Table of Contents
Module 1: Introduction and Course Overview .......... 19
    Overview .......... 21
    Course Outline .......... 23
    Citrix Education .......... 27
    Course Evaluation and Completion Certificate .......... 30

    High Availability Considerations .......... 71
        Additional License Server Processes .......... 71
        License Server Clustering .......... 72
    Review .......... 73

        Site Creation Considerations .......... 118
        XenApp Web Site Configuration Options .......... 119
        XenApp Services Site Configuration .......... 122
    Web Interface Site Modification .......... 124
        Modifying the Web Interface Configuration File .......... 124
        Using the Web Interface Management Console .......... 125
    Specifying Citrix Plug-in Backup URLs .......... 126
    Site Appearance .......... 127
        Site Customization Options .......... 128
        Practice: Site Customization .......... 129
        Session Preferences .......... 130
        Session Options .......... 131
        User Options .......... 133
    Workspace Control .......... 135
        Workspace Control Functionality .......... 135
        Workspace Control Configuration Options .......... 136
        Workspace Control User Customization .......... 137
        Configuring Workspace Control .......... 138
    Citrix Plug-ins and Web Interface .......... 140
        Plug-in Deployment Options .......... 140
        Automatically Detecting Plug-ins .......... 141
        Client Detection .......... 141
        Client for Java .......... 145
    Authentication Configuration .......... 147
        Authentication Options .......... 148
        Generic RADIUS Support .......... 149
        Explicit Authentication .......... 149
        Pass-through Authentication .......... 157
        Smart Card Authentication .......... 159
        Citrix XML Service Trust Relationships .......... 160
        Practice: Authentication Configuration .......... 161
    Secure Access Configuration .......... 163
        Access Methods .......... 163
        Network Address Translation .......... 165
        Network Address Translation Access Types .......... 166
    Client-side Proxy Settings .......... 167
        Configuring Client-side Proxy Settings .......... 168
    Server Configuration .......... 169
        Configuring Multiple Server Farms .......... 169
        Adding Farms .......... 170
        Configuring Load Balancing .......... 171
        Enabling Fault Tolerance .......... 172
        Specifying the XML Communication Port .......... 172
        Ticket Expiration Settings .......... 174
    Web Interface Site Removal .......... 175
    Troubleshooting Web Interface Issues .......... 176
    Review .......... 177

    Publishing Resources .......... 182
        Published Resource Types .......... 183
        Resource Name and Location .......... 184
        Server Assignment .......... 185
        Configured or Anonymous Accounts .......... 185
        Users and Groups .......... 186
        Resource Publishing Settings .......... 186
        Practice: Publishing Resources .......... 187
    VM Hosted Apps .......... 188
        Components of VM Hosted Apps .......... 189
    Organizing Published Resources for Users .......... 191
    Advanced Published Resource Settings .......... 193
        Access Control .......... 193
        Content Redirection .......... 194
        Implementing Resource Limits and Client Options .......... 200
        Configuring Resource Appearance .......... 202
    Published Resource Configuration .......... 204
        Managing Connections to Resources .......... 204
        Disabling or Hiding a Published Resource .......... 205
    Troubleshooting Application Delivery Issues .......... 207
    Review .......... 208

        Specifying an Alternate Profile for a Published Application .......... 250
        Enabling the Least-Privileged User Account .......... 251
    Configuring Sites for Streaming Applications .......... 253
        Support for Both Remote and Streaming Applications .......... 254
    Offline Access Management .......... 255
        Indirect Membership to the Offline Access List .......... 255
        Providing Offline Access .......... 256
        Offline Access Period .......... 257
        Renewing Offline Access Period .......... 257
        Application Caching .......... 258
        Pre-Deployment of Streaming Applications .......... 259
    Troubleshooting Streaming Issues .......... 260
    Review .......... 261

    Optimizing Session Performance .......... 338
        Enabling Display Settings .......... 339
    HDX Broadcast Session Reliability .......... 341
        Enabling HDX Broadcast Session Reliability .......... 341
        Understanding HDX Broadcast Session Reliability Considerations .......... 342
    HDX RealTime .......... 343
        Enabling HDX RealTime .......... 344
        Understanding HDX RealTime Design Considerations .......... 345
    HDX Plug-n-Play .......... 346
        Enabling HDX Plug-n-Play .......... 347
        Understanding HDX Plug-n-Play Design Considerations .......... 348
    HDX MediaStream Multimedia Acceleration .......... 349
        HDX MediaStream Multimedia Acceleration Benefits .......... 349
        Enabling HDX MediaStream Multimedia Acceleration .......... 350
    HDX MediaStream for Flash .......... 352
        Enabling HDX MediaStream for Flash .......... 352
    SpeedScreen Latency Reduction .......... 355
        Enabling SpeedScreen Latency Reduction .......... 355
    HDX 3D Image Acceleration .......... 357
        Enabling HDX 3D Image Acceleration .......... 357
    HDX 3D Progressive Display .......... 359
        Enabling HDX 3D Progressive Display .......... 360
    Practice: Determining the Session Optimization Technology .......... 362
    User Profiles .......... 363
        Differentiating User Profile Types .......... 363
        Redirecting User Data .......... 364
        Managing User Profiles .......... 364
        Enabling Profile Management .......... 365
        Understanding the Profile Management Logon Process .......... 366
    Troubleshooting User Experience Issues .......... 368
    Review .......... 369

        Securing Access to Hosted Applications .......... 459
        SmartAccess .......... 460
    Practice: Security Solutions .......... 462
    Web Interface Configuration .......... 463
        Access Methods .......... 463
        Access Gateway Settings .......... 464
        Configuring Web Interface for Access Gateway Connections .......... 465
    Security Configuration Best Practices .......... 467
    Troubleshooting Access Gateway with XenApp .......... 468
    Review .......... 471

Glossary .......... 559
Notices
Citrix Systems, Inc. (Citrix) makes no representations or warranties with respect to the content or use of this publication. Citrix specifically disclaims any expressed or implied warranties, merchantability or fitness for any particular purpose. Citrix reserves the right to make any changes in specifications and other information contained in this publication without prior notice and without obligation to notify any person or entity of such revisions or changes.
Copyright 2010 Citrix Systems, Inc. All Rights Reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or information storage and retrieval systems, for any purpose other than the purchaser's personal use, without express written permission of:

Citrix Systems, Inc.
851 West Cypress Creek Road
Fort Lauderdale, FL 33309 USA
http://www.citrix.com

The following marks are service marks, trademarks or registered trademarks of their respective owners in the United States and other countries.

Mark                                                  Owner
Flash, Flex, Reader                                   Adobe Systems Incorporated
Apple, iPhone, Mac                                    Apple, Inc.
Avaya                                                 Avaya, Inc.
Bloomberg                                             Bloomberg Finance L.P.
Cisco                                                 Cisco Systems, Inc.
Branch Repeater, Citrix, Citrix Access Gateway,       Citrix Systems, Inc.
  Citrix Application Firewall, Citrix Authorized
  Learning Center, Citrix Certified Administrator,
  Citrix Certified Enterprise Administrator,
  Citrix Certified Integration Architect,
  Citrix EasyCall, Citrix Education, Citrix Receiver,
  Dazzle, EdgeSight, FlexCast, HDX, ICA, NetScaler,
  MyCitrix, WANScaler, XenApp, XenDesktop
Android                                               Google
Linux                                                 Linus Torvalds
Active Directory, Internet Explorer, Microsoft,       Microsoft Corporation
  Microsoft Internet Explorer, SQL Server, Windows,
  Windows Mobile, Windows Server, Win32, Access,
  Excel, InfoPath, OneNote, Outlook, PowerPoint,
  Project, Publisher, Visio
Firefox                                               Mozilla Corporation
UNIX                                                  The Open Group
Oracle                                                Oracle Corporation
Pearson VUE                                           Pearson Education, Inc.
Blackberry                                            Research In Motion Limited
Skype                                                 Skype Limited
Java                                                  Sun Microsystems, Inc.
Other product and company names mentioned herein might be the service marks, trademarks or registered trademarks of their respective owners in the United States and other countries.
Course Conventions
This courseware uses the following typographic conventions to emphasize information.

Convention: UPPERCASE
Usage:
- Commands such as DIR and COPY
- Filename extensions such as .COM and .INI
- Drive letters such as A: and C:
- Case-sensitive items are the only exception to the usage listed.

Convention: lowercase
Usage:
- Command line parameters such as /w and -r
- URL addresses such as http://finance.yahoo.com
- Internet addresses such as www.citrix.com
- Domain names such as education.ctx
- Email addresses such as training@citrix.com
- Case-sensitive items are the only exception to the usage listed.

Convention: Bold Initial Capitalization
Usage:
- Words or terms that are defined
- Interface items that are selected, deselected, clicked, double-clicked or right-clicked, such as options and menu items in lab exercises
- Case-sensitive items are the only exception to the usage listed.

Convention: ITALIC UPPERCASE
Usage:
- A variable in a system name such as XenAppX and ClientX
- A variable in a user name such as UserX and AdminX

Convention: italic lowercase
Usage:
- Variable drive letters such as z: and x:
- Variable directory names such as %systemroot% and dir_name
- Case-sensitive items are the only exception to the usage listed.
This courseware uses the following icons. The Note icon identifies additional relevant information.
The Tip icon identifies information that can save time and effort.
The Warning icon identifies information that must be heeded in order to prevent harm to systems or users.

The following table provides a list of updated Citrix product and component names used throughout the course.

New Name                          Old Name
Delivery Services Console         Access Management Console
License Administration Console    License Management Console
Citrix online plug-in             Citrix XenApp Plugin for Hosted Apps
Citrix offline plug-in            Citrix XenApp Plugin for Streamed Apps
Credits
Instructional Designers: Jeremy Boehl, Ben Colborn, Lydia Kellman, George Komoto, Brad Moczik, Meghan Myers, Adam Pallesen, Karla Stagray
Lab Developer: Andrew Garfield
Education Media Specialists: Joshua Jack, Nathan Jackson
Education Project Manager: Leah Thompson
Editor: Kathryn Morris
Subject Matter Experts: Neil Alhadeff, Jenny Berger, Rob Blincoe, Ronald Brown, Blaise Cacciola, Victor Cataluna, Dave Coleman, Michael Delaguardia, Dan Feller, Jo Harder, Ann Harmison, James Hsu, Mark Ma, Abhishek Mandhana, Mike Melton, Robert Morris, Sridhar Mullapudi, Joseph Nord, Jan Penovich, Elisabeth Reynolds, Daniel Romig, Andrea Rutherford, Stacy Scott, Mark Simmons, Lenny Soletti, Wayne Stillson, Jay Tomlin, Danny Van Dam, Sharin Yeoh, Andy Zhu
Special Thanks: Rob Blincoe, James Hsu, Mark Simmons
Module 1
Overview
This module provides you with an opportunity to become familiar with the facilities, course materials, Citrix offerings and to meet your fellow students.
Facilities
Use the following space to document details about the facilities, classroom policies and contact information:

Parking

Class policies

Emergency information
Course Materials
The following materials are included with your student kit:

- Name card. Write your name on both sides of the name card so students in front of and behind you will know who you are.
- Student workbook and lab guide. Use the student workbook and lab guide to follow along with the instructor, to document notes and to perform the lab exercises during the class. After the class, take the courseware with you.
- Reference materials. Do not remove reference materials, such as product documentation, from the classroom. These materials are for classroom use only.
- Online Student Resources. Access these resources after the class. The courseware includes an eLearning voucher code for accessing the Online Student Resources, which contain materials such as answers to review and practice questions and the slide deck from the manual. For information on accessing the Online Student Resources, see the letter at the back of this book.
Course Prerequisites
To complete this course successfully, you must have the following knowledge:

- Working knowledge of Microsoft Windows Server 2008 with Terminal Services or Microsoft Windows Server 2008 R2 with Remote Desktop Services
- Basic knowledge of installing applications
- Basic network security principles
Student Introductions
When asked by the instructor, introduce yourself to the class. Include the following information in your introduction:

- Name and company
- Job title and responsibility
- Networking experience
- Citrix experience
- Class expectations
Course Outline
Day One
The following table provides an overview of the agenda for the first day of class.

Module 1: Introduction and Course Overview
    Provides essential introductory information regarding course materials, prerequisite experience, course content, courseware exercises, Citrix information and the course evaluation and completion certificate.

Module 2: Introducing XenApp
    Provides an introduction to Citrix XenApp. By the end of this module, you will be able to identify the components included in Citrix XenApp 6, its architecture and communications, features and management consoles.

Module 3
    Provides information and requirements about licensing Citrix XenApp. By the end of this module, you will be able to configure Citrix licensing for XenApp 6 in a Windows Server 2008 R2 environment.

Module 4: Installing XenApp
    Provides information about the Citrix XenApp hardware and software requirements and the decisions an administrator must make when installing XenApp. By the end of this module, you will be able to install XenApp in a Windows Server 2008 R2 environment.

Module 5: Configuring XenApp Administration
    Provides information about configuring administrator accounts for the management of a XenApp 6 environment. By the end of this module, you will be able to add administrators to a server farm, delegate administration through folders and permissions and enable and test configuration logging. This module concludes on Day Two.
Day Two
The following table provides an overview of the agenda for the second day of class.

Module 6: Installing and Configuring Web Interface
    Provides information about the Web Interface architecture and communications, site creation and customization. By the end of this module, you will be able to create Web Interface sites, customize the site appearance, workspace control settings, authentication methods and server settings, and remove a Web Interface site.

Module 7: Delivering Applications and Content
    Provides information about publishing, customizing and managing resources in a server farm. By the end of this module, you will be able to publish applications, content and server desktops, configure content redirection and manage sessions.

Module 8
    Provides information about streaming applications, including creating profiles, target requirements, as well as publishing, updating and troubleshooting streamed applications. By the end of this module, you will be able to install the Streaming Profiler and create a streaming profile for single and multiple target operating systems, link profiles for inter-isolation communication and publish an App-V application. This module concludes on Day Three.
Day Three
The following table provides an overview of the agenda for the third day of class.

Module 9: Configuring Policies
    Provides information on the functionality of policies, how and when to configure policies and the results of implementing policies in a XenApp 6 environment. By the end of this module, you will be able to identify the policy rules, configure policies, apply policies using filters, prioritize policies and create a shadow policy.

Module 10
    Provides information on the administrative processes for managing server load in a XenApp 6.0 environment. By the end of this module, you will be able to create and assign load evaluators, assign CPU resource preference to servers and users and configure session connection failover by using load balancing policies.
Day Four
The following table provides an overview of the agenda for the fourth day of class.

Module 11: Optimizing the User Experience
    Provides information on optimizations that XenApp administrators can perform to optimize the user experience in a XenApp 6.0 environment. By the end of this module, you will be able to configure various components that optimize the user experience, including display and HDX technology settings.

Module 12: Configuring Self-Service Applications
    Provides information about the various plug-ins and the methods used to install and configure them, including enabling self-service application delivery. By the end of this module, you will be able to install the Citrix Receiver and Citrix plug-ins on a client device, and configure self-service application delivery.

Module 13: Configuring Printing
    Provides information on configuring printers for use in XenApp sessions. By the end of this module, you will be able to install and manage printer drivers, configure printing policies and assign network printers to users.
Day Five
The following table provides an overview of the agenda for the fifth day of class.

Module 14: Securing XenApp
    Provides information on configuring a security solution for XenApp 6, including avoiding or resolving common security configuration missteps. By the end of this module, you will be able to secure XenApp using SSL Relay and Citrix Access Gateway, and identify the components of a comprehensive XenApp security solution.

Module 15: Monitoring XenApp
    Provides information on monitoring XenApp license usage over time. By the end of this module, you will be able to track the usage of XenApp licenses.

Module 16: Additional Components
    Provides information on additional Citrix components that can be implemented as part of XenApp Platinum Edition and other Citrix products that can be used in conjunction with XenApp. By the end of this module, you will be able to identify the key features of SmartAuditor, Single sign-on, EasyCall, Branch Optimization, Provisioning Services, Power and Capacity Management and XenServer.
Citrix Education
Citrix Training Benefits
Available as instructor-led training, 24/7 self-paced online training or a combination of both, Citrix training courses provide you with the knowledge you need to exceed your business goals.

Benefits to organizations include:

- Maximum Return on Investment (ROI) for Citrix products through proper implementation and support
- Improved reliability and efficiency of Citrix environments while decreasing downtime
- Increased expertise of in-house staff, reducing implementation and support costs as more problems can be resolved faster by internal staff
- Greater employee job satisfaction, leading to higher levels of customer satisfaction

Benefits to IT professionals include:

- Tools and knowledge that can be directly applied on the job to optimize and maintain Citrix environments
- Enhanced credibility by keeping skills and knowledge current with advances in technology
- Improved work performance, which increases employee value

Citrix training is essential for your organization to ensure successful product implementation and maintenance. Visit www.citrixeducation.com and navigate to the Training section to explore the current Citrix training offerings.
- Competitive business advantage with staff that is trained and certified on a regular basis

Benefits to IT professionals include:

- Demonstrated competency in Citrix products to employers and clients
- The most current skills and knowledge necessary to do your job
- Enhanced marketability and competitive edge by possessing a recognized and respected IT credential

Investing in Citrix certification will help organizations and IT professionals realize their business goals. Get started now by visiting the Certification section of the www.citrixeducation.com web site.
Key Resources
To obtain detailed and up-to-date information on Citrix instructor-led training (ILT), self-paced online training, exams and certifications, visit the www.citrixeducation.com web site.
Resource - Description
Instructor-led Training (ILT) courses - To view course descriptions, or to search schedules and register for additional ILT courses in your area, including customized training, visit the Training section of the www.citrixeducation.com web site. You may also contact your Citrix Authorized Learning Center (CALC) representative.
Self-paced Online Training Courses - To search, view course descriptions and register for self-paced online training courses, visit the Training section of the www.citrixeducation.com web site.
Exams - To download Exam enablement guides, visit the Exam section of the www.citrixeducation.com web site. To register for Citrix exams administered by Pearson VUE, contact the provider directly: Pearson VUE, Web: www.pearsonvue.com, Telephone: 1-800-931-4084 (Americas). For a list of phone numbers by region, visit the http://vue.com/citrix/contact web site.
Certification Manager - To track your certification progress and publish your Citrix credentials, visit the www.citrixcertmanager.com web site.
The following table lists additional resources.
Resource - Description
Product documentation - To access product documentation, visit the support.citrix.com/proddocs/index.jsp web site. The site provides access to product documentation along with links to the Citrix Knowledge Center, Citrix communities, blogs and forums.
Citrix Community - To access Citrix blogs, labs, partner communities, the Citrix Developer Network, Support Forums and more, visit the community.citrix.com web site.
Citrix TV - To view a wide variety of videos that address Citrix products and technology, visit the www.citrix.com/tv web site.
properly. If you elect to email the course completion certificate, click the Back button from the email page to return to the certificate and select an alternative method. If your classroom is not equipped with a printer, we strongly recommend that you email or save to HTML. You will not be able to re-access your course completion certificate after you close the page.
Module 2
Introducing XenApp
Overview
Citrix XenApp 6 for Windows Server 2008 R2 is an on-demand application delivery solution that enables any application to be virtualized, centralized and managed in the datacenter and instantly delivered as a service to users anywhere on any device. XenApp reduces the cost of application management by up to 50 percent, increases IT responsiveness when delivering an application to distributed users and improves application and data security. XenApp also enables IT to centrally manage a single instance of each application and virtualize them for delivery to users for online and offline use, while providing a high definition experience.
At the end of this module, you will be able to:
Identify the features of XenApp.
Identify the basic architecture of XenApp and the server farm components.
Identify the functionality provided by the Delivery Services Console.
XenApp 6 Editions
Citrix XenApp 6 is available in three editions:
Advanced Edition - Provides the fundamental functionality for delivering applications to client devices in very basic environments
Enterprise Edition - Contains all of the features of Advanced Edition and adds capabilities that help manage more complex user and application environments
Platinum Edition - Contains all of the features of Enterprise Edition and adds capabilities that enhance security and performance management
Platinum Edition provides a comprehensive, end-to-end application delivery system for instantly providing any application to any user, on any device, over any network.
XenApp 6 Features
XenApp 6 contains a robust set of features that provides administrators and users with the best functionality possible for an end-to-end application delivery solution. For a comprehensive list of all features, see the www.citrix.com web site. Features are covered in more depth throughout the course. The features in the following table are available in all editions of XenApp.
Feature - Description
Citrix Receiver - Provides a single client interface that automatically installs on and configures client devices to access applications and resources meant specifically for authenticated users. For more information on Receiver, see the "Configuring Self-Service Applications" module of this course.
Citrix Dazzle - Allows users to define a list of favorite or frequently used applications for fast access. IT can configure featured applications for easy access to mission-critical programs. Users can also subscribe to the application required for work using a simple drag and drop interface. For more information on Dazzle, see the "Configuring Self-Service Applications" module of this course.
Citrix Streaming - Streams and runs multiple online and offline applications and integrated Windows services on Windows desktops in an isolated environment without system conflicts. For more information on Citrix Streaming, see the "Streaming Applications" module of this course.
Support for Microsoft App-V - Delivers applications to Windows devices for offline access with Microsoft App-V application virtualization technology
Active Directory Group Policy Integration - Enables IT to configure application availability and delivery using familiar Active Directory Group Policies and Local Group Policies. This enables fine-level control of applications and allows for easy control of thousands of applications delivered to thousands of users on thousands of servers. For more information, see the "Configuring Policies" module of this course.
Web Interface - Provides a browser-based interface for accessing applications and offers built-in support for two-factor authentication, simple customization through the management console and multilingual support. Integration with most third-party portals is seamless. For more information on Web Interface, see the "Installing and Configuring Web Interface" module of this course.
HDX - Delivers a high performance, high definition user experience through virtualized applications, even those that are graphic-rich and contain multimedia content. Users have a seamless experience with zero downtime and higher overall productivity. For more information on specific HDX features, see the www.citrix.com web site and the "Optimizing the User Experience" module of this course.
Uses the corporate telephony system instead of a personal phone to initiate calls from anywhere, and includes call redirection, conference calling, and helpdesk support features
Workflow Studio - Uses visual scripting to help automate common IT tasks and orchestrate the collaborative function of Citrix XenApp, XenDesktop, XenServer and NetScaler. For more information on Workflow Studio scripts, see the support.citrix.com web site.
The features in the following table are only available in the Enterprise and Platinum Editions of XenApp.
Feature - Description
VM hosted applications - Allows applications to run on a centralized Windows XP, Vista and Windows 7 virtual or physical system (32 or 64-bit) in the datacenter. Session virtualization technology remotely displays the applications to users' desktops and devices, while screen updates, keystrokes and mouse clicks traverse the network.
Installation Manager - Enables IT to automatically and remotely install applications across multiple servers simultaneously
Profile management - Auto-detects and stores modified profile settings, prevents unintentional overwriting, and loads user profile settings on-demand. Administrators can specify rules for downloading and caching large profile components to reduce logon time and accelerate application access. For additional profile management information, see the www.citrix.com web site and the "Optimizing the User Experience" module in this course.
Allows for creation of system policies that manage server power consumption and optimize server capacity. Automatically brings capacity online to maintain expected user performance and access and retires capacity when it is no longer needed.
Performs continuous server health checks and automatically initiates recovery procedures, minimizing the need for administrator intervention
The features in the following table are only available in the Platinum Edition of XenApp.
Feature - Description
Provisioning Services - Allows administrators to virtualize the entire XenApp farm of application hosting servers, both physical and virtual, from a single, standardized server image. For more information on Provisioning Services, see the "Additional Components" module of this course.
SmartAccess with Citrix Access Gateway - Provides granular access control policies and integrated endpoint analysis for users accessing applications using an SSL VPN. Administrators have a single point of access control for all applications and resources, not just XenApp traffic.
HDX Broadcast Branch Optimization - Powered by Citrix Branch Repeater, automatically adapts and tunes WAN communications, TCP flow and data compression for optimal performance. For more information on Citrix Branch Repeater and HDX Broadcast Branch Optimization, see the www.citrix.com web site.
Service Monitoring with Citrix EdgeSight - Enables IT to quickly pinpoint and troubleshoot server, network and application performance issues that impact the user experience
Enables administrators to prioritize a user, group and application based on pre-established requirements. Ensures sessions are properly balanced to provide an enhanced user experience
Secures application logons and enhances the security of all password-protected Windows, web and terminal emulator applications. Additional functionality exists for managing password policies, auto-application password change and self-service reset.
SmartAuditor - Provides powerful application session recording for improving regulatory compliance, risk mitigation and accelerated problem resolution
XenApp Architecture
A XenApp server farm is a logical group of servers that can be managed as a single entity. Applications can be made available by installing or streaming them to a server or client device. The primary architectural components of a XenApp server farm are:
XenApp servers
Data collector
Data store database
License server
Web Interface servers
Worker groups
Zones
XenApp Components
XenApp 6 is composed of several components. The primary architectural components include the following:
XenApp servers - XenApp servers deliver online and offline (hosted and streamed) applications on demand.
Data collector - Data collectors keep track of dynamic data in a zone, such as session and server load information. In farms with more than one zone, data collectors also act as communication gateways between the zones.
Data store database - The data store database is a repository of persistent XenApp server farm information, including configuration data for the farm, published applications, servers, administrators and printers.
License server - The license server checks out licenses to XenApp, which places the request on behalf of connecting users. The License Administration Console is a browser-based utility that allows administrators to manage licenses.
Web Interface - Web Interface provides users access to resources published in one or more server farms through a web browser or the Citrix online plug-in. An administrator can configure the Web Interface to download plug-in software to client devices and perform user authentication checks using RSA SecurID, RADIUS or Secure Computing SafeWord.
Worker groups - Worker groups, which consist of servers or domain OUs, allow multiple servers to be grouped together to ease administration. They provide the ability to manage published applications and policies on multiple servers at the same time. XenApp servers added to a worker group automatically inherit the group settings.
Zones - Zones can enhance performance in farms distributed across WANs by grouping geographically related servers together. Zones collect data from member servers in a hierarchical structure and efficiently distribute changes to all servers in the farm. Each zone contains a server designated as the data collector.
Multiple Farms
Each farm has its own data store. Applications can be load balanced across all servers in a farm but cannot be load balanced across multiple farms.
The business decisions for an organization can help an administrator determine which farm configuration is needed.
Data Store
All XenApp servers in a farm use a single, centralized database called the data store to maintain persistent farm data. This database enables the entire farm and individual server settings to be centrally managed. The data store may be a Microsoft SQL Server Express database on a XenApp server or an enterprise-level database on a separate server running Microsoft SQL Server or Oracle. The data store contains static information for the farm such as:
Farm configuration information
Published application configurations
Server configurations
Farm management security
Printer configurations
License server name and port
For more information on installing, maintaining, recovering and migrating a data store, see "Data Store Database Reference" on the http://support.citrix.com web site.
Data Collectors
XenApp servers must be load balanced to ensure a quality user experience. Load balancing determines which servers are least busy and can best run an application. A single XenApp server in each zone, called the data collector, maintains dynamic farm information and communicates this information to data collectors in other zones. The Independent Management Architecture (IMA) provides the framework for all server-to-server communication that occurs in a XenApp farm, including session information. The data collector is responsible for load balancing decisions based on the following criteria:
Server load data
User session status
In a large XenApp farm environment, it is recommended to restrict the data collector from delivering applications, thereby dedicating its function. A dedicated data collector speeds up load balancing decisions and improves session logon time.
1. Highest XenApp version (also referred to as Host Record Version) - Servers with the most recent software, XenApp 6, will have a Host Record of 1, which is the highest.
2. XenApp server ranking - XenApp servers can be configured with the following rankings using the Set Election Preference menu in the Delivery Services Console:
Most Preferred (1)
Preferred (2)
Default Preference (3)
Not Preferred (4)
The Set Election Preference menu is located in the task pane of the Delivery Services Console under XenApp > Name of Farm > Zones > Name of Zone > Set Election Preference. When XenApp is installed, the first server in the farm is given a preference setting of Most Preferred. Each additional server added to the farm has a data collector setting of Default Preference. The first server continues to be the data collector unless an administrator changes its setting from Most Preferred to a lower preference setting, or a server with a newer version of XenApp joins the farm. Mixed farms are not supported with XenApp 6.
If the primary data collector is down or unavailable, an election is held to designate another server in the zone to act as the data collector. The newly elected data collector gathers all necessary data within 30 seconds. As a best practice, configure one server with the Preferred ranking in the event that the server with the Most Preferred ranking becomes unavailable. This will ensure that the proper XenApp server becomes the new data collector should an election occur.
3. Host ID number - Host ID numbers are assigned at random during installation. In the event that all XenApp servers have the same preference setting, the election winner would be determined by the highest Host ID number. An administrator can use the QUERYHR command line utility to view the Host ID numbers for all the servers in the farm. For more information about the data collector election process, see Citrix Knowledge Base article CTX112525 on the http://support.citrix.com web site.
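The three election criteria above reduce to a single ordered sort key: Host Record Version first, then election preference, then Host ID. The following simulation is an added example written for this page, not course material or Citrix code. The server names, Host IDs and preference settings are constructed sample data, and the Host Record Version is treated as a plain integer where a higher value wins, exactly as the text describes:

```python
"""Simulate the XenApp 6 data collector election order described above.

Added example (not course or Citrix code). Server names, Host IDs and
preference settings below are constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

# Values offered by Set Election Preference in the Delivery Services
# Console: a lower number is a stronger preference.
MOST_PREFERRED = 1
PREFERRED = 2
DEFAULT_PREFERENCE = 3
NOT_PREFERRED = 4


@dataclass(frozen=True)
class ZoneServer:
    name: str
    host_record_version: int  # XenApp 6 servers carry a Host Record of 1
    preference: int           # 1 (Most Preferred) .. 4 (Not Preferred)
    host_id: int              # assigned at random during installation
    online: bool = True


def election_key(server: ZoneServer):
    """Rank a server for the election.

    Criteria in order: highest Host Record Version, then the strongest
    election preference (negated so that Most Preferred = 1 sorts highest),
    then the highest Host ID as the final tie-breaker.
    """
    return (server.host_record_version, -server.preference, server.host_id)


def elect_data_collector(zone: List[ZoneServer]) -> Optional[ZoneServer]:
    """Return the online server that wins the election, or None when no
    member of the zone is available."""
    candidates = [s for s in zone if s.online]
    if not candidates:
        return None
    return max(candidates, key=election_key)


def with_offline(zone: List[ZoneServer], *names: str) -> List[ZoneServer]:
    """Copy of the zone with the named servers marked unavailable."""
    return [replace(s, online=False) if s.name in names else s for s in zone]


def sample_zone() -> List[ZoneServer]:
    """Constructed zone: the first installed server holds Most Preferred,
    one server has been set to Preferred as the text recommends, and the
    remaining servers keep Default Preference."""
    return [
        ZoneServer("XA-01", 1, MOST_PREFERRED, host_id=4182),
        ZoneServer("XA-02", 1, PREFERRED, host_id=9120),
        ZoneServer("XA-03", 1, DEFAULT_PREFERENCE, host_id=27311),
        ZoneServer("XA-04", 1, DEFAULT_PREFERENCE, host_id=16004),
    ]


if __name__ == "__main__":
    zone = sample_zone()
    print("normal operation:", elect_data_collector(zone).name)
    print("XA-01 down:", elect_data_collector(with_offline(zone, "XA-01")).name)
    print("XA-01 and XA-02 down:",
          elect_data_collector(with_offline(zone, "XA-01", "XA-02")).name)
```

With only Default Preference servers left, the winner is decided by Host ID alone, which is why the text recommends deliberately assigning Preferred to a second server: otherwise the fallback data collector is effectively chosen at random by the installer.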
Zones
A logical group of XenApp servers communicating with a single data collector is called a zone. Zones are typically based on subnets.
During the installation of XenApp on a server, the server must join a zone. The first XenApp server installed in a farm defines the initial zone and becomes the data collector for the zone. The default name of the first zone is Default Zone. After the installation is complete, an administrator can create additional zones and move servers into the different zones. The first XenApp server moved into a zone becomes the data collector for that zone. Zones can be used to designate physical or logical groupings. If a XenApp server is moved to another zone, a restart of the moved XenApp server is required. The moved XenApp server will not respond to application requests until after the restart.
The Citrix XenApp Provider provides support for health information systems, such as Microsoft Systems Center Operations Manager (SCOM). For more information about the Citrix XenApp Provider, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.
The Delivery Services Console is a Microsoft Management Console (MMC) snap-in that allows administrators to configure administrative permissions, server and farm properties through policies, published resources and much more. It is the primary administrative utility for XenApp. The License Administration Console is a browser-based utility that allows administrators to manage licenses, track license usage and configure licensing alerts. Citrix plug-ins make it possible for users to access published resources regardless of the operating system installed on the client device. The Citrix plug-ins related to XenApp include:
Citrix online plug-in
Citrix offline plug-in
Client for Java
Citrix Receiver (versions exist for Windows, Mac, Java and Linux)
For more information on specific Citrix plug-ins, navigate to the www.citrix.com web site and select Downloads > Clients.
The Delivery Services Console is the primary administrative utility for XenApp. All tasks in the Delivery Services Console can be automated using PowerShell, which replaces MFCOM. The console is organized around the tasks related to:
Administrators - Add administrators and set permissions
Applications - Publish and organize online and offline applications
Policies - Create and manage policies
Zones - Manage and monitor zones and servers in zones
XenApp 6 seamlessly integrates with Microsoft management tools. Administrators can manage XenApp servers and farms using Active Directory Group Policies.
The Delivery Services Console can also be used for the following tasks:
Create and assign load evaluators to servers and published applications.
Set the edition on the XenApp server.
Connect to a server desktop.
Configure and view hotfix information for Citrix products.
View server health information.
If two administrators are using the Delivery Services Console at the same time to change the same information in a farm, only the changes entered last are maintained in the data store database.
Review
1. Which are the editions of XenApp?
a. Standard, Enterprise, Custom
b. Advanced, Essential, Platinum
c. Basic, Intermediate, Advanced
d. Advanced, Enterprise, Platinum
2. Which feature of XenApp delivers a high performance, high definition user experience through virtualized applications from any device, on any network?
a. SSL Relay
b. SNMP Monitoring
c. Citrix HDX technology
d. Support for Microsoft App-V
3. Which component is not one of the primary architectural components of XenApp?
a. Data collector
b. License server
c. Data store database
d. Desktop Delivery Controller
4. Which statement about Independent Management Architecture is true?
a. Communicates with XenApp using TCP port 25000
b. Delivers crucial systems that collectively leverage additional Citrix products
c. Runs on designated XenApp servers and is enabled in the Delivery Services Console
d. Provides the framework for all server-to-server communication that occurs in a XenApp farm
Module 3
Licensing XenApp
Overview
Citrix XenApp requires product licenses to function properly. Two major components of the Citrix licensing process are the license server and the License Administration Console. The licensing model applies to several products. This module provides information on the major components as well as additional relevant information for licensing XenApp. XenApp provides organizations with the ability to install, publish and manage applications and content from one centralized location. These published resources can then be securely accessed by users from anywhere, anytime, using any device over any connection.
At the end of this module, you will be able to:
Explain XenApp licensing communications and license types.
Configure License Administration Console ports and administrators.
Install the Citrix License Server and import license files into the console.
Explain how the license server can be made highly available.
XenApp Licensing
Citrix XenApp requires licenses for users to connect successfully.
Licensing Communication
The following table outlines the components that an administrator must consider when deploying licensing.
Component - Description
License Server - Stores the licenses
License File - Keeps the license information for the product. Contains vital information such as the product edition, number of users and any expiration dates applicable. Is stored on the license server.
License Administration Console - Allows an administrator to maintain the license server and license files for XenApp servers using a web-based interface
License Types
XenApp uses concurrent user licenses, which are licenses that are not tied to specific users. When a server requests a license, it is reserved for a specific client device/user combination. When the user logs off from the session, the license is returned to the license pool and made available for another user. Users connecting from multiple devices will consume multiple licenses. In addition, if some servers in a farm are configured to connect to a different license server, users opening applications from both server groups will consume a license from each license server.
Citrix XenApp 6 can use any license server version 11.6.1 or above. The version can be verified in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\LicenseServer\Install.
The version number appears in the format: 11.6.1 build 10007. Any license server, version 11.x and above, can be upgraded. After the upgrade is completed, the License Server configuration tool will launch. Configuration, for settings such as the administrator password and license server ports, is required. Additionally, after the upgrade is completed, the previous report log (REPORTLOG.RL) will be disabled because license reporting is now available only in Citrix EdgeSight.
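A version string in the format shown above should be compared numerically, not as text, before deciding whether a license server meets the 11.6.1 minimum or merely qualifies for the 11.x upgrade path. The following check is an added example, not Citrix code: the registry key path is the one quoted above, but the value name under it is not given in the text and is a labelled assumption, and the script falls back to a constructed sample string when it is not running on Windows.

```python
"""Check a Citrix License Server version string against the XenApp 6 minimum.

Added example, not Citrix code. The registry key path is the one quoted in
the text; the value name under it is NOT given there and is an assumption.
"""
import re
from typing import Optional, Tuple

MINIMUM_VERSION = (11, 6, 1)     # XenApp 6 needs license server 11.6.1 or above
UPGRADABLE_MAJOR = 11            # any 11.x license server can be upgraded in place

# Registry location named in the text (under HKEY_LOCAL_MACHINE).
LICENSE_SERVER_KEY = r"SOFTWARE\Wow6432Node\Citrix\LicenseServer\Install"
VERSION_VALUE_NAME = "Version"   # ASSUMPTION: placeholder value name, not from the text

# Accepts the documented format "11.6.1 build 10007"; the build suffix is optional.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s+build\s+(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '11.6.1 build 10007' into the integer tuple (11, 6, 1).

    Comparing integer tuples avoids the string-comparison mistake in which
    '11.10.0' sorts below '11.6.1'.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised license server version string: {text!r}")
    return (int(match.group(1)), int(match.group(2)), int(match.group(3)))


def assess(text: str) -> str:
    """Classify a version string.

    'supported'      - meets the 11.6.1 minimum, nothing to do
    'upgrade'        - an 11.x server below the minimum; an in-place upgrade applies
    'not-upgradable' - older than 11.x, so the upgrade path described does not apply
    """
    version = parse_version(text)
    if version >= MINIMUM_VERSION:
        return "supported"
    if version[0] == UPGRADABLE_MAJOR:
        return "upgrade"
    return "not-upgradable"


def read_installed_version() -> Optional[str]:
    """Read the version string from the registry on Windows; None elsewhere
    or when the key or value is absent."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LICENSE_SERVER_KEY) as key:
            value, _ = winreg.QueryValueEx(key, VERSION_VALUE_NAME)
    except OSError:
        return None
    return str(value)


if __name__ == "__main__":
    installed = read_installed_version() or "11.6.1 build 10007"  # constructed fallback
    print(installed, "->", assess(installed))
```

Running the script on the license server itself reads the registry; anywhere else it evaluates the constructed sample string, which is enough to confirm the parsing and the numeric comparison.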
Microsoft requires client access licenses (CALs) and RDS CALs for each system that connects through Remote Desktop Services and provides a grace period of 120 days for an administrator to acquire the proper licenses. Remote Desktop licensing must also be installed. For more information on Microsoft licensing requirements, see the www.microsoft.com web site.
When analyzing the number of licenses required in an environment, an administrator must consider whether users employ various types of clients to connect to product servers. For example, users connecting to XenApp using a Citrix plug-in and Remote Desktop Services connection simultaneously consume multiple licenses. The license server considers Remote Desktop Services connections as separate from the Citrix plug-in connection and even though the connection may be from the same user, XenApp consumes two licenses. Remote Desktop Services connections made to a console, however, do not consume a license. Most application manufacturers require user licenses for their products. An administrator must adhere to these licensing requirements whether users connect directly to the desktop or launch individual published applications. Licensing practices may vary from company to company, as well as in an RDS environment as compared with a traditional networking environment. Citrix recommends that an administrator contact each manufacturer to verify the specifications to ensure compliance with licensing requirements.
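The License Types section above and this passage together describe the consumption rules: a license is reserved per client device and user combination, returned at log-off, counted separately for a Remote Desktop Services session and for a Citrix plug-in session from the same user, not consumed for a console connection, and drawn from each license server separately when server groups point at different license servers. The following model is an added example written for this page, not Citrix code; the farm layout, user names, device names and pool sizes are constructed sample data:

```python
"""Model XenApp concurrent-license consumption as described in the text.

Added example, not Citrix code. The farm layout, user names, device names
and pool sizes are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Connection kinds the text distinguishes.
PLUGIN = "citrix-plugin"       # Citrix plug-in session
RDS = "rds"                    # Remote Desktop Services session
RDS_CONSOLE = "rds-console"    # RDS connection to the console: no Citrix license


@dataclass
class LicenseServer:
    name: str
    total: int
    # One entry per (user, device, connection kind) holding a license.
    checked_out: Set[Tuple[str, str, str]] = field(default_factory=set)

    def in_use(self) -> int:
        return len(self.checked_out)

    def checkout(self, user: str, device: str, kind: str) -> bool:
        """Reserve a license for a user/device combination; True if allowed.

        The same combination reconnecting reuses its license; a different
        device, or an RDS session beside a plug-in session, consumes another.
        """
        if kind == RDS_CONSOLE:
            return True
        key = (user, device, kind)
        if key in self.checked_out:
            return True
        if self.in_use() >= self.total:
            return False            # pool exhausted: the connection is refused
        self.checked_out.add(key)
        return True

    def release(self, user: str, device: str, kind: str) -> None:
        """Log-off returns the license to the pool."""
        self.checked_out.discard((user, device, kind))


@dataclass
class Farm:
    # XenApp server name -> the license server that server is configured to use
    license_server_of: Dict[str, LicenseServer]

    def launch(self, server: str, user: str, device: str, kind: str = PLUGIN) -> bool:
        """A XenApp server requests a license on behalf of the connecting user."""
        return self.license_server_of[server].checkout(user, device, kind)

    def logoff(self, server: str, user: str, device: str, kind: str = PLUGIN) -> None:
        self.license_server_of[server].release(user, device, kind)


def build_sample_farm() -> Tuple[Farm, LicenseServer, LicenseServer]:
    """Constructed farm: two server groups pointing at different license servers."""
    ls_a = LicenseServer("LIC-A", total=3)
    ls_b = LicenseServer("LIC-B", total=3)
    return Farm({"XA-01": ls_a, "XA-02": ls_a, "XA-03": ls_b}), ls_a, ls_b


def walk_through() -> Dict[str, Tuple[bool, int, int]]:
    """Run the scenarios from the text.

    Returns step -> (connection allowed, licenses in use on LIC-A, on LIC-B).
    """
    farm, ls_a, ls_b = build_sample_farm()
    out: Dict[str, Tuple[bool, int, int]] = {}

    def step(label: str, allowed: bool) -> None:
        out[label] = (allowed, ls_a.in_use(), ls_b.in_use())

    step("alice laptop plugin", farm.launch("XA-01", "alice", "laptop"))
    step("alice laptop again", farm.launch("XA-02", "alice", "laptop"))      # same combination: reused
    step("alice tablet plugin", farm.launch("XA-01", "alice", "tablet"))     # second device: second license
    step("alice laptop rds", farm.launch("XA-01", "alice", "laptop", RDS))   # RDS counted separately
    step("admin console rds", farm.launch("XA-01", "admin", "ws", RDS_CONSOLE))  # console: none
    step("bob refused", farm.launch("XA-01", "bob", "pc"))                   # pool of 3 exhausted
    farm.logoff("XA-01", "alice", "tablet")
    step("bob after logoff", farm.launch("XA-01", "bob", "pc"))
    step("alice other group", farm.launch("XA-03", "alice", "laptop"))       # other license server
    return out


if __name__ == "__main__":
    for label, result in walk_through().items():
        print(f"{label:22s} allowed={result[0]!s:5s} LIC-A={result[1]} LIC-B={result[2]}")
```

The walk-through shows why capacity planning must count device and connection-type combinations rather than named users: one user holds three licenses on LIC-A and a fourth on LIC-B, and the pool of three is exhausted before a second user connects.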
To open the License Administration Console from the server on which it is installed, click Start > All Programs > Citrix > Management Consoles > License Administration Console. To open the License Administration Console using a web browser, type: http://servername:webserviceport in the Address field of the web browser. For example, if the server is Server1, type http://Server1:8082. Additional considerations include the following:
It is a best practice that administrators install and configure Secure Sockets Layer (SSL) and configure Secure HTTP(S) when accessing the License Administration Console using a browser on a UNIX workstation or in an unsecure environment. For more information on securing the License Administration Console with SSL, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.
If the vendor daemon stops running, vendor daemon services can be restarted in the License Administration Console, which is less intrusive than restarting the server.
It is a best practice to use a Virtual Private Network (VPN) when accessing the License Administration Console from outside the network.
The license server does not use a Windows Server account. The console requires authentication except to view the Dashboard. A default "Admin" account is created during installation and a password is configured for the account after the installation. If the password is forgotten, the license server must be reinstalled.
Port Configuration
Port configurations in the license files are no longer supported. The Citrix Licensing Support service searches for existing port configurations in license files and removes them. The Citrix vendor daemon port (default: 7279), license server manager port (default: 27000) and License Administration Console port (default: 8082) can all be configured using the following methods:
License Administration Console - Configuring ports in the License Administration Console requires a restart of the Citrix Licensing service.
The original administrator can add delegated administrators to the License Administration Console. These administrators can have full or partial control of the License Administration Console, as designated by the original administrator. An administrator can also add a domain user within the License Administration Console. When adding the new user, an administrator must choose to allow or deny them certain features. Therefore, an administrator can choose to add users to perform specific tasks in the License Administration Console with no ability to view other areas.
Description
The ability to view current license usage, the complete license inventory and any alerts concerning these areas
The ability to add new license files, manage files related to the License Administration Console and configure alert thresholds
The ability to add new delegated administrators and assign them roles
Installing Licensing
The installation of the license server software automatically installs the licensing prerequisites with the exception of the following items:
Microsoft Visual C++ 2008 Redistributable
Microsoft MSI utility version 3.x
Additional considerations for installing licensing include the following:
It is a best practice to install the license server first. If licensing is installed after XenApp, a policy must be configured to point to the license server.
Licensing can exist on a separate server or can share a server with another component.
Installation and configuration of the license server is divided into two separate processes. Post-installation configuration is performed using the License Server Configuration tool. This tool is used to configure the console "Admin" password and port numbers and automatically launches after the initial installation or an upgrade is completed. The tool can only be run once. Multiple attempts to run the tool will produce an error. Unattended installation is also supported, but only by using MSIEXEC at the command line. The Admin password and port numbers are also configurable using the MSIEXEC command during an unattended installation. Active Directory and transform files are no longer supported for deploying licensing. For more information about the MSIEXEC command line arguments, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Uninstalling Licensing
An administrator may need to uninstall licensing for a variety of reasons, including moving the component to another system or renaming the system. Some of the files that are not deleted during the uninstall process include the following:
Options file (CITRIX.OPT)
License file (LICENSE_NAME.LIC)
A new license server with a valid license file must be ready to accept connections from the Citrix product within a 30-day recovery period of removing the original license server. If the server is unable to establish communication within this time frame, users cannot connect. When the license file is moved to a server with a different name from the current hostname, the license file must be returned to Citrix and exchanged for a license file that indicates the new server name. This process is called reallocating and is completed on the www.MyCitrix.com web site.
of license checkouts, these transactions may tax the network bandwidth. In these cases, the license server should reside on the same LAN as the servers.
4. Browse to the license file.
5. (Optional) Select the Overwrite License File on the License Server check box if the file has the same name as the existing file.
6. Click Import License and then OK. The import process copies the file from the existing location into the MyFiles directory where it can be read by the license server.
7. Click the Administrator link in the Citrix vendor daemon line.
8. Click Reread License Files to allow the license server to recognize the new file.
Subscription Advantage
Citrix products include a one-year membership to Subscription Advantage. This membership provides major releases, minor releases and product update downloads through the MyCitrix web site. The membership includes email notifications concerning the account and new items available for members. Members can view, update and obtain benefit information and privileges on MyCitrix at any time. Organizations can renew Subscription Advantage at the end of a one-year membership. For each major product release, Citrix issues at least one minor release; these releases are available free of charge with a Subscription Advantage membership. Customers who have let their membership lapse prior to the availability of a new product are unable to obtain the minor product releases. The license itself, however, continues to function at its current platform level and does not expire. The product version date in the license file must be the same as or newer than the product version date of the installed product, whether a major or minor release. Citrix issues new license files with updated Subscription Advantage expiration dates on the MyCitrix web site after membership renewal. Administrators can obtain and install major and minor releases after the Subscription Advantage membership expires, as long as the products were released while the membership was still valid. The following table describes several possible scenarios and how they affect product functionality.
Subscription Status - Product Release Date - Product Functionality
Valid - Prior to Subscription Advantage expiration date - Product functions properly
Prior to Subscription Advantage expiration date - Product functions properly
After Subscription Advantage expiration date - Product does not function properly
administrator must change the farm or server configurations to point to the original license server.
Bandwidth: Although bandwidth consumption is minimal, network resources are a consideration when additional servers connect to a license server.
License availability: License availability is important because it affects financial decisions for the organization and ultimately, user connectivity. The license reserve diminishes faster than it does under normal circumstances when there are additional users making license requests. For this reason, an adequate number of licenses must be available for all users who typically connect to the farm, as well as the new users.
Replacing the license server - Administrators can rebuild or replace the license server in the event that a backup license server becomes unavailable or when the production license server becomes inoperable prior to setting up a backup license server. The new license server can use the same license file as long as the hostname remains the same. If the hostname of the replacement license server is different from that of the original license server, administrators must obtain a new license file from the MyCitrix web site. License files are case sensitive; therefore, if the hostname is spelled the same but the case is different, the license file will need to be replaced.
Review
1. After a license server is installed and licenses are added, servers can lose contact with the license server for up to how many days without loss of functionality?
   a. 5
   b. 30
   c. 90
   d. 96

2. Which type of licensing manages the licenses that are required for each device or user to connect to a Remote Desktop Session Host (RDS) server?
   a. Citrix licensing
   b. XenApp licensing
   c. Microsoft plug-in licensing
   d. Remote Desktop licensing

3. Complete the following sentence. When implementing XenApp, it is a best practice to install the license server _______.
   a. After installing XenApp
   b. Before installing XenApp
   c. On the same server as XenApp
   d. On the same server as the Web Interface

4. What should an administrator do to obtain a license file?
   a. Call Citrix Technical Support
   b. Copy a file from a previous XenApp implementation
   c. Log on to the MyCitrix web site using personalized credentials
   d. Run the License Generation Wizard from the Delivery Services Console
Module 4
Installing XenApp
Overview
Citrix XenApp 6 is supported only on Microsoft Windows Server 2008 R2. XenApp 6 can be installed using a wizard, which installs the prerequisites automatically during the installation. When XenApp 6 is installed from the command line or through an unattended installation, the administrator must install the prerequisites manually before installing XenApp 6. XenApp 6 is not supported on a domain controller.

At the end of this module, you will be able to:
- Identify the methods that can be used to install XenApp.
- Identify the XenApp hardware and software requirements.
- Make installation decisions appropriate for an environment.
The XenApp Server Role Manager can be used to install and configure XenApp 6. It allows the administrator to choose what to install, and roles can be added as needed as the wizard guides the administrator through the installation. Roles available with XenApp include the following:
- Citrix License Server
- XenApp Server (the Citrix online plug-in and Citrix offline plug-in are installed automatically with this role)
- Web Interface Server
- Single sign-on services (Platinum Edition only)
- Power and Capacity Management Administration (Enterprise and Platinum Editions only)
- EdgeSight Server (Platinum Edition only)
- Provisioning Services (Platinum Edition only)
Hardware Requirements
Most servers running Microsoft Windows Server 2008 R2 meet the hardware requirements for XenApp with ample processing power to host user sessions accessing the published resources. However, additional research may be needed to determine whether the current hardware meets the requirements. The following table details the requirements for XenApp 6.

Technology | Requirement
CPU | 64-bit architecture: Intel Pentium/Xeon family with Intel Extended Memory 64 Technology, AMD Opteron family, AMD Athlon 64 family, or a compatible processor
Memory | 512MB RAM (minimum)
Disk space | 32GB (minimum)
Web Interface | 6MB free disk space without the copied plug-ins; 120MB free disk space with the copied plug-ins; 3.5MB for each Web Interface site
Software Requirements
The components of XenApp require specific software in order to function correctly. An administrator can use the following table to determine the software requirements for each installation stage of XenApp.

Installation Stage | Requirements
Delivery Services Console | One of the following operating systems: Windows Server 2008 R2; Windows Server 2008 x86 and x64; Windows Server 2003 (Standard, Datacenter and Enterprise Editions) x86 SP2, x64, R2 x86 and x64 SP2; Windows XP Professional x86 SP3; Windows XP Professional x64 SP2; Windows Vista (Business, Enterprise and Ultimate Editions) x86, x64 SP1; Windows 7 x86 and x64. Also required: .NET Framework 3.5 SP1 (automatically installed); MMC 3.0; Microsoft Visual C++ 2005/2008 SP1 Redistributable x64 (automatically installed); 25MB free disk space
Web Interface | One of the following operating systems: Windows Server 2008 R2; Windows Server 2008 x86 and x64; Windows Server 2003 with SP2. Also required: Internet Information Services (IIS) (automatically installed) with Windows Authentication, Client Certificate Mapping Authentication and ASP.NET 3.5; Visual J# .NET Framework (automatically installed)
The following installation prerequisites are automatically enabled during XenApp Server Role Manager wizard-based installations:
- Microsoft .NET 3.5 SP1
- Windows Application Server role
- Group Policy Management Console (GPMC). The GPMC is installed only if the Delivery Services Console is selected for installation. Additionally, the Citrix Group Policy Engine is added as a new service in XenApp 6.
- Microsoft Remote Desktop Services Session Host role

The following installation prerequisites are automatically installed during wizard-based installation:
- Microsoft Visual C++ 2005/2008 SP1 Redistributable (and x64 edition)
- Microsoft Primary Interoperability Assemblies 2005
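For a command-line or unattended installation, none of the above is installed for you, so a pre-flight script is the practical check before running the installer. The following is an added example and is not part of the Citrix course material; it assumes the ServerManager module that ships with Windows Server 2008 R2 and that module's feature names NET-Framework, Application-Server, RDS-RD-Server and GPMC, which the text does not state. It also checks the two constraints named in this module: the server must not be a domain controller, and the installer must run as a local Administrator.

```powershell
# Added example, not from the Citrix course material.
# Assumes the Windows Server 2008 R2 ServerManager module and its feature names.
Import-Module ServerManager

function New-CheckResult {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Test-XenAppPrerequisites {
    param([switch]$WithDeliveryServicesConsole)

    $os = Get-WmiObject Win32_OperatingSystem

    # XenApp 6 is supported only on Windows Server 2008 R2 (kernel 6.1), 64-bit.
    New-CheckResult 'Windows Server 2008 R2 x64' `
        ($os.Version -like '6.1.*' -and $os.OSArchitecture -eq '64-bit') `
        "$($os.Caption) $($os.Version) $($os.OSArchitecture)"

    # Win32_OperatingSystem.ProductType 2 means domain controller: unsupported.
    New-CheckResult 'Not a domain controller' ($os.ProductType -ne 2) "ProductType=$($os.ProductType)"

    # The installer must run elevated by a member of the local Administrators group;
    # UAC cannot elevate an account that is not already a member.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList $identity
    New-CheckResult 'Elevated local Administrator' `
        $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) $identity.Name

    # Roles and features the wizard would enable; GPMC only matters with the console.
    $features = @('NET-Framework', 'Application-Server', 'RDS-RD-Server')
    if ($WithDeliveryServicesConsole) { $features += 'GPMC' }
    foreach ($name in $features) {
        $f = Get-WindowsFeature $name -ErrorAction SilentlyContinue
        $detail = 'feature name not known to ServerManager'
        if ($f) { $detail = $f.DisplayName }
        New-CheckResult "Feature $name" ([bool]($f -and $f.Installed)) $detail
    }
}

$report  = @(Test-XenAppPrerequisites -WithDeliveryServicesConsole)
$report | Format-Table Check, Ok, Detail -AutoSize
$missing = @($report | Where-Object { -not $_.Ok })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} prerequisite(s) missing; fix them before the unattended install." -f $missing.Count)
}
```

Run it in an elevated PowerShell session on the target server; any row with Ok set to False is something the wizard would have handled and the unattended installer will not.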
Installation Decisions
As a best practice, an administrator should review the configuration options available during the XenApp installation process before installing the product. By reviewing the options, the administrator can determine in advance how to configure XenApp so that it meets the needs of the organization.

Administrators must be members of the local Administrators group before installing or configuring XenApp. Individuals cannot elevate their privileges to local administrator through User Account Control to gain membership.

Licensing should not be overlooked during the installation phase. Administrators are required to maintain proper licensing for:
- XenApp
- The operating system
- Remote Desktop Services (RDS)
- All applications

For more information about Windows Server 2008 R2 and RDS licensing, see the www.microsoft.com web site.
Zones
A zone is a logical grouping of servers within a farm. Single zones work best when all XenApp servers are located in the same geographic location. Multiple zones work best when XenApp servers are separated geographically. If the administrator does not specify a zone name during installation, "Default Zone" will be used as the name of the zone. The administrator can create a custom zone name by selecting the checkbox and entering the name.
The following information is required for XenApp to connect to the license server:
- License server name or IP address
- License server port number (default is port 27000)
- Server daemon port number (default is port 7279)

If a license server from a previous version of XenApp will be used, it must be upgraded to the license server software included with XenApp 6 or later.
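The two details that most often go wrong here are the ones the High Availability section and this list describe: a license file whose SERVER hostname differs from the server's actual name only in case, and the two ports (27000 and 7279) being blocked between farm servers and the license server. The following is an added example, not part of the Citrix course material. It assumes the FlexNet-style license file layout that Citrix licensing uses, with a header line of the form SERVER <hostname> <hostid> <port>; the sample file content is constructed.

```powershell
# Added example, not from the Citrix course material.
# Assumes a FlexNet-style license file whose SERVER line is "SERVER <host> <hostid> <port>".

function Get-LicenseServerEntry {
    param([string]$LicenseFileText)
    $entry = New-Object PSObject -Property @{ HostName = $null; Port = 27000 }
    foreach ($line in ($LicenseFileText -split "`r?`n")) {
        $fields = $line.Trim() -split '\s+'
        if ($fields[0] -ceq 'SERVER' -and $fields.Count -ge 2) {
            $entry.HostName = $fields[1]
            if ($fields.Count -ge 4 -and $fields[3] -match '^\d+$') { $entry.Port = [int]$fields[3] }
        }
    }
    return $entry
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Test-LicenseServerFile {
    param([string]$LicenseFileText, [string]$ExpectedHost = $env:COMPUTERNAME, [int]$DaemonPort = 7279)
    $entry = Get-LicenseServerEntry $LicenseFileText
    if (-not $entry.HostName) { throw 'No SERVER line found in license file.' }

    # -ceq is case-sensitive, -eq is not. A name that matches only under -eq is
    # exactly the "same spelling, different case" condition that requires a
    # re-issued license file from MyCitrix.
    if ($entry.HostName -ceq $ExpectedHost) {
        Write-Host "SERVER line '$($entry.HostName)' matches host '$ExpectedHost'."
    } elseif ($entry.HostName -eq $ExpectedHost) {
        Write-Warning "SERVER line '$($entry.HostName)' differs from '$ExpectedHost' only in case: obtain a new license file."
    } else {
        Write-Warning "SERVER line '$($entry.HostName)' does not name this host ('$ExpectedHost'): obtain a new license file."
    }

    # License server port (default 27000) and daemon port (default 7279) are
    # what every XenApp server pointed at this license server must reach.
    foreach ($port in @($entry.Port, $DaemonPort)) {
        $open = Test-TcpPort $entry.HostName $port
        New-Object PSObject -Property @{ HostName = $entry.HostName; Port = $port; Reachable = $open }
    }
}

# Constructed sample header; a real file carries INCREMENT lines after it.
$sampleLicense = @"
SERVER licsrv01 ANY 27000
VENDOR CITRIX
USE_SERVER
"@

Test-LicenseServerFile -LicenseFileText $sampleLicense -ExpectedHost 'LICSRV01' | Format-Table -AutoSize
```

With the constructed sample the hostname check fires the case-only warning, because licsrv01 and LICSRV01 are equal under -eq but not under -ceq. Run the port probe from a farm server rather than from the license server itself, since it is the farm server's path through the network that matters.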
Which Database Engine Will Be Used for the Data Store Database?
The data store database stores static information about the servers and published applications in a farm. When creating a farm, the Server Configuration Tool installs Microsoft SQL Server Express automatically, with the instance name CITRIX_METAFRAME and the database name MF20; this database uses Windows authentication. SQL Server Express may already be present on a XenApp server, but the server must be restarted before XenApp is installed. Farms can use the following databases as the data store:
- SQL Server 2008 SP1 (32-bit, 64-bit and Express editions)
- SQL Server 2008 (32-bit, 64-bit and Express editions)
- SQL Server 2005 SP3 (32-bit and 64-bit editions)
- Oracle 11g R2
It is a best practice to install the database software on a server that is not a XenApp server. The account used to install XenApp must have db_owner permissions on the database. Additionally, if XenApp will be configured from the command line, the Data Source Name (DSN) file for the SQL Server database must be created before the XenApp configuration. Support for Microsoft Access and IBM DB2 has been removed in XenApp 6 on Windows Server 2008 R2. For additional information about supported database software versions, see the XenApp product documentation at http://support.citrix.com/proddocs/index.jsp.
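Two of the requirements above can be verified before the command-line configuration is attempted: that the installing account really holds db_owner on the data store, and that a DSN file exists for it. The following is an added example and not Citrix's code or tooling. It assumes a SQL Server data store reached with Windows authentication, the file DSN layout read by the SQL Server ODBC driver, and placeholder server, instance and path names; the CITRIX_METAFRAME instance and MF20 database names are those the text gives for the default SQL Server Express data store.

```powershell
# Added example, not from the Citrix course material.
# Assumes a SQL Server data store with Windows authentication; names are placeholders.

function New-DataStoreDsnFile {
    param([string]$Path, [string]$SqlServer, [string]$Database = 'MF20')
    # File DSN layout understood by the SQL Server ODBC driver. Windows
    # authentication, so no credentials are written to disk.
    $lines = @(
        '[ODBC]',
        'DRIVER=SQL Server',
        "SERVER=$SqlServer",
        "DATABASE=$Database",
        'Trusted_Connection=Yes'
    )
    Set-Content -Path $Path -Value $lines -Encoding Ascii
    Get-Item $Path
}

function Test-DataStoreOwnerAccess {
    param([string]$SqlServer, [string]$Database = 'MF20')
    $cs   = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI;Connect Timeout=15"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # IS_MEMBER exists on SQL Server 2005 and 2008 and returns 1 when the
        # connected account is in the database role, 0 when it is not.
        $cmd.CommandText = "SELECT SUSER_SNAME() AS LoginName, IS_MEMBER('db_owner') AS IsDbOwner"
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        New-Object PSObject -Property @{
            SqlServer = $SqlServer
            Database  = $Database
            LoginName = $reader['LoginName']
            IsDbOwner = ([int]$reader['IsDbOwner'] -eq 1)
        }
    } finally { $conn.Close() }
}

# Run this as the account that will perform the XenApp installation, because
# IS_MEMBER answers for the connected login, not for an arbitrary one.
$result = Test-DataStoreOwnerAccess -SqlServer 'SQL01\CITRIX_METAFRAME'
$result | Format-List SqlServer, Database, LoginName, IsDbOwner
if ($result.IsDbOwner) {
    New-DataStoreDsnFile -Path 'C:\Install\mf20.dsn' -SqlServer 'SQL01\CITRIX_METAFRAME'
} else {
    Write-Warning "$($result.LoginName) lacks db_owner on MF20; grant it before configuring XenApp."
}
```

The DSN is written only when the db_owner check passes, so a failed permission check stops the procedure before the unattended configuration would fail with a less obvious error.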
The following table describes the options available when enabling shadowing.

Option | Description
Prohibit remote control | Prohibits the shadower from remotely controlling a user's keyboard and mouse during shadowing sessions
Force a shadow acceptance popup | Displays a shadowing acceptance message on the client device
Log all shadow connections | Keeps a log of all shadowed sessions
If shadowing is prohibited during XenApp installation, it can only be enabled at a later time by reinstalling XenApp. In some regions, shadowing is forbidden by industry or government regulations. If XenApp will be used in such a region, shadowing should be disabled during the installation.
When Will Users Be Added to the Local Remote Desktop Users Group?
During the installation of XenApp, existing users and groups and the anonymous user accounts created by XenApp can be added to the local Remote Desktop Users group on the server. Members of the local Administrators group already have the right to connect through Remote Desktop and do not need to be members of the local Remote Desktop Users group. All other users must be added to the group.
The following table describes the options available when adding users to the local Remote Desktop Users group.

Option | Description
Add the Authenticated Users | Adds all authenticated users
Add the list of users from the Users group | Adds the groups and users from the local Users group
Add Anonymous users | Adds the anonymous user accounts created by XenApp
Will Information in the Data Store and Configuration Logging Databases Be Protected with IMA Encryption?
XenApp can be configured to encrypt the credentials used by IMA to send information to the data store and configuration logging databases. This encryption can add a layer of security to the sensitive data stored in these databases. When IMA encryption is enabled on one server, it must be enabled on each server in the farm. IMA encryption is no longer part of the XenApp installation and must be manually configured using the CTXKEYTOOL command, following installation.
Review
1. True or False: An individual can elevate their privilege to local administrator through User Account Control to gain membership in the local Administrators group.
   a. True
   b. False

2. Which item is not available as a role in the XenApp Server Role Manager?
   a. Data collector
   b. XenApp server
   c. Web Interface server
   d. Provisioning services

3. Complete the following sentence. When configuring XenApp to use an existing license server, administrators enter the license server name or __________.
   a. IP address
   b. license key
   c. MAC address
   d. administrator credentials

4. Complete the following sentence. If pass-through authentication is not enabled during the installation and is later desired on the server, the plug-in software __________.
   a. cannot be configured to use pass-through authentication
   b. automatically configures upon reboot for pass-through authentication
   c. must be reinstalled on the server before pass-through authentication can be used
   d. can be copied from another XenApp environment that contains pass-through authentication
Module 5
Overview
Organizations use XenApp to provide users with the resources they need to accomplish their jobs. Because all organizations are different, XenApp must be customized to take full advantage of its capabilities. By the end of this module, given an environment containing XenApp, you will be able to:
- Add and configure worker groups.
- Add and configure administrative accounts and permissions.
- Identify the components required for configuration logging.
- Log administrative changes made to a XenApp farm environment.
Worker Groups
XenApp servers can be organized and managed as a single unit known as a worker group. Administrators can configure a worker group to contain servers based on OU membership within Active Directory, or assign individual farm servers to a worker group. Worker groups can be used to:
- Reduce the time needed to publish an application to several farm servers by organizing servers based on hosted application type
- Prioritize the groups of servers that users can access
- Filter policies to apply settings to a specific group of farm servers
later added to the worker group, or Active Directory OU, are automatically added to the properties of the published applications. An administrator must ensure that each application published to a worker group is installed on every server in the worker group. If the application is not installed on one or more farm servers in the worker group, the application will not launch and an error is logged to the Application event log on the data collector.
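Because a server that joins the worker group inherits the published applications automatically, the check that every member actually has the application installed is worth scripting rather than trusting. The following is an added example and not Citrix's code; server names and the application path are placeholders, and it reads each server's administrative share so it needs no remoting.

```powershell
# Added example, not from the Citrix course material. Placeholders throughout.

function Test-ApplicationOnServers {
    param([string[]]$Servers, [string]$LocalPath)   # LocalPath as seen on the server
    if ($LocalPath -notmatch '^[A-Za-z]:\\') { throw "Expected a local drive path, got '$LocalPath'" }
    foreach ($server in $Servers) {
        # C:\Program Files\App\app.exe becomes \\server\C$\Program Files\App\app.exe
        $unc = '\\' + $server + '\' + $LocalPath.Substring(0, 1) + '$' + $LocalPath.Substring(2)
        New-Object PSObject -Property @{
            Server    = $server
            Installed = (Test-Path -LiteralPath $unc)
            Path      = $unc
        }
    }
}

# Members of the worker group the application will be published to.
$workerGroupServers = 'XA01', 'XA02', 'XA03'
$report  = @(Test-ApplicationOnServers $workerGroupServers 'C:\Program Files\Contoso\Ledger.exe')
$report | Format-Table Server, Installed, Path -AutoSize

$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    $names = ($missing | ForEach-Object { $_.Server }) -join ', '
    Write-Warning "Install the application on $names before publishing it to the worker group."
}
```

Run it again whenever a server is added to the worker group or to the OU behind it, since that is exactly when the publication is extended without anyone installing anything.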
An administrator can grant administrative permissions to users selected with the Citrix User Selector from the following locations:
- The Windows users and groups within the domain
- The local users and groups on the server

A domain administrator can also be selected, but appropriate credentials must be provided before permission to browse the list of Active Directory users is granted.
An administrator with full permissions can configure additional administrator accounts using the following settings:

Setting | Description
View Only | Provides the administrator account permission to view all areas of XenApp using the Delivery Services Console and command line utilities, but the administrator cannot make modifications using these consoles or tools
Full Administration | Provides the administrator account full access to view and modify all areas of XenApp using the Delivery Services Console and command line utilities. The account specified during the XenApp installation becomes the default administrator with full administration privileges. These administrators can also add and delete administrators, grant permissions to other administrators, and create and delete server and application folders
Custom | Provides the administrator account with limited permissions to view and modify XenApp using the Delivery Services Console and command line utilities. A full administrator must configure the areas of XenApp to which a custom administrator has access
Disabled | Disables the selected administrator account. If the logon permission to a console is disabled, the administrator will not be able to perform administrative tasks using the Delivery Services Console
Creating an administrator account with custom privileges allows an administrator to delegate the administration of one or more particular areas of the farm. During the creation of a custom administrator account, the privilege level and permissions for the account are specified. When the administrator uses the Delivery Services Console, only the console tree nodes and folders that the administrator has permission to administer are displayed. Permissions can be granted to custom administrators:
- During the creation of the custom administrator account
- Through the Administrator properties in the Delivery Services Console
- Through the Permissions option for application and server folders in the Delivery Services Console

Delegated Administration Example

CompanyA has a local IT staff and a help desk. The local IT staff is responsible for managing and maintaining the server farm. The help desk is responsible for providing the first level of support to all users. The IT staff must have full administration privileges, while the help desk needs the following custom privileges and permissions:
View only permissions for:
- Administrators (as well as Log on to the Management Console)
- Farm Management
- Printers and Printer Drivers
- Published Applications and Content
- Server Information

Full administration permissions for:
- Sessions (located in the Servers and Applications nodes)
- Policies

By delegating these administrative permissions for the farm, the help desk personnel are able only to:
- View all areas of the Delivery Services Console.
- Perform the session tasks and user policy tasks related to their jobs.
The remote users require reduced color depth and no audio support in order to reduce bandwidth requirements. The application administrator must be allowed to manage only the published applications and the user sessions connecting to them, and must not have permission to perform any other administrative tasks in the farm. To meet these requirements, an administrator with full administration privileges for the farm:
- Creates folders named OFFICE_HR and REMOTE_HR
- Publishes the required applications with the appropriate settings so that all office users are assigned to the applications, and places the applications in the OFFICE_HR folder
- Publishes the same applications with the appropriate settings so that all remote users are assigned to the applications, and places the applications in the REMOTE_HR folder
- Modifies the permissions for the OFFICE_HR and REMOTE_HR folders to allow the application administrator to perform both published application and session-related administrative tasks
Delegating Administration
The administration of application and server folders can be delegated to specific administrators and groups of administrators. This delegated administration is configured through the permissions assigned to the folders. These permissions can be:
- Copied from the parent folder to the child subfolder when the folder is created. By default, later permission changes to the parent folder are not automatically copied to the subfolders. A full administrator can select, in the permissions of the parent folder, Copy the permissions of all administrators for this folder to its subfolders to propagate all changes to the subfolders.
- Specified or modified after the folder is created.

An administrator should be aware of the following considerations when configuring delegated administration for a folder:
- Administration of the folders can be simplified by assigning groups of administrators instead of individual users. Groups allow the administrator to grant or deny permissions by adding administrators to, or removing them from, the groups.
- When granting session management permissions such as Disconnect Users to an application or server folder, remember that disconnecting the session for one application disconnects all other applications within the same session.
Scenario 2: An administrator with full administration privileges (full administrator) grants an administrator with custom privileges (custom administrator) access to the Applications node in the Delivery Services Console. The custom administrator is given full permissions to the following:
- Publish Applications and Edit Properties
- All Application Sessions tasks

Six months later, the full administrator creates a folder within the Applications node of the Delivery Services Console to better manage the published applications in the farm. When creating the new folder, the full administrator chooses not to copy permissions from the parent folder. Which permissions does the custom administrator have to the new folder?

Scenario 3: CompanyA has a farm that consists of ten servers: five located in Quebec and five located in Hong Kong. The administrators in each location must have permission to manage only the servers in their geographic region. To accomplish this, the full administrator creates two folders under the Servers node in the Delivery Services Console (QB_Servers and HK_Servers) and moves the servers into the respective folders. What else must the full administrator do to ensure that administrators can manage only the servers in their geographic region?
Configuration Logging
In many organizations, a large number of administrators are responsible for configuring and administering XenApp. It can be beneficial to know which administrators made changes, what the changes were and when the changes were made. Configuration Logging provides a means of tracking administrative changes made to the XenApp farm environment, including:
- Who performed the change
- The date and time the change was made
- The object to which the change was made
- Whether the change was successful
An administrator can create configuration log reports using the Get-CtxConfigurationLogReport PowerShell command after Configuration Logging is enabled. The most useful information is logged when each administrator has a separate account.
encryption must be enabled on all servers in the farm. Administrators will be unable to access the IMA-encrypted data if the encryption for the farm is later disabled. The CTXKEYTOOL command can be used to enable and disable the IMA encryption feature and generate, load, replace, enable, disable and back up farm key files.
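The farm-wide nature of IMA encryption, described both in the installation decisions earlier and here, is what makes the rollout order matter: the key is generated and loaded on one server, backed up, and then loaded on every other server before anything depends on it. The following script is an added example and not Citrix's own procedure. The CTXKEYTOOL verbs it uses (generate, load, enable, backup) are the ones the text names, but the argument form ctxkeytool <verb> <keyfile> is assumed, as are PowerShell remoting to the other farm servers and the placeholder paths and server names.

```powershell
# Added example, not from the Citrix course material.
# Assumes "ctxkeytool <verb> [<keyfile>]" syntax, PowerShell remoting, placeholder names.

function Invoke-CtxKeyTool {
    param([string[]]$Arguments)
    & ctxkeytool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "ctxkeytool $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Enable-FarmImaEncryption {
    param(
        [string]$KeyFile    = 'C:\CitrixKeys\farmkey.ctx',
        [string]$BackupFile = '\\fileserver\secure-backups\farmkey.ctx',
        [string[]]$OtherServers
    )
    # 1. First server: generate the farm key, load it, enable encryption.
    New-Item -ItemType Directory -Path (Split-Path $KeyFile) -Force | Out-Null
    Invoke-CtxKeyTool @('generate', $KeyFile)
    Invoke-CtxKeyTool @('load', $KeyFile)
    Invoke-CtxKeyTool @('enable')

    # 2. Back up the key before anything depends on it. A rebuilt server
    #    without this key cannot read the encrypted data store credentials.
    Invoke-CtxKeyTool @('backup', $BackupFile)

    # 3. Every other farm server must load the same key and have the feature
    #    enabled; a server without the key cannot use the encrypted entries.
    foreach ($server in $OtherServers) {
        $remoteDir = '\\' + $server + '\' + $KeyFile.Substring(0, 1) + '$' + (Split-Path $KeyFile).Substring(2)
        New-Item -ItemType Directory -Path $remoteDir -Force | Out-Null
        Copy-Item -Path $KeyFile -Destination $remoteDir
        Invoke-Command -ComputerName $server -ArgumentList $KeyFile -ScriptBlock {
            param($kf)
            & ctxkeytool load $kf
            if ($LASTEXITCODE -ne 0) { throw "ctxkeytool load failed on $env:COMPUTERNAME" }
            & ctxkeytool enable
            if ($LASTEXITCODE -ne 0) { throw "ctxkeytool enable failed on $env:COMPUTERNAME" }
        }
        Write-Host "IMA encryption key loaded on $server"
    }
    # The key file copies on each server are now sensitive material: restrict
    # their ACLs or remove them, and keep only the backup in a controlled location.
}

Enable-FarmImaEncryption -OtherServers 'XA02', 'XA03'
```

Run it from the first farm server with an account that is an administrator on every server named in OtherServers. Each step stops on a non-zero exit code, so a partially encrypted farm is reported rather than silently left behind, which is the failure the "must be enabled on every server" rule is guarding against.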
The Delivery Services Console is used to specify the database that XenApp will use to log configuration changes. A Configuration Logging database must be created before Configuration Logging can be enabled, and each Configuration Logging database can hold information for only one farm; to store Configuration Logging information for a second farm, a second database must be created. The following settings can be used to create the Configuration Logging database:

Setting | Description
SQL Server | Select this setting to use SQL Server as the Configuration Logging database type. If SQL Server is selected, the administrator must provide the name of the database server, found in the Server name drop-down list, and the authentication mode used with the SQL Server database before proceeding with the configuration
Oracle | Select this setting to use Oracle as the Configuration Logging database type. If Oracle is selected, the administrator must provide the network service name of the Oracle server
Review
1. Which privileges can be granted to a XenApp administrator account?
   a. Full, View Only, Guest
   b. Read Only, Write Only, Add/Update
   c. View Only, Full Administration, Custom
   d. Create Accounts, Delete Accounts, Update Accounts

2. Which statement about folders in the Delivery Services Console is true?
   a. All administrators can create folders.
   b. Permissions can be assigned to individual applications in folders.
   c. Folders can be used to delegate the administration of applications and servers.
   d. Changes to permissions on a parent folder are automatically copied to all subfolders.

3. If IMA encryption is enabled, which effect will it have on the Configuration Logging database?
   a. All data in the Configuration Logging database will be backed up.
   b. Credentials to the Configuration Logging database will be encrypted.
   c. Only an Oracle database can be used for the Configuration Logging database.
   d. Only a SQL Server database can be used for the Configuration Logging database.

4. Which statement about worker groups is true?
   a. The first XenApp server moved into a worker group becomes the zone data collector.
   b. Farm servers in a worker group with a priority setting of 3 are considered the highest priority.
   c. A farm server added to a worker group will automatically inherit the policy configurations for the worker group.
   d. A farm server added to a worker group does not need to have an application installed locally to be able to inherit the published application configurations of the worker group and host the application.
Module 6
Overview
The Web Interface provides users with access to published resources and content through a standard web browser or through Citrix plug-ins. The Web Interface employs Java and .NET technology to present users with a dynamically created HTML depiction of farm resources. An administrator can create standalone web sites for resource access or integrate a web site into a corporate portal. Additionally, an administrator can configure settings for users accessing resources through the Citrix plug-ins. Web Interface sites are configured using the Web Interface Management console. The Web Interface is not a single point of failure. The options and configurations presented in this module pertain to Web Interface 5.3.

By the end of this module, given an environment containing XenApp, you will be able to:
- Describe the Web Interface communication process.
- Install and configure the Web Interface.
- Create and configure XenApp Web and XenApp Services sites.
- Configure client delivery and customizations.
- Configure explicit, pass-through and smart card authentication.
- Configure secure access settings for the Web Interface.
- Configure the Web Interface to communicate with XenApp farms.
- Remove a Web Interface site.
The following process provides an overview of how a XenApp Web site communicates with client devices and XenApp servers to initiate a session:
1. A user submits logon credentials through a Web Interface logon page.
2. The Web Interface forwards the logon credentials to the Citrix XML Service on the XenApp server.
3. The credentials are forwarded to a domain controller for authentication.
4. The Citrix XML Service retrieves a list of applications from the IMA subsystem.
5. The Web Interface presents the applications in a web page on the client device, and the user clicks an application icon on the web page.
6. The Web Interface contacts the Citrix XML Service to locate the least busy server in the farm. The Citrix XML Service requests a secure ticket for the user from the least busy server.
7. The Citrix XML Service returns the address of the least busy server and the secure ticket for the user to the Web Interface. The Web Interface server dynamically generates a customized ICA file (LAUNCH.ICA) and sends it to the web browser on the client device. If bookmarking is enabled, a LAUNCHER.HTML file is created instead of the LAUNCH.ICA file.
8. The client device initiates a connection with the server specified in the connection information of the ICA file.
Not all features are supported by all browsers. For information about supported features for the plug-ins, see Knowledge Base article CTX104182 on the www.citrix.com web site. For security and performance, the Web Interface should not be installed on a XenApp server. Client devices accessing XenApp Web sites must have a web browser and a supported plug-in to connect to the Web Interface site. For additional security, the Web Interface can be installed on the internal network. If the Web Interface is placed in the demilitarized zone (DMZ), it is a best practice to use Citrix SSL Relay to secure Citrix XML traffic; this requires a digital certificate.
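When the Web Interface sits in the DMZ and the XML traffic goes through SSL Relay, the certificate on the relay port is the only thing standing between the credentials in steps 1 and 2 above and the DMZ network. The following is an added example and not Citrix's code: it connects to the SSL Relay port from the Web Interface server, records the negotiated protocol, and evaluates the certificate's trust chain, name and expiry explicitly. The host name and the port (443, the conventional SSL Relay port) are placeholders.

```powershell
# Added example, not from the Citrix course material. Host and port are placeholders.

function Get-TlsEndpointReport {
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "Timed out connecting to ${HostName}:$Port" }
        $client.EndConnect($async)

        # Accept any certificate during the handshake so it can be inspected;
        # trust is then evaluated explicitly with X509Chain below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $stream = $client.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
        $ssl.AuthenticateAsClient($HostName)

        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        # First DNS name from the SAN, falling back to the subject CN. Exact match
        # only; a wildcard certificate needs a broader comparison.
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        New-Object PSObject -Property @{
            Endpoint   = "${HostName}:$Port"
            Protocol   = $ssl.SslProtocol
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            ChainOk    = $trusted
            ChainError = $status
            NameMatch  = ($dnsName -eq $HostName)   # must equal the name the Web Interface uses
        }
    } finally { $client.Close() }
}

$r = Get-TlsEndpointReport -HostName 'xenapp01.corp.example.com'
$r | Format-List Endpoint, Protocol, Subject, Issuer, NotAfter, DaysLeft, ChainOk, ChainError, NameMatch
if (-not ($r.ChainOk -and $r.NameMatch -and $r.DaysLeft -gt 30)) {
    Write-Warning 'SSL Relay certificate is untrusted, mis-named or close to expiry; XML traffic from the DMZ should not rely on it.'
}
```

Run it from the DMZ host itself, because the chain is evaluated against that machine's trust store; a certificate that validates on an internal workstation can still fail on a hardened DMZ server that lacks the issuing CA.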
An administrator can use the XenApp Server Roles Manager to install the Web Interface. For more information about installing the Web Interface, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Site Creation
An administrator can create the following types of Web Interface sites using the Web Interface Management console:

Site Type | Description
XenApp Web | Allows users to access remote applications, virtualized applications and content using a web browser
XenApp Services | Allows users to access remote applications, virtualized applications and content using the Citrix online plug-in
The Web Interface Management console guides an administrator through the process of creating each site type and allows an administrator to specify the IIS site, the configuration source location, user authentication settings and server farm settings for the site. After the site is created, it is added to the Web Interface Management console.
An administrator can use the Create Site option in the Web Interface Management console to create a XenApp Web or XenApp Services site.
The configuration information for a site is stored on the local server. An administrator can configure the site using the Web Interface Management console on the local server or by editing the WEBINTERFACE.CONF file on the local server. When specifying the point of authentication, an administrator can choose between the following options:
- At Web Interface (default), which enables built-in authentication methods such as explicit, pass-through and smart card authentication
- At Microsoft Active Directory Federation Services account partner, which enables authentication to take place at a client organization that wants to use the applications on the site
- At Access Gateway, which enables authentication to take place at the Access Gateway and passes the credentials through to the web site
- At third party using Kerberos, which uses a third-party federation or single sign-on product to authenticate users and map identities to Active Directory accounts so Kerberos can be used for single sign-on to the web site
- At Web server, which enables the authentication of users using Kerberos
When specifying authentication settings for a XenApp Web site, an administrator can choose from the following options:
- Explicit (default), which requires credentials to be typed
- Pass-through, which passes the credentials specified at Windows logon to the web site
- Pass-through with smart card, which passes the credentials specified at Windows logon to the web site. If a XenApp Services site is being accessed, the smart card PIN must be provided
- Smart card, which prompts for the smart card PIN regardless of the type of web site and for every application request
- Anonymous, which requires no typed credentials

When Explicit, Pass-through or Pass-through with smart card is selected, the configuration wizard allows the administrator to restrict access to the site to users from specific domains.

Active Directory Federation Services

Users can also access published applications using Active Directory Federation Services (ADFS). ADFS extends the existing Active Directory infrastructure to provide access to resources offered by trusted partners across the Internet. ADFS support for the Web Interface enables the partner in an ADFS deployment to use XenApp in conjunction with the Web Interface. By enabling ADFS, the administrator in the resource partner's domain can create sites for users in the account partner's domain, who then have single sign-on access to published applications in the resource partner's domain. Sites configured to use ADFS support authentication using ADFS only; other methods of authentication are not supported. After a site configured to use ADFS is created, the administrator cannot configure that site to use built-in authentication or access through Access Gateway.
Administrators can select the following published resource types for XenApp Web and XenApp Services sites:
- Online, which allows users to access published applications, content and desktops hosted on XenApp servers
- Offline, which allows users to access virtualized applications from their client device and open them locally using the Citrix offline plug-in
- Dual mode, which allows users to access offline virtualized applications and online published applications, content and desktops from the same web site

If Dual mode is selected as the published resource type, XenApp attempts to virtualize the application to the client device first. If it is unable to virtualize the application to the client device, the published resource is accessed from the server.
XenApp Services Site Configuration

A XenApp Services site is used to deliver applications and resources to users through the Start menu, the Windows desktop or the Citrix online plug-in icon displayed in the Windows notification area on the client device. The administrator can perform an initial configuration of the XenApp Services site using the Create Site option in the Web Interface Management console, which creates the CONFIG.XML configuration file in the \INETPUB\WWWROOT\CITRIX\PNAGENT\CONF\ directory on the Web Interface web server. During the configuration of a XenApp Services site, the administrator must specify:
- The farm name, XML servers, XML service port and transport type to use for the site
- The published resource types to be provided by the site (for more information, see the Published Resource Types topic in this module)
CONFIG.XML File
An administrator can also configure a XenApp Web or XenApp Services site by editing the following parameters in the CONFIG.XML file:
- FolderDisplay, which specifies the location of published resource icons
- DesktopIntegration, which specifies whether or not shortcuts are added to the Start menu, Windows desktop or system tray
- ConfigurationFile, which facilitates moving published resource requests to a different server running the Web Interface
- Request, which specifies where the plug-in should request published application data from and how often to refresh the information
- Failover, which specifies a maximum of five backup server URLs to contact if the primary URL is unavailable
- Logon, which specifies the logon method to use
- UserInterface, which specifies whether to hide or display certain groups of options to the user as part of the online plug-in
- ReconnectOptions, which specifies whether or not workspace control functionality is available to users
- FileCleanup, which specifies whether or not shortcuts are deleted when a user logs off of the online plug-in
- ICA_Options, which specifies the display and sound options for the connections
- AppAccess, which specifies the types of applications available to users
An administrator can directly modify the Web Interface site parameters and settings by editing the \INETPUB\WWWROOT\CITRIX\XENAPP\CONF\WEBINTERFACE.CONF file on the local web server with a text editor. The Web Interface uses a .NET Watcher feature that recognizes and automatically re-loads any changes made to the configuration file. The server running the Web Interface does not need to be restarted in order for changes to take effect.
Administrators can use the Web Interface Management console to perform daily Web Interface administration tasks quickly and easily. The right pane of the console contains the actions that can be used to edit the settings of the selected Web Interface site. New administrators and administrators with limited experience modifying the WEBINTERFACE.CONF file parameters should use the Web Interface Management console to configure the Web Interface.
An administrator can specify URLs of backup servers to contact if the online plug-in cannot access the primary XenApp Services web site. A maximum of five backup URLs can be configured for each site. An administrator can use the Server Settings option in the Web Interface Management console to specify backup URLs for a XenApp Services site.
Site Appearance
Overall site appearance, layout, branding, application windows and the welcome area of a XenApp Web site are options that the administrator can configure through the Web Interface Management console to meet the needs of an organization. The Web Interface features a breadcrumb trail for navigation through the list of applications. The navigation bar allows users to access different screens within the Web Interface with well-defined labels to enhance the user experience. Users can add /m or /mobile to the end of the Web Interface URL to access available mobile pages on the site. The mobile pages also feature breadcrumb navigation, user-selectable views, a navigation bar, tabbed view and an application or resource search.
An administrator can use the Web Site Appearance option in the Web Interface Management console to customize the appearance of a XenApp Web site. The following list describes the options available for customizing the appearance of a XenApp Web site, including the pre-logon, logon, applications and messages screens for the site.

Layout: Allows an administrator to specify:
- The overall screen layout
- Display settings
- Whether or not users will be allowed to customize the layout of the site
- The number of application tabs that are displayed in the site

Appearance: Allows an administrator to specify:
- The view mode for the logon screen. Minimal mode is the default view; it removes the header, the ability to read messages and the ability to change user preferences. Full mode provides users with full functionality, including the ability to read messages and change preferences before logon.
- The color used for the background, text and overall branding
- The header image, background image or color
- The navigation bar background image or color
- The content area background image or color

Content: Allows an administrator to specify:
- The default language and additional languages for the local area. Standard language code allows an administrator to select standard languages from a list. User-defined language code allows custom language strings and requires the administrator to type the appropriate language code. XenApp Web sites change language settings based on the language settings of the browser.
- Custom text for the welcome message, footer, pre-logon message, logon screen text, application screen text, message screen text and footer text on all screens
Practice: Site Customization

1. Change the standard language of the site to Spanish for users in Mexico.
2. Add the "Welcome to the Marketing Department" welcome message to the site.
3. Allow users to customize the screen layout on the client device.
4. Add the company logo.
Session Preferences
An administrator can configure the following session preferences for a XenApp Web site:
- Whether kiosk mode is enabled or disabled
- Whether the Preferences button in the Web Interface site is displayed to users
- The length of time a user session can be inactive before the session is logged off
- Whether browser bookmarks can be used to access resources
- Whether bandwidth control is enabled and users can configure settings to optimize the performance of their remote sessions
- Whether font smoothing can be used and users can control the window size in their remote sessions
- Whether users can customize local resource mappings such as key combinations, PDA settings and special folder redirection
- Whether or not the XenApp Web site should override the user device name
An administrator can use the Session Preferences option in the Web Interface Management console to configure the session preferences for a XenApp Web site. Session preferences are not available for XenApp Services sites.
Session Options
An administrator can configure the following session options for a XenApp Services site:
- The window size
- Whether font smoothing is allowed
- The color quality and sound quality allowed
- Where key combinations can be used
- Whether special folder redirection is provided and whether users are allowed to customize it
- How workspace control is configured for the site (for more information about workspace control, see the Workspace Control topic later in this module)
An administrator can use the Change Session Options menu in the Web Interface Management console to configure the session options for a XenApp Services site. Session options are not available for XenApp Web sites.
User Options
When connected to a XenApp Web site, users can select the view used to display their applications and resources in the site. The Select view drop-down list in the right corner of the Applications tab allows the user to select from the following views:
- Icons
- Details
- List
- Tree
- Groups
Users are also provided with:
- Hints that appear at the bottom of the Applications tab. These hints appear below the applications in the Applications tab and contain helpful information about using the site more efficiently.
- A low-end graphics mode for users with a hand-held device or bandwidth-challenged connections. This option appears below the Applications tab when it is available for use.
- Inline help to explain possible problem areas. This information is displayed above the Applications tab.
- A search capability to assist in finding applications and resources. The Search field appears in the upper-right corner of the screen and the search results are displayed in the Search Results tab to the right of the Applications tab.
Workspace Control
The workspace control feature allows users to disconnect and reconnect to sessions as they move between different client devices. For example, in a health care environment, as doctors move around the hospital, they may require access to the same sessions from different locations. Using workspace control, the doctors are able to quickly reconnect to application sessions.

The following requirements must be met to use workspace control:
- XenApp must be installed and configured.
- The Web Interface must be installed.
- At least one Web Interface site must be configured.

Workspace control works with both XenApp Web and XenApp Services sites but cannot be used with Remote Desktop Connection software.

Workspace Control Example

Dr. Jones has an active PowerPoint session open on Device #1. When Dr. Jones starts his rounds, he leaves Device #1 and opens a session in the hospital patient data application on Device #2 to record patient data. Both the PowerPoint and patient data applications are opened on Device #2. When he finishes, he clicks the Disconnect button and continues his rounds in another location in the hospital. Next, Dr. Jones logs on to Device #3 and decides to reconnect to both his active and disconnected sessions. The doctor's PowerPoint session on Device #1 is automatically disconnected by the Web Interface and reconnected on Device #3. The disconnected session on Device #2 is reconnected on Device #3. In addition to the applications, workspace control can automatically provide the printers for the sessions based on the client device and policy settings.
- Requires that the Web Interface site be set to override the client name setting in the Manage Session Preferences task (default setting)

Workspace control functions are disabled if no trust relationship exists between the Web Interface server and the XenApp servers and pass-through or smart card authentication methods are used. For more information about this trust relationship, see the Citrix XML Service Trust Relationships topic later in this module.

Automatically reconnect to sessions when users log in: Sets the automatic reconnection of sessions to:
- Reconnect to all sessions, which allows users to automatically reconnect both disconnected and active sessions
- Reconnect only to disconnected sessions, which allows users to automatically reconnect to disconnected sessions
- Allow user to customize, which allows users to change this setting

Enable the Reconnect button: Sets the automatic reconnection of sessions after the user logs on and clicks the Reconnect button to:
- Reconnect to all sessions, which allows users to automatically reconnect both disconnected and active sessions
- Reconnect only to disconnected sessions, which allows users to automatically reconnect to disconnected sessions
- Allow users to customize, which allows users to change this setting

Logoff: Sets the behavior of the logoff activity to:
- Log off active sessions when users log off from the site, which automatically logs off the session when the user logs off the site
- Allow users to customize, which allows users to change this setting

The Logoff options are only available for XenApp Web sites.
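The reconnection and logoff options above, together with the Dr. Jones scenario in the Workspace Control introduction, modelled as an added Python example (not Citrix code): sessions are plain records, and the mode names and the helper functions are this model's own.

```python
from dataclasses import dataclass

# Reconnect modes, named after the options in the table (the string values are the model's own).
RECONNECT_ALL = "all"                      # Reconnect to all sessions
RECONNECT_DISCONNECTED = "disconnected"    # Reconnect only to disconnected sessions
RECONNECT_NONE = "none"                    # no automatic reconnection


@dataclass
class Session:
    app: str
    device: str      # device the session is currently attached to
    state: str       # "active" or "disconnected"


def disconnect_device(sessions, device):
    """The user clicks Disconnect on a device: its active sessions keep running but are detached."""
    for s in sessions:
        if s.device == device and s.state == "active":
            s.state = "disconnected"


def reconnect_on_logon(sessions, device, mode):
    """Apply the site's reconnect rule when the user logs on (or clicks Reconnect) at `device`.

    Returns the sorted names of the applications that are active on `device` afterwards.
    """
    for s in sessions:
        if mode == RECONNECT_NONE:
            break
        if s.state == "disconnected":
            # both reconnect modes pick up disconnected sessions
            s.device, s.state = device, "active"
        elif mode == RECONNECT_ALL and s.device != device:
            # an active session on another device is disconnected there by the
            # Web Interface and reconnected on the device the user is now using
            s.device = device
    return sorted(s.app for s in sessions if s.device == device and s.state == "active")


def logoff_site(sessions, device, log_off_active_sessions):
    """Logoff rule for XenApp Web sites: optionally end this device's active sessions.

    Returns the sessions that remain; ended sessions are dropped.
    """
    if not log_off_active_sessions:
        return sessions
    return [s for s in sessions if not (s.device == device and s.state == "active")]


def doctor_scenario(mode):
    """Constructed walk-through of the Dr. Jones example for one reconnect mode."""
    sessions = [Session("PowerPoint", "Device #1", "active")]
    # Dr. Jones moves to Device #2 and opens the patient data application there
    sessions.append(Session("Patient data", "Device #2", "active"))
    on_device2 = reconnect_on_logon(sessions, "Device #2", mode)
    # He clicks Disconnect on Device #2 and continues his rounds
    disconnect_device(sessions, "Device #2")
    # Later he logs on at Device #3
    on_device3 = reconnect_on_logon(sessions, "Device #3", mode)
    return on_device2, on_device3, {s.app: (s.device, s.state) for s in sessions}
```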
If an organization has a strict no-disconnected-sessions policy for the farm, an administrator should disable workspace control.
After an administrator configures a XenApp Web site to allow user customizations for the workspace control settings, the Logon options become available in the Preferences tab of the Web Interface site. The Logon options allow a user to change the workspace control settings.
An administrator can use the Workspace Control option in the Web Interface Management console to configure workspace control settings for a XenApp Web site.
An administrator can use the Change Session Options menu in the Web Interface Management console to configure the workspace control settings for a XenApp Services site.
... clients, the client detection and deployment process checks whether the Remote Desktop Connection software is available and helps users to enable the Remote Desktop ActiveX Control, if necessary.
Client Detection
The Client Detection option can be configured to check client devices during the logon to the XenApp Web site to determine whether an appropriate plug-in is installed. If a plug-in is not detected or a more appropriate plug-in is available, an installation caption can be displayed on the Web Interface screen. The installation caption provides an easy method for users to download and install the required plug-in software. A display notification message can be configured to display:
- Whenever a plug-in is needed or an upgraded plug-in is available
- Only if resources cannot be accessed
- Never
An administrator can use the Client Deployment option in the Web Interface Management console to configure the client detection settings for a XenApp Web site.
Fallback Behavior
An administrator can specify which client (plug-in) will be deployed when the native plug-in software is not detected on the client device. An administrator can choose from the following options:
- Deploy a native client, which downloads and deploys the appropriate native plug-in software. This is the default setting.
- Deploy a native client and allow the user to choose between this and the Client for Java, which offers users without a native plug-in the Client for Java and only prompts them to download and deploy a native plug-in if they cannot use the Client for Java.
- Automatically fall back to the Client for Java, which prompts users without a native plug-in to download and deploy the Client for Java.
The Citrix offline plug-in is required on a user's client device in order for an application to be able to stream to the client, even if the user is online. The offline plug-in communicates with the server farm through a URL. An administrator can choose from the following offline plug-in configuration options:
- Automatically detect session URL (this is the default setting)
- Specify session URL
In instances in which both HTTP and HTTPS are used to access the site or the domain of the web server cannot be resolved, an administrator may need to specify the URL for use by the offline plug-in in the following format: http://servername:port/Citrix/XenApp/rade.aspx
Package (continued from the previous page):
- Local text echo
- SSL/TLS Encryption
- Client drive mapping
- Printer mapping
- Configuration UI

Allow user to select packages: Allows users to control which components are required
An administrator can use the Client Deployment option in the Web Interface Management console to configure the Client for Java settings for a XenApp Web site.
Authentication Configuration
Authentication to a Web Interface site takes place when a user logs on using the Web Interface logon page or a Citrix online plug-in. The Web Interface passes the user's credentials to XenApp, which passes the credentials to the appropriate authentication authority. If authentication is successful, the Web Interface displays the application set for the user. Users can only log on using the authentication methods made available by the administrator. If two authentication methods are made available for the site and one method fails, the user can attempt to log on using the other authentication method. Web Interface sites can also be configured to use anonymous logon. Anonymous logon allows users to access the site without supplying a user name or password. Anonymous logon should not be widely used because security can be compromised.
Authentication Options
The following list identifies the authentication options that are available for XenApp Web and XenApp Services sites.

Explicit: Authentication to the site requires users to supply a user name and password. User Principal Names (UPN), Microsoft domain-based authentication and Novell Directory Service (NDS) are available for both XenApp Web and XenApp Services sites. In addition, RSA SecurID, RADIUS and Secure Computing SafeWord authentication are available for XenApp Web sites.

Pass-through: Authentication to the site occurs using the credentials that users provided when they logged on to their Windows desktop. The users do not need to re-enter credentials to log on to the site, and their application set is displayed automatically. Additionally, Kerberos authentication can be used to connect to servers. If Kerberos authentication is specified and Kerberos fails, pass-through authentication will also fail, and users will not be able to authenticate.

Pass-through with smart card: This option is only available for use with the Citrix online plug-in and requires configuration of smart cards in the environment. Authentication to Windows is accomplished by inserting a smart card into a smart card reader attached to the client device and specifying the PIN. After the initial logon to Windows, authentication to the site is accomplished using the smart card and the cached PIN information. If a XenApp Services site is also configured to use Kerberos authentication, it can be used to connect to the site. If the Kerberos authentication fails, the pass-through authentication of the cached PIN will also fail. Kerberos Delegated Authentication or Kerberos Ticketing simplifies user authentication by eliminating the need for client-side configuration to enable pass-through authentication. Kerberos Ticketing also reduces logon points and ensures the integrity of the logon chain for increased security.

Smart card: Authentication to the site is accomplished by inserting a smart card into a smart card reader attached to the client device. The user is prompted for a PIN. Smart cards must be configured in the environment to select this option.

Anonymous: Anonymous logon allows users to access the site without supplying a user name or password. Anonymous logon should not be widely used, especially if Secure Gateway or Access Gateway is being used, because security can be compromised.
Explicit Authentication
When explicit authentication is implemented, users authenticate by specifying a user name, password and domain. An administrator must take into account the following considerations when enabling explicit authentication for a Web Interface site:
- Whether or not domain restrictions will be specified
- Which authentication type will be used for explicit authentication. Valid authentication types include Microsoft Windows domain-based authentication, NIS (UNIX) authentication and Novell Directory Services authentication.
- Whether or not two-factor authentication will be implemented
- What the password change and expiry notification settings will be
- Whether or not users will be allowed to reset their passwords for the Web Interface site using Citrix Single sign-on
An administrator can use the domain list field in the web site properties to specify the domains that are authorized to access a XenApp Web or XenApp Services site.
An administrator can configure a Web Interface site to use Windows or NIS (UNIX) authentication with one of the following credential formats for user logons:

Domain user name and UPN: When this credential format is selected, the administrator can specify:
- Whether or not the Domain field in the Logon page is automatically displayed so users can type the domain name into the field
- Whether or not the Domain field is pre-populated with a list of domains from which users can choose
- Which domains are authorized to access the Web Interface site. These domains appear in the Domain field in the Logon page. The domain order can also be specified by an administrator.
- Whether or not all UPN suffixes are permitted. By default, all UPN suffixes are permitted.
- The UPN suffixes that will be accepted and the suffix order

Domain user name only: When this credential format is selected, the administrator can specify:
- Whether or not the Domain field in the Logon page is automatically displayed so users can type the domain name into the field
- Whether or not the Domain field is pre-populated with a list of domains from which users can choose
- Which domains are authorized to access the Web Interface site. These domains appear in the Domain field in the Logon page. The domain order can also be specified by an administrator.

UPN only: When this credential format is selected, the administrator can specify:
- Whether or not all UPN suffixes are permitted. By default, all UPN suffixes are permitted.
- The UPN suffixes that will be accepted and the suffix order

A User Principal Name (UPN) is a unique name in Windows Active Directory given to each user. Users are identified by the UPN, which consists of a principal name and a domain name or domain alias that identifies the user. The UPN has an email address format, for example: JohnSmith@company.com
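The three credential formats and their domain and UPN suffix restrictions, as an added Python model (not Citrix code) of the check a logon page performs before the credentials are handed to XenApp; the format names, the policy class and the account-name pattern are this model's own assumptions.

```python
import re
from dataclasses import dataclass

# Credential formats from the list above; the string values are this model's own names.
DOMAIN_AND_UPN = "domain_and_upn"
DOMAIN_ONLY = "domain_only"
UPN_ONLY = "upn_only"


@dataclass(frozen=True)
class ExplicitLogonPolicy:
    credential_format: str
    allowed_domains: tuple = ()        # domain restriction list; empty means no restriction
    allow_all_upn_suffixes: bool = True
    allowed_upn_suffixes: tuple = ()   # consulted only when allow_all_upn_suffixes is False


# Constructed shapes: a bare account name and a UPN (principal@suffix).
ACCOUNT_RE = re.compile(r"^[^\\/@\s]{1,64}$")
UPN_RE = re.compile(r"^([^@\s]+)@([A-Za-z0-9.-]+)$")


def parse_credential(user_field, domain_field=""):
    """Classify what was typed as ("upn", principal, suffix) or ("domain", account, domain).

    Accepts user@suffix, DOMAIN\\user, or user plus a separate Domain field.
    Raises ValueError for anything ambiguous or incomplete.
    """
    user_field, domain_field = user_field.strip(), domain_field.strip()
    upn = UPN_RE.match(user_field)
    if upn:
        if domain_field:
            raise ValueError("a UPN cannot be combined with a Domain field value")
        return "upn", upn.group(1), upn.group(2).lower()
    if "\\" in user_field:
        domain, _, account = user_field.partition("\\")
        if domain_field and domain_field.lower() != domain.lower():
            raise ValueError("Domain field conflicts with the DOMAIN\\user value")
    else:
        domain, account = domain_field, user_field
    if not domain or not ACCOUNT_RE.match(account):
        raise ValueError("both a domain and an account name are required")
    return "domain", account, domain.lower()


def check_explicit_logon(policy, user_field, domain_field=""):
    """Decide whether the typed credentials may be passed on to XenApp for authentication.

    Returns (accepted, reason). This is only the site-side format and domain check;
    the password itself is verified by the authentication authority behind XenApp.
    """
    try:
        kind, name, realm = parse_credential(user_field, domain_field)
    except ValueError as exc:
        return False, str(exc)
    if kind == "upn":
        if policy.credential_format == DOMAIN_ONLY:
            return False, "UPN logon is not enabled for this site"
        permitted = {s.lower() for s in policy.allowed_upn_suffixes}
        if not policy.allow_all_upn_suffixes and realm not in permitted:
            return False, f"UPN suffix {realm} is not permitted"
        return True, f"UPN {name}@{realm} accepted"
    if policy.credential_format == UPN_ONLY:
        return False, "domain logon is not enabled for this site"
    authorized = {d.lower() for d in policy.allowed_domains}
    if authorized and realm not in authorized:
        return False, f"domain {realm} is not authorized for this site"
    return True, f"{realm}\\{name} accepted"
```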
An administrator can configure a Web Interface site to use the Novell Directory Services authentication type for the explicit logon. When Novell Directory Services is selected, an administrator must specify the tree name and context restrictions, if applicable. More than one context name can be supplied. The order in which the names are specified determines the sequential search order.
... providing domain credentials, users must also provide their RSA SecurID passcode during logon. Prior to enabling RSA SecurID authentication, the RSA ACE/Agent for Windows version 6 or later must be installed, followed by the installation of the Web Interface.

SafeWord: This two-factor authentication method uses alpha-numeric codes generated by a SafeWord token to create a passcode. In addition to providing domain credentials, users must also provide their SafeWord passcode during logon. Prior to enabling SafeWord authentication, the SafeWord Web Agent must be installed on the web server after the Web Interface has been installed.

RADIUS: This authentication method uses the Remote Authentication Dial-in User Service (RADIUS) authentication protocol, as opposed to proprietary agent software. Both SafeWord and RSA SecurID can be installed and configured to be presented as a RADIUS server. For Web Interface for Java Application Servers, RADIUS authentication is the only two-factor authentication option available.
When explicit authentication is enabled, an administrator can configure the password settings for a Web Interface site that determine:
- Whether or not users are permitted to change their logon passwords
- When users are permitted to change their logon passwords
- Whether or not a message is sent to users when their password is about to expire and how frequently the message is sent
Account Self-Service allows users to reset their network passwords and unlock their account by answering a series of simple security questions. An administrator can configure the Account Self-Service settings for a Web Interface site when:
- Citrix Single sign-on is installed in the environment (Platinum Edition only).
- The site is configured to use explicit authentication.
- The site is configured to allow users direct access. Account Self-Service is not available for sites accessed using Access Gateway with Advanced Access Control.
- The site is configured to use only one Single sign-on service.
- The site is configured to allow users to change their password when password reset functionality is enabled.
An administrator can use the Authentication Methods option in the Web Interface Management console to configure explicit authentication for a XenApp Web or XenApp Services site.
Pass-through Authentication
Pass-through authentication allows users to authenticate to a Web Interface site using the credentials provided during logon to the client device. Users do not need to re-enter their credentials in the Web Interface logon page; their application set is automatically displayed. The following requirements must be met prior to enabling pass-through authentication:
- All servers and client devices must be part of the same domain, trusted domain or federated trust.
- Client devices must run Internet Explorer 6.0 or later.

Pass-through authentication should only be enabled in environments that are secure or trusted, to prevent user credentials from being misrouted to an unauthorized or counterfeit server.
An administrator can use the Authentication Methods option in the Web Interface Management console to configure XenApp Web and XenApp Services sites to use pass-through or pass-through with smart card authentication. The ICACLIENT.ADM administrative template must also be configured to enable pass-through authentication. XenApp Services sites can also be configured to use Kerberos in conjunction with pass-through authentication. After the Web Interface site is configured for authentication, the administrator must enable authentication for the plug-ins. An administrator can use the Group Policy Management Console and the ICACLIENT.ADM file to configure plug-ins to use pass-through or pass-through with smart card authentication by configuring the Local user name and password setting. For more information about using the ICACLIENT.ADM file to configure plug-ins, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.
The following requirements must be met prior to enabling smart card authentication:
- The web server must have Secure Sockets Layer (SSL) enabled and a valid server certificate.
- The Windows Smart Card service must be enabled.
- Client devices must run Internet Explorer 5.5 or later and a Windows-based plug-in (version 6.30 or later).
- The ICACLIENT.ADM administrative template must be configured.
- The environment must have a cryptographic service provider.

Smart card authentication is not available on UNIX platforms.
After the Web Interface site is configured for authentication, the administrator must enable authentication for the plug-ins. An administrator can use the Group Policy Management Console and the ICACLIENT.ADM file to configure plug-ins to use pass-through or pass-through with smart card authentication by configuring the Local user name and password setting. For more information about using the ICACLIENT.ADM file to configure plug-ins, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.
An administrator can use the Trust XML requests policy in the Group Policy Management Console to configure a XenApp server to trust the requests sent to the Citrix XML Service from the Web Interface. Trust relationships must be enabled on the XenApp servers that are running the Citrix XML Service and are directly contacted by the Web Interface. Typically, a server designated as the data collector for the zone would be the server running the Citrix XML Service. An administrator can view the list of the servers running the Citrix XML Service that are contacted by the Web Interface site by selecting Server Farms in the Web Interface Management console. To avoid security risks when setting up trust relationships, IPSec, firewalls or any other technology that ensures that only trusted services communicate with the Citrix XML Service should be used.
4. An administrator can select __________, NDS or NIS authentication for explicit logon to a Web Interface site.
5. When Novell Directory Services is selected for explicit authentication, a __________ name and context name must be specified.
6. Both _________ and __________ two-factor authentication methods use a token and a PIN number to create a passcode.
7. When Single sign-on is integrated with the Web Interface, the __________ feature can be enabled to allow users to reset their network password.
Access Methods
An administrator must configure the appropriate access method in order for users to access resources through the Web Interface. An administrator can choose from the following access methods if the connection will not be directed through Secure Gateway or Access Gateway:

Direct access: Direct access is typically configured in situations in which internal users connect from trusted environments, such as corporate intranets, and there is no need for address translation or for keeping the address of the XenApp server private. Direct is the default access method and requires no configuration.

Alternate access: Alternate access is configured in situations in which the IP address of the server running XenApp must be kept private from users. A second IP address is required. An administrator must configure XenApp to use an alternate address by using the ALTADDR command on each target XenApp server. Selecting alternate access signifies that the address translation takes place on the XenApp server.

Translated access: Translated access is configured in situations in which the IP address of the server running XenApp must be kept private from users, and multiple servers in the farm are used to provide application access. With translated access, the firewall is configured to perform the address translation. Translated access is more commonly selected than direct or alternate. However, when selecting translated access, the configuration must be done in accordance with firewall rules. If firewall rules change, the translated addresses must be maintained. After selecting translated access, administrators should configure the server address translation map. Administrators should also configure the firewall for Network or Port Address Translation.
If users will access resources in the farm through a Secure Gateway or Access Gateway connection, the Gateway direct, Gateway alternate or Gateway translated access method should be configured for those connections. For more information about these access methods, refer to the Security module in this course.

Secure Access Methods Example
An administrator can configure a XenApp Web site to support external users with alternate addressing and still allow users on the internal subnet to use normal addressing. When configuring address translation, the XenApp Web site must be configured to define mappings from internal server IP addresses to external IP addresses and ports. These mappings allow users to open applications if the address and port of the server are translated at the internal firewall.
An administrator should deploy the servers running the Web Interface inside the internal firewall. By default, the Direct access method is used to connect all users to a Web Interface site. An administrator can configure exceptions to the Default access method by providing a specific IP address and subnet mask to ensure that when the user connects from a client device with a matching subnet address the connection is made using the associated access method. If a firewall is used with XenApp, an administrator can configure the Web Interface site to include the appropriate IP address in the client files. It is important to configure addressing correctly for the Web Interface site so that internal IP addresses are not exposed externally. Exposing internal IP addresses provides a security weakness that can be avoided by implementing alternate addressing or translated addressing with or without Secure Gateway or Citrix Access Gateway.
An administrator can select the following access types when mapping between an internal address and an external address:
- User device route translation, in which the plug-in uses the translated address to connect to the server.
- The Secure Gateway server or Citrix Access Gateway uses the translated address to connect to the server.
- Both the plug-in and the Secure Gateway server or Citrix Access Gateway use the translated address to connect to the server.
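The default access method with per-subnet exceptions, the server address translation map and the three access types, as an added Python model (not Citrix code) of how a XenApp Web site would pick the address to hand to a client. The class and function names, the "most specific exception wins" rule and the refusal to fall back to an unmapped internal address are this model's own assumptions; the addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

DIRECT, ALTERNATE, TRANSLATED = "direct", "alternate", "translated"


@dataclass(frozen=True)
class TranslationEntry:
    """One row of the server address translation map (internal -> external)."""
    internal_address: str
    internal_port: int
    external_address: str
    external_port: int
    access_type: str   # "client", "gateway" or "both": who uses the translated address


class AccessMethodPolicy:
    """Default access method plus exceptions keyed by client IP address and subnet mask."""

    def __init__(self, default_method=DIRECT):
        self.default_method = default_method
        self.exceptions = []        # (ip_network, method)
        self.translation_map = {}   # (internal_address, internal_port) -> TranslationEntry

    def add_exception(self, address, mask, method):
        # Exceptions are entered as an IP address and a subnet mask, as in the console.
        net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
        self.exceptions.append((net, method))

    def add_translation(self, entry):
        self.translation_map[(entry.internal_address, entry.internal_port)] = entry

    def method_for_client(self, client_ip):
        """The most specific matching exception wins (assumption); else the default method."""
        ip = ipaddress.ip_address(client_ip)
        matches = [(net, method) for net, method in self.exceptions if ip in net]
        if not matches:
            return self.default_method
        return max(matches, key=lambda item: item[0].prefixlen)[1]

    def resolve(self, client_ip, internal_address, internal_port, via_gateway=False):
        """Address and port to place in the client's connection details.

        Returns (method, address, port). For alternate access the address is None:
        the XenApp server itself supplies the address configured with ALTADDR.
        """
        method = self.method_for_client(client_ip)
        if method == DIRECT:
            return method, internal_address, internal_port
        if method == ALTERNATE:
            return method, None, None
        entry = self.translation_map.get((internal_address, internal_port))
        if entry is None:
            # Refuse rather than fall back to the internal address for an external client.
            raise LookupError(f"no translation for {internal_address}:{internal_port}")
        party = "gateway" if via_gateway else "client"
        if entry.access_type in (party, "both"):
            return method, entry.external_address, entry.external_port
        return method, internal_address, internal_port


def unmapped_servers(policy, servers):
    """Servers (address, port) that have no row in the translation map."""
    return [s for s in servers if s not in policy.translation_map]
```

`unmapped_servers` is the pre-deployment check for the point made above: any server missing from the map is one whose internal address would otherwise have to be sent to an external client.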
An administrator can choose from the following client-side proxy settings:

Users browser setting: The plug-in auto-detects the proxy based on the configuration of the client device web browser. Auto proxy detection is typically used in organizations with multiple proxy servers. The details of the proxy server are determined when the plug-in communicates with the local web browser. This is the most common setting.

Web Proxy Auto Detect: The plug-in auto-detects the web proxy using the Web Proxy Auto Discovery protocol.

Client defined: The proxy setting of the plug-in is used by the Web Interface site. This option requires the proxy settings to be configured on the client device.

No proxy is used.

The proxy server is explicitly mapped and the administrator must provide a proxy server address (IP address or DNS) and a proxy port.
An administrator can use the Client Side Proxy option in the Web Interface Management console to configure the client-side proxy settings for a Web Interface site.
Server Configuration
An administrator can configure XenApp Web and XenApp Services sites to communicate with one or more farms. An administrator can add and edit farm names, specify the order in which the farms are used for load balancing, and configure communication settings and ticketing settings. Enabling multiple farms through the Web Interface is particularly useful during migration to a new farm: delivery of resources from multiple farms is seamless and transparent to users.
The Manage Server Farms screen identifies the farms that communicate with the site. When specifying a farm, the administrator can:
Add a new farm entry
Edit an existing farm entry
After a farm has been specified, an administrator can configure the settings for each farm individually.
A Web Interface site acquires application data from all farms before displaying applications. Each farm is contacted in the order that it appears in the Farms field. As a result, a farm that is slow to respond impacts overall responsiveness when obtaining application sets because of the sequential nature of this process. The impact on the response time is compounded as more farms are specified.
Adding Farms
An administrator can use the Server Farms option in the Web Interface Management console to add farms that will provide published resources to the Web Interface site. If a secure connection (SSL Relay or HTTPS) is planned between the Web Interface and the servers in the farm, the server name must be specified as an FQDN and must match the name on the certificate exactly. The order in which the servers are specified is important for fault tolerance.
An administrator can use the Server Farm option in the Web Interface Management console to specify multiple servers to be used to service XML requests for the farm. When multiple servers are specified for a farm and the Use the server list for load balancing option is enabled, the Web Interface site sends Citrix XML Service requests to the listed servers in a round-robin sequence. If a listed server cannot be contacted, it is removed from the list for one hour by default or for another period or interval as specified by the administrator. This load balancing feature has no impact on load balancing connections to the servers in the farm. All servers specified for a farm must be running the Citrix XML Service and use the same port for that service.
An administrator can use the Server Farm option in the Web Interface Management console to enable fault tolerance among servers running the Citrix XML Service for each farm defined for the Web Interface site. If an error occurs while communicating with a XenApp server, the failed server is bypassed for a specified time, and communication continues with the remaining servers that are listed in the Servers (in failover order) field. By default, a failed server is bypassed for one hour; however, this value can be modified by an administrator. If a server running the Citrix XML Service fails, the Web Interface site will not attempt to communicate with the failed server until the time specified in the "Bypass any failed server for field" has elapsed. If all servers in the list fail to respond, the Web Interface site retries the servers every 10 seconds.
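The server-list behaviour described in the two paragraphs above, as an added Python example (not Citrix code): round-robin over the listed Citrix XML Service servers, a bypass of one hour for a server that fails, and a retry of the whole list every 10 seconds once every server is bypassed. The XmlServiceList class, the injected probe callback and the manual clock are assumptions made so the logic runs offline.

```python
"""Model of the Web Interface farm server list: round-robin Citrix XML Service
requests, bypass of failed servers, and periodic retry when every server is out.

Added illustration, not Citrix code. The intervals come from the text (a failed
server is bypassed for one hour by default; when all servers fail, the site
retries them every 10 seconds). The class, the probe callback and the
injectable clock are assumptions made for this example.
"""
import time
from typing import Callable, Dict, List, Optional, Tuple


class ManualClock:
    """Injectable clock so bypass intervals can be advanced without waiting."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


class XmlServiceList:
    def __init__(self, servers: List[str], port: int = 80, load_balance: bool = True,
                 bypass_seconds: int = 3600, all_failed_retry_seconds: int = 10,
                 clock: Callable[[], float] = time.time):
        if not servers:
            raise ValueError("at least one Citrix XML Service server is required")
        self.servers = list(servers)      # configured failover order
        self.port = port                  # every server must use this same XML port
        self.load_balance = load_balance  # "Use the server list for load balancing"
        self.bypass_seconds = bypass_seconds
        self.all_failed_retry_seconds = all_failed_retry_seconds
        self.clock = clock
        self.bypassed_until: Dict[str, float] = {}
        self._rr = 0                      # round-robin position
        self._last_full_retry: Optional[float] = None

    def available(self) -> List[str]:
        """Servers not currently bypassed, in configured order."""
        now = self.clock()
        return [s for s in self.servers if self.bypassed_until.get(s, 0.0) <= now]

    def candidates(self) -> List[str]:
        """Servers to try, in order, for one request."""
        avail = self.available()
        if avail:
            if not self.load_balance:
                return avail  # strict failover order
            k = self._rr % len(avail)
            self._rr += 1
            return avail[k:] + avail[:k]
        # Everything is bypassed: allow one full retry pass per interval.
        now = self.clock()
        if (self._last_full_retry is None
                or now - self._last_full_retry >= self.all_failed_retry_seconds):
            self._last_full_retry = now
            return list(self.servers)
        return []

    def request(self, probe: Callable[[str, int], object]) -> Tuple[str, object]:
        """Send one request via probe(server, port); bypass servers that fail."""
        for server in self.candidates():
            try:
                result = probe(server, self.port)
            except OSError:
                self.bypassed_until[server] = self.clock() + self.bypass_seconds
                continue
            self.bypassed_until.pop(server, None)  # a recovered server rejoins
            return server, result
        raise RuntimeError("no Citrix XML Service server responded")


if __name__ == "__main__":
    clock = ManualClock(1000.0)
    down = {"xa2"}  # constructed: this server refuses connections

    def probe(server: str, port: int) -> str:
        if server in down:
            raise OSError("connection refused")
        return f"apps-from-{server}:{port}"

    farm = XmlServiceList(["xa1", "xa2", "xa3"], clock=clock)
    for _ in range(4):
        print(farm.request(probe))
    print("bypassed:", farm.bypassed_until)
```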
An administrator must ensure that all servers in the farm have the Citrix XML Service configured to use the same port. An administrator can use the XML service port policy rule in the Group Policy Management Console or the CTXXMLSS command to change the port number for the Citrix XML Service on a server.
HTTPS
SSL Relay
Ticketing provides enhanced authentication security for explicit logons by eliminating user credentials from the client files sent from the web server to the client devices. Each Web Interface ticket has a configurable expiration time which is set to 200 seconds by default. An administrator can use the Server Farms option in the Web Interface Management console to configure the ticket expiration settings for a farm.
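An added Python model (not Citrix code) of what ticketing buys: the client file sent to the device carries an opaque ticket in place of the user's credentials, and the ticket is consumed on use and expires after the 200-second default. The TicketAuthority class, the single-use rule, the in-memory store and the client-file key names are assumptions of this example.

```python
"""Model of Web Interface ticketing for explicit logons.

Added illustration, not Citrix code. The 200-second default lifetime is from
the text; the ticket format, the single-use rule, the in-memory store and the
client-file section and key names are assumptions made for this example. The
clock is injectable so expiry can be exercised offline.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

DEFAULT_TICKET_LIFETIME = 200  # seconds; Web Interface default per the text


class ManualClock:
    """Injectable clock so ticket expiry can be tested without waiting."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


@dataclass(frozen=True)
class Ticket:
    user: str
    domain: str
    farm: str
    expires_at: float


class TicketAuthority:
    """Issues and redeems tickets; credentials never leave the server side."""

    def __init__(self, lifetime: int = DEFAULT_TICKET_LIFETIME,
                 clock: Callable[[], float] = time.time):
        self.lifetime = lifetime
        self.clock = clock
        self._tickets: Dict[str, Ticket] = {}

    def issue(self, user: str, domain: str, farm: str) -> str:
        """Return an opaque, unguessable ticket ID for an authenticated user."""
        ticket_id = secrets.token_urlsafe(32)
        self._tickets[ticket_id] = Ticket(user, domain, farm, self.clock() + self.lifetime)
        return ticket_id

    def redeem(self, ticket_id: str, farm: str) -> Optional[Ticket]:
        """Consume a ticket. Unknown, already-used, expired or wrong-farm
        tickets yield None; a valid one is removed so it cannot be replayed."""
        ticket = self._tickets.pop(ticket_id, None)
        if ticket is None:
            return None
        if self.clock() > ticket.expires_at or ticket.farm != farm:
            return None
        return ticket

    def purge_expired(self) -> int:
        """Drop tickets past their lifetime; returns how many were removed."""
        now = self.clock()
        stale = [tid for tid, t in self._tickets.items() if now > t.expires_at]
        for tid in stale:
            del self._tickets[tid]
        return len(stale)


def build_client_file(ticket_id: str, server: str, app: str) -> str:
    """Render the lines of an ICA-style client file that carries the ticket.
    Section and key names are illustrative, not the real file format."""
    return "\n".join([
        "[ApplicationServers]",
        f"{app}=",
        f"[{app}]",
        f"Address={server}",
        f"InitialProgram=#{app}",
        f"LogonTicket={ticket_id}",
    ])


def client_file_exposes(client_file: str, *credentials: str) -> bool:
    """True if any of the given credential strings appears in the client file."""
    return any(c and c in client_file for c in credentials)


if __name__ == "__main__":
    authority = TicketAuthority()
    tid = authority.issue("alice", "CORP", "farm1")  # constructed sample user
    ica = build_client_file(tid, "xa1.corp.example", "Notepad")
    print(ica)
    print("credentials in file:", client_file_exposes(ica, "CORP\\alice", "S3cret!"))
    print("first redeem:", authority.redeem(tid, "farm1"))
    print("replay:", authority.redeem(tid, "farm1"))
```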
An administrator can use the Site Maintenance option in the Web Interface Management console to uninstall a Web Interface site when it is no longer needed. Uninstalling a site completely removes it from the system. Prior to uninstalling a Web Interface site, any custom files used for the site should be backed up if they will be used to create other Web Interface sites. It is also best practice to back up the CONFIG.XML and WEBINTERFACE.CONF files.
Problem: Pass-through authentication fails after known good credentials are entered from a Windows XP Professional client device.
Resolution: Use the CTX1222207 Knowledge Base article on the www.citrix.com web site to enable NTLMv2 on the client device.
Problem: Pass-through authentication or pass-through with smart card fails with the message "An authentication error has occurred."
Resolution: Use the CTX123836 Knowledge Base article on the www.citrix.com web site to configure the required server roles.
Problem: Server-side ticketing fails in mixed farm environments with XenApp 4 or earlier.
Resolution: Upgrade to a newer version of XenApp or downgrade the version of Web Interface.
Problem: An error occurs while trying to access a published resource in the Web Interface.
Resolution: Use the CTX122613 Knowledge Base article on the www.citrix.com web site to change the address resolution type in the WEBINTERFACE.CONF file.
Review
1. Which authentication method is not recommended in secure environments?
a. Smart card
b. Anonymous
c. Single sign-on
d. Novell Directory Services
2. Which feature allows users to disconnect and reconnect to ICA sessions as they move between client devices?
a. Workspace control
b. Explicit authentication
c. Pass-through authentication
d. Pass-through with smart card authentication
3. Which two types of Web Interface sites can an administrator create? (Choose two.)
a. XenApp Web
b. XenApp Plug-in
c. XenApp Services
d. XenApp Advanced Configuration
4. Which three protocols can be used to transport Web Interface data between the web server and XenApp servers? (Choose three.)
a. HTTP
b. HTTPS
c. IPX/SPX
d. SSL Relay
5. Which statement is true when using network address translation in a Web Interface deployment?
a. The alternate IP address of a XenApp server is included in the client files.
b. The alternate IP address of a Secure Gateway server is included in client files.
c. The ALTADDR command is used to change the IP address of the Web Interface server.
d. The internal IP address of a XenApp server is mapped to the external IP address of the Web Interface server.
6. The Client for Java should be used in which two situations? (Choose two.)
a. A web browser does not exist on the client device.
b. Permanent installation of plug-in software is desired.
c. Permanent installation of plug-in software is not permitted.
d. A Java-compatible web browser exists on the client device.
7. When the Citrix online plug-in is used to access published applications, which statement is correct?
a. A XenApp Web site is required.
b. A XenApp Services site is required.
c. Pass-through authentication cannot be used.
d. A web browser is used to communicate with the Web Interface site.
Module 7
Overview
Publishing resources gives administrators the ability to provide users with access to applications, content and desktops. XenApp offers three complementary options for delivering applications:
Server hosted applications: Server hosted applications are centrally stored on the server and provide the lowest total cost of ownership, the highest level of security and access on any device, even across low bandwidth connections.
Local applications: Local applications use application streaming to deliver the application into an isolated environment on the user's client device to eliminate application conflicts and provide users with a seamless experience even when offline. Application streaming is covered in a separate module.
VM hosted apps: VM hosted apps are delivered from a virtual desktop to provide reduced validation cycles and a faster time to market, even with problem applications.
Administrators manage how resources are delivered to users, the configuration of the applications and the user experience by managing and customizing settings. At the end of this module, you will be able to:
Publish applications, content and server desktops for users.
Identify the components of VM hosted apps.
Identify advanced published resource settings.
Organize published resources for users.
Disable and hide published resources.
Publishing Resources
The administrator can publish resources in two phases using the Publish Application wizard. These two phases are:
Basic
In this phase, the administrator:
Names the resource
Identifies the type of resource to be published
Specifies where the resource is located
Identifies which servers in the farm will host the resource
Identifies the users who will be allowed to access the resource
(Optional) Specifies where to place the shortcut on the client device
When the Basic phase is completed, the administrator has the option to disable the resource temporarily, publish the resource immediately or proceed to the Advanced phase of the resource publishing process.
Advanced
In this phase, the administrator:
Specifies whether published resources can be used with Citrix Access Gateway
Associates file types with the published resource
Specifies the application limits and CPU priority level for the published resource
Specifies options that control audio, encryption and printer initialization on the client device
Configures the appearance of the published resource
The configuration of the properties in the Advanced phase of resource publishing is optional.
The properties available in the Basic and Advanced phases of the resource publishing process change depending on the type of resource being published.
The following describes the resource types that can be published in XenApp.
Server Desktop: Provides users access to a desktop of a XenApp server and the resources available on the server. Published desktops allow users unlimited access to the resources on a server, which can result in configurations and settings being changed, causing server vulnerabilities. Administrators should mitigate this risk by setting strict policies through Active Directory.
Application: Provides users access to applications installed on the XenApp server, streamed to the XenApp server or streamed to client devices. Hosted and streamed applications are both managed from the Delivery Services Console. VM hosted apps are hosted in a separate farm and therefore are managed in a separate console.
Content: Provides users access to data files, such as documents, spreadsheets, media files and other data that users access by means of a published UNC path or URL. The following examples identify the content types that can be published:
HTML web site, for example: http://www.citrix.com
File on a web server, for example: https://www.citrix.com/edu/certification.doc
Directory on an FTP server, for example: ftp://ftp.citrix.com/edu/
File on an FTP server, for example: ftp://ftp.citrix.com/edu/readme.txt
Universal Naming Convention (UNC) file path, for example: \\servername\sharename\filename
UNC directory path, for example: \\servername\sharename
Users can open published content using either:
An associated local application
A published application installed on a XenApp server
A published application streamed to a XenApp server or a client device
Application description: The application description specifies additional information about the published resource, such as the version number or service pack level.
Command line: The command line identifies the location of the application on the server. If the application will be available from multiple servers in the farm, the application should be located in the same location on each server.
Working directory: The working directory identifies where working files created by the application are stored. The working directory is not used to store users' files created with the published application.
Server Assignment
The administrator must also specify which servers in the farm will host the published application or server desktop. The administrator can select a single server, multiple servers or a worker group and add them to the Selected items list. If the application is published to multiple servers, XenApp can load balance the application requests across all assigned servers. If the application is published to only one server, all users who open the application will connect to that server.
ends, no user information is retained. The server does not maintain any information that was configured for the session. When anonymous user access is enabled, administrators cannot provide access to configured users. Anonymous user accounts might be warranted when a resource can be used by anyone and tracking is not necessary. Anonymous user accounts should not be used in a highly secure environment.
The following options are available when publishing an application:
Streams the application to the client device whenever possible; when the application cannot be streamed to the client device, the application is accessed from the server
Streamed-to-client: Streams the application to the client device only
Installed application: Provides access to an application already installed on a server
Streamed-to-server: Streams an application to a server for access by the user
Allow anonymous users: Allows anonymous users to access the published resource
Allow only configured users: Allows specific users and groups to access the published resource
Disable application initially: Disables the application so users cannot access it
Configure advanced application settings now: Configures advanced application settings before publishing the application
VM Hosted Apps
VM hosted apps allows administrators to isolate applications and host them from virtual machines or physical computers, including blade servers, running a Windows desktop operating system. Users access these applications just as they would applications from XenApp servers. VM hosted apps allows administrators to host applications that otherwise must be installed locally or require extensive compatibility testing on XenApp servers. VM hosted apps uses Citrix XenDesktop technology to deliver applications hosted on desktops, but unlike XenDesktop, gives users no direct access to the desktops themselves. To use VM hosted apps, administrators create a VM hosted apps farm and populate it with desktop groups configured with applications they want to deliver. Then, users access those applications using the Web Interface. Although VM hosted apps cannot share a farm with XenApp servers, a VM hosted apps farm can share a Web Interface site with XenApp server farms. Applications from both types of farms appear the same to users.
VM hosted apps require the following components:
Desktop Delivery Controller: The Desktop Delivery Controller authenticates users, manages the assembly of user virtual desktop environments and brokers connections between users and their virtual desktops. It controls the state of the desktops, starting and stopping them based on demand and administrative configuration.
Management Consoles: VM hosted apps includes two management consoles, which are installed on the Desktop Delivery Controller: the VM Hosted Apps Console and the Delivery Services Console. Administrators use the Delivery Services Console to create, update and manage desktop groups in VM hosted apps farms. This is a separate Delivery Services Console from the one used to manage the XenApp server farm.
Virtual Desktop Agent: This agent communicates with the Desktop Delivery Controller and the Citrix Receiver on the client device. The Virtual Desktop Agent must be installed on each virtual machine that will host an application.
Application Set
An application set contains the permitted user resources that are published in the server farm. The process of publishing a resource automatically adds the resource to the application set for the server farm. The published resources within an application set are available to users through plug-ins. An administrator can organize the published resources in an application set by placing the published resources in folders during the resource publishing process or afterwards by editing the properties of the published resource.
Folders
By default, all resources are published to the root folder of the application set. An administrator can organize the published resources into folders. This can be useful in helping users quickly locate the applications they need. For example, Microsoft Word, Excel and PowerPoint are published in a server farm along with many other applications. An administrator can place the Microsoft applications into a folder called Microsoft Office to make it easier for users to locate their published resources.
Application Icon
An application icon identifies the published resource. An administrator can change the icon using the Change Icon button during the resource publishing process or afterwards by editing the properties of the published resource. An administrator may decide to change an icon to enhance a user's ability to visually differentiate between published resources. For example, published content typically uses the icon associated with the application that is used to open the content. If several published content resources use the same application, an administrator might decide to change the icons to make it easier for users to differentiate between the resources.
Users can access published resources by authenticating through the online plug-in. Some plug-ins allow shortcuts to be placed on the client device so that users can easily access the published resources. The following settings can be configured when organizing a published resource on the client device:
Change icon: Changes the icon of the published application
Client application folder: Specifies the folder location of the application in the Citrix online plug-in and Web Interface
Add to the client's Start menu*: Creates a shortcut to the application in the Start menu of the client device
Place under Programs folder*: Creates a shortcut in the Programs folder of the Start menu on the client device
Add shortcut to the client's desktop*: Creates a shortcut to the application on the desktop of the client device
* Unnecessary if using Dazzle
Access Control
Administrators can configure the Access Control settings to further specify which sessions are allowed to connect to published resources through the Citrix Access Gateway. Citrix Access Gateway provides users with controlled access to enterprise resources. Citrix Access Gateway allows the administrator to control who can access resources, such as web sites, file shares, email resources and published resources, and which actions they can perform with these resources. The settings an administrator can configure using Access Control are:
Any connection: Allows all connections made through the Access Gateway
Any connection that meets any of the following filters: Allows only connections that meet one or more of the selected Access Gateway filters
Allow all other connections: Allows all connections other than those made through Access Gateway
Content Redirection
Content redirection allows an administrator to specify whether users can access published content, applications, browsers and media players from applications that are running locally on the client device or published on a server. The two types of content redirection are:
Client-to-server content redirection: Occurs when a user accesses local files using a published application
Server-to-client content redirection: Occurs when a user accesses a URL link in a published application using an application installed on the client device
A local application, if no published application is configured with a file type association for the content type or the user is not configured to access the published application Content redirection with published content generates an ICA session and consumes server resources.
The client-to-server content redirection feature allows users of the online plug-in to use a published application to access files residing on the local client device. If a user double-clicks a file with an extension associated with a published application, the online plug-in starts the published application and opens the selected file in the published application. This functionality is enabled by configuring file type associations.
By default, when a published application is configured with file type associations, all users of the online plug-in who are configured to access the published application can use it for content redirection. Content redirection can be implemented for a limited portion of the users who access the published application in two ways. The administrator can:
Publish two instances of the same application and enable separate file type associations for each instance.
Publish a single instance of the application, specify file type associations, and deploy the online plug-in only to the users who require the content redirection feature.
Client-to-Server Content Redirection Example
The diagram in this section illustrates the client-to-server content redirection process when file type associations are configured for a published resource. A user double-clicks an email attachment with a .DOC file extension in an email program that is running locally on the client device. The file opens in Microsoft Word, which is published on a XenApp server and is associated with the .DOC file type.
Server-to-client content redirection allows embedded URLs in published applications to be resolved using an application installed on the client device. When a user clicks a URL in an application running in a XenApp session, the URL is redirected to the client device to be displayed by a local application. After the embedded URL is opened in the browser on the client device, all links in the browser open on the local client device. There is no way to link back to the XenApp session from the local client browser, even though that XenApp session remains open and available for continued use. Server-to-client content redirection can be configured through policies. By enabling server-to-client content redirection, an administrator can prevent applications that are published on the XenApp servers from processing requests that require access to web browsers or media players. When server-to-client content redirection is enabled, the following URL types are opened locally by the plug-ins:
HTTP(S)
RTSP (Real Player and QuickTime)
RTSPU (Real Player and QuickTime)
PNM (Legacy Real Player)
MMS (Microsoft Media Server)
If server-to-client content redirection is not enabled, Internet Explorer opens in a XenApp session on the server, if available, instead of on the client device. Server-to-client content redirection cannot be disabled by users.
Server-to-Client Content Redirection Example
The diagram in this section illustrates how server-to-client content redirection works when a user clicks a URL link in a message from inside a published email application. The URL is opened by Internet Explorer on the local client device.
Administrators should perform the following tasks to configure content redirection from server to client.
1. Create or edit a policy within User Configuration > Citrix Policies of the Group Policy Management Console or the Delivery Services Console.
2. Enable ICA > File Redirection > Host to client redirection. This setting is disabled by default, which results in content being opened on the server.
3. Apply the policy.
4. Publish the content file in the Delivery Services Console.
The Operations team wants to view its weekly log reports (.XLS files) using a published version of Excel.
Application Importance
An administrator can improve the performance of a published resource by assigning it additional CPU cycles. By default, all published applications and server desktops are set to use an importance level of Normal. If an administrator sets a published resource to use an importance level of:
High: More CPU cycles are allotted to the resource and the performance of the published resource improves, but fewer CPU cycles are available for other published resources and server processes.
Low: Fewer CPU cycles are allotted to the resource and the performance of the published resource degrades, but more CPU cycles are available for other published resources and server processes.
If Preferential Load Balancing is configured, the application importance level together with the session policy importance level determine the resource allotment of the session. The higher the resource allotment of the session, the higher the percentage of CPU cycles allotted to the session.
Connection Controls Example
CompanyA has several applications installed in its environment; one application is resource-intensive. The farm is sized and configured to allow all required groups to connect to at least one instance of the resource-intensive application with satisfactory application performance. The administrator of this farm faces a challenge: users who have several client devices are opening several copies of the resource-intensive application concurrently. Although the servers are sized to support the load of the application and expected users, many users complain that application performance is extremely slow, not only for the resource-intensive application but for all applications in the farm.
Based on this information, the administrator configures the connection controls for the farm to allow only one instance of the application for each user. As a result, users can no longer open several instances of the resource-intensive application, farm-wide resource consumption returns to expected levels and performance improves.
Allow only one instance of application for each user: Prevents users from opening or connecting to more than one instance of the resource
Application importance: Changes the number of CPU cycles allotted to the published resource. The application importance is configured by selecting a priority level in the Application importance drop-down list.
Enable legacy audio: Allows audio support for applications to which HDX MediaStream Multimedia Acceleration does not apply. If the "Minimum requirement" option is enabled in the Client audio settings, the client system must have a sound card installed or the published application will fail to launch on the client device.
Enable SSL and TLS protocols: Requests the use of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols for plug-ins connecting to the published resource
Encryption: Controls which plug-ins are allowed to connect based on their encryption level: basic (with a non-RC5 algorithm); RC5 128-bit logon only; RC5 40-bit; RC5 56-bit or RC5 128-bit encryption. The basic encryption level should not be used in a secure environment.
Start this application without waiting for printers to be created: Controls whether published resources wait for client printers to be created before opening or open immediately
Session Sharing
Session sharing is a mode in which more than one hosted application runs on a single connection. Session sharing occurs when a user has an open session and launches another application that is published on the same server; the result is that the two applications run in the same session. For session sharing to occur, both applications must be hosted on the same server with the same published application settings. Session sharing is configured by default. If a user runs several applications with session sharing, the session counts as one connection. All applications in a shared session must be published with the same settings. Inconsistent results may occur when applications are configured for different requirements, such as encryption or screen resolution. Session sharing always takes precedence over load balancing. That is, if users launch an application that is published on the same server as an application they are already using but the server is at capacity, XenApp still opens the second application on the server. Load management does not transfer the user's request to another server where the second application is published.
Current settings
An administrator can view only information, alerts, configured users and current settings for published content. Connected user information is not available.
It may be necessary to temporarily disable a published resource in order to apply updates or address an issue with the resource. In cases in which the resource must be made unavailable (for reconfiguration or troubleshooting), an administrator can use the application properties in the Delivery Services Console to disable or hide the application from users. An administrator can configure the following options for each published resource by clicking Application properties > Name.
Disable application: Prevents users from opening the published resource even though the published resource continues to appear in the users' application sets. When users attempt to access the disabled application, they receive the following message: ERROR: The application you have requested is not enabled. For more information, contact your Citrix administrator.
Hide disabled application: Prevents the published resource from appearing in the users' application sets while the application is disabled.
The administrator can notify current published resource users prior to disabling it. Any users connected to the resource before it is disabled can continue to use the resource. If the users log off while the resource is disabled, they will no longer be able to access the resource until it is re-enabled. If the users disconnect from the resource while it is disabled, they can still access the resource by reconnecting to the disconnected sessions.
Problem: Client-to-server content redirection opens the published application but does not open the local content.
Resolution: Verify that client drive mapping is enabled.
Problem: File types for a published application do not appear in the Delivery Services Console.
Resolution: Update the file type associations for the farm by clicking Action > Other Tasks > Update file types.
Problem: Users cannot find their application after it launches.
Resolution: Select Maximize application at startup in the Advanced application properties.
Problem: The Delivery Services Console fails to enumerate users or sessions when specific Mac clients connect to XenApp servers.
Resolution: Replace the special apostrophe (and any other special characters) in the computer name. The computer name is found in System Preferences > Internet and Wireless > Sharing > Computer Name.
Review
1. An administrator can manage published content using which node in the Delivery Services Console?
a. Content
b. Applications
c. Published Resources
d. Installation Manager

2. When an application set contains a large number of published applications, server desktops and content, how can an administrator effectively organize the resources for users?
a. Use load-managed groups.
b. Use the Resource Manager.
c. Create client application folders.
d. Create application folders in the console.

3. What are two types of content redirection? (Choose two.)
a. Client-to-server
b. Server-to-client
c. Client-to-content
d. Application-to-server
e. Content-to-application

4. An administrator can configure the importance level of a published application using which option in the properties of the application?
a. Type
b. Limits
c. Client options
d. Access control

5. Which statement is true about published resource properties?
a. Published resource properties cannot be modified.
b. Published resource properties can be modified at any time.
c. Published resource properties can be modified only when the resource is disabled.
d. Published resource properties cannot be modified when users are using the resource.

6. Which two statements about session sharing are true? (Choose two.)
a. Session sharing does not take precedence over load balancing settings.
b. All applications in a shared session must be published with the same settings.
c. Session sharing is a mode in which more than one hosted application runs on a single connection.
d. Session sharing is a mode in which more than one user can access the same hosted application in a single session.
Module 8
Streaming Applications
Overview
Application streaming simplifies how administrators deliver, administer and upgrade applications for users. With application streaming, an administrator can package and configure an application, place it on a file or web server and deliver it to servers or client devices. Upgrading or patching an application is centralized, allowing one update to be delivered to many XenApp servers and client devices.

Application streaming offers the following benefits to enterprises:
- Cost-effective, scalable application delivery to client devices and servers
- Lowered installation and maintenance costs of applications on servers and client devices in large server farms
- Centralized maintenance allowing users to continue using applications during an update
- Anywhere, anytime (including offline) access to any application
- Isolated environments that eliminate application conflicts

There are additional benefits when applications are streamed to the desktops of client devices:
- Optimal utilization of computing resources
- Reduction of application compatibility issues

At the end of this module, given an environment containing XenApp, you will be able to:
- Identify the components required for application streaming.
- Describe the communications that take place during application streaming.
- Install the offline plug-in on a client device.
- Configure applications for streaming to servers and the desktops of Windows client devices.
- Configure linked profiles for inter-isolation communication.
- Publish a streaming profile.
- Configure XenApp Web and XenApp Services sites to stream applications.
- Configure offline access settings.
Application Streaming
Application streaming includes the following capabilities:

Local system resource usage: Runs streamed applications on the client device, consuming local system resources instead of those on the XenApp server.

Central application updates: Allows administrators to deliver upgrades or patches efficiently and seamlessly to user devices the next time they access the application.

Isolation environments: Runs applications within protected isolation environments on user devices, which reduces conflicts with other applications installed locally.

Windows Services support: Allows the streaming of applications that require Windows Services.

Linked profiles (inter-isolation communication): Allows administrators to link profiles for applications that need to interact with each other. When streamed, these applications communicate yet run within an isolation environment.

Application caching: Allows administrators to cache files on the user device to allow faster access the next time the application is opened.

Dual-mode streaming: Allows administrators to configure a backup method for application delivery in case user devices do not support streaming.

Offline access: Allows users to continue running streamed applications after disconnecting from the network.

Offline plug-in deployment: Allows administrators to deploy and update the offline plug-in using Citrix Receiver.

Microsoft App-V integration: Allows administrators to publish and manage Microsoft App-V packages through the Delivery Services Console and allows users to access Citrix and Microsoft streamed applications through the online plug-in and Dazzle.

Differential synchronization of updated profiles: Allows profiled applications to be updated with only the modified files and changed content, thus reducing the time and bandwidth needed to complete the update.

HTTP and HTTPS protocol support: Allows profiles residing on a file share to be delivered using a secure web protocol.

Backward compatibility: Provides limited backward compatibility for Streaming Client 1.1. The newer offline plug-in supports all profiles created by all versions of the Citrix Streaming Profiler; however, previous versions of the plug-in may not support new functionality released in XenApp 6.
In addition to the standard components of a XenApp 6 farm, application streaming needs the following components:

Citrix Streaming Profiler (Profiler): Used by administrators to package an application and configure its profile for streaming.

Citrix Offline Plug-in: Installed on a client device to allow the necessary application files to be streamed to that device for execution. This plug-in is installed on the XenApp server by default, which allows streamed-to-server functionality.

Citrix Online Plug-in: Installed on a client device to allow users to access published hosted and streamed applications. The Citrix online plug-in is required for offline access of streamed applications.

File server or web server: Used to host the application profiles created by the Profiler. Published applications can be streamed using UNC-based communication from a file server or using the HTTP or HTTPS protocol from a web server. The application profiles must be included in a file share that resides in the environment. Users must have read access to the file or web server hosting the application profiles, and should have no more than read access: a profile holds the executable content that is streamed to and run on every client device, so anyone who can write to the share can change what those devices execute.
The following process describes the communication that occurs when a user requests a streamed application from XenApp.

1. A user clicks a published application icon for an application configured for streaming. The application launch request is relayed to the Web Interface.
2. The Web Interface contacts the XenApp server to obtain the information required to run the application.
3. The Web Interface creates a .RAD file based on the information obtained from the XenApp server and provides it to the RadeRun utility (RADERUN.EXE), which is:
   - located on the client device, if the published application is being streamed to the desktop of the client device
   - located on the XenApp server, if the published application is being streamed to a server
4. The RADERUN utility passes the .RAD file to the Citrix Streaming Service (RADESVC), which creates an isolation environment and downloads the application profile from the server.
5. The Citrix Streaming Service opens the application executable according to the instructions included in the application profile and runs the executable inside the isolation space.
6. Additional application files are downloaded from the server as needed during normal application usage.
The Citrix offline plug-in delivers streamed applications from a profile target on a file server or web server to XenApp servers and the desktops of client devices. The offline plug-in:
- Is invisible to users except for the posting of error and status messages
- Runs as a service on the client device to invoke applications the user selects using the Citrix online plug-in or the Web Interface site
- Finds the correct profile target for the client device, creates an isolation environment on the client device and streams the files necessary for the application to run
- Manages the cache size of the client device

User accounts must be specified in either the Group Policy Management Console or the Delivery Services Console within the Computer > Offline app users policy to allow access to offline published applications.
Before caching files, the plug-in checks the size of this cache. If the cache size reaches the maximum limit, the offline plug-in removes streamed application files from the cache, starting with the least-recently accessed, until the cache size is smaller than the limit. The default cache size limit is 1000MB (1GB) or 5% of the installation disk volume, whichever is larger. An administrator can change the default cache location and the default maximum cache size stored in the registry using the CLIENTCACHE.EXE tool located in the following folder on a client device with the offline plug-in installed:
%PROGRAMFILES%\CITRIX\STREAMING CLIENT\
For more information about using the CLIENTCACHE.EXE tool, see the XenApp Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site.
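The cache limit and eviction rule above can be checked against a small model. The following is an added example written for this page, not Citrix code and not the CLIENTCACHE.EXE tool: the StreamingCache class, its method names, the least-recently-used ordering and the file sizes in demo() are assumptions made to illustrate the rule as the text states it.

```python
from collections import OrderedDict
from typing import Dict, List

MB = 1024 * 1024
DEFAULT_FLOOR_BYTES = 1000 * MB     # the 1000 MB (1 GB) floor from the text
DEFAULT_VOLUME_PERCENT = 5          # 5% of the installation volume


def default_cache_limit(volume_bytes: int) -> int:
    """Default maximum cache size: 1000 MB or 5% of the installation
    volume, whichever is larger (integer maths, no float rounding)."""
    return max(DEFAULT_FLOOR_BYTES, volume_bytes * DEFAULT_VOLUME_PERCENT // 100)


class StreamingCache:
    """Model of the offline plug-in cache: path -> size in bytes, kept in
    access order with the least-recently accessed file first. The class
    and its method names are assumptions for this example."""

    def __init__(self, limit_bytes: int) -> None:
        self.limit = limit_bytes
        self._files = OrderedDict()    # path -> size, oldest access first

    def size(self) -> int:
        return sum(self._files.values())

    def touch(self, path: str) -> None:
        """Record an access so the file becomes the most-recently used."""
        if path in self._files:
            self._files.move_to_end(path)

    def evict_until_under_limit(self) -> List[str]:
        """The check made before caching: while the cache has reached the
        limit, drop the least-recently accessed file. Returns the paths
        removed, in eviction order."""
        evicted = []
        while self._files and self.size() >= self.limit:
            path, _ = self._files.popitem(last=False)
            evicted.append(path)
        return evicted

    def store(self, path: str, size_bytes: int) -> List[str]:
        """Cache one streamed file. As the text describes it, the size check
        happens before the file is written and does not count the incoming
        file, so the cache can sit above the limit until the next store;
        a stricter client would evict to make room for the new file first."""
        if path in self._files:
            del self._files[path]       # re-inserted below, refreshing recency
        evicted = self.evict_until_under_limit()
        self._files[path] = size_bytes
        return evicted

    def contents(self) -> List[str]:
        """Cached paths, least-recently accessed first."""
        return list(self._files)


def demo() -> Dict[str, object]:
    """Walk-through on a constructed 10 MB cache with four streamed files."""
    cache = StreamingCache(10 * MB)
    cache.store("app/main.exe", 4 * MB)
    cache.store("app/help.chm", 4 * MB)
    cache.touch("app/main.exe")               # main.exe is now most recent
    cache.store("app/lib.dll", 2 * MB)        # cache is now exactly at the limit
    evicted = cache.store("app/res.dat", 1 * MB)   # limit reached: evict help.chm
    return {"evicted": evicted, "contents": cache.contents(), "size": cache.size()}
```

Because eviction is driven purely by recency, a single large application that a user opens often will stay cached while rarely used ones are dropped; if offline users report applications "disappearing" from the cache, compare the limit computed by default_cache_limit with the total size of the targets they need before raising it with CLIENTCACHE.EXE.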
Profiling Process
The following process describes the communications that occur when an administrator creates an application profile.

1. An administrator starts the Profiler and elects to create a new profile.
2. The administrator identifies the installation program for an application and starts the installation of that application from within the Profiler.
3. The Profiler creates an isolation environment and runs the installation program for the application in the isolation environment.
4. The Profiler records the system changes caused by the installation program.
5. The Profiler stores the application information and the details specified by the administrator during the creation of the profile.
6. The administrator saves the profile to a file or web server so that it can be published and made available for streaming to servers and the desktops of client devices.
Creating a Profile
Using the Profiler, an administrator can configure applications to run in one or more target environments. Individual targets in a profile represent one or more user environments. The range of target environments in which an application can be configured to run depends on three factors:
- The type of application being profiled
- The operating system on the profiling system
- The organizational needs

For example, some commercial applications are capable of running on multiple operating systems and languages, while others, such as custom applications, might be capable of running only on a particular operating system and language. Applications that require packaging for a variety of environments can be contained in a single profile.

To open the New Profile Wizard, click Start > All Programs > Citrix > Streaming Profiler > Streaming Profiler and then click New Profile.
The profiling wizard also allows a more relaxed security configuration. The Enable User Updates option permits the running of executable content that the user downloads into the isolation space: if it is selected, the profile allows application files, such as .DLL application plug-ins, to be downloaded to the client device from the Internet and executed inside the isolation environment. Any such updates are stored as part of the user root and are unique to that user, so they bypass the administrator's review entirely. It is a best practice to keep the default, more restrictive, setting so that updates can be evaluated by an administrator before they reach client devices. This best practice applies to the application's own automatic updates as well.
Targets
A target is a collection of files, registry data and other information used to represent an application isolation environment. A target can contain many executables including the applications that normally receive an entry on the Start menu.
An administrator can run the Profiler several times and from different environments to achieve a complete set of targets. By default, a target matches the operating system and configuration of the profiling system.
Target Criteria
The offline plug-in selects a target from the profile based on the following criteria:
- Operating system version installed on the client device
- Service pack level of the operating system installed on the client device
- System drive letter on the client device
- Operating system language on the client device

The criteria associated with each target are stored in a profile manifest file (.PROFILE) that is stored with the other files that make up the profile. Overlapping definitions of targets are not permitted by the Profiler; that is, only one target in a profile can be a correct match for any client device at application launch.

An administrator can update a profile and target at any time without affecting already active executions on client devices. When a target is updated, another version of the target is saved to the profile. The drawback of maintaining old versions of a target is the wasted disk space on the file or web server. The Profiler cannot be used to delete old versions of targets. However, an administrator can manually delete the older versions of a target to reclaim disk space. It is the administrator's responsibility to ensure that old versions of a target are not in use prior to deleting them from the file or web server.

Target Options

When a user requests access to a streamed application, the Citrix offline plug-in determines which target from the application profile is appropriate for the client device. The target is selected from the profile based on a variety of criteria, including the operating system, service pack level, drive letter and operating system language.
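The selection rule and the "no overlapping targets" constraint can be expressed directly. The following is an added example for this page, not Citrix code and not the format of the .PROFILE manifest: the Target class, the way operating system, service pack, drive and language values are encoded, and the sample targets are assumptions made to illustrate how a client is matched to exactly one target and how the Profiler's overlap check can be reasoned about.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Target:
    """One target in a profile, with the four selection axes from the text.
    Field names and value encodings are assumptions for this example."""
    name: str
    os_versions: FrozenSet[str]     # e.g. "Windows 7 x64"
    service_packs: FrozenSet[int]   # 0 means no service pack
    drives: FrozenSet[str]          # system drive letter, e.g. "C"
    languages: FrozenSet[str]       # operating system language, e.g. "en-US"

    def matches(self, os_version: str, service_pack: int, drive: str, language: str) -> bool:
        # Exact membership on every axis. A service pack the target does not
        # list, including one released after the profile was built, does not
        # match: this is the "future service packs are not supported" behaviour.
        return (os_version in self.os_versions
                and service_pack in self.service_packs
                and drive.upper() in self.drives
                and language in self.languages)


def matching_targets(targets: Sequence[Target], os_version: str, service_pack: int,
                     drive: str, language: str) -> List[Target]:
    """All targets that fit the client; a valid profile yields at most one."""
    return [t for t in targets if t.matches(os_version, service_pack, drive, language)]


def select_target(targets: Sequence[Target], os_version: str, service_pack: int,
                  drive: str, language: str) -> Optional[Target]:
    """The plug-in side: the single matching target, or None when the client
    is unsupported. Two or more hits mean the profile contains overlapping
    targets, which the Profiler refuses to save, so treat it as corrupt."""
    hits = matching_targets(targets, os_version, service_pack, drive, language)
    if len(hits) > 1:
        raise ValueError("overlapping targets: " + ", ".join(t.name for t in hits))
    return hits[0] if hits else None


def overlapping_pairs(targets: Sequence[Target]) -> List[Tuple[str, str]]:
    """The Profiler side: two targets overlap when their criteria intersect
    on all four axes, i.e. some client device would match both."""
    pairs = []
    for a, b in combinations(targets, 2):
        if (a.os_versions & b.os_versions and a.service_packs & b.service_packs
                and a.drives & b.drives and a.languages & b.languages):
            pairs.append((a.name, b.name))
    return pairs


# Constructed sample profile: one target built on XP SP3 and one on
# Windows 7 (no service pack) for both architectures and two system drives.
SAMPLE_TARGETS = [
    Target("xp-x86-en", frozenset({"Windows XP x86"}), frozenset({3}),
           frozenset({"C"}), frozenset({"en-US"})),
    Target("win7-en", frozenset({"Windows 7 x86", "Windows 7 x64"}), frozenset({0}),
           frozenset({"C", "D"}), frozenset({"en-US"})),
]

# A further target that collides with win7-en for Windows 7 x64 on C: in English.
CONFLICTING_TARGET = Target("win7-x64-en", frozenset({"Windows 7 x64"}), frozenset({0}),
                            frozenset({"C"}), frozenset({"en-US"}))
```

Run overlapping_pairs over every target in a profile whenever targets are added by hand from different profiling systems; a profile whose targets overlap will behave differently depending on which target the client happens to evaluate first, and the mismatch only shows up at launch time on the affected clients.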
Operating System
An administrator can configure a target for the following client operating systems:
- Windows XP (Home and Professional editions), 32-bit edition with Service Pack 3
- Windows XP (Home and Professional editions), 64-bit edition with Service Pack 2
- Windows 2003, 32- and 64-bit editions
- Windows Vista (Home, Business, Enterprise and Ultimate editions), 32- and 64-bit editions with Service Pack 1
- Windows 7 (Enterprise, Professional and Ultimate editions), 32- and 64-bit editions
- Windows Server 2008, 32- and 64-bit editions
- Windows Server 2008 R2

If the operating system on the client device is not supported, the streamed application will not run on the client device. 64-bit applications are not supported for streaming; however, 32-bit applications can be profiled on 64-bit systems and configured to be streamed to 64-bit systems.

By design, future service packs are not supported. An administrator should take care to specify only the service packs identified as supported or to specify that a service pack is not required.
Language

An administrator should use the English version of the Profiler to create targets for the following operating system languages:
- Korean
- Simplified Chinese
- Traditional Chinese

By default, the operating system and language of the profiling system are included in the profile. If necessary, the operating system and language can be deleted in the target. For additional requirements, including those required when streaming Microsoft Office applications, see the XenApp Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site.
To delete a target from a profile, right-click the target in the console tree and click Delete.
Inter-Isolation Communication
Inter-isolation communication allows the individual profiles in a linked profile to communicate. This feature is useful if a streamed application needs to interact with another streamed application but cannot detect it because both applications are running in isolation environments. For example, when inter-isolation communication is not configured, an administrator profiles Microsoft Outlook and Adobe Reader in two separate profiles; the applications operate independently, and users will not be able to launch a .PDF attachment in Outlook because Outlook cannot detect Adobe Reader. When an administrator configures a linked profile, the included applications launch on the client device and can interact with each other while remaining isolated from both the system and other streamed applications. By linking the Outlook and Reader profiles for inter-isolation communication, Outlook and Reader can interact as users expect, even though the individual applications were profiled separately. The advantage of inter-isolation communication is that applications can be maintained separately, and updates are automatically included in all the linked profiles in which the profile is included. This feature saves time for the administration of the profile set.
Dependent
Links existing profiles and installs additional executable content. In this profile, the installation of one application requires the presence of another application. Dependent, linked profiles contain application package files, isolation rules, linked profiles and hierarchy.
When a dependent profile is used, the entire target of each linked profile is downloaded to the profiling system to facilitate the installation step of the dependent profile.
Digital Signatures
An administrator can customize security and signing settings for an individual profile after it is created. During profile creation, an administrator can configure profile signing using one of the following certificates:
- A certificate residing on a drive
- The code-signing certificate on the profiling system
Profile Properties
An administrator can view and change the properties of a profile by clicking Edit > Profile Properties in the Profiler. The following options are available:
Information
The General section of the Profile properties displays the following information about a profile:

Profile name: The name of the manifest and the location of the profile
Description: The description provided for the profile
Location: The location of the profile
Size: The size of the profile
Created: The creation date of the profile
Last updated: The date of the last update to the profile
Applications
The Applications section in the Profile properties lists all the applications installed in the targets of a profile and indicates whether or not each application is available in all targets. When an application is available, an administrator can use the Delivery Services Console to publish it on XenApp servers. Application details are available by right-clicking an application and clicking Application Details. The following information about the selected application is available:

Targets: The name of the targets, service pack information, the language and the system drive letter
Availability: Whether or not the application is available in this target or the other targets in the profile
Version: The version number of the application. The version number displayed in this screen is set by the application installation program and is not the same as the target version number.
Path: The simulated path in the isolation environment to the application in the target
Working Directory: The working directory that the application uses in the isolation environment
Command line: The command line parameters passed to the application during startup

In addition to viewing application information about the profile from the Applications section, an administrator can delete an application from a profile from this tab.
File Types
The File Types section of the Profile properties displays information about the types of files associated with the application. When a file type is associated with an application during the application publishing process, a user can open a file of the associated file type on the client device, and the offline plug-in will open the streamed application. The File Types section displays the following information about the associated file types:

Extension: The extension of the associated file type
Type: A description of the file type
Opens with: The application invoked by the file type
Availability: Whether or not the application is currently available to users
Linked Profiles
The Linked Profiles section of the Profile properties displays the profiles available for inter-isolation communication. When profiles are linked to each other they can communicate with each other on the client device.
Pre-Launch Analysis
The Pre-Launch Analysis section of the Profile properties identifies the applications and registry entries that are required on the client device before the application is streamed by the profile. An administrator can use the pre-launch analysis to inspect client devices for prerequisites before streaming the profiled application. The Profiler can search for the following objects during a pre-launch analysis:
- Applications and versions (specific or a range)
- Binary files and versions (specific or a range)
- Registry entries

If the pre-launch analysis determines a client device does not have the prerequisites required for the profiled application to run correctly, the profile execution stops and the user is alerted to the problem. An administrator should determine whether pre-launch analysis is required for an entire profile or for individual targets within the profile by testing the profile on client devices. The Pre-Launch Analysis section displays the following information about the applications and registry entries associated with the profile:

Enable pre-launch analysis: Whether or not a pre-launch analysis is enabled
Applications and files: The applications and files required on the client device prior to the application being streamed
Registry entries: The registry entries required on the client device prior to the application being streamed
Pre-launch analysis is also useful when an application in a profile must interact with an application that cannot be profiled. In this scenario, it is a best practice to enable pre-launch analysis for the application that cannot be profiled to ensure that it is installed on the client devices. In addition to viewing pre-launch analysis information from the Pre-launch Analysis section, an administrator can enable or disable pre-launch analysis and add, delete and modify which applications, files and registry entries are required on the client device before an application is streamed by the profile.
Pre-launch and Post-exit Scripts

The Pre-launch and Post-exit Scripts section of the Profile properties displays the following information:

Pre-launch scripts: The scripts that run before the application launches on the client device
Order: The order in which the pre-launch scripts execute
Isolated: Whether or not a pre-launch script is isolated
Post-exit scripts: The scripts that run after the last application in the target closes
Order: The order in which the post-exit scripts execute
Isolated: Whether or not a post-exit script is isolated
In addition to viewing pre-launch and post-exit script information from the pre-launch and post-exit scripts section, an administrator can add and delete scripts and change the order in which the scripts execute. An administrator should determine whether pre-launch or post-exit scripts are required for an entire profile or for the individual targets in the profile by testing the profile on the client devices.
Target Properties
When users experience problems running applications in a profile, an administrator can solve some of them by editing the properties of the targets in the profile. The properties of a target include:
- General
- Applications
- Target Operating System and Language
- Rules
- Pre-launch Analysis
- Pre-launch and Post-exit scripts
To edit the target properties, open the manifest file (.PROFILE) from within the Profiler, select the appropriate target and click Edit > Target Properties.
General Properties
The General section of the Target properties displays the following information about a target:

Target name: The name of the target, service pack information, the language and the system drive letter
Description: The description provided for the target

Information about the target operating system, target language, target boot drive, target version, target location, target creation date and last target update is also provided in the section. In addition to viewing general information about the target from the General section, an administrator can change the target name and description for the target. An administrator can also view the general properties of a target by selecting the Information tab in the profile information pane of the Profiler window.
Application Properties
The Applications section of the Target properties lists all applications installed in the targets in the profile and indicates whether or not each application is available in all targets. When an application is available, an administrator can use the Delivery Services Console to publish it on XenApp servers. The Applications section displays the following information about the applications in the targets in the profile:

Application Name: The name of the application
Availability: Whether or not the application is available in this target or the other targets in the profile
Version: The version number of the application. The version number displayed in this screen is set by the application installation program and is not the same as the target version number.
Path: The simulated path in the isolation environment to the application in the target
Working Directory: The working directory that the application uses in the isolation environment
Command line: The command line parameters passed to the application when it starts

In addition to viewing application information about the target from the Applications section, an administrator can add, modify and delete applications from the target and recover all deleted applications in the target from this section. When an application is deleted from the target, the Profiler removes only the application data from the manifest file (.PROFILE). It does not delete the application files. When an application is added or recovered, data about the application is added to the manifest file (.PROFILE) for the profile. An administrator can also view the application properties of a target by selecting the Application tab in the profile information pane of the Profiler window, right-clicking the target and selecting Application Details.
Target Operating System and Language Properties

In addition to viewing operating system and language information about the target from the Target Operating System and Language section, an administrator can add operating systems, service pack levels and languages to the target, remove operating systems, service pack levels and languages from the target, and check the target for conflicts from this section.
Rules Properties
The Rules section of the Target properties displays information about how the applications in the isolation environment of the target access system objects such as files, registry entries and named objects. The Rules section displays the following information about the isolation environment rules for the target:

Rules: The name of the rule, the action taken by the rule and the object affected by the rule
Rule description: The command executed by the rule

In addition to viewing the information about the isolation environment rules for the target, an administrator can add, copy, modify and delete isolation environment rules in the target from this section.
Pre-launch Analysis Properties

The Pre-launch Analysis section of the Target properties lists the prerequisites checked on the client device before the application in the target is streamed, including:

Registry entries: The registry entries required on the client device before the application is streamed

It is best practice to configure pre-launch analysis to identify client devices that do not have the appropriate software requirements.

Pre-launch and Post-exit Script Properties

The Pre-launch and Post-exit scripts section of the Target properties displays the following information:

Pre-launch scripts: The scripts that run prior to the application in the target launching on the client device
Order: The order in which the pre-launch scripts execute
Isolated: Whether or not a pre-launch script is isolated
Post-exit scripts: The scripts that run after the last application in the target closes
Order: The order in which the post-exit scripts execute
Isolated: Whether or not a post-exit script is isolated

An administrator can also add and delete scripts and change the order in which the scripts execute for the target from this section.
An administrator can upgrade an application in a target using the Profiler. A target is stored in the profile as a directory structure. When an administrator upgrades a target, the Profiler saves the target with a new, incremental version number and as a new directory structure in the profile. The version of a directory structure in a profile is identified by a number at the end of the directory name. For example, a directory structure named 720EDD68-0972-49E6-AA00-80974EB81D5B_2 is the second version of the target directory structure in the profile and is identified as version two by the _2 at the end. Because the Profiler can maintain several versions of each target, users can continue to use the applications in the profile while the application is being upgraded. After the upgrade is completed, new users logging on are streamed the upgraded version of the application, while users who are already logged on continue to use the older version without interruption. When users log off the older version of the application, they can no longer access that version. Instead, they begin using the upgraded version of the application in the target when they next log on.
Differential Synchronization
Differential synchronization is beneficial when targets have been updated. For example, an administrator updates an application with a new service pack that was recently released. If client devices have a previous version of the target directory structure of the profile stored in the cache, such as applications enabled for offline access, the streaming service will open the cached directory structure on the client device and compare it with the updated directory structure in the profile. The streaming service updates only the changed files and removes outdated files from the directory structure in the cache. This feature reduces the time and bandwidth needed to update applications on the client device. After the profile containing the upgraded application is saved, an administrator cannot use the Profiler to delete or modify the previous versions of an upgraded application.
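Both the versioned target directories described above and the differential update can be modelled in a few functions. The following is an added example for this page, not Citrix code: the directory-name regular expression, the use of SHA-256 to compare files, and the sample directory contents are assumptions (only the GUID is the one quoted in the text). The on-disk format of a target and the way the streaming service actually compares cached and server copies are not described on the page, so this shows the algorithm, not the product's implementation.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

# A target directory is named <GUID>_<version>; the version is numeric, so
# "_10" must sort after "_9" (a lexical comparison would get this wrong).
_TARGET_DIR_RE = re.compile(
    r"^(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})_(?P<version>\d+)$")


def parse_target_dir(name: str) -> Tuple[str, int]:
    match = _TARGET_DIR_RE.match(name)
    if match is None:
        raise ValueError(f"not a versioned target directory: {name!r}")
    return match.group("guid").upper(), int(match.group("version"))


def latest_target_dirs(dir_names: Iterable[str]) -> Dict[str, str]:
    """Map each target GUID to its highest-numbered directory, which is the
    version a newly launched user is streamed."""
    best: Dict[str, Tuple[int, str]] = {}
    for name in dir_names:
        guid, version = parse_target_dir(name)
        if guid not in best or version > best[guid][0]:
            best[guid] = (version, name)
    return {guid: name for guid, (_, name) in best.items()}


def file_digest(data: bytes) -> str:
    """Content hash used to decide whether a cached file is still current."""
    return hashlib.sha256(data).hexdigest()


def plan_sync(cached: Dict[str, bytes],
              server: Dict[str, bytes]) -> Tuple[List[str], List[str], List[str]]:
    """Compare the cached copy of a target with the updated one on the
    server. Returns (download, remove, unchanged) as sorted path lists:
    only new or changed files are fetched, and files that are no longer
    part of the target are dropped from the cache."""
    server_hashes = {path: file_digest(data) for path, data in server.items()}
    cached_hashes = {path: file_digest(data) for path, data in cached.items()}
    download = sorted(p for p, h in server_hashes.items() if cached_hashes.get(p) != h)
    remove = sorted(p for p in cached_hashes if p not in server_hashes)
    unchanged = sorted(p for p, h in server_hashes.items() if cached_hashes.get(p) == h)
    return download, remove, unchanged


def apply_sync(cached: Dict[str, bytes], server: Dict[str, bytes]) -> Dict[str, bytes]:
    """Apply the plan to an in-memory copy of the cache and return it."""
    download, remove, _ = plan_sync(cached, server)
    updated = dict(cached)
    for path in remove:
        del updated[path]
    for path in download:
        updated[path] = server[path]
    return updated


# Constructed sample: version 1 sits in the client cache, version 2 (a
# service-pack update) is on the file server. Contents are placeholders.
GUID = "720EDD68-0972-49E6-AA00-80974EB81D5B"
CACHED_V1 = {"app.exe": b"build 1", "readme.txt": b"unchanged", "legacy.dll": b"old"}
SERVER_V2 = {"app.exe": b"build 2 (service pack)", "readme.txt": b"unchanged", "fix.dll": b"new"}
```

Two practical points fall out of the model: the hash comparison is what makes the update safe to repeat (an interrupted sync simply re-plans on the next launch), and the removal step is as important as the download step, because a file left behind from an old version would otherwise remain executable inside the isolation environment after the administrator believes it has been replaced.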
Streamed to server

Streamed to client

Specifies that the published application will be streamed to the client device. This option requires that both the offline plug-in and the online plug-in be installed on the client device. Clients that do not support application streaming, such as non-Windows clients and client devices that do not meet the aforementioned requirements, will not be able to access the published application. It is possible to force the delivery of streamed-to-client published applications with filters. To do this, configure the Load Balancing policy setting located in the Delivery Services Console for Streamed App Delivery. This policy setting overrides the selection in the Publish Application wizard. For more information, see the XenApp Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Removed Applications
Dazzle automatically notifies users of any applications that have been removed from the server.
The steps to adding streamed applications to Dazzle are the same as adding other published applications.
Streaming to Servers
An administrator can use application streaming to simplify the deployment of applications to servers in a farm. After an application is streamed to a server, users can launch and use the application through a XenApp session. An administrator can stream an application to a server by completing the following tasks:
- Create an application profile on a Windows Server 2008 R2 operating system.
- Ensure that a XenApp Web or XenApp Services site is configured to run one of the following application types:
  - Online: This application type allows users to access applications provided by a server.
  - Dual mode: This application type allows users to access applications that are streamed to the client device or provided by a XenApp server.
  Both of these application types allow users to access and run applications installed on a server.
- Ensure that the application is not installed on the XenApp server to which the application is being streamed.
- Publish the application to stream to a XenApp server by selecting Accessed from a server as the application type with Streamed to server as the Server application type.

While using the "Streamed if possible, otherwise access from server" delivery method with the "Streamed to server" application type will stream applications to servers, XenApp will first try to stream the application to the client device. If the offline plug-in is installed on the client device and the published application is accessed through a Web Interface site or the plug-in installed on the client device, the application will stream to the client device rather than to the server.
An administrator can specify an alternate profile for connections that come from specific IP addresses. For example, an administrator could use an alternate profile to direct users on either side of a WAN to stream applications only from the file or web server on their side of the WAN. When an alternate profile is created, a duplicate of the primary profile is created and stored on a different file share, making it more accessible to the client device. The alternate copy must be identical to the primary profile: if it differs from the primary package, the application may not work properly on the client device. Because the alternate copy is what those clients execute, the alternate share also needs the same access controls as the primary share.
An administrator cannot change this location on this page.
Alternate profile locations: A list of existing alternate profile locations, including their client IP ranges. An administrator can add, modify or remove alternate profile locations. When specifying an alternate profile location, an administrator must specify an IP address range by entering the lowest IP address in the Start IP field and the highest IP address in the End IP address field. Changes take effect the next time the user launches the application.
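The Start IP/End IP matching described above, as an added example that is not part of the course material or of Citrix's code: a small Python model that picks the alternate profile location whose inclusive range contains the client address, falls back to the primary profile when nothing matches, rejects a range whose Start IP is above its End IP, and reports overlapping ranges. The share paths, range boundaries and record layout are constructed for illustration.

```python
"""Added example (not from the Citrix course material or from Citrix).

Models how an alternate profile location is selected from the client IP
address: each location carries a Start IP (lowest address) and an End IP
(highest address); a client inside an inclusive range streams from that
location, anyone else streams from the primary profile.  Share paths,
ranges and the record layout are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AlternateLocation:
    start_ip: str   # value of the Start IP field
    end_ip: str     # value of the End IP field
    path: str       # share holding the duplicate of the primary profile


def _addr(text: str) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(text)


def validate_location(loc: AlternateLocation) -> None:
    """Reject an inverted range (Start IP above End IP) before it is used."""
    if _addr(loc.start_ip) > _addr(loc.end_ip):
        raise ValueError(f"Start IP {loc.start_ip} is above End IP {loc.end_ip}")


def select_profile(client_ip: str, primary_path: str,
                   alternates: List[AlternateLocation]) -> str:
    """Return the profile path a client at client_ip should stream from.

    Ranges are inclusive at both ends. The first matching location wins,
    and the primary profile is the fallback when no range matches.
    """
    ip = _addr(client_ip)
    for loc in alternates:
        validate_location(loc)
        if _addr(loc.start_ip) <= ip <= _addr(loc.end_ip):
            return loc.path
    return primary_path


def overlapping_ranges(alternates: List[AlternateLocation]) -> List[Tuple[str, str]]:
    """Return pairs of locations whose IP ranges overlap.

    Overlaps make the selection order-dependent, so an administrator would
    want to find them before users report streaming from the wrong side of
    the WAN.
    """
    pairs = []
    for i, a in enumerate(alternates):
        for b in alternates[i + 1:]:
            if _addr(a.start_ip) <= _addr(b.end_ip) and _addr(b.start_ip) <= _addr(a.end_ip):
                pairs.append((a.path, b.path))
    return pairs


# Constructed sample data: one primary profile and one alternate per WAN site.
PRIMARY_PROFILE = r"\\hq-fs01\profiles\app"
SITE_A = AlternateLocation("10.10.0.1", "10.10.255.254", r"\\sitea-fs01\profiles\app")
SITE_B = AlternateLocation("10.20.0.1", "10.20.255.254", r"\\siteb-fs01\profiles\app")
ALTERNATES = [SITE_A, SITE_B]


if __name__ == "__main__":
    for client in ("10.10.3.25", "10.20.4.7", "10.11.0.1", "192.168.1.5"):
        print(f"{client:>14} -> {select_profile(client, PRIMARY_PROFILE, ALTERNATES)}")
    print("overlaps:", overlapping_ranges(ALTERNATES))
```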
An administrator can configure applications that are set to stream to client devices only to run with:
- Reduced user privileges: The streamed application runs on the client device using the least-privileged user account available for the user on the client device. This reduces the security risks posed by the application but may cause the application to fail if elevated privileges are required by the application. An administrator should test the application to determine if it will run correctly for users who have restricted privileges on their client devices before reducing the user privileges for a published application. For example, User1 has Restricted User privileges on a client device. User2 has Administrator privileges on a client device. Because the application requires at least Standard User privileges to run correctly, the application fails when User1 attempts to use the application. The application runs correctly for User2.
- Normal user privileges: The streamed application runs on the client device with User rights, even if the user has administrative privileges on the client device.
These settings are part of the published application properties, not the profile.
An administrator can configure the following types of Web Interface sites:
- XenApp Web: Allows users to access published resources through a web browser.
- XenApp Services: Allows users to access published resources through the Citrix online plug-in.
Applications that are published to stream to the desktop of a client device can be accessed by a user who is disconnected from the network. An administrator should configure the following properties to enable offline access:
- Configure the application properties for offline access.
- Enable an application for offline access.
- Configure users for streamed applications.
- Configure a XenApp Services site for Offline or Dual mode applications.
- Ensure a license is available for checkout or that the license which is already checked out has not expired.
An administrator can also specify subgroups of larger groups for indirect access. For example: Group A contains Subgroups B and C. Group A has permission to use the published application. Subgroup B has offline access permission. In this example, only members of Subgroup B can access the application while either online or offline. Members of Subgroup C can use the application while online but not when they are offline.
Administrators must specify which users can access applications offline. XenApp checks out a license on behalf of each user the first time they connect and stream an application. The license allows the use of the application offline for a specified number of days (21 by default) before the license must be renewed. An administrator can change the length of time permitted for offline use before the license must be renewed by creating a Citrix policy and configuring the Offline app license period setting.
Application Caching
When an application is configured for offline access, XenApp caches the application on users' client devices with offline access permission. An administrator can determine when this caching of the application occurs so that its impact on the network and the user experience is minimized. The two caching options are listed below.
Pre-caching at Logon
When a published application is configured to pre-cache at logon, XenApp streams the application to the client device cache when the user logs on to XenApp. This option is the default setting. A message notifies the user when the download begins and ends. When the download is complete, the user can log off from XenApp and run the cached application while offline until the offline access license expires. Concurrent logons by users can slow network traffic when this caching option is used.
Caching at Launch
When a published application is configured to cache at launch, XenApp streams the application to the client device cache when the user launches the published application through XenApp. When the download is complete, the user can log off of XenApp and run the cached application while offline until the offline access license expires. An administrator should configure a published application to cache the application at launch if the number of users logging on at the same time and, therefore, pre-caching their applications at logon, could overload the network.
device after the offline plug-in is installed. The first time that a user launches a large published application configured for streaming, the server will trigger a massive data transfer. To lessen the impact to the network, an administrator can pre-deploy new or updated published application files to the client devices during off-peak hours to help avoid overloading the file servers or networks. The administrator should use a software management system to control when the utility is executed so that the streaming content gets copied down to the client devices before users arrive in the morning and start running applications. When offline applications are predeployed using the RADEDEPLOY.EXE utility, the caching method selected in the properties of the published application is bypassed because applications are only cached to the client device once. For more information about running this utility, see the XenApp 6 Application Streaming documentation on the http://support.citrix.com/proddocs/index.jsp web site.
- Verify that the white list is configured for applications that require streaming Windows Services.
- Applications do not have full functionality: Verify that the application was streamed on the target operating system; application functionality may vary across operating systems.
- Applications are not automatically updated by vendor web sites: Verify the profile is configured to allow updates. Profiles do not allow application updates, by default. However, if a more relaxed security configuration is required, select the Enable User Updates option for the profile.
- Streamed applications do not recognize each other: Verify that inter-isolation communication is configured.
- Applications are not available offline: Verify that the applications are enabled for offline access and that users are specified. Verify that the XenApp Services site is configured for the Offline or Dual mode application type.
Review
1. In addition to the standard server farm components of XenApp 6, which Citrix component is needed for application streaming to a desktop?
a. Citrix Receiver
b. Citrix online plug-in
c. Citrix offline plug-in
d. Citrix Access Gateway
2. Which two statements regarding the Citrix offline plug-in are accurate? (Choose two.)
a. The offline plug-in is invisible to the user.
b. The offline plug-in runs as a service on the client device.
c. The offline plug-in determines the application delivery mode.
d. The offline plug-in is displayed in the Windows notification area.
e. The offline plug-in can be used in conjunction with a XenApp Web site to access applications offline.
3. A profile creates a target based on which four criteria? (Choose four.)
a. Applications
b. Operating system
c. Service Pack level
d. System drive letter
e. Operating system language
f. Files, folders and registry settings
4. An administrator is creating a profile for an application and wants to include a specific Internet Explorer plug-in. Which type of installation should the administrator use?
a. Quick
b. Default
c. Standard
d. Advanced
e. Integrated
5. An administrator must publish which file type to make a streaming application available to users?
a. .EXE
b. .MSI
c. .RAD
d. .PROFILE
6. Which two application types can be configured in a Web Interface site so that applications stream to the desktop of a client device? (Choose two.)
a. Online
b. Offline
c. Dual mode
d. Streamed to client
e. Streamed to server
7. An administrator wants users to be able to access applications installed on the XenApp server through the online plug-in and access streaming applications when the users are offline. What must the administrator configure?
a. One XenApp Web site
b. One XenApp Services site
c. One XenApp Web site and one XenApp Services site
d. Two XenApp Web sites and two XenApp Services sites
Module 9
Configuring Policies
Overview
Citrix policies provide a way for administrators to control XenApp server and farm settings as well as the functionality available to users within XenApp sessions. For example, administrators can use Citrix policies to control session security settings, bandwidth limits, printer and device mapping, client drive access and display and graphics settings. In addition, XenApp provides the ability to apply policies to worker groups, users and user groups, client IP addresses, client device names and sessions connecting through Access Gateway.
At the end of this module, given an environment containing XenApp, you will be able to:
- Identify the types of Citrix policies that can be created.
- Identify the methods for creating policies.
- Create and configure policies.
- Apply policies using filters.
- Use policy modeling tools.
Administrators with access to the Advanced Group Policy Manager (AGPM) can perform the following additional tasks:
- Create granular delegated administrators and role-based administration
- Manage the Active Directory Group Policy change control process
- Edit GPOs offline
- Enable audit logging and create policy differencing reports
- Recover deleted GPOs and repair live GPOs
- Enable email notification for GPO changes
- Track version changes, capture history and quickly roll back deployed changes
The AGPM tool is included within the Microsoft Desktop Optimization Pack and is available only to Microsoft Software Assurance customers.
Managing Citrix policies through the Group Policy Management Console (GPMC) generally is recommended as it provides greater management flexibility and predictability. However, using Active Directory GPOs may not be possible in the following scenarios:
- Environments using directory services other than Active Directory
- XenApp farms with published applications requiring anonymous (local) accounts
- Organizations that restrict or deny Active Directory delegation to XenApp administrators
To support these environments, XenApp provides an IMA-based global Group Policy Object, which still leverages the Microsoft Group Policy engine within Windows Server, but does not require Active Directory. The IMA-based policies allow administrators to configure farm-specific Citrix policies within the Policies node of the Delivery Services Console. The interface is similar to the interface within the Group Policy Editor; however, the Citrix policies configured in the Delivery Services Console apply to all servers and users within the farm regardless of their Active Directory OU location.
The Local Group Policy Editor (GPEDIT.MSC) can be used to override farm or OU policy settings for a particular server. Changes made to the Local Group Policy Object apply only to the local server and will not affect other servers within the farm or OU. Use of the Local Group Policy Editor generally should be avoided to reduce policy inconsistencies, unexpected session behavior and troubleshooting efforts. Active Directory GPO settings can be used to block the use of Local Group Policy Editor to improve security and ensure that OU policy settings are not overwritten by local server policy settings.
IMA-based Policy Use Case
Having a change control process for all Citrix policy settings, regardless of who configures them or where they are configured, is recommended. However, sometimes XenApp administrators need a quick way to apply Citrix policies. IMA-based policies can serve as a backup method for quickly changing farm policy settings as these policies will bypass all Active Directory synchronization and ownership issues and immediately will apply to all new sessions, regardless of the Active Directory replication configuration. Note that these IMA-based policy settings only apply to XenApp servers and will not affect non-XenApp servers within an OU. For security purposes, the IMA-based global GPO can be disabled within an Active Directory GPO.
During the XenApp and Delivery Services Console installations, Citrix client-side extensions are installed, which allow Citrix policy integration within the Microsoft Group Policy engine. These extensions add a Citrix Policies node within the existing Computer and User nodes within the Group Policy Object Editor. The Citrix Policies node allows administrators to create Citrix policies as either User or Computer policies within the GPO. If the Delivery Services Console is not installed as part of the XenApp installation, the client-side extensions are still installed. However, if a system running a non-server version of Windows, such as Windows 7, will be used for policy management, the Group Policy Management Console must be installed on that system in addition to the Delivery Services Console.
When Citrix policies are created or edited within GPMC and the Group Policy Object Editor, the configuration is stored in the following location:
\\domain\SYSVOL\domain\Policies\guid\machine or user\Citrix\GroupPolicy\Policies.GPF
When Citrix policies are created or edited within the Delivery Services Console, the IMA-based policy settings are stored as metadata in the data store database and are propagated to servers as GPF/X files stored in their local SYSVOL directory. In both instances, the settings are written to each server registry. Each time group policies are evaluated on the XenApp server, the GPF/X files are retrieved from the SYSVOL and farm data store. The client-side extension evaluates the filters and merges the results into a single Resultant Set of Policy within the HKLM\Software\Policy\Citrix registry key. Various software components read the registry values and enforce the settings. The previous figure illustrates the conceptual architecture behind the Citrix policy system.
Policy Evaluation
Policies are evaluated on XenApp servers when one of the following events occurs:
- A user logs on
- The server is rebooted
- The policy refresh interval is reached
- A policy update is forced
By default, the policy refresh interval is 90 minutes for Active Directory GPOs. The interval time can be changed, although reducing it too much may overload domain controllers. The refresh interval applies to servers as well as user sessions that were started before the policy change. New user sessions always capture the latest User configuration settings within GPOs; however, the latest Computer configuration settings will not be applied until one of the above events occurs. Administrators can force a policy update using the GPUPDATE /FORCE command. By default, both User and Computer configuration settings are updated. However, additional switches can be used to force updates to either the User or Computer configuration settings. IMA-based policies are subject to the same Active Directory policy refresh cycle for Computer configuration settings. However, User configuration settings within IMA-based policies are applied immediately.
Local server settings automatically are propagated by IMA periodically and the Citrix client-side extension assumes those settings are current. The Citrix client-side extension is inserted into the process because it is a registered .DLL in the XenApp server registry.
6. Active Directory determines precedence for the settings and applies them to the server and user registries.
7. The user logs off of all published resources. Citrix user policies are no longer active for this user or client device.
8. The user logs off of the client device. GPOs are no longer active for this user. If the client device is still powered on, GPO computer policies continue to apply to it.
Policy settings configured within Active Directory GPOs and IMA-based GPOs are both processed together to create the Resultant Set of Policy. Therefore, organizations can have a mixed configuration of both Active Directory GPOs and IMA-based GPOs. As a best practice, the number of GPOs should be limited to prevent slow logon performance due to policy processing.
The GPOs and IMA-based policies that apply to a user or computer do not all have the same precedence. If there are no conflicting settings configured within the policies, the settings are merged into the Resultant Set of Policy for the computer or user. However, settings in policies that are applied later can override earlier applied settings. Policies are processed and applied in the following order:
1. Local GPOs: Each server has exactly one Group Policy object that is stored locally. Both Computer and User configuration settings are processed.
2. IMA-based policies: IMA-based policies configured in the Delivery Services Console are processed after local GPOs.
3. Site GPOs: GPOs that have been linked to the site that the user or computer belongs to are processed next. Processing is in the order that is specified by the administrator within the Linked Group Policy Objects tab for the site in Group Policy Management Console. The GPO with the lowest link order is processed last and, therefore, is highest in the order of precedence.
4. Domain GPOs: Multiple domain-linked GPOs are processed in the order specified by the administrator in the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last and, therefore, is highest in the order of precedence.
5. OU GPOs: GPOs linked to the OU highest in the Active Directory hierarchy are processed first, followed by GPOs that are linked to its child OU and any OUs beneath that. Finally, the GPOs linked to the OU that contains the specific user or computer are processed last. Zero, one or many GPOs can be linked to each Organizational Unit level in the Active Directory hierarchy. If several GPOs are linked to an OU, they are processed in the order that is specified by the administrator in the Linked Group Policy Objects tab in the GPMC. The GPO with the lowest link order is processed last and, therefore, is highest in the order of precedence.
Settings in the Citrix ICA Listener Configuration (CTXICACFG.EXE) tool are treated as local GPOs and are overwritten by domain GPOs, if present. The Citrix ICA Listener Configuration tool contains server-specific settings such as network adapter settings, ICA connection limits and session limits. The tool is located in the C:\Program Files (x86)\Citrix\system32 folder on the XenApp server. XenApp does not process RDP or ICA settings in the Remote Desktop Session Host Configuration tool.
Policy Changes Example
Contractors working for KellCorp are prohibited from mapping their local drives while working in published applications. This setting was accomplished by creating a Citrix policy and applying it to the worker group that contains the Contractors OU.
Three contractors are working on a special project which requires the use of their local drives and have received clearance for this exception. The administrator creates a new OU below the Contractors OU and applies a policy allowing access to local drives for those three contractors. The administrator sends the contractors an email to inform them of the status change. The contractors immediately attempt to access their local drives from their published applications and report to the administrator that they still are unable to access the drives. The contractors follow the administrator's recommendation to log off of all of their sessions, log back on and try again; this time they are able to see their local drives when the policy takes effect.
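The processing order above and the KellCorp scenario, modelled as an added Python example (not code from the course or from Citrix): policies are applied Local, IMA-based, Site, Domain, then OU from the top of the hierarchy down; within one container the GPO with the lowest link order is processed last; non-conflicting settings merge; and the child-OU policy for the three contractors overrides the Contractors OU prohibition. Worker-group filters, policy priorities and the refresh cycle that made the contractors log off and back on are not modelled; all policy and setting names are constructed.

```python
"""Added example (not from the Citrix course material or from Citrix).

Models the Citrix policy processing order described in the text:
Local GPO -> IMA-based policies -> Site GPOs -> Domain GPOs -> OU GPOs
(top of the hierarchy first, the OU containing the user/computer last).
Within one container the GPO with the lowest link order is processed last
and therefore has the highest precedence.  Later policies override earlier
ones; non-conflicting settings are merged into the Resultant Set of Policy.
Policy and setting names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Policy:
    name: str
    settings: Dict[str, str]
    link_order: int = 1  # GPMC link order; 1 is processed last within its container


@dataclass
class Scope:
    """Everything that applies to one user or computer."""
    local: Optional[Policy] = None
    ima: List[Policy] = field(default_factory=list)
    site: List[Policy] = field(default_factory=list)
    domain: List[Policy] = field(default_factory=list)
    # One list per OU level: root-most OU first, the containing OU last.
    ou_chain: List[List[Policy]] = field(default_factory=list)


def _by_link_order(container: List[Policy]) -> List[Policy]:
    # Highest link order first, so the lowest link order is processed last.
    return sorted(container, key=lambda p: p.link_order, reverse=True)


def processing_order(scope: Scope) -> List[Policy]:
    """Return the policies in the order they are processed (earliest first)."""
    order: List[Policy] = []
    if scope.local is not None:
        order.append(scope.local)
    order.extend(scope.ima)             # processed after the local GPO
    order.extend(_by_link_order(scope.site))
    order.extend(_by_link_order(scope.domain))
    for level in scope.ou_chain:        # parent OUs before child OUs
        order.extend(_by_link_order(level))
    return order


def resultant_set(scope: Scope) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Merge settings in processing order.

    Returns (effective settings, name of the policy that supplied each one).
    A later policy that sets the same key overrides the earlier value;
    keys set by only one policy are simply merged in.
    """
    merged: Dict[str, str] = {}
    source: Dict[str, str] = {}
    for pol in processing_order(scope):
        for key, value in pol.settings.items():
            merged[key] = value
            source[key] = pol.name
    return merged, source


DRIVES = "Client drive redirection"   # the setting the KellCorp example is about


def kellcorp_scope(with_exception: bool) -> Scope:
    """Constructed KellCorp scenario: a farm-wide IMA policy allows drives, the
    Contractors OU prohibits them, and (optionally) a child OU for the three
    project contractors allows them again."""
    farm = Policy("Farm-IMA-Baseline", {DRIVES: "Allowed",
                                         "Client clipboard redirection": "Allowed"})
    contractors = Policy("Contractors-NoLocalDrives", {DRIVES: "Prohibited"})
    ou_chain = [[contractors]]
    if with_exception:
        ou_chain.append([Policy("Project-AllowLocalDrives", {DRIVES: "Allowed"})])
    return Scope(ima=[farm], ou_chain=ou_chain)


if __name__ == "__main__":
    for flag in (False, True):
        settings, origin = resultant_set(kellcorp_scope(flag))
        print(f"exception OU linked={flag}: {DRIVES} = {settings[DRIVES]} "
              f"(from {origin[DRIVES]})")
```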
Policy Priorities
When configuring Citrix policies, both GPOs and IMA-based, administrators can assign priority levels for those policies. In the event that policies contain conflicting settings, the setting within the policy with the highest priority is processed. However, this priority level only controls the setting that is processed during policy processing.
Policy Rules
When creating Citrix policies in a GPO or the Delivery Services Console, the policies are designated as either Computer or User policies. These policies contain rules for configuring the desired farm, server and user session settings. Computer policies contain rules for XenApp server settings and are organized into the following categories:
- ICA
- Licensing
- Server Settings
- Virtual IP
- XML Service
User policies contain rules for all XenApp user session settings. Administrators can use these settings to enable or disable features within user sessions. User policies are organized into the following categories:
- ICA
- Audio
- Bandwidth
- Desktop UI
- File Redirection
- Graphics
- Multimedia
- Ports
- Printing
- Security
- Session Limits
- Shadowing
- Time Zone Control
- TWAIN devices
- USB devices
COMPUTER POLICIES
ICA
- ICA listener connection timeout: Specifies the maximum wait time for a connection to be completed. By default, the maximum wait time is 120,000 milliseconds or two minutes.
- ICA listener port number: Specifies the TCP/IP port number used by the ICA protocol on the server. By default, the port number is 1494.
ICA\Auto Client Reconnect
- Auto client reconnect authentication
- Auto client reconnect logging
- ICA round trip calculation interval (Seconds): Specifies the frequency, in seconds, at which ICA round trip calculations are performed.
- ICA round trip calculations for idle connections: Determines whether ICA round trip calculations are performed for idle connections. By default, calculations are not performed for idle connections.
ICA\Graphics
- Display memory limit: Specifies the maximum video buffer size in kilobytes for the session. By default, the display memory limit is 32,768 kilobytes.
- Display mode degrade preference: Degrades either color depth or resolution first when the session display memory limit is reached.
- Image caching: Specifies whether to cache images to make scrolling smoother.
- Specifies the maximum color depth allowed for a session. By default, the maximum allowed color depth is 32 bits for each pixel.
- Notify user when display mode is degraded: Specifies whether to display a popup with an explanation to the user when the color depth or resolution is degraded.
- Queueing and tossing: Discards queued images that are replaced by another image.
ICA\Keep Alive
- ICA keep alive timeout: Specifies the number of seconds between successive ICA keep-alive messages. By default, the interval between keep-alive messages is 60 seconds.
- ICA keep alives: Sends or prevents sending ICA keep-alive messages periodically. By default, keep-alive messages are not sent.
ICA\Multimedia
- HDX MediaStream Multimedia Acceleration: Controls and optimizes the way XenApp servers deliver streaming audio and video to users. By default, this setting is allowed.
- HDX MediaStream Multimedia Acceleration default buffer size: Specifies a buffer size from 1 to 10 seconds for HDX MediaStream Multimedia Acceleration.
- HDX MediaStream Multimedia Acceleration default buffer size use: Uses the specified buffer size for HDX MediaStream Multimedia Acceleration. By default, the buffer size specified is not used.
- Multimedia conferencing: Allows or prevents support for video conferencing applications. By default, video conferencing support is enabled.
ICA\Security
- Prompt for password: Requires the user to enter a password for all server connections regardless of access scenario. By default, users are prompted for passwords only for specific types of connections.
ICA\Server Limits
- Server idle timer interval: Determines, in milliseconds, how long an uninterrupted user session will be maintained if there is no input from the user. By default, idle connections are not disconnected.
ICA\Session Reliability
- Session reliability connections: Allows or prevents session reliability connections.
- Session reliability port number: Identifies the TCP port number for incoming session reliability connections. By default, the session reliability TCP port number is 2598.
- The length of time in seconds the session reliability proxy waits for a client to reconnect before allowing the session to be disconnected. The default length of time is 180 seconds or three minutes.
ICA\Shadowing
- Shadowing: Allows shadowing of ICA sessions. Configure the Users\ICA\Shadowing\Users who can shadow others policy to specify which users can shadow.
Licensing
- License server host name: Specifies the name of the server hosting XenApp licenses.
- License server port: Specifies the port number of the server hosting XenApp licenses. By default, the license server port number is 27,000.
Server Settings
- Connection access control: Specifies whether users can start sessions when connecting through Citrix Access Gateway.
- Enables or disables the server to return fully qualified domain names to clients using the Citrix XML Service.
- Enables or disables the caching of larger, high resolution published application icons on servers.
- Specifies the XenApp product edition.
Server Settings\Memory/CPU
- CPU management server level: Specifies the level of CPU utilization management on the server.
- Memory optimization: Enables or disables memory optimization to improve the ability to manage DLL allocation in both real and overall virtual memory by creating shared DLLs for applications that are open in multiple sessions.
- Memory optimization application exclusion list: Specifies the applications that memory optimization should ignore.
- Memory optimization interval: Specifies the interval for running memory optimization when memory optimization is enabled.
- Specifies the day of the month that memory optimization runs, within the range of 1 - 31, when memory optimization is enabled.
- Specifies the day of the week that memory optimization runs when memory optimization is enabled.
- Specifies the time of day that memory optimization runs when memory optimization is enabled and an interval of "Daily," "Weekly" or "Monthly" is specified.
Scheduled reboots
Virtual IP
- Virtual IP adapter address filtering: Filters the list of addresses returned by the API GetAdaptersAddresses() to only include the session virtual IP address and the loopback address.
- Adds support to Windows OS Virtual IP so that calls to gethostbyname() API within session return the assigned virtual IP address for the session.
- Adds support to Windows OS Virtual IP so that calls to gethostbyname() API within a session return the assigned Virtual IP address for the session.
- Specifies the programs for the Virtual IP adapter address filtering rule.
- Allows each session to have its own virtual loopback address for communication.
- Specifies the programs for the Virtual IP loopback support rule.
XML Service
- Trust XML requests: Specifies whether the Citrix XML Service should trust requests it receives.
- Specifies the port number to use for the Citrix XML Service.
USER POLICIES
ICA
- Client clipboard redirection: Allows or prevents the clipboard on the client device to be mapped to the clipboard on the server. By default, clipboard redirection is allowed.
- Desktop launches: Allows or prevents non-administrative users to connect to a desktop session on the server. By default, non-administrative users cannot connect to desktop sessions.
- Specifies whether to launch initial applications or published applications on the server. By default, only published applications are allowed to launch.
- OEM Channels: Allows or prevents custom (OEM) devices attached to ports on the client device to be mapped to ports on the server. By default, this setting is allowed.
ICA\Audio
- Audio quality: Specifies the sound quality as low, medium or high.
- Client audio redirection: Allows or prevents applications hosted on the server to play sounds through a sound device installed on the client device and allows or prevents users to record audio input. The amount of bandwidth consumption when playing or recording audio can be configured within this policy.
- Client microphone redirection: Enables or disables client microphone redirection.
ICA\Bandwidth
- Audio redirection bandwidth limit: Specifies the maximum allowed bandwidth in kilobits per second (kbps) for playing or recording audio in a client session.
- Specifies the maximum allowed bandwidth limit for playing or recording audio as a percent of the total session bandwidth.
- Specifies the maximum allowed bandwidth in kbps for data transfer between a session and the local clipboard.
- Specifies the maximum allowed bandwidth limit for data transfer between a session and the local clipboard as a percent of the total session bandwidth.
- COM port redirection bandwidth limit: Specifies the maximum allowed bandwidth in kbps for accessing a COM port in a client connection.
- COM port redirection bandwidth limit percent: Specifies the maximum allowed bandwidth for accessing COM ports in a client connection as a percent of the total session bandwidth.
- Specifies the maximum allowed bandwidth in kbps for accessing a client drive in a client connection.
- Specifies the maximum allowed bandwidth limit for accessing client drives as a percent of the total session bandwidth.
- LPT port redirection bandwidth limit: Specifies the maximum allowed bandwidth in kbps for print jobs using an LPT port in a single client session.
- LPT port redirection bandwidth limit percent: Specifies the bandwidth limit for print jobs using an LPT port in a single client session as a percent of the total session bandwidth.
- Specifies the maximum allowed bandwidth in kbps for custom (OEM) virtual print channels.
- Specifies the bandwidth limit for custom (OEM) virtual print channels as a percent of the total session bandwidth.
- Overall session bandwidth limit: Specifies the total amount of bandwidth available for client sessions.
- Printer redirection bandwidth limit: Specifies the maximum allowed bandwidth in kbps for accessing client printers in a client session.
- Printer redirection bandwidth limit percent: Specifies the maximum allowed bandwidth for accessing client printers as a percent of the total session bandwidth.
- Specifies the maximum allowed bandwidth in kbps for controlling TWAIN imaging devices from published applications.
- Specifies the maximum allowed bandwidth for controlling TWAIN imaging devices from published applications as a percent of the total session bandwidth.
Bandwidth Limit Percent Example
Bandwidth limit percent rules limit ICA session bandwidth based on a percentage of the overall session bandwidth specified in the Overall session bandwidth limit rule.
PART 1: An administrator configures the Overall session bandwidth limit rule to limit bandwidth to 500 kbps and sets the Printer redirection bandwidth limit rule to limit printing to 260 kbps. If the total bandwidth for the session drops to 260 kbps, all of the session bandwidth will be consumed by the documents being printed in the session.
PART 2: To prevent this from happening, the administrator configures the Printer redirection bandwidth limit percent rule. In this rule, the administrator limits the amount of session bandwidth that can be consumed by printing to 25% of the total session bandwidth. Now if the total bandwidth for the session drops to 260 kbps, only 65 kilobits will be consumed by the documents printed in the session.
ICA\Desktop UI
- Desktop wallpaper: Enables or disables the desktop wallpaper in user sessions. By default, desktop wallpaper is allowed.
- Menu animation: Allows or prevents menu animation. By default, menu animation is allowed.
- View window contents while dragging: Controls the display of window content when dragging a window across the screen. When allowed, the entire window appears to move when dragged. When prohibited, only the window outline appears to move until dragging stops and the window is dropped.
ICA\File Redirection
- Auto connect client drives: Allows or prevents automatic connection of client drives when users log on. By default, automatic connection is allowed.
- Client drive redirection: Enables or disables file/drive redirection to and from the client device. When enabled, users can save files to all their client drives. When disabled, all file redirection is prevented, regardless of the state of the individual file redirection settings. By default, file redirection is enabled.
- Client fixed drives: Allows or prevents users from accessing or saving files to fixed drives on the client device. By default, accessing client fixed drives is allowed.
- Client floppy drives: Allows or prevents users from accessing or saving files to floppy drives on the client device. By default, accessing client floppy drives is allowed.
- Client network drives: Allows or prevents users from accessing and saving files to client network/remote drives. By default, accessing client network drives is allowed.
- Client optical drives: Allows or prevents users from accessing or saving files to CD-ROM, DVD-ROM and BD-ROM drives on the client device. By default, accessing client optical drives is allowed.
- Client removable drives: Allows or prevents users from accessing or saving files to removable drives on the client device. By default, accessing client removable drives is allowed.
- Enables or disables file type associations for URLs and some media content to be opened on the client device. By default, file type association is allowed.
- Enables or disables preservation of client drive letters. When enabled, and client drive mapping is enabled, client drives are mapped to the same drive letter in the session where possible. By default, client drive letters are not preserved.
- Allows or prevents Citrix online plug-in and Web Interface users from seeing their local special folders, such as Documents and Desktop, from a session. By default, special folder redirection is allowed.
- Enables or disables asynchronous disk writes. By default, asynchronous writes are disabled.
ICA\Graphics\Image Compression
- Lossy compression level: Specifies the degree of lossy compression used on images. By default, medium compression is selected.
- Lossy compression threshold value: Specifies the maximum bandwidth in kbps for a connection to which lossy compression is applied. By default, the threshold value is unlimited.
- Progressive compression level: Provides a less detailed but faster initial display than lossy compression.
- Progressive compression threshold value: Specifies the maximum bandwidth in kbps for a connection to which progressive compression is applied. By default, the threshold value is unlimited.
- Progressive heavyweight compression: Reduces bandwidth without losing image quality by using a more advanced and CPU-intensive graphics algorithm. By default, progressive heavyweight compression is not used.
- By default, client-side Flash content rendering is allowed.
- Flash event logging: Allows or prevents Flash events from being recorded in the Windows application event log. By default, logging is allowed.
- Flash latency threshold: Specifies a threshold between 0 and 5000 that determines where Adobe Flash content is rendered. By default, the threshold is 30.
- Flash server-side content fetching whitelist: Lists web sites whose Flash content is allowed to render on the client device. Flash content on unlisted web sites is rendered on the server.
- Flash URL blacklist: Lists web sites whose Flash content is rendered on the server. Flash content on unlisted web sites is rendered on the client device. This setting is in effect when Flash acceleration is enabled.
ICA\Ports
- Auto connect client COM ports: Connects COM ports from the client device automatically. By default, COM ports are not automatically connected.
- Auto connect client LPT ports: Connects LPT ports from the client device automatically. By default, LPT ports are not automatically connected.
- Client COM port redirection: Redirects COM ports to and from the client device. By default, COM port redirection is enabled.
- Client LPT port redirection: Redirects LPT ports to the client device. By default, LPT port redirection is enabled.
ICA\Printing
- Client printer redirection: Allows or prevents client printers from being mapped to a server when a user logs on to a session. By default, client printer mapping is allowed.
- Default printer: Specifies how the client's default printer is established in an ICA session. By default, the client's current printer is used as the default printer for the session.
- Printer auto-creation event log preference: Specifies which events are logged during the printer auto-creation process. By default, errors and warnings are logged.
- Session printers: Lists the network printers to be auto-created in an ICA session.
- Allows or prevents a delay in connecting to a session so that desktop printers can be auto-created. This setting does not apply to published applications or published desktops. By default, a connection delay does not occur.
ICA\Printing\Client Printers
- Auto-create client printers: Specifies which client printers are auto-created. By default, all client printers are auto-created.
- Client printer names: Selects the naming convention for auto-created client printers. By default, standard printer names are used.
- Direct connections to print servers: Enables or disables direct connections from the host to a print server for client printers hosted on an accessible network share. By default, direct connections are enabled.
- Printer properties retention: Specifies whether and where to store printer properties. By default, the system determines whether printer properties are stored on the client device, if available, or in the user profile.
- Retained and restored client printers: Enables or disables the retention and re-creation of client printers. By default, client printers are auto-retained and auto-restored.
ICA\Printing\Drivers
- Automatic installation of in-box printer drivers: Enables or disables the installation of Windows native drivers as needed. By default, native drivers are installed when users log on.
- Printer driver mapping and compatibility: Lists driver substitution rules for auto-created printers.
ICA\Printing\Universal Printing
- Auto-create generic universal printer: Enables or disables auto-creation of the Citrix Universal Printer generic printing object. By default, generic universal printers are not auto-created.
- Universal driver priority: Specifies the order in which XenApp attempts to use universal printer drivers.
- Specifies when to use universal printing.
- Specifies whether to use the print preview function for auto-created or generic universal printers. By default, print preview is not used for auto-created or generic universal printers.
ICA\Security
- SecureICA minimum encryption level: Specifies the minimum level at which to encrypt session data sent between the server and a client device.
ICA\Session Limits
- Concurrent logon limit: Specifies the maximum number of connections a user can make to the farm at any given time. By default, there is no limit on concurrent connections.

Additional ICA\Session Limits rules are available but apply to XenDesktop sessions only:
- Disconnected session timer
- Disconnected session timer interval
- Session connection timer
- Session connection timer interval
- Session idle timer
- Session idle timer interval
ICA\Shadowing
- Input from shadow connections: Allows or prevents shadowing users from taking control of the keyboard and mouse of the user being shadowed.
- Log shadow attempts: Allows or prevents recording of attempted shadowing sessions in the Windows event log.
- Allows or prevents shadowed users from receiving notification of shadowing requests from other users. By default, users are notified when they are being shadowed.
- Users who can shadow others: Specifies the users who can shadow other users.
- Specifies the users who cannot receive shadowing requests from other users.
ICA\TWAIN Devices
- Client TWAIN device redirection: Specifies whether users can access TWAIN devices, such as digital cameras or scanners, on the client device from published image processing applications. By default, TWAIN device redirection is allowed.
- TWAIN compression level: Specifies the level of compression applied to image transfers from client to server. By default, no compression is applied.
ICA\USB Devices
- Client USB device redirection: Enables or disables redirection of USB devices to and from the client.
- Client USB device redirection rules
- Client USB Plug and Play device redirection: Specifies whether plug-and-play devices, such as cameras or point-of-sale (POS) devices, can be used in a client session. By default, plug-and-play device redirection is allowed.
Policy Filtering
During policy creation, administrators must decide whether to create unfiltered or filtered policies.

Unfiltered

Unfiltered policy rules apply to all computers or users within the scope of the policy. For Citrix policies configured with GPMC, the scope is all computers or users in the OU to which the GPO is linked. For IMA-based policies configured in the Delivery Services Console, the scope is all computers and users in the farm. By default, an Unfiltered policy exists in both the User and Computer nodes. The Unfiltered policy cannot be renamed or removed, and another Unfiltered policy cannot be created. By default, the Unfiltered policy contains no rules; an administrator must add and configure them. Unfiltered policies should be used only when granular policy control is unnecessary. For example, an Unfiltered policy can assign a Citrix License Server to an entire farm, or apply security or encryption settings that should reach every server and user in the farm or OU.
Filtered
Filtered policies allow administrators to define the conditions under which Citrix policy rules apply to users and computers within the scope of the policy. For example, a filter can disable client drive mapping for certain devices in the Finance department or enable printer auto-creation for users connecting from a particular IP address range.

Citrix policies configured within the Computer node can be filtered based on Worker Groups. Citrix policies configured within the User node can be filtered based on the following criteria:
- Worker Groups
- User and user groups
- Client device name
- Client IP address range
- Access control (incoming connections from Access Gateway)

To filter policies based on OUs, first add the OU to a Worker Group, then add the Worker Group to the filter. The policy is technically filtered on the Worker Group, but because the OU is a member of that Worker Group, the filter applies to the OU.
There is no limit to the number of filters that can be applied to a single policy. Instead of creating and linking several separate GPOs, administrators can create a single GPO and use filters to define the various conditions under which the policy rules in that GPO apply. Filtered and unfiltered user policies are evaluated when a session starts and remain in effect for the length of that session. If policy rules or filters are changed while affected users have active sessions, those users are not affected until they start a new session.
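The filter matching described above, as an added example in Python that is not Citrix code and not the Delivery Services Console's own data model. It models the five User-node filter types (Worker Group, user and user groups, client device name, client IP address range, Access Control) against a constructed set of policies. The dictionary layout, the sample policy and Worker Group names, and the rule that every configured filter category must match while any listed value within a category is sufficient are all assumptions of this example.

```python
"""Toy evaluator for XenApp-style policy filters (added example, not Citrix code).

Assumptions: a policy is a dict with a "filters" dict keyed by filter category;
an empty "filters" dict is an unfiltered policy and applies to every connection
in scope; all configured categories must match, and within a category any
listed value matches. Policy and group names below are constructed.
"""
import ipaddress
from fnmatch import fnmatch

# Constructed sample policies (names and filters are invented for the example).
POLICIES = [
    {"name": "Unfiltered", "filters": {}},
    {"name": "Finance-NoDriveMapping",
     "filters": {"worker_groups": ["Finance-WG"], "user_groups": ["Finance"]}},
    {"name": "Branch-PrinterAutoCreate",
     "filters": {"ip_ranges": ["10.20.0.0/16"], "client_names": ["BR-*"]}},
    {"name": "AccessGateway-Lockdown",
     "filters": {"access_control": {"via_access_gateway": True}}},
]


def connection(user_groups, worker_group, client_name, client_ip, via_access_gateway=False):
    """Build the per-connection context a filter is evaluated against (assumed fields)."""
    return {
        "user_groups": set(user_groups),
        "worker_group": worker_group,          # worker group of the server the user lands on
        "client_name": client_name,            # client device name as reported by the plug-in
        "client_ip": ipaddress.ip_address(client_ip),
        "via_access_gateway": via_access_gateway,
    }


def filter_matches(filters, conn):
    """Every configured filter category must match; within a category, any listed value matches."""
    checks = {
        "worker_groups": lambda vals: conn["worker_group"] in vals,
        "user_groups": lambda vals: bool(conn["user_groups"] & set(vals)),
        "client_names": lambda vals: any(fnmatch(conn["client_name"], v) for v in vals),
        "ip_ranges": lambda vals: any(conn["client_ip"] in ipaddress.ip_network(v) for v in vals),
        "access_control": lambda val: conn["via_access_gateway"] == val["via_access_gateway"],
    }
    return all(checks[category](value) for category, value in filters.items())


def applicable_policies(conn, policies=POLICIES):
    """Names of the policies whose filters match this connection, in policy order."""
    return [p["name"] for p in policies if filter_matches(p["filters"], conn)]


if __name__ == "__main__":
    finance = connection(["Finance"], "Finance-WG", "FIN-PC1", "10.1.2.3")
    print(applicable_policies(finance))   # Unfiltered plus the Finance policy
```

Because the Unfiltered policy has no filters, it appears in every result; a user in the Finance group who lands on a server outside Finance-WG gets only the Unfiltered policy, which is the "all categories must match" behaviour to keep in mind when a filter seems not to apply.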
Review
1. Citrix policies can be created using which three management tools? (Choose three.)
a. Delivery Services Console
b. Terminal Services Manager
c. Advanced Configuration Console
d. Advanced Group Policy Manager
e. Group Policy Management Console

2. When an existing Citrix user policy is changed, how long does the previous policy remain in effect?
a. For the length of the session
b. Until the user profile is changed
c. Until the user disables the policy
d. Until the user is moved to another group

3. Which filter is not valid for use with policies in XenApp?
a. Servers
b. Worker groups
c. Client device name
d. User and user groups

4. Which two events do not trigger a policy update evaluation? (Choose two.)
a. A user logs on
b. The server is rebooted
c. An OU trust is created
d. A policy update is forced
e. A print server is imported
f. The policy refresh interval is reached

5. Select the correct order in which policies are processed and applied.
a. Domain GPOs, Local GPOs, IMA-based policies, OU GPOs, Site GPOs
b. IMA-based policies, OU GPOs, Local GPOs, Site GPOs, Domain GPOs
c. Local GPOs, IMA-based policies, Site GPOs, Domain GPOs, OU GPOs
d. OU GPOs, Local GPOs, IMA-based policies, Site GPOs, Domain GPOs
e. Site GPOs, Domain GPOs, Local GPOs, OU GPOs, IMA-based policies
Module 10
Overview
XenApp administrators configure load management in a farm to facilitate quick and efficient delivery of applications and resources to users. At the end of this module, given an environment containing XenApp, you will be able to:
- Describe the load balancing process.
- Identify load calculation rules.
- Create and assign custom load evaluators.
- Assign CPU resource preference to servers and users.
- Configure session connection failover using load balancing policies.
Load Manager
Load Manager is used to balance the load created by connections to the server farm. By default, load is measured and balanced by the number of user sessions on each server. Load Manager offers the following benefits to enterprises:
- Maximizes system efficiency by balancing published application sessions across the farm based on load limits set in load evaluators.
- Provides pre-defined load evaluators that can be used as a basis for creating customized load evaluators.
- Provides a set of rules administrators can use to tailor custom load evaluators to the server environment, improving server performance as well as the performance of published resources.

It is a best practice to examine and evaluate the XenApp servers in a farm before customizing load management.
Load Balancing
Load Manager balances server load across the farm by:
- Using load evaluator rules to calculate server load
- Identifying which server is least loaded, based on the rules in the load evaluator
- Directing client connections to the least-loaded server

Load Manager calculates server load using load evaluators attached to servers or published applications. When any rule in a load evaluator reports a full load or exceeds its set threshold, the load-managed server is temporarily dropped from the internal list of available servers. The next connection request for a published application is routed to the server in the internal list with the lowest load value. When the load on a server falls below the set threshold, the server is automatically re-added to the internal list of available servers. Servers are continuously added to and removed from the internal list as server loads and user activity fluctuate.

Session sharing always takes precedence over load balancing. That is, if a user launches an application that is published on the same server as an application they are already using, but that server is at capacity, XenApp still opens the second application on that server. Load management does not transfer the request to another server where the second application is published.
Load Manager maximizes system efficiency by balancing hosted and streamed application sessions across the farm. The following steps describe the load balancing process.
1. Each server calculates its load periodically based on the evaluation criteria in the load evaluators assigned to the server and to its published applications.
2. Each server sends values for all possible load evaluation criteria to the data collector in the zone.
3. The data collector gathers the information and maintains a numeric index for each load-balanced server in the zone.
4. A connection request for a published application is sent to the data collector.
5. The data collector uses the load information received from all of the servers to identify the least-loaded server hosting the published application in the zone. If a load balancing policy is enabled and filtered for a worker group, the user is forwarded to the least-loaded server in that policy.
6. The server IP address or FQDN of the least-loaded server is forwarded to the plug-in.
7. The plug-in connects to the identified server using the supplied IP address or FQDN.

If all servers hosting the published application are at full load, as specified by the load evaluator rules, the session request is denied. Routing of connections to servers through load management occurs at session request time. If the load on a server changes after a connection is established, the connection is not redistributed to accommodate the new server load.
Load Calculation
Load evaluators consist of rules that determine how load is calculated. These rules can be used to query specific conditions and performance metrics for servers and published applications. Each rule has a unique set of parameters that allows an administrator to specify appropriate thresholds. Load evaluators can consist of one or more rules. When several rules exist in a load evaluator, the rules work together to determine the overall load.
Load Throttling
Load throttling artificially inflates a server's load value while a new user connection initiates, limiting the influx of new connections to any single server. Each new session causes a natural, temporary resource surge on the server. By inflating the load value while connections initiate, load throttling reduces the likelihood of slow logons or server hangs, which matters most when many users log on simultaneously. The true server load is reported to the data collector after the user session has fully initiated. There are five load throttling settings:
- Extreme
- High (Default)
- Medium High
- Medium
- Medium Low

The Extreme setting maximizes server performance by allowing one new connection at a time; all other connection requests are denied, and the next request is accepted after the first connection has fully initiated. The High setting, the default, greatly increases the reported load when a few users log on simultaneously. The remaining settings allow progressively more users to log on at the same time.
Load Calculations
The rules associated with a load evaluator are sampled during data collector updates, during session logons and logoffs, and at 30-second intervals. The last ten samples are averaged into a running average for each rule, and the update is sent to the data collector every five minutes by default.
The load values returned by the rules determine when a full load is reached. Load Manager does not allow new connections to a server when its load evaluator reports a full load. Below full load, the rules in the load evaluator determine the server's load value, and the least-loaded server receives the next connection. The load value assigned to a server depends on the rules and parameters within the load evaluator. When a load evaluator contains more than one rule, Load Manager calculates the load for each rule and then applies an algorithm that gives the most weight to the rule with the highest load value. All servers must have an assigned load evaluator. If one or more of the applications published on the server also has a load evaluator assigned, the load evaluator that produces the highest load value sets the load value for that server. If the server load changes by +/-500, the server sends the change to the data collector immediately rather than waiting for the next scheduled update. Load evaluators can be classified in the following categories:
- Moving average
- Moving average compared to high threshold
- Incremental
- Boolean
For more information about calculating load with Load Manager, see Citrix Knowledge Base articles CTX103653 and CTX105449 on the www.citrix.com web site.
The rules that use the moving average method to calculate load include:

CPU Utilization
Defines the range of processor (CPU) utilization for a selected server. The default full load value is 90 percent; the default no load value is 10 percent. Keep in mind that CPU utilization spikes at user logon.

Memory Usage
Defines the range of memory usage for a server. The default full load value is 90 percent; the default no load value is 10 percent.

If either the CPU Utilization or Memory Usage counter is at 100%, the server reports a full load. The CPU Utilization and Memory Usage rules are used by the Advanced load evaluator.
Defines the range of data throughput (total disk I/O in kilobytes per second) for a selected server. The default full load value is 32,767 kilobytes per second; the default no load value is 0.
Disk Operations
Defines the range of disk operation (read and write cycles per second) for a selected server The default full load value is 100 operations per second. The default no load value is 0.
Load Throttling
Defines the impact that logons have on the server load. This rule limits the number of concurrent connection attempts a server is expected to handle and cannot be applied to an individual published application. The Load Throttling rule addresses the problem of incorrect load values provided by servers, which occurs when:
- New connections are arriving faster than the servers can send their current load values to the data collector.
- Servers have been restarted and have not yet sent their load values to the data collector.

The Load Throttling rule should be used in conjunction with another rule, as it only affects the initial logon period. If the Load Throttling rule is included in a load evaluator, it is ignored when that load evaluator is attached to a published application. The Load Throttling rule is used by both the Default and Advanced load evaluators.
Page Fault
Defines the range of page faults (attempts to access data that has been moved from physical memory to disk) per second for a selected server. The default full load value is 2000; the default no load value is 0.
Page Swap
Defines the range of page swaps (transfers of data between physical memory and the page file) per second for a selected server. The default full load value is 100; the default no load value is 0. The Page Swap rule is used by the Advanced load evaluator.
The threshold values for these rules must be adjusted by an administrator to reflect the actual server capacity.
Incremental Rules
Load Manager calculates incremental rules against the full load value specified by an administrator: the rule's load is the current count of sessions or users divided by the configured full load value, so a server with 50 sessions and a full load value of 100 reports half load. The rules that use the incremental method to calculate load include:

Application User Load
Limits the number of users allowed to connect to a selected published application. This rule monitors the number of active and disconnected sessions using the published application. The default full load value is 100. This rule does not apply to applications streamed to client devices.

Server User Load
Limits the number of sessions allowed to connect to a selected server. The default full load value is 100 and represents the maximum number of active and disconnected sessions that the server can support. The Server User Load rule is used by the Default load evaluator.
Boolean Rules
Load Manager calculates Boolean rules based on true or false conditions.
The rules that use the Boolean method to calculate load include:

IP Range
Defines the range of allowed or denied client IP addresses for a published application or server. This rule controls access to a published application based on the IP addresses of the client devices.

Scheduling
Schedules the availability of selected published applications or servers. This rule can remove one or more published applications from the list of applications maintained by Load Manager so that server maintenance can be performed.
Boolean rules must be used in conjunction with at least one other rule because they do not return actual load values for a server.
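The load arithmetic described in the Load Calculations section and the rule categories above (moving average rules such as CPU Utilization and Memory Usage, incremental rules such as Server User Load, and Boolean rules), as an added Python model that is not Citrix code. The text gives thresholds, the ten-sample running average, the +/-500 immediate-report trigger and "highest rule value gets the most weight"; everything numeric beyond that is an assumption of this example: load values are on a 0 to 10000 scale with 10000 meaning full load, a moving average rule maps linearly between its no-load and full-load thresholds, an evaluator's rules combine by taking the highest rule value, and a Boolean rule that evaluates false reports full load.

```python
"""Toy model of Load Manager rule arithmetic (added example; not Citrix code).

Assumptions not stated in the course text: 0..10000 load scale (10000 = full),
linear mapping between no-load and full-load thresholds, highest rule value wins
within an evaluator, Boolean false = full load.
"""
from collections import deque

FULL = 10000  # assumed full-load value on the load index


class MovingAverageRule:
    """CPU Utilization, Memory Usage, Disk Data I/O, Page Fault, Page Swap style rules."""

    def __init__(self, name, no_load, full_load, window=10):
        self.name, self.no_load, self.full_load = name, no_load, full_load
        self.samples = deque(maxlen=window)   # the last ten samples form the running average

    def sample(self, value):
        self.samples.append(value)

    def load(self):
        if not self.samples:
            return 0
        avg = sum(self.samples) / len(self.samples)
        if avg >= self.full_load:
            return FULL
        if avg <= self.no_load:
            return 0
        return round((avg - self.no_load) / (self.full_load - self.no_load) * FULL)


class IncrementalRule:
    """Server User Load / Application User Load: current count over the full-load count."""

    def __init__(self, name, full_load):
        self.name, self.full_load = name, full_load

    def load(self, count):
        return min(FULL, round(count / self.full_load * FULL))


class BooleanRule:
    """IP Range / Scheduling: no load value of its own; false removes the server."""

    def __init__(self, name, allowed):
        self.name, self.allowed = name, allowed

    def load(self):
        return 0 if self.allowed else FULL


def evaluator_load(rule_loads):
    """Combine the rule values of one evaluator (assumed: the highest value wins)."""
    return max(rule_loads) if rule_loads else 0


def server_load(server_evaluator_load, app_evaluator_loads=()):
    """The evaluator (the server's or any published application's) with the
    highest value sets the load value reported for the server."""
    return max([server_evaluator_load, *app_evaluator_loads])


def must_report_now(last_reported, current, delta=500):
    """A change of +/-500 is sent to the data collector immediately instead of
    waiting for the periodic five-minute update."""
    return abs(current - last_reported) >= delta


def advanced_style_load(cpu_samples, mem_samples, swap_samples):
    """Advanced-evaluator shape (CPU, Memory, Page Swap at their default thresholds;
    Load Throttling omitted because it only matters during logon)."""
    cpu = MovingAverageRule("CPU Utilization", 10, 90)
    mem = MovingAverageRule("Memory Usage", 10, 90)
    swap = MovingAverageRule("Page Swap", 0, 100)
    for rule, values in ((cpu, cpu_samples), (mem, mem_samples), (swap, swap_samples)):
        for v in values:
            rule.sample(v)
    return evaluator_load([cpu.load(), mem.load(), swap.load()])


if __name__ == "__main__":
    # CPU at 50% and memory at 100%: memory alone pushes the server to full load.
    print(advanced_style_load([50] * 10, [100] * 10, [30] * 10))   # 10000
```

The custom evaluator example later in this module (full load at 115 sessions) drops out directly: `IncrementalRule("Server User Load", 115).load(100)` reports 8696, well below full, whereas the Default evaluator's value of 100 reports 10000 at the same session count.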
The Default load evaluator is attached to each server automatically after XenApp is licensed. The Default load evaluator is based on the Load Throttling and Server User Load rules and functions best when the server hardware in the environment is identical and can adequately support as many as 100 sessions without fully consuming server resources.
The Advanced load evaluator is based on the CPU Utilization, Load Throttling, Memory Usage and Page Swap rules. The Advanced load evaluator or a custom load evaluator should be considered for use in environments:
- When server resources become over-utilized before the maximum number of user sessions specified in the Default load evaluator is reached
- When published applications are CPU- or memory-intensive
- When the server is not able to support 100 sessions because of resource-intensive applications or hardware limitations
- When the server can support more than 100 sessions

The Advanced load evaluator and other load evaluators that include more than one rule calculate their load values by first determining the individual load for each rule within the load evaluator. Load Manager then uses an algorithm to determine the true load value of the server. This algorithm includes all applicable load values and gives the most weight to the load rule with the highest load value. The Default and Advanced load evaluators cannot be modified or deleted; however, an administrator can create custom load evaluators that use the same rules or different rules entirely.
A custom load evaluator is any load evaluator other than the Default or Advanced load evaluator. A custom load evaluator is necessary when the Default or Advanced load evaluators are inadequate for the server hardware or application configuration in the environment. An administrator can create a custom load evaluator containing one or more rules either by creating a new load evaluator or by copying an existing load evaluator and modifying it. To create a new load evaluator, click Load Evaluators in the Delivery Services Console and click New > Add load evaluator.

Creating Custom Load Evaluators Example

The Default load evaluator is attached to a server. The server consistently reports a full load when 100 sessions are running, even though it could easily handle 15 additional sessions. The administrator wants Load Manager to direct 15 additional sessions to the server, so a custom load evaluator is created with the Server User Load full load threshold set to 115.

Creating load evaluators based on a few rules can provide better results than creating complex load evaluators with many rules. However, only one load evaluator can be attached to a server. As a best practice, test new load evaluators before implementing them in a production environment.
Assigning load evaluators to servers is a solution that meets most load management needs, especially in environments with different hardware configurations. Assigning load evaluators to applications can help balance the load when an application has extensive resource requirements. For example, a load evaluator can be assigned to a memory-intensive application so that users are directed only to servers that have enough memory available for that application. Only one load evaluator can be assigned to each server and to each published application.

An administrator should be aware of the following considerations when assigning load evaluators to applications:
- If the Load Throttling rule is included in a load evaluator, it is ignored when that load evaluator is attached to a published application.
- A published application that is installed on a single server does not need to be load managed.
- Published applications that require significant server resources should use load evaluators configured to report full load at a lower threshold than the actual limits of the server.
Load evaluators can be assigned to published applications that are streamed to servers but cannot be assigned to published applications that are streamed to client devices. Applying load evaluators to applications can increase the load on the data collector, consume resources and slow performance. It also adds complexity to the load management process and might not accurately reflect the server load; therefore, applying load evaluators to applications is not a best practice for most environments. To assign a load evaluator to a server, right-click the server in the Delivery Services Console and click Other Tasks > Assign load evaluator. To assign a load evaluator to an application, right-click the application in the Delivery Services Console and click Other Tasks > Attach application to load evaluator.
Load balancing policies are configured in the Delivery Services Console and applied by specifying filters and worker groups.

Filters

Filters specify to whom or to what the policy applies. A load balancing policy remains inactive until a filter is configured. The filter types are:
- Access Control (connections made through Access Gateway)
- Client IP Address
- Client Name
- User
Worker Groups
When a worker group filter is applied to a load balancing policy, connections are made based on worker group preference. The worker group with a priority designation of 1 is ranked highest. When a user opens a published application, the load balancing policy directs the connection to servers in the highest priority worker groups first. Connections are redirected to servers in lower priority worker groups if servers in the higher priority worker groups are offline or have reached maximum capacity. Connections are not directed to servers in worker groups that are not included in the worker group preference list. In addition, if a user attempts to open an application that is not installed on any servers in any of the listed worker groups, regardless of priority, the attempt fails and an error is logged to the Application event log on the data collector. When creating more than one load balancing policy, consider any overlaps and prioritize appropriately. To create a load balancing policy, right-click the Load Balancing Policies node in the Delivery Services Console and click Create load balancing policy.
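The data collector's routing decision from the Load Balancing section (least-loaded server, full-load exclusion, denial when every host is full, session sharing taking precedence) together with the worker group preference list described just above, as one added Python model that is not Citrix code. The farm, its load values and application placement are constructed for the example; the full-load value of 10000 and the representation of a policy as an ordered list of worker groups (priority 1 first) are assumptions.

```python
"""Toy data collector for XenApp-style connection routing (added example; not Citrix code).

Assumptions: load values on a 0..10000 scale, 10000 = full; a load balancing
policy is an ordered list of worker group names, highest priority first.
"""

FULL = 10000

# Constructed farm: current load value, published applications hosted, worker groups.
FARM = {
    "XA01": {"load": 3000, "apps": {"Word", "Excel"}, "groups": {"HQ-WG"}},
    "XA02": {"load": 9000, "apps": {"Word", "Excel"}, "groups": {"HQ-WG"}},
    "XA03": {"load": 1000, "apps": {"Word"},          "groups": {"DR-WG"}},
    "XA04": {"load": FULL, "apps": {"Word", "Excel"}, "groups": {"HQ-WG", "DR-WG"}},
    "XA05": {"load": 200,  "apps": {"Outlook"},       "groups": {"Lab-WG"}},
}


class AllServersFull(Exception):
    """Every server hosting the application reports full load: the request is denied."""


class NotInPreferredGroups(Exception):
    """The application is not installed on any server in the policy's worker groups."""


def least_loaded(candidates, farm):
    """Least-loaded server among candidates that are not at full load, or None."""
    available = [s for s in candidates if farm[s]["load"] < FULL]
    return min(available, key=lambda s: farm[s]["load"]) if available else None


def route(app, farm=FARM, policy=None, existing_sessions=()):
    """Return the server name the plug-in should connect to for `app`.

    existing_sessions: servers where this user already has a session. Session
    sharing takes precedence over load balancing, even on a server at full load.
    policy: worker group preference list (priority 1 first) or None.
    """
    for server in existing_sessions:
        if app in farm[server]["apps"]:
            return server                      # session sharing wins, regardless of load

    hosts = [s for s in farm if app in farm[s]["apps"]]
    if policy is None:
        chosen = least_loaded(hosts, farm)
        if chosen is None:
            raise AllServersFull(app)
        return chosen

    listed = [s for s in hosts if farm[s]["groups"] & set(policy)]
    if not listed:
        raise NotInPreferredGroups(app)        # logged as an error on the data collector
    for group in policy:                       # walk the preference list by priority
        chosen = least_loaded([s for s in listed if group in farm[s]["groups"]], farm)
        if chosen is not None:
            return chosen
    raise AllServersFull(app)                  # every listed host is offline or at capacity


if __name__ == "__main__":
    print(route("Word"))                               # XA03, the least-loaded Word host
    print(route("Excel", policy=["DR-WG", "HQ-WG"]))   # XA01: DR-WG's only Excel host is full
```

Note that a policy narrows the candidate set before load is compared: with the preference list DR-WG then HQ-WG, the request for Excel skips XA04 (full) and falls through to HQ-WG rather than considering every host in the farm, and a request for Outlook under an HQ-WG-only policy fails even though XA05 is nearly idle.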
The Streamed App Delivery rules within load balancing policies can override the delivery method of published applications; therefore, it is important to understand the available options and the consequences of selecting them. When publishing a streamed application, an administrator can choose one of the following published application types:
- Streamed to client
- Accessed from a server: streamed to server
- Streamed if possible; otherwise accessed from a server: installed application
- Streamed if possible; otherwise accessed from a server: streamed to server

The load balancing policy Streamed App Delivery settings include:
- Allow applications to stream to the client or run on a Terminal Server (default)
- Force applications to stream to the client. Clients that do not support streaming or do not match the profiled operating system will not be able to open the application.
- Do not allow applications to stream to the client. If this option is selected and server access is not allowed for an application, such as when it is configured to stream to the client only, the application connection will fail.

If no Streamed App Delivery policy is configured, the delivery method specified in the published application is used.
Preferential Load Balancing gives administrators the ability to prioritize the allocation of CPU shares to specific users and applications and to direct important user sessions to the XenApp server running the fewest number of important sessions. Preferential Load Balancing is available in the Platinum Edition of XenApp only. Administrators can use Preferential Load Balancing to assign one of the following importance levels to specific user sessions and applications: Low, which has a value of 1 Normal, which has a value of 2 (default) High, which has a value of 3 Administrators apply importance levels to specific user sessions based on the user's job function, position within the company or other meaningful criteria such as which application is running. Preferential Load Balancing calculates an importance index based on the resource allotment for each session. The resource allotment is calculated by multiplying the importance levels of both the session and the published application that is running in the session. This determines how many CPU shares that session will receive in comparison with other sessions on the same XenApp server.
The optimal end result is an environment in which important sessions are prioritized, running on servers with few other important sessions, thereby maximizing the user experience.
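The arithmetic above is compact enough to check by hand for one server, but the effect across a farm is clearer when worked through. The following is an added example, not part of the Citrix course material or of XenApp, that computes the resource allotment and the resulting CPU share for each session on a server and picks the server with the fewest important sessions. The importance level values are the ones given in the text; the definition of an "important" session (session or application importance set to High) and the tie-break rule in `choose_server` are this example's assumptions.

```python
# Added example (not from the Citrix course material): Preferential Load
# Balancing arithmetic as described in the text. Resource allotment =
# session importance x application importance; a session's CPU share is its
# allotment divided by the sum of allotments on the same server.
from fractions import Fraction

LOW, NORMAL, HIGH = 1, 2, 3  # importance level values from the text


def allotment(session_importance, app_importance):
    """Resource allotment (importance index) for one session."""
    return session_importance * app_importance


def cpu_shares(sessions):
    """Map session name -> exact fraction of CPU shares on one server.

    sessions: list of (name, session_importance, app_importance) tuples
    """
    if not sessions:
        return {}
    total = sum(allotment(s, a) for _, s, a in sessions)
    return {name: Fraction(allotment(s, a), total) for name, s, a in sessions}


def is_important(session_importance, app_importance):
    # Assumption: a session counts as important when either its own
    # importance or its application's importance is High.
    return HIGH in (session_importance, app_importance)


def choose_server(servers):
    """Pick the server running the fewest important sessions.

    servers: dict of server name -> list of (name, session_importance,
    app_importance). Ties are broken by the lowest total session count and
    then by server name (assumption; the text gives no tie-break rule).
    """
    def key(item):
        name, sessions = item
        important = sum(is_important(s, a) for _, s, a in sessions)
        return (important, len(sessions), name)
    return min(servers.items(), key=key)[0]
```

With three sessions of High/High, Normal/Normal and Low/Low importance on one server, the allotments are 9, 4 and 1, so the High/High session receives 9/14 of the CPU shares and the Low/Low session 1/14. Note that the shares are relative: adding a second High/High session to the same server halves the first one's share, which is why the placement step (fewest important sessions) matters as much as the importance levels themselves.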
Load calculations are completed for both connected and disconnected sessions.
Problem: Load management is not working correctly.
Resolution: Verify that the load evaluators are configured correctly for the environment.

Problem: Load evaluator is showing full capacity, but the server should still be able to accept additional connections.
Resolution: Review load evaluator rules and settings. Re-establish the baseline, if necessary.
Review
1. An administrator can attach load evaluators to which two components in a server farm? (Choose two.)
a. Users
b. Servers
c. Groups
d. Published applications

2. The Default load evaluator is based on which rules?
a. Page Faults, Load Throttling
b. Context Switch, Load Throttling
c. Disk Operations, Load Throttling
d. Server User Load, Load Throttling

3. The Advanced load evaluator is based on which rules?
a. CPU Utilization, Load Throttling, Memory Usage and Page Swap
b. Load Throttling, Memory Usage, Page Swap and Server User Load
c. CPU Utilization, Load Throttling, Page Swap and Server User Load
d. CPU Utilization, Load Throttling, Memory Usage and Server User Load

4. A server to which the Advanced load evaluator is assigned is dropped from the internal list of available servers when which event occurs?
a. When all the rules in the Advanced load evaluator meet their set thresholds
b. When one of the rules in the Advanced load evaluator meets its set threshold
c. When all the rules in the Advanced load evaluator exceed their set thresholds
d. When one of the rules in the Advanced load evaluator exceeds its set threshold

5. An administrator can create a custom load evaluator using which two methods? (Choose two.)
a. By using the Load Manager Monitor
b. By duplicating an existing load evaluator
c. By using the New > Add Load Evaluator menu option
d. By altering the rules in either the Default or Advanced load evaluator

6. An administrator can adjust load evaluator properties ____________. (Fill in the blank with the correct answer.)
a. At any time
b. At the time of creation only
c. For the Advanced load evaluator only
d. Only when the load evaluator is not being used
Module 11
Overview
XenApp includes display and HDX features that help to improve user sessions by optimizing the responsiveness of certain types of published applications and improving connection speed and responsiveness. By the end of this module, given an environment containing XenApp, you will be able to:
- Describe the different session optimization display settings.
- Describe the different XenApp HDX settings.
- Identify the Profile management components.
- Install and configure Profile management.
An administrator can configure the display settings to optimize the transmission and display of graphics on the client device. The following display policy rules are found in the Computer Configuration node of a policy:
- Display memory limit: specifies the maximum video buffer size (in kilobytes) for a XenApp session. By default, the display memory limit is configured to 32,768 kilobytes.
- Degrade preference: specifies whether color depth or resolution degrades first when the session display memory limit is reached. If color depth is configured to degrade first, images are displayed with fewer colors. If resolution is configured to degrade first, the size (in pixels) of the XenApp session is reduced.
- Image caching: retrieves sections of images from the client cache, allowing pages to scroll more smoothly.
- Maximum allowed color depth: specifies the maximum color depth allowed for a XenApp session. By default, the maximum allowed color depth is 32 bits per pixel.
- Degradation notification: displays a message on the client device when the session is degraded as a result of the session display memory limit being exceeded or the client device being unable to support the requested parameters.
- Queued image discarding: discards redundant queued images that are replaced by other images. Configuring this setting can cause animations to become choppy due to dropped frames.
HDX Broadcast Session Reliability is enabled by default and can be configured in the Computer Configuration node of a policy. HDX Broadcast Session Reliability policy rules include:
- Session reliability connections: allows or prevents active sessions from being kept open while network connectivity is interrupted.
- Session reliability port number: specifies the TCP port number for incoming session reliability connections. The default port number is 2598.
- Session reliability timeout: specifies the length of time, in seconds, that the session reliability proxy waits for a client to reconnect before allowing the session to be disconnected. The default timeout is 180 seconds.
HDX RealTime
HDX RealTime enhances real-time communications in a XenApp session by leveraging technologies at the client device and in the datacenter. HDX RealTime features include:
- Webcam support for Windows client devices
- Microsoft Office Communicator support for audio and video conferencing
- Softphone and voice chat support
HDX RealTime is only available for Windows client devices.
The HDX RealTime feature is enabled by default and can be configured in the Computer Configuration node of a policy. HDX RealTime policy rules include:
- HDX MediaStream Multimedia Acceleration: controls and optimizes the way XenApp servers deliver streaming audio and video to users. Enabling this setting increases the quality of audio and video rendered from the server to a level comparable with audio and video played locally on a client device.
- Multimedia conferencing: allows or prevents support for video conferencing applications. To use multimedia conferencing, verify that the HDX MediaStream Multimedia Acceleration policy rule is enabled.
ICA Pass-through connections are not supported. For example, users cannot connect to a multimedia-rich application through a virtual desktop and utilize HDX RealTime. The Client audio redirection policy rule must be enabled to allow for audio input through a microphone.
HDX Plug-n-Play
HDX Plug-n-Play allows users in a XenApp session to interact with portable USB devices that are connected to their client device. Users can connect or disconnect a portable USB device to a XenApp session at any time, regardless of whether the session was started before or after the USB device connection. Supported USB devices include:
- 3D mice
- Digital cameras
- Scanners
- Headsets
- Microphones
- Point-of-sale devices
HDX Plug-n-Play for portable USB devices is enabled by default and can be configured in the Client USB Plug and Play device redirection policy. By configuring this policy, an administrator can specify whether USB devices, such as cameras or point-of-sale (POS) devices, can be used in a XenApp session.
ICA Pass-through connections are not supported. For example, users cannot connect through a virtual desktop and utilize a USB device.
The HDX MediaStream Multimedia Acceleration settings are enabled on all servers in the server farm by default, while audio on the client device is disabled by default. To run multimedia applications in a session, an administrator must enable audio on both the client device and the server. HDX MediaStream Multimedia Acceleration settings can be configured in the Computer Configuration node of a policy. HDX MediaStream Multimedia Acceleration policy rules include:
- HDX MediaStream Multimedia Acceleration: controls and optimizes the way XenApp servers deliver streaming audio and video to users.
- HDX MediaStream Multimedia Acceleration default buffer size: allows the administrator to customize the buffer time based on the capabilities of the client device and the speed of the network. An administrator can accept the default buffer time of five seconds or customize it. Increasing the buffer time creates a smoother user experience but increases memory usage on both the client device and the server. The default buffer time is sufficient in most cases. Values can be set to:
  - 1 to 4 to reduce the memory used for multimedia playback on the server and the client device
  - 6 to 10 to improve multimedia playback in networks with high latency
- A rule that uses the buffer size specified in the HDX MediaStream Multimedia Acceleration default buffer size policy rule.
HDX MediaStream for Flash is enabled by default and can be configured in the User Configuration node of a policy.
HDX MediaStream for Flash policy rules include:
- Flash acceleration: enables or disables rendering of Flash content on client devices instead of on the XenApp server.
- Flash event logging: allows or prevents the recording of Flash events in the Windows application event log.
- Latency threshold: specifies a threshold between 0 and 5000 milliseconds that determines where Flash content is rendered. During startup, HDX MediaStream for Flash measures the latency between the server and the client device. If the latency is under the threshold, HDX MediaStream for Flash renders the Flash content on the client device. If the latency is above the threshold, the XenApp server renders the Flash content. The default threshold is 30 milliseconds.
- Client-side rendering list: lists web sites from which Flash content is allowed to render on the client device. Flash content on unlisted web sites is rendered on the XenApp server. It is not necessary to add the http:// or https:// prefix to the listed URL strings; the prefix is ignored. Wildcards (*) are valid at the beginning and end of a URL string.
- Server-side rendering list: lists web sites from which Flash content is rendered on the XenApp server. Flash content on unlisted web sites is rendered on the client device. The prefix and wildcard rules are the same as for the client-side rendering list. Of the two lists, the client-side rendering list is the restrictive one: with the server-side list, any site that is not explicitly listed is rendered on the client device.
- Flash animation optimization: adjusts the quality of Flash content rendered on session hosts to improve performance. Setting options include:
  - Do not optimize Adobe Flash animation options
  - Optimize Adobe Flash animation options for all connections
  - Optimize Adobe Flash animation options for low bandwidth connections only
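Because the client-side rendering list decides which sites' Flash content runs on the user's device rather than in the datacenter, the matching rules deserve a closer look than the two sentences above give them. The following is an added example, not part of the Citrix course material or of XenApp, that implements the stated rules (prefix ignored, wildcards honoured only at the beginning and end of an entry) together with the latency threshold, and adds a check for entries that match everything. How an entry without wildcards is compared (whole-URL equality) and the comparison against the full URL rather than the host alone are this example's assumptions, not documented behaviour.

```python
# Added example (not from the Citrix course material): list matching and the
# latency threshold for HDX MediaStream for Flash as described in the text.
# Comparison is against the scheme-stripped URL string (assumption).

def normalize(url):
    """Strip the http:// or https:// prefix, which the text says is ignored."""
    for prefix in ("https://", "http://"):
        if url.lower().startswith(prefix):
            return url[len(prefix):]
    return url


def pattern_matches(pattern, url):
    """Match one list entry against a URL.

    '*' is honoured only at the beginning and/or end of the entry, as the text
    states; an entry with no wildcard must equal the whole URL (assumption).
    """
    pat = normalize(pattern.strip())
    target = normalize(url.strip())
    lead, trail = pat.startswith("*"), pat.endswith("*")
    core = pat.strip("*")
    if lead and trail:
        return core in target
    if lead:
        return target.endswith(core)
    if trail:
        return target.startswith(core)
    return target == pat


def render_location(url, client_side_list, latency_ms, threshold_ms=30):
    """Decide where Flash content renders under the client-side rendering list.

    Returns 'client' or 'server'. Content renders on the client device only
    when the measured latency is below the threshold (default 30 ms, as in the
    text) and the site is listed; everything else renders on the XenApp server.
    Latency exactly at the threshold is treated as 'above' (assumption).
    """
    if latency_ms >= threshold_ms:
        return "server"
    if any(pattern_matches(entry, url) for entry in client_side_list):
        return "client"
    return "server"


def overly_broad_entries(client_side_list):
    """Return entries that match every URL (a bare '*' or only wildcards).

    Such an entry silently turns the allow list into 'render everything on the
    client', including content from untrusted sites.
    """
    return [e for e in client_side_list if normalize(e.strip()).strip("*") == ""]
```

Two consequences of the wildcard rule are worth testing before an entry goes into production: `*example.com*` also matches `evilexample.com`, whereas `*.example.com*` does not match `evil-example.com`, so the leading dot is what scopes an entry to one domain; and an entry consisting only of `*` is flagged by `overly_broad_entries` because it would allow client-side rendering from any site.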
SpeedScreen Latency Reduction settings include:
- Mouse Click Feedback: changes the appearance of the mouse pointer from idle to busy after a user clicks a link. This change provides the user with feedback that the system is processing the request. By default, Mouse Click Feedback is enabled and can be configured at the server level using the SpeedScreen Latency Reduction Manager tool.
- Local Text Echo: allows the plug-in to use fonts on the client device to display text as the user types while the plug-in is awaiting the redrawn screen from the server. By default, Local Text Echo is disabled and can be configured at the server and application level using the SpeedScreen Latency Reduction Manager tool. Settings made at an application level override the server settings. Some applications that use non-standard Windows APIs for displaying text may not support Local Text Echo.
SpeedScreen Latency Reduction settings are configured using the SpeedScreen Latency Reduction Manager tool.
HDX 3D Image Acceleration is configured at a medium lossy compression level by default and can be configured in the User Configuration node of a policy.
HDX 3D Image Acceleration policy rules include:
- Lossy compression level: reduces the size of the image file by removing redundant data, which reduces the amount of bandwidth needed to transfer the file. The following table identifies the lossy compression levels.

  Lossy compression level | Image quality     | Bandwidth requirements
  High                    | Low               | Lowest
  Medium (Default)        | Good              | Lower
  Low                     | Best              | Higher
  None                    | Same as original  | Highest

- Lossy compression threshold: enables HDX 3D Image Acceleration compression when the available bandwidth is below the specified threshold.
HDX 3D Progressive Display is an extension of HDX 3D Image Acceleration and can be configured to improve user interactivity when displaying high-detail images. HDX 3D Progressive Display auto-detects the available bandwidth. If bandwidth is limited, the level of compression temporarily increases and the image quality when it is first transmitted over a limited bandwidth connection decreases to provide a fast (low quality) initial display. If the image is not immediately changed or overwritten by the application, it is then improved in the background to produce the normal quality image, as defined by the lossy compression level. The quality of the final image is controlled by the configuration of HDX 3D Image Acceleration.
HDX 3D Progressive Display is disabled by default and can be configured in the User Configuration node of a policy. HDX 3D Progressive Display policy rules include:
- Progressive compression level: provides a less detailed, but faster, initial display than lossy compression. The following table identifies the image quality that results from the selection of each Progressive compression level.

  Progressive compression level | Image quality
  Ultra High                    | Ultra Low
  Very High                     | Very Low
  High                          | Low
  Medium                        | Medium
  None                          | No Progressive Display

  For example, if an administrator sets the Progressive compression level to Very High, the resulting image quality will be Very Low. For progressive compression to be effective, the Progressive compression level must be set higher than the Lossy compression level. For example, if the Lossy compression level is set to "Low," then the Progressive compression level must be set to "Medium" or a value that provides greater compression. If the Lossy compression level is set to "None," then the Progressive compression level can be set to any compression level. These settings should be tested in the environment to ensure that the user is provided with satisfactory image quality.
- Progressive compression threshold value: enables HDX 3D Progressive Display compression when the available bandwidth is below the specified threshold.
- Progressive heavyweight compression: reduces bandwidth further without losing image quality by using a more advanced, but more CPU-intensive, graphic algorithm.
User Profiles
A user profile contains information about the Windows configuration or XenApp session for a specific user. This information can include, but is not limited to, the arrangement of the desktop, screen colors, screen savers, network connections, window size and position, printer connections and mouse settings. Each time a user logs on to a session, the user's profile loads and the environment is configured according to the information in the profile. A user profile consists of the following elements:
- A registry hive
- A set of profile folders stored in the file system
settings and files are discarded when the user logs off from the client device. Mandatory profiles can be created from local or roaming user profiles.
A temporary user profile is issued whenever an error prevents the user's profile from loading properly. Temporary profiles are deleted at the end of each session, and any changes made by a user to desktop settings and files are discarded when the user logs off from the client device.
For more information about user profiles, see the User Profile Best Practices for XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.
applications is necessary. Saving settings for other applications that are not part of the enterprise application set should be avoided. Profile management is available with the Enterprise and Platinum Editions of XenApp.
An administrator can use the following procedure to enable Profile management in a production environment.
1. Download the Profile management package from www.citrix.com.
2. Install the Profile management software on all XenApp servers in the farm. Administrators can install the Profile management software using a distribution tool, such as Citrix Merchandising Server, an imaging solution, streaming technology, a manual installation or an unattended installation.
3. Create a GPO for enabling or disabling Profile management and link it to the OU that contains all of the XenApp servers in the farm.
4. Apply the ADM file included in the Profile management package to the GPO.
5. Configure the settings either through the ADM template in Group Policy or through the INI file included in the Profile management package. Settings include:
   - Processed groups
   - Process logons of local administrators
   - Path to user store
   Citrix recommends configuring the ADM template using Group Policy, if possible.
6. Enable the Profile management policy using the Group Policy Management Console.
For more information about Citrix Profile management, see the Profile management documentation on the http://support.citrix.com/proddocs/index.jsp web site.
The following steps describe how Profile management handles a user's profile:
1. A user starts a session on a XenApp server with Profile management enabled.
2. The Citrix Profile management service determines if the user is a member of the processed group defined in the Profile management ADM file. If the user is a member of the processed group, the Citrix Profile management service attempts to load the user's profile from the user store. If the user is not a part of the processed group, a Microsoft local or roaming profile is assigned to the user.
3. If the user is a member of the processed group, Profile management verifies that the user store contains the user's profile that is managed by Profile management. If the user's profile is not found in the user store, then Profile management migrates the user's local or roaming profile to the user store or creates a new profile from the template profile defined by the administrator.
4. A local profile that is managed by Profile management is copied or streamed from the user store to the XenApp server.
5. Profile management monitors the user's profile and logs any changes to the user's profile by comparing the profile to the Master File Table (MFT) cache file. The MFT cache file is located in the Profile management installation directory by default.
6. Upon user logoff, Profile management exports the changes made to the user's profile back to the user store. Administrators can configure the Profile management ADM file to delete locally cached profiles upon user logoff.
For more information about the Profile management logon and logoff process, see the Profile management documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Problem: Users are unable to utilize multimedia-rich applications during a session.
Resolution: Verify that the latest version of the codec for the multimedia-rich application is installed on the client device.

Problem: Users are unable to view Adobe Flash animations during a session.
Resolution: Verify that the latest version of Adobe Flash Player is installed on the client device. Verify that the latest version of the Citrix online plug-in is installed on the client device.

Problem: Users are not assigned the proper profile after logging on to the client device.
Resolution: Verify that the path to the profile store is configured correctly. Verify that the user is part of the processed group. Process the logons of local administrators, if necessary.
Review
1. If a client device is connected to a XenApp server over a slow connection and the user is experiencing delayed mouse clicks and keyboard response, which type of session optimization technology should be implemented to address this issue?
a. HDX RealTime
b. HDX MediaStream for Flash
c. SpeedScreen Latency Reduction
d. HDX MediaStream Multimedia Acceleration

2. An administrator should publish __________ and enable __________ for users who need to watch videos and require high quality.
a. Firefox, HDX 3D Image Acceleration
b. QuickTime, HDX MediaStream for Flash
c. Outlook, SpeedScreen Latency Reduction
d. RealOne Player, HDX MediaStream Multimedia Acceleration

3. Which three statements about HDX 3D Image Acceleration are correct? (Choose three.)
a. HDX 3D Image Acceleration works best with medical imaging.
b. HDX 3D Image Acceleration can be enabled using a Citrix policy.
c. HDX 3D Image Acceleration removes redundant data from an image file.
d. HDX 3D Progressive Display works in conjunction with HDX 3D Image Acceleration.
e. HDX 3D Image Acceleration provides a high image quality when the compression level is set to high compression.

4. Which statement about HDX MediaStream for Flash is true?
a. It auto-creates printers after the Flash Player launches.
b. It auto-creates printers before the Flash Player launches.
c. It forces the Flash Player to start in a high-quality mode instead of the default low-quality mode.
d. It forces the Flash Player to start in a low-quality mode instead of the default high-quality mode.

5. Which three statements are true concerning HDX Broadcast Session Reliability? (Choose three.)
a. HDX Broadcast Session Reliability reconnects the user without the loss of data.
b. HDX Broadcast Session Reliability resets the user connection upon session interruption.
c. HDX Broadcast Session Reliability reconnects the user without requiring re-authentication.
d. HDX Broadcast Session Reliability tunnels the ICA traffic through the Common Gateway Protocol (CGP) on port 1494.
e. HDX Broadcast Session Reliability tunnels the ICA traffic through the Common Gateway Protocol (CGP) on port 2598.
Module 12
Overview
Providing self-service access to enterprise applications simplifies ongoing user maintenance activities. Allowing users to choose which application they need from a list of approved applications offloads user application management tasks from an administrator. The following technologies make application self-service possible:
- Citrix Receiver: a lightweight software client that runs on user devices, including laptops, desktop workstations and mobile devices. The Receiver allows IT departments to deliver applications and desktops to users as an on-demand service regardless of the location or type of user device.
- Citrix Merchandising Server: a virtual appliance located in the datacenter that manages the setup, distribution and updates of plug-ins for Citrix Receiver. After performing a simple, one-time setup for Citrix Receiver, users automatically receive their plug-ins from Merchandising Server.
- Citrix Plug-ins: plug-ins are integrated into and managed by Citrix Receiver. The following plug-ins enable users to access their applications:
  - Citrix Online Plug-in: enables users to access hosted applications from a desktop or the Web Interface.
  - Citrix Offline Plug-in: enables users to stream applications to their desktops and open them locally.
  - Citrix Dazzle: enables users to select the applications that they use most frequently and place those applications in their Start menu. When a user clicks a selected application, the online plug-in, offline plug-in or App-V client launches the application.
  - Microsoft App-V Client: enables users to access App-V virtualized applications. The Microsoft App-V Client is not a Citrix plug-in but can be used for application delivery with XenApp.
At the end of this module, you will be able to:
- Explain the role of Citrix Receiver.
- Identify the plug-ins managed by Citrix Receiver.
- Install Citrix Receiver for Windows.
- Explain the role of Citrix Dazzle.
- Identify the components of Citrix Merchandising Server.
- Explain the Citrix online plug-in architecture and communication.
Citrix Receiver
Citrix Receiver enables users to access virtual applications and desktops on any device. With Citrix Receiver installed on a device, IT can deliver applications and desktops as an on-demand service with no need to manage the physical device or its location. This model enables IT to effectively operate as a service provider with complete control over security, performance, and most importantly, user experience.
the Merchandising Server are validated with this token, eliminating the need for repeated logons. Because the token prevents subsequent prompts for user authentication credentials, anyone with access to the device can use it; Citrix Receiver is therefore not recommended for shared physical systems. Citrix Receiver for Windows has the following system requirements:
- .NET Framework version 2.0 or later
- One of the following browser versions:
  - Internet Explorer 7.x or Internet Explorer 8.x
  - Firefox version 2.x or 3.x
- One of the following operating systems:
  - Windows XP Professional, 32-bit or 64-bit, SP3
  - Windows Vista, 32-bit or 64-bit, SP2
  - Windows 7, 32-bit or 64-bit
  - Windows Server 2003, 32-bit or 64-bit, SP2
  - Windows Server 2008, 32-bit or 64-bit, SP2
  - Windows Server 2008 R2
Individual plug-ins have separate system requirements, which may differ from those for Citrix Receiver. Users must have administrator privileges on their client device to install Receiver for Windows software from the Download page. The administrator must either grant the users administrator privileges to perform the initial installation or push the Citrix Receiver for Windows installation to the users' client devices. Administrator privileges on the users' client devices are not required after installation is completed.
Citrix Merchandising Server is a virtual appliance, available as a free download, which runs on either Citrix XenServer or VMware ESX. Merchandising Server helps create, deliver and manage a high quality user experience on Windows and Macintosh systems. IT can "merchandise" services in a simple way that seamlessly connects users to virtual applications, desktops and other services, much in the same way retail merchandising managers create a compelling shopping experience for their customers. Merchandising Server provides easy management, setup and distribution of the Citrix Receiver and plug-ins. After performing a simple, one-time setup for Citrix Receiver, users automatically receive their plug-ins from the Merchandising Server.
Citrix Merchandising Server connects to the following components.

Component: Active Directory
Description: Merchandising Server connects to Active Directory to acquire user and group information, which allows the administrator to grant Administrator and Auditor permissions to specific users and create distribution lists for plug-in deliveries.
Protocol: LDAP: 389

Component: Citrix Receiver
Description: Merchandising Server communicates with Citrix Receiver to deliver plug-ins to Windows and Macintosh systems.
Protocol: HTTPS: 443

Component: Citrix Update Service
Description: Merchandising Server communicates with the Citrix Update Service to download new and updated plug-ins posted by Citrix. The Citrix Update Service requires an Internet connection to contact https://citrix.com.
Protocol: HTTPS: 443

Component: Merchandising Server Administrator Console
Description: Administrators configure the Merchandising Server, upload plug-in installation files and schedule deliveries using the Merchandising Server Administrator Console.
Protocol: HTTPS: 443
Citrix Dazzle
Citrix Dazzle is a self-service storefront for enterprise resources that gives users self-service access to the applications, desktops and content that they need to work productively. Dazzle represents a XenApp Services site as a store, which contains resources that users may want to add to their Start menu. Users can add several stores to the Dazzle storefront from the client device. Administrators can also configure stores on the Merchandising Server, which will deliver the URL of the XenApp Services site to Dazzle. When users start Dazzle, the stores contain the resources that were made available by an administrator. Users can then choose exactly what they need, when they need it. They simply browse or search for the resources they require and subscribe with a single click. Administrators can advertise XenApp published applications and services, as well as Microsoft App-V packages for easy, on-demand access by users.
Citrix Dazzle integrates with Citrix Receiver and an existing XenApp infrastructure. The following process describes the communications between Dazzle and other XenApp components when delivering self-service applications to users:
1. Citrix Receiver starts automatically when the user logs on to a client device.
2. The user logs on to the stores that Dazzle is configured to contact. If Dazzle has not been run before, or if the user has not yet subscribed to any applications, Dazzle starts automatically.
3. Dazzle contacts the stores on the Web Interface, which authenticates the user to the XenApp farms that provide the applications for the stores.
4. Dazzle aggregates applications from all the stores into the same interface, displaying only those applications that the administrator has made available for the particular user.
5. The user selects and organizes applications using Dazzle.
6. Shortcuts to the selected applications are added to the user's Start menu.
7. Offline applications that the user subscribed to are downloaded from the XenApp farm to the client device by the Citrix offline plug-in. After downloading is complete, the applications are available for use.
8. The user clicks a shortcut in the Start menu to launch an application. For online applications, the Citrix online plug-in initiates a session with a XenApp server hosting the application. For offline applications, the application starts and runs locally in an isolation environment.
The Dazzle communication process is slightly different on a Macintosh system. Application shortcuts are placed in the Applications folder rather than the Start menu.
Plug-ins
Plug-ins are the components of XenApp that users run on their client devices to access resources published on XenApp servers. A published resource can be an application, content or the desktop of a server. Plug-ins extend the reach of Windows-based, Java-based and UNIX-based applications to virtually any client platform or device. XenApp supports the following plug-ins:
- Dazzle: allows users to select the applications that they use most frequently and place those applications in their Start menu.
- Online plug-in: enables users to access hosted applications from a desktop or the Web Interface.
- Offline plug-in: enables users to stream applications to their desktops (both physical and virtual) and open them locally.
- Microsoft App-V Client: enables users to access App-V virtualized applications.
- Secure remote access plug-in: provides a single point of secure remote access to virtual desktops and applications.
- Profile management plug-in: maintains and consolidates a user's roaming profile.
- Service monitoring plug-in: provides real-time monitoring of the user experience.
- Acceleration plug-in: accelerates and optimizes WAN traffic.
- Communications plug-in: enables the use of EasyCall voice services to call phone numbers from any application using any phone.
- Single sign-on plug-in: provides password security and single sign-on access to Windows and web applications.
Many of these plug-ins have separate versions to support both Windows and Mac users. The following plug-ins provide additional cross-platform support:
- Client for Java: uses a Java applet that provides access to hosted applications from any client device with a standard web browser.
- Linux plug-in: enables users to access hosted applications from a Linux system.
- iPhone plug-in: enables users to access hosted applications from Apple iPhone and iPod Touch devices.
Plug-in Delivery
Administrators have several options for delivering plug-ins to user devices.

Method: Citrix Receiver and the Merchandising Server
Description: Citrix Merchandising Server and Citrix Receiver work together to streamline the installation and management of application delivery to user desktops. Merchandising Server provides the administrative interface for configuring, delivering and upgrading plug-ins for users' client devices. IT can "merchandise" services in a simple way that seamlessly connects users to virtual applications, desktops and other services.

Method: Web Interface
Description: The Web Interface provides users with access to published resources through a standard web browser or through the Citrix online plug-in. When users access a Web Interface site from a Windows-based client device and a plug-in is not detected or the current plug-in on the client device is not up-to-date, the Web Interface site attempts to automatically install a plug-in on the client device.

Method: Group policy
Description: Administrators can use a group policy to distribute plug-ins based on organizational unit, machine name or user name.

Method: Third-party software distribution
Description: Administrators can use a variety of third-party software distribution products to automatically deploy and install plug-ins on client devices.

Method: Manual installation
Description: Administrators can install individual plug-ins on users' systems or upload a plug-in to a web server and direct users to download and install the plug-in on their own. Users may require administrator privileges on their system to install a plug-in.
The Citrix online plug-in for Windows allows users to access their published resources from a familiar Windows desktop environment. Users work with published resources the same way they work with local applications and files. By default, published resources are represented in the Start menu by icons that behave just like local icons. Users can double-click, move and copy icons and create shortcuts in their location of choice.
System Requirements
Administrators can install the Citrix online plug-in for Windows manually or through the Citrix Receiver. The online plug-in for Windows can be installed on client devices that meet the software requirements in the following table.
Component: Operating System
Requirement: Windows Server 2008 R2; Windows Server 2008, 32-bit edition or 64-bit edition; Windows Server 2003, 32-bit edition or 64-bit edition; Windows XP Professional, 32-bit edition or 64-bit edition; Windows XP Embedded; Windows Vista, 32-bit edition or 64-bit edition; Windows 7, 32-bit edition or 64-bit edition
Component: Browser
Requirement: (not preserved in this extract)
The online plug-in can be installed on client devices that meet the following hardware requirements:
- VGA or SVGA video adapter with color monitor
- Windows-compatible sound card for sound support (optional)
- A working network or Internet connection to servers
Installation Considerations
Different enterprises have different corporate needs, and the expectations and requirements for the way users access published resources and virtual desktops can shift as corporate needs evolve and grow. The Citrix plug-ins differ in terms of:
- Access method
- Installation file
- Supported features
For a list of features, see the Receiver and Plug-ins documentation on the http://support.citrix.com/proddocs/index.jsp web site. The following table describes the access methods for the online plug-ins.
Plug-in: Citrix online plug-in
Installation File: CITRIXONLINEPLUGINFULL.EXE
Access Method: Transparent integration of published resources into the user's desktop
Plug-in: Citrix online plug-in - Web
Installation File: CITRIXONLINEPLUGINWEB.EXE
Access Method: Web browser-based access to published resources
The Citrix online plug-in can also be installed through a command line interface, which provides additional options. For more information on command line installation, see the Receiver and Plug-ins documentation on the http://support.citrix.com/proddocs/index.jsp web site.
System Requirements
Administrators can install the Citrix online plug-in for Mac manually or through the Receiver. The online plug-in supports Mac OS X, Version 10.4 and above. Not all combinations of OS version and processor type (Intel-based or PowerPC) support installation through the Citrix Receiver. For more information, see the Receiver and Plug-ins documentation on the http://support.citrix.com/proddocs/index.jsp web site. The Citrix online plug-in for Mac can be installed on client devices that meet the following hardware requirements:
- At least 256MB of RAM
- 29MB of free disk space
- A working network or Internet connection to servers
Installation Considerations
Citrix online plug-in for Mac contains two installation packages. Administrators can install these plug-in installer packages with almost no user interaction.
CITRIX_ONLINE_PLUGIN.DMG: Complete package, with full feature support
CITRIX_ONLINE_PLUGIN_WEB.DMG: Smaller package with limited feature support that can be deployed from a web page. The Citrix online web plug-in for Mac package does not include Dazzle.
System Requirements
The Client for Java can run on client devices that meet the following requirements:
- A web browser with Java 2, Standard Edition Version 1.4.x or 1.5.x, configured to accept signed Java applets
- Network access to the web server that stores the client files
Deployment Considerations
The following resources are required to deploy the Client for Java:
- A copy of the client package, which can be downloaded from the www.citrix.com web site or copied from the Citrix XenApp 6 media. On the web site, the client package is available in the following formats: .ZIP, which is primarily used on Windows systems; .TAR.GZ, which is primarily used on UNIX systems
- A means of decompressing and unpacking the .ZIP or .TAR.GZ package, if downloaded from the web site
- Administrator access to a web server
If deploying the client using the Web Interface, an administrator can configure client deployment options using the Web Interface Management console.
System Requirements
The Citrix Receiver for Linux requires Linux kernel version 2.6.18 or above, with glibc 2.3.4 or above, libcap1 or libcap2 and udev support. In addition, the native client (wfcmgr) graphical user interface depends on OpenMotif 2.3.1. However, if the client is run through the Web Interface or from the command line, then OpenMotif is not required. Systems running the Citrix Receiver for Linux must meet the following requirements:
- 6MB of free disk space for the installed client and up to 13MB if the installation package will be expanded on the disk
- 256 color video display or higher
- A working network or Internet connection to servers
Installation Considerations
Administrators should consider the following points when installing the Citrix Receiver for Linux:
- USB support is enabled only if an administrator is logged on as a privileged user when installing and configuring the Citrix Receiver for Linux. Installations performed by non-privileged users will enable users to access published resources on the server using the Web Interface through one of the supported browsers.
- During installation, administrators will have the option of specifying that GStreamer is enabled for multimedia acceleration. This can be downloaded from the http://gstreamer.freedesktop.org web site. Use of certain codecs may require a license from the manufacturer of that technology.
Problem: Merchandising Server stops allowing connections to the Merchandising Server Administrator Console.
Resolution: Verify that the Merchandising Server virtual machine has enough disk space allotted to it.
Problem: The Citrix Receiver icon does not appear in the notification area after installation.
Resolution: See Citrix Knowledge Base article CTX122987 on the www.citrix.com web site to modify Explorer application compatibility settings.
Review
1. Which plug-in provides a self-service storefront for enterprise resources to users?
a. Dazzle
b. Online plug-in
c. Offline plug-in
d. Communications plug-in
2. From which component does the Merchandising Server obtain new plug-ins to distribute to client devices?
a. XenApp farm
b. Citrix Receiver
c. The Web Interface
d. Citrix Update Service
3. Which component manages plug-ins on a client device, allowing IT to deliver applications and desktops as an on-demand service?
a. Dazzle
b. Citrix Receiver
c. Web Interface
d. Merchandising Server
Module 13
Configuring Printing
Overview
There are several ways to configure printers for use in a XenApp session, and administrators must carefully consider the available options and business needs. The type of printers and the printing environment, as well as user and administrative requirements, can dictate the most suitable method for configuring printers for users. Because applications run remotely and not on local client devices, an administrator must determine users' printing needs and monitor their level of satisfaction with printing services. When a user prints from a published application, the print job originates on the XenApp server. As a result, considering the client printers and network printers in the environment can help formulate the printing strategy. XenApp provides access to enterprise-wide printing management, allowing administrators to control, secure and configure printing using policies. By the end of this module, given an environment containing XenApp, you will be able to:
- Identify key printing concepts and terms.
- Explain the default printing behavior.
- Identify the methods that can be used to provision printers in a XenApp environment.
- Identify the printing pathways and recognize when each should be used.
- Configure client printer auto-creation.
- Recognize the different types of printer drivers.
- Map a client printer driver to a server printer driver.
- Recognize the different universal printing options available and configure the usage of a universal printer driver.
- Import a network print server, add a network printer and specify the default printer for a session.
- Implement workspace control and proximity printing.
- Configure where printing preferences are stored.
- Configure printing bandwidth restrictions.
Printing Concepts
In a XenApp environment, all printing is initiated on the XenApp server by a user from within a session. When a user session ends, the user's workspace is deleted. Therefore, all settings need to be rebuilt at the beginning of each session. As a result, each time a user starts a new session, XenApp must recreate or restore the printers available in the session. When a user clicks Print in a session, XenApp:
- Determines which printers, also referred to as printer objects, to provide to the user
- Restores the user's printing preferences
- Determines which printer is the default for the session
Printing Definitions
The following table contains definitions of printing-related terms.
Network print server: A server that supports network print functionality and is accessible by a UNC path.
Printer object: The printer entry in the Printer and Faxes folder.
Printing device: The physical printer.
Printer driver: Software that formats a print job into native print commands.
Rendering: A printer driver process that converts device-independent graphics into a device-ready print stream.
Spooler: A Windows service responsible for printing.
Spooling: A process by which an application creates a print metafile containing the print job.
Despooling: The background processing of the print metafile, resulting in a device-ready data stream being sent to a print device.
Citrix Print Manager Service (CPSVC.EXE): A Citrix service that manages the creation of printers and driver usage within XenApp sessions.
Print queue: Disk space that holds the output designated for the printer until the printer can receive it.
Document settings: Printing settings such as page orientation that are stored inside a document.
Device settings: Printing settings such as page orientation that are set through the properties of a printer on the client device.
Restored printers: Printers that are customized by the administrator and permanently attached to a client port.
Retained printers: Printers that are created by users and remain available at the start of the next session.
Default printer: The first printer to be auto-created in a session. It can be based on the user's preferred printer on the client device or a locally installed printer on a server.
Legacy printer naming convention: A less secure printer naming convention that provides backward compatibility for Presentation Server 3.0 or earlier.
Proximity printing: A feature that allows administrators to control the assignment of network printers so that the most appropriate printer is presented, based on the location of the client device.
Printer Types
One of the first steps in determining the best method for configuring printers is to determine the types of printers that must be supported.
In a non-XenApp environment, there are two types of printers: local printers and network printers. XenApp introduces a third type of printer, the redirected client printer. When users connect to published resources, their client-side (local) printers are available to them, by default. The type of printer determines where the print metafile containing the print job is processed (spooled). Understanding where the job is spooled can be useful should an issue arise with the spooler service.
Local (Client and Server): Local printers are connected to a client device or server and the local operating system directly spools the print job to a Windows client device or server, by default.
Network (Client and Server): Network printers are connected to a print server and the server operating system directly spools the print job to the print server, by default.
Redirected client: Printers are connected to the client device using a UNC path or a cable. The server operating system spools the print job to the client device.
Printing Security
XenApp provides default security settings that make printer ports unusable outside the session for which they were created. These default security settings ensure that print jobs are routed to the correct printer. In addition, security settings stop users from redirecting another user's client printer to their own port. Printer ports are private to a particular session and cannot be shared across sessions. Even if the client device name is not unique, printers within each XenApp session are individualized and temporary for that session only. For example, in an environment where every client device is assigned the name "Computer," the client printer created within each XenApp session would still be unique because the client printer names are based on the session name and number, not the client device name. In addition, after the user logs off the session, the printers that were created are likewise deleted. As a result, print jobs from client devices cannot be misdirected to the printers defined by another ICA session even though they have the same client device name. In addition, to increase client printing security, access to the client printers is restricted to:
- The account that the Citrix Print Manager Service (CPSVC.EXE) runs in, which is Ctx_cpsvcuser, by default
- Processes running in the SYSTEM account such as the spooler
- Processes running in the user's session
Windows security blocks access to the printer from all other processes on the system. Furthermore, requests for services directed to the print manager must originate from a process in the correct session. This prevents bypassing the spooler and communicating directly with the Citrix Print Manager Service.
- User requirements
- Administrative requirements
- Business needs
Prior to changing the default printing behavior through policies, an administrator should understand basic XenApp printing concepts, including printing definitions, printer types, printing security, printer provisioning, printing pathways and printer driver behavior.
Printer Provisioning
XenApp print environments are highly dynamic because they are typically built during session initialization or application launch. The process by which XenApp makes printers available in a session is known as printer provisioning. An administrator can control printer provisioning and configure which printers users see in their sessions. Administrators can specify the method by which printers are provisioned to users:
User self-provisioning: If an administrator does not want to specify (and administer) user printers, the administrator can prevent printer auto-creation and let users self-provision the printers that are visible from their client devices.
Auto-creation: If an administrator wants to ensure that printers are available when users start their sessions, the administrator should provision printers through auto-creation. Any printer defined on the client device can be auto-created at the beginning of a session. In order for client printers to be auto-created in user sessions, the Client printer redirection policy rule must be enabled in the Citrix policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console. This is the default setting.
The user self-provisioning and auto-creation methods are considered dynamic. Dynamic provisioning is used to describe printers that appear in a session, but are not predetermined and stored. Rather, the printers that are available in a session are determined as the session is built. As a result, an administrator can allow printing configurations to change according to changes in policies, user location and the network.
Administrators can automatically provision network printers to users within XenApp sessions by adding the network printers and configuring the Session printers policy.
There are other ways in which printers can be provisioned, such as through Active Directory policies and logon scripts. These methods do not change how print jobs are handled in user sessions.
User Self-Provisioning
Users may need printers that are not auto-created at the beginning of their sessions. By default, users can add printers in their sessions using the Windows Add Printer wizard on the server or an application that lets them browse to the printers.
Users of thin clients and non-Windows plug-ins, by default, cannot add printers to their sessions. An administrator must publish the ICA Client Printer Configuration tool (PRINTCFG.EXE) for these users. For information about publishing the ICA Client Printer Configuration tool, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site. By allowing users to self-provision printers, administrators may reduce their own overhead, but limit their control over printer provisioning. The lack of administrative control may result in users installing printer drivers that are not approved in the environment.
Retained Printers
After a user adds a printer through user self-provisioning, the printer is known as a retained printer. Retained printers are created again (or remembered) at the start of the next session and route print jobs along the client printing pathway. Retained printers appear in the session on the client device until the client printer within the session is deleted manually, the remembered printer connection is removed from the client's properties store or the client-side printer is inaccessible. A retained printer will show the notation "Auto Retained" in the Comment field of the printer properties. An administrator can prohibit retained printers from auto-creating at the beginning of a session using the Retained and restored client printers policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console.
Printer Auto-Creation
Auto-creation refers to the process that XenApp uses to automatically create printers at the beginning of each session, depending on which printers are configured on the client device and network and the policies that apply to the session. By default, XenApp makes printers available in sessions by creating all printers configured on the client device automatically, including locally attached and network printers. After the user ends the session, the printers for that session are deleted. The next time a session starts, XenApp evaluates the printer creation policies and enumerates the appropriate printers on the client device. An administrator can change the default auto-creation settings to limit the number or type of printers that are auto-created. XenApp can auto-create:
- Locally attached printers, including locally-defined network printers
- Network printers
- Citrix Universal Printer
Printer auto-creation may be the easiest for the administrator to configure, but auto-creating all printers may require extensive processing on the XenApp servers. In addition, maintenance may be required when new printers are added or drivers for the printers are needed on the XenApp servers. By default, native Windows printer drivers are automatically installed on a XenApp server when a client printer is auto-created. When an error occurs during the auto-creation of a printer, it is logged to the Windows Event log on the server. An administrator can control this behavior using the Printer auto-creation event log preference policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console.
At the start of a session, XenApp auto-creates all printers on the client device by default. The administrator can control which, if any, types of printers are provisioned to users and can prevent auto-creation entirely. To ensure that printers auto-create successfully, the following requirements must be met:
- User accounts should not be shared
- Only Windows native or fully tested printer drivers should be installed
- Users should have write access on the server to the %SYSTEMROOT%\SYSTEM32\SPOOL folder
The Auto-create client printers policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console allows an administrator to control printer auto-creation and specify that:
- No printers visible to the client device are created automatically
- Only the default printer for the client device is created automatically
- All non-network printers physically attached to the client device are created automatically
- All printers visible to the client device, including network and locally attached printers, are created automatically at the start of each session
By default, all network printing devices available from the client device are auto-created at the beginning of a session. XenApp always tries to route network print jobs directly from XenApp to the print server and not through the client printing pathway.
Synchronous: Printers are created before the users have access to interact with and use their sessions. The users must wait for all printers to be created in the background before they can perform any activities. Synchronous printer creation should be used:
- When applications require all printers to be created first
- When applications require a stable printing environment
An administrator can enable synchronous printer creation by deselecting the Start this application without waiting for printers to be created option in the application properties.
Asynchronous: Printers are created in the background while the users have control of and are using their sessions. This process minimizes the amount of time it takes before users can work in their applications and does not impact the users because some application activity usually occurs before printing. Asynchronous printer creation is the default setting and is typically used for published applications. An administrator can enable asynchronous printer creation by selecting the Start this application without waiting for printers to be created option in the application properties.
Synchronous or asynchronous printer creation can be specified when publishing an application or afterwards by editing the Client options in the properties of the published application.
Printing Pathways
The term 'printing pathway' encompasses both the path by which print jobs are routed and the location where print jobs are spooled. Both aspects of this concept are important. Routing affects network traffic; spooling affects utilization of local resources on the device that processes the job. All print jobs start on the XenApp server when a user elects to print a document from a published application. In XenApp, print jobs can take two different printing pathways:
Network printing pathway: When network printers are reachable from the XenApp server, an administrator can use policies to route print jobs to network printers. This is accomplished either by leaving the default settings so that the network printer is auto-created or by provisioning the network printer through the Session printers policy rule. Print jobs are routed through the network printing pathway by default; if the network printing pathway is unavailable, the client printing pathway is used.
Client printing pathway: By default, local and redirected client printers route print jobs along the client printing pathway.
Server local printers refer to printing devices that are physically attached to XenApp servers and use the network printing pathway. Server local printers are managed and configured in the same way as network printers and might be appropriate for printing in small farm environments. However, server local printers might not be ideal in enterprise environments because they require the printer drivers to be installed on each XenApp server in the farm and use additional resources on the XenApp servers. The previous diagram shows a server local printing example where printing begins on the XenApp server hosting the user's session and is routed to a printing device attached locally to the server.
An administrator can permit users to print to a printer that is physically attached to a XenApp server by sharing the printer. Sharing the printer allows the creation of the printer when a session is launched on the server. XenApp will not recognize server local printers unless they are shared. Print jobs are redirected through the client printer pathway when the Render print jobs on client computers option is selected.
XenApp routes print jobs to network printers from the XenApp server directly to the print server, along the network printing pathway, by default. An administrator can use the Direct connections to print servers policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to disable the network printing pathway. When print jobs must be routed across a network with limited bandwidth, the print jobs should be routed through the client printing pathway so that the ICA protocol compresses the jobs.
When a print job has been redirected from the network printing pathway to the client printing pathway, the printer will appear in the Print and Document Services role of the Server Manager snap-in on the server with the following syntax:
PrinterName on PrintServer (from clientname) in session n
where:
- PrinterName is the name of the printer being redirected.
- PrintServer is the name of the print server with which the printer is associated.
- clientname is the name of the client through which the print job is being rerouted.
- n is the session ID for the ICA connection.
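As an added example (not Citrix code), the following Python parses the redirected-printer syntax shown above and applies the session-isolation rule from the Printing Security topic: every redirected printer visible inside a session should carry that session's ID, so two client devices both named "Computer" in sessions 3 and 4 resolve to different printer objects. The regular expression and all sample printer, server and client names are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Pattern for the name XenApp shows for a printer redirected to the client
# printing pathway:  PrinterName on PrintServer (from clientname) in session n
# The regex is constructed from that documented syntax. Non-greedy groups and
# the ^/$ anchors keep "(from ...) in session n" as the tail; a printer name
# that itself contains " on " would still be split at its first occurrence.
REDIRECTED_RE = re.compile(
    r"^(?P<printer>.+?) on (?P<server>.+?) \(from (?P<client>.+?)\) in session (?P<session>\d+)$"
)


def parse_redirected_printer(name: str) -> Optional[Dict[str, object]]:
    """Split a redirected printer name into its four fields.

    Returns None when the name does not follow the redirected-printer syntax
    (for example a server local printer or a network printer on the network
    printing pathway), so callers can skip those objects.
    """
    m = REDIRECTED_RE.match(name)
    if not m:
        return None
    return {
        "printer": m.group("printer"),
        "server": m.group("server"),
        "client": m.group("client"),
        "session": int(m.group("session")),
    }


def session_key(name: str) -> Optional[str]:
    """Identity on which a redirected printer object is unique: the client name
    together with the session ID. Devices that share a client name still get
    distinct keys because the session ID differs."""
    fields = parse_redirected_printer(name)
    if fields is None:
        return None
    return f"{fields['client']}#{fields['session']}"


def printers_outside_session(visible: List[str], current_session: int) -> List[str]:
    """Audit check for the session-private printer model.

    Given the redirected printers visible from inside `current_session`,
    return any that are tagged with a different session ID. With the default
    security settings this list is expected to be empty; a non-empty result is
    something an administrator should investigate.
    """
    foreign = []
    for name in visible:
        fields = parse_redirected_printer(name)
        if fields is not None and fields["session"] != current_session:
            foreign.append(name)
    return foreign


# Constructed sample data: two client devices that are both named "Computer".
SAMPLE_SESSION_3 = [
    "Sales Laser on PRINTSRV01 (from Computer) in session 3",
    "Lobby MFP on PRINTSRV02 (from Computer) in session 3",
]
SAMPLE_SESSION_4 = [
    "Sales Laser on PRINTSRV01 (from Computer) in session 4",
]

if __name__ == "__main__":
    for printer_name in SAMPLE_SESSION_3 + SAMPLE_SESSION_4:
        print(session_key(printer_name), parse_redirected_printer(printer_name))
    # Expected to list only the session 4 printer when audited from session 3.
    print(printers_outside_session(SAMPLE_SESSION_3 + SAMPLE_SESSION_4, 3))
```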
Network printers
print server, such as when the XenApp and print servers are on different domains, XenApp automatically routes the print job through the plug-in using the client printing pathway. In addition, the client printing pathway should be used for network printers when the client is connecting across low bandwidth connections such as WANs. This configuration takes advantage of the traffic compression that results from sending jobs over an ICA connection and provides the administrator the ability to limit or restrict the bandwidth allocated for the print jobs. To force print jobs to route through the client printing pathway, select Disabled in the Printing > Client Printers > Direct connections to print servers user policy rule.
The simplest printing configuration in a XenApp environment is one in which the printer is attached directly to the client device. In this configuration, the XenApp server spools the print job and sends it back to the client device. The client device then relays it to a locally attached printer. The previous diagram shows a simplified example of printing from a published resource on a XenApp server to a client local printer.
While client printers are often printers physically attached to client devices, they can also be printers connected to a network print server. In this case, print jobs are routed through the client printing pathway to the print server. The process is the same as printing to a locally attached printer through the client printing pathway. However, instead of sending the job to a printer attached to the client device, the job is sent to the network print server which sends it to the printer. By default, client printers on the network route print jobs through the network printing pathway, not the client printing pathway. The previous diagram shows client printing to a network printer.
Printing to a Network Printer
When a print job is spooled to a network printer along the client printing pathway, it uses the following process:
1. The XenApp server generates a spool file and sends the print job through the ICA protocol to the client device.
2. The client device processes the spooled print job and sends it to the print server.
3. The print server sends the print job to the appropriate network printer.
Where:
- Printername is the name of the printer on the client device.
- Clientname is the unique name given to the client device or the Web Interface.
- n is the session ID of the user's session on the server.
If User Account Control (UAC) is enabled on the XenApp server, the administrator must use the Print Management snap-in in the Microsoft Management Console (MMC) to view the printers.
Printer Drivers
Printer drivers enable the operating system and applications to create device-ready print data streams for specific print devices. Printer drivers vary among manufacturers and models. Not all drivers work as intended in a multi-user (Remote Desktop Services) environment. Using an incorrect printer driver can cause garbled print jobs or print job failure. Administrators are advised to test printer drivers in a test XenApp environment prior to using them in a production environment. The data store keeps track of all printer drivers in the environment. As drivers are added, entries are added in the data store. Because printer drivers can cause instability in a server farm, it is a best practice to only install the necessary printer drivers.
- Enable users to print to most printers. Specialized functionalities may not be available through the universal printer drivers.
- Ensure that client printers auto-create regardless of printer driver availability on the server.
- Reduce the size of some print jobs and reduce delays when spooling print jobs over slow connections.
- Prevent problems with driver maintenance or printing-related issues in a diverse environment.
- Limit the installation and replication of a large set of printer drivers or potentially problematic printer drivers in the server farm.
- Minimize help desk calls.
An administrator should keep the following considerations in mind when configuring XenApp to use universal printer drivers:
- Universal printer drivers work with locally-attached client printers, Citrix Universal Printers and network printers that use the client printing pathway.
- Some universal printer driver features may have reduced functionality for some plug-ins.
- Some features of multi-function printers may not be available with universal printer drivers.
Automatic installation of in-box printer drivers: Controls whether Windows native printer drivers are automatically installed when auto-creating printers. Disabling this policy rule prevents the automatic installation of printer drivers. The Automatic installation of in-box printer drivers policy rule is enabled by default and can result in the installation of a large number of native drivers in the environment.
Printer driver mapping and compatibility: Lists printer driver substitution settings for auto-created printers, identifies which printer drivers can and cannot be used to auto-create client printers and identifies whether the universal printer drivers should be substituted for specific printer drivers. When a user logs on, XenApp checks the compatibility and mapping list before it auto-creates the client printers. If a printer driver is on the list of allowed drivers, the printer is auto-created. If a printer driver is on the list of drivers that are not allowed, the printer is not auto-created unless the universal printer driver is specified for use. To configure this policy rule to prevent printer drivers from being installed, entries must be made for the allowed drivers and another entry must be made using a wildcard (*) for the driver name with the Do not create setting selected. When the compatibility list prevents the setup of a client printer, XenApp writes a message in the event log of the server hosting the user's session.
During logon, each client provides information about its client-side printers, including the printer model name. The XenApp server uses this information to select the appropriate printer driver on the server to use to auto-create the printer. If the printer drivers for the server and client device operating systems have different names for the same driver, XenApp may not recognize that the drivers are the same. This can result in users having difficulty printing or in the failure of printer auto-creation.

An administrator can resolve this issue by overriding, or mapping, the printer driver name that the client device provides to the appropriate driver on the server. Mapping client printer drivers gives published applications access to client printers that use the same drivers as the server but have different driver names. An administrator can configure the Printer driver mapping and compatibility policy rule in the Citrix Policies node of the Group Policy Management Console (GPMC) or the Policies node of the Delivery Services Console by specifying the client printer driver and the server printer driver to substitute for it. A wildcard (*) can be used in the names. For example, to force all HP printers to use a specific server printer driver, HP* can be specified as the driver name. When printer driver mappings are configured, the mappings are retained in the data store database and are available to all servers in the farm. Entries can be prioritized, changed or removed using the corresponding buttons in the policy rule.
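The compatibility list and driver mapping behaviour described above, modelled as an added example that is not code from the courseware or from Citrix. The action labels, the sample driver names and the rule that only * is a wildcard are assumptions; the list is evaluated in priority order and the lock-down pattern (explicit entries, then a * entry set to Do not create) is the one the text describes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Citrix code: models how a prioritized Printer driver
# mapping and compatibility list decides, at logon, whether each client
# printer is auto-created and with which server driver. The action labels,
# driver names and the '*'-only wildcard rule are assumptions.
ALLOW = "Allow"
DO_NOT_CREATE = "Do not create"
USE_UNIVERSAL = "Create with universal driver"
REPLACE_WITH = "Replace with"

UNIVERSAL_DRIVER = "Citrix Universal Printer"  # assumed server-side driver name


@dataclass
class Entry:
    client_driver: str                   # client driver name; may contain a wildcard (*)
    action: str
    server_driver: Optional[str] = None  # driver to substitute; only for REPLACE_WITH


@dataclass
class ClientPrinter:
    name: str
    driver: str  # printer model/driver name the plug-in reports at logon


@dataclass
class Decision:
    printer: str
    created: bool
    driver: Optional[str]
    reason: str


def matches(driver: str, pattern: str) -> bool:
    """Wildcard match in which only '*' is special; driver names are compared
    case-insensitively as on Windows (assumption)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, driver, re.IGNORECASE) is not None


def decide(printer: ClientPrinter, entries: List[Entry]) -> Decision:
    """The list is walked in the administrator's priority order; the first
    entry whose pattern matches the client driver name decides the outcome."""
    for entry in entries:
        if not matches(printer.driver, entry.client_driver):
            continue
        if entry.action == ALLOW:
            return Decision(printer.name, True, printer.driver,
                            f"allowed by entry '{entry.client_driver}'")
        if entry.action == REPLACE_WITH:
            return Decision(printer.name, True, entry.server_driver,
                            f"'{printer.driver}' mapped to '{entry.server_driver}'")
        if entry.action == USE_UNIVERSAL:
            return Decision(printer.name, True, UNIVERSAL_DRIVER,
                            f"universal driver substituted by entry '{entry.client_driver}'")
        if entry.action == DO_NOT_CREATE:
            return Decision(printer.name, False, None,
                            f"blocked by entry '{entry.client_driver}'")
        raise ValueError(f"unknown action {entry.action!r}")
    # With no matching entry nothing prevents auto-creation with the reported driver.
    return Decision(printer.name, True, printer.driver, "no entry matched")


def auto_create(printers: List[ClientPrinter], entries: List[Entry],
                event_log: List[str]) -> List[Decision]:
    """Evaluate every client printer reported at logon; when the list prevents
    setup, record the message XenApp would write to the server's event log."""
    decisions = []
    for printer in printers:
        decision = decide(printer, entries)
        decisions.append(decision)
        if not decision.created:
            event_log.append(f"Client printer '{printer.name}' not created: {decision.reason}")
    return decisions


# Constructed sample: the lock-down pattern from the text, namely explicit
# entries for the drivers that may be used, then a '*' entry set to Do not create.
SAMPLE_LIST = [
    Entry("HP LaserJet 4*", ALLOW),                             # native driver already on the server
    Entry("HP*", REPLACE_WITH, "HP Universal Printing PCL 6"),  # every other HP model mapped to one server driver
    Entry("Lexmark*", USE_UNIVERSAL),                           # no native driver wanted; use the universal driver
    Entry("*", DO_NOT_CREATE),                                  # everything else is refused
]

SAMPLE_PRINTERS = [
    ClientPrinter("Office LaserJet", "HP LaserJet 4000 Series PCL"),
    ClientPrinter("Home DeskJet", "HP DeskJet 990C"),
    ClientPrinter("Lobby MFP", "Lexmark X543 PS"),
    ClientPrinter("Label printer", "Brother QL-570"),
]

if __name__ == "__main__":
    log: List[str] = []
    for d in auto_create(SAMPLE_PRINTERS, SAMPLE_LIST, log):
        print(f"{d.printer:16} created={d.created!s:5} driver={d.driver!r:32} ({d.reason})")
    for line in log:
        print("EVENTLOG:", line)
```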
An administrator can use the Windows Print Management snap-in to manage the drivers, ports and printers on a print server. For information about using the Print Management snap-in, refer to Microsoft documentation for the operating system. The Print and Document Services role must be installed on the server to add the Print Management snap-in to the Microsoft Management Console.
Configuring a printer to use a universal printer driver improves server performance, reduces the number of drivers required on the XenApp servers and decreases the complexity of printer administration. However, configuring a universal printer driver will not improve session start time because the printers on the client device are still enumerated and auto-created at the beginning of sessions. In addition, a Citrix Universal Printer Driver may create smaller print jobs than older or less advanced print drivers but may not be able to optimize print jobs as well as a device-specific printer driver.
Users can view the options of a client printer created with a universal printer driver through the properties of the printer. Other universal printer driver formats are available for client devices:
- PCL5c, which is primarily used by older applications that are not compatible with the EMF instructions within the new universal printer driver
- PCL4, which is used for older printers and for non-Windows client devices, such as Mac and UNIX
- PS, which is used by non-Windows client devices, such as Mac and UNIX
Non-Windows client devices should use the PS universal printer drivers. By default, the Citrix Print Manager Service engages the EMF driver and then falls back to PCL5c, PCL4 and PS in turn, based on the client device.
Print Preview
The EMF-based and XPS-based Citrix Universal Printer Drivers provide the following ways to preview and select print settings:
- The EMF-based Citrix Universal Printer Driver allows a user to preview a print job using the Citrix Print Previewer. The Local Settings button in the Citrix Print Previewer can be used to select a different printer, control the device settings for the printer hardware and preview the print job. An administrator can control whether or not the Local Settings button is available to users. If users are not allowed to change their printer through the Local Settings button, the print job prints to the default printer on the client device. The Citrix Print Previewer cannot be controlled by an administrator unless users have Citrix Presentation Server Client, version 10.100 or later, the Citrix XenApp Plug-in for Hosted Apps, version 11.x, or the Citrix online plug-in.
- The Citrix XPS Universal Printer Driver allows a user to preview a print job using Internet Explorer. The Print Preview button displays the print job in the Microsoft XPS "electronic paper" format.

A user can follow this procedure to preview and print a document.
1. Open the Print screen (CTRL+P).
2. Select the client printer that is auto-created using the universal printer driver.
3. Click Properties in the Print dialog box.
4. Select Preview on client and click OK.
5. Click OK to view the document in the EMF Viewer application.
6. Use the navigation buttons to view the pages of the document:
   < = Page Up
   > = Page Down
   << = Home
   >> = End
7. Click the printer icon to select the printer.
8. Select the pages and number of copies to print.
9. Click Print.
The Print Preview feature is disabled by default. The User > Printing > Universal Printing > Universal printing preview preference policy must be configured to enable the feature.
The Citrix Universal Printer is a generic printer that is not tied to any specific printer on the client device. It can be used to print through the client to any client-side printer. An administrator can specify that the Citrix Universal Printer be auto-created for a single printer or for each printer on the client device. When the Citrix Universal Printer is enabled, the printer is created in the session with the name Citrix UNIVERSAL Printer in session <number>, where <number> is the session number. The printer name is the same for all users with the exception of the session number. This makes it easier for users who reconnect from different client devices and can prevent issues with applications that rely on the printer name.

The Citrix Universal Printer can be made available to all sessions that use a Citrix online plug-in. In addition, the Citrix Universal Printer can be the only printer that is auto-created in the session or can be auto-created along with other client printers and session printers. The Citrix Universal Printer will not auto-create if Legacy printer names are specified in the Client printer names policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console.

An administrator can prevent the auto-creation of printers on the client device so that only the Citrix Universal Printer can be used in sessions. To implement this configuration, the Citrix Universal Printer should be enabled through the policy and the Auto-create all client printers policy rule must be configured with the Do not auto-create client printers setting selected.
An administrator can use the following policy rules in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to control the usage of the Citrix Universal Printer Drivers:

Universal driver priority
Specifies the order in which XenApp attempts to use the universal printer drivers, beginning with the first entry in the list. An administrator can add, edit or remove drivers and change the order of the drivers in the list.

Universal printing
Specifies when to use universal printer drivers instead of native Windows printer drivers.

Universal printing preview preference
Specifies whether to use the print preview function for a Citrix Universal Printer or auto-created printers that use a Citrix Universal Printer Driver.

Auto-create generic universal printer
Enables or disables the auto-creation of a Citrix Universal Printer printing object. By default, generic universal printers are not auto-created.

Citrix universal printing can be used with Citrix Presentation Server 4.0 through Citrix XenApp 6 and the following client software:
- Citrix Presentation Server Client, version 9.x or version 10.x
- Citrix XenApp Plug-in for Hosted Apps, version 11.x
- Citrix online plug-in
An administrator can use the Session printers policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to add a network printer. Within the Session printers policy rule, an administrator can add a network printer by:
- Specifying the printer UNC path in the \\servername\printername format
- Browsing to a printer on the network
- Browsing for printers on a specific server by typing the server name using the \\servername format

The server merges all enabled Session printer settings for all applied policies, starting from the highest to the lowest priority. When a printer is configured in multiple policies, the customized settings are taken only from the highest priority policy object in which that printer is configured.

An administrator can use the Session printers policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to specify the following printer settings for a network printer:
- Paper size
- Copy count
- Collation setting
- Print quality
- Orientation (portrait or landscape)

An administrator can ensure that the printer settings are reset to these specific settings for all sessions by selecting the Apply customized settings at every logon option. This results in user customization of the printer settings for the printer being valid only in the current session.
The printer that XenApp selects as the default session printer can be:
- A client printer
- A network printer that has been added through the Session printers policy rule

An administrator can use the Default printer policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to set the default printer for a session using the following settings:

Do not adjust the user's default printer
Uses the Remote Desktop Services (Terminal Services) or Windows user profile to determine the default printer. The default printer will be the first printer auto-created in the session, which can be the:
- First printer added locally to the server
- Default printer on the client device
This setting does not save the default printer choice in the profile and does not change according to other session or client properties. An administrator can use this setting along with the Session printers policy rule to configure proximity printing, which is the ability for roaming users to print to the nearest network printer.

Set default printer to the client's main printer
Uses the printer set as the default printer on the client device as the default printer in sessions. Windows group policies and Remote Desktop Services (Terminal Services) settings can disable the mapping of the main printer on the client.
Proximity Printing
This feature allows an administrator to control the assignment of network printers for mobile workers so that the most appropriate printer is presented, based on the location of the client device.
Proximity printing can make printer administration easier even if mobile workers do not exist in the environment. For example, if a user moves from one department or floor to another, the administrator will not need to assign additional printers to that user, if proximity printing is implemented. When the client device is recognized within the IP address range of the new location, it has access to all network printers within that range. However, if an administrator configures proximity printing, the Session printer policy must be maintained as network printers are added or removed, or the DHCP IP address ranges for floors or departments are changed.
Proximity printing is enabled through the Session printers policy rule in the Citrix Policies node of the GPMC or the Policies node of the Delivery Services Console. Proximity printing requires that the policy be filtered based on some type of geographic indicator (IP address). The ability to configure proximity printing assumes that the network is designed as follows:
- DHCP addressing is used to assign IP addresses based on location (for example, the floor of a building).
- All departments/floors within the company have unique designated IP address ranges.
- Network printers are assigned IP addresses based on the department/floor in which they are located.

To configure proximity printing, the administrator should:
1. Create a separate policy for each subnet or geographic location to correspond with each printer location.
2. Add the printers in that subnet or geographic location to the Session printers policy rule.
3. Set the Default printer policy rule to use the Do not adjust the user's default printer setting.
4. Filter the policies by client IP address.
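The Session printer merge rule (highest to lowest priority, customized settings from the highest-priority policy that names the printer) together with the per-location policies that proximity printing relies on, as an added example that is not code from the courseware or from Citrix. The policy fields, the lower-number-is-higher-priority convention, the UNC paths and the sample subnets are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example, not Citrix code: models the Session printers policy rule with
# per-location (proximity) policies filtered by client IP address. The policy
# fields, priority convention and the sample addresses are assumptions.


@dataclass
class PrinterSettings:
    paper_size: str = "A4"
    copy_count: int = 1
    collate: bool = True
    print_quality: str = "Normal"
    orientation: str = "Portrait"


@dataclass
class SessionPrinter:
    unc_path: str  # \\servername\printername
    settings: PrinterSettings = field(default_factory=PrinterSettings)


@dataclass
class Policy:
    name: str
    priority: int                            # lower number = higher priority (assumption)
    enabled: bool
    printers: List[SessionPrinter]
    client_ip_filter: Optional[str] = None   # CIDR range; None means the policy applies to every client


def applied_policies(policies: List[Policy], client_ip: str) -> List[Policy]:
    """Enabled policies whose client IP filter (if any) matches, highest priority first."""
    ip = ipaddress.ip_address(client_ip)
    matched = [
        p for p in policies
        if p.enabled and (p.client_ip_filter is None
                          or ip in ipaddress.ip_network(p.client_ip_filter, strict=False))
    ]
    return sorted(matched, key=lambda p: p.priority)


def merge_session_printers(policies: List[Policy], client_ip: str) -> List[SessionPrinter]:
    """Merge the Session printer settings of all applied policies from highest to
    lowest priority. A printer named in several policies takes its customized
    settings only from the highest-priority policy that names it."""
    merged: Dict[str, SessionPrinter] = {}
    for policy in applied_policies(policies, client_ip):
        for printer in policy.printers:
            key = printer.unc_path.lower()   # UNC paths are case-insensitive
            if key not in merged:
                merged[key] = printer
    return list(merged.values())


# Constructed sample: one policy per floor (each floor has its own DHCP range),
# plus a farm-wide policy that applies to every client.
FLOOR_POLICIES = [
    Policy("Floor 1 printers", priority=2, enabled=True,
           printers=[SessionPrinter(r"\\print01\floor1-mfp")],
           client_ip_filter="10.1.1.0/24"),
    Policy("Floor 2 printers", priority=3, enabled=True,
           printers=[SessionPrinter(r"\\print01\floor2-mfp")],
           client_ip_filter="10.1.2.0/24"),
    Policy("Farm-wide printers", priority=10, enabled=True,
           printers=[SessionPrinter(r"\\print01\hq-color"),
                     SessionPrinter(r"\\print01\floor1-mfp",
                                    PrinterSettings(orientation="Landscape"))]),
    Policy("Retired print server", priority=1, enabled=False,
           printers=[SessionPrinter(r"\\oldprint\legacy")]),
]

if __name__ == "__main__":
    for client in ("10.1.1.42", "10.1.2.7", "192.168.5.5"):
        printers = merge_session_printers(FLOOR_POLICIES, client)
        print(client, [(p.unc_path, p.settings.orientation) for p in printers])
```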
Printing Preferences
In a XenApp environment, when users modify printing settings, the settings are stored in the following locations:
- On the client device: The settings are set on the client device by selecting Printing Preferences for a printer in the Printers folder on the client device. For example, if Landscape is selected as the page orientation and saved, it becomes the default page orientation preference for that printer. This type of preference is known as device settings.
- In a document: In word-processing and desktop-publishing programs, settings such as page orientation are often stored inside documents. These settings are often referred to as document settings. Document settings appear by default the next time the user prints that document. Device settings are treated distinctly from, and usually take precedence over, document settings.
- From changes a user made during a session: The settings are set within the session by selecting Printing Preferences for an auto-created printer in the Printers folder within the session.
- On the server: These are the default settings associated with a particular printer driver on the server.

If an administrator wants to control printing preferences, it is important to understand that the settings preserved in any Windows-based environment vary according to where the user made the changes. This means that the printing settings can differ between applications within the same session or between sessions.
Printing Properties
Printing properties are a combination of:
- Printing preferences, which are settings configured within the session by selecting Printing Preferences for an auto-created printer in the Printers folder within the session
- Printing device settings, which are settings configured on the client device by selecting Printing Preferences for a printer in the Printers folder on the client device

By default, changes users make to the printer preferences and settings for a printer, whether on the local client device or in a session, are saved and used both locally and in a session. This means that printer preferences and settings are the same on the client device and in a session.
By default, XenApp attempts to store the printing properties on the client device. If the client does not support this operation, XenApp stores the printing properties in the user profile for that user. By default, sessions from non-Windows clients and older Windows clients use the user profiles on the server for printing properties retention. The following factors can affect how an administrator configures the Printer properties retention policy rule using the Citrix Policies node of the GPMC or the Policies node of the Delivery Services Console:
- If a client prior to Citrix Presentation Server Client, version 9.x is used, printing properties cannot be stored on the client device.
- If a mandatory profile is used, the printing properties must be stored on the client device.
- If a roaming profile is used, the printing properties must be stored in the user profile.
- If applications are load balanced in a large farm, local profiles will provide users with an inconsistent printing experience. To correct this issue, printing properties must be saved on the client device.

If none of these factors apply, Citrix recommends that the printing properties be stored on the client device, if possible, and otherwise stored in the user profile; this is the default setting. This is the easiest way to ensure consistent printing properties.

An administrator can use the Printer properties retention policy rule in the Citrix Policies node of the Group Policy Management Console or the Policies node of the Delivery Services Console to configure where printer properties are stored. Printer properties can be:

Held in profile only if not saved on client
Stores printer properties on the client device, if available, or if not, in the user profile. This is the default setting. Although this option is the most flexible, it can also slow logon time and use extra bandwidth to perform the necessary system checking. This option provides backward compatibility with prior versions of XenApp and its plug-ins.

Saved on the client device only
Stores printer properties only on the client device. This option should be used if users are assigned a mandatory profile or roaming profile.

Retained in user profile only
Stores printer properties in the user profile on the server and prevents the exchange of any properties with the client device. This option requires the use of a roaming profile and reduces network traffic, making it an ideal choice for connections with:
- Bandwidth constraints
- Presentation Server, version 3.0 or earlier
- Presentation Server Clients, version 8.x or earlier
These products are no longer supported.

Does not retain printer properties, and the user must configure the desired printer properties each time
To obtain printer properties directly from the printer itself, rather than from the properties store, an administrator can edit the printer preferences in the Registry. For more information about synchronizing the printer properties, refer to the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Printing Bandwidth
While printing files from published applications to client printers, other virtual channels, such as video, may experience decreased performance due to competition for bandwidth. This performance degradation is magnified if users are accessing servers through slower networks or dial-up connections. To prevent such degradation, an administrator can limit the bandwidth used by client printing. If a printer bandwidth limit is configured in a policy, it is always enforced, even when no other virtual channels are in use. By limiting the data transmission rate for printing, an administrator can make more bandwidth available in the ICA data stream for the transmission of video, keystrokes, mouse data and more. Making additional bandwidth available can help prevent degradation of the user experience during printing.

An administrator can configure printing bandwidth in client sessions using the following policy rules:

Printer redirection bandwidth limit
This policy rule can be used to enable and disable the printing bandwidth limit using the Citrix Policies node of the GPMC or the Policies node of the Delivery Services Console.

This policy rule can be used to specify the percentage of total bandwidth that can be used for printing. In addition, the Overall session bandwidth limit policy rule must be enabled before this rule will have an effect on the bandwidth used by printing.

An administrator can use the Citrix Session Monitoring and Control Console, included in the WFAPI SDK, to obtain real-time information about printing bandwidth. The print spooling virtual channel control, that is, the CTXCPM Client printer mapping virtual channel control, allows an administrator to set a priority and bandwidth limit for bandwidth control of the virtual channel.
__ Printer properties retention
__ Turn off client printer mapping
__ Legacy client printers
__ Print job routing

b. A rule that controls whether network printer jobs flow directly from the XenApp server to the print server or take an extra step and are routed back through the client device
c. A rule that controls whether printer properties are stored on the client device or in the user profile
d. A rule that disables the mapping of all client printers
e. A rule that controls the auto-creation of all, local, default or no client printers
Verify that the client device/Windows Terminal has the latest software/firmware installed.

Issue: Print jobs are garbled or fail to print.
Resolution:
- Verify that the printer driver name for the client is the same as the printer driver name for the server. If not, map the driver names.
- Remove the incompatible printer driver, restart the Citrix Print Manager Services and use the Citrix Universal Printer Driver instead. Consider restarting the Citrix Print Manager Services after regular business hours because the restart will discard all current print jobs on the server.

Issue: Network printers are not available in the session.
Resolution:
- Verify that the Session printers policy rule is applied to the session. By default, policies are applied to all sessions unless a filter is used to limit the application.
- Verify that a higher priority policy is not preventing the use of the printer.
- Use the NET USE command from the client device to verify that the user has permissions to the print server.

Issue: Session appears to hang at startup when users are disconnected from the network.
Resolution: Verify that network printers are attempting to auto-create for the user and then set the Auto-create client printers policy rule to Auto-create local (non-network) client printers only for mobile users.

Issue: The Ctx_CpsvcUser account becomes corrupt.
Resolution: Use the information available in the CTX113555 Knowledge Base article on www.citrix.com.

For additional printing troubleshooting tips, see the CTX107137 and CTX113261 Knowledge Base articles.
Review
1. Which type of printer is accessed as a shared resource and connected to the network by means of a print server?
a. Network printer
b. Client local printer
c. Server local printer
d. Client network printer

2. Which statement concerning printing in a XenApp environment is true?
a. Auto-created network printers are identified only by their printer name.
b. Printer properties can be stored on the client device or in the user profile.
c. Auto-created client local printers are identified only by their printer name.
d. By default, only the default client printer is automatically created during logon.

3. Which statement is NOT a benefit of implementing the Universal printing policy rule?
a. It limits which printers users can access.
b. It reduces printer driver maintenance issues.
c. It ensures that client printers are auto-created regardless of printer driver availability on the server.
d. It reduces the size of some print jobs and reduces delays when print jobs are spooled over slow connections.

4. Which printer drivers are installed by default on a XenApp server?
a. No printer drivers
b. HP printer drivers
c. Universal printer drivers
d. Those designated during installation

5. Printer bandwidth limitations can be set using which two methods? (Choose two.)
a. Worker group properties
b. Published application properties
c. Policies in the Delivery Services Console
d. Citrix Policies in Group Policy Management Console
Module 14
Securing XenApp
Overview
Security is a crucial component of any production environment, including environments containing XenApp. Depending on the security needs of the environment, an administrator can incorporate several Citrix-specific security measures. By the end of this module, you will be able to:
- Identify the components of a comprehensive XenApp security solution.
- Describe the SSL Relay communication flow.
- Secure XenApp communications using SSL Relay.
- Describe the benefits of using Citrix Access Gateway in a XenApp environment.
- Secure application access using Access Gateway.
- Avoid or resolve common security configuration missteps with simple solutions.
SSL Relay
SSL Relay can secure:
- End-to-end communication between client devices and XenApp servers using encryption
- Communication with servers that host the Citrix XML Service
SSL Relay cannot be used with Network Address Translation (NAT) when the IP addresses of servers must be hidden or when access must be secured at a DMZ.

Citrix Access Gateway can secure:
- Environments of all sizes
- Access to servers and resources in a server farm through endpoint scans and policies
- Access by users in locked-down environments such as Internet cafes
- Access from unknown or non-corporate devices
Citrix Access Gateway is a secure access solution that provides administrators with application control while empowering users with access from anywhere. With flexible deployment options and a single point of management, IT administrators set policies, which are based on roles, devices, and networks, to control access and users' actions, ensuring better security and compliance management.
For more information about Citrix Access Gateway courses, visit the http://www.citrixeducation.com web site.
SecureICA
SecureICA (ICA encryption) guards against the threat of eavesdropping by encrypting the information sent between XenApp servers and client devices. In the unlikely event that an attack succeeds, SecureICA encryption ensures that the attacker sees only screen commands and does not see sensitive information. Although SecureICA encryption prevents eavesdropping, it does not authenticate the identity of XenApp servers as SSL/TLS does. Information is susceptible to man-in-the-middle attacks, particularly if the plug-in traffic is crossing a public network. As a result, SecureICA encryption should be used for internal networks only and should be considered as one aspect of a more comprehensive security policy.
The client device and the web server running the Web Interface are allowed access to a XenApp server with SSL Relay after confirming the server certificate against a list of trusted certificate authorities. After authentication of the server certificate occurs, all requests are negotiated in an encrypted form. SSL Relay decrypts the requests and passes them to the XenApp server. The XenApp server then uses SSL Relay to encrypt any data being sent to the client device and the web server running Web Interface. Message integrity checks in SSL Relay verify that each communication has not been tampered with.
Access Gateway
Access Gateway is a universal SSL VPN appliance that can be used to secure client connections to XenApp and XenDesktop environments as well as to provide secure access to other internal network resources. Access Gateway is available both as a hardware appliance and as a virtual appliance. Access Gateway provides the following benefits:
- A secure and scalable device
- SmartAccess technology, which allows administrators to control access based on user and endpoint device characteristics
- Secure remote access to hosted applications and desktops from the Internet

XenApp connections through Access Gateway do not require concurrent user (CCU) licenses. Full VPN connections and endpoint analysis require the Access Gateway universal license, which is included in XenApp Platinum. The Access Gateway hardware appliance must be purchased separately. For complete information on using Access Gateway with XenApp, refer to the Access Gateway documentation on the http://support.citrix.com/products/index.jsp web site.
Access Gateway in the DMZ and Web Interface in the internal network
In this deployment scenario, the Access Gateway is located in the DMZ and the Web Interface is deployed behind the firewall, within the internal network.

Benefits
- IIS is not located in the DMZ and is more secure behind the firewall in the internal network.
- Only one Web Interface instance is required for both internal and external users.

Drawbacks
- Access Gateway does not perform authentication. Therefore, encrypted but unauthenticated traffic can enter the internal network to reach the Web Interface.
Figure 14-1: Access Gateway in the DMZ and Web Interface in the internal network
It is important to consult with a security expert to determine an appropriate security strategy for the organization. In general:
- Carefully consider whether the Web Interface should be located in the DMZ or in the internal network.
- If the Web Interface is placed in the DMZ, use Citrix SSL Relay to secure the Citrix XML traffic.
The following process provides an overview of the communications when Access Gateway is deployed in a XenApp environment.
1. The user navigates to the Access Gateway entry point. Access Gateway optionally runs an endpoint analysis scan before authentication. If the scan is successful, Access Gateway presents the authentication page to the user.
2. The user authenticates to Access Gateway. If authentication is successful, the credentials and endpoint analysis scan results are forwarded to the Web Interface, which passes the results to XenApp.
3. The user clicks a published application and the request is sent to the Web Interface.
4. The Web Interface generates an ICA file that includes a session ticket generated by the Secure Ticket Authority (STA).
5. The plug-in on the client device processes the ICA file and presents the ICA session ticket to Access Gateway.
6. Access Gateway validates the ticket. If the ticket is valid, the STA responds with the IP address of the XenApp server hosting the published application.
7. Access Gateway establishes a connection between the plug-in on the client device and the XenApp server.
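Steps 4 to 7 above as an added, simplified model that is not code from the courseware or from Citrix: the Web Interface obtains a ticket for the internal server address, the client receives only the ticket and the gateway name, and the gateway redeems the ticket once with the STA. The ticket format, its lifetime, the ICA file keys and the class and method names are assumptions; the sample addresses are constructed.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Added example, not Citrix code: a simplified model of the STA ticketing
# exchange. Ticket format, lifetime, ICA file keys and class/method names are
# assumptions; the point is what each party learns.

TICKET_LIFETIME_SECONDS = 100.0  # assumed validity window for an unused ticket


@dataclass
class IssuedTicket:
    target: str          # internal XenApp server address the ticket stands for
    expires_at: float


class SecureTicketAuthority:
    """Keeps the only copy of the ticket-to-server mapping."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._tickets: Dict[str, IssuedTicket] = {}

    def request_ticket(self, target_server: str) -> str:
        # Called by the Web Interface (step 4): an opaque, unguessable ticket.
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = IssuedTicket(target_server, self._now() + TICKET_LIFETIME_SECONDS)
        return ticket

    def validate(self, ticket: str) -> Optional[str]:
        # Called by the Access Gateway (step 6). A ticket is consumed on first
        # use, so a replayed or expired ticket yields no address.
        entry = self._tickets.pop(ticket, None)
        if entry is None or self._now() > entry.expires_at:
            return None
        return entry.target


class WebInterface:
    def __init__(self, sta: SecureTicketAuthority, app_servers: Dict[str, str],
                 gateway_fqdn: str):
        self._sta = sta
        self._app_servers = app_servers   # published app -> server (the XML Service lookup)
        self._gateway = gateway_fqdn

    def generate_ica_file(self, app: str) -> Dict[str, str]:
        # Step 4: the ICA file names the gateway and the ticket, never the internal server.
        server = self._app_servers[app]
        return {
            "InitialProgram": app,
            "SSLProxyHost": f"{self._gateway}:443",   # where the plug-in connects (step 5)
            "Address": self._sta.request_ticket(server),
        }


class AccessGateway:
    def __init__(self, sta: SecureTicketAuthority):
        self._sta = sta

    def connect(self, ica_file: Dict[str, str]) -> str:
        # Steps 6 and 7: validate the presented ticket and proxy the ICA
        # session to the address the STA returns.
        server = self._sta.validate(ica_file["Address"])
        if server is None:
            raise PermissionError("ticket invalid, expired or already used")
        return server


def demo() -> str:
    """Run one launch end to end and return the server the gateway connected to."""
    sta = SecureTicketAuthority()
    wi = WebInterface(sta, {"Notepad": "10.0.0.21:1494"}, "gateway.example.com")  # constructed
    gw = AccessGateway(sta)
    ica = wi.generate_ica_file("Notepad")
    assert "10.0.0.21" not in repr(ica)   # the client device never sees the internal address
    return gw.connect(ica)


if __name__ == "__main__":
    print("connected to", demo())
```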
Digital Certificates
ICA traffic between client devices on unsecured networks and the XenApp servers in the secure network is encrypted using the SSL version 3 or TLS version 1 protocol. These protocols rely on digital certificates to verify the identity of the systems participating in the connection. Access Gateway uses two types of digital certificates to provide secure communication and effective authentication:

Server certificates
Issued by a certificate authority (CA) and provide a way to confirm the identity of a server before data is transmitted to it. The server certificate is based on the unique FQDN of the server.

Root certificates
Issued by a CA and used to confirm the authenticity of the CA signature on the server certificates. In a XenApp environment, the root certificate must be installed on each client device and Web Interface server. If an internal certificate is used for cost savings, the internal certificate must also be installed on each client device. Access Gateway self-signed certificates cannot be used as a root certificate.
The responsibility for issuing certificates can be delegated to an intermediate CA, which issues intermediate certificates, when a certificate base is too large for a single CA to maintain. Obtaining digital certificates incurs a cost and can take several days, especially if a third party is contracted for this purpose. However, the main advantage of using a third party is that most popular operating systems embed root certificates, so an administrator does not need to install them on the servers and client devices.
A root certificate must be installed on the Web Interface server because IIS requires a root certificate to make HTTPS connections to the Access Gateway. The IIS certificate and Access Gateway certificate must be from the same certificate authority. The Certificates MMC snap-in tool must be used to install the certificate and add it to the Trusted Root Certification Authorities on the local system.
If the communication is secured between the Access Gateway and the Secure Ticket Authority (STA) on the XenApp servers, each XenApp server that hosts the Citrix XML Service must also have a server certificate installed. The certificate must be trusted by the Access Gateway.
6. Type the IP address or FQDN of the Web Interface in the Web server field and click OK.
SmartAccess
SmartAccess allows administrators to control user access to applications published in XenApp based on Access Gateway policy expressions, including endpoint analysis (EPA) scans and SSL certificate checks. For example, by configuring secure application access, administrators can deny users access to published applications if they fail an antivirus endpoint analysis scan. Administrators can also use SmartAccess to allow users a full VPN tunnel if connecting from a corporate-managed system or ICA-only access if connecting from another type of device.
SmartAccess Policies
Secure application access utilizes Citrix policy filters to control user access to published applications. If an Access Gateway policy evaluates to true based on the results of an EPA scan, the name of the session policy is sent to XenApp. XenApp compares the policy name with the policy filter names configured in the Access Control properties for a published application. Depending on the policy configuration, if the names match, the application will or will not appear in the list of applications available to the user. If an Access Gateway policy does not evaluate to true, the Access Gateway policy name is not sent to XenApp. Again, depending on the configuration, the application will or will not appear in the list of applications available to the user.

In addition to controlling application access, policy filters can be used to apply Citrix policies to user sessions. If an Access Gateway policy evaluates to true based on the results of an EPA scan, the corresponding Citrix policy will be applied to the user session. If an Access Gateway policy does not evaluate to true, the corresponding Citrix policy will not be applied to the user session. For example, an administrator can configure policies so that if a connection attempt passes an EPA scan for antivirus software, client drive mapping is enabled for the user's XenApp session. Conversely, if the connection attempt does not pass the EPA scan, client drive mapping is disabled. For more information on SmartAccess, see the Access Gateway documentation on the http://support.citrix.com web site.
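The SmartAccess flow above, including the antivirus example, modelled as an added example that is not code from the courseware or from Citrix. The policy names, the EPA scan result keys, the allow-on-match reading of the Access Control filters and the rule that an application without filters is always listed are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Added example, not Citrix code: models the SmartAccess flow. Policy names,
# EPA scan result keys, and the rule that an application with no Access
# Control filter is always listed are constructed assumptions.

ScanResults = Dict[str, bool]


@dataclass
class GatewayPolicy:
    name: str
    condition: Callable[[ScanResults], bool]  # the Access Gateway policy expression


@dataclass
class PublishedApp:
    name: str
    access_filters: Set[str]  # Access Gateway policy names in the app's Access Control properties


@dataclass
class CitrixPolicy:
    name: str
    access_filter: str          # applies only when this policy name was received
    settings: Dict[str, bool]


def names_sent_to_xenapp(policies: List[GatewayPolicy], scan: ScanResults) -> Set[str]:
    """Only the names of policies that evaluate to true are forwarded; a failed
    policy is simply absent, so XenApp never receives a negative result."""
    return {p.name for p in policies if p.condition(scan)}


def visible_apps(apps: List[PublishedApp], received: Set[str]) -> List[str]:
    """An application with filters is listed only when at least one of its
    filter names matches a received policy name (allow-on-match assumption)."""
    return [a.name for a in apps
            if not a.access_filters or a.access_filters & received]


def session_settings(policies: List[CitrixPolicy], received: Set[str],
                     defaults: Dict[str, bool]) -> Dict[str, bool]:
    """Apply each Citrix policy whose filter name was received; the rest keep the defaults."""
    settings = dict(defaults)
    for p in policies:
        if p.access_filter in received:
            settings.update(p.settings)
    return settings


# Constructed sample configuration.
GATEWAY_POLICIES = [
    GatewayPolicy("AV-Passed", lambda s: s.get("antivirus_running", False)),
    GatewayPolicy("Corp-Device", lambda s: s.get("corporate_managed", False)),
]
APPS = [
    PublishedApp("Notepad", set()),               # no filter: available to everyone
    PublishedApp("Payroll", {"AV-Passed"}),
    PublishedApp("Admin Console", {"Corp-Device"}),
]
CITRIX_POLICIES = [
    CitrixPolicy("Drive mapping for scanned clients", "AV-Passed", {"client_drive_mapping": True}),
]
SESSION_DEFAULTS = {"client_drive_mapping": False}  # the text's example: disabled unless the scan passes


def evaluate_connection(scan: ScanResults):
    """What a connection with the given EPA scan results ends up with."""
    received = names_sent_to_xenapp(GATEWAY_POLICIES, scan)
    return visible_apps(APPS, received), session_settings(CITRIX_POLICIES, received, SESSION_DEFAULTS)


if __name__ == "__main__":
    for label, scan in (("home PC with AV", {"antivirus_running": True, "corporate_managed": False}),
                        ("kiosk, no AV", {"antivirus_running": False, "corporate_managed": False}),
                        ("corporate laptop", {"antivirus_running": True, "corporate_managed": True})):
        print(label, evaluate_connection(scan))
```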
461
462
Access Methods
Web Interface can be configured for the following access methods:

- Gateway direct: Sends the actual address of the XenApp server to the Access Gateway. This is the most common access method.
- Gateway alternate: Sends the alternate address assigned to the XenApp server to the Access Gateway. This setting requires configuration of the XenApp server with an alternate address and configuration of the firewall for network address translation.
- Gateway translated: Uses the address translation mappings set in the Web Interface to determine which address is sent to the Access Gateway. This setting is required when the address and port of the XenApp servers are translated at the internal firewall.

The Gateway alternate and Gateway translated access methods each require configuration outside Web Interface. In a Gateway alternate configuration, ALTADDR must be run on each XenApp server to set its alternate address, and the firewall must perform the corresponding network address translation. Gateway translated requires the address and port mappings configured on the internal firewall to be mirrored in the Web Interface address translation settings.
Client Routes
In order to send communications through the Access Gateway, the access method must be specified in the client route. The default client route is configured to send the communications from and to all client devices using the specified access method. Additional client routes can be created for specific client devices that use a different access method. When multiple client routes are specified, they are applied in the order in which they appear in the client address table. An administrator can change the order that the client routes are applied by moving the client routes up or down in the table.
The Access Gateway settings in Web Interface include:

- Address (FQDN): The fully qualified domain name of the Access Gateway.
- Port: The port number of the Access Gateway virtual server.
- Secure Ticket Authority URLs: Each URL must include the FQDN of a XenApp server and end with /SCRIPTS/CTXSTA.DLL.
- Load Balancing: Distributes the ticketing load across the available pool of STAs. Load balancing is done by round robin. By default, any failed STA is removed from the round-robin list for one hour. Hardware load balancer solutions are not recommended for STA load balancing.
- Bypass interval: Specifies the amount of time the Web Interface will avoid contacting a failed STA. After the bypass interval has passed, the Web Interface will attempt to contact that STA again.

5. Type the FQDN of the Access Gateway in the Address (FQDN) field. The Access Gateway FQDN must match the FQDN used on the Access Gateway certificate, and Web Interface must be able to resolve and send traffic to the address.
6. Type the port number of the Access Gateway virtual server.
7. Add the URLs of the Secure Ticket Authorities.
Issue: The client cannot connect to the Access Gateway device
Resolution:
- Ensure that DNS is properly configured between the client and the Access Gateway.
- Verify that the FQDN of the Access Gateway is specified correctly and matches the name on the server certificate. The IP address cannot be used.
- If network errors such as SSL error 4 are returned, ensure that the address and port to which the plug-in connects is a valid Access Gateway service.
- Install the CA root certificate on all client devices so that they can connect when an internal certificate server or a trial certificate from a CA is used.

Issue: IPv6 connections fail
Resolution:
- Ensure that Web Interface 5.0 or higher and the latest Citrix plug-ins are installed.

Issue: Access Gateway cannot connect to the Secure Ticket Authority
Resolution:
- Double-check the URL for the Secure Ticket Authority. The URL can change depending on whether or not port sharing is being used, or whether the XML service is running on a different port.
- Understand how the XML service is configured in the environment when reviewing the Secure Ticket Authority configuration, because the URL and the configuration information may reside in different places.

Issue: Users are not able to log in to Access Gateway
Resolution:
- Ensure that the LDAP bind account has read privilege on the AD tree.
- Investigate: the Access Gateway log file; the security event log on the domain controller; the contents of LDAP, using an LDAP browser.

Issue: A user is not able to log in to Access Gateway
Resolution:
- Verify that the logon credentials are valid.
- Investigate: the Access Gateway log file; the security event log on the domain controller.

Issue: User gets an "Access denied" error
Resolution:
- Verify that the access method settings and the Access Gateway settings for the Web Interface are correct.
- Investigate the Access Gateway settings: authentication; Secure Ticket Authority IP address and port; authorization; session profile settings for published applications.
- Investigate the Web Interface settings: DMZ settings; gateway settings; authentication service URL.
- Investigate: the XML settings on the XenApp server; the Access Gateway log file; the Web Interface trace; the Web Interface application event log.

Issue: User gets a "Resource no longer available" error
Resolution:
- Verify that the XML port in the Secure Ticket Authority for the Web Interface configuration is correct.
- Investigate: the Access Gateway log file; the XML service and its configuration on the Web Interface and XenApp servers.

Issue: A Secure Ticket Authority ticket is not issued
Resolution:
- Verify the Secure Ticket Authority configuration.
- Investigate: the ICA file, to ensure that it contains a valid ticket (right-click the published application icon and save it as a .TXT file); the accuracy of the Secure Ticket Authority link in Web Interface; the Secure Ticket Authority monitor, to ensure that it is running; the Access Gateway log file.
For more information on troubleshooting, see the Access Gateway documentation on the http://support.citrix.com/proddocs/index.jsp web site.
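The following PowerShell script is an added example and is not part of the course material or of Citrix's own tooling. It parses a Web Interface configuration and a saved ICA launch file and reports the items the access-method section and the troubleshooting table above tell you to verify: the gateway referenced by FQDN rather than IP, STA URLs ending in /SCRIPTS/CTXSTA.DLL, client route order, an STA ticket present in the launch file, and the SSL proxy host matching the gateway FQDN. The WebInterface.conf key names (CSG_Server, CSG_ServerPort, CSG_STA_URL<n>, ClientAddressMap), the SG/SGAlternate/SGTranslated values for the three gateway access methods, and the ;40;<STA id>;<ticket> address form are assumptions drawn from Web Interface 5.x and should be confirmed against your own files; the sample configuration and ICA lines are constructed, with two deliberate mistakes in the configuration.

```powershell
# Added example, not part of the Citrix course material. Assumed (verify against
# your own files): WebInterface.conf keys CSG_Server, CSG_ServerPort,
# CSG_STA_URL<n> and ClientAddressMap (SG, SGAlternate, SGTranslated being the
# gateway access methods), and the ";40;<STA id>;<ticket>" Address form that
# Web Interface writes into an ICA file when a gateway access method applies.

function ConvertFrom-WIConf {
    # Turns key=value lines into a hashtable; blank and '#' comment lines are skipped.
    param([string[]]$Lines)
    $conf = @{}
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }
        $i = $t.IndexOf('=')
        if ($i -lt 1) { continue }
        $conf[$t.Substring(0, $i).Trim()] = $t.Substring($i + 1).Trim()
    }
    return $conf
}

function Test-WIGatewayConfig {
    # Returns one finding per problem; no output means the settings look consistent.
    param([hashtable]$Conf)
    $findings = @()
    $ipv4 = '^\d{1,3}(\.\d{1,3}){3}$'
    $server = $Conf['CSG_Server']
    if (-not $server) { $findings += 'CSG_Server missing: no Access Gateway address configured' }
    elseif ($server -match $ipv4) { $findings += "CSG_Server=$server is an IP address; use the FQDN on the gateway certificate" }
    if (-not $Conf['CSG_ServerPort']) { $findings += 'CSG_ServerPort missing' }

    $staKeys = @($Conf.Keys | Where-Object { $_ -match '^CSG_STA_URL\d+$' } | Sort-Object)
    if ($staKeys.Count -eq 0) { $findings += 'no CSG_STA_URL<n> entries: no Secure Ticket Authority configured' }
    foreach ($k in $staKeys) {
        # -notmatch still fills $matches when the pattern does match.
        if ($Conf[$k] -notmatch '^https?://([^/:]+)(:\d+)?/scripts/ctxsta\.dll$') {
            $findings += "$k=$($Conf[$k]) is not http(s)://<XenApp FQDN>[:port]/scripts/ctxsta.dll"
        } elseif ($matches[1] -match $ipv4) {
            $findings += "$k uses an IP address instead of a XenApp server FQDN"
        }
    }

    # ClientAddressMap=<client address or subnet>,<access method>[,<address>,<method>...]
    # Routes apply in the order listed, so the '*' (all clients) route must be last.
    $parts = @()
    if ($Conf['ClientAddressMap']) { $parts = @($Conf['ClientAddressMap'] -split ',') }
    $routes = @()
    for ($i = 0; $i + 1 -lt $parts.Count; $i += 2) {
        $routes += New-Object PSObject -Property @{
            Order = [int]($i / 2) + 1; Client = $parts[$i].Trim(); AccessMethod = $parts[$i + 1].Trim()
        }
    }
    if (-not ($routes | Where-Object { $_.AccessMethod -like 'SG*' })) {
        $findings += 'no client route uses a gateway access method (SG, SGAlternate or SGTranslated)'
    }
    foreach ($r in @($routes | Where-Object { $_.Client -eq '*' -and $_.Order -lt $routes.Count })) {
        $findings += "the '*' client route is entry $($r.Order) of $($routes.Count); later routes are never reached"
    }
    return $findings
}

function Test-IcaStaTicket {
    # Checks a saved launch file: STA ticket present, SSL to the gateway FQDN, no plaintext password.
    param([string[]]$IcaLines, [string]$GatewayFqdn)
    $findings = @()
    $addr = ''; $proxy = ''; $ssl = ''; $clearPw = $false
    foreach ($line in $IcaLines) {
        $t = $line.Trim()
        if ($t -match '^Address=(.*)$')      { $addr = $matches[1] }
        if ($t -match '^SSLProxyHost=(.*)$') { $proxy = $matches[1] }
        if ($t -match '^SSLEnable=(.*)$')    { $ssl = $matches[1] }
        if ($t -match '^ClearPassword=')     { $clearPw = $true }
    }
    if ($addr -notmatch '^;40;(STA[0-9A-Fa-f]+);([0-9A-Fa-f]+)$') {
        $findings += "Address=$addr carries no STA ticket; the launch is not routed through the gateway"
    }
    if ($ssl -ne 'On') { $findings += 'SSLEnable is not On' }
    if (($proxy -split ':')[0] -ne $GatewayFqdn) {
        $findings += "SSLProxyHost=$proxy does not name the gateway FQDN $GatewayFqdn"
    }
    if ($clearPw) { $findings += 'ClearPassword= present: a password is embedded in the launch file' }
    return $findings
}

# Constructed WebInterface.conf excerpt: STA2 is an IP, and '*' is not the last route.
$wiConf = @'
CSG_Server=ag.example.com
CSG_ServerPort=443
CSG_STA_URL1=http://xaprod1.example.com/scripts/ctxsta.dll
CSG_STA_URL2=http://10.6.28.153/scripts/ctxsta.dll
ClientAddressMap=*,SG,10.20.0.0/255.255.0.0,Normal
'@ -split "`r?`n"

# Constructed launch file, as saved from a published-application icon.
$ica = @'
[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STA1A2B3C4D5E6F;A0B1C2D3E4F5A6B7C8D9E0F1A2B3C4D5
SSLEnable=On
SSLProxyHost=ag.example.com:443
LogonTicketType=CTXS1
'@ -split "`r?`n"

$conf = ConvertFrom-WIConf $wiConf
Test-WIGatewayConfig $conf | ForEach-Object { "WI:  $_" }
Test-IcaStaTicket -IcaLines $ica -GatewayFqdn $conf['CSG_Server'] | ForEach-Object { "ICA: $_" }
```

With the constructed input the script reports two Web Interface findings (CSG_STA_URL2 uses an IP address; the '*' client route is entry 1 of 2) and no ICA findings. Against a real site, feed ConvertFrom-WIConf the output of Get-Content on the site's WebInterface.conf (under the site's conf folder beneath C:\inetpub\wwwroot\Citrix by default) and Test-IcaStaTicket a launch file saved as text as the troubleshooting table describes.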
Review
1. Which component is not required for Access Gateway integration with Web Interface?
a. A failover virtual server
b. A FQDN that Web Interface can resolve
c. An SSL certificate that Web Interface trusts
d. An Access Gateway server that Web Interface can access

2. Which two critical security capabilities is SecureICA not designed to provide? (Choose two.)
a. It does not authenticate the XenApp server that the client accesses with SSL certificates.
b. It does not encrypt session data sent between the client and the XenApp server.
c. It does not authenticate the user that is requesting access to the XenApp server.
d. It does not encrypt user authentication credentials sent between the client and the XenApp server.

3. Which two deployment scenarios are valid for Access Gateway and XenApp? (Choose two.)
a. Access Gateway in the DMZ, Web Interface in the DMZ
b. Access Gateway in the DMZ, Secure Ticket Authority in the DMZ
c. Access Gateway in the DMZ, Web Interface in the internal network
d. Access Gateway in the secure network, Web Interface in the DMZ
e. Access Gateway in the secure network, Secure Ticket Authority in the DMZ
Module 15
Monitoring
Overview
At the end of this module, you will be able to:
- Identify available Health Monitoring and Recovery tests.
- Track the usage of XenApp licenses at a point in time and over time.
- Automate complex workflows.
- Access XenApp information using PowerShell and other command line tools.
Specifies which tests to run. The preconfigured, default tests and their functions are:

- Citrix IMA Service: Queries the service to ensure that it is running.
- Logon Monitor: Monitors session logon/logoff cycles.
- XML Service: Requests a ticket from the Citrix XML Service running on the server and prints the ticket.
- Terminal Services (Remote Desktop Services): Enumerates the list of sessions running on the server and the session user information, such as user name.
- Check DNS: Performs a forward DNS lookup using the local host name to query the local DNS server in the environment for the IP address.
- Check Local Host Cache: Ensures that the data stored in the local host cache of the XenApp server is not corrupted and that there are no duplicate entries.
- Check XML Threads: Inspects the threshold of the current number of worker threads running in the Citrix XML Service.
- Microsoft Print Spooler Service: Enumerates printer drivers, print processors and printers to determine whether or not the Print Spooler Service in Windows Server 2008 R2 is healthy and ready for use.
- ICA Listener: Determines whether or not the XenApp server is able to accept ICA connections.
- Citrix Print Manager Service: Enumerates session printers to determine the health of the Citrix Print Manager Service.

In addition, custom tests can be scripted and added to a health monitoring policy. Administrators can update the default names of the preconfigured tests. For more information on Health Monitoring Tests for XenApp 6, see the support.citrix.com/proddocs/index.jsp web site.

For each test, the following parameters are required:

- Interval: How frequently to check.
- Time-out: How long to wait after checking before determining that the check has failed.
- Threshold: How many checks to run before executing the recovery action.
- Recovery action: Which action the farm should take if the test fails. The options are: Alert only; Remove server from load balancing; Shutdown IMA service; Restart IMA service; Reboot server.

A related policy setting limits the maximum percentage of servers that health monitoring and recovery can exclude from load balancing, so that a failing test cannot remove the whole farm from service.
An administrator can use the Citrix Policies node of the Group Policy Management Console (GPMC) or the Policies node of the Delivery Services Console to enable or disable health monitoring and recovery policies.
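As an added example of the custom test mentioned above (not code from the course or from Citrix), the following PowerShell script implements a readiness test that a health monitoring policy can run: it checks that the Citrix IMA and XML services and Remote Desktop Services are running, that something accepts connections on the ICA port, and that the system drive is not about to fill. It assumes the custom-test contract that the test is an executable which exits with 0 for pass and any non-zero code for fail (confirm this against the HMR custom-test guidance in the product documentation), and it assumes the Windows service names IMAService, CtxHttp and TermService, which you should confirm with Get-Service on your own servers. The thresholds are assumptions and can be overridden with parameters.

```powershell
# Added example, not part of the Citrix course material: a custom HMR test.
# Assumes HMR runs an executable and treats exit code 0 as pass, non-zero as
# fail, and that the service names below match your XenApp 6 servers.
param(
    [int]$IcaPort = 1494,
    [int]$TimeoutMs = 3000,
    [int]$MinFreeSystemDriveMB = 2048,
    [string[]]$RequiredServices = @('IMAService', 'CtxHttp', 'TermService')
)

function Test-TcpListener {
    # Opens and immediately closes a TCP connection; $true only if the connect completes in time.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $client.Connected
    } catch { return $false }
    finally { $client.Close() }
}

function Get-ReadinessFailures {
    # Returns one line per failed check; an empty result means the server is ready.
    param([int]$IcaPort, [int]$TimeoutMs, [int]$MinFreeMB, [string[]]$Services)
    $failures = @()
    foreach ($name in $Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { $failures += "service $name is not installed" }
        elseif ($svc.Status -ne 'Running') { $failures += "service $name is $($svc.Status)" }
    }
    if (-not (Test-TcpListener -ComputerName '127.0.0.1' -Port $IcaPort -TimeoutMs $TimeoutMs)) {
        $failures += "no listener on ICA port $IcaPort"
    }
    $sys = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    if ($sys) {
        $freeMB = [math]::Floor($sys.FreeSpace / 1MB)
        if ($freeMB -lt $MinFreeMB) { $failures += "system drive has $freeMB MB free, below $MinFreeMB MB" }
    }
    return $failures
}

$failures = @(Get-ReadinessFailures -IcaPort $IcaPort -TimeoutMs $TimeoutMs `
                                    -MinFreeMB $MinFreeSystemDriveMB -Services $RequiredServices)
if ($failures.Count -gt 0) {
    # The text is for whoever runs the test by hand; HMR acts on the exit code.
    Write-Output ('FAIL: ' + ($failures -join '; '))
    exit 1
}
Write-Output 'PASS'
exit 0
```

Because HMR launches executables rather than .ps1 files, save the script as, for example, Test-XAReadiness.ps1 and register a small Test-XAReadiness.cmd wrapper as the test: the wrapper runs powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "%~dp0Test-XAReadiness.ps1" and ends with exit /b %ERRORLEVEL% so that the script's exit code reaches HMR. Keep the test's Time-out larger than $TimeoutMs plus the service and WMI queries, otherwise HMR will time the test out before it can report a pass.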
EdgeSight Monitoring
Citrix EdgeSight is a performance and availability management solution. In XenApp environments, it is used to monitor:
- License usage
- XenApp server performance and availability
- Published application performance and availability

EdgeSight for XenApp provides visibility into the following key areas:
- Farm-wide monitoring, including a tree view of the entire farm structure, visual detection of farm and subfolder errors and visual flags for devices with alerts
- Server availability, health check and session reliability monitoring
- Suite Monitoring and Alerting (SMA) log entries and alerting
- Extended end-user experience monitoring (EUEM) of the full set of ICA channels, providing a granular view of the environment

Active Application Monitoring (AAM) allows for the establishment of configurable service level agreements (SLAs). An administrator can synthesize user tasks and monitor their execution time while EdgeSight provides feedback on application performance and availability based on the user experience. When SLA violations occur, real-time alerts containing diagnostic information can be triggered for the administrator's review and action.
EdgeSight Components
For general performance reasons, 64-bit systems are recommended for EdgeSight server components. A Citrix EdgeSight environment consists of the following components:
- EdgeSight web console
- EdgeSight agents
- EdgeSight server: Web Component, Microsoft SQL Server Database, Microsoft SQL Server Reporting Services
- Citrix License Server
- SMTP server
- SNMP server
EdgeSight Agents
The EdgeSight agent is a service that runs on a user device or XenApp server and collects data, which it writes into an agent-side database. At intervals the agent aggregates the data into a payload, sends the payload to the EdgeSight server and issues alerts if certain criteria are met. Data can also be displayed directly from an agent database for use in issue resolution. The EdgeSight agent monitors the following types of data: device, network, process, published application, session, user, XenApp and XenDesktop.
The following list describes the types of EdgeSight agents available:

- Endpoint agent: Designed for client devices. The agent operates continuously and discreetly on client devices, collecting performance, resource, application and network data.
- XenApp agent: Designed for use on Citrix XenApp servers. The agent records information about user sessions, client and server performance, application usage and network connections. Two types of XenApp agent are available:
  - Basic: Records data equivalent to previous versions of XenApp Resource Manager.
  - Advanced: Records the full set of metrics for end-user experience monitoring (EUEM).
  Basic agent functionality requires only a XenApp Enterprise Edition license, while advanced agent functionality requires a XenApp Platinum Edition or EdgeSight for XenApp license.
- Virtual Desktop agent: Designed for XenDesktop virtual desktops. It monitors system, application and network performance.
EdgeSight Server
The EdgeSight server collects data from the distributed agents and allows administrators to display the data to identify potential issues in the enterprise and to assist in issue resolution. The following components make up the EdgeSight server:

- Web component: Serves as the configuration and reporting console of the EdgeSight architecture, accepts the data uploads from the agents and displays performance and availability information in a wide range of standard reports.
- Database: Stores the data uploaded from the agents and acts as the data source for Microsoft SQL Server Reporting Services.
- Report server: Generates performance and availability information as reports from Microsoft SQL Server Reporting Services.
Administrators and support personnel interact with the EdgeSight server through the EdgeSight web console. The console provides a powerful and flexible tool for displaying availability and performance information from the data collected by the distributed agents. Accessing the console is as simple as opening a web browser to the URL for the EdgeSight server and providing credentials on the logon page. An EdgeSight user can access the console using the http://servername/edgesight URL, replacing servername with the name of the EdgeSight server.
License Server
A Citrix license server is used to supply licenses authorizing EdgeSight agents to upload data to an EdgeSight server. The license server can be anywhere on the network as long as it can be reached from the web server component of the EdgeSight server. A single license server can be shared by several Citrix products, including multiple EdgeSight servers.
SMTP Server
An SMTP server is used to send email notices to administrators for many conditions, including: alert notification distribution, server error conditions and new user passwords.
SNMP Server
An SNMP server is an optional component of the EdgeSight environment. EdgeSight can send SNMP traps to notify system management consoles that alert conditions have been reached.
EdgeSight Communication
It is important for an administrator to understand the basic EdgeSight architecture and communication processes to effectively monitor an environment.
Approximately every 20 minutes, the collected data is aggregated into five-minute chunks. This time interval may vary up to several hours under system load. The five-minute data is retained in the agent database for three days so that historical information can be displayed. The time that the data is retained can be extended up to 29 days. Twice each day, the agent contacts the EdgeSight server to determine if data needs to be uploaded. The agent re-aggregates the data into one-hour chunks and then uploads it to the EdgeSight server. This frequency is configurable. If the agent software cannot reach the EdgeSight server, the aggregated data is retained for up to 29 days, or until the data is uploaded to the server. The data retention time can be configured by an administrator if required.
Performance Data
Performance data includes system metrics that are not linked to a specific event but to normal system operation. EdgeSight captures data related to system, network, application and XenApp session performance. For complete lists of individual metrics, see the EdgeSight documentation on the support.citrix.com/proddocs/index.jsp web site.
Event-Driven Data
Event-driven data includes metrics that are generated by an event occurring on the user system, for example, when the user invokes and starts to use an application or when a socket connection is made. The following list describes the application data that EdgeSight captures:

- Application issues: EdgeSight can be used to determine which error message appeared, when the error or crash occurred, how many times the error or crash occurred, which system generated the error or crash, and what else was running on the system at the time of the error or crash.
- Application usage: EdgeSight can be used to determine how long the application was running in memory.
- Network connection: EdgeSight can be used to determine how long network communications take, what the average speed of the network is, how much network volume is being utilized, which systems are experiencing the most delay, which applications are generating the most volume, which systems are responding slowly, and which protocols are in use on the network.
EdgeSight for XenApp agent data uploads can reach 500KB to 5MB. These data upload sizes depend on a number of factors such as the agent configuration and the usage profile of the system hosting the agent. For a database size estimation tool, see Knowledge Base article CTX122146 on the http://support.citrix.com web site.
Communication Protocol
The data upload process is as follows:
1. The EdgeSight agent contacts the EdgeSight server to find out which data is requested, based on when the last successful upload occurred.
2. The EdgeSight server responds with instructions for the data upload.
3. Based on the instructions, the agent aggregates its data into hourly chunks, bundles the aggregated data into a compressed payload and sends that payload to the configured EdgeSight server over HTTP/S.
4. The server stores the data in the local data folder, from where it is retrieved and processed by the EdgeSight Script Host (RSSH).
5. The EdgeSight Script Host uploads the payload data to the Microsoft SQL Server database.
EdgeSight users can view current or historical license usage for all types of Citrix licenses. The service monitoring function does not require any agents; the EdgeSight server polls the license server directly. If an EdgeSight environment will be used solely for monitoring license usage, no agents are involved.
The Workflow Studio technology stack depicted in the graphic works as follows:
1. Products expose functionality through APIs.
2. Activity Libraries make the product functionality available to the workflow developer.
3. Workflows can be created to solve business problems.

Workflow Studio is comprised of three components:
- Management Console/Designer: User interface for developing and testing workflows, and for scheduling and reviewing workflow jobs.
- Designer Runtime
- Runtime Engine

Workflow Studio can be applied to scenarios such as:
- User Provisioning
- Disaster Recovery
- Product Automation
- Scheduled Restarts
- Fault Recovery: EdgeSight can use the external actions capability to launch a workflow when an alert occurs.
3. Execute a XenApp PowerShell cmdlet. For example, the Get-XAServer cmdlet retrieves and displays information about a XenApp server in a farm:

    PS C:\Users\Administrator> Get-XAServer XAProd1

    ServerName              : XAPROD1
    FolderPath              : Servers
    ZoneName                : Default Zone
    ElectionPreference      : MostPreferred
    IPAddresses             : {10.6.28.152}
    OSVersion               : 6.1.7600
    OSServicePack           :
    Is64Bit                 : True
    CitrixProductName       : Citrix Presentation Server
    CitrixVersion           : 6.0.6406
    CitrixEdition           : Platinum
    CitrixEditionString     : PLT
    CitrixServicePack       : 0
    CitrixInstallDate       : 3/6/2010 10:23:39 AM
    CitrixInstallPath       : C:\Program Files (x86)\Citrix\
    LicenseServerName       : dmc
    LicenseServerPortNumber : 27000
    LogOnsEnabled           : True
    IcaPortNumber           : 1494
    RdpPortNumber           :
    SessionCount            : 163

Type

    PS C:\Users\Administrator> Get-Help XA

to view a complete list of the cmdlets. For more information on using a cmdlet, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site. For example, execute the following command to view the help on the Get-XAServer command:

    PS C:\Users\Administrator> Get-Help Get-XAServer
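The following script is an added example, not from the course or from Citrix, of using the XenApp cmdlets for something beyond listing one server: it audits every enabled published application for settings that widen who can reach it or weaken the session (anonymous access, no SecureICA requirement, Access Gateway connections without a SmartAccess filter, and applications also reachable without the gateway), and summarises each server's logon state, ICA port, session count and license server. It runs where the XenApp 6 SDK is installed, as a Citrix administrator. The property names used (AnonymousConnectionsAllowed, EncryptionRequired, ConnectionsThroughAccessGatewayAllowed, OtherConnectionsAllowed, AccessSessionConditionsEnabled, AccessSessionConditions, LogOnsEnabled, IcaPortNumber, SessionCount) are those exposed by the XenApp 6 SDK objects as I recall them; confirm them with Get-Help Get-XAApplicationReport -Full and Get-Help Get-XAServer -Full before relying on the output.

```powershell
# Added example, not part of the Citrix course material: a farm exposure audit
# built on the XenApp 6 PowerShell SDK. Property names are assumed from the
# SDK; confirm with Get-Help <cmdlet> -Full.
Add-PSSnapin Citrix.XenApp.Commands -ErrorAction Stop

function Get-XAApplicationExposure {
    # One row per enabled published application, with the settings that widen exposure.
    foreach ($app in (Get-XAApplication | Get-XAApplicationReport)) {
        if (-not $app.Enabled) { continue }
        $issues = @()
        if ($app.AnonymousConnectionsAllowed) { $issues += 'anonymous connections allowed' }
        if (-not $app.EncryptionRequired) { $issues += 'SecureICA not required (Basic accepted)' }
        if ($app.ConnectionsThroughAccessGatewayAllowed) {
            $filters = @($app.AccessSessionConditions)
            if (-not $app.AccessSessionConditionsEnabled) {
                $issues += 'any Access Gateway connection allowed, no SmartAccess filter'
            } elseif ($filters.Count -eq 0) {
                $issues += 'SmartAccess filtering enabled but no filter names configured'
            }
            if ($app.OtherConnectionsAllowed) { $issues += 'also reachable without Access Gateway' }
        }
        New-Object PSObject -Property @{
            Application = $app.BrowserName
            Folder      = $app.FolderPath
            Filters     = (@($app.AccessSessionConditions) -join ', ')
            Issues      = ($issues -join '; ')
        }
    }
}

function Get-XAServerPosture {
    # One row per server: logon state, ICA port, current sessions, and the license server it trusts.
    foreach ($srv in Get-XAServer) {
        New-Object PSObject -Property @{
            Server            = $srv.ServerName
            LogOnsEnabled     = $srv.LogOnsEnabled
            IcaPort           = $srv.IcaPortNumber
            NonDefaultIcaPort = ($srv.IcaPortNumber -ne 1494)
            Sessions          = $srv.SessionCount
            LicenseServer     = "$($srv.LicenseServerName):$($srv.LicenseServerPortNumber)"
        }
    }
}

# Applications with at least one issue, then the server summary.
Get-XAApplicationExposure | Where-Object { $_.Issues } |
    Format-Table Application, Folder, Filters, Issues -AutoSize
Get-XAServerPosture |
    Format-Table Server, LogOnsEnabled, IcaPort, NonDefaultIcaPort, Sessions, LicenseServer -AutoSize
```

The application rows tie back to the SmartAccess section earlier in this course: an application that allows gateway connections with filtering enabled but no filter names, or that also allows non-gateway connections, is one where an EPA result cannot actually restrict access. A server reporting a non-default ICA port or a license server name you do not recognise is worth a second look, because both are settings an attacker with farm administration rights could change quietly.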
Command-line tools available on a XenApp server include:
- ICAPORT
- IMAPORT
- QUERY

These commands can be executed from a command prompt or PowerShell session. For more information on these commands and their options, see the XenApp documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Review
1. At which interval is data collected and stored in the local Firebird database on a XenApp EdgeSight agent?
a. 1 hour
b. 5 minutes
c. 5 seconds
d. 20 minutes
e. 15 seconds

2. When health monitoring and recovery is configured for a server, which three actions can be configured to take place automatically? (Choose three.)
a. Restart the Citrix IMA Service.
b. Restart the Citrix XML Service.
c. Shut down the Citrix IMA Service.
d. Send alerts to the Event Log of the server.
e. Send a message to the data store database.
Module 16
Additional Components
Overview
This module briefly discusses some of the additional Citrix components that can be used with XenApp. By the end of this module, you should be able to identify the purpose and key components of:
- SmartAuditor
- Single sign-on
- EasyCall voice services
- Branch optimization
- Provisioning Services
- Power and Capacity Management
- XenServer
SmartAuditor
SmartAuditor allows an organization to record the on-screen activity of any user's session, over any type of connection, from any server running XenApp. SmartAuditor uses flexible policies to automatically trigger recordings of XenApp sessions, which enables IT to monitor and examine the user activity in applications and demonstrate internal control, thus supporting regulatory compliance and security audits. SmartAuditor should not be configured in countries that prohibit the recording of users' sessions. SmartAuditor supports the monitoring of published applications, but cannot monitor applications streamed to client devices.

Key benefits of SmartAuditor include:

- Enhanced auditing: Provides regulatory compliance by allowing organizations to record on-screen user activity in applications.
- Activity monitoring: Captures and archives screen updates, including mouse activity and the visible output of keystrokes, in secured video recordings to provide a record of activity for specific users, applications and servers.
- Scalability: Allows the recording of thousands of sessions concurrently with minimum impact on system operation and performance.
- Live playback: Allows administrators to monitor activity in user sessions in near real time.
- Flexible recording: Allows administrators to record activity based on the user, application or XenApp server being accessed.
- Clientless recording: Requires no client-side software and eliminates the need for client-side updates.
- Multi-platform support: Records any session initiated on XenApp from all supported Windows and non-Windows devices, and supports all Windows platforms that have a Citrix plug-in.

Playback of recordings is encrypted through HTTPS communications.
SmartAuditor Components
SmartAuditor consists of the following components:

- SmartAuditor Database: A SQL Server 2005 or 2008 Enterprise or Express edition database used to store recorded session file metadata and service search requests.
- SmartAuditor Server: A server that hosts a web application responsible for search queries, file download requests and policy administrator requests, and that evaluates recording policies for each session. A Windows service on this server manages the recorded session files from each XenApp server containing a SmartAuditor agent.
- SmartAuditor Policy Console: A visual interface for defining SmartAuditor recording policies. Policies can be defined at the user, group, application or server level.
- SmartAuditor Agent: An agent installed on each XenApp server that records session data.
- SmartAuditor Player: The user interface that is used to play recorded session files; it is typically installed on a workstation that is not in the datacenter.

The SmartAuditor database, SmartAuditor server and SmartAuditor Policy Console can be installed on the same server or on separate servers.
Single Sign-on
Citrix Single sign-on (formerly Citrix Password Manager) provides password security and Single sign-on access to Windows, web, and terminal emulator applications running in the XenApp environment as well as applications running on the client device. Users authenticate once and Single sign-on completes the authentication, automatically logging on to selected password-protected information systems, enforcing password policies, monitoring all password-related events, and even automating user tasks. In addition, Single sign-on contains self-service features such as account unlock and self-service password reset. These features allow users to reset their domain password or unlock their domain accounts from the Web Interface logon page without help desk or administrator intervention.
EasyCall Components
The main components of EasyCall include:

- EasyCall Gateway: A virtual appliance that installs on Citrix XenServer 5 and is adjunct to the corporate telephony system. It allows developers to build click-to-call functions into applications and to develop a web service client that verifies domain/username against an authentication mechanism.
- Communications plug-in: Enables most telephone numbers that appear in Windows applications to be directly called, including local, long distance, international and internal extensions.
EasyCall Process
EasyCall allows each user to create profiles for work, home and mobile phones. These profiles are used by the EasyCall Gateway to contact the user when a call is placed. After the EasyCall profiles are created, the user can begin using EasyCall to initiate calls from phone numbers within applications. The following process outlines the steps involved in placing a call with EasyCall, from start to finish:
1. The user hovers the mouse pointer over a number in an application.
2. The EasyCall phonebar appears.
3. The user clicks the EasyCall button to place the call.
4. The Communications plug-in sends a call request to the EasyCall Gateway.
5. The EasyCall Gateway initiates a call from the private branch exchange (PBX) to the user's phone.
6. The user accepts the call.
7. The EasyCall Gateway initiates a call from the PBX to the call recipient's number.
8. The recipient accepts the call.
9. The PBX establishes the call path.
10. The EasyCall Gateway removes itself from the call cycle.
11. The user completes the conversation and terminates the call.

For more information on EasyCall, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Branch Optimization
Citrix Branch Optimization is a WAN optimization solution that provides a LAN-like desktop and application experience to branch and mobile users while dramatically reducing WAN bandwidth costs and simplifying branch infrastructure.
Branch Optimization is a symmetric solution that requires Branch Repeater technology at both ends of the WAN link. Branch optimization can take place between any pair of Branch Repeater appliances or between a Branch Repeater appliance and a Branch Repeater plug-in. A Branch Repeater appliance in the datacenter can communicate concurrently with many Branch Repeater appliances and Branch Repeater plug-ins at branch offices.
Branch Repeater is available with the following components:

- Repeater appliance: Resides in the datacenter of large offices and provides acceleration for high-volume and mission-critical links. Has a browser-based user interface.
- Branch Repeater appliance: Resides in branch offices and is smaller than a Repeater appliance. Uses the same user interface as the Repeater appliance.
- Branch Repeater with Windows Server: A Windows-based appliance that resides in branch offices and is smaller than a Repeater appliance. Uses a Microsoft Management Console user interface.
- Branch Repeater VPX (virtual appliance): A virtual Branch Repeater appliance that runs on a server running an open-source Xen hypervisor and resides in branch offices. Most, but not all, of the functionality provided by a Branch Repeater appliance is available with the Branch Repeater VPX.
- Acceleration plug-in: A software implementation of Citrix acceleration technology that runs on Windows-based client devices to provide acceleration features similar to the Repeater and Branch Repeater VPX components. The plug-in is compatible with a Repeater appliance and a Branch Repeater VPX, but not with a Branch Repeater or Branch Repeater with Windows Server.
Administrators deploy a Repeater appliance in the datacenter. Users install the Acceleration plug-in, and the plug-in accelerates the application's traffic. The following process explains how Branch Optimization works:
1. The user's application opens a connection to the server.
2. The Acceleration plug-in looks up the address and decides to redirect the connection to the Repeater appliance.
3. The Repeater appliance accepts the connection and forwards the packet to the server.
4. The server accepts the connection and responds with an acknowledgement packet.
5. The Repeater appliance rewrites the addresses and forwards the packet to the Acceleration plug-in.
6. The connection is open, and the client device and server send packets back and forth through the Repeater appliance.

For more information on Branch Optimization, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Provisioning Services
Provisioning Services reduces total cost of ownership and improves both manageability and business agility by virtualizing the workload of a datacenter server, including the operating system, applications and configuration, and streaming those workloads on demand to physical or virtual servers in the network. Provisioning Services can also be used to provision physical and virtualized desktops for use with VM hosted apps. Delivering server workloads on demand rather than deploying them on individual servers:
- Simplifies and streamlines server management and reduces software rollout risk
- Delivers the operating system, applications and server configuration information in a real-time stream, maximizing performance and minimizing network load
- Ensures server consistency by provisioning servers simultaneously from a single standard image
- Increases IT responsiveness and agility by enabling capacity on demand; any server can be repurposed to do any job
- Reduces utility costs and space needs by lowering the number of backup servers needed to support disaster recovery and business continuity
- Enables rollback to a previous working image in the time it takes to reboot
- Supports redundant servers, networks and databases

Provisioning Services included with XenApp Platinum Edition is limited to provisioning XenApp Platinum Edition workloads only.
The following components are used by Citrix Provisioning Services:

- Provisioning Services Server: Streams a vDisk to a target device.
- Provisioning Services Database: Stores the Provisioning Services, vDisk, target device and system configuration settings.
- Store: The logical name given to a physical storage location for vDisks. The store can be placed on the Provisioning Services server's local drive, a SAN, a CIFS share, NAS or a UNC path.
- vDisk: Contains an image of a workload.
- vDisk pool: The collection of all vDisks available to a site. A site can contain only one vDisk pool.
- Target Device: The physical or virtual machine that boots from and runs a streamed vDisk.

For more information on Provisioning Services, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Control Modes
In Power and Capacity Management, servers are assigned a control mode. The control mode determines whether the server is eligible for power management or is participating in load consolidation. Control modes include:

- Unmanaged: Servers assigned this control mode are not controlled by Power and Capacity Management.
- A further control mode applies to servers that contribute to the capacity of the workload but are not controlled by Power and Capacity Management. Servers that provide essential services and should not be taken offline, for example the data collector and the server hosting the data store, should be assigned this mode.
- Managed: Servers assigned this control mode are fully controlled by Power and Capacity Management.
Power Management
Power Management controls the power-on and power-off operations for the servers in a workload or farm using the power controller preference set in each server's properties. For a power-on operation, the selection algorithm chooses the server with the highest power controller preference before any server with a lower preference. For a power-off operation, the algorithm chooses the server with the lowest power controller preference before any server with a higher preference. If the server selected for power-off is currently hosting sessions, it is placed into drain mode. While in drain mode, the server does not accept new sessions but allows the reconnection of disconnected sessions. A server in drain mode powers off only when no sessions remain.
Load Consolidation
Load consolidation has the opposite effect of traditional XenApp load balancing. It aims to consolidate sessions onto fewer servers instead of spreading load evenly across many servers. By consolidating sessions, there is greater opportunity to power down excess servers, saving power and reducing running costs. Greater consolidation of sessions equates to higher levels of utilization for each server while online. Load consolidation works by continually monitoring the number of active sessions and the remaining capacity of each server. It aims to load a small group of servers with new sessions up to the optimal load level that each server can effectively handle. Once a server reaches its optimal load, load consolidation enables an additional server in the workload to accept new session load. When used in conjunction with Power Management, this additional server is powered on automatically if it is currently powered off.
Power and Capacity Management consists of the following components: the Concentrator, the Database, Reporting and the Management Console.
Power Setpoints
Throughout the day and week, different demands are placed on a XenApp environment. As a result, different setpoints must be used so that Power and Capacity Management can ensure that the appropriate number of servers are online to handle the expected load and that servers are powered down during periods of low demand. This is accomplished with schedules.

Schedules allow an administrator to assign values to the setpoints based on the time of day and day of week. A setpoint defines either a target capacity level (number of sessions) or a target number of online servers. Setpoints are used to determine how many servers should be powered on. For more information on Power and Capacity Management, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.
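The power management, load consolidation and setpoint behaviour described in the sections above, as an added Python simulation; this is not part of the course material or Citrix's own code. The control mode names, the OPTIMAL_LOAD value, the rule that a draining Managed server no longer counts as "online", and the server names and preferences in the constructed scenario are assumptions made for the example; the real product reads its setpoints from schedules and its load data from the Concentrator.

```python
"""Toy model of Power and Capacity Management decisions (added example, not Citrix code).

Assumptions (not taken from the product): a Managed server counts as serving while
powered on and not draining; Static servers always serve but are never powered on
or off; Unmanaged servers are ignored entirely; OPTIMAL_LOAD is the per-server
session count at which load consolidation opens another server.
"""
from dataclasses import dataclass
from typing import List, Optional

OPTIMAL_LOAD = 3  # assumed optimal session load per server


@dataclass
class Server:
    name: str
    preference: int           # power controller preference (higher = powered on first)
    mode: str = "Managed"     # "Unmanaged", "Static" or "Managed" (assumed names)
    powered_on: bool = False
    draining: bool = False    # accepts reconnects only; powers off when empty
    sessions: int = 0


class Workload:
    def __init__(self, servers: List[Server]) -> None:
        self.servers = servers

    def serving(self) -> List[Server]:
        """Servers that may take new sessions: Static always, Managed when up and not draining."""
        return [s for s in self.servers
                if s.mode == "Static" or (s.mode == "Managed" and s.powered_on and not s.draining)]

    def _managed(self, powered_on: bool) -> List[Server]:
        return [s for s in self.servers if s.mode == "Managed" and s.powered_on == powered_on]

    def power_on_one(self) -> Optional[Server]:
        """Power on the powered-off Managed server with the highest preference."""
        candidates = self._managed(powered_on=False)
        if not candidates:
            return None
        best = max(candidates, key=lambda s: s.preference)
        best.powered_on = True
        return best

    def power_off_one(self) -> Optional[Server]:
        """Pick the lowest-preference online Managed server; drain it if it has sessions."""
        candidates = [s for s in self._managed(powered_on=True) if not s.draining]
        if not candidates:
            return None
        victim = min(candidates, key=lambda s: s.preference)
        if victim.sessions == 0:
            victim.powered_on = False
        else:
            victim.draining = True      # no new sessions, reconnects still allowed
        return victim

    def apply_setpoint(self, target_online: int) -> None:
        """Setpoint of type 'target number of online servers' taken from a schedule."""
        while len(self.serving()) < target_online and self.power_on_one():
            pass
        while len(self.serving()) > target_online and self.power_off_one():
            pass

    def place_session(self) -> Optional[str]:
        """Load consolidation: put the new session on the busiest server below OPTIMAL_LOAD.
        Only when every serving server is full is a further server powered on."""
        room = [s for s in self.serving() if s.sessions < OPTIMAL_LOAD]
        if not room:
            extra = self.power_on_one()
            if extra is None:
                return None             # workload is at capacity
            room = [extra]
        target = max(room, key=lambda s: s.sessions)
        target.sessions += 1
        return target.name

    def end_session(self, name: str) -> None:
        srv = next(s for s in self.servers if s.name == name)
        srv.sessions -= 1
        if srv.draining and srv.sessions == 0:   # drain complete: safe to power off
            srv.draining = False
            srv.powered_on = False


def demo() -> dict:
    """Constructed scenario: one Static data collector plus three Managed servers."""
    wl = Workload([
        Server("DC01", preference=0, mode="Static", powered_on=True),
        Server("XA01", preference=10),
        Server("XA02", preference=5),
        Server("XA03", preference=1),
    ])
    wl.apply_setpoint(2)                          # daytime setpoint: two servers online
    placements = [wl.place_session() for _ in range(7)]
    wl.apply_setpoint(2)                          # evening setpoint: back to two (XA02 drains)
    draining = [s.name for s in wl.servers if s.draining]
    wl.end_session("XA02")                        # last session leaves; XA02 powers off
    online = [s.name for s in wl.servers if s.powered_on]
    return {"placements": placements, "draining": draining, "online": online}


if __name__ == "__main__":
    print(demo())
```

In the scenario the first six sessions are packed onto the two serving servers before the third, lower-preference server is powered on, and the later setpoint drains that server rather than cutting its live session.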
XenServer
Citrix XenServer is a virtualization platform that provides open and powerful server virtualization. XenServer can reduce datacenter costs by transforming static and complex datacenter environments into more dynamic, easy to manage server workload delivery centers. It is based on the open source Xen hypervisor and delivers a secure and mature server virtualization platform with near bare-metal performance.
XenServer Components
XenServer consists of the following components:

XenServer host: The software installed on a physical server that is dedicated entirely to hosting virtual machines. The XenServer host controls the interaction between the virtualized devices seen by VMs and the physical hardware.
XenCenter: The software used to manage the XenServer host. XenCenter can be installed on any system running a Windows operating system and can be used alongside other applications.

For more information on XenServer, see the product documentation on the http://support.citrix.com/proddocs/index.jsp web site.
Review
1. Which three components are included in XenApp? (Choose three.)
a. EdgeSight
b. NetScaler
c. XenDesktop
d. SmartAuditor
e. Single sign-on

2. Which statement about EasyCall voice services is true?
a. It is a virtual appliance that allows users to access applications using any phone.
b. It is a virtual appliance that enables users to place calls from business applications.
c. It is a virtual appliance that verifies the password of a user accessing a business application.
d. It is a virtual appliance that speeds up communication channels and replaces the PBX in an organization.

3. What are two benefits of SmartAuditor? (Choose two.)
a. Administrators can monitor sessions to aid in the compliance of regulatory policies.
b. Administrators can configure a Security Module to protect the data store database.
c. Administrators can configure policies to control which applications client devices can access.
d. Administrators can specify recording options based on the user, application or the XenApp server that is accessed.

4. For which purpose can Provisioning Services be used?
a. Secure ICA traffic
b. Host virtual machines
c. Provision physical and virtual desktops
d. Automate business and IT processes
Appendix A
a. The alternate IP address of a XenApp server is included in the client files.
b. The alternate IP address of a Secure Gateway server is included in client files.
c. The ALTADDR command is used to change the IP address of the Web Interface server.
d. The internal IP address of a XenApp server is mapped to the external IP address of the Web Interface server.
Answer: a
6. The Client for Java should be used in which two situations? (Choose two.)
a. A web browser does not exist on the client device.
b. Permanent installation of plug-in software is desired.
c. Permanent installation of plug-in software is not permitted.
d. A Java-compatible web browser exists on the client device.
Answer: c, d

7. When the Citrix online plug-in is used to access published applications, which statement is correct?
a. A XenApp Web site is required.
b. A XenApp Services site is required.
c. Pass-through authentication cannot be used.
d. A web browser is used to communicate with the Web Interface site.
Answer: a
a. Published resource properties cannot be modified.
b. Published resource properties can be modified at any time.
c. Published resource properties can be modified only when the resource is disabled.
d. Published resource properties cannot be modified when users are using the resource.
Answer: b
6. Which two statements about session sharing are true? (Choose two.)
a. Session sharing does not take precedence over load balancing settings.
b. All applications in a shared session must be published with the same settings.
c. Session sharing is a mode in which more than one hosted application runs on a single connection.
d. Session sharing is a mode in which more than one user can access the same hosted application in a single session.
Answer: b, c
Answer: d

5. An administrator must publish which file type to make a streaming application available to users?
a. .EXE
b. .MSI
c. .RAD
d. .PROFILE
Answer: d

6. Which two application types can be configured in a Web Interface site so that applications stream to the desktop of a client device? (Choose two.)
a. Online
b. Offline
c. Dual mode
d. Streamed to client
e. Streamed to server
Answer: b, c

7. An administrator wants users to be able to access applications installed on the XenApp server through the online plug-in and to access streaming applications when the users are offline. What must the administrator configure?
a. One XenApp Web site
b. One XenApp Services site
c. One XenApp Web site and one XenApp Services site
d. Two XenApp Web sites and two XenApp Services sites
Answer: b
5. Select the correct order in which policies are processed and applied.
a. Domain GPOs, Local GPOs, IMA-based policies, OU GPOs, Site GPOs
b. IMA-based policies, OU GPOs, Local GPOs, Site GPOs, Domain GPOs
c. Local GPOs, IMA-based policies, Site GPOs, Domain GPOs, OU GPOs
d. OU GPOs, Local GPOs, IMA-based policies, Site GPOs, Domain GPOs
e. Site GPOs, Domain GPOs, Local GPOs, OU GPOs, IMA-based policies
Answer: c
a. By using the Load Manager Monitor
b. By duplicating an existing load evaluator
c. By using the New > Add Load Evaluator menu option
d. By altering the rules in either the Default or Advanced load evaluator
Answer: b
6. An administrator can adjust load evaluator properties ____________. (Fill in the blank with the correct answer.)
a. At any time
b. At the time of creation only
c. For the Advanced load evaluator only
d. Only when the load evaluator is not being used
Answer: a
Answer: d

5. Which three statements are true concerning Session Reliability? (Choose three.)
a. HDX Broadcast Session Reliability reconnects the user without the loss of data.
b. HDX Broadcast Session Reliability resets the user connection upon session interruption.
c. HDX Broadcast Session Reliability reconnects the user without requiring re-authentication.
d. HDX Broadcast Session Reliability tunnels the ICA traffic through the Common Gateway Protocol (CGP) on port 1494.
e. HDX Broadcast Session Reliability tunnels the ICA traffic through the Common Gateway Protocol (CGP) on port 2598.
Answer: a, c, e
a. Worker group properties
b. Published application properties
c. Policies in the Delivery Services Console
d. Citrix Policies in Group Policy Management Console
Answer: d
2. Which statement about EasyCall voice services is true?
a. It is a virtual appliance that allows users to access applications using any phone.
b. It is a virtual appliance that enables users to place calls from business applications.
c. It is a virtual appliance that verifies the password of a user accessing a business application.
d. It is a virtual appliance that speeds up communication channels and replaces the PBX in an organization.
Answer: b

3. What are two benefits of SmartAuditor? (Choose two.)
a. Administrators can monitor sessions to aid in the compliance of regulatory policies.
b. Administrators can configure a Security Module to protect the data store database.
c. Administrators can configure policies to control which applications client devices can access.
d. Administrators can specify recording options based on the user, application or the XenApp server that is accessed.
Answer: a, d (SmartAuditor records and monitors sessions; it does not protect the data store database)

4. For which purpose can Provisioning Services be used?
a. Secure ICA traffic
b. Host virtual machines
c. Provision physical and virtual desktops
d. Automate business and IT processes
Answer: c
Appendix B
What else must the full administrator do to ensure that administrators can only manage the servers in their geographic region? Answer: The full administrator must grant permissions for the new folders to the appropriate regional custom administrators to ensure that the administrators in each location can administer only the servers in their location.
Authentication Configuration
Fill in the blanks to complete the following sentences.

1. A User Principal Name is a unique name in Windows Active Directory given to each user as an identifier and consists of a principal name and a domain name or domain alias.
2. When pass-through authentication is implemented, users do not need to enter their credentials to access their application set.
3. A smart card can be used to authenticate users to a Web Interface site.
4. An administrator can select Windows, NDS or NIS authentication for explicit logon to a Web Interface site.
5. When Novell Directory Services is selected for explicit authentication, a tree name and context name must be specified.
6. Both SafeWord and RSA SecurID two-factor authentication methods combine a token code and a PIN to create a passcode.
7. When Single sign-on is integrated with the Web Interface, the reset feature can be enabled to allow users to reset their network password.
Content Redirection
Match each scenario in the following table with the content redirection method that should be implemented. Each method is used once: server-to-client content redirection, client-to-server content redirection, published content with client-to-server content redirection.

Scenario: Once a month, a published version of a listing of employee events is made available to all employees. Because employees have a range of client devices, HR wants employees to view the document using a published application.
Method: Published content with client-to-server content redirection

Scenario: Alisha wants to access a published version of a web-based accounting tool using a web browser installed locally on her client device.
Method: Server-to-client content redirection

Scenario: The Operations team wants to view its weekly log reports (.XLS files) using a published version of Excel.
Method: Client-to-server content redirection
Printing Definitions
Match the printing policy rules in the following table to the correct terms.

Auto-creation: (e) A rule that controls the auto-creation of all, local, default or no client printers.
Printer properties retention: (c) A rule that controls whether printer properties are stored on the client device or in the user profile.
Turn off client printer mapping: (d) A rule that disables the mapping of all client printers.
Legacy client printers: (a) A rule that enables the use of old-style printer names as used by prior versions of XenApp.
Print job routing: (b) A rule that controls whether network printer jobs flow directly from the XenApp server to the print server or take an extra step and are routed back through the client device.
SSL Relay
Access Gateway
Glossary
Access Management Console
See Delivery Services Console.

account authority
The platform-specific source of information about user accounts used by a XenApp server; for example, a Windows NT domain, an Active Directory domain or Novell eDirectory.

anonymous user
An unidentified user granted minimal access to a server or farm and its published applications.

application set
The user's view of the published resources that the user is permitted to access.

authentication
The process of identifying a user, usually based on a user name and password. In security systems, authentication is distinct from authorization, which is the process of giving users access to system objects based on their identity. Authentication confirms the identity of the user but does not by itself determine the access rights of the user.

authentication service
A service available on a server running Citrix Access Gateway that issues access tokens for connection requests for resources available through a server farm. These access tokens form the basis of authentication and authorization for users connecting through Access Gateway.

authorization
The process of granting or denying access to a network resource. Most computer security systems are based on a two-step process. The first stage is authentication, which confirms the identity of the user. The second stage is authorization, which grants the user access to resources based on that identity.

auto-creation
See printer auto-creation.

automatic reconnect
The feature that automatically reconnects users running the Citrix online plug-in to their sessions when the connections are dropped as a result of network issues.

certificate
See digital certificate.

ciphersuite
When establishing an SSL/TLS connection, the client and server determine the set of ciphersuites (combinations of key exchange, encryption and integrity algorithms) that both support and then select one of them, according to the configured preference order, to protect the communications. Ciphersuites differ in speed, cryptographic strength and exportability; weak or legacy suites should be disabled on the server so that they can never be negotiated.

client device
Any hardware device capable of running the plug-in software.
Configuration Logging
A feature that tracks administrative changes made to the server farm and logs them to a logging database from which reports can be generated. Configuration Logging is available only with the Enterprise and Platinum Editions of XenApp.

connection control
The feature that allows administrators to set a limit on the number of connections that each user can have simultaneously in the farm. Administrators can also limit the number of concurrent connections to specified published applications and prevent users from launching more than one instance of the same published application.

content publishing
The feature that allows administrators to publish document files, media files, web URLs and any other type of file from any network location. Users double-click published content icons to access the content in the same way they access published applications.

content redirection
The feature that allows administrators to specify whether plug-ins open published content, applications, browsers or media players locally or remotely. There are two types of content redirection: server-to-client device and client device-to-server.

CPU prioritization
The feature that allows administrators to assign each published application in the server farm a priority level for CPU access. This feature can be used to ensure that CPU-intensive applications in the server farm do not degrade the performance of other applications.

custom administrator
An administrator who is subordinate to a full administrator. Custom administrators cannot set up other administrator accounts and have only a subset of the permissions that a full administrator has.

data store
An Open Database Connectivity (ODBC)-compliant database that stores persistent data for a farm. Examples of persistent data include configuration information about published applications, users, printers and servers. Each server farm has a single data store.

delegated administration
The feature that allows administrators to delegate areas of administration and farm management to IT staff. Administrators can assign specialized staff members to perform specific tasks such as managing printers, published applications or user policies. Specialized staff members can carry out their assigned tasks without being granted full management access to all areas of the farm. Full administrators are the only ones who are allowed to create or modify other administrator accounts.

digital certificate
A credential for a principal, such as a user or server. The certificate consists of the principal's public key, a digital signature from a certificate authority and other information. The digital certificate is used to authenticate the principal cryptographically and to secure communications between the principal and another entity.

disconnected session
A session in which the client device is no longer connected to the server but the applications in the session continue to run on the server. A user can reconnect to a disconnected session. If the user does not do so within a specified time-out period, the server automatically terminates the session.

display name
A name specified during the application publishing process that is used to identify a published resource.

FQDN
Fully qualified domain name.

full administrator
An administrator who has full access to all the administrative functions and features of the server farm.
ICA connection
The logical port used by a plug-in to connect to and start a session on a XenApp server. It is the active link established between a plug-in and a XenApp server.

ICA file
A text file (with the extension .ICA) containing information about an ICA connection. ICA files are written in Windows .INI file format and organize published application information in a standard way that plug-ins can interpret. When a plug-in receives an ICA file, it initializes a session running the application on the server specified in the file.

ICA protocol
The protocol that plug-ins use to format user input, such as keystrokes and mouse clicks, and address it to a server farm for processing. Server farms use it to format application output (display and audio) and return it to the client device.

ICA session
A connection between a plug-in and a XenApp server, identified by a specific user ID and ICA connection. The session consists of the status of the connection, the server resources allocated to the user for the duration of the session and any applications executing during the session. An ICA session normally terminates when the user logs off from the server.

ICACLIENT.ADM
The Group Policy Object template file used to configure the plug-in options and settings.

IMA encryption
A feature of XenApp that allows the administrator to automatically encrypt sensitive information that is housed in the IMA data store.

inter-isolation communication
A feature provided by the Streaming Profiler that allows individually profiled applications to communicate with each other when launched on the client device.

isolation environment
A feature of application streaming that allows published applications to run on the local client device without interfering with other applications running on the same device. An isolation environment is specific to the application and user session, regardless of whether the user streams the application to the local client device or the streamed application runs on a server.
license file
A digitally signed text-only file downloaded from MyCitrix.com that contains product licenses and the information the license server requires to manage the licenses.

license server
A shared or dedicated server installed with licensing software and, optionally, the License Administration Console. This server responds to requests for licenses for Citrix products. A license server can be shared among farms and can host licenses for more than one product.

load management
A feature of XenApp that enables management of application loads. When a user launches a published application that is configured for load management, that user's session is established on the most lightly loaded server in the farm, based on criteria an administrator can configure.

local application
An application installed on a local client device.

metric
One of a series of measurable items for a server or application. An administrator can select which metrics to monitor for a particular server.

migrate
A process in which an administrator manually moves a server farm from a legacy version of XenApp to a newer version of XenApp.

monitoring
The process of automatically checking the values of metrics on servers.

network printer
A shared printer object accessed through a network print server.

pass-through authentication
A feature that passes the Windows logon information to the XenApp server so that users can log on to sessions without re-entering credentials.
pass-through client
A plug-in installed on a XenApp server that allows users of older clients to use a new plug-in to connect to published resources.

policies
Citrix policies are a method of controlling connection settings for groups of users, client devices and servers. An administrator can use policies to apply selected settings, known as rules, to connections filtered by access type, specific users, client devices, IP addresses or servers. For example, a policy can apply one set of rules to connections from client devices in company headquarters and another set of rules to connections from loaner laptops provided to a roaming sales force.

print job
When a user prints a document, the data sent to the printer is known as a print job. Jobs are queued to the printer in a specific sequence, which the print spooler controls. This sequence is known as the print queue.

print queue
A sequential, prioritized list of the print jobs waiting to be printed. The spooler maintains this list for each printer object on the computer.

print server
A server that manages the communications between client devices and printers. In Citrix documentation, the term print server refers to a dedicated computer running a Windows server operating system and hosting a number of shared printers. Print servers provide client devices with the drivers they need to print, and store files, or print jobs, in a print queue until the printer can print them. A print server is a remote print spooler.

print spooler
The spooler is a Windows service that manages printer objects, coordinates drivers, allows printer creation, determines where print jobs are processed and manages the scheduling of print jobs. The print spooler also determines whether the printer prints each page as it receives it or waits until it has received all pages before printing the job. Typically, when a print job is spooled to a printer, the spooler loads the print job into a buffer. The printing device then retrieves the print job from the buffer when it is ready to print. By storing the job, the computer can perform other operations while printing occurs in the background.

printer auto-creation
The term auto-creation refers to the process XenApp uses to add printers (printer objects) at the beginning of sessions. When a user starts a session, by default, printer objects are created automatically in the session based on the printers on the client device. When the user ends the session, these printers are deleted, so that the printer objects do not persist on the XenApp server between sessions. The way in which the printers are auto-created is based on printing policy settings.

printer driver
The software program that lets the computer communicate with the printing device. This program converts the information to be printed into a language that the printing device can process. The printer driver also understands the device and job settings of the printing device and presents a user interface for users to configure the settings. In a Windows system, printer drivers are distinct from the software representation of printers.

printers
The software representation of a printing device. Computers must store information about printers so that they can find and interact with printing devices. The printer icons in the Control Panel > Printers panel display the software representation of the printers, not the printer drivers. Printer object is also used to refer to the software representation of a printing device.

printing device
In a XenApp printing context, the term printing device refers to the physical printer (that is, the hardware device to which print jobs are sent).

process
An instance of a program that is being executed.

published application
An application installed on servers in a XenApp server farm that is configured for multi-user access from plug-ins.

published content
A document, media clip, graphic or other type of file or URL published for access by users. Published content is opened by local applications on client devices.

redirection
The term redirection refers to redirecting client device resources to server sessions so that published applications or desktops have access to them. Redirection is often used to describe the process by which users can access local hardware devices, such as printers, hard drives, special folders, COM ports, TWAIN scanners, smart cards and digital cameras.

Resource Manager
Resource Manager (powered by EdgeSight technology) is a resource management solution for Citrix XenApp, Enterprise Edition. It monitors user sessions and server performance in real time, allowing administrators to quickly analyze, resolve and proactively prevent problems. The main components are the agents, the server and an administration and reporting console.

schema
A description of a database to a database management system (DBMS) in the language provided by the DBMS. A DBMS handles requests for database actions and permits control of security and data integrity requirements.

seamless window
One of the settings available for the window size of a published application. If a published application runs in a seamless window, the user can take advantage of all the client platform's window management features, such as resizing and minimizing.

Secure Gateway
A component that provides a secure, encrypted channel for ICA traffic over the Internet using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) between clients and the Secure Gateway. The Secure Gateway provides a single point of encryption and access to server farms.
server
A server on which XenApp software is running. An administrator can publish applications, content and desktops on these servers for remote access by plug-ins.

server farm
A group of servers running XenApp, managed as a single entity, with some form of physical connection and an IMA-based data store.

server group
A group of servers used for easier application deployment on target servers.

session ID
A unique identifier for a specific ICA session on a XenApp server.

shadowing
A feature that enables an authorized user to remotely join or take control of another user's session for diagnosis, training or technical support.

transform file
A database file that modifies an MSI package. The transform file modifies instructions about how the package is installed; for example, to enable an application to run in a Remote Desktop Services environment.

UAC
User Account Control. A security feature of Windows Vista and Windows Server 2008.

universal printer
See Citrix Universal Printer.

universal printing
A term that refers to a printing solution that uses the Citrix universal printers.

upgrade
A process by which an administrator moves from one version of XenApp to another, newer version. The farm must be using an earlier version of Presentation Server or XenApp that is compatible with the upgrade path to the newest version; otherwise, the administrator must migrate the server farm. Often, the term upgrade denotes using an installation wizard to move to the newer version.

zone
A logical grouping of XenApp servers. All servers in a zone communicate with the server designated as the data collector for the zone. Citrix recommends limiting the number of zones in a farm and using them only for different geographic sites across a WAN.
Index
A
Access Gateway 37, 47, 118, 156, 193, 448, 454, 456, 460 Advanced Access Control 156, 193 communications 456 deployment scenarios 454 description 37 SmartAccess 460 VPX 47 Active Application Monitoring (AAM) 479 Active Directory 37, 49 group policy integration 37 Active Directory Federation Services (ADFS) 120 ActiveX control 176 activity library 489 administrative utility 49 administrators account permissions 96 creating 96 delegating 103 disabling accounts 98 folder permissions 101 permissions 100 Adobe Flash 352, 368 alert rule 488 anonymous logon 147 App-V support 37 application delivery troubleshooting issues 207 application isolation environment 224 application set 191 application streaming App-V 219 App-V integration 214 application caching 214 capabilities 214 central application updates 214 Citrix offline plug-in 220 components 216 configuring sites 253 Dazzle 246 delivery method 245 Differential synchronization of updated profiles 214 digital signature 232 dual mode streaming 214 enable user updates 223 force 327 inter-isolation communication 214 isolation environments 214 application streaming (continued) local system resource usage 214 offline access 214, 255 offline license 255 process 218 profile 222 Profiler 222, 223 installing 223 profiling process 222 Profiler 222 publishing 249 security settings 223 streaming to servers applications dual mode 248 online 248 troubleshooting 260 Windows Services isolation 214, 231 applications importance 200 publishing to worker groups 94 authentication explicit 148 Microsoft Windows domain 149 NIS (UNIX) 149 Novell Directory Services (NDS) 149 pass-through 148, 160 pass-through with smart card 160 smart card 148, 160 automation workflow 491
B
benefits 27, 349, 454, 502, 512, 515 Access Gateway 454 Citrix certification 27 Citrix training 27 Power and Capacity Management 515 Provisioning Services 512 SmartAuditor 502 Branch Optimization 509, 510 components 509 process 510
C
certificate
    Access Gateway requirements 458
    certificate authority (CA) 453, 457
    root certificate 457
    server certificate 457
    Trusted Root Certification Authorities 458
certificate, course completion 30
Certification Manager 28
Citrix Access Gateway 448
Citrix Branch Repeater
    description 37
Citrix certification
    benefits 27
Citrix Dazzle 37, 379
    description 37
Citrix EdgeSight
    description 37
Citrix ICA Listener Configuration (CtxICACfg.exe) tool 272
Citrix License Server 479
Citrix Merchandising Server 365, 377
Citrix offline plug-in 216, 220, 221, 225
    application streaming 216, 220
    cache
        CLIENTCACHE.EXE 221
    installation 221
    web browser 220
Citrix online plug-in 147, 216
    application streaming 216
Citrix online plug-in for Mac 387, 388
    installing 388
    system requirements 387
Citrix online plug-in for Windows 385, 386
    installing 386
    system requirements 385
Citrix plug-ins 48, 382
Citrix Print Manager Service 396, 398
Citrix Profile management 364, 365, 366
Citrix Receiver 37, 375, 376, 377, 379, 391
    Dazzle 379
    description 37
    for Macintosh 376
    for Windows 375
    Merchandising Server 377
    requirements 375, 376
    troubleshooting 391
Citrix Receiver for Linux 389, 390
    installing 390
    system requirements 390
Citrix resources 28
Citrix Single sign-on 149, 156, 505
Citrix SSL Relay 112
Citrix Streaming
    description 37
Citrix Streaming Profiler (Profiler) 216
Citrix Streaming Service 218
Citrix training
    benefits 27
Citrix Universal Printer 405, 425, 426
    configuring 426
Citrix Universal Printer Driver 422
Citrix Web Interface Management console 124, 125, 126, 127, 128
Citrix XenApp Provider 48
Citrix XenDesktop 188
Citrix XenServer 519
Citrix XML Service 113, 161, 171, 172, 448, 451
Citrix XML traffic 454
Client audio redirection policy 345
Client Deployment option 146
client drive mapping 195
Client for Java 140, 141, 143, 388, 389
    deploying 389
    system requirements 389
client IP 250
client printing pathway 411, 413
command-line tool 495
commands
    CTXKEYTOOL 105
    Get-CtxConfigurationLogReport 105
Common Gateway Protocol 342
compression
    Adobe Flash 352
    images 357, 359, 360
    lossy image compression 357, 360
    multimedia 349, 350
concurrent user license 57
CONFIG.XML 122, 123, 124, 175
Configuration Logging 105, 106, 107
    configuring 106
    creating the database 105
    database 105, 106
    enabling 107
configuring
    administrative permissions 96, 98
    Citrix Profile management 365, 366
    Configuration Logging 105
    Configuration Logging database 105, 106
    display settings 339
    folder permissions 101
    HDX 3D Image Acceleration 357
    HDX 3D Progressive Display 360
    HDX Broadcast Session Reliability 342
    HDX MediaStream for Flash 352
    HDX MediaStream Multimedia Acceleration 350
    HDX Plug-n-Play 347
    HDX RealTime 344
    SpeedScreen Latency Reduction 355
    SSL Relay 453
    Web Interface 464
    worker groups 94
Connected Users screen 204
considerations
    HDX Broadcast Session Reliability 342
    HDX Plug-n-Play 348
    HDX RealTime 345
content redirection
    client-to-server 194
    file type association 194
    server-to-client 194
course
    certificate, emailing 30
    certificate, printing 30
    certificate, saving 30
    completion certificate 30
    evaluation 30
    materials 21
    outline 23
    prerequisites 22
    survey 30
CPSVC.EXE 396, 398
CPU priority level 193
creating
    administrator account 96
    configuration log report 105
    Configuration Logging database 105
Ctx_cpsvcuser 398
CTXKEYTOOL 105
CTXXMLSS 112, 172
D
data collection 482
data collector 42, 45, 310, 312
    description 42
    election 45
data store 42, 43
data store database
    description 42
database
    Configuration Logging 105, 106
    Microsoft SQL Server 105, 106
    Oracle 105, 106
database size estimation tool 482
Dazzle 375, 377, 379, 380
    Citrix Receiver 375
    communications 380
    Merchandising Server 377
delegating administrator accounts 103
delivering plug-ins 383
Delivery Services Console 48, 49, 105, 106, 189, 204, 205, 219, 220, 239, 411, 493, 495
    published resource information 204
deploying
    Access Gateway 454
    Client for Java 389
Desktop Delivery Controller 189
Direct access 165
direct connections 411
Directory Browsing 247
disabling IMA encryption 105
display settings 338, 339
    enabling 339
DMZ 454
Domain field 151
E
EasyCall
    description 37
EasyCall voice services 507
    components 507
    process 507
EdgeSight 47, 58, 61
EdgeSight Script Host (RSSH) 482
emailing course certificate 30
enabling
    Configuration Logging 107
    display settings 339
    HDX 3D Image Acceleration 357
    HDX 3D Progressive Display 360
    HDX Broadcast Session Reliability 342
    HDX MediaStream for Flash 352
    HDX MediaStream Multimedia Acceleration 350
    HDX Plug-n-Play 347
    HDX RealTime 344
    ICA Proxy mode 460
    IMA encryption 105
    SpeedScreen Latency Reduction 355
encryption 193
evaluating course 30
exam registration 28
Extended end-user experience monitoring (EUEM) 479
F
file share 247
file type association 194, 195
filtering policies
    worker groups 95
Flash acceleration 352
Flash server-side content fetching whitelist 352
Flash URL blacklist 352
folder redirection 364
folders 191
G
Get-CtxConfigurationLogReport 105
Group Policy Management Console 161, 172, 220, 365, 366, 411
H
HDX 3D Image Acceleration 357
    enabling 357
HDX 3D Progressive Display 359, 360
    enabling 360
HDX Broadcast Session Reliability 341, 342
    considerations 342
    enabling 342
    proxy 342
HDX MediaStream for Flash 352
    enabling 352
HDX MediaStream Multimedia Acceleration 349, 350
    benefits 349
    enabling 350
HDX Plug-n-Play 346, 347, 348
    considerations 348
    enabling 347
HDX RealTime 343, 344, 345
    considerations 345
    enabling 344
Health Assistant
    description 37
health monitoring and recovery 476
hosted application 203
I
ICA encryption 451
ICA Client Printer Configuration tool 403
ICA Pass-through 345, 348
ICA session 194
ICACLIENT.ADM 158, 159
icons 191
IMA 44
    service 44
images
    compression 357, 359, 360
    HDX 3D Image Acceleration 357
    HDX 3D Progressive Display 359
incremental method 316
Independent Management Architecture (IMA) 44
indirect permission 255
installation
    Citrix offline plug-in 221
Installation Manager
    description 37
installation prerequisites 77
installing
    Citrix online plug-in for Mac 388
    Citrix online plug-in for Windows 386
    Citrix Profile management 365
    Citrix Receiver for Linux 390
    Profiler 223
inter-isolation communication 229
Internet Information Services (IIS) 454
isolation environment 222, 241
K
Kerberos 118
L
license 257
License Administration Console 42, 48
license monitoring 487
license server 42, 61, 65, 66, 68, 71, 72, 96
    dedicated 66
    description 42
    shared 66
License Server Configuration tool 65
license upgrade 58
licensing components 56
linked profile 229, 230
load balancing 37, 45, 203
    description 37
load balancing policies 324, 325
    creating 325
Load Balancing policy 245
load evaluator 309, 312, 318, 320, 321, 322
    Advanced load evaluator 318
    assigning 322
    Boolean 312
    configuration 318
    creating custom 320
    Default load evaluator 318
    Incremental 312
    load throttling 312
    Moving average 312
    Moving average compared to high threshold 312
    thresholds 321
Load Manager 47, 308, 309, 310, 312, 313, 314, 316, 329, 332
    benefits 308
    definition 308
    load balancing process 310
    load calculation 312
    load evaluator 312
    Preferential Load Balancing 329
    troubleshooting 332
local host cache 44
Local Text Echo 355
local user profiles 363
lossy 357, 360
M
mandatory user profiles 363
manifest file 239, 247
Master File Table (MFT) 366
Merchandising Server 221, 375, 377, 378, 379, 391
    architecture 378
    Citrix Receiver 375
    Dazzle 379
    troubleshooting 391
MFCOM 49
Microsoft
    Active Directory Services 221
    Application Virtualization for Remote Desktop Services 219
    client access licenses (CALs) 58, 59
    Desktop Optimization Pack (MDOP) 219
    Development Network (MSDN) 219
    MSI utility 65
    System Center Configuration Manager 2007 221
    Terminal Services 58, 59
    Visual C++ 2008 Redistributable 65
    Windows Server 2008 R2 58, 59
Microsoft Active Directory Federation Services 118
Microsoft Management Console (MMC) 48
Microsoft Office Communicator 343, 345
    Office Communications Server 345
Microsoft SQL Server 43, 105, 106, 517
Microsoft SQL Server Reporting Services 517
Microsoft Windows domain authentication 149
Microsoft Windows user profile 363
MMC snap-in 517
Mouse Click Feedback 355
multimedia compression 349, 350
MyCitrix.com 68, 69
N
native plug-in 140, 141, 143
Network Address Translation 163
Network Address Translation (NAT) 448
network file share 250
network printing pathway 411
NIS (UNIX) authentication 149
no-disconnected-sessions policy 136
Novell Directory Services (NDS) authentication 149
O
offline plug-in 256
online plug-in 191, 195, 341, 343
Operating System User Selector 256
Oracle 43, 105, 106
P
pass-through authentication 176
password 156
Pearson VUE 28
permissions
    administrator accounts 100
    folder 101
plug-ins
    Citrix online plug-in for Mac 387
    Citrix online plug-in for Windows 385
    Citrix Receiver for Linux 389
    Client for Java 388
    delivery 383
    supported 382
    troubleshooting 391
policies
    application process 271
    Citrix Group Policy Modeling wizard 303
    evaluation 271
    filtering 95, 301
    GPUPDATE /FORCE 271
    Group Policy architecture 269
    Group Policy extensions 268
    group policy results 303
    IMA-based 267
    load balancing 324
    Microsoft Active Directory 266
        Advanced Group Policy Manager (AGPM) 266
        Group Policy engine 266
        Group Policy Management Console (GPMC) 266
        Group Policy Objects (GPOs) 266
    modeling 303
    precedence exceptions 274
    priorities 274
    processing and precedence 272
    rules 276
    shadowing and encryption settings 274
    troubleshooting 303
policy 197, 406, 408, 426, 429, 431, 437, 439
    auto-create client printers 406
    Auto-create generic universal printer 426
    default printer 431
    printer properties retention 437
    printing bandwidth 439
    session printers 408, 429
    universal driver 426
    universal driver priority 426
    Universal printing preview preference 426
ports
    1494 342
    2598 342
    27000 62
    389 378
    443 112, 378, 453
    7279 62
    80 112
    8082 62
Power and Capacity Management
    components 517
    control modes 515
    description 37
    load consolidation 516
    Power and Capacity Management farm 515
    Power Management 516
    power setpoints 517
    workloads and profiles 515
power consumption 515
PowerShell SDK 493
Preferential Load Balancing 200
PRINTCFG.EXE 403
printer
    auto-creation 402, 404, 405, 406, 407
        asynchronous 407
        Citrix Universal Printer 405
        client printer 405
        controlling client printer 406
        synchronous 407
    driver installation 417
    driver management 421
    driver mapping 419
    drivers 416
    network printer provisioning 402
    retained 403
    user self-provisioning 402, 403
printer driver
    Citrix universal print driver 416
    Citrix XPS Universal Printer Driver 422
    native 416
    OEM 416
printer type
    local 397
    network 397
    redirected client 397
printers
    default 431
    network 429, 430
    properties 437
printing
    bandwidth 439
    Citrix universal printing 422
    concepts 396
    course certificate 30
    Ctx_cpsvcuser 398
    default behavior 400
    definition
        Citrix Print Manager Service (CPSVC.EXE) 396
        default printer 396
        despooling 396
        device settings 396
        document settings 396
        legacy printer names 396
        network print server 396
        print queue 396
        printer driver 396
        printer object 396
        printing device 396
        proximity printing 396
        rendering 396
        restored printers 396
        retained printers 396
        spooler 396
        spooling 396
    device settings 435
    preferences 435, 436
    print preview 424
    printer initialization 193
    security 398
    troubleshooting 442
printing pathway
    client printing pathway 408, 412, 414, 415
    network printing pathway 408, 409, 410
profile
    adding target 228
    advanced install 233
    creating 223
    deleting target 228
    linked 229
    preference settings 232
    properties 233
    quick install 233
    security settings 223
    system requirements 232
profile directory 230
Profile management
    description 37
profile manifest file 225
Profiler 223
profiling known limits 238
Prohibit User Installs 141
Prometric 28
Provisioning Services 37, 512, 514
    components 514
    description 37
proximity printing 432, 434
    configuring 434
proxy server 167
Publish Application Wizard 201
published resources
    appearance 202
    application 183
    content 183
    desktop 183
    information 204
    limits 200
    organizing 191
publishing resources
    advanced configurations 182, 193, 202
    assigning servers 185
    assigning worker groups 185
    basic configurations 182
    command line 184
    location 184
    name 184
    phases 182, 193
    settings 186
    streamed applications 249
    user access 185, 186
    worker groups 94
    working directory 184
R
RADEDEPLOY.EXE 259
RADERUN utility 218
reallocating 66
registering
    exams, for 28
Remote Authentication Dial-in User Service (RADIUS) 153
Remote Desktop Connection (RDP) 140
resource allotment 329
Resource Manager 47
roaming user profiles 363
S
saving course certificate 30
Secure Gateway 163, 165, 166, 459
Secure Sockets Layer (SSL) 61
Secure Ticket Authority (STA) 456
SecureICA 448, 450
security
    Access Gateway 454
    access to hosted applications 459
    best practices 467
    Citrix Access Gateway 448
    ICA Proxy mode 460
    SecureICA 448, 450
    SmartAccess 460
    SSL Relay 448, 451
    troubleshooting 468
    Web Interface 463
server farms 43, 46
    mixed 46
    multiple 43
server ranking 45
server-side ticketing 176
Service Control Manager 231
Service monitoring 487
session printers 429
session sharing 309, 329
settings
    display settings 339
    HDX 3D Image Acceleration 357
    HDX 3D Progressive Display 360
    HDX Broadcast Session Reliability 342
    HDX MediaStream for Flash 352
    HDX MediaStream Multimedia Acceleration 350
    HDX Plug-n-Play 347
    HDX RealTime 344
    SpeedScreen Latency Reduction 355
    Web Interface 464
Single sign-on 37, 505, 506
    authentication process 506
    components 505
    description 37
Smart Access
    description 37
SmartAccess 460
SmartAuditor 37, 502, 503, 504
    components 503
    description 37
    recording process 504
SmoothRoaming 432
SpeedScreen Latency Reduction 355
    enabling 355
SpeedScreen Latency Reduction Manager tool 355
SSL certificates 451
SSL Relay 448, 451, 452, 453, 454
    communication 452
    configuring 453
SSL VPN appliance 454
streamed application 225, 251
    properties 251
streaming video 344
streaming application 256
streaming application profile 244
Suite Monitoring and Alerting (SMA) 479
survey, course 30
T
target
    adding to profile 228
    criteria 225
    definition 224
    deleting 228
    environment 223
    multiple operating systems 228
    properties 239
    upgrading applications 243
target directory structure 244
temporary user profiles 363
tracking certification progress 28
training resources 28
troubleshooting
    Adobe Flash 368
    application delivery issues 207
    application streaming 260
    Citrix Receiver 391
    load management 332
    Merchandising Server 391
    plug-ins 391
    policies 303
    printing 442
    security 468
    USB device 368
    user experience 368
    user profiles 368
Trust XML 161
U
Universal Printer Driver
    Citrix Print Previewer 424
    Enhanced MetaFile (EMF) 423, 424
URL
    embedded 197
USB devices 346, 347, 348, 368
user access
    anonymous accounts 185
    configured accounts 185
User Access Control (UAC) 238, 415
User Principal Name (UPN) 151
user profile
    security settings 232
user profiles 363, 364, 365, 366, 368
    folder redirection 364
    local 363
    mandatory 363
    Microsoft Windows user profile 363
    Profile management 364, 365, 366
    roaming 363
    temporary 363
V
video conferencing 344
Virtual Desktop Agent 189
VM hosted apps 37, 188, 189
    components 189
    description 37
VM Hosted Apps Console 189
W
WAN optimization 509
Web Interface 37, 42, 112, 161, 188, 221, 253, 254, 454, 463, 464
    access methods 463
    client routes 464
    description 37, 42
    ports 112
    security 463
    servers 42
    settings 464
    streaming applications 253
    VM hosted apps 188
Web Interface Management console 117, 118, 122, 132, 138, 168, 169, 171, 172, 174, 175
Web Interface ticket 174
WEBINTERFACE.CONF 118, 124, 125, 175
white list 231
Windows Services isolation 231
worker group preference list 95
worker groups 42, 94, 95
    description 42
    filtering policies 95
    prioritizing 95
    publishing resources 94
    worker group preference list 95
Workflow Studio
    activity library definition 489
    description 37
    job definition 489
    overview 489
    workflow automation 491
    workflow definition 489
workspace control 135, 432
X
XenApp
    components 42
    features 37
    installing 43
    primary architectural components 41
    servers 42
XenApp Server Roles Manager 116
XenApp Services site 119, 121, 131, 148, 150, 157, 158, 159, 169, 253
    authentication 148, 150, 157, 158, 159
        explicit 150, 157
        pass-through 158
        smart card 159
    session preferences 131
    streaming applications 253
XenApp session
    display settings 338, 339
    HDX 3D Image Acceleration 357
    HDX 3D Progressive Display 359
    HDX Broadcast Session Reliability 341
    HDX MediaStream for Flash 352
    HDX MediaStream Multimedia Acceleration 349
    HDX Plug-n-Play 346
    HDX RealTime 343
    passwords 505
    recording 502, 504
    SpeedScreen Latency Reduction 355
    USB devices 346, 347
    user profiles 363, 364, 365, 366
XenApp Web site 121, 131, 133, 146, 148, 150, 157, 158, 159, 169
    authentication 148, 150, 157, 158, 159
        explicit 150, 157
        pass-through 158
        smart card 159
    client deployment 146
    session preferences 131
XenServer 519
    components 519
Z
zone 45
zones 42, 45, 46, 47
    default 47
    description 42
    optimal configuration 47
    sharing data across 47
851 West Cypress Creek Road, Fort Lauderdale, Florida 33309, USA | (954) 267 3000 | www.citrix.com
Rheinweg 9, 8200 Schaffhausen, Switzerland | +41 (0) 52 63577 00 | www.citrix.com
Copyright 2010 Citrix Systems, Inc. All rights reserved.
The following label contains the voucher code needed to access the online student resources.