VMware Horizon 7.13.3 Connection Server

Last Modified: Mar 22, 2023 @ 5:43 am

Navigation

This post applies to all VMware Horizon 7 versions including 7.13.3 (ESB).

💡 = Recently Updated

Change Log

Upgrade

If you are performing a new install, skip to Install Horizon 7 Standard Connection Server.

Notes regarding upgrades:

  • Upgrade all Connection Servers during the same maintenance window.
    • Downgrades are not permitted.
      • You can snapshot your Connection Servers before beginning the upgrade. To revert, shut down all Connection Servers, then revert to snapshots.
    • For Cloud Pod Architecture, you don’t have to upgrade every pod at once. But upgrade all of them as soon as possible.
    • Horizon Agents cannot be upgraded until the Connection Servers are upgraded.
    • All Connection Servers in the pod must be online before starting the upgrade.
    • Upgrade Horizon Composer before upgrading the Connection Servers.
    • It’s an in-place upgrade. Just run the Connection Server installer and click Next a couple times.
      • If upgrading from version 7.7 or older to version 7.8 or newer, then be aware of authentication changes.
    • For Security Servers, in Horizon Administrator, go to paired Connection Server, More Commands > Prepare for Upgrade or Reinstallation.
  • Upgrade the Horizon Group Policy template (.admx) files.
  • Upgrade the Horizon Agents.
    • It’s an in-place upgrade.
    • There’s no hurry. Upgrade the Horizon Agents when time permits.
  • Upgrade the Horizon Clients.
    • Horizon Clients can be upgraded anytime before the rest of the infrastructure is upgraded.

Install Horizon 7 Standard Connection Server

The first Horizon Connection Server must be a Standard Server. Subsequent Horizon Connection Servers are Replicas. Once Horizon Connection Server is installed, there is no difference between them.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU.

  • In Horizon 7.2 and newer, each Horizon Connection Server can handle 4,000 connections.
  • In Horizon 7.1 and newer, each Horizon Connection Server can handle 2,000 connections.

Horizon 7.13.3 is the last release of Horizon 7 and will be supported until May 2023. VMware recommends upgrading all Horizon 7 implementations to Horizon 8.

To install the first Horizon Connection Server:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for View Connection Server at VMware Docs.
  2. Windows Server 2019 is supported with Horizon Connection Server 7.8 and newer.
  3. Windows Server 2016 is supported with Horizon Connection Server 7.1 and newer.
  4. Horizon Composer cannot be installed on the Horizon Connection Server, and vice versa.
  5. The older Horizon Administrator (/flexadmin) is a Flash-based console. After December 2020, Chrome will no longer support Flash.
    • Horizon Console (/newadmin) is HTML5 and does not need Flash.
  6. Download Horizon 7.13.3 View Connection Server.
  7. If Horizon Toolbox is installed, uninstall it.
  8. Run the downloaded VMware-Horizon-Connection-Server-x86_64-7.13.3.exe.
  9. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  10. If you are upgrading from version 7.7 or older to version 7.8 or newer, then acknowledge the authentication changes warning by clicking OK.
  11. In the License Agreement page, select I accept the terms, and click Next.
  12. In the Destination Folder page, click Next.
  13. In the Installation Options page, select Horizon 7 Standard Server, and click Next.
  14. In the Data Recovery page, enter a password, and click Next.
  15. In the Firewall Configuration page, click Next.
  16. In the Initial Horizon 7 Administrators page, enter an AD group containing your Horizon administrators, and click Next.
  17. In the User Experience Improvement Program page, uncheck the box, and click Next.
  18. In the Ready to Install the Program page, click Install.
  19. In the Installer Completed page, uncheck the box next to Show the readme file, and click Finish.
  20. If you upgraded to Horizon 7.8 or newer and want to re-enable Logon as current user:
    1. In Horizon Console 7.10 or newer, on the left, expand Settings and click Servers. Or in Horizon Administrator, on the left, go to View Configuration > Servers.

    2. On the right, switch to the tab named Connection Servers.
    3. Highlight the server you just upgraded and click Edit.

    4. Switch to the tab named Authentication.

    5. Scroll down, check the box next to Accept logon as current user and then click OK.

  21. If you upgraded to Horizon 7.8 or newer and want to re-enable sending the domain list to Horizon Client:
    1. In Horizon Console 7.10 or newer, on the left, expand Settings and click Global Settings. Or in Horizon Administrator, on the left, go to View Configuration > Global Settings.
    2. On the right, in the General section, click the Edit button.

    3. Near the bottom, check the box next to Send domain list. You might want to uncheck Hide domain list in client user interface. Then click OK.

Install Horizon 7 Replica Connection Server

Additional internal Horizon Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU.

  • In Horizon 7.2 and newer, each Horizon Connection Server can handle 4,000 connections.
  • In Horizon 7.1 and newer, each Horizon Connection Server can handle 2,000 connections.

To install Horizon Connection Server Replica:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU.
  2. Windows Server 2019 is supported with Horizon Connection Server 7.8 and newer.
  3. Windows Server 2016 is supported with Horizon Connection Server 7.1 and newer.
  4. Download Horizon 7.13.3 View Connection Server.
  5. Run the downloaded VMware-Horizon-Connection-Server-x86_64-7.13.3.exe.
  6. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  7. In the License Agreement page, select I accept the terms, and click Next.
  8. In the Destination Folder page, click Next.
  9. In the Installation Options page, select Horizon 7 Replica Server, and click Next.
  10. In the Source Server page, enter the name of another Horizon Connection Server in the group. Then click Next.
  11. In the Firewall Configuration page, click Next.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.
  14. Load balance your multiple Horizon Connection Servers.

Horizon Connection Server Certificate

  1. Run certlm.msc (Windows 2012+). Or run mmc, add the Certificates snap-in, and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the Connection Server, or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then restart the VMware Horizon View Connection Server service. It will take several seconds before you can connect to Horizon View Administrator.

Horizon Portal – Client Installation Link

If you point your browser to the Horizon Connection Server (without /admin in the path), the Install VMware Horizon Client link redirects to the VMware.com site for downloading of Horizon Clients. You can change it so that the Horizon Clients can be downloaded directly from the Horizon Connection Server.

  1. On the Horizon Connection Server, go to C:\Program Files\VMware\VMware View\Server\broker\webapps.
  2. Create a new folder called downloads.
  3. Copy the downloaded Horizon Client 5.2 for Windows to the new C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads folder.
  4. Run Notepad as administrator.
  5. Open the file C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties file with a text editor (as Administrator).
  6. Go back to the downloads folder, and copy the Horizon Client filename.
  7. In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. Note: In Horizon Client 4.3 and newer, there’s only one Horizon client for both 32-bit and 64-bit. The following example shows a link for the Horizon win64 client.
    link.win64=/downloads/VMware-Horizon-Client-5.2.0-14570289.exe
  8. Then Save the file.
  9. Restart the VMware Horizon View Web Component service, or restart the entire Connection Server.
  10. It will take a few seconds for the ws_TomcatService process to start so be patient. If you get a 503 error, then the service is not done starting.
  11. Now when you click the link to download the client, it will grab the file directly from the Horizon Connection Server.
  12. Repeat these steps on each Connection Server.

Portal Branding

Chris Tucker at Horizon View 7.X – Branding the Logon page details how to brand the Horizon 7.1 and newer portal page.

LDAP Edits

Horizon Console Timeout

The HTML5 Horizon Console (https://MyConnectionServer/newadmin) has a default timeout of 10 minutes. Changing the Horizon Administrator timeout will not affect the Horizon Console timeout. You can use adsiedit.msc to increase the Horizon Console timeout.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-APISessionTimeout, and click Edit.
  7. Enter a value in minutes. Click OK.

Mobile Client – Save Password

If desired, you can configure Horizon Connection Server to allow mobile clients (iOS, Android) to save user passwords.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-ClientCredentialCacheTimeout, and click Edit.
  7. Enter a value in minutes. 0 = no saving of credentials. -1 = no timeout. Click OK.

Biometric Authentication – iOS Touch ID, iOS Face ID, Fingerprints, Windows Hello

Biometric authentication, including Touch ID, Face ID, Fingerprints, and Windows Hello, is disabled by default. To enable: (source = vDelboy – How to Enable Touch ID in VMware Horizon 6.2 and Configure Biometric Authentication at VMware Docs)

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-ClientConfig and double-click it.
  7. Enter the line BioMetricsTimeout=-1, and click Add. Click OK. The change takes effect immediately.

Disallow Non-empty Pool Deletion

Configure View to Disallow the Deletion of a Desktop Pool That Contains Desktop Machines at VMware Docs.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-NameValuePair, and double-click it.
  7. Enter the line cs-disableNonEmptyPoolDelete=1, and click Add. Click OK. The change takes effect immediately.

Load Balancing

See Carl Stalhood’s Horizon Load Balancing using NetScaler 12.1.

Remote Desktop Licensing

If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon Connection Servers by following the procedure at https://www.carlstalhood.com/delivery-controller-7-15-ltsr-and-licensing/#rdlicensing.

Antivirus

VMware Tech Paper Antivirus Considerations for VMware Horizon 7: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

Help Desk Tool Timing Profiler

Horizon 7.2 and newer include a web-based Help Desk Tool. Run the following command to enable the timing profiler on each Connection Server instance to view logon segments.

vdmadmin -I -timingProfiler -enable

Logon Monitoring

The VMware Logon Monitor Fling is built into Horizon 7.1 and newer.

The logon logs are stored at C:\programdata\VMware\VMware Logon Monitor\Logs on each Horizon Agent. The Fling website has a PDF that explains how to also store them on a file share.

Inside each session log file are logon time statistics. 

VMware Horizon 7.13.3 Composer

Last Modified: Mar 22, 2023 @ 5:46 am

Navigation

This post applies to all VMware Horizon 7 versions including 7.13.3 (ESB).

Change Log

Planning

If you’re doing Instant Clones, then you don’t need Horizon Composer. Composer is only needed for the older method of creating Linked Clones. However, Instant Clones requires Horizon Enterprise Edition, so maybe Composer is your only option.

  • Instant Clones in Standard Edition – In Horizon 7.13, all editions of Horizon, including Standard Edition, include licensing for Instant Clones. Horizon 8 removes Composer, so start migrating to Instant Clones today.

vCenter Server planning:

  • A single vCenter Server can handle 10,000 VMs. However, this is a single point of failure. VMware recommends separate vCenter servers for each 2,000 or 4,000 VMs. More vCenter Servers means more concurrent vCenter operations, especially if your pools are configured for Refresh on Logoff.
    • Horizon 7.2 and newer supports 4,000 VMs per vCenter Server.
    • Horizon 7.1 and older supports 2,000 VMs per vCenter Server.
  • Each ESXi cluster is managed by one vCenter Server.
  • Don’t use existing vCenter servers. Build separate vCenter servers for the vSphere clusters that host Agent VMs. Horizon licenses include vCenter licenses, so there’s no excuse to not use separate vCenter servers.

Horizon View Composer server planning:

A remote SQL Server is needed for databases:

  • vCenter database
  • Horizon Composer database
  • Horizon Events database
  • Supported SQL versions are listed on the Solution/Database Interoperability tab at VMware Product Interoperability Matrices.

SQL Server Preparation

Only SQL Authentication is supported.

  1. Open the properties of the SQL Server.
  2. On the Security page, make sure SQL Server authentication is enabled.
  3. Create a new SQL database for View Composer.
  4. Call it VMwareHorizonComposer or similar. Then switch to the Options page.
  5. Select your desired Recovery model, and click OK.
  6. View Composer only supports SQL authentication on remote SQL servers. Expand Security, right-click Logins, and click New Login to create a new SQL login.
  7. Name the new account.
  8. Select SQL Server authentication.
  9. Enter a password for the new account.
  10. Uncheck the box next to Enforce password policy.
  11. Then switch to the User Mapping page.
  12. On the User Mapping page, in the upper half, check the Map box for VMwareHorizonComposer.
  13. On the bottom, check the box for the db_owner role, and click OK.

SQL Native Client

  1. Download SQL Native Client (sqlncli.msi).
  2. On the Horizon View Composer server, run sqlncli.msi.
  3. In the Welcome to the Installation Wizard for SQL Server 2012 Native Client page, click Next.
  4. In the License Agreement page, select I accept, and click Next.
  5. In the Feature Selection page, click Next.
  6. In the Ready to Install the Program page, click Install.
  7. In the Completing the SQL Server 2012 Native Client installation page, click Finish.

ODBC

  1. On the Horizon View Composer server, run ODBC Data Sources (64-bit) from the Start Menu.
  2. On the System DSN tab, click Add.
  3. Select SQL Server Native Client, and click Finish.
  4. Enter the name HorizonComposer for the DSN, and enter the SQL server name. Click Next.
  5. Change the selection to With SQL Server authentication, and enter the credentials of the new ViewComposer SQL account. Then click Next.
  6. Check the box next to Change the default database, and select the VMwareHorizonComposer database. Then click Next.
  7. Click Finish.
  8. Click OK twice.

Install/Upgrade Composer

  1. Upgrade can be performed in-place.
  2. Windows Server 2019 is supported with Horizon Composer 7.8 and newer.
  3. Don’t install on Horizon Connection Server: Horizon Composer cannot be installed on the Horizon Connection Server. Composer and Connection Server must be separate machines.
  4. Extra Memory for vCenter: If you install Horizon Composer on a Windows vCenter server, VMware recommends adding 8 GB of RAM to the server. See VMware 2105261 Intermittent provisioning issues and generic errors when Composer and vCenter Server are co-installed
    1. vCenter Service Account: if you install Horizon Composer on a Windows vCenter server, login as the same account that was used to install vCenter. See VMware 2017773 Installing or upgrading View Composer fails with error: The wizard was interrupted before VMware View Composer could be completely installed
  5. Internet access for CRL checking: If the Horizon Composer server does not have Internet access, see VMware 2081888 Installing Horizon View Composer fails with the error: Error 1920 Service VMware Horizon View Composer (svid) failed to start
  6. Certificate: If you install a certificate now, Composer installer will prompt you to select it during installation. Or, you can replace the certificate later.
  7. Download: Horizon 7.13.3 (ESB) Composer.
  8. Install: Run the downloaded VMware-viewcomposer-7.13.3.exe.
  9. In the Welcome to the Installation Wizard for VMware Horizon 7 Composer page, click Next.
  10. In the License Agreement page, select I accept the terms, and click Next.
  11. In the Destination Folder page, click Next.
  12. In the Database Information page, enter the name of the ODBC DSN.
  13. Enter the SQL account credentials (no Windows accounts), and click Next. For remote SQL databases, only SQL accounts will work. The SQL account must be db_owner of the database.
  14. The VMware Horizon 7 Composer Port Settings page appears. If you already installed a valid certificate on the Composer server, select Use an existing SSL certificate, and select the certificate. Click Next.
  15. In the Ready to Install the Program page, click Install.
  16. In the Installer Completed page, click Finish.
  17. Click Yes when asked to restart the computer.
  18. If you encounter installation issues, see VMware 2087379 VMware Horizon View Composer help center

After Upgrade, Accept Untrusted Certificate

If you upgraded Composer, then go to Horizon Console or Horizon Administrator and verify the certificate. Ideally, Composer should be using a Trusted Certificate. Or you might have to Accept an untrusted certificate.

In Horizon Console 7.10 or newer: (scroll down for Horizon Administrator instructions)

  1. On the left, expand Monitor and click Dashboard.
  2. On the right, in the top left box labelled System Health, click View.
  3. With Components selected on the left, on the right, switch to the tab named View Composer Servers.
  4. Click the link for Untrusted Certificate.
  5. Scroll down and Accept the certificate.

Or in Horizon Administrator:

  1. On the top left, click Dashboard.
  2. On the right, expand View Composer Servers and click the red Composer server.
  3. Next to Untrusted certificate, click Verify.
  4. Click the button labelled View Certificate.
  5. At the bottom, click the button labelled Accept.

Administrator Permissions

If Horizon View Composer is installed on a standalone server (not on vCenter), Horizon Connection Server will need a service account with administrator permissions on the Horizon View Composer server. Add your Horizon View Composer Service Account to the local Administrators group.

Composer Certificate

  1. Open the MMC Certificates snap-in (certlm.msc).
  2. Make sure your Composer certificate private key is exportable. Try exporting the certificate, and make sure Yes, export the private key is a selectable option.

  3. Stop the VMware Horizon 7 Composer service.
  4. In the certificates console, double-click your Composer certificate. On the Details tab, note the Thumbprint.
  5. Run Command Prompt as Administrator
  6. Change the directory to C:\Program Files (x86)\VMware\VMware View Composer.
  7. Run sviconfig -operation=replacecertificate -delete=false.
  8. Select the certificate that matches the thumbprint you noted earlier.
  9. Then restart the VMware Horizon 7 Composer service.

SQL Database Maintenance

SQL password: The password for the SQL account is stored in C:\Program Files (x86)\VMware\VMware View Composer\SviWebService.exe.config. To change the password, run SviConfig ‑operation=SaveConfiguration as detailed at VMware 1022526 The View Composer service fails to start after the Composer DSN password is changed.

Database Move: To move the database to a new SQL server, you must uninstall Composer and reinstall it. See VMware 2081899 VMware Horizon View Composer fails to work properly after migrating the Composer database to a new SQL server

Related Pages

Citrix SCOM Management Pack – NetScaler (1.17.93)

Last Modified: Nov 6, 2020 @ 7:12 am

Navigation

💡 = Recently Updated

Requirements

  • NetScaler Platinum Edition
  • NetScaler 9.3 or newer
  • System Center Operations Manager 2012 or newer

Citrix Blog Post SCOM NetScaler Management Pack Resource Consumption & Performance Overview:

  • For 14,000 NetScaler objects, extra 3 GB of RAM is needed on the SCOM monitoring agent. CPU is minimal.
  • For more than 14,000 NetScaler objects, the Agent started dropping data due to workflows.
  • Performance overview at Citrix Docs

NetScaler Pack

Full documentation at http://docs.citrix.com/en-us/scom-management-packs/netscaler/1-17.html.

Install Citrix NetScaler Pack

  1. On the System Center Operations Manager server, go to the downloaded Citrix SCOM Management Pack for NetScaler, and run Citrix_SCOM_Management_Pack_for_NetScaler.1.17.93exe.
  2. In the Welcome to the setup wizard for Citrix SCOM Management Pack for NetScaler page, click Next.
  3. In the View Relevant Product Configuration page, click Next.
  4. If you see a page indicating that an older version is already installed, click Next.
  5. In the License Agreement page, check the box next to I accept the terms, and click Next.
  6. In the Choose Destination Location page, click Next.
  7. In the Configure Post-Install Actions page, check the box next to Automatically import the Management Pack, and click Install.
  8. In the Completed the setup page, click Next.
  9. In the All post-install actions were successfully completed page, click Finish.

MP Agent Installation Account

Configure the MP Agent Installation Account as detailed for the XAXD Pack.

NetScaler Monitoring Account

On the NetScaler appliances, run the following commands to add a local account, and bind it to a restrictive cmdPolicy. Replace the password with a secure password. If you leave the password off the command, then NetScaler will prompt you.

add system cmdPolicy polNetScalerMonitoring ALLOW (^show\s+system\s+\S+)|(^show\s+system\s+\S+\s+.*)|(^show\s+configstatus)|(^show\s+configstatus\s+.*)|(^shell\s+nsconmsg\s+-K\s+\S+\s+.*)

add system user usrNetScalerMonitoring MyPassword

bind system user usrNetScalerMonitoring read-only 1

bind system user usrNetScalerMonitoring polNetScalerMonitoring 1

show system user usrNetScalerMonitoring

SCOM Device Discovery

  1. System Center Operations Manager uses SNMP to communicate with NetScaler. If Windows Firewall is enabled on the SCOM server, enable some Inbound and Outbound rules.
  2. Inbound Rule: Operations Manager Ping Response.
  3. Inbound Rule: Operations Manager SNMP Response.
  4. Inbound Rule: Operations Manager SNMP Trap Listener.
  5. Outbound Rule: Operations Manager Ping Request.
  6. Outbound Rule: Operations Manager SNMP Request.
  7. Make sure the NetScaler is configured with an SNMP community string with ALL permission at System > SNMP > Community.
  8. If you have SNMP Managers configured, then make sure SCOM is in the list.
  9. In SCOM Console, go to the Administration workspace, right-click, and click Discovery Wizard.
  10. Select Network devices, and click Next.
  11. In the General Properties page, give the discovery rule a name. Select a SCOM server, and resource pool to run the discovery rule. Then click Next.
  12. In the Discovery Method page, select Explicit discovery, and click Next.
  13. In the Default Accounts page, if you are using SNMPv2 (instead of SNMPv3) to connect to NetScaler, then you can add the community string now. Click Create Account.
  14. In the Introduction page, click Next.
  15. In the General Properties page, give the community string a display name, and click Next.
  16. In the Credentials page, enter the community string, and click Create.
  17. Then click Next.
  18. In the Devices page, click Add.
  19. Enter the hostname of the device.
  20. Select the SNMP version.
  21. If SNMPv2, select the community string. If SNMPv3, you can add the user account now.
  22. Click OK when done.
  23. Add more devices. Then click Next.
  24. In the Schedule Discovery page, select how often you want this rule to run, and click Next.
  25. In the Summary page, click Create.
  26. Click Yes to distribute the accounts.
  27. In the Completion page, click Close. The rule will run now.
  28. You  can also go to Administration > Network Management > Discovery Rules, and run the rule manually.
  29. And Network Devices Pending Management will show you discovery issues.
  30. The NetScaler appliance needs to be discovered and listed in the Network Devices node.
  31. You can use a SNMP Tester tool on the SCOM server to verify SNMP communication with NetScaler.  💡
  32. Also see CTX219765 Monitoring NetScaler with SCOM Management Packs – Understanding Discovery.  💡

Install Citrix NetScaler Agent

The Citrix SCOM Agent for NetScaler must be installed on the same SCOM server that is running the device discovery rule.

  1. If upgrading, uninstall the older Agent for NetScaler.
  2. On the SCOM servers that are running the SNMP Discovery Rule, go to \\scom01\CitrixMPShare\NetScaler MP, and run MPNSAgent.exe.
  3. In the Welcome to the setup wizard for Citrix SCOM Management Pack Agent for NetScaler page, click Next.
  4. If you see a page indicating that an older version is already installed, click Next.
  5. In the License Agreement page, check the box next to I accept the terms, and click Next.
  6. In the Destination Folder page, click Next.
  7. In the  Destination Data Folder page, click Install.
  8. In the Completed the setup wizard page, click Finish.

NetScaler Monitoring RunAs Account

  1. In SCOM console, go to Administration workspace, right-click, and click Create Run As Account.
  2. In the Introduction page, click Next.
  3. In the General Properties page, change the account type to Basic Authentication.
  4. Give the account a display name and click Next.
  5. In the Credentials page, enter the credentials of the local monitoring account on the NetScalers, and click Next.
  6. In the Distribution Security page, best practice is to select More secure. But you’ll need to manually specify every agent that should receive these credentials. Click Create.
  7. In the Completion page, click Close.
  8. In the Administration workspace, go to Run As > Profiles.
  9. Double-click Citrix NetScaler Appliance Action Account.
  10. In the Introduction page, click Next.
  11. In the General Properties page, click Next.
  12. In the Run As Accounts page, click Add.
  13. Select the previously created NetScaler monitoring account.
  14. Change the selection to A selected class, group, or object. Then click Select > Object.
  15. Search for the NetScaler appliances these credentials apply to, click Add, and then click OK.
  16. Then click OK.
  17. Click Save.
  18. In the Completion page, if the Run As account is configured for Secure Distribution then click the link to specify Agents to receive the credentials.

Use Management Pack

In the Monitoring workspace, under Citrix NetScaler, your appliance should eventually show up. These views should give you an inventory of the NetScaler configuration, current health status, etc.

Related Pages

Citrix SCOM Management Packs – XenApp/XenDesktop (2017_10_27)

Last Modified: Nov 7, 2020 @ 6:34 am

Navigation

Change Log

Requirements

  • XenApp/XenDesktop Platinum Edition with current Subscription Advantage
  • XenApp/XenDesktop version 6.0 or newer
  • Citrix Licensing Server 11.13.1 or newer
  • System Center Operations Manager 2012 or newer

Citrix provided an overview of the SCOM Management Packs during a breakout session at Synergy 2016.

Licensing Pack

See Citrix Docs for Full Documentation of the Licensing Pack.

  1. Download the Citrix SCOM Management Pack Bundle and extract it.
  2. Extract the Citrix_SCOM_Management_Pack_for_LicenseServer.zip file.
  3. In SCOM Console, go to Administration, right-click Management Packs, and click Import Management Packs.
  4. Click Add, and click add from disk.
  5. Browse to the extracted License Server Management Pack, and select all three files. Click Open.
  6. Click Install.
  7. Click Close when done.
  8. Go to Administration > Device Management > Agent Managed.
  9. Double-click your license server.
  10. On the Security tab, check the box next to Allow this agent to act as a proxy, and click OK.
  11. If you go to Monitoring > Citrix License Server > License Server State, you’ll eventually see your license server.

XenApp/XenDesktop Pack

See Citrix Docs for Full Documentation of the XenApp/XenDesktop Pack.

Links:

To upgrade:

  • Install the updated SCOM Pack on the SCOM Server.
  • Run the Install MPXAXD Agent task, and override the UpgradeAgent parameter to true.
  • In-place upgrade the Machine Agent.
  • Import updated SLA Dashboard Management Pack.

Install/Upgrade Citrix XenAppXenDesktop Pack

To install or upgrade:

  1. To upgrade, simply run the installer again as detailed in the next step.
  2. Download the Citrix SCOM Management Pack Bundle.
  3. On the System Center Operations Manager server, run Citrix_SCOM_Management_Pack_for_XenAppXenDesktop.exe.
  4. In the Welcome to the setup wizard for Citrix SCOM Management Pack for XenApp and XenDesktop page, click Next.
  5. In the View Relevant Product Configuration page, click Next.
  6. If upgrading, the installer will detect the older version. Click Next to begin the upgrade. For new installs, skip to the next step.
  7. In the License Agreement page, check the box next to I accept the terms, and click Next.
  8. In the Destination Folder page, click Next.
  9. In the Configure Post-Install Actions page, check the box next to Automatically import the Management Pack. Feel free to uncheck Enable the product to send anonymous usage statistics to Citrix. Click Install.
  10. In the Completed the setup for Citrix SCOM Management Pack for XenApp and XenDesktop page, click Next.
  11. In the All post-install actions were successfully executed page, click Finish.

Citrix XAXD Pack Action Account

  1. Create a new account. This account must be an administrator on all monitored Citrix machines: Controllers, VDAs, etc.
  2. In Citrix Studio, add the action account with Read-only permissions.



  3. In SCOM console, go to Administration workspace, right-click, and click Create Run As Account.
  4. In the Introduction page, click Next.
  5. In the General Properties page, change the account type to Windows.
  6. Give the account a display name and click Next.
  7. In the Credentials page, enter the previously created action account credentials and click Next.
  8. In the Distribution Security page, best practice is to select More secure. But you’ll need to manually specify every agent that should receive these credentials. Click Create.
  9. In the Completion page, click Close.
  10. In the Administration workspace, go to Run As > Profiles.
  11. Double-click Citrix XenApp/XenDesktop Monitoring Account.
  12. In the Introduction page, click Next.
  13. In the General Properties page, click Next.
  14. In the Run As Accounts page, click Add.
  15. Select the previously created action account, and click OK.
  16. Click Save.
  17. In the Completion page, if the Run As account is configured for Secure Distribution, then click the link to specify Agents to receive the credentials.

MP Agent Installation Account

Several of the Management Packs require an additional agent to be installed on top of the SCOM agent. Create an Active Directory account that will be used by the agent installer to connect to the file share on the System Center Operations Manager server. This configuration is used by several of Citrix’s Management Packs.

  1. In Active Directory, create a new regular account for Management Pack Agent installation.
  2. On the System Center Operations Manager server, open Computer Management.
  3. Edit the CitrixMPShareUsers local group.
  4. Add the MP Agent Installation Account. Also add the Citrix Admins group. Click OK.
  5. In SCOM Console, go to the Administration workspace, right-click, and click Create Run As Account.
  6. In the Introduction page, click Next.
  7. In the General Properties page, change the account type to Windows.
  8. Give the account a display name and click Next.
  9. In the Credentials page, enter the previously created Agent Installation account credentials, and click Next.
  10. In the Distribution Security page, best practice is to select More secure. But you’ll need to manually specify every agent that should receive these credentials. Click Create.
  11. In the Completion page, click Close.
  12. In the Administration workspace, go to Run As > Profiles.
  13. Double-click Citrix Management Pack Network Share Account.
  14. In the Introduction page, click Next.
  15. In the General Properties page, click Next.
  16. In the Run As Accounts page, click Add.
  17. Select the previously created Management Pack Agent installation account, and click OK.
  18. Click Save.

SCOM Proxy Agent

All Microsoft SCOM Agents running Citrix Agents must be marked as a Proxy Agent.

  1. In the SCOM Console, go to the Administration workspace, expand Device Management, and click Agent Managed.
  2. Double-click your SCOM Agent.
  3. On the Security tab, check the box next to Allow this agent to act as a proxy, and click OK.

Director URL

  1. On the SCOM server, run XenApp and XenDesktop MP Configuration.
  2. In Management Pack 3.12 and newer, the first time you launch the tool, you’ll be taken to the Configuration encryption tab. Click Set, and enter a permanent password. Note: the password will later be entered in clear text when running a SCOM Task to install or upgrade the agent.

  3. For environments with more than 100 Delivery Groups, 600 Server OS machines, and 1,500 applications, see Configuring SCOM Administrator at Citrix Docs to configure the SCOM Connector by specifying a SCOM Administrator on the SCOM Administrator tab.
  4. On the Director URL tab, click Add.
  5. Enter the XenDesktop Site name (farm name).
  6. Enter the Director URL for the farm, and click OK twice.

Push Citrix XAXD Agent

To push the XAXD Agent:

  1. In the SCOM Console, go to Monitoring workspace, expand Citrix Library, and click XenApp/XenDesktop Delivery Controller Computers.
  2. Select a Delivery Controller.
  3. On the bottom right, in the XAXD Delivery Controller Computer Role Tasks pane, click Check Installation Prerequisites.
  4. Click Run.
  5. Review the report, and then click Close.
  6. Now click the Install Citrix MPXAXD Agent task.
  7. If desired, you can override the Task Parameters. See the documentation for details.
  8. In 3.12 and newer, you must override the Encryption Password parameter, and specify the password you entered in the Configuration Tool.
  9. If upgrading, set UpgradeAgent to true. Then click Run.
  10. When done, review the task output, and then click Close.
  11. If you see an Error about the service logon account…

    1. Then go to the Delivery Controller, open Services, and reconfigure Citrix MPXAXD Agent service to run as a local administrator that has read-only permissions in Citrix Studio.
  12. The agent will eventually report as Healthy.
  13. You can verify configuration by running the Check Requirements and Configuration task. You might have to also run the Update Configuration task.

  14. If you scroll down, you’ll see the agent version.
  15. Citrix CTX224736 Citrix SCOM Management Pack for XenApp and XenDesktop 7.x – Disabling monitoring of VDA Services in large environments: In large environments, with 500+ Server OS machines, disable monitoring of VDA services on Server OS machines.
  16. Citrix CTX225735 Citrix SCOM MP Agents – Support Information Logging: The information in the SCOM MP Agent log files might be insufficient to troubleshoot certain issues. You can set additional product logging by modifying the log level registry key.
    • HKEY_LOCAL_MACHINE\SOFTWARE\Comtrade\<SCOM MP Agent>
      • LogLevel (REG_SZ) = ERROR, WARN, INFO, or DEBUG
    • The log files are located at %ProgramData%\Citrix\SCOM MP Agent\logs
    • Logging configuration for some agents is located in the mp_config.ini file.
  17. Citrix CTX230082 Citrix SCOM Management Pack for XenApp and XenDesktop – Monitoring failure on connections live for more than 24 hours. If any Session A in the monitored environment last longer than 24 hours, any new sessions that start after the 24-hour retention period but before Session A ends will not be monitored properly.  💡
    • HKEY_LOCAL_MACHINE\SOFTWARE\ComTrade\XenDesktop MP Agent
      • ConnectionEventsMaxAgeInHours (DWORD) = number of hours you expect the longest connections in the monitored environment to last

Install Citrix Machine Proxy Agent

To monitor the performance of the VDAs, install the Citrix Machine Agent on any Windows Server 2012 or newer machine (Windows Server 2008 R2 is not supported). This Agent will use PSRemoting to connect to a Delivery Controller to enumerate the VDAs in the farm. The Agent will then use WinRM to pull performance data and session data from the VDAs.

  1. Enable PSRemoting on the Delivery Controllers.
  2. On the VDAs, run winrm quickconfig.
  3. The Machine Agent uses an account to connect to Delivery Controller and VDAs. You can use the same Action Account created earlier for the Management Pack. This account must be a read-only administrator in XenDesktop and it must have administrator permissions to all Controllers and VDAs.

  4. To verify WinRM, run Command Prompt as the action account.

  5. Run winrm identify -r:http://myvda.corp.local:5985 -auth:Kerberos. It should connect.
  6. Go to any Windows Server 2012 or newer machine that you want to run the VDA Machine Agent on. The Machine Agent uses WinRM to connect to the VDAs. One option is to install it on one of the Delivery Controllers.
  7. Connect to \\scom01\CitrixMPShare.
  8. Copy XenDesktop Machine MP to the local machine.
  9. Run Support.exe /checkprereq to verify prerequisites.

  10. Then run MPXAXDMachineAgent.exe.
  11. In the Welcome to the setup wizard for Citrix SCOM Management Pack Machine Agent for XenApp and XenDesktop page, click Next.
  12. The installer will detect the previously installed version. Click Next.
  13. In the End User License Agreement page, check the box next to I accept the terms, and click Next.
  14. In the Destination Folder page, click Next.
  15. In the Destination Data Folder page, click Next.
  16. In the Agent Service Account page, enter the service account (action account) credentials, and click Next.
  17. In the Delivery Controllers page, enter the hostnames of the Delivery Controllers you want this agent to monitor, and click Install.
  18. In the Completed the setup wizard for Citrix SCOM Management Pack Machine Agent for XenApp and XenDesktop page, click Finish.
  19. In SCOM console, go to Monitoring > Citrix Library > XenApp/XenDesktop Machine Monitoring.
  20. Select a Proxy computer.
  21. On the bottom right, run the Update Configuration task.
  22. Then run the Check Requirements task.

If the Machine Agent Proxy Computer is monitoring a large environment, then see the following. Environments with more than 100 Delivery Groups, 600 Server OS machines, and 1,500 applications are considered large.

New Reports

3.14 adds new Application – Usage report as described in Citrix Blog Post What’s New with the Citrix SCOM Management Packs – Nov 2017.

3.9 adds two new Reports as described in Citrix Blog Post Monitor Site Infrastructure & Delivery Group Availability with Citrix SCOM Management Pack for XenApp and XenDesktop:

  • Site – Infrastructure Availability report – availability of a Site infrastructure over time. Availability is determined by health (availability) of most important Citrix services on the Delivery controller computers, and availability of configured hosting connections.
  • Delivery Group – Availability – availability of desktops provided with the selected Delivery Group

3.8 adds two new Reports as described in Citrix Blog Post Analyzing Application/Desktop Usage with Citrix SCOM Management Pack for XenApp and XenDesktop.

  • Application – User Activity report – see for a selected application which users have been using it and when. For each specific usage you also get usage duration, IP address of the client computer, and machine name on which the application was running.

  • Delivery Group – Desktop User Activity report – shows which users have been using desktop and when for each selected Delivery Group. It is almost identical to the “Application – User Activity” report, except that the delivery group is selected instead of application and you get desktop usages in the specific delivery group instead of application usages.

Customize Management Pack

Citrix Blog Post Increasing the Application Discovery Limit in Citrix SCOM Management Pack: That limit is around 1,500 applications. Now, you can discover more than 1,500 applications using the following method. We have tested the discovery of up to 4,500 applications in our lab environment.

The existing management pack has five discoveries for applications. Each discovery can discover approximately 300 applications. We have created a custom management pack that includes an additional 10 discoveries to be able to discover a total of 4,500 applications. See the Blog Post for the download link.

SLA Dashboards

The XAXD Pack has an extra Management Pack that adds SLA Targets and dashboards.

  1. In SCOM Console, go to Administration workspace, right-click Management Packs and click Import Management Packs.
  2. Click Add and then click Add from disk.
  3. Connecting to the online catalog is not required.
  4. Browse to C:\Program Files\Citrix\XenDesktop MP (orC:\Program Files\Comtrade\XenDesktop MP) and select the Citrix.XenApp.And.XenDesktop.SLADashboards Management Pack. Click Open.
  5. Click Install.
  6. Click Close when done.
  7. Go to the Monitoring workspace, expand Citrix XenApp and XenDesktop, expand Dashboards, and click Delivery Group SLA Dashboard.
  8. On the right, click the gear icon, and click Configure.
  9. In the General Properties page, click Next.
  10. In the Scope page, click Add.
  11. Select the Desktop OS  Delivery Group Health and Server OS Delivery group Health SLAs and click Add. Then click OK.
  12. Click Finish.
  13. On the left, click the Site SLA Dashboard.
  14. On the right, look for the lower gear icon and click Configure. You might have to click the Site SLAs pane first.
  15. In the General Properties page, click Next.
  16. In the Scope page, click Add.
  17. Select Site Health and click Add. Then click OK.
  18. Click Finish.
  19. If you go to Authoring > Service Level Tracking, you can create more SLAs. See the documentation for details.
  20. The XAXD pack also adds a bunch of reports.

StoreFront Pack

Full documentation at http://docs.citrix.com/en-us/scom-management-packs/storefront/1-12.html.

Install Citrix StoreFront Pack

  1. Download the Citrix SCOM Management Pack Bundle.
  2. On the System Center Operations Manager server, run Citrix_SCOM_Management_Pack_for_StoreFront.exe.
  3. In the Welcome to the setup wizard for Citrix SCOM Management Pack for StoreFront page, click Next.
  4. In the View Relevant Product Configuration page, click Next.
  5. The installer could detect an older version. Click Next.
  6. In the License Agreement page, check the box next to I accept the terms and click Next.
  7. In the Destination Folder page, click Next.
  8. In the Configure Post-Install Actions page, check the box next to Automatically import the Management Pack, and click Install.
  9. In the Completed the setup for the Citrix SCOM Management Pack for StoreFront page, click Next.
  10. In the All post-install actions were successfully executed page, click Finish.

MP Agent Installation Account

Configure the MP Agent Installation Account as detailed earlier for the XAXD Pack.

SCOM Proxy Agent

All Microsoft SCOM Agents running Citrix Agents must be marked as a Proxy Agent.

  1. In the SCOM Console, go to the Administration workspace, expand Device Management and click Agent Managed.
  2. Double-click your SCOM Agent.
  3. On the Security tab, check the box next to Allow this agent to act as a proxy, and click OK.

Probe Account

The StoreFront Management Pack logs into StoreFront using an account. StoreFront must be configured with Explicit Authentication.

  1. On the SCOM server, run StoreFront MP Configuration.
  2. In Management Pack 1.11 and newer, the first time you launch the tool, you’ll be taken to the Encryption Password tab. Click Set, and enter a permanent password. Note: the password will later be entered in clear text run running a SCOM Task to install or upgrade the agent.

  3. On the StoreFront availability tab, click Add.
  4. Enter credentials that can log into StoreFront. Make sure the userPrincipalName suffix or domain name matches one of the allowed domains configured on StoreFront (Source = CTX222920 Error: “StoreFront Store Service Probe Failed” While Using Citrix SCOM Management Pack for StoreFront). Click OK twice.
  5. Click OK.

Push Citrix StoreFront Agent

  1. If the StoreFront Server is Windows 2008 R2, install Microsoft hotfix 2847346 Svchost.exe running NSI service leaks memory and non-paged pool memory leak Tag NSpc. Also see Citrix CTX225624 Citrix SCOM MP for Storefront causes high memory utilization on Windows Server 2008 R2.
  2. In the SCOM Console, go to Monitoring workspace, expand Citrix Library, and click StoreFront Computers.
  3. Select a StoreFront server.
  4. On the bottom right, in the StoreFron Server Computer Role Tasks pane, click Check Installation Prerequisites.
  5. Click Run.
  6. Review the report, and then click Close.
  7. Now click the Install Citrix MPSF Agent task.
  8. If desired, you can override the Task Parameters. See the documentation for details.
  9. In 1.11 and newer, you must override the Encryption Password parameter, and specify the password you entered in the Configuration Tool.
  10. If upgrading, override UpgradeAgent, and set it to true.
  11. Then click Run.
  12. When done, review the report, and then click Close.
  13. The agent will eventually report as Healthy.
  14. You can verify configuration and version by running the Check Requirements and Configuration task. You might have to also run the Update Configuration task.

Provisioning Services Pack

Full Documentation is at http://docs.citrix.com/en-us/scom-management-packs/provisioning-services/1-19.html.

Install Citrix Provisioning Services Pack

  1. Download the Citrix SCOM Management Pack Bundle.
  2. On the System Center Operations Manager server, run Citrix_SCOM_Management_Pack_for_ProvisioningServices.exe.
  3. In the Welcome to the InstallShield wizard for Citrix SCOM Management Pack for Provisioning Services page, click Next.
  4. In the View Relevant Product Configuration page, click Next.
  5. If an older version is detected, click Next to upgrade it.
  6. In the License Agreement page, check the box next to I accept the terms, and click Next.
  7. In the Destination Folder page, click Next.
  8. In the Configure Post-Install Actions page, check the box next to Automatically import the Management Pack, and click Install.
  9. In the Completed the setup for Citrix SCOM Management Pack for Provisioning Services page, click Next.
  10. In the All post-install actions were successfully executed page, click Finish.

MP Agent Installation Account

Configure the MP Agent Installation Account as detailed earlier for the XAXD Pack.

SCOM Proxy Agent

All Microsoft SCOM Agents running Citrix Agents must be marked as a Proxy Agent.

  1. In the SCOM Console, go to the Administration workspace, expand Device Management, and click Agent Managed.
  2. Double-click your SCOM Agent.
  3. On the Security tab, check the box next to Allow this agent to act as a proxy and click OK.
  4. If you have many Provisioning Services servers, you can run Provisioning Services MP Configuration from the Start Menu, and enable Proxy using this tool.
  5. In Management Pack 1.17 and newer, the first time you launch the tool, you’ll be taken to the Configuration encryption tab. Click Set, and enter a permanent password. Note: the password will later be entered in clear text run running a SCOM Task to install or upgrade the agent.

  6. Then you can configure the Proxy tab.

Farm Account

The Provisioning Services Management Pack needs to log into the Provisioning Services farm.

  1. Create a service account and make it a full Provisioning Services farm administrator.
  2. On the SCOM server, run Provisioning Services MP Configuration.
  3. In Management Pack 1.17 and newer, the first time you launch the tool, you’ll be taken to the Configuration encryption tab. Click Set, and enter a permanent password. Note: the password will later be entered in clear text run running a SCOM Task to install or upgrade the agent.

  4. On the Provisioning Services tab, click Add.
  5. Enter a farm name. You’ll need this farm name later.
  6. Enter credentials for a full farm administrator, and click OK.
  7. Click OK.

Push Citrix Provisioning Services Agent

  1. In the SCOM Console, go to Monitoring workspace, expand Citrix Library, and click Provisioning Services Computers.
  2. Select a Provisioning Services server.
  3. On the bottom right, in the Tasks pane, click Check Installation Prerequisites.
  4. Click Run.
  5. Review the report, and click Close.
  6. Now click the Install Citrix MPPVS Agent task.
  7. If desired, you can override the Task Parameters. For example, UpgradeAgent can be overridden to true. See the documentation for details.
  8. In 1.18 and newer, you must override the Encryption Password parameter, and specify the password you entered in the Configuration Tool.
  9. Then click Run.
  10. When done, review the report, and click Close.
  11. Run the Set Farm Name on Citrix MPPVS Agent task.
  12. Override the Task Parameter.
  13. Specify the farm name. This should match the farm account created earlier. Then click Override.
  14. Click Run.
  15. Review the task output, and click Close.
  16. The agent will eventually report as Healthy.
  17. You can verify configuration by running the Check Requirements and Configuration task. You might have to also run the Update Configuration task.

  18. From John Haggerty in the comments: If you see: “Connection to PVS Soap Server Failed”, and if C:\ProgramData\Citrix\Provisioning Services MP Agent\mppvs_agt.log says “Security Support Provider Interface (SSPI) authentication failed”, then configure Kerberos Authentication for Citrix MPPVS Agent service. To enable Kerberos authentication, perform the following steps:
    1. Set “Log On” account for “Citrix MPVPS Agent” service to the account you are using for MPPVS.
    2. In command prompt, go to “%Program Files%\Citrix\Provisioning Services MP Agent” and execute PVSMonitorSvc.exe /setconnection runninguser
    3. Restart “Citrix MPVPS Agent” service and after a minute run check requirements tool to check if agent is ok now.
    4. NOTE: Issue will be resolved in next discovery cycle (by default 5 minutes).

Related Pages

NetScaler Gateway 11 – SSL VPN

Last Modified: Nov 7, 2020 @ 6:35 am

Navigation

💡 = Recently Updated

Overview

NetScaler Gateway supports five different connection methods:

  • ICA Proxy to XenApp/XenDesktop – client is built into Citrix Receiver
  • SSL VPN – requires NetScaler Gateway plug-in
  • Clientless – browser only, no VPN client, uses rewrite
  • Secure Browse – from MDX-wrapped mobile applications (XenMobile), uses rewrite
  • RDP Proxy – only RDP client is needed

If Endpoint Analysis is configured, then an Endpoint Analysis plug-in is downloaded to the Windows or Mac client.

Users use SSL to connect to NetScaler Gateway Virtual Servers.

  • NetScaler Gateway prompts the user for authentication.
  • Once the user is authenticated, NetScaler Gateway uses Session Policies to determine what happens next.

You can configure NetScaler Gateway Session Policies to only use one of the connection methods. Or NetScaler Gateway can be configured to let users choose between ICA Proxy, Clientless, and SSL VPN connection methods. Here’s a sample Client Choices screen using the X1 theme:

Enable SSL VPN in a Session Policy as detailed later. Then configure additional NetScaler Gateway objects including the following:

  • DNS Servers and Suffix – enable DNS resolution across the VPN tunnel
  • NetScaler Gateway Universal Licenses – all VPN users must be licensed.
  • Intranet IP addresses – give IP addresses to VPN clients. If no client IP, then VPN clients use NetScaler SNIP to communicate with internal resources. Requires routing changes on internal network.
  • Intranet Applications – if split tunnel is enabled, configure this object to dictate what traffic goes across the tunnel and which traffic stays local.
  • Authorization Policies – if default authorization is DENY, use Authorization Policies to dictate what resources can be accessed across the NetScaler Gateway connection. These Authorization Policies apply to all NetScaler Gateway connections, not just VPN.
  • Bookmarks – displayed on the built-in NetScaler Gateway portal page. Users click bookmarks to access resources across the VPN tunnel or clientless access (rewrite).
  • Endpoint Analysis Scans – block endpoints that fail security requirements. Configured in Session Policies or Preauthentication Policies.
  • Traffic Policies – Single Sign-on to internal web applications
  • AAA Groups – bind Session Policies, Authorization Policies, Intranet Applications, Intranet IPs, Bookmarks, and Traffic Policies to one or more Active Directory groups. Allows different Active Directory groups to have different NetScaler Gateway configurations.

Prerequisites

Except for ICA Proxy, all NetScaler Gateway connection methods require a NetScaler Gateway Universal License for each concurrent session. Go to System > Licenses and make sure NetScaler Gateway User licenses are installed.

Also make sure the maximum AAA users equals the number of licenses. Go to NetScaler Gateway > Global Settings > Change authentication AAA settings.

DNS usually needs to function across the VPN tunnel. Go to Traffic Management > DNS > Name Servers to add DNS servers.

Create Session Profile

You can create multiple Session Policy/Profiles, each with different settings. Then you can bind these Session Policies to different AAA groups or different NetScaler Gateway Virtual Servers. You can also bind Endpoint Analysis expressions to a Session Policy so that the Session Policy only applies to machines that pass the Endpoint Analysis scan.

If multiple Session Policies apply to a particular connection, then the settings in the policies are merged. For conflicting settings, the Session Policy with the highest priority (lowest priority number) wins. Session Policies bound to AAA groups only override Session Policies bound to NetScaler Gateway Virtual Servers if the AAA group bind point has a lower priority number. In other words, priority numbers are evaluated globally no matter where the Session Policy is bound. You can run the command nsconmsg –d current –g pol_hits to see which Session Policies are applying to a particular connection.

Do the following to enable SSL VPN. First create the Session Profile. Then create a Session Policy.

  1. On the left, expand NetScaler Gateway, expand Policies, and click Session.
  2. On the right, switch to the Session Profiles tab and click Add.
  3. Name the profile VPN or similar.
  4. In Session Profiles, every line has an Override Global checkbox to the right of it. If you check this box next to a particular field, then the field in this session profile will override settings configured globally or in a lower priority session policy.
  5. Switch to the Network Configuration tab and check the box next to Advanced Settings.
  6. You will find a setting that lets you select a DNS Virtual Server. Or if you don’t select anything then the tunnel will use the DNS servers configured under Traffic Management > DNS > Name Servers.
  7. Configure the behavior when there are more VPN clients than available IPs in the address pool. This only applies if you are configuring Intranet IPs.
  8. There are also a couple timeouts lower on the page.
  9. Switch to the Client Experience tab. This tab contains most of the NetScaler Gateway VPN settings.
  10. Override Plug-in Type and set it to Windows/Mac OS X.
  11. Whenever NetScaler firmware is upgraded, all users will be prompted to upgrade their VPN clients. You can use the Upgrade drop-downs to disable the automatic upgrade.
  12. By default, if Receiver and NetScaler Gateway Plug-in are installed on the same machine, then the icons are merged. To see the NetScaler Gateway Plug-in Settings, you right-click Receiver, open Advanced Preferences and then click NetScaler Gateway Settings.

  13. You can configure the Session Policy/Profile to prevent NetScaler Gateway Plug-in from merging with Receiver. On the Client Experience tab, scroll down and check the box next to Advanced Settings.
  14. Check the box next to Show VPN Plugin-in icon with Receiver. This causes the two icons to be displayed separately thus making it easier to access the NetScaler Gateway Plug-in settings.

  15. On the Client Experience tab, override Split Tunnel and make your choice. Setting it to Off will force all traffic to use the tunnel. Setting it to On will require you to create Intranet Applications so the NetScaler Gateway Plug-in will know which traffic goes through the tunnel and which traffic goes directly out the client NIC (e.g. to the Internet).
  16. On the Client Experience tab, there are timers that can be configured. Global Settings contains default timers so you might want to override the defaults and increase the timeouts. See Configuring Time-Out Settings at Citrix Docs for details.
    1. Client Idle Time-out is a NetScaler Gateway Plug-in timer that disconnects the session if there is no user activity (mouse, keyboard) on the client machine.
    2. Session Time-out disconnects the session if there is no network activity for this duration.
    3. In addition to these two timers on the Client Experience tab, on the Network Configuration tab, under Advanced Settings, there’s a Forced Timeout setting.
  17. By default, once the VPN tunnel is established, a 3-page interface appears containing bookmarks, file shares, and StoreFront. An example of the three-page interface in the X1 theme is shown below.
  18. On the Client Experience tab, the Home Page field lets you override the 3-page interface and instead display a different webpage (e.g. Intranet or StoreFront). This homepage is displayed after the VPN tunnel is established (or immediately if connecting using Clientless Access).
  19. On the Client Experience tab, there are more settings that control the behavior of the NetScaler Gateway plug-in. Hover your mouse over the question marks to see what they do.
  20. Additional VPN settings can be found by clicking Advanced Settings near the bottom of the Client Experience tab.
  21. Under Client Experience > Advanced Settings, on the General tab, there are settings to run a login script at login, enable/disable Split DNS, and enable Local LAN Access. Use the question marks to see what they do. Reliable DNS occurs when Split DNS is set to Remote.
  22. Under Client Experience > Advanced Settings, on the General tab, is a checkbox for Client Choices. This lets the user decide if they want VPN, Clientless, or ICA Proxy (StoreFront). Without Client Choices, the VPN will launch automatically
  23. On the main Client Experience tab, if you enabled Client Choices, you can set Clientless Access to Allow to add Clientless to the list of available connection methods.
  24. An example of Client Choices is shown below:
  25. The Client Experience > Advanced Settings section has additional tabs for controlling the NetScaler Gateway Plug-in. A commonly configured tab is Proxy so you can enable a proxy server for VPN users.
  26. Back in the main Session Profile, switch to the Security tab.
  27. Set the default authorization to Allow or Deny. If Deny (recommended), you will need to create authorization policies to allow traffic across the tunnel. You can later create different authorization policies for different groups of users.
  28. On the Published Applications tab, set ICA Proxy to Off. This ensures VPN is used instead of ICA Proxy.
  29. Configure the Web Interface Address to embed StoreFront into the 3-pane default portal page. Note: additional iFrame configuration is required on the StoreFront side as detailed below.
  30. From Michael Krasnove: if you configured the Session Policy to direct users to StoreFront, then placing the following code in c:\inetpub\wwwroot\Citrix\StoreWeb\custom\script.js will cause StoreFront to end the VPN tunnel when the user logs off of StoreFront.
    var LOGOFF_REDIRECT_URL = 'https://YourGatewayFQDN.com/cgi/logout';
     
    // Prevent the default "logoff" screen from being displayed
    CTXS.Controllers.LogoffController.prototype._handleLogoffResult = $.noop;
     
    CTXS.Extensions.afterWebLogoffComplete = function () {
     window.location.href = LOGOFF_REDIRECT_URL;
    };
  31. Click Create when you’re done creating the Session Profile.

Create Session Policy

  1. In the right pane, switch to the Session Policies tab and click Add.
  2. Give the policy a descriptive name.
  3. Change the Action to the VPN Profile you just created.
  4. Add a policy expression. You can enter ns_true, which applies to all connections.
  5. Or you can add Endpoint Analysis scans. If the Endpoint Analysis scan succeeds, then the session policy is applied. If the Endpoint Analysis scan fails, then this session policy is skipped and the next one is evaluated. This is how you can allow VPN if EPA scan succeeds but all failed EPA scans will get a different session policy that only has ICA Proxy enabled.
  6. To add an Endpoint Analysis scan, use one of the Editor links on the right.
  7. Configure OPSWAT scans in the OPSWAT EPA Editor.
  8. Configure Client Security Expressions in the Expression Editor.
  9. You can combine multiple Endpoint Analysis scan expressions using Booleans (&&, ||, !). Click Create when done.

Bind Session Policy

Most of the NetScaler Gateway objects can be bound to NetScaler Gateway Virtual Server, AAA Group, or both. This section details Session Policies, but the other NetScaler Gateway objects (e.g. Authorization Policies) can be bound using similar instructions.

  1. Bind the new session policy to a NetScaler Gateway Virtual Server or a AAA group. If you bind it only to a AAA group, then only members of that Active Directory group will evaluate the expression.
  2. To bind to a NetScaler Gateway Virtual Server, edit a NetScaler Gateway Virtual Server (or create a new one), scroll down to the Policies section and click the Plus icon.
  3. In the Choose Type page, select Session, Request and click Continue.
  4. Select one or more session policies. This is where you specify a priority.
  5. To bind to a AAA Group, go to NetScaler Gateway > User Administration > AAA Groups.
  6. Add a group with the same name (case sensitive) as the Active Directory group name. This assumes your LDAP policies/server are configured for group extraction.
  7. Edit the AAA Group.
  8. On the right, in the Advanced Settings column, add the Policies section.
  9. Click the plus icon to bind one or more Session Policies.
  10. If you want these Session Policies to override the Session Policies bound to the NetScaler Gateway Virtual Server then make sure the Session Policies bound to the AAA Group have lower priority numbers.

NetScaler Gateway Plug-in Installation

Here is what the user sees when launching the VPN session for the first time.


And then the 3-pane interface is displayed.

Only administrators can install the NetScaler Gateway Plug-in. You can download the Gateway plug-in from the NetScaler at /var/netscaler/gui/vpns/scripts/vista and push it to corporate-managed machines. Or you can download VPN clients from Citrix.com. The VPN client version must match the NetScaler firmware version.

Authorization Policies

If your Session Profile has Security tab > Default Authorization set to Deny (recommended), then create Authorization Policies to allow access across the tunnel.

  1. On the left, under NetScaler Gateway, expand Policies and click Authorization.
  2. On the right, click Add.
  3. Name the Authorization Policy.
  4. Select Allow or Deny.
  5. NetScaler Gateway requires you to Switch to Classic Syntax. The other syntax option is for AAA.
  6. Enter an expression. Use the Expression Editor link to build an expression. You can specify destination IP subnets, destination port numbers, etc.
  7. Click Create when done.
  8. Authorization Policies are usually bound to AAA groups. This allows different groups to have different access across the tunnel.
  9. On the right, in the Advanced Settings column, add the Authorization Policies section.
  10. Then click where it says No Authorization Policy to bind policies.

Intranet Applications

If you enabled Split Tunnel, then you’ll need to create Intranet Applications to specify which traffic goes through the tunnel.

  1. On the left, under NetScaler Gateway, expand Resources and click Intranet Applications.
  2. On the right, click Add.
  3. Enter a name for the Internal subnet.
  4. Change the Interception Mode to TRANSPARENT.
  5. Enter an IP subnet. Only packets destined for this network go across the tunnel.
  6. Then click Create.
  7. Create additional Intranet applications for each internal subnet.
  8. Intranet Applications are usually bound to the Gateway Virtual Server but you can also bind them to AAA Groups.
  9. On the right, in the Advanced Settings column, add the Intranet Applications section.
  10. On the left, click No Intranet Application to bind Intranet Applications.

DNS Suffix

Specify a DNS Suffix for Split DNS to function with single label DNS names.

  1. On the left, under NetScaler Gateway, expand Resources and click DNS Suffix.
  2. On the right, click Add.
  3. Enter the DNS Suffix and click Create. You can add multiple suffixes.

Bookmarks

Bookmarks are the links that are displayed in the 3-pane interface. They can point to file shares or websites.

  1. Under NetScaler Gateway, expand Resources, and click Bookmarks.
  2. On the right, click Add.
  3. Give the bookmark a name and display text.
  4. Enter a website or file share. For file shares you can use %username%.
  5. The other fields are for Single Sign-on through Unified Gateway. Click Create.
  6. Bookmarks (aka Published Applications > Url) are usually bound to AAA groups so different groups can have different bookmarks. But it’s also possible to bind Bookmarks to NetScaler Gateway Virtual Servers.
  7. If NetScaler Gateway Virtual Server, add the Published Applications section to bind Bookmarks.
  8. For AAA Group, it’s the Bookmarks section.
  9. On the left, find the Published Applications section and click No Url to bind Bookmarks.

VPN Client IP Pools (Intranet IPs)

By default, NetScaler Gateway VPN clients use NetScaler SNIP as their source IP when communicating with internal resources. To support IP Phones or endpoint management, you must instead assign IP addresses to VPN clients.

Any IP pool you add to NetScaler must be reachable from the internal network. Configure a static route on the upstream router. The reply traffic should be routed through a NetScaler SNIP. Or the NetScaler can participate in OSPF.

When a client is assigned a client IP, this IP address persists across multiple sessions until the appliance reboots or until the appliance runs out of IPs in the pool.

  1. Edit a NetScaler Gateway Virtual Server or a AAA group.
  2. On the right, in the Advanced Settings section, click the plus icon next to Intranet IP Addresses.
  3. On the left, click where it says No Intranet IP.
  4. Enter a subnet and netmask. Click Bind.
  5. To see the Client IP address, on the client side, right-click the NetScaler Gateway Plug-in and click Configure NetScaler Gateway.
  6. Switch to the Profile tab to see the Client IP address.
  7. To see the client IP on the NetScaler, go to NetScaler Gateway and on the right is Active user sessions.
  8. Select one of the views and click Continue.
  9. The right column contains the Intranet IP.

StoreFront in Gateway Portal

  1. If you want to enable StoreFront to integrate with NetScaler Gateway’s default portal, edit the file C:\Inetpub\wwwroot\Citrix\StoreWeb\web.config.
  2. On the bottom, there are three sections containing frame options. Change all three of them from deny to allow.
  3. Also change frame-ancestors from none to self.
  4. In NetScaler, go to NetScaler Gateway > Global Settings and click Configure Domains for Clientless Access.
  5. Change the selection to Allow Domains, enter your StoreFront FQDN and click the plus icon.
  6. Click OK.
  7. In a Session Policy/Profile, on the Client Experience tab, make sure Single Sign-on to Web Applications is enabled.
  8. On the Published Applications tab, configure the Web Interface Address to point to the StoreFront Receiver for Web page.
  9. Configure the Single Sign-on domain to match what’s configured in StoreFront.
  10. The Applications page of the 3-page portal should automatically show the StoreFront published icons.

Quarantine Group

NetScaler Gateway can be configured so that if Endpoint Analysis scans fail, then the user is placed into a Quarantine Group. You can bind session policies, authorization policies, etc. to this quarantine group. Policies bound to other AAA groups are ignored.

  1. Go to NetScaler Gateway > User Administration > AAA Groups.
  2. Add a new local group for your Quarantined Users. This group is local and does not need to exist in Active Directory.
  3. Create a new Session Profile.
  4. On the Security tab, check the box next to Advanced Settings.
  5. Check the box to the right of Client Security Check String.
  6. Use the Editor links to add an Endpoint Analysis expression.
  7. Just below the Client Security Check String, select the previously created Quarantine Group.
  8. Click Create when done.
  9. Create a Session Policy and select the Session Profile you just created.
  10. Enter ns_true as the expression. Then click Create.
  11. Edit your Gateway Virtual Server and bind the new session policy.
  12. Bind session policies, authorization policies, etc. to your quarantine group. These policies typically limit access to the internal network so users can remediate. Or it might simply display a webpage telling users how to become compliant.
  13. To troubleshoot Quarantine policies, use the command nsconmsg –d current –g pol_hits.
  14. Another option is to use the session policy bound to the Quarantine Group for SmartAccess configuration.
  15. Gateway Insight (Insight Center 11.0 build 65 and newer) shows users that failed EPA scans and their quarantine status.

Related Pages

AppDisks

Last Modified: Nov 7, 2020 @ 6:34 am

Navigation

Planning

AppDisks are available in all editions of XenApp/XenDesktop 7.8 and newer. AppDNA is only available in Platinum Edition.

AppDisks can be created on vSphere (5.1 and newer) and XenServer only. No support for Hyper-V.

Delivery Groups used with AppDisks can contain machines from Pooled Random Machine Catalogs containing Server OS or Desktop OS machines. You cannot use AppDisks with machines from other catalog types, such as pooled static or dedicated (assigned).

In Provisioning Services environments, AppDisks are stored on hypervisor storage, not Provisioning Services storage. Also, additional data might be written to the write cache.

AppDisk must be on the same hosting resource as the linked clones it is attached to. If you have multiple hosting resources, then you’ll need to import the AppDisk to each hosting resource containing linked clones that you want to attach the AppDisk to.

According to the AppDisk FAQ, Citrix has tested up to 16 AppDisks attached to a single virtual machine. To minimize the number of AppDisks, you should combine multiple applications into a single AppDisk.

AppDisks are stored on a datastore with a GUID in the folder name, thus it’s difficult to know what’s in the .vmdk file. Use PowerShell commands (Get-AppLibAppDisk) to determine the AppDisk-to-.vmdk mapping. If you intend to backup and recover these files, periodically run the PowerShell commands and export to a file so you can know which disk is which. Or, when you import the AppDisk, Studio will tell you which applications are installed in the AppDisk and you can then rename the imported AppDisk.

Links:

vCenter Preparation

Citrix has instructions for creating a XenDesktop role in vCenter. AppDisks requires an additional permission: Virtual Machine > Configuration > Modify device Settings.

For AppDisks, the read only role must be applied to the vCenter level. See Mark New at discussions.citrix.com for details.  ?

AppDNA Preparation

  1. If you intend to use AppDNA to analyze your AppDisks, build a separate AppDNA server.
  2. In Studio, go to Configuration, right-click AppDNA, and click Create AppDNA connection before creating an AppDisk.
  3. The dialog box has an example for the Connection address. It should be in http://appdnaserver:8199/appdna format.
  4. Enter the AppDNA SQL server name and database name. Click Save.

Create AppDisk

  1. Antivirus will slow down the AppDisk creation process. Add CtxPvD.exe and CtxPvDSvc.exe to the exclusion list of your antivirus program. More details in Known Issues.
  2. According to CTX211853 AppDisk Creation Task Stuck At “Creating…” In Studio, Shadow Copy and Microsoft Software Shadow Copy Service Provider services must be enabled on the machines.
  3. You need a Machine Creation Services or Provisioning Services catalog of type Random. Make sure at least one machine in the catalog is not assigned to any Delivery Group.


  4. For Provisioning Services, the machine must boot from a Maintenance (Private Image) version. After the AppDisk is created, the Maintenance version can be discarded.
  5. In Studio, right-click AppDisks and click Create AppDisk.
  6. In the Getting started with AppDisks page, click Next.
  7. In the Create AppDisk page, select a size for the disk. These are thin provisioned so size probably doesn’t matter. Just make sure it’s big enough to hold the application.
  8. Note: If PvS, if the AppDisk is bigger than the cache disk, then PvS might try to put the cache on the AppDisk and will fail to server. See Formatted drive still goes to Server for cache with PVS 7.9 at Citrix Discussions.  💡
  9. Click Next.
  10. In the Preparation Machine page, select an MCS or PVS random catalog that has an available machine not assigned to a Delivery Group. Click Next.
  11. In the Summary page, give the AppDisk a name. Include the datastore or hosting resource name since you need different AppDisks for each hosting resource. Click Finish.
  12. The new AppDisk is prepped. This takes a while.
  13. If you look in your hypervisor storage, you’ll see a new folder named AppDisk-VirtualID. It’s not obvious which AppDisk this .vmdk file belongs to. You can run a PowerShell command like get-applibappdisk | ? virtualdiskid -eq 0cac15d0-55db-4931-848e-de6ee79dddf8 to determine the AppDisk name.
  14. Once prep is done, Studio says Ready to install applications. If you look on the bottom it will show you which machine was used for AppDisk preparation.
  15. You can also right-click the AppDisk, click Install Applications, and it will tell you which machine should be used for application installation.

  16. Access the console of the prep machine and install the application(s).
  17. When done, go back to Studio, right-click the AppDisk, and click Seal AppDisk.
  18. Click Yes to seal it. This will cause the prep machine to reboot.
  19. Preparation will take some time. If it seems stuck, you might have to login to the prep machine so it continues the process.

  20. Windows Defender might interfere with the sealing process. In that case, turn off Defender’s Real-time protection.
  21. If you added AppDNA to Studio, then it will ask AppDNA to analyze the AppDisk.
  22. When done you can View report.
  23. Once the AppDisk is created and sealed, you can click the Applications tab in the bottom half of the window to see what the AppDisk contains.

Import AppDisk

AppDisks can only be attached to machines on the same hosting resource the AppDisk is located on. You can easily copy/import the AppDisk to multiple hosting resources (datastores).

Also, if you added AppDNA after creating AppDisks, then you can only analyze them by re-importing them.

To import an AppDisk:

  1. You will need an available prep machine in a MCS or PvS Random Catalog that is not assigned to any Delivery Group. The Catalog must be on the same Hosting Resource where the imported AppDisk will be placed.


  2. When you look at a datastore containing AppDisks, it’s not obvious which .vmdk goes with which AppDisk. Run the PowerShell command Get-AppLibAppDisk <AppDiskName> to see the VirtualDiskId.
  3. In vSphere Web Client, edit a non-linked clone virtual machine. Any non-MCS/PVS machine should work. This import machine is different than the linked clone machine that Studio will use to prepare the AppDisk.
  4. Make sure the import machine is currently powered off. If the machine is powered on, then vSphere might complain about the disk being currently in use.
  5. Add an Existing Hard Disk (AppDisk).

  6. When browsing the datastore with the existing AppDisk, select the folder name that matches the VirtualDiskId and then select the disk that’s in the folder.
  7. In Studio, right-click AppDisks and click Create AppDisk.
  8. In the Create AppDisk page, select Import existing AppDisk.
  9. Select a Hosting Resource where you want to copy the AppDisk to. Studio always copies the AppDisk, even if to the same datastore as the source.
  10. In the Import Disk page, browse to the virtual machine and click the arrow to expand it.
  11. Then select the attached AppDisk and click Next.
  12. In the Preparation machine page, select a random linked clone catalog with a machine that hasn’t been added to any Delivery Group and click Next.
  13. In the Summary page, give the AppDisk a name. Include the hosting resource (datastore) name. Click Finish.
  14. The AppDisk will be copied to the new datastore and analyzed if AppDNA is configured.
  15. You can then assign the imported AppDisk to Delivery Groups.
  16. Once the AppDisk is imported, click the Applications tab in the bottom half of the Windows to see what’s in the AppDisk.
  17. You can rename the AppDisk by right-clicking it and clicking Properties.

Assign to Delivery Group

AppDisks are assigned to Delivery Groups, not Catalogs.

  1. If you want to assign an AppDisk to an existing Delivery Group, right-click the Delivery Group and click Manage AppDisks.
  2. Or you can create a new Delivery Group.
  3. On the AppDisks page, click Add.
  4. Select one or more AppDisks and click OK. Notice that you can only select AppDisks on the same hosting resource as the Catalog.
  5. You can prioritize the AppDisks by using the arrow buttons on the right. Or click Auto Order to let AppDNA do it for you.
  6. If you are changing AppDisks assigned to an existing Delivery Group, choose a Rollout Strategy (reboot schedule). This is identical to Machine Creation Services Rollout Strategy. Then finish the wizard.
  7. If you chose Auto Order when assigning the AppDisks then AppDNA will need to do some analysis.
  8. If you highlight a Delivery Group, the AppDisks tab on the bottom shows the currently assigned AppDisks.

Update AppDisk

  1. In Studio, right-click an AppDisk and click Create New Version.
  2. Give the new version a name.
  3. Select a linked clone machine that is not currently in a Delivery Group.
  4. Click Create new version. This copies the AppDisk and links it to the prep virtual machine.
  5. Proceed through the normal Create AppDisk process. This includes installing applications and sealing the AppDisk.
  6. Then assign the new AppDisk to a Delivery Group. This process will include removing the old AppDisk and assigning the new AppDisk.

StoreFront 2407 through 3.5 – Tweaks

Last Modified: Jul 31, 2024 @ 2:13 pm

Navigation

This article applies to StoreFront versions 2407, 2402 LTSR, 2203 LTSR, 1912 LTSR CU8 and all other versions 3.5 and newer.

💡 = Recently Updated

Change Log

CRL Checking – Disable

When the StoreFront server checks certificate revocation for its locally signed files, a delay can occur before the StoreFront logon page is displayed.

  1. Run the following PowerShell commands:
    Add-PSSnapin Citrix.DeliveryServices.Framework.Commands
    Set-DSAssemblyVerification $false
  2. Another potential tweak to speed up StoreFront is to disable NetBIOS. Right-click the Start Menu and click Network Connections.
  3. Right-click the NIC and click Properties.
  4. Highlight Internet Protocol Version 4 and click Properties.
  5. Click Advanced.
  6. On the WINS tab, change the selection to Disable NetBIOS over TCP/IP and click OK twice and Close once.
  7. Repeat on the other StoreFront servers.

Note: According to Microsoft, it is no longer necessary to configure generatePublisherEvidence in C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet.config.

Receiver Shortcuts

You can use StoreFront to control placement of shortcuts on Receiver machines.

  1. Run Notepad elevated (as administrator).
  2. Edit the file C:\inetpub\wwwroot\Citrix\Roaming\web.config.
  3. Search for <account id. Find the Store name in the name attribute.
  4. Scroll down to the first <properties> section located under <annotatedServices>.
  5. See Using StoreFront account settings to customize app shortcut locations at Citrix Docs for a list of properties. Add the properties as detailed at Citrix Docs. The properties should be added after the clear tag.
  6. Note: if subscriptions are enabled in StoreFront then only Favorites are added to the Start Menu and Desktop. If subscriptions are disabled then all applications are placed on the Start Menu or Desktop.
  7. Close and save the file.
  8. Then Propagate Changes.

PNAgent Authentication and Default Store

Default Store

If you point your browser to https://storefront.corp.com/Citrix/PNAgent/config.xml, which is the typical path for PNAgent, you’ll get a 404.

To fix this, in the StoreFront console, right-click the store, and click Configure XenApp Services Support.

In the bottom of the window, select the Default store, and click OK.

Now PNAgent can point to StoreFront without needing to specify a custom path. Note: this only works for /Citrix/PNAgent/config.xml.

Single Sign-on

From Configure authentication for XenApp Services URLs at Citrix Docs: XenApp Services URLs support explicit, domain pass-through, and pass-through with smart card authentication. Explicit authentication is enabled by default. You can change the authentication method, but only one authentication method can be configured for each XenApp Services URL. To enable multiple authentication methods, create separate stores, each with a XenApp Services URL, for each authentication method. To change the authentication method for a XenApp Services URL, you run a Windows PowerShell script.

  1. On the primary StoreFront server in your deployment, use an account with local administrator permissions to start Windows PowerShell.
  2. At a command prompt, type the following command to configure the user authentication method for users accessing the store through the XenApp Services URL.
    & "C:\Program Files\Citrix\Receiver StoreFront\Scripts\EnablePnaForStore.ps1" –SiteId 1 -ResourcesVirtualPath /Citrix/Store –LogonMethod sson
  3. Propagate changes.

Remember my password

If you leave PNAgent authentication set to Prompt, you can enable the Remember my password box by doing the following:

  1. Run Notepad as Administrator and edit the file C:\inetpub\wwwroot\Citrix\Store\Views\PnaConfig\Config.aspx.
  2. Near line 74 is EnableSavePassword. Change it to true.
  3. When PNAgent connects, there should now be a Remember my password checkbox.

Hide Applications

You can hide all icons of a particular type (Applications, Desktops, Documents). Or you can hide icons with a specific keyword.

Go to Stores > MyStore > Configure Store Settings > Advanced Settings, and look for the Filter options.

Filter resources by type lets you hide all Applications or all Desktops. If you are running Receiver inside a published desktop, then you probably don’t want desktop icons to be delivered by Receiver. In that case, create a new Store and filter the Desktop icons. Then only the application icons will be delivered.

Filter resources by excluded keywords lets you filter published icons that match a custom keyword.

Once the ExcludeKeyword has been defined, add the keyword to a published application or published desktop description, and that application/desktop will no longer display in Receiver. This works for both Receiver for Web and Receiver Self-Service (non-browser).

In XenDesktop 7.9 and and newer and Citrix Virtual Apps and Desktops, to assign a description to a Desktop, you edit the Delivery Group, go to the Desktops page, and edit one of the Desktops. Citrix CTX220429 Configure Resource Filtering to Allow Desktops to be filtered on Storefront.

Desktop Autolaunch

By default, if only a single desktop is published to the user, Receiver for Web will auto-launch it. You can change this behavior by going to Stores > MyStore > Manage Receiver for Web Sites > Configure > Client Interface Settings and uncheck the box next to Auto launch desktop.

Full Screen Desktop

Citrix CTX139762 How to Configure StoreFront to Start Published Desktops in Full Screen Mode: This article describes how to configure StoreFront to start published desktops in Full Screen Mode.

  1. Open the file C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica on the StoreFront server(s) with notepad (as Administrator)
  2. Add the line:
    [Application]
    DesktopViewer-ForceFullScreenStartup=On
  3. In older versions of StoreFront, it should be true instead of On.
  4. Save the file.
  5. Open the command prompt (cmd) and run iisreset.

Autolaunch Application

See CTX572543 How to auto launch published app while logon Storefront Web URL. Add the following code to the end of C:\inetpub\wwwroot\Citrix\<StoreName>Web\custom\script.js.

var ctxAppName = "AppName";
CTXS.Extensions.noteApp = function (app) {
  if(app.name == ctxAppName){ 
    CTXS.ExtensionAPI.launch(app);
  }
};

See the script.js code posted by Michael Bednarek at Citrix Discussions.

Store for Anonymous

If you intend to publish applications to anonymous users, then you can create a StoreFront store that does not require authentication. Note: anonymous stores only work internally (no NetScaler Gateway).

  1. On the VDAs, create and configure anonymous accounts.
  2. In Citrix Studio, configure a Delivery Group to accept unauthenticated (anonymous) users.
  3. In the StoreFront Console, right-click Stores, and click Create Store.
  4. In the Store Name and Access page, enter a new store name.
  5. Check the box next to Allow only unauthenticated users to access this store.
  6. Then click Next and finish the wizard like normal.
  7. By default, Anonymous stores are hidden (not advertised). When performing discovery in Receiver you’ll need to enter the full path to the store (e.g. https://storefront.corp.com/Citrix/Anon/discovery).

Workspace Control

Workspace Control reconnects user sessions. It can be disabled. Or configure various reconnection options.

Citrix Blog Post Workspace Control: When You DON’T Want to Roam details complete session reconnection configuration instructions for XenApp, Remote Desktop Services, StoreFront, and Receiver.

Receiver for Web

Go to Stores > MyStore > Manage Receiver for Web Sites > Configure > Workspace Control page.

Receiver Self-Service

Citrix Blog Post – How to Disable Workspace Control Reconnect: For Receiver for Windows, Workspace Control can be managed on client devices by modifying the registry. Please see this Knowledgebase Article for how to implement it. This can also be done for domain-joined client devices using Group Policy.

In StoreFront Console, go to Stores > MyStore > Configure Store Settings > Advanced Settings, and there’s a setting for Allow session reconnect.

Treat Desktops as Applications

From Treating All Desktops as Applications at Citrix Blog Post What’s New in StoreFront 3.0: Desktops are treated differently from applications in StoreFront/Receivers. They are placed in a separate Desktop tab and in the case of Receiver for Web, they are not reconnected with workspace control. In some use cases, it is desirable to treat desktops as applications so that they are placed together with applications and get reconnected as part of workspace control. With StoreFront 2.x, you have to add the TreatAsApp keyword to all published desktops to achieve this effect. StoreFront 3.0 enables you to configure treating all desktops as applications at the store level without the need of adding the TreatAsApp keyword to all the published desktops. This is configurable using a PowerShell cmdlet.

& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

Set-EnhancedEnumerationOptions -siteId 1 -storeVirtualPath /Citrix/Store `
-treatDesktopsAsApps $true

Also see Citrix CTX223817 How to Configure “TreatAsApp” in XenDesktop 7.8.

Special Folder Redirection

From Configure special folder redirection at Citrix Docs: With Special Folder Redirection configured, Citrix maps Windows special folders for the server, to those on their local computers. Special folders refer to standard Windows folders, such as \Documents and \Desktop.

In StoreFront Console, go to Stores > Configure Store Settings > Advanced Settings and there’s an option for Allow special folder redirection.

Receiver Self-service – Disable “Remember My Password”

By default, when Receiver Self-Service connects internally to StoreFront, the user is able to check the box next to Remember my password. Note: When connecting through NetScaler Gateway, this checkbox is never available.

This can be disabled by making a change on the StoreFront server. This procedure is documented by John Ashman at Citrix Discussions and Prevent Citrix Receiver for Windows from caching passwords and usernames at Citrix Docs.

  1. Note that this procedure seems to prevent Receiver for iOS from adding accounts.
  2. On the StoreFront server, run a text editor elevated (as administrator).
  3. Open the file C:\inetpub\wwwroot\Citrix\StoreAuth\App_Data\Templates\UsernamePassword.tfrm.
  4. Go to line 20, which should start with @SaveCredential.
  5. To comment out the line, wrap it in @* and *@. Save the file when done.

  6. Now the Remember My Password checkbox is gone.

“Activate” Option in Web Page – Disable

From Citrix Discussions: to disable the “activate…”; function for Citrix receiver for windows that is visible when a user clicks their username in the upper right hand corner of Receiver for Web, in StoreFront Console, go to Stores > MyStore > Manage Receiver for Web Sites > Configure > Client Interface Settings page. There’s a checkbox for Enable Receiver configuration.

Logoff Receiver for Web Seconds after Icon Launch

From Citrix Blog Post Logging Off Receiver for Web after an Application/Desktop Launch: Simply add the following code snippet to script.js in the custom folder for the Receiver for Web site (typically C:\inetpub\wwwroot\Citrix\StoreWeb\custom\) you would like to customize:

var delayLogoffInSeconds = 10;

CTXS.Extensions.beforeWebLogoffIca = function(action) {
    return 'none';
};

CTXS.Extensions.postLaunch = function(app, status) {
    if (! CTXS.Device.isNativeClient()) {
        if (status == CTXS.LAUNCH_SUCCESS) {
            function logoff() {
                CTXS.Environment.logOff();
            }
            window.setTimeout(logoff, delayLogoffInSeconds * 1000);
        }
    }
};

Customize Receiver UI in StoreFront 3.x

StoreFront 3.x customizations are visible in both Receiver for Web and in Receiver Self-Service.

Note: these customizations might not work in StoreFront 1811 and newer, which has a different user interface.

If you are load balancing StoreFront and want to put the server name on the webpage (or Receiver), see Citrix Blog Post How To: Add a Server Identifier to the StoreFront Page Footer. This works in StoreFront 1811 and newer.

George Spiers Insert Client IPs into the StoreFront logon page.

John Billekens Hide or change “domain\user or username@domain.com” text in Storefront: In C:\inetpub\wwwroot\Citrix\<Store>Web\custom\style.css, add the following to hide the text:

.credentialform span.pseudo-input.show {
 visibility: hidden;
}

For StoreFront older than version 1811, Citrix Blog Post Dynamic Subscription Icons in StoreFront explains how to change the Details link to a star icon based on subscription status. The star icons are not clickable like they are in StoreFront 1811 and newer.

Trentent Tye at Citrix Storefront – Adventures in customization – Add a help button to your Storefront UI uses CTXS.ExtensionAPI.addHelpButton() and CTXS.ExtensionAPI.openUrl() to add a help button which opens a help page URL. This also works in StoreFront 1811 and newer.

CTP Sam Jacobs and Rich Minichiello Adding an EULA Checkbox to StoreFront logon page

From CTP Sam Jacobs at StoreFront: Add Application Categories to Favorites Tab at CUGC. It’s a simple matter to get it to again appear. Back up the file \inetpub\wwwroot\citrix\<store>Web\custom\style.css, and add the following to the bottom of the file:

.largeTiles .myapps-view .storeapp-category {
display: block;
}

Nicolas Ignoto Lab: Part 22 – Ultimate StoreFront 3 customization guide contains many StoreFront customizations including:

  • Add disclaimer
  • Change logo/background
  • Add header
  • Add text
  • Change colors
  • Etc.

 

Citrix Blog Post Citrix Customization Cookbook contains a collection of customizations including:

  • Add Static or dynamic (read from file) text to the header and/or footer of the login page.
  • Click-through disclaimer before or after login page
  • Footer for every page
  • Default to Folder view when visiting the Apps tab
  • Change default text
  • Change background images for featured categories
  • Background image

 

Citrix Blog Post Storefront 3 Web Customization: Branding Your Deployment describes how to modify the following CSS to customize the appearance of StoreFront 3.x

  • Background images
  • Logon button
  • Colors for page and text
  • How to view the mobile version of the page
  • CSS for mobile pages

 

Jason Samuel Upgrading Citrix StoreFront 2.6 to StoreFront 3.0 – Things to Know details how to change the StoreFront logo to a Receiver logo.

 

Citrix Blog Post StoreFront Message Customization describes how to add a scrolling message to the top of the screen. This is displayed in both Browsers and Receivers. This post contains a new version of the executable that supports StoreFront 3.0 and newer.

 

Migrate Web Interface features to StoreFront at Citrix Docs details how to configure Web Interface features in StoreFront. This includes:

  • Enable return to last folder
  • Header logo
  • Pre-logon welcome message
  • Logon screen customization
  • Footer text

The code for pre-login message is already included in C:\inetpub\wwwroot\Citrix\StoreWeb\custom\script.js. Just remove the comment. Source = Citrix CTX227805 StoreFront 3.11 >>How to get the login banner on Storefront page

 

Rody Kossen and his colleague Leon Koppel built a customisation layer that reads the state of the resources presented to the end-user. If a desktop is under maintenance, inform the user so he knows before he tries to access the resource. Get the code from Citrix Blog Post Putting the Experience First, Where it Belongs.  💡

 

StoreFront 3.0 Receiver Customization APIs are detailed at Citrix Developer. Use the Receiver Customization API to brand or customize your end users’ app and desktop selection experience beyond capabilities provided in the StoreFront admin console. Customizations apply to latest Web, Chrome, Windows, Mac and Linux clients, and will be extended to mobile devices in future releases.

 

CTX221097 How to rename items on StoreFront? describes the strings that can be changed.

  1. Go to C:\inetpub\wwwroot\Citrix\<StoreName>Web\custom
  2. Open strings.en.js file
  3. See below for an example of overriding one of the built-in strings. See the article for the full list of strings.
  4. AppStore defines the title of the website. (Source = CTX236110 How to customize the storefront website title)

 

Citrix Blog Post Receiver X1 APIs describes the following:

  • Overview of the CSS classes that can be customized.
  • Override Citrix’s JavaScript functions to modify behavior – exclude or restyle apps, change a sort order, add a warning message etc.
  • How to force X1 UI to display in either phone or larger mode.

 

Citrix Blog Post X1 Customization: Going deeper with CSS describes the following:

  • Use CSS (/custom/style.css) to style the three custom regions (#customTop, #customBottom, #customScrollTop). Shown below in red, blue, and pink.
  • Marker classes for showing/hiding or highlighting parts of the UI: large display, small display, high DPI, Favorites view, Desktops view, Apps view, appinfo view.

 

Citrix Blog Post Scripting X1 describes the following:

  • JavaScript code to display an Acceptance dialog box before users can login.
  • Use JQuery to add HTML code to custom regions (e.g. #customScrollTop) including using CSS to hide the HTML code unless a specific tab is selected by the user.

Citrix Blog Post – Rewriting the Session ClientName from StoreFront: I would like to offer the following customisation DLL which can apply client name rewrites based on a template. The customisation template can be any string, but where that string contains a particular token, the token will be replaced by some information from the User Context. If the intent was just to replace the ClientName with the user name, the template is then just “$U”. More details and the .dll file are in the blog post.

StoreFront Store Customization SDK at Citrix Developer: The Store Customization SDK allows you to apply custom logic to the process of displaying resources to users and to adjust launch parameters. For example, you can use the SDK to control which apps and desktops are displayed to users, to change ICA virtual channel parameters, or to modify access conditions through XenApp and XenDesktop policy selection. Key Customization Points:

  • Post-Enumeration
  • Post-Launch ICA File
  • Post-Session Enumeration
  • Access Conditions (pre-launch and pre-enumeration)
  • Provider List
  • Device information

Citrix Blog Post Adding a Language to StoreFront 3.0: A new language pack is comprised of a culture definition file, a string bundle file and a custom string bundle file. See the Blog Post for more details.

To force StoreFront to only use English, add the following to c:\inetpub\wwwroot\Citrix\StoreWeb\custom\script.js as detailed at Set default language to EN at Citrix Discussions:
CTXS.Environment.getPreferredLanguages = function () { return null; }

 

To change the StoreFront page title, see Sam Jacobs How to Change the Page Title in Citrix Receiver 3.x at mycugc.org.

 

Customizations detailed at topic Modify Receiver for Web site at Citrix Discussions:

  • Add Featured App Groups to Categories View
  • Increase the number of Featured applications beyond the default of 3.

 

StoreFront SDKs

Most of the StoreFront SDK documentation can be found at https://developer-docs.citrix.com/projects/storefront-sdk/en/latest/

StoreFront Store Customization SDK – Use the Store Customization SDK to apply custom logic to the process of displaying resources to users and to adjust launch parameters.  For example, you can use the SDK to control which apps and desktops are displayed to users, to change ICA virtual channel parameters, or to modify access conditions through XenApp and XenDesktop policy selection.

StoreFront Web API – Receiver for Web is a component of Citrix StoreFront that provides access to applications and desktops using a Web browser. It consists of a User Interface tier and a StoreFront Services Web Proxy tier.

StoreFront Authentication SDKs – With StoreFront 3.0, we have introduced a new Unified UI that is delivered from StoreFront to Receiver on all client platforms. Use the Receiver Customization API to brand or customize your end users’ app and desktop selection experience beyond capabilities provided in the StoreFront admin console. Customizations apply to latest Web, Chrome, Windows, Mac and Linux clients, and will be extended to mobile devices in future releases.

StoreFront PowerShell SDK – Citrix StoreFront provides an SDK based on a number of Microsoft Windows PowerShell version 3.0 modules. With this SDK, you can perform the same tasks as you would with the StoreFront MMC console, together with tasks you cannot do with the console alone.

Related Pages

StoreFront 2407 – Configuration for Citrix Gateway

Last Modified: Jul 31, 2024 @ 2:13 pm

Navigation

This article applies to StoreFront versions 2407, 2402 LTSR, 2203 LTSR, 1912 LTSR CU8 and all other versions 3.5 and newer.

Changelog

StoreFront Configuration for Citrix Gateway

See the Citrix Gateway ICA Proxy for instructions to create a Citrix Gateway Virtual Server for ICA Proxy and StoreFront. You then must configure StoreFront to enable the Gateway.

  1. In the StoreFront Console, in the middle, right-click your Store, and click Manage Authentication Methods.
  2. Ensure Pass-through from Citrix Gateway is selected and click OK.
  3. In the StoreFront Console, right-click the Stores node, and click Manage Citrix Gateways.
  4. If StoreFront 3.6 or newer, notice the imported from file link on top. This is a new feature of NetScaler 11.1 and newer. An example configuration that uses this feature can be found in the StoreFrontAuth page.

  5. If you’re not using the Gateway config file from NetScaler 11.1 and newer, click Add.

    1. In the General Settings page, enter a display name. This name appears in Citrix Receiver or Citrix Workspace app, so make it descriptive.
    2. In the Citrix Gateway URL field, enter the Citrix Gateway Public URL that resolves to the Citrix Gateway VIP.
      • The URL entered here must match what users enter into their browser address bars.
      • This URL can be a GSLB-enabled DNS name.
      • The Gateway URL usually does not need to be reachable from StoreFront unless you need the Callback for SmartAccess or non-password authentication (e.g. Smart Cards or Citrix Federated Authentication Service).
    3. Click Next.
    4. In the Secure Ticket Authority page, click Add.
    5. Enter the URL to a Delivery Controller. This can be http or https.
      • STA is installed automatically on Delivery Controllers.
      • There is no relationship between STA and CVAD farms. Any CVAD farm can use any STA server.
      • StoreFront chooses the STA server. Citrix Gateway must be configured to use the same STA servers that StoreFront chose.
    6. Click OK.
    7. Continue adding Secure Ticket Authorities (Delivery Controllers). Whatever Secure Ticket Authorities you add here must also be added to the Citrix Gateway Virtual Server on the Citrix ADC appliance. Click Next.
    8. In the Authentication Settings page, the VServer IP Address field is typically left blank. You only use this field if you have multiple Gateways (on separate appliance pairs) connecting to one StoreFront server. See below for details.
    9. If you need SmartAccess or non-password authentication (e.g. Smart Cards or Citrix Federated Authentication Service), then enter the Callback URL.
      • The Callback URL must resolve to any Citrix Gateway VIP on the same appliance that authenticated the user. Edit the HOSTS file on the StoreFront server so the Callback URL resolves correctly.
      • If you are configuring Single FQDN, then the Callback URL must be different than the Single FQDN.
      • The Gateway Virtual Server that the Callback URL resolves to must have a trusted and valid certificate that matches the FQDN you are entering here.
      • The Gateway Virtual Server that the Callback URL resolves to must not have client certificates set to Mandatory.
      • See CTX399424 Gateway Callback and / or XML Communication fails after upgrade to Storefront 2203 for a workaround.
    10. If you don’t need SmartAccess or non-password authentication, then leave the Callback URL field empty.
    11. If you enabled two-factor authentication (LDAP and RADIUS) on your Citrix Gateway, change the Logon type to Domain and security token. Otherwise leave it set to Domain only.
    12. Click Create.
    13. Then click Finish.
  6. You can add more Gateways depending on your design. Multiple datacenters typically requires multiple Gateways. Click Close when done.
  7. To enable the store to use Citrix Gateway, in the middle, right-click your store, and click Configure Remote Access Settings.

    1. Check the box next to Enable Remote Access.
    2. Leave it set to No VPN tunnel.
    3. Check the box next to the Citrix Gateway object you just created. This binds the Gateway to the Store.
    4. If you have multiple Gateways, select one of them as the Default appliance.
      • Note: when you point Receiver to a Citrix Gateway URL for Discovery, after Discovery is complete, the Default appliance selected here is the Gateway that Receiver uses. In other words, Receiver ignores the Gateway you entered during discovery.
    5. Click OK to close the Configure Remote Access Settings dialog box.
  8. In the StoreFront Console, right-click the Stores node, and click Manage Beacons.
  9. In the top half of the window, make sure the Internal beacon is set to a URL that is only reachable internally.
    1. If you are configuring Single FQDN, then the Internal beacon must be different than the Single FQDN.
    2. Service URL = the StoreFront Base URL. If you’re not configuring Single FQDN, then the Base URL is usually not accessible externally and is acceptable as an Internal Beacon.
    3. The Internal beacon must never go down. If it’s down, then internal native Receivers will stop working. One option is to configure a Citrix ADC Responder HTML page as detailed at Julian Mooren Citrix ADC – How to create a High Available Beacon Point for Citrix StoreFront. 💡
    4. Click OK when done.
  10. Right-click the Server Group node, and click Propagate Changes.

Citrix Gateway Logon Page Theme

To make the Citrix Gateway logon page look like Receiver 3.0 and newer, see Citrix Gateway 12 Portal Theme. The Citrix Gateway X1 theme has the fewest issues and the most readily available documentation for customization. The Citrix Gateway RfWebUI theme has less documentation for customizations.

Single FQDN

Overview

Links:

You can either define separate FQDNs for StoreFront Load Balancing (internal) and Citrix Gateway (external). Or, you can define a Single FQDN for both.

Single FQDN has the following requirements:

  • Receivers:
    • Receiver for Windows 4.2 or newer. Or upgrade to Workspace app.
    • Receiver for Mac 11.9 or newer. Or upgrade to Workspace app.
    • Mobile Receivers
  • StoreFront 2.6 or newer
  • Split DNS – different DNS resolution for internal vs external
    • Internal DNS should resolve the Single FQDN to the StoreFront Load Balancing VIP
    • External DNS should resolve the Single FQDN to the Citrix Gateway VIP (public IP)
  • NetScaler 10.1 or newer
  • The FQDN for Internal Beacon must be different than the Single FQDN.
    • The Internal Beacon URL must not be externally resolvable or accessible.
    • If Internal Beacon is down, then internal Receiver Self-Service clients will not function correctly.
    • Internal Beacon URL can be http instead of https.
    • If Internal Beacon URL is https, then the machine hosting the IP address for the Internal Beacon must have a certificate that matches the Internal Beacon FQDN.
  • The FQDN for Citrix Gateway Callback must be a different FQDN than the Single FQDN. Callback is only needed for SmartAccess and SAML.
    • Callback FQDN can resolve tot he same Gateway VIP used by external users. Or, you can create a new Gateway VIP on the same appliance that authenticated the users.
    • The Gateway Virtual Server for Callback must have a certificate that matches the Callback FQDN.

DNS caching interferes with Single FQDN – Note: if you have laptops that move from internal to external and back again, then DNS caching will interfere with Single FQDN. The DNS response for Single FQDN needs to change whenever the device moves from internal to external and back again. However, Receiver uses the same DNS cache as Internet Explorer, which caches DNS responses for 30 minutes. To clear the DNS cache, you have to close Receiver and re-open it. The DNS response you see when you ping the Single FQDN does not necessarily match the DNS response used by Internet Explorer and Receiver.

Configure Single FQDN without email-based discovery

If you don’t care about email-based discovery, then the configuration of Single FQDN is fairly simple. Sample DNS names are used below. Make sure the certificates match the DNS names.

  1. Internal DNS name = the Single FQDN (e.g. storefront.corp.com). Internally, the DNS name resolves to the internal Load Balancing VIP for StoreFront. Set the StoreFront Base URL to this address.
  2. External DNS name = the Single FQDN (e.g. storefront.corp.com). Externally, the DNS name resolves to a public IP, which is NAT’d to Citrix Gateway VIP on DMZ Citrix ADC. Set the Citrix Gateway object in StoreFront to this FQDN.


  3. If you need SmartAccess, then the Callback URL = any DNS name (e.g. callback.corp.com) that resolves to a Citrix Gateway VIP on the same DMZ Citrix ADC appliance that authenticated the user. The Callback URL cannot be the Single FQDN.

    • Callback URL can be omitted if you don’t need SmartAccess features, or SAML authentication.
    • The callback DNS name must be different than the Single FQDN.
    • The callback DNS name must resolve to a Citrix Gateway VIP on the same appliance that authenticated the user. This could be the same DMZ Gateway VIP used by external users. Or you can create a separate internal Gateway VIP on the same appliance.
    • The Citrix Gateway vServer for callback must have a certificate that matches the Callback DNS name.
  4. Internal Beacon = any internal website URL that is not externally accessible. You can’t use the Single FQDN as the Internal Beacon. Note: if the internal beacon is down, then internal Receiver Self-service will not work correctly.

    • Make sure the Internal Beacon is not resolvable externally.
    • The Internal Beacon URL cannot be the Single FQDN. It must be different.
    • Ideally, the Internal Beacon should be a new DNS name that resolves to a StoreFront Load Balancing VIP.
    • If the internal beacon is https, then the certificate must match the internal beacon DNS name. However, http URLs also work.
    • See CTX218708 How to Configure Internal Beacon for Single FQDN on StoreFront.
  5. Make sure the DMZ Citrix ADC resolves the Single FQDN to the internal StoreFront Load Balancing VIP. You typically add internal DNS servers to the Citrix ADC. Or you can create a local Address Record on Citrix ADC for the Single FQDN.

  6. In the Citrix Gateway Session Profiles, on the Published Applications tab, set the Web Interface Address, and the Account Services Address to the Single FQDN.


  7. That’s all you need to implement Single FQDN. If you made changes to an existing StoreFront deployment, then you might have to remove accounts from Receiver, and re-add the account.

If you need email-based discovery, then here’s an example configuration for ICA Proxy Citrix Gateway

DNS:

  • Sample DNS names:
    • Single FQDN = citrix.corp.com
    • Callback FQDN = callback.corp.com
    • Internal Beacon FQDN = internalbeacon.corp.com
  • External DNS:
    • citrix.corp.com resolves to a public IP, which is NAT’d to a Citrix Gateway VIP on a DMZ Citrix ADC.
    • If email-based discovery, SRV record for _citrixreceiver._tcp.email.suffix points to citrix.corp.com. Create this SRV record in every email suffix DNS zone.
  • Internal DNS:
    • citrix.corp.com resolves to the Load Balancing VIP for StoreFront
    • callback.corp.com resolves to a Citrix Gateway VIP on the same Citrix ADC that authenticated the user. Usually only needed for SmartAccess and/or SAML.
    • For the internal beacon, FQDN of any internal web server. Make sure this name is not resolvable externally.
    • If email-based discovery, SRV record for _citrixreceiver._tcp.email.suffix points to citrix.corp.com. Create this SRV record in every email suffix DNS zone.

Certificates:

  • External, publicly-signed certificate for Citrix Gateway:
    • One option is wildcard for *.corp.com. Assumes email suffix is also corp.com. If you more than one email suffix, then wildcard will not work.
    • Another option is the following Subject Alternative Names:
      • citrix.corp.com
      • callback.corp.com – for callback URL. Only accessed from internal.
        • Or you can create a separate internally-facing Gateway vServer for callback with a separate certificate.
      • If email-based discovery, discoverReceiver.email.suffix for each email suffix. If you have multiple email suffixes, you’ll need multiple SAN Names.
  • Internal certificate for StoreFront Load Balancing:
    • Publicly-signed certificate is recommended, especially for mobile devices and thin clients.
    • Since you have the same DNS name for internal and external, you can use the external certificate for internal StoreFront.
    • One option is wildcard for *.corp.com. Assumes email suffix is also corp.com. If you have more than one email suffix, then wildcard will not work.
    • Another option is the following Subject Alternative Names:
      • citrix.corp.com
      • If email-based discovery, discoverReceiver.email.suffix for every email suffix. If you have multiple email suffixes, then you will have multiple SAN names.

StoreFront Configuration:

  • Base URL = https://citrix.corp.com
  • Internal beacon = https://internalbeacon.corp.com. Make sure it’s not resolvable externally.
  • Gateway object:
    • Gateway URL = https://citrix.corp.com
    • Callback URL = https://callback.corp.com

Receiver for Web session policy:

  • Policy expression = REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
  • Client Experience tab:
    • Clientless Access = Allow or Off
    • Plug-in Type = Java
    • Single Sign-on to Web Applications = checked
  • Security tab:
    • Default authorization = ALLOW
  • Published Applications tab:
    • ICA Proxy = On
    • Web Interface address = https://citrix.corp.com/Citrix/StoreWeb
    • Single Sign-on Domain = Corp

Receiver Self-Service session policy:

  • Policy expression = REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
  • Client Experience tab:
    • Clientless Access = Allow or Off
    • Plug-in Type = Java
    • Single Sign-on to Web Applications = checked
  • Security tab:
    • Default authorization = ALLOW
  • Published Applications tab:
    • ICA Proxy = On
    • Web Interface address = https://citrix.corp.com
    • Single Sign-on Domain = Corp
    • Account Services address = https://citrix.corp.com

Multiple Datacenters / Farms

Multi-datacenter Citrix Gateway and StoreFront Design

HTTP vs ICA

There are two connections from every Citrix client:

  • HTTP (SSL required) – goes to StoreFront
    • HTTP is usually proxied through Citrix ADC load balancing
    • If external, HTTP is proxied through Citrix Gateway, which proxies it through Citrix ADC load balancing.
    • HTTP traffic is initiated by either a web browser, or by Receiver Self-Service
  • ICA (SSL optional) – goes to Virtual Delivery Agent
    • ICA can go direct (internal) to a VDA
    • Or ICA can be proxied through Citrix Gateway ICA Proxy
    • ICA traffic is handled by Workspace app’s ICA engine – either locally installed Workspace app, or HTML5 Workspace app

The FQDN for the HTTP connection can be the same or different than the FQDN for the ICA connection.

The HTTP connection is easily handled by GSLB, HTTP/SSL load balancing, etc.

  1. DNS name – Users connect to a DNS name that resolves to StoreFront and/or Citrix Gateway.
    1. StoreFront is usually proxied through Citrix ADC Load Balancing.
    2. If Citrix Gateway, the HTTP connection is proxied to StoreFront, usually through Load Balancing.
  2. Separate VIP per datacenter – For multiple datacenters, each datacenter has its own StoreFront and/or Citrix Gateway VIP.
  3. GSLB resolves the DNS name to one of the datacenter VIPs.
    1. This can be active/active, or active/passive.
  4. Proximity and persistence – For active/active, since StoreFront traffic (HTTP) is so minimal, it usually doesn’t matter which datacenter is selected. But you can optionally enable one of the Proximity GSLB load balancing algorithms so the closest datacenter is selected.
    1. Enable one of the GSLB Service cookie-based persistence methods. Connection Proxy is the easiest to configure.

The ICA connection is dictated by StoreFront.

  1. .ica file – When a user clicks an icon in StoreFront, StoreFront generates an .ica file containing an address.
    1. If the user is internal, then the .ica file usually contains the private IP address of the Virtual Delivery Agent. Receiver connects directly to the VDA’s private IP.
    2. If the user is connecting through Citrix Gateway, or if HDX Optimal Routing is enabled, then the .ica file usually contains the FQDN of a Citrix Gateway that can proxy the ICA connection.
  2. Receiver engine for ICA protocol – The StoreFront provided .ica file is given to a Receiver engine. Receiver engine (locally installed Receiver, or HTML5 Receiver), uses ICA protocol to connect to the address contained inside the .ica file.
  3. One public IP – For external users, an advantage of Citrix Gateway is that you only have to expose one public IP address per datacenter no matter how many VDAs you have.
  4. FQDN for Gateway – For Citrix Gateway, StoreFront inserts a FQDN into the .ica file. This FQDN can be one of the following:
    1. Active/active GSLB
    2. Datacenter-specific – If you have two datacenters, each datacenter has a unique FQDN that resolves to a specific Citrix Gateway VIP in a specific datacenter. GSLB active/passive handles failover if the datacenter-specific VIP is down.
  5. ICA Routing – ICA traffic is heavier and more latency sensitive than StoreFront. Thus you typically want to control which datacenter is used for the ICA connection. There are two common designs:
    1. Proxy ICA traffic through a Citrix Gateway that’s in the same datacenter as the VDA.
    2. Proxy ICA traffic through the Citrix Gateway that’s closest to the user. The idea here is that back haul WAN connections are faster than Internet connection to a remote datacenter.
  6. HDX Optimal Routing – For proxying ICA through Citrix Gateway in the same datacenter as the VDA, StoreFront has two methods for identifying the Citrix Gateway that’s closest to the VDA:
    1. Different Citrix Virtual Apps and Desktops site/farm in each datacenter. If a VDA is launched from a particular site/farm, then provide the Citrix Gateway FQDN that is associated with that site/farm. This is configured using HDX Optimal Routing.
    2. Different Citrix Virtual Apps and Desktops zone per datacenter. If the VDA is launched from a particular zone, then provide the Citrix Gateway FQDN that is associated with that zone. This is configured using HDX Optimal Routing.
  7. Proximity and Persistence – For proxying ICA through a Citrix Gateway that is closest to the user, StoreFront returns an FQDN that is GSLB Active/Active load balanced using a Proximity load balancing algorithm.
    1. ICA is usually a long-lived TCP connection to the Citrix Gateway VIP.
    2. You can enable Source IP persistence on the active/active GSLB Virtual Server.
    3. Another method of proximity load balancing ICA is to configure Citrix ADC to insert a header to StoreFront indicating the Citrix Virtual Apps and Desktops zone the user is connecting from. See the GSLB Powered Zone Preference whitepaper.

Internal Citrix Gateway ICA Proxy? – Internal users typically have direct connectivity to VDA Private IP addresses, so you usually don’t need to use Citrix Gateway ICA Proxy internally. However, an advantage of using Citrix Gateway ICA Proxy internally is that now all ICA traffic is going through a Citrix Gateway, which makes it easy to enable AppFlow (HDX Insight) reporting to Citrix Application Delivery Management (ADM).

  • ICA Proxy through Citrix Gateway wraps ICA traffic in SSL, increasing the packet size.
  • SSL-Encrypted ICA packets cannot be optimized by normal WAN optimization products.

StoreFront and Multiple Sites/Farms

A Citrix Virtual Apps and Desktops Site/Farm is a collection of Delivery Controllers that share a single Site SQL Database. Multiple Citrix Virtual Apps and Desktops Sites/Farms implies multiple Site SQL databases, each configured separately. Note: farm is the old name for Citrix Virtual Apps and Desktops Site.

  • If you stretch a single Citrix Virtual Apps and Desktops Site/Farm across datacenters, then you have to deal with replication and recovery of the single SQL database.
  • Citrix Virtual Apps and Desktops Zones and Local Host Cache make it more feasible to stretch a farm. See XenDesktop Site Failover – how do you do it? at CUGC for an excellent discussion on multi-datacenter zone design.
  • VDAs can only register with one Citrix Virtual Apps and Desktops Site/farm.

Multiple Citrix Virtual Apps and Desktops Sites/Farms – StoreFront can enumerate icons from multiple Citrix Virtual Apps and Desktops Sites/Farms. If there are identical icons in multiple farms, then the icons can be aggregated so that only a single icon is displayed to the user. When the user clicks the icon, StoreFront then needs to select a site/farm.

  • CVAD 2311 and newer have multiple site management in Web Studio in the Settings node.

    • Use the Site selector at the top right of the page.
  • In StoreFront, Sites/Farms can be prioritized (active/passive) for different Active Directory groups. This allows you to specify a “home” site for specific users. Typically, you set the preferred site/farm to be in the same datacenter that contains the user’s home directory and roaming profile.
  • Or sites/farms can be active/active load balanced. This works best for applications that have synchronized active/active back-end data.

Icon aggregation – There are two methods of configuring icon aggregation in StoreFront:

  • StoreFront Console GUI – The most common multi-site/farm configurations can be done in the StoreFront Console GUI, including configuration of “Home Sites” (different AD groups prioritizing different sites/farms).
  • XML files – for more complex multi-site configurations. See Citrix Docs – Set up highly available multi-site store configurations

Note: if you have existing subscriptions/favorites, then enabling icon aggregation will cause the existing subscriptions to be ignored. You can migrate the existing subscriptions by exporting, modifying, and importing. See Subscriptions Missing after Enabling Aggregation at Citrix Discussions.

StoreFront in Multiple Datacenters

Stretching – Citrix does not support stretching a single StoreFront Server Group across multiple datacenters. Each datacenter is expected be a different StoreFront Server Group.

  • Citrix provides scaling guidance for up to 6 servers in a single StoreFront Server Group.

Management – Each StoreFront Server Group is managed separately.

  • Subscriptions/Favorites can be replicated between the two StoreFront Sever Groups.

Receiver Roaming – When Citrix Receiver switches between different StoreFront Server Groups in multiple datacenters, it’s possible for each datacenter to be treated as a separate Store, causing multiple Store entries in Receiver. This can be prevented by ensuring the following configurations are identical in both datacenters. Source = Juan Zevallos at Citrix Discussions:

  • Match the SRID – in StoreFront, if you use the same Base URL in the 2 separate installations, then the SRID should end up being identical. If the Base URL is changed after the initial setup, the SRID doesn’t change. The SRID can be safely edited in the \inetpub\wwwroot\Citrix\Roaming\web.config file. It will be replicated into the discovery servicerecord entry in the Store web.config, which can be edited as well, or refreshed from the admin console by going into Remote Access setup for the store, and hitting OK. Make sure to propagate changes to other servers in the group.
  • Match the Base URL
  • Match the Delivery Controller names under “Manage Delivery Controllers” – The XML brokers can be different, but the actual name of the Delivery Controller/Farms must be identical.

Typical Multi-Datacenter Configuration

Here’s a typical active/active Citrix Virtual Apps and Desktops configuration using separate sites/farms in each datacenter. Another option is zones.

  • Citrix Virtual Apps and Desktops Sites/Farms: Separate Citrix Virtual Apps and Desktops sites/farms in each datacenter.
    • The Delivery Controllers for each site/farm point to a SQL database in the local datacenter. There usually is no need to enable SQL failover across datacenters.
    • Each datacenter is managed separately. But Citrix Policies in a GPO can apply to both sites/farms.
    • An advantage of separate sites/farms is that you can upgrade one datacenter before upgrading the other.
  • StoreFront Server Groups: Separate StoreFront Server Groups in each datacenter.
    • Citrix doesn’t support stretching a single StoreFront Server Group across a WAN link.
    • Each Server Group is configured identically. You can export the config from one Server Group, and import it to the other. Or configure each of them separately, but identically. Identical means: same Base URL, same farms (Manage Delivery Controllers), same SRID, same Gateways, and same Beacons.
    • If subscriptions/favorites are enabled, use PowerShell commands to configure subscription replication between the two Server Groups.
  • StoreFront Load Balancing: Separate StoreFront load balancing VIP in each datacenter
    • Each Load Balancing VIP can be active/passive. Active = the StoreFront servers in the local datacenter. Passive = the StoreFront servers in the remote datacenter.
      • Create two Load Balancing vServers: one for local StoreFront, one for remote StoreFront. In the Active (local) Load Balancing vServer, add the Protection section, and configure the Backup (remote) vServer.
      • When the active StoreFront is down, Citrix Gateway will use StoreFront in the remote datacenter. However, the remote datacenter has its own Citrix Gateway, thus there will be two different Citrix Gateways connecting to one StoreFront Server Group. If you use SmartAccess or SAML and need the Callback URL, then you’ll need a special StoreFront configuration to handle the Callback URL from multiple Gateway appliances.
  • Icon aggregation: Configure StoreFront to aggregate icons from the two farms.
    • Use AD groups to specify a user’s home datacenter, which contains the user’s roaming profile and home directory.
    • Configure farm priority based on AD groups. For an aggregated icon, the AD group and farm priority determines which farm the icon is launched from.
  • External Citrix Gateways: Externally-accessible Citrix Gateway ICA Proxy VIPs in both datacenters.
    • The main Citrix Gateway DNS name is active/active GSLB. For example: citrix.company.com)
    • Each datacenter has a datacenter-specific GSLB active/passive DNS name for Citrix Gateway. For example: citrix-a.company.com, and citrix-b.company.com
    • The Gateway SSL certificate needs to match all three DNS names: the main active/active DNS name, and the two datacenter-specific active/passive DNS names.
  • Internal Citrix Gateways: Internally-accessible Citrix Gateway ICA Proxy VIPs in both datacenters for AppFlow reporting.
    • For AppFlow/Insight reporting, Citrix Gateway ICA Proxy is typically used internally too. If you don’t need AppFlow, then you don’t need internal Citrix Gateway.
    • To handle Single Sign-on from Receiver, internal Receivers will connect HTTP directly to StoreFront Load Balancing instead of proxied through Citrix Gateway.
      • This implies that you have separate DNS names for StoreFront and Citrix Gateway.
    • HDX Optimal Routing will force the ICA connection to go through Citrix Gateway instead of directly to the VDA.
    • HDX Optimal Routing is a global setting that applies to both internal and external users. The DNS name used by HDX Optimal Routing must be valid for both internal and external. If this is not the case, then you can deploy separate StoreFront servers for internal and external.
    • DNS:
      • The main Citrix Gateway DNS name is active/active GSLB. For example: citrix.company.com.
      • Each datacenter has a datacenter-specific GSLB active/passive DNS name for Citrix Gateway. For example: citrix-a.company.com, and citrix-b.company.com
      • The Gateway SSL certificate needs to match all three DNS names – the main active/active DNS name, and the two datacenter-specific active/passive DNS names.
  • Main StoreFront and Gateway FQDNs: separate FQDNs for StoreFront and Citrix Gateway.
    • Externally,  citrix.company.com resolves to a Citrix Gateway VIP.
    • Internally,  storefront.company.com resolves to a StoreFront Load balancing VIP.
    • Single FQDN usually causes more problems than it’s worth. If you don’t do Single FQDN, then you can hide the StoreFront DNS name by pushing the store configuration to Receiver using Group Policy. Browser users would only need to know the Citrix Gateway DNS name.
  • DNS Delegation for GSLB: multiple DNS names are delegated from internal DNS and public DNS to Citrix ADNS (internal and external) for GSLB.
    • Internal GSLB and public GSLB need to resolve citrix.company.com differently. Public GSLB should resolve it to public IPs. Internal GSLB should resolve it to internal IPs.
    • Combining internal and public GSLB on the same Citrix ADC is not recommended. Public GSLB should be handled by DMZ Citrix ADC appliances. Internal GSLB should be handled by Internal Citrix ADC appliances.
    • If you only have one Citrix ADC appliance for both internal and public, then see One appliance resolving a single DNS name differently for internal and public at GSLB Planning.
    • citrix.company.com is configured as Active/Active GSLB with Proximity Load Balancing, and Site Persistence equal or greater than StoreFront RfWeb timeout.
    • citrix-a.company.com is configured as Active/Passive GSLB with Datacenter A as the Active service.
    • citrix-b.company.com is configured as Active/Passive GSLB with Datacenter B as the Active service.
    • storefront.company.com is configured as Active/Active GSLB with Proximity Load Balancing, and Site Persistence equal or greater than StoreFront RfWeb timeout.
  • HDX Optimal Routing: Use HDX Optimal Routing to route ICA traffic through the Citrix Gateway that is closest to the destination farm. This requires datacenter-specific DNS names (e.g. citrix-a.company.com, citrix-b.company.com)
    • You can use one of these DNS names to connect to StoreFront in a specific datacenter, which is helpful for testing.
  • STAs: each StoreFront Server Group uses STAs in the local datacenter. Since ICA Traffic could end up on either Citrix ADC, all STAs must be added to all Citrix Gateways.
  • Beacons: the internal beacon is critical. If the internal beacon is down then Receiver Self-service won’t be able to determine if the client device is internal or not. GSLB can be used for the internal beacon DNS name.
  • Roaming Profiles: If you are running Citrix Virtual Apps and Desktops in multiple datacenters, you must design roaming profiles and home directories correctly.

Icon Aggregation and Home Sites

To configure icon aggregation using PowerShell, see CTA Dennis Span at Citrix StoreFront Multi-Site Aggregation with PowerShell at CUGC. The PowerShell cmdlets include the following:

  • New-STFEquivalentFarmset
  • Add-STFUserFarmMapping

To configure icon aggregation using the StoreFront Console:

  1. In StoreFront Console, go to Stores.
  2. In the middle, right-click your Store, and click Manage Delivery Controllers.
  3. Add multiple sites/farms. Typically, each datacenter is a separate farm.
  4. After adding multiple farms, the Configure button becomes available. Click it.
  5. If you are publishing identical resources from multiple farms, click the link to Aggregate resources.
  6. In the Aggregate Resources dialog box, do the following:
    1. Select the farms with identical resources that you want to aggregate.
    2. Notice the checkboxes on the bottom. If your goal is to configure home sites, then make sure you uncheck Load balance resources across controllers.
    3. Click the Aggregate button to move them up to the Aggregated section.
    4. Note: if you have existing subscriptions/favorites, then enabling icon aggregation will cause the existing subscriptions to be ignored. You can migrate the existing subscriptions/favorites by exporting, modifying, and importing. See Subscriptions Missing after Enabling Aggregation at Citrix Discussions.
    5. Click OK when done.
  7. Back in the Configure User Mapping and Multi-Site Aggregation window, click Map users to controllers.
  8. In the Create User Mapping wizard, do the following:
    1. If you want the same farm failover order (active/passive) or farm load balancing settings for everyone, then leave the User Groups page set to Everyone. Or if you intend to have different home sites for different users, add a user group that contains the users that will be homed to a particular datacenter. You can run this wizard multiple times to specify different home sites for different user groups. Click Next.
    2. In the Controllers page, click Add.
    3. Select the farms that these users will have access to, and click OK.
    4. If you configured farm aggregation without load balancing, then use the up and down arrow buttons to put the active site/farm for this group of users on top. The lower priority sites will only be accessed if the primary site is down. You can run this wizard multiple times to specify different active sites for different users.
    5. If farm aggregation is configured for load balancing, then there are no arrows to prioritize the farms.
    6. Click Create.
  9. You can click Add to add more user mappings. If you add multiple user groups, you can assign different primary sites/farms to each Active Directory group. This is how you configure “home sites”. Click OK twice when done.

Shaun Ritchie Citrix StoreFront High Availability and Aggregation – A dual site Active Active design has a sample multi-site configuration using XML Notepad and explains how to use the Primary and Secondary keywords to override farm priority order.

Citrix Blogs StoreFront Multi-Site Settings: Some Examples has example XML configurations for various multi-datacenter Load Balancing and failover scenarios.

HDX Optimal Routing

The Optimal Gateway feature lets you control the Citrix Gateway used for ICA connections. Here are some scenarios where this would be useful:

  • Multi-site Load Balancing. If the icon selected by the user is published from Citrix Virtual Apps and Desktops in Datacenter A, then you probably want the ICA connection to go through a Citrix Gateway Virtual Server in Datacenter A.
    • If the main DNS name for accessing Citrix Gateway is GSLB load balanced across datacenters, then you need additional datacenter-specific DNS names so you can control which datacenter the ICA connection goes through.
    • Note: Optimal Gateway is configured at the farm/site level, or zone level.
  • Citrix Gateway for internal connections (AppFlow). If you want to force internal ICA connections to go through Citrix Gateway so AppFlow data can be sent to Citrix Application Delivery Management (ADM), then you can do that using HDX Optimal Gateway, even if the user originally connected directly to the StoreFront server. See CTX200129 How to Force Connections through NetScaler Gateway Using Optimal Gateways Feature of StoreFront for more information.
  • The Citrix Gateway Virtual Server requires user certificates. If ICA traffic goes through a Citrix Gateway Virtual Server that requires user certificates (e.g. Smart Card), then each session launch will result in a PIN prompt. To prevent these extra prompts, build a separate Citrix Gateway Virtual Server that doesn’t have user certificates as Mandatory. Use Optimal Gateway to force ICA connections through the other Citrix Gateway Virtual Server. Note: SmartAccess Callback URL also cannot use a Citrix Gateway Virtual Server where client certificates are set to Mandatory, so the extra Citrix Gateway Virtual Server would be useful for that scenario too.

HDX Optimal Gateway can be configured in the StoreFront Console:

  1. Right-click the Stores node, and click Manage Citrix Gateways.
  2. Add more Citrix Gateways: one for each datacenter.
  3. When adding a Gateway, you can designate a Usage or role.
    1. The Gateway accessed through the active/active GSLB DNS name must be set to Authentication and HDX routing.
    2. The Gateways for Optimal Routing could be set to HDX routing only. Or if test users will use these datacenter-specific DNS names to connect to Gateways in specific datacenters, leave them set to Authentication and HDX routing. There’s no harm in leaving all of the Gateways set to Authentication and HDX routing.
  4. Go to Stores, right-click your store in the middle pane, and click Configure Store Settings.
  5. Go to the Optimal HDX Routing page.
  6. Highlight one of the datacenter-specific Gateways, and click Manage Delivery Controllers.
  7. Select the farms that should use this gateway, and click OK.
  8. Repeat for the other datacenter-specific Gateways.
  9. The Gateway for the active/active GSLB-enabled DNS name doesn’t need any farms associated with it.
  10. If you want to use Citrix Gateway internally for AppFlow reporting, then uncheck the External only checkbox.

    1. Another option for Optimal Gateway selection is zones. In XenApp/XenDesktop 7.7 and newer and Citrix Virtual Apps and Desktops, you can stretch a farm across datacenters (zones), and use a different Gateway for each zone. Highlight a Gateway. Click Manage Zones, and add the zone name. This assumes the zone name has also been specified in the Manage Delivery Controllers dialog box > Advanced Settings.
  11. Click OK when done.
  12. In summary, users will connect to the active/active GSLB-enabled Gateway and login. After clicking an icon, HDX will be routed through one of the datacenter-specific Gateways based on the farm the icon was launched from.

Multiple Gateways (GSLB) to One StoreFront Server Group

This section applies to SmartAccess, or SAML, and the Callback URL. If you don’t need the Callback URL for SmartAccess or SAML, then skip this section.

The Callback URL must go to the same Citrix ADC appliance that authenticated the user. If you have multiple Citrix ADC appliance pairs communicating with a single StoreFront server, then StoreFront needs to identify which Citrix ADC appliance pair the request came from, so it can perform a callback to that particular appliance pair.

If each of the Citrix Gateways uses the same DNS name (e.g. GSLB), then you can’t use the DNS name to distinguish one appliance from the other. Instead, StoreFront can use the Gateway VIP to distinguish appliances so the callback goes to the correct appliance.

  1. Create datacenter-specific callback DNS names. For example: callback-a.corp.com and callback-b.corp.com.
  2. The datacenter-specific callback DNS name must match the certificate on the Citrix Gateway Virtual Server that is handling the callback. Here are some options to handle the certificate requirement:
    • On the main Citrix Gateway Virtual Server, assign a wildcard certificate that matches both the GSLB name, and the datacenter-specific callback name.
    • On the main Citrix Gateway Virtual Server, assign an SSL certificate with Subject Alternative Names for both the GSLB name, and the datacenter-specific callback name.
    • Create an additional Citrix Gateway Virtual Server on the appliance. Bind a certificate that matches the datacenter-specific callback name.
  3. In the StoreFront console, create multiple Citrix Gateway appliances, one for each datacenter.
  4. Give each of the gateway objects unique Display names. You can’t have two Gateway objects with the same display name.
  5. Enter the same Citrix Gateway URL in all of the gateway appliances.

  6. In the Authentication Settings page, in the VServer IP address field, enter the Gateway VIP for this particular appliance pair. StoreFront will use this VIP to distinguish one Citrix ADC appliance from another.
    • When users use HTTP to connect to a Citrix Gateway for authentication and icon enumeration, when Citrix Gateway communicates with StoreFront, Citrix Gateway inserts its VIP into a HTTP Header field named X-Citrix-Via-VIP. StoreFront reads this VIP header, and compares it to the Gateway objects bound to the Store. If there’s a match, StoreFront uses the Callback URL configured for that Gateway object.
  7. The callback URL must be unique for each Citrix ADC appliance pair (e.g. callback-a.corp.com). The callback URL must resolve to a Citrix Gateway VIP on the same appliance pair that authenticated the user.

  8. When enabling Remote Access on the store, select both Gateway appliances. Select one as the default appliance. It shouldn’t matter which one is default.

Related Pages

Virtual Delivery Agent (VDA) 7.8

Last Modified: Nov 7, 2020 @ 6:35 am

Navigation

💡 = Recently Updated

Hardware

  1. If vSphere 6, don’t use hardware version 11 unless you have NVIDIA GRID. VMware 2109650 – Video playback performance issue with hardware version 11 VMs in 2D mode
  2. For virtual desktops, give the virtual machine: 2+ vCPU and 2+ GB of RAM
  3. For Windows 2008 R2 RDSH, give the virtual machine 4 vCPU and 12-24 GB of RAM
  4. For Windows 2012 R2 RDSH, give the virtual machine 8 vCPU, and 24-48 GB of RAM
  5. Remove the floppy drive
  6. Remove any serial or LPT ports
  7. If vSphere:
    1. To reduce disk space, reserve memory. Memory reservations reduce or eliminate the virtual machine .vswp file.
    2. The NIC should be VMXNET3.
  8. If this VDA will boot from Provisioning Services:
    1. Give the VDA extra RAM for caching.
    2. Do not enable Memory Hot Plug
    3. For vSphere, the NIC must be VMXNET3.
    4. For vSphere, configure the CD-ROM to boot from IDE instead of SATA. SATA comes with VM hardware version 10. SATA won’t work with PvS.
  9. Install the latest version of drivers (e.g. VMware Tools).
    1. If Windows 7 on vSphere, don’t install the VMware SVGA driver. For more details, see CTX201804 Intermittent Connection Failures/Black Screen Issues When Connecting from Multi-Monitor Client Machines to Windows 7 VDA with VDA 7.x on vSphere/ESXi.

If vSphere, disable NIC Hotplug

  1. Users could use the systray icon to Eject the Ethernet Controller. Obviously this is bad.
  2. To disable this functionality, power off the virtual machine.
  3. Once powered off, right-click the virtual machine and click Edit Settings.
  4. On the VM Options tab, expand Advanced and then click Edit Configuration.
  5. Click Add Row.
  6. On the left, enter devices.hotplug. On the right, enter false.
  7. Then click OK a couple times to close the windows.
  8. The VM can then be powered on.

Windows Preparation

  1. If RDSH, disable IE Enhanced Security Config
  2. Optionally, go to Action Center (Windows 8.1 or 2012 R2) or Security and Maintenance (Windows 10) to disable User Account Control and enable SmartScreen .
  3. Run Windows Update.
  4. If Windows Firewall is enabled:
    1. Enable File Sharing so you can access the VDA remotely using SMB
    2. Enable COM+ Network Access and the three Remote Event Log rules so you can remotely manage the VDA.

  5. Add your Citrix Administrators group to the local Administrators group on the VDA.
  6. The Remote Desktop Services “Prompt for Password” policy prevents Single Sign-on to the Virtual Delivery Agent. Check registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. If fPromptForPassword = 1 then you need to fix group policy. The following GPO setting will prevent Single Sign-on from working.
    Computer Configuration Policies Administrative templates Windows Components Remotes Desktop Services Remote desktop Session Host Security Always prompt for password upon connection
    Or set the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PorticaAutoLogon (DWORD) = 0x10.
  7. For Windows 7 VDAs that will use Personal vDisk, install Microsoft hotfix 2614892 – A computer stops responding because of a deadlock situation in the Mountmgr.sys driver. This hotfix solved a Personal vDisk Image update issue detailed at Citrix Discussions.
  8. If this VDA is Windows Server 2008 R2, request and install the Windows hotfixes recommended by Citrix CTX129229. Scroll down to see the list of recommended Microsoft hotfixes for Windows Server 2008 R2. Ignore the XenApp 6.x portions of the article. Also see https://www.carlstalhood.com/windows-server-2008-r2-post-sp1-hotfixes/.
  9. To remove the built-in apps in Windows 10, see Robin Hobo How to remove built-in apps in Windows 10 Enterprise.
  10. For Remote Assistance in Citrix Director, configure the GPO setting Computer Configuration | Policies | Administrative Templates | System | Remote Assistance | Offer Remote Assistance. See Jason Samuel – How to setup Citrix Director Shadowing with Remote Assistance using Group Policy for more details.
  11. If you intend to use Citrix’s SCOM Management Packs for XenApp/XenDesktop, make sure WinRM is enabled on the VDA by running winrm quickconfig.

Install Virtual Delivery Agent 7.8

  1. For virtual desktops, make sure you are logged into the console. The VDA won’t install if you are connected using RDP.
  2. Make sure 8.3 file name generation is not disabled. If so, see CTX131995 User Cannot Launch Application in Seamless Mode to fix the AppInit_DLLs registry keys.
  3. Make sure .NET Framework 4.5.1 is installed.
  4. CTX212981 Error Upgrading VDA on Server 2012 R2 from 7.7 to 7.8 – uninstall Microsoft hotfixes KB3092630, KB3139923 & KB3075249.  Also see Citrix VDA Upgrade issues by THOMAS KÖTZING
  5. Go to the downloaded XenDesktop 7.8 (XenDesktop Platinum, XenDesktop Enterprise, XenApp Platinum, or XenApp Enterprise) .iso file and run AutoSelect.exe. Alternatively, you can download the standalone VDA package and run that instead.
  6. Click Start next to either XenApp or XenDesktop. The only difference is the product name displayed in the installation wizard.
  7. Click Virtual Delivery Agent for Windows Desktop OS or Windows Server OS depending on which type of VDA you are building.
  8. In the Environment page, select Create a Master Image and click Next.
  9. For virtual desktops, in the HDX 3D Pro page, click Next.
  10. In the Core Components page, if you don’t need Citrix Receiver installed on your VDA then uncheck the box. Click Next.
  11. In the Delivery Controller page, select Do it manually. Enter the FQDN of each Controller. Click Test connection. And then make sure you click Add. Click Next when done.
  12. In the Features page, click Next. If this is a virtual desktop, you can leave Personal vDisk unchecked now and enable it later.
  13. In the Firewall page, click Next.
  14. In the Summary page, click Install.
  15. For RDSH, click Close when you are prompted to restart.
  16. After the machine reboots twice, login and installation will continue.
  17. Note: NT SERVICE\CitrixTelemetryService needs permission to login as a service.
  18. After installation, click Finish to restart the machine again.
  19. If 8.3 file name generation is disabled, see CTX131995 User Cannot Launch Application in Seamless Mode to fix the AppInit_DLLs registry keys.

Controller Registration Port

Some environments will not accept the default port 80 for Virtual Delivery Agent registration. To change the port, do the following on the Virtual Delivery Agent:

  1. Open Programs and Features.
  2. Find Citrix Virtual Delivery Agent and click Change.
  3. Click Customize Virtual Delivery Agent Settings.
  4. Edit the Delivery Controllers and click Next.
  5. On the Configure Delivery Controller page, change the port number and click Next.
  6. In the Features page, click Next.
  7. In the Summary page, click Reconfigure.
  8. In the Finish Reconfiguration page, click Finish.
  9. Verify that the registry values WCF_Port and ControllerRegistrarPort were changed to the new port as detailed at unable to change VDA registration port in XD 7.8/VDA 7.8 at Citrix Discussions.  💡
  10. You must also change the VDA registration port on the Controllers by running BrokerService.exe /VDAPort.

Controller Registration – Verify

  1. If you restart the Virtual Delivery Agent machine or restart the Citrix Desktop Service
  2. In Windows Logs Application log, you should see an event 1012 from Citrix Desktop Service saying that it successfully registered with a controller. If you don’t see this then you’ll need to fix the ListOfDDCs registry key.
  3. You can also run Citrix’s Health Assistant on the VDA.

Call Home

VDA 7.8 has a new Telemetry Service to collect diagnostics info. You can run PowerShell commands to enable the service and schedule automatic uploads to Citrix Insight Services.

See Citrix Blog Post Citrix Call Home Technology Preview for details.

Profile Management 5.4.1

Warning: If you are upgrading and have existing Windows 2012 R2 profiles based on the !CTX_OSNAME! variable, see http://discussions.citrix.com/topic/374111-psa-upm-54-ctx-osname-server-2012-value-change/ for why your profiles might stop working.

  1. Go to the downloaded Profile Management 5.4.1 and run profilemgt_x64.msi.
  2. In the Welcome to the Citrix Profile Management Setup Wizard page, click Next.
  3. In the End-User License Agreement page, check the box next to I accept the terms in the License Agreement and click Next.
  4. In the Destination Folder page, click Next.
  5. In the Ready to install Citrix Profile Management page, click Install.
  6. If you see Files in Use, click OK.
  7. Click OK to continue the installation.
  8. In the Completed the Citrix Profile Management Setup Wizard page, click Finish.
  9. Click Yes when prompted to restart.
  10. UPM 5.4.1 breaks Logon Duration in Citrix Director. To fix it, run the following commands:
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe "C:\Program Files\Citrix\Virtual Desktop Agent\upmWmiMetrics.dll"
    
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe "C:\Program Files\Citrix\Virtual Desktop Agent\upmWmiAdmin.dll"


  11. See the Profile Management page for configuration instructions.

Upgrade to Receiver 4.4.2000

VDA 7.8 does not include this update.

If Receiver is installed on your VDA, upgrade it to version 4.4.2000  💡

  1. Go to the downloaded Receiver 4.4.2000 and run CitrixReceiver.exe.
  2. In the Welcome to Citrix Receiver page, click Start.
  3. In the License Agreement page, check the box next to I accept the license agreement and click Next.
  4. If you see the Enable Single Sign-on page, check the box next to Enable Single Sign-on and click Next.
  5. In the Help make our products better page, make your selection and click Install.
  6. After installation, click Finish.
  7. See the Receiver page for configuration instructions.

HTML5 App Switcher 2.0.2

This tool is no longer needed for Receiver for HTML5 2.0 and newer.

  1. .NET Framework 4.0.3 or newer is required.
  2. Go to the downloaded Receiver for HTML5 App Switcher (Citrix_AppSwitcher_2.0.2) and run AppSwitcher.msi.
  3. Check the box next to I accept the terms and click Install.
  4. In the Completed the App Switcher Setup Wizard page, click Finish.

  5. In Programs and Features, it is shown as version 2.0.2.25.

Citrix PDF Printer 7.8.0

This tool is only used by Receiver for HTML5.

  1. Go to the downloaded Receiver for HTML5 Citrix PDF Printer 7.8.0 (under Additional Components) and run CitrixPDFPrinter64.msi.
  2. In the Please read the Citrix PDF printer License Agreement page, check the box next to I accept the terms and click Install.
  3. In the Completed the Citrix PDF Universal Driver Setup Wizard page, click Finish.
  4. In Programs and Features, it is shown as version 7.8.0.10.
  5. Configure a Citrix Policy to enable the PDF printer. The setting is called Auto-create PDF Universal Printer.

Framehawk Configuration

To enable Framehawk, see https://www.carlstalhood.com/citrix-policy-settings/#framehawkconfig

Remote Desktop Licensing Configuration

On 2012 R2 RDSH, the only way to configure Remote Desktop Licensing is using group policy (local or domain). This procedure also works for 2008 R2 RDSH. This procedure is not needed on virtual desktops.

  1. For local group policy, run gpedit.msc.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
  3. Double-click Use the specified Remote Desktop license servers. Change it to Enabled and enter the names of the RDS Licensing Servers (typically installed on XenDesktop Controllers). Click OK.
  4. Double-click Set the Remote Desktop licensing mode. Change it to Enabled and select Per User. Click OK.
  5. In Server Manager, open the Tools menu, expand Terminal Services and click RD Licensing Diagnoser.
  6. The Diagnoser should find the license server and indicate the licensing mode. It’s OK if there are no licenses installed on the Remote Desktop License Server.

Several people in Citrix Discussions reported the following issue: If you see a message about RD Licensing Grace Period has expired even though RD Licensing is properly configured, see Eric Verdumen No remote Desktop Licence Server availible on RD Session Host server 2012. The solution was to delete the REG_BINARY in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod only leaving the default. You must take ownership and give admin users full control to be able to delete this value.

C: Drive Permissions

This section is more important for shared VDAs like Windows 2008 R2 and Windows 2012 R2.

The default permissions allow users to store files on the C: drive in places other than their profile.

  1. Open the Properties dialog box for C:.
  2. On the Security tab, click Advanced.
  3. Highlight the line containing Users and Create Folders and click Remove.
  4. Highlight the line containing Users and Special and click Remove. Click OK.
  5. Click Yes to confirm the permissions change.
  6. If you see any of these Error Applying Security windows, click Continue.
  7. Click OK to close the C: drive properties.

Pagefile

If this image will be converted to a Provisioning Services vDisk, then you must ensure the pagefile is smaller than the cache disk. For example, if you allocate 20 GB of RAM to your Remote Desktop Session Host, and if the cache disk is only 15 GB, then Windows will have a default pagefile size of 20 GB and Provisioning Services will be unable to move it to the cache disk. This causes Provisioning Services to cache to server instead of caching to your local cache disk (or RAM).

  1. Open System. In 2012 R2, you can right-click the Start button and click System.
  2. Click Advanced system settings.
  3. On the Advanced tab, click the top Settings button.
  4. On the Advanced tab, click Change.
  5. Either turn off the pagefile or set the pagefile to be smaller than the cache disk. Don’t leave it set to System managed size. Click OK several times.

Direct Access Users

When Citrix Virtual Delivery Agent is installed on a machine, non-administrators can no longer RDP to the machine. A new local group called Direct Access Users is created on each Virtual Delivery Agent. Add your non-administrator RDP users to this local group so they can RDP directly to the machine.

Windows Profiles v3/v4/v5

Roaming Profiles are compatible only between the following client and server operating system pairs. The profile version is also listed.

  • v5 = Windows 10 and Windows Server 2016
  • v4 = Windows 8.1 and Windows Server 2012 R2
  • v3 = Windows 8 and Windows Server 2012
  • v2 = Windows 7 and Windows Server 2008 R2
  • v2 = Windows Vista and Windows Server 2008

Windows 8.1 and 2012 R2 don’t properly set the profile version. To fix this, ensure update rollup 2887595 is installed. http://support.microsoft.com/kb/2890783. After you apply this update, you must create a registry key before you restart the computer.

  1. Run regedit.
  2. Locate and then tap or click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\ProfSvc\Parameters
  3. On the Edit menu, point to New, and then tap or click DWORD Value.
  4. Type UseProfilePathExtensionVersion.
  5. Press and hold or right-click UseProfilePathExtensionVersion, and then tap or click Modify.
  6. In the Value data box, type 1, and then tap or click OK.
  7. Exit Registry Editor.

Then, Windows 8.1 creates a user profile and appends the suffix “.v4” to the profile folder name to differentiate it from version 2 of the profile in Windows 7 and version 3 of the profile in Windows 8.

Registry

HDX Flash

From Citrix Knowledgebase article CTX139939 – Microsoft Internet Explorer 11 – Citrix Known Issues: The registry key value IEBrowserMaximumMajorVersion is queried by the HDX Flash service to check for maximum Internet Explorer version that HDX Flash supports. For Flash Redirection to work with Internet Explorer 11 set the registry key value IEBrowserMaximumMajorVersion to 11 on the machine where HDX flash service is running. In case of XenDesktop it would be the machine where VDA is installed.

  • Key = HKLM\SOFTWARE\Wow6432Node\Citrix\HdxMediaStreamForFlash\Server\PseudoServer
    • Value = IEBrowserMaximumMajorVersion (DWORD) = 00000011 (Decimal)

From Citrix Discussions: Add the DWORD ‘FlashPlayerVersionComparisonMask=0′ on the VDA under HKLM\Software\Wow6432Node\Citrix\HdxMediaStreamForFlash\Server\PseudoServer.  This disables the Flash major version checking between the VDA and Client Device.

Published Explorer

This section applies if you intend to publish apps from this VDA.

From Citrix Knoweldgebase article CTX128009 – Explorer.exe Fails to Launch: When publishing the seamless explorer.exe application, the session initially begins to connect as expected. After the loading, the dialog box disappears and the explorer application fails to appear. On the VDA, use the following registry change to set the length of time a client session waits before disconnecting the session:

  • Key = HKLM\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
    • Value = LogoffCheckerStartupDelayInSeconds (DWORD) = 10 (Hexadecimal)

Mfaphook – 8.3 File Names

  1. Open a command prompt.
  2. Switch to C:\ by running cd /d C:\
  3. Run dir /x program*
  4. If you don’t see PROGRA~1 then 8.3 is disabled. This will break Citrix.
  5. If 8.3 is disabled, open regedit and go to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows.
  6. On the right is AppInit_DLLs. Edit it and remove the path in front of MFAPHOOK64.DLL.


Logon Disclaimer Window Size

From Xenapp 7.8 – Session Launch Security/Warning Login Banner at Citrix Discussions: If your logon disclaimer window has scroll bars, set the following registry values:

HKLM\Software\Wow6432node\Citrix\CtxHook\AppInit_DLLS\Multiple Monitor Hook\LogonUIWidth = DWORD:300
HKLM\Software\Wow6432node\Citrix\CtxHook\AppInit_DLLS\Multiple Monitor Hook\LogonUIHeight = DWORD:200

Login Timeout

Citrix CTX203760 VDI Session Launches Then Disappears: XenDesktop, by default, only allows 180 seconds to complete a logon operation. The timeout can be increased by setting the following:

HKLM\SOFTWARE\Citrix\PortICA

Add a new DWORD AutoLogonTimeout and set the value to decimal 240 or higher (up to 3600).

Also see Citrix Discussions Machines in “Registered” State, but VM closes after “Welcome” screen.

Receiver for HTML5 Enhanced Clipboard

From About Citrix Receiver for Chrome 1.9 at docs.citrix.com: To enable enhanced clipboard support, set registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard\Additional Formats\HTML Format\Name=”HTML Format”. Create any missing registry keys. This applies to both virtual desktops and Remote Desktop Session Hosts.

4K Monitors

Citrix CTX201696 – Citrix XenDesktop and XenApp – Support for Monitors Including 4K Resolution and Multi-monitors: Up to eight 4K monitors are supported with the Std-VDA and RDS VDA irrespective of underlying GPU support, provided the required policies and/or registry keys are correctly configured. Currently the Std-VDA for XenDesktop and RDS-VDA for XenApp does not support resolutions higher than 4094 in any dimension.

Framehawk currently does not support 4K monitors. At the time of writing, the number of monitors supported is 1, the use of more monitors will cause the graphics mode to change from Framehawk to Thinwire to support multi-monitor.  The maximum resolution supported by Framehawk is currently 2048×2048.

From CTX200257 – Screen Issues Connecting to 4K Resolution Monitors: Symptom: A blank or corrupt screen is displayed when connecting to Windows 7 or 8.1 Standard XenDesktop Virtual Delivery Agents on a client which has one or more 4K resolution monitors.

  1. Calculate the video memory that is required for 4K monitor using the following formula:
    Sum of total monitors (Width * height * 4 * X) where width and height are resolution of the monitor.
    X = 2 if VDA is Windows 7 OR X = 3 if VDA is Windows 88.1
    Suppose a Windows 7 VDA is connecting to a client that has dual 4K monitors (3840×2160), then video buffer should be: (3840 x 2160 x 4 x 2) + (3840 x 2160 x 4 x 2) = ~132MB
  2. Open the registry (regedit) and navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vd3v
  3. Increase the value of “MaxVideoMemoryBytes” REG_DWORD value to the above calculated memory.
  4. Reboot the VDA.

When using Thinwire, Compatibility, Thinwire Plus or Legacy modes, the Display memory Limit policy needs to be configured appropriately for Std-VDA, as per Graphics Policy Settings at docs.citrix.com. The Default value for Display memory Limit is 65536KB and this is sufficient up to 2x4K monitors (2x32400KB). You can find more information on Graphics modes at Citrix Blogs – Site Wide View of HDX Graphics Modes.

Legacy Client Drive Mapping

Citrix Knowledgebase article How to Enable Legacy Client Drive Mapping Format on XenApp: Citrix Client Drive Mapping no longer uses drive letters and instead they appear as local disks. This is similar to RDP drive mapping.

The old drive letter method can be enabled by setting the registry value:

  • Key = HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\UncLinks (create the key)
    • Value = UNCEnabled (DWORD) = 0

When you reconnect, the client drives will be mapped as drive letters (starts with V: and goes backwards).

COM/LPT Port Redirection

To signal Citrix’ intention to deprecate COM and LPT support in a future major release, policy settings for COM Port and LPT Port Redirection have moved from Studio to the registry, and are now located under HKLM\Software\Citrix\GroupPolicy\Defaults\Deprecated on either your Master VDA image or your physical VDA machines. The COM/LPT port registry values are detailed at docs.citrix.com.

Print Driver for Non-Windows Clients

This section applies to Windows 2012 R2, Windows 8.1, and Windows 10 VDAs.

From Mac Client Printer Mapping Fix for Windows 8/8.1 and Windows Server 2012/2012R2. By default, Non-Windows clients cannot map printers due to a missing print driver on the VDA machine.

  1. Requirements:
    • Internet Access
    • Windows Update service enabled
  2. Click Start and run Devices and Printers.
  3. In the Printers section, highlight a local printer (e.g. Microsoft XPS Document Writer). Then in the toolbar click Print server properties.
  4. Switch to the Drivers tab. Click Change Driver Settings.
  5. Then click Add.
  6. In the Welcome to the Add Printer Driver Wizard page, click Next.
  7. In the Processor Selection page, click Next.
  8. In the Printer Driver Selection page, click Windows Update. The driver we need won’t be in the list until you click this button. Internet access is required.
  9. Once Windows Update is complete, highlight HP on the left and then select HP Color LaserJet 2800 Series PS (Microsoft) on the right. Click Next.
  10. In the Completing the Add Printer Driver Wizard page, click Finish.
  11. Repeat these instructions to install the following additional drivers:
    • HP LaserJet Series II
    • HP Color LaserJet 4500 PCL 5

SSL for VDA

If you intend to use HTML5 Receiver internally, install certificates on the VDAs so the WebSockets (and ICA) connection will be encrypted. Internal HTML5 Receivers will not accept clear text WebSockets. External users don’t have this problem since they are SSL-proxied through NetScaler Gateway. Notes:

  • Each Virtual Delivery Agent needs a machine certificate that matches the machine name. This is feasible for a small number of persistent VDAs. For non-persistent VDAs, you’ll need some automatic means for creating machine certificates every time they reboot.
  • As detailed in the following procedure, use PowerShell on the Controller to enable SSL for the Delivery Group. This forces SSL for every VDA in the Delivery Group, which means every VDA in the Delivery Group must have SSL certificates installed.

The Citrix blog post How To Secure ICA Connections in XenApp and XenDesktop 7.6 using SSL has a method for automatically provisioning certificates for pooled virtual desktops by enabling certificate auto-enrollment and setting up a task that runs after the certificate has been enrolled. Unfortunately this does not work for Remote Desktop Session Host.

The following instructions can be found at Configure SSL on a VDA using the PowerShell script at docs.citrix.com.

  1. On the VDA machine, run mmc.exe.
  2. Add the Certificates snap-in.
  3. Point it to Local Computer.
  4. Request a certificate from your internal Certificate Authority. You can use either the Computer template or the Web Server template.

    You can also use group policy to enable Certificate Auto-Enrollment for the VDA computers.
  5. Browse to the XenApp/XenDesktop 7.8 ISO. In the Support\Tools\SslSupport folder, shift+right-click the Enable-VdaSSL.ps1 script and click Copy as path.
  6. Run PowerShell as administrator (elevated).
  7. Run the command Set-ExecutionPolicy unrestricted. Enter Y to approve.
  8. In the PowerShell prompt, type in an ampersand (&), and a space.
  9. Right-click the PowerShell prompt to paste in the path copied earlier.
  10. At the end of the path, type in -Enable
  11. If there’s only one certificate on this machine, press Enter.
  12. If there are multiple certificates, you’ll need to specify the thumprint of the certificate you want to use. Open the Certificates snap-in, open the properties of the machine certificate you want to use, and copy the Thumbprint from the Details tab.

    In the PowerShell prompt, at the end of the command, enter ?CertificateThumbPrint, add a space, and type quotes (").
    Right-click the PowerShell prompt to paste the thumbprint.
    Type quotes (") at the end of the thumbprint. Then remove all spaces from the thumbprint. The thumbprint needs to be wrapped in quotes.
  13. If this VDA machine has a different service already listening on 443 (e.g. IIS), then the VDA needs to use a different port for SSL connections. At the end of the command in the PowerShell prompt, enter -SSLPort 444 or any other unused port.
  14. Press <Enter> to run the Enable-VdaSSL.ps1 script.
  15. Press <Y> twice to configure the ACLs and Firewall.
  16. You might have to reboot before the settings take effect.
  17. Login to a Controller and run PowerShell as Administrator (elevated).
  18. Run the command asnp Citrix.*
  19. Enter the command:
    Get-BrokerAccessPolicyRule -DesktopGroupName '<delivery-group-name>' | Set-BrokerAccessPolicyRule ?HdxSslEnabled $true

    where <delivery-group-name> is the name of the Delivery Group containing the VDAs.

  20. You can run Get-BrokerAccessPolicyRule -DesktopGroupName '<delivery-group-name>' to verify that HDX SSL is enabled.
  21. Also run the following command:
    Set-BrokerSite –DnsResolutionEnabled $true

You should now be able to connect to the VDA using the HTML5 Receiver from internal machines.

Anonymous Accounts

If you intend to publish apps anonymously then follow this section.

  1. Anonymous accounts are created locally on the VDAs. When XenDesktop creates Anon accounts it gives them an idle time as specified at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\AnonymousUserIdleTime. The default is 10 minutes. Adjust as desired.
  2. You can pre-create the Anon accounts on the VDA by running “C:\Program Files\Citrix\ICAConfigTool\CreateAnonymousUsersApp.exe”. If you don’t run this tool then Virtual Delivery Agent will create them automatically when users log in.
  3. You can see the local Anon accounts by opening Computer Management, expanding System Tools, expand Local Users and Groups and clicking Users.
  4. If you open one of the accounts, on the Sessions tab, notice that idle timeout defaults to 10 minutes. Feel free to change it.

Group Policy for Anonymous Users

Since Anonymous users are local accounts on each Virtual Delivery Agent, domain-based GPOs will not apply. To work around this limitation, you’ll need to edit the local group policy on each Virtual Delivery Agent.

  1. On the Virtual Delivery Agent, run gpedit.exe.
  2. Open the File menu and click Add/Remove Snap-in.
  3. Highlight Group Policy Object Editor and click Add to move it to the right.
  4. In the Welcome to the Group Policy Wizard page, click Browse.
  5. On the Users tab, select Non-Administrators.
  6. Click Finish.
  7. Now you can configure group policy to lockdown sessions for anonymous users. Since this is a local group policy, you’ll need to repeat the group policy configuration on every Virtual Delivery Agent image. Also, Group Policy Preferences is not available in local group policy.

Antivirus

Install antivirus using your normal procedure. Instructions vary for each Antivirus product.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Citrix’s Recommended Antivirus Exclusions

Citrix CTX127030 Citrix Guidelines for Antivirus Software Configuration: Based on Citrix Consulting’s field experience, organizations might wish to consider configuring antivirus software on session hosts with the settings below.

  • Scan on write events or only when files are modified. It should be noted that this configuration is typically regarded as a high security risk by most antivirus vendors. In high-security environments, organizations should consider scanning on both read and write events to protect against threats that target memory, such as Conficker variants.
  • Scan local drives or disable network scanning. This assumes all remote locations, which might include file servers that host user profiles and redirected folders, are being monitored by antivirus and data integrity solutions.
  • Exclude the pagefile(s) from being scanned.
  • Exclude the Print Spooler directory from being scanned.
  • Remove any unnecessary antivirus related entries from the Run key (HKLM\Software\Microsoft\Windows\Current Version\Run).
  • If using the streamed user profile feature of Citrix Profile management, ensure the antivirus solution is configured to be aware of Hierarchical Storage Manager (HSM) drivers.

Symantec

Symantec links:

Non-persistent session hosts:

After you have installed the Symantec Endpoint Protection client and disabled Tamper Protection, open the registry editor on the base image.

  1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC.
  2. Create a new key named Virtualization.
  3. Under Virtualization, create a key of type DWORD named IsNPVDIClient and set it to a value of 1.

To configure the purge interval for offline non-persistent session host clients:

  1. In the Symantec Endpoint Protection Manager console, on the Admin page, click Domains.
  2. In the Domains tree, click the desired domain.
  3. Under Tasks, click Edit Domain Properties.
  4. On the Edit Domain Properties > General tab, check the Delete non-persistent VDI clients that have not connected for specified time checkbox and change the days value to the desired number. The Delete clients that have not connected for specified time option must be checked to access the option for offline non-persistent VDI clients.
  5. Click OK.

Make the following changes to the Communications Settings policy:

  1. Configure clients to download policies and content in Pull mode
  2. Disable the option to Learn applications that run on the client computers
  3. Set the Heartbeat Interval to no less than one hour
  4. Enable Download Randomization, set the Randomization window for 4 hours

Make the following changes to the Virus and Spyware Protection policy:

  1. Disable all scheduled scans
  2. Disable the option to “Allow startup scans to run when users log on” (This is disabled by default)
  3. Disable the option to “Run an ActiveScan when new definitions Arrive”

Avoid using features like application learning which send information to the SEPM and rely on client state to optimize traffic flow

Linked clones:

To configure Symantec Endpoint Protection to use Virtual Image Exception to bypass the scanning of base image files

  1. On the console, open the appropriate Virus and Spyware Protection policy.
  2. Under Advanced Options, click Miscellaneous.
  3. On the Virtual Images tab, check the options that you want to enable.
  4. Click OK

 

Trend Micro

Citrix CTX136680 – Slow Server Performance After Trend Micro Installation. Citrix session hosts experience slow response and performance more noticeable while users try to log in to the servers. At some point the performance of the servers is affected, resulting in issues with users logging on and requiring the server to be restarted. This issue is more noticeable on mid to large session host infrastructures.

Trend Micro has provided a registry fix for this type of issue. Create the following registry on all the affected servers. Add new DWORD Value as:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilterParameters] “DisableCtProcCheck”=dword:00000001

Trend Micro Links:

Optimize Performance

VDA Optimizer

Installation of the VDA might have already done this but there’s no harm in doing it again. This tool is only available if you installed VDA in Master Image mode.

  1. On the master VDA, go to C:\Program Files\Citrix\PvsVm\TargetOSOptimizer and run TargetOSOptimizer.exe.
  2. Then click OK. Notice that it disables Windows Update.

RDSH

Citrix CTX131577 XenApp 6.x (Windows 2008 R2) – Optimization Guide is a document with several registry modifications that are supposed to improve server performance. Ignore the XenApp 6 content and instead focus on the Windows content.

Citrix CTX131995 User Cannot Launch Application in Seamless Mode in a Provisioning Services Server when XenApp Optimization Best Practices are Applied. Do not enable NtfsDisable8dot3NameCreation

Norskale has Windows 2008 R2 Remote Desktop and XenApp 6 Tuning Tips Update.

Windows 7

Microsoft has compiled a list of links to various optimization guides.

It’s a common practice to optimize a Windows 7 virtual machine (VM) template (or image) specifically for VDI use. Usually such customizations include the following.

  • Minimize the footprint, e.g. disable some features and services that are not required when the OS is used in “stateless” or “non-persistent” fashion. This is especially true for disk-intensive workloads since disk I/O is a common bottleneck for VDI deployment. (Especially if there are multiple VMs with the same I/O patterns that are timely aligned).
  • Lock down user interface (e.g. optimize for specific task workers).

With that said the certain practices are quite debatable and vary between actual real-world deployments. Exact choices whether to disable this or that particular component depend on customer requirements and VDI usage patterns. E.g. in personalized virtual desktop scenario there’s much less things to disable since the machine is not completely “stateless”. Some customers rely heavily on particular UI functions and other can relatively easily trade them off for the sake of performance or standardization (thus enhance supportability and potentially security). This is one of the primary reasons why Microsoft doesn’t publish any “VDI Tuning” guide officially.

Though there are a number of such papers and even tools published either by the community or third parties. This Wiki page is aimed to serve as a consolidated and comprehensive list of such resources.

Daniel Ruiz XenDesktop Windows 7 Optimization and GPO’s Settings

Microsoft Whitepaper Performance Optimization Guidelines for Windows 7 Desktop Virtualization

Windows 10 / Windows 8.1 / Windows 2012 R2

Optimization Notes:

  • If this machine is provisioned using Provisioning Services, do not disable the Shadow Copy services.
  • Windows 8 detects VDI and automatically disables SuperFetch. No need to disable it yourself.
  • Windows 8 automatically disables RSS and TaskOffload if not supported by the NIC.

Seal and Shut Down

If this session host will be a master image in a Machine Creation Services or Provisioning Services catalog, after the master is fully prepared (including applications), do the following:

  1. Go to the properties of the C: drive and run Disk Cleanup.
  2. On the Tools tab, click Optimize to defrag the drive.
    `
  3. Run slmgr.vbs /dlv and make sure it is licensed with KMS and has at least one rearm remaining. It is no longer necessary to manually rearm licensing. XenDesktop will do it automatically.
  4. Run Delprof2 to clean up local profiles. Get it from http://helgeklein.com/download/.
  5. Machine Creation Services and Provisioning Services require DHCP.

Session hosts commonly have DHCP reservations.

  • Shut down the master image. You can now use Studio or Provisioning Services to create a catalog of linked clones.

Troubleshooting – Graphics

If Windows 7 on vSphere, don’t install the VMware SVGA driver. For more details, see CTX201804 Intermittent Connection Failures/Black Screen Issues When Connecting from Multi-Monitor Client Machines to Windows 7 VDA with VDA 7.x on vSphere/ESXi.

For an explanation of Citrix’s graphics policy settings, see A graphical deep dive into XenDesktop 7 and What’s new with HDX display in XenDesktop & XenApp 7.x?

Citrix Knowledgebase article CTX200370 – How to Determine HDX Display Mode: Use wmic or HDX Monitor as described in the article to determine which of the following display mode options is being used:

  • DCR (Desktop Composition Redirection)
  • H.264 / H.264 Compatibility Mode
  • Legacy Graphics Mode

Citrix Blog Post – Site Wide View of HDX Graphics Modes; PowerShell script to display graphics mode of currently connected sessions.

Citrix Blog post – Optimising the performance of HDX 3D Pro – Lessons from the field

From Citrix Tips – Black Screen Issues with 7.x VDA: Users would make a successful ICA connection but the screen would stay totally black.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vbdenum]

  • “Start”=dword:00000001
  • “MaxVideoMemoryBytes”=dword:06000000
  • “Group”= “EMS”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vd3d]

  • “MaxVideoMemoryBytes”=dword:00000000

From Citrix Knowledgebase article CTX200257 – Screen Issues Connecting to 4K Resolution Monitors in DCR Mode:

  1. Calculate the video memory that is required for 4K monitor using the following formula:
    Sum of total monitors (Width * height * 4 * X) where width and height are resolution of the monitor.
    X = 2 if VDA is Windows 7 OR X = 3 if VDA is Windows 88.110
    Example: Suppose a Windows 7 VDA is connecting to a client that has dual 4K monitors (3840×2160), then video buffer should be: (3840×160 x 4 x 2) + (3840 x 2160 x 4 x 2) = ~115MB
  2. Open the registry (regedit) and navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vd3d
  3. Increase the value of “MaxVideoMemoryBytes” REG_DWORD value to the above calculated memory.
  4. Reboot the VDA

From Citrix Discussions: To exclude applications from Citrix 3D rendering, create a REG_DWORD registry value “app.exe” with value 0 or a registry value “*” with value 0.

  • XD 7.1 and XD 7.5:
    • x86: reg add hklm\software\citrix\vd3d\compatibility /v * /t REG_DWORD /f /d 0
    • x64: reg add hklm\software\Wow6432Node\citrix\vd3d\compatibility /v * /t REG_DWORD /f /d 0
  • XD 7.6/7.7/7.8 both x86 and x64:
    • reg add hklm\software\citrix\vd3d\compatibility /v * /t REG_DWORD /f /d 0

Wildcards are not supported. The asterisk * here has a special meaning “all apps” but is not a traditional wildcard. To blacklist multiple apps e.g. both appa.exe and appb.exe must be done by creating a registry value for each app individually.

This is most problematic in Remote PC since most physical PCs have GPUs. I recently had to blacklist Internet Explorer to prevent lockup issues when switching back to physical.

Uninstall VDA

Uninstall the VDA from Programs and Features.

Then see CTX209255 VDA Cleanup Utility.

Related Pages

Director 7.8

Last Modified: Nov 7, 2020 @ 6:35 am

Navigation

Director on Standalone Server

If you are installing Director 7.8 on a standalone server, see Citrix CTX142260 Installing or Upgrading to Citrix Director 7.6.200

  1. If you intend to install Director on a standalone server, start with running AutoSelect.exe from the XenApp/XenDesktop 7.8 media.
  2. On the right, click Citrix Director.
  3. It will ask you for the location of one Controller in the farm. Then finish the installation wizard.
  4. In IIS Manager, go to Default Web Site > Director > Application Settings, find Service.AutoDiscoveryAddresses and make sure it points to a Controller and not to localhost.

  5. If you built multiple Director servers, then use NetScaler to load balance them.

Director Grooming

If XenDesktop is not Platinum Edition then all historical Director data is groomed at 7 days.

For XenDesktop/XenApp Platinum Edition, by default, most of the historical Director data is groomed at 90 days. This can be adjusted up to 367 days by running a PowerShell cmdlet.

  1. On a XenDesktop Delivery Controller, run PowerShell and run asnp Citrix.*

  2. Run Get-MonitorConfiguration to see the current grooming settings.
  3. Run Set-MonitorConfiguration to change the grooming settings.

Director Single Sign-on

You can configure Director 7.8 to support Integrated Windows Authentication (Single Sign-on). Note: there seem to be issues when not connecting from the local machine or when connecting through a load balancer.

  1. Run IIS Manager. You can launch it from Server Manager (Tools menu) or from the Start Menu or by running inetmgr.
  2. On the left, expand Sites, expand Default Web Site, and click Director.
  3. In the middle, double-click Authentication in the IIS section. 
  4. Right-click Windows Authentication and Enable it.
  5. Right-click Anonymous Authentication and Disable it.
  6. Pass-through auth won’t work from another computer until you set the http SPN for the Director server. See Director 7.7 Windows Authentication not working with NS LB at discussions.citrix.com.
  7. If Director is not installed on a Controller then you’ll need to configure Kerberos delegation.
  8. If you are load balancing Director then additional config is required. See Director 7.7 Windows Authentication not working with NS LB at discussions.citrix.com for more info.
    1. Create an AD service account that will be used as the Director’s ApplicationPoolIdentity.
    2. Create SPN and link it to the service account.
      setspn -S http/loadbalanced_URL domain\user
    3. Trust the user account for delegation to any service (Kerberos only) (trust the Director servers for delegation is not necessary in this case). You have to create the SPN before you can do this step.
    4. In IIS manager, on the Application Pools (Director), specify the Identity as user we have created in step 1.
    5. In IIS manager, select Default Web Site and open the Configuration Editor.
    6. Use the drop-down to navigate to the following section:

      system.webServer/security/authentication/windowsAuthentication
    7. Set useAppPoolCredentials = True and useKernelMode = False. Click Apply on the top right.

  9. When you connect to Director you will be automatically logged in. You can change the login account by first logging off.
  10. Then change the drop-down to User credentials.

Director – Multiple XenDesktop Sites

  1. Run IIS Manager. You can launch it from Server Manager (Tools menu) or from the Start Menu or by running inetmgr.
  2. On the left, expand Sites, expand Default Web Site, and click Director.
  3. In the middle pane, double-click Application Settings.
  4. Find the entry for Service.AutoDiscoveryAddresses and double-click it.
  5. If Director is installed on a Controller, localhost should already be entered.
  6. Add a comma and the NetBIOS name of one of the controllers in the 2nd XenDesktop Site (farm). Only enter one Controller name. If you have multiple Director servers, you can point each Director server to a different Controller in the 2nd XenDesktop Site (farm).
  7. According to Citrix CTX200543 Desktop Director Access Fails After XenDesktop 7.5 is Upgraded to 7.6, the addresses should be NetBIOS names, not FQDN. Click OK.

Director Alerts and Notifications

Director 7.8 supports alert conditions and email notifications. This feature requires XenApp/XenDesktop to be licensed with Platinum Edition. See Citrix Blog Post Configuring & Managing Alerts and Notifications Using Director for more information.

  1. While logged into Director, at the top of the page click the Alerts button.
  2. Switch to the Email Server Configuration tab.
  3. Enter your SMTP information and click Send Test Message. Then click Save.

  4. Switch to the Citrix Alerts Policy tab.
  5. There are three high-level categories of alerts: Site Policy, Delivery Group Policy, and Server OS Policy. Click whichever one you want to configure.
  6. Then click Create.
  7. Give the alert a name.
  8. On the bottom left, select a condition and enter thresholds.
  9. On the bottom right, in the Notifications preferences section, click Add.
  10. Enter an email address and click Add.
  11. Click Save when done. Feel free to create more alerts and notifications.
  12. Citrix has an experimental Desktop Notification Tool. See Citrix Blog Post Desktop Notification Tool For Citrix XenDesktop. 💡
    ablogpic2

Director – SCOM Integration

Director 7.8 can display alerts from System Center Operations Manager 2012 R2. This feature requires XenApp/XenDesktop Platinum Edition.

  1. See Configure SCOM integration at docs.citrix.com for detailed configuration instructions. Also see Marius Sandbu Integrating Citrix XenDesktop 7.7 and System Center Operations Manager.
  2. If Director server or System Center Operations Manager server is 2008 R2, then login to the 2008 R2 server, open PowerShell and run Enable-PSRemoting. Yes to everything. This is not needed on Windows Server 2012 R2 servers.
  3. On Director 7.8 server, run C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /configscom
  4. FYI, the DirectorConfig.exe /configscom command enables the following features on the Director server: /FeatureName:IIS-NetFxExtensibility45 /FeatureName:IIS-ASPNET45 /FeatureName:WCF-HTTP-Activation45
  5. FYI, the System Center Operations Manager server is listed in IIS Manager at Default Web Site > Director > Application Settings (middle pane) > Connector.SCOM.ManagementServer.
  6. On the System Center Operations Manager server, edit Remote Management Users local group and add Citrix Admins and other Director users.
  7. In System Center Operations Manager Console, go to Administration > User Roles and edit Operations Manager Operators. Add the Citrix Admins and other Director users.
  8. See Citrix Blog Post SCOM Alerts in Citrix Director for information on how to view System Center Operations Manager alerts in Director.

Director Tweaks

Prepopulate the domain field

From http://www.xenblog.dk/?p=33: On the Controllers having the Director role installed, locate and edit the ‘LogOn.aspx’ file. By default you can find it at “C:\inetpub\wwwroot\Director\Logon.aspx”

In line 450 you will have the following. To find the line, search for ID=”Domain”. Note: onblur and onfocus attributes were added in newer versions of Director.

<asp:TextBox ID="Domain" runat="server" CssClass="text-box" onfocus="showIndicator(this);" onblur="hideIndicator(this);"></asp:TextBox>

In the ID=”Domain” element, insert a Text attribute and set it to your domain name. Don’t change or add any other attributes. Save the file.

<asp:TextBox ID="Domain" runat="server" Text="Corp" CssClass="text-box" onfocus="showIndicator(this);" onblur="hideIndicator(this);"></asp:TextBox>

This will prepopulate the domain field text box with your domain name and still allow the user to change it, if that should be required. Note: this only seems to work if Single Sign-on is disabled.

Session timeout

By default the idle time session limit of the Director is 245 min. If you wish to change the timeout, here is how to do it.

  1. Log on to the Director Server as an administrator
  2. Open the ‘IIS Manager’
  3. Browse to ‘SitesDefault Web SiteDirector’ in the left hand pane.
  4. Open ‘Session State’ in the right hand pane
  5. Change the ‘Time-out (in minutes)’ value under ‘Cookie Settings’
  6. Click ‘Apply’ in the Actions list

SSL Check

From http://euc.consulting/blog/citrix-desktop-director-2-1: If you are not securing Director with an SSL certificate you will get this error at the logon screen.

To stop this:

  1. Log on to the Director Server as an administrator
  2. Open the ‘IIS Manager’
  3. Browse to ‘SitesDefault Web SiteDirector’ in the left hand pane.
  4. Open ‘Application Settings’ in the right hand pane
  5. Set EnableSslCheck to false.

Disable Activity Manager

From Disable the visibility of running applications in the Activity Manager in Advanced Configuration at docs.citrix.com: By default, the Activity Manager in Director displays a list of all the running applications and the Windows description in the title bars of any open applications for the user’s session. This information can be viewed by all administrators that have access to the Activity Manager feature in Director. For Delegated Administrator roles, this includes Full administrator, Delivery Group administrator, and Help Desk Administrator.

To protect the privacy of users and the applications they are running, you can disable the Applications tab from listing running applications.

  • On the VDA, modify the registry key located at HKLM\Software\Citrix\Director\TaskManagerDataDisplayed. By default, the key is set to 1. Change the value to 0, which means the information will not be displayed in the Activity Manager.
  • On the server with Director installed, modify the setting that controls the visibility of running applications. By default, the value is true, which allows visibility of running applications in the Applications Change the value to false, which disables visibility. This option affects only the Activity Manager in Director, not the VDA. Modify the value of the following setting:
    UI.TaskManager.EnableApplications = false

Large Active Directory

From CTX133013 Desktop Director User Account Search Process is Slow or Fails: By default, all the Global Catalogs for the Active Directory Forest are searched using Lightweight Directory Access Protocol (LDAP). In a large Active Directory environment, this query can take some time or even time out.

  1. In Information Server (IIS) Management, under the Desktop Director site, select Application Settings and add a new value called ActiveDirectory.ForestSearch. Set it to False. This disables searching any domain except the user’s domain and the server’s domain.
  2. To search more domains, add the searchable domain or domains in the ActiveDirectory.Domains field.

Site Groups

From Citrix Blog Post Citrix Director 7.6 Deep-Dive Part 4: Troubleshooting Machines:

If there are a large number of machines, the Director administrator can now configure site groups to perform machine search so that they can narrow down searching for the machine inside a site group. The site groups can be created on the Director server by running the configuration tool via command line by running the command:

C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /createsitegroups

Then provide a site group name and IP address of the delivery controller of the site to create the site group.

Director – Saved Filters

From Scott Osborne and Jarian Gibson at Citrix Discussions: In Director, you can create a filter and save it.

The saved filter is then accessible from the Filters menu structure.

The saved filters are stored on each Director server at C:\Inetpub\wwwroot\Director\UserData. Observations:

  • Each user has their own saved filters.
  • The saved filters are not replicated across Director servers. You can schedule a robocopy script to do this automatically.
  • When upgrading Director, the saved filters are deleted?

Director – Custom Reports

The Monitoring database contains more data than is exposed in Director. To view this data, the Monitoring service has an OData Data Feed that can be queried.

Go to Citrix Blog Post Obtain XenDesktop Custom report through Citrix Director and download the tool. Once installed, in Director, go to Trends > CustomReport to construct an oData query.