Citrix Studio. Active Directory integration allows
you to select specific groups and grant them access to desktops and applications.
ot
Session prelaunch and session linger are user session experience optimizations. The session prelaunch and session linger
features help users quickly access applications by starting sessions before they are requested (session prelaunch) and keeping
application sessions active after a user closes all applications (session linger). These features are supported for Server OS
machines only.
fo
rr
es
By default, session prelaunch and session linger are not used; a session starts (launches) when a user starts an application, and
remains active until the last open application in the session closes. Session prelaunch and session linger settings are
configured in the settings for a Delivery Group.
io
ut
rib
st
di
or
The Delivery Group must support applications, and the Server OS machines must be running a Server VDA version 7.6
or later.
Users must be using a Citrix Receiver for Windows that is configured with additional settings. For more information
about these additional settings, search http://docs.citrix.com for session prelaunch for the specific Receiver for Windows
version.
When using session prelaunch:
Physical client machines cannot use the suspend or hibernate power management functions.
Users can lock their end-user devices but should not log off.
Prelaunched and lingering sessions consume a license, but only when connected. Unused prelaunched and lingering
sessions disconnect after 15 minutes by default. This value can be configured in PowerShell using the New/SetBrokerSessionPreLaunch cmdlet.
al
Considerations:
Careful planning and monitoring of your users activity patterns are essential to tailoring these features to
complement each other. Optimal configuration balances the benefits of earlier application availability for users
against the cost of keeping licenses in use and resources allocated.
Securing Connections
Many administrators are faced with compliance with company security requirements and ensuring that all company traffic
(internal and external) is secure. To ensure that communications are properly encrypted, administrators typically add
certificates to Delivery Controllers, StoreFront servers, NetScaler appliances and more.
The SSL to VDA feature allows you to secure communications between users and the Virtual Delivery Agents (VDAs) with
SSL. To configure SSL to VDA, you:
148
Manually configure SSL on the machines containing the VDA using the Microsoft Management Console or use the
Enable-VdaSSL.ps1 PowerShell script located on the installation media.
The PowerShell script configures SSL on static VDAs; it does not configure SSL on random (pooled) VDAs
that are provisioned by Machine Creation Services or Provisioning Services, where the machine image resets
on each restart.
Configure SSL in the Delivery Groups containing the VDAs using the Get-BrokerAccessPolicyRule and SetBrokerAccessPolicyRule PowerShell scripts in Studio.
Before you configure the SSL to VDA communications, you should be aware of the following considerations:
SSL connections between users and VDAs are valid only for sites in XenApp 7.6 and XenDesktop 7.6 or later versions.
SSL configuration in the Delivery Groups and on the machines containing the VDA is done after you create the Delivery
site, create the machine catalogs, and create the Delivery Groups.
Only Full Administrators have the permissions required to configure SSL in the Delivery Groups and change the Delivery
Controller access rules.
Only Windows administrators on the machines containing the VDA have the necessary permissions to configure SSL on
those machines.
If SSL Relay was installed on a machine, it must be uninstalled before installing the VDA on the machine. This is
applicable to machines being upgraded from a previous version of XenApp or XenDesktop.
ot
For more information about securing internal communications using the SSL to VDA feature, see
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-security-article/xad-ssl.html.
fo
To Create a Delivery Group to Provide Hosted Applications
rr
es
This procedure will make applications installed on Server OS machines available to end users through a Delivery
Group. This functionality was formerly provided by Citrix XenApp, but is now integrated in XenApp and
XenDesktop.
Log on to the computer hosting Citrix Studio using domain administrator credentials.
or
1.
al
This procedure could also be performed on a Desktop OS machine to provide hosted applications to users,
although some choices may be slightly different. This functionality was formerly known as VM Hosted Apps.
rib
Click Start and then click Citrix Studio.

Select the Delivery Groups node in the left pane.
Click Create Delivery Group in the right pane.
st
di
2.
3.
4.
Click Next in the Getting Started with Delivery Groups page.
5.
io
ut
If the Create Delivery Group option is not available, make sure the Delivery Group tab is selected in the center
pane.
If you previously selected Don't show this again, this page will not appear.
6.
Select a machine catalog, determine the number of machines in the catalog that this Delivery Group will consume, and
then click Next.
Select Windows 2012 R2 Servers-Apps, type 1 in the Choose number of machines to add field, and then click Next.
Because of the limited storage in the lab environment, you only have a single machine available in the machine
catalog. In a real-world environment, you would create enough machines to satisfy the needs of the end users
in the environment.
7.
Select the resource to deliver in the Delivery Type screen and then click Next.
Select Applications and then click Next.
149
The options include:

a. Desktops: Presents end users with an entire Windows Server desktop when they log on.
b. Applications: Publishes specific applications and delivers only those applications to end-users.
c. Desktops and applications: Provides a combination of the previous two options.
8.
Click Add users to specify which end users will be part of the Delivery Group.
Only those end users added to the Delivery Group will be able to access the selected resource (desktop,
applications, or desktop and applications).
9.
Type the names of the end users or groups, click Check Names, and then click OK.
Type Human Resources; Accounting; in the Enter the object names to select field, click Check Names and then click
OK.
10. Verify that the appropriate end users and groups appear in the Assign users field and then click Next.
Verify that TRAINING\Human Resources and TRAINING\Accounting appear and then click Next.
11. Select the applications to publish and then click Next.
Select Microsoft Excel 2010, Microsoft PowerPoint 2010, and Microsoft Word 2010, and then click Next.
ot
fo
The Virtual Delivery Agent on the image identifies all of the applications on the machine and presents them
for hosting. If no applications appear, verify that the machines in the machine catalog are in a registered state.
If the machines fail to register, ensure that the VDA installation completed successfully on the master image
prior to creating the machine catalog.
rr
al
es
Keep in mind that the VDA installation on a Server OS machine requires several restarts with the installation
media still in the drive. Once the master image restarts, log on to the image, eject the media and restart the
master image one more time to ensure that the VDA installation is completed.
12. Type a descriptive name for the Delivery Group in the Delivery Group name field.
st
di
This is the name that the administrator sees.
or
Type Office Apps in the Delivery Group name field.
rib
13. Click Finish.
14. Shut down the newly created VM, if it is started.
io
ut
The end users added to the Delivery Group can now use Citrix Receiver to access the hosted applications, but
not the server hosting the applications. If Desktop and Applications had been selected in Step 8, the end users
would be able to access both the hosted applications and the Server OS desktop using Citrix Receiver.
Right-click Server2012R2-01 in XenCenter and then click Shut Down.

You are shutting down the VM only to save lab environment resources.
15. Optimize the Hosted Applications Delivery Group with Session Prelaunch and Session Lingering.
Select the Office Apps Delivery Group and then click Edit Delivery Group in the Actions pane.
16. Configure Application Prelaunch.
150
a.
b.
c.
a. Click on Application Prelaunch and then select Prelaunch when any user in the delivery group
logs on to Receiver for Windows.
Select Minutes and set the number to 15.
Click Apply.
17. Configure Application Lingering.

a.
b.
c.
Click Application Lingering and select Keep sessions active until.

Select Minutes and set the number to 15.
Click Apply and then click OK.
Creating a Delivery Group for Anonymous User Access

In some scenarios, administrators may want to allow non-domain users to access company resources from non-domain joined
computers such as kiosks at libraries, schools and trade shows. You can configure Delivery Groups containing Server OS
machines to allow users to access applications and desktops without presenting credentials to StoreFront or Citrix Receiver.
Considerations:
ot
Unauthenticated user support is configured through Delivery Groups. Each machine in the Delivery Group must have a
Server VDA version 7.6 or later installed and a store must be specifically configured in StoreFront for use by
unauthenticated users.
fo
Users requiring sessions on Desktop OS machines must log on using authenticated user credentials.
es
rr
An Anonymous Users Group is created when you install the Delivery Controller.
al
Some applications might still require credentials even though the StoreFront store and Citrix Receiver do not.
e
Unauthenticated user accounts are created on demand when a session is launched. User accounts are named AnonXYZ,
in which XYZ is a unique three-digit value.
Unauthenticated user sessions have a default idle timeout of 10 minutes and are logged off automatically when the user
device disconnects. Reconnection, roaming between user devices, and Workspace Control are not supported.
st
di
or
rib
Log on to a machine that has Citrix Studio installed on it.
io
1.
ut
To Create a Delivery Group for Anonymous User Access
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
2.
Open Citrix Studio.

Double-click the Citrix Studio icon on the desktop.
3.
4.
5.
6.
Select the Delivery Groups node.

Click Create Delivery Group.
Click Next on the Getting started with Delivery Groups screen.
Select the machine catalog and the number of machine to add.
Select Windows 2012 R2 Server-Apps machine catalog and select 1 machine
7.
8.
.
Click Next.
Select Applications and then click Next.
151
9.
Add the unauthenticated (anonymous) users.

Select Give access to unauthenticated (anonymous) users; no credentials are required to access StoreFront.
10. Click Next.

11. Add the applications to the Delivery Group and then click on Next.
Select Paint, and then click Next.
12. Verify that all of the details on the Summary page are correct and then specify a Delivery Group name.
Type Anonymous Access as the Delivery Group name.
13. Click Finish.
Organizing Applications in Folders

Application folders allow XenApp and XenDesktop administrators to organize applications in the Delivery Groups without
affecting how users access the applications. This organization is accomplished during the creation of the Delivery Group or
afterwards using Citrix Studio.
ot
By default all applications specified in a Delivery Group are organized under the default application folder named
Applications. Application folders can be nested up to five times by dragging and dropping applications and folders.
Log on to a machine that has Citrix Studio installed on it.
rr
1.
fo
To Organize Applications in Folders
2.
es
Log on to the Controller-1 virtual machine using the TRAINING\Administrator and Password1 credentials.
Open Citrix Studio.
al
Click Start, type Studio, and then click on Citrix Studio.
or
Select the Delivery Groups node.

View the default Application organization.
3.
4.
5.
Create a new Application folder.
st
di
Click the Applications tab, and note that Excel, Power point, Word and, Paint are all listed under the default
Applications folder. This complete list of applications reflects multiple delivery groups.
rib
Organize the Office Applications.
io
6.
ut
Right click the Applications blue bar to the left of the applications list and select Create Folder. Name the new folder
Productivity.
Click Show all and then drag-and-drop Word and Excel and Power point into the Productivity folder.
7.
Verify that all Office applications are in the Productivity folder.

Click the Productivity folder and verify that Excel, Power point and Word are listed.
To Create a Delivery Group to Provide Desktops

This exercise will make Desktop OS desktops available to end users through a Delivery Group. This exercise could
also be used to make Server OS desktops available to end users through a Delivery Group, although some choices
may be slightly different.
1.
Log on to the VM hosting Citrix Studio using domain administrator credentials.

2.
3.
152
Click Start and then click Citrix Studio.

4.

pane.
5.
6.
Click Next in the Getting Started with Delivery Groups screen.

then click Next.
Select Windows 8 Desktops, type 1 in the number of machines to add field, and then click Next.
in the environment.
7.
Select the resource to deliver in the Delivery Type screen and then click Next.
Select Desktops and then click Next.
ot
The choices include:

Desktops: Allows you to provide end users with a desktop.
Applications: Allows you to publish applications found on the master image, applications provided on an
App-V server, or applications located on other network locations. You can also edit the properties of
those applications.
Desktops and Applications: Provides a combination of the previous two choices. This choice is only
available for random desktops, not static desktops.
fo
es
rr
Click the Add users button to specify which end users can access the desktops.
Type the name of the end user or group, click Check Names, and then click OK.
al
8.
9.
Type Accounting in the Enter the object names to select field, click Check Names, and then click OK.
or
10. Verify that the appropriate end users and groups appear in the Assign users field and then click Next.
Verify that TRAINING\Accounting appears and then click Next.
st
di
11. Determine how Receiver will be configured on the machines.
Select Automatically, using the StoreFront servers selected below.
rib
io
ut
If you select Manually, end users will need to add the server address of a StoreFront server to Receiver on
their virtual desktop before Receiver can be used to access resources.
Click Add new and then type SFS-1 in the Name field.
12. Click Add new and then type a name for the first StoreFront server in the Name field.
If the URLs for the StoreFront servers appear in the Receiver StoreFront URL list, you can proceed to Step 18.
13. Type a description in the Description field, type the URL for the first StoreFront server, and then click OK.
Type First StoreFront in the Description field, type https://sfs-1.training.lab in the URL field, and then click OK.
14. Click Add new.
15. Type a name for the second StoreFront in the Name field.
Type SFS-2 in the Name field.
153
16. Type a description in the Description field, type the URL for the second StoreFront server, and then click OK.
Type Second StoreFront in the Description field, type https://sfs-2.training.lab in the URL field, and then click OK.
17. Select the StoreFront URLs that will be used by Receiver and then click Next.
Select https://sfs-1.training.lab and https://sfs-2.training.lab and then click Next.
18. Type a name for the Delivery Group that administrators will see in the Delivery Group name field.
Type Win8-Accounting.
19. Type a name for the Delivery Group that end users will see in the Display name field.
Type Win8 Desktop.
20. Type a description for the machine that end users will see and then click Finish.
Leave the description field blank and then click Finish.
Discussion Question
Windows 8 Desktop OS (random)
Windows 8 Desktop OS (static)
ot
You have the following machine catalogs created in Studio:
fo
es
rr
Each of these machine catalogs has 5 machines that have not been allocated to users using a Delivery Group. You want to
allocate all of the remaining desktops to the Accounting group. How many Delivery Groups will you need to create to provide
the Accounting group with these desktops?
al
You have the following machine catalogs created in Studio:

Windows 2012 Server OS with Microsoft Office installed
Windows 2012 Server OS with no apps installed
or
Each of these machine catalogs has 7 machines that have not been allocated to users using a Delivery Group. You want to
allocate these machine catalogs to users in the Contractors group. How many Delivery Groups will you need to create to
provide the Contractors group with all of the machines in these machine catalogs?
st
di
Securing Connections
rib
ut
Many administrators are faced with compliance with company security requirements and ensuring that all company traffic
(internal and external) is secure. To ensure that communications are properly encrypted, administrators typically add
certificates to Delivery Controllers, StoreFront servers, NetScaler appliances and more.
io
The SSL to VDA feature allows you to secure communications between users and the Virtual Delivery Agents (VDAs) with
SSL. To configure SSL to VDA, you:
Manually configure SSL on the machines containing the VDA using the Microsoft Management Console or use the
Enable-VdaSSL.ps1 PowerShell script located on the installation media.
The PowerShell script configures SSL on static VDAs; it does not configure SSL on random (pooled) VDAs
that are provisioned by Machine Creation Services or Provisioning Services, where the machine image resets
on each restart.
Configure SSL in the Delivery Groups containing the VDAs using the Get-BrokerAccessPolicyRule and SetBrokerAccessPolicyRule PowerShell scripts in Studio.
Before you configure the SSL to VDA communications, you should be aware of the following considerations:
154
SSL connections between users and VDAs are valid only for sites in XenApp 7.6 and XenDesktop 7.6 or later versions.
SSL configuration in the Delivery Groups and on the machines containing the VDA is done after you create the Delivery
site, create the machine catalogs, and create the Delivery Groups.
Only Full Administrators have the permissions required to configure SSL in the Delivery Groups and change the Delivery
Controller access rules.
Only Windows administrators on the machines containing the VDA have the necessary permissions to configure SSL on
those machines.
If SSL Relay was installed on a machine, it must be uninstalled before installing the VDA on the machine. This is
applicable to machines being upgraded from a previous version of XenApp or XenDesktop.
For more information about securing internal communications using the SSL to VDA feature, see
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-security-article/xad-ssl.html.
Troubleshooting XenApp and XenDesktop Resource Issues

The following table contains resolutions for XenApp and XenDesktop resource configuration issues.
Issue
Resolution
Applications installed on a master image do not appear

during the creating of the Delivery Group for a machine
catalog.
Verify that at least one of the newly created VMs is started

and registered. Verify that the VDA was installed completely.
Type the fully qualified name of the Delivery Controller in

the Test connection field during the VDA installation.
StoreFront servers do not appear during the creation of a

Delivery Group even though "Automatically, using the
StoreFront servers selected below" is selected.
Use the Add new button during the creation of the Delivery
Group to add the URL of each StoreFront server using the
appropriate format for your environment: http://FQDN or
https://FQDN
ot
A red X appears next to the Delivery Controller address

when testing the Controller connection.
fo
es
rr
al
Reinforcement Exercise: Adding Machines and Delivery Groups
or
rib
Configure a master image for Server OS machines and hosted applications.

Configure a master image for Desktop OS machines and hosted applications.
Create a machine catalog for hosted applications installed on Server OS machines.
Create a machine catalog for Desktop OS machines.
Create a Delivery Group to deliver hosted applications.
Create a Delivery Group to deliver Desktop OS machines.
io
ut
st
di
You are ready to try your hand at adding machines to an existing machine catalog and configuring a Delivery Group to
provide the Contractors group with access to the new machines.
Training is growing. The hospital just hired a group of contract IT personnel. You need to provide the contractors with access
to Server OS desktops so they can use them to test applications prior to making them available to hospital personnel.
1.
Add one new machine to the existing machine catalog for the Windows 2012 R2 Servers-Apps.
Because of the limited storage and memory in the lab environment, you should only add a single machine to
the machine catalog. In a real-world environment, you would create enough machines to satisfy the needs of
the end users in the environment.
155
2.
3.
4.
5.
6.
7.
Create new Active Directory accounts in the Training Virtual Desktops > Servers OU using the same account naming
scheme as was previously used for the Server 2012 R2 machines.
Create a new Delivery Group that will provide the TRAINING\Contractors group with access to the Server OS machines
in the machine catalog.
Configure a Delivery Group to provide the Contractors group with access to the desktop of the server, but not hosted
applications.
Add both StoreFront servers to the Delivery Group.
Use Win2012R2-Contractors as the Delivery Group name.
Use Win2012R2 Desktop as the Display name.
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
156
Module 6
Setting Up Policies
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
158
Setting Up Policies
Overview
HDX (ICA) policy settings directly affect the efficiency of the HDX (ICA) protocol and the channels that are contained in
each HDX (ICA) packet. Proper configuration of these settings ensures that the end user has an optimal work experience and
that corporate mandates such as bandwidth, storage, and security are satisfied. If HDX policies are configured using Studio,
they are applied only to HDX (ICA) connected XenApp and XenDesktop sessions. If HDX policies are configured using the
Group Policy Management Console (GPMC), global settings will be applied to all connected XenApp and XenDesktop
sessions regardless of the protocol being used.
Policies are the most efficient method of controlling connection settings, security settings, bandwidth settings, and some
feature settings such as Profile Management in a XenApp and XenDesktop environment.
Each policy can contain multiple settings. You can work with policies through Studio or the Group Policy Management
Console.
ot
N
Determine which console will be used to create or modify the policy.
rr
1.
fo
To create policies:
or
io
ut
Configure printing policies.

Configure Remote Assistance.
Prioritize the policies.
Run the Resultant Set of Policies (RSOP).
Configure Citrix Profile Management settings.
rib
st
di
5.
Create the policy from scratch or by using a template.

Configure the settings for the policy.
Prioritize the policy to address conflicting policies. For example, one policy removes a printer, while another policy
provides a printer. Which one should prevail? The one with the highest priority.
Run a Resultant Set of Policy to analyze the policies/filters/prioritization settings.
2.
3.
4.
al
es
If the Group Policy Management Console is used to create the policy, the policy is applied to the selected OU.
If Citrix Studio is used to create the policy, the policy is applied based on the OU, and the filters you configure
after the policy settings are added.
Module Timing: 2.5 hours

At
Controller-1 = On
FileServer-1 = On
SQLServer-1 = On
Static-PvD-01 = On
All other VMs = Off
Module 6: Setting Up Policies
159
Installing the Group Policy Management Feature

The Group Policy Management Console is a tool that can be used to create, edit, and manage group policy objects, and model
policies to simulate the Resultant Set of Policy. The Group Policy Management feature can be used to add the Group Policy
Management Console to a non-domain controller. In order to use the Group Policy Management Console to create, edit, and
manage policies provided by XenApp and XenDesktop, you must install the Group Policy Management Console on a system
running Studio.
Policies can also be created using Studio. If the same policy settings are configured in both the Group Policy Management
Console and in Studio, the policy settings configured in the Group Policy Management Console will take precedence. An
exception to this rule is the Session printer policy settings. If Session printer policy settings are configured in both consoles,
the settings will be merged to produce the Resultant Set of Policy.
To Install the Group Policy Management Feature

The Group Policy Management feature has already been installed on Controller-1 (the VM hosting Citrix Studio
in our lab environment.) You do not need to complete this procedure in the lab environment. The steps are being
provided for informational purposes only.
Log on to a computer hosting Citrix Studio using domain administrator credentials.
Click Add roles and features in the Server Manager.
Click Server Selection > Features in the left pane.
Select Group Policy Management.
Click Next on the Select features screen.
Click Install.
Wait for the installation to complete and then click Close.
ot
fo
Configuring Printing Policies
al
es
rr
1.
2.
3.
4.
5.
6.
7.
When a session is being established, XenApp and XenDesktop:
st
di
Determines which printers to provide to the end user. This is known as printer provisioning.
Restores the end-user's printing preferences.
Determines which printer is the default for the session.
rib
or
In a XenApp and XenDesktop environment, all printing is initiated (by the end user) on machines through applications. Print
jobs are redirected through the network print server or endpoint to the printing device.
Configuring the Universal Printer Driver
io
ut
You can customize how XenApp and XenDesktop performs these tasks by configuring options for printer provisioning, print
job routing, printer property retention, and driver management.
The Universal Print Server uses the Universal Printer Driver. This solution enables you to use a single driver to allow network
printing to any device. The Universal Printer Driver is installed when the VDA is installed on the Server OS machine or
Desktop OS machine and can be configured for use using a policy.
By default, the Universal Print Server uses a Universal Printer Driver only if the requested driver is unavailable. Other options
include:
Use only printer model specific drivers, if the printer model-specific driver is unavailable, the printer will not be
created.
Use universal printing only, if a suitable universal driver is unavailable, the printer will not be created.
Use printer model specific drivers only, if universal printing is unavailable. If a universal driver is available it will be
used, otherwise a printer model-specific driver will be used.
If the default setting works for your environment, you do not need to create a policy to configure Universal Printer Driver
usage.
160
The following procedure is provided for informational purposes only. You do not need to configure Universal
Printer Driver usage for the lab environment.
To Configure the Universal Printer Driver

1.
ot
fo
Discussion Question
al
es
rr
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
Log on to a VM with the Group Policy Management feature and Citrix Studio installed using domain administrator
credentials.
Click Tools in the Server Manager window and then click Group Policy Management.
Browse to the OU where you want to create and link the policy.
Type a descriptive name in the Name field and then click OK.
Double-click User Configuration > Policies > Citrix Policies.
Click Edit to open the Unfiltered policy.
Click the Settings tab in the Edit Policy window.
Select Printing > Drivers in the Categories field.
Select Add to the right of the Universal printer driver usage setting.
Select the appropriate value from the drop-down list box and then click OK.
Click OK to close the Edit policy window.
Close the Group Policy Management Editor window.
Where is the Citrix Universal Print Server software installed and how is it installed?
Where is the Citrix Universal Printer Driver installed and when is it installed?
or
st
di
Configuring Client Printer Auto-Creation
ut
rib
The Auto-create policy setting specifies the client printers that are auto-created and enables you to limit the number or type
of printers that are auto-created. During printer auto-creation, if a new local printer connected to an endpoint is detected, the
resource is checked for the required printer driver. By default, if a Windows-native driver is not available, the Universal
Printer Driver is used. This setting overrides the default client printer auto-creation settings and takes effect only if the Client
printer redirection setting is present and set to Allowed.
Other options include:
Auto-create all client printers creates all printers on the endpoint.
io
By default, XenApp and XenDesktop auto-creates all printers available on the endpoints.
The Client printer redirection setting should also be enabled if this option is selected so client printers can be
mapped. By default, the Client printer redirection setting is enabled.
Do not auto-create client printers turns off printer auto-creation when end users log on.
Auto-create the client's default printer only automatically creates only the printer selected as the client's default printer.
Auto-create local client printers only automatically creates only printers directly connected to the endpoint through
LPT, COM, USB, or another local port.
If the default setting works for your environment, you do not need to create a policy to configure printer auto-creation.
161
At the start of an end-user session, XenApp and XenDesktop auto-creates all printers available on the endpoint, by
default. Locally attached printers (i.e. USB) as well as network-based printers (i.e. via print server) can be
connected to the endpoint. This process is also referred to as local printer mapping. In environments with a large
number of printers per end user, you should only auto-create the default printer. Auto-creating a smaller number
of printers creates less overhead (memory/CPU) and can reduce end-user logon times.
To Modify the Printer Auto-Creation Behavior

1.
credentials.
2.
The Group Policy Management console may open behind the Server Manager window.
3.
ot
4.
fo
Right-click Training Virtual Desktops and then click Create a GPO in this domain, and Link it here.
rr
5.
Type a descriptive name for the policy in the Name field and then click OK.

Select Printing in the Categories field.
Click Add to the right of the Auto-create client printers setting.
Select the appropriate value and then click OK.
or
st
di
n
io
13. Click OK to close the Edit Policy window.

14. Close the Group Policy Management Editor window.
ut
Select Auto-create the client's default printer only and then click OK.
rib
7.
8.
9.
10.
11.
12.
Right-click Print Settings and then click Edit.
al
6.
es
Type Print Settings and then click OK.
Discussion Question
How is the default printer determined for a session?
Configuring Session Printers

The Session printers setting enables administrators to control the assignment of network printers so that administratively
assigned printers are created within each session and presented to the end user, based on the location of the endpoint (also
known as proximity printing). Network printers created with the Session printers policy setting in Citrix Studio can vary
according to where the session was initiated by using filters based on geographic indicators such as IP address or client name.
For example: You can filter Session printer policies by IP address to enable end users within a specified IP address range to
automatically access the network printing devices that exist within that same range. When proximity printing is configured
and an employee travels from one department to another, no additional printing device configuration is required. Once the
162
endpoint is recognized within the IP address range of the new department, it will have access to all network printers within
that range. Proximity printing is provided by the Citrix Universal Printer Driver.
Session printers are an optimal configuration for scenarios where:
Users roam between locations using the same endpoint (i.e. laptop).
Thin clients are used, which do not have the ability to connect to network based-printers directly.
Specific printers are required to fulfill corporate policy, such as assigning a fax printer to all end users.
Printer provisioning is typically handled dynamically. That is, the printers that appear in a session are not predetermined and
stored, rather they are assembled, based on policies, as the session is built during log on and reconnection. As a result, the
printers can change according to policy, end-user location, and network changes, provided they are reflected in policies. Thus,
end users who roam to a different location might see different printers. For example, if a health care worker disconnects from
an endpoint in the emergency room of a hospital and then logs on to an endpoint in the X-ray laboratory, the policies,
printer mappings, and client drive mappings appropriate for the session in the X-ray laboratory go into effect at the session
startup. By default, printers are available in sessions by creating all printers configured on the endpoint automatically,
including locally attached and network printers.
This policy can also be created using the Group Policy Management Console, but is being performed in Citrix
Studio to demonstrate how policies are created in Citrix Studio. Administrators that do not have permission to
create policies in Active Directory can create policies using Citrix Studio.
ot
To Configure Session Printer Settings

Ensure that a Print Server with printers defined on it is started.
fo
1.
Log on to a VM with Citrix Studio installed on it using your domain credentials.
es
2.
rr
Right-click the UniversalPrintServer-1 VM and then click Start, if not already started.
al

Click the Policies node in Citrix Studio and then click Close to close the Welcome screen.
Click Create Policy in the right pane of the console.
Select Printing in the All Settings field.
Click Select to the right of the Session printers setting.
or
st
di
3.
4.
5.
6.
7.
Click Add in the Edit Setting window.

Type the UNC path to the Print Server and then click Browse.
Type \\UPS-1 and then click Browse.
io
8.
9.
ut
rib
This setting identifies the network printer to be auto-created in a session. You can add printers to the list, edit
the settings of a list entry, or remove a printer from the list. The printers listed are merged with any other
"Session printers" settings applied in other policies.
10. Browse to the printer location on the Print Server, select the desired printer, and then click OK twice.
Double-click Entire Network > UPS-1, select Color Laser Printer, and then click OK twice.
11. Click OK to close the Edit Setting window.
12. Click Next in the Select settings window.
13. Determine to which objects the policy will be assigned and then click Assign to the right of the filter.
Click Assign to the right of the Client IP address filter.
14. Type the IP address range in the IP address field, determine if the IP addresses within the specified range will be allowed
or denied access, and then click OK.
Verify Allow is selected in the Mode field, type 192.168.10.60-192.168.10.80 in the IP address field, and then click
OK.
163
Upon session initialization, the session printer will be created for any resource accessed by an endpoint within
the specific address range. In our lab environment, this will create the printer for those IP addresses, but it will
not enable proximity printing because we do not have multiple subnets and DHCP scopes to demonstrate the
feature with.
When specifying an IP address range, do not add any spaces between the starting IP address, the hyphen, and
the ending IP address.
15. Click Next in the Assign policy to user and machine objects window.
16. Type a name and description for the policy and then click Finish.
Type Session Printers in the Policy name field, type Assigns Color Laser Printer to 192.168.10.60 - 192.168.10.80 in
the Description field, and then click Finish.
17. Click Session Printers in Citrix Studio and then click each of the tabs (Overview, Settings, and Assigned to) to view
information about the policy.
Discussion Question
Which configurations must be in place in order to enable proximity printing?
ot
Optimizing Print Job Routing
fo
In a XenApp and XenDesktop environment, you can control how print jobs destined for network printers are routed using
policies. Jobs can take two paths to a network printing device, the client printing pathway or the network printing pathway. If
the job is being routed to the endpoint, the print job is sent using the HDX (ICA) protocol (client printing pathway). If the
job is being routed directly to the print server, the print job is sent using RPC over SMB (network printing pathway). If you
want to manage printing bandwidth or compression, the print job must be sent using the HDX (ICA) protocol. There is no
Citrix policy that controls the bandwidth or compression when a print job is sent using Microsoft's network printing.
al
es
rr
or
st
di
n
io
ut
rib
The client printing pathway (dashed line) takes a print job from the virtual desktop using a virtual channel in the HDX
protocol and sends it to the endpoint where it is removed from the HDX packet and forwarded via TCP/IP onto the print
server. This behavior must be configured in a policy. If it is not configured, XenApp and XenDesktop routes the print jobs
directly to the print server (solid line).
Routing jobs along the network printing pathway (solid line) is ideal for fast local networks and when you want users to have
the same end-user experience that they have on their local endpoint (that is, when you want the printer names to appear the
same in every session). However, print jobs relayed using the network printing pathway are not suitable for WANs unless the
job is being routed to a Universal Print Server which compresses the job by up to 90%. The routing of print jobs to a nonUniversal Print Server using the network printing pathway uses more bandwidth than using the client printer pathway.
Consequently, end users might experience latency while the print jobs are printing over the WAN when a non-Universal
Print Server is being used. Also, the print job traffic from the server to the print server is treated as regular network traffic,
164
competing with normal HDX (ICA) traffic. When printing across a WAN, you should keep the printer traffic in the HDX
(ICA) packet printer channel when printing to a non-Universal Print Server.
If XenApp and XenDesktop and the print server are on different domains, XenApp and XenDesktop automatically routes the
print job through Receiver (client printing pathway).
HDX (ICA) can use multiple virtual channels. When print jobs are delivered over an HDX (ICA) virtual channel, other
virtual channels (such as video) may compete for bandwidth leading to decreased performance. To prevent this, you can
create a policy to manage the printer bandwidth in the virtual channel. Printer bandwidth limits can be set using the
following settings:
The Printer redirection bandwidth limit setting specifies the fixed bandwidth that is used for printing in kilobits per
second (kbps).
The Printer redirection bandwidth limit percent setting specifies a percentage of the available bandwidth that is used
for printing.
The printing virtual channel will consume bandwidth only when a print job is being sent.
Optimizing Printing Performance

The following practices can improve printing performance:
Use a Universal Print Server and a Universal Printer Driver.

Lower the image quality. The default setting is Standard quality.
ot
fo
In environments where image quality is crucial, lowering the image quality may not be an option.
rr
Enable heavyweight compression.

Ensure that Image Caching and Font Caching settings are enabled. This is the default setting.
To Optimize Printing
or
1.
al
es
st
di
credentials.
rib
2.
3.
Right-click the OU or right-click an existing policy and then click Edit.
Right-click the Print Settings policy and then click Edit.
io
4.
ut
You created the Print Settings policy earlier in this module. If you do not see the policy right-click Training
Virtual Desktops OU and click refresh.
5.
6.
7.
8.
9.

Select Printing from the Categories field.
Click Add to the right of the Universal printing optimization defaults setting.
165
10. Configure the desired settings and then click OK.

a.
b.
c.
d.
e.
Verify that Standard quality is selected in the Desired image quality field.
Select Enable heavy weight compression.
Verify that Allow caching of embedded images is selected.
Verify that Allow caching of embedded fonts is selected.
Click OK.
11. Click OK to close the Edit Policy window.

12. Close the Group Policy Management Editor and Group Policy Management Console windows.
Discussion Question
Print jobs sent along the client printing pathway use less bandwidth than print jobs sent along the network printing pathway.
If this is true, why might end users experience latency in their XenApp and XenDesktop sessions when print jobs are printing
using the client printing pathway?
ot
Configuring Remote Assistance
fo
Windows Remote Assistance allows an administrator to monitor and control another end-user's session remotely. It is most
commonly used to troubleshoot issues on endpoints. Windows Remote Assistance is always installed during the installation of
Director, but is disabled and should remain disabled for security purposes. In addition, Remote Assistance is installed during
the installation of the VDA on machines. TCP port 3389, which is used by Remote Assistance, is opened on the firewall
during the VDA installation.
rr
al
es
In order for IT administrators, Help Desk personnel, and others to initiate Windows Remote Assistance using the Shadow
button in Director, you must enable Remote Assistance using a policy and grant the appropriate administrator groups the
required permissions using a Group Policy Object.
In XenApp 6.5 and earlier, administrators set policies to control ICA based user-to-user shadowing. These policies
have been removed. In this release of XenApp and XenDesktop, Windows Remote Assistance replaces this
functionality. In order for shadowing to work properly, you must configure the Remote Assistance feature on any
server used to remotely assist end users. This feature is configured within the lab environment.
or
st
di
To Configure Remote Assistance Permissions
rib
1.
Log on to a VM with the Group Policy Management feature installed using domain administrator credentials.
io
2.
3.
ut
4.
Right-click the Training Virtual Desktops OU and then click Create a GPO in this domain, and Link it here.
5.
Type a descriptive name in the Name field and click OK.

Type Remote Assistance in the Name field and then click OK.
6.

Right-click the Remote Assistance policy and then select Edit.
7.
8.
166
Double-click Computer Configuration > Policies > Administrative Templates > System and then double-click Remote
Assistance.
Double-click the Configure Offer Remote Assistance setting and then select Enabled.
9.
Specify the level of remote control that will be provided to the helpers.
Verify Allow helpers to remotely control the computer is selected in the Permit remote control of this computer
drop-down menu.
10. Click Show.

11. Type the domain users (domain\username) and domain user groups (domain\group) that will have permission to
remotely control endpoints and then click OK.
a.
b.
c.
d.
e.
f.
Type TRAINING\HelpDesk in the Value field.

Press Tab.
Type TRAINING\XenDesktop Admins.
Press Tab.
Type TRAINING\Domain Admins.
Click OK.
12. Click OK to close the Configure Offer Remote Assistance window.

13. Close the Group Policy Management Editor and Group Policy Management Console windows.
ot
Discussion Question
fo
You enabled the "Configure Offer Remote Assistance" setting for the OU containing the virtual desktops and added the
HelpDesk, XenDesktop Admins, and Domain Admins groups to the policy as directed. In addition, the VDA has been
installed on all of the master images used to create the Desktop OS and Server OS machines in the environment. Your
manager calls you directly and asks for your help. You use a Web browser to access Director and attempt to Shadow the
session, but you get an error. What could be causing the issue?
al
es
rr
Prioritizing the Policies
or
Over time, policies will accrue in an environment. Sometimes these policies will conflict. When a conflict occurs, the priority
of the policy will dictate which settings will prevail.
st
di
When working in an environment with multiple policies, you need to determine how to prioritize them, how to create
exceptions, and how to view the effective settings when policies conflict. In general, policies override similar settings
configured for the entire site, for specific controllers, or on the endpoint.
io
ut
rib
167
ot
N
fo
al
es
rr
e
Policies are processed in the following order:

1. End user logs on to an endpoint using domain credentials.
2. Credentials are sent to domain controller.
3. AD applies all policies (user, device, organizational unit, and domain).
4. End user logs on and accesses a XenApp and XenDesktop resource.
5. Citrix and Microsoft policies are processed for the end user and endpoint.
6. AD determines precedence for policy settings and applies them to the registries of the endpoint and XenApp
and XenDesktop machine.
7. End user logs off of the hosted resource. Citrix (HDX) policies for the end user and end-user's endpoint are
no longer active.
8. The end user logs off the endpoint, which releases the GPO user policies.
9. The end user powers down the device, which releases the GPO computer policies.
or
st
di
io
ut
rib
Prioritizing policies allows you to define the precedence of policies when they contain conflicting settings. The process used to
evaluate policies is as follows:
1.
2.
When an end user logs on, all policies that match the assignments for the connection are identified.
The identified policies are sorted into priority order and multiple instances of any setting are compared. Each setting is
applied according to the priority ranking of the policy.
You prioritize policies by changing the priority number. By default, new policies are given the lowest priority. If policy
settings conflict, the setting in the policy with a higher priority (a priority number of 1 is the highest) overrides the setting in
a policy with a lower priority. Settings not configured in a policy are ignored. If a setting is configured in a lower-ranking
policy and not configured in a higher-ranking policy, then the setting in the lower-ranking policy will take effect.
In the Group Policy Management Console, the priority of multiple policies bound to the same OU can be
modified.
168
When you create policies for groups of end users, endpoints, or servers, you may find that some members of the group
require exceptions to some policy settings. You can create exceptions by:
Creating a policy only for those group members who need the exceptions and then ranking the policy higher than the
policy for the entire group.
Using the Deny mode for an assignment added to the policy.
An assignment with the mode set to Deny applies a policy only to connections that do not match the assignment criteria. For
example, a policy contains the following assignments:
1.
2.
Assignment A is a Client IP address assignment that specifies the range 208.77.88.* and the mode is set to Allow.
Assignment B is a User assignment that specifies a particular end-user account and the mode is set to Deny.
The policy is applied to all end users who log on to the farm with IP addresses in the range specified in Assignment A.
However, the policy is not applied to the end user logging on to the farm with the user account specified in Assignment B,
even though the end-user's endpoint is assigned an IP address in the range specified in Assignment A.
Changing the Priority of the Policy
ot
You can use multiple policies to customize the environment to meet end-users' needs based on their job functions, geographic
locations, or connection types. Sometimes the settings in one policy conflict with the settings in another policy. For example,
for security reasons you may need to place restrictions on end-user groups who regularly work with highly sensitive data. You
can create a policy that prevents all end users from saving sensitive files on their local client drives. However, if some people
in the end-user group need access to their local drives, you can create another policy for only those end users.
fo
You can rank or prioritize the policies to control which one takes precedence. Settings in policies with a higher priority take
precedence over conflicting settings in policies with a lower priority. When using multiple policies that contain conflicting
settings, you need to know how to prioritize them.
rr
al
es
You can change the priority of a policy in Citrix Studio by selecting the Policy node, selecting the policy in the
Policies pane, and then selecting the Higher Priority or Lower Priority option in the Actions pane on the right.
credentials.
st
di
1.
or
To Change the Priority of a Policy
rib
Browse to the OU where you want to prioritize the policies.
ut
2.
3.
4.
The policies attached to the OU appear in the right pane.
io
Select the policy in the right pane in the Linked Group Policy Objects tab whose priority needs to be changed.
Select the Remote Assistance policy.
5.
Select the up or down arrow to the left of the list of policies to increase or decrease the priority of the policy.
Select the up arrow on the left side of the policies list to increase the priority of the Remote Assistance policy.
This is only being done to illustrate how to change the priority of policies. Moving this policy will have no
effect, because none of the policies have conflicting settings.
6.
Close the Group Policy Management Console.
169
Discussion Question
One of your team members created an unfiltered policy that enables the integration of locally installed applications on the
desktops of Server OS and Desktop OS machines and linked it to the OU containing all virtual desktops. When end users
launch one of these locally-installed applications using the desktop shortcut, the application appears to be running on the
virtual desktop even though it is running on the local device. Members of the Accounting department are utilizing the Bring
Your Own Computer (BYOC) initiative at work. The Accounting manager wants to remove locally-installed application
integration for members of the Accounting department. What can you do to accomplish this?
Running the Resultant Set of Policy

When multiple policies settings are configured in an environment, it can be difficult to determine the effect of those settings
on a resource or end user. You can model the outcome of the policy settings on a connection using the Citrix Group Policy
Modeling Wizard. With the Citrix Group Policy Modeling Wizard, you can specify conditions for a connection scenario such
as domain controller, end users, Citrix policy assignment evidence values, and simulated environment settings such as slow
network connection. The report that the wizard produces lists the policies that would likely take effect in the scenario.
The Citrix Group Policy Modeling Wizard can be run from Studio and from the Group Policy Management Console. If you
created policies using:
ot
fo
Studio only, you should use the Citrix Group Policy Modeling Wizard from Studio.
Studio and the Group Policy Management console, you should use the Citrix Group Policy Modeling Wizard from
Studio.
Group Policy Management Console only, you should use the Citrix Group Policy Modeling Wizard from the Group
Policy Management Console.
rr
Log on to a Delivery Controller with administrator credentials.
1.
al
es
To Create a Resultant Set of Policy Using the Group Policy Management

Console
Right-click Citrix Group Policy Modeling and then click Citrix Group Policy Modeling Wizard.
Click Next in the Welcome screen.
Specify the domain controller that will process the Resultant Set of Policy.
8.
Click Next to use AD.training.lab.
io
ut
5.
6.
7.
rib
Expand the Forest: training.lab node.
st
di
Click Tools in Server Manager.

Click Group Policy Management.
Expand the Forest node.
or
2.
3.
4.
Specify the OU containing the end users or computers you want to model and then click OK.
a.
b.
c.
Click Browse to the right of Container in the Computer Information field.

Double-click Training > Training Virtual Desktops > Servers.
Click OK.
9. Click Next on the User and Computer Selection screen.

10. Specify the filter criteria to use and then click Next.
Click Next.
11. Specify the advanced simulation options and then click Next.
Click Next.
12. Click Run.
170
13. Click Close in the Completing screen to view the report .

14. Review the policy modeling report to determine which policies were applied and have an effect on the selected end users
or computers.
15. Close the modeling results window.
Discussion Question
You opened the Group Policy Management Console, but cannot find the Citrix Group Policy Modeling wizard. What might
be the issue?
Troubleshooting Policies
The following table provides resolutions for policy issues.
Resolution
A new policy does not get applied.
Run the gpupdate /force command to process and apply all

group policies to a computer or end user.
ot
Issue
Verify that:
The policies that you want to apply to those connections
are enabled.
The policies have the appropriate settings configured.
The priority of a policy with conflicting settings does not
have a higher priority.
Policy settings configured in Group Policy Management
are not overriding the settings in a policy created in
Studio.
fo
Policies applied to hosted applications and desktops under

conditions that match the policy evaluation criteria are not
affected by any policy settings.
al
es
rr
or
st
di
Setting Up Citrix Profile Management
To Configure a Profile Management Share

1.
io
ut
rib
End-user profiles contain properties and settings for each end user accessing resources using XenApp and XenDesktop. When
end users access a resource (desktop or application), their profile is loaded. You can elect to use a third-party profile
management solution, Group Policy Objects, or Citrix Profile Management to configure profile settings. In this version of
XenApp and XenDesktop, Citrix Profile Management is integrated into XenApp and XenDesktop as policy settings. Citrix
Profile Management provides 78 policy settings that allow you to finely control your end-user profiles. Earlier in the course,
you configured folder redirection. It is common to use both folder redirection and Citrix Profile Management in an
environment.

2.
3.
4.
5.
Click Server Manager and then click File and Storage Services.
Click Shares and then click Tasks > New Share.
Verify SMB Share - Quick is selected and then click Next.
Select the volume that will host the profile management share and then click Next.
Select E: in the Volume column and then click Next.
6.
Type a name for profile management share and then click Next.
Type UPM$ in the Share name field and then click Next.
171
7.
Configure the share settings and then click Next.

Deselect Allow caching of share, select Enable access-based enumeration, and then click Next.
Access-based enumeration displays only the files and folders that an end user has permissions to access.
8.
9.
10.
11.
Click Customize permissions.

Click Disable inheritance and then click Remove all inherited permissions from this object.
Click Add to add permissions.
Click Select a principal and then type System in the Enter the object name to select field.
The System account is used by the operating system and Windows services.

Select Full Control for the Basic permissions and then click OK.
Type Domain Admins in the Enter the object name to select field.
Select Full Control for the Basic permissions and then click OK.
Type Creator Owner in the Enter the object name to select field.
Select Subfolders and files only in the Applies to field, select Full Control for the Basic permissions, and then click OK.
Type Everyone in the Enter the object name to select field.
Select This folder only in the Applies to field.
Click Clear all to clear all permissions and then click Show advanced permissions.
Select the following advanced permissions for the account:
Traverse folder / execute file
List folder / read data
Read attributes
Create folders / append data
28. Click OK to add the permissions and then click OK to close the Advanced Security Settings for the share.
ot
fo
al
es
rr
or
st
di
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
io
ut
rib
You are setting the permissions on the share such that end users can access their folders only, and new folders
can be created for new end users dynamically. For more information, see
http://support.microsoft.com/kb/274443.
29. Click Next and then click Create.
30. Click Close when the process is completed.
To Configure the Profile Management Settings

This procedure only implements a few of the policy settings. You should evaluate your end-user and
environmental requirements and configure your profile management settings accordingly. For more information
about properly configuring Profile Management, see http://blogs.citrix.com/ and search for "Citrix Profile
Management and VDI". Include the quotes in the search to limit the search results.
172
1.
credentials.
2.
3.
Click Tools in the Server Manager window and then select Group Policy Management.
Browse to the OU containing the desktops to create a policy to enable Citrix Profile Management.
You want a set of common profile settings to apply to both Server OS and Desktop OS machines and custom
profile settings for Server OS and Desktop OS machines so the profiles for the end users will go to different
sub-directories.
4.
Right-click the OU containing the virtual desktops and then click Create a GPO in this domain, and Link it here.
Right-click Training VirtualDesktops and then click Create a GPO in this domain, and Link it here.
5.
Type a name for the policy and then click OK.

Type Citrix Profile Management - Common Settings in the Name field and then click OK.
6.

Click Edit and then click the Settings tab to edit the unfiltered policy.
Select Profile Management > Basic settings in the Categories field.
Determine if Profile Management should be enabled and then click OK.
fo
es
rr
7.
8.
9.
10.
ot
Right-click Citrix Profile Management - Common Settings and then click Edit.
Click Add to the right of the Enable Profile management setting, select Enabled, and then click OK.
al
By default to facilitate deployment, Profile Management does not process logons or logoffs. You can turn on
processing by enabling a policy setting. If the policy setting is not configured, the value from the .ini file is
used. If the policy setting is not configured here or in the .ini file, Profile Management does not process
Windows end-user profiles in any way.
or
st
di
11. Determine if you want to enable Active write back and then click OK.
Click Add to the right of the Active write back setting, select Enabled, and then click OK.
rib
io
ut
With active write back:

Files and folders (but not Registry entries) that are modified can be synchronized to the end-user store in
the middle of a session, before the end user logs off.
If this setting is not configured here, the value from the .ini file is used.
If this setting is not configured here or in the .ini file, active write back is disabled.
12. Select Profile Management > Streamed user profiles in the Categories field.
13. Determine if end-user profiles will be streamed and then click OK.
Click Add to the right of the Profile streaming setting, select Enabled, and then click OK.
With profile streaming:
End-user profiles are synchronized on the local computer only when they are needed.
Registry entries are cached immediately, but files and folders are only cached when accessed by end users.
173
16. Browse to the OU containing Desktop OS machines.

Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops > Desktops in the Group
17. Right-click the OU for the Desktop OS machines and then click Create a GPO in this domain, and Link it here.
Right-click Desktops and then click Create a GPO in this domain, and Link it here.
18. Type a name for the policy and then click OK.
Type Citrix Profile Management - Desktops path to user store in the Name field and then click OK.
19. Right-click the newly created policy and then click Edit.
Right-click Citrix Profile Management - Desktops path to user store and then click Edit.
20.
21.
22.
23.

Specify the path to the user store for end users of Desktop OS machines.
Click Add to the right of the Path to user store setting.
Verify that Enabled is selected.
Type \\FS-1\UPM$\%USERNAME%.%USERDOMAIN%\Win8 in the text box below Enabled and then click
OK.
ot
a.
b.
c.
fo
es
rr

26. Browse to the OU containing Server OS machines.
al
Double-click Forest: training.lab > Domains > training.lab > Training Virtual Desktops > Servers in the Group
27. Right-click the OU for the Server OS machines and then click Create a GPO in this domain, and Link it here.
or
Right-click Servers and then click Create a GPO in this domain, and Link it here.
st
di
28. Type a name for the policy and then click OK.
Type Citrix Profile Management - Servers path to user store in the Name field and then click OK.
rib
29. Right-click the newly created policy and then click Edit.

Determine if a path to the user store for end users of Server OS machines should be specified.
io
30.
31.
32.
33.
ut
Right-click Citrix Profile Management - Servers path to user store and then click Edit.
a.
b.
c.
Click Add to the right of the Path to user store setting.

Verify that Enabled is selected.
Type \\FS-1\UPM$\%USERNAME%.%USERDOMAIN%\Win2012 in the text box below Enabled and then
click OK.

35. Close the Group Policy Management Editor and the Group Policy Management Console.
Discussion Question
Citrix Profile Management is installed during which XenApp and XenDesktop component installations?
174
Reinforcement Exercise: Configuring a Session Printer

Configure printing policies.

Configure Remote Assistance.
Prioritize the policies.
Test the Resultant Set of Policies (RSOP).
Configure Citrix Profile Management settings.
You are ready to try your hand at creating a policy that provides members of the Accounting group with access to a network
printer.
ot
Training wants you to provide members of the Accounting group with a network printer. This end-user group already has
access to the Color Laser Printer that you configured in a policy named Session Printers using Studio. However, the
Accounting group needs to print documents on large sheets of paper, so they require access to a special printer. You have
Active Directory permissions, so you decide to create the session printer using Group Policy Management.
rr
Create a new policy named Accounting Session Printers using Group Policy Management.
Attach the policy to the Training Users > Accounting OU.
Edit the Unfiltered policy under User Configuration > Policies > Citrix Policies.
Add the Accounting printer from the UPS-1 Print Server to the Unfiltered policy.
al
es
1.
2.
3.
4.
fo
or
st
di
n
io
ut
rib
175
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
176
Module 7
Setting Up Provisioning
Services
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
178
Setting Up Provisioning Services

Overview
Provisioning Services allows multiple virtual machines to start up from the same virtual disk (vDisk). This many-to-one
relationship simplifies disk management and storage requirements. Provisioning Services improves the scalability of the
environment by allowing the instant provisioning of resources on demand.
Install and configure Provisioning Services.

Install the Provisioning Services Console.
Configure DHCP Options 66 and 67.
Configure the bootstrap file for high availability.
Create a vDisk and assign it to a target device.
Create a machine catalog from Provisioning Services.
Create a Delivery Group for the machine catalog created with Provisioning Services.
Controller-1 = On
FileServer-1 = On
SQLServer-1 = On
All other VMs = Off
fo
al
es
rr
or
At
ot
st
di
Provisioning Services Architecture
io
ut
rib
Provisioning Services works differently than Machine Creation Services to provide resources to users. Provisioning Services
allows computers to be provisioned and re-provisioned in real-time from a single shared vDisk. In doing so, administrators
can completely eliminate the need to manage and update individual systems. Instead, all image management is done on the
master vDisk. The local hard-disk drive of each system may be used for runtime data caching or, in some scenarios, removed
from the system entirely, which reduces power usage, system failure rates, and security risks.
Module 7: Setting Up Provisioning Services
179
ot
MCS and PVS are two mechanisms that do basically the same thing in different ways. While MCS is all about storage, PVS
relies on network. With PVS, you start off with a Master Target Device, capture the disk as a new vDisk and then target
devices use the vDisk. The AD-identity comes from an additional disk in MCS, while PVS uses database entries for this.
fo
The Provisioning Services infrastructure is based on software-streaming technology. After installing and configuring
Provisioning Services components, a vDisk can be created by imaging a hard disk that contains the operating system with
applications installed to a vDisk file on the network. A device that is used to create the vDisk is called the Master Target
Device. The devices that use the vDisk are called target devices. Writes with MCS are saved to a Differencing Disk, while
writes with PVS are saved to a Write Cache.
es
rr
al
The target device downloads a boot file from a Provisioning Services server, and then uses that boot file to start. Based on the
device boot configuration settings, the appropriate vDisk is located, and then mounted on the Provisioning Services server.
The software on the vDisk is streamed by the Provisioning Services server to the target device as needed. To the target device,
it appears like a regular hard drive.
or
Instead of immediately pulling all of the vDisk contents down to the target device (as is done with traditional or imaging
deployment solutions), the data is brought across the network in real-time, as needed. This approach allows a target device to
get a completely new operating system and set of software in the time it takes to restart, without requiring an administrator to
visit the endpoint. This approach dramatically decreases the amount of network bandwidth required by traditional disk
imaging tools; making it possible to support a larger number of target devices on the network without impacting overall
network performance.
st
di
io
ut
rib
Provisioning Services can be explained using a hard drive controller card replacement analogy:
180
1.
2.
3.
4.
Target device A powers on and uses TFTP to download a driver called the bootstrap file (ARDBP32.BIN). This driver
provides the target device with the connection required to get its vDisk (virtual hard drive).
Target device A uses the bootstrap file to request that Provisioning Services send the boot sector from the vDisk.
Provisioning Services accesses the vDisk from storage and dynamically merges the boot sector with the SQL Server data
to apply the appropriate SID based on the MAC address of the target device.
As the target device starts up, further requests for additional sectors from the vDisk are accessed in the same method, but
I/O requests are made directly to the vDisk. With Provisioning Services, the entire vDisk is not streamed to the target
device. Instead, sectors are sent to the target device as needed.
Discussion Question
What is meant by the terms Master Target Device and target device?
Setting Up A Provisioning Services Server
A Provisioning Services server is used to stream vDisk sectors as needed, to target devices. In some implementations, vDisks
reside directly on the Provisioning Services server. In larger implementations, Provisioning Services servers access the vDisk
from a shared-storage location on the network.
ot
Provisioning Services servers use an SQL Server database to store and retrieve configuration information.
fo
Creating a Service Account for Provisioning Services
rr
al
es
A service account is used by two services in Provisioning Services, the Citrix PVS SOAP Server and the Citrix PVS Streaming
Service. The service account can be a local system account, network service account, or a named user account. The service
account is not required for installation.
To Create a Service Account for Provisioning Services
or
In this procedure, you will create a named user account for the Provisioning Services service account.
st
di
1.
Browse to the service account OU for the domain.
Double-click training.lab > Training Service Accounts.
Right-click the service account OU and then click New > User.
4.
io
ut
2.
3.
rib
Right-click the Training Service Accounts OU and then click New > User.
5.
Type the name for the new service account into the First name and User logon name fields and then click Next.
Type PVS_svc in the First name field and the User logon name field and then click Next.
6.
Type the desired password for the service account into both password fields.
Type Password1 in the Password and Confirm password fields.
7.
Configure the password rules for the service account and then click Next.
Deselect User must change password at next logon, select User cannot change password and Password never
expires, and then click Next.
8.
Click Finish.
181
This account does not need domain administrator permissions because you will be using a share for
Provisioning Services that allows this account access to it.
9.
Add the newly created service account to the service accounts group.
a.
b.
Right-click PVS_svc and then click Add to a group.

Type Service Accounts, click Check Names, and then click OK twice.
Adding this account to the Service Accounts group in our lab environment prevents interactive logon because you
created a Group Policy Object in Module 3 that disallows logon locally permissions for the Service Accounts
group.
Creating a Share for the Store

Provisioning Services requires at least one store to provide booting target devices with a vDisk. A store is the logical name for
the physical location of PVS vDisks or golden images. The Provisioning Services service account must be granted
read/write/create privileges to the store share.
ot
When vDisks are created in the Provisioning Services Management Console, they are assigned to a store. Within a site, one or
more Provisioning Services servers are given permission to access a store in order to serve vDisks to target devices. A
Provisioning Services server checks the database for the store name and the physical location where the vDisk resides, in
order to provide a vDisk to the target device.
fo
rr
In a highly available implementation, if the active Provisioning Services server in a site fails, the target device can get its vDisk
from another Provisioning Services server that has access to the store and permissions to serve the vDisk.
al
es
There are three locations administrators can choose to place the store: local storage to the Provisioning Services server, local
storage on multiple Provisioning Services servers with replication, and shared storage like a SAN or SMB share.
or
st
di
io
ut
rib
The following considerations explain the locations to choose for the vDisk Store:
vDisk Store Location
Considerations
The vDisk Store can be placed on the

local storage of the Provisioning
Services Server.
The vDisks reside on a local folder on a

single PVS server. High-availability is
not supported with this model.
The vDisk Store can be placed on the

local storage of multiple Provisioning
Services Servers with the latest version
of each vDisk replicated across the
server.
In order to support high availability

these replicated vDisks must be
identical. Replication can be done
manually or using solutions like DFS
replication. Note that the *.vhd, *.avhd,
and *.pvp files for each vDisk should be
replicated, but not *.lok which specifies
its location.
The vDisk can be placed on shared

storage.
This model requires a single vDisk

without replications, but requires shared
storage.
182
Diagram Label
To Create the Share for the Store

1.
Log on to the file server where the share will be created using domain administrator credentials.
2.
3.
4.
Click File and Storage Services in the left pane of the Server Manager and then click Shares.
Click Tasks in the center pane and then select New Share.
Select a File share profile and then click Next.
Verify SMB Share - Quick is selected and then click Next.
5.
Select the drive on the file server where the share will be created and then click Next.
Select E: in the Select by volume section and then click Next.
6.
Type a descriptive name for the share in the Share name field and then click Next.
Type vDisks in the Share Name field and then click Next.
7.
8.
Deselect Allow caching of share and then click Next on the Configure Share Settings screen.
Click Customize permissions and then configure the permissions for the share.
ot
Click Customize permissions, click Disable inheritance, and then click Remove all inherited permissions from this
object.
fo
9. Click Add, click Select a principal, type System, click Check Names, and then click OK to add a principal to the share.
10. Select Full Control and then click OK.
11. Click Add, click Select a principal, type the name of the Provisioning Services administrators, click Check Names, and
then click OK to add a principal to the share.
es
rr
Click Add, click Select a principal, type TRAINING\Administrator, click Check Names, and then click OK.
al

13. Click Add, click Select a principal, type the name of the service account created for Provisioning Services, click Check
Names, and then click OK to add a principal to the share.
or
Click Add, click Select a principal, type PVS_svc, click Check Names, and then click OK.
io
ut
rib
Write Cache Considerations
st
di

15. Click OK and then click Next.
16. Click Create and then click Close.
When the Provisioning Services vDisk is in standard image mode a write cache is required to store any machine writes. The
write cache location is flexible and can be placed in several places: Target Device hard drive, Target Device RAM, Target
Device RAM with overflow to hard drive, or on the Provisioning Services server.
183
The following considerations explain the locations to choose for the Write Cache:
Diagram Label
Considerations:
The Write Cache can be placed on the

target device hard drive.
This option limits the network

communication to reads only on the
standard vDisk. This option requires no
additional software to enable this
feature. In this case the write cache file
is temporary.
ot
Write Cache Location
fo
es
rr
target device RAM.

target device RAM with overflow on
hard disk (only available for Windows 7
and Server 2008 R2 and later).
This option frees up the Provisioning

Services Server and limits the network
standard vDisk. This option uses target
device paged pool memory when it is
available and overflows the write cache
is the local disk when required. This
option allows for both optimal
performance without a large memory
requirement.

Provisioning Services Server disk.
In this option both reads and writes are

handled by the Provisioning Services
Server, which causes an increase disk
I/O and Network traffic. The write
cache on server disk is temporary
between server reboots.

Provisioning Services Server disk
persisted.
In this option both reads and writes are

handled by the Provisioning Services
Server, which causes an increase disk
I/O and Network traffic. The write
cache on server disk is persistent
between reboots.
al
or
st
di
This option frees up the Provisioning

Services Server and limits the network
standard vDisk. This option provides
the fastest method of disk access since
memory access is always faster than disk
access. It requires sufficient memory for
the machine to remain operational.
io
ut
rib
184
Citrix leading practice is to use the RAM cache with overflow to the hard disk method for storing the write cache whenever
possible.
Reference the following URL for more information on write cache locations: http://docs.citrix.com/enus/provisioning/7-1/pvs-product-wrapper-6-2/pvs-technology-overview-write-cache-intro.html.
Discussion Question
Where can vDisks be stored for use with Provisioning Services?
Creating Windows Firewall Exceptions

Provisioning Services uses UDP and TCP for the following communications:
ot
fo
al
es
rr
Provisioning Services server to Provisioning Services server - at least five ports must exist in the port range selected. Ports
must be selected from the following range: UDP ports 6890 - 6909.
Provisioning Services server to target devices over the Stream Service: UDP ports 6910 - 6930. UDP ports 6910-6912 are
reserved for Provisioning Services.
Target devices to Provisioning Services servers: UDP 6901, 6902, 6905. These ports cannot be changed.
Target devices communications with the write cache: UDP ports 10802 - 10803.
Provisioning Services Console communications via the SOAP Server: TCP ports 54321 - 54322.
TFTP communications: UDP port 69.
TSB Boot Device Manager communications: UDP port 6969.
PXE (DHCP) communications: UDP port 67.
Alternate boot service: UDP port 4011.
To enable Provisioning Services communications, you must open up these inbound ports on the firewalls of the servers
hosting these components. You can open these ports manually on each server or use a group policy to simplify the process.
or
To Create Windows Firewall Exceptions
st
di
ut
1.
rib
In the lab environment the firewalls are turned off using a policy, so these exceptions will have no impact. Turning
off the firewall in a production environment is not recommended. You are encouraged to perform these steps in
the lab environment for practice purposes and to uncover any questions you might have about the procedure.
Browse to the OU that will contain the Provisioning Services servers.
2.
3.
io
Double-click Forest: training.lab > Domains > training.lab > Training Servers > PVS.
4.
Right-click the OU for the Provisioning Services servers and then click Create a GPO in this domain and Link it here.
Right-click PVS and then click Create a GPO in this domain and Link it here.
5.
Specify a name for the new group policy object and then click OK.
Type PVS Firewall Exceptions and then click OK.
6.
Right-click the newly created Group Policy Object and then click Edit.
Right-click PVS Firewall Exceptions and then click Edit.
7.
Double-click Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with
Advanced Security > Windows Firewall with Advanced Security.
185
8.
Click Inbound Rules under the Windows Firewall with Advanced Security setting in the left pane, right-click Inbound
Rules, and then click New Rule.
9. Select Port and then click Next.
10. Select UDP and then verify that Specific local ports is selected.
11. Type 6890-6930, 10802-10803 in the Specified local ports field and then click Next.
These ports are used by the Stream Service. For more information about the ports, see the
http://docs.citrix.com/en-us/provisioning/6-1.html and http://support.citrix.com/article/CTX101810 articles.
12. Verify Allow the connection is selected and then click Next.
13. Verify that all profiles are selected and then click Next.
14. Type a descriptive name for the Stream Service ports in the Name field and then click Finish.
Type PVS - Stream Service and then click Finish.
Right-click Inbound Rules and then click New Rule.
Select Port and then click Next.
Verify that TCP and Specific local ports are selected.
Type 54321-54322 and then click Next.
ot
15.
16.
17.
18.
These ports are used by the SOAP Server.
fo
rr
Type PVS - SOAP Service and then click Finish.

Select UDP and then verify that Specific local ports is selected.
Type 67 in the Specified local ports field and then click Next.
or
st
di
22.
23.
24.
25.
al
es
19. Verify that Allow the connection is selected and then click Next.
21. Type a descriptive name for the SOAP Server ports in the Name field and then click Finish.
ut
rib
This port is used for PXE (DHCP) communications. If an alternate service other than DHCP will be used, you
can specify UDP port 4011.
io
28. Type a descriptive name for the PXE Service ports in the Name field and then click Finish.
Type PVS - PXE Service and then click Finish.
29.
30.
31.
32.

Select UDP and then verify that Specific local ports is selected.
Type 69 in the Specified local ports field and then click Next.
This port is used for TFTP communications.
186
35. Type a descriptive name for the TFTP Service ports in the Name field and then click Finish.
Type PVS - TFTP Service and then click Finish.
36. Close the Group Policy Management Editor and Group Policy Management windows.
You should have created four inbound rules.
Discussion Question
Why does Provisioning Services use UDP for Citrix Streaming Services?
Installing Provisioning Services
Provisioning Services streamlines the management of vDisk images (VDI) and provides scalability of the XenApp and
XenDesktop environment. For example, after configuring a Server OS machine to host applications, you can easily use that
machine as a Master Target Device to create a vDisk that can expand to multiple instances instantly using Provisioning
Services.
ot
Provisioning Services consists of two required services: the Citrix PVS SOAP Server, and the Citrix PVS Stream Service. TFTP
is an optional service that can be installed if an existing TFTP server is not currently implemented in the environment. TFTP
is only used to deliver the ARDBP32.BIN file to the target device that is starting up. The difference between FTP (file
transport protocol) and TFTP (trivial file transfer protocol) is that FTP is based on TCP/IP and TFTP is based on UDP.
fo
rr
es
The Citrix PVS SOAP Server is the management service that enables administrative functionality and communication with the
database. The Citrix PVS Stream Service uses the UDP protocol to deliver requested sectors of a vDisk to the target device.
1.
al
To Install Provisioning Services
Right-click the first Provisioning Services VM, click Start, and then click Console.
or
Right-click ProvisioningServicesHost-1, click Start, and then click Console.

Log on to the first Provisioning Services VM using domain administrator credentials.
st
di
2.
Log on to ProvisioningServicesHost-1 using the TRAINING\Administrator and Password1 credentials.
rib
3.
Insert the Provisioning Services installation media in the DVD drive.
Click File Explorer in the taskbar.

Click This PC and then double-click CD Drive (D:).
If the installation wizard does not start, double-click autorun.
6.
7.
8.
io
4.
5.
ut
Select Citrix_ProvisioningServices_7_6_English.ISO in the DVD Drive 1 field.
Select Server Installation in the wizard window.

Click Install to begin the installation of Provisioning Services.
Click Yes in the message to install SQLncx64, if it is presented.
SQLncX64 is the SQL native client and is required if you are using database mirroring. If the SQL native client
is already on the system, you will not be presented with this message.
9.
Wait for the Citrix Provisioning Services wizard to appear and then click Next.
187
If the wizard does not appear on the screen, check the taskbar.

Select I accept the terms in the license agreement and then click Next.
11. Specify your customer information, determine for whom the application will be installed, and then click Next.
Click Next to accept the default information.
12. Specify a destination folder and then click Next.
Click Next to accept the default Destination folder.
13.
14.
15.
16.
17.

Click Finish.
Click OK in the message concerning the PVS Console.
Click Next in the Provisioning Services Configuration wizard screen.
Specify where DHCP is running and then click Next.
Select The service that runs on another computer and then click Next.
ot
fo
DHCP will be used to provide instructions for starting vDisks from the network. Options 66/67 contain the
settings required for PXE booting. Options 66/67 are configured within the DHCP Manager.
rr
es
18. Specify where the PXE Service is running and then click Next.
al
19. Decide whether to create a new farm or join an existing farm and then click Next.
Select Create farm and then click Next.
or
If this is the first Provisioning Services server in the environment, you must create a new farm.
st
di
io
21. Specify a name for the Provisioning Services database and a name for the farm.
ut
Type SQL-1 in the Server name field and then click Next.
rib
20. Specify, in the Server name field, the name of the database server that will host the Provisioning Services database and
then click Next.
Type PVS_db in the Database name field and then verify that Farm is specified in the Farm name field.
22. Specify a site name and a collection name.
Verify that Site is specified in the Site name field and Collection is specified in the Collection name field.
23. Determine which groups will be used for security and then click Next.
Verify that Use Active Directory groups for security and training.lab/Builtin/Administrators are selected, and then
click Next.
24. Type a name for the Provisioning Services store.
Verify that Store is specified as the store name.
25. Specify where the vDisks will be stored.
Type \\FS-1\vDisks and then click Next.
188
vDisks must be stored in a shared directory if multiple Provisioning Services servers will access the same vDisk
simultaneously. You created the FS-1vDisks share earlier in this module.
26. Specify the license server in the License server name field.
Type license.edutestsite.com.
27. Select Validate license server version and communication and then click Next.
28. Select the account to use for the Stream Services and SOAP Server and then click Next.
a.
b.
c.
d.
e.
Select Specified user account.

Type PVS_svc in the User name field.
Type training.lab in the Domain field.
Type Password1 in the password fields.
Click Next.
29. Verify that Automate computer account password updates is selected and then click Next.
ot
This ensures that Provisioning Server resets the Active Directory computer accounts of the provisioned
endpoints before the computer accounts expire in Active Directory.
30. Specify the network card to be used for streaming and management, specify the ports to use, and then click Next.
fo
es
rr
Verify that 6890 is specified as the First communications port, 54321 is specified as the Console port, and then click
Next.
You will use the network cards on this Provisioning Services server (192.168.10.31) in the lab environment.
al
or
31. Select Use the Provisioning Services TFTP service and then click Next.
32. Specify the boot servers that target devices can contact to complete their start up process and then click Next.
Click Next to accept the default Stream Servers Boot List.
st
di
33. Verify that Automatically Start Services is selected and then click Finish.
34. Click OK in the Windows Firewall message.
rib
The message will always appear even if the firewall is turned off.
io
ut
35. Wait while the configuration completes and then click Done.
36. Click Exit and then eject the Provisioning Services media from the DVD drive.
Click Exit and then click Eject to the right of the DVD Drive 1 field to eject the Provisioning Services installation
media.
37. Click the Server Manager icon in the taskbar of the Provisioning Services server and then click Tools > Services.
Service startups can fail in high-latency environments. You should configure the following Recovery settings
for the Citrix PVS SOAP Server, Citrix PVS Stream Service, and Citrix PVS TFTP Service to ensure that these
services start.
38. Right-click Citrix PVS Soap Server and then click Properties.
39. Click the Recovery tab, select Restart the Service in the First failure, Second failure, and Subsequent failures fields, and
then click OK.
40. Right-click Citrix PVS Stream Service and then click Properties.
then click OK.
189
42. Right-click Citrix PVS TFTP Service and then click Properties.
then click OK.
44. Close the Services window.
Discussion Question
How does Provisioning Services simplify the management of updating target devices?
Granting Database Permissions

Before installing the Provisioning Services Console, the service account specified for use with the Provisioning Services Stream
Service and SOAP Service must be configured with db_datareader and db_datawriter permissions to the database. This is
done automatically by the XenApp and XenDesktop Configuration wizard, if the service account has securityadmin
permissions.
The service account configured to access the database does not have securityadmin permissions in the lab
environment, so you must perform the following procedure.
ot
N
Log on to the first SQL Server using domain administrator credentials.
rr
1.
fo
To Grant Database Permissions to the Service Account
2.
es
Log on to SQLServer-1 using the TRAINING\Administrator and Password1 credentials.

Click Start, type SQL Server Management Studio, and then click SQL Server Management Studio.
al
If SQL Server Management Studio does not appear in the Start menu, you probably did not install SQL Server using
the TRAINING\Administrator account. You should log off and log on again using the credentials used to install SQL
Server.
or
3.
Select the first SQL Server in the Server name field and then click Connect.
4.
st
di
Select SQL-1 in the Server name field and then click Connect.
Double-click the first SQL Server and then double-click Security > Logins in the left pane.
ut
rib
Double-click SQL-1 > Security > Logins.
5.
6.
7.
8.
Right-click Logins and then click New Login.

Click Search.
Click Object Types, verify that Users is selected, and then click OK.
Click Locations, double-click Entire Directory and the domain name, and then click OK.
io
If SQL-1 does not appear in the left pane, click Connect above the left pane, select Database Engine, select
SQL-1 in the Server name field, and then click Connect.
Click Locations, double-click Entire Directory> training.lab, and then click OK.
9.
Specify the service account, click Check Names, and then click OK.
Type PVS_svc, click Check Names, and then click OK.
10. Click Server Roles in the left pane and then verify public is selected in the right pane to grant server-wide security
privileges to the specified user.
11. Click User Mapping in the left pane, select the database, and then select db_owner.
Click User Mapping, select PVS_db, and then select db_owner for the role membership.
190
Public must remain selected.
12. Click OK.

13. Verify that the service account appears in the Security > Logins node.
Click Security > Logins and verify that TRAINING\PVS_svc appears.
14. Close the Microsoft SQL Server Management Studio.
Installing the Provisioning Services Console

The Provisioning Services Console is an MMC snap-in used to manage the sites, Provisioning Services servers, target devices,
target device collections, and the lifecycle of the vDisk images. To install the console on a system, PowerShell 2.0 must be
available on that system. In addition, the SOAP Server must be running on a Provisioning Services server in order to
communicate with the console.
Log on to the Provisioning Services VM using domain administrator credentials.
ot
1.
To Install the Provisioning Services Console

fo
2.
rr
Select Citrix_ProvisioningServices_7_6.iso in the DVD Drive 1 field.
es
Click File Explorer in the taskbar.

Click This PC and then double-click CD Drive (D:).
al
3.
4.
or
Click Console Installation and then click Next in the wizard.
st
di
5.
6.
7.
rib
Select I accept the terms of the license agreement and then click Next.
Specify customer information, determine for whom the application will be installed, and then click Next.
ut

Select a destination folder and then click Next.
Click Next to accept the default destination folder.
9.
io
8.
Determine which components will be installed and then click Next.

Verify that Complete is selected and then click Next.
10.
11.
12.
13.
Click Install to begin the installation of the Provisioning Services Console.

Click Finish.
Click Exit.
Click Eject to eject the installation media from the DVD drive.
Click Eject to the right of the DVD Drive 1 field to eject the Provisioning Services media.
191
Discussion Question
The Console uses the SOAP Server to communicate with which two components of the Provisioning Services
implementation?
Configuring Boot from Network

Pre-Execution Environment (PXE) booting is a method used to start a target device from the network. It relies on TFTP and
the PXE service. DHCP Options 66 and 67 need to be configured in the Scope or Server options on the DHCP server to
enable PXE booting from the network using a bootstrap file.
Option 66 is the address or name of the TFTP server. Option 67 is the name of the bootstrap file (ARDBP32.BIN).
An alternate method of network startup is available via Boot Device Manager. With Boot Device Manager, a small partition is
automatically created on the vDisk (VHD) file by Provisioning Services. The small partition contains all of the information
needed to start the target device.
1.
ot
To Configure DHCP (Options 66 and 67) for PXE Booting

Log on to the VM hosting the DHCP server role using domain administrator credentials.
fo
rr
Click Tools > DHCP in Server Manager to open the DHCP console.
Double-click the server name and then double-click IPv4 > Server Options.
es
2.
3.
Double-click AD.training.lab and then double-click IPv4 > Server Options.
al
Right-click Server Options and then click Configure Options.

Select 066 Boot Server Host Name in the Available Options list on the General tab.
Type the IP address of the TFTP server in the String value field.
Type 192.168.10.31 in the String value field.
or
4.
5.
6.
st
di
This is the IP address of the Provisioning Service server in our lab environment.
io
ut
Select 067 Bootfile Name in the Available Options list on the General tab.
Type ARDBP32.BIN in the String value field and then click OK.
Close the DHCP console.
rib
7.
8.
9.
Discussion Question
Why might you opt to use BDM rather than PXE?
When might PXE be a better option than BDM?
Setting Up a Second Provisioning Services Server

A single instance of Provisioning Services is a single point of failure. If that instance fails, all of the running target devices will
stop because they will experience a hard drive failure due to their vDisk becoming unavailable. You should always configure
an additional Provisioning Services server for high-availability protection. Remember that each Provisioning Services server
can only be a member of one site at a time. If you want to move a Provisioning Services server to another site, you need to
rerun the Configuration wizard on the server being moved.
Configuring a second Provisioning Services server is similar to installing the first instance. The administrator must ensure that
the second Provisioning Services server has access to the store via shared storage to see the existing vDisks.
192
To Configure a Second Provisioning Services Server

1.
Right-click the second Provisioning Services VM, click Start, and then click Console.
Right-click ProvisioningServicesHost-2, click Start, and then click Console.
2.
Log on to the second Provisioning Services VM using domain administrator credentials.

3.

4.
5.
Select Server Installation in the wizard window.

Click Install to begin the installation of Provisioning Services on the VM.
Click Yes in the message to install SQLncx64, if it is presented.
ot
6.
7.
8.
fo
SQLncX64 is the SQL native client and is required if you are using database mirroring. If the SQL native client
is already on the system, you will not be presented with this message.
rr
Wait for the Citrix Provisioning Services wizard to appear and then click Next.
es
9.
al
If the wizard does not appear on the screen, check the taskbar.
or
st
di
11. Specify customer information, determine for whom the application will be installed, and then click Next.

Click Finish when the installation is completed.
Click OK in the message concerning the PVS Console.
Click Next in the Provisioning Services Configuration wizard screen.
Specify where DHCP is running and then click Next.
io
13.
14.
15.
16.
17.
ut
rib
This is done so provisioned machines (vDisks) know where to get instructions to start from the network.
Options 66/67 contain the settings required for PXE booting. Options 66/67 are configured within the DHCP
Manager.
18. Specify where the PXE Service is running and then click Next.
193
You will point to the VM that hosts the bootstrap file which tells the provisioned machines (target devices) to
start up from the network. In the lab environment, the bootstrap file is stored on this Provisioning Services
server.
19. Decide whether to create a new farm or join an existing farm and then click Next.
Select Join existing farm and then click Next.
If this is not the first Provisioning Services VM in the environment, you probably want to join a farm instead
of create a new farm.
20. Specify the name of database server that is hosting the database to be used by Provisioning Services and then click Next.
Type SQL-1 and then click Next.
21. Select the Provisioning Services farm that this server will join and then click Next.
Verify that PVS_db:Farm is specified in the Farm name field and then click Next.
ot
In the lab environment, PVS_db is the name of the Provisioning Services database and Farm is the name you
gave the Provisioning Services farm.
22. Specify the site to be used by the Provisioning Services server and then click Next.
fo
Verify that Existing site is selected and then click Next.
rr
In the lab environment, Site is the name you gave the Provisioning Services site.
al
es
23. Specify the vDisk store to be used by the Provisioning Services server and then click Next.
Verify that Existing store is selected and then click Next.
or
In the lab environment, Store is the name you gave the Provisioning Services store.
st
di
io
Select Specified user account.

Type PVS_svc in the User name field.
Type training.lab in the Domain field.
Type Password1 in the password fields.
Click Next.
ut
a.
b.
c.
d.
e.
rib
24. Select the account to use for the Stream Services and SOAP Server and then click Next.
25. Verify Automate computer account password updates is selected and then click Next.
This ensures that Provisioning Server resets the Active Directory computer accounts of the provisioned
endpoints before the computer accounts expire in Active Directory.
26. Specify the network card to be used for streaming and management, specify the ports to use, and then click Next.
Verify that 6890 is specified as the First communications port, 54321 is specified as the Console port, and then click
Next.
27. Select Use the Provisioning Services TFTP service and then click Next.
28. Specify the boot servers that target devices can contact to complete their start up process and then click Next.
Click Next to accept the default Stream Servers Boot List.
194
29. Verify that Automatically Start Services is selected and then click Finish.
30. Click OK in the Windows Firewall message.
This message will always appear even if the firewall is turned off.
31. Wait while the configuration completes and then click Done.
32. Click Exit and then eject the installation media from the DVD drive.
Click Exit and then click Eject to the right of the DVD Drive 1 field to eject the Provisioning Services installation
media.
33. Click the Server Manager icon in the taskbar of the Provisioning Services server and then click Tools > Services.
Service startups can fail in high-latency environments. You should configure the following Recovery settings
for the Citrix PVS SOAP Server, Citrix PVS Stream Service, and Citrix PVS TFTP Service to ensure that these
services start.
ot
34. Right-click Citrix PVS Soap Server and then click Properties.
then click OK.
36. Right-click Citrix PVS Stream Service and then click Properties.
then click OK.
38. Right-click Citrix PVS TFTP Service and then click Properties.
then click OK.
40. Close the Services console.
fo
al
es
rr
Discussion Question
or
st
di
You have virtualized your first Provisioning Services server and then added a second Provisioning Services server for
redundancy to prevent a single point of failure. Everything seems to be working as planned. One day, the Help Desk lines
light up with numerous calls from end users complaining that their desktops are not available. What might be causing the
issue?
rib
Configuring the Bootstrap File for High Availability
ut
io
The bootstrap file contains connection information used by the starting target device to locate the Provisioning Services
servers. Adding all Provisioning Services servers to the bootstrap file provides the ability for the starting target device
connections to be load-balanced among the Provisioning Services servers and to identify the next available Provisioning
Services server upon failure of the currently connected Provisioning Services server.
After a Provisioning Service server is added, you must update the server information in the bootstrap file (ARDBP32.BIN)
using the Provisioning Services Console. Once the bootstrap file is updated, subsequent connections to Provisioning Services
are load-balanced between all Provisioning Services servers. An administrator can rebalance the target device connections at
any time using the console without impacting VM performance.
To Configure the Bootstrap File for High Availability

1.
Log on to the first Provisioning Services VM using domain administrator credentials.

2.
3.
Click Start, type Provisioning Services Console, and then click Provisioning Services Console.
Right-click Provisioning Services Console in the left pane and then click Connect to Farm.
195
4.
Type the NetBIOS name or IP address of the first Provisioning Services server in the Server Information Name field and
then click Connect.
Type PVS-1 and then click Connect.
If you cannot access the farm, restart the Provisioning Services server and try again.
This will connect the console to the first Provisioning Services server so you can see information about the
farm, the sites, and the stores.
5.
Double-click the farm name > Sites > site name, and then click Servers.
Double-click Farm > Sites > Site > Servers.
6.
Right-click the name of the first Provisioning Services server in the Servers node and then click Configure Bootstrap.
Right-click PVS-1 and then click Configure Bootstrap.
7.
Click Read Servers from Database, and then click OK.
8.
ot
The bootstrap file for the first Provisioning Services server will now include the IP addresses of all
Provisioning Services servers in the farm.
Right-click the name of the second Provisioning Services server in the Servers node and then click Configure Bootstrap.
fo
Right-click PVS-2 and then click Configure Bootstrap.
rr
9.
Click Read Servers from Database, and then click OK.
es
10. Close the Provisioning Services Console.
al
The bootstrap file for the second Provisioning Services server will now include the IP addresses of all
Provisioning Services servers in the farm.
or
You can shut down the ProvisioningServicesHost-2 VM to conserve lab resources.
st
di
n
io
Configuring the Master Target Device
ut
How many Provisioning Services servers can be specified in the bootstrap file?
rib
Discussion Question
A Master Target Device refers to a target device from which a hard disk image is built and stored on a vDisk. Provisioning
Services then streams the contents of the vDisk created from the Master Target Device to other target devices.
In order to support a single vDisk, that is shared by multiple target devices, those devices must have certain similarities to
ensure that the operating system has all required drivers. The three key components that must be consistent include the:
Motherboard
Network card
Video card
The Provisioning Services Common Image Utility allows a single vDisk to simultaneously support different
motherboards, network cards, video cards, and other hardware devices.
If target devices will be sharing a vDisk, the Master Target Device serves as a template for all subsequent diskless target
devices as they are added to the network. It is crucial that the hard disk of the Master Target Device is prepared properly and
that all software is installed on it in the following order:
196
1.
2.
3.
4.
5.
Windows Operating System

Device Drivers
Service Packs Updates
Target Device Software
Applications, which can be installed before or after the Target Device Software is installed
Creating the Master Target Device

Using Provisioning Services, administrators prepare a Master Target Device for imaging by installing an operating system and
software on the device. A vDisk image is then created from the hard drive on the Master Target Device and saved to shared
storage.
ot
N
fo
e
al
es
rr
or
st
di
Once the vDisk image is available from the network, the target device no longer needs its local hard drive to operate; the
target device starts up directly from the network. The Provisioning Services server streams the contents of the vDisk to the
target device on demand, in real time. The target device behaves as if it is running from its local hard drive. However, unlike
thin-client technology, all processing takes place on the target device.
io
Use a physical machine with a configured desktop as the Master Target Device, load the Provisioning Services utilities on
the physical machine, and then use the utilities to convert the workload of the physical device to a vDisk (VHD) file.
Use a virtual machine with a configured desktop as the Master Target Device, load the Provisioning Services utilities on
the virtual machine, and then use the utilities to convert the workload of the virtual machine to a vDisk (VHD) file.
Use a headless virtual machine (a machine without a hard drive), associate it with a Provisioning Services server to attach
a blank vDisk to it, and then install an operating system and software on the blank vDisk to create the vDisk (VHD) file.
You do not need to convert the workload of the virtual machine because it is already a VHD file.
ut
rib
When creating a vDisk for use with Provisioning Services, you can:
In this procedure, you will create a virtual machine that will become the Master Target Device. You will then use
the utilities to convert the workload of the Master Target Device to a vDisk (VHD) file.
To Create a New Master Target Device

1.
Right-click the Windows Server template in XenCenter and then click New VM wizard to create a VM that will used to
create the target devices and vDisks for use with Provisioning Services.
Right-click the WinServer2012R2_template template in XenCenter and then click New VM wizard.
2.
Verify that the correct template is selected and then click Next.
Verify that WinServer2012R2_template is selected and then click Next.
197
scratch, you would need to install the hypervisor tools on the VM before you use the VM to create a vDisk.
3.
Type the desired name for the VM in the Name field and then click Next.
Type MasterTargetDevice-1 in the Name field and then click Next.
4.
Verify <empty> is selected in the DVD drive field and then click Next.
You do not need to install an operating system on this VM, because the selected Windows Server 2012 R2
template has the operating system installed on it.
5.
Determine on which XenServer the VM should start and then click Next.
6.
Specify the number of vCPUs and memory to allocate to the VM and then click Next.
Verify that 2 vCPU and 2048 MB memory is allocated and then click Next.
ot
The number of vCPUs depends on the workload and should not exceed the logical cores within the hardware.
The limit is 16 vCPUs per VM. A typical Provisioning Services VM should have 2 vCPUs. A typical
Provisioning Services VM should have 2 GB or more of memory allocated for a 64-bit operating system.
Specify the storage settings for this VM and then click Next.
fo
7.
Select the network interfaces that will be used and then click Next.
es
8.
rr
Accept the default storage settings and then click Next.
Verify that <autogenerated MAC> Internal is selected and then click Next.
Review the settings for this VM for accuracy.
al
9.
or
If changes need to be made, use the Previous button to return to previous pages.
st
di
10. Determine if you want to start the VM at this time and then click Create Now.
rib
Verify that Start the virtual machine automatically is selected and then click Create Now.
11. Click the new Master Target Device in the left pane of XenCenter and then click the Console tab.
After the VM restarts, you will perform an initial configuration of the VM.
io
ut
Click MasterTargetDevice-1 and then click the Console tab.
12. Select the appropriate region, language, and keyboard layout settings, and then click Next.
a.
b.
Verify that:
United States is selected in the Country/Region field.
English (United States) is selected in the Language field.
US is selected in the Keyboard layout field.
Click Next.

Click I accept.
198
14. Type a password for the local administrator account and then click Finish.
Type Password1 in both the Password and Reenter password fields and then click Finish.
15. Log on to the VM using local administrator credentials.
Log on using the Administrator and Password1 credentials.
16. Click Local Server in Server Manager and then click the link next to Computer Name.
17. Click Change in the System Properties window.
18. Type a name for the new Master Target Device in the Computer name field.
Type MTD-1 in the Computer name field.
19. Select Domain, type the name of the domain in the Domain field, and then click OK.
20. Type the domain administrator credentials in the Computer Name/Domain Changes window and then click OK.
Type the Administrator and Password1 credentials and then click OK.
ot
21. Wait while the computer joins the domain and then click OK twice.
22. Click Close and then click Restart Now.
fo
Installing the Virtual Delivery Agent
al
es
rr
The Virtual Delivery Agent (VDA) is required to make HDX (ICA) connections to the vDisk from the target device and must
be installed on the Master Target Device prior to creating the vDisk and assigning the vDisk to a target device. The Virtual
Delivery Agent was formerly known as the Virtual Desktop Agent in previous releases of XenDesktop.
To Install the Virtual Delivery Agent
or
In this procedure, you will be installing the standard VDA.
st
di
1.
Log on to the Master Target Device using your domain administrator credentials.
2.
rib
Log on to MasterTargetDevice-1 using the TRAINING\Administrator and Password1 credentials.

Click the File Explorer icon in the taskbar.

Click This PC.
io
3.
4.
5.
ut
6.
7.

Click Virtual Delivery Agent for Windows Server OS.
The Virtual Delivery Agent for Desktop OS is not available because a Server operating system was detected on
the VM.
8.
9.
Select Create a Master Image and then click Next.

Verify Citrix Receiver is selected and then click Next.
199
10. Specify how the location of the Delivery Controllers will be configured.
Select Do it manually.
You cannot allow Machine Creation Services to specify the Delivery Controller locations, because Provisioning
Services is being used to deliver the vDisk.
11. Type the FQDN of the first Delivery Controller in the Controller address field, click Test connection, and then click
Add.
Type c-1.training.lab in the Controller address field, click Test connection, and then click Add.
12. Type the FQDN of the second Delivery Controller in the Controller address field, click Test connection, and then click
Add.
Type c-2.training.lab in the Controller address field, and then click Add.
You are not testing the connection to Controller-2 (c-2.training.lab) in the lab environment, because it is
currently shutdown.
ot
13. Click Next after all Delivery Controllers have been added.
14. Select the features to install and then click Next.
fo
Verify that all features are selected and then click Next.
rr
es
If you are installing the Virtual Delivery Agent on a workstation OS machine, you will have the option to
install Personal vDisk functionality. If you opt to install the Personal vDisk, keep in mind that you must run
the Update Personal vDisk tool after the Virtual Delivery Agent installation is completed.
al
or
If the VDA will use the default ports for communication, select Automatically. If the VDA will use alternate
port assignments, select Manually to configure the ports after installation.
st
di
rib
16. Click Install.

17. Click Close and then wait for the Master Target Device to restart.
18. Wait while the Master Target Device updates and automatically restarts again.
io
ut
The Master Target Device will restart automatically after a few seconds if you do not click Close. The VDA is
configured after the VM is restarted. Do not eject the XenApp and XenDesktop media from the DVD drive.
Doing so will cause the installation of the VDA to be incomplete and result in desktops created from the
image to fail to register.
19. Log on to the Master Target Device on which you installed the VDA using domain administrator credentials to complete
the configuration of the VDA.
200

23. Log on to the Master Target Device using domain administrator credentials.
Log on to the MasterTargetDevice-1 using the TRAINING\Administrator and Password1 credentials.
Click Eject to the right of the DVD Drive 1 field to remove the XenDesktop media.
25. Install applications on the Master Target Device, if desired.
Do not complete this step, or the next step within the lab environment, because you will not be using the Personal
vDisk feature in this environment.
Creating the vDisk

After the operating system and desired software are installed on the Master Target Device, you must convert the hard drive of
the Master Target Device into a vDisk file. The resultant vDisk file is stored on a Provisioning Service server or shared storage
so it can be accessed by any Provisioning Services server that will provide the vDisk to target devices.
1.
ot
To Convert the Hard Drive of the Master Target Device to a vDisk

Log on to the Master Target Device using your domain administrator credentials.
fo
rr
2.
Insert the Provisioning Services installation media in the DVD Drive.
Click Desktop and then click the File Explorer icon in the taskbar.
Click This PC.
al
3.
4.
5.
es
or
st
di
Click Target Device Installation and then click Target Device Installation again.
Click Next on the Welcome screen of the Installation wizard.
Type the customer information in the appropriate field, determine for whom the application is being installed, and then
click Next.
9.
io
ut
rib
6.
7.
8.
Click Next to accept the default selections.

11.
12.
13.
14.
Click Install and wait while the installation completes.

Verify that Launch Imaging Wizard is selected and then click Finish.
Click Next on the Welcome screen of the Imaging wizard.
Type the IP address of the first Provisioning Services VM and then click Next.
Type 192.168.10.31 and then click Next.
15. Determine whether a new or existing vDisk will be used and then click Next.
Select Create new vDisk and then click Next.
201
16. Type a name for the new vDisk.

Type Win2012R2vDisk.
17. Select the vDisk type and then click Next.
Select Dynamic and then click Next.
The Fixed vDisk type allocates 100% of the space allocated for the vDisk immediately. The Dynamic vDisk
type allocates space as it is needed. A Dynamic vDisk starts out small and then grows up to the maximum
amount of space allocated as it is needed.
18. Select the Volume Licensing method to be used with the vDisk and then click Next.
Select Key Management Service (KMS) and then click Next.
19. Define the size of each volume and then click Next.
Click Next to accept the default volume sizes.
20. Type a name for the target device and then click Next.
Type Win2012R2TD and then click Next.
ot
21. Click Optimize for Provisioning Services, click OK, and then click Finish.
22. Click No in the Reboot message and then click No again.
fo
Do not restart the VM at this point.
es
rr
al
23. Click Exit in the Provisioning Services installation program.

24. Eject the installation media from the DVD drive.
Click Eject to the right of the DVD Drive 1 field to eject the Provisioning Services installation media.
or
25. Click the General tab for the Master Target Device VM in XenCenter and then click Properties.
Click MasterTargetDevice-1 in XenCenter, click the General tab, and then click Properties.
st
di
rib
26. Click Boot Options and then select Network.

27. Move Network to the top of the list to force the VM to start up from the network instead of from the hard drive and
then click OK.
io
ut
Click Move Up until the Network option is at the top of the list; deselect DVD-Drive and Hard Disk, and then click
OK.
Recall that the PXE boot option was set during the initial Provisioning Services installation.
n
28. Right-click the Master Target Device VM in XenCenter and then click Reboot.
Right-click MasterTargetDevice-1 and then click Reboot.
29. Click Yes in the Reboot VM message.
30. Log on to the Master Target Device VM using your domain administrator credentials.
Log on to MasterTargetDevice-1 VM using the TRAINING\Administrator and Password1 credentials.
After you log on, you will see the XenConvert progress window for the vDisk capture process. Do not restart
the VM until the XenConvert process completes. This process takes around 30-45 minutes.
31. Wait while the XenConvert process completes and then click Finish.
202
32. Shut down the Master Target Device VM.

Right-click MasterTargetDevice-1, click Shut Down, and then click Yes to confirm.
33. Log on to the first Provisioning Services VM using the domain administrator credentials.
34. Click Start, type Provisioning Services Console, and then click Provisioning Services Console.
35. Type the NetBIOS name or IP address of the first Provisioning Services server in the Name field and then click Connect.
Type PVS-1 and then click Connect.
36. Double-click the farm name > Sites > site name > vDisk Pool in the left pane of the Provisioning Services Console.
Double-click Farm (PVS-1) > Sites > Site > vDisk Pool.
37. Verify that the newly created vDisk is listed.
Verify that Win2012R2vDisk is listed.
38. Double-click Device Collections > Collection in the left pane of the Provisioning Services Console.
39. Verify that the newly created target device is listed.
Verify that Win2012R2TD is listed.
ot
40. Double-click Stores > store name in the left pane of the Provisioning Services Console.
fo
Double-click Stores > Store.
rr
41. Verify that the newly created vDisk is listed.
st
di
Setting the vDisk Mode
or
What does XenConvert do?
Discussion Question
al
es
Verify that Win2012R2vDisk is listed.
ut
rib
In order to understand the vDisk mode, you must first understand the concept of VHD types. There are two types of VHD
files: static and dynamic. A static VHD file will physically be the full size of the configured vDisk. A dynamic VHD file will
only be as large as the amount of data written to the vDisk. You can set the VHD type during the XenConvert process.
io
For example, if you configure a VHD file for 40 GB, but install only 10 GB of operating system and applications on it and
then set the type as static, the VHD will have a foot print of 40 GB. If you set the 40 GB VHD file as dynamic, it will have a
foot print of 10 GB. Target devices will see a 40 GB hard drive regardless of the type of VHD file to which they connect.
A vDisk can be placed in one of two modes: standard or private. Only one mode can be applied to a vDisk at a time. Any
vDisk can be changed from one mode to another as long as there are no current connections to the vDisk. You set the vDisk
mode in the Properties of the vDisk using the Provisioning Services Console.
A vDisk in private image mode is read/write. In private image mode, only one target device can start up from the vDisk at a
time, and that vDisk is most likely dedicated to a specific target device. Because a private vDisk is read/write, there is no need
for a write-cache; all system write backs are written directly to the VHD file.
A vDisk in standard image mode is read only. In standard image mode, multiple target devices can start up from the same
vDisk. Because a vDisk in standard image mode is read only, it requires a write cache file for each started target device.
The write-cache contains the information that the system would typically write back to a hard drive. If the hard drive is read
only, you need to have a place for the write back information. As a general rule, a write-cache size of 300 - 500 MB per end
user should cover mostly text-based workloads and daily restarts. Graphic-based workloads will require a considerably larger
write cache. The size of the write cache should be determined using a workload analysis for the organization. If the write
cache is placed on the local disk of each Provisioning Services server, there may not be a smooth transition to the remaining
Provisioning Services servers in the event of failover, because the write cache will be inaccessible. Therefore, server-side
caching on the local disk is not recommended for fault tolerance. Target device RAM provides the best performance for the
write cache, but has limited space and is not persistent.
203
To Set the vDisk Mode

1.

2.
3.
Click Start, type Provisioning Services Console and then click Provisioning Services Console.
Type the NetBIOS name or IP address of a Provisioning Services server in the Name field and then click Connect.
Verify that PVS-1 appears in the Name field and then click Connect.
4.
Double-click the farm name > Stores > store name to display the contents of the store.
Double-click Farm (PVS-1) > Stores > Store.
5.
Right-click the vDisk in the store and click Properties.

Right-click Win2012R2vDisk and then click Properties.
6.
Specify the access mode and write cache type on the General page and then click OK.
Click Standard Image (multi-device, read-only access) in the Access mode field and and click Cache in device RAM
with overflow on hard diskin the Cache type field. Click OK.
ot
You cannot manage the vDisk properties if the vDisk is in use by any target device. The vDisk will appear
locked and must first be unlocked. Unlocking a vDisk that is in use by any device runs the risk of corrupting
data on the vDisk.
fo
es
rr
Discussion Question
al
In Provisioning Services, private image mode identifies a vDisk as being available to only one target device. What term is used
in Machine Creation Services to specify that a VM is dedicated to a single end user?
In Provisioning Services, standard image mode identifies a vDisk as being available to many target devices. What term is used
in Machine Creation Services to specify that a VM can be used by many end users?
or
st
di
Assigning a vDisk to a Target Device
Manually create the target device in the Provisioning Services console and assign it a vDisk.
Import a comma-delimited file with a list of MAC addresses.
Auto-add the target device to the Provisioning Services server. This will automatically add the default vDisk to the target
device.
io
ut
rib
Whenever a new target device is added to the environment, you must assign a vDisk to it. There are multiple ways to assign a
vDisk to a target device:
When a vDisk is assigned to a target device, the MAC address of the target device is mapped to the vDisk. A vDisk in
standard image mode can have multiple mappings (multiple target devices/one-to-many). A vDisk in private image mode can
have only a single mapping. Target devices are always identified by the MAC address. If you clone a target device and do not
randomize the MAC address, you will have multiple target devices with the same MAC address and you will have conflicts in
the environment.
To Assign a vDisk to a Target Device

The following procedure is provided for information purposes only. You do not need to complete this procedure
in the lab environment.
1.
2.
3.
204
Log on to a Provisioning Services VM using domain administrator credentials.

4.
5.
6.
7.
Double-click the farm name > Sites > site name >Device Collection > collection name.
Right-click the name of a target device in the right pane and then click Properties.
Click the vDisks tab.
Click Add, select the vDisk to add, and then click OK twice.
You can remove a vDisk from a target device using the Properties of the target device.
Discussion Question
What happens if more than one vDisk is assigned to a target device?
Creating the Machine Catalog
ot
The XenApp and XenDesktop Setup Wizard can be used to create machine catalogs of target devices from the Master Target
Device and Provisioning Services. Machine catalogs created with the XenApp and XenDesktop Setup Wizard are displayed in
Citrix Studio and are managed like machine catalogs created using Machine Creation Services.
To Create a Diskless Target Device Template
fo
1.
es
rr
Prior to creating a machine catalog for use with a vDisk, you must have a template that you can use to create the
diskless target devices that start from the network rather than a hard drive. The target devices created from this
template will use PXE or BDM to start and will be associated with a vDisk using Provisioning Services.
Create a new template or make a copy of an existing template in XenCenter.
al
Right-click WinServer2012R2_template and then select Copy.

Type TD with no storage_template in the Name field and then click Copy.
a.
b.
or
You are using an existing template to simplify the template creation process.
st
di
Click the template in XenCenter and then click the General tab.
rib
2.
6.
7.
8.
Click Properties.
Click Boot Options in the left pane.
Select Network and then click Move Up until Network is the first item listed. Deselect the DVD and Hard Disk options
as well.
Click OK.
Click the Storage tab to remove the hard drive from the target device so you can use PXE or BDM to start and use a
vDisk.
Select the virtual disk, click Delete, and then click Yes in the Delete System Disk message.
3.
4.
5.
io
ut
Click the TD with no storage_template VM in XenCenter and then click the General tab.
Select WinServer2012R2_template, click Delete, and then click Yes in the Delete System Disk message.
205
To Create the Machine Catalog

1.

2.
3.
Verify that PVS-1 appears in the Name field and then click Connect.
4.
Double-click farm name > Sites.

Double-click Farm (PVS-1)>Sites.
5.
Right-click the site name and then click XenDesktop Setup Wizard.
Right-click Site and then click XenDesktop Setup Wizard.
6.
7.
Click Next on the Welcome screen.

Type the name of a Delivery Controller in the XenDesktop Controller address field and then click Next.
Type C-1 and then click Next.
Select the host network and then click Next.
ot
8.
Select XenApp and XenDesktop Network and then click Next.
fo
9.
Type the log on credentials of the host (XenServer) and then click OK.
rr
Type root in the Username field, type the Password provided to you in the beginning of the lab and then click OK.
es
10. Select a VM template to use for the Master Target Devices and then click Next.
al
Select TD with no storage_template and then click Next.
11. Select a Standard image mode vDisk and then click Next.
or
Select Store\Win2012R2vDisk and then click Next.
12. Determine if a new or existing catalog will be used and then click Next.
st
di
Select Create a new catalog, type Win2012R2PXE in the Catalog name field, and then click Next.
Select Windows Server Operating System and then click Next.
ut
rib
13. Specify the type of operating system machines to create in the catalog and then click Next.
io
You must be careful to select the correct type of desktop at this point. Selecting the incorrect OS will result in
an unusable machine catalog.
14. Specify the virtual machines preferences for vCPUs, memory, Personal vDisk size and drive letter, and startup mode, and
then click Next.
a.
b.
c.
d.
e.
Select 1 in the Number of virtual machines to create field.

Select 2 in the vCPU field.
Select 2048 MB in the Memory field.
Select PXE boot (requires a running PXE service).
Click Next.
Personal vDisk is not available, because you are creating a machine catalog based on the Windows Server OS.
206
15. Determine whether to use existing Active Directory accounts or to create new ones for the new target device machines in
the machine catalog and then click Next.
Verify that Create new accounts is selected and then click Next.
16. Specify the domain and OU to which the new target devices in the machine catalog will be added in Active Directory.
Select training.lab in the Domain field and then double-click training.lab > Training Virtual Desktops > Servers.
17. Determine the account naming scheme and then click Next.
Type Win2012R2PXE-##, verify that the 0-9 enumeration scheme is selected, and then click Next.
This will be the naming scheme associated with the target devices that will use the Win2012R2vDisk vDisk.
ot
18. Click Finish and wait for the VMs (target devices) to be created in the machine catalog.
19. Verify that the new target devices appear in XenCenter and then click Done.
Verify that Win2012R2PXE-01 appears in XenCenter and then click Done.
fo
20. Log on to a computer hosting Studio using domain administrator credentials.
rr
al
es
21. Click Start, type Citrix Studio and then click Citrix Studio.
22. Click Machine Catalogs and then verify that the newly created catalog appears.
Click Machine Catalogs and verify that Win2012R2PXE appears in the list.
e
or
Discussion Question
rib
Creating the Delivery Group
st
di
Personal vDisk can only be used with which type of desktop?
io
ut
Creating a Delivery Group is not a Provisioning Services function, but in order for end users to connect to the newly created
machine catalog of target devices, you can use Studio to create a Delivery Group. Alternatively, if a Delivery Group already
exists, you only need to associate that Delivery Group with the new machine catalog.
To learn more about administering XenApp and XenDesktop, attend the CXD-203 Managing App and Desktop
Solutions with Citrix XenApp and XenDesktop 7.6 course or search http://docs.citrix.com for the relevant topic.
To Create the Delivery Group

1.
Log on to the computer hosting Citrix Studio using domain administrator credentials.
2.
3.
4.
Click Start, type Citrix Studio, and then click Citrix Studio.
207
pane. If you receive an error message stating: "There are no available machines in a compatible Machine
Catalog. You must create a new Machine Catalog or add machines to an existing one." Use Studio to verify
that a machine catalog exists and contains machines that have not been assigned to a Delivery Group. If the
machine catalog was newly created and none of its machines have been assigned through a Delivery Group
yet, the problem could be that the machine catalog did not create correctly. Create a new machine catalog and
delete the corrupted one.
5.
Click Next in the Getting Started with Delivery Groups page.

If you previously selected Don't show this again, this page will not appear.
6.
then click Next.
Select Win2012R2PXE, type 1 in the Choose number of machines to add field, and then click Next.
7.
ot
in the environment.
Select the service to deliver in the Delivery Type screen and then click Next.
Click Add users to specify which end users will be part of the Delivery Group.
rr
8.
fo
Select Desktops and then click Next.
Type the name of the user or group, click Check Names, and then click OK.
9.
al
es
Only those users added to the Delivery Group will be able to access the selected service (desktops, applications,
or desktops and applications).
or
Type HelpDesk in the Enter the object names to select field, click Check Names, and then click OK.
10. Verify that the appropriate end users appear in the Assign users field and then click Next.
st
di
Verify that TRAINING\HelpDesk appears and then click Next.
io
Select Automatically, using the StoreFront servers selected below.

Select https://sfs-1.training.lab.
Select https://sfs-2.training.lab.
Click Next.
ut
a.
b.
c.
d.
rib
11. Determine how to provide the StoreFront server address to Citrix Receiver and then click Next.
12. Type a name for the Delivery Group in the Delivery Group name field that administrators will see.
Type Win2012R2Server-HD.
13. Type a Display name in the Display name field that end users will see.
Type Win2012R2 Server.
14. Type a description for the machine that end users will see and then click Finish.
Leave the description field blank and then click Finish.
15. Right-click the machine associated with the Delivery Group and then click Shut Down.
Right-click Win2012R2PXE-01 in XenCenter and then click ShutDown.
208
You are shutting down the VM only to save lab environment resources.
Discussion Question
Delivery Groups are used to assign end users and groups to machines. What methods are available for selecting the end users?
Reinforcement Exercise: Creating BDM Target Devices

Install and configure Provisioning Services.
Install the Provisioning Services Console.
Configure DHCP Options 66 and 67.
Configure the bootstrap file for high availability.
Create a vDisk and assign it to a target device.
Create a machine catalog.
Create the Delivery Group.
ot
fo
es
rr
al
You are ready to try your hand at creating a machine catalog and a Delivery Group using a vDisk created in Provisioning
Services.
or
You created a machine catalog for Windows 2012 R2 servers using PXE, but now Training wants you to create a machine
catalog that uses the Boot Device Manager (BDM) and a vDisk. Once you create this new machine catalog, Training wants to
provide these machines to the XenDesktop Admins group of users at Training.
Ensure that MasterTargetDevice-1 is shutdown.
Use the XenDesktop Setup Wizard in Provisioning Services to create a new machine catalog called Win2012R2BDM.
Use root and Password1 as the credentials for the host (XenServer).
Base the machine catalog on the TD with no storage_template and Win2012R2vDisk VMs that you created earlier.
Create a single target device and set it to start using BDM.
Create new accounts for the target devices in the training.lab > Training Virtual Desktops > Servers OU.
Use the default account naming scheme for the target devices.
Create a new Delivery Group that assigns Desktops to the XenDesktop Admins group from the newly created target
device.
9. Specify both StoreFront servers.
10. Set the name of the Delivery Group to Win2012R2Desktop-XDA (Admin view).
11. Set the Display name to Win2012R2 Desktop (End-user view).
io
ut
rib
1.
2.
3.
4.
5.
6.
7.
8.
st
di
209
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
210
Module 8
Preparing the Environment

for Rollout
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
212
Preparing the Environment for Rollout

Overview
Prior to rolling the XenApp and XenDesktop environment out for the pilot implementation to internal end users, you should
validate that the environment behaves as expected. So far in this course, you have configured a basic implementation of
XenApp and XenDesktop to provide internal end users with access to XenApp and XenDesktop resources. Now, you want to
test your implementation to ensure that it works correctly before you move on and configure the environment so external end
users can access XenApp and XenDesktop resources.
fo
Controller-1 = On
FileServer-1 = On
ProvisioningServicesHost-1 = On
SQLServer-1 = On
All other VMs = Off
al
or
st
di
io
ut
rib
At
es
rr
ot
Verify the service account.

Verify the DHCP scope.
Verify SSL communications with StoreFront.
Verify the Provisioning Services vDisks storage location.
Verify the end-user environment for:
Hosted applications.
Server OS machines created from a vDisk.
Desktop OS machines containing a Personal vDisk.
Verify the Remote Assistance configuration.
Verify Delivery Controller high availability.
Verify SQL Server mirroring.
Testing a Service Account
In Module 3, you create a policy and applied it to the Training Service Accounts OU in Active Directory to restrict the service
accounts used by Provisioning Services (PVS_svc) and SQL Server (SQLAcct1) from being used to log on locally to
infrastructure servers. You want to validate that a service account cannot be used to log on locally to any server in the
environment.
To Test a Service Account

1.
Verify that you are not using the Remote Desktop mode in XenCenter.
a.
b.
Switch to the ProvisioningServicesHost-1 console.

Verify that Switch to Remote Desktop appears to the right of the DVD Drive 1 field in XenCenter, If it does
not appear, click Switch to Default Desktop.
Module 8: Preparing the Environment for Rollout
213
Do not perform this test using Remote Desktop, because the log on may fail because the service account is not
a member of the Remote Desktop Users group, not because the service account cannot be used to log on
locally. Performing this test using Remote Desktop is not a valid test of the ability to log on locally using a
service account.
2.
Log on to the first Provisioning Services VM using the service account credentials.
Log on to ProvisioningServicesHost-1 using the Training\PVS_svc service account and Password1 credentials.
3.
Verify that you receive the following message "The sign-in method you're trying to use isn't allowed. For more
information, contact your network administrator." and then click OK to return to the logon screen.
If you are able to log on, run gpupdate /force from a command line on the server and then retry the log on.
4.
5.
Repeat the test on other servers in the environment, if time permits.

Repeat the test using a different service account, if time permits.
Repeat the test using the SQLAcct1 account, if time permits.
N
ot
Discussion Question
Why should you deny a service account the ability to log on locally?
fo
es
rr
Testing the DHCP Scope
al
In Module 3, you installed DHCP and configured a scope that provided IP addresses to systems that do not have a static IP
address assigned to them in the training.lab domain. You specified IP addresses in the range of 192.168.10.60 - 192.168.10.80.
In addition, you created a policy in Module 6 that assigned session printers to systems with IP addresses within the DHCP
scope. You want to validate that all dynamically assigned IP addresses are within the specified scope to ensure that your
session printer policy will be applied correctly.
or
1.
st
di
To Verify IP Addresses Are within the DHCP Scope
Select any newly created VM in XenCenter that does not have a static IP address assigned to it.
2.
io
ut
You do not need to start the VM.
rib
Click Win8-Master in XenCenter and then click the Networking tab.
View the IP Address field to determine if the IP address is within the defined DHCP scope.
View the IP Address field and determine if the address is within the 192.168.10.60 - 192.168.10.80 address range.
This is the IP address that was assigned to the machine when it was started. If the machine is on, this is the IP
address currently being used by the machine. If the machine is off, this is the IP address that was assigned
when it was last started. A different IP address may be assigned to the machine when it starts again.
3.
Click the Console tab to return to the console of the VM.
Discussion Question
What is the benefit of assigning session printers based on IP addresses?
214
Testing the Certificates

In Module 3, you installed the Certificate Authority role on the domain controller and then created certificates to secure
communications. You want to validate that certificates have been applied to the StoreFront servers and that communications
between StoreFront servers and end users are secure.
To Verify Secure Communications with StoreFront

1.
Start an internal endpoint that has Citrix Receiver installed and then log on using domain end-user credentials.
Double-click the EndPoint-Internal VM in XenCenter and then log on using the Training\HRUser1 and Password1
credentials.
2.
3.
4.
5.
Type Receiver on the Start screen and then click Citrix Receiver.
Click Log On on the top of the Receiver window.
Click Secure connection at the bottom of the Citrix Receiver log on screen.
Verify that the certificate was applied to StoreFront by a known Certificate Authority and then click OK.
Click the Internet Explorer icon in the taskbar of the internal endpoint.
ot
6.
Verify that sfs-1.training.lab (our first StoreFront server) and Training-AD-CA (our internal Certificate Authority)
appear in the Secure connection dialog box, click OK, and then click Cancel.
Click Internet Explorer in taskbar of the Endpoint-Internal VM.
fo
7.
Type the URL for the Receiver for Web site in the Address field and then press Enter.
rr
Verify that the Citrix Receiver log on page appears and that https: appears in the URL in the Address field.
Close all open windows.
al
8.
9.
es
Type https://sfs-1.training.lab/citrix/store-1Web in the Address field, press Enter, and then click OK in the Security
Alert and accept all pop-ups.
or
Discussion Question
st
di
For which communications must StoreFront have a valid certificate?
rib
Testing the Provisioning Services Share
To Verify the vDisk Storage Location

1.
io
ut
In Module 3, you created a file server and a share on which vDisks created in Provisioning Services would be stored. In
Module 7, you created a vDisk from a Master Target Device. You want to validate that Provisioning Services was able to
successfully store the Win2012R2vDisk in the proper location on the file server.
Log on to any system in the domain using domain administrator credentials.

Log on to StudentManagementConsole-1 using the Training\Administrator and Password1 credentials.
2.
3.
Click the File Explorer icon in the taskbar.

Type the UNC path to the shared folder for the vDisks on the file server and then press Enter.
Type \\FS-1\vDisks in a blank portion of the location bar at the top of the window and then press Enter.
4.
Verify that the vDisk is listed in the folder.

Verify that Win2012R2vDisk appears in the folder.
215
5.
The
The
The
The
WriteCache folder contains the writes made to the vDisk.

.lok file is the vDisk lock.
.pvp file contains the properties associated with the vDisk.
.vhd file is the actual vDisk.
Close all open windows.
Discussion Question
How might you back up a vDisk?
Verifying Internal Access to Hosted Applications

In Module 4, you installed Receiver on an internal endpoint. In Modules 5 and 7, you configured applications and desktops
for the end users in the environment, and in Module 6, you configured policies that configure the environment. You want to
validate that internal end users can use Receiver to access hosted applications and that the end users' changes are saved
appropriately to a profile or to a file share.
ot
Citrix Receiver is installed and configured per end user. If a different end user logs on to an endpoint, the end
user must configure Citrix Receiver before it can be used. You can install Citrix Receiver from the Receiver for
Web site page.
fo
rr
To Verify Internal Access to Hosted Applications
es
1.
Select an end-user account that has been granted access to hosted applications.
al
In Module 5, you granted AcctUser1, AcctUser2, HRUser1, and HRUser2 access to hosted applications using a
Delivery Group.
or
2.
Log on to the internal endpoint using the selected end-user account.
3.
Verify that an end user can log on to Citrix Receiver.
rib
Type Receiver on the Start screen of the internal endpoint and then click Citrix Receiver.
Log on to Receiver using the Training\HRUser1 and Password1 credentials.
io
ut
a.
b.
c.
st
di
Log on to EndPoint-Internal using the Training\HRUser1 and Password1 credentials.
Citrix Receiver appears because you previously installed Citrix Receiver for the TrainingHRUser1 end user.
4.
Verify that hosted applications are available to the end user from within Receiver.
In Module 5, you installed applications on the Win2012R2-Master VM which was used to create
Server2012R2-01 and then published the applications as hosted applications by creating a Delivery Group.
a.
b.
216
Click the + sign on the left side of the screen and then click All Applications to add resources to Receiver for
the logged on end user.
Select Microsoft Excel 2010, Microsoft PowerPoint 2010, and Microsoft Word 2010.
5.
Verify that a hosted application will start.

a.
b.
c.
d.
Click Microsoft Word 2010 in Receiver.

Wait while the application starts.
Click OK in the Enter your initials window, which may be behind the Receiver window.
Select Don't make changes in the Welcome to Microsoft Office 2010 screen and click OK.
This may take several minutes if the VM hosting the application is off. The Delivery Controller must start the
VM. Watch as Server2012R2-01 is started. This is the VM that has the Microsoft applications installed and
published. When the rotating circle beneath the application icon in Receiver disappears, the application has
successfully started. Look in the taskbar if the application does not appear on the screen.
6.
Verify that a change to a hosted application will be saved to the end-user's profile.
In Module 6, you enabled Profile Management in a policy and configured the location where end-users' profile
settings would be saved.
Right-click anywhere in the Microsoft Word icon ribbon.

Click Show Quick Access Toolbar Below the Ribbon.
Click the down arrow in the Quick Access Toolbar.
Click E-mail to add the email icon to the Quick Access toolbar.
Close Microsoft Word to save the changes to the end-user's profile.
Select the down arrow to the right of HRUser1 and then click Log Off.
ot
fo
rr
a.
b.
c.
d.
e.
f.

Click Microsoft Word 2010 in Citrix Receiver to re-open the application.
Verify that the Quick Access Toolbar is located below the icon ribbon and that the E-mail icon is included
on the Quick Access Toolbar proving that the end-user's changes were saved.
or
st
di
g.
h.
i.
j.
al
es
Due to session lingering, you must wait several minutes prior to logging on to test this
functionality.
ut
rib
Verify that a file saved to the Documents folder or the Desktop will be redirected to the corresponding folders on the file
server.
io
7.
In Module 3, you configured a share and permissions on the file server and then configured a policy to
redirect files that end users saved to their local Documents folder and the local Desktop to folders on the
share. To the end user, it will appear as if the file was saved locally even though it is being saved to the share.
217
a.
b.
c.
d.
e.
f.
g.
h.
i.
j.
8.
Type This is a test.

Click File > Save.
Click the Desktop folder in the left pane.
Type FolderRedirectionTest in the File name field and then click Save.
Click the File Explorer icon in the taskbar of EndPoint-Internal.
Click in a blank portion of the Address field.
Type \\FS-1\Users$\HRUser1 and then press Enter.
Double-click the Desktop folder.
Verify that the FolderRedirectionTest file appears in the folder proving that folder redirection is working.
Close the File Explorer window.
Verify that a session printer is available to the end user.

In Module 4, you configured the Universal Print Server to provide printers. In Module 6, you created a
Session printers policy that specified that any resource in the 192.168.10.60 - 192.168.10.80 IP address range
would be provided with a Color Laser Printer.
ot
fo
Close the Microsoft Word application without printing the document.
Discussion Question
al
es
rr
9.
Click File > Print in Microsoft Word.

Click the down arrow for the Printer field.
Select Color Laser Printer on ups-1 proving that the session printer was allocated to an endpoint in the
DHCP scope.
a.
b.
c.
What methods can be used to provide applications to end users using XenApp and XenDesktop?
e
or
Verifying Internal Access to a Server OS Machine (PVS)
st
di
for the end users in the environment, and in Module 6, you configured policies that customize the environment. You want to
validate that internal end users can use Receiver to access a Server OS machine created from a vDisk and that the end-users'
changes are saved appropriately to a profile or a file share.
rib
io
ut
Web site page.
To Verify Internal Access to a Server OS Machine Streamed Using PVS

1.
Select an end-user account that has been granted access to a Server OS machine.
In Module 7, you granted HDUser1 and HDUser2 access to a Server OS machine that boots using PXE.
2.
Log on to the internal endpoint using the selected end-user account.

Log on to EndPoint-Internal using the Training\HDUser1 and Password1 credentials.
3.

If this is the first time the end user has logged on to the endpoint, you will need to configure Citrix Receiver
for that end user.
218
a.
b.
c.
d.
e.
f.
g.
h.
i.
j.
Click Desktop on the Start screen.

Click Internet Explorer in the taskbar. Do not use Internet Explorer from the Start screen.
Type https://sfs-1.training.lab/citrix/store-1Web in the Address field and then press Enter.
Click OK in the Security Alert message, if it appears.
Select I agree with the Citrix license agreement and then click Install.
Select Save in the message that appears at the bottom of the window.
Click Run in the message that appears when the download is completed.
Click Install.
Click Finish and then click Log on.
Type the Training\HDUser1 and Password1 credentials and then click Log On.
If you do not install Citrix Receiver, an .ICA file will be downloaded to the endpoint. You will not be able to
open the .ICA file, because Receiver is not installed on the endpoint.
4.
Verify that a Windows Server OS machine is available to the end user within Receiver and that it can be started.
ot
There may be a delay after Step 4a while the Win2012R2PXE-01 VM is started by the Controller. You may
need to click Win2012R2 Server a second time if the spinning animation stops and the desktop does not
launch.
fo
Click Win2012R2 Server.

Click Allow in the Internet Explorer Security window, if it appears.
Click Save in the message that appears on the bottom of the window.
Click Open in the Downloads window.
Wait while the desktop starts.
Verify that HDUser1 appears in the upper-right corner of the Start screen.
Click Read/write access on the HDX File Access window.
al
es
rr
a.
b.
c.
d.
e.
f.
g.
or
If the Start screen is not visible, click the Windows Server desktop icon in the taskbar.
st
di
Verify that changes to the Windows Server OS machine are saved to the end-user's profile.
rib
5.
a.
b.
6.
io
ut
In Module 6, you configured a share for Profile Management and configured a policy to direct end-user's
changes to a Win2012 folder on the share.
Type WordPad on the Start screen.

Right-click WordPad and then click Pin to taskbar to trigger changes to the end-user's profile.
server.
share. To the end user, it will appear as if the file was saved locally.
219
a.
b.
c.
d.
e.
f.
g.
h.
i.
j.
k.
l.
7.
Click WordPad to open it.

Type Just a Test into the file.
Click File > Save.
Type FolderRedirectionTest2 in the Filename field and then click Save.
Click the File Explorer icon in the taskbar of Win2012R2 Server.
Click the Desktop folder to verify that it appears to the end user that the FolderRedirectionTest2 file was
saved locally.
Click to the left of the down arrow in the Address field.
Type \\FS-1\Users$\HDUser1 and then press Enter.
Double-click the Desktop folder.
Verify that the FolderRedirectionTest2 file appears in the folder, proving that folder redirection is working.
Verify that a session printer is available to the end user.
ot
Session Printer policy that specified that any resource in the 192.168.10.60 - 192.168.10.80 IP address range
would be provided with a Color Laser Printer.
If you closed WordPad, click the WordPad icon in the taskbar of the Win2012R2 Server to open it.
al
es
8.
Click the Win2012R2 Server desktop icon in the taskbar of Endpoint-Internal.

Click File > Print in WordPad.
Select Color Laser Printer on ups-1 in the Select Printer section of the window, proving that the session
printer was allocated to an endpoint in the DHCP scope.
Click Cancel to close the Print window.
rr
d.
fo
a.
b.
c.
or
Verify that a file saved to a folder other than those that are redirected will be copied to the end-user's network copy of
their profile.
st
di
redirect files that end users saved to the Desktop and the Documents folders on the file server in a UPM$
folder under %username%.%domain%. You did not redirect the My Music folder. Content saved to folders
that are not redirected are saved to the end-user's profile. You configured Citrix Profile Management to
manage the profiles and to use Active Writeback. Without Active Writeback, files in an end-user's profile are
only copied to the network share on log off.
Click File > Save As in WordPad.
Click This PC and then click the Music folder.
Type Song List in the Filename field and then click Save.
Close WordPad.
Click the File Explorer icon in the taskbar of EndPoint-Internal.
Click to the left of the arrow in the Address field of the File Explorer window.
Type \\FS-1\UPM$\HDUser1.Training and then press Enter.
Double-click Win2012 > UPM_Profile and then double-click the Music folder.
Verify that the Song List file exists, proving that content saved to folders that are not redirected are saved to
the end-user's profile and then copied to the network because of the use of Citrix Profile Management and
Active Writeback.
io
j.
ut
rib
a.
b.
c.
d.
e.
f.
g.
h.
i.
The Song List file may take a moment or two to appear. Either wait up to two minutes for Citrix Profile
Management Active Writeback to copy the file to the end-user's network copy of their profile or sign out of
Win2012R2-Server to force the entire profile to be copied to the network.
220
9.
Verify that the end user can successfully log off of a Windows Server OS machine and Citrix Receiver.
a.
b.
Click Start in the lower-left corner of the Win2012R2 Server desktop.

Click HDUser1 on the Start screen and then click Sign out.
Closing the desktop window without signing the end user out, disconnects the desktop. The desktop continues
to run.
10. Verify that customizations made to an application were saved to the end-user's profile.
a.
b.
c.
d.
e.
f.
g.
Click Win2012R2 Server.

Click Allow in the Internet Explorer Security window, if it appears.
Click Save in the message that appears on the bottom of the window.
Click Open in the Downloads window.
Wait while the desktop starts.
Click Desktop on the Start screen or click the Windows Server desktop icon in the taskbar.
Verify that WordPad appears in the taskbar, proving that customizations make to an application are saved to
the end-user's profile.
Click Start in the lower-left corner of the Win2012R2 Server desktop.

Click HDUser1 on the Start screen and then click Sign out.
Click HDUser1 at the top of the Citrix Receiver window and then click Log off.
fo
al
Discussion Question
es
rr
a.
b.
c.
ot
11. Log off of the Windows Server OS machine and Citrix Receiver.
or
You want to provide some end users with a Server OS machine and other end users with hosted applications but not a server
desktop. What is the most effective way of doing this?
st
di
Verifying Internal Access to a Desktop OS Machine
ut
rib
for the end users in the environment, and in Module 6, you configured policies that configure the environment. You want to
validate that internal end users can use Receiver to access a Desktop OS machine containing a Personal vDisk and that the
end-users' changes are saved appropriately to a profile, to a file share, or the Personal vDisk.
io
Web site page.
To Verify Internal Access to a Desktop OS Machine with a Personal vDisk

1.
Select an end-user account that has been granted access to a Desktop OS machine.
In Module 5, you granted AcctUser1 and AcctUser2 access to a Desktop OS machine configured to use a
Personal vDisk.
2.
Log on to the internal endpoint using the selected domain end-user account.
Log on to EndPoint-Internal using the Training\AcctUser1 and Password1 credentials.
3.
221
If this is the first time the end user has logged on to the endpoint, you will need to configure Citrix Receiver
for that end user.
a.
b.
c.
d.
e.
f.
g.
h.
i.
j.
k.
4.
Click Desktop on the Start screen.

Click Internet Explorer in the taskbar. Do not use Internet Explorer from the Start screen.
Type https://sfs-1.training.lab/citrix/store-1Web in the Address field and then press Enter.
Click OK in the Security Alert message, if it appears.
Select I agree with the Citrix license agreement and then click Install.
Select Save in the message that appears at the bottom of the window.
Click Run in the message that appears when the download is completed.
Click Install.
Click Finish and then click Log on.
Type Training\AcctUser1 in the User name field.
Type Password1 in the Password field and then press Enter or click Log On.
Verify that a Windows Desktop OS machine can be started.
Click Win8 Desktop.

Click Save and then click Open.
Verify that AcctUser1 appears in the upper-right corner of the Start screen.
ot
fo
a.
b.
c.
rr
The logon credentials were passed through from Citrix Receiver to the Windows Desktop OS.
al
es
5.
Verify that changes to the Windows Desktop OS are saved to the end-user's profile.
or
In Module 6, you enabled Profile Management in a policy and configured the location where end users' profile
settings would be saved.
Type WordPad on the Start screen.

Right-click WordPad and then click Pin to taskbar to trigger changes to the end-user's profile.
rib
6.
st
di
a.
b.
ut
server.
io
share. To the end user, it will appear as if the file was saved locally. If the file does not appear in Step 6g,
verify that File Explorer was opened on the Win8 Desktop and not on the Endpoint-Internal VM.
222
a.
b.
c.
d.
e.
f.
g.
h.
Click WordPad to open it.

Type Just a Test into the file.
Click File > Save.
Type FolderRedirectionTest3 in the Filename field and then click Save.
Click the File Explorer icon in the taskbar of Win8 Desktop.
Click Read/write access on the HDX File Access window if it appears.
Click the Desktop folder to verify that it appears to the end user that the FolderRedirectionTest3 file was
saved locally.
i. Click to the left of the down arrow in the Address field.
j. Type \\FS-1\Users$\AcctUser1 and then press Enter.
k. Double-click the Desktop folder.
l. Verify that the FolderRedirectionTest3 file appears in the folder, proving that folder redirection is working.
m. Close the File Explorer window.
7.
Verify that a session printer that you applied in a policy is available to the end user.
ot
Session printers policy that specified that any resource in the 192.168.10.60 - 192.168.10.80 IP address range
would be provided with a Color Laser Printer. If you closed WordPad, click the WordPad icon in the taskbar
of the Win8 Desktop to open it before proceeding.
al
es
Verify that a file saved to a folder other than Documents or Desktop will be redirected to the end-user's Personal vDisk.
8.
Click File > Print in WordPad.

Select Color Laser Printer on ups-1 in the Select Printer section of the window, proving that the session
printer was allocated to an endpoint in the DHCP scope.
Click Cancel to close the Print window.
rr
c.
fo
a.
b.
or
redirect files that end users saved to the Desktop and the Documents folders on the share. You did not
redirect the My Music folder. Content saved to folders that are not redirected are saved to the end-user's
profile.
Click File > Save as in WordPad.
Click This PC and then click the Music folder in the left pane.
Type Song List 2 in the Filename field and then click Save.
Close WordPad.
Click the File Explorer icon in the taskbar of Win8 Desktop.
Click This PC.
Double-click Citrix Personal vDisk (P:) to open the drive.
Double-click the Users > AcctUser1 > Music folders.
Verify that Song List 2 appears in the folder.
Click AcctUser1 and note that folders that are redirected such as the Desktop folder are not present.
io
ut
rib
9.
st
di
a.
b.
c.
d.
e.
f.
g.
h.
i.
j.
Verify that a file saved to a folder other than those that are redirected will be copied to the end-user's network copy of
their profile.
redirect files that end users saved to the Desktop and the Documents folders on the share. You did not
redirect the My Music folder. Content saved to folders that are not redirected are saved to the end-user's
profile. We configured Citrix UPM to manage the profiles and to use Active Writeback. Without Active
Writeback, files in an end-user's profile are only copied to the network share on log off.
a.
Click to the left of the down arrow in the Address field of the File Explorer window.
223
b.
Type \\FS-1\UPM$\AcctUser1.Training and then press Enter.

In Module 3, you configured Profile Management settings in a group policy to save the profile changes
to the file server in a UPM$ folder under %username%.%domain%.
c.
d.
Double-click Win8 > UPM_Profile and then double-click the My Music folder.
Verify the Song List 2 file exists, proving that content saved to folders that are not redirected are saved to the
end-user's profile.
e. Close the File Explorer window.
10. Verify that the end user can successfully log off of the desktop.
a.
b.
Click Start in the lower-left corner of the Win8 Desktop.

Click AcctUser1 on the Start screen and then click Sign out.
Closing the desktop window without signing the end user out, disconnects the desktop. The desktop continues
to run.
fo
st
di
Testing Remote Assistance
or
What is the Update Personal vDisk tool?
Discussion Question
al
es
rr
d.
e.
Click Win8 Desktop.

Click Desktop on the Start screen of the Win8 Desktop.
Verify that WordPad appears in the taskbar, proving that customizations made to an application are saved to
the end-user's profile.
Click Start in the lower-left corner of the Win8 Desktop.
Click AcctUser1 on the Start screen and then click Sign out.
ot
a.
b.
c.
11. Verify that customizations made to an application were saved to the end-user's profile.
ut
rib
In Module 6, you create a policy that granted members of the Training Users\IT group the ability to use Remote Assistance.
You want to validate that a member of this group can access Director and use it to shadow an end-user's session and assist in
correcting an issue that the end user may be having.
io
You will be using two accounts that are very similar: HRUser1 (Human Resources) and HDUser1 (HelpDesk) and
playing the role of the end user and the Help Desk administrator. To avoid issues with this test, verify that you are
using the correct system and end-user account.
To Test Remote Assistance

1.
Log on to Endpoint-Internal using the Training\HRUser1 and Password1 credentials.

If another end user is logged on the Endpoint-Internal VM, click Start, click the end-user name in the upperright corner of the window, and then click Sign out.
2.
3.
Type Receiver, and then press Enter.

Log on to Receiver using an end-user account.
224
If a message appears stating that some apps are no longer available, click Remove.
4.
Click Microsoft Word to start the application.

The environment is now ready for you to begin the test.
If Microsoft Word does not appear, click + > All Applications > Microsoft Word to add it.
5.
Log on to a VM using the authorized Remote Assistance account credentials of an end user that was added to the Remote
Assistance policy.
Log on to StudentManagementConsole-1 using the Training\HDUser1 and Password1 credentials.
6.
Open a browser.
ot
If another end user is logged on to the StudentManagementConsole-1 VM, click Start, click the end-user name
in the upper-right corner of the window and then click Sign out.
fo
Click Internet Explorer in the taskbar.
rr
Do not use Internet Explorer on the Start screen.
al
es
Click Ask me later, if a Windows Internet Explorer 10 message appears.
Type the URL for Director into the Address field of the browser and then press Enter.
7.
8.
or
Type https://c-1.training.lab/Director in the Address field and then press Enter to open Director.
Type the Training\HDUser1 and Password1 credentials.

Click Log On.
Click Not for this site if the message appears to store your password.
ut
rib
a.
b.
c.
st
di
9. Click OK, if a Security Alert message appears.

10. Log on to Director using authorized Remote Assistance account credentials.
Type HRUser1 in the Search for users field and then press Enter.
io
11. Type the end-user account to assist in the Search for users field and then press Enter.
12. Click Shadow, click Save, and then click Open in the Invite.msrcincident message.
13. Switch to the VM being used by the end user you are assisting and then click Yes in the Windows Remote Assistance
message.
Switch to the Endpoint-Internal VM and then click Yes in the Windows Remote Assistance message.
This is the message that the end user will see whenever a Remote Assistance session is started by an
authorized helper. In Module 6, you set up a policy to allow members of the TrainingHelpDesk,
TrainingXenDesktop Admins, and TrainingDomain Admins groups to be helpers.
14. Verify that you can see the end-user's screen from Director.
Switch to the StudentManagementConsole-1 VM and verify that you can see the Microsoft Word document and the
Windows Remote Assistance toolbar.
15. Click Request control at the top of the Windows Remote Assistance window.
225
16. Switch to the VM being used by the end user, and then click Yes in the "Would you like to allow <username> to share
control of your desktop?" message.
Switch to Endpoint-Internal and then click Yes in the "Would you like to allow HDUser1 to share control of your
desktop?" message.
If the end user selects No, the Help Desk person will be able to view the screen, but not use the mouse or
keyboard within the end-user's session.
17. Switch to the system that is logged on with Director and move the Windows Remote Assistance toolbar out of the way.
Switch to the StudentManagementConsole-1 VM and move the Windows Remote Assistance toolbar out of the way
by dragging it lower on the screen.
18. Show HRUser1 how to do something in the application or desktop.
a.
b.
c.
Click the down arrow in the gray bar directly above the blank Word page.
Select Spelling & Grammar from the menu.
Point out the ABC icon that is now in the Quick Access toolbar.
19. Switch to the end-user's VM and verify that the change is visible.
ot
Switch to the Endpoint-Internal VM and verify that the ABC icon is available in the Quick Access toolbar.
fo
20. Click Stop sharing in the Windows Remote Assistance window.
es
rr
If the Windows Remote Assistance window is not visible, click the icon in the Windows taskbar.
al
21. Close the Windows Remote Assistance window on the end user's machine.
22. Close the Windows Remote Assistance window on the helper's machine.
Switch to the StudentManagementConsole-1 VM and then close the Windows Remote Assistance window.
or
23. Log off of Director.
rib
Discussion Question
st
di
Click Log Off on the top right of the Director page and then close Internet Explorer.
Testing Delivery Controller High Availability
io
ut
You need to assist an end user using Remote Assistance. When you attempt to start the Remote Assistance session, the
Microsoft Remote Assistance (.msra) file does not open. What might be the issue?
In Module 4, you configured redundancy to protect your XenApp and XenDesktop environment in the event that one of your
Delivery Controller servers went down. For this test, you will assume that the redundant servers are on different hosts. You
need to validate that when one of the Delivery Controllers becomes unavailable, the other server will continue to provide
resources without impacting your end users. In addition, you want to verify that once a connection is brokered by a Delivery
Controller, the connection will continue to run even though the Delivery Controller is no longer available.
In our lab environment, the redundant servers were installed on the same XenServer host due to lab constraints.
This means that if the host goes down, the redundant servers in the environment would not provide high
availability. In a real-world environment, you would implement your redundant servers (domain controllers,
Delivery Controllers, StoreFront servers, Provisioning Services servers, etc.) on different hosts.
226
To Test Delivery Controller High Availability

1.
Verify that the first Delivery Controller is running.

Verify that Controller-1 is running.
2.
Shut down the second Delivery Controller.

Verify Controller-2 is not running.
You are shutting down Controller-2 to force the next connection to start using Controller-1.
3.
Log on to an internal endpoint using the credentials of an end user that has resources made available to them through
XenApp and XenDesktop.
Log on to EndPoint-Internal using the Training\HRUser1 and Password1 credentials.
4.
5.
Type Receiver on the Start screen and then click Citrix Receiver.
Log on to Receiver using the credentials of the end user selected in Step 3.
6.
ot

Start a resource in Receiver.
Wait while the resource starts.
rr
7.
fo
Click Microsoft Word 2010 in Receiver to start the application through Controller-1.
8.
Start the second Delivery Controller.
al
es
This may take several minutes if the VM hosting the application or desktop is off because the Delivery
Controller must start the VM first. Watch as Server2012R2-01 is started. When the rotating circle beneath the
application icon in Receiver disappears, the application or desktop has successfully started. Look in the taskbar
if the application or desktop does not appear on the screen.
Wait for the second Delivery Controller to complete its startup and then log on using domain administrator credentials.
st
di
9.
or
Right-click Controller-2 and then click Start.
Log on using the Training\Administrator and Password1 credentials.
ut
rib
10. Click Start, type Studio, and then click Citrix Studio on Controller-2.
11. Shut down the first Delivery Controller to force the next connection to be brokered through the second Delivery
Controller and to verify that the original end-user's resource continues to work.
12. Verify that the resource is still running on the internal endpoint.
io
Right-click Controller-1, click Shut Down, and then click Yes in the Shut Down VM message.
Click EndPoint-Internal and then verify that Microsoft Word is still running which proves that a Delivery Controller
is not needed once the connection is brokered.
13. Close the resource and then open another resource.
Close Microsoft Word 2010, and then click Microsoft PowerPoint 2010 in Receiver to start the application
through Controller-2.
14. Shut down the second Delivery Controller VM.
Shut down Controller-2.
227
15. Verify that the resource is still running on the internal endpoint even though no Delivery Controllers are running in the
environment.
Click EndPoint-Internal and then verify that Microsoft PowerPoint 2010 is still running which proves that a
Delivery Controller is not needed once the connection is brokered.
16. Close the resource.
Close Microsoft PowerPoint 2010.
17. Start the first Delivery Controller.

Right-click Controller-1, click Start and then log on using the Training\Administrator and Password1 credentials.
Discussion Question
Why is it important that you configure more than one Delivery Controller in your environment?
ot
Testing SQL Server Mirroring
fo
In Module 3, you configured SQL Server mirroring to protect your XenApp and XenDesktop environment in the event that
one of your SQL Servers went down or became unavailable. For this test, you will assume that the SQL Servers are on
different hosts. You need to validate that when one of the SQL Servers goes down, the SQL Server Witness will immediately
notify the other SQL Server to take over. To test this, you need to shut down one of the SQL Servers, make a change in Citrix
Studio, and then verify that the information is available to the other SQL Server when it comes back online.
es
rr
al
In our lab environment, the SQL Servers were installed on the same XenServer host due to lab constraints. This
means that if the host goes down, all of the SQL Servers would be unavailable and XenApp and XenDesktop
would fail. In a real-world environment, you would implement your SQL Servers on different hosts.
Shut down the second SQL Server.

Verify SQLServer-2 is not running, if it is then shut it down.
st
di
1.
or
To Test SQL Server Mirroring
rib
Verify that the first SQL Server and the SQL Server witness are running.
Verify that the SQLServer-1 and SQLServer-Witness VMs are running.
2.
io
ut
You are shutting down SQLServer-2 to ensure that the change is being reflected on SQLServer1. Remember
that the Delivery Controller stores all information in the SQL Server database.
If they are not running, start them before proceeding.
3.
Log on to a Delivery Controller using domain administrator credentials.

Log on to Controller-1 using the Training\Administrator and Password1 credentials.
4.
5.
6.
Click Start > Citrix Studio on the Delivery Controller.

Click Delivery Groups in the left pane of Citrix Studio.
Right-click a Delivery Group and then click Rename Delivery Group.
Right-click the Office Apps Delivery Group and then click Rename Delivery Group.
228
7.
Type a new name for the Delivery Group and then click OK.
Type Office 2010 Apps in the Specify new name field and then click OK.
8.
Verify that the new name appears in the Delivery Groups node on the Delivery Controller proving that the SQL Server
database is available.
Verify that Office 2010 Apps appears in the Delivery Groups node.
9.
Start the second SQL Server.

Right-click SQLServer-2 and then click Start.
10. Wait for the second SQL Server to start.

Wait for the SQLServer-2 to complete its startup.
11. Log on to the first SQL Server, open SQL Server Management Studio, type the name of the first SQL Server in the
Server name field, and then click Connect.,
Log on to SQLServer-1 as Training\Administrator.
Open SQL Server Management Studio.
Type SQL-1 in the Server name field and then click Connect.
a.
b.
c.
ot
12. Expand Databases, right-click your XenApp and XenDesktop database, and then select Tasks > Launch Database
Mirroring Monitor.
fo
Expand Databases.
Right-click CitrixMain Site and then select Tasks > Launch Database Mirroring Monitor.
rr
a.
b.
es
13. Verify that both SQL Servers have green check marks for the Mirroring State and Witness Connection.
al
It may take a couple of minutes for the check marks to appear. Do not proceed to the next step until the check
marks are green on both SQL Servers.
or
14. Return to the first Delivery Controller and then click Refresh.
st
di
Return to Controller-1 and then click Refresh in the right pane of the Delivery Groups node to refresh the
information on the screen.
15. Verify that the new name for the Delivery Group appears.
rib
Verify that Office 2010 Apps appears.
ut
16. Shut down the first SQL Server.
17. Wait for the icon for the first SQL Server to turn red in XenCenter.
18. Click Refresh in the console of the first Delivery Controller.
io
Right-click SQLServer-1, click Shut Down, and then click Yes in the Shut Down VM message.
Return to Controller-1 and then click Refresh in the right pane of the Delivery Groups node to refresh the
information in the screen.
19. Verify that the new name for the Delivery Group appears, proving that SQL Server mirroring is working.
Verify that Office 2010 Apps appears.
20. Change the name of the resource back to its original name.
a.
b.
Right-click the Office 2010 Apps Delivery Group and then click Rename Delivery Group.
Type Office Apps in the Specify new name field and then click OK.
21. Verify that the original name appears in the Delivery Groups node on the Delivery Controller proving that the SQL
Server database is available.
Verify that Office Apps appears in the Delivery Groups node.
229
Discussion Question
In addition to using SQL Server mirroring, what other options are available for protecting the XenApp and XenDesktop and
Provisioning Services databases?
Reinforcement Exercise: Verifying Internal Access to a Server OS Machine

(MCS)
Verify a service account.
Verify a DHCP scope.
Verify SSL communications with StoreFront.
Verify Provisioning Services vDisks storage location.
Verify the end-user environment for:
Hosted applications.
Server OS machines created from a vDisk.
Desktop OS machines containing a Personal vDisk.
Verify the Remote Assistance configuration.
Verify Delivery Controller high availability.
Verify SQL Server mirroring.
ot
fo
al
es
rr
You are ready to try your hand at testing a Server OS machine created using Machine Creation Services to see if you can
apply what you have learned.
or
st
di
During the Reinforcement Exercise in Module 5, you created a Server OS machine for Training using Machine Creation
Services. You granted Contractor1 and Contractor2 access to the desktop using a Delivery Group. Now you need to verify
that members of the Contractors group can access a Server OS machine and that the end-user experience is as expected.
rib
If you did not complete the Reinforcement Exercise in Module 5, you will not be able to complete this exercise.
5.
6.
7.
8.
9.
230
1.
2.
3.
4.
io
ut
Log on to Endpoint-Internal using the Training\Contractor1 and Password1 credentials.

Install Citrix Receiver from the Receiver for Web site (https://sfs-1.training.lab/citrix/store-1Web).
Verify that Contractor1 can start a Win2012R2 Server desktop.
server.
Verify that a file saved to a folder other than Documents or Desktop will be redirected to the end-user's share.
Verify that the Color Laser Printer on ups-1 session printer is available to the end user.
Pin WordPad to the taskbar.
Verify that the change to the Windows Server OS machine (WordPad pinned to the taskbar) is saved to the end-user's
profile and are available at next log on.
Log off of the Win2012R2 Server desktop, logoff of Citrix Receiver and then close Citrix Receiver.
Module 9
Setting Up NetScaler
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
ot
N
fo
e
al
es
rr
or
st
di
n
io
ut
rib
232
Setting Up NetScaler
Overview
The Configure NetScaler Gateway for Enterprise Store wizard should not be used with the NetScaler version being
used in the lab environment (NetScaler 10.1 Build 123.9). Using this wizard will result in http being used instead
of https even though you selected https in the wizard. For this reason, you should follow the steps provided in the
exercises rather than use the wizard. The steps in the exercises will bypass this issue.
The Citrix NetScaler product line optimizes delivery of applications over the Internet and private networks, combining
application-level security, optimization, and traffic management into a single, integrated appliance. You can install a NetScaler
appliance in the DMZ and route all connections from the endpoints to your managed servers through it. The NetScaler
features that you enable and the policies you set are then applied to incoming and outgoing traffic.
The features available in NetScaler are based on the license installed.
A NetScaler Gateway Platform license allows an unlimited number of end users to access internal XenApp and
XenDesktop resources using ICA proxy without compromising the security of your internal network.
A NetScaler Gateway Universal license enables a full VPN tunnel, endpoint analysis, policy-based SmartAccess, and
clientless access to Web sites and file shares in your internal network.
ot
For more information about NetScaler licensing, search www.citrix.com for "netscaler-data-sheet.pdf".
fo
Perform the initial NetScaler configuration.

Configure NetScaler high availability.
Load balance StoreFront servers through NetScaler.
Enable remote access to the StoreFront store.
Configure HDX (ICA) proxy.
Configure a pre-authentication policy to scan an endpoint.
Configure NetScaler for email-based account discovery.
al
es
or
rr
st
di
n
io
ut
rib
Module 9: Setting Up NetScaler
233
ot
Please perform the following steps to ensure that you will have sufficient lab environment resources available to
complete this module.
Shut down the following VMs:
Win2012R2PXE-01 (Wait for this VM to completely shut down before proceeding.)
ProvisioningServicesHost-1
Server2012R2-01
UniversalPrintServer-1
EndPoint-Internal
Start the following VMs:
Controller-2
EndPoint-External
StoreFrontServer-2
Verify that the following VMs are started before proceeding:
Controller-1 = On
Controller-2 = On
EndPoint-External = On
FileServer-1 = On
SQLServer-2 = On
Static-PvD-01 = On
All other VMs should be off.
fo
al
es
rr
or
To Import the NetScaler Gateway VPX
st
di
ut
rib
The NetScaler VPX has already been imported into the lab environment. You should use the pre-created VMs
instead of downloading and importing the NetScaler appliance. To experience importing the NetScaler VPX, we
have provided an exercise below. Click the following link and use the steps in this course to complete the exercise:
Importing NetScaler VPX Exercise
Click File > Import in the XenCenter console.

Click Browse and then browse to the location of the NetScaler VPX image file.
io
1.
2.
Click Browse.
3.
Select the image file and then click Open.

Select the NSVPX-XEN-10.0-54.7_nc.xva image file and then click Open.
4.
5.
Click Next.
Select the location where the imported VM will be placed.
Select the XS1 XenServer and then click Next.
6.
Select the local storage repository on which to store the virtual appliance and then click Import to begin the import
process.
Select NFS virtual disk storage and then click Import.
234
7.
Select the network interface to be used by the VM image and then click Next.
Verify that Network 0 is selected on Interface 0 and then click Next.
8.
Review the import settings and then click Finish to complete the import process.
The imported NetScaler VPX appears in XenServer after the import is finished. The imported NetScaler VPX
will be configured in an exercise later in this module.
9.

Click the X in the upper-right corner of the XenCenter window to close the exercise.
Discussion Question
When is the default IP address of 192.168.100.1 / 255.255.255.0 used to configure a NetScaler?
Creating the NetScaler VM
ot
The NetScaler resides in the DMZ between the endpoints and the servers, so that requests for resources and the server
responses pass through it. In a typical installation, virtual servers (vServers) configured on the NetScaler provide connection
points that endpoints use to access the resources behind the firewall.
fo
es
rr
The NetScaler VMs are already created in the lab environment. The following procedure is provided for
informational purposes only. You do not need to create NetScaler VMs in the lab environment.
Open XenCenter.
Right-click the NetScaler template in XenCenter and then click New VM wizard.
or
1.
2.
al
To Create a NetScaler VPX VM
st
di
The NetScaler template in XenCenter was created by converting the imported NetScaler VPX appliance into a
template.
rib
Verify that the NetScaler template is selected and then click Next.
Type a name for the NetScaler in the Name field.
Determine the home server for the VM and then click Next.
Specify the vCPU and memory to allocate to the VM and then click Next.
Specify the vDisks to use and then click Next.
Click Properties, select the DMZ network, and then click OK.
Click Next and then click Finish.
io
ut
3.
4.
5.
6.
7.
8.
9.
Discussion Question
How many concurrent end-user connections can a NetScaler VPX support?
Performing the Initial NetScaler Configuration

NetScaler uses FreeBSD as its OS. The NetScaler kernel can be accessed through a browser or an SSH connection. The
command-line interface (CLI) on Console 0 is used for the initial configuration of the NetScaler including the network
configuration and device name. All other configuration is performed using the SSH client or the NetScaler Configuration
utility.
235
You should pay close attention whenever you are asked to type anything into the NetScaler interface. Check and
then double-check everything before moving to the next step in all NetScaler procedures. This can reduce the
amount of troubleshooting you need to do later.
To Perform the Initial Configuration of the First NetScaler

1.
Right-click the NetScaler VM in XenCenter and then click Start.

Right-click NetScaler-1 and then click Start.
2.
3.
Click the Console tab.

Type the IPv4 address that you want to assign to the NetScaler at the prompt and then press Enter.
Type 192.168.10.33 and then press Enter.
4.
Type the subnet mask for the IP address at the prompt and then press Enter.
5.
Type the default gateway address at the prompt and then press Enter.
Type 4 to save the configuration and then press Enter.

Wait approximately 60 seconds for the initialization to finish.
Log on to a system that has Java installed to access the NetScaler Configuration utility.
fo
6.
7.
8.
ot
rr
Log on to the StudentManagementConsole-1 VM using the TRAINING\Administrator and Password1 credentials.
es
Open a browser.
Double-click Firefox on the desktop.
or
9.
al
The StudentManagementConsole-1 VM is being used in this lab to access a browser. Any system with Java
installed could be used at this point.
st
di
Do not use Internet Explorer to manage the NetScaler in this lab environment.
rib
10. Type the IP address that you assigned to the first NetScaler VM into the Address field and then press Enter.
11. Type the user name and password into the appropriate fields and then click Login.
Type nsroot in both fields and then click Login.
io
ut
Type 192.168.10.33 into the Address field and then press Enter.
12. Wait for the Setup Wizard to open.

If you receive an error about Java, close the error window, and then restart the Setup Wizard.
13. Verify that the NetScaler IP Address is correct.

Verify that the NetScaler IP address is 192.168.10.33
14. Type the Subnet IP (SNIP) in the Subnet IP Address field.

Type 192.168.10.34 in the Subnet IP Address field.
236
15. Type the Subnet IP Address Netmask in the Subnet IP Address NetMask field.
16. Type a host name in the Host Name field.
Type NS-1 in the Host Name field.
17. Select the correct time zone in the Time Zone field.
Select GMT-5:00-EST-America/Jamaica.
18. Select Change Administrator Password.
19. Type the new password in both password fields.
Type Password1 in both password fields.
20. Click Continue.
21. Click Browse in the Update Licenses section.
22. Browse to the location where the license file is stored.
Type \\AD\lab_resources in the File Name field and then press Enter.
23. Click the license file and then click Open.
ot
Click ns_license.lic and then click Open.
fo
24. Click Continue.

25. Click Done.
26. Click Yes in the Confirm message to restart the NetScaler.
al
es
rr
Discussion Question
How do you access the NetScaler Configuration utility?
or
Configuring NTP
st
di
ut
rib
Network Time Protocol (NTP) uses a time server to provide all devices in an environment with an authoritative source from
which to synchronize their local clocks. The time server can be private or public. If the servers in the environment do not
have their local clocks set consistently, Kerberos authentication may fail and Event Logs may not be time stamped properly.
NTP configuration should be configured on the NetScaler immediately after the initial configuration is completed. NTP
servers that have been retired or are no longer accessible should be removed from the NetScalers.
io
In the lab, you are using the domain controller to provide the NTP service.
To Synchronize the Time on the NetScaler

1.
Log on to a system that has Java installed using domain administrator credentials.
Log on to StudentManagementConsole-1 with the TRAINING\Administrator and Password1 credentials.
2.
Open a browser, type the IP address of the NetScaler, and then press Enter.
Open Firefox, type 192.168.10.33, and then press Enter.
3.
Log on to the NetScaler with the NetScaler credentials.

Type nsroot and Password1 and then press Enter.
4.
Click System > NTP Servers and then click Add at the top of the NTP Servers tab.
237
5.
Type the IP address of the NTP server in the NTP Server field and then click Create.
Type 192.168.10.11 in the NTP Server field and then click Create.
This step can be repeated to add additional NTP servers. One of the NTP servers can also be set as preferred.
6.
7.
8.
Click Close.
Right-click NTP Servers in the left pane and then click NTP Synchronization.
Select the desired state and then click OK.
Select Enabled and then click OK.
9. Right-click NTP Servers in the left pane and then click NTP Parameters.
10. Set the desired parameters and then click OK.
Deselect Authentication and then click OK.
ot
Discussion Question
What will happen if the time server configured to provide NTP services to the NetScaler becomes unavailable?
fo
rr
Configuring NetScaler High Availability
al
es
A high availability deployment of two NetScalers can provide uninterrupted operation to any transaction. In a highavailability pair configuration, only one system is active. This system, which is known as the primary, actively accepts
connections and manages servers. All shared IP addresses are active on the primary system only.
The secondary system monitors the health of the primary system. If the secondary system senses a failure on the primary
system, then the secondary system assumes the role of the primary with all of the primary settings. This process prevents
downtime and ensures that the services provided by the NetScaler system remain available even if one system ceases to
function.
or
1.
Verify that each NetScaler has a unique NSIP (NetScaler IP address.) The NSIP is used to determine which NetScaler is
the primary and which is the secondary system. The two NetScalers communicate with each other using the NSIP and a
heartbeat packet is sent every 200 milliseconds via UDP port 3003 to determine the health of the systems.
Configure one of the NetScalers with the NSIP of the other NetScaler.
Enable the HA pair to complete the configuration.
io
ut
rib
2.
3.
st
di
To set up a NetScaler HA pair:
To Perform the Initial Configuration of the Second NetScaler

1.
Right-click the NetScaler VM in XenCenter and then click Start.

Right-click NetScaler-2 and then click Start.
2.
Log on to a system that has Java installed to access the NetScaler Configuration utility.
Log on to the StudentManagementConsole-1 VM using the TRAINING\Administrator and Password1 credentials.
The StudentManagementConsole-1 VM is being used in this lab to access a browser. Any system with Java
installed could be used at this point.
3.
Open a browser.
Double-click Firefox on the desktop.
238
Do not use Internet Explorer to manage the NetScaler in this lab environment.
4.
Type the IP address assigned to the NetScaler VM into the Address field and then press Enter.
Type 192.168.10.35 into the Address field and then press Enter.
5.
Type the user name and password into the appropriate fields and then click Login.
Type nsroot in both fields and then click Login.
6.
Wait for the Setup Wizard to open.

If you receive an error about Java, close the error window, and then restart the Setup Wizard.
7.
Verify that the NetScaler IP Address is correct.

Verify that the NetScaler IP address is 192.168.10.35
ot
N
8.
Type the Subnet IP (SNIP) in the Subnet IP Address field.
Type the Subnet IP Address Netmask in the Subnet IP Address NetMask field.
rr
9.
fo
es

10. Type a host name in the Host Name field.
al
Type NS-2 in the Host Name field.
11. Select the correct time zone in the Time Zone field.
or
Select GMT-5:00-EST-America/Jamaica.
rib
Type Password1 in both password fields.
st
di
12. Select Change Administrator Password.

13. Type the new password in both password fields.
Type \\AD\lab_resources in the File Name field and then press Enter.
io
ut
14. Click Continue.

15. Click Browse in the Update Licenses section.
16. Browse to the location where the license file is stored.
17. Click the license file and then click Open.

Click ns_license.lic and then click Open.
18. Click Continue.
19. Click Done.
20. Click Yes in the Confirm message to restart the NetScaler.
To Configure a Second NetScaler for Redundancy

1.
Start the first NetScaler VPX, if it is not started.

Double-click the NetScaler-1 VM in XenCenter.
239
2.
Start the second NetScaler VPX and wait for it to complete its startup process.
Double-click the NetScaler-2 VM and wait for approximately 60 seconds for it to complete its startup.
3.
4.
Open a browser, type the IP address of the first NetScaler, and then press Enter.
5.
Log on to the first NetScaler using the NetScaler credentials.

Log on to NetScaler-1 using the nsroot and Password1 credentials.
6.
Expand the System > Network node on the first NetScaler, select IPs, and then write down the NetScaler IP (NSIP)
address.
This is the IP address of the first NetScaler and must be unique in the environment.
ot
8.
Click the Interfaces node in the left pane, scroll to the right in the Interfaces pane, and then verify that HA Monitoring
is enabled on interface 1/1.
Open another tab in the browser, type the IP address for the second NetScaler, and then press Enter.
7.
Log on to the second NetScaler using the NetScaler credentials.
rr
9.
fo
Open another tab in Firefox, type 192.168.10.35, and then press Enter.
es
al
10. Expand the System > Network node on the second NetScaler, select IPs, and then write down the NetScaler IP (NSIP)
address.
This is the IP address of the second NetScaler and must be unique in the environment.
or
st
di
11. Click the Interfaces node in the left pane, scroll to the right in the Interfaces pane, and then verify that HA Monitoring
is enabled on interface 1/1.
12. Click the tab in the browser for the first NetScaler, browse to the System > High Availability node, and then click Add
at the top of the Nodes tab to open the High Availability Setup window.
rib
13. Activate the Java plugin if it is being blocked by your browser.
io
ut
Performing this procedure on the wrong NetScaler will result in the first NetScaler becoming the secondary
node.
Click the red icon that appears to the left of the URL, click Allow and remember and then click Run.
14. Type the NSIP address of the second NetScaler in the Remote Node IP Address field.
Type 192.168.10.35.
15. Verify that Configure remote system to participate in High Availability setup and Turn off HA Monitor on
interfaces/channels that are down are both selected.
16. Click OK and then click OK in the Information dialog box.
17. Click the Refresh icon at the top of page for the first NetScaler to refresh the high-availability information.
This is not the refresh button for the browser, but a button on the Web page itself.
240
18. Verify that the IP address of the first NetScaler appears as the primary system, the IP address of the second NetScaler
system appears as the secondary system, and that both Node states are Up.
Verify that 192.168.10.33 appears as the primary NetScaler, 192.168.10.35 appears as the secondary NetScaler, and
that both Node states show as Up.
19. Click the tab in the browser for the second NetScaler and then browse to the System > High Availability node.
20. Click the Refresh icon to refresh the high availability information.
This is not the refresh button for the browser, but a button on the Web page itself.
21. Verify that the IP address of the first NetScaler appears as the primary system, the IP address of the second NetScaler
system appears as the secondary system, and that both Node states are Up.
Verify that 192.168.10.33 appears as the primary NetScaler, 192.168.10.35 appears as the secondary NetScaler, and
that both Node states show as Up.
Discussion Question
ot
In the lab environment you configured the NetScalers with one node acting as the primary node and the other acting as the
secondary node. What do these roles mean?
fo
rr
Setting Up DNS
es
NetScaler uses DNS for name resolution. In this procedure, you are adding DNS entries for the virtual servers configured on
the NetScaler and configuring NetScaler to use a DNS server for name resolution.
al
An Address (A) record is an entry in DNS that maps a fully qualified domain name (FQDN) to an IP address. You must set
up an A record for the NetScaler and the load-balanced StoreFront servers because you will be creating SSL certificates and
the common name will be the FQDN.
or
st
di
n
io
ut
rib
1.
2.
3.
4.
5.
XenApp and XenDesktop components are installed on physical or virtual machines.

Each machine that will be load balanced needs a "server" entity to be created on the NetScaler.
"Service" entities are created and associated with each "server" entity.
Load balancing "virtual servers" are created for each set of "services" you want to load balance. The "services" are bound to
the appropriate "virtual server".
A monitor is configured for each "service" on the NetScaler to determine if the actual system to be load balanced, as
defined in the "service" and "server" entities, is up and ready to accept connections. If it is offline or experiencing issues,
the monitor flags the "service" as down so that the load balancing "virtual server" does not direct communications to it.
241
To Configure DNS A Records for the NetScaler

1.

2.
3.
Click Tools at the top right of the Server Manager window and then click DNS.
Browse to the forward lookup zone for the domain.
Browse to ad > Forward Lookup Zones > training.lab.
4.
Right-click the domain name and then click New Host (A or AAAA) to create an A record for the NetScaler.
Right-click training.lab and then select New Host (A or AAAA).
5.
Type a name for the new NetScaler host in the Name field and then type the IP address of the host.
Type access in the Name field and then type 192.168.10.50 in the IP Address field.
6.
7.
Click Add Host and then click OK.

Type a name for the new StoreFront host in the Name field and then type its IP address.
Type sf and then type 192.168.10.51 in the IP Address field.
ot
You will create a virtual server tied to this IP address later.
fo
es
rr
8. Click Add Host and then click OK.

9. Click Done.
10. Log on to a system that has Java installed using domain administrator credentials.
al

11. Open a browser, type the IP address of the first NetScaler, and then press Enter.
or
st
di
12. Log on to the first NetScaler using the NetScaler credentials.
16. Click Close.
io
Type 192.168.10.11 in the IP Address field and then click Create.
ut
rib
13. Expand the Traffic Management > DNS > Name Servers nodes in the left pane of the first NetScaler.
14. Click Add to add a new Name Server.
15. Type the IP address of the DNS server in the environment into the IP Address field and then click Create.
Discussion Question
If you add another StoreFront server to the environment, how many more virtual servers (vServers) do you need to add to
NetScaler?
Creating Certificates for NetScaler

Certificates can be issued by a third-party CA or be self-signed. A self-signed certificate guarantees its own trust and security
but has no one to "vouch" for it. A third-party certificate is signed by a trusted third-party Certificate Authority root
certificate indicating that the third party "vouches" for it. The root certificates from some large third-party Certificate
Authorities are automatically marked as trusted by Web browsers and programs. This is important because browsers check to
determine if an encrypted HTTPS connection has a certificate signed by a trusted root certificate. If a certificate is not trusted
or is not signed by a trusted root certificate, then end users will be warned that the site should not be trusted. For this reason,
all external-facing components in the environment should use certificates signed by a third-party Certificate Authority.
242
Internal components should be signed by certificates issued by an internal enterprise Certificate Authority. The root certificate
of the internal Certificate Authority should be trusted by all internal devices. When using the Microsoft Enterprise Certificate
Authority role in an Active Directory infrastructure, the root certificate is automatically distributed to and trusted by all
domain-joined machines running a Microsoft operating system. These certificates would not be appropriate to use on
external-facing services as the majority of browsers that come across the certificate will not trust it and will present a warning.
Creating a Wildcard Certificate for Internal Resource Access

Wildcard SSL certificates are processed in the same way as regular SSL certificates. Placing a wildcard character before the
domain name (for example, *.training.lab), will secure any FQDN ending in .training.lab, but not its subdomains.
The wildcard character only covers one full stop (period) in the address. For example, while the certificate would
secure the accounts.training.lab and hr.training.lab FQDNs, it would not secure the new.accounts.training.lab
FQDN.
If you use a third-party and assign it to the domain, you would need to purchase additional certificates for each FQDN. This
could become expensive if you have multiple sub-domains. In addition, you would have to manage the expiration and
replacement of multiple certificates instead of just one.
1.
ot
To Create a Wildcard Certificate for the Domain

Open a browser, type the IP address of the first NetScaler, and then press Enter.
rr
2.
fo
Log on to the first NetScaler with the NetScaler credentials.
al
3.
es
Expand the Traffic Management node in the left pane.

Right-click SSL and then click Enable Feature in the NetScaler Configuration utility.
or
4.
5.
st
di
While this step is not a part of creating a certificate, SSL must be enabled on the NetScaler in order to use the
certificate that you are creating.
rib
Click SSL in the left pane and then click Create RSA Key in the SSL tab.
Type a name in the Key Filename field.
Type an appropriate key size in the Key Size (bits) field.
8.
io
Type wildcard_training_lab.key in the Key Filename field.
ut
6.
7.
Type 2048 in the Key Size (bits) field.

9.
Select a key format and a PEM encoding algorithm.

Select PEM for the key format and then select DES3 for the PEM encoding algorithm.
10. Type a passphrase in the PEM Passphrase and Confirm PEM Passphrase fields and then click OK.
Type Password1 in the PEM Passphrase and Confirm PEM Passphrase fields and then click OK.
11. Click Create CSR (Certificate Signing Request) in the SSL tab.
12. Type a name in the Request File Name field.
Type wildcard_training_lab.csr in the Request File Name field.
13. Click Browse to the right of the Key Filename field and then double-click the name of the key file created earlier.
Click Browse to the right of the Key Filename field and then double-click wildcard_training_lab.key.
243
14. Type the password in the PEM Passphrase field.

Type Password1 in the PEM Passphrase field.
15. Select the country and then type the state or province to use for the certificate.
Select United States in the Country field and then type Florida in the State or Province field.
16. Specify a name for the organization in the Organization Name field.
Type Training in the Organization Name field.
17. Type the FQDN of the company or Web site in the Common Name field and then click OK.
Type *.training.lab in the Common Name field and then click OK.
You are creating a wildcard certificate, so you are using a wildcard character in the FQDN.
18. Click Manage Certificates / Keys / CSRs in the Tools section of the SSL tab.
19. Click Yes to confirm refresh, if a prompt appears.
20. Select the certificate signing request that you created and then click View at the bottom of the window.
ot
Select the wildcard_training_lab.csr file and then click View.
fo
Selecting the wrong file will result in you receiving an "ASN1 bad tag value met" error during the certificate
request.
es
rr
Select Internet Explorer in the taskbar of StudentManagementConsole-1.

Type http://AD/certsrv/ and then press Enter to access the Certificate Authority.
Type TRAINING\Administrator in the User name field, Password1 in the Password field, and then click
OK.
or
24. Use the certificate signing request to request the certificate.
st
di
a.
b.
c.
al
21. Press Ctrl+A and then press Ctrl+C to copy all of the text to the clipboard.
22. Click Close and then click Close again.
23. Browse to the internal Certificate Authority issuer and follow their steps to generate a certificate.
rib
d.
e.
f.
g.
h.
i.
j.
k.
l.
244
Click Request a certificate.

Click advanced certificate request.
Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal
request by using a base-64-encoded PKCS #7 file.
Click within the Saved Request field and then press Ctrl+V to paste the certificate into the field.
Select Web Server in the Certificate Template field and then click Submit.
Select Base 64 encoded.
Click Download certificate.
Click the down arrow next to Save at the bottom of the Internet Explorer window.
Click Save as and then click Desktop.
Type wildcard_training_lab in the File name field.
Click Save.
Close Internet Explorer.
a.
b.
c.
io
ut
Every Certificate Authority has slightly different steps. The lab environment uses Microsoft Enterprise
Certificate Authority Web Enrollment.
25. Click Traffic Management > SSL >Certificates in the left pane of the NetScaler Configuration utility on the first
NetScaler.
26. Click Install.
27. Type a name in the Certificate-Key Pair Name field.
Type wildcard_training_lab.certkey in the Certificate-Key Pair Name field.
28. Click the down arrow to the right of the Browse button for the Certificate File Name field and then select Local.
29. Browse to where the certificate file was saved and then double-click the certificate file.
Click Desktop and then double-click wildcard_training_lab.cer.
30. Click Browse to the right of the Key Filename field and then double-click the name of the key file you created earlier.
Click Browse and then double-click wildcard_training_lab.key.
31. Type the password for the private key in the Password field.
Type Password1 in the Password field.
32. Click Create.
ot
There is no confirmation message. If you prematurely click Create before all of the information has been
entered, you can delete the certificate by selecting the certificate and then clicking Remove in the Traffic
Management > SSL > Certificates window.
fo
33. Click Close.
es
rr
Discussion Question
Which two fields on a certificate are used to verify the chain of trust?
al
Creating a Certificate Signed by a Third-Party Certificate Authority
or
st
di
A third-party certificate signed by a public Certificate Authority should be installed on the NetScaler for the public facing
services to allow remote end users to communicate via SSL. In this procedure, you are creating and installing a public
certificate on the NetScaler.
To Create a Public Certificate for the NetScaler
1.
io
ut
rib
You will be using an internal Certificate Authority instead of a public Certificate Authority in this procedure,
because of lab environment and monetary constraints.

2.
Open a browser, type the IP address of the NetScaler, and then press Enter.
Open Firefox (located on the desktop), type 192.168.10.33, and then press Enter.
3.
Log on to the first NetScaler using the NetScaler credentials.

4.
5.
Click Traffic Management > SSL in the left pane and then click Create RSA Key.
Type a name in the Key Filename field.
Type access_training_lab.key in the Key Filename field.
245
6.
Type an appropriate key size in the Key Size (bits) field.

Type 2048 in the Key Size (bits) field.
7.
Select a key format and a PEM encoding algorithm.

Select PEM for the key format and then select DES3 for the PEM encoding algorithm.
8.
Type a passphrase in the PEM Passphrase and Confirm PEM Passphrase fields and then click OK.
Type Password1 in the PEM Passphrase and Confirm PEM Passphrase fields and then click OK.
9. Click Create CSR (Certificate Signing Request) in the SSL tab.

10. Type a name in the Request File Name field.
Type access_training_lab.csr in the Request File Name field.
11. Click Browse to the right of the Key Filename field and then double-click the key file.
Click Browse to the right of the Key Filename field and then double-click access_training_lab.key.
12. Type the password in the PEM Passphrase field.
Type Password1 in the PEM Passphrase field.
ot
13. Select the country and then type the state or province to use for the certificate.
Select United States in the Country field and then type Florida in the State or Province field.
fo
14. Type a name in the Organization Name field.
rr
Type Training in the Organization Name field.
es
15. Type the FQDN in the Common Name field and then click OK.
al
Type access.training.lab in the Common Name field and then click OK.
16. Click Manage Certificates / Keys / CSRs in the Tools section of the SSL tab.
17. Click Yes to refresh the configuration, if a prompt appears.
18. Select the certificate signing request that you created and then click View at the bottom of the window.
or
st
di
Select the access_training_lab.csr file and then click View.
ut
rib
Selecting the wrong file will result in you receiving an "ASN1 bad tag value met" error during the certificate
request.
io
19. Press Ctrl+A and then press Ctrl+C to copy all of the text to the clipboard.
20. Click Close and then click Close again.
21. Browse to the third-party certificate issuer and follow their steps to generate a certificate.
Every third-party Certificate Authority has slightly different steps. The lab environment does not have a thirdparty Certificate Authority available. In the real world, the NetScaler certificate should use a trusted thirdparty Certificate Authority. In the lab environment, you will receive a warning when an external endpoint
attempts to access a resource through the NetScaler. You will use the Enterprise Certificate Authority Web
Enrollment for the domain to simulate this using the following steps.
a.
b.
246
Select Internet Explorer in the toolbar of StudentManagementConsole-1

Type http://ad/certsrv/ and then press Enter to access the Certificate Authority.
22. Obtain the third-party certificate.

a.
b.
c.
d.
e.
f.
g.
h.
i.
j.
k.
l.
Click Request a certificate.

Click advanced certificate request.
Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal
request by using a base-64-encoded PKCS #7 file.
Click in the Saved Request field and then press Ctrl+V to paste the certificate into the Saved Request field.
Select Web Server in the Certificate Template field and then click Submit.
Select Base 64 encoded.
Click Download certificate.
Click the down arrow next to Save at the bottom of the Internet Explorer window.
Click Save as and then click Desktop.
Type access_training_lab in the File name field.
Click Save.
Close Internet Explorer.
ot
23. Click Certificates under Traffic Management > SSL in the left pane.
24. Click Install.
25. Type a name in the Certificate-Key Pair Name field.
Type access_training_lab.certkey in the Certificate-Key Pair Name field.
fo
rr
26. Select the down arrow next to the Browse button for the Certificate File Name field and then select Local.
27. Browse to where the certificate file was saved and then double-click the certificate file.
es
Click Desktop and then double-click access_training_lab.cer.
al
28. Click Browse to the right of the Key File Name field and then double-click the key file.
Click Browse to the right of the Key File Name field and then double-click access_training_lab.key.
Type Password1 in the Password field.
or
29. Type the password for the private key in the Password field.
st
di
30. Click Create.

There is no confirmation message.
ut
rib
n
io
31. Click Close.

32. Click the diskette in the upper-right area of the window and then click Yes to save the NetScaler configuration.
Load Balancing StoreFront Servers

One of the built-in features of NetScaler is the ability to load-balance backend resources to provide high availability in a
XenApp and XenDesktop environment. In this procedure, you will load balance the StoreFront servers that end users rely on
to access their XenApp and XenDesktop resources. Once load balancing is configured, it is a simple task to add StoreFront
servers to the load-balancing configuration.
247
1.
ot
To Load Balance StoreFront Servers

Log on to a system that ha

Язык

Добро пожаловать в Scribd!

CXD 300 6I en StudentManual

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Описание:

Авторское право:

Доступные форматы

CXD 300 6I en StudentManual

Загружено:

Описание:

Авторское право:

Доступные форматы

Похожие издания

ot

Deploying App and Desktop Solutions with

Citrix Course CXD-300-I

Copyright 2015 Citrix Systems, Inc.

Citrix Course CXD-300-I

Deploying App and Desktop Solutions

Copyright 2015 Citrix Systems, Inc.

Understanding the XenApp and XenDesktop Architecture ........................................................................................... 19

Module 2: Setting Up the Hypervisor ............................................................................................ 43

Configuring an ISO Library ....................................................................................................................................... 54

Module 3: Setting Up the Infrastructure Components ................................................................... 65

Setting Up the Infrastructure Components .................................................................................................................. 67

Copyright 2015 Citrix Systems, Inc.

Creating a Share for Folder Redirection ................................................................................................................... 79

Module 4: Setting Up Citrix Components ..................................................................................... 93

Setting Up Citrix Components ..................................................................................................................................... 95

Copyright 2015 Citrix Systems, Inc.

Joining a Controller to a Site .................................................................................................................................. 112

Module 5: Setting Up XenDesktop Resources ............................................................................ 129

Setting Up XenApp and XenDesktop Resources ....................................................................................................... 131

Copyright 2015 Citrix Systems, Inc.

Module 6: Setting Up Policies ..................................................................................................... 157

Setting Up Policies .................................................................................................................................................... 159

Module 7: Setting Up Provisioning Services ................................................................................ 177

To Create a Service Account for Provisioning Services .......................................................................................... 181

Module 8: Preparing the Environment for Rollout ........................................................................ 211

Copyright 2015 Citrix Systems, Inc.

Verifying Internal Access to Hosted Applications .................................................................................................... 216

Module 9: Setting Up NetScaler ................................................................................................. 231

Setting Up NetScaler ................................................................................................................................................. 233

Copyright 2015 Citrix Systems, Inc.

Propagating Settings to the StoreFront Server Group ............................................................................................ 258

Copyright 2015 Citrix Systems, Inc.

Tyler Fromma, Andres Mungarrieta

Leslie Keelan, Brad Moczik, Patrick Quinlan

Translation Project Manager:

Dustin Clark, Adrianna Cournoyer

Subject Matter Expert:

Jeff Apsley, Justin Apsley, Allen Furmanski, Dave Gunn,

Adobe, Flash, Reader, Acrobat

Adobe Systems Incorporated

Apache Micro Peripherals, Inc.

iPhone, Mac, QuickTime, iPhone, iPad

Branch Repeater, Citrix, Citrix Access Gateway, Citrix

Hewlett-Packard Development Company, L.P.

Active Directory, Internet Explorer, Microsoft, SQL

Novell, Novell Directory Services, NDS

The Open Group

Pearson Education, Inc.

RSA Data Security, Inc.

HP, OpenView, LaserJet

Secure Computing, SafeWord

Secure Computing Corporation

Security Dynamics Technologies, Inc.

Sun Microsystems, Inc.

VMWare, ESX Server

Copyright 2015 Citrix Systems, Inc.

Copyright 2015 Citrix Systems, Inc.

Understanding the XenApp and XenDesktop Architecture