XenApp 6.0 - Student Manual

Basic Administration for Citrix XenApp 6
Citrix Course CXA-204-1I June 2010
Table of Contents
Module 1: Introduction and Course Overview..............................19
Overview.........................................................................................................................................21 Course Outline................................................................................................................................23 Citrix Education...............................................................................................................................27 Course Evaluation and Completion Certificate.................................................................................30
Module 2: Introducing XenApp.......................................................33

Overview.........................................................................................................................................35 XenApp 6 Editions..........................................................................................................................36 XenApp 6 Features.........................................................................................................................37 XenApp Architecture.......................................................................................................................41 XenApp Components..................................................................................................................42 Single and Multiple Farm Environments.......................................................................................43 Data Store...................................................................................................................................43 Data Store Updates and the Local Host Cache...........................................................................44 Independent Management Architecture.......................................................................................44 Data Collectors............................................................................................................................45 Data Collector Election................................................................................................................45 Zones..........................................................................................................................................46 Additional XenApp Components..................................................................................................47 Delivery Services Console...............................................................................................................49 Practice: XenApp Components.......................................................................................................51 Review............................................................................................................................................52
Module 3: Licensing XenApp..........................................................53

Overview.........................................................................................................................................55 XenApp Licensing...........................................................................................................................56 Licensing Communication...........................................................................................................56 License Communication Process................................................................................................57 License Types.............................................................................................................................57 Citrix License Server....................................................................................................................58 Microsoft Remote Desktop Services............................................................................................58 Additional Licensing Considerations............................................................................................59 License Administration Console......................................................................................................61 Port Configuration.......................................................................................................................62 Delegated Administrators in the License Administration Console.................................................63 Installing Licensing..........................................................................................................................65 Manual Installation and Configuration..........................................................................................65 Uninstalling Licensing..................................................................................................................66 License Server Considerations....................................................................................................66 License File Management................................................................................................................68 Obtaining License Files................................................................................................................68 Importing License Files................................................................................................................68 Subscription Advantage..............................................................................................................69
High Availability Considerations.......................................................................................................71 Additional License Server Processes...........................................................................................71 License Server Clustering............................................................................................................72 Review............................................................................................................................................73
Module 4: Installing XenApp...........................................................75

Overview.........................................................................................................................................77 XenApp Server Role Manager.........................................................................................................78 Unattended Installation and Configuration.......................................................................................79 Hardware Requirements.................................................................................................................80 Software Requirements...................................................................................................................81 Installation Decisions.......................................................................................................................83 XenApp Configuration Options........................................................................................................84 Which Farm or Zones Will Be Used in the Environment?..............................................................84 Which License Server Will Be Used for the Server Farm?............................................................84 Which Database Engine Will Be Used for the Data Store Database?...........................................85 Will Shadowing Be Enabled?.......................................................................................................85 On Which Port Will the Citrix XML Service Run?..........................................................................86 When Will Users Be Added to the Local Remote Desktop Users Group?....................................86 Which Pass-through Client Will Be Used in the Environment?......................................................87 Will Pass-through Authentication Be Used in the Environment?...................................................87 Will Information in the Data Store and Configuration Logging Databases Be Protected with IMA Encryption?.88 Web Interface Installation Decisions................................................................................................89 Review............................................................................................................................................90
Module 5: Configuring XenApp Administration............................91

Overview.........................................................................................................................................93 Worker Groups...............................................................................................................................94 Publishing Applications to Worker Groups...................................................................................94 Prioritizing Worker Groups...........................................................................................................95 Filtering Policies to Worker Groups..............................................................................................95 Administrator Privilege Levels..........................................................................................................96 Creating Administrator Accounts.................................................................................................96 Configuring Administrator Permissions .....................................................................................100 Configuring Folder Permissions ................................................................................................101 Delegating Administration..........................................................................................................102 Configuration Logging...................................................................................................................105 Creating the Configuration Logging Database...........................................................................105 Configuration Logging Database Settings..................................................................................106 Enabling Configuration Logging.................................................................................................107 Review..........................................................................................................................................108
Module 6: Installing and Configuring Web Interface..................109

Overview.......................................................................................................................................111 Web Interface Communications....................................................................................................112 Web Interface Communication Process.....................................................................................113 Web Interface Installation..............................................................................................................115 Installing Web Interface.............................................................................................................116 Site Creation.................................................................................................................................117 Creating a Web Interface Site....................................................................................................117
Copyright 2010 Citrix Systems, Inc.
Site Creation Considerations.....................................................................................................118 XenApp Web Site Configuration Options...................................................................................119 XenApp Services Site Configuration..........................................................................................122 Web Interface Site Modification.....................................................................................................124 Modifying the Web Interface Configuration File..........................................................................124 Using the Web Interface Management Console.........................................................................125 Specifying Citrix Plug-in Backup URLs..........................................................................................126 Site Appearance...........................................................................................................................127 Site Customization Options.......................................................................................................128 Practice: Site Customization......................................................................................................129 Session Preferences..................................................................................................................130 Session Options........................................................................................................................131 User Options.............................................................................................................................133 Workspace Control.......................................................................................................................135 Workspace Control Functionality...............................................................................................135 Workspace Control Configuration Options.................................................................................136 Workspace Control User Customization....................................................................................137 Configuring Workspace Control.................................................................................................138 Citrix Plug-ins and Web Interface..................................................................................................140 Plug-in Deployment Options......................................................................................................140 Automatically Detecting Plug-ins...............................................................................................141 Client Detection.........................................................................................................................141 Client for Java...........................................................................................................................145 Authentication Configuration.........................................................................................................147 Authentication Options..............................................................................................................148 Generic RADIUS Support..........................................................................................................149 Explicit Authentication...............................................................................................................149 Pass-through Authentication.....................................................................................................157 Smart Card Authentication........................................................................................................159 Citrix XML Service Trust Relationships.......................................................................................160 Practice: Authentication Configuration.......................................................................................161 Secure Access Configuration........................................................................................................163 Access Methods.......................................................................................................................163 Network Address Translation.....................................................................................................165 Network Address Translation Access Types..............................................................................166 Client-side Proxy Settings.............................................................................................................167 Configuring Client-side Proxy Settings.......................................................................................168 Server Configuration.....................................................................................................................169 Configuring Multiple Server Farms.............................................................................................169 Adding Farms............................................................................................................................170 Configuring Load Balancing.......................................................................................................171 Enabling Fault Tolerance...........................................................................................................172 Specifying the XML Communication Port...................................................................................172 Ticket Expiration Settings..........................................................................................................174 Web Interface Site Removal..........................................................................................................175 Troubleshooting Web Interface Issues...........................................................................................176 Review..........................................................................................................................................177
Module 7: Delivering Applications and Content.........................179

Overview.......................................................................................................................................181
Publishing Resources....................................................................................................................182 Published Resource Types........................................................................................................183 Resource Name and Location...................................................................................................184 Server Assignment....................................................................................................................185 Configured or Anonymous Accounts.........................................................................................185 Users and Groups.....................................................................................................................186 Resource Publishing Settings....................................................................................................186 Practice: Publishing Resources.................................................................................................187 VM Hosted Apps..........................................................................................................................188 Components of VM Hosted Apps..............................................................................................189 Organizing Published Resources for Users....................................................................................191 Advanced Published Resource Settings........................................................................................193 Access Control..........................................................................................................................193 Content Redirection..................................................................................................................194 Implementing Resource Limits and Client Options.....................................................................200 Configuring Resource Appearance............................................................................................202 Published Resource Configuration................................................................................................204 Managing Connections to Resources........................................................................................204 Disabling or Hiding a Published Resource.................................................................................205 Troubleshooting Application Delivery Issues..................................................................................207 Review..........................................................................................................................................208
Module 8: Streaming Applications...............................................211

Overview.......................................................................................................................................213 Application Streaming...................................................................................................................214 Application Streaming Components..........................................................................................216 Application Streaming Communication Process........................................................................218 Streaming App-V Packages......................................................................................................219 Citrix Offline Plug-in.......................................................................................................................220 Citrix Offline Plug-in Cache........................................................................................................221 Citrix Offline Plug-in Installation..................................................................................................221 Citrix Streaming Profiler.................................................................................................................222 Profiling Process.......................................................................................................................222 Installing the Citrix Streaming Profiler.........................................................................................223 Creating a Profile.......................................................................................................................223 Profile Security Setting..............................................................................................................223 Targets......................................................................................................................................224 Inter-Isolation Communication...................................................................................................229 Profile Preference Settings........................................................................................................232 Profile System Requirements.....................................................................................................232 Profile Installation Types............................................................................................................233 Profile Properties.......................................................................................................................233 Known Limits for Profiling Applications......................................................................................238 Target Properties.......................................................................................................................239 Upgrading an Application in a Target.........................................................................................243 Application Delivery Methods........................................................................................................245 The Benefits of Streaming with Dazzle.......................................................................................246 The Web Delivery Method.............................................................................................................247 Streaming to Servers....................................................................................................................248 Publishing a Streamed Application................................................................................................249
Specifying an Alternate Profile for a Published Application.........................................................250 Enabling the Least-Privileged User Account..............................................................................251 Configuring Sites for Streaming Applications.................................................................................253 Support for Both Remote and Streaming Applications...............................................................254 Offline Access Management..........................................................................................................255 Indirect Membership to the Offline Access List..........................................................................255 Providing Offline Access............................................................................................................256 Offline Access Period................................................................................................................257 Renewing Offline Access Period................................................................................................257 Application Caching..................................................................................................................258 Pre-Deployment of Streaming Applications ...............................................................................259 Troubleshooting Streaming Issues................................................................................................260 Review..........................................................................................................................................261
Module 9: Configuring Policies....................................................263

Overview.......................................................................................................................................265 Group Policy Integration................................................................................................................266 IMA-based Group Policies.........................................................................................................267 Group Policy Extensions............................................................................................................268 Group Policy Architecture..........................................................................................................269 Policy Evaluation...........................................................................................................................271 Policy Application Process........................................................................................................271 Policy Processing and Precedence............................................................................................272 Policy Rules..................................................................................................................................276 Policy Filtering...............................................................................................................................301 Policy Modeling and Troubleshooting............................................................................................303 Review..........................................................................................................................................304
Module 10: Configuring Load Management...............................305

Overview.......................................................................................................................................307 Load Manager..............................................................................................................................308 Load Balancing.............................................................................................................................309 Load Balancing Process............................................................................................................310 Load Calculation...........................................................................................................................312 Load Calculations......................................................................................................................312 Load Evaluator Configuration........................................................................................................318 Creating Custom Load Evaluators.............................................................................................320 Thresholds for Load Management.............................................................................................321 Assigning Load Evaluators to Servers and Applications.............................................................322 Practice: Load Evaluators..........................................................................................................323 Load Balancing Policies................................................................................................................324 Creating Load Balancing Policies..............................................................................................325 Force Application Streaming......................................................................................................327 Preferential Load Balancing...........................................................................................................329 Preferential Load Balancing Considerations...............................................................................330 Troubleshooting Load Management Issues...................................................................................332 Review..........................................................................................................................................333
Module 11: Optimizing the User Experience...............................335

Overview.......................................................................................................................................337
Optimizing Session Performance..................................................................................................338 Enabling Display Settings..........................................................................................................339 HDX Broadcast Session Reliability................................................................................................341 Enabling HDX Broadcast Session Reliability...............................................................................341 Understanding HDX Broadcast Session Reliability Considerations.............................................342 HDX RealTime...............................................................................................................................343 Enabling HDX RealTime.............................................................................................................344 Understanding HDX RealTime Design Considerations...............................................................345 HDX Plug-n-Play...........................................................................................................................346 Enabling HDX Plug-n-Play.........................................................................................................347 Understanding HDX Plug-n-Play Design Considerations............................................................348 HDX MediaStream Multimedia Acceleration..................................................................................349 HDX MediaStream Multimedia Acceleration Benefits.................................................................349 Enabling HDX MediaStream Multimedia Acceleration ...............................................................350 HDX MediaStream for Flash..........................................................................................................352 Enabling HDX MediaStream for Flash........................................................................................352 SpeedScreen Latency Reduction..................................................................................................355 Enabling SpeedScreen Latency Reduction................................................................................355 HDX 3D Image Acceleration..........................................................................................................357 Enabling HDX 3D Image Acceleration........................................................................................357 HDX 3D Progressive Display.........................................................................................................359 Enabling HDX 3D Progressive Display.......................................................................................360 Practice: Determining the Session Optimization Technology.........................................................362 User Profiles.................................................................................................................................363 Differentiating User Profile Types...............................................................................................363 Redirecting User Data...............................................................................................................364 Managing User Profiles..............................................................................................................364 Enabling Profile Management....................................................................................................365 Understanding the Profile Management Logon Process............................................................366 Troubleshooting User Experience Issues.......................................................................................368 Review..........................................................................................................................................369
Module 12: Configuring Self-Service Applications.....................371

Overview.......................................................................................................................................373 Citrix Receiver...............................................................................................................................375 Citrix Receiver for Windows.......................................................................................................375 Citrix Receiver for Macintosh.....................................................................................................376 Citrix Merchandising Server...........................................................................................................377 Citrix Merchandising Server Architecture...................................................................................378 Citrix Dazzle..................................................................................................................................379 Citrix Dazzle Communication Process.......................................................................................380 Plug-ins........................................................................................................................................382 Plug-in Delivery..........................................................................................................................383 Citrix Online Plug-in for Windows...............................................................................................385 Citrix Online Plug-in for Mac......................................................................................................387 Client for Java...........................................................................................................................388 Citrix Receiver for Linux.............................................................................................................389 Troubleshooting Self-Service Application Issues............................................................................391 Review..........................................................................................................................................392
Module 13: Configuring Printing..................................................393

Overview.......................................................................................................................................395 Printing Concepts.........................................................................................................................396 Printing Definitions.....................................................................................................................396 Printer Types.............................................................................................................................397 Printing Security........................................................................................................................398 Default Printing Behavior...............................................................................................................400 Altering the Default Printing Behavior.........................................................................................400 Printer Provisioning.......................................................................................................................402 User Self-Provisioning...............................................................................................................403 Printer Auto-Creation.................................................................................................................404 Printing Pathways.........................................................................................................................408 Network Printing Pathway.........................................................................................................408 Client Printing Pathway..............................................................................................................412 Printing Pathway Demonstration................................................................................................415 Printer Drivers...............................................................................................................................416 Printer Driver Types...................................................................................................................416 Practice: Printer Drivers.............................................................................................................421 Citrix Universal Printing.................................................................................................................422 Enhanced MetaFile Format........................................................................................................423 Print Preview.............................................................................................................................424 Citrix Universal Printer...............................................................................................................425 Configuring Citrix Universal Printing...........................................................................................426 Administrator-Assigned Network Printers......................................................................................429 Adding a Network Printer..........................................................................................................429 Editing Network Printer Settings ...............................................................................................430 Specifying the Default Printer.....................................................................................................431 Workspace Control and Proximity Printing....................................................................................432 Configuring Proximity Printing....................................................................................................434 Printing Preferences......................................................................................................................435 Printing Properties.....................................................................................................................435 Printing Preference Hierarchy....................................................................................................436 Configuring Printer Property Retention.......................................................................................437 Printing Bandwidth........................................................................................................................439 Practice: Printing Definitions..........................................................................................................441 Troubleshooting Printing Issues....................................................................................................442 Review..........................................................................................................................................444
Module 14: Securing XenApp.......................................................445

Overview.......................................................................................................................................447 XenApp Security Solutions............................................................................................................448 SecureICA....................................................................................................................................450 Citrix SSL Relay............................................................................................................................451 SSL Relay Communication........................................................................................................452 Configuring SSL Relay...............................................................................................................453 Access Gateway...........................................................................................................................454 Access Gateway Deployment Scenarios...................................................................................454 Access Gateway Communications............................................................................................456 Digital Certificates......................................................................................................................457
Securing Access to Hosted Applications...................................................................................459 SmartAccess.............................................................................................................................460 Practice: Security Solutions...........................................................................................................462 Web Interface Configuration..........................................................................................................463 Access Methods.......................................................................................................................463 Access Gateway Settings..........................................................................................................464 Configuring Web Interface for Access Gateway Connections....................................................465 Security Configuration Best Practices...........................................................................................467 Troubleshooting Access Gateway with XenApp............................................................................468 Review..........................................................................................................................................471
Module 15: Monitoring..................................................................473

Overview.......................................................................................................................................475 Health Monitoring and Recovery...................................................................................................476 EdgeSight Monitoring....................................................................................................................479 EdgeSight Components............................................................................................................479 EdgeSight Communication........................................................................................................482 License Usage Monitoring.............................................................................................................487 Configuring License Alerts.........................................................................................................488 Viewing License Usage..............................................................................................................488 Viewing Historical License Data.................................................................................................488 Workflow Studio Overview............................................................................................................489 Workflow Studio Architecture....................................................................................................490 Workflow Automation Use Cases..............................................................................................491 Accessing the Server Farm using PowerShell................................................................................493 Administering the Server Farm using Commands..........................................................................495 Review..........................................................................................................................................497
Module 16: Additional Components............................................499

Overview.......................................................................................................................................501 SmartAuditor................................................................................................................................502 SmartAuditor Components........................................................................................................503 Session Recording Process.......................................................................................................504 Single Sign-on..............................................................................................................................505 Single Sign-on Components......................................................................................................505 Single Sign-on Process.............................................................................................................506 EasyCall Voice Services................................................................................................................507 EasyCall Components...............................................................................................................507 EasyCall Process.......................................................................................................................507 Branch Optimization.....................................................................................................................509 Branch Repeater Components..................................................................................................509 Branch Optimization Process for the Plug-in..............................................................................510 Provisioning Services....................................................................................................................512 Provisioning Services Components...........................................................................................513 Power and Capacity Management................................................................................................515 Power Management..................................................................................................................516 Load Consolidation...................................................................................................................516 Power and Capacity Management Components.......................................................................517 Power Setpoints........................................................................................................................517 XenServer.....................................................................................................................................519
10
XenServer Components............................................................................................................519 Review..........................................................................................................................................520
Appendix A: Review Questions and Answers.............................521

Module 2 Introducing XenApp: Review Answers...........................................................................523 Module 3 Licensing XenApp: Review Answers..............................................................................524 Module 4 Installing XenApp: Review Answers...............................................................................525 Module 5 Configuring XenApp Administration: Review Answers....................................................526 Module 6 Installing and Configuring Web Interface: Review Answers............................................527 Module 7 Delivering Applications and Content: Review Answers...................................................529 Module 8 Streaming Applications: Review Answers......................................................................531 Module 9 Configuring Policies: Review Answers...........................................................................533 Module 10 Configuring Load Management: Review Answers........................................................535 Module 11 Optimizing the User Experience: Review Answers.......................................................537 Module 12 Configuring Self-Service Applications: Review Answers...............................................539 Module 13 Configuring Printing: Review Answers..........................................................................540 Module 14 Securing XenApp: Review Answers.............................................................................542 Module 15 Monitoring: Review Answers........................................................................................543 Module 16 Additional Components: Review Answers....................................................................544
Appendix B: Practice Questions and Answers...........................545

Module 2 Introducing XenApp: Practice Answers..........................................................................547 Module 5 Administrative Configuration: Practice Answers.............................................................548 Module 6 Installing Web Interface: Practice Answers.....................................................................550 Module 7 Delivering Applications and Content: Practice Answers.................................................552 Module 10 Configuring Load Management: Practice Answers......................................................554 Module 11 Optimizing the User Experience: Practice Answers......................................................555 Module 13 Configuring Printing: Practice Answers........................................................................556 Module 14 Securing XenApp: Practice Answers............................................................................557
Glossary.........................................................................................559
11
Notices
Citrix Systems, Inc. (Citrix) makes no representations or warranties with respect to the content or use of this publication. Citrix specifically disclaims any expressed or implied warranties, merchantability or fitness for any particular purpose. Citrix reserves the right to make any changes in specifications and other information contained in this publication without prior notice and without obligation to notify any person or entity of such revisions or changes.
Copyright 2010 Citrix Systems, Inc. All Rights Reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or information storage and retrieval systems, for any purpose other than the purchasers personal use, without express written permission of: Citrix Systems, Inc. 851 West Cypress Creek Road Fort Lauderdale, FL 33309 USA http://www.citrix.com The following marks are service marks, trademarks or registered trademarks of their respective owners in the United States and other countries. Mark Flash, Flex, Reader Apple, iPhone, Mac Avaya Bloomberg Cisco Owner Adobe Systems Incorporated Apple, Inc. Avaya, Inc. Bloomberg Finance L.P. Cisco Systems, Inc.
Branch Repeater, Citrix, Citrix Access Gateway, Citrix Citrix Systems, Inc. Application Firewall, Citrix Authorized Learning Center, Citrix Certified Administrator, Citrix Certified Enterprise Administrator, Citrix Certified Integration Architect, Citrix EasyCall, Citrix Education, Citrix Receiver, Dazzle, EdgeSight, FlexCast, HDX, ICA, NetScaler, MyCitrix, WANScaler, XenApp, XenDesktop Android Linux Google Linus Torvalds
Mark
Owner
Active Directory, Internet Explorer, Microsoft, Microsoft Microsoft Corporation Internet Explorer, SQL Server, Windows, Windows Mobile, Windows Server, Win32, Access, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio Firefox UNIX Oracle Pearson VUE Blackberry Skype Java Mozilla Corporation The Open Group Oracle Corporation Pearson Education, Inc. Research In Motion Limited Skype Limited Sun Microsystems, Inc.
Other product and company names mentioned herein might be the service marks, trademarks or registered trademarks of their respective owners in the United States and other countries.
Course Conventions
This courseware uses the following typographic conventions to emphasize information. Convention UPPERCASE Usage Commands such as DIR and COPY Filename extensions such as .COM and .INI Drive letters such as A: and C: Case-sensitive items are the only exception to the usage listed. lowercase Command line parameters such as /w and -r URL addresses such as http://finance.yahoo.com Internet addresses such as www.citrix.com Domain names such as education.ctx Email addresses such as training@citrix.com
Case-sensitive items are the only exception to the usage listed. Bold Initial Capitalization Words or terms that are defined Interface items that are selected, deselected, clicked, double-clicked or right-clicked such as options and menu items in lab exercises Case-sensitive items are the only exception to the usage listed. ITALIC UPPERCASE A variable in a system name such as XenAppX and ClientX A variable in a user name such as UserX and AdminX Variable drive letters such as z: and x: Variable directory names such as %systemroot% and dir_name Case-sensitive items are the only exception to the usage listed.
italic lowercase
This courseware uses the following icons. The Note icon identifies additional relevant information.
The Important icon identifies prerequisite information for a given task.
The Tip icon identifies information that can save time and effort.
The Warning icon identifies information that must be heeded in order to prevent harm to systems or users. The following table provides a list of updated Citrix product and component names used throughout the course. New Name Delivery Services Console License Administration Console Citrix online plug-in Citrix offline plug-in Old Name Access Management Console License Management Console Citrix XenApp Plugin for Hosted Apps Citrix XenApp Plugin for Streamed Apps
Credits
Instructional Designers: Lab Developer: Jeremy Boehl, Ben Colborn, Lydia Kellman, George Komoto, Brad Moczik, Meghan Myers, Adam Pallesen, Karla Stagray Andrew Garfield
Education Media Specialists: Joshua Jack, Nathan Jackson Education Project Manager: Leah Thompson Editor: Subject Matter Experts: Kathryn Morris Neil Alhadeff, Jenny Berger, Rob Blincoe, Ronald Brown, Blaise Cacciola, Victor Cataluna, Dave Coleman, Michael Delaguardia, Dan Feller, Jo Harder, Ann Harmison, James Hsu, Mark Ma, Abhishek Mandhana, Mike Melton, Robert Morris, Sridhar Mullapudi, Joseph Nord, Jan Penovich, Elisabeth Reynolds, Daniel Romig, Andrea Rutherford, Stacy Scott, Mark Simmons, Lenny Soletti, Wayne Stillson, Jay Tomlin, Danny Van Dam, Sharin Yeoh, Andy Zhu Rob Blincoe, James Hsu, Mark Simmons
Special Thanks:
Module 1
Introduction and Course Overview
20
Module 1: Introduction and Course Overview
Overview
This module provides you with an opportunity to become familiar with the facilities, course materials, Citrix offerings and to meet your fellow students.
Facilities
Use the following space to document details about the facilities, classroom policies and contact information: Parking
Restroom and phone locations
Class policies
Break and lunch schedules
Emergency information
Course Materials
The following materials are included with your student kit: Name card. Write your name on both sides of the name card so students in front and behind you will know who you are.
21
Student workbook and lab guide. Use the student workbook and lab guide to follow along with the instructor, to document notes and to perform the lab exercises during the class. After the class, take the courseware with you. Reference materials. Do not remove reference materials, such as product documentation from the classroom. These materials are for classroom use only. Online Student Resources. Access these resources after the class. The courseware includes an eLearning voucher code for accessing the Online Student Resources, which contain materials such as answers to review and practice questions and the slide deck from the manual. For information on accessing the Online Student Resources, see the letter at the back of this book.
Course Prerequisites
To complete this course successfully, you must have the following knowledge: Working knowledge of Microsoft Windows Server 2008 with Terminal Services or Microsoft Windows Server 2008 R2 with Remote Desktop Services Basic knowledge of installing applications Basic network security principles
Student Introductions
When asked by the instructor, introduce yourself to the class. Include the following information in your introduction: Name and company Job title and responsibility Networking experience Citrix experience Class expectations
22
Course Outline
Day One
The following table provides an overview of the agenda for the first day of class. Module Description
Module 1: Introduction Provides essential introductory information regarding course and Course Overview materials, prerequisite experience, course content, courseware exercises, Citrix information and the course evaluation and completion certificate Module 2: Introducing XenApp Provides an introduction to Citrix XenApp By the end of this module, you will be able to identify the components included in Citrix XenApp 6, its architecture and communications, features and management consoles. Provides information and requirements about licensing Citrix XenApp By the end of this module, you will be able to configure Citrix licensing for XenApp 6 in a Windows Server 2008 R2 environment. Module 4: Installing XenApp Provides information about the Citrix XenApp hardware and software requirements and the decisions an administrator must make when installing XenApp By the end of this module, you will be able to install XenApp in a Windows Server 2008 R2 environment. Module 5: Configuring Provides information about configuring administrator accounts XenApp Administration for the management of a XenApp 6 environment By the end of this module, you will be able to add administrators to a server farm, delegate administration through folders and permissions and enable and test configuration logging. This module concludes on Day Two.
Module 3: Licensing XenApp
23
Day Two
The following table provides an overview of the agenda for the second day of class. Module Description
Module 6: Installing and Provides information about the Web Interface architecture and Configuring Web communications, site creation and customization Interface By the end of this module, you will be able to create Web Interface sites, customize the site appearance, workspace control settings, authentication methods, and server settings and remove a Web Interface site. Module 7: Delivering Applications and Content Provides information about publishing, customizing and managing resources in a server farm By the end of this module, you will be able to publish applications, content and server desktops, configure content redirection and manage sessions. Provides information about streaming applications, including creating profiles, target requirements, as well as publishing, updating and troubleshooting streamed applications By the end of this module, you will be able to install the Streaming Profiler and create a streaming profile for single and multiple target operating systems, link profiles for inter-isolation communication and publish an App-V application. This module concludes on Day Three.
Module 8: Streaming Applications
Day Three
The following table provides an overview of the agenda for the third day of class. Module Description
Module 9: Configuring Provides information on the functionality of policies, how and when Policies to configure policies and the results of implementing policies in a XenApp 6 environment
24
Module
Description By the end of this module, you will be able identify the policy rules, configure policies, apply policies using filters, prioritize policies and create a shadow policy.
Module 10: Configuring Load Management
Provides information on the administrative processes for managing server load in a XenApp 6.0 environment By the end of this module, you will be able to create and assign load evaluators, assign CPU resource preference to servers and users and configure session connection failover by using load balancing policies.
Day Four
The following table provides an overview of the agenda for the fourth day of class. Module Module 11: Optimizing the User Experience Description Provides information on optimizations that XenApp administrators can perform to optimize the user experience in a XenApp 6.0 environment By the end of this module, you will be able to configure various components that optimize the user experience, including display and HDX technology settings. Module 12: Configuring Provides information about the various plug-ins and the methods Self-Service Applications used to install and configure them, including enabling self-service application delivery By the end of this module, you will be able to install the Citrix Receiver and Citrix plug-ins on a client device, and configure self-service application delivery. Module 13: Configuring Provides information on configuring printers for use in XenApp Printing sessions By the end of this module, you will be able to install and manage printer drivers, configure printing policies and assign network printers to users.
25
Day Five
The following table provides an overview of the agenda for the fifth day of class. Module Module 14: Securing XenApp Description Provides information on configuring a security solution for XenApp 6, including avoiding or resolving common security configuration missteps By the end of this module, you will be able to secure XenApp using SSL Relay and Citrix Access Gateway, and identify the components of a comprehensive XenApp security solution. Module 15: Monitoring XenApp Provides information on monitoring XenApp license usage over time By the end of this module, you will be able to track the usage of XenApp licenses. Module 16: Additional Provides information on additional Citrix components that can be Components implemented as part of XenApp Platinum Edition and other Citrix products that can be used in conjunction with XenApp By the end of this module, you will be able to identify the key features of SmartAuditor, Single sign-on, EasyCall, Branch Optimization, Provisioning Services, Power and Capacity Management and XenServer.
26
Citrix Education
Citrix Training Benefits
Available as instructor-led training, 24/7 self-paced online training or a combination of both, Citrix training courses provide you with the knowledge you need to exceed your business goals. Benefits to organizations include: Maximum Return on Investment (ROI) for Citrix products through proper implementation and support Improved reliability and efficiency of Citrix environments while decreasing downtime Increased expertise of in-house staff, reducing implementation and support costs as more problems can be resolved faster by internal staff Greater employee job satisfaction, leading to higher levels of customer satisfaction Benefits to IT professionals include: Tools and knowledge that can be directly applied on the job to optimize and maintain Citrix environments Enhanced credibility by keeping skills and knowledge current with advances in technology Improved work performance, which increases employee value Citrix training is essential for your organization to ensure successful product implementation and maintenance. Visit www.citrixeducation.com and navigate to the Training section to explore the current Citrix training offerings.
Citrix Certification Benefits

Ranked among the hottest certifications in the industry, Citrix Certified Administrator (CCA) certifications and advanced certifications, including the Citrix Certified Advanced Administrator (CCAA), Citrix Certified Enterprise Engineer (CCEE) and Citrix Certified Integration Architect (CCIA), address the entire Citrix Project Lifecycle and train individuals to deliver the most efficient solutions in the Citrix Delivery Center. Benefits to organizations include: Peace of mind and assurance that certified staff have mastered the skills necessary to do their jobs Valuable credentials to offer as incentives to top performers which are sought after in prospective employees
27
Competitive business advantage with staff that is trained and certified on a regular basis Benefits to IT professionals include: Demonstrated competency in Citrix products to employers and clients The most current skills and knowledge necessary to do your job Enhanced marketability and competitive edge by possessing a recognized and respected IT credential Investing in Citrix certification will help organizations and IT professionals realize their business goals. Get started now by visiting the Certification section of the www.citrixeducation.com web site.
Key Resources
To obtain detailed and up-to-date information on Citrix instructor-led training (ILT), self-paced online training, exams and certifications, visit the www.citrixeducation.com web site. Resource Description
Instructor-led Training To view course descriptions, or to search schedules and register for (ILT) courses additional ILT courses in your area, including customized training, visit the Training section of the www.citrixeducation.com web site. You may also contact your Citrix Authorized Learning Center (CALC) representative. Self-paced Online Training Courses Exams To search, view course descriptions and register for self-paced online training courses, visit the Training section of the www.citrixeducation.com web site. To download Exam enablement guides, visit the Exam section of the www.citrixeducation.com web site. To register for Citrix exams administered by Pearson VUE, contact the provider directly: Pearson VUE Web: www.pearsonvue.com Telephone: 1-800-931-4084 (Americas) For a list of phone numbers by region, visit the http://vue.com/citrix/contact web site. Certification Manager To track your certification progress and publish your Citrix credentials, visit the www.citrixcertmanager.com web site. The following table lists additional resources.
28
Resource Citrix eDocs
Description To access product documentation, visit the support.citrix.com/proddocs/index.jsp web site. provides access to product documentation along with links to the Citrix Knowledge Center, Citrix communities, blogs and forums. To access Citrix blogs, labs, partner communities, the Citrix Developer Network, Support Forums and more, visit the community.citrix.com web site. To view a wide variety of videos that address Citrix products and technology, visit the www.citrix.com/tv web site.
Citrix Community
Citrix TV
29
Course Evaluation and Completion Certificate

Course Evaluation Survey
Course evaluation is integral to developing an Education program that provides an effective learning environment and the skills necessary to improve job performance and enhance the return on investment of Citrix products. Your instructor will carefully guide you through the course evaluation process and ask that you submit an electronic survey at the conclusion of the course. This valuable feedback will assist Citrix Education in expanding our robust curriculum of instructor-led training, self-paced online training courses and challenging certification tracks.
Course Completion Certificate

A course completion certificate is available to those students who complete the course evaluation survey. Carefully review the following steps to ensure that you successfully obtain your course completion certificate. 1. Midway through the final day of class, your instructor will direct you to complete an electronic course evaluation survey. Your candid and objective feedback is essential to the advancement of Citrix Education and allows us to ensure that the training you receive is impactful to your job function. 2. During this time, your instructor will provide you with the URL for the web-based survey. Simply go to the link and complete the requested information. The evaluation will take no more than five minutes to complete. For classrooms where Internet access is not available, you may access the survey after training by visiting the following link: www.metricsthatmatter.com/citrixeval. Please have your course number available in order to launch the survey. 3. Upon submission of your course evaluation, the system will automatically generate an electronic version of your course completion certificate. Enter your name and select the option to print, email or save to HTML prior to closing the page. You may select more than one of the options provided to receive your course completion certificate. When printing the certificate, choose "Landscape" in order to format the page
30
properly. If you elect to email the course completion certificate, click the Back button from the email page to return to the certificate and select an alternative method. If your classroom is not equipped with a printer, we strongly recommend that you email or save to HTML. You will not be able to re-access your course completion certificate after you close the page.
31
32
Module 2
Introducing XenApp
34
Module 2: Introducing XenApp
Overview
Citrix XenApp 6 for Windows Server 2008 R2 is an on-demand application delivery solution that enables any application to be virtualized, centralized and managed in the datacenter and instantly delivered as a service to users anywhere on any device. XenApp reduces the cost of application management by up to 50 percent, increases IT responsiveness when delivering an application to distributed users and improves application and data security. XenApp also enables IT to centrally manage a single instance of each application and virtualize them for delivery to users for online and offline use, while providing a high definition experience. At the end of this module, you will be able to: Identify the features of XenApp. Identify the basic architecture of XenApp and the server farm components. Identify the functionality provided by the Delivery Services Console.
35
XenApp 6 Editions
Citrix XenApp 6 is available in three editions: Advanced Edition Provides the fundamental functionality for delivering applications to client devices in very basic environments Contains all of the features of Advanced Edition and adds capabilities that help manage more complex user and application environments Contains all of the features of Enterprise Edition and adds capabilities that enhance security and performance management Platinum Edition provides a comprehensive, end-to-end application delivery system for instantly providing any application to any user, on any device, over any network.
Enterprise Edition
Platinum Edition
36
XenApp 6 Features
XenApp 6 contains a robust set of features that provides administrators and users with the best functionality possible for an end-to-end application delivery solution. For a comprehensive list of all features, see the www.citrix.com web site. Features are covered in more depth throughout the course. The features in the following table are available in all editions of XenApp. Feature Citrix Receiver Description Provides a single client interface that automatically installs on and configures client devices to access applications and resources meant specifically for authenticated users For more information on Receiver, see the "Configuring Self-Service Applications" module of this course. Citrix Dazzle Allows users to define a list of favorite or frequently used applications for fast access IT can configure featured applications for easy access to mission-critical programs. Users can also subscribe to the application required for work using a simple drag and drop interface. For more information on Dazzle, see the "Configuring Self-Service Applications" module of this course. Citrix Streaming Streams and runs multiple online and offline applications and integrated Windows services on Windows desktops in an isolated environment without system conflicts For more information on Citrix Streaming, see the "Streaming Applications" module of this course. Support for Microsoft App-V Active Directory Group Policy Integration Delivers applications to Windows devices for offline access with Microsoft App-V application virtualization technology Enables IT to configure application availability and delivery using familiar Active Directory Group Policies and Local Group Policies This enables fine-level control of applications and allows for easy control of thousands of applications delivered to thousands of users on thousands of servers.
37
Feature
Description For more information, see the "Configuring Policies" module of this course.
Web Interface
Provides a browser-based interface for accessing applications and offers built-in support for two-factor authentication, simple customization through the management console and multilingual support Integration with most third-party portals is seamless. For more information on Web Interface, see the "Installing and Configuring Web Interface" module of this course.
Citrix HDX Technology
Delivers a high performance, high definition user experience through virtualized applications- even those that are graphic-rich and contain multimedia content Users have a seamless experience with zero downtime and higher overall productivity. For more information on specific HDX features, see the www.citrix.com web site and the "Optimizing the User Experience" module of this course.
EasyCall Voice Services Workflow Studio Orchestration
Uses the corporate telephony system instead of personal phone to initiate calls from anywhere, and includes call redirection, conference calling, and helpdesk support features Uses visual scripting to help automate common IT tasks and orchestrate the collaborative function of Citrix XenApp, XenDesktop, XenServer and NetScaler For more information on Workflow Studio scripts, see the support.citrix.com web site.
The features in the following table are only available in the Enterprise and Platinum Editions of XenApp. Feature VM hosted applications Description Allows applications to run on a centralized Windows XP, Vista and Windows 7 virtual or physical system (32 or 64-bit) in the datacenter Session virtualization technology remotely displays the applications to users' desktops and devices, while screen updates, keystrokes and mouse clicks traverse the network. Installation Manager Enables IT to automatically and remotely install applications across multiple servers simultaneously
38
Feature Profile Management
Description Auto-detects and stores modified profile settings, prevents unintentional overwriting, and loads user profile settings on-demand Administrators can specify rules for downloading and caching large profile components to reduce logon time and accelerate application access. For additional profile management information, see the www.citrix.com web site and the "Optimizing the User Experience" module in this course.
Power and Capacity Management
Allows for creation of system policies that manage server power consumption and optimize server capacity Automatically brings capacity online to maintain expected user performance and access and retires capacity when it is no longer needed.
Health Monitoring and Recovery
Performs continuous server health checks and automatically initiates recovery procedures, minimizing the need for administrator intervention
The features in the following table are only available in the Platinum Edition of XenApp. Feature Provisioning Services Description Allows administrators to virtualize the entire XenApp farm of application hosting servers, both physical and virtual, from a single, standardized server image For more information on Provisioning Services, see the "Additional Components" module of this course. SmartAccess with Citrix Provides granular access control policies and integrated endpoint Access Gateway analysis for users accessing applications using an SSL VPN Administrators have a single point of access control for all applications and resources, not just XenApp traffic. HDX Broadcast Branch Powered by Citrix Branch Repeater, automatically adapts and tunes Optimization WAN communications, TCP flow and data compression for optimal performance. For more information on Citrix Branch Repeater and HDX Broadcast Branch Optimization, see the www.citrix.com web site. Service Monitoring with Enables IT to quickly pinpoint and troubleshoot server, network Citrix EdgeSight and application performance issues that impact the user experience
39
Feature Preferential Load Balancing Single sign-on and Password Management
Description Enables administrators to prioritize a user, group and application based on pre-established requirements. Ensures sessions are properly balanced to provide an enhanced user experience Secures application logons and enhances the security of all password-protected Windows, web and terminal emulator applications Additional functionality exists for managing password policies, auto-application password change and self-service reset.
SmartAuditor
Provides powerful application session recording for improving regulatory compliance, risk mitigation and accelerated problem resolution
40
XenApp Architecture
A XenApp server farm is a logical group of servers that can be managed as a single entity. Applications can be made available by installing or streaming them to a server or client device. The primary architectural components of a XenApp server farm are: XenApp servers Data collector Data store database License server Web Interface servers Worker groups Zones
41
XenApp Components
XenApp 6 is composed of several components. The primary architectural components include the following: XenApp servers XenApp servers deliver online and offline (hosted and streamed) applications on demand. Data collectors keep track of dynamic data in a zone, such as session and server load information. In farms with more than one zone, data collectors also act as communication gateways between the zones. The data store database is a repository of persistent XenApp server farm information, including configuration data for the farm, published applications, servers, administrators and printers. The license server checks out licenses to XenApp, which places the request on behalf of connecting users. The License Administration Console is a browser-based utility that allows administrators to manage licenses. Web Interface provides users access to resources published in one or more server farms through a web browser or the Citrix online plug-in. An administrator can configure the Web Interface to download plug-in software to client devices and perform user authentication checks using RSA SecurID, RADIUS or Secure Computing SafeWord. Worker groups, which consist of servers or domain OUs, allow multiple servers to be grouped together to ease administration. They provide the ability to manage published applications and policies on multiple servers at the same time. XenApp servers added to a worker group automatically inherit the group settings. Zones can enhance performance in farms distributed across WANs by grouping geographically related servers together. Zones collect data from member servers in a hierarchical structure and efficiently distribute changes to all servers in the farm. Each zone contains a server designated as the data collector.
Data collector
Data store database
License server
Web Interface servers
Worker groups
Zones
42
Single and Multiple Farm Environments

When installing XenApp, an administrator has the option to create a new farm or join an existing farm. The following list details the characteristics of each environment. Single Farm All XenApp servers use the same data store. Servers can be grouped into a single zone or multiple zones. Applications can be load-balanced across servers in the farm.
Multiple Farms
Each farm has its own data store. Applications can be load balanced across all servers in a farm but cannot be load balanced across multiple farms
The business decisions for an organization can help an administrator determine which farm configuration is needed.
Data Store
All XenApp servers in a farm use a single, centralized database called the data store to maintain persistent farm data. This database enables the entire farm and individual server settings to be centrally managed. The data store may be a Microsoft SQL Server Express database on a XenApp server or an enterprise-level database on a separate server running Microsoft SQL Server or Oracle. The data store contains static information for the farm such as: Farm configuration information Published application configurations Server configurations Farm management security Printer configurations License server name and port For more information on installing, maintaining, recovering and migrating a data store, see "Data Store Database Reference" on the http://support.citrix.com web site.
43
Data Store Updates and the Local Host Cache

A subset of the data contained in the data store is stored in the local host cache on each XenApp server. The local host cache contains information about: All servers in the farm and their basic information All applications published within the farm and their properties All Windows network domain trust relationships within the farm This information allows the XenApp server to continue to enumerate applications and resolve requests for published resources if the server loses contact with the XenApp data store database. The Independent Management Architecture (IMA) service polls the data store database every 30 minutes or whenever a configuration change is made to the farm. If a change has been detected, the IMA service sends only the changed information to the XenApp servers to update their local host cache.
Independent Management Architecture

The Independent Management Architecture (IMA) provides the framework for all server-to-server communication that occurs in a XenApp farm. The IMA service is a Windows service and the key communication component of a farm. IMA includes a collection of functional subsystems made up of dynamic link library (.DLL) files. The IMA service: Provides a centralized framework used by administrative tools for XenApp Delivers subsystems that collectively provide functionality to current and future Citrix products Runs on all servers with XenApp installed and is enabled by default during installation Communicates through messages sent over TCP port 2512, by default, for server-to-server communication
44
Data Collectors
XenApp servers must be load balanced to ensure a quality user experience. Load balancing determines which servers are least busy and can best run an application. A single XenApp server in each zone, called the data collector, maintains dynamic farm information and communicates this information to data collectors in other zones. The Independent Management Architecture (IMA) provides the framework for all server-to-server communication that occurs in a XenApp farm, including session information. The data collector is responsible for load balancing decisions based on the following criteria: Server load data User session status In a large XenApp farm environment, it is recommended to restrict the data collector from delivering applications, thereby dedicating its function. A dedicated data collector speeds up load balancing decisions and improves session logon time.
Data Collector Election

The data collector maintains dynamic data for servers in the zone. Therefore, each server must be able to contact the data collector for the zone. If the data collector is unavailable, an election occurs and another server in the zone takes over the role of the data collector. The data collector election process automatically initiates in the event that the existing data collector is unavailable or new servers were added to the farm. By default, XenApp uses the following criteria to determine which server wins the election and becomes the data collector:
45
1. Highest XenApp version (also referred to as Host Record Version) - Servers with the most recent software, XenApp 6, will have a Host Record of 1, which is the highest. 2. XenApp server ranking - XenApp servers can be configured with the following rankings using the Set Election Preference menu in the Delivery Services Console: Most Preferred (1) Preferred (2) Default Preference (3) Not Preferred (4) The Set Election Preference menu is located in the task pane of the Delivery Services Console under XenApp > Name of Farm > Zones > Name of Zone > Set Election Preference. When XenApp is installed, the first server in the farm is given a preference setting of Most Preferred. Each additional server added to the farm has a data collector setting of Default Preference. The first server continues to be the data collector unless an administrator changes its setting from Most Preferred to a lower preference setting, or a server with a newer version of XenApp joins the farm. Mixed farms are not supported with XenApp 6.
If the primary data collector is down or unavailable, an election is held to designate another server in the zone to act as the data collector. The newly-elected data collector gathers all necessary data within 30 seconds. As a best practice, configure one server with the Preferred ranking in the event that the server with the Most Preferred ranking becomes unavailable. This will ensure that the proper XenApp server becomes the new data collector should an election occur. 3. Host ID number - Host ID numbers are assigned at random during installation. In the event that all XenApp servers have the same preference setting, the election winner would be determined by the highest Host ID number. An administrator can use the QUERYHR command line utility to view the Host ID numbers for all the servers in the farm. For more information about the data collector election process, see Citrix Knowledge Base article CTX112525 on the http://support.citrix.com web site.
Zones
A logical group of XenApp servers communicating with a single data collector is called a zone. Zones are typically based on subnets.
46
During the installation of XenApp on a server, the server must join a zone. The first XenApp server installed in a farm defines the initial zone and becomes the data collector for the zone. The default name of the first zone is Default Zone. After the installation is complete, an administrator can create additional zones and move servers into the different zones. The first XenApp server moved into a zone becomes the data collector for that zone. Zones can be used to designate physical or logical groupings. If a XenApp server is moved to another zone, a restart of the moved XenApp server is required. The moved XenApp server will not respond to application requests until after the restart.
Sharing Data Across Zones

By default, the data collector for each zone in the farm shares all information. When a plug-in makes a request for a published resource, the data collector identifies the least busy server in the farm. Sharing data across zones can cause an increase in bandwidth consumption. As a best practice, keep the number of zones to a practical minimum. One zone is optimal.
Additional XenApp Components

XenApp contains additional components that enhance the functionality of the solution, including the following: Load Manager Load Manager ensures that each user connects to the server that has the lightest load and can best handle the connection. Load Manager applies load evaluators that consist of rules that govern the way Load Manager determines the resource load. Resource Manager is based on Citrix EdgeSight functionality and provides an administrator with the ability to monitor, report and collect server resource metrics for all servers in a farm. Access Gateway VPX virtual appliance provides secure access for applications and desktops with all of the functionality of a physical appliance on any industry standard server. For more information about the Access Gateway VPX, see the www.citrix.com web site.
Resource Manager (powered by EdgeSight) Access Gateway VPX
47
Citrix XenApp Provider
The Citrix XenApp Provider provides support for health information systems, such as Microsoft Systems Center Operations Manager (SCOM). For more information about the Citrix XenApp Provider, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Delivery Services Console
The Delivery Services Console is a Microsoft Management Console (MMC) snap-in that allows administrators to configure administrative permissions, server and farm properties through policies, published resources and much more. It is the primary administrative utility for XenApp. The License Administration Console is a browser-based utility that allows administrators to manage licenses, track license usage and configure licensing alerts. Citrix plug-ins make it possible for users to access published resources regardless of the operating system installed on the client device. The Citrix plug-ins related to XenApp include: Citrix online plug-in Citrix offline plug-In Client for Java Citrix Receiver (versions exist for Windows, Mac, Java and Linux) For more information on specific Citrix plug-ins, navigate to the www.citrix.com web site and select Downloads > Clients.
License Administration Console Citrix Plug-ins
48
The Delivery Services Console is the primary administrative utility for XenApp. All tasks in the Delivery Services Console can be automated using PowerShell, which replaces MFCOM. The console is organized around the tasks related to: Administrators Applications Policies Zones Add administrators and set permissions Publish and organize online and offline applications Create and manage policies Manage and monitor zones and servers in zones
XenApp 6 seamlessly integrates with Microsoft management tools. Administrators can manage XenApp servers and farms using Active Directory Group Policies.
49
The Delivery Services Console can also be used for the following tasks: Create and assign load evaluators to servers and published applications. Set the edition on the XenApp server. Connect to a server desktop. Configure and view hotfix information for Citrix products. View server health information. If two administrators are using the Delivery Services Console at the same time to change the same information in a farm, only the changes entered last are maintained in the data store database.
50
Practice: XenApp Components

Match the components of XenApp in the following table with the description that best identifies its function. Issue Resolution a. Stores dynamic farm information Worker groups b. Makes it possible for users to access published resources Resource Manager c. Allows multiple servers to be grouped together to ease administration d. Provides the ability to monitor, report and collect server resource metrics for all servers in a farm e. Allows administrators to configure administrative permissions and published resources f. Ensures that each user connects to the server most capable of handling the connection g. Provides users access to published resources in one or more server farms through a web browser or the Citrix online plug-in
Load Manager
Web Interface
Data collector
Delivery Service Console
Citrix Plug-ins
51
Review
1. Which are the editions of XenApp? a. b. c. d. Standard, Enterprise, Custom Advanced, Essential, Platinum Basic, Intermediate, Advanced Advanced, Enterprise, Platinum
2. Which feature of XenApp delivers a high performance, high definition user experience through virtualized applications from any device, on any network? a. b. c. d. SSL Relay SNMP Monitoring Citrix HDX technology Support for Microsoft App-V
3. Which component is not one of the primary architectural components of XenApp? a. b. c. d. Data collector License server Data store database Desktop Delivery Controller
4. Which statement about Independent Management Architecture is true? a. b. c. d. Communicates with XenApp using TCP port 25000 Delivers crucial systems that collectively leverage additional Citrix products Runs on designated XenApp servers and is enabled in the Delivery Services Console Provides the framework for all server-to-server communication that occurs in a XenApp farm
52
Module 3
Licensing XenApp
54
Overview
Citrix XenApp requires product licenses to function properly. Two major components of the Citrix licensing process are the license server and the License Administration Console. The licensing model applies to several products. This module provides information on the major components as well as additional relevant information for licensing XenApp. XenApp provides organizations with the ability to install, publish and manage applications and content from one centralized location. These published resources can then be securely accessed by users from anywhere, anytime, using any device over any connection. At the end of this module, you will be able to: Explain XenApp licensing communications and license types. Configure License Administration Console ports and administrators. Install the Citrix License Server and import license files into the console. Explain how the license server can be made highly available.
55
XenApp Licensing
Citrix XenApp requires licenses for users to connect successfully.
Licensing Process Overview

An administrator can use the following process to ensure that licensing components are set up correctly for implementation: 1. Install licensing components. 2. Obtain a license file from the www.MyCitrix.com web site. 3. Add the license file to the license server. When a Citrix product is first installed, there is an out-of-box grace period of 96 hours during which two users can run any product before an administrator installs any licenses. After a license server and licenses are installed, servers can lose contact with the license server for up to 30 days without the loss of functionality.
Licensing Communication
The following table outlines the components that an administrator must consider when deploying licensing. Component License Server License File Stores the licenses Keeps the license information for the product Contains vital information such as the product edition, number of users and any expiration dates applicable Is stored on the license server. License Administration Console Allows an administrator to maintain the license server and license files for XenApp servers using a web-based interface Description
56
Licensing Communication Overview

Citrix products depend on communication with the license server. An administrator must perform the following tasks for a license server to accept connection and license requests: Add a license file to the license server. Configure the farm to use a specific license server.
License Communication Process

The following steps describe the licensing communication process for checking out a license for a client device: 1. A user connects to Farm A. 2. A server in Farm A requests a license from License Server 1. 3. License Server 1 grants the requests and checks out a license for the client device. Additional connections from the user on the client device to a different XenApp server in Farm A will only consume the original license if both XenApp servers use the same XenApp product edition. 4. The same users connects to Farm B. 5. A server in Farm B requests a license from License Server 1. 6. License Server 1 grants the requests and uses the existing license for the client device.
License Types
XenApp uses concurrent user licenses, which are licenses that are not tied to specific users. When a server requests a license, it is reserved for a specific client device/user combination. When the user logs off from the session, the license is returned to the license pool and made available for another user. Users connecting from multiple devices will consume multiple licenses. In addition, if some servers in a farm are configured to connect to a different license server, users opening applications from both server groups will consume a license from each license server.
57
Citrix License Server
Citrix XenApp 6 can use any license server version 11.6.1 or above. The version can be verified in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\LicenseServer\Install.
The version number appears in the format: 11.6.1 build 10007. Any license server, version 11.x and above, can be upgraded. After the upgrade is completed, the License Server configuration tool will launch. Configuration, for settings such as the administrator password and license server ports, is required. Additionally, after the upgrade is completed, the previous report log (REPORTLOG.RL) will be disabled because license reporting is now available only in Citrix EdgeSight.
Microsoft Remote Desktop Services

XenApp extends the functionality of Microsoft Remote Desktop Services (formerly Terminal Services), which is a presentation virtualization platform for Windows Server. XenApp 6 leverages Windows Server 2008 R2 security enhancements and Remote Desktop Services architecture to add dimensions of flexibility, manageability, security and performance, thereby providing an end-to-end application delivery solution that is cost-effective and secure.
58
Microsoft requires client access licenses (CALs) and RDS CALs for each system that connects through Remote Desktop Services and provides a grace period of 120 days for an administrator to acquire the proper licenses. Remote Desktop licensing must also be installed. For more information on Microsoft licensing requirements, see the www.microsoft.com web site.
Remote Desktop Licensing

Remote Desktop licensing (formerly Terminal Services licensing) manages the licenses that are required for each device or user to connect to a Remote Desktop Session (RDS) Host server (formerly a Terminal Server). Administrators must configure a Remote Desktop Licensing server in the environment to distribute Remote Desktop licenses. To avoid adding the Remote Desktop Licensing server to each new Remote Desktop Services server that joins the domain, administrators can configure an Active Directory group policy to automatically assign the Remote Desktop Licensing server to each new server that joins the domain. Additional updates and considerations include the following: Automatic license server discovery is no longer supported. The specific license server or servers must be specified in the RDS Host configuration utility. Microsoft does not recommend installing the RDS session host on a domain controller. License servers are registered as Service Connection Points in Active Directory to allow them to be displayed during manual configuration. Administrators can configure an Active Directory group policy to automatically assign the Remote Desktop Licensing server to new RDS Hosts. Remote Desktop Client Access Licenses (RDS CALs) are new licenses introduced with Windows Server 2008 R2. RDS CALs are considered equivalent to Terminal Server Client Access licenses (TS CALs). Both will allow connections to an RDS Host server. However, as of January 2010, only RDS CAL licenses are sold and Windows Server 2008 or later is required. RDS CAL licenses include streaming applications to RDS servers with App-V. For more information on Remote Desktop licensing, see the www.microsoft.com web site.
Additional Licensing Considerations

Additional licensing considerations include: Different connections can consume multiple licenses.
59
When analyzing the number of licenses required in an environment, an administrator must consider whether users employ various types of clients to connect to product servers. For example, users connecting to XenApp using a Citrix plug-in and Remote Desktop Services connection simultaneously consume multiple licenses. The license server considers Remote Desktop Services connections as separate from the Citrix plug-in connection and even though the connection may be from the same user, XenApp consumes two licenses. Remote Desktop Services connections made to a console, however, do not consume a license. Most application manufacturers require user licenses for their products. An administrator must adhere to these licensing requirements whether users connect directly to the desktop or launch individual published applications. Licensing practices may vary from company to company, as well as in an RDS environment as compared with a traditional networking environment. Citrix recommends that an administrator contact each manufacturer to verify the specifications to ensure compliance with licensing requirements.
60
License Administration Console

The License Administration Console is a required, web-based interface that allows an administrator to maintain the license server and manage license files for that license server. The License Administration Console uses an integrated Apache web server that is part of the license server process (LMADMIN.EXE). An administrator cannot install the License Administration Console on a server other than the license server but can launch it through XenApp or over the Internet. The following table provides a brief description of the features available with licensing using the License Administration Console. Feature Tracking License Usage Reporting Description Tracks concurrent license information Creates reports based on current license usage Historical reporting on license usage uses Citrix EdgeSight technology (with EdgeSight Server 5.3 and EdgeSight Agent 5.2) and is not part of the License Administration Console. EdgeSight components are available to all customers regardless of XenApp product edition. Configuring Alerts Configuring Delegated Administrators Creates and displays alerts based on license usage and expiration dates Assigns rights to administrators to limit capabilities and ensure proper license management
To open the License Administration Console from the server on which it is installed, click Start > All Programs > Citrix > Management Consoles > License Administration Console. To open the License Administration Console using a web browser, type: http://servername:webserviceport in the Address field of the web browser. For example, if the server is Server1, type http://Server1:8082. Additional considerations include the following:
61
It is a best practice that administrators install and configure Secure Sockets Layer (SSL) and configure Secure HTTP(S) when accessing the License Administration Console using a browser on a UNIX workstation or in an unsecure environment. For more information on securing the License Administration Console with SSL, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site. If the vendor daemon stops running, vendor daemon services can be restarted in the License Administration Console, which is less intrusive than restarting the server. It is a best practice to use a Virtual Private Network (VPN) when accessing the License Administration Console from outside the network. The license server does not use a Windows Server account. The console requires authentication except to view the Dashboard. A default "Admin" account is created during installation and a password is configured for the account after the installation. If the password is forgotten, the license server must be reinstalled.
Port Configuration
Port configurations in the license files are no longer supported. The Citrix Licensing Support service searches for existing port configurations in license files and removes them. The Citrix vender daemon port (default: 7279), license server manager port (default: 27000) and License Administration Console port (default: 8082) can all be configured using the following methods: License Administration Console Configuring ports in the License Administration Console requires a restart of the Citrix Licensing service.
62
License Server Configuration Tool MSIEXEC command line argument
Delegated Administrators in the License Administration Console
The original administrator can add delegated administrators to the License Administration Console. These administrators can have full or partial control of the License Administration Console, as designated by the original administrator. An administrator can also add a domain user within the License Administration Console. When adding the new user, an administrator must choose to allow or deny them certain features. Therefore, an administrator can choose to add users to perform specific tasks in the License Administration Console with no ability to view other areas.
Identifying Delegated Administrator Roles

Two roles are available in the License Administration Console: User and Administrator. The following table describes each right available in the License Administration Console.
63
Right Current Usage Configuration User Administration
Description The ability to view current license usage, the complete license inventory and any alerts concerning these areas The ability to add new license files, manage files related to the License Administration Console and configure alert thresholds The ability to add new delegated administrators and assign them roles
64
Installing Licensing
The installation of the license server software automatically installs the licensing prerequisites with the exception of the following items: Microsoft Visual C++ 2008 Redistributable Microsoft MSI utility version 3.x Additional considerations for installing licensing include the following: It is a best practice to install the license server first. If licensing is installed after XenApp, a policy must be configured to point to the license server. Licensing can exist on a separate server or can share a server with another component.
Manual Installation and Configuration
Installation and configuration of the license server is divided into two separate processes. Post-installation configuration is performed using the License Server Configuration tool. This
65
tool is used to configure the console "Admin" password and port numbers and automatically launches after the initial installation or an upgrade is completed. The tool can only be run once. Multiple attempts to run the tool will produce an error. Unattended installation is also supported, but only by using MSIEXEC at the command line. The Admin password and port numbers are also configurable using the MSIEXEC command during an unattended installation. Active Directory and transform files are no longer supported for deploying licensing. For more information about the MSIEXEC command line arguments, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Uninstalling Licensing
An administrator may need to uninstall licensing for a variety of reasons, including moving the component to another system or renaming the system. Some of the files that are not deleted during the uninstall process include the following: Options file (CITRIX.OPT) License file (LICENSE_NAME.LIC) A new license server with a valid license file must be ready to accept connections from the Citrix product within a 30-day recovery period of removing the original license server. If the server is unable to establish communication within this time frame, users cannot connect. When the license file is moved to a server with a different name from the current hostname, the license file must be returned to Citrix and exchanged for a license file that indicates the new server name. This process is called reallocating and is completed on the www.MyCitrix.com web site.
License Server Considerations

XenApp does not need to be on the same system as the license server. General guidelines and considerations for license server deployment include the following: For fewer than 200 product servers, a shared license server is recommended. For between 200 and 5,000 product servers, a dedicated license server is recommended. For more than 4,000 product servers, a dedicated license server for each Citrix product is recommended. The majority of transactions between the servers, published applications and the license server are very small (less than 1KB); however, in environments that have a large number
66
of license checkouts, these transactions may tax the network bandwidth. In these cases, the license server should reside on the same LAN as the servers.
67
License File Management

Citrix requires each organization that uses Citrix products to purchase licenses for the product. The licenses allow client devices to connect to the product and use the features enabled in the product version. License files store the company license information in a plain text format with authenticated content. Each license file can store information for one or more licenses; a license server can store one or more license files. The license file is stored on a license server in the %PROGRAMFILES%\CITRIX\LICENSING\MYFILES\ directory. Examples of different types of license usage include the following: A parent company maintains the license server and license files for its child companies. Each child company must submit its own purchase order for its share of the licenses. An administrator can add the licenses for each child company to a single license file. An administrator purchases 50 licenses for XenApp. Six months later, an administrator deploys XenApp to two more company branches and purchases an additional 100 licenses. The license server now stores two license files for the same product, one for 50 licenses and the other for 100 licenses.
Obtaining License Files

The www.MyCitrix.com web site issues the license files. An administrator can allocate some or all of the licenses to one or more license servers. Therefore, an administrator is not obligated to allocate all licenses simultaneously and can choose where to use the remainder at a later date. This administration design allows companies to purchase licenses in bulk and then split them up as needed for various licenses servers, production farms, test farms or other schema that fit the environment. For example, if an administrator purchases a single 100-count license, the 100-count license could be split into several license files. To obtain a license file, an administrator must log on to the MyCitrix web site using personalized credentials. To create a new account, simply click on the New User link and follow the instructions.
Importing License Files

The License Administration Console is used to import a license file. Administrators can use the following procedure: 1. Launch the console and click Administration. 2. Log on and click the Vendor Daemon Configuration tab. 3. Click Import License.
68
4. Browse to the license file. 5. (Optional) Select the Overwrite License File on the License Server check box if the file has the same name as the existing file. 6. Click Import License and then OK. The import process copies the file from the existing location into the MyFiles directory where it can be read by the license server. 7. Click the Administrator link in the Citrix vendor daemon line. 8. Click Reread License Files to allow the license server to recognize the new file.
Subscription Advantage
Citrix products include a one-year membership to Subscription Advantage. This membership provides major releases, minor releases and product update downloads through the MyCitrix web site. The membership includes email notifications concerning the account and new items available for members. Members can view, update and obtain benefit information and privileges on MyCitrix at any time. Organizations can renew Subscription Advantage at the end of a one-year membership. For each major product release, Citrix issues at least one minor release; these releases are available free of charge with a Subscription Advantage membership. Customers who have let their membership lapse prior to the availability of a new product are unable to obtain the minor product releases. The license itself, however, continues to function at its current platform level and does not expire. The product version date in the license file must be the same as or newer than the product version date of the installed product, whether a major or minor release. Citrix issues new license files with updated Subscription Advantage expiration dates on the MyCitrix web site after membership renewal. Administrators can obtain and install major and minor releases after the Subscription Advantage membership expires, as long as the products were released while the membership was still valid. The following table describes several possible scenarios and how they affect product functionality. Subscription Status Valid Product Release Date Prior to Subscription Advantage expiration date Product Functionality Product functions properly
69
Subscription Status Expired Expired
Product Release Date Prior to Subscription Advantage expiration date After Subscription Advantage expiration date
Product Functionality Product functions properly Product does not function properly
License File Maintenance and Resources

The MyCitrix web site allows an administrator to quickly view Subscription Advantage information for the licenses of their organization, renew the membership and obtain new product releases. Administrators can find help in online documents located on the MyCitrix web site, as well as by contacting Customer Care. Customer Care contact information is located on the www.citrix.com web site.
70
High Availability Considerations

When working in a production environment, an administrator must always plan for unexpected circumstances that could cause the network or license server to become unavailable. The Citrix licensing design provides several easy-to-use solutions for disaster recovery and high availability.
Duplicate License Server

A duplicate license server is one option for creating a backup license server. The backup license server must duplicate such essential information as the hostname and the server IP address. This is especially important if the farm or servers are pointing to an IP address instead of the server name to resolve to the license server. Creating a duplicate license server requires planning and resources to build; however, the process can be implemented quickly in the event that a production license server becomes unavailable. To set up a duplicate license server, an administrator duplicates or images the production license server and stores the backup license server off the network or powers off the server. Storing the backup server off the network or powering it down prevents communication interferences between the farm and the production license server. When the production license server must be decommissioned or becomes unavailable, administrators can start the backup server or bring it into the network. The servers within the farm will automatically detect the license server and resume normal communication.
Additional License Server Processes

Additional processes for backing up the license server may be necessary. For example, administrators also have the following options: Enabling a replacement license server - Administrators shut down or remove the production license server from the network and rename the second license server to the exact name as the original production license server. Connecting to a different license server - The farm, or individual servers within the farm, can point to another license server at any time to retrieve licenses. Considerations include the following: Configurations: An administrator must configure each farm or server to point to a different license server. When the original license server is available again, the
71
administrator must change the farm or server configurations to point to the original license server. Bandwidth: Although bandwidth consumption is minimal, network resources are a consideration when additional servers connect to a license server. License availability: License availability is important because it affects financial decisions for the organization and ultimately, user connectivity. The license reserve diminishes faster than it does under normal circumstances when there are additional users making license requests. For this reason, an adequate number of licenses must be available for all users who typically connect to the farm, as well as the new users. Replacing the license server - Administrators can rebuild or replace the license server in the event that a backup license server becomes unavailable or when the production license server becomes inoperable prior to setting up a backup license server. The new license server can use the same license file as long as the hostname remains the same. If the hostname of the replacement license server is different from that of the original license server, administrators must obtain a new license file from the MyCitrix web site. License files are case sensitive; therefore, if the hostname is spelled the same but the case is different, the license file will need to be replaced.
License Server Clustering

Licensing provides administrators with a 30 day recovery grace period. To ensure high availability of the license server beyond the 30 day recovery grace period, licensing supports Microsoft clustering. Clustering the license server provides users with continuous access to applications in failure situations. A server cluster is a group of independent servers running as a cluster service and working collectively as a single system. All servers in the cluster have a single identity and the data is consistent across nodes. Licensing supports the two-node Microsoft cluster in Active/Passive configuration. The Microsoft cluster environment must be fully functional before configuring Licensing for Microsoft Clustering. Also, the license file hostname must reflect the name of the cluster, not the name of the individual nodes in the cluster. For more information, see Citrix Knowledge Base article CTX104878 or search the www.microsoft.com web site for information about Microsoft Clustering.
72
Review
1. After a license server is installed and licenses added, servers can lose contact with the license server for up to how many days without the loss of functionality? a. b. c. d. 5 30 90 96
2. Which type of licensing manages the licenses that are required for each device or user to connect to a Remote Desktop Session (RDS) Host server? a. b. c. d. Citrix licensing XenApp licensing Microsoft plug-in licensing Remote Desktop licensing
3. Complete the following sentence. When implementing XenApp, It is a best practice to install the license server _______. a. b. c. d. After installing XenApp Before installing XenApp On the same server as XenApp On the same server as the Web Interface
4. What should an administrator do to obtain a license file? a. b. c. d. Call Citrix Technical Support Copy a file from a previous XenApp implementation Log on to the MyCitrix web site using personalized credentials Run the License Generation Wizard from the Delivery Services Console
73
74
Module 4
Installing XenApp
76
Module 4: Installing XenApp
Overview
Citrix XenApp 6 installation is only supported on Microsoft Windows Server 2008 R2 operating systems. XenApp 6 can be installed using a wizard. When the wizard is used, the prerequisites are automatically installed by the wizard during the installation. When XenApp 6 is installed using a command line or an unattended installation, the administrator must manually install the prerequisites prior to installing XenApp 6. XenApp 6 is not supported for installation on a domain controller.
At the end of this module, you will be able to: Identify the methods that can be used to install XenApp. Identify the XenApp hardware and software requirements. Make installation decisions appropriate for an environment.
77
XenApp Server Role Manager
The XenApp Server Role Manager can be used to install and configure XenApp 6. The XenApp Server Role Manager allows the administrator to choose what to install. Administrators can add server roles as needed as the wizard guides the administrator through the installation. Roles available with XenApp include the following: Citrix License server XenApp Server The Citrix online plug-in and Citrix offline plug-in are installed automatically with the XenApp Server role. Web Interface Server Single sign-on services (Platinum Edition only) Power and Capacity Management Administration (Enterprise and Platinum Editions only) EdgeSight Server (Platinum Edition only) Provisioning Services (Platinum Edition only)
78
Unattended Installation and Configuration

Administrators have the option of performing an unattended, scripted installation by using the XENAPPSETUPCONSOLE.EXE file at the command line. Administrators can also perform an unattended, scripted configuration using the XENAPPCONFIGCONSOLE.EXE file. For more information such as specific syntax or help installing or configuring XenApp 6 from the command line, see the XenApp 6 documentation on the http://support.citrix.com/proddocs/index.jsp web site. Administrators can also enter "\?" in the command line interface to view the available commands. Provisioning tools and disk imaging can also be leveraged for XenApp installation and configuration. Startup scripts can install, configure or modify a configuration of XenApp. For more information about provisioning and imaging Citrix products, see the Provisioning Services documentation on the http://support.citrix.com web site.
79
Hardware Requirements
Most servers running Microsoft Windows Server 2008 R2 meet the hardware requirements for XenApp with ample processing power to host user sessions accessing the published resources. However, additional research may be needed to determine if the current hardware meets the requirements. The following table details requirements for XenApp 6. Technology CPU Requirement 64-bit architecture with Intel Pentium Xeon family with Intel Extended Memory 64 Technology AMD Opteron family AMD Athlon 64 family Compatible processor
Memory Disk space Web Interface
512MB RAM (minimum) 32GB (minimum) 6MB free disk space without the copied plug-ins 120MB free disk space with the copied plug-ins 3.5MB for each Web Interface site
80
Software Requirements
The components of XenApp require specific software in order to function correctly. An administrator can use the information in the following table to determine the software requirements for the installation stages of XenApp. Installation Stage Requirements
Delivery Services One of the following operating systems: Console Windows Server 2008 R2 Windows Server 2008 x86 and x64 Windows Server 2003 (Standard, Datacenter and Enterprise Editions) x86 SP2, x64, R2 x86 and x64 SP2 Windows XP Professional x86 SP3 Windows XP Professional x64 SP2 Windows Vista (Business, Enterprise and Ultimate Editions) x86, x64 SP1 Windows 7 x86 and x64 .NET Framework 3.5 SP1 (automatically installed) MMC 3.0 MS Visual C++ 2005\2008 SP1 Redistributable x64 (automatically installed) 25MB free disk space Web Interface One of the following operating systems: Windows Server 2008 R2 Windows Server 2008 x86 and x64 Windows Server 2003 with SP2 Internet Information Services (IIS) (automatically installed) Windows Authentication Client Certificate Mapping Authentication ASP.NET 3.5 Visual J# .NET Framework (automatically installed)
81
The following installation prerequisites are automatically enabled during the XenApp Server Role Manager wizard-based installations: Microsoft .NET 3.5 SP1 Windows Application Server Role Group Policy Management Console (GPMC) The Group Policy Management Console is only installed if the Delivery Services Console is selected for installation. Additionally, the Citrix Group Policy Engine, is added as a new service in XenApp 6. Microsoft Remote Desktop Services "Session Host" role The following installation prerequisites are automatically installed during wizard-based installation: Microsoft Visual C++ 2005\2008 SP1 Redistributable (and x64 edition) Microsoft Primary Interoperability Assemblies 2005
82
Installation Decisions
As a best practice, an administrator should review the configuration options available during the XenApp installation process prior to installing the product. By reviewing the options, the administrator can determine in advance how to configure XenApp so that it meets the needs of the organization. Administrators must be members of the Administrators group before installing or configuring XenApp. Individuals cannot elevate their privileges to local administrator through User Account Control to gain membership. Licensing should not be overlooked during the installation phase. Administrators are required to maintain proper licensing for: XenApp Operating system Remote Desktop Services (RDS) All applications For more information about Windows Server 2008 R2 and RDS licensing, see the www.microsoft.com web site.
83
XenApp Configuration Options

The questions and answers on the following pages describe some of the decisions that can be made during the configuration of XenApp.
Which Farm or Zones Will Be Used in the Environment?

Farms
A farm is a group of XenApp servers that can be managed as a single entity, can use a single data store database and can balance the load resulting from requests for published resources in the farm. During XenApp configuration, the administrator must decide whether a new farm will be created, the server will be added to an existing farm, or the server will be removed from a farm. In general, a single farm meets the needs of most environments. However, business reasons sometimes dictate the need for multiple farms.
Zones
A zone is a logical grouping of servers within a farm. Single zones work best when all XenApp servers are located in the same geographic location. Multiple zones work best when XenApp servers are separated geographically. If the administrator does not specify a zone name during installation, "Default Zone" will be used as the name of the zone. The administrator can create a custom zone name by selecting the checkbox and entering the name.
Which License Server Will Be Used for the Server Farm?

The license server component of XenApp can be installed on a dedicated server, or functionality can be shared with another server. XenApp must be aware of the location of the license server, which is specified during configuration. To use an existing license server, administrators enter the license server name or IP address. Administrators have the option to defer specifying license server information, if necessary.
84
The following information is required in order for XenApp to connect to the license server: License server name or IP address License server port number (default is port 27000) Server daemon port number (default is port 7279) If a license server from a previous version of XenApp will be used, it must be upgraded to use the license server software included with XenApp 6 or later.
Which Database Engine Will Be Used for the Data Store Database?
The data store database is used to store static information about the servers and published applications in a farm. When creating a farm, the Server Configuration Tool installs the Microsoft SQL Server Express database automatically, with the instance name CITRIX_METAFRAME and the database name MF20. This database uses Windows authentication. A Microsoft SQL Server Express data store database can already exist on a XenApp server, but the server must be restarted prior to the installation of XenApp. Farms can use the following databases as the data store: SQL 2008 SP1 (x32, x64 and Express versions) SQL 2008 (x32, x64 and Express versions) SQL 2005 SP3 (x32 and x64 versions) Oracle 11g R2
It is a best practice to install the database software on a non-XenApp server. The account used to install XenApp must have db_owner permissions to the database. Additionally, if XenApp will be configured from the command-line, the Data Source Name (DSN) file for the SQL Server database must be created prior to the XenApp configuration. Support for Microsoft Access and IBM DB2 has been removed for XenApp 6 on Windows Server 2008 R2. For additional information about supported database software versions, see the XenApp product documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Will Shadowing Be Enabled?

Shadowing allows authorized users to view and interact remotely with user sessions for the purpose of diagnosis, training and technical support. The default shadowing settings which allow shadowing are recommended for most farms.
85
The following table describes the options available when enabling shadowing. Option Prohibit remote control Description Prohibits the shadower from remotely controlling a users keyboard and mouse during shadowing sessions
Force a shadow acceptance popup Displays a shadowing acceptance message on the client device Log all shadow connections Keeps a log of all shadowed sessions
If shadowing is prohibited during XenApp installation, it can only be enabled at a later time by reinstalling XenApp. In some regions, shadowing is forbidden by industry or government regulations. If XenApp will be used in such a region, shadowing should be disabled during the installation.
On Which Port Will the Citrix XML Service Run?

The Citrix XML Service can be used to communicate the least busy server in the farm and the names of published resources to client devices running Citrix Plug-ins for Windows. By default, port 80 is used for this communication, but an administrator can specify a different port during or after the installation. If IIS is installed on the server, IIS and the Citrix XML Service can share port 80. Sharing the default port with IIS requires that XenApp has access to the virtual Scripts directory on the server. If the security settings on the server prevent this access, the administrator can relax the security settings during the installation. If this is not desired, a separate port should be used for the Citrix XML Service.
When Will Users Be Added to the Local Remote Desktop Users Group?
During the installation of XenApp, the existing users and groups and the anonymous user accounts created by XenApp can be added to the local Remote Desktop Users group on the server. Members of the local Administrators group have a built-in right to shadow. They do not need to be a member of the local Remote Desktop Users group. All others must be added to the group.
86
The following table describes the options available when adding users to the local Remote Desktop Users group. Option Add the Authenticated Users Add the list of users from the Users group Add Anonymous users Description Adds all authenticated users Adds groups and users from the Users group Adds anonymous users
Which Pass-through Client Will Be Used in the Environment?

A pass-through client gives users of older, less feature-rich clients access to the features of the Citrix online plug-in. Users open the pass-through client from a published server desktop or as a published application and then connect to their published applications from within the pass-through client. If the Citrix online plug-in is selected for installation, it will be used as the pass-through client and the installation program will attempt to locate the web server running the XenApp Services site using "localhost." If the web site is not running on the local system, the administrator must specify the URL of the web server during the installation using the \\servername.domain.name format.
Will Pass-through Authentication Be Used in the Environment?

Pass-through authentication allows XenApp to automatically authenticate the user, based on the credentials used to log on to Windows. When pass-through authentication is enabled, the user does not need to explicitly log on through the plug-in software to access published resources. Pass-through authentication should not be implemented in organizations with heightened security requirements. If pass-through authentication is not enabled during the installation and is later desired on the server, the plug-in software must be reinstalled on the server before pass-through authentication can be used.
87
Will Information in the Data Store and Configuration Logging Databases Be Protected with IMA Encryption?
XenApp can be configured to encrypt the credentials used by IMA to send information to the data store and configuration logging databases. This encryption can add a layer of security to the sensitive data stored in these databases. When IMA encryption is enabled on one server, it must be enabled on each server in the farm. IMA encryption is no longer part of the XenApp installation and must be manually configured using the CTXKEYTOOL command, following installation.
88
Web Interface Installation Decisions

The IIS Management Console is not installed during the Web Interface installation. If an administrator wants to configure IIS on the server, it can be installed by navigating to the Server Manager > Web Server (IIS) menu and selecting "Add Role Services." During the installation, administrators must make decisions about how the Web Interface will be installed. The following questions and answers address some of the decisions that must be made. Where will the Web Interface components be installed? Will the Citrix plug-ins be copied to the server? An administrator needs to select a destination folder for installation of the Web Interface components. The default folder is C:\PROGRAM FILES\CITRIX\WEB INTERFACE. Citrix plug-ins can be copied to the server for distribution to client devices through the Web Interface. Plug-ins do not need to be copied to the server during the installation of the Web Interface if the administrator does not want to make the plug-ins available for download through the Web Interface.
89
Review
1. True or False: An individual can elevate their privilege to local administrator through User Account Control to gain membership to the local administrators group. a. True b. False 2. Which item is not available as a role in the XenApp Server Role Manager? a. b. c. d. Data collector XenApp server Web Interface server Provisioning services
3. Complete the following sentence. When configuring XenApp, to use an existing license server, administrators enter the license server name or __________. a. b. c. d. IP address license key MAC address administrator credentials
4. Complete the following sentence. If pass-through authentication is not enabled during the installation and is later desired on the server, the plug-in software __________. a. b. c. d. cannot be configured to use pass-through authentication automatically configures upon reboot for pass-through authentication must be reinstalled on the server before pass-through authentication can be used can be copied from another XenApp environment that contains pass-through authentication
90
Module 5
Configuring XenApp Administration
92
Module 5: Configuring XenApp Administration
Overview
Organizations use XenApp to provide users with the resources they need to accomplish their jobs. Because all organizations are different, XenApp must be customized to take full advantage of its capabilities. By the end of this module, given an environment containing XenApp, you will be able to: Add and configure worker groups. Add and configure administrative accounts and permissions. Identify the components required for configuration logging. Log administrative changes made to a XenApp farm environment.
93
Worker Groups
XenApp servers can be organized and managed as a single unit known as a worker group. Administrators can configure a worker group to contain servers based on OU membership within Active Directory or assign individual farm servers to a worker group. Worker groups can be used to: Reduce the time needed to publish an application to several farm servers by organizing servers based on hosted application type Prioritize the groups of servers that users can access Filter policies to apply settings to a specific group of farm servers
Publishing Applications to Worker Groups

When publishing an application, a worker group can be used to identify the group of servers that will host the application rather than assigning individual farm servers. Servers that are
94
later added to the worker group, or Active Directory OU, are automatically added to the properties of the published applications. An administrator must ensure that each application published to a worker group is installed on every server in the worker group. If the application is not installed on one or more farm servers in the worker group, the application will not launch and an error is logged to the Application event log on the data collector.
Prioritizing Worker Groups

Administrators can create a worker group preference list to prioritize the groups of servers that users can access. When launching an application, users are first directed to the worker group with a priority setting of 1. If the servers in the highest priority worker group have reached maximum capacity, or are offline, users will be redirected to farm servers in a lower priority worker group. Users cannot be redirected to a worker group not included in the worker group preference list.
Filtering Policies to Worker Groups

Administrators can filter Citrix policies to worker groups and apply settings to sessions hosted on a specific set of farm servers. Servers that are later added to the worker group, or Active Directory OU, automatically inherit policy settings. Worker groups are identified as a filter by name only. If the worker group is renamed or deleted, XenApp cannot recognize the filter and the policy is not applied to the sessions.
95
Administrator Privilege Levels

Administrators are responsible for managing and monitoring XenApp servers and server farms. During the initial installation of XenApp, an administrator account is created. This administrator account has full administration rights and the authority to create new administrator accounts and grant permissions to the accounts. Each administrator account can be assigned one of the following privilege levels: Full Administration View Only Custom Each administrator should be given a different account with permissions specific to the access needed to perform required tasks. Specifying permissions for each administrator provides greater security and exact data on who made changes within the farm when configuration logging is enabled. Restricting access to areas of farm management may not prevent administrators from running some command line utilities available with XenApp.
Creating Administrator Accounts

Administrator account management considerations include: Administrators with View Only and Custom privileges cannot connect to XenApp sessions unless the license server has a valid XenApp license file. Groups and individual users can be granted administrator permissions. An administrator whose account is disabled will still be able to log on to the Delivery Services Console if a group to which the administrator belongs is granted permissions to it. An administrator account can be deleted from the farm by right-clicking the administrator name and clicking Delete. It is a best practice to add a group with full permissions and a group for local administrators as soon as possible after installing XenApp.
96
Administrator Account Selection
An administrator can configure users from the following locations with administrative permissions: Citrix User Selector Adds a new administrator from the Windows users and groups within the domain Adds a new administrator from the local users and groups on the server A domain administrator can also be selected, but appropriate credentials must be provided before permission to browse the list of Active Directory users is granted.
Operating System User Selector
97
Administrator Account Creation Settings
An administrator with full permissions can configure additional administrator accounts using the following settings: View Only Provides the administrator account permission to view all areas of XenApp using the Delivery Services Console and command line utilities, but the administrator cannot make modifications using these consoles or tools Provides the administrator account full access to view and modify all areas of XenApp using the Delivery Services Console and command line utilities The account specified during the XenApp installation becomes the default administrator with full administration privileges. These administrators can also:
Full Administration
98
Add and delete administrators. Grant permissions to other administrators. Create and delete server and application folders.
Custom
Provides the administrator account with limited permissions to view and modify XenApp using the Delivery Services Console and command line utilities A full administrator must configure the areas of XenApp to which a custom administrator has access.
Disable Citrix Administrator accounts
Disables the selected administrator account If the logon permission to a console is disabled, the administrator will not be able to perform administrative tasks using the Delivery Services Console.
Disabling an Administrator Account Example

A senior administrator adds an account for a new junior administrator and configures it with custom privileges. Because the new junior administrator will be attending three weeks of training before working at full capacity in the IT staff role, the senior administrator disables the administrator account for the junior administrator. This prevents the junior administrator from making changes to the server farm before being fully trained. After training is complete, the senior administrator can easily enable the account for the junior administrator.
99
Configuring Administrator Permissions
Creating an administrator account with custom privileges allows an administrator to delegate the administration of one or more particular areas of the farm. During the creation of a custom administrator account, the privilege level and permissions for the administrator account are specified. When the administrator uses the Delivery Services Console, only the console tree nodes and folders to which the administrator has permissions to administer are displayed. Permissions can be granted to custom administrators: During the creation of the custom administrator account Through the Administrator properties in the Delivery Services Console Through the Permissions option for application and server folders in the Delivery Services Console Delegated Administration Example CompanyA has a local IT staff and a help desk. The local IT staff is responsible for managing and maintaining the server farm. The help desk is responsible for providing the first level of support to all users. The IT staff must have full administration privileges, while the help desk needs the following custom privileges and permissions:
100
View only permissions for: Administrators (as well as Log on to the Management Console) Farm Management Printers and Printer Drivers Published Applications and Content Server Information
Full administration permissions for: Sessions (located in the Servers and Applications nodes) Policies By delegating these administrative permissions for the farm, the help desk personnel are only able to: View all areas of the Delivery Services Console. Perform session tasks and user policy tasks related to their jobs.
Configuring Folder Permissions

Folders can be created for applications and servers within the Delivery Services Console. Only an administrator account with full administration privileges can create folders. By creating folders and placing resources into the folders, an administrator can: Easily locate the desired objects during routine administration. Improve browsing performance of the Delivery Services Console because only the contents of the expanded folders are enumerated and only the folders to which an administrator has access are displayed. Support a more granular delegated administration configuration. Delegated administrators must have view permissions to parent folders in order to access child folders. The folder structure created in the Delivery Services Console is not related to or reflected in the folder structure displayed to users of self-serviced applications powered by Dazzle, the Citrix Receiver and the Web Interface. The application folder structure displayed to users is dictated in the properties of the published resource. Folder Use Example An administrator of a large farm must configure the published applications used by the HR department to meet the following criteria: The office users require high color depth, audio and shortcuts to the applications placed seamlessly on their existing client devices.
101
The remote users require reduced color depth and no audio support in order to reduce bandwidth requirements. The application administrator must only be allowed to manage the published applications and user sessions connecting to the published applications and must not have permissions to perform any other administrative tasks in the farm. To meet these requirements, an administrator with full administration privileges for the farm: Creates folders named OFFICE_HR and REMOTE_HR Publishes the required applications with the appropriate settings so all office users are assigned to the applications, and the applications are placed in the OFFICE_HR folder Publishes the same applications with the appropriate settings so all remote users are assigned to the applications, and the applications are placed in the REMOTE_HR folder Modifies the permissions for the OFFICE_HR and REMOTE_HR folders to allow the application administrator to perform both published application and session-related administrative tasks
Delegating Administration
102
The administration of application and server folders can be delegated to specific administrators and groups of administrators. This delegated administration is configured through the permissions assigned to the folders. These permissions can be: Copied from the parent folder to the child subfolder during the creation of the folder By default, any permission changes to the parent folder are not automatically copied to the subfolders. A full administrator can select, in the permissions of the parent folder, Copy the permissions of all administrators for this folder to its subfolders to propagate all changes to the subfolders. Specified or modified after the folder is created An administrator should be aware of the following considerations when configuring delegated administration for a folder: The administration of the folders can be simplified by assigning groups of administrators instead of individual users. The use of groups allows the administrator to grant or deny permissions by adding administrators to or removing administrators from the groups. When granting session management permissions such as Disconnect Users to an application or server folder, remember that disconnecting the session for one application will cause all other applications within the session to disconnect.
Practice: Delegating Administration

Use your knowledge of folders and permissions to provide the answers to the following scenarios. Scenario 1: An administrator with full administration privileges (full administrator) grants an administrator with custom privileges (custom administrator) access to the Applications node in the Delivery Services Console. The custom administrator is given full permissions to the following: Publish Applications and Edit Properties All Application Sessions tasks Six months later, the full administrator creates a folder within the Applications node of the Delivery Services Console to better manage the published applications in the farm. When creating the new folder, the full administrator chooses to copy permissions from the parent folder. Which permissions does the custom administrator have to the new folder? ______________________________________________________ ______________________________________________________
103
Scenario 2: An administrator with full administration privileges (full administrator) grants an administrator with custom privileges (custom administrator) access to the Applications node in the Delivery Services Console. The custom administrator is given full permissions to the following: Publish Applications and Edit Properties All Application Sessions tasks Six months later, the full administrator creates a folder within the Applications node of the Delivery Services Console to better manage the published applications in the farm. When creating the new folder, the full administrator chooses not to copy permissions from the parent folder. Which permissions does the custom administrator have to the new folder? ______________________________________________________ ______________________________________________________ ______________________________________________________ Scenario 3: CompanyA has a farm that consists of ten servers: five located in Quebec and five located in Hong Kong. The administrators in each location must have permission to manage only the servers in their geographic region. To accomplish this task, the full administrator creates two folders under the Servers node in the Delivery Services Console (QB_Servers and HK_Servers). The full administrator then moves the servers into the respective folders. What else must the full administrator do to ensure that administrators can only manage the servers in their geographic region? ______________________________________________________ ______________________________________________________ ______________________________________________________
104
Configuration Logging
In many organizations, a large number of administrators are responsible for configuring and administering XenApp. It can be beneficial to know which administrators made changes, what the changes were and when the changes were made. Configuration Logging provides a means for tracking administrative changes made to the XenApp farm environment, including: Who performed the change The date and time the change was made The object to which the change was made Details about whether the change was successful or not
An administrator can create configuration log reports using the Get-CtxConfigurationLogReport PowerShell command after Configuration Logging is enabled. The most useful information is logged when each administrator has a separate account.
Creating the Configuration Logging Database

When Configuration Logging is enabled, all changes made to the farm using the Delivery Services Console, command line utilities and tools custom built with SDKs are recorded to a Configuration Logging database. The Configuration Logging database can be configured to use one of the following database software versions: Microsoft SQL Server 2005 or 2008, with ddl_admin or db_owner permissions Oracle Database 11g Release 2 with Connect role, Resource role and Unlimited tablespace system privileges The roles and privileges listed are necessary for the user account responsible for creating, modifying and clearing the Configuration Logging database. The Configuration Logging database can be protected using the IMA encryption feature, which encrypts the credentials used to access the database. If IMA encryption will be used with the Configuration Logging database, the database must be configured to use encryption and IMA
105
encryption must be enabled on all servers in the farm. Administrators will be unable to access the IMA-encrypted data if the encryption for the farm is later disabled. The CTXKEYTOOL command can be used to enable and disable the IMA encryption feature and generate, load, replace, enable, disable and back up farm key files.
Configuration Logging Database Settings
The Delivery Services Console is used to specify the database that XenApp will use to log configuration changes. A Configuration Logging database must be created before Configuration Logging can be enabled. A Configuration Logging database can only support information for one farm. To store Configuration Logging information for a second farm, a second Configuration Logging database must be created. The following settings can be used to create the Configuration Logging database: SQL Server An administrator should select this setting to choose SQL Server as the Configuration Logging database type. If SQL Server is selected, the
106
administrator must provide the following information before proceeding with the configuration process: The name of the database server which is found in the Server name drop-down list The authentication mode used with the SQL Server database
Oracle
An administrator should select this setting to choose Oracle as the Configuration Logging database type. If Oracle is selected, the administrator must provide the network service name of the Oracle server.
Enabling Configuration Logging

Administrators with permission to edit Configuration Logging settings can enable and disable Configuration Logging for the farm and customize Configuration Logging settings. Configuration Logging settings include: Log administrative tasks to Configuration Logging database Allow changes to the farm when logging database is disconnected Logs all administrative tasks to the Configuration Logging database Allows configuration changes to be made to the farm when the Configuration Logging database is not available Requires database credentials when clearing the configuration log Caution should be taken when determining who has permission to clear the configuration logging database because important information logged to the database might be removed.
Require administrators to enter database credentials before clearing the log
107
Review
1. Which privileges can be granted to a XenApp administrator account? a. b. c. d. Full, View Only, Guest Read Only, Write Only, Add/Update View Only, Full Administration, Custom Create Accounts, Delete Accounts, Update Accounts
2. Which statement about folders in the Delivery Services Console is true? a. b. c. d. All administrators can create folders. Permissions can be assigned to individual applications in folders. Folders can be used to delegate the administration of applications and servers. Changes to permissions on a parent folder are automatically copied to all subfolders.
3. If IMA encryption is enabled, which effect will it have on the Configuration Logging database? a. b. c. d. All data in the Configuration Logging database will be backed up. Credentials to the Configuration Logging database will be encrypted. Only an Oracle database can be used for the Configuration Logging database. Only a SQL Server database can be used for the Configuration Logging database.
4. Which statement about worker groups is true? a. The first XenApp server moved into a worker group becomes the zone data collector. b. Farm servers in a worker group with a priority setting of 3 are considered the highest priority. c. A farm server added to a worker group will automatically inherit the policy configurations for the worker group. d. A farm server added to a worker group does not need to have an application installed locally to be able to inherit the published application configurations of the worker group and host the application.
108
Module 6
Installing and Configuring Web Interface
110
Module 6: Installing and Configuring Web Interface
Overview
The Web Interface provides users with access to published resources and content through a standard web browser or through Citrix plug-ins. The Web Interface employs Java and .NET technology to present users with a dynamically-created HTML depiction of farm resources. An administrator can create standalone web sites for resource access or integrate a web site into a corporate portal. Additionally, an administrator can configure settings for users accessing resources through the Citrix plug-ins. Web Interface sites are configured using the Web Interface Management console. The Web Interface is not a single point of failure. The options and configurations presented in this module pertain to Web Interface 5.3. By the end of this module, given an environment containing XenApp, you will be able to: Describe the Web Interface communication process. Install and configure the Web Interface. Create and configure XenApp Web and XenApp Services sites. Configure client delivery and customizations. Configure explicit, pass-through and smart card authentication. Configure secure access settings for the Web Interface. Configure the Web Interface to communicate with XenApp farms. Remove a Web Interface site.
111
Web Interface Communications

The following table describes the ports that are used in communication with the Web Interface. Port 80 Description This port is used by plug-ins using the TCP+HTTP protocol to communicate with servers. This port must be opened on firewalls for inbound packets from plug-ins to locate servers. This port is used by Citrix SSL Relay to secure communications between the Web Interface web server and the farm.
443
112
Web Interface Communication Process
The following process provides an overview of how a XenApp Web site communicates with client devices and XenApp servers to initiate a session: 1. A user submits logon credentials through a Web Interface logon page. 2. The Web Interface forwards the logon credentials to the Citrix XML Service on the XenApp server. 3. The credentials are forwarded to a domain controller for authentication. 4. The Citrix XML Service retrieves a list of applications from the IMA subsystem. 5. The Web Interface presents the applications in a web page on the client device. The user clicks an application icon on the web page. 6. The Web Interface contacts the Citrix XML Service to locate the least busy server in the farm. The Citrix XML Service requests a secure ticket for the user from the least busy server.
113
7. The Citrix XML Service returns the address of the least busy server and the secure ticket for the user to the Web Interface. The Web Interface server dynamically generates a customized ICA file (LAUNCH.ICA) and sends it to the web browser on the client device. If bookmarking is enabled, a LAUNCHER.HTML file will be created instead of the LAUNCH.ICA file. 8. The client device initiates a connection with the server specified in the connection information of the ICA file.
114
Web Interface Installation

An administrator can automatically copy the plug-ins from the Citrix XenApp 6 for Windows Server 2008 R2 DVD to the web server during the installation of the Web Interface. Copying the plug-ins from the Citrix Receiver and Plug-ins folder to the web server allows for automatic deployment of the plug-ins to client devices. Older plug-in versions are compatible with Web Interface 5.3; however, the 12.x version of the plug-in is required in order to take full advantage of the features in Web Interface 5.3. The following web browsers can be used to log on to the Web Interface: Internet Explorer 7.x Internet Explorer 8.x Safari 3.x Mozilla Firefox 3.x Mozilla 1.7
Not all features are supported by all browsers. For information about supported features for the plug-ins, see Knowledge Base article CTX104182 on the www.citrix.com web site. For security and performance, the Web Interface should not be installed on a XenApp server. Client devices accessing XenApp Web sites must have a web browser and supported plug-in to connect to the Web Interface site. For additional security, the Web Interface can be installed on the internal network . If the Web Interface is placed in the demilitarized zone (DMZ), it is a best practice to use Citrix SSL Relay to secure Citrix XML traffic. This requires the use of a digital certificate.
115
Installing Web Interface
An administrator can use the XenApp Server Roles Manager to install the Web Interface. For more information about installing the Web Interface, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.
116
Site Creation
An administrator can create the following types of Web Interface sites using the Web Interface Management console: XenApp Web A XenApp Web site allows users to access remote applications, virtualized applications and content using a web browser. A XenApp Services site allows users to access remote applications, virtualized applications and content using a Citrix online plug-in.
XenApp Services
The Web Interface Management console guides an administrator through the process of creating each site type and allows an administrator to specify the IIS site, the configuration source location, user authentication settings and server farm settings for the site. After the site is created, it is added to the Web Interface Management console.
Creating a Web Interface Site
117
An administrator can use the Create Site option in the Web Interface Management console to create a XenApp Web or XenApp Services site.
Site Creation Considerations
The configuration information for a site is stored on the local server. An administrator can configure the site using the Web Interface Management console on the local server or by editing the WEBINTERFACE.CONF file on the local server. When specifying the point of authentication, an administrator can choose between the following options: At Web Interface (default), which enables built-in authentication methods such as explicit, pass-through and smart card authentication At Microsoft Active Directory Federation Services account partner, which enables authentication to take place at a client organization that wants to use the applications on the site At Access Gateway, which enables authentication to take place at the Access Gateway and pass the credentials through to the web site At third party using Kerberos, which uses a third-party federation or single sign-on product to authenticate users and map identities to Active Directory accounts so Kerberos can be used for single sign-on to the web site At Web server, which enables the authentication of users using Kerberos
118
XenApp Web Site Configuration Options

XenApp Web sites are used to display published resources to users through a web browser. During the configuration of a XenApp Web site, the administrator must specify: The farm name, XML servers, XML service port and transport type to use for the site Authentication settings and domain restrictions, if any The logon screen appearance The published resource types to be provided by the site
XenApp Web Site Authentication Settings
When specifying authentication settings for a XenApp Web site, an administrator can choose from the following options: Explicit (default), which requires credentials be typed Pass-through, which passes the credentials specified at Windows logon to the web site
119
Pass-through with smart card, which passes the credentials specified at Windows logon to the web site. If a XenApp Services site is being accessed, the smart card PIN number must be provided Smart card, which prompts for the smart card PIN number regardless of the type of web site and for every application request Anonymous, which requires no typed credentials When Explicit, Pass-through or Pass-through with smart card are selected, the configuration wizard allows the administrator to restrict access to the site to users from specific domains. Active Directory Federation Services Users can also access published applications using Active Directory Federation Services (ADFS). ADFS extends the existing Active Directory infrastructure to provide access to resources offered by trusted partners across the Internet. ADFS support for the Web Interface enables the partner of an ADFS deployment to use XenApp in conjunction with the Web Interface. By enabling ADFS, the administrator in the resource partner's domain can create sites for users in the account partner's domain. The users in the account partner's domain will have single sign-on access to published applications in the resource partners domain. Sites configured to use ADFS, support authentication using ADFS only. Other methods of authentication are not supported. After a site configured to use ADFS is created, the administrator cannot configure that site to use built-in authentication or access through Access Gateway.
Logon Screen Appearance

During the configuration of the XenApp Web site, an administrator must specify the style to use for the Logon screens. The administrator can set the Logon screens to: Minimal Full Displays only the logon fields Displays the header area, navigation bar, logon fields, along with the Preferences and Messages tabs
120
Published Resource Types
Administrators can select the following published resource types for XenApp Web and XenApp Services sites: Online, which allows users to access published applications, content and desktops hosted on XenApp servers Offline, which allows users to access virtualized applications from their client device and open them locally using the Citrix offline plug-in Dual mode, which allows users to access offline virtualized applications and online published applications, content and desktops from the same web site If Dual mode is selected as the published resource type, XenApp attempts to virtualize the application to the client device first. If it is unable to virtualize the application to the client device, the published resource is accessed from the server.
121
XenApp Services Site Configuration
A XenApp Services site is used to deliver applications and resources to users through the Start menu, the Windows desktop or through the Citrix online plug-in icon displayed in the Windows notification area on the client device. The administrator can perform an initial configuration of the XenApp Services site using the Create Site option in the Web Interface Management console to create the CONFIG.XML configuration file in the \INETPUB\WWWROOT\CITRIX\PNAGENT\CONF\ directory on the Web Interface web server. During the configuration of a XenApp Services site, the administrator must specify: The farm name, XML servers, XML service port and transport type to use for the site The published resource types to be provided by the site For more information, see the Published Resource Types topic in this module.
122
CONFIG.XML File
An administrator can also configure a XenApp Web and XenApp Services site by editing the following parameters in the CONFIG.XML file: FolderDisplay, which specifies the location of published resource icons DesktopIntegration, which specifies whether or not shortcuts are added to the Start menu, Windows desktop or system tray ConfigurationFile, which facilitates moving published resource requests to a different server running the Web Interface Request, which specifies where the plug-in should request published application data from and how often to refresh the information Failover, which specifies a maximum of five backup server URLs to contact if the primary URL is unavailable Logon, which specifies the logon method to use UserInterface, which specifies whether to hide or display certain groups of options to the user as part of the online plug-in ReconnectOptions, which specifies whether or not workspace control functionality is available to users FileCleanup, which specifies whether or not shortcuts are deleted when a user logs off of the online plug-in ICA_Options, which specifies the display and sound options for the connections AppAccess, which specifies the types of applications available to users
123
Web Interface Site Modification

An administrator can modify a Web Interface site using one of the following methods: Web Interface configuration file, which allows administrators to modify the Web Interface parameters and settings directly in the WEBINTERFACE.CONF file stored on the local web server Modifying the local configuration file directly is an uncommon method. In order to back up a Web Interface site, the WEBINTERFACE.CONF and the CONFIG.XML files must be copied. Citrix Web Interface Management console, which allows administrators to modify the settings stored in the local configuration file
Modifying the Web Interface Configuration File
124
An administrator can directly modify the Web Interface site parameters and settings by editing the \INETPUB\WWWROOT\CITRIX\XENAPP\CONF\WEBINTERFACE.CONF file on the local web server with a text editor. The Web Interface uses a .NET Watcher feature that recognizes and automatically re-loads any changes made to the configuration file. The server running the Web Interface does not need to be restarted in order for changes to take effect.
Using the Web Interface Management Console
Administrators can use the Web Interface Management console to perform daily Web Interface administration tasks quickly and easily. The right pane of the console contains the actions that can be used to edit the settings of the selected Web Interface site. New administrators and administrators with limited experience modifying the WEBINTERFACE.CONF file parameters should use the Web Interface Management console to configure the Web Interface.
125
Specifying Citrix Plug-in Backup URLs
An administrator can specify URLs of backup servers to contact if the online plug-in cannot access the primary XenApp Services web site. A maximum of five backup URLs can be configured for each site. An administrator can use the Server Settings option in the Web Interface Management console to specify backup URLs for a XenApp Services site.
126
Site Appearance
Overall site appearance, layout, branding, application windows and the welcome area of a XenApp Web site are options that the administrator can configure through the Web Interface Management console to meet the needs of an organization. The Web Interface features a breadcrumb trail for navigation through the list of applications. The navigation bar allows users to access different screens within the Web Interface with well-defined labels to enhance the user experience. Users can add /m or /mobile to the end of the Web Interface URL to access available mobile pages on the site. The mobile pages also feature breadcrumb navigation, user-selectable views, a navigation bar, tabbed view and an application or resource search.
127
Site Customization Options
An administrator can use the Web Site Appearance option in the Web Interface Management console to customize the appearance of a XenApp Web site. The following list describes the options available for customizing the appearance of a XenApp Web site, including the pre-logon, logon, applications and messages screens for the site. Option Layout Description Allows an administrator to specify: The overall screen layout Display settings Whether or not users will be allowed to customize the layout of the site The number of application tabs that are displayed in the site
Appearance Allows an administrator to specify: View mode for the logon screen Minimal mode is the default view; it removes the header, ability to read messages and ability to change user preferences.
128
Option
Description Full mode provides users with full functionality, including the ability to read messages and change preferences before logon. The color used for the background, text and overall branding The header image, background image or color Navigation bar background image or color Content area background image or color
Content
Allows an administrator to specify: The default language and additional languages for the local area Standard language code allows an administrator to select standard languages from a list. User-defined language code allows custom language strings and requires the administrator to type the appropriate language code. XenApp Web sites change language settings based on the language settings of the browser. Custom text for the welcome message, footer, pre-logon message, logon screen text, application screen text, message screen text and footer text on all screens
Practice: Site Customization

Match the scenarios in the following table with the customization option used to address the scenario. Choose from the three customization options to fill in the six blanks in the table. Layout Appearance Content Customization Option Scenario Change the number of tabs displayed in the site.
Change the standard language of the site to Spanish for users in Mexico.
129
Add the company logo to the header area of the site.
Add the "Welcome to the Marketing Department" welcome message to the site. Allow users to customize the screen layout on the client device. Add the company logo.
Session Preferences
An administrator can configure the following session preferences for a XenApp Web site: Whether kiosk mode is enabled or disabled Whether the Preferences button in the Web Interface site is displayed to users The length of time a user session can be inactive before the session is logged off Whether browser bookmarks can be used to access resources Whether bandwidth control is enabled and users can configure settings to optimize the performance of their remote sessions Whether font smoothing can be used and users can control the window size in their remote sessions Whether users can customize local resource mappings such as key combinations, PDA settings and special folder redirection Whether or not the XenApp Web site should override the user device name
130
Configuring Session Preferences
An administrator can use the Session Preferences option in the Web Interface Management console to configure the session preferences for a XenApp Web site. Session preferences are not available for XenApp Services sites.
Session Options
An administrator can configure the following session options for a XenApp Services site: The window size Whether font smoothing is allowed The color quality and sound quality allowed Where key combinations can be used Whether special folder redirection is provided and whether users are allowed to customize it
131
How workspace control is configured for the site For more information about workspace control, see the Workspace Control topic later in this module.
Configuring Session Options
An administrator can use the Change Session Options menu in the Web Interface Management console to configure the session options for a XenApp Services site. Session options are not available for XenApp Web sites.
132
User Options
When connected to a XenApp Web site, users can select the view used to display their applications and resources in the site. The Select view drop-down list in the right corner of the Applications tab allows the user to select from the following views: Icons Details List Tree Groups
Users are also provided with: Hints that appear at the bottom of the Applications tab. These hints appear below the applications in the Applications tab and contain helpful information about using the site more efficiently. A low-end graphics mode for users with a hand-held device or bandwidth-challenged connections. This option appears below the Applications tab when it is available for use. Inline help to explain possible problem areas. This information is displayed above the Applications tab.
133
A search capability to assist in finding applications and resources. The Search field appears in the upper-right corner of the screen and the search results are displayed in the Search Results tab to the right of the Applications tab.
134
Workspace Control
The workspace control feature allows users to disconnect and reconnect to sessions as they move between different client devices. For example, in a health care environment, as doctors move around the hospital, they may require access to the same sessions from different locations. Using workspace control, the doctors are able to quickly reconnect to application sessions. The following requirements must be met to use workspace control: XenApp must be installed and configured. The Web Interface must be installed. At least one Web Interface site must be configured. Workspace control works with both XenApp Web and XenApp Services sites but cannot be used with Remote Desktop Connection software. Workspace Control Example Dr. Jones has an active PowerPoint session open on Device #1. When Dr. Jones starts his rounds, he leaves Device #1 and opens a session in the hospital patient data application on Device #2 to record patient data. Both the PowerPoint and patient data applications are opened on Device #2. When he finishes, he clicks the Disconnect button and continues his rounds in another location in the hospital. Next, Dr. Jones logs on to Device #1 and decides to reconnect to both his active and disconnected sessions. The doctors PowerPoint session on Device #1 is automatically disconnected by the Web Interface and reconnected on Device #3. The disconnected session on Device #2 is reconnected on Device #3. In addition to the applications, workspace control can automatically provide the printers for the sessions based on the client device and policy settings.
Workspace Control Functionality

Workspace control: Only reconnects users to existing sessions on XenApp servers. If a session is logged off, workspace control cannot reconnect to it Cannot reconnect anonymous users to applications after they disconnect Prompts smart card users for their PINs for each reconnected session if pass-through authentication with smart cards is enabled
135
Requires that the Web Interface site be set to override the client name setting in the Manage Session Preferences task (default setting) Workspace control functions are disabled if no trust relationship exists between the Web Interface server and the XenApp servers and pass-through or smart card authentication methods are used. For more information about this trust relationship, see the Citrix XML Service Trust Relationships topic later in this module.
Workspace Control Configuration Options

The following table lists the workspace control options that can be configured for a Web Interface site to allow users to reconnect to active or disconnected sessions. Option Description
Automatically Set the automatic reconnection of sessions to: reconnect to Reconnect to all sessions, which allows users to automatically sessions when users reconnect both disconnected and active sessions log in Reconnect only to disconnected sessions, which allows users to automatically reconnect to disconnected sessions Allow user to customize, which allows users to change this setting Enable the Reconnect button Sets the automatic reconnection of sessions after the user logs on and clicks the Reconnect button to: Reconnect to all sessions, which allows users to automatically reconnect both disconnected and active sessions Reconnect only to disconnected sessions, which allows users to automatically reconnect to disconnected sessions Allow users to customize, which allows users to change this setting Logoff Sets the behavior of the logoff activity to: Log off active sessions when users log off from the site, which automatically logs off the session when the user logs off the site Allow users to customize, which allows users to change this setting The Logoff options are only available for XenApp Web sites.
If an organization has a strict no-disconnected-sessions policy for the farm, an administrator should disable workspace control.
136
Workspace Control User Customization
After an administrator configures a XenApp Web site to allow user customizations for the workspace control settings, the Logon options become available in the Preferences tab of the Web Interface site. The Logon options allow a user to change the workspace control settings.
137
Configuring Workspace Control
An administrator can use the Workspace Control option in the Web Interface Management console to configure workspace control settings for a XenApp Web site.
138
An administrator can use the Change Session Options menu in the Web Interface Management console to configure the workspace control settings for a XenApp Services site.
139
Citrix Plug-ins and Web Interface

Access to resources through a Web Interface site requires that a client device has a supported web browser and a plug-in. A plug-in can be installed on the local client device or embedded within the web browser used by the Web Interface site. In addition, the Web Interface site can be used to deploy the required plug-in. Administrators can configure the Web Interface site to: Deploy and install the appropriate plug-in to user devices through installation captions. Automatically deploy the native client. Specify which plug-ins the users can use to start an application. Enable users to choose how their applications are started. Specify the packages included in the Client for Java deployment or allow users to select the required packages.
Plug-in Deployment Options

A Web Interface site can be used to distribute plug-ins to users. The following table identifies the plug-ins that can be made available to users. Option Native plug-in Description By default, published resources are presented in seamless windows that can be resized. If users access applications through a Windows mobile device, the native plug-in must be enabled. The native plug-in may be a Windows, UNIX or Mac OS client. Both seamless and fixed window modes are available for native plug-ins. This plug-in can be used on client devices with a web browser and Java Runtime Environment installed. Published resources are presented in seamless windows that can be resized. This plug-in cannot be used to access ADFS integrated sites and cannot be used on Windows CE or Windows mobile devices. The Client for Java deploys automatically when a user connects from a Macintosh platform using a Safari web browser. Remote Desktop This client can be used on 32-bit Windows systems running Internet Connection Explorer to access their resources. If users are unable to use any other
Client for Java
140
Option
Description clients, the client detection and deployment process checks whether the Remote Desktop Connection software is available and helps users to enable the Remote Desktop ActiveX Control, if necessary.
Automatically Detecting Plug-ins

If the plug-ins are copied to the server during the installation of the Web Interface or later, then a Web Interface site on that server can be configured to automatically detect and deploy the native plug-in to users running a supported web browser. The Web Interface site can also be configured to automatically update the plug-ins on Windows-based client devices. In addition, the Client for Java can be deployed automatically if a plug-in is not installed or cannot be installed on the local client device. If User Account Control is enabled, Windows Vista and Windows 7 will seek confirmation of the installation and will not install without user intervention. If users have administrative rights on their client devices, they can select whether to install any or all of the native plug-in components. If users do not have administrative rights, the plug-in automatically installs into the local user profile because it cannot be installed on the client device. If Prohibit User Installs is enabled in the Windows Installer option in the console tree of the Group Policy Management Console, users will not be able to install a plug-in on their client devices.
Client Detection
The Client Detection option can be configured to check client devices during the logon to the XenApp Web site to determine if an appropriate plug-in is installed. If a plug-in is not detected or a more appropriate plug-in is available, an installation caption can be displayed on the Web Interface screen. The installation caption provides an easy method for users to download and install the required plug-in software. A display notification message can be configured to display: Whenever a plug-in is needed or an upgraded plug-in is available Only if resources cannot be accessed Never
141
Configuring Client Detection
An administrator can use the Client Deployment option in the Web Interface Management console to configure the client detection settings for a XenApp Web site.
142
Fallback Behavior
An administrator can specify which client (plug-in) will be deployed when the native plug-in software is not detected on the client device. An administrator can choose from the following options: Deploy a native client to download and deploy the appropriate native plug-in software. This is the default setting. Deploy a native client and allow user to choose between this and the Client for Java to allow users without a native plug-in to be offered the Client for Java and only be prompted to download and deploy a native plug-in if they cannot use the Client for Java. Automatically fall back to the Client for Java to allow users without a native plug-in to be prompted to download and deploy the Client for Java.
143
Citrix Offline Plug-in
The Citrix offline plug-in is required on a user's client device in order for an application to be able to stream to client, even if the user is online. The offline plug-in communicates with the server farm through a URL. An administrator can choose from the following offline plug-in configuration options: Automatically detect session URL Specify session URL This is the default setting
In instances in which both HTTP and HTTPS are used to access the site or the domain of the web server cannot be resolved, an administrator may need to specify the URL for use by the offline plug-in in the following format: http://servername:port/Citrix/XenApp/rade.aspx
144
Client for Java

The Client for Java is a cross-platform compatible applet and can be deployed using a XenApp Web site and any Java-compatible web browser. An administrator can choose to deploy the Client for Java in low-bandwidth networks for greater security or in situations in which the permanent installation of plug-in software is neither desired nor permitted. An administrator can configure the Client for Java as a smaller download by removing unwanted component packages or by allowing users to control which component packages they require. The Client for Java: Is customizable by administrators and users Supports most Citrix Plug-in for Windows functionality including client drive mapping and SSL Has a zero footprint
Additional Packages to Include with Client for Java

Several packages can be included with the Client for Java. The size of the Client for Java download to memory is determined by the packages included in the download. The fewer packages selected, the smaller the download. The following table describes the packages available with the Client for Java. Package Audio Clipboard Description Enables server-based applications to play sounds through a client-based sound device Enables users to copy text and graphics between server-based applications and applications running locally on the client device Accelerates the display of input text on the client device Secures communication using SSL/TLS Provides strong encryption to increase the privacy of connections Enables users to access their local drives from within a session Enables users to print to their local or network printers from within a session Enables users to configure the Client for Java
Local text echo SSL/TLS Encryption Client drive mapping Printer mapping Configuration UI
145
Package
Description
Allow user to select packages Allows users to control which components are required
Configuring the Client for Java
An administrator can use the Client Deployment option in the Web Interface Management console to configure the Client for Java settings for a XenApp Web site.
146
Authentication Configuration
Authentication to a Web Interface site takes place when a user logs on using the Web Interface logon page or a Citrix online plug-in. The Web Interface passes the user's credentials to XenApp, which passes the credentials to the appropriate authentication authority. If authentication is successful, the Web Interface displays the application set for the user. Users can only log on using the authentication methods made available by the administrator. If two authentication methods are made available for the site and one method fails, the user can attempt to log on using the other authentication method. Web Interface sites can also be configured to use anonymous logon. Anonymous logon allows users to access the site without supplying a user name or password. Anonymous logon should not be widely used because security can be compromised.
147
Authentication Options
The following list identifies the authentication options that are available for XenApp Web and XenApp Services sites. Explicit Authentication to the site requires users to supply a user name and password. User Principal Names (UPN), Microsoft domain-based authentication and Novell Directory Service (NDS) are available for both XenApp Web and XenApp Services sites. In addition, RSA SecurID, RADIUS and Secure Computing SafeWord authentication are available for XenApp Web sites. Pass-through Authentication to the site occurs using the credentials that users provided when they logged on to their Windows desktop. The users do not need to re-enter credentials to log on to the site and their application set is displayed automatically. Additionally, Kerberos authentication can be used to connect to servers. If Kerberos authentication is specified and Kerberos fails, pass-through authentication will also fail, and users will not be able to authenticate. Pass-through with smart card This option is only available for use with the Citrix online plug-in and requires configuration of smart cards in the environment. Authentication to Windows is accomplished by inserting a smart card into a smart card reader attached to the client device and specifying the PIN. After the initial logon to Windows, authentication to the site is accomplished using the smart card and the cached PIN information. If a XenApp Services site is also configured to use Kerberos authentication, it can be used to connect to the site. If the Kerberos authentication fails, the pass-through authentication of the cached PIN will also fail. Kerberos Delegated Authentication or Kerberos Ticketing simplifies user authentication by eliminating the need for client-side configuration to enable pass-through authentication. Kerberos Ticketing also reduces logon points and ensures the integrity of the logon chain for increased security.
Smart card
Authentication to the site is accomplished by inserting a smart card into a smart card reader attached to the client device. The user is prompted for a
148
PIN. Smart cards must be configured in the environment to select this option. Anonymous Anonymous logon allows users to access the site without supplying a user name or password. Anonymous logon should not be widely used, especially if Secure Gateway or Access Gateway is being used, because security can be compromised.
Generic RADIUS Support

The Web Interface supports two-factor authentication using Generic RADIUS. RADIUS settings include: Additional Explicit Authentication RADIUS Request Timeout RADIUS Servers Bypass Failed RADIUS Server Duration Enable RADIUS Server Load Balancing For more information about RADIUS support, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Explicit Authentication
When explicit authentication is implemented, users authenticate by specifying a user name, password and domain. An administrator must take into account the following considerations when enabling explicit authentication for a Web Interface site: Whether or not domain restrictions will be specified Which authentication type will be used for explicit authentication. Valid authentication types include: Microsoft Windows domain-based authentication NIS (UNIX) authentication Novell Directory Services authentication Whether or not two-factor authentication will be implemented What the password change and expiry notification settings will be
149
Whether or not users will be allowed to reset their passwords for the Web Interface site using Citrix Single sign-on.
Domain Restriction Configuration
An administrator can use the domain list field in the web site properties to specify the domains that are authorized to access a XenApp Web or XenApp Services site.
150
Windows or NIS (UNIX) Authentication Configuration
An administrator can configure a Web Interface site to use Windows or NIS (UNIX) authentication with one of the following credential formats for user logons: Domain user name and UPN When this credential format is selected, the administrator can specify: Whether or not the Domain field in the Logon page is automatically displayed so users can type the domain name into the field Whether or not the Domain field is pre-populated with a list of domains from which users can choose Which domains are authorized to access the Web Interface site These domains appear in the Domain field in the Logon page. The domain order can also be specified by an administrator. Whether or not all UPN suffixes are permitted By default, all UPN suffixes are permitted. The UPN suffixes that will be accepted and the suffix order
151
Domain user name only When this credential format is selected, the administrator can specify: Whether or not the Domain field in the Logon page is automatically displayed so users can type the domain name into the field Whether or not the Domain field is pre-populated with a list of domains from which users can choose Which domains are authorized to access the Web Interface site These domains appear in the Domain field in the Logon page. The domain order can also be specified by an administrator. UPN only When this credential format is selected, the administrator can specify: Whether or not all UPN suffixes are permitted By default, all UPN suffixes are permitted. The UPN suffixes that will be accepted and the suffix order A User Principal Name (UPN) is a unique name in Windows Active Directory given to each user. Users are identified by the UPN, which consists of a principal name and a domain name or domain alias that identifies the user. The UPN has an email address format. For example: JohnSmith@company.com
152
Novell Directory Services Configuration
An administrator can configure a Web Interface site to use the Novell Directory Services authentication type for the explicit logon. When Novell Directory Services is selected, an administrator must specify the tree name and context restrictions, if applicable. More than one context name can be supplied. The order in which the names are specified determines the sequential search order.
Two-Factor Authentication Configuration

An administrator can configure a Web Interface site to use two-factor authentication with explicit authentication. The following two-factor authentication methods are available: RSA SecurID This two-factor authentication method uses numbers generated by an RSA SecurID token and a PIN number to create a passcode. In addition to
153
providing domain credentials, users must also provide their RSA SecurID passcode during logon. Prior to enabling RSA SecurID authentication, the RSA ACE/Agent for Windows version 6 or later must be installed, followed by the installation of the Web Interface. SafeWord This two-factor authentication method uses alpha-numeric codes generated by a SafeWord token to create a passcode. In addition to providing domain credentials, users must also provide their SafeWord passcode during logon. Prior to enabling SafeWord authentication, the SafeWord Web Agent must be installed on the web server after the Web Interface has been installed. RADIUS This authentication method uses the Remote Authentication Dial-in User Service (RADIUS) authentication protocol, as opposed to proprietary agent software. Both SafeWord and RSA SecurID can be installed and configured to be presented as a RADIUS server. For Web Interface for Java Application Servers, RADIUS authentication is the only two-factor authentication option available.
154
Password Settings Configuration
When explicit authentication is enabled, an administrator can configure the password settings for a Web Interface site that determine: Whether or not users are permitted to change their logon passwords When users are permitted to change their logon passwords Whether or not a message is sent to users when their password is about to expire and how frequently the message is sent
155
Account Self-Service Configuration
Account Self-Service allows users to reset their network passwords and unlock their account by answering a series of simple security questions. An administrator can configure the Account Self-Service settings for a Web Interface site when: Citrix Single sign-on is installed in the environment (Platinum Edition only). The site is configured to use explicit authentication. The site is configured to allow users direct access. Account Self-Service is not available for sites accessed using Access Gateway with Advanced Access Control. The site is configured to use only one Single sign-on service. The site is configured to allow users to change their password when password reset functionality is enabled.
156
Configuring Explicit Authentication
An administrator can use the Authentication Methods option in the Web Interface Management console to configure explicit authentication for a XenApp Web or XenApp Services site.
Pass-through Authentication
Pass-through authentication allows users to authenticate to a Web Interface site using the credentials provided during logon to the client device. Users do not need to re-enter their credentials in the Web Interface logon page; their application set is automatically displayed. The following requirements must be met prior to enabling pass-through authentication: All servers and client devices must be part of the same domain, trusted domain or federated trust.
157
Client devices must run Internet Explorer 6.0 or later. Pass-through authentication should only be enabled in environments that are secure or trusted to prevent user credentials from being misrouted to an unauthorized or counterfeit server.
Configuring Pass-through Authentication
An administrator can use the Authentication Methods option in the Web Interface Management console to configure XenApp Web and XenApp Services sites to use pass-through or pass-through with smart card authentication. The ICACLIENT.ADM administrative template must also be configured to enable pass-through authentication. XenApp Services sites can also be configured to use Kerberos in conjunction with pass-through authentication. After the Web Interface site is configured for authentication, the administrator must enable authentication for the plug-ins. An administrator can use the Group Policy Management
158
Console and the ICACLIENT.ADM file to configure plug-ins to use pass-through or pass-through with smart card authentication by configuring the Local user name and password setting. For more information about using the ICACLIENT.ADM file to configure plug-ins, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Smart Card Authentication

Users can authenticate to the Web Interface by inserting a smart card into a smart card reader attached to the client device. Smart card authentication can be configured for use in two ways: smart card only or pass-through with smart card. Smart card only This option allows users to authenticate to a Web Interface site using a smart card and a PIN. This option allows users to authenticate to Windows using a smart card and a PIN. After the initial logon to Windows, authentication to the Web Interface site and published applications is accomplished using the smart card and the cached PIN information.
Pass-through with smart card
The following requirements must be met prior to enabling smart card authentication: The web server must have Secure Sockets Layer (SSL) enabled and a valid server certificate. Windows Service smart card must be enabled. Client devices must run Internet Explorer 5.5 or later and a Windows-based plug-in (version 6.30 or later). The ICACLIENT.ADM administrative template must be configured The environment must have a cryptographic service provider. Smart card authentication is not available on UNIX platforms.
Configuring Pass-through Authentication

An administrator can use the Authentication Methods option in the Web Interface Management console to configure XenApp Web and XenApp Services sites to use pass-through or pass-through with smart card authentication.
159
After the Web Interface site is configured for authentication, the administrator must enable authentication for the plug-ins. An administrator can use the Group Policy Management Console and the ICACLIENT.ADM file to configure plug-ins to use pass-though or pass-through with smart card authentication by configuring the Local user name and password setting. For more information about using the ICACLIENT.ADM file to configure plugins, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Citrix XML Service Trust Relationships

The Citrix XML Service communicates information about published applications between the Web Interface and XenApp servers. When pass-through or smart card authentication methods are used, Web Interface is responsible for authenticating the users. In order for the Web Interface to authenticate users, there must be a trust relationship between the Web Interface server and the XenApp servers. If pass-through or smart card authentication methods are not used in the environment, a Citrix XML Service trust relationship is not necessary. The following table lists the authentication methods that require a Citrix XML Service trust relationship. Authentication Method Pass-through Smart card Pass-through with smart card Explicit Anonymous X X X X X Trust Required No Trust Required
160
Enabling Trust Relationships
An administrator can use the Trust XML requests policy in the Group Policy Management Console to configure a XenApp server to trust the requests sent to the Citrix XML Service from the Web Interface. Trust relationships must be enabled on the XenApp servers that are running the Citrix XML Service and are directly contacted by the Web Interface. Typically, a server designated as the data collector for the zone would be the server running the Citrix XML Service. An administrator can view the list of the servers running the Citrix XML Service that are contacted by the Web Interface site by selecting Server Farms in the Web Interface Management console. To avoid security risks when setting up trust relationships, IPSec, firewalls or any other technology that ensures that only trusted services communicate with the Citrix XML Service should be used.
Practice: Authentication Configuration

Fill in the blanks to complete the following sentences. 1. A __________ Name is a unique name in Windows Active Directory given to each user as an identifier and consists of a principal name and a domain name or domain alias. 2. When __________ authentication is implemented, users do not need to enter their credentials to access their application set. 3. A __________ card can be used to authenticate users to a Web Interface site.
161
4. An administrator can select __________, NDS or NIS authentication for explicit logon to a Web Interface site. 5. When Novell Directory Services is selected for explicit authentication, a __________ name and context name must be specified. 6. Both _________ and __________ two-factor authentication methods use a token and a PIN number to create a passcode. 7. When Single sign-on is integrated with the Web Interface, the __________ feature can be enabled to allow users to reset their network password.
162
Secure Access Configuration

If a company is using Access Gateway, the Secure Gateway or a firewall in a deployment containing XenApp, an administrator can configure a Web Interface site to include the appropriate security settings. For example, an administrator can configure a Web Interface site to provide an alternate address if the server is configured with an alternate address and the firewall is configured for Network Address Translation.
Access Methods
An administrator must configure the appropriate access method in order for users to access resources through the Web Interface. An administrator can choose from the following access methods if the connection will not be directed through Secure Gateway or Access Gateway: Direct access Direct access is typically configured in situations in which internal users connect from trusted environments, such as corporate intranets, and there is no need for address translation or for keeping the address of the XenApp server private. Direct is the default access method and requires no configuration. Alternate access is configured in situations in which the IP address of the server running XenApp must be kept private from users. A second IP address is required. An administrator must configure XenApp to use an alternate address by using the ALTADDR command on each target XenApp server. Selecting alternate access signifies that the address translation takes place on the XenApp server. Translated access Translated access is configured in situations in which the IP address of the server running XenApp must be kept private from users, and multiple servers in the farm are used to provide application access. With translated access, the firewall is configured to perform the address translation. Translated access is more commonly selected than direct or alternate. However, when selecting translated access, the configuration must be done in accordance with firewall rules. If firewall rules change, the translated addresses must be maintained. After selecting translated access, administrators should configure the server address translation map.
Alternate access
163
Administrators should also configure the firewall for Network or Port Address Translation.
If users will access resources in the farm through a Secure Gateway or Access Gateway connection, the Gateway direct, Gateway alternate or Gateway translated access method should be configured for those connections. For more information about these access methods, refer to the Security module in this course. Secure Access Methods Example
An administrator can configure a XenApp Web site to support external users with alternate addressing and still allow users on the internal subnet to use normal addressing. When configuring address translation, the XenApp Web site must be configured to define mappings from internal server IP addresses to external IP addresses and ports. These mappings allow users to open applications if the address and port of the server are translated at the internal firewall.
164
Network Address Translation
An administrator should deploy the servers running the Web Interface inside the internal firewall. By default, the Direct access method is used to connect all users to a Web Interface site. An administrator can configure exceptions to the Default access method by providing a specific IP address and subnet mask to ensure that when the user connects from a client device with a matching subnet address the connection is made using the associated access method. If a firewall is used with XenApp, an administrator can configure the Web Interface site to include the appropriate IP address in the client files. It is important to configure addressing correctly for the Web Interface site so that internal IP addresses are not exposed externally. Exposing internal IP addresses provides a security weakness that can be avoided by implementing alternate addressing or translated addressing with or without Secure Gateway or Citrix Access Gateway.
165
Network Address Translation Access Types
An administrator can select the following access types when mapping between an internal address and external address: User device route translation The plug-in uses the translated address to connect to the server. The Secure Gateway server or Citrix Access Gateway uses the translated address to connect to the server. Both the plug-in and the Secure Gateway server or Citrix Access Gateway use the translated address to connect to the server.
Gateway route translation
User device and gateway route translation
166
Client-side Proxy Settings

Proxy servers are used to control access into and out of a network and act as an intermediary between the client devices and the XenApp servers. Web Interface sites allow an administrator to configure whether or not users communicate with XenApp servers through a client-side proxy server. An administrator can define exceptions for controlling proxy behavior by mapping the IP address and subnet mask of the client device. If the web browser connects to the Web Interface through a proxy server or firewall that hides the IP address of the client device, the client subnet address value must specify the address of the client device as the Web Interface sees it. For example, if a web browser connects through a proxy server, an administrator should specify the external address of the proxy server in the IP address field. The following table lists the available proxy settings. Option Description
Users browser setting The plug-in auto-detects the proxy based on the configuration of the client device web browser. Auto proxy detection is typically used in organizations with multiple proxy servers. The details of the proxy server are determined when the plug-in communicates with the local web browser. This is the most common setting. Web Proxy Auto Detect Client defined The plug-in auto-detects the web proxy using the Web Proxy Auto Discovery protocol. The proxy setting of the plug-in is used by the Web Interface site. This option requires the proxy settings to be configured on the client device. No proxy is used. No proxy server is explicitly mapped and the administrator must provide a proxy server address (IP address or DNS) and a proxy port. The proxy server is explicitly mapped and the administrator must provide a proxy server address (IP address or DNS) and a proxy port.
None SOCKS Secure (HTTPS)
167
Configuring Client-side Proxy Settings
An administrator can use the Client Side Proxy option in the Web Interface Management console to configure the client-side proxy settings for a Web Interface site.
168
Server Configuration
An administrator can configure XenApp Web and XenApp Services sites to communicate with one or more farms. An administrator can add and edit farm names, specify the order in which the farms are used for load balancing, and configure communication settings and ticketing settings. Enabling multiple farms through the Web Interface is particularly useful during migration to a new farm. The migrated delivery of multiple farms is seamless and transparent to users.
Configuring Multiple Server Farms
The Manage Server Farms screen identifies the farms that communicate with the site. When specifying a farm, the administrator can: Add a new farm entry Edit an existing farm entry After a farm has been specified, an administrator can configure the settings for each farm individually.
169
A Web Interface site acquires application data from all farms before displaying applications. Each farm is contacted in the order that it appears in the Farms field. As a result, a farm that is slow to respond impacts overall responsiveness when obtaining application sets because of the sequential nature of this process. The impact on the response time is compounded as more farms are specified.
Adding Farms
An administrator can use the Server Farms option in the Web Interface Management console to add farms that will provide published resources to the Web Interface site. If a secure connection (SSL Relay or HTTPS) is planned between the Web Interface and the servers in the farm, the server name must be specified as an FQDN and must match the name on the certificate exactly. The order in which the servers are specified is important for fault tolerance.
170
Configuring Load Balancing
An administrator can use the Server Farm option in the Web Interface Management console to specify multiple servers to be used to service XML requests for the farm. When multiple servers are specified for a farm and the Use the server list for load balancing option is enabled, the Web Interface site sends Citrix XML Service requests to the listed servers in a round-robin sequence. If a listed server cannot be contacted, it is removed from the list for one hour by default or for another period or interval as specified by the administrator. This load balancing feature has no impact on load balancing connections to the servers in the farm. All servers specified for a farm must be running the Citrix XML Service and use the same port for that service.
171
Enabling Fault Tolerance
An administrator can use the Server Farm option in the Web Interface Management console to enable fault tolerance among servers running the Citrix XML Service for each farm defined for the Web Interface site. If an error occurs while communicating with a XenApp server, the failed server is bypassed for a specified time, and communication continues with the remaining servers that are listed in the Servers (in failover order) field. By default, a failed server is bypassed for one hour; however, this value can be modified by an administrator. If a server running the Citrix XML Service fails, the Web Interface site will not attempt to communicate with the failed server until the time specified in the "Bypass any failed server for field" has elapsed. If all servers in the list fail to respond, the Web Interface site retries the servers every 10 seconds.
Specifying the XML Communication Port

The Web Interface communicates with the Citrix XML Service. The port number used by the Citrix XML Service is specified during the installation of XenApp. By default, that port number is TCP/IP port 80. If Citrix XML Service is configured to port share with IIS, then the
172
administrator must ensure that all servers in the farm have the Citrix XML Service configured to use the same port. An administrator can use the XML service port policy rule in the Group Policy Management Console or the CTXXMLSS command to change the port number for the Citrix XML Service on a server.
Protocol Transport Type

An administrator can use the Server Farm option in the Web Interface Management console to specify the protocol used to transport the Web Interface data between the web server and the XenApp servers. The following table lists the protocols available. Protocol HTTP Description This protocol sends data over a standard HTTP connection and should only be used when other provisions have been made for the security of the connection or for troubleshooting purposes. After troubleshooting is complete, another protocol should be selected to secure the data. This protocol sends data over a secure HTTP connection using SSL or TLS. The Citrix XML Service must be set to share its port with IIS, and IIS must be configured to support HTTPS. This protocol sends data over a secure connection that uses Citrix SSL Relay to perform host authentication and data encryption. SSL Relay can also secure Citrix XML traffic, which is especially important if the Web Interface is located in the DMZ.
HTTPS
SSL Relay
173
Ticket Expiration Settings
Ticketing provides enhanced authentication security for explicit logons by eliminating user credentials from the client files sent from the web server to the client devices. Each Web Interface ticket has a configurable expiration time which is set to 200 seconds by default. An administrator can use the Server Farms option in the Web Interface Management console to configure the ticket expiration settings for a farm.
174
Web Interface Site Removal
An administrator can use the Site Maintenance option in the Web Interface Management console to uninstall a Web Interface site when it is no longer needed. Uninstalling a site completely removes it from the system. Prior to uninstalling a Web Interface site, any custom files used for the site should be backed up if they will be used to create other Web Interface sites. It is also best practice to back up the CONFIG.XML and WEBINTERFACE.CONF files.
175
Troubleshooting Web Interface Issues

An administrator can use these solutions to address Web Interface issues. Issue The ActiveX control required by the Web Interface is not allowed to run with the current Internet Explorer settings. Resolution Add the Web Interface site to the Trusted Sites within Internet Explorer using the Default security settings for the zone.
Pass-through authentication fails after Use the CTX1222207 Knowledge Base article known good credentials are entered from a on the www.citrix.com web site to enable Windows XP Professional client device. NTLMv2 on the client device. Pass-through authentication or pass-through Use the CTX123836 Knowledge Base article on with smart card fails with the message "An the www.citrix.com web site to configure the authentication error has occurred." required server roles. Server-side ticketing fails in mixed farm environments with XenApp 4 or earlier. An error occurs while trying to access a published resource in the Web Interface. Upgrade to newer version of XenApp or downgrade the version of Web Interface. Use the CTX122613 Knowledge Base article on the www.citrix.com web site to change the address resolution type in the WEBINTERFACE.CONF file.
176
Review
1. Which authentication method is not recommended in secure environments? a. b. c. d. Smart card Anonymous Single sign-on Novell Directory Services
2. Which feature allows users to disconnect and reconnect to ICA sessions as they move between client devices? a. b. c. d. Workspace control Explicit authentication Pass-through authentication Pass-through with smart card authentication
3. Which two types of Web Interface sites can an administrator create? (Choose two.) a. b. c. d. XenApp Web XenApp Plug-in XenApp Services XenApp Advanced Configuration
4. Which three protocols can be used to transport Web Interface data between the web server and XenApp servers? (Choose three.) a. b. c. d. HTTP HTTPS IPX/SPX SSL Relay
5. Which statement is true when using network address translation in a Web Interface deployment? a. b. c. d. The alternate IP address of a XenApp server is included in the client files The alternate IP address of a Secure Gateway server is included in client files. The ALTADDR command is used to change the IP address of the Web Interface server. The internal IP address of a XenApp server is mapped to the external IP address of the Web Interface server.
6. The Client for Java should be used in which two situations? (Choose two.) a. A web browser does not exist on the client device. b. Permanent installation of plug-in software is desired.
177
c. Permanent installation of plug-in software is not permitted. d. A Java-compatible web browser exists on the client device. 7. When the Citrix online plug-in is used to access published applications, which statement is correct? a. b. c. d. A XenApp Web site is required. A XenApp Services site is required. Pass-through authentication cannot be used. A web browser is used to communicate with the Web Interface site.
178
Module 7
Delivering Applications and Content
180
Module 7: Delivering Applications and Content
Overview
Publishing resources gives administrators the ability to provide users with access to applications, content and desktops. XenApp offers three, complementary options for delivering applications. Server hosted applications Server hosted applications are centrally stored on the server and provide the lowest total cost of ownership, the highest level of security and access on any device even across low bandwidth connections. Local applications use application streaming to deliver the application into an isolated environment on the users client device to eliminate application conflicts and provide users with a seamless experience even when offline. Application streaming is covered in a separate module.
Local applications
VM hosted apps
VM hosted apps are delivered from a virtual desktop to provide reduced validation cycles and a faster time to market, even with problem applications.
Administrators manage how resources are delivered to users, the configuration of the applications and the user experience by managing and customizing settings. At the end of this module, you will be able to: Publish applications, content and server desktops for users. Identify the components of VM hosted apps. Identify advanced published resource settings. Organize published resources for users. Disable and hide published resources.
181
Publishing Resources
The administrator can publish resources in two phases using the Publish Application wizard. These two phases include: Basic In this phase, the administrator: Names the resource Identifies the type of resource to be published Specifies where the resource is located Identifies which servers in the farm will host the resource Identifies the users who will be allowed to access the resource (Optional) Specifies where to place the shortcut on the client device
When the Basic phase is completed, the administrator has the option to disable the resource temporarily, publish the resource immediately or proceed to the Advanced phase of the resource publishing process. Advanced In this phase, the administrator: Specifies whether published resources can be used with Citrix Access Gateway Associates file types with the published resource Specifies the application limits and CPU priority level for the published resource Specifies options that control audio, encryption and printer initialization on the client device Configures the appearance of the published resource The configuration of the properties in the Advanced phase of resource publishing is optional.
The properties available in the Basic and Advanced phases of the resource publishing process change depending on the type of resource being published.
182
The following table describes the resource types that can be published in XenApp. Resource Type Server Desktop Description Provides users access to a desktop of a XenApp server and the resources available on the server. Published desktops allow users unlimited access to the resources on a server which can result in configurations and settings being changed, causing server vulnerabilities. Administrators should mitigate this risk by setting strict policies through Active Directory. Application Provides users access to applications installed on the XenApp server, streamed to the XenApp server or streamed to client devices Hosted and streamed applications are both managed from the Delivery Services Console. VM hosted apps are hosted in a separate farm and therefore are managed in a separate console.
183
Resource Type Content
Description Provides users access to data files, such as documents, spreadsheets, media files and other data that users access by means of a published UNC path or URL. The following examples identify the content types that can be published: HTML web site For example: http://www.citrix.com File on a web server For example: https://www.citrix.com/edu/certification.doc Directory on an FTP server For example: ftp://ftp.citrix.com/edu/ File on an FTP server For example: ftp://ftp.citrix.com/edu/readme.txt Universal Naming Convention (UNC) file path For example: \\servername\sharename\filename UNC directory path For example: \\servername\sharename Users can open published content using either: An associated local application A published application installed on a XenApp server A published application streamed to a XenApp server or a client device
Resource Name and Location

During the publishing of a resource, the administrator must provide information in the following fields: Display name The display name specifies the name by which users identify the published resource. The display name and the icon are visible to users from within the Web Interface and the shortcuts provided by the Citrix online plug-in. Special characters cannot be included in the display name of an application.
184
Application description
The application description specifies additional information about the published resource such as the version number or service pack level. The command line identifies the location of the application on the server. If the application will be available from multiple servers in the farm, the application should be located in the same location on each server. The working directory identifies where working files created by the application are stored. The working directory is not used to store users' files created with the published application.
Command line
Working directory
Server Assignment
The administrator must also specify which servers in the farm will host the published application or server desktop. The administrator can select a single server, multiple servers or a worker group and add them to the Selected items list. If the application is published to multiple servers, XenApp can load balance the application requests across all assigned servers. If the application is published to only one server, all users who open the application will connect to that server.
Configured or Anonymous Accounts

The administrator must decide, based on the needs in the environment, which users will be allowed to access the published resource. Published resources can be made available to the following types of accounts: Configured account access This type of account requires that users authenticate with a user name and password before accessing published resources. When the user logs off, the user session ends but the user information is persistent. The desktop settings, security settings and other information from the session are retained in the user profile for use in future sessions. This type of account is created on the server during the installation of XenApp. Anonymous account access eliminates the need for users to authenticate before accessing published resources. Anonymous users are configured with guest permissions. When the anonymous user session
Anonymous user accounts
185
ends, no user information is retained. The server does not maintain any information that was configured for the session. When anonymous user access is enabled, administrators cannot provide access to configured users. Anonymous user accounts might be warranted when a resource can be used by anyone and tracking is not necessary. Anonymous user accounts should not be used in a highly secure environment.
Users and Groups

When specifying configured account access for a published resource, an administrator can type a list of names manually, by using the "Add List of Names" option, or by browsing the domains and local server for user accounts and groups to add to the published resource. By default, only groups are displayed for selection. To select individual users within the groups, the administrator can select "Show Users" in the Select Users or Groups screen. When assigning users and groups to applications, consider the following: If a user is added to an existing group, the user automatically receives access to each published resource that is configured for access by the existing group. Administrators can grant or revoke user or group access to any published resource at any time by configuring the properties of the published resource. If access is changed, existing connections to published resources are not impacted. Published resources should be assigned to groups rather than individual users in order to simplify ongoing administrative maintenance.
Resource Publishing Settings

The following table provides a list of settings an administrator can configure when publishing a resource. Setting Accessed from a server Description Provides users with access to an application installed on or streamed to a server
186
Setting Streamed if possible, otherwise access from server
Description Streams the application to the client device whenever possible When the application cannot be streamed to the client device, the application is accessed from the server.
Streamed-to-client Installed application Streamed-to-server Allow anonymous users Allow only configured users Disable application initially Configure advanced application settings now
Streams the application to the client device only Provides access to an application already installed on a server Streams an application to a server for access by the user Allows anonymous users to access the published resource Allows specific users and groups to access the published resource Disables the application so users cannot access it Configures advanced application settings before publishing the application
Practice: Publishing Resources

Identify which statements are true and which statements are false. Correct the false statements to make them true. 1. ___ The display name for the published resource is auto-generated. The display name is important because it is the name that the plug-in uses to identify the published resource. 2. ___ An administrator can stream an application to XenApp servers and to the desktops of client devices using the application streaming feature in XenApp. 3. ___ After the basic settings have been configured for a published resource, an administrator can publish the resource immediately without configuring the advanced settings. 4. ___ Installing an application on servers in a different directory on each server in the server farm will make accessing published applications easier for the users. 5. ___ The user profile information is persistent for configured user accounts.
187
VM Hosted Apps
VM hosted apps allows administrators to isolate applications and host them from virtual machines or physical computers, including blade servers, running a Windows desktop operating system. Users access these applications just as they would applications from XenApp servers. VM hosted apps allows administrators to host applications that otherwise must be installed locally or require extensive compatibility testing on XenApp servers. VM hosted apps uses Citrix XenDesktop technology to deliver applications hosted on desktops, but unlike XenDesktop, gives users no direct access to the desktops themselves. To use VM hosted apps, administrators create a VM hosted apps farm and populate it with desktop groups configured with applications they want to deliver. Then, users access those applications using the Web Interface. Although VM hosted apps cannot share a farm with XenApp servers, a VM hosted apps farm can share a Web Interface site with XenApp server farms. Applications from both types of farms appear the same to users.
188
Components of VM Hosted Apps
VM hosted apps require the following components: Desktop Delivery Controller The Desktop Delivery Controller authenticates users, manages the assembly of user virtual desktop environments and brokers connections between users and their virtual desktops. It controls the state of the desktops, starting and stopping them based on demand and administrative configuration. VM hosted apps includes two management consoles. The following management consoles are installed on the Desktop Delivery Controller: VM Hosted Apps Console Delivery Services Console
Management Consoles
189
Administrators use this console to create, update and manage desktop groups in VM hosted apps farms. This is a separate Delivery Services Console than the one used to manage the XenApp server farm.
Virtual Desktop Agent
This agent communicates with the Desktop Delivery Controller and the Citrix Receiver on the client device. The Virtual Desktop Agent must be installed on each virtual machine that will host an application.
190
Organizing Published Resources for Users

An administrator can organize the way published resources are presented to users by changing the default icon, organizing the resource into a folder and deciding where to place the resource shortcuts.
Application Set
An application set contains the permitted user resources that are published in the server farm. The process of publishing a resource automatically adds the resource to the application set for the server farm. The published resources within an application set are available to users through plug-ins. An administrator can organize the published resources in an application set by placing the published resources in folders during the resource publishing process or afterwards by editing the properties of the published resource.
Folders
By default, all resources are published to the root folder of the application set. An administrator can organize the published resources into folders. This can be useful in helping users quickly locate the applications they need. For example, Microsoft Word, Excel and PowerPoint are published in a server farm along with many other applications. An administrator can place the Microsoft applications into a folder called Microsoft Office to make it easier for users to locate their published resources.
Application Icon
An application icon identifies the published resource. An administrator can change the icon using the Change Icon button during the resource publishing process or afterwards by editing the properties of the published resource. An administrator may decide to change an icon to enhance a user's ability to visually differentiate between published resources. For example, published content typically uses the icon associated with the application that is used to open the content. If several published content resources use the same application, an administrator might decide to change the icons to make it easier for users to differentiate between the resources.
191
Shortcut Presentation Placement
Users can access published resources by authenticating through the online plug-in. Some plug-ins allow shortcuts to be placed on the client device so that users can easily access the published resources. The following table provides a list of settings an administrator can configure when organizing a published resource on the client device. Setting Change icon Client application folder Add to the clients Start menu* Place under Programs folder* Add shortcut to the clients desktop* *Unnecessary if using Dazzle Description Changes the icon of the published application Specifies the folder location of the application in the Citrix online plug-in and Web Interface Creates a shortcut to the application in the Start menu of the client device Creates a shortcut in the Programs folder of the Start menu on the client device Creates a shortcut to the application on the desktop of the client device
192
Advanced Published Resource Settings

During the Advanced phase of the resource publishing process, the administrator can: Configure properties that allow the published resource to be used with Citrix Access Gateway. Associate file types with the published resource. Specify the application limits and CPU priority level for the published resource. Specify options that control audio, encryption and printer initialization on the client device. Configure the appearance of the published resource. The configuration of the properties in the Advanced phase of resource publishing is optional. These settings can be configured during the publishing of a resource or by modifying the properties of an existing published resource.
Access Control
Administrators can configure the Access Control settings to further specify which sessions are allowed to connect to published resources through the Citrix Access Gateway. Citrix Access Gateway provides users with controlled access to enterprise resources. Citrix Access Gateway allows the administrator to control who can access resources, such as web sites, file shares, email resources and published resources, and which actions they can perform with these resources. The following table identifies and describes the settings an administrator can configure using Access Control. Setting Any connection Description Allows all connections made through the Access Gateway
Any connection that meets any of the Allows only connections that meet one or more of the following filters selected Access Gateway filters Allow all other connections Allows all connections other than those made through Access Gateway
193
Content Redirection
Content redirection allows an administrator to specify whether users can access published content, applications, browsers and media players from applications that are running locally on the client device or published on a server. The two types of content redirection are: Client-to-server content redirection Server-to-client content redirection Occurs when a user accesses local files using a published application Occurs when a user accesses a URL link in a published application using an application installed on the client device
File Type Association

When a user authenticates to the farm using the Citrix online plug-in, the file type associations in the published applications of the application set are copied to the registry of the client device. This allows the user to open files with extensions that are associated with a published application. When the user logs off the Citrix online plug-in, the file type associations in the registry of the client device for hosted published applications are no longer valid because the applications are no longer available. However, the file type associations in the registry for the streamed applications that are configured for offline use are still valid. When the user logs on again to the Citrix online plug-in, the file type associations in the registry are updated for all hosted and streamed published applications. An administrator can select a subset of the file extensions available for a published application to enable client-to-server redirection for only certain file types.
Content Redirection and Published Content

Content redirection can be used with published content. When content is published, it can be opened using: A published application, if a published application is configured with a file type association for the content type and the user is configured to access the published application
194
A local application, if no published application is configured with a file type association for the content type or the user is not configured to access the published application Content redirection with published content generates an ICA session and consumes server resources.
Client-to-Server Content Redirection
The client-to-server content redirection feature allows users of the online plug-in to use a published application to access files residing on the local client device. If a user double-clicks a file with an extension associated with a published application, the online plug-in starts the published application and opens the selected file in the published application. This functionality is enabled by configuring file type associations.
195
By default, when a published application is configured with file type associations, all users of the online plug-in who are configured to access the published application can use it for content redirection. Content redirection can be implemented for a limited portion of users who access the published application in two ways. The administrator can: Publish two instances of the same application and enable separate file type associations for each instance. Publish a single instance of the application and specify file type associations. Deploy the online plug-in to the users who require the content redirection feature.
Client-to-Server Content Redirection Example The diagram in this section illustrates the client-to-server content redirection process when file type associations are configured for a published resource. A user double-clicks an email attachment with a .DOC file extension in an email program that is running locally on the client device. The file opens in Microsoft Word that is published on a XenApp server and is associated with the .DOC file type.
Configuring Client-to-Server Content Redirection

Administrators should perform the following tasks for a XenApp Services site to configure content redirection from client to server. 1. Enable content redirection on the Web Interface site by clicking Server Farms > Advanced > Enable content redirection. 2. Associate file types with the application by clicking Application properties > Content redirection > Show all available file types for this application and then selecting all desired file type extensions. Client drive mapping must be enabled so that the local content can be accessed by the application on the server. If drive mapping is not enabled, the published application opens and displays an error because the application is unable to access the local content that initially triggered the application to start.
196
Server-to-Client Content Redirection
Server-to-client content redirection allows embedded URLs in published applications to be resolved using an application installed on the client device. When a user clicks a URL in an application running in a XenApp session, the URL is redirected to the client device to be displayed by a local application. After the embedded URL is opened in the browser on the client device, all links in the browser open on the local client device. There is no way to link back to the XenApp session from the local client browser even though that XenApp session remains open and available for continued use. Server-to-client content redirection can be configured through policies. By enabling server-to-client content redirection, an administrator can prevent applications that are published on the XenApp servers from processing requests that require access to web browsers or media
197
players. When server-to-client content redirection is enabled, the following URL types are opened locally by the plug-ins: HTTP(S) RTSP (Real Player and QuickTime) RTSPU (Real Player and QuickTime) PNM (Legacy Real Player) MMS (Microsoft Media Server) If server-to-client content redirection is not enabled, Internet Explorer opens in a XenApp session on the server, if available, instead of on the client device. Server-to-client content redirection cannot be disabled by users. Server-to-Client Content Redirection Example The diagram in this section illustrates how server-to-client content redirection works when a user clicks a URL link in a message from inside a published email application. The URL is opened by Internet Explorer on the local client device.
Configuring Server-to-Client Content Redirection
198
Administrators should perform the following tasks to configure content redirection from server to client. 1. Create or edit a policy within User Configuration > Citrix Policies of the Group Policy Management Console or the Delivery Services Console. 2. Enable ICA> File Redirection > Host to client redirection. This setting is disabled by default, which results in content being opened on the server. 3. Apply the policy. 4. Publish the content file in the Delivery Services Console.
Practice: Content Redirection

Match each scenario in the following table with the content redirection method that should be implemented. Each method is used once. Server-to-client content redirection Client-to-server content redirection Published content with client-to-server content redirection Content Redirection Method Scenario Once a month, a published version of a listing of employee events is made available to all employees. Because employees have a range of client devices, HR wants employees to view the document using a published application. Alisha wants to access a published version of a web-based accounting tool using a web browser installed locally on her client device.
The Operations team wants to view its weekly log reports (.XLS files) using a published version of Excel.
199
Implementing Resource Limits and Client Options

By default, users can run an unlimited number of instances of published applications and server desktops. Restricting the number of instances is useful for enforcing licensing requirements for a particular published application. Connection controls in XenApp allow an administrator to restrict the number of instances of a published application or server desktop: That are allowed to run at one time That specific users are allowed to run at one time
Application Importance
An administrator can improve the performance of a published resource by assigning it with additional CPU cycles. By default, all published applications and server desktops are set to use an importance level of Normal. If an administrator sets a published resource to use an importance level of: High More CPU cycles are allotted to the resource and the performance of the published resource improves, but fewer CPU cycles are available for other published resources and server processes Fewer CPU cycles are allotted to the resource, and the performance of the published resource degrades, but more CPU cycles are available for other published resources and server processes
Low
If Preferential Load Balancing is configured, the application importance level together with the session policy importance level determine the resource allotment of the session. The higher the resource allotment of the session, the higher the percentage of CPU cycles allotted to the session. Connection Controls Example CompanyA has several applications installed in its environment; one application is resource-intensive. The farm is sized and configured to allow all required groups to connect to at least one instance of the resource-intensive application with satisfactory application performance. The administrator of this farm faces a challenge: users who have several client devices are opening several copies of the resource-intensive application concurrently. Although the servers are sized to support the load of the application and expected users, many users complain that application performance is extremely slow, not only for the resource-intensive application but for all applications in the farm.
200
Based on this information, the administrator configures the connection controls for the farm to allow only one instance of the application for each user. As a result, users can no longer open several instances of the resource-intensive application, farm-wide resource consumption returns to expected levels and performance improves.
Resource Limits and Client Options

The following table describes the resource limits and client options that can be configured for a published resource during the Advanced phase of the Publish Application wizard or by modifying the application properties of an existing published resource. Option Limit instances allowed to run in server farm Description Specifies the maximum number of instances of the resource that can run concurrently in the server farm
Allow only one instance of Prevents users from opening or connecting to more than one application for each user instance of the resource Application importance Changes the number of CPU cycles allotted to the published resource The application importance is configured by selecting a priority level in the Application importance drop-down list. Enable legacy audio Allows audio support for applications to which HDX MediaStream Multimedia Acceleration does not apply If the "Minimum requirement" option is enabled in the Client audio settings, the client system must have a sound card installed or the published application will fail to launch on the client device. Enable SSL and TLS protocols Encryption Requests the use of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols for plug-ins connecting to the published resource Controls which plug-ins are allowed to connect based on their encryption level: basic (with a non-RC5 algorithm); RC5 128-bit logon only; RC5 40-bit; RC5 56-bit or RC5 128-bit encryption The basic encryption level should not be used in a secure environment.
201
Option
Description
Start this application Controls whether published resources wait for client printers without waiting for printers to create before opening or open immediately to be created
Configuring Resource Appearance

Administrators can configure the appearance of a published application or server desktop by configuring the window size, color depth and startup settings during the Advanced phase of the Publish Application wizard or by modifying the application properties.
Resource Appearance Considerations

An administrator can configure the following settings for published applications and server desktops: Session window size Specifies the size of the window in which the published resource will be displayed in the XenApp session An administrator can choose from preset window sizes, a percent of the client desktop, full screen or specify a custom height and width for the window. Maximum color quality Identifies the resolution that will be used by the published resource in the XenApp session If the resolution specified for a published resource exceeds the capabilities of the client device, the highest resolution supported on the client device is used. Application startup settings Specifies whether or not the title bar for the published resource is displayed and the resource is maximized to encompass the entire screen at startup If an administrator hides the title bar and maximizes the published resource on startup, users are prevented from minimizing or closing the application or server desktop because there is no title bar available for them to access the window controls.
202
Session Sharing
Session sharing is a mode in which more than one hosted application runs on a single connection. Session sharing occurs when a user has an open session and launches another application that is published on the same server; the result is that the two applications run in the same session. For session sharing to occur, both applications must be hosted on the same server with the same published application settings. Session sharing is configured by default. If a user runs several applications with session sharing, the session counts as one connection. All applications in a shared session must be published with the same settings. Inconsistent results may occur when applications are configured for different requirements, such as encryption or screen resolution. Session sharing always takes precedence over load balancing. That is, if users launch an application that is published on the same server as an application they are already using but the server is at capacity, XenApp still opens the second application on the server. Load management does not transfer the user's request to another server where the second application is published.
203
Published Resource Configuration

After a resource is published and made available to users, an administrator can use the Delivery Services Console to view the following information: Information Alerts Servers Configured users Contains general information about the published resource Contains all alerts related to the published resource Contains a list of the servers on which the resource is published Contains a list of users who were granted access to the published resource Contains a list of the configured properties related to the published resource
Current settings
An administrator can view only information, alerts, configured users and current settings for published content. Connected user information is not available.
Managing Connections to Resources

When an administrator selects a session, different options become available in the Delivery Services Console. From the Connected Users screen, an administrator can manage each connection to the published resource and perform the following tasks: Reset the session Log off the session Disconnect the session Send a message to the user Shadow the session, if shadowing is enabled through a policy Administrators can choose to reset a user's session to terminate all running processes in the case of a session error.
204
Disabling or Hiding a Published Resource
It may be necessary to temporarily disable a published resource in order to apply updates or address an issue with the resource. In cases in which the resource must be made unavailable (for reconfiguration or troubleshooting), an administrator can use the application properties in the Delivery Services Console to disable or hide the application from users. An administrator can configure the following options for each published resource by clicking Application properties > Name. Disable application Prevents users from opening the published resource even though the published resource continues to appear in the users' application sets When users attempt to access the disabled application, they receive the following message: ERROR: The application you have requested is not enabled. For more information, contact your Citrix administrator. Hide disabled application Prevents the published resource from appearing in the users' application sets while the application is disabled The administrator can notify current published resource users prior to disabling it. Any users connected to the resource before it is disabled can
205
continue to use the resource. If the users log off while the resource is disabled, they will no longer be able to access the resource until it is reenabled. If the users disconnect from the resource while it is disabled, they can still access the resource by reconnecting to the disconnected sessions.
206
Troubleshooting Application Delivery Issues

An administrator can use the solutions provided in the following table to address application delivery issues. Issue Resolution
Client-to-server content redirection opens Verify that client drive mapping is enabled. the published application but does not open the local content. File types for a published application do not Update the file type associations for the farm by appear in the Delivery Services Console. clicking Action > Other Tasks > Update file types. Users cannot find their application after it Select Maximize application at startup in the launches. Advanced application properties. The Delivery Services Console fails to Replace the special apostrophe (and any other enumerate users or sessions when specific special characters) in the computer name. The Mac clients connect to XenApp servers. computer name is found in System Preferences > Internet and Wireless > Sharing > Computer Name.
207
Review
1. An administrator can manage published content using which node in the Delivery Services Console? a. b. c. d. Content Applications Published Resources Installation Manager
2. When an application set contains a large number of published applications, server desktops and content, how can an administrator effectively organize the resources for users? a. b. c. d. Use load-managed groups. Use the Resource Manager. Create client application folders. Create application folders in the console.
3. What are two types of content redirection? (Choose two.) a. b. c. d. e. Client-to-server Server-to-client Client-to-content Application-to-server Content-to-application
4. An administrator can configure the importance level of a published application using which option in the properties of the application? a. b. c. d. Type Limits Client options Access control
5. Which statement is true about published resource properties? a. b. c. d. Published resource properties cannot be modified. Published resource properties can be modified at any time. Published resource properties can be modified only when the resource is disabled. Published resource properties cannot be modified when users are using the resource.
6. Which two statements about session sharing are true? (Choose two.) a. Session sharing does not take precedence over load balancing settings. b. All applications in a shared session must be published with the same settings.
208
c. Session sharing is a mode in which more than one hosted application runs on a single connection. d. Session sharing is a mode in which more than one user can access the same hosted application in a single session.
209
210
Module 8
Streaming Applications
212
Overview
Application streaming simplifies how administrators deliver, administer and upgrade applications to users. With application streaming, an administrator can package and configure an application, place it on a file or web server and deliver it to servers or client devices. Upgrading or patching an application is centralized, allowing one update to be delivered to many XenApp servers and client devices. Application streaming offers the following benefits to enterprises: Cost-effective, scalable application delivery to client devices and servers Lowered installation and maintenance costs of applications on servers and client devices in large server farms Centralized maintenance allowing users to continue using applications during an update Anywhere, anytime (including offline) access to any application Isolated environments that eliminate application conflicts There are additional benefits when applications are streamed to the desktops of client devices: Optimal utilization of computing resources Reduction of application compatibility issues At the end of this module, given an environment containing XenApp, you will be able to: Identify the components required for application streaming. Describe the communications that take place during application streaming. Install the offline plug-in on a client device. Configure applications for streaming to servers and the desktops of Windows client devices. Configure linked profiles for inter-isolation communication. Publish a streaming profile. Configure XenApp Web and XenApp Services sites to stream applications. Configure offline access settings.
213
Application Streaming
Application streaming includes the following capabilities: Local system resource usage Central application updates Runs streamed applications on the client device, consuming local system resources instead of those on the XenApp server Allows administrators to deliver upgrades or patches efficiently and seamlessly to user devices the next time they access the application Runs applications within protected isolation environments on user devices, which reduces conflicts with other applications installed locally Allows the streaming of applications that require Windows Services Allows administrators to link profiles for applications that need to interact with each other When streamed, these applications communicate yet run within an isolation environment. Application caching Allows administrators to cache files on the user device to allow faster access the next time the application is opened Allows administrators to configure a backup method for application delivery in case user devices do not support streaming Allows users to continue running streamed applications after disconnecting from the network Allows administrators to deploy and update the offline plug-in using Citrix Receiver
Isolation environments
Windows Services isolation Inter-Isolation communication
Dual-mode streaming
Offline access
Support for Citrix Receiver
214
Extended App-V integration
Allows administrators to publish and manage Microsoft App-V packages through the Delivery Services Console and allows users to access Citrix and Microsoft streamed applications through the online plug-in and Dazzle Allows profiled applications to be updated with only the modified files and changed content, thus reducing the time and bandwidth needed to complete the update Allows profiles residing on a file share to be delivered using a secure web protocol Provides limited backward compatibility for Streaming Client 1.1 The newer offline plug-in supports all profiles created by all versions of the Citrix Streaming Profiler. However, previous versions of the plug-in may not support new functionalities released in XenApp 6.
Differential synchronization of updated profiles HTTP and HTTPS protocol support Backward compatibility
215
Application Streaming Components
In addition to the standard components of a XenApp 6 farm, application streaming needs the following components: Citrix Streaming Profiler (Profiler) Citrix Offline Plug-in Used by administrators to package an application and configure its profile for streaming Installed on a client device to allow the necessary application files to be streamed to that device for execution This plug-in is installed on the XenApp server by default, which allows streamed-to-server functionality.
216
Citrix Online Plug-in
Installed on a client device to allow users to access published hosted and streamed applications The Citrix online plug-in is required for offline access of streamed applications.
File or Web Server
Used to host the application profiles created by the Profiler Published applications can be streamed using UNC-based communication from a file server or using the HTTP or HTTPS protocol from a web server. The application profiles must be included in a file share that resides in the environment. Users must have read access to the file or web server hosting the application profiles.
217
Application Streaming Communication Process
The following process describes the communication that occurs when a user requests a streamed application from XenApp. 1. A user clicks a published application icon for an application configured for streaming. The application launch request is relayed to the Web Interface. 2. The Web Interface contacts the XenApp server to obtain the information required to run the application. 3. The Web Interface creates a .RAD file based on the information obtained from the XenApp server and provides it to the RadeRun utility (RADERUN.EXE), which is: Located on the client device, if the published application is being streamed to the desktop of the client device Located on the XenApp server, if the published application is being streamed to a server
218
4. The RADERUN utility passes the .RAD file to the Citrix Streaming Service (RADESVC), which creates an isolation environment and downloads the application profile from the server. 5. The Citrix Streaming Service opens the application executable according to the instructions included in the application profile and runs the executable inside the isolation space. 6. Additional application files are downloaded from the server as needed during normal application usage.
Streaming App-V Packages

App-V is an application virtualization and application streaming solution from Microsoft. It is available as part of Microsoft Desktop Optimization Pack (MDOP), Microsoft Application Virtualization for Remote Desktop Services and Microsoft Development Network (MSDN). Administrators can manage and publish App-V applications using the Delivery Services Console, allowing them to support existing infrastructures based on App V. Therefore, applications already sequenced with App V do not need to be converted to or profiled as Citrix streaming profile packages. For more information on: App-V, see the http://www.microsoft.com web site Publishing App-V applications and distributing the App-V client, see the XenApp 6 Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site
219

The Citrix offline plug-in is a component of application streaming that allows applications to be streamed to servers and the desktops of client devices. The offline plug-in is installed on every XenApp server, enabling applications to be streamed to these servers. Users must have the offline plug-in installed on their Windows devices to stream applications on their devices. To access a streamed application, one of the following combinations must be available: Citrix offline plug-in and Citrix online plug-in When the offline plug-in and online plug-in are installed on a client device, applications can be streamed or cached to the client device. Streamed applications are available from the Start menu, desktop shortcuts and the Windows notification area. When only the offline plug-in is installed on the client device, published applications can be accessed by the user through a Web Interface site. In this configuration, applications are not available for offline use.
Citrix offline plug-in with a web browser
The Citrix offline plug-in provides streamed applications from a profile target on a file server or web server to XenApp servers and the desktops of client devices. The offline plug-in: Is invisible to users except for the posting of error and status messages Runs as a service on the client device to invoke applications the user selects using the Citrix online plug-in or the Web Interface site Finds the correct profile target for the client device, creates an isolation environment on the client device and streams the files necessary for the application to run Manages the cache size of the client device User accounts must be specified in either the Group Policy Management Console or the Delivery Services Console within the Computer > Offline app users policy to allow access to offline published applications.
220
Citrix Offline Plug-in Cache

When a user launches a streamed application, the offline plug-in caches application files on the local drive of the client device in the following folder:
%PROGRAMFILES%\CITRIX\RADECACHE\
Before caching files, the plug-in checks the size of this cache. If the cache size reaches the maximum limit, the offline plug-in removes streamed application files from the cache, starting with the least-recently accessed, until the cache size is smaller than the limit. The default cache size limit is 1000MB (1GB) or 5% of the installation disk volume, whichever is larger. An administrator can change the default cache location and the default maximum cache size stored in the registry using the CLIENTCACHE.EXE tool located in the following folder on a client device with the offline plug-in installed:
%PROGRAMFILES%\CITRIX\STREAMING CLIENT\
For more information about using the CLIENTCACHE.EXE tool, see the XenApp Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Citrix Offline Plug-in Installation

An administrator can deploy the Citrix offline plug-in to client devices using Citrix Receiver and Merchandising Server, Web Interface, or third-party utilities such as Microsoft System Center Configuration Manager 2007 or Microsoft Active Directory Services. For more information about using these products to deploy an application, see the documentation for the product. The Citrix offline plug-in can be installed manually on a client device by any user who has local administrator privileges on the client device using the CITRIXOFFLINEPLUGIN.EXE file in the CITRIX RECEIVER AND PLUG-INS\WINDOWS\OFFLINE PLUG-IN folder or the XenApp Installation wizard on the Citrix XenApp 6 DVD.
221
Citrix Streaming Profiler

The Profiler is an independent application that allows an administrator to prepare commercial and custom Windows applications, web applications, browser plug-ins, files, folders and registry settings for streaming. The only software applications other than the Citrix Streaming Profiler that should be installed on the Profiler system are the operating system software and utilities. A profile consists of executable content packaged for streaming using the Citrix Streaming Profiler. A profile is created by recording the installation of applications on an independent system using the Profiler application. Prerequisites, such as Java Run-time Environment, can also be profiled with the application. It is recommended to create a single 32-bit profile for all 32-bit operating systems and test for required functionality. It is possible that a profile created on one operating system will not function properly or will not provide a complete feature set on another operating system. For example, certain application functionality that was programmed for Windows 7 may not be available if an application is profiled on Windows XP. The same principles apply to 64-bit profiles. In some cases, an administrator might find it necessary to profile certain applications together to ensure functionality among the applications or to apply a range of compatibility settings to ensure profiled applications launch and run successfully.
Profiling Process
The following process describes the communications that occur when an administrator creates an application profile. 1. An administrator starts the Profiler and elects to create a new profile. 2. The administrator identifies the installation program for an application and starts the installation of that application from within the Profiler. 3. The Profiler creates an isolation environment and runs the installation program for the application in the isolation environment. 4. The Profiler records the system changes caused by the installation program. 5. The Profiler stores the application information and the details specified by the administrator during the creation of the profile. 6. The administrator saves the profile to a file or web server so that it can be published and made available for streaming to servers and the desktops of client devices.
222
Installing the Citrix Streaming Profiler

The Citrix Streaming Profiler is installed on a profiling system. An administrator should configure the profiling system run-time environment to be as close to the environment of the client device as possible. For example: If applications are streamed to a XenApp server, the profiler system should also be a XenApp server. If applications are streamed to both 32- and 64-bit operating system client devices, there should be two separate profiling systems. If standard programs, such as antivirus software, are part of the company image, they should be installed on the profiling system. To launch the installation wizard to install the Profiler, click Manually Install Components > Common Components > Plug-ins, Streaming Profiler, and Documentation > Streaming Profiler in the Citrix XenApp 6 media.
Creating a Profile
Using the Profiler, an administrator can configure applications to run in one or more target environments. Individual targets in a profile represent one or more user environments. The range of target environments in which an application can be configured to run depends on three factors: The type of application being profiled The operating system on the profiling system The organizational needs For example, some commercial applications are capable of running on multiple operating systems and languages, while others, such as custom applications, might be capable of running only on a particular operating system and language. Applications that require packaging for a variety of environments can be contained in a single profile. To open the New Profile Wizard, click Start > All Programs > Citrix > Streaming Profiler > Streaming Profiler and then click New Profile.
Profile Security Setting

When creating a profile, an administrator can configure how restrictive the client isolation environment should be. By default, profiles prevent the running of executable content that users download into the isolation spaces; only files that are streamed from the server can be executed. This setting protects against users running malicious code or spyware.
223
The profiling wizard allows for a more relaxed security configuration. The Enable User Updates option permits the running of executable content that the user downloads into the isolation space. If this option is selected, the profile allows application files, such as .DLL application plug-ins, to be downloaded to the client device from the Internet. Any updates are stored as part of the user root and are unique to that user. It is a best practice to keep the default, more restrictive, security setting so that updates can be evaluated by an administrator prior to being downloaded to client devices. This best practice applies to automatic updates as well.
Targets
A target is a collection of files, registry data and other information used to represent an application isolation environment. A target can contain many executables including the applications that normally receive an entry on the Start menu.
224
An administrator can run the Profiler several times and from different environments to achieve a complete set of targets. By default, a target matches the operating system and configuration of the profiling system.
Target Criteria
The offline plug-in selects a target from the profile based on the following criteria: Operating system version installed on the client device Service pack level of the operating system installed on the client device System drive letter on the client device Operating system language on the client device
The criteria associated with each target is stored in a profile manifest file (.PROFILE) that is stored with the other files that make up the profile. Overlapping definitions of targets are not permitted by the Profiler. That is, only one target in a profile can be a correct match for any client device at application launch. An administrator can update a profile and target at any time without affecting already active executions on client devices. When a target is updated, another version of the target is saved to the profile. The drawback of maintaining old versions of a target is the wasted disk space on the file or web server. The Profiler cannot be used to delete old versions of targets. However, an administrator can manually delete the older versions of a target to reclaim disk space. It is the administrator's responsibility to ensure that old versions of a target are not in use prior to deleting them from the file or web server. Target Options When a user requests access to a streamed application, the Citrix offline plug-in determines which target from the application profile is appropriate for the client device. The target is selected from the profile based on a variety of criteria, including the operating system, service pack level, driver letter and operating system language.
Operating System
An administrator can configure a target for the following client operating systems: Windows XP (Home and Professional editions), 32-bit edition with Service Pack 3 Windows XP (Home and Professional editions), 64-bit edition with Service Pack 2 Windows 2003, 32- and 64-bit editions Windows Vista (Home, Business, Enterprise, and Ultimate editions), 32- and 64-bit editions with Service Pack 1
225
Windows 7 (Enterprise, Professional, Ultimate editions), 32- and 64-bit editions Windows Server 2008, 32- and 64-bit editions Windows Server 2008 R2 If the operating system on the client device is not supported, the streamed application will not run on the client device. 64-bit applications are not supported for streaming; however, 32-bit applications can be profiled on 64-bit systems and configured to be streamed to 64-bit systems.
Service Pack Level

The service pack level is an optional setting that augments the operating system version. The Profiler stores the service pack level criteria for each operating system. An administrator can set the following rules for service pack level selections for each operating system: Not required The target runs on a client device regardless of the service pack level installed, even when no service pack is installed. The target only runs on a client device that has, at a minimum, the service pack specified. The target only runs on a client device that has a service pack equal to or older than the specified service pack level. The target only runs on a client device that matches one of the service pack levels specified. The target only runs on a client device that matches the service pack level specified. The target only runs on a client device that does not have a service pack installed.
Minimum Service Pack Level
Maximum Service Pack Level
Range of Service Pack Levels
One service pack level
No service packs should be installed
By design, future service packs are not supported. An administrator should take care to specify only the service packs identified as supported or to specify that a service pack is not required.
226
System Drive Letter

The system drive letter of the profiling system must match the system drive letter of the client device in order for the target to run on the client device. No provision exists for specifying a variable for the system drive letter. To facilitate target matching, an administrator should configure the target to use the primary system drive letter. If recipient devices have different system drive letters, create a target for each drive letter.
Operating System Language

An administrator can create targets for all languages, including those languages not listed below; however, creating a target in a language that is not listed below is not fully supported. When creating a target for a language that is not listed, an administrator should select English as the operating system language to ensure that target matches occur. The Profiler supports the following languages: English French German Japanese Spanish
An administrator should use the English version of the Profiler to create targets for the following operating system languages: Korean Simplified Chinese Traditional Chinese By default, the operating system and language of the profiler system is included in the profile. If necessary, the operating system and language can be deleted in the target. For additional requirements, including those required when streaming Microsoft Office applications, see the XenApp Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site.
227
Adding a Target to a Profile

An administrator can add a target to a profile to make applications available to client devices that match additional and unique combinations of target criteria. For example, a profile contains targets for English, French and German language operating systems. A new branch located in Japan has been added to the company. The administrator creates a new target for the Japanese language operating system so the users in the Japan office can also use the streaming applications in the profile. When an administrator adds a target to a profile, the Profiler ensures that the target is unique from the other targets in the profile and does not permit a target to be saved if conflicts exist. To add a target to a profile, click Edit > Add New Target. During the creation of the target, at least one operating system and one language must be selected. Several languages can be included in a single target, but the administrator should not include languages that will be added to a separate target.
Creating a Specific Target for a Different Operating System

An administrator should complete the following tasks when creating a specific target for a different operating system: 1. Configure a target with one specified operating system and save the profile to a file share. 2. Go to a different profiling system whose operating system matches the additional operating system that should be added to the profile. 3. Launch the Profiler and open the target that was saved to the file share. 4. Add a new target to that profile. 5. Repeat Steps 2 through 4 as necessary.
Deleting a Target from a Profile

An administrator may find it necessary to delete targets that are no longer needed. For example, targets for operating systems that are no longer used in the environment can be deleted. When a target is deleted, the corresponding profile folder is deleted from the file share, and the entries associated with the target are removed from the manifest file (.PROFILE).
228
To delete a target from a profile, right-click the target in the console tree and click Delete.
Inter-Isolation Communication
Inter-isolation communication allows the individual profiles in a linked profile to communicate. This feature is useful if a streamed application needs to interact with another streamed application but cannot detect it because both applications are running in isolation environments. For example, when inter-isolation communication is not configured, an administrator profiles Microsoft Outlook and Adobe Reader in two separate profiles; the applications operate independently, and users will not be able to launch a .PDF attachment in Outlook because Outlook cannot detect Adobe Reader. When an administrator configures a linked profile, the included applications launch on the client device and can interact with each other while remaining isolated from both the system and other streamed applications. By linking the Outlook and Reader profiles for inter-isolation communication, Outlook and Reader can interact as users expect, even though the individual applications were profiled separately. The advantage of inter-isolation communication is that applications can be maintained separately, and updates are automatically included in all the linked profiles in which the profile is included. This feature saves time for the administration of the profile set.
Inter-Isolation Communication Configuration

Inter-isolation communication can be configured during the profiling process. There are two types of inter-isolation communication configurations: Associated Links existing profiles only Profiled applications are allowed to communicate but their installation is independent of one another. Associated profiles contain only links to profiles and do not contain executable content.
229
Dependent
Links existing profiles and installs additional executable content. In this profile, the installation of one application requires the presence of another application. Dependent, linked profiles contain application package files, isolation rules, linked profiles and hierarchy.
When a dependent profile is used, the entire target of each linked profile is downloaded to the profiling system to facilitate the installation step of the dependent profile.
Considerations for Inter-Isolation Communication

Additional considerations for configuring inter-isolation communication are as follows: The order in which profiles are listed in the Set up Inter-Isolation Communication screen determine the precedence of isolation rules and operations for the applications in the linked profile. An administrator can move the profiles up or down to affect their order. The rules for each profile are merged into a single list of rules, with the rules of highest priority taking precedence. These properties include custom rules, pre-launch or post-exit scripts and pre-launch analysis. If an administrator chooses to associate existing profiles only, without installing a new application, then no additional properties can be configured for the linked profiles. If an administrator installs an application or content while enabling inter-isolation communication, then additional properties can be configured and the properties added for the application or content are enabled for all the linked profiles. It is useful to install an application while enabling inter-isolation communication when that application is dependent on the other profiles to run. All profile directories must be located in a single directory to link profiles together. Linked profiles are stored within the .PROFILE file by name rather than by the path. At application launch, the Profiler service searches the INSTALLROOT locations of the linked profiles. Each profile must contain the same targets, including a target that matches the profiling system in the linked profile. Client devices must have a target in each of the linked profiles or they cannot launch any applications in any of the linked profiles. An administrator should be aware of the superset of operating systems, service packs and languages contained in the linked profile and then verify that each profile contains a target for all the operating systems, service packs and languages in the superset.
230
Windows Services Isolation

Windows Services are applications that typically operate in the background on a system and operate at a higher privilege level than normal user processes. The higher permissions allow services to make requests, such as the initial application start-up requests or requests for additional system resources, on behalf of applications. Programmers often create services as a means to control permitted use of application software. When a user opens the application, the application contacts the service for permission to execute. A common restriction is licensing; if a license is not available, or has already been checked out by the user or device, then the service will deny application execution. Isolating the services creates a new environment for each instance of the application launch, allowing the application to be opened by several users from the same server while complying with licensing requirements for each device. However, if the application requires unique device MAC addresses, as opposed to Windows Services, the application will not open in a multi-user environment. To stream services on devices, an administrator must specify the XenApp servers and the specific services within a list on the client device registries called the white list. For more information about creating the white list, see the XenApp Application Streaming documentation of the http://support.citrix.com/proddocs/index.jsp web site. Viewing Isolated Services Isolated services can be identified from the: Profiler The Services tab in the profiler menu provides a list of isolated services associated with the profile. The Service Control Manager isolates specified streamed services and displays them with unique alpha-numeric prefixes. Users have the ability to stop and restart isolated services from within the Service Control Manager.
Client Device
231
Profile Preference Settings

An administrator can save time by setting default preferences for use in future profiles. The preference settings for the Profiler are as follows: User Profile Security These settings determine whether or not executable files outside of the target can run on the client device. An administrator can choose whether or not to hide the User Profile Security Settings screen in the New Profile and Target wizards. This setting hides the Sign Profile step in the New Profile and Target wizards. If the majority of future profiles will not contain a digital signature, then an administrator can choose to hide this setting in the profiling wizards.
Digital Signatures
An administrator can customize security and signing settings for an individual profile after it is created. During profile creation, an administrator can configure profile signing using one of the following certificates: A certificate residing on a drive The code-signing certificate on the profiling system
Profile System Requirements

The profiling systems that create the targets in the profiles: Must match the primary drive letter of the client devices in use in the environment. For example, if the users have client devices with a main drive letter of E, the administrator must create targets on a profiling system that also has a main drive letter of E. Should match the operating system language of the client devices in use in the environment. For example, if the client devices in the environment have a German language operating system, the profiling system should have a German language operating system.
232
Profile Installation Types

During the creation of a profile, the administrator must select the type of installation to perform. The administrator can select one of the following installation types: Quick install Adds a single application or command line script to a profile A single application is defined as one that does not require the administrator to add files, folders or registry settings outside the application installation program. Advanced install Adds multiple applications or resources, such as Internet Explorer plug-ins, command line scripts, files, folders and registry settings, outside the application installation program Additional applications and command line parameters can be added to the profile after the initial application has been added. Command line parameters apply during application launch and can be used to fine tune the application. In addition, placeholders can be specified in the profile and replaced by command line arguments that are specified in the published application.
Profile Properties
An administrator can view and change the properties of a profile by clicking Edit > Profile Properties in the Profiler. The following options are available:
Information
The General section of the Profile properties displays the following information about a profile: Profile name Description Location Size The name of the manifest and the location of the profile The description provided for the profile The location of the profile The size of the profile
233
Created Last updated
The creation date of the profile The date of the last update to the profile
Applications
The Applications section in the Profile properties lists all the applications installed in the targets of a profile and indicates whether or not each application is available in all targets. When an application is available, an administrator can use the Delivery Services Console to publish it on XenApp servers. Application details are available by right-clicking an application and clicking Application Details. The following information about the selected application is available: Targets The name of the targets, service pack information, the language and the system drive letter Whether or not the application is available in this target or the other targets in the profile
Availability
234
Version
The version number of the application The version number displayed in this screen is set by the application installation program and is not the same as the target version number.
Path
The simulated path in the isolation environment to the application in the target The working directory that the application uses in the isolation environment The command line parameters passed to the application during startup
Working Directory
Command Line Parameters
In addition to viewing application information about the profile from the Applications section, an administrator can delete an application from a profile from this tab.
File Types
235
The File Types section of the Profile properties displays information about the types of files associated with the application. When a file type is associated with an application during the application publishing process, a user can open a file of the associated file type on the client device, and the offline plug-in will open the streamed application. The File Types section displays the following information about the associated file types: Extension Type Opens with Availability The extension of the associated file type A description of the file type The application invoked by the file type Whether or not the application is currently available to users
Linked Profiles
The Linked Profiles section of the Profile properties displays the profiles available for inter-isolation communication. When profiles are linked to each other they can communicate with each other on the client device.
Enable User Updates

The Enable User Updates section of the Profile properties specifies whether an application can run executable files that are written to its working directory on the client device.
Pre-Launch Analysis
The Pre-Launch Analysis section of the Profile properties identifies the applications and registry entries that are required on the client device before the application is streamed by the profile. An administrator can use the pre-launch analysis to inspect client devices for prerequisites before streaming the profiled application. The Profiler can search for the following objects during a pre-launch analysis: Applications and versions (specific or a range) Binary files and versions (specific or a range) Registry entries If the pre-launch analysis determines a client device does not have the prerequisites required for the profiled application to run correctly, the profile execution stops and the user is alerted to the problem. An administrator should determine whether pre-launch analysis is required
236
for an entire profile or for individual targets within the profile by testing the profile on client devices. The Pre-Launch Analysis section displays the following information about the applications and registry entries associated with the profile: Enable pre-launch analysis Applications and files Whether or not a pre-launch analysis is enabled The applications and files required on the client device prior to the application being streamed The registry entries required on the client device prior to the application being streamed
Registry Entries
Pre-launch analysis is also useful when an application in a profile must interact with an application that cannot be profiled. In this scenario, it is a best practice to enable pre-launch analysis for the application that cannot be profiled to ensure that it is installed on the client devices. In addition to viewing pre-launch analysis information from the Pre-launch Analysis section, an administrator can enable or disable pre-launch analysis and add, delete and modify which applications, files and registry entries are required on the client device before an application is streamed by the profile.
Pre-Launch and Post-Exit Scripts

The pre-launch and post-exit scripts section in the profile properties identifies the scripts that will run prior to and following the execution of the applications in the profile. If an administrator determines through testing that certain operations are required before or after the running of the applications in the profile, the pre-launch and post-exit scripts section can be used to invoke the scripts written by the administrator. Pre-launch and post-exit scripts are typically .CMD files, but can be any file that is executable by Windows, including VBScript and .BAT files. The pre-launch and post-exit scripts section displays the following information about the scripts associated with the profile: Pre-launch scripts The scripts that run prior to the application in the target launching on the client device The order in which the pre-launch scripts execute Whether or not a pre-launch script is isolated
Order Isolated
237
Post-exit scripts
The scripts that run after the last application in the target closes The order in which the post-exit scripts execute Whether or not a post-exit script is isolated
Order Isolated
In addition to viewing pre-launch and post-exit script information from the pre-launch and post-exit scripts section, an administrator can add and delete scripts and change the order in which the scripts execute. An administrator should determine whether pre-launch or post-exit scripts are required for an entire profile or for the individual targets in the profile by testing the profile on the client devices.
Known Limits for Profiling Applications

Some applications cannot be profiled, including: Applications that contain drivers, such as Adobe Acrobat Professional Microsoft Internet Explorer 64-bit applications Microsoft Data Access Components (MDAC) .NET Framework .NET applications can be profiled and streamed to the client device as long as the client device has .NET Framework installed. It is best practice that applications that require User Access Control (UAC) rights elevation or administrator rights be published only to users and groups that have the required rights on their client devices. Not all applications with services will function correctly when profiled. For example, an application that includes a software license service that ties the application execution to a MAC address will not work.
238
Target Properties
When users experience problems running applications in a profile, an administrator can solve some of them by editing the properties of the targets in the profile. The properties of a target include: General Applications Target Operating System and Language Rules Pre-launch Analysis Pre-launch and Post-exit scripts
To edit the target properties, open the manifest file (.PROFILE) from within the Profiler, select the appropriate target and click Edit > Target Properties.
General Properties
The General section of the Target properties displays the following information about a target: Target name The name of the target, service pack information, the language and the system drive letter The description provided for the target
Description
Information about the target operating system, target language, target boot drive, target version, target location, target creation date and last target update are also provided in the section. In addition to viewing general information about the target from the General section, an administrator can change the target name and description for the target. An administrator can also view the general properties of a target by selecting the Information tab in the profile information pane of the Profiler window.
Application Properties
The Applications section of the Target properties lists all applications installed in the targets in the profile and indicates whether or not each application is available in all targets. When
239
an application is available, an administrator can use the Delivery Services Console to publish it on XenApp servers. The Applications section displays the following information about the applications in the targets in the profile: Application Name Availability The name of the application Whether or not the application is available in this target or the other targets in the profile The version number of the application The version number displayed in this screen is set by the application installation program and is not the same as the target version number.
Version
Path
The simulated path in the isolation environment to the application in the target The working directory that the application uses in the isolation environment The command line parameters passed to the application when it starts
Working Directory
Command Line Parameters
In addition to viewing application information about the target from the Applications section, an administrator can add, modify and delete applications from the target and recover all deleted applications in the target from this section. When an application is deleted from the target, the Profiler removes only the application data from the manifest file (.PROFILE). It does not delete the application files. When an application is added or recovered, data about the application is added to the manifest file (.PROFILE) for the profile. An administrator can also view the application properties of a target by selecting the Application tab in the profile information pane of the Profiler window, right-clicking the target and selecting Application Details.
240
Target Operating System and Language Properties

The Target Operating System and Language section of the Target properties displays information about the operating systems, service packs and languages supported by the target. The Target Operating System and Language section displays the following information about the target: Operating System Service Pack The operating systems in the target The service pack levels associated with the operating systems in the target
Language
The languages supported by the operating systems in the target
In addition to viewing operating system and language information about the profile from the Target Operating System and Language section, an administrator can add operating systems, service pack levels and languages to the target, remove operating systems, service pack levels and languages from the target and check the target for conflicts from this section.
Rules Properties
The Rules section of the Target properties displays information about how the applications in the isolation environment of the target access system objects such as files, registry entries and named objects. The Rules section displays the following information about the isolation environment rules for the target: Rules The name of the rule, the action taken by the rule and the object affected by the rule The command executed by the rule
Rule description
241
In addition to viewing the information about the isolation environment rules for the target, an administrator can add, copy, modify and delete isolation environment rules in the target from this section.
Pre-Launch Analysis Properties

The Pre-launch Analysis section identifies the applications and registry entries that are required on the client device before the application is streamed by the profile. The Pre-launch Analysis section displays the following information about the applications and registry entries associated with the target: Use profile settings Whether the pre-launch analysis properties in the target or in the profile are used Whether or not a pre-launch analysis is conducted The applications and files required on the client device prior to the application being streamed The registry entries required on the client device prior to the application being streamed
Enable pre-launch analysis Applications and files
Registry entries
It is best practice to configure pre-launch analysis to identify client devices that do not have the appropriate software requirements.
Pre-Launch and Post-Exit Properties

The Pre-launch and Post-exit Scripts section displays the following information about the scripts associated with the target: Use profile settings Whether the pre-launch and post-exit scripts in the target or in the profile are used
Pre-launch scripts
The scripts that run prior to the application in the target launching on the client device
242
Order Isolated Post-exit scripts
The order in which the pre-launch scripts execute Whether or not a pre-launch script is isolated The scripts that run after the last application in the target closes The order in which the post-exit scripts execute Whether or not a post-exit script is isolated
Order Isolated
An administrator can also add and delete scripts and change the order in which the scripts execute for the target from this section.
Upgrading an Application in a Target
An administrator can upgrade an application in a target using the Profiler. A target is stored in the profile as a directory structure. When an administrator upgrades a target, the Profiler saves the target with a new, incremental version number and as a new directory structure in the profile. The version of a directory structure in a profile is identified by a number at the end of the file name. For example, a directory structure named 720EDD68-0972-49E6-AA00-80974EB81D5B_2 is the second version of the target directory structure in the profile and is identified as version two by the _2 at the end. Because the Profiler can maintain several versions of each target, users can continue to use the applications in the profile while the application is being upgraded. After the upgrade is completed, new users logging on are streamed the upgraded version of the application while logged on users continue to use, uninterruptedly, the older version of the application. When
243
users log off the older version of the application, they can no longer access that version. Instead, they begin using the upgraded version of the application in the target when they next log on.
Differential Synchronization
Differential synchronization is beneficial when targets have been updated. For example, an administrator updates an application with a new service pack that was recently released. If client devices have a previous version of the target directory structure of the profile stored in the cache, such as applications enabled for offline access, the streaming service will open the cached directory structure on the client device and compare it with the updated directory structure in the profile. The streaming service updates only the changed files and removes outdated files from the directory structure in the cache. This feature reduces the time and bandwidth needed to update applications on the client device. After the profile containing the upgraded application is saved, an administrator cannot use the Profiler to delete or modify the previous versions of an upgraded application.
Deleting an Obsolete Version of a Target

To recover disk space on a file share or web server that hosts the streaming application profiles, an administrator can delete an older version of a target that has been updated. As targets are updated, the version number assigned to the directory structure is updated. The directory structure with the lowest version number is the oldest version of the file. After a target is updated, the prior version of the updated target is no longer available through the Profiler. An administrator can delete the unnecessary directory structure associated with the prior version of the target using an operating system utility. Prior to deleting a target from a profile, the administrator must ensure that no one is currently using the obsolete target.
244
Application Delivery Methods

During the publishing task, the administrator must make decisions about the application delivery method to use, the alternate application delivery method to use and whether the application will be configured for offline use. The following delivery methods are available:
Accessed from a server

Uses the method specified in the Server application type field to determine exactly how the published application will be provided to users. The server application types include: Installed application Specifies that users will access the published application that is pre-installed on the XenApp server. Specifies that the users will access the published application that is streamed to the XenApp server. Users access the application by connecting with either the online plug-in or the Web Interface.
Streamed to server
Streamed if possible, otherwise accessed from a server

Specifies a choice of how the published application will be provided to the users. By default, the published application will be streamed to the client device. If the published application cannot be streamed to the client device, the method specified in the Server application type field will be used. The server application types include: Installed application Specifies that users will access the published application that is pre-installed on the XenApp server Specifies that users will access the published application that is streamed to the XenApp server This Server application type requires that the offline plug-in be installed on the server.
Streamed to server
245
Streamed to client
Specifies that the published application will be streamed to the client device. This option requires that both the offline plug-in and the online plug-in be installed on the client device. Clients that do not support application streaming, such as non-Windows clients and client devices that do not meet the aforementioned requirements, will not be able to access the published application. It is possible to force the delivery of streamed to client published applications with filters. To do this, configure the Load Balancing policy setting located in the Delivery Services Console for Streamed App Delivery. This policy setting overrides the selection in the Publish Application wizard. For more information, see the XenApp Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site.
The Benefits of Streaming with Dazzle

Administrators can allow users to obtain streamed applications through Dazzle. The benefits of doing so include: Installation Progress Bar Dazzle shows the progress of currently downloading streamed applications and displays whether the applications are available for offline use. The Windows Add and Remove Programs utility differentiates locally-installed and streamed applications in the Publisher field: Citrix Systems, Inc. indicates a locally installed application, such as the Citrix Receiver or the Citrix plug-ins. Delivered by Citrix indicates a streamed application delivered by Dazzle.
Add and Remove Programs
Removed Applications
Dazzle automatically notifies users of any applications that have been removed from the server.
The steps to adding streamed applications to Dazzle are the same as adding other published applications.
246
The Web Delivery Method

An administrator can configure an application to be streamed using the HTTP or HTTPS protocol delivery method. Using HTTP as a streaming protocol gives an administrator the ability to deploy profiles to an externally accessible web server and then stream applications from those profiles anywhere in the world. Additionally, this protocol is faster than UNC-path-based network communication over the internal network. To utilize HTTP or HTTPS as a delivery method, an administrator must complete the following tasks: Profile the application and save it to a file share using the UNC path. The file share can be configured on a web server or a file server. Configure a virtual directory on the web server by adding the following MIME type information to the virtual directory: Extension: .PROFILE MIME type: text/xml Create a virtual web site that points to the file share containing the profile using the UNC path. Turn on Directory Browsing on the virtual web site to test the configuration. Configure the binding for HTTPS. Publish the profiled application and specify the full URL path to the profile using a fully qualified domain name on the Location page in the Publish Application wizard. For more information about configuring the binding for HTTPS and configuring HTTP or HTTPS as the delivery method, see the XenApp Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site.
247
Streaming to Servers
An administrator can use application streaming to simplify the deployment of applications to servers in a farm. After an application is streamed to a server, users can launch and use the application through a XenApp session. An administrator can stream an application to a server by completing the following tasks: Create an application profile on a Windows Server 2008 R2 operating system. Ensure that a XenApp Web or XenApp Services site is configured to run one of the following application types: Online: This application type allows users to access applications provided by a server. Dual mode: This application type allows users to access applications that are streamed to the client device or provided by a XenApp server. Both of these application types allow users to access and run applications installed on a server. Ensure that the application is not installed on the XenApp server to which the application is being streamed. Publish the application to stream to a XenApp server by selecting Accessed from a server as the application type with Streamed to server as the Server application type. While using the "Streamed if possible, otherwise access from server" delivery method with the "Streamed to server" application type will stream applications to servers, XenApp will first try to stream the application to the client device. If the offline plug-in is installed on the client device and the published application is accessed through a Web Interface site or the plug-in installed on the client device, the application will stream to the client device rather than to the server.
248
Publishing a Streamed Application

Publishing a streamed application makes profiled applications available to users. An administrator publishes a streamed application using the Delivery Services Console. Before publishing a streamed application, an administrator must use the Profiler to profile the application. During the publishing process, an administrator must specify whether the profiled application will be delivered from a file server or a web server. If a web server is utilized, then additional configuration is required. To start the Publish Application wizard, right-click the Applications node in the Delivery Services Console and click Publish application. An administrator can change the application type of a published application. To do so, right-click the application, click Other Tasks and click Change application type. For information on publishing App-V sequenced applications, see the XenApp 6 Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site.
249
Specifying an Alternate Profile for a Published Application
An administrator can specify an alternate profile for connections that come from specific IP addresses. For example, an administrator could use an alternate profile to direct users on either side of a WAN to stream applications only from the file or web server on their side of the WAN. When an alternate profile is created, a duplicate of the primary profile is created and stored on a different file share, making it more accessible to the client device. If the alternate profile is different from the primary package, the application may not work properly on the client device.
Alternate Profile Properties

On the Alternate profiles screen of the published application properties, an administrator can view or modify the following: Primary application profile location The location of the profile on the network file share
250
An administrator cannot change this location on this page. Alternate profile locations A list of existing alternate profile locations, including their client IP ranges An administrator can add, modify or remove alternate profile locations. When specifying an alternate profile location, an administrator must specify an IP address range by entering the lowest IP address in the Start IP field and the highest IP address in the End IP address field. Changes take effect the next time the user launches the application.
Enabling the Least-Privileged User Account
An administrator can configure applications that are set to stream to client devices only to run with: Reduced user privileges The streamed application runs on the client device using the least-privileged user account available for the user on the client device.
251
This reduces the security risks posed by the application but may cause the application to fail if elevated privileges are required by the application. An administrator should test the application to determine if it will run correctly for users who have restricted privileges on their client devices before reducing the user privileges for a published application. For example, User1 has Restricted User privileges on a client device. User2 has Administrator privileges on a client device. Because the application requires at least Standard User privileges to run correctly, the application fails when User1 attempts to use the application. The application runs correctly for User2. Normal user privileges The streamed application runs on the client device with User rights, even if the user has administrative privileges on the client device.
These settings are part of the published application properties, not the profile.
252
Configuring Sites for Streaming Applications
An administrator can configure the following types of Web Interface sites: XenApp Web Allows users to access published resources through a web browser Allows users to access published resources through the Citrix online plug-in
XenApp Services

An administrator can make the following types of published resources available for users through a Web Interface site: Online Grants users access to published applications installed on or streamed to a server Grants users access to applications streamed to client devices Grants users access to both streaming applications and applications installed on the server
Offline Dual mode
253
Support for Both Remote and Streaming Applications

An administrator can configure Web Interface sites in the environment to support the delivery of applications installed on the servers and applications streamed to servers or the desktops of client devices in the environment. This can be accomplished in a variety of ways based on the method used to access the applications. If the applications will be accessed by users through the Web Interface: One XenApp Web site must be configured to use the Dual mode application type, or Two XenApp Web sites must be configured. One site should be configured to use the Online application type and the other site should be configured to use the Offline application type. If the applications will be accessed by users through the online plug-in: One XenApp Services site must be configured to use the Dual mode application type, or Two XenApp Services sites must be configured. One site must be configured to use the Online application type and the other site must be configured to use the Offline application type.
254
Offline Access Management
Applications that are published to stream to the desktop of a client device can be accessed by a user who is disconnected from the network. An administrator should configure the following properties to enable offline access: Configure the application properties for offline access. Enable an application for offline access. Configure users for streamed applications. Configure a XenApp Services site for Offline or Dual mode applications. Ensure a license is available for checkout or that the license which is already checked out has not expired.
Indirect Membership to the Offline Access List

An administrator can give users indirect permission for offline access by making them members of groups or subgroups that have offline access. For example, if an administrator grants Group A permission to use a published application and adds Group A to the offline access list, User 1 who is a member of Group A has offline access to the application.
255
An administrator can also specify subgroups of larger groups for indirect access. For example: Group A contains Subgroups B and C. Group A has permission to use the published application. Subgroup B has offline access permission. In this example, only members of Subgroup B can access the application while either online or offline. Members of Subgroup C can use the application while online but not when they are offline.
Providing Offline Access

During the publishing of a streaming application, an administrator can configure streamed applications for offline access. This enables users to log off from the network and continue to run the applications in offline mode for a specified length of time. When an application is configured for offline access, the offline plug-in downloads the application and caches it on the users client device. An administrator can configure the application to be pre-cached at logon or cached during application launch. Users who have been given offline access permission and permission to use the published application must launch the streaming application using the online plug-in to use the offline access feature. When users launch the streaming application, offline plug-in caches the streamed application on the hard drive of the client device. After the streamed application is cached, the user can disconnect from the network and continue to run the application in offline mode for the period of time specified in the license. The offline access feature is available only for published applications configured to use either the 'Streamed to client' or the 'Streamed if possible, otherwise accessed from a server' application type as the application delivery method. Users and groups can be added for offline access in the properties of the published application. The Operating System User Selector option that is available when adding users has several limitations. An administrator: Can browse only account authorities and select users and groups that are accessible from the server running the Delivery Services Console Can initially select users and groups outside the trust intersection of the farm, which causes errors later Cannot add NDS users and groups or Citrix built-in users
256
Offline Access Period
Administrators must specify which users can access applications offline. XenApp checks out a license on behalf of each user the first time they connect and stream an application. The license allows the use of the application offline for a specified number of days (21 by default) before the license must be renewed. An administrator can change the length of time permitted for offline use before the license must be renewed by creating a Citrix policy and configuring the Offline app license period setting.
Renewing Offline Access Period

When users with offline access permission log on to XenApp, they automatically either check out a license or renew a license that is already checked out. Licenses are valid for the specified license period set in the Citrix policies. When the user logs on, the license is renewed, if one is available. If a license nears its expiration date while the user is running the application offline, a message appears reminding the user to log on to XenApp so the license can be renewed. If the license expires while the user is offline, the user will not be able to launch the application. If no license is available when the user logs on to XenApp, the user will not be able to launch the application while online or offline. Offline application shortcuts are displayed when users log off of their XenApp sessions. However, the application shortcuts become unavailable if the licenses expire. Users can view information such as the download status of an offline application, the total license period and the number of days before a license expires using the "Offline Applications" option in the Citrix online plug-in.
257
Application Caching
When an application is configured for offline access, XenApp caches the application on users' client devices with offline access permission. An administrator can determine when this caching of the application occurs so that its impact on the network and the user experience is minimized. The two caching options are listed below. Pre-caching at Logon When a published application is configured to pre-cache at logon, XenApp streams the application to the client device cache when the user logs on to XenApp. This option is the default setting. A message notifies the user when the download begins and ends. When the download is complete, the user can log off from XenApp and run the cached application while offline until the offline access license expires. Concurrent logons by users can slow network traffic when this caching option is used.
Caching at Launch
When a published application is configured to cache at launch, XenApp streams the application to the client device cache when the user launches the published application through XenApp. When the download is complete,
258
the user can log off of XenApp and run the cached application while offline until the offline access license expires. An administrator should configure a published application to cache the application at launch if the number of users logging on at the same time and, therefore, pre-caching their applications at logon, could overload the network.
Pre-Deployment of Streaming Applications

An administrator can pre-deploy streaming applications to users to avoid the caching of the applications on the client device at logon or at launch time. Pre-deployment pushes new or updated published application files to the client devices before the user attempts to access the application. As a best practice, administrators should pre-deploy the applications used most frequently by users.
RADEDEPLOY.EXE is a command line utility that will advance copy the streaming content onto the target system. It is located in the \PROGRAM FILES\CITRIX folder on the client
device after the offline plug-in is installed. The first time that a user launches a large published application configured for streaming, the server will trigger a massive data transfer. To lessen the impact to the network, an administrator can pre-deploy new or updated published application files to the client devices during off-peak hours to help avoid overloading the file servers or networks. The administrator should use a software management system to control when the utility is executed so that the streaming content gets copied down to the client devices before users arrive in the morning and start running applications. When offline applications are predeployed using the RADEDEPLOY.EXE utility, the caching method selected in the properties of the published application is bypassed because applications are only cached to the client device once. For more information about running this utility, see the XenApp 6 Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site.
259
Troubleshooting Streaming Issues

An administrator can use the solutions in the following table to address common streaming issues. Issue Applications do not stream. Resolution Verify that the Citrix offline and online plug-ins are installed. Verify that the client device matches the profile configuration for: Operating system type: 32-bit or 64-bit Operating system language Service pack level System drive letter
Verify that the white list is configured for applications that require streaming Windows Services. Applications do not have full Verify that the application was streamed on the target functionality. operating system; application functionality may vary across operating systems. Applications are not automatically updated by vendor web sites. Verify the profile is configured to allow updates. Profiles do not allow application updates, by default. However, if a more relaxed security configuration is required, select the Enable User Updates option for the profile.
Streamed applications do not Verify that inter-isolation communication is configured. recognize each other. Applications are not available Verify that the applications are enabled for offline access and offline. that users are specified. Verify that the XenApp Services site is configured for the Offline or Dual mode application type.
260
Review
1. In addition to the standard server farm components of XenApp 6, which Citrix component is needed for application streaming to a desktop? a. b. c. d. Citrix Receiver Citrix online plug-in Citrix offline plug-in Citrix Access Gateway
2. Which two statements regarding the Citrix offline plug-in are accurate? (Choose two.) a. b. c. d. e. The offline plug-in is invisible to the user. The offline plug-in runs as a service on the client device. The offline plug-in determines the application delivery mode. The offline plug-in is displayed in the Windows notification area. The offline plug-in can be used in conjunction with a XenApp Web site to access applications offline.
3. A profile creates a target based on which four criteria? (Choose four.) a. b. c. d. e. f. Applications Operating system Service Pack level System drive letter Operating system language Files, folders and registry settings
4. An administrator is creating a profile for an application and wants to include a specific Internet Explorer plug-in. Which type of installation should the administrator use? a. b. c. d. e. Quick Default Standard Advanced Integrated
5. An administrator must publish which file type to make a streaming application available to users? a. .EXE b. .MSI c. .RAD
261
d. .PROFILE 6. Which two application types can be configured in a Web Interface site so that applications stream to the desktop of a client device? (Choose two.) a. b. c. d. e. Online Offline Dual mode Streamed to client Streamed to server
7. An administrator wants users to be able to access applications installed on the XenApp server through the online plug-in and access streaming applications when the users are offline. What must the administrator configure? a. b. c. d. One XenApp Web site One XenApp Services site One XenApp Web site and one XenApp Services site Two XenApp Web sites and two XenApp Services sites
262
Module 9
Configuring Policies
264
Module 9: Configuring Policies
Overview
Citrix policies provide a way for administrators to control XenApp server and farm settings as well as the functionality available to users within XenApp sessions. For example, administrators can use Citrix policies to control session security settings, bandwidth limits, printer and device mapping, client drive access and display and graphics settings. In addition, XenApp provides the ability to apply policies to worker groups, users and user groups, client IP addresses, client device names and sessions connecting through Access Gateway. At the end of this module, given an environment containing XenApp, you will be able to: Identify the types of Citrix policies that can be created. Identify the methods for creating policies. Create and configure policies. Apply policies using filters. Use policy modeling tools.
265
Group Policy Integration

Implementing the Citrix policies correctly enables administrators to fine-tune and control how users connect to resources. XenApp integrates with the Microsoft Group Policy engine, allowing organizations to leverage their Active Directory structure and Group Policy management tools to create and apply Citrix policies. Citrix policies are configured within Group Policy Objects (GPOs) using the Group Policy Management Console (GPMC) and linked to Active Directory domains, organizational units (OUs) and sites. The policy settings within those GPOs will apply to all objects within that OU regardless of XenApp farm membership. Objects added to the OU will have those policy settings applied automatically. Group Policy integration does not require changes to the Active Directory schema.
Group Policy Integration Benefits

Group policy integration also allows organizations to leverage the Group Policy management features for their XenApp environment. For example, the GPMC allows administrators to: Backup and restore policies Migrate policies from one domain to another View the resultant set of policies for a server, user or session Perform modeling by retrieving policy reports for any user connection scenario Create Active Directory delegated administration for Citrix settings and policies
Administrators with access to the Advanced Group Policy Manager (AGPM) can perform the following additional tasks: Create granular delegated administrators and role-based administration Manage the Active Directory Group Policy change control process Edit GPOs offline Enable audit logging and create policy differencing reports Recover deleted GPOs and repair live GPOs Enable email notification for GPO changes Track version changes, capture history and quickly roll back deployed changes The AGPM tool is included within the Microsoft Desktop Optimization Pack and is available only to Microsoft Software Assurance customers.
266
IMA-based Group Policies
Managing Citrix policies through the Group Policy Management Console (GPMC) generally is recommended as it provides greater management flexibility and predictability. However, using Active Directory GPOs may not be possible in the following scenarios: Environments using directory services other than Active Directory XenApp farms with published applications requiring anonymous (local) accounts Organizations that restrict or deny Active Directory delegation to XenApp administrators To support these environments, XenApp provides an IMA-based global Group Policy Object, which still leverages the Microsoft Group Policy engine within Windows Server, but does not require Active Directory. The IMA-based policies allow administrators to configure farm-specific Citrix policies within the Policies node of the Delivery Services Console. The interface is similar to the interface within the Group Policy Editor; however, the Citrix policies configured in the Delivery Services Console apply to all servers and users within the farm regardless of their Active Directory OU location. The Local Group Policy Editor (GPEDIT.MSC) can be used to override farm or OU policy settings for a particular server. Changes made to the Local Group Policy Object apply only to the local server and will not affect other servers within the farm or OU. Use of the Local Group Policy Editor generally should be avoided to reduce policy inconsistencies, unexpected session behavior and troubleshooting efforts. Active Directory GPO settings can be used to block the use of Local Group Policy Editor to
267
improve security and ensure that OU policy settings are not overwritten by local server policy settings. IMA-based Policy Use Case Having a change control process for all Citrix policy settings, regardless of who configures them or where they are configured, is recommended. However, sometimes XenApp administrators need a quick way to apply Citrix policies. IMA-based policies can serve as a backup method for quickly changing farm policy settings as these policies will bypass all Active Directory synchronization and ownership issues and immediately will apply to all new sessions, regardless of the Active Directory replication configuration. Note that these IMA-based policy settings only apply to XenApp servers and will not affect non-XenApp servers within an OU. For security purposes, the IMA-based global GPO can be disabled within an Active Directory GPO.
Group Policy Extensions
During the XenApp and Delivery Services Console installations, Citrix client-side extensions are installed, which allow Citrix policy integration within the Microsoft Group Policy engine. These extensions add a Citrix Policies node within the existing Computer and User nodes
268
within the Group Policy Object Editor. The Citrix Policies node allows administrators to create Citrix policies as either User or Computer policies within the GPO. If the Delivery Services Console is not installed as part of the XenApp installation, the client-side extensions are still installed. However, if a system running a non-server version of Windows, such as Windows 7, will be used for policy management, the Group Policy Management Console must be installed on that system in addition to the Delivery Services Console.
Group Policy Architecture
When Citrix policies are created or edited within GPMC and the Group Policy Object Editor, the configuration is stored in the following location:
\\domain\SYSVOL\domain\Policies\guid\machine or user\Citrix\GroupPolicy\Policies.GPF. When Citrix policies are created or edited
within the Delivery Services Console, the IMA-based policy settings are stored as metadata in
269
the data store database and are propagated to servers as GPF/X files stored in their local SYSVOL directory. In both instances, the settings are written to each server registry. Each time group policies are evaluated on the XenApp server, the GPF/X files are retrieved from the SYSVOL and farm data store. The client-side extension evaluates the filters and merges the results into a single Resultant Set of Policy within the HKLM\Software\Policy\Citrix registry key. Various software components read the registry values and enforce the settings. The previous figure illustrates the conceptual architecture behind the Citrix policy system.
270
Policy Evaluation
Policies are evaluated on XenApp servers when one of the following events occurs: A user logs on The server is rebooted The policy refresh interval is reached A policy update is forced
By default, the policy refresh interval is 90 minutes for Active Directory GPOs. The interval time can be changed, although reducing it too much may overload domain controllers. The refresh interval applies to servers as well as user sessions that were started before the policy change. New user sessions always capture the latest User configuration settings within GPOs; however, the latest Computer configuration settings will not be applied until one of the above events occurs. Administrators can force a policy update using the GPUPDATE /FORCE command. By default, both User and Computer configuration settings are updated. However, additional switches can be used to force updates to either the User or Computer configuration settings. IMA-based policies are subject to the same Active Directory policy refresh cycle for Computer configuration settings. However, User configuration settings within IMA-based policies are applied immediately.
Policy Application Process

The following process provides a high-level description of how policies are applied to XenApp sessions: 1. The user logs on to a client device in a company domain using domain credentials. 2. The credentials are sent to the domain controller. 3. Active Directory finds and applies all policies configured for the user, client device, organizational unit and domain. 4. The user logs on to XenApp and launches a published resource. 5. The Microsoft and the Citrix client-side extensions begin processing policies for the user and server. The Microsoft client-side extension gathers settings that are stored in Active Directory SYSVOL. The Citrix client-side extension gathers directory-level settings within the Active Directory SYSVOL and local server SYSVOL GPF/X files.
271
Local server settings automatically are propagated by IMA periodically and the Citrix client-side extension assumes those settings are current. The Citrix client-side extension is inserted into the process because it is a registered .DLL in the XenApp server registry. 6. Active Directory determines precedence for the settings and applies them to the server and user registries. 7. The user logs off of all published resources. Citrix user policies are no longer active for this user or client device. 8. The user logs off of the client device. GPOs are no longer active for this user. If the client device is still powered on, GPO computer policies continue to apply to it. Policy settings configured within Active Directory GPOs and IMA-based GPOs are both processed together to create the Resultant Set of Policy. Therefore, organizations can have a mixed configuration of both Active Directory GPOs and IMA-based GPOs. As a best practice, the number of GPOs should be limited to prevent slow logon performance due to policy processing.
Policy Processing and Precedence
The GPOs and IMA-based policies that apply to a user or computer do not all have the same precedence. If there are no conflicting settings configured within the policies, the settings are merged into the Resultant Set of Policy for the computer or user. However, settings in policies
272
that are applied later can override earlier applied settings. Policies are processed and applied in the following order: 1. Local GPOs Each server has exactly one Group Policy object that is stored locally. Both Computer and User configuration settings are processed. 2. IMA-based policies IMA-based policies configured in the Delivery Services Console are processed after local GPOs. 3. Site GPOs GPOs that have been linked to the site that the user or computer belongs to are processed next. Processing is in the order that is specified by the administrator within the Linked Group Policy Objects tab for the site in Group Policy Management Console. The GPO with the lowest link order is processed last and, therefore, is highest in the order of precedence. 4. Domain GPOs Multiple domain-linked GPOs are processed in the order specified by the administrator in the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last and, therefore, is highest in the order of precedence. 5. OU GPOs GPOs linked to the OU highest in the Active Directory hierarchy are processed first followed by GPOs that are linked to its child OU and any OUs beneath that. Finally, the OU that contains the specific user or computer are processed last. Zero, one or many GPOs can be linked to each Organizational Unit level in the Active Directory hierarchy. If several GPOs are linked to an OU, they are processed in the order that is specified by the administrator in the Linked Group Policy Objects tab in the GPMC. The GPO with the lowest link order is processed last and, therefore, is highest in the order of precedence. Settings in the Citrix ICA Listener Configuration (CTXICACFG.EXE) tool are treated as local GPOs and are overwritten by domain GPOs, if present. The Citrix ICA Listener Configuration tool contains server-specific settings such as network adapter settings, ICA connection limits and session limits. The tool is located in the C:\Program Files (x86)\Citrix\system32 folder on the XenApp server. XenApp does not process RDP or ICA settings in the Remote Desktop Session Host Configuration tool. Policy Changes Example Contractors working for KellCorp are prohibited from mapping their local drives while working in published applications. This setting was accomplished by creating a Citrix policy and applying it to the worker group that contains the Contractors OU.
273
Three contractors are working on a special project which requires the use of their local drives and have received clearance for this exception. The administrator creates a new OU below the Contractors OU and applies a policy allowing access to local drives for those three contractors. The administrator sends the contractors an email to inform them of the status change. The contractors immediately attempt to access their local drives from their published applications and report to the administrator that they still are unable to access the drives. The contractors follow the administrator's recommendation to log off of all of their sessions, log back on and try again; this time they are able to see their local drives when the policy takes effect.
Policy Precedence Exceptions

Exceptions to the default policy processing order settings may exist under the following conditions: A GPO link is enforced, or disabled, or both. By default, a GPO link is neither enforced nor disabled. User, Computer or all settings are disabled in a GPO. By default, neither User nor Computer settings are disabled in a GPO. Block Inheritance is set on an OU or domain. By default, Block Inheritance is not set. A computer is a member of a workgroup and, therefore, processes only the local GPO. Loopback processing is enabled. If loopback processing is enabled, it only affects Active Directory GPO processing. IMA-based policy settings will not be re-read and re-applied.
Shadowing and Encryption Settings

XenApp does not merge shadowing and encryption settings. Shadowing and encryption settings follow the same processing and precedence order as other GPO settings. For example, if an Active Directory GPO is configured to set the SecureICA minimum encryption level to 128-bit RC5, this setting cannot be overridden with an IMA-based or local server GPO.
274
Policy Priorities
When configuring Citrix policies, both GPOs and IMA-based, administrators can assign priority levels for those policies. In the event that policies contain conflicting settings, the setting within the policy with the highest priority is processed. However, this priority level only controls the setting that is processed during policy processing.
275
Policy Rules
When creating Citrix policies in a GPO or the Delivery Services Console, the policies are designated as either Computer or User policies. These policies contain rules for configuring the desired farm, server and user session settings. Computer policies contain rules for XenApp server settings and are organized into the following categories: ICA Licensing Server Settings Virtual IP XML Service
User policies contain rules for all XenApp user session settings. Administrators can use these settings to enable or disable features within user sessions. User policies are organized into the following categories: ICA Audio
276
Bandwidth Desktop UI File Redirection Graphics Multimedia Ports Printing Security Session Limits Shadowing Time Zone Control TWAIN devices USB devices
Server Session Settings
COMPUTER POLICIES
277
ICA
ICA listener connection timeout Specifies the maximum wait time for a connection to be completed By default, the maximum wait time is 120,000 milliseconds or two minutes. ICA listener port number Specifies the TCP/IP port number used by the ICA protocol on the server By default, the port number is 1494.
ICA\Auto Client Reconnect

Auto client reconnect Allows or prevents automatic reconnection by the same client after a connection has been interrupted Specifies whether authentication is required for automatic client reconnections Records or prevents recording auto client reconnections in the event log By default, logging is disabled.
Auto client reconnect authentication Auto Client Reconnect > Auto client reconnect logging
ICA\End User Monitoring

ICA round trip calculation Enables or disables the calculation of ICA round trip measurements By default, ICA round trip calculations are allowed.
278
ICA round trip calculation interval (Seconds) ICA round trip calculations for idle connections
Specifies the frequency, in seconds, at which ICA round trip calculations are performed Determines whether ICA round trip calculations are performed for idle connections By default, calculations are not performed for idle connections.
ICA\Graphics
Display memory limit Specifies the maximum video buffer size in kilobytes for the session By default, the display memory limit is 32,768 kilobytes. Display mode degrade preference Image caching Degrades either color depth or resolution first when the session display memory limit is reached Specifies whether to cache images to make scrolling smoother Specifies the maximum color depth allowed for a session By default, the maximum allowed color depth is 32 bits for each pixel. Notify user when display mode is degraded Queueing and tossing Specifies whether to display a popup with an explanation to the user when the color depth or resolution is degraded Discards queued images that are replaced by another image
Maximum allowed color depth
279
ICA\Keep Alive
ICA keep alive timeout Specifies the number of seconds between successive ICA keep-alive messages By default, the interval between keep-alive messages is 60 seconds. ICA keep alives Sends or prevents sending ICA keep-alive messages periodically By default, keep-alive messages are not sent.
ICA\Multimedia
HDX MediaStream Multimedia Acceleration Controls and optimizes the way XenApp servers deliver streaming audio and video to users By default, this setting is allowed. HDX MediaStream Multimedia Acceleration default buffer size HDX MediaStream Multimedia Acceleration default buffer size use Specifies a buffer size from 1 to 10 seconds for HDX MediaStream Multimedia Acceleration Uses the specified buffer size for HDX MediaStream Multimedia Acceleration By default, the buffer size specified is not used. Multimedia conferencing Allows or prevents support for video conferencing applications By default, video conferencing support is enabled.
280
ICA\Security
Prompt for password Requires the user to enter a password for all server connections regardless of access scenario By default, users are prompted for passwords only for specific types of connections.
ICA\Server Limits
Server idle timer interval Determines, in milliseconds, how long an uninterrupted user session will be maintained if there is no input from the user By default, idle connections are not disconnected.
ICA\Session Reliability
Session reliability connections Session reliability port number Allows or prevents session reliability connections
Identifies the TCP port number for incoming session reliability connections By default, the session reliability TCP port number is 2598.
Session reliability timeout
The length of time in seconds the session reliability proxy waits for a client to reconnect before allowing the session to be disconnected The default length of time is 180 seconds or three minutes.
281
ICA\Shadowing
Shadowing Allows shadowing of ICA sessions Configure the Users\ICA\Shadowing\Users who can shadow others policy to specify which users can shadow.
Licensing
License server host name License server port Specifies the name of the server hosting XenApp licenses Specifies the the port number of the server hosting XenApp licenses By default, the license server port number is 27,000.
Server Settings
Connection access control Specifies whether users can start sessions when connecting through Citrix Access Gateway Enables or disables the server to return fully qualified domain names to clients using the Citrix XML Service Enables or disables the caching of larger, high resolution published application icons on servers Specifies the XenApp product edition
DNS address resolution
Full icon caching
XenApp product edition
282
Server Settings\Connection Limits

Limit user sessions Specifies the maximum number of concurrent connections a user can establish, from none to 8192 Enables or disables connection limit enforcement for Citrix administrators Enables or disables the logging of events to the server event log about connection attempts that were denied because they exceeded logon limits
Limits on administrator sessions Logging of logon limit events
Server Settings\Health Monitoring and Recovery

Health monitoring Allows or prevents running Health Monitoring and Recovery tests on the servers By default, Health Monitoring and Recovery tests are allowed to run. Health monitoring tests Specifies which Health Monitoring tests to run Test configurations can be edited within this policy. Maximum percent of offline servers Specifies the maximum percentage of servers that Health Monitoring and Recovery can exclude from load balancing
Server Settings\Memory/CPU
CPU management server level Specifies the level of CPU utilization management on the server Enables or disables memory optimization to improve the ability to manage DLL allocation in both real and
Memory optimization
283
overall virtual memory by creating shared DLLs for applications that are open in multiple sessions Memory optimization application exclusion list Memory optimization interval Specifies the applications that memory optimization should ignore Specifies the interval for running memory optimization when memory optimization is enabled Specifies the day of the month that memory optimization runs, within the range of 1 - 31, when memory optimization is enabled Specifies the day of the week that memory optimization runs when memory optimization is enabled Specifies the time of day that memory optimization runs when memory optimization is enabled and an interval of "Daily," "Weekly" or "Monthly" is specified
Memory optimization schedule: day of month
Memory optimization schedule: day of week Memory optimization schedule: time
Server Settings\Offline Applications

Offline app client trust Enables or disables the ability of offline application clients to recreate sessions when reconnecting without authenticating again Enables or disables logging of offline application events to the event log of the server Specifies the number of days applications can work offline before users must renew the license By default, the license period is 21 days, but can range from 2 to 365 days. Offline app users Specifies the users who have offline access permission
Offline app event logging
Offline app license period
284
Server Settings\Reboot Behavior

Reboot custom warning Enables or disables sending a custom warning message, in addition to the standard restart message, to users before a scheduled server restart Specifies the text in the custom warning message sent to users before a scheduled server restart Specifies the number of minutes before a scheduled server restart that logons to the server are disabled Specifies the frequency, in days, at which scheduled server restarts occur Specifies the date on which scheduled server restarts begin Specifies the time of day at which scheduled server restarts occur Specifies how often standard and custom warning messages are sent to users before a scheduled restart Specifies the number of minutes before a scheduled server restart to send standard or custom warnings to users Enables or disables sending a standard warning message to users before a scheduled server restart Enables or disables scheduled server restarts
Reboot custom warning text
Reboot logon disable time
Reboot schedule frequency
Reboot schedule start date Reboot schedule time
Reboot warning interval
Reboot warning start time
Reboot warning to users
Scheduled reboots
Virtual IP
Virtual IP adapter address filtering Filters the list of addresses returned by the API GetAdaptersAddresses() to only include the session virtual IP address and the loopback address
285
Virtual IP compatibility programs list
Adds support to Windows OS Virtual IP so that calls to gethostbyname() API within session return the assigned virtual IP address for the session Adds support to Windows OS Virtual IP so that calls to gethostbyname() API within a session return the assigned Virtual IP address for the session Specifies the programs for the Virtual IP adapter address filtering rule Allows each session to have its own virtual loopback address for communication Specifies the programs for the Virtual IP loopback support rule
Virtual IP enhanced compatibility
Virtual IP filter adapter addresses programs list Virtual IP loopback support
Virtual IP loopback programs list
XML Service
Trust XML requests Specifies whether the Citrix XML Service should trust requests it receives Specifies the port number to use for the Citrix XML Service
XML service port
286
By default, the port is disabled. Citrix recommends using port 8080.
USER POLICIES
ICA
Client clipboard redirection Allows or prevents the clipboard on the client device to be mapped to the clipboard on the server By default, clipboard redirection is allowed.
287
Desktop launches
Allows or prevents non-administrative users to connect to a desktop session on the server By default, non-administrative users cannot connect to desktop sessions.
Launching of non-published programs during client connection
Specifies whether to launch initial applications or published applications on the server By default, only published applications are allowed to launch.
OEM Channels
Allows or prevents custom (OEM) devices attached to ports on the client device to be mapped to ports on the server By default, this setting is allowed.
ICA\Audio
Audio quality Client audio redirection Specifies the sound quality as low, medium or high Allows or prevents applications hosted on the server to play sounds through a sound device installed on the client device and allows or prevents users to record audio input The amount of bandwith consumption when playing or recording audio can be configured within this policy. Client microphone redirection Enables or disables client microphone redirection
ICA\Bandwidth
Audio redirection bandwidth limit Specifies the maximum allowed bandwidth in kilobits per second (kbps) for playing or recording audio in a client session
288
Audio redirection bandwidth limit percent
Specifies the maximum allowed bandwidth limit for playing or recording audio as a percent of the total session bandwidth Specifies the maximum allowed bandwidth in kbps for data transfer between a session and the local clipboard Specifies the maximum allowed bandwidth limit for data transfer between a session and the local clipboard as a percent of the total session bandwidth Specifies the maximum allowed bandwidth in kbps for accessing a COM port in a client connection Specifies the maximum allowed bandwidth for accessing COM ports in a client connection as a percent of the total session bandwidth Specifies the maximum allowed bandwidth in kbps for accessing a client drive in a client connection Specifies the maximum allowed bandwidth limit for accessing client drives as a percent of the total session bandwidth Specifies the maximum allowed bandwidth in kbps for print jobs using an LPT port in a single client session Specifies the bandwidth limit for print jobs using an LPT port in a single client session as a percent of the total session bandwidth Specifies the maximum allowed bandwidth in kbps for custom (OEM) virtual print channels Specifies the bandwidth limit for custom (OEM) virtual print channels as a percent of the total session bandwidth
Clipboard redirection bandwidth limit Clipboard redirection bandwidth limit percent
COM port redirection bandwidth limit COM port redirection bandwidth limit percent
File redirection bandwidth limit File redirection bandwidth limit percent
LPT port redirection bandwidth limit LPT port redirection bandwidth limit percent
OEM channels bandwidth limit
OEM channels bandwidth limit percent
289
Overall session bandwidth limit
Specifies the total amount of bandwidth available for client sessions Specifies the maximum allowed bandwidth in kbps for accessing client printers in a client session Specifies the maximum allowed bandwidth for accessing client printers as a percent of the total session bandwidth Specifies the maximum allowed bandwidth in kbps for controlling TWAIN imaging devices from published applications Specifies the maximum allowed bandwidth for controlling TWAIN imaging devices from published applications as a percent of the total session bandwidth
Printer redirection bandwidth limit Printer redirection bandwidth limit percent
TWAIN device redirection bandwidth limit
TWAIN device redirection bandwidth limit percent
Bandwidth Limit Percent Example Bandwidth limit percent rules limit ICA session bandwidth based on percentage of the overall session bandwidth specified in the Overall session bandwidth limit rule. PART 1: An administrator configures the Overall session bandwidth limit rule to limit bandwidth to 500 kbps and sets the Printer redirection bandwidth limit rule to limit printing to 260 kbps. If the total bandwidth for the session drops to 260 kbps, all of the session bandwidth will be consumed by the documents being printed in the session. PART 2: To prevent this from happening, the administrator configures the Printer redirection bandwidth limit percent rule. In this rule, the administrator limits the amount of session bandwidth that can be consumed by printing to 25% of the total session bandwidth. Now if the total bandwidth for the session drops to 260 kbps, only 65 kilobits will be consumed by the documents printed in the session.
ICA\Desktop UI
Desktop wallpaper Enables or disables the desktop wallpaper in user sessions
290
By default, desktop wallpaper is allowed. Menu animation Allows or prevents menu animation By default, menu animation is allowed. View window contents while dragging Controls the display of window content when dragging a window across the screen When allowed, the entire window appears to move when dragged. When prohibited, only the window outline appears to move until dragging stops and the window is dropped.
ICA\File Redirection
Auto connect client drives Allows or prevents automatic connection of client drives when users log on By default, automatic connection is allowed. Client drive redirection Enables or disables file/drive redirection to and from the client device When enabled, users can save files to all their client drives. When disabled, all file redirection is prevented, regardless of the state of the individual file redirection settings. By default, file redirection is enabled. Client fixed drives Allows or prevents users from accessing or saving files to fixed drives on the client device By default, accessing client fixed drives is allowed.
291
Client floppy drives
Allows or prevents users from accessing or saving files to floppy drives on the client device By default, accessing client floppy drives is allowed.
Client network drives
Allows or prevents users from accessing and saving files to client network/remote drives By default, accessing client network drives is allowed.
Client optical drives
Allows or prevents users from accessing or saving files to CD-ROM, DVD-ROM and BD-ROM drives on the client device By default, accessing client optical drives is allowed.
Client removable drives
Allows or prevents users from accessing or saving files to removable drives on the client device By default, accessing client removable drives is allowed.
Host to client redirection
Enables or disables file type associations for URLs and some media content to be opened on the client device By default, file type association is allowed.
Preserve client drive letters
Enables or disables preservation of client drive letters When enabled, and client drive mapping is enabled, client drives are mapped to the same drive letter in the session, where possible. By default, client drive letters are not preserved.
Special folder redirection
Allows or prevents Citrix online plug-in and Web Interface users to see their local special folders, such as Documents and Desktop, from a session By default, special folder redirection is allowed.
292
Use asynchronous writes
Enables or disables asynchronous disk writes By default, asynchronous writes are disabled.
ICA\Graphics\Image Compression
Lossy compression level Specifies the degree of lossy compression used on images By default, medium compression is selected. Lossy compression threshold value Specifies the maximum bandwidth in kbps for a connection to which lossy compression is applied By default, the threshold value is unlimited. Progressive compression level Progressive compression threshold value Provides a less detailed but faster initial display than lossy compression Specifies the maximum bandwidth in kbps for a connection to which progressive compression is applied By default, the threshold value is unlimited. Progressive heavyweight compression Reduces bandwidth without losing image quality by using a more advanced and CPU-intensive graphic algorithm By default, progressive heavyweight compression is not used.
ICA\Multimedia\HDX MediaStream for Flash (client side)

Flash acceleration Enables or disables Flash content rendering on client devices instead of the server
293
By default, client-side Flash content rendering is allowed. Flash event logging Allows or prevents Flash events to be recorded in the Windows application event log By default, logging is allowed. Flash latency threshold Specifies a threshold between 0-5000 to determine where Adobe Flash content is rendered By default, the threshold is 30. Flash server-side content fetching whitelist Lists web sites whose Flash content is allowed to render on the client device Flash content on unlisted web sites is rendered on the server. Flash URL blacklist Lists web sites whose Flash content is rendered on the server Flash content on unlisted web sites is rendered on the client device. This setting is in effect when Flash acceleration is enabled.
ICA\Multimedia\HDX MediaStream for Flash (server side)

Flash quality adjustment Adjusts the quality of Flash content rendered on session hosts to improve performance By default, this setting is allowed.
ICA\Ports
Auto connect client COM ports Connects COM ports from the client device automatically
294
By default, COM ports are not automatically connected. Auto connect client LPT ports Connects LPT ports from the client device automatically By default, LPT ports are not automatically connected. Client COM port redirection Redirects COM ports to and from the client device By default, COM port redirection is enabled. Client LPT port redirection Redirects LPT ports to the client device By default, LPT port redirection is enabled.
ICA\Printing
Client printer redirection Allows or prevents client printers to be mapped to a server when a user logs on to a session By default, client printer mapping is allowed. Default printer Specifies how the client's default printer is established in an ICA session By default, the client's current printer is used as the default printer for the session. Printer auto-creation event log preference Specifies which events are logged during the printer auto-creation process By default, errors and warnings are logged. Session printers Lists the network printers to be auto-created in an ICA session
295
Wait for printers to be created (desktop)
Allows or prevents a delay in connecting to a session so that desktop printers can be auto-created This setting does not apply to published applications or published desktops. By default, a connection delay does not occur.
ICA\Printing\Client Printers
Auto-create client printers Specifies which client printers are auto-created By default, all client printers are auto-created. Client printer names Selects the naming convention for auto-created client printers By default, standard printer names are used. Direct connections to print servers Enables or disables direct connections from the host to a print server for client printers hosted on an accessible network share By default, direct connections are enabled. Printer properties retention Specifies whether and where to store printer properties By default, the system determines whether printer properties are stored on the client device, if available, or in the user profile. Retained and restored client printers Enables or disables the retention and re-creation of client printers By default, client printers are auto-retained and auto-restored.
296
ICA\Printing\Drivers
Automatic installation of in-box printer drivers Enables or disables the installation of Windows native drivers as needed By default, native drivers are installed when users log on. Printer driver mapping and compatibility Lists driver substitution rules for auto-created printers
ICA\Printing\Universal Printing
Auto-create generic universal printer Enables or disables auto-creation of the Citrix Universal Printer generic printing object By default, generic universal printers are not auto-created. Universal driver priority Specifies the order in which XenApp attempts to use universal printer drivers Specifies when to use universal printing Specifies whether to use the print preview function for auto-created or generic universal printers By default, print preview is not used for auto-created or generic universal printers.
Universal printing Universal printing preview preference
ICA\Security
SecureICA minimum encryption level Specifies the minimum level at which to encrypt session data sent between the server and a client device
297
By default, the server uses Basic encryption for client-server traffic.
ICA\Session Limits
Concurrent logon limit Specifies the maximum number of connections a user can make to the farm at any given time By default, there is no limit on concurrent connections. Additional ICA\Session Limits rules are available but apply to XenDesktop sessions only: Disconnected session timer Disconnected session timer interval Session connection timer Session connection timer interval Session idle timer Session idle timer interval
ICA\Shadowing
Input from shadow connections Log shadow attempts Allows or prevents shadowing users to take control of the keyboard and mouse of the user being shadowed Allows or prevents recording of attempted shadowing sessions in the Windows event log Allows or prevents shadowed users to receive notification of shadowing requests from other users By default, users are notified when they are being shadowed. Users who can shadow others Specifies the users who can shadow other users
Notify user of pending shadow connections
298
Users who cannot shadow other users
Specifies the users who cannot receive shadowing requests from other users
ICA\Time Zone Control

Local Time Estimation Enables or disables estimating the local time zone of client devices that send inaccurate time zone information to the server By default, the server estimates the local time zone when necessary. Use local time of client Determines the time zone setting of the user session By default, the time zone of the server is used for the session.
ICA\TWAIN Devices
Client TWAIN device redirection Specifies whether users can access TWAIN devices, such as digital cameras or scanners, on the client device from published image processing applications By default, TWAIN device redirection is allowed. TWAIN compression level Specifies the level of compression of image transfers from client to server By default, no compression is applied.
ICA\USB Devices
Client USB device redirection Enables or disables redirection of USB devices to and from the client
299
Client USB device redirection rules Client USB Plug and Play device redirection
Lists redirection rules for USB devices
Specifies whether plug-and-play devices, such as cameras or point-of-sale (POS) devices, can be used in a client session By default, plug-and-play device redirection is allowed.
Server Session Settings

Session importance Single Sign-On Specifies the importance level at which a session is run Enables or disables the use of Single sign-on when users connect to servers or published applications Specifies the UNC path of the Single sign-on central store to which users are allowed to connect
Single Sign-On central store
300
Policy Filtering
During policy creation, administrators must determine whether unfiltered or filtered policies will be created. Unfiltered Unfiltered policy rules apply to all computers or users within the scope of the policy. For Citrix policies configured with GPMC, the scope is all computers or users that belong to the OU to which the GPO is linked. For IMA-based GPOs configured in the Delivery Services Console, the scope is all computers and users within the farm. By default, an Unfiltered policy exists in both the User and Computer nodes. The Unfiltered policy cannot be renamed or removed and another Unfiltered policy cannot be created. By default, there are no rules configured in the Unfiltered policy; an administrator must add and configure rules for the Unfiltered policy. Unfiltered policies should be used only when granular policy control is unnecessary. For example, an Unfiltered policy can be used to assign a Citrix License Server to an entire farm. Other use cases include security or encryption settings that should be applied to all servers and users in the farm or OU.
Filtered
Filtered policies allow administrators to define conditions under which the Citrix policies are applied to users and computers within the scope of the policy. For example, administrators can use a filter to disable client drive mapping for certain devices in the Finance department or enable printer auto-creation for users connecting from a certain IP address range. Citrix policies configured within the Computer node can be filtered based on Worker Groups. Citrix policies configured within the User node can be filtered based on the following criteria: Worker Groups User and user groups Client device name Client IP address range
301
Access control (incoming connections from Access Gateway) To filter policies based on OUs, the OU first must be added to a Worker Group and the Worker Group must be added to the filter. The policy effectively is filtered based on the Worker Group, but because the OU is now inside the Worker Group, the filter will be applied to the OU.
There is no limit to the number of filters that can be applied to a single policy. Instead of creating and linking several separate GPOs, administrators can create a single GPO and use filters to define a variety of conditions for applying the policy rules within that GPO. Filtered and unfiltered user policies remain in effect for the length of the session only. If any changes are made to the policy rules or filters while impacted users have active sessions, those users will not be affected until the next time they initiate a new session.
302
Policy Modeling and Troubleshooting

Administrators can use the Citrix Group Policy Modeling wizard to simulate a user connection in order to test the policy settings ultimately applied to a user session after processing. With the Citrix Group Policy Modeling wizard, administrators can specify conditions for a connection scenario such as domain controller, users, Citrix policy filters, and simulated environment settings such as slow network connection. The wizard connects to the domain controller, reads settings from the SYSVOL and produces a report that lists the Citrix policies that likely would take effect in the scenario. Policy modeling also can be performed using Microsoft Group Policy Modeling. However, this tool will not reflect Citrix policy filters and, instead, assumes that all settings within a policy will be applied. Therefore, using the Citrix Group Policy Modeling wizard is recommended. To launch the wizard from the Group Policy Management Console, right-click the Citrix Group Policy Modeling node and select Citrix Group Policy Modeling wizard. To launch the wizard from the Delivery Services Console, right-click the Citrix Policies node and select Run the modeling wizard. When running the wizard while logged on to the server as a domain user in an Active Directory domain, the wizard calculates the Resultant Set of Policy by including settings from Active Directory GPOs. When running the wizard from the Delivery Services Console, the modeling calculation includes the IMA-based GPO residing on the server. However, when running the wizard from the Delivery Services Console while logged on to the server as a local user, the wizard calculates the Resultant Set of Policy model using only the farm GPO.
Group Policy Results

The Group Policy Results tool helps to evaluate the current state of GPOs in the environment and generates a report that describes how these objects, including Citrix policies, are currently being applied to a particular user and server. The Group Policy Results tool connects to the XenApp server and reads the applied Computer and User policy settings within the registry. As a result, the tool can be useful for troubleshooting policy settings that were already applied to the user session. Group Policy Results requires the user to have logged on to the server at least once.
303
Review
1. Citrix policies can be created using which three management tools? (Choose three.) a. b. c. d. e. Delivery Services Console Terminal Services Manager Advanced Configuration Console Advanced Group Policy Manager Group Policy Management Console
2. When an existing Citrix user policy is changed, how long does the previous policy remain in effect? a. b. c. d. For the length of the session Until the user profile is changed Until the user disables the policy Until the user is moved to another group
3. Which filter is not valid for use with policies in XenApp? a. b. c. d. Servers Worker groups Client device name User and user groups
4. Which two events do not trigger a policy update evaluation? (Choose two.) a. b. c. d. e. f. A user logs on The server is rebooted An OU trust is created A policy update is forced A print server is imported The policy refresh interval is reached
5. Select the correct order in which policies are processed and applied. a. b. c. d. e. Domain GPOs, Local GPOs, IMA-based policies, OU GPOs, Site GPOs IMA-based policies, OU GPOs, Local GPOs, Site GPOs, Domain GPOs Local GPOs, IMA-based policies, Site GPOs, Domain GPOs, OU GPOs OU GPOs, Local GPOs, IMA-based policies, Site GPOs, Domain GPOs Site GPOs, Domain GPOs, Local GPOs, OU GPOs, IMA-based policies
304
Module 10
Configuring Load Management
306
Overview
XenApp administrators configure load management in a farm to facilitate quick and efficient delivery of applications and resources to users. At the end of this module, given an environment containing XenApp, you will be able to: Describe the load balancing process. Identify load calculation rules. Create and assign custom load evaluators. Assign CPU resource preference to servers and users. Configure session connection failover using load balancing policies.
307
Load Manager
Load Manager is used to balance the load created by connections to the server farm. By default, the load is measured and balanced by the number of user sessions on each server. Load Manager offers the following benefits to enterprises: Maximizes system efficiency by balancing published application sessions across the farm based on load limits set in load evaluators Provides pre-defined load evaluators that can be used as a basis for creating customized load evaluators Provides a set of rules administrators can use to tailor custom load evaluators to the server environment to improve server performance, as well as the performance of published resources It is a best practice to examine and evaluate the XenApp servers in a farm before customizing load management.
308
Load Balancing
Load Manager balances server load across the farm by: Using load evaluator rules to calculate server load Identifying which server is least-loaded, based on the rules in the load evaluator Directing client connections to the least loaded server Load Manager calculates server load using load evaluators attached to servers or published applications. When any rule in a load evaluator reports a full load or exceeds its set threshold, the load-managed server is temporarily dropped from the internal list of available servers. The next connection request for a published application is routed to the server in the internal list with the lowest load value. When the load on a server falls below the set threshold, the server is automatically re-added to the internal list of available servers. Servers are continuously added to and removed from the internal list of available servers as server loads and user activities fluctuate. Session sharing always takes precedence over load balancing. That is, if users launch an application that is published on the same server as an application they are already using but the server is at capacity, XenApp still opens the second application on the server. Load management does not transfer the user's request to another server where the second application is published.
309
Load Balancing Process
Load Manager maximizes system efficiency by balancing hosted and streamed application sessions across the farm. The following table describes the load balancing process. 1. Each server calculates its load periodically based on evaluation criteria in the load evaluators assigned to the server and published applications. 2. Each server sends values for all possible load evaluation criteria to the data collector in the zone. 3. The data collector gathers the information and maintains a numeric index for each load-balanced server in the zone. 4. A connection request for a published application is sent to the data collector.
310
5. The data collector uses the load information received from all of the servers to identify the least-loaded server hosting the published application in the zone. If a load balancing policy is enabled and filtered for a worker group, the user will be forwarded to the least-loaded server in that policy. 6. The server IP or FQDN of the least-loaded server is forwarded to the plug-in. 7. The plug-in connects to the identified server using the supplied IP or FQDN. If all servers hosting the published application are at a full load, as specified by the load evaluator rules, the session request is denied. The routing of connections to servers through load management occurs at the session request time. If the load on a server changes after a connection is established, the connection is not redistributed to accommodate the new server load.
311
Load Calculation
Load evaluators consist of rules that determine how load is calculated. These rules can be used to query specific conditions and performance metrics for servers and published applications. Each rule has a unique set of parameters that allows an administrator to specify appropriate thresholds. Load evaluators can consist of one or more rules. When several rules exist in a load evaluator, the rules work together to determine the overall load.
Load Throttling
Load throttling artificially inflates the load value of a server during initial user connection, thereby limiting an influx of new connections to a single server. Each time a new session connects there is a natural, temporary, resource surge on the server. By artificially inflating a server load value while the connections initiate, load throttling decreases the likelihood of slow user connections or server hangings. This is especially important when a large number of users log on simultaneously. The true server load is reported to the data collector after a user session fully initiates. There are five load throttling settings: Extreme High (Default) Medium High Medium Medium Low
The Extreme setting maximizes server performance, allowing one new connection at a time; all other connection requests are denied. An additional connection request is accepted after the first connection fully initiates. The High setting, which is the default, greatly increases the load when a few people log in simultaneously. The other load throttling settings allow more users to log on at the same time.
Load Calculations
The rules associated with a load evaluator are sampled during data collector updates, during session logons and logoffs and at 30-second intervals. The last ten samples are calculated into a running average for each rule and the update is sent to the data collector every five minutes, by default.
312
The load values returned by the rules determine when a full load is reached. The Load Manager does not allow new connections to the server when a load evaluator reports a full load. When the load is less than the maximum, the rules in the load evaluator determine the load of the server. The server that is least-loaded receives the next connection. The load value assigned to a server depends on the rules and parameters within the load evaluator. In instances where a load evaluator contains more than one rule, Load Manager calculates the load for each rule, then applies a complex algorithm that gives the most weight to the rule with the highest load value. All servers must have an assigned load evaluator. If one or more of the applications published on the server also has a load evaluator assigned to it, the load evaluator that produces the highest load value sets the load value for that server. If a change of +/-500 occurs to the server load, the server sends the change to the data collector immediately. Load evaluators can be classified in the following categories: Moving average Moving average compared to high threshold Incremental Boolean
For more information about calculating load with Load Manager, see Citrix Knowledge Base articles CTX103653 and CTX105449 on the www.citrix.com web site.
Moving Average Rules

Load Manager calculates moving average rules based on percentage values. If the result of a moving average rule: Is less than or equal to the low threshold, then Load Manager reports no load Is at or above the high threshold, then Load Manager reports a full load Is between the low and high threshold, then Load Manager determines the load as a percent multiplied by the full load value
313
The rules that use the moving average method to calculate load include: CPU Utilization Defines the range of processor (CPU) utilization for a selected server The default full load value is 90 percent. The default no load value is 10 percent. Keep in mind that CPU utilization spikes at user logon.
Memory Usage
Defines the range of memory usage for a server The default full load value is 90 percent. The default no load value is 10 percent.
If either the CPU Utilization or Memory Usage counter is at 100%, the server reports a full load. The CPU Utilization and Memory Usage rules are used by the Advanced load evaluator.
Moving Average Compared to High Threshold Rules

Load Manager calculates moving average compared to high threshold rules based on the moving average as a percentage of the highest threshold value specified by an administrator. If the result of a moving average load compared to high threshold rule: Is below the low threshold, then Load Manager reports no load Is at or above the high threshold, then Load Manager reports a full load Is between the low and high thresholds, then Load Manager reports a load determined by dividing the rule value by the high threshold The default threshold values are not suitable in all XenApp environments and should be set to values appropriate for the specific environment. The rules that use the moving average compared to high threshold method to calculate load include: Context Switches Defines the range of context switches per second (the number of times the operating system switches from one process to another) for a selected server
314
Disk Data I/O
Defines the range of data throughput (total disk I/O in kbps) for a selected server The default full load value is 32,767 kilobytes per second. The default no load value is 0 kilobytes per second.
Disk Operations
Defines the range of disk operation (read and write cycles per second) for a selected server The default full load value is 100 operations per second. The default no load value is 0.
Load Throttling
Defines the impact that logons have on the server load This rule limits the number of concurrent connection attempts a server is expected to handle and cannot be applied to an individual published application. The Load Throttling rule solves the issue of incorrect load values provided by servers. This issue occurs when: New connections are coming in faster than the servers can send their current load values to the data collector. Servers are restarted and have not sent their load values to the data collector yet. The Load Throttling rule should be used in conjunction with another rule, as it only affects the initial logon period. If the Load Throttling rule is included in a load evaluator, it is ignored when that load evaluator is attached to a published application. The Load Throttling rule is used by both the Default and Advanced load evaluators.
Page Fault
Defines the range of page faults (attempts to access data that has been moved from physical memory to disk) per second for a selected server The default full load value is 2000. The default no load value is 0.
315
Page Swap
Defines the range of page swaps (transfers of data between physical memory and the page file) per second for a selected server The default full load value is 100. The default no load value is 0. The Page Swap rule is used by the Advanced load evaluator.
The threshold values for these rules must be adjusted by an administrator to reflect the actual server capacity.
Incremental Rules
Load Manager calculates incremental rules based on the full load value that is specified by an administrator. The actual load value is calculated by dividing the current load by the rule value and multiplying that result by the number of concurrent connections. The rules that use the incremental method to calculate load include: Application User Load This rule limits the number of users allowed to connect to a selected published application. This rule monitors the number of active and disconnected sessions using the published application. The default full load value is 100. This rule does not apply to streamed to client applications.
Server User Load
This rule limits the number of sessions allowed to connect to a selected server. The default full load value is 100 and represents the maximum number of active and disconnected sessions that the server can support. The Server User Load rule is used by the Default load evaluator.
Boolean Rules
Load Manager calculates Boolean rules based on true or false conditions.
316
The rules that use the Boolean method to calculate load include: IP Range Defines the range of allowed or denied client IP addresses for a published application or server This rule controls access to a published application based on the IP addresses of the client devices. Scheduling Schedules the availability of selected published applications or servers This rule can remove one or more published applications from the list of applications maintained by Load Manager, so server maintenance can be performed.
Boolean rules must be used in conjunction with at least one other rule because they do not return actual load values for a server.
317
Load Evaluator Configuration

By default, XenApp provides the following pre-configured load evaluators.
Default Load Evaluator
The Default load evaluator is attached to each server automatically after XenApp is licensed. The Default load evaluator is based on the Load Throttling and Server User Load rules and functions best when the server hardware in the environment is identical and can adequately support as many as 100 sessions without fully consuming server resources.
318
Advanced Load Evaluator
The Advanced load evaluator is based on the CPU Utilization, Load Throttling, Memory Usage and Page Swap rules. The Advanced load evaluator or a custom load evaluator should be considered for use in environments: When server resources become over-utilized before the maximum number of user sessions specified in the Default load evaluator on the server is reached When published applications are CPU- or memory-intensive When the server is not able to support 100 sessions because of either resource-intensive applications or hardware limitations When the server can support more than 100 sessions The Advanced load evaluator and other load evaluators that include more than one rule calculate their load values by first determining the individual load for each rule within the load evaluator. Load Manager then uses an algorithm to determine the true load value of the server. This algorithm includes all applicable load values and gives the most weight to the load rule with the highest load value. The Default and Advanced load evaluators cannot be modified or deleted; however, an administrator can create custom load evaluators that use the same rules or different rules entirely.
319
Creating Custom Load Evaluators
A custom load evaluator is any load evaluator with the exception of the Default or Advanced load evaluator. A custom load evaluator is necessary if the Default or Advanced load evaluators are not adequate as a result of the server hardware or application configuration in the environment. An administrator can create a custom load evaluator containing one or more rules by creating a new load evaluator or by copying an existing load evaluator and modifying it. To create a new load evaluator, click Load Evaluators in the Delivery Services Console and click New > Add load evaluator. Creating Custom Load Evaluators Example The Default load evaluator is attached to a server. The server consistently reports a full load when 100 sessions are running on the server even though the server could easily handle 15 additional sessions. The administrator wants the Load Manager to direct 15 additional sessions to the server, so a custom load evaluator is created that sets the full load threshold to 115. Creating load evaluators based on a few rules can provide better results than creating complex load evaluators with many rules. However, it is only possible to
320
attach one load evaluator to a server. As a best practice test new load evaluators prior to implementing them in a production environment.
Thresholds for Load Management

When an administrator creates a custom load evaluator, the full load threshold value for the rule can be set. In general, the full load threshold value should be set below the value determined as the maximum server load. To determine the maximum server load, an administrator must first determine the baseline and peak values for key metrics on the server. EdgeSight and Microsoft Performance Monitor are good tools for capturing baseline performance data for use in determining the maximum load a server can handle. Basing a custom load evaluator on qualified threshold data ensures a more accurate utilization of server resources. Example The AppA and AppB applications are published on the servers in the farm. After evaluating the application workload and performance metrics, the servers are expected to accommodate 62 sessions. The administrator creates a custom load evaluator that uses the Server User Load rule configured with a full load threshold of 60 user sessions. The custom load evaluator ensures that a server is available for additional connections to the AppA and AppB applications as long as fewer than 60 user sessions are running on the server.
321
Assigning Load Evaluators to Servers and Applications
Assigning load evaluators to servers is a solution that meets most load management needs, especially in environments where different hardware configurations exist. Assigning load evaluators to applications can help balance the load when an application has extensive resource requirements. For example, a load evaluator can be assigned to an application that is memory intensive so that users will be directed only to servers that have the necessary amount of memory available for use by the application. Only one load evaluator can be assigned to each server and each published application.
An administrator should be aware of the following considerations for assigning load evaluators to applications: If the Load Throttling rule is included in a load evaluator, it is ignored when that load evaluator is attached to a published application. A published application that is installed on a single server does not need to be load managed. Published applications that require significant resources from servers should use load evaluators configured to report full loads at a lower threshold than the actual limits of the server.
322
Load evaluators can be assigned to published applications that are streamed to servers but cannot be assigned to published applications that are streamed to client devices. Applying load evaluators to applications can increase the load on the data collector, consume resources and slow performance. In addition, applying load evaluators to applications can add complexity to the load management process and might not accurately reflect the server load; therefore, applying load evaluators to applications is not a best practice for most environments. To assign a load evaluator to a server, right click the server in the Delivery Services Console and click Other Tasks > Assign load evaluator. To assign a load evaluator to an application, right-click the application in the Delivery Services Console and click Other Tasks > Attach application to load evaluator.
Practice: Load Evaluators

Match the load evaluators listed below with the appropriate scenarios in the following table. Each load evaluator will be used at least once. Default Advanced Custom Load Evaluator Issue All servers in the server farm host the same applications and can support 100 user sessions. The administrator wants to remove one or more published applications from the list of applications for a period of time. All servers in the server farm have different server hardware but host the same published applications. Some servers contain published applications that require significant server resources.
323
Load Balancing Policies

Load balancing policies enable XenApp administrators to optimize access to published resources by ensuring users connect to the most appropriate servers. The decision behind which server is most appropriate is often based on business needs or technical limitations, such as: Directing users to a backup server in the event of an outage This is the most common use for load balancing policies and is commonly referred to as configuring for failover. Directing a specific group of users to a group of dedicated servers Users may be grouped based on their role, such as contractors or remote employees. Servers may be dedicated based on application groupings, administrative requirements or hardware. Reducing WAN traffic and improving user experience by directing users to the closest regional server In addition, load balancing policies can force applications to be streamed.
324
Creating Load Balancing Policies
Load balancing policies are configured in the Delivery Services Console and applied by specifying filters and worker groups.
Filters
Filters specify to whom or to what the policy will apply. A load balancing policy will remain in an inactive state until a filter is configured. The filter types are: Access Control (connections made through Access Gateway) Client IP Address Client Name User
325
Worker Groups
When a worker group filter is applied to a load balancing policy, connections are made based on worker group preference. The worker group with a priority designation of 1 is ranked highest. When a user opens a published application, the load balancing policy directs the connection to servers in the highest priority worker groups first. Connections are redirected to servers in lower priority worker groups if servers in the higher priority worker groups are offline or have reached maximum capacity. Connections are not directed to servers in worker groups that are not included in the worker group preference list. In addition, if a user attempts to open an application that is not installed on any servers in any of the listed worker groups, regardless of priority, the attempt fails and an error is logged to the Application event log on the data collector. When creating more than one load balancing policy, consider any overlaps and prioritize appropriately. To create a load balancing policy, right-click the Load Balancing Policies node in the Delivery Services Console and click Create load balancing policy.
326
Force Application Streaming
The Streamed App Delivery rules within the load balancing policies can override the method for delivering published applications; therefore, it is important to understand the available options and the consequences of selecting them. When publishing a streamed application, an administrator can choose one of the following published application types: Streamed to client Accessed from a server: streamed to server Streamed if possible; otherwise accessed from a server: installed application Streamed if possible; otherwise accessed from a server: streamed to server
The load balancing policy Streamed App Delivery settings include: Allow applications to stream to the client or run on a Terminal Server (default) Force applications to stream to the client Clients that do not support streaming or do not match the profiled operating system will not be able to open the application. Do not allow applications to stream to the client
327
If this option is selected and server access is not allowed for an application, such as when it is configured to stream to the client only, the application connection will fail. If no Streamed Application Delivery policy is configured, then the application delivery method specified in the published application is used.
328
Preferential Load Balancing
Preferential Load Balancing gives administrators the ability to prioritize the allocation of CPU shares to specific users and applications and to direct important user sessions to the XenApp server running the fewest number of important sessions. Preferential Load Balancing is available in the Platinum Edition of XenApp only. Administrators can use Preferential Load Balancing to assign one of the following importance levels to specific user sessions and applications: Low, which has a value of 1 Normal, which has a value of 2 (default) High, which has a value of 3 Administrators apply importance levels to specific user sessions based on the user's job function, position within the company or other meaningful criteria such as which application is running. Preferential Load Balancing calculates an importance index based on the resource allotment for each session. The resource allotment is calculated by multiplying the importance levels of both the session and the published application that is running in the session. This determines how many CPU shares that session will receive in comparison with other sessions on the same XenApp server.
329
The optimal end result is an environment in which important sessions are prioritized, running on servers with few other important sessions, thereby maximizing the user experience.
Resource Allotment and Session Sharing

During session sharing, the resource allotment is calculated based on the maximum application importance level setting, specified in the application properties of all the published applications running in the session, multiplied by the session importance policy setting specified in the Citrix Policies node of the Group Policy Management Console (GPMC). When an application is launched in an existing session, the importance level of the new application is compared with the maximum of all current application importance levels. If the importance level of the new application is greater, the resource allotment is recalculated and the CPU entitlement for the session is adjusted upwards. Similarly, when an application is closed, if the maximum importance level of the remaining applications is lower, the resource allotment is recalculated and the CPU entitlement for the session is adjusted downward. Preferential Load Balancing Example A hospital has several applications installed in its environment and many different types of users accessing these applications. Recently, doctors who access an important published application for patient data have complained about poor performance. Occasionally, nurses also need to access the patient data application, but only for review. Based on this information, an administrator configures Preferential Load Balancing and assigns the specified doctors a High importance level, which has a value of 3 and assigns the nurses a Normal importance level, which has a value of 2. The administrator also assigns the patient data application a High importance level, which has a value of 3. When a doctor connects to the XenApp server hosting the patient data application, the resource allotment for the doctor is calculated by multiplying the importance value of the session (3) with the application value (3), returning a value of 9. A nurse then connects to the same patient data to access the application. The resource allotment for the nurse is calculated at 6. If the doctor and the nurse are the only two sessions on the XenApp server, then the total number of CPU shares available is 15. Because the doctor has a resource allotment value of 9, the doctor receives 60% of the CPU shares. The nurse receives the remaining 40%.
Preferential Load Balancing Considerations

Administrators should be aware of the following considerations when using Preferential Load Balancing: Session initialization and responsiveness are improved. CPU priority of important sessions is dynamically adjusted. Preferential Load Balancing can be used with both ICA and RDP connections to XenApp.
330
Load calculations are completed for both connected and disconnected sessions.
331
Troubleshooting Load Management Issues

An administrator can use the solutions in the following table to address common load balancing issues. Issue Resolution
Load management is not working correctly. Verify that the load evaluators are configured correctly for the environment. Load evaluator is showing full capacity, but Review load evaluator rules and settings. server should still be able to accept additional Re-establish baseline, if necessary. connections.
332
Review
1. An administrator can attach load evaluators to which two components in a server farm? (Choose two.) a. b. c. d. Users Servers Groups Published applications
2. The Default load evaluator is based on which rules? a. b. c. d. Page Faults, Load Throttling Context Switch, Load Throttling Disk Operations, Load Throttling Server User Load, Load Throttling
3. The Advanced load evaluator is based on which rules? a. b. c. d. CPU Utilization, Load Throttling, Memory Usage and Page Swap Load Throttling, Memory Usage, Page Swap and Server User Load CPU Utilization, Load Throttling, Page Swap and Server User Load CPU Utilization, Load Throttling, Memory Usage and Server User Load
4. A server to which the Advanced load evaluator is assigned is dropped from the internal list of available servers when which event occurs? a. b. c. d. When all the rules in the Advanced load evaluator meet their set thresholds When one of the rules in the Advanced load evaluator meets its set threshold When all the rules in the Advanced load evaluator exceed their set thresholds When one of the rules in the Advanced load evaluator exceeds its set threshold
5. An administrator can create a custom load evaluator using which two methods? (Choose two.) a. b. c. d. By using the Load Manager Monitor By duplicating an existing load evaluator By using the New > Add Load Evaluator menu option By altering the rules in either the Default or Advanced load evaluator
6. An administrator can adjust load evaluator properties ____________. (Fill in the blank with the correct answer.) a. At any time b. At the time of creation only
333
c. For the Advanced load evaluator only d. Only when the load evaluator is not being used
334
Module 11
Optimizing the User Experience
336
Module 11: Optimizing the User Experience
Overview
XenApp includes display and HDX features that help to improve user sessions by optimizing the responsiveness of certain types of published applications and improving connection speed and responsiveness. By the end of this module, given an environment containing XenApp, you will be able to: Describe the different session optimization display settings. Describe the different XenApp HDX settings. Identify the Profile management components. Install and configure Profile management.
337
Optimizing Session Performance

Network latency and bandwidth can impact the actual and perceived performance of a session; minimizing the impact of these factors can contribute to a better user experience. XenApp allows an administrator to improve the user experience by configuring the following policies in the Group Policy Management Console or the Delivery Services Console: Display settings HDX Broadcast Session Reliability HDX RealTime HDX Plug-n-Play HDX MediaStream Multimedia Acceleration HDX MediaStream for Flash SpeedScreen Latency Reduction HDX 3D Image Acceleration HDX 3D Progressive Display Profile management
338
Enabling Display Settings
An administrator can configure the display settings to optimize the transmission and display of graphics on the client device. The following display policy rules are found in the Computer Configuration node of a policy: Display memory limit Specifies the maximum video buffer size (in kilobytes) for a XenApp session By default, the display memory limit is configured to 32,768 kilobytes.
Display mode degrade preference
Specifies whether color depth or resolution degrades first when the session display memory limit is reached If color depth is configured to degrade first, images are displayed with fewer colors. If resolution is configured to degrade first, the size (in pixels) of the XenApp session is reduced.
339
Image caching
Retrieves sections of images from the client cache allowing pages to scroll more smoothly Specifies the maximum color depth allowed for a XenApp session By default, the maximum allowed color depth is 32 bits for each pixel.
Maximum allowed color depth
Notify user when display mode is degraded
Displays a message on the client device when the session is degraded as a result of the session display memory limit being exceeded or the client device being unable to support the requested parameters Discards redundant queued images that are replaced by other images Configuring this setting can cause animations to become choppy due to dropped frames.
Queueing and tossing
340
HDX Broadcast Session Reliability

Citrix online plug-in users may encounter times when their client devices lose network connectivity. By default, HDX Broadcast Session Reliability is configured to keep users' sessions displayed on their screens even though their connection to the session has been interrupted. HDX Broadcast Session Reliability allows a user to continue to view, but not interact with, a published resource on the screen of the client device when the connection to the server is temporarily interrupted. When connectivity is resumed, the keystrokes and mouse clicks that were queued are sent to the server and the results are displayed on the client device. HDX Broadcast Session Reliability reconnects the user without a loss of data or the need to re-authenticate. If the seconds to keep the session active setting is exceeded during the interruption, the session is disconnected or reset on the server.
Enabling HDX Broadcast Session Reliability
341
HDX Broadcast Session Reliability is enabled by default and can be configured in the Computer Configuration node of a policy. HDX Broadcast Session Reliability policy rules include: Session reliability connections Session reliability port number Allows or prevents active sessions while network connectivity is interrupted Specifies the TCP port number for incoming session reliability connections The default port number is 2598. Session reliability timeout Specifies the length of time, in seconds, the session reliability proxy waits for a client to reconnect before allowing the session to be disconnected The default timeout is 180 seconds.
Understanding HDX Broadcast Session Reliability Considerations

Administrators should consider the following points when configuring HDX Broadcast Session Reliability: Because HDX Broadcast Session Reliability does not require re-authentication, the amount of time to keep the session active while waiting for connectivity to resume should be kept to a minimum. This decreases the likelihood that the session will be accessible to unauthorized users should the user walk away from the client device. HDX Broadcast Session Reliability tunnels the ICA traffic through the Common Gateway Protocol (CGP) on port 2598. If port 1494 has been optimized for ICA traffic, these optimizations will not apply when HDX Broadcast Session Reliability is in use until they are applied to port 2598.
342
HDX RealTime
HDX RealTime enhances real-time communications in a XenApp session by leveraging technologies at the client device and in the datacenter. HDX RealTime features include: Webcam support for Windows client devices Microsoft Office Communicator support for audio and video conferencing Softphone and voice chat support HDX RealTime is only available for Windows client devices.
343
Enabling HDX RealTime
The HDX RealTime feature is enabled by default and can be configured in the Computer Configuration node of a policy. HDX RealTime policy rules include: HDX MediaStream Multimedia Acceleration Controls and optimizes the way XenApp servers deliver streaming audio and video to users Enabling this setting increases the quality of audio and video rendered from the server to a level that compares with audio and video played locally on a client device. Multimedia conferencing Allows or prevents support for video conferencing applications To use multimedia conferencing, verify that the HDX MediaStream Multimedia Acceleration policy rule is enabled.
344
Understanding HDX RealTime Design Considerations

Administrators must understand the following HDX RealTime design considerations: Only one multimedia conferencing device is supported in a XenApp session. The Office Communications Server (OCS) renders the incoming compressed video, which increases the CPU cycles on the XenApp server. Branch Repeater cannot be used to compress audio and video traffic. HDX RealTime is recommended only for users in a LAN environment.
ICA Pass-through connections are not supported. For example, users cannot connect to a multimedia-rich application through a virtual desktop and utilize HDX RealTime. The Client audio redirection policy rule must be enabled to allow for audio input through a microphone.
345
HDX Plug-n-Play
HDX Plug-n-Play allows users in a XenApp session to interact with portable USB devices that are connected to their client device. Users can connect or disconnect a portable USB device to a XenApp session at any time, regardless of whether the session was started before or after the USB device connection. USB devices that are supported include: 3D Mice Digital cameras Scanners Headsets Microphones Point-of-sale devices
346
Webcams HDX Plug-n-Play is only available for Windows client devices.
Enabling HDX Plug-n-Play
HDX Plug-n-Play for portable USB devices is enabled by default and can be configured in the Client USB Plug and Play device redirection policy. By configuring this policy, an administrator can specify whether USB devices, such as cameras or point-of sale (POS) devices, can be used in a XenApp session.
347
Understanding HDX Plug-n-Play Design Considerations

Administrators must understand the following HDX Plug-n-Play design considerations: Many USB devices will not function properly in low-bandwidth or high-latency networks. HDX Plug-n-Play is recommended only for users in a LAN environment.
ICA Pass-through connections are not supported. For example, users cannot connect through a virtual desktop and utilize a USB device.
348
HDX MediaStream Multimedia Acceleration

HDX MediaStream Multimedia Acceleration optimizes multimedia playback on servers with published instances of Internet Explorer, Windows Media Player 10, RealOne Player, DirectShow-based media players and remote desktop connections to a server with these applications installed. When enabled, the XenApp server delivers multimedia to the client in a compressed form, which reduces bandwidth consumption. The client device then decompresses and renders the multimedia, which reduces the CPU utilization on the server. XenApp supports all DirectShow and Windows Media Foundation formats, including .AVI, .MPEG, .MPG, .MWV/.WMA and .ASF/.ASX. HDX MediaStream Multimedia Acceleration does not support media files protected with Digital Rights Management (DRM). To play back a multimedia file, a codec compatible with the encoding format of the multimedia file must be present on the client device. If a client device is missing a codec for a particular multimedia file format, it can be downloaded from the web site of the file format vendor. File formats are not the same as media types. File formats encapsulate various media types. For example, an .AVI file can contain DIVX video and AC3 digital audio media types and would require both codecs for proper playback.
HDX MediaStream Multimedia Acceleration Benefits

Benefits of HDX MediaStream Multimedia Acceleration include: Improved user experience because multimedia playback in a XenApp session plays as smoothly as a local playback Minimized server CPU utilization because the multimedia stream is sent directly to the client device in a compressed form, which allows the CPU on the client device to perform the decompression and rendering of multimedia content Decreased network bandwidth because the multimedia content sent over the network using the ICA protocol is in a compressed format
349
Enabling HDX MediaStream Multimedia Acceleration
The HDX MediaStream Multimedia Acceleration settings are enabled on all servers in the server farm by default, while audio on the client device is disabled by default. To run multimedia applications in a session, an administrator must enable audio on both the client device and the server. HDX MediaStream Multimedia Acceleration settings can be configured in the Computer Configuration node of a policy. HDX MediaStream Multimedia Acceleration policy rules include: HDX MediaStream Multimedia Acceleration HDX MediaStream Multimedia Acceleration default buffer size Controls and optimizes the way XenApp servers deliver streaming audio and video to users Allows the administrator to customize the buffer time based on the capabilities of the client device and the speed of the network An administrator can accept the default buffer time of five seconds or customize the buffer time. Increasing the buffer time creates a smoother user experience but increases
350
memory usage on both the client device and server. The default buffer time is sufficient in most cases. Values can be set to: 1 to 4 to reduce the memory used for multimedia playback on the server and the client device 6 to 10 to improve multimedia playback in networks with high latency
HDX MediaStream Multimedia Acceleration default buffer size use
Uses the buffer size specified in the HDX MediaStream Multimedia Acceleration default buffer size policy rule
351
HDX MediaStream for Flash

HDX MediaStream for Flash optimizes the way in which servers render and pass Adobe Flash animations to client devices. HDX MediaStream for Flash forces the Flash Player to start in a low-quality mode instead of the default high-quality mode. The low-quality mode renders Flash animations, videos and applications at a lower quality level, thus reducing server and network load, resulting in greater scalability. In most cases, the lower quality is not noticed by users.
Enabling HDX MediaStream for Flash
HDX MediaStream for Flash is enabled by default and can be configured in the User Configuration node of a policy.
352
HDX MediaStream for Flash policy rules include: Flash acceleration Enables or disables Flash content rendering on client devices instead of the XenApp server Allows or prevents the recording of Flash events in the Windows application event log Specifies a threshold between 0-5000 milliseconds to determine where Flash content is rendered During startup, HDX MediaStream for Flash measures the latency between the server and client device. If the latency is under the threshold, HDX MediaStream for Flash is used to render Flash content on the client device. If the latency is above the threshold, the XenApp server renders the Flash content. The default threshold is set to 30 milliseconds.
Flash event logging Flash latency threshold
Flash server-side content fetching whitelist
Lists web sites from which Flash content is allowed to render on the client device Flash content on unlisted web sites is rendered on the XenApp server. It is not necessary to add the http:// or https:// prefix to the listed URL strings, as they are ignored. Wildcards (*) are valid at the beginning and end of a URL string.
Flash URL blacklist
Lists web sites from which Flash content is rendered on the XenApp server Flash content on unlisted web sites is rendered on the client device. It is not necessary to add the http:// or https:// prefix to the listed URL strings, as they are ignored. Wildcards (*) are valid at the beginning and end of a URL string.
353
Flash quality adjustment
Adjusts the quality of Flash content rendered on session hosts to improve performance Setting options include: Do not optimize Adobe Flash animation options Optimize Adobe Flash animation options for all connections Optimize Adobe Flash animation options for low bandwidth connections only
354
SpeedScreen Latency Reduction

Users who connect to the server over a high-latency network connection can experience delays when clicking the mouse or pressing keys on the keyboard. The delay in response can cause a user to click items several times or press keys repeatedly while waiting for feedback. SpeedScreen Latency Reduction can be configured to improve users' perceived experience by emulating system processes on the client device.
Enabling SpeedScreen Latency Reduction
SpeedScreen Latency Reduction settings include: Mouse Click Feedback Changes the appearance of the mouse pointer from idle to busy after a user clicks a link This change provides the user with feedback that the system is processing the request. By default, Mouse Click Feedback is enabled and can be configured at the server level using the SpeedScreen Latency Reduction Manager tool.
355
Local Text Echo
Allows the plug-in to use fonts on the client device to display text as the user types and the plug-in is awaiting the redrawn screen from the server By default, Local Text Echo is disabled and can be configured at the server and application level using the SpeedScreen Latency Reduction Manager tool. Settings made at an application level override the server settings. Some applications that use non-standard Windows APIs for displaying text may not support Local Text Echo.
SpeedScreen Latency Reduction settings are configured using the SpeedScreen Latency Reduction Manager tool.
356
HDX 3D Image Acceleration

The size of the image affects the network traversal time of the file. Image files typically contain redundant information that is not necessary for the image redrawing process on the client device. HDX 3D Image Acceleration uses a lossy compression scheme to reduce the size of the image file by removing redundant data, which reduces the amount of bandwidth needed to transfer the file. This feature allows for quicker image transfer by reducing the quality of the image that appears on the client device. The image quality loss from HDX 3D Image Acceleration is minimal in most cases; however, an administrator should use proper discretion when enabling this feature in an environment where image quality is crucial, such as with medical imaging.
Enabling HDX 3D Image Acceleration
HDX 3D Image Acceleration is configured at a medium lossy compression level by default and can be configured in the User Configuration node of a policy.
357
HDX 3D Image Acceleration policy rules include: Lossy compression level Reduces the size of the image file by removing redundant data, which reduces the amount of bandwidth needed to transfer the file The following table identifies the lossy compression levels. Lossy compression level High Medium (Default) Low None Image quality Low Good Best Same as original Bandwidth requirements Lowest Lower Higher Highest
Lossy compression threshold value
Enables HDX 3D Image Acceleration compression when the available bandwidth is below the specified threshold
358
HDX 3D Progressive Display
HDX 3D Progressive Display is an extension of HDX 3D Image Acceleration and can be configured to improve user interactivity when displaying high-detail images. HDX 3D Progressive Display auto-detects the available bandwidth. If bandwidth is limited, the level of compression temporarily increases and the image quality when it is first transmitted over a limited bandwidth connection decreases to provide a fast (low quality) initial display. If the image is not immediately changed or overwritten by the application, it is then improved in the background to produce the normal quality image, as defined by the lossy compression level. The quality of the final image is controlled by the configuration of HDX 3D Image Acceleration.
359
Enabling HDX 3D Progressive Display
HDX 3D Progressive Display is disabled by default and can be configured in the User Configuration node of a policy. HDX 3D Progressive Display policy rules include: Progressive compression level Provides a less detailed, but faster initial display than lossy compression The following table identifies the image quality that results from the selection of each Progressive compression level. Progressive compression level Ultra High Very High High Medium Image quality Ultra Low Very Low Low Medium
360
Progressive compression level Low None (Default) High
Image quality
No Progressive Display
For example, if an administrator sets the Progressive compression level to Very High, the resulting image quality will be Very Low. For progressive compression to be effective, the Progressive compression level must be set higher than the Lossy compression level. If the Lossy compression level is set to "None," then the Progressive compression level field can be set to any compression level. These settings should be tested in the environment to ensure that the user is provided with satisfactory image quality. For example, if the Lossy compression level is set to "Low," then the setting in the Progressive compression level field must be set to "Medium" or a value that provides greater compression. Progressive compression threshold value Progressive heavyweight compression Enables HDX 3D Progressive Display compression when the available bandwidth is below the specified threshold
Reduces bandwidth further without losing image quality by using a more advanced, but more CPU-intensive graphic algorithm
361
Practice: Determining the Session Optimization Technology

Match the session optimization technology listed below with the issue that each would best resolve. 1. 2. 3. 4. 5. 6. HDX RealTime HDX Plug-n-Play HDX 3D Image Acceleration HDX MediaStream for Flash SpeedScreen Latency Reduction HDX MediaStream Multimedia Acceleration Session Optimization Technology Scenario Graphic artists experience long load times when viewing images with published photo imaging software. Accounting users experience slow keyboard and mouse response when using all published applications. Users in Human Resources experience choppy playback when viewing training videos using published Windows Media Player. Executives request the ability to use Microsoft Office Communicator as a video conferencing tool. Graphic artists request the ability to use 3D mice within a published application. Marketing users experience choppy playback of all Flash media when using published Internet Explorer.
362
User Profiles
A user profile contains information about the Windows configuration or XenApp session for a specific user. This information can include, but is not limited to, the arrangement of the desktop, screen colors, screen savers, network connections, window size and position, printer connections and mouse settings. Each time a user logs on to a session, the user's profile loads and the environment is configured according to the information in the profile. A user profile consists of the following elements: A registry hive A set of profile folders stored in the file system
Differentiating User Profile Types

Administrators must be familiar with the following user profile types to properly manage a corporate environment: Local user profiles When a user logs on to a client device for the first time, a local user profile is created and stored on the local hard disk of the client device. Changes made to the local user profile are specific to the user and to the client device on which the changes are made. A roaming user profile is a copy of a local user profile that is stored on a network share. A roaming user profile allows users to experience a consistent desktop experience from different client devices that are joined to a Windows Server domain. When a user logs onto a new client device, the roaming user profile downloads to the client device. When the user finishes the session and logs off of the client device, any changes made to the roaming user profile are synchronized with the copy of the profile on the network share. A mandatory user profile is a read-only user profile that administrators can pre-configure for users. System administrators can specify how a user's environment will be configured at logon and configure the preference settings for the user. Any changes made by a user to desktop
Roaming user profiles
Mandatory user profiles
363
settings and files are discarded when the user logs off from the client device. Mandatory profiles can be created from local or roaming user profiles.
Temporary user profiles
A temporary user profile is issued whenever an error prevents the user's profile from loading properly. Temporary profiles are deleted at the end of each session, and any changes made by a user to desktop settings and files are discarded when the user logs off from the client device.
For more information about user profiles, see the User Profile Best Practices for XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Redirecting User Data

Folder redirection provides administrators the ability to modify the target location of folders found within the user profile. Folder redirection is transparent to users and gives them a consistent way of saving data, regardless of storage location. Configuring folder redirection reduces the size of the user profile and decreases user logon times by storing the user-created data in a network location and allows users access to their data, regardless of the client device. Careful consideration should be given when redirecting the users' application data folder. Some applications continually read from and write to the application data folder, which can cause increased network utilization.
Managing User Profiles

Citrix Profile management allows administrators to select specific parts of a profile to be saved at logon and logoff. Profile management provides a method of saving personalized user profile settings while decreasing the size of user profiles. Determining which profile settings to save involves understanding the applications in use and the user interactions with the applications within the XenApp sessions. By fully understanding a user's workflow, administrators can provide a productive environment for users while reducing excessive profile size for better performance. For example, if Microsoft Office is used as an enterprise application within an organization, configuring Profile management to store user changes from the Microsoft Office suite of
364
applications is necessary. Saving settings for other applications that are not part of the enterprise application set should be avoided. Profile management is available with the Enterprise and Platinum Editions of XenApp.
Enabling Profile Management
An administrator can use the following procedure to enable Profile management in a production environment. 1. Download the Profile management package from www.citrix.com. 2. Install the Profile management software on all XenApp servers in the farm. Administrators can install the Profile management software using a distribution tool, such as Citrix Merchandising Server, an imaging solution, streaming technology, manually or by performing an unattended installation.
365
3. Create a GPO for enabling or disabling Profile management and link it to the OU that contains all of the XenApp servers in the farm. 4. Apply the ADM file included in the Profile management package to the GPO. 5. Configure the ADM template or the INI files included in the Profile management package or using Group Policy. Settings include: Processed groups Process logons of local administrators Path to user store Citrix recommends configuring the ADM template using Group Policy, if possible.
6. Enable the Profile management policy using the Group Policy Management Console. For more information about Citrix Profile management, see the Profile management documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Understanding the Profile Management Logon Process
The following steps describe how Profile management handles a user's profile: 1. A user starts a session on a XenApp server with Profile management enabled. 2. The Citrix Profile management service determines if the user is a member of the processed group defined in the Profile management ADM file. If the user is a member of the processed
366
3.
4. 5.
6.
group, the Citrix Profile management service attempts to load the user's profile from the user store. If the user is not a part of the processed group, a Microsoft local or roaming profile is assigned to the user. If the user is a member of the processed group, Profile management verifies that the user store contains the user's profile that is managed by Profile management. If the user's profile is not found in the user store, then Profile management migrates the user's local or roaming profile to the user store or creates a new profile from the template profile defined by the administrator. A local profile that is managed by Profile management is copied or streamed from the user store to the XenApp server. Profile management monitors the user's profile and logs any changes to the user's profile by comparing the profile to the Master File Table (MFT) cache file. The MFT cache file is located in the Profile management installation directory by default. Upon user logoff, Profile management exports the changes made to the user's profile back to the user store. Administrators can configure the Profile management ADM file to delete locally cached profiles upon user logoff. For more information about the Profile management logon and logoff process, see the Profile management documentation on the http://support.citrix.com/proddocs/index.jsp web site.
367
Troubleshooting User Experience Issues

An administrator can use the solutions provided in the following table to address user experience issues. Issue Users are unable to utilize a USB device during a session. Resolution Verify that the USB device is supported for use with HDX Plug-n-Play.
Users are unable to utilize Verify that the latest version of the codec for the multimedia-rich applications during multimedia-rich application is installed on the client a session. device. Users are unable to view Adobe Flash Verify that the latest version of Adobe Flash Player animations during a session. is installed on the client device. Verify that the latest version of the Citrix online plug-in is installed on the client device. Users are not assigned the proper profile after logging on to the client device. Verify that the path to the profile store is configured correctly. Verify that the user is part of the processed group. Process the logons of local administrators, if necessary.
368
Review
1. If a client device is connected to XenApp server over a slow connection and the user is experiencing delayed mouse clicks and keyboard response, which type of session optimization technology should be implemented to address this issue? a. b. c. d. HDX RealTime HDX MediaStream for Flash SpeedScreen Latency Reduction HDX MediaStream Multimedia Acceleration
2. An administrator should publish __________ and enable __________ for users who need to watch videos and require high quality. a. b. c. d. Firefox, HDX 3D Image Acceleration QuickTime, HDX MediaStream for Flash Outlook, SpeedScreen Latency Reduction RealOne Player, HDX MediaStream Multimedia Acceleration
3. Which three statements about HDX 3D Image Acceleration are correct? (Choose three.) a. b. c. d. e. HDX 3D Image Acceleration works best with medical imaging. HDX 3D Image Acceleration can be enabled using a Citrix policy. HDX 3D Image Acceleration removes redundant data from an image file. HDX 3D Progressive Display works in conjunction with HDX 3D Image Acceleration. HDX 3D Image Acceleration provides a high image quality when the compression level is set to high compression.
4. Which statement about HDX MediaStream for Flash is true? a. It auto-creates printers after the Flash Player launches. b. It auto-creates printers before the Flash Player launches. c. It forces the Flash Player to start in a high-quality mode instead of the default low-quality mode. d. It forces the Flash Player to start in a low-quality mode instead of the default high-quality mode. 5. Which three statements are true concerning HDX Broadcast Session Reliability? (Choose three.) a. HDX Broadcast Session Reliability reconnects the user without the loss of data. b. HDX Broadcast Session Reliability resets the user connection upon session interruption. c. HDX Broadcast Session Reliability reconnects the user without requiring re-authentication.
369
d. HDX Broadcast Session Reliability tunnels the ICA traffic through the Common Gateway Protocol (CGP) on port 1494. e. HDX Broadcast Session Reliability tunnels the ICA traffic through the Common Gateway Protocol (CGP) on port 2598.
370
Module 12
Configuring Self-Service Applications
372
Module 12: Configuring Self-Service Applications
Overview
Providing self-service access to enterprise applications simplifies ongoing user maintenance activities. Allowing users to choose which application they need from a list of approved applications offloads user application management tasks from an administrator. The following technologies make application self-service possible: Citrix Receiver Citrix Receiver is a lightweight software client that runs on user devices, including laptops, desktop workstations and mobile devices. The Receiver allows IT departments to deliver applications and desktops to users as an on-demand service regardless of the location or type of user device. Merchandising Server is a virtual appliance located in the datacenter that manages the setup, distribution and updates of plug-ins for Citrix Receiver. After performing a simple, one-time setup for Citrix Receiver, users automatically receive their plug-ins from Merchandising Server. Plug-ins are integrated into and managed by Citrix Receiver. The following plug-ins enable users to access their applications. Citrix Online Plug-in Citrix Offline Plug-in Citrix Dazzle Enables users to access hosted applications from a desktop or the Web Interface Enables users to stream applications to their desktops and open them locally Enables users to select the applications that they use most frequently and place those applications in their Start menu When a user clicks a selected application, the online plug-in, offline plug-in or App-V client will launch the application.
Citrix Merchandising Server
Citrix Plug-ins
373
Microsoft App-V Client
Enables users to access App-V virtualized applications The Microsoft App-V Client is not a Citrix plug-in but can be used for application delivery with XenApp.
At the end of this module, you will be able to: Explain the role of Citrix Receiver. Identify the plug-ins managed by Citrix Receiver. Install Citrix Receiver for Windows. Explain the role of Citrix Dazzle. Identify the components of Citrix Merchandising Server. Explain the Citrix online plug-in architecture and communication.
374
Citrix Receiver
Citrix Receiver enables users to access virtual applications and desktops on any device. With Citrix Receiver installed on a device, IT can deliver applications and desktops as an on-demand service with no need to manage the physical device or its location. This model enables IT to effectively operate as a service provider with complete control over security, performance, and most importantly, user experience.
Citrix Receiver for Windows

Citrix Receiver for Windows is a lightweight software client with an extensible browser-like plug-in architecture. Merchandising Server provides the administrative interface for configuring, delivering and upgrading plug-ins for client devices running Citrix Receiver. After performing a simple, one-time setup for Citrix Receiver, users automatically receive their plug-ins from the Merchandising Server. The first time Citrix Receiver for Windows requests a delivery from the Merchandising Server, the user enters credentials for access. As soon as the user is authenticated, a unique token is generated and installed on the user's client device. Subsequent requests from the Receiver to
375
the Merchandising Server are validated with this token, eliminating the need for repeated logons. The token prevents subsequent requests for user authentication credentials. Therefore, Citrix Receiver is not recommended for shared physical systems. Citrix Receiver for Windows has the following system requirements: .NET Framework version 2.0 or later One of the following browser versions: Internet Explorer 7.x or Internet Explorer 8.x Firefox version 2.x or 3.x One of the following operating systems: Windows XP Professional, 32-bit or 64-bit SP3 Windows Vista, 32-bit or 64-bit SP2 Windows 7, 32-bit or 64-bit Windows Server 2003, 32-bit or 64-bit SP2 Windows Server 2008, 32-bit or 64-bit SP2 Windows Server 2008 R2 Individual plug-ins have separate system requirements which may differ from those for the Citrix Receiver. Users must have administrator privileges on their client device to install Receiver for Windows software from the Download page. The administrator must either grant the users administrator privileges to perform the initial installation or push the Citrix Receiver for Windows installation to their users' client devices. Administrator privileges on the users' client devices are not required after installation is completed.
Citrix Receiver for Macintosh

Citrix Receiver for Macintosh is a lightweight software client with an extendable browser-like plug-in architecture. After performing a simple, one-time setup for Citrix Receiver, users automatically receive their plug-ins from the Merchandising Server. Citrix Receiver for Macintosh has the following system requirements: One of the following operating system versions: Mac OSX 10.5, 32-bit or 64-bit (Intel only) Mac OSX 10.6, 32-bit or 64-bit
376
Citrix Merchandising Server
Citrix Merchandising Server is a virtual appliance, available as a free download, which runs on either Citrix XenServer or VMware ESX. Merchandising Server helps create, deliver and manage a high quality user experience on Windows and Macintosh systems. IT can "merchandise" services in a simple way that seamlessly connects users to virtual applications, desktops and other services, much in the same way retail merchandising managers create a compelling shopping experience for their customers. Merchandising Server provides easy management, setup and distribution of the Citrix Receiver and plug-ins. After performing a simple, one-time setup for Citrix Receiver, users automatically receive their plug-ins from the Merchandising Server.
377
Citrix Merchandising Server Architecture
Citrix Merchandising Server connects to the following components. Component Active Directory Description Protocol
Merchandising Server connects to Active Directory to LDAP: 389 acquire user and group information, which allows the administrator to grant Administrator and Auditor permissions to specific users and create distribution lists for plug-in deliveries. Merchandising Server communicates with Citrix HTTPS: 443 Receiver to deliver plug-ins to Windows and Macintosh systems. Merchandising Server communicates with the Citrix HTTPS: 443 Update Service to download new and updated plug-ins posted by Citrix. The Citrix Update Service requires an Internet connection to contact https://citrix.com.
Citrix Receiver
Citrix Update Service
Merchandising Server Administrator Console
Administrators configure the Merchandising Server, HTTPS: 443 upload plug-in installation files and schedule deliveries using the Merchandising Server Administrator Console.
378
Citrix Dazzle
Citrix Dazzle is a self-service storefront for enterprise resources that gives users self-service access to the applications, desktops and content that they need to work productively. Dazzle represents a XenApp Services site as a store, which contains resources that users may want to add to their Start menu. Users can add several stores to the Dazzle storefront from the client device. Administrators can also configure stores on the Merchandising Server, which will deliver the URL of the XenApp Services site to Dazzle. When users start Dazzle, the stores contain the resources that were made available by an administrator. Users can then choose exactly what they need, when they need it. They simply browse or search for the resources they require and subscribe with a single click. Administrators can advertise XenApp published applications and services, as well as Microsoft App-V packages for easy, on-demand access by users.
379
Citrix Dazzle Communication Process
Citrix Dazzle integrates with Citrix Receiver and an existing XenApp infrastructure. The following process describes the communications between Dazzle and other XenApp components when delivering self-service applications to users: 1. Citrix Receiver starts automatically when the user logs on to a client device. 2. The user logs on to the stores that Dazzle is configured to contact. If Dazzle has not been run before, or if the user has not yet subscribed to any applications, Dazzle starts automatically. 3. Dazzle contacts the stores on the Web Interface, which authenticates the user to the XenApp farms that provide the applications for the stores. 4. Dazzle aggregates applications from all the stores into the same interface, displaying only those applications that the administrator has made available for the particular user. 5. The user selects and organizes applications using Dazzle. 6. Shortcuts to the selected applications are added to the user's Start menu. 7. Offline applications that the user subscribed to are downloaded from the XenApp farm to the client device by the Citrix offline plug-in. After downloading is complete, the applications are available for use. 8. The user clicks a shortcut in the Start menu to launch an application. For online applications, the Citrix online plug-in initiates a session with a XenApp server hosting the application.
380
For offline applications, the application starts and runs locally in an isolation environment. The Dazzle communication process is slightly different on a Macintosh system. Application shortcuts are placed in the Applications folder rather than the Start menu.
381
Plug-ins
Plug-ins are the components of XenApp that users run on their client devices to access resources published on XenApp servers. A published resource can be an application, content or the desktop of a server. Plug-ins extend the reach of Windows-based, Java-based and UNIX-based applications to virtually any client platform or device. XenApp supports the following plug-ins: Dazzle Allows users to select the applications that they use most frequently and place those applications in their Start menu Enables users to access hosted applications from a desktop or the Web Interface Enables users to stream applications to their desktops (both physical and virtual) and open them locally Enables users to access App-V virtualized applications
Online plug-in
Offline plug-in
Microsoft App-V Client
382
Secure access plug-in
Provides a single point of secure remote access to virtual desktops and applications Maintains and consolidates a user's roaming profile Provides real-time monitoring of the user experience Accelerates and optimizes WAN traffic Enables the use of EasyCall voice services to call phone numbers from any application using any phone Provides password security and single sign-on access to Windows and web applications
Profile management plug-in Service monitoring plug-in Acceleration plug-in Communications plug-in
Single sign-on plug-in
Many of these plug-ins have separate versions to support both Windows and Mac users. The following plug-ins provide additional cross-platform support: Client for Java Uses a Java applet that provides access to hosted applications from any client device with a standard web browser Enables users to access hosted applications from a Linux system Enables users to access hosted applications from Apple iPhone and iPod Touch devices
Citrix Receiver for Linux
Citrix Receiver for iPhone
Plug-in Delivery
Administrators have several options for delivering plug-ins to user devices. Method Citrix Receiver and the Merchandising Server Description Citrix Merchandising Server and Citrix Receiver work together to streamline the installation and management of application delivery to user desktops. Merchandising Server provides the administrative interface for configuring, delivering and upgrading plug-ins for users' client devices.
383
Method
Description IT can "merchandise" services in a simple way that seamlessly connects users to virtual applications, desktops and other services.
Web Interface
The Web Interface provides users with access to published resources through a standard web browser or through the Citrix online plug-in. When users access a Web Interface site from a Windows-based client device and a plug-in is not detected or the current plug-in on the client device is not up-to-date, the Web Interface site attempts to automatically install a plug-in on the client device. Administrators can use a group policy to distribute plug-ins based on organizational unit, machine name or user name. Administrators can use a variety of third-party software distribution products to automatically deploy and install plug-ins on client devices. Administrators can install individual plug-ins on users' systems or upload a plug-in to a web server and direct users to download and install the plug-in on their own. Users may require administrator privileges on their system to install a plug-in.
Active Directory Electronic Software Distribution (ESD) Manual Installation
384
Citrix Online Plug-in for Windows
The Citrix online plug-in for Windows allows users to access their published resources from a familiar Windows desktop environment. Users work with published resources the same way they work with local applications and files. By default, published resources are represented in the Start menu by icons that behave just like local icons. Users can double-click, move and copy icons and create shortcuts in their location of choice.
System Requirements
Administrators can install the Citrix online plug-in for Windows manually or through the Citrix Receiver. The online plug-in for Windows can be installed on client devices that meet the software requirements in the following table. Component Operating System Requirement Windows Server 2008 R2
385
Component Browser
Requirement Windows Server 2008, 32-bit edition or 64-bit edition Windows Server 2003, 32-bit edition or 64-bit edition Windows XP Professional, 32-bit edition or 64-bit edition Windows XP Embedded Windows Vista, 32-bit edition or 64-bit edition Windows 7, 32-bit edition or 64-bit edition
Internet Explorer version 6.x - 8.x Firefox version 1.x - 3.x
The online plug-in can be installed on client devices that meet the following hardware requirements: VGA or SVGA video adapter with color monitor Windows-compatible sound card for sound support (optional) A working network or Internet connection to servers
Installation Considerations
Different enterprises have different corporate needs, and the expectations and requirements for the way users access published resources and virtual desktops can shift as corporate needs evolve and grow. The Citrix plug-ins differ in terms of: Access method Installation file Supported features For a list of features, see the Receiver and Plug-ins documentation on the http://support.citrix.com/proddocs/ index.jsp web site. The following table describes the access methods for the online plug-ins. Plug-in Installation File Access Method
Citrix online plug-in CITRIXONLINEPLUGINFULL.EXE Transparent integration of published resources into user's desktop
386
Plug-in
Installation File
Access Method
Citrix online plug-in CITRIXONLINEPLUGINWEB.EXE Web browser-based access to Web published resources The Citrix online plug-in can also be installed through a command line interface, which provides additional options. For more information on command line installation, see the Receiver and Plug-ins documentation on the http://support.citrix.com/ proddocs/index.jsp web site.
Citrix Online Plug-in for Mac

The Citrix online plug-in for Mac allows users to access published resources from a familiar Macintosh desktop environment. Users work with published resources the same way they work with local applications and files. Published resources are represented on the local desktop, by icons that behave just like local icons, on the Dock or in the Dazzle folder available from the Finder. Users can also access published resources from within a familiar browser environment, by clicking links on a web page published to the corporate intranet or the Internet.
System Requirements
Administrators can install the Citrix online plug-in for Mac manually or through the Receiver. The online plug-in supports Mac OS X, Version 10.4 and above. Not all combinations of OS version and processor type (Intel-based or PowerPC) support installation through the Citrix Receiver. For more information, see the Receiver and Plug-ins documentation on the http://support.citrix.com/proddocs/index.jsp web site. The Citrix online plug-in for Mac can be installed on client devices that meet the following hardware requirements: At least 256MB of RAM 29MB of free disk space A working network or Internet connection to servers
387
Citrix online plug-in for Mac contains two installation packages. Administrators can install these plug-in installer packages with almost no user interaction.
CITRIX_ONLINE_PLUGIN.DMG
Complete package, with full feature support Smaller package with limited feature support that can be deployed from a web page The Citrix online web plug-in for Mac package does not include Dazzle.
CITRIX_ONLINE_PLUGIN_WEB.DMG
Client for Java

The Client for Java is a Java applet that provides access to applications running in a farm from any client device with a standard web browser. The applet is a download-and-run, zero-install client, optimized for use in environments where it is not possible or desirable to install software on the client device. The Client for Java does not support all features supported by other plug-ins. For a list of features, see the Receiver and Plug-ins documentation on the http://support.citrix.com/proddocs/index.jsp web site. Administrators do not need to install any software on the client device. Users require only a Java-compatible web browser. Setup is transparent and automatic. Unlike other plug-ins, which are downloaded once and then saved for future use by client systems, the Client for Java is not stored permanently by the client device. However, Java environments provide a separate cache for Java applets, which administrators can configure in the plug-in control panel.
388
System Requirements
The Client for Java can run on client devices that meet the following requirements: A web browser with Java 2, Standard Edition Version 1.4.x or 1.5.x, configured to accept signed Java applets Network access to the web server that stores the client files
Deployment Considerations
The following resources are required to deploy the Client for Java: A copy of the client package, which can be downloaded from the www.citrix.com web site or copied from the Citrix XenApp 6 media On the web site, the client package is available in the following formats: .ZIP, which is primarily used on Windows systems .TAR.GZ, which is primarily used on UNIX systems A means of decompressing and unpacking the .ZIP or .TAR.GZ package, if downloaded from the web site Administrator access to a web server If deploying the client using the Web Interface, an administrator can configure client deployment options using the Web Interface Management console.
Citrix Receiver for Linux

The Citrix Receiver for Linux provides users with access to resources published on XenApp servers. It combines ease of deployment and use, and offers quick, secure access to applications, content and virtual desktops. Users can connect to resources published on XenApp servers using either individual ICA connections or predefined ICA connection configurations from servers running the Web Interface.
389
System Requirements
The Citrix Receiver for Linux requires Linux kernel version 2.6.18 or above, with glibc 2.3.4 or above, libcap1 or libcap2 and udev support. In addition, the native client (wfcmgr) graphical user interface depends on OpenMotif 2.3.1. However, if the client is run through the Web Interface or from the command line, then OpenMotif is not required. Systems running the Citrix Receiver for Linux must meet the following requirements: 6MB of free disk space for the installed client and up to 13MB if the installation package will be expanded on the disk 256 color video display or higher A working network or Internet connection to servers
Administrators should consider the following points when installing the Citrix Receiver for Linux: USB support is enabled only if an administrator is logged on as a privileged user when installing and configuring the Citrix Receiver for Linux. Installations performed by non-privileged users will enable users to access published resources on the server using the Web Interface through one of the supported browsers. During installation, administrators will have the option of specifying that GStreamer is enabled for multimedia acceleration. This can be downloaded from the http://gstreamer.freedesktop.org web site. Use of certain codecs may require a license from the manufacturer of that technology.
390
Troubleshooting Self-Service Application Issues

An administrator can use the solutions provided in the following table to address self-service application issues. Issue Merchandising Server cannot sync with Active Directory. Resolution Use an IP address to identify the Active Directory server, rather than a Fully Qualified Domain Name (FQDN).
Merchandising Server stops allowing Verify that the Merchandising Server virtual connections to the Merchandising Server machine has enough disk space allotted to it. Administrator Console. The Citrix Receiver icon does not appear See Citrix Knowledge Base article CTX122987 on in the notification area after installation. the www.citrix.com web site to modify Explorer application compatibility settings.
391
Review
1. Which plug-in provides a self-service storefront for enterprise resources to users? a. b. c. d. Dazzle Online plug-in Offline plug-in Communications plug-in
2. From which component does the Merchandising Server obtain new plug-ins to distribute to client devices? a. b. c. d. XenApp farm Citrix Receiver The Web Interface Citrix Update Service
3. Which component manages plug-ins on a client device, allowing IT to deliver applications and desktops as an on-demand service? a. b. c. d. Dazzle Citrix Receiver Web Interface Merchandising Server
392
Module 13
Configuring Printing
394
Module 13: Configuring Printing
Overview
There are several ways to configure printers for use in a XenApp session and administrators must carefully consider the available options and business needs. The type of printers and the printing environment, as well as user and administrative requirements, can dictate the most suitable method for configuring printers for users. Because applications run remotely and not on local client devices, an administrator must determine users printing needs and monitor their level of satisfaction with printing services. When a user prints from a published application, the print job originates on the XenApp server. As a result, considering the client printers and network printers in the environment can help formulate the printing strategy. XenApp provides access to enterprise-wide printing management, allowing administrators to control, secure and configure printing using policies. By the end of this module, given an environment containing XenApp, you will be able to: Identify key printing concepts and terms. Explain the default printing behavior. Identify the methods that can be used to provision printers in a XenApp environment. Identify the printing pathways and recognize when each should be used. Configure client printer auto-creation. Recognize the different types of printer drivers. Map a client printer driver to a server printer driver. Recognize the different universal printing options available and configure the usage of a universal printer driver. Import a network print server, add a network printer and specify the default printer for a session. Implement workspace control and proximity printing. Configure where printing preferences are stored. Configure printing bandwidth restrictions.
395
Printing Concepts
In a XenApp environment, all printing is initiated on the XenApp server by a user from within a session. When a user session ends, the user's workspace is deleted. Therefore, all settings need to be rebuilt at the beginning of each session. As a result, each time a user starts a new session, XenApp must recreate or restore the printers available in the session. When a user clicks Print in a session, XenApp: Determines which printers, also referred to as printer objects, to provide to the user Restores the user's printing preferences Determines which printer is the default for the session
Printing Definitions
The following table contains definitions of printing-related terms. Term Network print server Printer object Printing device Printer driver Rendering Spooler Spooling Despooling Citrix Print Manager Service (CPSVC.EXE) Print queue Definition A server that supports network print functionality and is accessible by a UNC path. The printer entry in the Printer and Faxes folder. The physical printer. Software that formats a print job into native print commands. A printer driver process that converts device-independent graphics into a device-ready print stream. A Windows service responsible for printing. A process by which an application creates a print metafile containing the print job. The background processing of the print metafile, resulting in a device-ready data stream being sent to a print device. A Citrix service that manages the creation of printers and driver usage within XenApp sessions. Disk space that holds the output designated for the printer until the printer can receive it.
396
Term Document settings Device settings Restored printers Retained printers Default printer
Definition Printing settings such as page orientation that are stored inside a document. Printing settings such as page orientation that are set through the properties of a printer on the client device. Printers that are customized by the administrator and permanently attached to a client port. Printers that are created by users and remain available at the start of the next session. The first printer to be auto-created in a session. It can be based on the user's preferred printer on the client device or a locally installed printer on a server. A less secure printer naming convention that provides backward compatibility for Presentation Server 3.0 or earlier. A feature that allows administrators to control the assignment of network printers so that the most appropriate printer is presented, based on the location of the client device.
Legacy printer names Proximity printing
Printer Types
One of the first steps in determining the best method for configuring printers is to determine the types of printers that must be supported.
397
In a non-XenApp environment, there are two types of printers: local printers and network printers. XenApp introduces a third type of printer, the redirected client printer. When users connect to published resources, their client-side (local) printers are available to them, by default. The type of printer determines where the print metafile containing the print job is processed (spooled). Understanding where the job is spooled can be useful should an issue arise with the spooler service. Printer Type Description
Local (Client and Server) Local printers are connected to a client device or server and the local operating system directly spools the print job to a Windows client device or server, by default. Network (Client and Server) Redirected client Network printers are connected to a print server and the server operating system directly spools the print job to the print server, by default. Printers are connected to the client device using a UNC path or a cable. The server operating system spools the print job to the client device.
Demonstration: Local and Network Printing

Watch as the instructor demonstrates how printing works when print jobs are directed to a printer connected locally to a client device or server and when printers are connected across a network to a network print server.
Printing Security
XenApp provides default security settings that make printer ports unusable outside the session for which they were created. These default security settings ensure that print jobs are routed to the correct printer. In addition, security settings stop users from redirecting another user's client printer to their own port. Printer ports are private to a particular session and cannot be shared across sessions. Even if the client device name is not unique, printers within each XenApp session are individualized and temporary for that session only. For example, in an environment where every client device is assigned the name "Computer," the client printer created within each XenApp session would still be unique because the client printer names are based on the session name and number, not the client device name. In
398
addition, after the user logs off the session, the printers that were created are likewise deleted. As a result, print jobs from client devices cannot be misdirected to the printers defined by another ICA session even though they have the same client device name. In addition, to increase client printing security, access to the client printers is restricted to: The account that the Citrix Print Manager Service (CPSVC.EXE) runs in, which is Ctx_cpsvcuser, by default Processes running in the SYSTEM account such as the spooler Processes running in the user's session Windows security blocks access to the printer from all other processes on the system. Furthermore, requests for services directed to the print manager must originate from a process in the correct session. This prevents bypassing the spooler and communicating directly with the Citrix Print Manager Service.
Adjusting Printing Security Settings

Administrators cannot, by default, access client printers from another session. This prevents the administrators from inadvertently printing to printers in another session. If administrators need to adjust the security settings of printers in other sessions, they can do so through Windows Explorer using the printer security settings on the server.
399
Default Printing Behavior

By default, XenApp printing behavior is as follows: All printers configured on the client device are created automatically at the beginning of each session. The client devices spool all print jobs queued to locally-attached printers, reducing resource consumption on the XenApp servers. XenApp routes all print jobs queued to network printers directly from the server hosting the published application. If XenApp cannot route the jobs over the network, it will route them through the client device. XenApp retains all changes made by users to printer properties and settings on the client device. If the client device does not support this operation, XenApp stores the changes in the user profile for that user. XenApp uses the native Windows version of the printer driver if it is available on the server hosting the application. If the printer driver is not available, the XenApp server attempts to install the driver from the Windows operating system. If the driver is not available in Windows, XenApp uses one of the Citrix Universal Printer Drivers. If an administrator is unsure of the default printing behavior, a printing policy can be created with all printing policy rules enabled. The options that are selected by default in the enabled rules are the default settings.
Altering the Default Printing Behavior

An administrator can alter the default printing behavior in the environment using the printing policies in the Citrix policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console. Use the Group Policy Management Console unless XenApp is in a workgroup or the XenApp administrator does not have permission to the Group Policy Management Console. In those cases use the Delivery Services Console. Altering the printing behavior can affect the performance of printing in the environment and the user experience. There are several ways to configure printers for use in an ICA session and administrators must carefully consider the: Available printing options Types of printer drivers Printing environment
400
User requirements Administrative requirements Business needs Prior to changing the default printing behavior through policies, an administrator should understand basic XenApp printing concepts, including printing definitions, printer types, printing security, printer provisioning, printing pathways and printer driver behavior.
401
Printer Provisioning
XenApp print environments are highly dynamic because they are typically built during session initialization or application launch. The process by which XenApp makes printers available in a session is known as printer provisioning. An administrator can control printer provisioning and configure which printers users see in their sessions. Administrators can specify the method by which printers are provisioned to users: User self-provisioning If an administrator does not want to specify (and administer) user printers, the administrator can prevent printer auto-creation and let users self-provision the printers that are visible from their client devices. If an administrator wants to ensure that printers are available when users start their sessions, the administrator should provision printers through auto-creation. Any printer defined on the client device can be auto-created at the beginning of a session. In order for client printers to be auto-created in user sessions, the Client printer redirection policy rule must be enabled in the Citrix policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console. This is the default setting. The user self-provisioning and auto-creation methods are considered dynamic. Dynamic provisioning is used to describe printers that appear in a session, but are not predetermined and
Auto-creation
402
stored. Rather, the printers that are available in a session are determined as the session is built. As a result, an administrator can allow printing configurations to change according to changes in policies, user location and the network.
Network printer provisioning
Administrators can automatically provision network printers to users within XenApp sessions by adding the network printers and configuring the Session printers policy.
There are other ways in which printers can be provisioned, such as through Active Directory policies and logon scripts. These methods do not change how print jobs are handled in user sessions.
User Self-Provisioning
Users may want need printers that are not auto-created at the beginning of their sessions. By default, users can add printers in their sessions using the Windows Add Printer wizard on the server or an application that lets them browse to the printers.
403
Users of thin clients and non-Windows plug-ins, by default, cannot add printers to their sessions. An administrator must publish the ICA Client Printer Configuration tool (PRINTCFG.EXE) for these users. For information about publishing the ICA Client Printer Configuration tool, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site. By allowing users to self-provision printers, administrators may reduce their own overhead, but limit their control over printer provisioning. The lack of administrative control may result in users installing printer drivers that are not approved in the environment.
Retained Printers
After a user adds a printer through user self-provisioning, the printer is known as a retained printer. Retained printers are created again (or remembered) at the start of the next session and route print jobs along the client printing pathway. Retained printers appear in the session on the client device until the client printer within the session is deleted manually, the remembered printer connection is removed from the client's properties store or the client-side printer is inaccessible. A retained printer will show the notation "Auto Retained" in the Comment field of the printer properties. An administrator can prohibit retained printers from auto-creating at the beginning of a session using the Retained and restored client printers policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console.
Printer Auto-Creation
Auto-creation refers to the process that XenApp uses to automatically create printers at the beginning of each session, depending on which printers are configured on the client device and network and the policies that apply to the session. By default, XenApp makes printers available in sessions by creating all printers configured on the client device automatically, including locally attached and network printers. After the user ends the session, the printers for that session are deleted. The next time a session starts, XenApp evaluates the printer creation policies and enumerates the appropriate printers on the client device. An administrator can change the default auto-creation settings to limit the number or type of printers that are auto-created. XenApp can auto-create: Locally attached printers, including locally-defined network printers Network printers Citrix Universal Printer
404
Printer auto-creation may be the easiest for the administrator to configure, but auto-creating all printers may require extensive processing on the XenApp servers. In addition, maintenance may be required when new printers are added or drivers for the printers are needed on the XenApp servers. By default, native Windows printer drivers are automatically installed on a XenApp server when a client printer is auto-created. When an error occurs during the auto-creation of a printer, it is logged to the Windows Event log on the server. An administrator can control this behavior using the Printer auto-creation event log preference policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console.
Client Printer Auto-creation

Printer auto-creation creates a list of printers for use after logging in. When the user logs in, the printer drivers will be installed and all printers returned in this list will be available for use. XenApp can auto-create client printers in two different ways: By creating a one-to-one match with printers on the client device By creating one generic printer, the Citrix Universal Printer, that represents all (or any) printers on the client device In many environments, especially large ones, Citrix recommends auto-creation for the default printer only. Auto-creating a smaller number of printers creates less overhead on the server and is better for CPU utilization. However, there may be instances when all printers may need to be auto-created; in those cases use the default auto-creation settings so that all printers are created at logon.
405
Controlling Client Printer Auto-Creation
At the start of a session, XenApp auto-creates all printers on the client device by default. The administrator can control which, if any, types of printers are provisioned to users and can prevent auto-creation entirely. To ensure that printers auto-create successfully, the following requirements must be met: User accounts should not be shared Only Windows native or fully tested printer drivers should be installed Users should have write access on the server to the %SYSTEMROOT%\SYSTEM32\SPOOL folder The Auto-create client printers policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console allows an administrator to control printer auto-creation and specify that: No printers visible to the client device are created automatically Only the default printer for the client device is created automatically All non-network printers physically attached to the client device are created automatically All printers visible to the client device, including network and locally attached printers, are created automatically at the start of each session By default, all network printing devices available from the client device are auto-created at the beginning of a session. XenApp always tries to route network print jobs directly from XenApp to the print server and not through the client printing pathway.
406
Assigning Printer Creation Settings to Published Applications

When publishing an application or configuring published application properties, printer creation for that published application can be specified as synchronous or asynchronous. The information in the following table describes the printer creation settings. Printer Creation Settings Synchronous Description
Printers are created before the users have access to interact with and use their sessions. The users must wait for all printers to be created in the background before they can perform any activities. Synchronous printer creation should be used: When applications require all printers to be created first When applications require a stable printing environment An administrator can enable synchronous printer creation by deselecting the Start this application without waiting for printers to be created option in the application properties.
Asynchronous Printers are created in the background while the users have control of and are using their sessions. This process minimizes the amount of time it takes before users can work in their applications and does not impact the users because some application activity usually occurs before printing. Asynchronous printer creation is the default setting and is typically used for published applications. An administrator can enable asynchronous printer creation by selecting the Start this application without waiting for printers to be created option in the application properties.
Synchronous or asynchronous printer creation can be specified when publishing an application or afterwards by editing the Client options in the properties of the published application.
407
Printing Pathways
The term 'printing pathway' encompasses both the path by which print jobs are routed and the location where print jobs are spooled. Both aspects of this concept are important. Routing affects network traffic; spooling affects utilization of local resources on the device that processes the job. All print jobs start on the XenApp server when a user elects to print a document from a published application. In XenApp, print jobs can take two different printing pathways: Network printing pathway When network printers are reachable from the XenApp server, an administrator can use policies to route print jobs to network printers. This is accomplished either by leaving the default settings so that the network printer is auto-created or by provisioning the network printer through the Session printers policy rule. Print jobs are routed through the network printing pathway by default; if the network printing pathway is unavailable, the client printing pathway is used. By default, local and redirected client printers route print jobs along the client printing pathway.
Client printing pathway
Network Printing Pathway

The network printing pathway refers to print jobs that are routed from the XenApp server hosting the user's session to a print server and then spooled on a print server. Routing jobs along the network printing pathway is ideal for fast local networks and in two other instances: when the user experience should be the same as the experience that users have on their local client device and when the printer names should appear the same in every session. The network printing pathway is not suitable for printing jobs across a WAN because: Print jobs using the network printing pathway method use more bandwidth than those using the client printing pathway. Many packets are exchanged between the host server and the print server. Users might experience latency while the print jobs are spooling over the WAN. Print job traffic from the server to the print server is not compressed and is treated as regular network traffic.
408
Server Local Printers
Server local printers refer to printing devices that are physically attached to XenApp servers and use the network printing pathway. Server local printers are managed and configured in the same way as network printers and might be appropriate for printing in small farm environments. However, server local printers might not be ideal in enterprise environments because they require the printer drivers to be installed on each XenApp server in the farm and use additional resources on the XenApp servers. The previous diagram shows a server local printing example where printing begins on the XenApp server hosting the user's session and is routed to a printing device attached locally to the server.
409
Configuring a Server Local Printer
An administrator can permit users to print to a printer that is physically attached to a XenApp server by sharing the printer. Sharing the printer allows the creation of the printer when a session is launched on the server. XenApp will not recognize server local printers unless they are shared. Print jobs are redirected through the client printer pathway when the Render print jobs on client computers option is selected.
410
Disabling the Network Printing Pathway
XenApp routes print jobs to network printers from the XenApp server directly to the print server, along the network printing pathway, by default. An administrator can use the Direct connections to print servers policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to disable the network printing pathway. When print jobs must be routed across a network with limited bandwidth, the print jobs should be routed through the client printing pathway so that the ICA protocol compresses the jobs.
Managing Printers Using the Network Printing Pathway

Print queues for network printers that use the network printing pathway are private and cannot be managed through XenApp. In order to modify or manage a user's network print queue, an administrator must: Have the correct level of Windows administrator privileges. Use the Control Panel on the print server. If a print job is routed over the network printing pathway and the server hosting the application does not have the appropriate printer driver or cannot install the printer driver, XenApp will send the print job through the client printing pathway, by default.
411
When a print job has been redirected from the network printing pathway to the client printing pathway, the printer will appear in the Print and Document Services role of the Server Manager snap-in on the server with the following syntax:
PrinterName on PrintServer (from clientname) in session n
where:
PrinterName is the name of the printer being redirected. PrintServer is the name of the print server with which the printer is associated. clientname is the name of the client through which the print job is being rerouted. n is the session ID for the ICA connection.
Client Printing Pathway

The client printing pathway refers to print jobs that are routed over the ICA protocol through the client device to the printer and spooled through the plug-in to the client device. The printer must be connected directly to the client device through either a UNC path or physically through a cable. When the client printing pathway is used, a virtual printer is constructed in the session that redirects the print job to the printer object within the session on the client device. The client device, in turn, sends the print job to the printing device. Even though one additional hop is added at the client device, the impact on the WAN is minimized and efficiency is increased.
Client Printing Pathway Configurations

There are two different configurations for the client printing pathway: one for printers attached directly to the client device and another for network printers defined on the client device. Client local printers Print jobs from locally attached printers are routed to the printer through the ICA protocol and plug-in on the client device, and then to the printing device. The ICA protocol compresses the print job traffic. Print jobs to client local printers must be routed through the plug-in. By default, print jobs destined for network printers route from the server, across the network and directly to the print server using the network printing pathway. However, if the XenApp server is unable to communicate with the
Network printers
412
print server, such as when the XenApp and print servers are on different domains, XenApp automatically routes the print job through the plug-in using the client printing pathway. In addition, the client printing pathway should be used for network printers when the client is connecting across low bandwidth connections such as WANs. This configuration takes advantage of the traffic compression that results from sending jobs over an ICA connection and provides the administrator the ability to limit or restrict the bandwidth allocated for the print jobs. To force print jobs to route through the client printing pathway, select Disabled in the Printing > Client Printers > Direct connections to print servers user policy rule.
Client Local Printers
The simplest printing configuration in a XenApp environment is one in which the printer is attached directly to the client device. In this configuration, the XenApp server spools the print job and sends it back to the client device. The client device then relays it to a locally attached printer. The previous diagram shows a simplified example of printing from a published resource on a XenApp server to a client local printer.
413
Client Printers on the Network
While client printers are often printers physically attached to client devices, they can also be printers connected to a network print server. In this case, print jobs are routed through the client printing pathway to the print server. The process is the same as printing to a locally attached printer through the client printing pathway. However, instead of sending the job to a printer attached to the client device, the job is sent to the network print server which sends it to the printer. By default, client printers on the network route print jobs through the network printing pathway, not the client printing pathway. The previous diagram shows client printing to a network printer. Printing to a Network Printer When a print job is spooled to a network printer along the client printing pathway, it uses the following process: 1. The XenApp server generates a spool file and sends the print job through the ICA protocol to the client device. 2. The client device processes the spooled print job and sends it to the print server. 3. The print server sends the print job to the appropriate network printer.
414
Identifying Printers that Use the Client Printing Pathway

An administrator can use the Printers icon in the Control Panel of a XenApp server to determine which printers are using a client printing pathway, that is, printers that are auto-created. The printers listed will fluctuate on the server based on the sessions connecting to the server and the printers on the client devices. By default, the name of a printer using the client printing pathway appears with the following syntax:
Printername (from Clientname) in session n
Where:
Printername is the name of the printer on the client device. Clientname is the unique name given to the client device or the Web Interface. n is the session ID of the user's session on the server.
If User Access Control is enabled on the XenApp server, the administrator must use the Print Management snap-in in the Microsoft Management Console (MMC) to view the printers.
Printing Pathway Demonstration

Watch as the instructor demonstrates how print jobs are routed when a user prints from a published application to a local printer and when a policy is used to direct a print job from the published application to a network printer.
415
Printer Drivers
Printer drivers enable the operating system and applications to create device-ready print data streams for specific print devices. Printer drivers vary among manufacturers and models. Not all drivers work as intended in a multi-user (Remote Desktop Services) environment. Using an incorrect printer driver can cause garbled print jobs or print job failure. Administrators are advised to test printer drivers in a test XenApp environment prior to using them in a production environment. The data store keeps track of all printer drivers in the environment. As drivers are added, entries are added in the data store. Because printer drivers can cause instability in a server farm, it is a best practice to only install the necessary printer drivers.
Printer Driver Types

XenApp supports the following types of printer drivers: Native printer drivers Drivers that are included with the Windows operating system These drivers have been tested and approved by Microsoft to work with the respective operating system and Remote Desktop Services. Drivers that have been created by printer manufacturers Many, though not all, OEM drivers have passed Microsoft logo certifications but may not have been fully tested in a Remote Desktop Services environment. Drivers that are automatically installed on all XenApp servers and support client printers without specific native or OEM printer drivers installed on the server An administrator can use a printing policy to auto-create printers to use a universal printer driver. A Citrix Universal Printer Driver can:
OEM printer drivers
Citrix Universal Printer Drivers
416
Enable users to print to most printers. Specialized functionalities may not be available through the universal printer drivers. Ensure that client printers auto-create regardless of printer driver availability on the server. Reduce the size of some print jobs and reduce delays when spooling print jobs over slow connections. Prevent problems with driver maintenance or printing-related issues in a diverse environment. Limit the installation and replication of a large set of printer drivers or potentially problematic printer drivers in the server farm. Minimize help desk calls.
An administrator should keep the following considerations in mind when configuring XenApp to use universal printer drivers: Universal printer drivers work with locally-attached client printers, Citrix Universal Printers and network printers that use the client printing pathway. Some universal printer driver features may have reduced functionality for some plug-ins. Some features of multi-function printers may not be available with universal printer drivers.
Automatic Driver Installation

When XenApp auto-creates printers, it determines if the corresponding printer drivers are missing. By default, XenApp installs the missing Windows native printer drivers. If an incompatible printer driver is installed, it can cause issues on the XenApp server. An administrator can control which printer drivers are installed on the XenApp servers using the following policy rules in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console:
417
Automatic installation of in-box printer drivers
Controls whether Windows native printer drivers are automatically installed when auto-creating printers. Disabling this policy rule prevents the automatic installation of printer drivers. The Automatic installation of in-box printer drivers policy rule is enabled by default and can result in the installation of a large number of native drivers in the environment.
Printer driver mapping and compatibility
418
Lists printer driver substitution settings for auto-created printers, identifies which printer drivers can and cannot be used to auto-create client printers and identifies whether the universal printer drivers should be substituted for specific printer drivers. When a user logs on, XenApp checks the compatibility and mapping list before it auto-creates the client printers. If a printer driver is on the list of allowed drivers, the printer is auto-created. If a printer driver is on the list of drivers that are not allowed, the printer is not auto-created unless the universal printer driver is specified for use. To configure this policy rule to prevent printer drivers from being installed, entries must be made for the allowed drivers and another entry must be made using a wildcard (*) for the driver name with the Do not create setting selected. When the compatibility list prevents the setup of a client printer, XenApp writes a message in the event log of the server hosting the user's session.
Server/Client Driver Mapping
During logon, each client provides information about its client-side printers, including the printer model name. The XenApp server uses this information to select the appropriate printer driver on the server to use to auto-create the printer. If the printer drivers for server and client device operating systems have different names for the same driver, XenApp may not recognize that the drivers are the same. This could result in users having difficulty printing or the failure of printer auto-creation.
419
An administrator can resolve this issue by overriding or mapping, the printer driver name that the client device provides with the appropriate driver on the server. Mapping client printer drivers gives published applications access to client printers that use the same drivers as the server but have different driver names. An administrator can configure the Printer driver mapping and compatibility policy rule in the Citrix Policies node of the Group Policy Management Console (GPMC) or the Policies node of the Delivery Services Console by specifying the client printer driver and the server printer driver to substitute for that driver. A wildcard (*) can be used in the names. For example, to force all HP printers to use a specific server printer driver, HP* can be specified as the driver name. When printer driver mappings are configured, the mappings are retained in the data store database and are available to all servers in the farm. Entries can be prioritized, changed or removed using the corresponding buttons in the policy rule.
Managing Printer Drivers
420
An administrator can use the Windows Print Management snap-in to manage the drivers, ports and printers on a print server. For information about using the Print Management snap-in, refer to Microsoft documentation for the operating system. The Print and Document Services role must be installed on the server to add the Print Management snap-in to the Microsoft Management Console.
Practice: Printer Drivers

Provide the correct response for each of the following questions. 1. In order to prevent printer drivers from being installed automatically, which policy rule should be configured? 2. What are four benefits of using the Universal printer driver?
421
Citrix Universal Printing

Citrix Universal Printer Drivers and printers are printing solutions that allow users to print regardless of whether the correct printer drivers and printers are installed. There are several different universal printing solutions. An administrator can configure a: Citrix Universal Printer Driver (EMF-based) At the beginning of each session, a device-specific printer is auto-created using the Citrix Universal Printer Driver (EMF-based). For example, the LaserJet5L printer is auto-created and uses the Citrix Universal Printer Driver (EMF-based) to communicate with the printer driver on the client device. The print job is processed on the client device. This is the default universal printer driver. At the beginning of each session, a device-specific printer is auto-created using the Citrix XPS Universal Printer Driver. For example, the LaserJet5L printer is auto-created and uses the Citrix XPS Universal Printer Driver to communicate with the printer driver on the client device. The print job is processed on the client device. At the beginning of each session, a Citrix Universal Printer is auto-created using a Citrix Universal Printer Driver. The session uses the Citrix Universal Printer Driver to communicate with the printer driver on the client device. The print job is processed on the client device. For more information about this printer, see the Citrix Universal Printer topic later in this module.
Citrix XPS Universal Printer Driver
Citrix Universal Printer with a Citrix Universal Printer Driver
Configuring a printer to use a universal printer driver improves server performance, reduces the number of drivers required on the XenApp servers and decreases the complexity of printer administration. However, configuring a universal printer driver will not improve session start time because the printers on the client device are still enumerated and auto-created at the beginning of sessions. In addition, a Citrix Universal Printer Driver may create smaller print jobs than older or less advanced print drivers but may not be able optimize print jobs as well as a device-specific printer driver.
422
Citrix Universal Printing Requirements

A Citrix universal printing solution requires: The Citrix online plug-in (or a previous version) on a Windows client device. A non-Windows plug-in can be used with universal printing on a non-Windows client device only if a universal printer driver based on the postscript universal printer driver is used. These drivers are installed automatically with XenApp. Citrix universal printing works only with applications hosted on a XenApp server. Connections made with the Citrix offline plug-in to virtualized applications on the client device cannot use universal printing. The Novell iPrint driver is not supported in a XenApp environment.
Enhanced MetaFile Format

The Universal Printer Driver is installed automatically with XenApp, supports nearly all common printer capabilities and forms and can discover underlying client printer capabilities. When the EMF-based Universal Printer Driver is used for client printing, the printer output is sent in Enhanced MetaFile (EMF) format using the Citrix Print Manager Service. The EMF format: Reduces the size of some print jobs Allows jobs to print faster Allows users to set printer properties and preview documents before printing Reduces server load by saving bandwidth and CPU processing because processing is deferred to the client device
Users can view the options of a client printer created with a universal printer driver through the properties of the printer. Other universal printer driver formats are available for client devices: PCL5c, which is primarily used by older applications that are not compatible with the EMF instructions within the new universal printer driver PCL4, which is used for older printers and for non-Windows client devices, such as Mac and UNIX PS, which is used by non-Windows client devices, such as Mac and UNIX Non-Windows client devices should use the PS universal printer drivers. By default, the Citrix Print Manager Service engages the EMF driver and then rolls back subsequently to PCL5c, PCL4 and PS, based on the client device.
423
Print Preview
The EMF-based and XPS-based Citrix Universal Printer Driver provide the following ways to preview and select print settings: The EMF-based Citrix Universal Printer Driver allows a user to preview a print job using the Citrix Print Previewer. The Local Settings button in the Citrix Print Previewer can be used to select a different printer, control the device settings for the printer hardware and preview the print job. An administrator can control whether or not the Local Settings button is available to users. If users are not allowed to change their printer through the Local Settings button, the print job prints to the default printer on the client device. The Citrix Print Previewer cannot be controlled by an administrator unless users have Citrix Presentation Server Client, version 10.100 or later, the Citrix XenApp Plug-in for Hosted Apps, version 11 x , or the Citrix online plug-in. The Citrix XPS Universal Printer Driver allows a user to preview a print job using Internet Explorer. The Print Preview button displays the print job in the Microsoft XPS "electronic paper" format. A user can follow this procedure to preview and print a document. 1. 2. 3. 4. 5. Open the Print screen ( CTRL+P ). Select the client printer that is auto-created using the universal printer driver. Click Properties in the Print dialog box. Select Preview on client and click OK. Click OK to view the document in the EMF Viewer application.
424
6. Use the navigation buttons to view the pages of the document. < = Page Up > = Page Down << = Home >> = End 7. Click the printer icon to select the printer. 8. Select the pages and number of copies to print. 9. Click Print.
The Print Preview feature is disabled by default. The User > Printing > Universal Printing > Universal printing preview preference policy must be configured to enable the feature.
Citrix Universal Printer

The Citrix Universal Printer is a generic printer that an administrator can configure to auto-create on behalf of a single printer or each printer on a client device. The Citrix Universal Printer interacts directly with the printing devices, reducing the need to auto-create printers and, thus, reducing server overhead. The Citrix Universal Printer can be created for the length of a session at the beginning of that session.
425
The Citrix Universal Printer is a generic printer that is not tied to any specific printer on the client device. It can be used to print through the client to any client-side printer. An administrator can specify that the Citrix Universal Printer be auto-created for a single printer or each printer on the client device. When the Citrix Universal Printer is enabled, the printer is created in the session with the name Citrix UNIVERSAL Printer in session number. The printer name is the same for all users with the exception of the session number. This makes it easier for users that reconnect from different client devices and can prevent issues with applications that rely on the printer name. The Citrix Universal Printer can be made available to all sessions that use a Citrix online plug-in. In addition, the Citrix Universal Printer can be the only printer that is auto-created in the session or can be auto-created along with other client printers and session printers. The Citrix Universal Printer will not auto-create if Legacy printer names are specified in the Client printer names policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console. An administrator can prevent the auto-creation of printers on the client device so that only the Citrix Universal Printer can be used in sessions. To implement this configuration, the Citrix Universal Printer should be enabled through the policy and the Auto-create all client printers policy rule must be configured with the Do not auto-create client printers setting selected.
Configuring Citrix Universal Printing

Universal printer drivers are installed on each XenApp server, but are not used, by default.
426
An administrator can use the following policy rules in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to control the usage of the Citrix Universal Printer Drivers: Universal driver priority
Specifies the order in which XenApp attempts to use the universal printer drivers, beginning with the first entry in the list. An administrator can add, edit or remove drivers and change the order of the drivers in the list. Universal printing
Specifies when to use universal printer drivers instead of native Windows printer drivers.
427
Universal printing preview preference
Specifies whether to use the print preview function for a Citrix Universal Printer or auto-created printers that use a Citrix Universal Printer Driver. Auto-create generic universal printer
Enables or disables the auto-creation of a Citrix Universal Printer printing object. By default, generic universal printers are not auto-created. Citrix universal printing can be used with Citrix Presentation Server 4.0 through Citrix XenApp 6 and the following client software: Citrix Presentation Server Client, version 9.x or version 10.x Citrix XenApp Plug-in for Hosted Apps version 11.x Citrix online plug-in
428
Administrator-Assigned Network Printers

User requirements, client devices and network printer availability are factors in determining if and how network printers should be configured. An administrator can define policies to construct customized printing and assign network printers to specific users. Network printers route print jobs from the XenApp server, across the network, directly to the printer server. Network printers do not have to be installed and configured on any of the client devices because the configurations are performed on the server by an administrator. XenApp allows an administrator to specify printers on print servers, along with related print queues into the farm. The network printers can then be assigned to users.
Adding a Network Printer
An administrator can use the Session printers policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to add a network printer. Within the Session printers policy rule, an administrator can add a network printer by: Specifying the printer UNC path in the \\servername\printername format Browsing to a printer on the network
429
Browsing for printers on a specific server by typing the server name using the \\servername format The server merges all enabled Session printer settings for all applied policies, starting from the highest to lowest priority. When a printer is configured in multiple policies, the customized settings are taken from only the highest priority policy object in which that printer is configured.
Editing Network Printer Settings
An administrator can use the Session printers policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to specify the following printer settings for a network printer: Paper size Copy count Collation setting Print quality Orientation (portrait or landscape)
An administrator can ensure that the printer settings are reset to these specific settings for all sessions, by selecting the Apply customized settings at every logon option. This results in user customization to the printer settings for the printer only being valid in the current session.
430
Specifying the Default Printer
The printer that XenApp selects for the default session printer can be: A client printer A network printer that has been added through the Session printers policy rule An administrator can use the Default printer policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to set the default printer for a session using the following settings: Do not adjust the user's default printer Uses the Remote Desktop Services (Terminal Services) or Windows user profile to determine the default printer. The default printer will be the first printer auto-created in the session, which can be the: First printer added locally to the server Default printer on the client device This setting does not save the default printer choice in the profile and does not change according to other session or client properties. An administrator can use this setting along with the Session printers policy rule to configure proximity printing, which is the ability for roaming users to print to the nearest network printer. Set default printer to the client's main printer Uses the printer set as the default printer on the client device as the default printer in sessions. Windows group policies and Remote Desktop Services (Terminal Services) settings can disable the mapping of the main printer on the client.
431
Workspace Control and Proximity Printing

In some environments, users move among different client devices or sites. An administrator can make sure that the closest printers are presented to these users wherever they try to print. Examples of such users include: Hospital employees who move among client devices in different wings of a hospital and reconnect to the same session on a different client device using a smart card Employees who travel to remote business units If employees need this type of printing functionality, an administrator can use one of these features: Workspace Control Also known as SmoothRoaming, this feature allows a user to disconnect from one session, move to another client device and reconnect to continue that same session. The printers assigned on the first client device are replaced on reconnection with the printers designated on the second client device. As a result, the user is always presented with applicable printer options from wherever the user connects. For more information, see Configuring Workspace Control in this course.
Proximity Printing
This feature allows an administrator to control the assignment of network printers for mobile workers so that the most appropriate printer is presented, based on the location of the client device.
432
Proximity printing can make printer administration easier even if mobile workers do not exist in the environment. For example, if a user moves from one department or floor to another, the administrator will not need to assign additional printers to that user, if proximity printing is implemented. When the client device is recognized within the IP address range of the new location, it has access to all network printers within that range. However, if an administrator configures proximity printing, the Session printer policy must be maintained as network printers are added or removed, or the DHCP IP address ranges for floors or departments are changed.
433
Configuring Proximity Printing
Proximity printing is enabled through the Session printers policy rule in the Citrix Policies node of the GPMC or the Policies node of the Delivery Services Console. Proximity printing requires that the policy be filtered based on some type of geographic indicator (IP address). The ability to configure proximity printing assumes that the network is designed as follows: DHCP addressing is used to assign IP addresses based on location (for example, floor of a building). All departments/floors within the company have unique designated IP address ranges. Network printers are assigned IP addresses based on the department/floor in which they are located To configure proximity printing, the administrator should: 1. Create a separate policy for each subnet or geographic location to correspond with each printer location. 2. Add the printers in that subnet or geographic location to the Session printers policy rule. 3. Set the Default printer policy rule to use the Do not adjust the user's default printer setting. 4. Filter the policies by client IP address.
434
Printing Preferences
In a XenApp environment, when users modify printing settings, the settings are stored in the following locations: On the client device: The settings are set on the client device by selecting Printing Preferences for a printer in the Printers folder on the client device. For example, if Landscape is selected as the page orientation and saved, it becomes the default page orientation preference for that printer. This type of preference is known as device settings. In a document: In word-processing and desktop-publishing programs, settings, such as page orientation, are often stored inside documents. These settings are often referred to as document settings. Document settings appear by default the next time the user prints that document. Device settings are treated distinctly from, and usually take precedence over document settings. From changes a user made during a session: The settings are set within the session by selecting Printing Preferences for an auto-created printer in the Printers folder within the session. On the server: These are the default settings associated with a particular printer driver on the server. If an administrator wants to control printing preferences, it is important to understand that the settings preserved in any Windows-based environment vary according to where the user made the changes. This means that the printing settings can be between different applications within the same session or different sessions.
Printing Properties
Printing properties are a combination of: Printing preferences, which are settings configured within the session by selecting Printing Preferences for an auto-created printer in the Printers folder within the session Printing device settings, which are settings configured on the client device by selecting Printing Preferences for a printer in the Printers folder on the client device By default, changes users make to the printer preferences and settings for a printer, whether on the local client device or in a session, are saved and used both locally and in a session. This means that printer preferences and setting are the same on the client device and in a session.
435
By default, XenApp attempts to store the printing properties on the client device. If the client does not support this operation, XenApp stores the printing properties in the user profile for that user. By default, sessions from non-Windows clients and older Windows clients use the user profiles on the server for printing properties retention. The following factors can affect how an administrator configures the Printer properties retention policy rule using the Citrix Policies node of the GPMC or the Policies node of the Delivery Services Console: If a client prior to Citrix Presentation Server Client, version 9.x is used, printing properties cannot be stored on the client device. If a mandatory profile is used, the printing properties must be stored on the client device. If a roaming profile is used, the printing properties must be stored in the user profile. If applications are load balanced in a large farm, local profiles will provide users with an inconsistent printing experience. To correct this issue, printing properties must be saved on the client device. If none of these factors apply, Citrix recommends that the printing properties be stored on the client device, if possible, otherwise stored in the user profile; this is the default setting. This is the easiest way to ensure consistent printing properties.
Printing Preference Hierarchy

Because printing properties can be stored in more than one place, XenApp processes them according to a specific priority. XenApp searches for printing properties in the following order: 1. XenApp checks for retained settings (settings changed during the session). If XenApp finds retained settings, it applies the settings when the user prints. 2. XenApp checks for any changes to the printer settings for the printers on the client device. If XenApp finds any changes on the client device, it applies the settings when the user prints. 3. XenApp checks the printer settings stored on the server and applies the settings when the user prints. At this point, the printer settings are merged.
436
Configuring Printer Property Retention
An administrator can use the Printer properties retention policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to configure where printer properties are stored. Printer properties can be: Held in profile only if not saved on client Stores printer properties on the client device, if available, or if not, in the user profile This is the default setting. Although this option is the most flexible, it can also slow logon time and use extra bandwidth to perform necessary system checking. This option provides backward compatibility with prior versions of XenApp and its plug-ins. Saved on the client device only Stores printer properties only on the client device This option should be used if users are assigned a mandatory profile or roaming profile. Retained in user profile only Stores printer properties in the user profile on the server and prevents the exchange of any properties with the client device This option requires the use of a roaming profile and reduces network traffic making it an ideal choice for connections with: Bandwidth constraints Presentation Server, version 3.0 or earlier
437
Presentation Server Clients, version 8.x or earlier These products are no longer supported.
Do not retain printer properties
Does not retain printer properties and the user must configure the desired printer properties each time
To obtain printer properties directly from the printer itself, rather than from the properties store, an administrator can edit the printer preferences in the Registry. For more information about synchronizing the printer properties, refer to the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.
438
Printing Bandwidth
While printing files from published applications to client printers, other virtual channels, such as video, may experience decreased performance due to competition for bandwidth. This performance degradation is magnified if users are accessing servers through slower networks or dial-up connections. To prevent such degradation, an administrator can limit the bandwidth used by client printing. If a printer bandwidth limit is configured in a policy, it is always enforced, even when no other virtual channels are in use. By limiting the data transmission rate for printing, an administrator can make more bandwidth available in the ICA data stream for the transmission of video, keystrokes, mouse data and more. Making additional bandwidth available can help prevent degradation of the user experience during printing. An administrator can configure printing bandwidth in client sessions using the following policy rules: Printer redirection bandwidth limit This policy rule can be used to enable and disable the printing bandwidth limit using the Citrix Policies node of the GPMC or the Policies node of the Delivery Services Console. This policy rule can be used to specify the percentage of total bandwidth that can be used for printing. In addition, the Overall session bandwidth limit policy rule must be enabled
Printer redirection bandwidth limit percent
439
before this rule will have an effect on the bandwidth used by printing. An administrator can use the Citrix Session Monitoring and Control Console, included in the WFAPI SDK, to obtain real-time information about printing bandwidth. The print spooling virtual channel control, that is, the CTXCPM Client printer mapping virtual channel control, allows an administrator to set a priority and bandwidth limit for bandwidth control of the virtual channel.
440
Practice: Printing Definitions

Match the printing policy rules in the following table to the correct terms. Term __ Auto-creation Definition a. A rule that enables the use of old-style printer names as used by prior versions of XenApp
__ Printer properties retention b. A rule that controls whether network printer jobs flow directly from XenApp server to the print server or take an extra step and are routed back through the client device __ Turn off client printer mapping __ Legacy client printers __ Print job routing c. A rule that controls whether printer properties are stored on the client device or user profile d. A rule that disables the mapping of all client printers e. A rule that controls the auto-creation of all, local, default or no client printers.
441
Troubleshooting Printing Issues

An administrator can use the solutions in the following table to address common printing issues. Issue Printers do not auto-create. Resolution Verify that the printer driver for the printer is installed on the server being accessed by the session. If not, install the printer driver on all XenApp servers or use a Citrix Universal Printer Driver. Verify that the Auto-create client printers policy rule does not prohibit the creation of the printer. Verify that a higher priority policy is not preventing the auto-creation of the printers. Verify that the administrator can auto-create client printers. If so, confirm that users have at least Read, Write, and Execute permissions to the following folder and file:
%SYSTEMROOT%\SYSTEM32\SPOOL %SYSTEMROOT%\SYSTEM32\PRINTER.INF
Verify that the client device/Windows Terminal has the latest software/firmware installed. Print jobs are garbled or Verify that the printer driver name for the client is the same as the printer driver name for the server. If not, map the driver names. fail to print. Remove the incompatible printer driver, restart the Citrix Print Manager Services and use the Citrix Universal Printer Driver instead. Consider restarting the Citrix Print Manager Services after regular business hours because the restart will discard all current print jobs on the server. Network printers are not available in the session. Verify that the Session printers policy rule is applied to the session. By default, policies are applied to all sessions unless a filter is used to limit the application. Verify that a higher priority policy is not preventing the use of the printer.
442
Issue
Resolution Use the NET USE command from the client device to verify that the user has permissions to the print server.
Session appears to hang at startup when users are disconnected from network. The Ctx_CpsvcUser account becomes corrupt.
Verify that network printers are attempting to auto-create for the user and then set the Auto-create client printers policy rule to Auto-create local (non-network) client printers only for mobile users. Use the information available in the CTX113555 Knowledge Base article on www.citrix.com.
For additional printing troubleshooting tips, see the CTX107137 and CTX113261 Knowledge Base articles.
443
Review
1. Which type of printer is accessed as a shared resource and connected to the network by means of a print server? a. b. c. d. Network printer Client local printer Server local printer Client network printer
2. Which statement concerning printing in a XenApp environment is true? a. b. c. d. Auto-created network printers are identified only by their printer name. Printer properties can be stored on the client device or in the user profile. Auto-created client local printers are identified only by their printer name. By default, only the default client printer is automatically created during logon.
3. Which statement is NOT a benefit of implementing the Universal printing policy rule? a. It limits which printers users can access. b. It reduces printer driver maintenance issues. c. It ensures that client printers are auto-created regardless of printer driver availability on the server. d. It reduces the size of some print jobs and reduces delays when print jobs are spooled over slow connections. 4. Which printer drivers are installed by default on a XenApp server? a. b. c. d. No printer drivers HP printer drivers Universal printer drivers Those designated during installation
5. Printer bandwidth limitations can be set using which two methods? (Choose two.) a. b. c. d. Worker group properties Published application properties Policies in the Delivery Services Console Citrix Policies in Group Policy Management Console
444
Module 14
Securing XenApp
446
Module 14: Securing XenApp
Overview
Security is a crucial component of any production environment, including environments containing XenApp. Depending on the security needs of the environment, an administrator can incorporate several Citrix-specific security measures. By the end of this module, you will be able to: Identify the components of a comprehensive XenApp security solution. Describe the SSL Relay communication flow. Secure XenApp communications using SSL Relay. Describe the benefits of using Citrix Access Gateway in a XenApp environment. Secure application access using Access Gateway. Avoid or resolve common security configuration missteps with simple solutions.
447
XenApp Security Solutions

Administrators can incorporate the following security measures for XenApp servers: SecureICA SecureICA can secure: Internal communication in a LAN or a WAN Communications from older clients such as the Client for DOS or the Clients for Windows (16-bit) that cannot be upgraded SecureICA encryption should not be the only security solution used to secure communications across public networks.
SSL Relay
SSL Relay can secure: End-to-end communication between client devices and XenApp servers using encryption Communication with servers that host the Citrix XML Service SSL Relay cannot be used with Network Address Translation (NAT) when the IP addresses of servers must be hidden or when access must be secured at a DMZ.
Citrix Access Gateway
Citrix Access Gateway can secure: Environments of all sizes Access to servers and resources in a server farm through endpoint scans and policies Access by users in locked-down environments such as Internet cafes Access from unknown or non-corporate devices Citrix Access Gateway is a secure access solution that provides administrators with application control while empowering users with access from anywhere. With flexible deployment options and a single point of management, IT administrators set policies, which are based on roles, devices, and networks, to control access and users' actions, ensuring better security and compliance management.
448
Access Gateway appliance information is not addressed in this course.
For more information about Citrix Access Gateway courses, visit the http://www.citrixeducation.com web site.
449
SecureICA
SecureICA (ICA encryption) guards against the threat of eavesdropping by encrypting the information sent between XenApp servers and client devices. In the unlikely event that an attack succeeds, SecureICA encryption ensures that the attacker sees only screen commands and does not see sensitive information. Although SecureICA encryption prevents eavesdropping, it does not authenticate the identity of XenApp servers as SSL/TLS does. Information is susceptible to man-in-the-middle attacks, particularly if the plug-in traffic is crossing a public network. As a result, SecureICA encryption should be used for internal networks only and should be considered as one aspect of a more comprehensive security policy.
450
Citrix SSL Relay

SSL Relay provides server authentication, user credential and data encryption, as well as message integrity for a TCP/IP connection. It encrypts the ICA and XML communications between: Web Interface and Citrix XML Service Client devices and XenApp servers SSL Relay is commonly used to secure Citrix XML traffic, especially when the Web Interface server is located in the DMZ. When SSL Relay is implemented in a farm, a server certificate and SSL Relay must be installed and configured on each XenApp server. The SSL root certificate must be present on every client device as well. The client device must connect using the FQDN of the XenApp server, not the IP address.
451
SSL Relay Communication
The client device and the web server running the Web Interface are allowed access to a XenApp server with SSL Relay after confirming the server certificate against a list of trusted certificate authorities. After authentication of the server certificate occurs, all requests are negotiated in an encrypted form. SSL Relay decrypts the requests and passes them to the XenApp server. The XenApp server then uses SSL Relay to encrypt any data being sent to the client device and the web server running Web Interface. Message integrity checks in SSL Relay verify that each communication has not been tampered with.
452
Configuring SSL Relay

An administrator can use the following procedure to configure SSL Relay: 1. Obtain and install a unique server certificate for each XenApp server. A separate server certificate is needed for each server on which SSL Relay is enabled. 2. Install a root certificate from the certificate authority (CA) on each client device and web server running the Web Interface, if one is not already installed. 3. Configure the relay credentials, connections and ciphersuites using the SSL Relay Configuration tool. 4. Restart the XenApp servers for the configuration to take effect. 5. Configure the web servers running the Web Interface to verify the signature of the CA on the server certificate. 6. Configure the client devices so they can: Support 128-bit encryption. Verify the signature of the CA on the server certificate. Access network traffic on the TCP listening port used by the Citrix XTE Service. The default TCP port is number 443.
453
Access Gateway
Access Gateway is a universal SSL VPN appliance that can be used to secure client connections to XenApp and XenDesktop environments as well as provide secure access to other internal network resources. Access Gateway is available both as a hardware appliance and as a virtual appliance. Access Gateway provides the following benefits: A secure and scalable device SmartAccess technology, which allows administrators to control access based on user and endpoint device characteristics Secure remote access to hosted applications and desktops from the Internet XenApp connections through Access Gateway do not require concurrent user (CCU) licenses. Full VPN connections and endpoint analysis require the Access Gateway universal license, which is included in XenApp Platinum. The Access Gateway hardware appliance must be purchased separately. For complete information on using Access Gateway with XenApp, refer to the Access Gateway documentation on the http://support.citrix.com/products/index.jsp web site.
Access Gateway Deployment Scenarios

Two deployment scenarios of Access Gateway with XenApp are possible: Access Gateway and the Web Interface in the DMZ In this deployment scenario, which is best practice, the Access Gateway and the Web Interface server are both located in the DMZ. Benefits No unauthenticated traffic reaches the secure internal network. If a user fails to authenticate, the user traffic will not pass beyond the DMZ. Drawbacks Some security experts consider locating Internet Information Services (IIS) in the DMZ to be a security risk.
454
Access Gateway in the DMZ and Web Interface in the internal network
In this deployment scenario, the Access Gateway is located in the DMZ and the Web Interface is deployed behind the firewall, within the internal network. Benefits IIS is not located in the DMZ and is more secure behind the firewall in the internal network. Only one Web Interface instance is required for both internal and external users. Drawbacks Access Gateway does not perform authentication. Therefore, encrypted but unauthenticated traffic can enter the internal network to reach Web Interface.
Figure 14-1: Access Gateway in the DMZ and Web Interface in the internal network
455
It is important to consult with a security expert to determine an appropriate security strategy for the organization. In general: Carefully consider whether the Web Interface should be located in the DMZ or in the internal network. If the Web Interface is placed in the DMZ, use Citrix SSL Relay to secure the Citrix XML traffic.
Access Gateway Communications
The following process provides an overview of the communications when Access Gateway is deployed in a XenApp environment. 1. The user navigates to the Access Gateway entry point. Access Gateway optionally runs an endpoint analysis scan before authentication. If the scan is successful, Access Gateway presents the authentication page to the user.
456
2. The user authenticates to Access Gateway. If authentication is successful, the credentials and endpoint analysis scan results are forwarded to the Web Interface, which passes the results to XenApp. 3. The user clicks a published application and the request is sent to the Web Interface. 4. The Web Interface generates an ICA file that includes a session ticket generated by the Secure Ticket Authority (STA). 5. The plug-in on the client device processes the ICA file and presents the ICA session ticket to Access Gateway. 6. Access Gateway validates the ticket. If the ticket is valid, the STA responds with the IP address of the XenApp server hosting the published application. 7. Access Gateway establishes a connection between the plug-in on the client device and the XenApp server.
Digital Certificates
ICA traffic between client devices on unsecured networks and the XenApp servers in the secure network is encrypted using an SSL version 3 or TLS version 1 protocol. These protocols rely on digital certificates to verify the identity of the systems participating in the connection. Access Gateway uses two types of digital certificates to provide secure communication and effective authentication: Server certificates Issued by a certificate authority (CA) and provides a way to confirm the identity of a server before data is transmitted to it The server certificate is based on the unique FQDN name of the server. Root certificates Issued by a CA and used to confirm the authenticity of the CA signature on the server certificates In a XenApp environment, the root certificate must be installed on each client device and Web Interface server. If an internal certificate is used for cost savings, the internal certificate must also be installed on each client device. Access Gateway self-signed certificates cannot be used as a root certificate.
The responsibility for issuing certificates can be delegated to an intermediate CA, which issues intermediate certificates, when a certificate base is too large for a single CA to maintain. Obtaining digital certificates incurs a cost and can take several days, especially if a third party is contracted for this purpose. However, the main advantage of using a third party is that most
457
popular operating systems embed root certificates so an administrator does not need to install them on the servers and client devices.
Access Gateway Certificate Requirements

Web Interface - Root certificate Citrix XML Service on XenApp servers - Server certificate
A root certificate must be installed on the Web Interface server because IIS requires a root certificate to make HTTPS connections to the Access Gateway. The IIS certificate and Access Gateway certificate must be from the same certificate authority. The Certificates MMC snap-in tool must be used to install the certificate and add it to the Trusted Root Certification Authorities on the local system.
458
If the communication is secured between the Access Gateway and the Secure Ticket Authority (STA) on the XenApp servers, each XenApp server that hosts the Citrix XML Service must also have a server certificate installed. The certificate must be trusted by the Access Gateway.
Securing Access to Hosted Applications

Instead of allowing VPN traffic between clients and servers running XenApp, administrators can configure Access Gateway for ICA proxy mode, sometimes known informally as Secure Gateway replacement mode. In ICA proxy mode, Access Gateway functions as an SSL proxy server between XenApp and client devices accessing published resources. In this configuration, client devices do not connect to the internal IP addresses of servers running XenApp. As a result, client devices do not need the Secure Access plug-in to access published resources; only the Citrix online plug-in is required on client devices. ICA proxy allows Access Gateway to secure access to hosted applications with the following benefits: A hardened appliance in the DMZ Browser-only access to published resources Granular access control with secure application access Traffic optimization, compression and SSL offload Support for Citrix Receiver When Access Gateway is configured for ICA proxy mode, the Secure Access plug-in is not required.
Access Gateway Authentication

When ICA proxy mode is enabled, Access Gateway authentication can be either enabled or disabled. If Access Gateway authentication is disabled, Web Interface is responsible for authenticating users. As a result, when users navigate to the Access Gateway FQDN, they are automatically forwarded to the Web Interface site. Users enter their credentials directly on the Web Interface site, which validates the credentials against the authentication service. However, if Access Gateway authentication is enabled, both Access Gateway and Web Interface are responsible for authenticating users. When users navigate to the FQDN of the Access Gateway, the Access Gateway logon page is displayed. Users enter their credentials on the logon page, which validates the credentials against the configured authentication server. If validation is successful, Access Gateway automatically forwards the credentials to Web Interface, which also validates them.
459
Single Sign-on to Web Interface

If ICA proxy mode is enabled, Access Gateway automatically provides single sign-on to Web Interface. User credentials entered on the Access Gateway logon page are forwarded to Web Interface, which also validates them. As a result, users enter their credentials only once but are authenticated twice. This increases security as only authenticated users and traffic are allowed access to Web Interface. When ICA proxy mode is disabled but the Access Gateway home page is set to the Web Interface site, administrators can enable Single sign-on manually.
Enabling ICA Proxy Mode

ICA proxy mode is set as part of an access policy. An administrator can use the following procedure to enable ICA proxy mode in the Access Gateway Administration Tool. 1. Click Authentication > Secure Ticket Authority and enter the Secure Ticket Authority settings. 2. Select the Access Policy Manager tab. 3. Right-click a user group and then click Properties. 4. Select the Gateway Portal tab and select Redirect to Web Interface. 5. Type the appropriate path in the Path field: Web Interface Type Web Interface 4.5 XenApp Web for Web Interface XenApp Services for Web Interface Path /Citrix/AccessPlatform /Citrix/XenApp /Citrix/PNAgent
6. Type the IP address or FQDN of the Web Interface in the Web server field and click OK.
SmartAccess
SmartAccess allows administrators to control user access to applications published in XenApp based on Access Gateway policy expressions, including end-point analysis (EPA) scans and SSL certificate checks. For example, by configuring secure application access, administrators
460
can deny users access to published applications if they fail an antivirus endpoint analysis scan. Administrators can also use SmartAccess to allow users a full VPN tunnel if connecting from a corporate-managed system or ICA-only access if connecting from another type of device.
SmartAccess Policies
Secure application access utilizes Citrix policy filters to control user access to published applications. If an Access Gateway policy evaluates to true based on the results of an EPA scan, the name of the session policy is sent to XenApp. XenApp compares the policy name with the policy filter names configured in the Access Control properties for a published application. Depending on the policy configuration, if the names match, the application will or will not appear in the list of applications available to the user. If an Access Gateway policy does not evaluate to true, the Access Gateway policy name is not sent to XenApp. Again, depending on the configuration, the application will or will not appear in the list of applications available to the user. In addition to controlling application access, policy filters can be used to apply Citrix policies to user sessions. If an Access Gateway policy evaluates to true based on the results of an EPA scan, the corresponding Citrix policy will be applied to the user session. If an Access Gateway policy does not evaluate to true, the corresponding Citrix policy will not be applied to the user session. For example, an administrator can configure policies so that if a connection attempt passes an EPA scan for antivirus software, client drive mapping would be enabled for the users XenApp session. Conversely, if the connection attempt did not pass the EPA scan, client drive mapping would be disabled. For more information on SmartAccess, see the Access Gateway documentation on the http://support.citrix.com web site.
461
Practice: Security Solutions

Match the security solutions listed below with the appropriate scenario in the following table. Each solution is used at least once. SecureICA SSL Relay Access Gateway Security Solution Scenario Lydia is the administrator of a large server farm with users that access the server farm resources through the Internet. Jeremy is the administrator of a large server farm with users that access the server farm resources internally through the LAN at the company. Ben is the administrator of a small server farm and needs to provide encryption of the communications being sent to the client devices and the Web Interface. Adam is the administrator of a small server farm and needs to provide two-factor authentication to users accessing server farm resources through the Web Interface.
462
Web Interface Configuration

Access Gateway, together with the Web Interface, provides a single, secure encrypted point of access from the Internet to servers on an internal corporate network. When Access Gateway is implemented in an environment, the Web Interface site can be configured to send the addresses of the XenApp servers to the Access Gateway. This configuration allows plug-ins to securely connect to XenApp servers.
Access Methods
Web Interface can be configured for the following access methods: Gateway direct Sends the actual address of the XenApp server to the Access Gateway This setting is the most common access method. Gateway alternate Sends the alternate address assigned to the XenApp server to the Access Gateway This setting requires configuration of the XenApp server with an alternate address and configuration of the firewall for network address translation. Gateway translated Uses the address translation mappings set in the Web Interface to determine which address is sent to the Access Gateway This setting is required when the address and port of the XenApp servers are translated at the internal firewall.
Gateway alternate and Gateway translated access methods each require configuration elsewhere. In a Gateway alternate configuration, ALTADDR must run on each server. Gateway translated requires configuration on the internal firewall.
463
Client Routes
In order to send communications through the Access Gateway, the access method must be specified in the client route. The default client route is configured to send the communications from and to all client devices using the specified access method. Additional client routes can be created for specific client devices that use a different access method. When multiple client routes are specified, they are applied in the order in which they appear in the client address table. An administrator can change the order that the client routes are applied by moving the client routes up or down in the table.
Client Route Example

An administrator wants the communications from external users coming in over the Internet to go through the Access Gateway; however, the communications from internal users should not go through the Access Gateway. To accomplish this, the administrator configures the default client route to use a "Gateway" access method and another client route to use either the direct, alternate or translated access method so that internal communications bypass the Access Gateway. In this case Web Interface would need to be on an internal network.
Access Gateway Settings

The following settings can be configured for a Web Interface site to enable it to work with the Access Gateway: FQDN Identifies the FQDN of the Access Gateway. This value must exactly match the name on the Access Gateway certificate. Identifies the port to be used by the Access Gateway. The default port is 443. Enables and disables the reconnection of user sessions in broken connections. Session Reliability is provided by the Citrix XTE Service through the Common Gateway Protocol (CGP). Identifies the URLs of the Secure Ticket Authorities (STAs). A single STA is capable of supporting a large number of users. As many as 256 STAs can be specified to provide fault tolerance. The URL must
Port
Enable session reliability
Secure Ticket Authorities URLs
464
include the FQDN of a XenApp server and end with /SCRIPTS/CTXSTA.DLL. Load Balancing Distributes the ticketing load across the available pool of STAs. Load balancing is done by round robin. By default, any failed STA is removed from the round-robin list for one hour. Hardware load balancer solutions are not recommended for STA load balancing. Specifies the amount of time the Web Interface will avoid contacting a failed STA. After the bypass interval has passed, the Web Interface will attempt to contact that STA again.
Bypass failed servers for
Configuring Web Interface for Access Gateway Connections

Web Interface must be able to reach a virtual server on the Access Gateway. If the Access Gateway is running in a two-arm configuration, an Access Gateway virtual server must have the same certificate and Web Interface must be able to contact the virtual server directly. This requirement includes: Resolving the name Routing traffic to the address Trusting the certificate An administrator can use the following procedure to configure Web Interface for Access Gateway connections in the Web Interface Management console. 1. Select a Web Interface site and click Secure Access in the Edit Settings pane. 2. Click Add in the Edit Secure Access Settings. 3. Enter the IP address and netmask of the client network. 4. Select an access method from the list. Gateway direct Gateway alternate Gateway translated If ICA proxy mode is disabled and VPN traffic to Web Interface is allowed, Web Interface can be configured in direct mode to accept user connections.
465
5. Type the FQDN of the Access Gateway in the Address (FQDN) field. The Access Gateway FQDN must match the FQDN used on the Access Gateway certificate, and Web Interface must be able to resolve and send traffic to the address. 6. Type the port number of the Access Gateway virtual server. 7. Add the URLs of the Secure Ticket Authorities.
466
Security Configuration Best Practices

Security configuration best practices include: Always install the latest version of Citrix plug-ins. Use IP addresses rather than FQDNs to connect to the Secure Ticket Authority. Secure connections between Access Gateway and other services (such as LDAP and Web Interface) with SSL. Deploy Access Gateway in the DMZ and Web Interface in the secure network. Ensure the management interface for Access Gateway and XenApp are not routable from a public network and are protected by host- and network-based firewalls. For more information about security best practices, see the XenApp security documentation on the http://support.citrix.com/proddocs/index.jsp web site.
467
Troubleshooting Access Gateway with XenApp

An administrator can use the solutions in the following table to address issues in a XenApp environment with Access Gateway. The Access Gateway log file is available in the administration tool under Access Gateway Cluster > Gateway > Logging/Settings > Show log file. Issue Resolution
The client cannot connect Ensure that DNS is properly configured between the client to Access Gateway device and the Access Gateway. Verify that the FQDN of the Access Gateway is specified correctly and matches the name on the server certificate. The IP address cannot be used. Ensure that the address and port to which the plug-in connects is a valid Access Gateway service if network errors such as SSL error 4 are returned. Install the CA root certificate on all client devices so they can connect when using an internal certificate server or a trial certificate from a CA. IPv6 connections fail Access Gateway cannot connect to the Secure Ticket Authority Ensure that Web Interface 5.0 or higher and the latest Citrix plug-ins are installed. Double-check the URL for the Secure Ticket Authority. The URL can change depending on whether or not port sharing is being used, or XML is being run on a different port. Understand how XML is running in the environment of the Secure Ticket Authority configuration because the URL and configuration information may reside in different areas.
Users are not able to log in Ensure the LDAP bind account has read privilege on the AD to Access Gateway tree. Investigate: The Access Gateway log file The security event log on the domain controller The contents of LDAP using LDAP Browser
468
Issue
Resolution
A user is not able to log in Verify that the logon credentials are valid. to Access Gateway Investigate: The Access Gateway log file The security event log on the domain controller User gets an "Access denied" error
Verify that the access method settings and Access Gateway settings for the Web Interface are correct. Investigate: The Access Gateway settings: Authentication Secure Ticket Authority IP address and port Authorization Session profile settings for published applications
The Web Interface settings: User gets a "Resource no longer available" error DMZ settings Gateway settings Authentication service URL
XML settings on XenApp server Access Gateway log file Web Interface trace Web Interface application event log
Verify the XML port in the Secure Ticket Authority for the Web Interface configuration is correct. Investigate: The Access Gateway log file The XML service and configuration on Web Interface and XenApp servers
A Secure Ticket Authority Verify the Secure Ticket Authority configuration. ticket is not issued and Investigate:
469
Issue user gets an SSL error upon launching a published application
Resolution The ICA file to ensure that it contains a valid ticket (right-click published application icon and save it as .TXT file) The accuracy of the Secure Ticket Authority link in Web Interface The Security Ticket Authority monitor to ensure it is running The Access Gateway log file
For more information on troubleshooting, see the Access Gateway documentation on the http://support.citrix.com/proddocs/index.jsp web site.
470
Review
1. Which component is not required for Access Gateway integration with Web Interface? a. b. c. d. A failover virtual server A FQDN that Web Interface can resolve An SSL certificate that Web Interface trusts An Access Gateway server that Web Interface can access
2. Which two critical security capabilities is SecureICA not designed to do? (Choose two.) a. b. c. d. It does not authenticate the XenApp server that the client accesses with SSL certificates. It does not encrypt session data sent between the client and the XenApp server. It does not authenticate the user that is requesting access to the XenApp server. It does not encrypt user authentication credentials sent between the client and the XenApp server.
3. Which two deployment scenarios are valid for Access Gateway and XenApp? (Choose two.) a. b. c. d. e. Access Gateway in the DMZ, Web Interface in the DMZ Access Gateway in the DMZ, Secure Ticket Authority in the DMZ Access Gateway in the DMZ, Web Interface in the internal network Access Gateway in the secure network, Web Interface in the DMZ Access Gateway in the secure network, Secure Ticket Authority in the DMZ
471
472
Module 15
Monitoring
474
Module 15: Monitoring
Overview
At the end of this module, you will be able to: Identify available Health Monitoring and Recovery tests. Track the usage of XenApp licenses at a point in time and over time. Automate complex workflows. Access XenApp information using PowerShell and other command line tools.
475

Health monitoring and recovery verifies specified XenApp services and sends an alert or takes an action when the verification fails. This capability is important to ensure proper functioning of a XenApp environment.
Health Monitoring Policies

Health monitoring and recovery settings are implemented as Citrix policies. Three policy types are available: Health monitoring Health monitoring tests Allows or prevents running health monitoring tests on the farm servers
Specifies which tests to run Preconfigured, default tests include the following: Test Citrix IMA Service Logon Monitor XML Service Terminal Services (Remote Desktop Services) Check DNS Function Queries the service to ensure that it is running Monitors session logon/logoff cycles Requests a ticket from the Citrix XML Service running on the server and prints the ticket Enumerates the list of sessions running on the server and the session user information, such as user name Performs a forward DNS lookup using the local host name to query the local DNS server in the environment for the IP address Ensures the data stored in the local host cache of the XenApp server is not corrupted and that there are no duplicate entries Inspects the threshold of the current number of worker threads running in the Citrix XML Service
Check Local Host Cache (LHC) Check XML threads
476
Test
Function
Microsoft Print Spooler Enumerates printer drivers, printer processors, Service and printers to determine whether or not the Print Spooler Service in Windows Server 2008 R2 is healthy and ready for use ICA Listener Citrix Print Manager Service Determines whether or not the XenApp server is able to accept ICA connections Enumerates session printers to determine the health of the Citrix Print Manager Service.
In addition, custom tests can be scripted and added to a health monitoring policy. Administrators can update the default names of the preconfigured tests. For more information on Health Monitoring Tests for XenApp 6, see the support.citrix.com/proddocs/index.jsp web site. For each test, the following parameters are required: Interval Time-out How frequently to check How long to wait after checking before determining that the check has failed How many checks to run before executing the recovery action Which action the farm should take if the test fails The options are: Alert only Remove server from load balancing Shutdown IMA service Restart IMA service Reboot server
Threshold
Recovery action
477
Maximum percent of offline servers
The maximum percentage of servers that health monitoring and recovery can exclude from load balancing.
An administrator can use the Citrix Policies node of the Group Policy Management Console (GPMC) or the Policies node of the Delivery Services Console to enable or disable health monitoring and recovery policies.
Health Monitoring and Recovery Example

An administrator of a small server farm has configured the health monitoring and recovery feature to run all of the available tests on all servers running XenApp in the farm except on the servers acting as dedicated data collectors. Because no user sessions will be running on these servers, the administrator configures only the Citrix IMA Services test to be run on the data collector servers.
478
EdgeSight Monitoring
Citrix EdgeSight is a performance and availability management solution. In XenApp environments, it is used to monitor: License usage XenApp server performance and availability Published application performance and availability EdgeSight for XenApp provides visibility into the following key areas: Farm-wide monitoring, including a tree view of the entire farm structure, visual detection of farm and subfolder errors and visual flags for devices with alerts Server availability, health check and session reliability monitoring Suite Monitoring and Alerting (SMA) log entries and alerting Extended end-user experience monitoring (EUEM) of the full set of ICA channels, providing a granular view of the environment Active Application Monitoring (AAM) allows for the establishment of configurable service level agreements (SLAs). An administrator can synthesize user tasks and monitor their execution time while EdgeSight provides feedback on application performance and availability based on the user experience. When SLA violations occur, real-time alerts containing diagnostic information can be triggered for the administrators review and action.
EdgeSight Components
For general performance reasons, 64-bit systems are recommended for EdgeSight server components. A Citrix EdgeSight environment consists of the following components: EdgeSight web console EdgeSight agents EdgeSight server Web Component Microsoft SQL Server Database Microsoft SQL Server Reporting Services Citrix License Server SMTP server SNMP server
479
EdgeSight Agents
The EdgeSight agent is a service that runs on a user device or XenApp server and collects data, which it writes into an agent-side database. At intervals the agent aggregates the data into a payload, sends the payload to the EdgeSight server and issues alerts if certain criteria are met. Data can also be displayed directly from an agent database for use in issue resolution. The EdgeSight agent monitors the following types of data: Device Network Process Published application Session User XenApp XenDesktop
The following list describes the types of EdgeSight agents available: Endpoint agent The endpoint agent is designed for client devices. The agent operates continuously and discreetly on client devices collecting performance, resource, application and network data. The XenApp agent is designed for use on Citrix XenApp servers. The agent records information about user sessions, client and server performance, application usage and network connections. Two types of XenApp agents are available: Basic Records data equivalent to previous versions of XenApp Resource Manager Records the full set of metrics for end-user experience monitoring (EUEM)
XenApp agent
Advanced
Basic agent functionality requires only a XenApp Enterprise Edition license, while advanced agent functionality requires a XenApp Platinum Edition or EdgeSight for XenApp license.
Virtual Desktop agent
The Virtual Desktop agent is designed for XenDesktop virtual desktops. It monitors system, application and network performance.
480
EdgeSight Server
The EdgeSight server collects data from the distributed agents and allows administrators to display the data to identify potential issues in the enterprise and to assist in issue resolution. The following components make up the EdgeSight server: Web component Serves as the configuration and reporting console of the EdgeSight architecture, accepts the data uploads from the agents and displays performance and availability information in a wide range of standard reports Stores the data uploaded from the agents and acts as the data source for Microsoft SQL Server Reporting Services Generates performance and availability information as reports from Microsoft SQL Server Reporting Services
Database
Report server
EdgeSight Web Console
Administrators and support personnel interact with the EdgeSight server through the EdgeSight web console. The console provides a powerful and flexible tool for displaying availability and performance information from the data collected by the distributed agents. Accessing the console is as simple as opening a web browser to the URL for the EdgeSight server and providing
481
credentials on the logon page. An EdgeSight user can access the console using the http://servername/edgesight URL. Replace servername with the name of the EdgeSight server.
License Server
A Citrix license server is used to supply licenses authorizing EdgeSight agents to upload data to an EdgeSight server. The license server can be anywhere on the network as long as it can be reached from the web server component of the EdgeSight server. A single license server can be shared by several Citrix products, including multiple EdgeSight servers.
SMTP Server
An SMTP server is used to send email notices to administrators for many conditions, including: Alert notification distribution Server error conditions New user passwords
SNMP Server
An SNMP server is an optional component of the EdgeSight environment. EdgeSight can send SNMP traps to notify system management consoles that alert conditions have been reached.
Microsoft System Center Operations Manager

System Center Operations Manager is an end-to-end service management product. EdgeSight alerts can be forwarded to System Center Operations Manager.
EdgeSight Communication
It is important for an administrator to understand the basic EdgeSight architecture and communication processes to effectively monitor an environment.
482
Agent Data Collection

Data collection is typically performed during hours of normal system usage to ensure that the data collected is an accurate representation of system availability and performance, without being skewed by large amounts of idle time. Some metrics, such as critical application and service resource statistics, are only collected when the user is actively using the system. This improves data accuracy and avoids capturing usage data for non-critical tasks, such as screen savers.
Agent Data Aggregation

XenApp agent data is aggregated in the following way: Every 15 seconds, data is collected and stored in the local agent database. The detailed data is retained for approximately four hours, dependent on the volume of data generated.
483
Approximately every 20 minutes, the collected data is aggregated into five-minute chunks. This time interval may vary up to several hours under system load. The five-minute data is retained in the agent database for three days so that historical information can be displayed. The time that the data is retained can be extended up to 29 days. Twice each day, the agent contacts the EdgeSight server to determine if data needs to be uploaded. The agent re-aggregates the data into one-hour chunks and then uploads it to the EdgeSight server. This frequency is configurable. If the agent software cannot reach the EdgeSight server, the aggregated data is retained for up to 29 days, or until the data is uploaded to the server. The data retention time can be configured by an administrator if required.
Performance Data
Performance data includes system metrics that are not linked to a specific event but to normal system operation. EdgeSight captures data related to system, network, application and XenApp session performance. For complete lists of individual metrics, see the EdgeSight documentation on the support.citrix.com/proddocs/index.jsp web site.
Event-Driven Data
Event-driven data includes metrics that are generated by an event occurring on the user system, for example, when the user invokes and starts to use an application or when a socket connection is made. The following list describes the application data that EdgeSight captures: Application issues EdgeSight can be used to determine: Which error message appeared When the error or crash occurred How many times the error or crash occurred Which system generated the error or crash What else was running on the system at the time of the error or crash
Application usage
EdgeSight can be used to determine: How long the application was running in memory
484
How much active or idle time has elapsed
Network connection
EdgeSight can be used to determine: How long network communications take What the average speed of the network is How much network volume is being utilized Which systems are experiencing the most delay Which applications are generating the most volume Which systems are responding slowly Which protocols are in use on the network
Agent Data Upload

When the agent is first installed, it registers itself with the server and obtains information about when data is scheduled to be uploaded to the server and what data is required by the server. Details about the data upload process include the following: Upload schedule Data is uploaded from the agent database to the associated EdgeSight server by default once each day for endpoints and twice each day for XenApp servers. The agent can be configured to upload as frequently as once each hour. For instance, a midday data upload can be scheduled to evaluate morning activity.
Data upload size
EdgeSight for XenApp agent data uploads can reach 500KB to 5MB. These data upload sizes depend on a number of factors such as the agent configuration and the usage profile of the system hosting the agent. For a database size estimation tool, see Knowledge Base article CTX122146 on the http://support.citrix.com web site.
Communication Protocol
HTTP or HTTPS is used to transfer the data to the server.
485
The data upload process is as follows: 1. The EdgeSight agent contacts the EdgeSight server to find out which data is requested based on when the last successful upload occurred. 2. The EdgeSight server responds with instructions for the data upload. 3. Based on the instructions, the agent aggregates its data into hourly chunks, bundles the aggregated data into a compressed payload and sends that payload to the configured EdgeSight server over HTTP/S. 4. The server stores the data in the local data folder from where it is retrieved and processed by the EdgeSight Script Host (RSSH). 5. The EdgeSight Script Host uploads the payload data to the Microsoft SQL Server database.
486
License Usage Monitoring

Service monitoring, which leverages the EdgeSight component, tracks XenApp license usage. License tracking functionality is available in all XenApp editions and is separate from the licenses that EdgeSight agents need to run. The Track Usage tab in the EdgeSight console contains reports for both current license usage and historical trends.
EdgeSight users can view current or historical license usage for all types of Citrix licenses. The service monitoring function does not require any agents; the EdgeSight server polls the license server directly. If an EdgeSight environment will be used solely for monitoring license usage, no agents are involved.
487
Configuring License Alerts

An administrator can use the following procedure to create an alert rule for a license server. 1. Open the EdgeSight Console and log on with your administrator credentials. Navigate to Configure > Company Configuration > Alerts > Rules. 2. Create a new alert rule by navigating to XenApp Error Alerts > License Server Connection Failure. No other parameter but a name for the rule is required. 3. Create an optional alert action.
Viewing License Usage

An EdgeSight user can use the following procedure to view current license usage information. 1. Navigate to Track Usage > License Usage Summary tab in the EdgeSight console. 2. Select a Product groups or Individual product and click Go. The current license usage is displayed.
Viewing Historical License Data

An EdgeSight user can use the following procedure to view license usage trends: 1. Navigate to Track Usage > License Usage Trending in the EdgeSight console. 2. Select Product groups or Individual product and click Go. Historical license usage is displayed. 3. Select applicable timeframes using the Zoom button. 4. Click the magnifying glass icon next to a product to isolate trends.
488
Workflow Studio Overview

Citrix Workflow Studio is an IT process automation solution that enables the creation, scheduling, management and running of workflows. Workflow Studio is built on the Microsoft .NET Framework, Windows Workflow Foundation and Windows PowerShell. Through use of a graphical workflow designer, an individual with no prior scripting experience can build workflows to fully automate business and IT processes. Key Workflow Studio terms include: Workflow A workflow is a compiled set of code that performs actions. Citrix Workflow Studio is geared specifically for automating IT processes through the use of workflows. A job is an instance of a workflow that is scheduled to be deployed. An activity library is a pre-configured set of workflow scripts that extend the graphical workflow designer. Using activity libraries, workflows can easily be created by dragging and dropping workflow tasks to create automated processes and build customized workflows. Existing activity libraries can be downloaded from the http://community.citrix.com/cdn/wf web site.
Job Activity Library
489
Workflow Studio Architecture
The Workflow Studio technology stack depicted in the graphic works as follows: 1. Products expose functionality through APIs. 2. Activity Libraries make the product functionality available to the workflow developer. 3. Workflows can be created to solve business problems. Workflow Studio is comprised of three components: Management Console/Designer User interface for: Developing and testing workflows Scheduling and reviewing workflow jobs
Designer Runtime
A Windows service that runs the workflow for testing
490
Runtime Engine
A Windows service that runs the workflow when a job is scheduled
Workflow Automation Use Cases

A workflow is the sequence of actions for a particular operation. The sequence of actions typically represents interactions between a computer system and a human operator. Workflow automation enables a computer system to complete the sequence of actions without involvement of the operator by specifying actions to perform given a set of specific criteria. Workflow automation allows instantaneous response times when thresholds are triggered by removing the need for operator interaction. Key use cases for workflow automation include: Power Management Power consumption in the datacenter can be reduced by triggering the shutdown and startup of datacenter resources to coincide with time periods of high and low usage. The process of provisioning users, which includes group, password and resources assignment, can be automated. Changes in user traffic patterns can be detected and server resources for on-demand access can be automatically re-configured by provisioning new resources as needed to support these changes. Failover and recovery procedures can be automated to meet recovery time objectives and enforce consistency during a disaster event. Repetitive tasks can be automated to ensure best practices are followed without introducing operator error. Server restarts can be scheduled to automatically occur at a specified date and time, or at a recurring interval using workflow automation. vDisk image updates can be automated on a scheduled or on-call basis in environments using Provisioning Services.
User Provisioning
Dynamic Resource Allocation
Disaster Recovery
Product Automation
Scheduled Restarts
vDisk Image Updates
491
Fault Recovery
EdgeSight can use the external actions capability to launch a workflow when an alert occurs.
492
Accessing the Server Farm using PowerShell

XenApp is built on the PowerShell SDK and provides cmdlets for automating XenApp administration and monitoring. XenApp information is available in interactive PowerShell sessions or in PowerShell scripts. Any task that can be performed in the Delivery Services Console can be automated with PowerShell, and most common administrative tasks have a cmdlet that can perform the task in only one line. For example, the New-XAWorkerGroup, New-XAFolder and New-XAApplication cmdlets manage applications. An administrator can use the following procedure to access the server farm using PowerShell: 1. Open a PowerShell window from the Start menu. 2. Add the XenApp PowerShell snap-in:
PS C:\Users\Administrator> Add-PSSnapin Citrix.XenApp.Commands
3. Execute a XenApp PowerShell cmdlet. For example, the Get-XAServer cmdlet retrieves and displays information about a XenApp servers in a farm.
PS C:\Users\Administrator> Get-XAServer XAProd1 ServerName FolderPath ZoneName ElectionPreference IPAddresses OSVersion OSServicePack Is64Bit CitrixProductName CitrixVersion CitrixEdition CitrixEditionString CitrixServicePack CitrixInstallDate CitrixInstallPath LicenseServerName LicenseServerPortNumber LogOnsEnabled IcaPortNumber : : : : : : : : : : : : : : : : : : : XAPROD1 Servers Default Zone MostPreferred {10.6.28.152} 6.1.7600 True Citrix Presentation Server 6.0.6406 Platinum PLT 0 3/6/2010 10:23:39 AM C:\Program Files (x86)\Citrix\ dmc 27000 True 1494
493
RdpPortNumber SessionCount
: : 163
Type
PS C:\Users\Administrator> Get-Help XA
to view a complete list of the cmdlets. For more information on using a cmdlet, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site. For example, execute the following command to view the help on the Get-XAServer command.
PS C:\Users\Administrator> Get-Help Get-XAServer
494
Administering the Server Farm using Commands

A number of command-line utilities are available to manage XenApp farms as an alternative to the Delivery Services Console. They are: ALTADDR APP AUDITLOG CHANGECLIENT CTXKEYTOOL CTXXMLS DSCHECK DSMAINT ENABLELB Specifies server alternate IP address Runs application execution shell Generates server logon/logoff reports Changes client device mapping Generates farm key for IMA encryption Changes the Citrix XML Service port number Validates the integrity of the farm data store Maintains the farms data store Enables load balancing for servers that fail health monitoring tests Configures TCP/IP port number used by the ICA protocol on the server Changes IMA ports Displays information about server farms, processes, ICA sessions, and users
ICAPORT
IMAPORT QUERY
495
These commands can be executed from a command prompt or PowerShell session. For more information on these commands and their options, see the XenApp documentation on the http://support.citrix.com/productdocs/index.jsp web site.
496
Review
1. At which interval is data collected and stored in the local Firebird database on a XenApp EdgeSight agent? a. b. c. d. e. 1 hour 5 minutes 5 seconds 20 minutes 15 seconds
2. When health monitoring and recovery is configured for a server, which three actions can be configured to take place automatically? (Choose three.) a. b. c. d. e. Restart the Citrix IMA Service. Restart the Citrix XML Service. Shut down the Citrix IMA Service. Send alerts to the Event Log of the server. Send a message to the data store database.
497
498
Module 16
Additional Components
500
Module 16: Additional Components
Overview
This module briefly discusses some of the additional Citrix components that can be used with XenApp. By the end of this module, you should be able to: Identify the purpose and key components of SmartAuditor. Identify the purpose and key components of Single sign-on. Identify the purpose and key components of EasyCall voice services. Identify the purpose and key components of Branch optimization. Identify the purpose and key components of Provisioning Services. Identify the purpose and key components of Power and Capacity Management. Identify the purpose and key components of XenServer.
501
SmartAuditor
SmartAuditor allows an organization to record the on-screen activity of any user's session, over any type of connection, from any server running XenApp. SmartAuditor uses flexible policies to automatically trigger recordings of XenApp sessions, which enables IT to monitor and examine the user activity in applications and demonstrate internal control, thus ensuring regulatory compliance and successful security audits. SmartAuditor should not be configured in countries that prohibit the recording of users' sessions. Key benefits of SmartAuditor include: Enhanced auditing Provides regulatory compliance that allows organizations to record on-screen user activity in applications Captures and archives screen updates, including mouse activity and the visible output of keystrokes in secured video recordings to provide a record of activity for specific users, applications and servers Allows the recording of thousands of sessions concurrently with minimum impact on system operation and performance Allows administrators to monitor activity in user sessions in near real-time Allows administrators to record activity based on the user, application or XenApp server being accessed Encrypts the playback of recordings through HTTPS communications, enables clientless recording and supports all Windows platforms that have a Citrix plug-in SmartAuditor supports the monitoring of published applications, but cannot monitor applications streamed to client devices.
Activity monitoring
Scalability
Live playback
Flexible recording
Strong security architecture
502
Clientless recording
Requires no client-side software and eliminates the need for client-side updates Records any session initiated on XenApp from all supported Windows and non-Windows devices
Multi-platform support
SmartAuditor Components
SmartAuditor consists of the following components: SmartAuditor Database A SQL Server 2005 or 2008 Enterprise or Express edition database used to store recorded session file metadata and service search requests A server that hosts a web application responsible for search queries, file download requests, policy administrator requests and evaluates recording policies for each session A Windows service on this server manages the recorded session files from each XenApp server containing a SmartAuditor agent. SmartAuditor Policy Console A visual interface for defining SmartAuditor recording policies Policies can be defined at the user, group, application or server level. SmartAuditor Agent An agent installed on each XenApp server that records session data The user interface that is used to play recorded session files and is typically installed on a workstation that is not in the datacenter
SmartAuditor Server
SmartAuditor Player
The SmartAuditor database, SmartAuditor server and SmartAuditor Policy Console can be installed on the same server or on separate servers.
503
Session Recording Process

SmartAuditor uses flexible policies to trigger recordings of sessions automatically, so an administrator can monitor and examine user activity, ensure regulatory compliance and conduct successful security audits of applications. The following process explains how session recording with SmartAuditor works: 1. A user launches a published application running on XenApp. 2. The SmartAuditor Agent begins recording the session while it queries the SmartAuditor Server to determine if the session should be recorded. 3. The SmartAuditor Server returns one of the following replies: Record with Notification (The user is presented with a dialog stating that the session is being recorded.) Record without Notification (The recording begins without user notification.) Do Not Record (The agent stops recording and the recording file is deleted.) 4. The Agent records the session. 5. The SmartAuditor Server stores the session metadata to the database and the session recording to disk, so the recording can be retrieved and reviewed using the SmartAuditor Player. For more information on SmartAuditor, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.
504
Single Sign-on
Citrix Single sign-on (formerly Citrix Password Manager) provides password security and Single sign-on access to Windows, web, and terminal emulator applications running in the XenApp environment as well as applications running on the client device. Users authenticate once and Single sign-on completes the authentication, automatically logging on to selected password-protected information systems, enforcing password policies, monitoring all password-related events, and even automating user tasks. In addition, Single sign-on contains self-service features such as account unlock and self-service password reset. These features allow users to reset their domain password or unlock their domain accounts from the Web Interface logon page without help desk or administrator intervention.
Single Sign-on Components

The main components of Single sign-on include: Central Store Is the centralized repository used to store and manage user data such as credentials and security question answers, and administrative data such as password policies, application definitions and security questions. Contains a Single sign-on node in the console and is the command center used to configure user configuration, application definitions, password policies and identity verification for Single sign-on. Submits the credentials to the applications running on the client device or server, enforces password policies, provides self-service functionality and enables users to manage their credentials with the Logon Manager. Provides the foundation for optional features such as self-service password resets by users, protection of data during transit to the plug-in, secondary credential recovery capability, provisioning of user data and credential information and credential synchronization among domains.
Single sign-on plug-in
Single sign-on service (optional)
505
Single Sign-on Process

The following process shows how password authentication works with Single sign-on: 1. 2. 3. 4. The Single sign-on plug-in is installed on the client device. A users attempts to access an application that requires authentication. The plug-in detects the application request for authentication. The plug-in locates the correct credentials in the local or central store and submits them to the application. 5. The local and central stores are synchronized. For more information on Single sign-on, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.
506
EasyCall Voice Services

EasyCall voice services integrates with the existing telephone system and corporate directory and enables a user to call any phone number displayed in published, streamed, or installed Windows, Macintosh and web-based applications without dialing the number. The user simply hovers the mouse pointer over telephone numbers in application windows and then clicks a button to start the call from any telephone (office, mobile, home and so on). EasyCall does not replace the existing VoIP or softphone system.
EasyCall Components
The main components of EasyCall include: EasyCall Gateway Is a virtual appliance that installs on Citrix XenServer 5 and is adjunct to the corporate telephony system Enables most telephone numbers that appear in Windows applications to be directly called, including local, long distance, international and internal extensions Allows developers to build click-to-call functions into applications and develop a web service client that verifies domain/username against an authentication mechanism
Communications plug-in
EasyCall Web Services APIs
EasyCall Process
EasyCall allows each user to create profiles for work, home and mobile phones. These profiles are used by the EasyCall Gateway to contact the user when a call is placed. After the EasyCall profiles are created, the user can begin using EasyCall to initiate calls from phone numbers within applications. The following process outlines the steps involved in placing a call with EasyCall, from start to finish: 1. The user hovers the mouse pointer over a number in an application.
507
The EasyCall phonebar appears. The user clicks the EasyCall button to place the call. The Communications plug-in sends a call request to the EasyCall Gateway. The EasyCall Gateway initiates a call from the private branch exchange (PBX) to the users phone. 6. The user accepts the call. 7. The EasyCall Gateway initiates a call from the PBX to the call recipients number. 8. The recipient accepts the call. 9. The PBX establishes the call path. 10. The EasyCall Gateway removes itself from the call cycle. 11. The user completes the conversation and terminates the call. For more information on EasyCall, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.
2. 3. 4. 5.
508
Branch Optimization
Citrix Branch Optimization is a WAN optimization solution that provides a LAN-like desktop and application experience to branch and mobile users while dramatically reducing WAN bandwidth costs and simplifying branch infrastructure.
Branch Repeater Components
Branch Optimization is a symmetric solution that requires Branch Repeater technology at both ends of the WAN link. Branch optimization can take place between any pair of Branch Repeater appliances or between a Branch Repeater appliance and a Branch Repeater plug-in. A Branch Repeater appliance in the datacenter can communicate concurrently with many Branch Repeater appliances and Branch Repeater plug-ins at branch offices.
509
Branch Repeater is available with the following components: Repeater appliance Resides in the datacenter of large offices and provides acceleration for high-volume and mission-critical links Has a browser-based user interface. Branch Repeater appliance Resides in branch offices and is smaller than a Repeater appliance Uses the same user interface as the Repeater appliance. Branch Repeater with Windows Server Is a Windows-based appliance that resides in branch offices and is smaller than a Repeater appliance Uses a Microsoft Management Console user interface. Branch Repeater VPX (virtual appliance) Is a virtual Branch Repeater appliance that runs on a server running an open-source Xen hypervisor and resides in branch offices Most, but not all of the functionality provided by a Branch Repeater appliance is available with the Branch Repeater VPX. Acceleration plug-in Is a software implementation of Citrix acceleration technology that runs on Windows-based client devices to provide similar acceleration features to the Repeater and Branch Repeater VPX components The plug-in is compatible with a Repeater appliance and a Branch Repeater VPX, but not with a Branch Repeater or Branch Repeater with Windows Server.
Branch Optimization Process for the Plug-in

The Branch Optimization solution can be easily deployed because it is transparent to both the application and the network. No changes are required to the existing application delivery infrastructure.
510
Administrators deploy a Repeater appliance in the data center. Users install the Repeater plug-in and the plug-in accelerates the applications traffic. The following process explains how Branch Optimization works: 1. The user's application opens a connection to the server. 2. The Acceleration plug-in looks up the address and decides to redirect the connection to the Repeater appliance. 3. The Repeater appliance accepts the connection and forwards the packet to the server. 4. The server accepts the connection and responds with an acknowledgement packet. 5. The Repeater appliance rewrites the addresses and forwards the packet to the Acceleration plug-in. 6. The connection is open and the client device and server send packets back and forth through the Repeater appliance. For more information on Branch Optimization, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.
511
Provisioning Services
Provisioning Services reduces total cost of ownership and improves both manageability and business agility by virtualizing the workload of a datacenter server, including the operating system, applications, and configuration and the streaming server workloads on demand to physical or virtual servers in the network. Provisioning Services can also be used to provision physical and virtualized desktops for use with VM hosted apps. Delivering server workloads on demand rather than deploying them on individual servers: Simplifies and streamlines server management and reduces software rollout risk
512
Delivers the operating system, applications and server configuration information in a real-time stream, maximizing performance and minimizing network load Ensures server consistency by provisioning servers simultaneously from a single standard image Increases IT responsiveness and agility by enabling capacity on demand; repurposes any server to do any job Reduces utility costs and space needs by lowering the number of backup servers needed to support disaster recovery and business continuity Enables rollback to a previous working image in the time it takes to reboot Supports redundant servers, networks, and databases Provisioning Services included with XenApp Platinum Edition is limited to provisioning XenApp Platinum Edition workloads only.
Provisioning Services Components
513
The following components are used by Citrix Provisioning Services: Provisioning Services Server Provisioning Services Database Store Streams a vDisk to a target device
Stores the Provisioning Services, vDisk, target device and system configuration settings Identifies the logical name given to a physical storage location for vDisks The store can be placed on the Provisioning Services local drive, a SAN, CIFS share, NAS or UNC path.
vDisk vDisk Pool
Contains an image of a workload Identifies the collection of all vDisks available to a site A site can contain only one vDisk pool.
Target Device
Receives the streamed operating system and applications from a vDisk
For more information on Provisioning Services, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.
514
Power and Capacity Management

Power and Capacity Management helps to reduce power consumption and manage server capacity by dynamically scaling up or scaling down the number of online virtualized XenApp servers. This is accomplished by consolidating users sessions onto fewer servers to improve server utilization so unnecessary servers can be powered down. In addition, Power and Capacity Management can be used to observe and record utilization and capacity levels through monitoring and report generation. Power and Capacity Management configuration is managed according to farms and workloads. These are distinct from XenApp farms and server groups.
Workloads and Profiles

A workload is a group of servers, defined by the administrator, that are managed as a common pool. Workloads often consist of servers that all host the same application or set of applications, referred to as an application silo. A Power and Capacity Management farm can contain one or more workloads. Within a workload, servers are grouped by profiles. A server profile contains information the agent discovers and information provided by the administrator to measure server capacity. The agent discovers hardware information such as the CPU type and the amount of memory, and sends it to the concentrator. The concentrator creates a profile entry in the database for a new profile or, if the profile values are the same as those in an existing profile, the existing profile is reused. If the hardware configuration changes (for example, more RAM is added to a server), Power and Capacity Management creates a new profile. The original profile is not altered, because other servers may still be using it. As new servers connect and report their profiles, they inherit any existing configured capacity value if they have the same profile as an existing configured server.
Power and Capacity Management Farm

XenApp servers being managed by Power and Capacity Management are called a farm. Members of a Power and Capacity Management farm can include some or all of the XenApp servers in a XenApp farm and even XenApp servers from multiple XenApp farms.
515
Control Modes
In Power and Capacity Management, servers are assigned a control mode. The control mode determines whether the server is eligible for power management or is participating in load consolidation. Control modes include: Unmanaged Servers assigned this control mode are not controlled by Power and Capacity Management. Servers assigned this control mode contribute to the capacity of the workload, but are not controlled by Power and Capacity Management. Servers that contribute essential services and should not be taken offline, for example the data collector and the server hosting the data store should be assigned this control mode. Servers assigned this control mode are fully controlled by Power and Capacity Management.
Managed (base load)
Managed
Power Management
Power Management controls the power on and power off operations for the servers in a workload or farm using the power controller preferences set in the server properties. For a power-on operation, the selection algorithm chooses a server with the highest power controller preference before selecting a server with a lower preference. For a power-off operation, the algorithm chooses a server with a lower power controller preference before a server with a higher preference. If that server is currently hosting sessions, the server is placed into drain mode. While in drain mode, the server does not accept new sessions but allows the reconnection of disconnected sessions. A server in drain mode powers off only when no sessions remain.
Load Consolidation
Load consolidation has the opposite effect of traditional XenApp load balancing. It aims to consolidate sessions onto fewer servers instead of spreading load evenly across many servers. By consolidating sessions, there is greater opportunity to power down excess servers, saving power and reducing running costs. Greater consolidation of sessions equates to higher levels of utilization for each server while online. Load consolidation works by continually monitoring the number of active sessions and remaining capacity for each server. It aims to load up small groups of servers with new sessions
516
to an optimal load level that each server can effectively handle. Once a server reaches its optimal load, load consolidation enables an additional server in the workload to accept new session load. When used in conjunction with Power Management, this additional server will be powered on automatically if it is currently powered off.
Power and Capacity Management Components

Power and Capacity Management consists of the following components: Agent The agent is a Windows service that reports the capacity and system state of the XenApp server. In addition, the agent acts on operations and commands issued by the concentrator. The agent is installed on XenApp servers. The concentrator is a Windows service that coordinates the system states and operations for the managed XenApp servers. As many as two concentrators can be installed, in which case they form a cluster. In a cluster, one concentrator will be the master concentrator. The Power and Capacity Management console connects to the master concentrator to obtain its data. The second concentrator will assume the master role if the master concentrator fails. The database uses Microsoft SQL Server to store information such as the inventory of servers being managed, workload assignments, schedules, metric data and configuration settings. The reporting component uses Microsoft SQL Server Reporting Services to provide workload reports for historical system loads, capacities and utilization summaries. The management console is an MMC snap-in and is used to manage, monitor and configure Power and Capacity Management.
Concentrator
Database
Reporting
Management Console
Power Setpoints
Throughout the day and week, different demands are placed on a XenApp environment. As a result, different setpoints must be used so Power and Capacity Management can ensure that the appropriate number of servers are online to handle the expected load and that servers are powered down during periods of low demand. This can be accomplished with schedules.
517
Schedules allow an administrator to assign values to the setpoints based on the time of day and day of week. A setpoint defines either a target capacity level (number of sessions) or a target number of online servers. Setpoints are used to determine how many servers should be powered on. For more information on Power and Capacity Management, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.
518
XenServer
Citrix XenServer is a virtualization platform that provides open and powerful server virtualization. XenServer can reduce datacenter costs by transforming static and complex datacenter environments into more dynamic, easy to manage server workload delivery centers. It is based on the open source Xen hypervisor and delivers a secure and mature server virtualization platform with near bare-metal performance.
XenServer Components
XenServer consists of the following components: XenServer host The software installed on a physical server that is dedicated entirely to hosting virtual machines The XenServer host controls the interaction between the virtualized devices seen by VMs and the physical hardware. XenCenter The software used to manage the XenServer host This software can be installed on any system running a Windows operating system and can be used to run other applications simultaneously. For more information on XenServer, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.
519
Review
1. Which three components are included in XenApp? (Choose three.) a. b. c. d. e. EdgeSight NetScaler XenDesktop SmartAuditor Single sign-on
2. Which statement about EasyCall voice services is true? a. b. c. d. It is a virtual appliance that allows users to access applications using any phone It is a virtual appliance that enables users to place calls from business applications It is a virtual appliance that verifies the password of a user accessing a business application It is a virtual appliance that speeds up communication channels and replaces the PBX in an organization
3. What are two benefits of SmartAuditor? (Choose two.) a. Administrators can monitor sessions to aid in the compliance of regulatory policies. b. Administrators can configure a Security Module to protect the data store database. c. Administrators can configure policies to control which applications client devices can access. d. Administrators can specify recording options based on the user, application or the XenApp server that is accessed. 4. For which purpose can Provisioning Services be used? a. b. c. d. Secure ICA traffic Host virtual machines Provision physical and virtual desktops Automate business and IT processes
520
Appendix A
Review Questions and Answers
522
Appendix A: Review Questions and Answers
Module 2 Introducing XenApp: Review Answers

1. Which options are editions of XenApp? a. b. c. d. Standard, Enterprise, Custom Advanced, Essential, Platinum Basic, Intermediate, Advanced Advanced, Enterprise, Platinum Answer: d 2. Which feature of XenApp delivers a high performance, high definition user experience through virtualized applications from any device, on any network? a. b. c. d. SSL Relay SNMP Monitoring Citrix HDX technology Support for Microsoft App-V Answer: c 3. Which component is not one of the primary architectural components of XenApp? a. b. c. d. Data collector License server Data store database Desktop Delivery Controller Answer: d 4. Which statement about Independent Management Architecture is true? a. b. c. d. Communicates with XenApp using TCP port 25000 Delivers crucial systems that collectively leverage additional Citrix products Runs on designated XenApp servers and is enabled in the Delivery Services Console Provides the framework for all server-to-server communication that occurs in a XenApp farm Answer: d
523
Module 3 Licensing XenApp: Review Answers

1. After a license server is installed and licenses added, servers can lose contact with the license server for up to how many days without the loss of functionality? a. b. c. d. 5 30 90 96 Answer: b 2. Which type of licensing manages the licenses that are required for each device or user to connect to a Remote Desktop Session (RDS) Host server? a. b. c. d. Citrix licensing XenApp licensing Microsoft plug-in licensing Remote Desktop licensing Answer: d 3. Complete the following sentence. When implementing XenApp, It is a best practice to install the license server _______. a. b. c. d. After installing XenApp Before installing XenApp On the same server as XenApp On the same server as the Web Interface Answer: b 4. What should an administrator do to obtain a license file? a. b. c. d. Call Citrix Technical Support Copy a file from a previous XenApp implementation Log on to the MyCitrix web site using personalized credentials Run the License Generation Wizard from the Delivery Services Console Answer: c
524
Module 4 Installing XenApp: Review Answers

1. True or False: An individual can elevate their privilege to local administrator through User Account Control to gain membership to the local administrators group. a. True b. False Answer: b 2. Which item is not available as a role in the XenApp Server Role Manager? a. b. c. d. Data collector XenApp server Web Interface server Provisioning services Answer: a 3. Complete the following sentence. When configuring XenApp, to use an existing license server, administrators enter the license server name or __________. a. b. c. d. IP address license key MAC address administrator credentials Answer: a 4. Complete the following sentence. If pass-through authentication is not enabled during the installation and is later desired on the server, the plug-in software __________. a. b. c. d. cannot be configured to use pass-through authentication automatically configures upon reboot for pass-through authentication must be reinstalled on the server before pass-through authentication can be used can be copied from another XenApp environment that contains pass-through authentication Answer: c
525
Module 5 Configuring XenApp Administration: Review Answers

1. Which privileges can be granted to a XenApp administrator account? a. b. c. d. Full, View Only, Guest Read Only, Write Only, Add/Update View Only, Full Administration, Custom Create Accounts, Delete Accounts, Update Accounts Answer: c 2. Which statement about folders in the Delivery Services Console is true? a. b. c. d. All administrators can create folders. Permissions can be assigned to individual applications in folders. Folders can be used to delegate the administration of applications and servers. Changes to permissions on a parent folder are automatically copied to all subfolders. Answer: c 3. If IMA encryption is enabled, which effect will it have on the Configuration Logging database? a. b. c. d. All data in the Configuration Logging database will be backed up. Credentials to the Configuration Logging database will be encrypted. Only an Oracle database can be used for the Configuration Logging database. Only a SQL Server database can be used for the Configuration Logging database. Answer: b 4. Which statement about worker groups is true? a. The first XenApp server moved into a worker group becomes the zone data collector. b. Farm servers in a worker group with a priority setting of 3 are considered the highest priority. c. A farm server added to a worker group will automatically inherit the policy configurations for the worker group. d. A farm server added to a worker group does not need to have an application installed locally to be able to inherit the published application configurations of the worker group and host the application. Answer: c
526
Module 6 Installing and Configuring Web Interface: Review Answers

1. Which authentication method is not recommended in secure environments? a. b. c. d. Smart card Anonymous Single sign-on Novell Directory Services Answer: b 2. Which feature allows users to disconnect and reconnect to ICA sessions as they move between client devices? a. b. c. d. Workspace control Explicit authentication Pass-through authentication Pass-through with smart card authentication Answer: a 3. Which two types of Web Interface sites can an administrator create? (Choose two.) a. b. c. d. XenApp Web XenApp Plug-in XenApp Services XenApp Advanced Configuration Answer: a, c 4. Which three protocols can be used to transport Web Interface data between the web server and XenApp servers? (Choose three.) a. b. c. d. HTTP HTTPS IPX/SPX SSL Relay Answer: a, b, d 5. Which statement is true when using network address translation in a Web Interface deployment?
527
a. b. c. d.
The alternate IP address of a XenApp server is included in the client files The alternate IP address of a Secure Gateway server is included in client files. The ALTADDR command is used to change the IP address of the Web Interface server. The internal IP address of a XenApp server is mapped to the external IP address of the Web Interface server. Answer: a
6. The Client for Java should be used in which two situations? (Choose two.) a. b. c. d. A web browser does not exist on the client device. Permanent installation of plug-in software is desired. Permanent installation of plug-in software is not permitted. A Java-compatible web browser exists on the client device. Answer: c, d 7. When the Citrix online plug-in is used to access published applications, which statement is correct? a. b. c. d. A XenApp Web site is required. A XenApp Services site is required. Pass-through authentication cannot be used. A web browser is used to communicate with the Web Interface site. Answer: a
528
Module 7 Delivering Applications and Content: Review Answers

1. An administrator can manage published content using which node in the Delivery Services Console? a. b. c. d. Content Applications Published Resources Installation Manager Answer: b 2. When an application set contains a large number of published applications, server desktops and content, how can an administrator effectively organize the resources for users? a. b. c. d. Use load-managed groups. Use the Resource Manager. Create client application folders. Create application folders in the console. Answer: c 3. What are two types of content redirection? (Choose two.) a. b. c. d. e. Client-to-server Server-to-client Client-to-content Application-to-server Content-to-application Answer: a, b 4. An administrator can configure the importance level of a published application using which option in the properties of the application? a. b. c. d. Type Limits Client options Access control Answer: b 5. Which statement is true about published resource properties?
529
a. b. c. d.
Published resource properties cannot be modified. Published resource properties can be modified at any time. Published resource properties can be modified only when the resource is disabled. Published resource properties cannot be modified when users are using the resource. Answer: b
6. Which two statements about session sharing are true? (Choose two.) a. Session sharing does not take precedence over load balancing settings. b. All applications in a shared session must be published with the same settings. c. Session sharing is a mode in which more than one hosted application runs on a single connection. d. Session sharing is a mode in which more than one user can access the same hosted application in a single session. Answer: b, c
530
Module 8 Streaming Applications: Review Answers

1. In addition to the standard server farm components of XenApp 6, which Citrix component is needed for application streaming to a desktop? a. b. c. d. Citrix Receiver Citrix online plug-in Citrix offline plug-in Citrix Access Gateway Answer: c 2. Which two statements regarding the Citrix offline plug-in are accurate? (Choose two.) a. b. c. d. e. The offline plug-in is invisible to the user. The offline plug-in runs as a service on the client device. The offline plug-in determines the application delivery mode. The offline plug-in is displayed in the Windows notification area. The offline plug-in can be used in conjunction with a XenApp Web site to access applications offline. Answer: a, b 3. A profile creates a target based on which four criteria? (Choose four.) a. b. c. d. e. f. Applications Operating system Service Pack level System drive letter Operating system language Files, folders and registry settings Answer: b, c, d, e 4. An administrator is creating a profile for an application and wants to include a specific Internet Explorer plug-in. Which type of installation should the administrator use? a. b. c. d. e. Quick Default Standard Advanced Integrated
531
Answer: d 5. An administrator must publish which file type to make a streaming application available to users? a. b. c. d. .EXE .MSI .RAD .PROFILE Answer: d 6. Which two application types can be configured in a Web Interface site so that applications stream to the desktop of a client device? (Choose two.) a. b. c. d. e. Online Offline Dual mode Streamed to client Streamed to server Answer: b, c 7. An administrator wants users to be able to access applications installed on the XenApp server through the online plug-in and access streaming applications when the users are offline. What must the administrator configure? a. b. c. d. One XenApp Web site One XenApp Services site One XenApp Web site and one XenApp Services site Two XenApp Web sites and two XenApp Services sites Answer: b
532
Module 9 Configuring Policies: Review Answers

1. Citrix policies can be created using which three management tools? (Choose three.) a. b. c. d. e. Delivery Services Console Terminal Services Manager Advanced Configuration Console Advanced Group Policy Manager Group Policy Management Console Answer: a, d, e 2. When an existing Citrix user policy is changed, how long does the previous policy remain in effect? a. b. c. d. For the length of the session Until the user profile is changed Until the user disables the policy Until the user is moved to another group Answer: a 3. Which filter is not valid for use with policies in XenApp? a. b. c. d. Servers Worker groups Client device name User and user groups Answer: a 4. Which two events do not trigger a policy update evaluation? (Choose two.) a. b. c. d. e. f. A user logs on The server is rebooted An OU trust is created A policy update is forced A print server is imported The policy refresh interval is reached Answer: c, e
533
5. Select the correct order in which policies are processed and applied. a. b. c. d. e. Domain GPOs, Local GPOs, IMA-based policies, OU GPOs, Site GPOs IMA-based policies, OU GPOs, Local GPOs, Site GPOs, Domain GPOs Local GPOs, IMA-based policies, Site GPOs, Domain GPOs, OU GPOs OU GPOs, Local GPOs, IMA-based policies, Site GPOs, Domain GPOs Site GPOs, Domain GPOs, Local GPOs, OU GPOs, IMA-based policies Answer: c
534
Module 10 Configuring Load Management: Review Answers

1. An administrator can attach load evaluators to which two components in a server farm? (Choose two.) a. b. c. d. Users Servers Groups Published applications Answer: b, d 2. The Default load evaluator is based on which rules? a. b. c. d. Page Faults, Load Throttling Context Switch, Load Throttling Disk Operations, Load Throttling Server User Load, Load Throttling Answer: d 3. The Advanced load evaluator is based on which rules? a. b. c. d. CPU Utilization, Load Throttling, Memory Usage and Page Swap Load Throttling, Memory Usage, Page Swap and Server User Load CPU Utilization, Load Throttling, Page Swap and Server User Load CPU Utilization, Load Throttling, Memory Usage and Server User Load Answer: a 4. A server to which the Advanced load evaluator is assigned is dropped from the internal list of available servers when which event occurs? a. b. c. d. When all the rules in the Advanced load evaluator meet their set thresholds When one of the rules in the Advanced load evaluator meets its set threshold When all the rules in the Advanced load evaluator exceed their set thresholds When one of the rules in the Advanced load evaluator exceeds its set threshold Answer: b 5. An administrator can create a custom load evaluator using which two methods? (Choose two.)
535
a. b. c. d.
By using the Load Manager Monitor By duplicating an existing load evaluator By using the New > Add Load Evaluator menu option By altering the rules in either the Default or Advanced load evaluator Answer: b
6. An administrator can adjust load evaluator properties ____________. (Fill in the blank with the correct answer.) a. b. c. d. At any time At the time of creation only For the Advanced load evaluator only Only when the load evaluator is not being used Answer: a
536
Module 11 Optimizing the User Experience: Review Answers

1. If a client device is connected to XenApp server over a slow connection and the user is experiencing delayed mouse clicks and keyboard response, which type of session optimization technology should be implemented to address this issue? a. b. c. d. HDX RealTime HDX MediaStream for Flash SpeedScreen Latency Reduction HDX MediaStream Multimedia Acceleration Answer: c 2. An administrator should publish __________ and enable __________ for users who need to watch videos and require high quality. a. b. c. d. Firefox, HDX 3D Image Acceleration QuickTime, HDX MediaStream for Flash Outlook, SpeedScreen Latency Reduction RealOne Player, HDX MediaStream Multimedia Acceleration Answer: d 3. Which three statements about HDX 3D Image Acceleration are correct? (Choose three.) a. b. c. d. e. HDX 3D Image Acceleration works best with medical imaging. HDX 3D Image Acceleration can be enabled using a Citrix policy. HDX 3D Image Acceleration removes redundant data from an image file. HDX 3D Progressive Display works in conjunction with HDX 3D Image Acceleration. HDX 3D Image Acceleration provides a high image quality when the compression level is set to high compression. Answer: b, c, d 4. Which statement about HDX MediaStream for Flash is true? a. It auto-creates printers after the Flash Player launches. b. It auto-creates printers before the Flash Player launches. c. It forces the Flash Player to start in a high-quality mode instead of the default low-quality mode. d. It forces the Flash Player to start in a low-quality mode instead of the default high-quality mode.
537
Answer: d 5. Which three statements are true concerning Session Reliability? (Choose three.) a. HDX Broadcast Session Reliability reconnects the user without the loss of data. b. HDX Broadcast Session Reliability resets the user connection upon session interruption. c. HDX Broadcast Session Reliability reconnects the user without requiring re-authentication. d. HDX Broadcast Session Reliability tunnels the ICA traffic through the Common Gateway Protocol (CGP) on port 1494. e. HDX Broadcast Session Reliability tunnels the ICA traffic through the Common Gateway Protocol (CGP) on port 2598. Answer: a, c, e
538
Module 12 Configuring Self-Service Applications: Review Answers

1. Which plug-in provides a self-service storefront for enterprise resources to users? a. b. c. d. Dazzle Online plug-in Offline plug-in Communications plug-in Answer: a 2. From which component does the Merchandising Server obtain new plug-ins to distribute to client devices? a. b. c. d. XenApp farm Citrix Receiver The Web Interface Citrix Update Service Answer: d 3. Which component manages plug-ins on a client device, allowing IT to deliver applications and desktops as an on-demand service? a. b. c. d. Dazzle Citrix Receiver Web Interface Merchandising Server Answer: b
539
Module 13 Configuring Printing: Review Answers

1. Which type of printer is accessed as a shared resource and connected to the network by means of a print server? a. b. c. d. Network printer Client local printer Server local printer Client network printer Answer: a 2. Which statement concerning printing in a XenApp environment is true? a. b. c. d. Auto-created network printers are identified only by their printer name. Printer properties can be stored on the client device or in the user profile. Auto-created client local printers are identified only by their printer name. By default, only the default client printer is automatically created during logon. Answer: b 3. Which statement is NOT a benefit of implementing the Universal printing policy rule? a. It limits which printers users can access. b. It reduces printer driver maintenance issues. c. It ensures that client printers are auto-created regardless of printer driver availability on the server. d. It reduces the size of some print jobs and reduces delays when print jobs are spooled over slow connections. Answer: a 4. Which printer drivers are installed by default on a XenApp server? a. b. c. d. No printer drivers HP printer drivers Universal printer drivers Those designated during installation Answer: c 5. Printer bandwidth limitations can be set using which two methods? (Choose two.)
540
a. b. c. d.
Worker group properties Published application properties Policies in the Delivery Services Console Citrix Policies in Group Policy Management Console Answer: d
541
Module 14 Securing XenApp: Review Answers

1. Which component is not required for Access Gateway integration with Web Interface? a. b. c. d. A failover virtual server A FQDN that Web Interface can resolve An SSL certificate that Web Interface trusts An Access Gateway server that Web Interface can access Answer: a 2. Which two critical security capabilities is SecureICA not designed to do? (Choose two.) a. b. c. d. It does not authenticate the XenApp server that the client accesses with SSL certificates. It does not encrypt session data sent between the client and the XenApp server. It does not authenticate the user that is requesting access to the XenApp server. It does not encrypt user authentication credentials sent between the client and the XenApp server. Answer: a, d 3. Which two deployment scenarios are valid for Access Gateway and XenApp? (Choose two.) a. b. c. d. e. Access Gateway in the DMZ, Web Interface in the DMZ Access Gateway in the DMZ, Secure Ticket Authority in the DMZ Access Gateway in the DMZ, Web Interface in the internal network Access Gateway in the secure network, Web Interface in the DMZ Access Gateway in the secure network, Secure Ticket Authority in the DMZ Answer: a, c
542
Module 15 Monitoring: Review Answers

1. At which interval is data collected and stored in the local Firebird database on a XenApp EdgeSight agent? a. b. c. d. e. 1 hour 5 minutes 5 seconds 20 minutes 15 seconds Answer: e 2. When health monitoring and recovery is configured for a server, which three actions can be configured to take place automatically? (Choose three.) a. b. c. d. e. Restart the Citrix IMA Service. Restart the Citrix XML Service. Shut down the Citrix IMA Service. Send alerts to the Event Log of the server. Send a message to the data store database. Answer: a, c, e
543
Module 16 Additional Components: Review Answers

1. Which three components are included in XenApp? (Choose three.) a. b. c. d. e. EdgeSight NetScaler XenDesktop SmartAuditor Single sign-on
2. Which statement about EasyCall voice services is true? a. b. c. d. It is a virtual appliance that allows users to access applications using any phone It is a virtual appliance that enables users to place calls from business applications It is a virtual appliance that verifies the password of a user accessing a business application It is a virtual appliance that speeds up communication channels and replaces the PBX in an organization Answer: b 3. What are two benefits of SmartAuditor? (Choose two.) a. Administrators can monitor sessions to aid in the compliance of regulatory policies. b. Administrators can configure a Security Module to protect the data store database. c. Administrators can configure policies to control which applications client devices can access. d. Administrators can specify recording options based on the user, application or the XenApp server that is accessed. Answer: b, d 4. For which purpose can Provisioning Services be used? a. b. c. d. Secure ICA traffic Host virtual machines Provision physical and virtual desktops Automate business and IT processes Answer: c
544
Appendix B
Practice Questions and Answers
546
Appendix B: Practice Questions and Answers
Module 2 Introducing XenApp: Practice Answers

Match the components of XenApp in the following table with the description that best identifies its function. Issue c Worker groups d Resource Manager f Load Manager g Web Interface a Data collector e Delivery Service Console b Citrix Plug-ins Resolution a. Stores dynamic farm information b. Makes it possible for users to access published resources c. Allows multiple servers to be grouped together to ease administration d. Provides the ability to monitor, report and collect server resource metrics for all servers in a farm e. Allows administrators to configure administrative permissions and published resources f. Ensures that each user connects to the server most capable of handling the connection g. Provides users access to published resources in one or more server farms through a web browser or the Citrix online plug-in
547
Module 5 Administrative Configuration: Practice Answers

Use your knowledge of folders and permissions to provide the answers to the following scenarios. Scenario 1: An administrator with full administration privileges (full administrator) grants an administrator with custom privileges (custom administrator) access to the Applications node in the Delivery Services Console. The custom administrator is given full permissions to the following: Publish Applications and Edit Properties All Application Sessions tasks Six months later, the full administrator creates a folder within the Applications node of the Delivery Services Console to better manage the published applications in the server farm. When creating the new folder, the full administrator chooses to copy permissions from the parent folder. Which permissions does the custom administrator have to the new folder? Answer: The same permissions as those of the parent folder. Scenario 2: An administrator with full administration privileges (full administrator) grants an administrator with custom privileges (custom administrator) access to the Applications node in the Delivery Services Console. The custom administrator is given full permissions to the following: Publish Applications and Edit Properties All Application Sessions tasks Six months later, the full administrator creates a folder within the Applications node of the Delivery Services Console to better manage the published applications in the server farm. When creating the new folder, the full administrator chooses not to copy permissions from the parent folder. Which permissions does the custom administrator have to the new folder? Answer: The custom administrator does not have permissions to the new folder. Scenario 3: CompanyA has a server farm that consists of ten servers: five located in Quebec and five located in Hong Kong. The administrators in each location must have permission to manage only the servers in their geographic region. To accomplish this task, the full administrator creates two folders under the Servers node in the Delivery Services Console (QB_Servers and HK_Servers). The full administrator then moves the servers into the respective folders.
548
What else must the full administrator do to ensure that administrators can only manage the servers in their geographic region? Answer: The full administrator must grant permissions for the new folders to the appropriate regional custom administrators to ensure that the administrators in each location can administer only the servers in their location.
549
Module 6 Installing Web Interface: Practice Answers

Site Customization
Match the scenarios in the following table with the customization option used to address the scenario. Layout Appearance Content Customization Option Layout Content Appearance Content Layout Appearance Scenario Change the number of tabs displayed in the site. Change the standard language of the site to Spanish for users in Mexico. Add the company logo to the header area of the site. Add the "Welcome to the Marketing Department" welcome message to the site. Allow users to customize the screen layout on the client device. Add the company logo.
Authentication Configuration
Fill in the blanks to complete the following sentences. 1. A User Principal Name is a unique name in Windows Active Directory given to each user as an identifier and consists of a principal name and a domain name or domain alias. 2. When pass-through authentication is implemented, users do not need to enter their credentials to access their application set. 3. A smart card can be used to authenticate users to a Web Interface site. 4. An administrator can select Windows, NDS or NIS authentication for explicit logon to a Web Interface site. 5. When Novell Directory Services is selected for explicit authentication, a tree name and context name must be specified.
550
6. Both SafeWord and RSA SecurID two-factor authentication methods use a token and a PIN number to create a passcode. 7. When Single sign-on is integrated with the Web Interface, the reset feature can be enabled to allow users to reset their network password.
551
Module 7 Delivering Applications and Content: Practice Answers

Publishing Resources
Identify which statements are true and which statements are false. Correct the false statements to make them true. 1. F The display name for the published resource is auto-generated. The display name is important because it is the name that the plug-in uses to identify the published resource. The display name for the published resource is not auto-generated. The name is specified by the administrator. It is important because it is the name that the users use to identify the published resource. 2. T An administrator can stream an application to XenApp servers and to the desktops of client devices using the application streaming feature in XenApp. 3. T After the basic settings have been configured for a published resource, an administrator can publish the resource immediately without configuring the advanced settings. 4. F Installing an application on servers in a different directory on each server in the server farm will make accessing published applications easier for the users. The location of the published application on a server has no impact on users. Installing an application in the same directory on all servers in the server farm will make publishing an application easier for the administrator. 5. T The user profile information is persistent for configured user accounts.
Content Redirection
Match each scenario in the following table with the content redirection method that should be implemented. Each method is used once. Server-to-client content redirection Client-to-server content redirection Published content with client-to-server content redirection
552
Content Redirection Method Published content with client-to-server content redirection
Scenario Once a month, a published version of a listing of employee events is made available to all employees. Because employees have a range of client devices, HR wants employees to view the document using a published application. Alisha wants to access a published version of a web-based accounting tool using a web browser installed locally on her client device. The Operations team wants to view its weekly log reports (.XLS files) using a published version of Excel.
Server-to-client content redirection Client-to-server content redirection
553
Module 10 Configuring Load Management: Practice Answers

Match the load evaluators listed below with the appropriate scenarios in the following table. Each load evaluator will be used at least once. Default Advanced Custom Load Evaluator Default Custom Advanced, Custom Custom Issue All servers in the server farm host the same applications and can support 100 user sessions. The administrator wants to remove one or more published applications from the list of applications for a period of time. All servers in the server farm have different server hardware but host the same published applications. Some servers contain published applications that require significant server resources.
554
Module 11 Optimizing the User Experience: Practice Answers

Match the session optimization technology listed below with the issue that each would best resolve. 1. 2. 3. 4. 5. 6. HDX RealTime HDX Plug-n-Play HDX 3D Image Acceleration HDX MediaStream for Flash SpeedScreen Latency Reduction HDX MediaStream Multimedia Acceleration Session Optimization Technology 3. HDX 3D Image Acceleration 5. SpeedScreen Latency Reduction 6. HDX MediaStream Multimedia Acceleration 1. HDX RealTime 2. HDX Plug-n-Play 4. HDX MediaStream for Flash Scenario Graphic artists experience long load times when viewing images with published photo imaging software. Accounting users experience slow keyboard and mouse response when using all published applications. Users in Human Resources experience choppy playback when viewing training videos using published Windows Media Player. Executives request the ability to use Microsoft Office Communicator as a video conferencing tool. Graphic artists request the ability to use 3D mice within a published application. Marketing users experience choppy playback of all Flash media when using published Internet Explorer.
555
Module 13 Configuring Printing: Practice Answers

Printer Drivers
Provide the correct response for each of the following questions. 1. In order to prevent printer drivers from being installed automatically, which policy rule should be configured? Native printer driver auto-install 2. What are four benefits of using the Universal printer driver? 1. 2. 3. 4. It reduces the size of some print jobs. It limits the need to install and replicate printer drivers. It reduces the number of help desk calls. It enables users to print to almost any modern printer.
Printing Definitions
Match the printing policy rules in the following table to the correct terms. Term e Auto-creation Definition a. A rule that enables the use of old-style printer names as used by prior versions of XenApp
c Printer properties retention b. A rule that controls whether network printer jobs flow directly from XenApp server to the print server or take an extra step and are routed back through the client device d Turn off client printer mapping a Legacy client printers b Print job routing c. A rule that controls whether printer properties are stored on the client device or user profile d. A rule that disables the mapping of all client printers e. A rule that controls the auto-creation of all, local, default or no client printers.
556
Module 14 Securing XenApp: Practice Answers

Match the security solutions listed below with the appropriate scenario in the following table. Each solution is used at least once. SecureICA SSL Relay Access Gateway Security Solution Access Gateway SecureICA Scenario Lydia is the administrator of a large server farm with users that access the server farm resources through the Internet. Jeremy is the administrator of a large server farm with users that access the server farm resources internally through the LAN at the company. Ben is the administrator of a small server farm and needs to provide encryption of the communications being sent to the client devices and the Web Interface. Adam is the administrator of a small server farm and needs to provide two-factor authentication to users accessing server farm resources through the Web Interface.
SSL Relay
Access Gateway
557
Glossary
Access Management Console
See Delivery Services Console. giving users access to system objects based on their identity. Authentication confirms the identity of the user but does not impact the access rights of the user.
account authority
The platform-specific source of information about user accounts used by a XenApp server; for example, Windows NT domain, Active Directory domain, or Novell eDirectory.
authentication service
A service available on a server running Citrix Access Gateway that issues access tokens for connection requests for resources available through a server farm. These access tokens form the basis of authentication and authorization for users connecting through Access Gateway.
Advanced Access Control

A management component of Citrix SmartAccess that enables granular control over applications, files, web content and email attachments. It manages what can be accessed and which actions are permitted, based on the user's access scenario.
authorization
The process of granting or denying access to a network resource. Most computer security systems are based on a two-step process. The first stage is authentication, which confirms the identity of the user. The second stage is authorization, which allows the user access to various resources based on the users identity.
anonymous user
An unidentified user granted minimal access to a server or farm and its published applications.
auto-creation
See printer auto-creation.
anonymous user account

A user account defined on a XenApp server for access by anonymous users.
automatic reconnect
The feature that automatically reconnects users running the Citrix online plug-in to their sessions when the connections are dropped as a result of network issues.
application set
Users' view of the published resources to which they are permitted.
certificate
See digital certificate.
authentication
The process of identifying a user, usually based on a user name and password. In security systems, authentication is distinct from authorization, which is the process of
ciphersuite
When establishing an SSL/TLS connection, the client and server determine a common set of supported ciphersuites
(encryption/decryption algorithms) and then use the most secure one to encrypt the communications. These algorithms have differing advantages in terms of speed, encryption strength and exportability.
Citrix XML Service

A service that provides an HTTP interface to the web browser. It uses TCP packets instead of UDP, which allows connections to work across most firewalls. The default port for the Citrix XML Service is 80.

Formerly the XenApp Plug-in for Streamed Apps. The plug-in (formerly named the XenApp Plug-in for Streamed Apps) that provides streamed applications from an application profile on a network file server to the user desktop or XenApp server.
client COM port redirection

The feature that enables applications running on a server to access peripherals attached to COM ports on the client device.
Citrix Secure Access Plug-in

Citrix plug-in software used with Citrix Access Gateway to connect users to network resources.
client device
Any hardware device capable of running the plug-in software.
Citrix SSL Relay

A Citrix service that facilitates an SSL-secured connection between a XenApp server, the Web Interface or a Citrix plug-in.
client device mapping

The feature that enables published resources running on the server to access storage and peripherals attached to the local client device. Client device mapping consists of several distinct features: client drive mapping, client printer mapping, and client COM port mapping.
Citrix Streaming Profiler

A stand-alone application that enables administrators to prepare applications, browser plug-ins, files, folders and registry settings that can stream to the client device for execution.
client drive mapping

The feature that enables applications running on the server to access physical and logical drives configured on the client device.
Citrix Universal Printer

The Citrix Universal Printer is a device-independent printer object that represents all printers on the client device. The Citrix Universal Printer reduces the number of printer objects created during printer auto-creation at the beginning of sessions.
client printer mapping

The feature that enables applications running on the server to send output to printers configured on the client device.
Common Gateway Protocol Citrix Web Interface

The Web Interface provides users with access to published resources through the Citrix online plug-in or a standard web browser. A general-purpose tunneling protocol that provides connection reliability by allowing broken connections to be restored without affecting the tunneled protocols.
560
Configuration Logging
A feature that tracks administrative changes made to the server farm and logs them to a logging database from which reports can be generated. The Configuration Logging feature is available only with the Enterprise and Platinum Editions of XenApp.
CPU-intensive applications in the server farm do not degrade the performance of other applications.
custom administrator
An administrator who is subordinate to a full administrator. Custom administrators cannot set up other administrator accounts and have only a subset of the permissions that a full administrator has.
Configuration Logging database

A database that must be set up and configured to support the Configuration Logging feature. Information about administrative changes is stored in this database and the Delivery Services Console is used to view reports from this information.
data source name

The system data source name (DSN) stores information about how a plug-in can connect to a database. XenApp servers use a DSN file to access the data store.
connection control
The feature that allows administrators to set a limit on the number of connections that each user can have simultaneously in the farm. Administrators can also limit the number of concurrent connections to specified published applications and prevent users from launching more than one instance of the same published application.
data store
An Open Database Connectivity (ODBC)-compliant database that stores persistent data for a farm. Examples of persistent data include configuration information about published applications, users, printers, and servers. Each server farm has a single data store.
content publishing
This feature allows administrators to publish document files, media files, web URLs and any other type of file from any network location. Users can double-click published content icons to access content in the same way they access published applications.
delegated administration
The feature that allows administrators to delegate areas of administration and farm management to the IT staff. Administrators can assign specialized staff members to perform specific tasks such as managing printers, published applications or user policies. Specialized staff members can carry out their assigned tasks without being granted full management access to all areas of the farm.
content redirection
This feature allows administrators to specify whether plug-ins open published content, applications, browsers or media players locally or remotely. There are two types of content redirection: from server-to-client device and from client device-to-server.

Formerly known as the Access Management Console. The Delivery Services Console is a stand-alone snap-in to the Microsoft Management Console (MMC) that allows administrators to manage items in multiple server farms. Management functionality is provided through a number of management tools (extension snap-ins).
CPU prioritization
The feature that allows administrators to assign each published application in the server farm a priority level for CPU access. This feature can be used to ensure that
561
demilitarized zone (DMZ)

A network isolated from the trusted or secure network by a firewall. Network administrators often isolate public resources, such as web or email servers in the DMZ, to prevent an intruder from attacking the internal network.
Full administrators are the only ones who are allowed to create or modify other administrator accounts.
HDX 3D Image Acceleration

A feature that offers a trade-off between the quality of photographic image files as they appear on client devices and the amount of bandwidth the files consume on their way from the server to the client device.
digital certificate
A credential for a principal, such as a user or server. The certificate consists of the principals public key, a digital signature from a certificate authority and other information. The digital certificate is used to perform authentication of the principal cryptographically and to secure communications between the principal and another entity.
HDX 3D Progressive Display

A feature that improves interactivity when displaying high-detail images by temporarily increasing the level of compression (decreasing the quality) of such an image when it is first transmitted over a limited bandwidth connection, to provide a fast (but low quality) initial display.
disconnected session
A disconnected session occurs when the client device is no longer connected to the server, but the applications in the session continues to run on the server. A user can reconnect to a disconnected session. If the user does not do so within a specified time-out period, the server automatically terminates the session.
HDX MediaStream for Flash

A feature that can control and optimize the way XenApp passes Adobe Flash animations to users.
display name
A name specified during the application publishing process that is used to identify a published resource.
HDX MediaStream Multimedia Acceleration

A feature that can control and optimize the way XenApp passes streaming audio and video to users.
file type association

A method of associating file extensions with published resources. When a user double-clicks a file with one of the associated file extensions, the published resource opens.

A feature of XenApp that can run tests on servers that participate in load balancing to ensure that if one server experiences a problem, it does not interfere with the users ability to access published applications through another server. Citrix provides a standard set of tests; however, administrators can also develop tests using the Health Monitoring & Recovery SDK. Health Monitoring & Recovery is available only with the Enterprise and Platinum Editions of XenApp.
FQDN
Fully qualified domain name.
full administrator
An administrator who has full access to all the administrative functions and features of the server farm.
562
ICA (Independent Computing Architecture)

The architecture that XenApp uses to separate an application's logic from its user interface. With ICA, only virtual channel data such as keystrokes, mouse clicks and screen updates pass between the client device and server on the network, while 100% of the application's logic executes on the server.
An ICA session normally terminates when the user logs off from the server.
ICACLIENT.ADM
Group Policy Object template file used to configure the plug-in options and settings.
ICA Client Printer Configuration tool

The utility used to configure client printers for the plug-in for Windows CE. This utility is run in an ICA session from the client device.
IMA encryption
A feature of XenApp that allows the administrator to automatically encrypt sensitive information that is housed in the IMA data store.
ICA connection
The logical port used by a plug-in to connect to and start a session on a XenApp server. It is the active link established between a plug-in and a XenApp server.
Independent Management Architecture (IMA)

A server-to-server infrastructure that provides robust, secure and scalable tools for managing any size server farm. Among other features, IMA enables centralized platform-independent management, an ODBC-compliant data store and management products that plug into a management console.
ICA file
A text file (with the extension .ICA) containing information about an ICA connection. ICA files are written in Windows .INI file format and organize published application information in a standard way that plug-ins can interpret. When a plug-in receives an ICA file, it initializes a session running the application on the server specified in the file.
inter-isolation communication
A feature provided by the Streaming Profiler that allows individually profiled applications to communicate with each other when launched on the client device.
ICA protocol
The protocol that plug-ins use to format user input, such as keystrokes and mouse clicks, and address it to a server farm for processing. Server farms use it to format application output (display and audio) and return it to the client device.
isolation environment
A feature provided by the application streaming feature that allows published applications to run on the local client device without interfering with other applications running on the same device. An isolation environment is specific for the application and user session, regardless of whether the user streams to the local client device or virtualizes the streamed application from a server.
ICA session
A connection between a plug-in and a XenApp server, identified by a specific user ID and ICA connection. The session consists of the status of the connection, the server resources allocated to the user for the duration of the session and any applications executing during the session.
License Administration Console

A web-based tool that runs on the same server as the license server. The License Administration Console features help download license files from Citrix, copy license files to the license server and evaluate license usage.
563
license file
A digitally signed text-only file downloaded from MyCitrix.com that contains product licenses and information the license server requires to manage the licenses.
migrate
A process where an administrator manually moves a server farm from a legacy version of XenApp to a newer version of XenApp.
license server
A shared or dedicated server installed with licensing software and, optionally, the License Administration Console. This server responds to requests for licenses for Citrix products. A license server can be shared among farms and can host licenses for more than one product.
monitoring
The process of automatically checking the values of metrics on servers.
mouse click feedback

A feature that enables visual feedback for mouse clicks. When a user clicks the mouse, the plug-in software immediately changes the mouse pointer to an hourglass to show that the users input is being processed.
load management
A feature of XenApp that enables management of application loads. When a user launches a published application that is configured for load management, that user's session is established on the most lightly loaded server in the farm, based on criteria an administrator can configure.
network printer
A shared printer object accessed through a network print server.
local application
An application installed on a local client device.
Novell Directory Services (NDS) support

Support for NDS allows users in Novell network environments to log on using their NDS credentials to access applications and content published on XenApp servers.
local host cache

A subset of the server farm data store information. This file is present on all XenApp servers.
offline access local text echo

A feature that accelerates the display of text input on a client device to effectively shield users from experiencing latency on the network. The capability to configure users and streamed applications so that users can disconnect from the company network and continue to run the applications in offline mode for a specified length of time.
metric
One of a series of measurable items for a server or application. An administrator can select which metrics to monitor for a particular server.
pass-through authentication
A feature that passes the Windows logon information to the XenApp server so users can log on to sessions without reentering credentials.
564
pass-through client
A plug-in installed on a XenApp server that allows users of older clients to use a new plug-in to connect to published resources.
policies
Citrix policies are a method of controlling connection settings for groups of users, client devices, and servers. An administrator can use policies to apply select settings, known as rules, to connections filtered for access type, specific users, client devices, IP addresses or servers. For example, a policy can apply one set of rules to connections from client devices in company headquarters and another set of rules to connections from lender laptops provided to a roaming sales force.
determines where print jobs are processed and manages the scheduling of print jobs. The print spooler also determines if the printer prints each page as it receives it or if it waits until it receives all pages to print the print job. Typically, when a print job is spooled to a printer, the spooler loads the print job into a buffer. The printing device then retrieves the print jobs from the buffer when it is ready to print the job. By storing the job, the computer can perform other operations while the printing occurs in the background.
printer auto-creation
The term auto-creation refers to a process XenApp uses to add printers (printer objects) at the beginning of sessions. When a user starts a session, by default, printer objects are created automatically in the session based on the printers on the client device. When the user ends the session, these printers are deleted. This occurs so that printer objects are not stored locally on the client device. The way in which the printers are auto-created is based on printing policy settings.
print job
When a user prints a document, the data sent to the printer is known as a print job. Jobs are queued to the printer in a specific sequence, which the print spooler controls. When this sequence appears, it is known as the print queue.
printer driver
The software program that lets the computer communicate with the printing device. This program converts the information to be printed to a language that the printing device can process. The printer driver also understands the device and job settings of the printing device and presents a user interface for users to configure the settings. In a Windows system, printer drivers are distinct from the software representation of printers.
print queue
A sequential, prioritized list of the print jobs waiting to be printed. The spooler maintains this list for each printer object in the computer.
print server
A server that manages the communications between client devices and printers. In Citrix documentation, the term print server refers to dedicated computers that are running a Windows server operating system and hosting x number of shared printers. Print servers provide client devices with drivers they need to print and store files, or print jobs, in a print queue until the printer can print them. A print server is a remote print spooler.
printer driver mapping

The process of connecting inconsistently named printer drivers on the client device and server operating systems. For example, a printer driver on the client operating system named "HP LaserJet5 PostScript" and the same driver on the server operating system named "HP LaserJet 5 PS," can be mapped for XenApp to use the HP LaserJet 5 PS driver whenever it encounters the HP LaserJet5 PostScript driver.
print spooler
The spooler is a Windows service that manages printer objects, coordinates drivers, allows printer creation,
printers
Refers to the software representation of a printing device. Computers must store information about printers so they
565
can find and interact with printing devices. The printer icons in the Control Panel > Printers panel display the software representation of the printers, not the printer drivers. Printer object is also used to refer to the software representation of a printing device.
The main components are the agents, the server and an administration and reporting console.
schema
A description of a database to a database management system (DBMS) in the language provided by the DBMS. A DBMS handles requests for database actions and permits control of security and data integrity requirements.
printing device
In a XenApp printing context, the term printing device refers to the physical printer (that is, the hardware device to print jobs are sent.)
process
An instance of a program that is being executed.
seamless window
One of the settings available for the window size of a published application. If a published application runs in a seamless window, the user can take advantage of all the client platform's window management features, such as resizing and minimizing.
published application
An application installed on servers in a XenApp server farm that is configured for multi-user access from plug-ins.
Secure Gateway
A component that provides a secure, encrypted channel for ICA traffic over the Internet using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) between clients and the Secure Gateway. The Secure Gateway provides a single point of encryption and access to server farms.
published content
A document, media clip, graphic or other type of file or URL published for access by users. Published content is executed by local applications on client devices.
redirection
The term redirection refers to redirecting client device resources to server sessions so that published applications or desktops have access to them. Redirection is often used to describe the process by which users can access local hardware devices, such as printers, hard drives, special folders, COM ports, TWAIN scanners, smart cards and digital cameras.
Secure Sockets Layer/Transport Layer Security (SSL/TLS)

A standards-based architecture for encryption, authentication and message integrity. It is used to secure the communications between two computers across a public network, authenticate the two computers to each other based on a separate trusted authority, and ensure that the communications are not tampered with. See also ciphersuites.
Resource Manager
Resource Manager (powered by EdgeSight technology) is a resource management solution for Citrix XenApp, Enterprise Edition. It monitors user sessions and server performance in real time, allowing administrators to quickly analyze, resolve and proactively prevent problems.
Secure Ticket Authority (STA)

The STA is a ticketing mechanism that runs on each XenApp server in the server farm and issues session tickets for clients. These tickets form the basis of authentication and authorization for connections to a server farm.
566
server
A server on which XenApp software is running. An administrator can publish applications, content and desktops on these servers for remote access by plug-ins.
streaming application profile

A collection of configurations (targets) and a list of applications that users can execute. In addition, profiles include scripts and other settings that are used in streaming applications to client devices. Administrators create application profiles on a profiling system and make them available for publishing by saving them to a web server or network file share.
server farm
A group of servers running XenApp managed as a single entity with some form of physical connection and an IMA-based data store.
transform file
A database file that modifies an MSI package. The transform file modifies instructions about how the package is installed; for example, to enable an application to run in a Remote Desktop Services environment.
server group
A group of servers used for easier application deployment on target servers.
UAC session ID
A unique identifier for a specific ICA session on a XenApp server. User Access Control. A security feature of Windows Vista and Windows Server 2008.
unattended install session reliability

Session reliability keeps ICA sessions active and on the user's screen when network connectivity is interrupted. Users continue to see the application they are working in until network connectivity resumes. An installation type that does not require user intervention during software installations.
universal printer
See Citrix Universal Printer.
shadowing
A feature that enables an authorized user to remotely join or take control of another users session for diagnosis, training or technical support.
universal printer driver

A universal printer driver can be used as the driver for any printing device. Citrix provides several generic printer drivers, as well as an XPS-based Citrix Universal Printer Driver and a EMF-based Citrix Universal Printer Driver. Using a universal printer driver on farm servers can replace multiple native printer drivers and reduce driver maintenance.
SpeedScreen Latency Reduction

A combination of technologies implemented in ICA that decreases bandwidth consumption and total packets transmitted, resulting in reduced latency and consistent performance regardless of network connection.
universal printing
A term that refers to a printing solution which uses the Citrix universal printers.
567
upgrade
A process by which an administrator moves from one version of XenApp to another, newer version. The farm must be using an earlier version of Presentation Server, or XenApp, that is compatible with the upgrade path to the newest version; otherwise, the administrator must migrate the server farm. Often, the term upgrade denotes using an installation wizard to move to the newer version.
collector for the zone. Citrix recommends limiting the number of zones in a farm and using them only for different geographic sites across a WAN.
zone data collector

A server that stores dynamic data for one zone in a farm. Examples of dynamic data include current server load, the number of current user sessions, and the applications currently running in user sessions on a specified server.
zone
A logical grouping of XenApp servers. All servers in a zone communicate with the server designated as the data
568
Index
A
Access Gateway 37, 47, 118, 156, 193, 448, 454, 456, 460 Advanced Access Control 156, 193 communications 456 deployment scenarios 454 description 37 SmartAccess 460 VPX 47 Active Application Monitoring (AAM) 479 Active Directory 37, 49 group policy integration 37 Active Directory Federation Services (ADFS) 120 ActiveX control 176 activity library 489 administrative utility 49 administrators account permissions 96 creating 96 delegating 103 disabling accounts 98 folder permissions 101 permissions 100 Adobe Flash 352, 368 alert rule 488 anonymous logon 147 App-V support 37 application delivery troubleshooting issues 207 application isolation environment 224 application set 191 application streaming App-V 219 App-V integration 214 application caching 214 capabilities 214 central application updates 214 Citrix offline plug-in 220 components 216 configuring sites 253 Dazzle 246 delivery method 245 Differential synchronization of updated profiles 214 digital signature 232 dual mode streaming 214 enable user updates 223 force 327 inter-isolation communication 214 isolation environments 214 application streaming (continued) local system resource usage 214 offline access 214, 255 offline license 255 process 218 profile 222 Profiler 222, 223 installing 223 profiling process 222 Profiler 222 publishing 249 security settings 223 streaming to servers applications dual mode 248 online 248 troubleshooting 260 Windows Services isolation 214, 231 applications importance 200 publishing to worker groups 94 authentication explicit 148 Microsoft Windows domain 149 NIS (UNIX) 149 Novell Directory Services (NDS) 149 pass-through 148, 160 pass-through with smart card 160 smart card 148, 160 automation workflow 491
B
benefits 27, 349, 454, 502, 512, 515 Access Gateway 454 Citrix certification 27 Citrix training 27 Power and Capacity Management 515 Provisioning Services 512 SmartAuditor 502 Branch Optimization 509, 510 components 509 process 510
C
certificate Access Gateway requirements 458
certificate (continued) certificate authority (CA) 453, 457 root certificate 457 server certificate 457 Trusted Root Certification Authorities 458 certificate, course completion 30 Certification Manager 28 Citrix Access Gateway 448 Citrix Branch Repeater description 37 Citrix certification benefits 27 Citrix Dazzle 37, 379 description 37 Citrix EdgeSight description 37 Citrix ICA Listener Configuration (CtxICACfg.exe) tool 272 Citrix License Server 479 Citrix Merchandising Server 365, 377 Citrix offline plug-in 216, 220, 221, 225 application streaming 216, 220 cache CLIENTCACHE.EXE 221 installation 221 web browser 220 Citrix online plug-in 147, 216 application streaming 216 Citrix online plug-in for Mac 387, 388 installing 388 system requirements 387 Citrix online plug-in for Windows 385, 386 installing 386 system requirements 385 Citrix plug-ins 48, 382 Citrix Print Manager Service 396, 398 Citrix Profile management 364, 365, 366 Citrix Receiver 37, 375, 376, 377, 379, 391 Dazzle 379 description 37 for Macintosh 376 for Windows 375 Merchandising Server 377 requirements 375, 376 troubleshooting 391 Citrix Receiver for Linux 389, 390 installing 390 system requirements 390 Citrix resources 28 Citrix Single sign-on 149, 156, 505 Citrix SSL Relay 112 Citrix Streaming description 37 Citrix Streaming Profiler (Profiler) 216 Citrix Streaming Service 218 Citrix training benefits 27
Citrix Universal Printer 405, 425, 426 configuring 426 Citrix Universal Printer Driver 422 Citrix Web Interface Management console 124, 125, 126, 127, 128 Citrix XenApp Provider 48 Citrix XenDesktop 188 Citrix XenServer 519 Citrix XML Service 113, 161, 171, 172, 448, 451 Citrix XML traffic 454 Client audio redirection policy 345 Client Deployment option 146 client drive mapping 195 Client for Java 140, 141, 143, 388, 389 deploying 389 system requirements 389 client IP 250 client printing pathway 411, 413 command-line tool 495 commands CTXKEYTOOL 105 Get-CtxConfigurationLogReport 105 Common Gateway Protocol 342 compression Adobe Flash 352 images 357, 359, 360 lossy image compression 357, 360 multimedia 349, 350 concurrent user license 57 CONFIG.XML 122, 123, 124, 175 Configuration Logging 105, 106, 107 configuring 106 creating the database 105 database 105, 106 enabling 107 configuring administrative permissions 96, 98 Citrix Profile management 365, 366 Configuration Logging 105 Configuration Logging database 105, 106 display settings 339 folder permissions 101 HDX 3D Image Acceleration 357 HDX 3D Progressive Display 360 HDX Broadcast Session Reliability 342 HDX MediaStream for Flash 352 HDX MediaStream Multimedia Acceleration 350 HDX Plug-n-Play 347 HDX RealTime 344 SpeedScreen Latency Reduction 355 SSL Relay 453 Web Interface 464 worker groups 94 Connected Users screen 204 considerations HDX Broadcast Session Reliability 342
570
considerations (continued) HDX Plug-n-Play 348 HDX RealTime 345 content redirection client-to-server 194 file type association 194 server-to-client 194 course certificate, emailing 30 certificate, printing 30 certificate, saving 30 completion certificate 30 evaluation 30 materials 21 outline 23 prerequisites 22 survey 30 CPSVC.EXE 396, 398 CPU priority level 193 creating administrator account 96 configuration log report 105 Configuration Logging database 105 Ctx_cpsvcuser 398 CTXKEYTOOL 105 CTXXMLSS 112, 172
Direct access 165 direct connections 411 Directory Browsing 247 disabling IMA encryption 105 display settings 338, 339 enabling 339 DMZ 454 Domain field 151
E
EasyCall description 37 EasyCall voice services 507 components 507 process 507 EdgeSight 47, 58, 61 EdgeSight Script Host (RSSH) 482 emailing course certificate 30 enabling Configuration Logging 107 display settings 339 HDX 3D Image Acceleration 357 HDX 3D Progressive Display 360 HDX Broadcast Session Reliability 342 HDX MediaStream for Flash 352 HDX MediaStream Multimedia Acceleration 350 HDX Plug-n-Play 347 HDX RealTime 344 ICA Proxy mode 460 IMA encryption 105 SpeedScreen Latency Reduction 355 encryption 193 evaluating course 30 exam registration 28 Extended end-user experience monitoring (EUEM) 479
D
data collection 482 data collector 42, 45, 310, 312 description 42 election 45 data store 42, 43 data store database description 42 database Configuration Logging 105, 106 Microsoft SQL Server 105, 106 Oracle 105, 106 database size estimation tool 482 Dazzle 375, 377, 379, 380 Citrix Receiver 375 communications 380 Merchandising Server 377 delegating administrator accounts 103 delivering plug-ins 383 Delivery Services Console 48, 49, 105, 106, 189, 204, 205, 219, 220, 239, 411, 493, 495 published resource information 204 deploying Access Gateway 454 Client for Java 389 Desktop Delivery Controller 189
F
file share 247 file type association 194, 195 filtering policies worker groups 95 Flash acceleration 352 Flash server-side content fetching whitelist 352 Flash URL blacklist 352 folder redirection 364 folders 191
G
Get-CtxConfigurationLogReport 105
571
Group Policy Management Console 161, 172, 220, 365, 366, 411
H
HDX 3D Image Acceleration 357 enabling 357 HDX 3D Progressive Display 359, 360 enabling 360 HDX Broadcast Session Reliability 341, 342 considerations 342 enabling 342 proxy 342 HDX MediaStream for Flash 352 enabling 352 HDX MediaStream Multimedia Acceleration 349, 350 benefits 349 enabling 350 HDX Plug-n-Play 346, 347, 348 considerations 348 enabling 347 HDX RealTime 343, 344, 345 considerations 345 enabling 344 Health Assistant description 37 health monitoring and recovery 476 hosted application 203
installing (continued) Citrix Receiver for Linux 390 Profiler 223 inter-isolation communication 229 Internet Information Services (IIS) 454 isolation environment 222, 241
K
Kerberos 118
L
license 257 License Administration Console 42, 48 license monitoring 487 license server 42, 61, 65, 66, 68, 71, 72, 96 dedicated 66 description 42 shared 66 License Server Configuration tool 65 license upgrade 58 licensing components 56 linked profile 229, 230 load balancing 37, 45, 203 description 37 load balancing policies 324, 325 creating 325 Load Balancing policy 245 load evaluator 309, 312, 318, 320, 321, 322 Advanced load evaluator 318 assigning 322 Boolean 312 configuration 318 creating custom 320 Default load evaluator 318 Incremental 312 load throttling 312 Moving average 312 Moving average compared to high threshold 312 thresholds 321 Load Manager 47, 308, 309, 310, 312, 313, 314, 316, 329, 332 benefits 308 definition 308 load balancing process 310 load calculation 312 load evaluator 312 Preferential Load Balancing 329 troubleshooting 332 local host cache 44 Local Text Echo 355 local user profiles 363 lossy 357, 360
I
ICA encryption 451 ICA Client Printer Configuration tool 403 ICA Pass-through 345, 348 ICA session 194 ICACLIENT.ADM 158, 159 icons 191 IMA 44 service 44 images compression 357, 359, 360 HDX 3D Image Acceleration 357 HDX 3D Progressive Display 359 incremental method 316 Independent Management Architecture (IMA) 44 indirect permission 255 installation Citrix offline plug-in 221 Installation Manager description 37 installation prerequisites 77 installing Citrix online plug-in for Mac 388 Citrix online plug-in for Windows 386 Citrix Profile management 365
572
M
mandatory user profiles 363 manifest file 239, 247 Master File Table (MFT) 366 Merchandising Server 221, 375, 377, 378, 379, 391 architecture 378 Citrix Receiver 375 Dazzle 379 troubleshooting 391 MFCOM 49 Microsoft Active Directory Services 221 Application Virtualization for Remote Desktop Services 219 client access licenses (CALs) 58, 59 Desktop Optimization Pack (MDOP) 219 Development Network (MSDN) 219 MSI utility 65 System Center Configuration Manager 2007 221 Terminal Services 58, 59 Visual C++ 2008 Redistributable 65 Windows Server 2008 R2 58, 59 Microsoft Active Directory Federation Services 118 Microsoft Management Console (MMC) 48 Microsoft Office Communicator 343, 345 Office Communications Server 345 Microsoft SQL Server 43, 105, 106, 517 Microsoft SQL Server Reporting Services 517 Microsoft Windows domain authentication 149 Microsoft Windows user profile 363 MMC snap-in 517 Mouse Click Feedback 355 multimedia compression 349, 350 MyCitrix.com 68, 69
P
pass-through authentication 176 password 156 Pearson VUE 28 permissions administrator accounts 100 folder 101 plug-ins Citrix online plug-in for Mac 387 Citrix online plug-in for Windows 385 Citrix Receiver for Linux 389 Client for Java 388 delivery 383 supported 382 troubleshooting 391 policies application process 271 Citrix Group Policy Modeling wizard 303 evaluation 271 filtering 95, 301 GPUPDATE /FORCE 271 Group Policy architecture 269 Group Policy extensions 268 group policy ressults 303 IMA-based 267 load balancing 324 Microsoft Active Directory 266 Advanced Group Policy Manager (AGPM) 266 Group Policy engine 266 Group Policy Management Console (GPMC) 266 Group Policy Objects (GPOs) 266 modeling 303 precedence exceptions 274 priorities 274 processing and precedence 272 rules 276 shadowing and encryption settings 274 troubleshooting 303 policy 197, 406, 408, 426, 429, 431, 437, 439 auto-create client printers 406 Auto-create generic universal printer 426 default printer 431 printer properties retention 437 printing bandwidth 439 session printers 408, 429 universal driver 426 universal driver priority 426 Universal printing preview preference 426 ports 1494 342 2598 342 27000 62 389 378
N
native plug-in 140, 141, 143 Network Address Translation 163 Network Address Translation (NAT) 448 network file share 250 network printing pathway 411 NIS (UNIX) authentication 149 no-disconnected-sessions policy 136 Novell Directory Services (NDS) authentication 149
O
offline plug-in 256 online plug-in 191, 195, 341, 343 Operating System User Selector 256 Oracle 43, 105, 106
573
ports (continued) 443 112, 378, 453 7279 62 80 112 8082 62 Power and Capacity Management components 517 control modes 515 description 37 load consolidation 516 Power and Capacity Management farm 515 Power Management 516 power setpoints 517 workloads and profiles 515 power consumption 515 PowerShell SDK 493 Preferential Load Balancing 200 PRINTCFG.EXE 403 printer auto-creation 402, 404, 405, 406, 407 asynchronous 407 Citrix Universal Printer 405 client printer 405 controlling client printer 406 synchronous 407 driver installation 417 driver management 421 driver mapping 419 drivers 416 network printer provisioning 402 retained 403 user self-provisioning 402, 403 printer driver Citrix universal print driver 416 Citrix XPS Universal Printer Driver 422 native 416 OEM 416 printer type local 397 network 397 redirected client 397 printers default 431 network 429, 430 properties 437 printing bandwidth 439 Citrix universal printing 422 concepts 396 course certificate 30 Ctx_cpsvcuser 398 default behavior 400 definition Citrix Print Manager Service (CPSVC.EXE) 396 default printer 396 despooling 396
printing (continued) definition (continued) device settings 396 document settings 396 legacy printer names 396 network print server 396 print queue 396 printer driver 396 printer object 396 printing device 396 proximity printing 396 rendering 396 restored printers 396 retained printers 396 spooler 396 spooling 396 device settings 435 preferences 435, 436 print preview 424 printer initialization 193 security 398 troubleshooting 442 printing pathway client printing pathway 408, 412, 414, 415 network printing pathway 408, 409, 410 profile adding target 228 advanced install 233 creating 223 deleting target 228 linked 229 preference settings 232 properties 233 quick install 233 security settings 223 system requirements 232 profile directory 230 Profile management description 37 profile manifest file 225 Profiler 223 profiling known limits 238 Prohibit User Installs 141 Prometric 28 Provisioning Services 37, 512, 514 components 514 description 37 proximity printing 432, 434 configuring 434 proxy server 167 Publish Application Wizard 201 published resources appearance 202 application 183 content 183
574
published resources (continued) desktop 183 information 204 limits 200 organizing 191 publishing resources advanced configurations 182, 193, 202 assigning servers 185 assigning worker groups 185 basic configurations 182 command line 184 location 184 name 184 phases 182, 193 settings 186 streamed applications 249 user access 185, 186 worker groups 94 working directory 184
R
RADEDEPLOY.EXE 259 RADERUN utility 218 reallocating 66 registering exams, for 28 Remote Authentication Dial-in User Service (RADIUS) 153 Remote Desktop Connection (RDP) 140 resource allotment 329 Resource Manager 47 roaming user profiles 363
S
saving course certificate 30 Secure Gateway 163, 165, 166, 459 Secure Sockets Layer (SSL) 61 Secure Ticket Authority (STA) 456 SecureICA 448, 450 security Access Gateway 454 access to hosted applications 459 best practices 467 Citrix Access Gateway 448 ICA Proxy mode 460 SecureICA 448, 450 SmartAccess 460 SSL Relay 448, 451 troubleshooting 468 Web Interface 463 server farms 43, 46 mixed 46 multiple 43
server ranking 45 server-side ticketing 176 Service Control Manager 231 Service monitoring 487 session printers 429 session sharing 309, 329 settings display settings 339 HDX 3D Image Acceleration 357 HDX 3D Progressive Display 360 HDX Broadcast Session Reliability 342 HDX MediaStream for Flash 352 HDX MediaStream Multimedia Acceleration 350 HDX Plug-n-Play 347 HDX RealTime 344 SpeedScreen Latency Reduction 355 Web Interface 464 Single sign-on 37, 505, 506 authentication process 506 components 505 description 37 Smart Access description 37 SmartAccess 460 SmartAuditor 37, 502, 503, 504 components 503 description 37 recording process 504 SmoothRoaming 432 SpeedScreen Latency Reduction 355 enabling 355 SpeedScreen Latency Reduction Manager tool 355 SpeedScreen Latency Reduction Manager tool 355 SSL certificates 451 SSL Relay 448, 451, 452, 453, 454 communication 452 configuring 453 SSL VPN appliance 454 streamed application 225, 251 properties 251 streaming video 344 streaming application 256 streaming application profile 244 Suite Monitoring and Alerting (SMA) 479 survey, course 30
T
target adding to profile 228 criteria 225 definition 224 deleting 228 environment 223 multiple operating systems 228
575
target (continued) properties 239 upgrading applications 243 target directory structure 244 temporary user profiles 363 tracking certification progress 28 training resources 28 troubleshooting Adobe Flash 368 application delivery issues 207 application streaming 260 Citrix Receiver 391 load management 332 Merchandising Server 391 plug-ins 391 policies 303 printing 442 security 468 USB device 368 user experience 368 user profiles 368 Trust XML 161
W
WAN optimization 509 Web Interface 37, 42, 112, 161, 188, 221, 253, 254, 454, 463, 464 access methods 463 client routes 464 description 37, 42 ports 112 security 463 servers 42 settings 464 streaming applications 253 VM hosted apps 188 Web Interface Management console 117, 118, 122, 132, 138, 168, 169, 171, 172, 174, 175 Web Interface ticket 174 WEBINTERFACE.CONF 118, 124, 125, 175 white list 231 Windows Services isolation 231 worker group preference list 95 worker groups 42, 94, 95 description 42 filtering policies 95 prioritizing 95 publishing resources 94 worker group preference list 95 Workflow Studio activity library definition 489 description 37 job definition 489 overview 489 workflow automation 491 workflow definition 489 workspace control 135, 432
U
Universal Printer Driver Citrix Print Previewer 424 Enhanced MetaFile (EMF) 423, 424 URL embedded 197 USB devices 346, 347, 348, 368 user access anonymous accounts 185 configured accounts 185 User Access Control (UAC 238, 415 User Principal Name (UPN) 151 user profile security settings 232 user profiles 363, 364, 365, 366, 368 folder redirection 364 local 363 mandatory 363 Microsoft Windows user profile 363 Profile management 364, 365, 366 roaming 363 temporary 363
X
XenApp components 42 features 37 installing 43 primary architectural components 41 servers 42 XenApp Server Roles Manager 116 XenApp Services site 119, 121, 131, 148, 150, 157, 158, 159, 169, 253 authentication 148, 150, 157, 158, 159 explicit 150, 157 pass-through 158 smart card 159 session preferences 131 streaming applications 253 XenApp session display settings 338, 339 HDX 3D Image Acceleration 357
V
video conferencing 344 Virtual Desktop Agent 189 VM hosted apps 37, 188, 189 components 189 description 37 VM Hosted Apps Console 189
576
XenApp session (continued) HDX 3D Progressive Display 359 HDX Broadcast Session Reliability 341 HDX MediaStream for Flash 352 HDX MediaStream Multimedia Acceleration 349 HDX Plug-n-Play 346 HDX RealTime 343 passwords 505 recording 502, 504 SpeedScreen Latency Reduction 355 USB devices 346, 347 user profiles 363, 364, 365, 366 XenApp Web site 121, 131, 133, 146, 148, 150, 157, 158, 159, 169 authentication 148, 150, 157, 158, 159 explicit 150, 157 pass-through 158
XenApp Web site (continued) authentication (continued) smart card 159 client deployment 146 session preferences 131 XenServer 519 components 519
Z
zone 45 zones 42, 45, 46, 47 default 47 description 42 optimal configuration 47 sharing data across 47
577
851 West Cypress Creek Road Fort Lauderdale Florida 33309 USA | (954) 267 3000 | www.citrix.com Rheinweg 9 8200 Schaffhausen Switzerland | +41 (0) 52 63577 00 | www.citrix.com
Copyright 2010 Citrix Systems, Inc. All rights reserved.
578
The following label contains the voucher code needed to access the online student resources.

XenApp 6.0 - Student Manual

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

XenApp 6.0 - Student Manual

Uploaded by

Copyright:

Available Formats

Basic Administration for Citrix XenApp 6

Citrix Course CXA-204-1I June 2010

Module 2: Introducing XenApp.......................................................33

Module 3: Licensing XenApp..........................................................53

Module 4: Installing XenApp...........................................................75

Module 5: Configuring XenApp Administration............................91

Module 6: Installing and Configuring Web Interface..................109

Copyright 2010 Citrix Systems, Inc.

Module 7: Delivering Applications and Content.........................179

Copyright 2010 Citrix Systems, Inc.

Module 8: Streaming Applications...............................................211

Copyright 2010 Citrix Systems, Inc.

Module 9: Configuring Policies....................................................263

Module 10: Configuring Load Management...............................305

Module 11: Optimizing the User Experience...............................335

Copyright 2010 Citrix Systems, Inc.

Module 12: Configuring Self-Service Applications.....................371

Copyright 2010 Citrix Systems, Inc.

Module 13: Configuring Printing..................................................393

Module 14: Securing XenApp.......................................................445

Copyright 2010 Citrix Systems, Inc.

Module 15: Monitoring..................................................................473

Module 16: Additional Components............................................499

Copyright 2010 Citrix Systems, Inc.

XenServer Components............................................................................................................519 Review..........................................................................................................................................520

Appendix A: Review Questions and Answers.............................521

Appendix B: Practice Questions and Answers...........................545

Copyright 2010 Citrix Systems, Inc.

The Important icon identifies prerequisite information for a given task.

Introduction and Course Overview

Module 1: Introduction and Course Overview

Copyright 2010 Citrix Systems, Inc.

Restroom and phone locations

Break and lunch schedules

Copyright 2010 Citrix Systems, Inc.

Module 1: Introduction and Course Overview

Module 1: Introduction and Course Overview

Copyright 2010 Citrix Systems, Inc.

Module 3: Licensing XenApp

Copyright 2010 Citrix Systems, Inc.

Module 1: Introduction and Course Overview

Module 8: Streaming Applications

Module 1: Introduction and Course Overview

Copyright 2010 Citrix Systems, Inc.

Module 10: Configuring Load Management

Copyright 2010 Citrix Systems, Inc.

Module 1: Introduction and Course Overview

Module 1: Introduction and Course Overview

Copyright 2010 Citrix Systems, Inc.

Citrix Certification Benefits

Copyright 2010 Citrix Systems, Inc.

Module 1: Introduction and Course Overview

Module 1: Introduction and Course Overview

Copyright 2010 Citrix Systems, Inc.

Resource Citrix eDocs

Copyright 2010 Citrix Systems, Inc.

Module 1: Introduction and Course Overview

Course Evaluation and Completion Certificate

Course Completion Certificate

Module 1: Introduction and Course Overview

Copyright 2010 Citrix Systems, Inc.

Copyright 2010 Citrix Systems, Inc.