PCoIP Proxy – NetScaler Gateway 12 / Citrix Gateway 12.1

Last Modified: Dec 22, 2018 @ 8:47 am

Change Log

  • 2018 Dec 22 – renamed NetScaler Gateway to Citrix Gateway
  • 2018 Oct 7 – updated screenshots for Citrix Gateway 12.1

Overview

NetScaler Gateway 12.0 and Citrix Gateway 12.1 and newer support the PC-over-IP (PCoIP) protocol, which is the remote display protocol for several non-Citrix VDI solutions, including VMware Horizon. PCoIP is analogous to Citrix HDX/ICA protocol, and Microsoft RDP protocol. PCoIP uses UDP port 4172.

  • VMware Blast is currently not supported

When PCoIP is proxied through Citrix Gateway, Citrix Gateway can replace the traditional PCoIP remote access solutions, like Horizon Security Server, or VMware Unified Access Gateway.

Prerequisites

  • NetScaler Version – NetScaler 12.0 or newer.
    • Build 51 and newer for NAT
  • NetScaler Edition – PCoIP Proxy is available in all NetScaler Editions
  • Universal Licenses – PCoIP Proxy uses the Clientless Access feature of Citrix Gateway, which means every Citrix Gateway connection must be licensed for Citrix Gateway Universal. On the Citrix Gateway Virtual Server, ensure ICA Only is unchecked.
  • Horizon infrastructure – A functioning internal Horizon infrastructure. Ensure you can connect to Horizon Agents internally without Citrix Gateway.
    • Ensure that the Horizon HTTP(S) Secure Tunnel and PCoIP Secure Gateway are not enabled on the Horizon Connection Servers that NetScaler will proxy connections to.
    • Configure Desktop Pools and RDS Farms to use PCoIP as the default protocol.
  • Firewall Ports:
    • TCP 4172, UDP 4172, and TCP 443 open from Horizon Clients to the Citrix Gateway VIP.
    • TCP 4172, and UDP 4172 open from the NetScaler SNIP to all internal Horizon Agents.
  • Certificate – A valid certificate for the Citrix Gateway Virtual Server.
  • Authentication – An LDAP authentication policy/server.
  • Unified Gateway (optional) – If Unified Gateway, create the Unified Gateway before adding PCoIP functionality.
  • RfWebUI Portal Theme – For web browser access to Horizon, the Citrix Gateway Virtual Server must be configured with the RfWebUI theme.
  • Horizon Client – The Horizon Client must be installed on the client device, even if accessing Horizon published icons using the NetScaler RfWebUI portal.

PCoIP Profile

To create the PCoIP Profile:

  1. In the NetScaler management GUI, navigate to Citrix Gateway > Policies > PCoIP.
  2. On the right, in the PCoIP Profiles and Connections pane, you will create a VServer profile and a PCoIP profile.
  3. To create a VServer profile, on the VServer Profiles tab, click Add.

    1. Enter a name for the VServer profile. The only purpose of the VServer Profile is to specify the Active Directory domain name so name it accordingly.
    2. Enter an Active Directory Domain Name that will be used for Single Sign-on to Horizon Connection Server, and then click Create.
    3. Note: only a single Active Directory domain is supported per NetScaler Gateway Virtual Server. Also, the domain name specified here is displayed in the Horizon Client.
  4. To create a PCoIP profile, on the Profiles tab, click Add.

    1. Enter a name for the PCoIP Profile. The PCoIP Profile specifies the internal DNS name for Horizon so name it accordingly.
    2. Enter the internal connection URL for the internal VMware Horizon View Connection Servers, and then click Create. NetScaler SNIP needs to be able to connect to this URL.

Session Policy/Profile

To create or edit a Session Policy/Profile that has PCoIP Proxy enabled:

  1. Navigate to Citrix Gateway > Policies > Session.
  2. On the right, select the Session Profiles tab.
  3. On the NetScaler Gateway Session Policies and Profiles page, create or edit a NetScaler Gateway Session Profile.
    1. To create a NetScaler Gateway session profile, click Add, and provide a name.
    2. To edit a NetScaler Gateway session profile, select the profile, and click Edit.
  4. On the Client Experience tab, ensure that the Clientless Access value is set to On.
  5. On the Security tab, ensure that the Default Authorization Action value is set to ALLOW.
  6. On the PCoIP tab, select the required PCoIP profile. Note: you can also create or edit PCoIP Profiles from this tab.
  7. Click Create or OK to finish creating or editing the Session Profile.
  8. If you created a new Session Profile, then you must also create a corresponding Session Policy.
    1. Navigate to Configuration > Citrix Gateway > Policies > Session.
    2. On the right, select the Session Policies tab.
    3. Click Add.
    4. Provide a name for the Session Policy, and select the required session profile name from the Profile drop-down.
    5. In the Expression area, type true (Default Syntax, or Advanced Policy), and then click Create.

Gateway Virtual Server

Bind the created PCoIP VServer profile and Session Policy to a Citrix Gateway Virtual Server:

  1. Go to Citrix Gateway > Virtual Servers.
  2. On the right, either Add a new Citrix Gateway Virtual Server, or Edit an existing Citrix Gateway Virtual Server.
  3. If you are editing an existing Citrix Gateway Virtual Server, in the Basic Settings section, click the pencil icon.
  4. For both adding and editing, in the Basic Settings section, click More.
  5. Use the PCoIP VServer Profile drop-down to select the required PCoIP VServer Profile.
  6. Scroll down and ensure that ICA Only is unchecked. Then click OK to close the Basic Settings section.
  7. If you are creating a new Citrix Gateway Virtual Server, bind a certificate, and bind an LDAP authentication policy.
  8. Then scroll down to the Policies section and click the plus icon.
  9. The Choose Type page defaults to Session and Request. Click Continue.
  10. In the Policy Binding section, click on Click to select.
  11. Click the radio button next to the required Session Policy that has the PCoIP Profile configured, and then click the blue Select button at the top of the window.
  12. Back in the Policy Binding page, click Bind.
  13. If you want to use a web browser to connect to VMware Horizon, then on the right, under Advanced Settings, add the Portal Themes section. If you are only using Horizon Client to connect to Citrix Gateway, then you don’t need to perform this step.

    1. Use the Portal Theme drop-down to select RfWebUI, and click OK.
    2. Horizon published icons are added to the RfWebUI portal.
  14. To enable support for NAT, SSH to the NetScaler to access the CLI.
    1. Run the command set vpn vserver MyVserverName -vserverFqdn MyFQDN. This causes NetScaler to send the FQDN back to the Horizon Client, which enables it to connect to the public IP instead of the DMZ private IP address. Unfortunately, this setting is not available in the NetScaler GUI.

Horizon Configuration

  1. In Horizon Administrator, go to View Configuration > Servers. Edit the Horizon Connection Server that Citrix Gateway connects to.

    1. On the General tab, uncheck PCoIP Secure Gateway.
    2. In Citrix Gateway 12.1 build 49 and newer, to enable USB Redirection, enable the HTTP(S) Secure Tunnel and enter the external FQDN for Citrix Gateway.
    3. Click OK when done.
  2. At Resources > Farms, edit your RDS Farms.

    1. Set the Default display protocol to PCoIP.

Update Content Switching Expression for Unified Gateway

If your Citrix Gateway Virtual Server is behind a Unified Gateway (Content Switching Virtual Server), then you must update the Content Switching Expression to include the PCoIP URL paths.

  1. In the NetScaler GUI, navigate to Configuration > Traffic Management > Content Switching > Policies.
  2. On the right, select the Unified Gateway Content Switching Policy, and then click Edit.
  3. Append the following expression under the Expression area, and then click OK.
    || http.req.url.path.eq("/broker/xml") || http.req.url.path.eq("/broker/resources") || http.req.url.path.eq("/pcoip-client")

Use Citrix Gateway PCoIP Proxy

  1. To connect, you must have Horizon View Client installed on the client device. Once installed, you can either use the Horizon View Client’s User Interface to connect to Citrix Gateway, or you can use the Citrix Gateway RfWebUI portal page to view the icons published from Horizon.
  2. To view the active PCoIP connections, in NetScaler, go to Citrix Gateway > Policies > PCoIP.
  3. On the right, switch to the Connections tab. The active sessions are displayed with the following data: user name, Horizon View Client IP, and Horizon View Agent Destination IP.
  4. To terminate a connection, right-click the connection, and click Kill Connection. Or click Kill All Connections to terminate all PCoIP connections.

CLI Commands

Here are CLI Commands for the configuration shown above.

add ssl certKey WildcardCorpCom -cert WildcardCorpCom.pfx -key WildcardCorpCom.pfx -inform PFX -passcrypt "abc"

add authentication ldapAction AD01 -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn ctxsvc@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL
add authentication ldapPolicy AD01 ns_true AD01

add vpn pcoipVserverProfile corp -loginDomain corp
add vpn pcoipProfile vcs01 -conServerUrl "https://vcs01.corp.local"

add vpn sessionAction VPN -defaultAuthorizationAction ALLOW -clientlessVpnMode ON -pcoipProfileName vcs01
add vpn sessionPolicy VPN true VPN

add vpn vserver VPN SSL 10.3.3.13 443 -downStateFlush DISABLED -Listenpolicy NONE -vserverFqdn vpn.corp.com -pcoipVserverProfileName corp

bind vpn vserver VPN -portaltheme RfWebUI
bind vpn vserver VPN -policy AD01 -priority 100
bind vpn vserver VPN -policy VPN -priority 100 -gotoPriorityExpression NEXT -type REQUEST -urlName RDP
bind ssl vserver VPN -certkeyName WildcardCorpCom

EUC Weekly Digest – July 29, 2017

Last Modified: Nov 7, 2020 @ 6:34 am

Here are some EUC items I found interesting last week. For more immediate updates, follow me at http://twitter.com/cstalhood.

For a list of updates at carlstalhood.com, see the Detailed Change Log.

Native One Time Passwords (OTP) – NetScaler Gateway 12 / Citrix Gateway 12.1

Last Modified: Oct 17, 2024 @ 12:50 pm

Overview

NetScaler Native OTP lets you enable two-factor authentication without purchasing any other authentication product. A typical configuration uses Google Authenticator to generate Passcodes. See the following for an overview:

Here are some notes:

  • NetScaler Native OTP is part of nFactor, and thus requires Citrix ADC Advanced Edition (aka NetScaler Enterprise Edition) or Citrix ADC Premium Edition (aka NetScaler Platinum Edition) licensing. NetScaler ADC Standard Edition licensing is not sufficient.
  • Workspace app 1809 and newer with Citrix Gateway (NetScaler) 12.1 build 49 and newer support nFactor authentication. Older Receivers and older NetScalers don’t support it, so you’ll instead have to use a web browser.  💡
  • Citrix Gateway VPN Plug-in 12.1 build 49 and later support nFactor when authenticating using the VPN Plug-in.  💡
  • nFactor requires an AAA vServer, which can be non-addressable – you don’t need any additional public IPs.
  • OTP stores device enrollment secrets in an Active Directory attribute that accepts Strings. Citrix’s documentation uses the userParameters Active Directory attribute.
    • The LDAP bind account must have permission to modify this attribute on every user.
  • Users can enroll multiple devices. There’s no way to prevent this.
  • The manageotp website is usually only protected by single factor authentication. Since users can add multiple devices, the manageotp website must be protected from external access.
  • Christian in the comments indicated that Microsoft Authenticator also works. Click on plus sign -> other (Google,…).

Here are the OTP configuration objects:

  • Make sure NTP is configured on the NetScaler. Accurate time is required.
  • An LDAP Policy/Server with authentication disabled and OTP Secret configured. This one OTP-specific LDAP Policy/Server can be used for two scenarios:
    • manageotp device enrollment
    • Two-factor authentication to NetScaler Gateway after a device has been enrolled. This LDAP Policy/Server verifies the entered passcode.
  • An LDAP Policy/Server with authentication enabled. This one policy is used for two scenarios:
    • Single-factor authentication to the manageotp authenticator/device enrollment website.
    • Two-factor authentication to NetScaler Gateway after a device has been enrolled.
  • A single non-addressable AAA vServer with two Login Schemas for the following scenarios:
    • A single-factor Login Schema for manageotp.
    • A dual-factor Login Schema for NetScaler Gateway authentication.
  • An Authentication Profile to link the AAA vServer to the NetScaler Gateway vServer.

LDAP Policies/Actions

  1. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP.
  2. On the right, click Add.

    1. Create a normal LDAP Server if you don’t have one already. This one has Authentication enabled. This LDAP Policy/Server will be used for single-factor authentication to the manageotp website, and for first factor of dual-factor authentication to NetScaler Gateway (second factor is OTP). There are no special instructions for this LDAP Server.
  3. Create another LDAP Action.

    1. This one is used by the manageotp site to set the OTP authenticator in Active Directory, so name it accordingly.
    2. On the right, uncheck the box next to Authentication. If you don’t uncheck it, you will see an error message after configuring the OTP Secret.
    3. Make sure the Administrator Bind DN has permissions to modify the OTP Secret Active Directory attribute for all users.
    4. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new one won’t work. Then click Test LDAP Reachability.
    5. Configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
    6. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute where NetScaler will store the user’s OTP secret. You can use the userParameters attribute if that attribute isn’t being used for anything else.
    7. Thomas Rolfs in the comments advises not to enable Nested Group Extraction in this LDAP Action.
    8. Click Create when done.
  4. Create another LDAP Action.
    1. This one will verify the OTP code entered by the user, so name it accordingly. The only difference from the prior one is the addition of an LDAP Search Filter.
    2. On the right, uncheck the box next to Authentication. If you don’t uncheck it, you will see an error message after configuring the OTP Secret.
    3. Make sure the Administrator Bind DN has permissions to read the OTP Secret Active Directory attribute.
    4. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new one won’t work.
    5. In the Other Settings section, configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
    6. In the Search Filter field, enter the text userParameters>=#@. This syntax ensures that only users with enrolled authenticators can log in. See George Spiers’ NetScaler native OTP for more info.
    7. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute containing the user’s OTP secret.
    8. Click Create when done.
  5. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Policy.
  6. On the right, click Add.

    1. You probably don’t already have an Advanced Authentication Policy for your normal LDAP server.
    2. Change the Action Type to LDAP.
    3. Select your normal LDAP server, which is the one that has Authentication enabled.
    4. Enter true as the expression. This uses Default Syntax instead of Classic Syntax.
    5. Click Create.
  7. Create another Authentication Policy.

    1. This policy is for OTP management so name it accordingly.
    2. Change the Action Type to LDAP.
    3. Select the Set OTP LDAP Server that has Authentication disabled and OTP Secret configured. This LDAP Action should not have the Search Filter configured.
    4. Enter HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp") in the Expression box, and click Create.
  8. Create another Authentication Policy.

    1. This policy is for OTP verification so name it accordingly.
    2. Change the Action Type to LDAP.
    3. Select the OTP Verification LDAP Server that has Authentication disabled and OTP Secret configured. This LDAP Action should have the Search Filter configured to prevent unenrolled users from authenticating.
    4. Enter true in the Expression box, and click Create.

Login Schemas

  1. Go to Security > AAA – Application Traffic > Login Schema.
  2. On the right, switch to the Profiles tab, and click Add.

    1. This is the single factor Login Schema for manageotp so name the Schema accordingly.
    2. Click the Edit icon.
    3. On the left, click the LoginSchema folder to open it.
    4. Scroll down, and click SingleAuthManageOTP.xml to highlight it.
    5. On the top right, click Select.
    6. Click Create.
  3. Add another Login Schema profile.

    1. This Login Schema is for two-factor authentication to NetScaler Gateway so name it accordingly.
    2. Click the edit icon. Follow the same procedure as above, but this time select /LoginSchema/DualAuth.xml.
    3. Click More to reveal more options.
    4. Scroll down. In the Password Credential Index field, enter 1. This causes nFactor to save the user’s password into AAA Attribute #1, which we’ll use later in a Traffic Policy to Single Sign-on to StoreFront. If you don’t do this, then NetScaler Gateway will try to use the Passcode to authenticate to StoreFront, which obviously won’t work.
    5. Check the box next to Enable Single Sign On Credentials. Mark in the comments indicates that this checkbox is needed to Single Sign On to RDP Hosts.
    6. Click Create.
  4. On the right, switch to the Policies tab.
  5. Click Add to add a Login Schema policy.
    1. In the Profile field, select the Single Factor Manage OTP Login Schema Profile.
    2. Name the Login Schema Policy for OTP management.
    3. In the Rule field, enter the following. This ensures that this single factor Login Schema is only used if the user enters /manageotp, and if the user is on the internal network. You don’t want manageotp to be accessible externally, because it’s only protected by single factor authentication, and it’s too easy to add multiple devices.
      http.req.cookie.value("NSC_TASS").eq("manageotp") && client.IP.SRC.IN_SUBNET(10.2.0.0/16)
    4. Click Create.
  6. Create another Login Schema Policy.

    1. In the Profile field, select the dual factor Login Schema.
    2. Name the Login Schema to indicate dual factor authentication.
    3. In the Rule box, enter true.
    4. Click Create.

Authentication PolicyLabel

  1. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > PolicyLabel.
  2. On the right, click Add.
  3. This PolicyLabel is for OTP management, and OTP verification, so name it accordingly.
  4. In the Login Schema field, select LSCHEMA_INT, which means noschema.
  5. Click Continue.
  6. In the Policy Binding section, Click to select.
  7. Click the radio button next to the Manage OTP LDAP Policy that has authentication disabled, and OTP Secret configured. This one should have a policy expression that limits it to manageotp only. Click Select.
  8. Click Bind.
  9. Click Add Binding to add another one.
  10. Click to select.
  11. Click the radio button next to the LDAP Policy that verifies OTP. Click Select.
  12. Click Bind.
  13. Make sure the manageotp policy is higher in the list than the OTP Verification policy. To adjust priorities, right-click on the policies, and click Edit Binding. Click Done.

AAA vServer

  1. Go to Security > AAA – Application Traffic.
    1. If the AAA feature is not enabled, then right-click the AAA node, and click Enable Feature.
  2. Go to Security > AAA – Application Traffic > Virtual Servers.
  3. On the right, click Add.
  4. This AAA vServer is for OTP so name it accordingly.
  5. Change the IP Address Type to Non Addressable.
  6. Click OK.
  7. Click where it says No Server Certificate.

    1. In the Server Certificate Binding section, click Click to select.
    2. Click the radio button next to a certificate, and click Select. You can use the same certificate as NetScaler Gateway.
    3. Click Bind.
  8. Click Continue to close the Certificate section.
  9. In the Advanced Authentication Policies section, click where it says No Authentication Policy.

    1. Click where it says Click to select.
    2. Click the radio button next to the normal LDAP Policy that has authentication enabled. Then click the blue Select button.
    3. In the Select Next Factor field, click where it says Click to select.
    4. Click the radio button next to the OTP PolicyLabel, and click Select.
    5. Click Bind.
  10. In the Advanced Authentication Policies section, click Continue.
  11. On the right, in the Advanced Settings column, click Login Schemas.
  12. On the left, scroll down, and click where it says No Login Schema.

    1. Click where it says Click to select.
    2. Click the radio button next to the Manage OTP Login Schema, and click Select.
    3. Click Bind.
  13. Click where it says 1 Login Schema.

    1. Click Add Binding.
    2. Click where it says Click to select.
    3. Click the radio button next to the dual factor Login Schema, and click Select.
    4. Click Bind.
    5. Make sure the single factor Manage OTP Login Schema is higher in the list (lower priority number) than the dual factor Login Schema. Click Close.
  14. On the right, in the Advanced Settings column, click Portal Themes.
  15. On the left, scroll down, select RfWebUI as the Portal Theme, and click OK.
  16. Click Done.

Traffic Policy for Single Sign-on

  1. On the left, go to NetScaler Gateway > Policies > Traffic.
  2. On the right, switch to the Traffic Profiles tab, and click Add.
  3. This Traffic Profile is for OTP and/or nFactor. Name it accordingly.
  4. Scroll down.
  5. In the SSO Password Expression box, enter the following. This is where we use the Login Schema Password Attribute specified earlier.
    http.REQ.USER.ATTRIBUTE(1)
  6. Click Create.
  7. On the right, switch to the Traffic Policies tab, and click Add.
  8. In the Request Profile field, select the Traffic Profile you just created.
  9. Name the Traffic Policy.
  10. In the Expression box, enter true (Default Syntax).
    • If your NetScaler Gateway Virtual Server allows full VPN, change the expression to the following. Source = Julien Mooren at NetScaler – Native OTP is breaking SSL VPN.
      http.req.method.eq(post)||http.req.method.eq(get) && false
  11. Click Create.

NetScaler Gateway and Authentication Profile

  1. Go to NetScaler Gateway > Virtual Servers.
  2. Edit an existing Gateway vServer. If you don’t have one, see the other NetScaler Gateway topics on this site.
  3. Scroll down to the Policies section, and click the plus icon.
  4. Change the Choose Policy drop-down to Traffic, and click Continue.
  5. Click to select.
  6. Click the radio button next to the Traffic Policy you created earlier, and click Select.
  7. Click Bind.
  8. On the right, in the Advanced Settings column, click Authentication Profile.
  9. On the left, scroll down to the Authentication Profile section.
  10. Click Add to create one.
  11. Authentication Profile links the NetScaler Gateway vServer with the OTP AAA vServer, so name it accordingly.
  12. In the Authentication Virtual Server section, Click to select.
  13. Click the radio button next to the OTP AAA vServer, and click Select.
  14. Click Create.
  15. Scroll down again to the Authentication Profile section, and click OK.
  16. The Portal Theme bound to the Gateway vServer should be RfWebUI, or a derivative.
  17. Go to System > Profiles.
  18. On the right, switch to the SSL Profile tab.
  19. Edit the ns_default_ssl_profile_frontend profile.
  20. Make sure HSTS is not enabled in the profile; otherwise RfWebUI and manageotp won’t work correctly. This is probably a bug. Note: the Rewrite method of enabling HSTS should work.

Update Content Switching Expression for Unified Gateway

If your NetScaler Gateway Virtual Server is behind a Unified Gateway (Content Switching Virtual Server), then you must update the Content Switching Expression to include the manageotp paths.

  1. In the NetScaler GUI, navigate to Configuration > Traffic Management > Content Switching > Policies.
  2. On the right, select the Unified Gateway Content Switching Policy, and then click Edit.
  3. Append the following expression under the Expression area, and then click OK.
    || HTTP.REQ.URL.CONTAINS("/manageotp")

Manageotp

  1. Point your browser to https://mygateway.corp.com/manageotp or similar. Simply add /manageotp to the end of your Gateway URL.
  2. Notice it’s only single-factor authentication. Login using normal LDAP credentials.
  3. Click Add Device.
  4. Enter a device name, and click Go.
  5. Launch the Google Authenticator application on your phone. Click the plus icon in Google Authenticator, and scan the QRCode that is shown on the screen.
  6. Christian in the comments indicated that Microsoft Authenticator also works. Click on plus sign -> other (Google,…).
  7. Click Test.
  8. Enter the passcode shown in your Authenticator, and click Go.
  9. If you logoff of manageotp, and access your Gateway URL normally, you’ll be prompted for two-factor authentication. Use the passcodes shown in your Google Authenticator application.
  10. It should Single Sign-on into StoreFront.

CLI Commands

Here’s a complete CLI configuration.

add ssl certKey WildcardCorpCom -cert WildcardCorpCom.pfx -key WildcardCorpCom.pfx -inform PFX -passcrypt "abc"
add authentication ldapAction LDAP-Corp -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn ctxsvc@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -Attribute2 userParameters
add authentication ldapAction LDAP_OTP_set_no_auth -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn admin@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -OTPSecret UserParameters
add authentication ldapAction LDAP_OTP_verify_no_auth -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn admin@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "userParameters>=#@" -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -OTPSecret UserParameters
add authentication Policy Corp-Adv -rule true -action LDAP-Corp
add authentication Policy LDAP_Manage_OTP-pol -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action LDAP_OTP_set_no_auth
add authentication Policy LDAP_Confirm_OTP-pol -rule true -action LDAP_OTP_verify_no_auth

add authentication loginSchema Dual_OTP-lschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -passwordCredentialIndex 1
add authentication loginSchema Single_Manage_OTP-lschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"
add authentication loginSchemaPolicy Single_Manage_OTP-lschemapol -rule "http.req.cookie.value(\"NSC_TASS\").eq(\"manageotp\") && client.IP.SRC.IN_SUBNET(10.3.0.0/16)" -action Single_Manage_OTP-lschema
add authentication loginSchemaPolicy Dual_OTP-lschemapol -rule true -action Dual_OTP-lschema

add authentication policylabel OTP_pollabel -loginSchema LSCHEMA_INT
bind authentication policylabel OTP_pollabel -policyName LDAP_Manage_OTP-pol -priority 100 -gotoPriorityExpression NEXT
bind authentication policylabel OTP_pollabel -policyName LDAP_Confirm_OTP-pol -priority 110 -gotoPriorityExpression NEXT 

add authentication vserver OTP-AAA SSL 0.0.0.0
bind ssl vserver OTP-AAA -certkeyName WildcardCorpCom

bind authentication vserver OTP-AAA -portaltheme RfWebUI
bind authentication vserver OTP-AAA -policy Single_Manage_OTP-lschemapol -priority 100 -gotoPriorityExpression END
bind authentication vserver OTP-AAA -policy Dual_OTP-lschemapol -priority 110 -gotoPriorityExpression END
bind authentication vserver OTP-AAA -policy Corp-Adv -priority 100 -nextFactor OTP_pollabel -gotoPriorityExpression NEXT

add vpn trafficAction OTP-trafficprofile http -passwdExpression "http.REQ.USER.ATTRIBUTE(1)"
add vpn trafficPolicy OTP-trafficpol true OTP-trafficprofile

add authentication authnProfile OTP-authnprofile -authnVsName OTP-AAA

add vpn vserver Gateway.corp.com SSL 10.2.5.220 443 -downStateFlush DISABLED -Listenpolicy NONE -authnProfile OTP-authnprofile
set ssl vserver Gateway.corp.com -sslProfile ns_default_ssl_profile_frontend
add vpn sessionAction "Receiver For Web" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront2.corp.com/Citrix/StoreWeb" -ntDomain corp.local -clientlessVpnMode OFF -storefronturl "https://storefront2.corp.com"
add vpn sessionPolicy "Receiver For Web" "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" "Receiver For Web"
bind vpn vserver Gateway.corp.com -portaltheme RfWebUI
bind vpn vserver Gateway.corp.com -policy "Receiver For Web" -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver Gateway.corp.com -policy OTP-trafficpol -priority 100 -gotoPriorityExpression END -type REQUEST
bind ssl vserver Gateway.corp.com -certkeyName WildcardCorpCom

EUC Weekly Digest – July 22, 2017

Last Modified: Nov 7, 2020 @ 6:34 am

Here are some EUC items I found interesting last week. For more immediate updates, follow me at http://twitter.com/cstalhood.

For a list of updates at carlstalhood.com, see the Detailed Change Log.

EUC Weekly Digest – July 15, 2017

Last Modified: Nov 7, 2020 @ 6:34 am

Here are some EUC items I found interesting last week. For more immediate updates, follow me at http://twitter.com/cstalhood.

For a list of updates at carlstalhood.com, see the Detailed Change Log.

EUC Weekly Digest – July 8, 2017

Last Modified: Nov 7, 2020 @ 6:34 am

Here are some EUC items I found interesting last week. For more immediate updates, follow me at http://twitter.com/cstalhood.

For a list of updates at carlstalhood.com, see the Detailed Change Log.

NetScaler MAS

  • Installing NetScaler MA Service Agent on AWS and Azure – Citrix Docs

Citrix Virtual Apps and Desktops (CVAD) Upgrades

Last Modified: Jun 4, 2024 @ 3:44 pm

Citrix Virtual Apps and Desktops (CVAD) Versions

Version Numbering

Citrix Virtual Apps and Desktops (CVAD) is the new name for XenApp and XenDesktop.

The most recent version of Citrix Virtual Apps and Desktops (CVAD) 7 is 2402 LTSR. The version number is based on YYMM (Year Month) format. References to 7.x versions in this article include the YYMM versions.

XenApp and XenDesktop 7.x versions range from 7.0 through 7.18. 7.18 is the last version of XenApp and XenDesktop. Citrix Virtual Apps and Desktops (CVAD) 2402, 2203, and 1912 are newer than XenApp and XenDesktop 7.18.

Release Notifications

Follow my Twitter or EUC Weekly Digests for new release notifications.

Sometimes release notifications are posted to Citrix Blogs, but this is not comprehensive.

Watch Citrix Discussions and Citrix Support Knowledgebase to learn about known issues that are fixed in a later release.

Release Classifications – LTSR, CR

Image from Citrix Blog Post What’s New in XenApp, XenDesktop and XenServer November 2017.

There are three classifications for on-premises releases:

  • LTSR (Long Term Service Release) – these releases get 5 years of mainstream support from the release date, plus up to 5 more years of paid extended support
  • CR (Current Release) – 6 months of maintenance (code fixes) from the release date, and end-of-life 18 months after release. Updated quarterly.
  • LTSR Compatible Components – non-LTSR components running in a LTSR implementation. This classification provides exceptions to the requirement that all components must be LTSR versions.

Citrix Virtual Apps and Desktops (CVAD) is a bundle of components. Long Term Support requires the components to be specific versions. Any deviation from the required versions results in loss of Long Term Support, and instead is classified and supported as a Current Release. Use Citrix LTSR Assistant tool to confirm LTSR compliance.

LTSR Programs

There are three different LTSR programs:

LTSR Licensing requirement

LTSR requires you to be on Customer Success Services Select, formerly known as Software Maintenance.

LTSR vs CR

Support Duration

LTSR is supported for 5 years from the LTSR release date, plus 5 more years of optional, paid extended support.

  • LTSR Cumulative Updates (similar to service packs) are released periodically. Cumulative Updates for LTSR are installed exactly like upgrading to a newer Current Release, except you don’t get any new features.
    • Cumulative Updates are released only for LTSR versions. To patch a Current Release, upgrade to the newest Current Release.
  • Be prepared to install these LTSR Cumulative Updates every 6 months. Workspace app LTSR (or Receiver LTSR) too.

Current Releases are end-of-maintenance after 6 months, and end-of-life after 18 months.

  • Be prepared to upgrade to a newer Current Release every 6 months. Workspace app too.

See Lifecycle Milestones for Citrix Virtual Apps & Citrix Virtual Apps and Desktops for an explanation of support durations for each release classification.

In either case, you are expected to perform some sort of upgrade or update approximately twice per year.

Release Frequency

New LTSR versions of CVAD are released roughly every two years (1912, 2203, 2402).

There are three supported LTSR releases of Citrix Virtual Apps and Desktops: LTSR 2402, LTSR 2203, and LTSR 1912.

LTSR 7.15 is no longer supported by Citrix.

Cumulative Updates (CU) for LTSR are released every few months. Don’t forget to install these patches. I’ve seen CUs fix LTSR issues.

  • Cumulative Updates do not include new features.
  • Citrix has not yet released any Cumulative Updates for LTSR 2402.
  • Citrix has released five Cumulative Updates for LTSR 2203, bumping up the version to 2203.5000.
  • Citrix has released eight Cumulative Updates for LTSR 1912, bumping up the version to 1912.8000.
  • Citrix will continue to release Cumulative Updates for all currently supported LTSR versions.

You can upgrade directly to the latest Cumulative Update. It is not necessary to upgrade to the base version before upgrading to the latest Cumulative Update.

New Current Release versions are released every quarter. Sometimes longer for Workspace app.

Some Citrix Virtual Apps and Desktops (CVAD) components are released on a separate schedule from the main LTSR or Current Release releases:

  • App Layering
  • Workspace Environment Management

Citrix Provisioning version numbers don’t always line up with Citrix Virtual Apps and Desktops (CVAD) LTSR Cumulative Update version numbers:

  • Citrix Virtual Apps and Desktops (CVAD) 2402 LTSR comes with Citrix Provisioning 2402
  • Citrix Virtual Apps and Desktops (CVAD) 2203 LTSR CU5 comes with Citrix Provisioning 2203 CU4
  • Citrix Virtual Apps and Desktops (CVAD) 1912 LTSR CU8 comes with Provisioning Services 1912 CU7

Current Release cons

New Current Releases add new features, and new bugs.

No hotfixes will be released for Current Releases. To get hotfixes, upgrade to the newest Current Release.

LTSR cons

Features not in LTSR – Some features are not included in the LTSR program. In other words, these features don’t get 5 years of support, and might not even be included in the LTSR installer.

  • Personal vDisk and AppDisks – these are replaced by User Personalization Layers.
  • Framehawk

Features in Current Release but not LTSR:

  • Upcoming CVAD Current Release Version 2405 will have new features that are not in 2402 LTSR. Will you upgrade to CVAD 2405, which puts you on the Current Release upgrade train? Or will you wait until the next LTSR, probably released sometime in 2026?
    • Another option is to remain on 2402 LTSR (with latest cumulative update) until you see a Current Release with new features that are desirable enough to upgrade to. You can then upgrade directly from 2402 LTSR to the latest Current Release (e.g., 2502). There’s no need to upgrade to intermediary versions.

Don’t mix Current Release and LTSR components – As soon as you upgrade one LTSR component to Current Release, upgrade all other LTSR components to Current Release and keep them updated with new Current Releases every 6 months.

  • When the next LTSR is released, you can stop upgrading (except for Cumulative Updates).
  • Or deploy Current Release in a separate environment.
  • Use Citrix LTSR Assistant tool to confirm LTSR compliance.
  • Some app vendors require you to remain on LTSR.

LTSR “compatible” components require frequent upgrades – Some components, like App Layering, are LTSR “compatible”, meaning there’s no LTSR version, but it’s OK to use them in an LTSR environment. Since they’re Current Release and not LTSR, you’re expected to update the Current Release components to the latest release every 6 months.

  • There’s no LTSR version of Citrix Licensing. Instead, always upgrade Citrix Licensing to the latest Current Release version.
  • There’s no LTSR version of App Layering. Instead, always upgrade App Layering to the latest Current Release version.
  • There’s no LTSR version of Citrix Workspace Environment Management. Instead, always upgrade Citrix Workspace Environment Management (WEM) to the latest Current Release version.

Windows 11 is supported in CVAD 2109 and newer. Windows 11 is not supported in CVAD 1912 LTSR.

Windows 7 and Windows Server 2008 R2 support: 7.16 VDA and newer, including 1912 LTSR VDA, are not supported on Windows 7 or Windows Server 2008 R2. For these operating system versions, install 7.15 LTSR VDA. The 7.15 LTSR VDA can register with newer Delivery Controllers. However, the 7.15 LTSR VDAs cannot take advantage of the newer features in the newer releases.

Citrix Virtual Apps and Desktops (CVAD) Supported versions

The most recent release of Citrix Virtual Apps and Desktops (CVAD) is version 2402.

There are three supported LTSR versions of Citrix Virtual Apps and Desktops (CVAD): LTSR 2402, LTSR 2203, and LTSR 1912.

  • No Cumulative Updates have yet been released for LTSR 2402.
  • Cumulative Update 5 has been released for LTSR 2203, resulting in version number 2203.5000.
  • Cumulative Update 8 has been released for LTSR 1912, resulting in version number 1912.8000.

You can directly install the latest Cumulative Update of any LTSR version. It is not necessary to install the base version of the LTSR version before you upgrade to the latest Cumulative Update.

Examples of non-supported versions:

  • Citrix Virtual Apps and Desktops (CVAD) 1909 is not LTSR. Six months after its release date Citrix stopped providing code fixes for it, and 18 months after release it went end-of-life, so Citrix no longer supports it at all.

Workspace app Supported Versions

Starting in August 2018, Receiver has been renamed to Workspace app. Versioning also changed from 4.x to a YYMM (year month) format.

The most recent Current Release of Workspace app is Workspace app 2403.

The latest LTSR version of Workspace app is version 2402 LTSR.

  • Browser Content Redirection does not work in LTSR Workspace app because the embedded browser it relies on is removed from LTSR builds: the embedded browser needs frequent updates, which an infrequently updated LTSR cannot deliver.

Citrix Virtual Apps and Desktops (CVAD) Component Version Dependencies

Citrix Virtual Apps and Desktops (CVAD) is a collection of installable components:

  • Citrix Licensing Server
  • Delivery Controller
  • Citrix Studio
  • Virtual Delivery Agent
  • Director
  • StoreFront
  • Federated Authentication Service
  • App Layering
  • Citrix Provisioning
  • Citrix Group Policy Management Plug-in
  • Profile Management
  • Workspace Environment Management
  • Session Recording
  • Workspace app for Windows, Linux, Mac, iOS, and Android
  • Workspace app for HTML5
  • Skype for Business HDX RealTime Optimization Pack
  • Citrix ADC (aka NetScaler) Load Balancing
  • Citrix Gateway

Component behaviors:

  • Each component can be installed separately.
  • Some components can be combined onto the same machine.
  • Some components are completely standalone with no dependency on other components.
  • Some components communicate with other components, and thus are dependent on those other components.

The fewest components that make up a Citrix Virtual Apps and Desktops (CVAD) site/farm are License Server + Delivery Controller + Studio + VDA + SQL Databases.

  • A farm/site is a collection of Delivery Controllers that share the same SQL databases.
  • The official term is Citrix Virtual Apps and Desktops (CVAD) Site. However, since the word “site” has multiple meanings, this article instead refers to a Citrix Virtual Apps and Desktops (CVAD) Site as a Farm, which is the same terminology used in XenApp 6.5 and older.

Some of the components can be used with multiple sites/farms.

  • Citrix Licensing Server can be used by multiple sites/farms.
  • StoreFront can pull icons from multiple sites/farms, including XenApp 6.5. This enables multi-farm capabilities for the following components that are dependent on StoreFront:
    • Federated Authentication Service can be used by multiple StoreFront servers.
    • Workspace app for Windows, Linux, Mac, iOS, and Android can connect to multiple StoreFront stores, which can be on different StoreFront servers.
    • Each StoreFront server has its own Workspace app for HTML5
    • Citrix Gateway connects to one StoreFront server
  • Citrix Studio can connect to multiple sites/farms.
  • Virtual Delivery Agent can register with only one site/farm at a time, but the farm registration can be easily changed by modifying the ListOfDDCs registry key.
  • Director can display monitoring data from multiple sites/farms.
  • App Layering has no relationship to Citrix Virtual Apps and Desktops (CVAD) sites/farms, and thus can be used with any number of them.
  • Citrix Provisioning has no relationship to Citrix Virtual Apps and Desktops (CVAD) sites/farms, and thus can be used with any number of them.
  • Citrix Group Policy Management Plug-in can be used to create Citrix Policies that can apply to multiple sites/farms.
  • Profile Management has no relationship to Citrix Virtual Apps and Desktops (CVAD) sites/farms, and thus can be used with any number of them. The profiles are usually tied to a VDA operating system version.
  • Workspace Environment Management has no relationship to Citrix Virtual Apps and Desktops (CVAD) sites/farms, and thus can be used with any number of them.
  • Session Recording has no relationship to Citrix Virtual Apps and Desktops (CVAD) sites/farms, and thus can be used with any number of them.
  • Skype for Business HDX RealTime Optimization Pack has no relationship to Citrix Virtual Apps and Desktops (CVAD) sites/farms, and thus can be used with any number of them. This component only cares about the RealTime Connector that is installed on the VDA.

The Citrix components that don’t have any relationship to Citrix Virtual Apps and Desktops (CVAD) sites/farms can be used with XenApp 6.5 too.

Some components communicate with other components, and thus are dependent on the versions of those other components.

  • Citrix Licensing Server should always be the newest version. Citrix Virtual Apps and Desktops (CVAD) Components will verify the Licensing Server version.
  • StoreFront can usually work with any Delivery Controller version, including XenApp 6.5.
  • Citrix Studio should be the same version as the Delivery Controllers it is managing.
  • Virtual Delivery Agents can be any version, including older or newer than the Delivery Controllers.
  • Director uses the Citrix Monitoring Service that is installed on the Delivery Controllers.
  • Workspace Environment Management (WEM) – newer WEM can configure newer Profile Management features. Otherwise, WEM is independent from Citrix Virtual Apps and Desktops (CVAD).
  • Workspace app – Many newer Citrix Virtual Apps and Desktops (CVAD) features require a specific version of Workspace app.
    • The newest Workspace app along with the newest VDA supports the latest Teams optimization (offload) features. LTSR versions of these components might not support the latest Teams optimization features.
    • If you are deploying Current Releases, then deploy the newest Current Release Workspace app.
    • If you are deploying LTSR, then deploy the latest LTSR Workspace app or LTSR Receiver.
      • If you need Browser Content Redirection, then deploy the latest Current Release Workspace app since LTSR Workspace app does not support Browser Content Redirection.
  • Citrix Gateway – Some Newer Citrix features require newer Citrix ADC firmware. For example:
    • EDT (Enlightened Data Transport) / Adaptive Transport
    • Gateway Configuration export/import with StoreFront
  • Citrix ADC builds have bug fixes that affect the Citrix Virtual Apps and Desktops (CVAD) experience.

Upgrade Overview

Components

Citrix Virtual Apps and Desktops (CVAD) is composed of multiple Components, each of which is upgraded separately.

Newer versions of Citrix components enable Customer Experience Improvement Program (CEIP) automatically. If you wish to disable CEIP, see https://www.carlstalhood.com/delivery-controller-cr-and-licensing/#ceip.

Component Upgrade Process

In-place upgrades – CVAD components can be upgraded in-place. No need to rebuild like you did in XenApp 6.5 and older.

  • For LTSR releases, you can upgrade directly to the latest Cumulative Update. It is not necessary to install the base LTSR version first.
  • For Current Releases, you can upgrade directly to the latest Current Release.

Here’s the general, in-place upgrade process for each component. Detailed instructions for each component are given later.

  1. In-place upgrade one (or half) of the component’s servers.
  2. Upgrade the component’s database. Requires temporary sysadmin permission on SQL Server. Not all components have databases.
  3. In-place upgrade the remaining component’s servers.
  4. In-place upgrade the agents.
    1. Rebuilding of master images might be preferred, assuming you have time to automate it.

Mix and match VDA/Controller versions – You can upgrade VDAs without upgrading Delivery Controllers. Or vice versa.

  • Newer VDA features sometimes require Citrix Policy to enable or configure. The newest Citrix Policy settings are included in Delivery Controller / Citrix Studio upgrades. Or, if you haven’t upgraded your Delivery Controllers yet, you can simply upgrade the Citrix Group Policy Management component.

VDA Operating System version Upgrade – Considerations when upgrading the VDA operating system version:

  • Operating System Version – VDA 7.16 and newer no longer support Windows Server 2008 R2, Windows 7, or Windows 8/8.1. If you need these older operating system versions, then install VDA 7.15 instead. VDA 7.15 can register with 1912 Delivery Controllers.
    • Windows 11 – VDA 1912 LTSR does not support Windows 11, but CVAD 2109 and newer do support Windows 11
  • App compatibility – Verify app compatibility with the new OS version. For compatibility with a Server OS version, check compatibility with the equivalent Desktop OS version.
    • Windows Server 2012 R2 = 64-bit Windows 8.1
    • Windows Server 2016 = 64-bit Windows 10 1607
    • Windows Server 2019 = 64-bit Windows 10 1809
    • Windows Server 2022 = 64-bit Windows 10 21H2
  • Start Menu in published desktop – If you publish desktops, is the Windows 2012 R2 Start Menu acceptable to the users? Windows 2012 R2 Start Menu is the same as Windows 8.1 Start Menu.
    • Windows Server 2016 Start Menu is the same as Windows 10 1607 Start Menu.
    • Windows Server 2019 Start Menu is the same as Windows 10 1809 Start Menu.
    • Windows Server 2022 Start Menu is the same as Windows 10 21H2 Start Menu.
  • GPO settings– Newer OSs have newer Microsoft GPO settings.
  • Profile version – Newer OS means newer profile version. Older profile versions do not work on newer operating system versions. For example, you can’t use Windows 7 profiles on Windows 10. This means that an OS upgrade results in new profiles for every user.
    • Write a script to copy profile settings from the old profiles to the new profiles.
  • Remote Desktop Services (RDS) Licensing – if you are building RDSH (Server OS) VDAs, then every user that connects must have an RDS License for the RDSH operating system version. If RDSH is Windows 2016, then every user needs a Windows 2016 RDS License. Windows 2008 R2 RDS Licenses won’t work.
    • RDS Licensing Server – RDS Licensing Server is a built-in Windows Server Role. It must be installed on servers with the same or newer operating system version than the RDSH VDAs.
  • Windows 10 versions and Windows 11 versions – See CTX224843 Windows 10 & 11 Compatibility with Citrix Virtual Desktops.
  • Upgrade Windows 10 or Windows 11 version – If you in-place upgrade Windows 10 or Windows 11, first remove the VDA software, upgrade Windows, and then reinstall VDA.
    • App Layering – Due to dependencies between App Layers and OS Layer, you might have to in-place upgrade your OS Layer.
  • Citrix Virtual Apps and Desktops (CVAD) Component Agents – ensure the Citrix component agents (WEM Agent, Profile Management, Session Recording Agent, App Layering Tools, etc.) are supported on the new OS version.

Considerations for upgrading the operating system version on component servers:

  • Do not in-place upgrade the operating system version. Instead, build new VMs, and join them to the existing infrastructure.
  • New OS version requires newer component versions. The required component version might be newer than what you’re currently running.
  • When adding a server to the existing component farm/site, the new server must be running the same component version as the existing servers. That means you might have to in-place upgrade your existing component servers before you can add new component servers running a newer operating system version.
  • For example:
    • Existing Delivery Controllers are version 1912 on Windows Server 2019.
    • You desire to migrate to new Windows Server 2022 Delivery Controllers.
    • Only Delivery Controller 2203 and newer can be installed on Windows 2022. But you can’t add Delivery Controller 2203 to a Delivery Controller 1912 farm/site.
    • Upgrade the existing Delivery Controllers to 2203 or newer first.
    • Then you can add the new Windows Server 2022 Delivery Controllers VMs to the existing farm/site.

Here are general instructions to upgrade component server OS version. Detailed instructions for each component are given later.

  1. In-place upgrade the existing component servers to a version that supports the new OS. Check the System Requirements documentation for each component to verify OS version compatibility.
  2. Build new machine(s) with desired OS version.
  3. On the new machines, install the same component version as the existing component servers.
    • The new machines must be the same component version as the existing machines. You can’t add machines with newer component versions.
  4. Add the new component servers to the existing farm/site/server group.
  5. Migrate load balancer, VDAs, Targets, etc. from old to new. See below for detailed instructions for each component.
  6. Decommission old servers.

Upgrade Guidelines

Test farms – Test Citrix infrastructure upgrades in separate test environments (separate test farms):

  • Due to forwards and backwards compatibility, VDA upgrades can usually be tested in production.
  • Everything else requires global server-side upgrades first, so you can’t test them in production.
  • Upgrade procedures for High Availability components (e.g., multiple Delivery Controllers) are different than upgrade procedures for single, standalone components. The Test environment should look like production, which means HA too.
  • The separate Test environments should include multi-datacenter capabilities (StoreFront icon aggregation, GSLB, etc.) so those multi-datacenter features can be tested.

Known upgrade issues – Read Citrix Discussions, or ask your Citrix Support TRM, for known upgrade issues. Don’t upgrade production immediately after a new version is released.

  • Read the release notes, especially the known issues.

Smart Check the environment before upgrading. It’s free. Access it at https://smart.cloud.com.

Backup/snapshot – Backup databases, snapshot machines, etc. before starting the in-place upgrade.

  • Have a rollback plan, including the databases.

Citrix Licensing Server – Always upgrade the Citrix Licensing Server before upgrading anything else.

  • Check Subscription Advantage (SA) date on the installed licenses. Some components require SA expiration date to be later than the component’s release date.

In-place upgrade preparation:

  1. Make sure other admins are logged off before starting the upgrades.
  2. Close all consoles and PowerShell.
  3. Snapshot the machines.

Upgrade Citrix Virtual Apps and Desktops (CVAD)

All CVAD components can be upgraded in-place.

  • For the list of versions that you can upgrade directly from, see Citrix Docs. Also see the Citrix Upgrade Guide.
  • Current Release upgrades are cumulative. You can skip intermediary versions.
  • LTSR Cumulative Updates are also cumulative, hence the name.
  • LTSR Cumulative Updates are installed using the same process as Current Release upgrades. The only difference is that you don’t get new features with LTSR updates.

Some components (Delivery Controllers, Citrix Provisioning, Session Recording, WEM, etc.) require the person doing the upgrade to have temporary sysadmin permissions on the SQL server so the database can be upgraded. Grant it for the duration of the upgrade only and have it removed afterwards. For Delivery Controllers, Studio can instead generate the database upgrade scripts for a DBA to run, which avoids granting sysadmin to the Citrix admin at all.

Upgrade order – For the most part, upgrade order doesn’t matter. That’s because there are few dependencies between each component, as detailed earlier.

  • Before upgrading anything else, upgrade the Citrix Licensing Server.
    • Install updated license files with non-expired Subscription Advantage dates.
  • VDAs and Delivery Controllers can be different versions.
    • VDAs can be upgraded before Controllers, or vice/versa.
  • If Zones, upgrade all Delivery Controllers in all zones at the same time.
  • For Director, upgrading Director won’t do you much good if the Controllers aren’t upgraded, since Director uses the Monitoring service that’s installed on the Controllers.
  • For Citrix Provisioning, the Citrix Provisioning servers must be upgraded before you upgrade the Target Device Software.
  • For Session Recording, the Session Recording server(s) must be upgraded before you upgrade the Session Recording agent.
  • For WEM, the WEM server(s) must be upgraded before you upgrade the WEM agent.

If you upgrade to a version that has CEIP functionality, decide if you want to disable CEIP, or leave it enabled.

After upgrading, configure new functionality.

Additional general upgrade guidance can be found at Upgrade a deployment at Citrix Docs.

Citrix Licensing Server

It’s a simple in-place upgrade.

  • After upgrading, download the latest license files from http://mycitrix.com, and install the license files on the license server. Make sure the Subscription Advantage date hasn’t expired.

To upgrade the Licensing Server Operating System version:

  1. Build a new VM with desired OS version.
  2. Install the latest Current Release License Server.
  3. At http://mycitrix.com, reallocate licenses to the new case-sensitive hostname, and install the license file on the new Licensing Server.
  4. In Citrix Studio, go to Configuration > Licensing, and change the License Server to the new Licensing Server.
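
Step 4 can also be done from PowerShell on a Delivery Controller, which lets you check the new License Server before the site is pointed at it. The script below is an added example, not part of the original article or Citrix’s own tooling; the hostname lic02.corp.com and the function name are made up for illustration.

```powershell
# Added example (not from the original article): cut a CVAD site over to a
# rebuilt License Server from a Delivery Controller, checking the new server
# first. 'lic02.corp.com' and Set-CvadLicenseServer are assumed names.

function Set-CvadLicenseServer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $LicenseServer,
        [int] $Port = 27000
    )
    Add-PSSnapin Citrix.Configuration.Admin.V2 -ErrorAction SilentlyContinue

    # The Controller talks to lmadmin on 27000 and to the CITRIX vendor daemon
    # on 7279; Studio uses the Licensing web service on 8083. A server that is
    # up but firewalled on any of these answers a ping and still fails.
    foreach ($p in $Port, 7279, 8083) {
        if (-not (Test-NetConnection -ComputerName $LicenseServer -Port $p -InformationLevel Quiet)) {
            throw "$LicenseServer is not reachable on TCP $p"
        }
    }

    $before = Get-ConfigSite
    Write-Verbose ("Current license server: {0}:{1} ({2}, {3})" -f `
        $before.LicenseServerName, $before.LicenseServerPort, $before.ProductEdition, $before.LicensingModel)

    if ($PSCmdlet.ShouldProcess('site', "point licensing at ${LicenseServer}:$Port")) {
        Set-ConfigSite -LicenseServerName $LicenseServer -LicenseServerPort $Port
    }

    # Read the site back rather than trusting the Set call succeeded silently.
    $after = Get-ConfigSite
    if ($after.LicenseServerName -ne $LicenseServer) {
        throw "Site still reports license server $($after.LicenseServerName)"
    }
    return $after | Select-Object LicenseServerName, LicenseServerPort, ProductEdition, LicensingModel
}

# Usage:
# Set-CvadLicenseServer -LicenseServer 'lic02.corp.com' -Verbose
```

Studio still asks you to trust the new License Server’s certificate the first time it contacts it, so open Configuration > Licensing once after running this and accept the certificate.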

Delivery Controllers

Both of the following types of upgrades/updates use the same upgrade process:

  • Install latest LTSR Cumulative Update
  • Upgrade to latest Current Release

To in-place upgrade Delivery Controller version:

  1. Upgrade the Citrix Licensing Server if you haven’t already. Install current licenses if you haven’t already. Make sure CSS date is not expired.
  2. Ask a DBA for temporary sysadmin permission to the SQL server.
  3. Prepare: logoff other admins, close consoles.
  4. If upgrading from 7.15 to 2203 or newer, then 7.15 must be Cumulative Update 5 or newer.
  5. In-place upgrade one (or half) of the Delivery Controllers. Upgrade to one of the following:
    1. Delivery Controller LTSR 2402
    2. Delivery Controller LTSR 2203 CU5
    3. Delivery Controller LTSR 1912 CU8
  6. Launch Citrix Studio or Site Manager. Upgrade the database when prompted.
  7. In-place upgrade the remaining Delivery Controllers.
  8. Temporary SQL sysadmin permissions can now be removed.
  9. For Citrix Studio that’s installed on administrator machines other than Delivery Controllers, in-place upgrade Citrix Studio by running AutoSelect.exe from the Current Release or LTSR CVAD ISO.

To upgrade the operating system version of the Delivery Controllers:

  1. In-place upgrade the existing Delivery Controllers to a version that supports the new operating system version.
    1. For Windows Server 2016, upgrade Delivery Controller to version 7.15 or newer.
    2. For Windows Server 2019, upgrade Delivery Controller to version 1912 or newer
    3. For Windows Server 2022, upgrade Delivery Controller to version 2203 or newer.
      • CVAD 1912 does not support Windows Server 2022.
      • CVAD 2203 does not support Windows Server 2012 R2. If upgrading from Windows 2012 R2 to Windows 2022, then upgrade to CVAD 1912 first, replace the OS to Windows 2019, upgrade to CVAD 2203, and then replace the OS to Windows 2022.
  2. Build one or more new virtual machines with the new operating system version.
  3. Install Delivery Controller software with the same version as the other Delivery Controllers.
  4. If vSphere, import the vCenter cert into Trusted Root or Trusted People.
  5. Run Citrix Studio and join the new machines to the existing farm/site.
  6. Reconfigure VDAs to point to the new Delivery Controllers. Edit the ListOfDDCs registry key.
  7. Reconfigure Director server > IIS Admin > Default Web Site > Director > Application Settings > Service.AutoDiscoveryAddresses to point to the new Delivery Controllers.
  8. Reconfigure StoreFront console > MyStore > Manage Delivery Controllers to point to the new Delivery Controllers.
  9. Secure Ticket Authorities:
    1. Add the new Delivery Controllers to firewall rules between Citrix ADC SNIP and STAs.
    2. In Citrix Gateway > Edit Virtual Server > scroll down to the Published Applications section > click the line to edit the Secure Ticket Authorities. Add the new Delivery Controllers as Secure Ticket Authorities. Don’t remove the old ones yet.
    3. In StoreFront Console, go to Manage Citrix Gateways > edit each Gateway > on the Secure Ticket Authority page, add the new Delivery Controllers as Secure Ticket Authorities, and remove the old ones.
    4. In Citrix Gateway > Edit Virtual Server > scroll down to the Published Applications section > click the line to edit the Secure Ticket Authorities. Remove the older Controllers as Secure Ticket Authorities.
  10. In Citrix Studio, at Configuration > Controllers, remove the old Delivery Controllers.
    • Note: if this doesn’t work, then you might have to manually evict the old Delivery Controllers from the SQL database.
  11. Decommission the old Delivery Controllers.
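
Step 6 (editing ListOfDDCs) is usually scripted rather than done by hand on each VDA. The PowerShell below is an added example, not from the original article or from Citrix; it assumes controller names ddc01.corp.com and ddc02.corp.com and runs elevated on the VDA (or is pushed with Invoke-Command). It refuses to write a controller that does not resolve or does not answer on the registration port, because a VDA pointed at a dead name simply stays unregistered, and it stops if ListOfDDCs is set by Citrix Policy, since the policy value overrides the VDA key.

```powershell
# Added example (not from the original article): rewrite ListOfDDCs on a VDA
# and re-register it. Run elevated on the VDA. Controller names are assumed.

function Set-VdaListOfDDCs {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $NewControllers,
        [int] $RegistrationPort = 80          # default VDA-to-Controller registration port
    )

    $keyPath    = 'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent'
    $policyPath = 'HKLM:\SOFTWARE\Policies\Citrix\VirtualDesktopAgent'

    # If ListOfDDCs comes from Citrix Policy (HKLM\SOFTWARE\Policies), that value
    # wins and editing the VDA key silently does nothing. Stop rather than mislead.
    $policyValue = (Get-ItemProperty -Path $policyPath -Name ListOfDDCs -ErrorAction SilentlyContinue).ListOfDDCs
    if ($policyValue) {
        throw "ListOfDDCs is managed by Citrix Policy ($policyValue). Change it in the policy, not here."
    }

    # Validate every new controller before touching the registry.
    foreach ($fqdn in $NewControllers) {
        if (-not (Resolve-DnsName -Name $fqdn -ErrorAction SilentlyContinue)) {
            throw "DNS lookup failed for $fqdn"
        }
        if (-not (Test-NetConnection -ComputerName $fqdn -Port $RegistrationPort -InformationLevel Quiet)) {
            throw "$fqdn does not answer on TCP $RegistrationPort"
        }
    }

    $old = (Get-ItemProperty -Path $keyPath -Name ListOfDDCs -ErrorAction SilentlyContinue).ListOfDDCs
    $new = ($NewControllers | Sort-Object -Unique) -join ' '   # REG_SZ, space separated
    Write-Verbose "Old ListOfDDCs: $old"
    Write-Verbose "New ListOfDDCs: $new"

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set ListOfDDCs to '$new'")) {
        Set-ItemProperty -Path $keyPath -Name ListOfDDCs -Value $new -Type String
        # The Citrix Desktop Service (BrokerAgent) reads the key at start-up.
        Restart-Service -Name BrokerAgent -Force
    }
    return $new
}

# Usage on the VDA (assumed controller names):
# Set-VdaListOfDDCs -NewControllers 'ddc01.corp.com','ddc02.corp.com' -Verbose
#
# Then, on a Delivery Controller, confirm the VDA registered with a new controller:
# Get-BrokerMachine -DNSName 'vda01.corp.com' |
#     Select-Object DNSName, RegistrationState, ControllerDNSName
```

Only remove the old Delivery Controllers (step 10) once Get-BrokerMachine shows every VDA registered against one of the new names; a VDA still listing only old controllers will drop to Unregistered when those machines are shut down.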

An alternate method of upgrading the operating system on the Delivery Controllers while preserving the machine’s identity:

  1. The new server will have the same Citrix version as already installed. You might have to in-place upgrade Citrix to get to a version that supports the new operating system version. CVAD 1912 can run on Windows Server 2019, but it cannot run on Windows Server 2022. CVAD 2203 supports Windows Server 2022, but it does not support Windows Server 2012 R2. If upgrading from Windows 2012 R2 to Windows 2022, then upgrade to CVAD 1912 first, replace the OS to Windows 2019, upgrade to CVAD 2203, and then replace the OS to Windows 2022.
  2. Export any certificates that you want to keep and put them on a different machine.
  3. Record the IP Address and hostname of the machine you want to replace.
  4. Record the database connection strings. PowerShell Get-BrokerDBConnection shows the main database connection. Get the Logging and Monitoring database names from Citrix Studio > Configuration.
  5. Shut down a Delivery Controller and never power it on again. Don’t remove this machine from the domain to avoid accidentally deleting the Active Directory computer object.
  6. Build a new machine with an operating system version supported by the Citrix version running on the other Delivery Controllers. Give it the same name and IP address. Join it to the domain using the existing Active Directory computer object.
  7. Install the same version of Delivery Controller as was running previously. Don’t run Citrix Studio.
  8. If vSphere, import the vCenter cert into Trusted Root or Trusted People.
  9. Use the PowerShell commands at https://www.carlstalhood.com/delivery-controller-cr-and-licensing/#changedbstrings to connect the new machine to the SQL database.
  10. Run Citrix Studio. It might ask you to upgrade the database but it’s merely finishing the database connection and not actually upgrading anything.
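
Step 4 of this method (recording the connection strings) is easy to get partially wrong by hand, because each Controller service has its own connection string and the Logging and Monitoring databases are separate again. The PowerShell below is an added example, not the original article’s own; it assumes the Citrix SDK snap-ins are present on the Controller being retired, the output path is made up, and the list of service names is the set found on a 2203/2402 Controller (any cmdlet missing on your version is skipped).

```powershell
# Added example (not from the original article): dump every CVAD service's
# database connection string from a Delivery Controller before replacing it,
# so the rebuilt Controller can be pointed at the same databases.
# Run in an elevated PowerShell on the Controller being retired.

function Export-CvadDbConnections {
    param(
        # Assumed output path; ProgramData is chosen so the ACL below applies cleanly.
        [string] $OutFile = "$env:ProgramData\CvadDbConnections-$env:COMPUTERNAME.txt"
    )
    # Older SDKs are snap-ins; releases that ship modules autoload on first use.
    Add-PSSnapin Citrix.* -ErrorAction SilentlyContinue

    # One Get-<Service>DBConnection per Controller service.
    $services = 'Acct','Admin','Analytics','AppLib','Broker','Config','EnvTest',
                'Hyp','Log','Monitor','Orch','Prov','Sf','Trust'
    $result = foreach ($svc in $services) {
        $cmd = Get-Command -Name "Get-${svc}DBConnection" -ErrorAction SilentlyContinue
        if ($cmd) {
            [pscustomobject]@{ Service = $svc; ConnectionString = (& $cmd) }
        }
    }

    # Logging and Monitoring keep their data in separate databases; those come
    # from the data store cmdlets, not from the service connection above.
    $dataStores = @(Get-LogDataStore) + @(Get-MonitorDataStore)

    # Sanity checks: every service must report a connection string, and all of
    # them should point at the same SQL instance. A mixed set means someone has
    # already half-migrated this site, and you want to know that before rebuilding.
    $missing = $result | Where-Object { -not $_.ConnectionString }
    if ($missing) { throw "No connection string for: $($missing.Service -join ', ')" }
    $instances = $result.ConnectionString |
        ForEach-Object { ($_ -split ';' | Where-Object { $_ -match '^(Server|Data Source)=' }) -replace '^[^=]+=','' } |
        Sort-Object -Unique
    if ($instances.Count -ne 1) {
        Write-Warning "Services use more than one SQL instance: $($instances -join ' | ')"
    }

    # Connection strings are site configuration even with Integrated Security;
    # write them where only Administrators and SYSTEM can read them.
    $result | Format-Table -AutoSize | Out-String -Width 4096 | Set-Content -Path $OutFile
    $dataStores | Format-List | Out-String | Add-Content -Path $OutFile
    $acl = Get-Acl -Path $OutFile
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
    }
    Set-Acl -Path $OutFile -AclObject $acl
    return $result
}

# Usage:
# Export-CvadDbConnections | Format-Table -AutoSize
```

Keep the file off the Controller you are about to shut down; it is the input for the Set-*DBConnection commands linked in step 9, and the rebuilt machine will not have it.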

App Layering

To in-place upgrade Citrix App Layering:

  • In-place upgrade the ELM appliance.
    • On 4.2 and newer, the ELM downloads newer versions automatically. Just click the link to start the upgrade.
    • From 4.1 and older, download the upgrade package and upload it to the ELM.
  • Upgrade the App Layering Citrix Provisioning Agent by uninstalling the Citrix Provisioning Agent and re-installing it.
  • Create a new OS Layer version and install the latest OS Machine Tools.
  • When the images are published, the drivers will be updated automatically by the ELM.

Workspace Environment Management (WEM)

There is no LTSR version of Citrix Workspace Environment Management (WEM) so you should always deploy the latest version of WEM.

To in-place upgrade Citrix Workspace Environment Management (WEM):

  1. In-place upgrade the Citrix Licensing Server if you haven’t already.
    1. Ensure the installed licenses have a non-expired Subscription Advantage date.
  2. Ask a DBA for temporary sysadmin permission to the SQL server.
  3. In-place upgrade the first WEM Server. Consider removing it from load balancing before performing the upgrade.
  4. Use the Database Maintenance tool to upgrade the WEM database.
  5. Run the WEM Broker Configuration Tool on the upgraded Broker to point to the upgraded database.
  6. In-place upgrade the remaining WEM Servers. Consider removing them from load balancing before performing the upgrade.
  7. Temporary sysadmin permissions can now be removed.
  8. In-place upgrade the WEM Console on all non-server machines where it is installed.
  9. In-place upgrade the WEM Agents.
  10. If you are upgrading from WEM 4.2 and older, in the WEM Console, add the WEM Agents (computer accounts) to Configuration Sets instead of the old WEM Sites.

To upgrade the operating system version of the Workspace Environment Management servers, it’s easier if you have a custom DNS name, or load balanced DNS name for WEM, instead of using a server name:

  1. In-place upgrade the existing WEM servers to a version that supports the OS you intend for the new WEM servers.
  2. Build new WEM servers with the same WEM version as the existing WEM servers.
  3. Configure the new WEM servers to point to the same database as the old WEM servers.
  4. Cutover options:
    1. If you have a load balanced DNS name for WEM, reconfigure the load balancer to point to the new WEM servers.
    2. If you have a custom DNS name for WEM, change it to resolve to the new WEM server’s IP address.
    3. If you were previously using the actual server name, then you can either change the WEM Agent group policy to point to the new WEM server name, or delete the old WEM server and rename the new WEM server, or delete the old WEM server and reconfigure the old DNS name as a custom DNS name for the new WEM server.
  5. Decommission the old WEM servers.

Session Recording

To in-place upgrade Session Recording:

  1. In-place upgrade the Citrix Licensing Server if you haven’t already.
    • Ensure the installed licenses have a non-expired Subscription Advantage/CSS date.
  2. Ask a DBA for temporary sysadmin permission to the SQL server.
  3. In-place upgrade the first Session Recording server to one of the following.
    1. Session Recording is on the main Citrix Virtual Apps and Desktops (CVAD) ISO.
    2. Session Recording LTSR 2402
    3. Session Recording LTSR 2203 CU5
    4. Session Recording LTSR 1912 CU8
  4. The upgrade of the first Session Recording server should automatically upgrade the database.
  5. In-place upgrade the remaining Session Recording Servers. Consider removing them from load balancing before performing the upgrade.
  6. Temporary sysadmin permissions can now be removed.
  7. In-place upgrade the Session Recording Agents.
  8. In-place upgrade the Session Recording Player on all machines where it is installed.

To upgrade the operating system version of the Session Recording servers, it’s easier if you have a custom DNS name or load balanced DNS name for Session Recording, instead of using a server name:

  1. In-place upgrade the existing Session Recording servers to a version that supports the OS you intend for the new Session Recording servers.
  2. Build new Session Recording servers with the same Session Recording version as the existing Session Recording servers.
  3. Configure the new Session Recording servers to point to the same database as the old Session Recording servers.
  4. Configure the new Session Recording servers to store recordings on the same UNC path as the old Session Recording servers.
  5. The certificate on the Session Recording servers or load balancer must match the DNS name used by the Session Recording Agents and Player.
  6. Cutover:
    1. If you have a load balanced DNS name for Session Recording, reconfigure the load balancer to point to the new Session Recording servers.
    2. If you have a custom DNS name for Session Recording, change it to resolve to the new Session Recording server’s IP address.
    3. If you were previously using the actual server name, then you can either: change the Session Recording Agents and Players to point to the new Session Recording server name, or delete the old Session Recording server and rename the new Session Recording server, or delete the old Session Recording server and reconfigure the old DNS name as a custom DNS name for the new Session Recording server.
    4. If the Session Recording DNS name changed, reconfigure Director to point to the new Session Recording DNS name.
  7. Decommission the old Session Recording servers.

Citrix Provisioning

Citrix Provisioning servers must be upgraded before you can upgrade Target Devices.

To in-place upgrade Citrix Provisioning servers:

  1. Make sure Citrix Provisioning High Availability (HA) is working for target devices. If HA is functional, in-place upgrade can be done during the day.
    • In the Citrix Provisioning console, you should see an even distribution of Target Devices across all Citrix Provisioning servers.
    • Check the WriteCache folders on Citrix Provisioning servers to make sure they’re empty. If any Target Device is caching on Server, then those Target Devices will not failover to another Citrix Provisioning server.
  2. Get temporary sysadmin permissions to the SQL Server that hosts the Citrix Provisioning database.
  3. Get one of the following installation media:
    1. Citrix Provisioning LTSR 2402
    2. Citrix Provisioning LTSR 2203 CU4
    3. Citrix Provisioning LTSR 1912 CU8
  4. On the first Citrix Provisioning Server:
    1. In-place upgrade Citrix Provisioning Console by running the LTSR 2402, LTSR 2203 CU4, or LTSR 1912 CU8, Citrix Provisioning Console installer.
    2. Re-register the Citrix.PVS.snapin.dll snap-in:
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" "c:\program files\citrix\provisioning services console\Citrix.PVS.snapin.dll"
    3. In-place upgrade Citrix Provisioning Server by running the LTSR 2402, LTSR 2203 CU4, or LTSR 1912 CU8 Citrix Provisioning Server installer
    4. Run the Citrix Provisioning Configuration Wizard. The farm should already be configured, so just click Next a few times and let it upgrade the database and restart the services.
  5. In-place upgrade the PVS Console and PVS Server software on the remaining Citrix Provisioning Servers. After installation, run the Citrix Provisioning Configuration Wizard, and click Next until the end.
  6. Temporary SQL sysadmin permissions can now be removed.
  7. Target Device Software can now be upgraded.
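The HA pre-flight in step 1 is the part of this procedure that decides whether you can upgrade during the day, so here it is as a script. This is an added example, not the guide's own code. It assumes the Citrix Provisioning console (and therefore Citrix.PVS.SnapIn.dll) is installed where it runs, that the account is a farm administrator, and that each server's WriteCache folder sits at the default location directly under the store path; the WriteCacheType values 1 and 7 are the "cache on server" and "cache on server persistent" vDisk modes.

```powershell
# Added pre-flight check for the Citrix Provisioning HA step; not part of the original guide.
# Assumptions: Provisioning console installed locally, farm-admin rights, WriteCache folders at
# the default <store path>\WriteCache on each server (adjust Get-PvsWriteCacheFiles if you moved them).

Import-Module 'C:\Program Files\Citrix\Provisioning Services Console\Citrix.PVS.SnapIn.dll'

# vDisk WriteCacheType values that keep the write cache on the Provisioning server. Targets on
# these vDisks are pinned to the server holding their cache and will not fail over during an upgrade.
$ServerSideCacheTypes = @{ 1 = 'Cache on server'; 7 = 'Cache on server, persistent' }

function Get-PvsActiveTargetDistribution {
    # Number of booted (Active) target devices streaming from each Provisioning server.
    Get-PvsDeviceInfo | Where-Object { $_.Active } |
        Group-Object -Property ServerName |
        Select-Object @{ n = 'Server'; e = { $_.Name } }, Count
}

function Get-PvsServerCachedTargets {
    # Active targets whose assigned vDisk caches on the server: these are the HA blockers.
    foreach ($dev in (Get-PvsDeviceInfo | Where-Object { $_.Active })) {
        foreach ($disk in (Get-PvsDiskInfo -DeviceId $dev.DeviceId)) {
            $type = [int]$disk.WriteCacheType
            if ($ServerSideCacheTypes.ContainsKey($type)) {
                [pscustomobject]@{
                    Device    = $dev.DeviceName
                    Server    = $dev.ServerName
                    vDisk     = $disk.Name
                    CacheType = $ServerSideCacheTypes[$type]
                }
            }
        }
    }
}

function Get-PvsWriteCacheFiles {
    # Files left behind in each server's WriteCache folder (assumed default: <store path>\WriteCache),
    # reached through the administrative share, e.g. D:\Store\WriteCache -> \\server\D$\Store\WriteCache.
    foreach ($server in Get-PvsServer) {
        foreach ($store in Get-PvsStore) {
            $local = Join-Path $store.Path 'WriteCache'
            $unc   = '\\{0}\{1}' -f $server.ServerName, ($local -replace '^([A-Za-z]):', '$1$$')
            if (Test-Path $unc) {
                Get-ChildItem -Path $unc -File -ErrorAction SilentlyContinue |
                    Select-Object @{ n = 'Server'; e = { $server.ServerName } }, FullName, Length
            }
        }
    }
}

# Run the three checks. Empty results from the last two mean every active target can fail over.
Get-PvsActiveTargetDistribution | Format-Table -AutoSize
$blockers = @(Get-PvsServerCachedTargets)
$leftover = @(Get-PvsWriteCacheFiles)
if ($blockers.Count -eq 0 -and $leftover.Count -eq 0) {
    Write-Host 'HA ready: no server-side write cache in use; safe to upgrade one server at a time.'
} else {
    $blockers | Format-Table -AutoSize
    $leftover | Format-Table -AutoSize
    Write-Warning 'Targets with server-side cache will not fail over; move them to a device-side cache type or plan downtime.'
}
```

An uneven distribution in the first table is not by itself a blocker (the Provisioning server does not rebalance automatically), but a server carrying most of the targets will dump all of that load onto its peers when you take it down, so check that the remaining servers can absorb it.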

There are several methods of upgrading the Citrix Provisioning Target Device Software that’s inside a vDisk:

  • In-place upgrade the Target Device Software while doing your normal vDisk update process.
  • Completely rebuild the vDisk. An automated build process like MDT is recommended.
  • Or you can reverse image. To upgrade VMware Tools (or any software that modifies the NIC), you must reverse image.

To in-place upgrade Target Device software:

  1. Create a new vDisk Maintenance version or put the vDisk in Private Image mode. Then boot an Updater Target Device. This is the normal process for updating a vDisk.
  2. Run the LTSR 2402, LTSR 2203 CU4, or LTSR 1912 CU8 Target Device software installer to upgrade the software. The Target Device software must be the same version or older than the Citrix Provisioning Servers.
  3. Shut down the Updater. Promote the Maintenance version to Production or change the vDisk to Standard Image mode. This is the normal process for updating a vDisk.

Reverse image methods:

  • Boot from VHD – Build a VM. Copy Citrix Provisioning vDisk VHD/VHDX to VM. Boot from VHD/VHDX.
  • Hyper-V can boot from a VHD directly. Copy Citrix Provisioning vDisk VHD/VHDX to Hyper-V host. Create a VM that boots from VHD/VHDX.
  • Citrix Image Portability Service can convert PVS VHD to VMware .vmdk.
  • Once VHD/VHDX is updated, copy the VHD/VHDX back to Citrix Provisioning, import to a Citrix Provisioning Store, which creates a new vDisk, and assign the new vDisk to target devices. Takes effect at next Target Device reboot.

If using Citrix Provisioning Accelerator, keep XenServer patched.

To upgrade the operating system version of the Citrix Provisioning Servers:

  1. In-place upgrade the existing Citrix Provisioning Servers to a version that supports the new operating system version.
  2. Build one or more new virtual machines with the new operating system version.
  3. Install Citrix Provisioning Server software with the same version as the other Citrix Provisioning Servers.
  4. Run Citrix Provisioning Configuration Wizard and join the new machines to the existing Citrix Provisioning farm and Citrix Provisioning database.
  5. Copy the vDisk files from an existing Citrix Provisioning Server to the new Citrix Provisioning Servers. Check Replication Status of each vDisk.
  6. Install the App Layering Citrix Provisioning Agent.
  7. In Citrix Provisioning Console, reconfigure Bootstrap to point to the new Citrix Provisioning Servers. Go to Sites > MySite > Servers > right-click each server and click Configure Bootstrap.
  8. Reconfigure DHCP Options or BDM to point to the new Citrix Provisioning Servers. Do one or more of the following:
    • Reconfigure TFTP load balancing to point to the new Citrix Provisioning Servers.
    • Change DHCP Scope Options 66/67 to the new Citrix Provisioning Servers.
    • Create a new Boot ISO with the new Citrix Provisioning Servers.
    • Use the Citrix Provisioning Console to update the BDM Partition on each Target Device.
    • Start the PXE Service on the new Citrix Provisioning Servers and stop the PXE Service on the old Citrix Provisioning Servers.
    • Reboot some Target Devices to make sure they work.
  9. In Citrix Provisioning Console, delete the old Citrix Provisioning Servers.
  10. Decommission the old Citrix Provisioning Servers.

Virtual Delivery Agents (VDA)

To in-place upgrade the Virtual Delivery Agent software, run the newer VDA installer on each VDA machine or master image.

Instead of in-place upgrading the VDAs, you can also rebuild them with the new software versions. If rebuilding, use an automated method, like MDT.

To upgrade the operating system version of the Virtual Delivery Agents, it’s recommended to rebuild the VDA. But keep in mind the following:

  • Windows 11 is not supported by VDA 1912 LTSR, but Windows 11 is supported with VDA 2109 and newer.
  • Windows 10 version upgrades should be a rebuild, not an in-place upgrade.
    • If you in-place upgrade, uninstall VDA software, upgrade Windows, then reinstall VDA software.
    • Citrix App Layering might require in-place upgrade of Windows 10 due to other layers being linked to the OS Layer.
  • Newer VDA operating system versions use newer profile versions, which means older profiles will not work.
  • Newer RDSH operating system versions require newer RDS Licensing Servers and newer RDS Licenses.
  • GPO settings– Newer OSs have newer Microsoft GPO settings.

StoreFront

StoreFront is the most problematic component to upgrade so be prepared to roll back.

  • Newer versions of StoreFront installer are adding pre-upgrade checks to prevent known upgrade issues.

Citrix does not support mixing StoreFront versions within a single Server Group, and they instead prefer that you do this: (source = Upgrade StoreFront at Citrix Docs)

  1. It’s critical that you snapshot the StoreFront machines before beginning the upgrade since there is no rollback from a failed upgrade.
  2. Remove a StoreFront server from the Server Group and load balancing.
  3. Prep: close consoles, close PowerShell, logoff other admins, etc.
  4. Upgrade the removed server by installing one of the following:
    1. StoreFront LTSR 2402.
    2. StoreFront LTSR 2203 CU5.
    3. StoreFront LTSR 1912 CU8.
    4. If the upgrade fails, review the install logs to determine the cause. Once the cause is determined, revert the VM to the prior snapshot, and try the upgrade again.
    5. Upgrade the HTML5 Workspace app installed on StoreFront. The instructions for all StoreFront versions are the same.
  5. Swap out the upgraded server on the load balancer so all traffic goes to the new server.
  6. Uninstall/reinstall StoreFront on the remaining StoreFront servers and join the first server that was already upgraded.

To upgrade the operating system version of the StoreFront Servers:

  1. Build one or more new virtual machines with the new operating system version.
  2. Install StoreFront software. Configuration export/import requires the new servers to run the same version of StoreFront as the old servers. After the config is imported, you can in-place upgrade the new StoreFront servers.
  3. Do one of the following: 
    • Export the StoreFront configuration from the old servers and import to the new servers.
    • Manually configure the new StoreFront Server Group to match the old StoreFront Server Group. This configuration includes: Base URL, entries under Manage Delivery Controllers (case sensitive), SRID (c:\inetpub\wwwroot\Citrix\Roaming\web.config), export/import subscriptions, Beacons, Gateways, Icon Aggregation, etc. Keeping the new configuration identical to old allows Workspace app to failover without any reconfiguration.
    • (unsupported): join the new machines to the existing Server Group. This causes configuration and subscriptions to replicate to the new server. Citrix does not support mixing operating system versions in the same StoreFront server group.
  4. Copy customizations (e.g., default.ica) from old StoreFront to new StoreFront.
  5. Upgrade the HTML5 Workspace app installed on StoreFront. The instructions for all StoreFront versions are the same.
  6. Test the new StoreFront by modifying HOSTS file on test workstations. Make sure existing Workspace app can connect to the new StoreFront.
  7. On cutover night, reconfigure the load balancer to point to the new StoreFront servers instead of the old StoreFront servers.
  8. Decommission the old StoreFront servers.
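The export/import option in step 3 only works when the old and new servers run exactly the same StoreFront version, and that is easy to get wrong when the new servers were built from the latest media. The script below wraps the SDK's Export-STFConfiguration and Import-STFConfiguration so that the import refuses a version mismatch. It is an added example, not the guide's own code; it assumes the StoreFront PowerShell SDK at its default install path, a file share both server groups can reach, and a password for the export (the export contains the server group's configuration, so do not leave an unencrypted copy on a share). The share path and password prompt are placeholders.

```powershell
# Added example for the StoreFront export/import migration; not the guide's own script.
# Run Export-OldServerGroup on one of the old servers and Import-ToNewServerGroup on a new server.
# Assumes the SDK module at its default path and that the cmdlet names/parameters match the StoreFront
# PowerShell SDK (Export-STFConfiguration / Import-STFConfiguration). The share path is a placeholder.

Import-Module 'C:\Program Files\Citrix\Receiver StoreFront\PowerShellSDK\Modules\Citrix.StoreFront\Citrix.StoreFront.psd1'

function Get-InstalledStoreFrontVersion {
    # Read the product version from the uninstall registry keys (avoids Win32_Product, which triggers MSI repairs).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty $keys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Citrix StoreFront*' } |
             Select-Object -First 1
    if (-not $entry) { throw 'StoreFront is not installed on this machine.' }
    [version]$entry.DisplayVersion
}

function Export-OldServerGroup {
    param(
        [Parameter(Mandatory)] [string]$Share,            # e.g. \\fileserver\sfmigration (placeholder)
        [Parameter(Mandatory)] [securestring]$Password    # protects the zip; never use -NoEncryption on a share
    )
    # The cmdlet appends .zip to the file name it is given.
    Export-STFConfiguration -TargetFolder $Share -ZipFileName 'storefront-config' -Password $Password
    # Sidecar records what was exported so the import side can refuse a version mismatch.
    @{
        Version  = (Get-InstalledStoreFrontVersion).ToString()
        Exported = (Get-Date).ToString('o')
        Source   = $env:COMPUTERNAME
    } | ConvertTo-Json | Set-Content -Path (Join-Path $Share 'storefront-config.json')
}

function Import-ToNewServerGroup {
    param(
        [Parameter(Mandatory)] [string]$Share,
        [Parameter(Mandatory)] [securestring]$Password
    )
    $meta = Get-Content (Join-Path $Share 'storefront-config.json') -Raw | ConvertFrom-Json
    $here = Get-InstalledStoreFrontVersion
    if ($here -ne [version]$meta.Version) {
        throw ("Version mismatch: export came from StoreFront {0} ({1}); this server runs {2}. " +
               "Install the matching version, import, and only then upgrade in place.") -f $meta.Version, $meta.Source, $here
    }
    Import-STFConfiguration -ConfigurationZip (Join-Path $Share 'storefront-config.zip') -Password $Password
}

# Usage (old server):  Export-OldServerGroup -Share '\\fileserver\sfmigration' -Password (Read-Host -AsSecureString 'Export password')
# Usage (new server):  Import-ToNewServerGroup -Share '\\fileserver\sfmigration' -Password (Read-Host -AsSecureString 'Export password')
```

After a successful import, still compare Base URL, Delivery Controller entries and gateway settings in the console against the old group before testing with the HOSTS-file method in step 6, and delete the zip and sidecar from the share once the new group is live.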

Workspace app for HTML5

Workspace app for HTML5 is usually released on a different schedule than StoreFront and is upgraded out-of-band.

  • There is no LTSR version of Workspace app for HTML5 so you should upgrade to the latest Workspace app for HTML5, especially for the newer features (e.g. multi-monitor, USB redirection).

To in-place upgrade Workspace app for HTML5:

  1. Upgrade the HTML5 Workspace app installed on StoreFront. The instructions for all StoreFront versions are the same.
  2. Upgrade the Chrome File Access software that’s installed on the VDA machines.

Director

To in-place upgrade the Director servers:

  1. Ensure the Delivery Controllers are already upgraded. There’s no point in upgrading Director if Delivery Controllers aren’t upgraded.
  2. In-place upgrade to one of the following versions:
    1. Director LTSR 2402
    2. Director LTSR 2203 CU5
    3. Director LTSR 1912 CU8
  3. Upgrading Director overrides modifications to LogOn.aspx (e.g., default domain name), so you’ll have to reapply them.
  4. Repeat for the remaining Director servers.
  5. Upgrade the StoreFront Probes.

To upgrade the operating system version of the Director servers, it’s easier if you have a custom DNS name or load balanced DNS name for Director instead of using a server name:

  1. Make sure Delivery Controllers are running a version that supports the OS you intend for Director.
  2. Build new Director servers with the same version or newer than the Delivery Controllers.
  3. Configure the new Director servers to point to the same Delivery Controllers as the old Director servers.
  4. Copy the Director data files from the old Director servers to the new Director servers. Or point the new Director servers to the existing UNC path.
  5. Cutover:
    1. If you have a load balanced DNS name for Director, reconfigure the load balancer to point to the new Director servers.
    2. If you have a custom DNS name for Director, change it to resolve to the new Director server’s IP address.
    3. If you were previously using the actual server name, then you can either inform users of the new Director server name, or delete the old Director server and rename the new Director server, or delete the old Director server and reconfigure the old DNS name as a custom DNS name for the new Director server.
      1. Also reconfigure the StoreFront probes to point to the new Director name.
  6. Decommission the old Director servers.

Citrix Group Policy Management Plug-in

On any machine that has Group Policy Management installed, in-place upgrade the Citrix Group Policy Management Plug-in by running the installer from the Citrix Virtual Apps and Desktops (CVAD) LTSR 2402, CVAD LTSR 2203 CU5, or CVAD LTSR 1912 CU8. Or download it from the DaaS download page.

Profile Management Group Policy Templates

Profile Management service is included with Virtual Delivery Agent. Upgrading the VDA also upgrades Profile Management.

New templates don’t break existing functionality – Upgrading the Profile Management group policy templates (.admx files) will not affect existing functionality. The templates do nothing more than expose new settings that can be configured.

To in-place upgrade the Profile Management Group Policy Templates:

  1. Copy the newer Profile Management Group Policy Templates to the PolicyDefinitions folder: either the Sysvol central store, or C:\Windows\PolicyDefinitions on every group policy editing machine. Overwrite existing template files.
  2. Look for older versions of the templates and delete them. Older template files have the version number in their name (e.g., ctxprofile7.19.0.admx).
  3. Edit the VDA GPOs that have Profile Management settings configured. Review the new settings, and configure them, if desired. Review the Profile Management release notes for the list of new features.

Workspace app Group Policy Templates

New templates don’t break existing functionality – Upgrading the Workspace app group policy templates (.admx files) will not affect existing functionality. The newer templates do nothing more than expose new settings that can be configured.

To in-place upgrade the Workspace app Group Policy Templates:

  1. Copy the newer Workspace app Group Policy Templates to the PolicyDefinitions folder: either Sysvol, or C:\Windows\PolicyDefinitions on every group policy editing machine. Overwrite existing template files.
    1. LTSR Workspace app and Current Release Workspace app have different versions of the group policy template files.
    2. Current Release Workspace app template files include all of the LTSR Workspace app settings, plus new settings that don’t apply to LTSR Workspace app.
  2. If you are deploying a newer Current Release Workspace app version, edit the GPOs that have Workspace app settings configured, review the new settings, and configure them, if desired. Review the Workspace app release notes for the list of new features.
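Both template procedures above (Profile Management and Workspace app) come down to the same file operations: copy the new .admx files and each language folder's .adml files over the existing ones, then remove the old version-numbered Profile Management templates so they do not sit next to the unversioned ctxprofile.admx in GPMC. The function below does that for either set in one pass. It is an added example, not the guide's own code; it assumes the new templates are unpacked into a folder with the .admx files at its top level and the .adml files in language subfolders (en-US and so on), that the new Profile Management templates are the unversioned ctxprofile.admx/.adml, and that the central store is at the default Sysvol path for the current domain. Run it with -WhatIf first.

```powershell
# Added example for refreshing Citrix Profile Management and Workspace app policy templates;
# not the guide's own script. Assumes <SourceFolder>\*.admx plus <SourceFolder>\<lang>\*.adml,
# unversioned new ctxprofile templates, and the default Sysvol central store path.

function Update-CitrixPolicyTemplates {
    param(
        [Parameter(Mandatory)] [string]$SourceFolder,
        [string]$CentralStore = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions",
        [switch]$WhatIf
    )
    if (-not (Test-Path $CentralStore)) { throw "PolicyDefinitions folder not found: $CentralStore" }

    # 1) Copy every .admx to the store root, overwriting the existing template of the same name.
    Get-ChildItem -Path $SourceFolder -Filter *.admx -File | ForEach-Object {
        Copy-Item -Path $_.FullName -Destination $CentralStore -Force -WhatIf:$WhatIf
    }

    # 2) Copy each language folder's .adml files, creating the language folder if the store lacks it.
    Get-ChildItem -Path $SourceFolder -Directory | ForEach-Object {
        $langDest = Join-Path $CentralStore $_.Name
        if (-not (Test-Path $langDest)) {
            New-Item -ItemType Directory -Path $langDest -WhatIf:$WhatIf | Out-Null
        }
        Get-ChildItem -Path $_.FullName -Filter *.adml -File | ForEach-Object {
            Copy-Item -Path $_.FullName -Destination $langDest -Force -WhatIf:$WhatIf
        }
    }

    # 3) Remove older Profile Management templates that carry a version in the file name
    #    (e.g. ctxprofile7.19.0.admx / ctxprofile7.19.0.adml); the current templates are unversioned.
    $versioned = '^ctxprofile\d+\.\d+(\.\d+)*\.adm[lx]$'
    Get-ChildItem -Path $CentralStore -Recurse -File |
        Where-Object { $_.Name -match $versioned } |
        ForEach-Object { Remove-Item -Path $_.FullName -WhatIf:$WhatIf }
}

# Dry run first, then for real. The source path is a placeholder for wherever you unpacked the templates.
Update-CitrixPolicyTemplates -SourceFolder 'C:\Temp\CitrixTemplates' -WhatIf
# Update-CitrixPolicyTemplates -SourceFolder 'C:\Temp\CitrixTemplates'
```

If you use local PolicyDefinitions folders instead of the central store, run the function once per editing machine with -CentralStore 'C:\Windows\PolicyDefinitions'. Because a newer template only exposes new settings, the copy is safe to do ahead of the GPO review in the following step.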

Workspace app

To in-place upgrade Workspace app:

  1. Microsoft Configuration Manager – Use Microsoft Configuration Manager or similar to push one of the following versions:
  2. StoreFront delivery of Workspace app – If Workspace app is offered directly from StoreFront servers, copy the newer Current Release Workspace app to StoreFront 3.12+.
    • StoreFront, by default, does not offer Workspace app upgrades to users but it can be enabled. If Workspace app upgrades are not offered, then Workspace app is provided by StoreFront only if there’s no Workspace app installed on the client device.
      • In StoreFront 3.5 and newer, enable Upgrade plug-in at logon at the same place you upload the Workspace app files.
      • For StoreFront 3.0 and older, edit C:\inetpub\wwwroot\Citrix\StoreWeb\web.config and set upgradeAtLogin to true.
  3. Auto-update – In Workspace app, if Auto-Update is enabled, then users with permissions will receive an update notification. Users can then manually initiate the Workspace app upgrade.
    • You can configure group policy or an install switch to only update to LTSR versions of Workspace app.
  4. Manual update – Inform remote users to upgrade their Workspace app by downloading the Current Release version from http://workspace.app.
    • If Workspace app was initially installed as an administrator, then only an administrator can upgrade it.
    • If Workspace app was initially installed without administrator permissions, then each non-admin user on the same machine has a different Workspace app installation, and each user has to upgrade it separately.

Skype for Business HDX RealTime Optimization Pack

The Skype for Business HDX RealTime Optimization Pack is usually released separately from the main Citrix Virtual Apps and Desktops (CVAD) releases.

To in-place upgrade HDX RealTime Optimization Pack:

  1. On the VDAs, install the HDX RealTime Connector.
    • 2.9 is the last version of Skype for Business HDX RealTime Optimization Pack.
  2. On each Workspace app machine, install the HDX RealTime Media Engine normally.

Federated Authentication Service (FAS)

To in-place upgrade the Federated Authentication Service (FAS) servers:

  1. On the existing FAS servers, run AutoSelect.exe from the Citrix Virtual Apps and Desktops (CVAD) 2402 LTSR ISO, the LTSR 2203 CU5 ISO, or the LTSR 1912 CU8 ISO, and click the button to install Federated Authentication Service. It’s a simple Next, Next, Next process.
  2. Newer versions of FAS might have newer group policy templates. If so, copy them to Sysvol, or C:\Windows\PolicyDefinitions on all group policy editing machines.

To upgrade the operating system version of the FAS servers:

  1. Build one or more new FAS servers.
  2. Request a Registration Authority certificate for each of the FAS servers.
  3. Change the group policy object for FAS to point to the new FAS servers. Run gpupdate on StoreFront and VDAs.
  4. Decommission the old FAS servers.

Customer Experience Improvement Program (CEIP)

Newer versions of Citrix Virtual Apps and Desktops (CVAD) components automatically enable Customer Experience Improvement Program (CEIP). To disable, see the following:

Citrix ADC Firmware

Test appliances – Ideally, Citrix ADC firmware upgrades should be tested on separate test appliances. VIPs on the test appliances should then be tested.

Downtime if no High Availability – If you only have a single Citrix ADC appliance, then upgrading the firmware will cause downtime while the appliance is rebooting.

GSLB and mixed versions – If GSLB Metric Exchange Protocol (MEP) is enabled, then the Citrix ADC appliances on both sides of the MEP connection can run different versions of firmware.

To in-place upgrade Citrix ADC Firmware:

  1. Save the config. Then download a copy of the ns.conf file, or perform a backup of the appliance and download the backup file.
  2. On the secondary appliance, install the newer firmware.
  3. To test the new firmware, perform an HA failover.
    1. While the two appliances run different firmware versions, HA synchronization and propagation are disabled, so configuration changes made on the primary appliance will not be synchronized to the other appliance until both run the same firmware.
    2. You can failover HA again to revert to the older firmware.
    3. To downgrade, on the appliance you’ve already upgraded, you can perform the firmware upgrade process again, but this time upload the older firmware.
  4. On the primary appliance, install the newer firmware. A HA failover occurs automatically.
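Steps 1 and 2 above are where a wrong click costs the most: upgrading the primary by mistake causes an unplanned failover, and skipping the backup leaves no way back if the new build misbehaves. The script below uses the NITRO REST API to check which HA role the appliance you are pointed at holds, saves the running configuration, creates a full system backup and downloads it, and refuses to continue unless the node is the secondary (or you explicitly allow a single-appliance upgrade). It is an added example, not the guide's own code; it assumes NITRO is reachable on the NSIP over HTTPS with a certificate your client trusts, an account whose command policy allows save config and system backup, and that $Nsip, $Cred and the output folder are yours.

```powershell
# Added example for the backup step of the Citrix ADC firmware upgrade; not the guide's own script.
# Assumes NITRO REST on the NSIP over HTTPS with a trusted certificate (do not disable TLS validation:
# the credentials travel in request headers), and an account allowed to save config and create backups.

function Invoke-Nitro {
    param([string]$Nsip, [pscredential]$Cred, [string]$Method, [string]$Resource, $Body)
    $headers = @{
        'X-NITRO-USER' = $Cred.UserName
        'X-NITRO-PASS' = $Cred.GetNetworkCredential().Password
    }
    $params = @{
        Uri         = "https://$Nsip/nitro/v1/config/$Resource"
        Method      = $Method
        Headers     = $headers
        ContentType = 'application/json'
    }
    if ($Body) { $params.Body = ($Body | ConvertTo-Json -Compress) }
    Invoke-RestMethod @params
}

function Get-NsUpgradeState {
    param([string]$Nsip, [pscredential]$Cred)
    $ver   = (Invoke-Nitro $Nsip $Cred GET 'nsversion').nsversion.version
    $nodes = (Invoke-Nitro $Nsip $Cred GET 'hanode').hanode
    $self  = $nodes | Where-Object { $_.id -eq 0 }          # node id 0 is always the appliance you are talking to
    [pscustomobject]@{
        Version   = $ver
        State     = $self.state                               # Primary / Secondary
        HaStatus  = $self.hastatus                            # UP when the node is healthy
        SyncState = $self.hasync                              # sync is disabled while firmware versions differ
        Peers     = @($nodes | Where-Object { $_.id -ne 0 } | ForEach-Object { "$($_.ipaddress)=$($_.state)" })
    }
}

function Backup-NsBeforeUpgrade {
    param([string]$Nsip, [pscredential]$Cred, [string]$OutFolder, [switch]$AllowPrimary)
    $state = Get-NsUpgradeState $Nsip $Cred
    Write-Host ("{0}: {1}, HA status {2}, peers: {3}" -f $Nsip, $state.State, $state.HaStatus, ($state.Peers -join ', '))
    if ($state.State -ne 'Secondary' -and -not $AllowPrimary) {
        throw "Node $Nsip is $($state.State). Upgrade the SECONDARY first, or pass -AllowPrimary for a standalone appliance."
    }

    # 1) 'save ns config'
    Invoke-Nitro $Nsip $Cred POST 'nsconfig?action=save' @{ nsconfig = @{} } | Out-Null

    # 2) 'create system backup <name> -level full' (written to /var/ns_sys_backup on the appliance)
    $name = 'pre-upgrade-{0}' -f (Get-Date -Format 'yyyyMMdd-HHmm')
    Invoke-Nitro $Nsip $Cred POST 'systembackup?action=create' @{ systembackup = @{ filename = $name; level = 'full' } } | Out-Null

    # 3) Download it off-box: the systemfile resource returns the content base64-encoded.
    $file = (Invoke-Nitro $Nsip $Cred GET "systemfile?args=filename:$name.tgz,filelocation:%2Fvar%2Fns_sys_backup").systemfile
    $out  = Join-Path $OutFolder "$Nsip-$name.tgz"
    [IO.File]::WriteAllBytes($out, [Convert]::FromBase64String($file.filecontent))
    $out
}

# Usage: $Cred = Get-Credential; Backup-NsBeforeUpgrade -Nsip '10.0.0.11' -Cred $Cred -OutFolder 'C:\Backups\ADC'
```

Run it against the secondary's NSIP before step 2, and again against the other NSIP before step 4 (by then that appliance is the secondary, so the check passes without -AllowPrimary). The downloaded .tgz contains ns.conf plus certificates and keys, so store it with the same care as the appliance itself.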

Site Updates – June 2017

Last Modified: Sep 9, 2021 @ 12:12 pm

To trigger RSS Feed, Mailing List, etc., here is the June 2017 excerpt from the Detailed Change Log.

EUC Weekly Digest – July 1, 2017

Last Modified: Nov 7, 2020 @ 6:34 am

Here are some EUC items I found interesting last week. For more immediate updates, follow me at http://twitter.com/cstalhood.

For a list of updates at carlstalhood.com, see the Detailed Change Log.


XenApp/XenDesktop

VDA

MCS

App Layering (Unidesk)

WEM/Profile Management

Provisioning Services

Receiver

NetScaler

NetScaler MAS

NetScaler Gateway

XenMobile

ShareFile

Citrix Cloud

VMware

Other

  • What’s new in ControlUp v7 – VMware hypervisor storage monitoring, VM drives, AWS EC2 (cost metrics, metadata), display IE browser URL, Top Insights dashboard, NetScaler monitor – recorded webinar – CUGC

EUC Weekly Digest – June 24, 2017

Last Modified: Nov 7, 2020 @ 6:34 am

Here are some EUC items I found interesting last week. For more immediate updates, follow me at http://twitter.com/cstalhood.

For a list of updates at carlstalhood.com, see the Detailed Change Log.


XenApp/XenDesktop

VDA

App Layering (Unidesk)

Director/Monitoring

WEM/Profile Management

Provisioning Services

Receiver

NetScaler

NetScaler Gateway

XenMobile

VMware